3rd Grader Accused of Hacking Schools' Computer System

Gud writes "According to The Washington Post a 9-year-old was able to hack into his county's school computer network and change such things as passwords, course work, and enrollment info. From the article: 'Police say a 9-year-old McLean boy hacked into the Blackboard Learning System used by the county school system to change teachers' and staff members' passwords, change or delete course content, and change course enrollment. One of the victims was Fairfax Superintendent Jack D. Dale, according to an affidavit filed by a Fairfax detective in Fairfax Circuit Court this week. But police and school officials decided no harm, no foul. The boy did not intend to do any serious damage, and didn't, so the police withdrew and are allowing the school district to handle the half-grown hacker.'"

Re:More likely,

[Rary]

Some dumb teacher probably just left their admin password laying around on a post-it note, or hell even left some admin interface open unattended, and doesn't want to admit it. Therefor, "hacking"!

Actually, although TFA doesn't provide any details about how the "hack" occurred, they do differentiate between this and a similar case where someone merely obtained someone else's password. The implication of the article is that there was actual technical skill of some kind involved.

Re:More likely,

[Anonymous Coward]

FTFA:

In January, students at Churchill High School in Montgomery County broke into their system to change grades, but that involved stolen passwords, not hacking, and did not involve Blackboard, Montgomery police said.

Re:More likely,

[commandermonkey]

ABS News has another article about the incident:

According to a search warrant, the computer savvy boy was able to get a hold of an administrator's password at Spring Hill Elementary to get into the Blackboard learning system

http://www.wjla.com/news/stories/0410/726170.html [wjla.com]

Re:More likely,

[Anonymous Coward]

It doesn't appear as though it was a hack after all - merely a student with a privileged user's password:
http://blog.blackboard.com/blackboard/2010/04/reported-hack-not-the-case-clarification.html

The Washington Post has issued a correction/clarification:
http://www.washingtonpost.com/wp-dyn/content/article/2010/04/15/AR2010041505517.html

Re:Blackboard - the biggest educational POS EVER

[BobMcD]

Could be a POS, not commenting there. However:

1) You're admitting to a crime. Stop it. There is absolutely zero reason to do so unless you're desperate for the wrong kind of attention.

2) Try a distinct channel. Assuming 802.11b/g you have three viable options. Try Channels 1/6/11. These are the only ones that do not overlap. They can't be occupying all of these at the same time, at the power levels you're stating they are. Or, if they genuinely are doing so, call the FCC and I imagine it'll stop fairly soon.

Re:FTFA

[FlyingBishop]

My impression is that this says more about Blackboard's security than anything else.

Time to switch to one of the FOSS (and in many ways superior) alternatives:

Moodle [moodle.org] and Sakai [sakaiproject.org]

Really, it's amazing Blackboard is still around with two full-featured FOSS competitors in existence. I guess it's just testament to the power of lock-in.

Re:Dade Murphy?

[AlamedaStone]

Or maybe Oliver Wendall Jones [yimg.com]?

You must be old here.

Re:More likely,

[fuzzyfuzzyfungus]

She has a stronger claim than most; but not entirely ironclad [wikipedia.org]...

Re:More likely,

[Minwee]

you can expect the price to be tailored to your individual institution, or in other words, likely several hundred dollars at least, probably in the thousands.

I think you missed "Per student" and "annually" at the end of that.

The typical customer licensing the works will pay $160,000 - per year [mfeldstein.com]. Even small victims are being bled for upwards of $50,000 every year just for the joy of being permitted to use Blackboard.

Blackboard doesn't sell to teachers or even individual schools, they target entire districts and school boards, aiming high enough up in the organization to be sure that nobody they meet will ever have to use their product, or have any idea of what Moodle [moodle.org] is.

Blackboard

[Arancaytar]

Is the proprietary online education platform with an apparent side job as a patent troll, if memory serves.

Given its closed nature, I wouldn't be surprised if their software is full to the brim of SQL injection, XSS and CSRF vulnerabilities that an interested elementary school student can exploit.

Hack? Nope ... boneheaded admin? Yes

[Anonymous Coward]

From TFA ... "a student's account at Spring Hill had been enabled with administrator privileges"

Sounds like the kid didn't hack anything, didn't use a login from a teacher or administrator. Looks like his account was "enabled with administrator privileges."

Re:More likely,

[fuzzyfuzzyfungus]

Oh, I've heard some real horror stories from colleagues who have worked in other districts. It sounds like there is some seriously mismanaged crap going on out there, horrible churn, completely unclear mission, near-nonexistent resources(obviously, schools don't need the newest and shiniest; but if admins are being forced to use their personal vehicles to drive from building to building because the "IT Director" won't approve any sort of remote management tools, or make even basic efforts in the direction of maintaining decent network uptime, that just doesn't make sense).

My personal experience, though, has been pretty benign. Some sub-optimal stuff(some of which I was able to get fixed, some not); but mostly the same dynamics you'll see in IT anywhere, just with a somewhat longer replacement cycle, lots of customish apps, and fewer 50k SANs.

Re:I got accused of "Hacking" also...

[profplump]

6/10. Next time remember that drive letters belong to DOS, that most of the Mac with built-in monochrome CRTs didn't have internal hard drives, that token-ring devices were typically connected to a MSAU that took offline hosts out of the loop, and that encryption was not readily available -- particularly whole-disk encryption that can be applied while running from the disk in use -- anytime that the computers described in common use. Also try to work in an offensive or controversial person or group name for maximum effect.

Re:Dade Murphy?

[severoon]

Whoops, I think there's a minor error in this summary and the headline of the article. It should read, Fairfax County public school system administrators criminally negligent in securing sensitive data. There, glad I fixed that...

Re:Dade Murphy?

[History's Coming To]

It is kind of funny (I'm in the UK), but I'll tell you what, I could be arrested in this country for the fact that I sympathise with people who carry out suicide bombings. Honestly, I do, I mean how bad must things be if they really feel that blowing themselves up in a busy public place is an appropriate action? They must be absolutely desperate. I'm not saying I agree with their methods, I'm weird because I'm an atheist who for some odd reason also believes in the "no killing" rule. But the point remains that the state here can arrest me for sympathising. I'll leave the argument of whether the state or suicide bombers are a bigger threat to my "freedom" (whatever that is) to the reader. I'm not sure yet.

NOT a hack, NEW Wash Post story clarifies:

[superj711]

New Washington Post story today clarifies that it was NOT a hack of Bb – someone found and used a valid teacher login. http://www.washingtonpost.com/wp-dyn/content/article/2010/04/15/AR2010041505517.html [washingtonpost.com] Local Digest Friday, April 16, 2010; B02 VIRGINIA Boy had teacher's computer password A 9-year-old Fairfax County boy who changed course content and passwords in the Fairfax school system's online teaching system -- including the superintendent's -- accessed it using a teacher's password, officials said Thursday. The school district detected the problems last month and, with the help of Fairfax police, tracked them to a McLean boy's home computer. Police obtained a search warrant that said Fairfax's version of the widely used Blackboard Learning System "had been hacked" and that the boy's Blackboard account had "administrator privileges." Blackboard and school officials clarified Thursday that the boy had not found and exploited a security vulnerability, but rather that he had obtained a teacher's password. Fairfax schools spokesman Paul Regnier said the boy was able to use that access to enroll other users, including Superintendent Jack D. Dale, into his class and could then change their passwords. -- Tom Jackman

Re:Blackboard - the biggest educational POS EVER

[zippthorne]

Oh yeah. Get a radio amateur to measure the power levels. 802.11b gear is unlicensed, and as such the maximum allowed power is very low. A local amateur is likely to have both the equipment and the inclination to measure and report violating emissions.

Re:More likely,

[dingram17]

I did part time computer support for the computer classroom at the high school I went to (yes this was awhile ago, and the computers were BBC Model Bs or BBC Master Compacts) while I was at university.

I was told that I was offered the position because I had been one of the chief troublemakers when I was a pupil and I'd kept my predecessor on his toes and so it was thought that I'd be able to keep things in order :-) The previous guy (also a David) went on to work for a small company in the UK called ARM and designed a processor that could work with 16b and 32b instructions (US Patent 5740461) -- the 'Thumb', which is the T in ARM7TDMI.

I'm glad that I had such a good 'adversary' to go head to head with :-)

Working with the classroom computers helped when I applied for a more general PC admin role at a school closer to the university. Running a Novel network was quite a different experience, esp. when the 'standard' computer of the day was a 486DX-33 and the school was running discless XTs @ 8MHz.