3rd Grader Accused of Hacking Schools' Computer System
Gud writes "According to The Washington Post a 9-year-old was able to hack into his county's school computer network and change such things as passwords, course work, and enrollment info. From the article: 'Police say a 9-year-old McLean boy hacked into the Blackboard Learning System used by the county school system to change teachers' and staff members' passwords, change or delete course content, and change course enrollment. One of the victims was Fairfax Superintendent Jack D. Dale, according to an affidavit filed by a Fairfax detective in Fairfax Circuit Court this week. But police and school officials decided no harm, no foul. The boy did not intend to do any serious damage, and didn't, so the police withdrew and are allowing the school district to handle the half-grown hacker.'"
Re:More likely, (Score:5, Informative)
Some dumb teacher probably just left their admin password lying around on a post-it note, or hell even left some admin interface open unattended, and doesn't want to admit it. Therefore, "hacking"!
Actually, although TFA doesn't provide any details about how the "hack" occurred, they do differentiate between this and a similar case where someone merely obtained someone else's password. The implication of the article is that there was actual technical skill of some kind involved.
Re:More likely, (Score:2, Informative)
FTFA:
In January, students at Churchill High School in Montgomery County broke into their system to change grades, but that involved stolen passwords, not hacking, and did not involve Blackboard, Montgomery police said.
Re:More likely, (Score:5, Informative)
According to a search warrant, the computer savvy boy was able to get a hold of an administrator's password at Spring Hill Elementary to get into the Blackboard learning system
http://www.wjla.com/news/stories/0410/726170.html [wjla.com]
Re:More likely, (Score:1, Informative)
It doesn't appear as though it was a hack after all - merely a student with a privileged user's password:
http://blog.blackboard.com/blackboard/2010/04/reported-hack-not-the-case-clarification.html
The Washington Post has issued a correction/clarification:
http://www.washingtonpost.com/wp-dyn/content/article/2010/04/15/AR2010041505517.html
Re:Blackboard - the biggest educational POS EVER (Score:3, Informative)
Could be a POS, not commenting there. However:
1) You're admitting to a crime. Stop it. There is absolutely zero reason to do so unless you're desperate for the wrong kind of attention.
2) Try a distinct channel. Assuming 802.11b/g you have three viable options. Try Channels 1/6/11. These are the only ones that do not overlap. They can't be occupying all of these at the same time, at the power levels you're stating they are. Or, if they genuinely are doing so, call the FCC and I imagine it'll stop fairly soon.
Re:FTFA (Score:2, Informative)
My impression is that this says more about Blackboard's security than anything else.
Time to switch to one of the FOSS (and in many ways superior) alternatives:
Moodle [moodle.org] and Sakai [sakaiproject.org]
Really, it's amazing Blackboard is still around with two full-featured FOSS competitors in existence. I guess it's just testament to the power of lock-in.
Re:Dade Murphy? (Score:3, Informative)
Or maybe Oliver Wendell Jones [yimg.com]?
You must be old here.
Re:More likely, (Score:3, Informative)
I think you missed "Per student" and "annually" at the end of that.
The typical customer licensing the works will pay $160,000 - per year [mfeldstein.com]. Even small victims are being bled for upwards of $50,000 every year just for the joy of being permitted to use Blackboard.
Blackboard doesn't sell to teachers or even individual schools, they target entire districts and school boards, aiming high enough up in the organization to be sure that nobody they meet will ever have to use their product, or have any idea of what Moodle [moodle.org] is.
Blackboard (Score:4, Informative)
Is the proprietary online education platform with an apparent side job as a patent troll, if memory serves.
Given its closed nature, I wouldn't be surprised if their software is full to the brim of SQL injection, XSS and CSRF vulnerabilities that an interested elementary school student can exploit.
Hack? Nope ... boneheaded admin? Yes (Score:1, Informative)
From TFA ... "a student's account at Spring Hill had been enabled with administrator privileges"
Sounds like the kid didn't hack anything, didn't use a login from a teacher or administrator. Looks like his account was "enabled with administrator privileges."
Re:More likely, (Score:4, Informative)
My personal experience, though, has been pretty benign. Some sub-optimal stuff (some of which I was able to get fixed, some not); but mostly the same dynamics you'll see in IT anywhere, just with a somewhat longer replacement cycle, lots of customish apps, and fewer 50k SANs.
Re:I got accused of "Hacking" also... (Score:4, Informative)
6/10. Next time remember that drive letters belong to DOS, that most of the Macs with built-in monochrome CRTs didn't have internal hard drives, that token-ring devices were typically connected to an MSAU that took offline hosts out of the loop, and that encryption was not readily available -- particularly whole-disk encryption that can be applied while running from the disk in use -- anytime that the computers described were in common use. Also try to work in an offensive or controversial person or group name for maximum effect.
Re:Dade Murphy? (Score:5, Informative)
Whoops, I think there's a minor error in this summary and the headline of the article. It should read, Fairfax County public school system administrators criminally negligent in securing sensitive data. There, glad I fixed that...
Re:Dade Murphy? (Score:3, Informative)
NOT a hack, NEW Wash Post story clarifies: (Score:2, Informative)
Re:Blackboard - the biggest educational POS EVER (Score:3, Informative)
Oh yeah. Get a radio amateur to measure the power levels. 802.11b gear is unlicensed, and as such the maximum allowed power is very low. A local amateur is likely to have both the equipment and the inclination to measure and report violating emissions.
Re:More likely, (Score:2, Informative)
I was told that I was offered the position because I had been one of the chief troublemakers when I was a pupil and I'd kept my predecessor on his toes and so it was thought that I'd be able to keep things in order :-) The previous guy (also a David) went on to work for a small company in the UK called ARM and designed a processor that could work with 16b and 32b instructions (US Patent 5740461) -- the 'Thumb', which is the T in ARM7TDMI.
I'm glad that I had such a good 'adversary' to go head to head with :-)
Working with the classroom computers helped when I applied for a more general PC admin role at a school closer to the university. Running a Novell network was quite a different experience, esp. when the 'standard' computer of the day was a 486DX-33 and the school was running diskless XTs @ 8MHz.