|Home » Industry Watch » The Technological
Haddonfield Memorial High School
A predictable pattern.
IDG news reporter Bob McMillan tweeted about this a few hours ago.
#smalltownhack Teenagers get slapped on the wrist for accessing school computers to change grades. http://bit.ly/cpOQeJ
There are so many levels to this story it's not funny. Following Bob's link and then using Google News yields a number of interesting links, whereof four of the best appear at the end of this article.
Basically the gist of the story is this.
- Haddonfield Memorial High School is considered a 'top-performing high school'.
- Three students, ages 14, 15, and 16, were somehow caught last March fiddling with the school network. They'd installed keystroke loggers to get passwords so they could gain access to the network.
- The 16yo allegedly used the access to change grades.
- The 14yo used the access to peek at confidential information.
- No one seems to know what the 15yo did.
- The three students were placed on probation and pleaded guilty in a 'family court'.
- Their names are not revealed because of their ages.
- Superior Court Judge Angelo DiCamillo insisted the students adhere to a 22:00 curfew, write essays about 'making better choices', and not be allowed any unsupervised computer time.
- DiCamillo also forbade the students from using Facebook and MySpace - but Twitter's OK, he said.
- The court ordered the students be subjected to a 'psychological evaluation'. Camden County assistant prosecutor Kevin Moran reported having difficulty giving the evaluation to the 15yo - the dates suggested were in conflict with his family's holiday schedule.
- DiCamillo granted the school district $10,502.85 in 'salary' for the staff to clean up the computers and the network.
- Two of the defence attorneys called the $10 K claim rubbish. 'I don't believe that was money expended by the school district', said defence attorney Matthew Portella. 'Dealing with disciplinary and computer issues is what salaried school employees are paid to do', said defence attorney Salvatore Siciliano.
- Portella and Siciliano also protested against the unlawful seizure of private property not connected with and having no bearing on the case. The local Keystone Kops had seized a calculator, a cellphone, and blank computer disks - none of which was returned. 'They can't keep evidence not related to the offence', said Portella. An agreement to return the items supposedly got derailed when the school district started making restitution demands.
- The parents of the 14yo voluntarily brought the 14yo's laptop to the authorities to prove there was no nefarious involvement. They also testified that the authorities had promised to return the laptop without delay. The authorities have not returned the laptop. Prosecutor Moran wanted to explain the delay in returning it by claiming the hard drive would have to be 'scrubbed' first.
It's hard to know where to start with something like this. Perhaps starting at the end and working toward the beginning is the best approach.
- Scrubbing a hard drive is hardly necessary in order to return a laptop.
- The authorities must in such case be held responsible for destroying private property.
- Scrubbing a hard drive takes a matter of hours - it's no excuse for prolonging the return of the family's computer.
- The authorities behaved in predictable fashion, seizing anything not glued down. They're notoriously clueless when it comes to IT. They might not have known the 'empty' discs were in fact 'empty'. What type of secrets they were looking for in a calculator is not known. Police have in the past mistaken calculators for computers - there's nothing out of the ordinary there.
- The agreement to return the property incorrectly seized was derailed by a demand from the school district for restitution? What difference could that make? The authorities shouldn't be allowed to keep the items - there's no reason to not return them immediately.
- The claim for damages of $10,502.85 is of course outrageous - but it also fits into a predicable pattern.
- DiCamillo's rule about use of social sites is of course ridiculous and helps illustrate a far deeper issue than keystroke loggers and fudged grades. The 22:00 curfew is of course ridiculous, and this business about 'writing essays' can only lead to nonstop hilarity. As for unsupervised computer time: good luck, judge.
Finally there's the bit about hacking into the school network.
The students needed an authorised access to the network to be able to look around, to change grades. They needed a password for this. They presumably installed keystroke loggers on teachers' PCs to get such a password.
Anyone with half a gram of IT brains knows how easy it is to download a keystroke logger off the Internet. They probably also know it's not improbable that one of the students was capable of writing such a keystroke logger from scratch.
But that same person with at least half a gram of gray matter would also know that such devices are pointless without a computer operating system that's open for attack. Serious operating systems - such as the innumerable variations of Unix and including Apple's Mac OS X - can't be tinkered with in such a fashion without further trump cards such as local passwords already being available.
Therefore it's a good guess that the computer system in use was Microsoft Windows. A keystroke logger has to operate on device (hardware) level - access to the keyboard driver - and systems other than Windows will dutifully and reliably prevent access to the computer hardware from 'user land'. Such code simply cannot be installed and run on a non-Windows system without superuser (root) access.
On Windows there is no such obstacle: anything can be installed anywhere with no user intervention and with no privilege escalation. So the students were attacking a Windows system, had learned a bit about the hacks against that system, and then set about - using minimal effort - compromising it.
That's all between the lines of course because:
- No one at that school is likely to know what difference the operating system makes.
- There's bound to be an MSFT rep in the neighbourhood to remind the media (if they need reminding) that they can be sued for libel if they specifically name the OS vendor.
And there are unwritten rules that always apply in cases such as the current one at Haddonfield Memorial High School.
- If you ever felt subjected to the illusion that humans in general appear to be getting more intelligent over time, that's probably because the true dimwits have been able to find cubbyholes in IT-related jobs where they're rarely seen.
- High schools don't attract the great minds of IT. They're lucky if they get anyone that can handle a DOS prompt without breaking into a sweat.
- Most people today know of the dangers of Microsoft Windows - but not these guys.
- Anytime a school or any other corporation/authority gets whacked by a hack, they immediately start cooking up an inventive story about how much the damage has cost them.
- $10 K in damages is a criminal assertion. That's 100 hours at $100/hour - and most of those losers would be ripping off their school district if they were paid so much.
- 100 hours to clean a keystroke logger means we're dealing with some incredibly stupid people here - people who ordinarily are challenged by 'Add/Remove Programs' and clicking icons in Control Panel.
- More likely the 'admins' have friends on the outside who are a bit smarter than them and who run Windows security firms (a lucrative business). And these people came in and cooked the books themselves a bit - perhaps with a bit of a kickback to their friends on the inside.
- It's easy to cook the books when you're dealing with clients funded by taxes - money disappears so wonderfully inside such organisations!
- The three students on the other hand have shown true talent. They bettered the morons running the school network. They should be given all the encouragement possible. As for making better choices: they've already made good choices - they're pursuing their interests! The NSA will probably want to pick them up in a year or two and probably already have their names.
- The idiots at Haddonfield Memorial High School responsible for the choice of Windows for school computers should be sacked. Haddonfield Memorial High School should instigate a lawsuit against Microsoft for selling substandard software to them. A higher court judge should immediately issue an injunction against further purchases of Microsoft products - after all: if a 14yo, a 15yo, and a 16yo can hack through the system, then it's not worth very much, is it?
Remember when David Lightman got the school network password from a desk drawer where it was written in plain text?
|GET HTTP/1.1 200 OK|
|Cache-Control: no-cache||Accept-Ranges: bytes|
|Content-Length: 9517||Server: Microsoft-IIS/6.0|
|Content-Type: text/html||MicrosoftOfficeWebServer: 5.0_Pub|
|Content-Location: http://172.16.1.10/hmhs/Default.htm||X-Powered-By: ASP.NET|
|Last-Modified: Fri, 23 Jul 2010 00:15:08 GMT||Connection: close|
Philadelphia Inquirer: Haddonfield High hackers get probation
NorthJersey.com: Probation for NJ teens who hacked school computer
NJ.com: Haddonfield teen hackers are given curfews, essay assignments
NJ.com: Haddonfield high school students admit hacking into computer system to change grades