Student hacks high school software and finds “SQL injections galore” (secalerts.co)
111 points by GiulioS on Aug 15, 2019 | 94 comments



Some friends and I hacked Blackboard last year. We exploited it by smuggling null bytes (0x00) via their WebDAV protocol.

This made it possible to hijack other accounts, including our professors'. So we hacked our own grades and then reported it. Luckily we didn't suffer the same fate as Demirkapi.

Blog post here: https://bustbyte.no/blog/how-we-hacked-blackboard-and-change...


I remember finding XSS and XSRF bugs in one of their things like 9 years ago. I'm not surprised it still sucks.

I posted it on the full disclosure mailing list, and IIRC they ignored it as far as I could tell. This was back in 2010.

(And before I get flak for not notifying them before disclosing it, I was a teenager and I wouldn't do it that way now)


I reported a vulnerability in blackboard when I was in college (around the same time period as you).

I don't recall any sort of disclosure mailing list, and the only contact link I found seemingly went through my college's IT department. Whether my university had applied some customization, or whether it was just me being a young college student, I'm not sure.

Anyways, a few days after I had reported the vulnerability, I was summoned to a meeting where I found myself sitting at a table opposite my academic advisor, as well as the Department Chair of the CS department, where they began to speak to me about "academic integrity".

I'm glad the story mostly ends there, as during this meeting I realized what had actually happened; someone in the IT department had misinterpreted my report as some sort of hacking threat, and they had "tracked me down on the university network", which makes no sense because I had reported the vulnerability via email directly from my .edu address.

While I wasn't exactly well-liked among the professors in the CS department, the department chair at least recognized that it was a big misunderstanding, that I wasn't doing anything nefarious, and had been acting in good faith.

After that meeting, I had approximately zero interest in disclosing vulnerabilities of any sort, for fear of being on the hook if/when they were ever exploited.


> I don't recall any sort of disclosure mailing list,

fyi, your parent post referred to [1] here. Glad nothing too bad came of your disclosure.

[1] https://seclists.org/fulldisclosure/


> After that meeting, I had approximately zero interest in disclosing vulnerabilities of any sort

Sales to a private broker is one alternative.


Back on the Windows 9x kernel, one could render a file/folder by including a NIL character (0xFF) in the name. The NIL wouldn't render at all in Explorer, but Explorer was also incapable of accessing the file or folder. I forget the exact error message, but it was something along the lines of the path not existing. Had to hop out to a command prompt to temporarily rename it to make it accessible, then rename it back. Had to enter the code by using ALT+0+2+5+5. Sadly, doesn't work on the NT based kernel. Was fun hiding in plain sight in the 90s.


Things like this were fun if you could use Linux to access windows via a samba share with write access. You could make all kinds of directories that explorer wouldn't handle correctly.

Also reminds me of a bug that was common in Adobe Reader that would create a very deep recursion of adobe folders in the users directory. You could not delete said files because the path was far too long. Had to use SUBST to map it to a shorter path then delete your way up.


I'm confident that if you poked around the software of the vast majority of organizations in this world, you'd find "SQL injections galore". There is just limitless amounts of old code that no one has the resources to address. Should the information on students be well protected? Of course. Have you ever seen the software running your local dentist, doctor, insurance office? It's just impossible to spend money and fix things that already work.


> if you poked around the software of the vast majority of organizations in this world, you'd find "SQL injections galore".

As a security consultant, I disagree. There is quite a clear trend in what kind of vulnerabilities web applications have. XSS is getting slightly better but still has a way to go, CSRF has much more awareness and went from "rarely prevented" to "usually prevented", SSRF is getting more common due to new kinds of architectures (more back-ends talking to each other), but SQL injections are, well, not quite a solved problem, but vastly better than it was ten years ago.

I think this can be attributed largely to better libraries that make the secure way the default (such as parameterized queries) and somewhat to more awareness (tutorials and examples will mention things like escaping variables). Perhaps people also hear more about it in school nowadays, but I don't think schools changed much.

My view of the world is somewhat tainted since companies pay me to find their bugs (they are serious about security), but I also am a normal user of random websites like everyone else. Some websites smell, and I'll investigate and sometimes find vulnerabilities. And I hear what is going on in the field, what leaks have happened, what bugs people are finding. I try not to let my paid work taint my view too much.


The SQL Server back end makes it only too easy to run in SQL Injection mode. Does every ASP.NET site out there use stored procedures (or functions) for all database access?


Things today are a LOT different than they were 10 years ago. Not only are ORMs encouraged out of the box, which are (pretty much) immune to SQL injection unless you consciously run native SQL. There is also a HUGE amount of documentation, warnings, etc. on almost everything - got a few links at the end.

You could argue that the major source of insecure code these days is old answers on Stack Overflow which show vulnerable examples. Though, I believe there was an initiative to go back and change old answers which posted vulnerable code, but not sure if that ever took off.

Some URLs:

As you said SQL Server, I literally googled "microsoft ado.net example"; the first result is showing how to use parameterized queries: https://docs.microsoft.com/en-us/dotnet/framework/data/adone...

Googled the same with sql injection/security: huge article on it all https://social.technet.microsoft.com/wiki/contents/articles/...

As an (ex) security professional myself, I definitely agree with the guy above saying that these days in general you do see a lot less of the "schoolboy" vulnerabilities. Definitely still out there though, even in tier 1 public-facing websites of global banks, but certainly not widespread, and certainly not ubiquitous. I'd say this is due to a combination of hand-holding in frameworks, and better education all round.


I am fairly certain dotNet has been pushing parameterized queries since .net 2.0 in 2005. I know at my current employer we have been doing it since 2008.


But software from 10 years ago is often just plugging along in a closet somewhere.


Indeed, ORM is encouraged out of the box in many ecosystems... and sure enough, it is viewed as a silver bullet by many developers and this is a pity.

Some ORMs are powerful and even have subsets of language for data transformation, and so on... And now you have even another problem: another layer of abstraction that might fail or have their own bugs and security issues.

I miss writing pure and simple SQL queries whenever I'm forced to use an ORM. This is one of the things I enjoy in the Go ecosystem: if you want SQL, probably go with database/sql and write SQL directly instead of any fancy ORMs out there.


I don't write anything user facing, but write plenty of scripts that query a database, return a dataset, create a data frame, and then do statistical analysis on it. The SQL is all pretty straightforward with no ORM and is really easy to understand and use.


Yeah. Most of the time I see people complaining about SQL, I identify that they are trying to build complex nested joins and other stuff likewise for no good reason besides risky premature optimization... And they end up creating little monsters that will haunt them sometime in the future.

Then, what happens next? They might end up hating SQL for no good reason and embracing the 'NoSQL' flag with any kind of non-relational database out there and make the very same mistakes they were complaining about SQL, only this time it'll be probably in JSON instead.

And they will probably notice the errors earlier and end up thinking SQL is harder and, say, whatever-NoSQL-brand is easy... only because they had more experience and a clear vision of everything when trying out the latter.

I just wish more people would keep things simple. For most common web applications out there a single SQL database suffices well, and you can do most, if not all, queries in two or three lines at most with no complex operations and keep things lean.

For sure, for search engine ElasticSearch is marvelous, and for keeping track of documents without ever losing data, Datomic is a robust and proven solution... but what I see is mostly people writing software for mom-and-pops shops using Mongo with no transaction support whatsoever.


Parametrized queries are as safe as stored procedures and can be freely used with or without ORMs.


The bar for "working" is limited to perfect-path tests then?

As someone pointed out the other day, we do seem to be getting better about security -- less issues overall than there used to be. Likely a sign people are taking this seriously and frameworks have gotten better.

* Full Disclosure Mailing List || https://seclists.org/fulldisclosure/

Ultimately, a big issue with security is that nobody thinks of it as their job. "Oh cool, I made code my non-technical boss said was good enough! Time to clock out!" And that's really flawed. Security is everyone's job. Everyone. The best system is still susceptible to bad passwords. (=

What's security training look like in your org? Most likely there isn't any. So... pitch it. Here's a good template to get started:

* For Everyone - PagerDuty Security Training || https://sudo.pagerduty.com/for_everyone/


> There is just limitless amounts of old code that no one has the resources to address. [...] It's just impossible to spend money and fix things that already work.

So then, "shady" sellers are pricing software solutions below cost, maybe there needs to be some standards around minimum time length warranties similar to manufacturer warranties. Somehow the refrigerator market managed to standardize onto requiring a certain minimum for each fridge - maybe we need a software association or union to do the same.


It usually doesn't actually cost that much to fix SQL injections and they're really easy to find.

I've prioritised identifying and fixing these problems whenever I'm leading teams. It's an easy sell to management (spend a sprint to greatly lower risk) and a good training exercise for teams.


FWIW, today I was looking at a legacy PHP site and noticed a SQL injection possibility in its query handling which I fixed while fixing another problem. It’s not every day that I see these things, but basically every time I look into a legacy PHP site, I notice one or two.


We have about 200,000 lines of code that look like this:

    250:             Let strsql = "Update TbfFileManagementSystem Set FileName = replace(FileName,'" & Me![PONumber].OldValue & "','" & Me![PONumber] & "')" & _
    " Where FileID = '" & strFileID & "';"
    260:             mdb.Execute (strsql)


Insert a line of code before that statement which validates that the variable is an integer and you're sorted. As an added bonus, check that it's in range.


Please don't. Use placeholders and the DB's prepared statements API _everywhere_. Manual escaping and validation is a recipe for disaster.


Absolutely - that is the desired end state.

In some languages migrating to the prepared statement API can be a considerable amount of work and that takes a lot of time.

If the code is mainly made up of queries with an integer ID then you can make the code safe using guards with a fraction of the effort meaning that your software is stable faster. Then you can take your time rewriting your data access layer to use the safe-by-design APIs.

I should have made that clear in my original post :)

BTW at some point you might need to get into escaping / validation to support operations not supported by the safe APIs. If/when you encounter this it's a massive red flag. Your system design should reflect that. It should be treated like radioactive waste: be paranoid.
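The concatenated query quoted above, its parameterized form, and the integer guard discussed in this subthread, as an added example that is not code from the thread. It uses Python's sqlite3 with a constructed in-memory table and constructed file names standing in for the Access TbfFileManagementSystem schema.

```python
"""Vulnerable concatenated SQL beside the parameterized form, plus the
integer-ID guard suggested as a stop-gap.  All data below is constructed."""
import re
import sqlite3

# Constructed rows standing in for the thread's file-management table.
SAMPLE_ROWS = [
    (1, "PO-1001_quote.pdf"),
    (2, "PO-1002_O'Brien_invoice.pdf"),   # a legitimate name containing a quote
    (3, "PO-1003_report.pdf"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (FileID INTEGER PRIMARY KEY, FileName TEXT NOT NULL)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_by_name_concat(conn: sqlite3.Connection, name: str):
    """The vulnerable shape: user input is spliced into the SQL text, so any
    quote character in `name` alters the statement instead of the value."""
    sql = "SELECT FileID, FileName FROM files WHERE FileName = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_param(conn: sqlite3.Connection, name: str):
    """Parameterized: the driver passes the value separately; quotes stay data."""
    sql = "SELECT FileID, FileName FROM files WHERE FileName = ?"
    return conn.execute(sql, (name,)).fetchall()


def get_by_id_guarded(conn: sqlite3.Connection, raw_id: str):
    """The stop-gap from the thread: confirm the ID is an integer and in range
    before it reaches the query.  Here it is combined with a placeholder anyway;
    the guard is a quick risk reduction, not a replacement for prepared statements."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("FileID must be a positive integer")
    file_id = int(raw_id)
    if not 1 <= file_id <= 1_000_000:       # hypothetical range for this table
        raise ValueError("FileID out of range")
    sql = "SELECT FileID, FileName FROM files WHERE FileID = ?"
    return conn.execute(sql, (file_id,)).fetchone()


def demo() -> dict:
    """Run both lookups on the same quoted file name and exercise the guard."""
    conn = make_db()
    target = "PO-1002_O'Brien_invoice.pdf"
    results = {"param": find_by_name_param(conn, target)}
    try:
        results["concat"] = find_by_name_concat(conn, target)
    except sqlite3.OperationalError as exc:
        # The embedded quote terminates the string literal; sqlite rejects the rest.
        results["concat"] = "syntax error: " + str(exc)
    results["guard_ok"] = get_by_id_guarded(conn, "2")
    try:
        get_by_id_guarded(conn, "2 OR 1=1")
    except ValueError as exc:
        results["guard_rejects"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```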


Sad as it is to say, but this is a quick way to get your PR stuck in code-review hell.

If the code you're starting with is already in such a state, the chances of the reviewer being:

  1. able to understand what you've done
  2. receptive to unnecessary functional changes to a legacy application
... is effectively 0.


Time to fire up sed and awk?


Not in any code I've written; I only use parameterized queries. I definitely maintain code that just sends parameters as strings. The prevalence of this is alarming.


Then the law must say you can't write code that doesn't utilize prepared statements.


Nothing is this simple in technology ever - it is extremely difficult to declare blanket rules like this.

I do think it's reasonable to try and get third party software auditing to become more normalized; if a contractor is writing a scheduling system to control class enrollment I'd appreciate another contractor looking it over... but even that has its issues.


Of course, it was just a gross simplification. However, SQLi that causes data theft as such could be punished; GDPR kinda does that.


GDPR says otherwise. Cost of remediation of legacy code vs. 4% of worldwide turnover.


_up to_ 4% of worldwide turnover or 20 million $ (whichever is higher).

For local businesses the second one probably sounds much more scary.

https://en.wikipedia.org/wiki/General_Data_Protection_Regula...


I still think that will never be enforced on companies that didn't have it coming. I never heard of the EU fining a company in a way that truly hurt them unless they knowingly and exceedingly violated the law.

As an example, Cambridge Analytica was started in 2013 and was presumably a startup when it started doing public manipulation, so that's an example of whom I think has it coming if they get a company-bankrupting fine. Your mom and pop shop having a data breach due to a negligent SQL injection won't have to close up just because of that. I would be interested to hear a case where a company was fined to bankruptcy when they did not totally deserve it. Until then, I feel like reciting this over and over (people often bring it up in a negative context) is just spreading FUD about doing business in the EU.


I can't find any sources now, but there have been numerous fines for minor data breaches. (Like sending a mail to all your clients and putting everybody on CC, not BCC, so each client gets to know all others).

But they absolutely haven't been fined to bankruptcy, just a few thousand Euro.

That's why I underscored the "up to".



My friends and I had a lot of fun hacking into our school IT systems in high school. We took security as a challenge, not as a warning.

At various points, we had a shared file server for sharing movies and music for the whole school, bypassed the proxy (which also gave us a vastly improved connection speed), had Unreal Tournament 99 on the computers (this was ~2010, but it was one of the only games that would play well), we figured out how to send messages to all computers (using Novell ZENworks or something), and eventually a few of us just had full root access to the entire system. We also had lots of fun with fork bombs, setting people's desktops to porn (we weren't meant to be able to change our desktop but there were workarounds), and the occasional broadcast storm.

If only we had known about bitcoin at the time, we'd have become rich running a mining network on the school computers.

Luckily, our school had a very relaxed attitude to our shenanigans. We generally avoided doing anything actively harmful and we also got a few free passes by helping the IT staff when they had problems (they were useless at their job).


When I was in junior high, circa mid 90s, I had full control of my school's network. Was Novell NetWare based, DOS only. Menu was meant to restrict what apps we could run to only those in the menu. Found an "exploit" in WordPerfect in that you could launch WP, hit a function key to launch a limited command prompt, but on exiting WP, it would crash, returning to a full command prompt. Being basically DOS 6.x, there were no further permissions at that point. I was friendly with the IT admin, so I always let him know when I stumbled into something (I also had about a half dozen admin accounts hidden). I had the ability to change grades, impersonate teachers and send messages as a teacher, but never abused my access. I did get suspended for a week after a network crash (likely caused by a failed disk) that I had nothing to do with.

My parents asked me point blank if I'd done it and if I knew how to do it, to which I honestly replied no to both. That was when I got my first C++ book. My parents were like "if you got suspended for something you didn't do, you're sure as fuck going to learn how to do it."


Heh, this sounds like my high school experience.

Many teachers left the default password on their accounts. Was messing in the interface that I didn't understand very much and sent a broadcast message to the entire network. One by one they started beeping and displaying a blank message notification across all the computer labs in the school. Luckily I had some opsec at that age and didn't do it on the workstation I was assigned to. Logged out and quickly went back to my seat in the confusion that quickly spread in our class.

Wasn't till 2 years later that I got in trouble and got kicked off the computers for a month. For having a shareware game on the network. The network admin said something to the effect of "We are pretty certain you have done a lot of things far worse than this, but we can't pin any of them to you, so this is what you get punished for", and well, he was right.


Yeah, I didn't start cracking passwords until I was in college - I didn't need to. When in junior high, the IT admin would kick off a tape backup of the network, and stay logged in. I'd wait until later, like 6pm-7pm, and dial into his computer (his computer had a connected modem that accepted inbound connections with no username/password), do my thing, then restart the backup before I was done for the night, so he wouldn't notice in the morning. Never did anything destructive, but I did have about 6 bogus accounts with full admin access. Kept those accounts to myself, lest they get discovered. They never did... He left around my freshman year of high school. Didn't trust his replacement, so kept my lips shut about the access I had. Graduated with nearly all of my accounts with admin access intact.

In college, had to crack some passwords. Turns out the admin password of all the NT lab PCs was a 5 character building abbreviation + room number of where campus IT was based... I was expecting the crack to run overnight on my then 500 MHz P3. The password was cracked before I could stand up to go to dinner. Last cracked passwords on my old XP laptop, that I couldn't remember the password to. Hard part is getting the unencrypted password file (since I think Win2k, Windows encrypts the SAM file on disk and exclusively locks the file while the OS is running), but if you can run something with system authority, you can inject a DLL and extract the decrypted file. You still have to brute force the NTLM hashes after that, but on modern hardware, takes just a few mins. Back in the NT 4 days, at least the way our computers were configured, non-admins had write permissions to everything under c:\Windows. Easy way to get system? Replace the default screen saver with a copy of cmd.exe, then log out and wait for the logon screen saver to fire. Back in the day, screen savers ran as system. They don't any longer.

On the NT 4 boxes, I was able to script everything. Pop in a bootable floppy with the script and an NTFS driver, reboot, wait for the script to complete, having copied the SAM file, then reboot again and back to normal. Walk back to my dorm room, crack at will.


I managed to get root on the school district computer that was running every school thin client AND the system for grades. This was before any widespread general software offerings to do stuff like that. The "hacking" consisted of aborting the boot process using ctrl-c and voila: root console.

I reported it to the school first and got threatened with legal action. Reported it to the central IT department and a guy came and bought me lunch and yelled at our principal for not letting me report it.

Good times.


> we figured out how to send messages to all computers (using Novell Zenworks or something)

The Novell messaging utility[0] thing? For us that was disabled in the registry. Unfortunately that was an easy fix. "Fun" times were had.

[0]: http://www.novell.com/documentation/linux_client/linuxclient...


I had a similar experience being 13, but luckily for me it only involved my own high school website and data. I found a blind SQL injection and got access to the credentials of any user. I wasn't a particularly mature 13 y/o so I started messing around.

My high school reported the incidents and I got caught in a few weeks. I almost went to trial, my hard drive with my StarCraft II campaign almost finished was confiscated (I haven't seen it again since that moment) and it was overall an instructive episode. It didn't go any further because my parents had good relations with the high school's direction and they withdrew the report as soon as they knew it was me.

In the following years I kept in contact with the webmaster and I remember feeling very encouraged to report any other flaw I could find to him. I found a few more things over the years, but most importantly learned a lot.

Every time I read news like this I remember how grateful I felt when my high school not only forgave me but also helped me keep learning. I believe it can make a difference, and even more so when dealing with younger kids.


Yeah, it’s cliche but for kids, the quote they “were so preoccupied with whether or not they could, they didn’t stop to think if they should” really applies. You’re smart enough to hack the system but not smart enough to know that it’s a really bad idea.


>Demirkapi passed on his findings to his school's IT department. However, it ended up being viewed by every school in his district and he was suspended from school for two days.


We had a local kid that did something similar at a school here. He wrote a crawler which he then used to search files (in the school system) for names. He found his own name in spreadsheets which contained names, usernames, and passwords - in plain text.

For some reason, all students had access to the admin file systems - and for some other reason, the IT people had usernames and passwords stored like that. Either way, he reported the findings to the school admin.

What did the school do? Press charges. Police came knocking on his door, and confiscated his computer.


Lesson learned.

Keep vulnerabilities to yourself.


Meh, anyone who knows anything would look very positively on a kid who had the curiosity and ability to do that and suffered ridiculous consequences. The suspension is a badge of honor, a great story, and generally a life long benefit.

When I was in high school a few of us grabbed passwords from unencrypted wifi/network protocols (maybe it was POP3 logins, I don't remember) and "reported" it with some harmless website defacing, telling the admin (who was a cool guy). Nothing happened and I don't think anyone ever even noticed.


Funny,

I was nearly expelled from my high school for finding and immediately reporting a vulnerability, without having actually exploited it. Also, my story is far too common. Most of the people in charge don't know anything!

Many of us in the industry who have been around the block a few times support either selling your exploits or open disclosure. We have our reasons.


I had a friend that noticed some really nasty vulns in his college's software (passwords in plaintext in the page, and the reset question and answer). I coached him how to very carefully report them and he had some help from family. But given that the uni takes federal funding he could have easily landed a federal felony for just reporting, and all he did was do view source on the page.


All depends on the individual you are reporting to. It can get worse.

My brother had a classmate who ended up being subject to pretty intense investigation for something similar, mostly because the IT guy was incompetent and characterized a problem in a certain way. He wasn't charged, but it cost his family a bunch of money.

I would advise anyone to never volunteer anything of an infosec nature in a public school environment.


It depends how much your school throwing the book at you derails your life. I agree that white-hat vulnerability discovery should be celebrated, but right now even ethical hacking can have severe penalties on opportunities available and your mental state.

This even extends into victimless[1] hacktivism. (@see Aaron Swartz)

1. This is my opinion, not a declaration of fact.


I don't think this case follows the usual story of "person reports vulnerability and is punished for it". See my other comment for details and a link:

https://news.ycombinator.com/item?id=20709592


The lesson I learned in school was it’s obvious that you’re the one who exploited the system when you’re the only computer nerd who uses the machine.


Or just go public instead.


I live in the town where this happened. A lot of us parents already hated the software involved. On the other hand, it's not clear that alternatives would fare any better. In my experience, software specific to non-technical orgs like schools or doctors' offices is uniformly terrible not just in terms of security but all over. I wouldn't be at all surprised if competitors' software was even worse. Such is the state of the world.


Makes one wonder if there's a market opportunity


There are many. Unfortunately both the domain-knowledge requirement and switching costs are very high. It's hard for a newcomer to break in, and once they have there's little incentive to keep updating the product. The result is a succession of companies and products that were probably fine for the time when they were introduced, but quickly seem dated as the rest of the industry evolves.

The other alternative is open source. Lower the initial cost of entry, amortize the cost of maintaining and enhancing core components, and let vendors compete on the basis of what they can offer on top of that. Unfortunately, this approach yields much lower margins than what "vertical" software vendors are used to, so they'll fight any such thing tooth and nail. That gets us into the domain of trusts, cartels, and regulatory capture. The business factors preclude technical solutions, and users pay the price. :(


Keeping up annually with federal and individual state education reporting regulations is a severe PitA. The Texas Board of Ed itself is a monster of a bureaucracy compared to some other states.


School choice: spend money upgrading a system that seems to be "fine", spend time and money training personnel on how to use the new system, and cut classes of your choice angering parents.

Or, just keep doing what they've been doing.

Seems like a pretty obvious choice, even if it doesn't feel "right".


To a certain extent, yes. But having experience in dealing with schools for IT (in NZ), you'll be hard pressed to get them to spend money on upgrades when the current solution "works".


Blackboard. Ha ha ha. Blackboard.

When I was in school, there was a vulnerability where you could reach courses that you didn't belong to, simply by changing the id in the URL. A couple of students got punished (banned from school computers for months) for exploiting this (to leave a message on said courses). As of a year later, the vulnerability was still not fixed (although the messaging infrastructure was disabled).


Heh. When I was in school (maybe dating myself here), there was a blanket prohibition on accessing "DOS Screens" because the total morons that ran the school's IT department couldn't lock it down and someone sent a bunch of popup messages to the entire campus using net send.


A friend of mine got hassled in the high school computer lab for being in cpanel for his personal website. Apparently it looked scary.

Security on the old Macs was hilarious though - the student user accounts had a limited set of applications they were allowed to launch, but it was only enforced via Finder checking when you double clicked it.

There were so many other ways to launch things. Custom buttons in AppleWorks toolbars, AppleScript, dragging it into Safari and then opening it from the downloads manager, and setting the creator code to match any application you had permission for were convenient options.

Don't have access to run Script Editor? That's ok, type applescript: into Safari's URL bar and it'll pop right up.


I was a bad fit for my high school's Computer shop curriculum. Sophomore year I was supposed to learn COBOL. I also learned Fortran-77, the Prime mainframe's JCL, found and learned the assembly language for the Prime 750, accidentally accessed all the HDD partitions (for eight local schools and six police departments) and got suspended for using 30000% more CPU time than all other users combined, while exploring.

My family made a fuss when they wanted to expel me and I switched over to Electronics. Had a grand time.


net send is what tipped my school off to a group of students having deeper access to the network than they should. Turns out 'net send * "Hiya Man!"' is not very subtle. Before that, people were only sending to individual users, but apparently someone didn't think through the consequences of sending to * - it took about 2-3 minutes for the IT manager to show up. Weirdly, it was still possible _after_ that - a friend of mine experimented with using a tool to change the sender address (his IT teacher knew, but just told him "If you're going to do this, don't get caught"), so getting a "Message from GOD" wasn't uncommon.

They apparently missed that another group had already created their own domain admin account, and didn't notice that until some weeks after the net send incident (I think it led to them paying closer attention to anything unusual happening). I do think they brought it on themselves to some extent - having a domain admin password of "school" (easily shoulder-surfed), later "<name of school with an o replaced with a 0>7" (ophcrack made short work of that one, using cached credentials), and a VNC password of "vnc" (server installed on every machine in the school), is asking for trouble.

Fortunately they weren't malicious, just curious (the most "damage" they did was changing a single pixel in the desktop background of all users to see if it was possible) - they even slipped a note under the IT Admin's door with the current domain admin password on it, but apparently they either didn't see it or didn't act on it. Given they had write access to every user's network drive, it could have been far worse. It ended up being a lesson in OPSEC as well - getting logged on a rogue domain admin account using a device called "<family name> USB" is a bit of a red flag.

I think the punishment was pretty fair though (despite some initial ranting from senior leadership about suspensions and getting the police involved - cooler heads from the deputy leadership and IT technicians prevailed) - helping the IT technicians out for a week, which amounted to cataloguing hardware (chasing down service tags), and re-wiring a couple of the computer rooms.


When I was in school (computers were running Win 95, I believe), I discovered a lot of nice software like NetSeven and BackOrifice, and I infected the school computers with it. Then I would play tricks on my school mates by displaying a lot of modal dialogs, or something. I never did anything nasty and that sort of program did not autoreplicate or infect other media, but in hindsight it was quite irresponsible, especially because I did not manage to disinfect the computers when leaving the school. Fortunately nobody ever seemed to find out.


At my school we had "net send shutdown" fights, which escalated, so you had to write defensive .bat scripts aborting the shutdown in a loop on your own PC.


Heh. That reminds me, at college we figured out that you could send a remote shutdown command, and all you needed was a computer name. Also you could set the timeout to '0' so that they'd have no chance to save their work.

We often shared our computer lab with others, so whenever they came into the room we'd shut the computer down and watch them get confused, move to another PC and we'd shut that down too.


this was on nt3.5 (or maybe nt4) but we had some smb shares that were simply public with r/w. i created a folder that i hid deep in there and in my typing class me and my friends would do 1/5 the assignment and merge them all together on this share. one time someone made a mistake and obviously we all had the same mistake and we were suspended for "hacking" even though we showed them it was just a friggin directory. they also gave us all F's for the typing class, my gpa thanked them for that....

after that i think either the CDC or l0phtcrack or one of those groups posted a way you can get to the user/groups window with admin privileges. i did that on one of the library computers which was logged in with the library account and deleted the admin group. what a shit storm that was. i was never caught for that one thank goodness.

i was a terrible script kiddie!


Once a dialup ISP threatened to ban me for 'hacking' them because I logged in through telnet with my username and password.


lol... I got suspended when I was in High School in 2005 for doing this...


> where you could reach courses that you did not belong to... students got punished

Were they only viewing material? Students viewing (and perhaps learning from) extra material should be commended! :)


That correlation is very frustrating -- people should take this more seriously, but those who discover things are punished... should be pretty obvious why security is the way it is, right?


True story: I inadvertently hacked the Smart TVs at my college once. They are typically always showing announcements, and they let student clubs post messages with the approval of Student Life.

Well, after a software update, nobody noticed that the permissions system for the TV was disabled. So I come along, a few weeks/months/? later and make an ad for Math Club, and it went live immediately. No Student Life approval.

Of course, this isn't a glamorous bug. Briefly thought, "Man, if I was a bad guy, I'd totally post some really _shocking_ material." I wasn't a bad guy though, told Student Life, and they fixed it.

EDIT: There is a shared account detailed in the Club manual on how to create a TV ad (for context).


An article with more details is here:

https://www.vice.com/en_us/article/59nzjz/teen-security-rese...

This article has more details about the reasons Demirkapi was suspended. Apparently he first tried to contact Follett (the software maker) directly, but they ignored him. He then tried to use the software itself to send a message to Follett, but the message was instead broadcast to a large number of parents, teachers, and administrators across the district. This does seem pretty irresponsible, and Demirkapi said he understood the reason for his suspension.

Thus, this doesn't seem like the usual "person reports vulnerability and is punished for it" story.

Of course the ultimate responsibility lies with the software makers who have these vulnerabilities in their software and who don't respond when someone reports them.


I'm genuinely surprised this didn't result in his expulsion, knowing how these kinds of stories usually go down.


I think your "usually" is heavily biased by media stories, which of course report only the exceptional, otherwise it wouldn't be news.

I've reported vulns in school before and got an unexpected bug bounty. I also abused vulns to put games on a school server when I was younger and that time I got a firm talking to. I also know someone and their friend who were around 18 at the time and stole a teacher's password (don't remember how, but nothing clever) and changed some grades of theirs. They were indeed suspended.


This was the case when I was in school too. (Geesh, it's been that long already?!).

I bet most schools are in a similar situation. Lack of a proper budget, cheaply made software sold by shady vendors, IT staff that isn't properly trained, etc.


This kid seems a lot more responsible than I was when I was in high school.

Talking about manipulating the URL parameters... yeah, I used that trick to apply discount codes way back in the day. The web form wouldn't accept them, but if you bolted them on to the URL after that step in the checkout process, they'd blindly get applied to your cart anyway. Found one for like 95% off a CD, and used it on a laptop at BestBuy. 15 year-old me thought he was really smart, but mostly he was just a vandal and a thief.

Best line:

> "Don't fall for marketing. Just because (vendors) say they take care of data doesn't mean they do."
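The discount-code trick described in the comment above is a client-side validation bypass: the form checked eligibility, but the step that actually applied the discount trusted a URL parameter. As an added example (not the commenter's code, nor any real retailer's), here is a constructed checkout step with the trusting version beside a version that re-checks eligibility on the server at the moment the discount is applied. The coupon table, the coupon code, the cart items and the URL are all constructed for the demonstration.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed coupon table. The category restriction is the rule that, in the
# story, was enforced only by the web form. (Assumption: one category per coupon.)
COUPONS = {
    "CDSALE95": {"discount_pct": 95, "category": "cd"},
}


@dataclass(frozen=True)
class CartItem:
    sku: str
    category: str
    price_cents: int


def _coupon_from_url(url):
    """Pull ?coupon=... out of the checkout URL, as the vulnerable step did."""
    return parse_qs(urlparse(url).query).get("coupon", [None])[0]


def _discounted(price_cents, pct):
    return price_cents * (100 - pct) // 100


def total_vulnerable(cart, url):
    """Bug: any known code found in the URL is applied to every item.
    Eligibility was checked only by the form, one step earlier, so a
    user who skips the form and edits the URL gets the discount anyway."""
    coupon = COUPONS.get(_coupon_from_url(url))
    if coupon is None:
        return sum(item.price_cents for item in cart)
    return sum(_discounted(item.price_cents, coupon["discount_pct"]) for item in cart)


def total_hardened(cart, url):
    """Fix: eligibility is re-checked per line item where the money changes.
    How the code arrived (form, URL, API) no longer matters; a coupon
    only touches items in its own category."""
    coupon = COUPONS.get(_coupon_from_url(url))
    total = 0
    for item in cart:
        if coupon is not None and item.category == coupon["category"]:
            total += _discounted(item.price_cents, coupon["discount_pct"])
        else:
            total += item.price_cents
    return total


if __name__ == "__main__":
    laptop = CartItem("LT-1", "laptop", 100_000)   # constructed: $1000 laptop
    cd = CartItem("CD-1", "cd", 1_500)             # constructed: $15 CD
    url = "https://shop.example/checkout/confirm?coupon=CDSALE95"
    print("trusting URL:", total_vulnerable([laptop], url))   # 5000
    print("re-validated:", total_hardened([laptop], url))     # 100000
    print("CD, re-validated:", total_hardened([cd], url))     # 75
```

The hardened version is the one to copy: validation that lives only in the form step protects nothing, because every later request is just another HTTP request the user controls.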


A good friend of mine got suspended for a semester after he found a pretty trivial flaw in his university's password reset form that would ultimately allow him to reset the password of anyone who had an account on the school's network including faculty and administrators. IT discovered him, locked him out of the network before he was able to report it, and threatened to take legal action. From what I've heard, they never fully fixed it. He went to a technology university mind you.


I found a blind SQL injection in my university course management system. Probably could have dropped the entire campus course list... but I didn't try. Found it at ~2-3AM, and so figured I'd bother IT in the morning. Woke up to a locked account and a message from the dean of students to pay him a visit.

I got off with some stupid fine and my online access being locked for 30 days. Was pretty annoying though, because they counted the 30 days only during when school was in semester. I happened to be doing this the final day of the semester... so that 30 days ended up being a lot longer.
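The root cause behind the blind SQL injection mentioned above (and behind the "SQL injections galore" in the article) is the same as for any other SQL injection: user input spliced into the query text. The "blind" part only describes how the result is observed, not what the defect is. As an added example, not code from the commenter or the university, here is a constructed course-lookup against an in-memory SQLite table, with the string-building version beside the parameterized fix. The schema, course rows and the tautology input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a course catalogue (not any real schema).
SAMPLE_COURSES = [
    ("CS101", "Intro to Programming", "open"),
    ("CS340", "Databases", "open"),
    ("CS499", "Thesis", "restricted"),
]


def make_db():
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE courses (code TEXT, title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO courses VALUES (?, ?, ?)", SAMPLE_COURSES)
    return conn


def find_course_vulnerable(conn, code):
    """Bug: the caller's string becomes part of the SQL text, so a quote in
    `code` rewrites the WHERE clause instead of being compared as data."""
    sql = (
        "SELECT code, title FROM courses "
        f"WHERE code = '{code}' AND visibility = 'open'"
    )
    return conn.execute(sql).fetchall()


def find_course_hardened(conn, code):
    """Fix: the SQL text is a constant; the driver binds `code` as a value,
    so no content of `code` can change the query's structure."""
    sql = "SELECT code, title FROM courses WHERE code = ? AND visibility = 'open'"
    return conn.execute(sql, (code,)).fetchall()


def demo():
    """Run both lookups with a normal course code and with a tautology string."""
    conn = make_db()
    benign = "CS101"
    tampered = "' OR '1'='1"   # constructed input; turns the WHERE clause into a tautology
    return {
        "benign_vuln": find_course_vulnerable(conn, benign),
        "benign_hard": find_course_hardened(conn, benign),
        "tampered_vuln": find_course_vulnerable(conn, tampered),
        "tampered_hard": find_course_hardened(conn, tampered),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the benign code both functions return the single matching row. With the tampered string the vulnerable query returns every open course because the comparison on `code` has been turned into a tautology, while the parameterized query returns nothing: there is no course whose code is literally `' OR '1'='1`. Detection-wise, the same request logs the commenter's high school admins were reading will show exactly these quote-laden parameters.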


I found the same thing in high school. Except that I didn't tell anyone, and it was fixed after a few months. I guess someone was looking at request logs after all.


As a current high school student I know that my school's software has similar weaknesses. I talked to our IT "department" (we only have one active person that I know of) and he said the district does not really have anywhere to bring up the issue.


My school (biggest school in Germany at the time) had VNC Server running on all PCs, so the teachers could check what their students were doing. Surely enough they used the same password on every single PC in the whole school. Fun times.


For a 17 year old, that is brilliant. But he has to look after himself because obesity problems create bigger problems. You can not spend so much time in front of a computer. Take a walk. Do some sports. You can be a good hacker too. Peace man. https://www.wired.com/story/teen-hacker-school-software-blac...


This was the case for blackboard in 2006. I see they haven't improved at all.


Bobby Tables, please report! https://xkcd.com/327/


[flagged]


This comment makes it real hard to follow Hacker News guidelines.


Why should we punish someone for their curiosity? Arguably, we should be punishing the school for their lax security. If a teacher left the gradebook out and a student changed their grade, the teacher would be reprimanded too.


When does that become victim blaming? If you left your garage open and a thief stole something from it, it's your fault for being irresponsible but that does not absolve the thief of his wrong-doing.

In this case, this child knew what he was doing was wrong and continued to do so. His motivations were clearly to use the vulnerabilities in the software as a hedge to his burgeoning career in the security industry. He put people's jobs on the line and caused grave embarrassment to the school district for his own selfish motives.


> as a hedge to his burgeoning career in the security industry.

Other people at that age want to be astronauts, do you yell at them if they look at the sky?

> He put people's jobs on the line

Incompetence put those people's jobs on the line. But given the state of that industry I find that statement unlikely.

> and caused grave embarrassment to the school district for his own selfish motives.

The kid was curious, end of story. It's not their fault that a particular industry is both used by people at a curious age and prone to be crapware insecure.

You seem to attribute some criminal motivation to this behaviour, I highly suggest you read through other threads here and hopefully come to the realization that this is normal behaviour for tech-savvy kids. Villainizing this not only leads to absolutely unnecessary problems for kids like that in school, it's a token of unproductive reactions to disclosures we see everywhere these days. These people do you a favor, a responsible disclosure by a curious party is far preferable to real criminals exploiting them.


He didn't damage anything, apparently not beyond displaying a message for every user in the school district. Jail time is incredibly draconian and would only make him disillusioned with the system.


Jail time for reporting vulnerabilities? This is some Poe's law shit.



