This is a fun story, detailing the hack a group of high school students perpetrated against an Illinois school district, hacking 500 screens across a bunch of schools.
During the process, the group broke into the school’s IT systems; repurposed software used to monitor students’ computers; discovered a new vulnerability (and reported it); wrote their own scripts; secretly tested their system at night; and managed to avoid detection in the school’s network. Many of the techniques were not sophisticated, but they were pretty much all illegal.
It has a happy ending: no one was prosecuted.
A spokesperson for the D214 school district tells WIRED they can confirm the events in Duong’s blog post happened. They say the district does not condone hacking and the “incident highlights the importance of the extensive cybersecurity learning opportunities the District offers to students.”
“The District views this incident as a penetration test, and the students involved presented the data in a professional manner,” the spokesperson says, adding that its tech team has made changes to avoid anything similar happening again in the future.
The school also invited the students to a debrief, asking them to explain what they had done. “We were kind of scared at the idea of doing the debrief because we have to join a Zoom call, potentially with personally identifiable information,” Duong says. Eventually, he decided to use his real name, while other members created anonymous accounts. During the call, Duong says, they talked through the hack and he provided more details on ways the school could secure its system.
EDITED TO ADD (9/13): Here are Minh Duong’s Defcon slides. You can see the table of contents of their report on page 59, and the school’s response on page 60.
Posted on August 31, 2022 at 9:33 AM
Interesting story of test-takers in India using Bluetooth-connected flip-flops to communicate with accomplices while taking a test.
What’s interesting is how this cheating was discovered. It’s not that someone noticed the communication devices. It’s that the proctors noticed that cheating test takers were acting hinky.
Posted on October 4, 2021 at 9:40 AM
Gizmodo is reporting that schools in the US are buying equipment to unlock cell phones from companies like Cellebrite:
Gizmodo has reviewed similar accounting documents from eight school districts, seven of which are in Texas, showing that administrators paid as much as $11,582 for the controversial surveillance technology. Known as mobile device forensic tools (MDFTs), this type of tech is able to siphon text messages, photos, and application data from students’ devices. Together, the districts encompass hundreds of schools, potentially exposing hundreds of thousands of students to invasive cell phone searches.
The eighth district was in Los Angeles.
Posted on December 18, 2020 at 6:53 AM
The company Edgenuity sells AI systems for grading tests. Turns out that they just search for keywords without doing any actual semantic analysis.
Posted on September 4, 2020 at 6:02 AM
Lance Vick is suggesting that students hack their schools’ surveillance systems.
“This is an ethical minefield that I feel students would be well within their rights to challenge, and if needed, undermine,” he said.
Of course, there are a lot more laws in place against this sort of thing than there were in—say—the 1980s, but it’s still worth thinking about.
EDITED TO ADD (1/2): Another essay on the topic.
Posted on December 30, 2019 at 10:20 AM
Verizon’s Data Brief Digest 2017 describes an attack against an unnamed university by attackers who hacked a variety of IoT devices and had them spam network targets and slow them down:
Analysis of the university firewall identified over 5,000 devices making hundreds of Domain Name Service (DNS) look-ups every 15 minutes, slowing the institution’s entire network and restricting access to the majority of internet services.
In this instance, all of the DNS requests were attempting to look up seafood restaurants—and it wasn’t because thousands of students all had an overwhelming urge to eat fish—but because devices on the network had been instructed to repeatedly carry out this request.
“We identified that this was coming from their IoT network, their vending machines and their light sensors were actually looking for seafood domains; 5,000 discrete systems and they were nearly all in the IoT infrastructure,” says Laurance Dine, managing principal of investigative response at Verizon.
The actual Verizon document doesn’t appear to be available online yet, but there is an advance version that only discusses the incident above, available here.
Posted on February 17, 2017 at 8:30 AM
More psychological research on our reaction to terrorism and mass violence:
The researchers collected posts on Twitter made in response to the 2012 shooting attack at Sandy Hook Elementary School in Newtown, Connecticut. They looked at tweets about the school shooting over a five-and-a-half-month period to see whether people used different language in connection with the event depending on how geographically close they were to Newtown, or how much time had elapsed since the tragedy. The analysis showed that the further away people were from the tragedy in either space or time, the less they used words related to sadness (loss, grieve, mourn), suggesting that feelings of sorrow waned with growing psychological distance. But words related to anxiety (crazy, fearful, scared) showed the opposite pattern, increasing in frequency as people gained distance in either time or space from the tragic events. For example, within the first week of the shootings, words expressing sadness accounted for 1.69 percent of all words used in tweets about the event; about five months later, these had dwindled to 0.62 percent. In contrast, anxiety-related words went up from 0.27 percent to 0.62 percent over the same time.
Why does psychological distance mute sadness but incubate anxiety? The authors point out that as people feel more remote from an event, they shift from thinking of it in very concrete terms to more abstract ones, a pattern that has been shown in a number of previous studies. Concrete thoughts highlight the individual lives affected and the horrific details of the tragedy. (Images have particular power to make us feel the loss of individuals in a mass tragedy.) But when people think about the event abstractly, they’re more apt to focus on its underlying causes, which is anxiety inducing if the cause is seen as arising from an unresolved issue.
This is related.
Posted on February 16, 2016 at 6:27 AM
Yesterday, the city of Los Angeles closed all of its schools—over 1,000 schools—because of a bomb threat. It was a hoax.
LA officials defended the move, with that city’s police chief dismissing the criticism as “irresponsible.”
“It is very easy in hindsight to criticize a decision based on results the decider could never have known,” Chief Charlie Beck said at a news conference.
I wrote about this back in 2007, where I called it CYA security: given the choice between overreacting to a threat and wasting everyone’s time, and underreacting and potentially losing your job, it’s easy to overreact.
What’s interesting is that New York received the same threat, and treated it as the hoax it was. Why the difference?
EDITED TO ADD (12/17): Best part of the story: the e-mailer’s address was email@example.com.
EDITED TO ADD (1/13): There have been copycats.
Posted on December 16, 2015 at 6:28 AM
A Texas 9th-grader makes an electronic clock and brings it to school. Teachers immediately become stupid and call the police:
The bell rang at least twice, he said, while the officers searched his belongings and questioned his intentions. The principal threatened to expel him if he didn’t make a written statement, he said.
“They were like, ‘So you tried to make a bomb?’” Ahmed said.
“I told them no, I was trying to make a clock.”
“He said, ‘It looks like a movie bomb to me.’”
The student’s name is Ahmed Mohamed, which certainly didn’t help.
I am reminded of the 2007 story of an MIT student getting arrested for bringing a piece of wearable electronic art to the airport. And I wrote about the “war on the unexpected” back in 2007, too.
We simply have to stop terrorizing ourselves. We just look stupid when we do it.
EDITED TO ADD: New York Times article. Glenn Greenwald commentary.
EDITED TO ADD (9/21): There’s more to the story. He’s been invited to the White House, Google, MIT, and Facebook, and offered internships by Reddit and Twitter. On the other hand, Sarah Palin doesn’t believe it was just a clock. And he’s changing schools.
EDITED TO ADD (10/13): Two more essays.
Posted on September 16, 2015 at 10:09 AM
India is cracking down on people who use technology to cheat on exams:
Candidates have been told to wear light clothes with half-sleeves, and shirts that do not have big buttons.
They cannot wear earrings and carry calculators, pens, handbags and wallets.
Shoes have also been discarded in favour of open slippers.
In India students cheating in exams have been often found concealing Bluetooth devices and mobile SIM cards that have been stitched to their shirts.
I haven’t heard much about this sort of thing in the US or Europe, but I assume it’s happening there too.
Posted on July 10, 2015 at 12:44 PM