High-School Graduation Prank Hack

This is a fun story, detailing the hack a group of high school students perpetrated against an Illinois school district, hacking 500 screens across a bunch of schools.

During the process, the group broke into the school’s IT systems; repurposed software used to monitor students’ computers; discovered a new vulnerability (and reported it); wrote their own scripts; secretly tested their system at night; and managed to avoid detection in the school’s network. Many of the techniques were not sophisticated, but they were pretty much all illegal.

It has a happy ending: no one was prosecuted.

A spokesperson for the D214 school district tells WIRED they can confirm the events in Duong’s blog post happened. They say the district does not condone hacking and the “incident highlights the importance of the extensive cybersecurity learning opportunities the District offers to students.”

“The District views this incident as a penetration test, and the students involved presented the data in a professional manner,” the spokesperson says, adding that its tech team has made changes to avoid anything similar happening again in the future.

The school also invited the students to a debrief, asking them to explain what they had done. “We were kind of scared at the idea of doing the debrief because we have to join a Zoom call, potentially with personally identifiable information,” Duong says. Eventually, he decided to use his real name, while other members created anonymous accounts. During the call, Duong says, they talked through the hack and he provided more details on ways the school could secure its system.

EDITED TO ADD (9/13): Here’s Minh Duong’s Defcon slides. You can see the table of contents of their report on page 59, and the school’s response on page 60.

Posted on August 31, 2022 at 9:33 AM • 29 Comments

Comments

mdebusk August 31, 2022 10:20 AM

Embarrassed bureaucrats are not ordinarily so magnanimous. It makes me wonder what wasn’t reported.

Winter August 31, 2022 11:08 AM

@mdebusk

It makes me wonder what wasn’t reported.

Jailing a significant fraction of your graduating students for a prank does affect your ranking in the minds of parents and prospective students who are looking for a school to register.

I would think thrice before I would recommend a school who tries to send that many bright students to jail.

I assume any embarrassed school bureaucrats understood where his interests were located.

Clive Robinson August 31, 2022 12:21 PM

@ mdebusk, winter, ALL,

“It makes me wonder what wasn’t reported.”

Or more probably “to whom” it was not reported.

The US separation of State and Federal legislation and judiciary does make a difference.

But the fundamental idea behind not just Old English law but most law systems that evolved from it is the notion of a harm which gets equated to a financial loss. You also have the notion of “a breach of a public duty to society” (criminal) and “a breach of a private duty to an individual” (tort) and their basic respective punishments of imprisonment and fine as primary methods of redress.

As you can appreciate things can get a little messy. Let’s assume the education authorities decided to treat it initially as a “breach of a private duty” that is against the honour code or similar students get bound by. Then the question of harm comes up which means that the education authorities are allowed to consider not just current cost but future cost as well as being mindful of any harms they might commit by their actions (contracts have a habit of going both ways).

Yes the students caused some cost, but then that would have been at best a future cost the education authority would incur anyway, only with a higher probability of increased cost (think ransomware) and significant harm to other students, staff and even parents.

From what has been said the students aside from probably indulging in the initial equivalent of thrill seeking acted reasonably and responsibly.

Thus any half way smart administrator could probably make an argument for not pursuing the students legally because they had actually saved the authority money.

Like the UK the US has some really bad “Computer Crime” legislation with a scope way way too broad. Worse in the US “prosecutorial discretion” once with a DA etc really does not happen, in fact the very opposite (especially if elections are involved).

This case appears to have had a fairly neat and tidy outcome at low or even negative cost to the education authority and in a timely fashion.

Call it a win for common sense.

Denton Scratch August 31, 2022 12:21 PM

Embarrassed bureaucrats are not ordinarily so magnanimous.

Certainly not in Illinois, at least as far as I can tell from the reports I see over here.

If I were that school head, I guess I’d commend them on their achievement, and thank them for their assistance with remediation; and cite them for breaking the school rules. I’d try to do all that off the public record; I don’t generally like the way that school stories are reported by journalists and exploited by politicians.

A school is largely a closed community; it has explicit and implicit conventions and rules, that outsiders don’t understand. That may not be desirable, but it’s inevitable – that’s how the world works.

But there are scandals in school administration; so there has to be some transparency. I guess none of the usual information vectors – administrators, policemen, and journalists – make me feel that transparency is happening. Personally, I’m inclined to trust teachers.

It’s completely normal and customary for kids let loose with computer networks and programming tools to try to break security, or at least to probe the security boundaries. I’m afraid criminalizing that is completely wrong. The correct approach is to protect and immunize the network against students, which is the responsibility of the school admin and the network admins.

Anyway, despite the remarks above, congratulations to that head for not going crazy (when the fashionable thing seems to be to go completely nuts). Somebody upthread was suggesting that he’d acted this way for administrative, instrumental reasons; I think that’s assuming bad faith, and that he did it because they’re (a) kids; (b) under his care.

NOTE: I’m just commenting on Bruce’s meta-report; I’ve had a look at the Wired report, but it was too breathless for me.

Ted August 31, 2022 12:29 PM

@mdebusk, Winter, All

Minh Duong and his three friends must have anticipated the potential for a backlash. They sent a 26-page report to the school immediately after “The Big Rick.”

If I’m reading the article right, the report included the guidelines the group had agreed to abide by, including that they would protect the safety of others, would keep disruptions to a minimum, would not access sensitive private information, etc.

I don’t know if the school discussed the incident with legal counsel or law enforcement. “The Big Rick” was presented at Def Con.

JonKnowsNothing August 31, 2022 12:54 PM

@Winter, mdebusk, All

re: It’s not a Prank

It’s not a prank. It’s a criminal invasion of a computer security system. By laws defined and enforced, it may not be up to the school board to be magnanimous at the end of the day.

Per the info, the students clearly knew what they were doing was illegal or at best unauthorized. Both of these aspects have criminal definitions which can land you big time in prison.

They hid their access, they accessed multiple times, they changed software they didn’t have authorization for, they exploited a security hole, and even if they reported it they used it to gain further access.

There are only a few possible qualifying mitigations: Age and Race.

Age: This won’t get you far in the USA and LEOs have set traps targeting such “pranks” to clip the wings of anyone over 18yo. If the pranksters haven’t figured this out they are in for a shock later on. Some of them have figured it out because they used a “fake name” in the zoom call debriefing. We all know how good an anonymous shield that is.

Race: If they are the “wrong race” they are going to get clipped fast. If they come from the “less privileged classes” it won’t be tolerated long. The District Attorney may be up for election and normally targeting any easy-to-vilify group will win votes.

re: “Sending that many bright students to jail”

They formed a Criminal Conspiracy so they aren’t all that bright to have crossed that line. We toss people into jail for things far less egregious than this.

The USA does skew laws and maybe they will luck out…

They might get job offers they can’t refuse from the NSA, GCHQ or Pick-A-LEA.

===

Search Terms

Ahmed Mohamed
clock incident

mrfox August 31, 2022 12:55 PM


… a “classroom management” software that can track everything students do, including monitor students’ screens and log keystrokes.

Wow. That’s not creepy at all.

Congrats to Mr. Duong et al on the well played prank!

lurker August 31, 2022 2:49 PM

The interesting side of this story is that a group of youngsters with the ability to perform this “prank”, also managed to muster the ethics necessary to perform it in a White Hat manner.

Dave August 31, 2022 7:47 PM

@mdebusk: Not all schools, or government departments, are automatically clueless and malicious, it could just be that they talked to clueful people about the issue and were advised to handle it magnanimously.

Some years ago a recruiter for US universities came to speak at a local (not in the US) rather prestigious and long-established school. Some of the kids hijacked the audio system and blasted Green Day’s “Don’t wanna be an American idiot” through it. AFAIK not much came of it, they took it for the prank it was.

Nick Levinson August 31, 2022 9:53 PM

Different high school and state and not IT security: Radio host Larry King told approximately this story from his own experience:

Students announced the tragic death of one of them, Moppo, and collected donations for flowers. They spent it on pizza. School, not knowing about the pizza, scheduled a school assembly to honor the deceased, complete with banner, principal, and high attendance, and honoring the students who organized the memorial, who were on the stage. N.Y. Times reporter, doing a story on a typical high school, attends. Moppo walks in, puzzled. One of the honored students shouts from the stage, “Go home! You’re dead!” Attendees turn around and figure out they’ve been had. Principal, furious, orders the organizers to his office for discipline. In the office, with the reporter present, when the principal has spoken, one organizer (not King) asks to speak. Okay. Organizer points out that the students have a right to a district hearing and that the school took the word of a class clown while Moppo’s family was on vacation and didn’t answer the phone, and tells the principal that they may be suspended but he, the principal, is out of a job. This seems to sink in with the principal. The organizer speaking proposes a different punishment and then raises a possibility about the reporter, who’s sitting in the disciplinary meeting, watching. The reporter laughs and says don’t worry about it, his editors wouldn’t believe it anyway.

Winter September 1, 2022 3:21 AM

@JonKnowsNothing

It’s not a prank. It’s a criminal invasion of a computer security system.

Intent matters in criminal law. [1]

If the intent is not to cause harm or obtain benefits, e.g., a prank, and the perpetrators executed with caution, and no harm was done, it is not necessarily a crime. [2]

If you are a legalistic country that prides itself on locking up the maximum number of people, then intent might be ignored to maximize the number of convictions. But civilized countries normally don’t lock up youngsters unnecessarily.

[1] https://legaldictionary.net/criminal-intent/

[2] Like stag party pranks involving kidnapping the groom rarely go to court.
https://www.stagweekends.co.uk/blog/nasty-pranks-to-frame-the-groom/

Petre Peter September 1, 2022 8:04 AM

I am glad that the students were not made an example of as predicted in Bruce Sterling’s The Hacker Crackdown. Kevin Mitnick was definitely a victim of that operation.

Petre Peter September 1, 2022 8:34 AM

This reminds me of another prank I witnessed in Boston’s subway (red line). The wagons all have controls in what was supposed to be a locked cabin. Some teenagers found one such cabin and broadcasted all sorts of obscenities to all passengers. Since the conductor was the only authority in the train, and he/she was busy with driving it, the prank went on for a few stops.

JonKnowsNothing September 1, 2022 9:47 AM

@ Winter

re: Intent matters IN COURT

Intent is only one factor in the complex legal system in the USA. In some countries intent is no factor at all.

ex:

The USA cops had a program to catch carjackers/car thieves. As Bait the cops planted a parked car, of high value (BMW, Mercedes etc), with a lot of high tech gadgets visible. This car also had a huge array of video surveillance and audio recording systems that could track anyone around or near the car. It also contained a number of remote control options that the Catch Team, parked not too far away in an unmarked vehicle, could control the functions of the car. The Bait Car was generally placed in a low income area and was more than successful at catching a number of Car Takers.

The video recordings showed the Car Takers casing the Bait Car, looking here and there, under the carriage, peering at it from different directions and windows. Looking around themselves, checking the short and long distance view for street traffic and pedestrians.

When the Car Taker finally decided it was safe enough, they cracked the door and got in.

This particular model of car had a key fob and button start. No need to hot wire it, although they did have Bait Cars for that too. The key fob was visible in the center console.

The next action had to do with Intent.

The Car Taker pulled their often fashionably over large hoodie sleeves down over their hands and covered them completely. Then they hit the start button, the gas and peeled out.

You can guess what happened a block away when the cops activated their remote braking system and locked the windows and doors.

So, this person gets clipped for using something that is Not Theirs. They did not break any security system, and did not rip wires out or otherwise damage anything. They accessed a $50,000-$80,000 USD vehicle.

They took advantage of a security flaw:

  • The car will not lock the doors if the key fob is inside the car.

I can assure you they didn’t get off with a HUZZAH for their Prank. They aren’t going to college and they aren’t going to get a scholarship and they aren’t going to get to present their “findings” anywhere except in a court of law.

The value of 500 desktop computers, file servers, and software is a lot more than that fancy car.

Unequal application of the law?

ymmv Theirs was about 2 blocks and 5-10 years.

Winter September 1, 2022 10:28 AM

@JonKnowsNothing

In some countries intent is no factor at all.

The USA is a country where sheriffs, district attorneys and judges are elected based on their number of convictions.

Unequal application of the law?

If justice is not blind, it is not justice. But as the US is not a Democracy but a Republic, its criminal system does not strive for justice, but for due process.

The result is 2+ million people in jail and 9+ million on some form of “parole”. The highest in the world by far.

https://eji.org/news/united-states-still-has-highest-incarceration-rate-world/

https://en.m.wikipedia.org/wiki/Incarceration_in_the_United_States

wumpus September 1, 2022 1:16 PM

@Winter “I assume any embarrassed school bureaucrats understood where his interests were located.”

School bureaucrats sufficiently intelligent to figure that out are in extremely short supply. I wonder how good the job is that such a person hasn’t left in these employment conditions.

Nick Levinson September 2, 2022 2:57 AM

@Winter & @JonKnowsNothing:

Intent in the U.S. is often misunderstood. Intent to do what is what matters.

Example: Commonly, someone who would owe no income tax and doesn’t file a tax return when they’re supposed to says they never intended to cheat the government of its money. That may be true but is irrelevant. If they knew or should have known they were supposed to file and could have filed and no one held a gun to their head and said “don’t file or I kill you” (so there’s no duress), but didn’t file, that’s all that’s needed to establish intent. They intended not to file. That’s enough for a conviction.

The law governing an offense generally specifies what must be intended.

Anonymous September 2, 2022 5:02 AM

@Nick Levinson

Intent to do what is what matters.

That is the legalistic reading. Things are more complicated (they always are).

https://www.legalmatch.com/law-library/article/criminal-liability-for-pranks.html

For example, a man decides to prank his co-worker by taking her cell phone and temporarily hiding it in a potted plant in the office.

The man would not be guilty of theft because theft requires the intent to permanently deprive the victim of their property. Since he had no intent to take the cell phone permanently, the man lacked the requisite intent to commit theft in this instance.

Clive Robinson September 2, 2022 8:50 AM

@ Winter, Nick Levinson, ALL,

Re : Intent or premeditation.

These are very jurisdictional dependent and that makes life very awkward.

The definition of “theft” is geberally to,

“Deny the owner the rights and privileges pertaining to ownership”

Note there is no intent, premeditation or time in that…

It’s why standing beside somebody else’s expensive car and chatting up a girl is technically theft as mad as that may seem it’s also technically fraud as well. What makes the difference is two fold,

1, What the jurisdiction you are in says is a crime.
2, What the jurisdiction you are from says is a crime.

So with regards that tax form, being locked up in a South American Jail does not excuse you from filling out that return, not just Federally but in the State you nominally live in.

Also “being dead” is not an excuse either… An entire estate can be confiscated because tax forms were not correctly submitted in time by executors… Oh and not knowing what is owed is not an excuse either.

There is also a classic case of somebody winning money by “card counting” and the Law Enforcement confiscated the winnings not just in their entirety but much else besides. Apparently that was insufficient excuse to stop him being chased and prosecuted by the Revenue services…

Oh and it does not matter if the money is actually owed or not… In the UK for instance the revenue can assess you and decide what you owe. There was a series of cases up in Scotland where the local Law enforcement informed the Revenue on very little or no evidence that certain people were poachers. There was no evidence sufficient to mount a civil let alone criminal case, but the Revenue assumed they were earning the equivalent of three professional level incomes despite at least one of them living in very real poverty, and gave them 90 days to pay the tax, National Insurance and a whole lot more…

Such behaviour is known as “Rights Stripping” and it is an extraordinarily abusive process, but hey “Might is Right” yes?

Winter September 2, 2022 9:05 AM

@Clive
Re: intent and taxes

Your examples all concern taxes. That is for a reason. Only tax law assumes guilt unless proven innocent.

That UK (and USA) judicial systems are dysfunctional was already known. No sane person will seek USA or UK law as the ruling law if they can in any way prevent it.

Bernie September 2, 2022 1:44 PM

@Clive
“The definition of ‘theft’ is gerbilly to,”
I wanted to do a fixed-that-for-you joke, but it isn’t working. “Gerbil-ly” became “gerbilly” which looks like “ger-billy” which doesn’t sound as funny to me.

The techwannabe September 2, 2022 2:37 PM

@JonKnowsNothing
Maybe where you are, but here in Upstate NY the opposite is true. If you’re of the “less privileged classes”(sure) you can get away with most anything.
I’m not sure what a correct answer is, but they seem to have broken the law. But, I’m not a lawyer and I don’t play one on TV.

Clive Robinson September 2, 2022 3:03 PM

@ Bernie,

“I wanted to do a fixed-that-for-you joke”

Sadly it’s “fat finger syndrome” often on the top line of the on screen keyboard.

Though how “generally” became “geberally” I guess “Is a step to the left” on the next to bottom row…

Maybe if we changed it to “Gerbil-Lily” a joke might pop up like a meerkat and do a standup show…

Mind you you could try “Ge Beer Ally” or some such as it’s Friday Evening in London and people are making their way out for a tipple or three.

But not me… I was carrying a wee bit too much shopping in the rain and my foot slipped on some wet bit of rubbish as I was hurrying, and I’ve put my back out… So I can’t sit or lie down as I get shooting pains in the legs as for standing up the legs go numb and wobbly. So no fun for me this weekend.

Bernie September 2, 2022 7:52 PM

@ Clive

Actually, it’s a jump to the left then a step to the right. To avoid falling, try carrying less so that you can put your hands on your hips. Once the slipping starts, bring your knees in tight.

Sorry to hear about that injury. I know back pain. Not fun at all. The best way for me to avoid immobilizing back pain is to avoid using my back. Even if I’m strong “enough” to do it today, I’ll be stuck in bed for next few days.

My fat fingers like to press Enter instead of ‘ or ” sometimes, sending the text message when I’ve only written half of it. Sometimes I press Shift instead of / or ? too.

Clive Robinson September 3, 2022 2:23 AM

@ Bernie,

“Actually, it’s a…”

You got the reference 😉

As for backs, yup one of my recurring minor medical problems in life, the Drs have been telling me for the past two decades or so that it is to be expected in someone my height and “long back” who has led such an active life when younger. Mind you they expected me to be in a “mobility scooter” or wheel chair or similar more than a decade ago doped to the eyeballs on opiates or the equivalent… So I have a mission in life to fail their expectations 😉 Intense physio helps when I can get it as do the exercises and walking sticks (when the rotator cuff injuries don’t play up).

Put simply I’ve worn out most of the lower spine in various ways, so I get pressure on the nerves, with the resulting pain and weakness. When I get up in the morning on a good day, I find my height to be near the six foot six and a half when I was in my early thirties before the back problems, at the end of a busy day and things are hurting then I’ve lost an inch or two. Likewise if I measure it when I’m in pain I’ve generally lost a couple of inches in height… All because the bottom of the spine compresses. Apparently there is surgery that can do things to help but when you get down to the bio-mechanics of it… No thanks.

Obviously me and my bed are quite close, as I sometimes have to spend a day or two “resting”. However one thing I’ve found gives faster relief is to “hang from the ankles” a bit. I have a wooden bed with horizontal rails as a “foot board” which I can tuck my feet under which used to be great for doing situps. If I jack up the foot of the bed with one of those devices they sell to raise beds for old folks I get a downward slope that I can use to help stretch the back a little and it gives more relief than a handful of pills (though it’s not good for the blood pressure).

Turns out although it’s not used in “Modern Western medicine” over in the far East of Europe stretching people on a weight rack is part of a recognized therapy to help build up the rings of muscles around the abdomen. It apparently works with a high success rate. It can not cure the damage, but it can help stop further degeneration by keeping the spine open.

If what I’m doing actually works or not I can not say, but I’m no longer popping pain killers “like they are Smarties” and I’m still mostly on my feet and not in a wheel chair… Though I avoid cars, curling up to get in is bad enough but the back pain starts almost immediately and the legs go “pins and needles” numb very quickly after that, so getting out can be really quite embarrassing…

What I’m not doing though is running and climbing up mountains, hiking through countryside, cycling in races or doing those many other outdoor activities I used to avidly do… Those things that help keep you sane in an otherwise whirligig modern world.

vas pup September 3, 2022 5:04 PM

Tag – hacking

How North Korean hackers keep the regime afloat
https://www.dw.com/en/how-north-korean-hackers-keep-the-regime-afloat/a-63002642

“As international sanctions increasingly isolate North Korea from global sources of finance, Pyongyang’s army of hackers is ramping up attacks on vulnerable cryptocurrency accounts around the world.

A report released in mid-August by the US-based blockchain analysis company Chainalysis suggests that hackers stole $1.9 billion (€1.9 billion) in the first seven months of this year, up significantly from the $1.2 billion in cryptocurrencies such as Bitcoin, Ethereum, or Litecoin that was taken in the same period last year.

And from the digital fingerprints left in the hackers’ wake, the company estimates that more than $1 billion of the total was stolen by “bad actors affiliated with North Korea, especially elite hacking units like Lazarus Group.”

The hackers have a number of approaches to access cryptocurrency accounts, with North Korea’s state-sponsored units presently focusing on exploiting decentralized finance protocols, it said. Also known as DeFi, this is an emerging technology in the sector that permits users to privately exchange cryptocurrencies without the need to go through an intermediary or involving public blockchains.

==>The problem [???]with DeFi protocols, analysts point out, is that they use open source code that can be studied for weaknesses and then exploited by cybercriminals.
“North Korean hackers have been extremely successful since the early 2000s, preying on South Korean users with voice phishing attacks and on local banking services, which is why Korean banks are so over the top with security in comparison with Western banks,” said the analyst, who declined to be identified for security reasons.

==>“As well as taking advantage of DeFi vulnerabilities — which the North Koreans have become very good at — another frequent tactic is spearfishing, or using social media sites under an assumed name to contact people who are in the cryptocurrency sector, opening a conversation with them, building a friendship and then asking about the technology they are working on,” Das told DW.

!!!“In many cases, they will then make an offer of a very well-paid job but ask for some evidence of the technology that the person is working on,” he said. “As soon as they have some inside information or direct access, they can send a file with malware attached and access a system.”
