Working in IT/tech for school district is the worst. My experience from many years ago - around 2002, I think:
1. First day on the job, email to boss: "Hey, the computer lab at Springfield High has a ton of known security flaws that are begging to be exploited."
2. Reply, 1 week later: "Sorry, we don't have any money for that. Just keep everything up-and-running."
3. 3 weeks later the computer lab at Springfield High got "hacked". All the computers displayed a popup window that said, "Miss Krabappel is a dyke!" (sorry for the offensive language)
4. Next day, email from boss: "The computer lab at Springfield High was hacked! Figure out how to fix this and make sure it doesn't happen again!"
5. A few days later Miss Krabappel filed to sue the school district. The local newspaper picked up the story.
6. Email from boss, in full panic mode: "I need you to figure out who hacked the computer lab at Springfield High so we can report him to the police!"
7. A week later an independent consulting firm was brought in to help identify the person behind the "hack". I heard they were paid $50K and found nothing. However, the kid got ratted out when he told all his friends. (It wasn't Bart Simpson! ;) )
8. Several weeks later: meeting to discuss working with a consulting firm that's gonna fix all the security issues because the current staff (me and my team) lacks the skills.
I 'worked' for my own high school's IT dept, a few hours a week, as a student. It was an amazing experience working with those guys. I learned so many things, from how to punch, terminate, and run cables to how to set up a Ghost image and deploy it en masse across the district.
One day one of the old macs was showing the frowny face in a in-session classroom. Boss sent me down there with specific instructions: "pull out the hard drive and beat it really hard with the handle of this screwdriver". I was like: "?" and he was like, "just do it".
So I go down there and let myself in, trying not to interrupt the class. I climb behind the computer on a cart and pull out the HD. I beat it with the handle, like a good 10 times. Of course this got the class all riled up. I blushed, but told them this was normal operating procedure. Plug it back in and it works. I was (secretly) as amazed as everyone else in the class.
Back in the IT office, I say it worked. IT boss smiles and nods. I ask how. Well as it turns out some of those old hard drives used a vegetable oil based lube that seizes up if it's not used for a while. So if you bash it it un-seizes and starts turning again.
Anyway great times, fun memories. We all got our CompTIA A+ certifications at the end, but don't ask me what IRQ number is for the parallel port these days.
> ...pull out the HD. I beat it with the handle, like a good 10 times...
Heh. Nice.
A coworker's Mac wouldn't boot. I couldn't hear the hard drive. It was a model with the tip of the spindle exposed. I found a pencil with a gummy eraser. Gave the spindle a twist as I turned the power on.
Told the amazed user, "Do not turn off your computer until after you have backed up your data. That probably won't work twice."
More likely an armature rather than a platter. Violence also worked when the drive would get stuck on a bad sector. Bashing the drive horizontally, while it was on, would sometimes move the arm enough for the drive to reacquire and hopefully not hit the same error on the next read attempt.
I did similar violence to my old HDD-based iPod. One day it just made a chugga chugga noise. Meaning the HDD was dead. In researching how to recover some music a forum member mentioned dropping it really hard. So I slammed it into my desk and terrified the office. And it continued working for the next few years.
"stiction". Well known in the Apple community in the ... late 80's/early 90's, IIRC? I want to say I remember some official Apple documentation saying to drop the machine from a few inches up in the air, but I may be misremembering.
Are you me?! This basically was my experience working for a very large school district in the early 2000's. My favorite was they asked me to train a school bus driver to be the newest member of the IT staff because "they wanted to learn computers", it also just so happened that this person was the only person their budget could afford (less than 40k/year).
I worked for them as a contractor for a while and one of the big issues they had was they had tons of money to implement new technology (mostly from grants and things like that), but nearly nothing to maintain old tech. They could buy new computers all day long, but if something needed to be repaired/updated/maintained, there was no budget or resources to do it. So there were all sorts of fun issues, like they would buy computers and before they could get deployed their warranty would expire (since they weren't allowed to buy 3 year warranties on the computers) and computers with bad HDDs would get disposed of, even though the fix might be $50 and 10 minutes of time.
That’s hilarious, at a small school our bus driver was the local it admin… 7 minutes of rainbow tables with ophcrack live cd was all it took to become domain admin.. never changed it for all 4 years lol.
The IT in my district was so bad the students basically ran it for my middle and high school. We did all the desktop repairs and component swaps for free. I don't even think we had an "IT guy." This was 2009-2014 for me.
On the bright side, we got comfortable with computers and ended up building our own little projects (in and outside of school). In 10th grade we souped up one of the engineering lab computers by consolidating a bunch of old graphics cards and played games on it, lol.
That's funny, I worked for a school district about 10 years ago and our IT director was also the transportation director. He knew nothing about IT but I guess they had to give the role to someone at one point and it was him. I think I lasted 2 years before finding my current job.
I've had an internship once at a chain of elementary schools, the main IT guy(s) at those schools were regular teachers that had computers as a hobby. I came in with a few years of school, doing some maintenance, installing some printers (really satisfying with the stick-on stuff), fiddling with the server (a workstation in a broom closet), and playing runescape / internetting in the dark, warm server room at the other location away from the main IT guy.
When I was a teacher my school IT was run as a petty fiefdom. I don’t know if it was outright maliciousness, or just extreme anxiety from the IT team lead about job security, but they were universally derided amongst staff (including some senior managers I knew) as being terrible to work with.
If I wanted to do something I would be told that there weren’t the resources. If I volunteered to be those resources — in my spare time! — I would be told it’s against policy. If I asked if we could revisit the policy I would be told I was welcome to ask the IT committee (closed door meetings, unminuted) to consider it for their agenda. Time passes. Proposal rejected.
I gave myself one term to see if we could find a working relationship. It obviously didn’t work out so I ghosted them and just did everything myself without asking, out of my own pocket. I felt like an asshole but at some point you’ve just got to move on, especially if your end goal is improving teaching and learning for the pupils.
> It obviously didn’t work out so I ghosted them and just did everything myself without asking, out of my own pocket.
In my one experience in a university, this how it’s done. Just set you own stuff up, hope you aren’t discovered and ideally have a friend high up the ranks.
> I don’t know if it was outright maliciousness, or just extreme anxiety from the IT team lead about job security
It's probably anxiety about job security/being overworked rather than maliciousness, but it could be both. It is made more complex by the likelihood that the position pays far less than comparable positions pay elsewhere. This causes the district to hire whatever candidate they can get to take the job. The outcome of that works out one of two ways: (a) the employee leaves as soon as they have enough experience to be paid more to do less work by someone else or (b) the employee stays knowing nobody else will hire them and makes sure to only hire other people who know less than they do.
> If I wanted to do something, I would be told that there weren't the resources.
You were told correctly, but probably not told just how bad it is. If it works like it worked for folks I know in similar situations, 80% of the job -- regardless of what you were hired in for or what your title is -- is fixing things that teachers/administration broke or didn't know how to use correctly. Tell them the laptop is for school business only until you're blue in the face, they'll visit every web site offering Flash games, some will surf porn sites riddled with malware and if your IT guy doesn't have a mental breakdown by then, the only thing they're spending the rest of the 20% of time on is blocking teachers/non-IT staff from doing things that they've been told, clearly, not to do. The rest is spent locking things down or softening security policies to keep teachers/non-IT staff from taking more of that 80% time.
> [Volunteering my time] is against policy.
It could be against policy, but that's probably just an excuse being used because it's effective at shutting down the request. There's a very good reason to say "no" in the IT person's mind: your volunteering will still involve their time, and if you're not as capable as you claim to be, it'll involve a lot of their time. If you're one of their users and you're claiming to know a lot about IT, you're more likely to be seen as "someone who knows enough to be dangerous"--the worst kind of user. Even if they believe you, they're confronted with the reality that you deploying/using this new "unapproved thing", will cause others to ask for it -- another teacher/staff member will want it and at some point that IT person is going to end up having to deploy it, patch it, fix it, and maintain it. You'll find this thinking prevalent in most IT support organizations -- the camel can barely walk so it's easier to say "No" and hopefully keep it that way than say "yes" and add enough load to the break its back.
> I gave myself one term to see if we could find a working relationship.
I feel your pain. I'm not sure what you've tried and you could very well have just run into a BOFH but assuming this IT person is typical of those I've worked with when I did this work, there are some options. You may have tried these -- it's not meant as "well, you obviously approached this all wrong" but rather advice for others on what I have personally seen work (and had work on me when I did this sort of work, albeit a long time ago).
For anyone in a similar situation, there are a few ways to "hack your IT person". It's nothing magical and can be applied well beyond IT folks, but I'm aiming at folks in this conundrum. While I've not worked for a school district, I spent the first 10 years of my career in several levels of support/systems and ultimately architecture with the first few being similar to the whole "small IT with too many users who hate IT[2]". First, understand what their motivation is -- less support, more time to improve/architect (or play WoW ;) ...). If you have the expertise, approach that person and "talk shop" -- don't reveal that you "have skills", just ask a question or two in an area that teachers/staff often know little about, or go with a simple "I wouldn't do what you do ... all these teachers, many of whom haven't touched a keyboard that wasn't on their phone since 2010 or so ... it's got to be hell". If you can get them to tell a "war story" or two you'll probably find a few opportunities to say something that will reveal that you have somewhat of a clue what you're talking about. Do this outside of work, on their schedule -- Happy Hour or off-site lunch (not often possible during the school day due to time).
If things go well, say something like "I can't imagine how you get anything done with such a computer illiterate staff to babysit (aligning yourself with IT over said staff) ... I'm happy to help out anywhere I can if you can think of something I can do to reduce that grief[0]" This IT person spends their work life dealing mostly with people who are unhappy about things that are broken and the staff they support place blame for those breakages, not the resolution, at their feet[1].
You're now in the magical role of "the teacher who believes IT isn't incompetent." If you are received well, make your ask. Make it very limited -- if you need to be an admin of your laptop, insist that it be temporary and that you'll call the IT person when you are done (offer to let them watch if they want. They won't). Insist that you'll not let people know IT made an exception and will provide the required excuse if someone notices you're running something they can't: usually "IT doesn't know about it" is settled on. Maybe it's something you want every teacher to have -- don't dare explain that, and if you have to, outright lie: "I'm not interested in seeing the district adopt this, I just want to use it myself." You're not shooting your grand plans in the foot, you're giving yourself time to provide hard facts/evidence to make the case that it should be deployed. If it works out well, start planting the seeds with your IT person: "I really love this application, thanks for letting me use it on my school laptop ... what do you think the support overhead for something like this would be if every teacher had it?" ... listen to their concerns, find answers to each of them, revisit the topic. Your IT person is used to management (administration in schools) saying "this is what we need on every PC" without care for what amount of work/grief IT will deal with to sort it out. Administration doesn't care about IT griping very much -- it's seen as IT, "yet, again", complaining about having to "do work" and treating completely reasonable (in their minds) requests as though they're equivalent to scaling Mount Everest. If you have the data from your unofficial pilot to back you up, and the right person in IT (at least) not working against you, and other financial considerations/contracts aren't in the way, you'll be successful. If you're successful and your project works, the next time you may not have to ask at all.
Your IT person makes just as many judgements about you and their users as they make about IT but there's a lot more of you than their are IT folks. Having an ally/expert among the "clueless users" has a much higher value to your IT person than having that person as your ally does for you, even if it doesn't seem that way[1--(again)].
[0] How much time is IT spending doing "Help Desk" kind of support for everyone outside of IT (regardless of title/responsibilities the IT person was hired in for)? It's probably 80% "User Support" and 20% "everything else" which means all of the effort put into "everything else" centers around reducing how often teachers have to take time away from IT. Your offer, if its trusted, will reduce that burden at no cost to the IT person. Don't make that promise if you're not willing to do it, but it's unlikely anything will be asked of you.
[1] In the "Game of IT Support" (or it's variants: "The Game of Network Security Administration", etc), you can never have a score greater than "Zero". Zero is "everything works". When something breaks, you lose points. When you fix it, you gain points up to (but not always) your top score of "Zero". Roll out massive new infrastructure for WiFi? You're at Zero (or less since it probably won't work as conveniently as it does at home). You're an expense who's purpose it is to make things operate the way everyone expects they're designed/intended/meant to work. They also expect that you (IT) shouldn't be necessary -- these things should just work like my router/PC/internet service at home works and shouldn't require so much "policy" to "avoid doing things".
[2] While I was still living with my parents, my neighbor referred me to the IT job -- he was in Development. I'll never forget when my Dad called me up asking "why is IT (where I worked) at (company) so bad?" after listening to my neighbor berate my company's IT operations teams (never me, specifically). We were so hated. By everyone, especially non-Support IT. That was an impossible conversation to have.
When I engaged in `net send` shenanigans at the local community college, at least the IT staff was smart enough to know where to scramble a runner whenever those dialog boxes popped up across campus.
"ALL YOUR BASE ARE BELONG TO US" was quite the meme then, but apparently they thought it was some form of cyber-terrorism.
I haven’t thought of net send in years. Circa 2000 I worked at Cisco and added some javascript to my profile in the corporate directory that sent me a net send message with the hostname of the computer that viewed my profile. At that time the hostname usually included the employees username, so I had a nice heads up that somebody was looking me up.
I should have left it at that, but Ingot cheeky and also did a net send back to the origin saying something like “thanks for your interest in onionisafruit”. That got escalated and I was threatened with disciplinary action. It didn’t occur to IT that they shouldn’t allow arbitrary script tags in user profiles. The best response was just to threaten the people who were creative with what they were given.
When I had my net send fun back in school, an IT guy found me and just explained that if it becomes a recurring thing, they'll have to disable it on the network. And that they would prefer to keep the functionality available, so it would be a real shame if I ruined that for them. I never did another one, because I understood it would be a dick move.
No condescension, no threats. Just treating me like an adult with a constructive conversation. It never occurred that anyone might overreact like many in this thread experienced. Makes me feel pretty fortunate now.
O mannn I was suspended from HS, and banned for 2 years from touching school computers for net send shenanigans as I wasn't smart enough to cloak the originating workstation.
My message to every single computer in our HS:
"Hey what's up!"
my friend added to this:
"Your network (H:/) drive is being deleted."
School administrators and teachers did not find this funny.
Wow, almost the exact same thing happened to me and I was thrown out of that school, mainly for using another students account to send the base message.
School districts absolutely love consultants. Because they have to make difficult decisions, and they can hide behind a consultant. Its part of the bureaucracy survival suite.
They always have the money. They just don't care about doing things properly. It simply isn't a priority for them.
Makes me feel good when someone comes and exploits their negligence. It's like divine retribution and they're doing god's work. They tempt fate and the gods punish them by making them pay more than they would have paid had they done things right. Amazing.
I got two Saturday detentions for finding that same tool (also ~2002) - though I just typed “Hi” and hit send - to everyone on the school network.
I of course didn’t really know what I was doing. Looking back, this was a very strange punishment. Jokes on them I guess - left Oklahoma after HS and am now a software engineer in the Bay Area.
If only we could have reframed our approach to these situations.
Provided what was sent/defaced/etc wasn't hate speech or punching down on someone else, we should have really used these events as flags for identifying kids who could hone their computer skills into something "productive".
This is not unique to school districts at all, but any organisation, large or small, that treats IT/tech only as a necessary inconvenience, instead of an actual part of the org deserving of resources, planning, and people.
If you work in tech/IT, and the big bosses consider you and your org disparagingly, leave immediately. Something bad will happen with their IT, and you will be blamed, hassled, and harrassed for it.
People respond to incentives, and "fast-to-react" is easier to measure than "wisely proactive" in at least two ways. First, the risk is no longer theoretical; the damage was measured. Second, the fix is easy to measure: spend $X dollars on Y firm on date Z. This is all nice, easy to understand evidence of a manager doing their job.
Alternatively, you have staff pointing out a possible flaw. That staff's time was already allocated; their noticing a flaw is a) taking time away from their allocation, and b) tacitly critical of decisions made above their pay grade. And even if they are right, the manager won't get credit for prevention, and in fact will get punished for "wasting" resources in an ad hoc way, rather than what they were acquired for.
It is depressing in the extreme to work for such an organization, and you were right to quit, because over time these perverse incentives will start to shape you whether you like it or not. The very idea of owning your work, of caring about real-world outcomes, becomes anathema as a matter of survival. You have to exist, along with your org, in a checking-the-boxes, don't-notice-what-you-aren't-paid-to-notice, mode. It's safe and comfortable for the body; it is deadly to the soul.
I loved working IT for a school district. My favorite memory/story is the time a woman called the cops on me for talking on my cellphone in the parking lot. lol
My first thought: Your district had an IT department? I guess that's probably more common now than when I went to HS in the 90s but I'm fairly certain IT duties are still farmed out to a small business for the districts I live near.
Outside of that, though, I've talked to folks who worked in IT at a nearby hospital[0] and knew several who worked in IT at a University a town over and heard variations of your story. After ransomware hit a few hospitals across the country, my hope is that this is less common but I'd be surprised if anything is meaningfully better.
The problem with getting non-technical people to understand the importance of securing things is that they assume that everything provides a basic level of security. They read about hacks/attacks and hear about them on the news but they have probably not experienced one, personally[1]. They apply physical security considerations to the virtual world -- for instance, the keys you use to lock your front door are almost certainly terrible[2] but requiring physical access to the lock makes attacks on them rare. And that's the rub, it's the mistake in thinking that "Nobody cares about my stuff enough to hack me" which is the evidence used to justify the "it's never going to happen to me". It's a failure to understand that even if it were true that an attacker would literally have no use for anything you're protecting with a password (which is absolutely false -- your identity is enough) that another target will be chosen ahead of you[3]. On the internet, every target can be attacked at once, silently, from a distance and targets are chosen based on whether or not the attack succeeds.
In a High School, you can fully expect there's at least one of me in every graduating class. I'm surprised things like this don't happen all the time given how little attention is paid to network security/endpoint security in these places. No amount of threats of expulsion, legal action, etc will serve to help when your attackers are High School students[4]. The same part of their brain that makes them believe they're immortal/causes irresponsible behavior early-on in driving causes them to not understand the real probability that they will face criminal charges which is coupled with them not fully understanding how badly those criminal charges will affect the rest of their lives.
[0] The discussion arose after he had watched Season 1 of Mr. Robot and said "that's exactly how it is here except we have a (technical) staff of two rather than one"
[1] I can't tell you how many extended family members have shared that they still use a single password for every account and in a few cases, that password might as well be a variation of "Password".
[2] I have a close friend who learned how to pick locks as a hobby; he filed me off a bump key and taught me how to use it, whacking it with a branch of a tree; I was able to open my supposedly "extra secure" dead bolt pretty consistently with about 15 minutes of practice, he's picked each of my locks at one time or another.
[3] The old "You can't outrun the bear, but if you and your friend are being chased by the same bear, you only need to outrun your friend".
[4] I used to tell my kids that our High School not only had no doors in the stalls of the mens room, there had never been any doors designed into the plan. The partitions were brick, there were no holes, anywhere, where doors had been removed. I figured this was to make it easier to catch kids smoking but while fixing his PC, I asked the principal about it. His answer was "vandalism" -- students would rip them out. Reallt?! I couldn't imagine this. Fast forward to this year, the doors on the stalls at my kid's HS were ripped out by students during the first week of class. The kids were caught, criminally charged and had to pay for the damage. Their reason? They saw someone do it on TikTok and didn't think they'd get caught (there are 2 dome cameras at the entry to each bathroom!). Despite paying for the damage, the doors are not coming back this year -- I'd wager they'll never come back.
Reminds of me my school leaving prank. I rewrote the whole internet on my school's computers. Google's logo became "Leavers '08", Facebook became "Hatebook" and was red, YouTube only played videos of cats, amongst other things.
These were the days when nothing had SSL, so you could just intercept and rewrite traffic!
My only requirement was: do no actual damage
It was implemented as a Debian live CD that you could drop into any school computer. It would boot up, then Ettercap would MITM the whole network by spoofing the router. It routed all HTTP traffic via Squid and a custom ICAP server that did the actual rewriting. If you removed the live CDs, the network just went back to normal within a couple of minutes.
Routing the whole school's network through one old Pentium machine wouldn't work though, so I figured out a way of doing distributed load balancing: it would do the ARP spoofing slowly and randomly. So, as you added more machines, it would just magically balance between them.
It worked great for about an hour then whole network mysteriously stopped working for the rest of the day. I left all the live CDs in the computers as a calling card.
Unless you had a special case for the hijacking machines to ignore the spoofed ARPs, the whole thing probably fell apart when they ended up with a loop between each other rather than a path to the real gateway.
Oh, yeah. That's a very good point. That's probably why it stopped working. I always thought the network admins pulled the plug assuming they'd been hacked.
Used to be that Windows allowed programs to hook into each others’ event busses. (It might still, I’m not sure.) This might be why a few of my Highschool’s computers would interpret every 5th right click in minesweeper as a left click
I ran into a fun bug in W10 where my arrow keys were moving the mouse cursor around. Turns out MS Paint does this as a feature and somehow it leaked beyond Paint.
Yup, you can still do that. AutoHotkey is a wonderful tool for this. You can intercept input events globally, and transform them or send completely different events to the target app.
For example, I use AutoHotkey to implement my JKLmouse program, which turns certain keyboard events into mouse movement for precise control. It's similar to the MouseKeys that comes with Windows, but made for laptop keyboards without numeric keypads.
And yes, you could definitely do that Minesweeper hack in AutoHotkey! :-)
Wow, somehow that use of random and slowly ARP proxying as a duct-taped together load balancing mechanism makes this so much cooler.
I'm not sure I quite understand the details, though. I assume there was only one gateway for the segment, so were the spoofed ARP replies unicast instead of broadcast? Otherwise, wouldn't all clients just switch to whatever machine announced their spoof for the gateway IP last?
This was 13 years ago so my memory is fuzzy... if I recall correctly, spoofed ARP replies were unicasted to every possible address on the network. It switched from machine to machine slowly, which is fine because they all served the same content.
There were several subnets at the school, each with its own gateway. I remember having to set up live CDs in several computer labs to cover each of the subnets.
Hypothetically it could happen and even if it isn’t true, I feel it adds something to the conversation. Besides, you cited as many sources as they did.
I did some similar shenanigans when in 10th grade, with backtrack 3 and ettercap-ng it was pretty easy. I didn’t do the load balancing, and ended up crashing the network when my laptop couldn’t keep up lol.
I'm less skeptical. OP already mentioned that most things were not encrypted back then, so this was probably still in the days of transparent proxies, so OP could have "just" added one with some ARP spoofing. They were somewhat common in school and office networks, and like regular HTTP proxies (except the transparent ones had the traffic redirected forcefully to them) they essentially consumed HTTP requests and sent new ones out to The Internet. While mostly used for caching and blocking, it seems relatively simple to me that OP could have just replaced e.g. some stylesheets served back to the client.
Three things are remarkable about this, and make it a happy story.
First, that the pranksters were so egregiously responsible in the way they went about it. They avoided disrupting any actual educational activities; it was meant to be harmless fun, not vandalism. No harm came to anything here.
Second, that they documented their findings to the administration as part of the action, including recommendations for improvements.
Third, the administration took this as exactly that: a harmless prank by smart, ethical kids who ALSO did them a favor by pointing out the vulnerabilities. If the admin had a panicked fit about this, they could have made it an ugly situation.
My educational experience was populated far more by "freak out and yell" types than this school district, which was a shame.
The school district itself was relatively chill, however the individual deans freaked out. Because the penetration report was sent to the tech team and not the deans, the deans were intent on finding out exactly who did the hack to find something to report to their bosses (and according to them concern about the grade book system being exposed?? Not sure how you’re supposed to rick roll a grade book but if anyone has an idea i’d love to know). As the earliest poster of footage of this event, I actually got tracked down (despite the fact that the only information they had to go off of was my youtube channel which had no references to my actual name whatsoever) and interrogated about what I knew of the event by the dean. The penetration report had been sent a while prior to this (which I knew about, as being a sibling of the original blog poster can have many benefits) which made the entire thing so much funnier. I was thankful that masks were a requirement for in person students at the time, as my mouth was literally twitching the entire time during the interrogation.
In our high school they didn't expose the gradebook in that you could get in and change it, but we were able to see everyone else's grades. Teachers would post grades for their class and "obscure" it by posting it with the student ID (you were only supposed to know your own) next to the grade. But when the posted, the entire list was still in alphabetical order so it wasn't hard to figure out everyone's grade and student ID.
And the cherry on top of this was that all the students' passwords were their student ID.
>and according to them concern about the grade book system being exposed??
Junior year in high school, I got suspended for "hacking."
The tl;dr is that I was using a proxy to fetch assignments for class (because the county decided "yeah, this state run Moodle instance is obviously not appropriate for education" and one of my classes used Moodle) and got caught with the proxy configuration screen open. I wish I was joking.
Anyway, when I was sitting in the guidance counselor's office as the teacher was talking up how "dangerous" I was, I noticed a sticky note with a username and password written on it. Turns out it was an admin account for the gradebook, though I think it was just intended for scheduling.
I never did anything bad with those credentials, but that really tanked what little respect I still had for the administrators there.
On a lighter note, when stack exchange & co got blocked the next year, I was good friends with the librarians since I helped out a fair amount fixing up their laptop carts (and doing other things the sysadmins were too busy to take care of), and they were able to get them unblocked. It taught me a lot about office politics: people are willing to return favors, so you should always make those connections.
> espite the fact that the only information they had to go off of was my youtube channel which had no references to my actual name whatsoever
Assuming you took the video at the top of the article, it was presumably trivial to figure out who was in the class you were in and then rule out everyone who appears on camera as the camera man. Or just ask the teacher...
For contrast, I once got suspended from the school computer labs for two weeks for the heinous crime of... running an unauthorized executable from a flash drive.
It was Rainmeter; I was showing it to a friend. The IT guy even was like "yeah Rainmeter's pretty cool, I read about it in a magazine". But it was auto-detected and school policy, apparently.
Preface this by saying this was a smaller school, and the students had limited access to wifi. For example a teacher would create a set of radius credentials that would only be active for 1 hour. Since data was also expensive that was not an easy work around.
In my grade 11 electronics class, one project we were assigned was to create a digital clock with notifications for one of the teachers. Me and a friend set up a raspberry pi with magic mirror installed on it, and modified some available plugins at the time to allow a google calendar for test dates embedded on the display. The teacher was quite pleased with this, but we convinced him to hard wire it to the network for "stability". In the background we had installed a vpn connection to one of my vps that I used to host my website, and created a new set of sudo enabled credentials naming it magic-mirror or something. The teacher then reviewed the project and changed the normal user credentials etc. Then right before it was installed in the ceiling, we attached a wifi adapter to the pi. A week or so later we remoted in through the tunnel and enabled a wireless hotspot from the pi. This provided us with internet while we were close to the classroom for the next year. People also over time learned that you could extend the range by hot spotting additional jumps using laptops.
Nice! I used to carry around a wireless router in my backpack for the same reason, and made sure to surreptitiously plug it in at the back of every class. Similarly, the school had very restricted WiFi, but no restrictions on the wired network. Fun times.
When I was in High School (early 90's) we got a new computer system that nobody was using yet. I discovered there was an email system of some kind and that every student had an email address that we were not told about. I also discovered Tetris installed in a directory on the server. I was able to play Tetris and I could show other students how to access it, but it was inconvenient to get to.
Therefore I decided I would email Tetris to every student (I emailed the executable, not a link to Tetris), making it easier for everyone to play also. As soon as I did this the entire system got very slow...apparently the server had no quotas or partitioning and the hundreds of copies of Tetris filled up 100% of the hard drive space. It was a disaster. The computer "specialist" had no idea how to fix the system and she was teaching an adult education class that evening that required the system to work. She was furious and wanted me to get suspended. It didn't happen though because I spoke up about the problem right when I knew there was a problem and also some other teachers intervened on my behalf.
The woman who was responsible for the computer system back then is now the superintendent of the school system. I wonder if she remembers me.
I also graduated in the early 90's and my children recently graduated from my alma mater. When I went with them to teacher conferences some of the same teachers were still there. Teachers that I didn't even have classes with remember me.
In like '89 when I was 19 and at university my work-study job was with the IT/ComputingResources department (old names). I worked as a graveyard shift NOC operator swapping tapes and handing out print-jobs, running system tests and stuff like that. We had several 24/7 computer labs full of Sun 3/50(60) workstations and things like that. But there was one lab that was closed from 10-5 overnight and I thought to myself "hey, there's a whole room of workstations not doing anything" so I wrote some scripts rsh/NFS and used that lab one night to run distributed ray-tracing jobs. The next day my account was disabled and I had to go talk to Security. They sorta laughed a bit then went like NO don't do that. I worked for the IT department for the next four years. Then I left for a decade. Then I came back and applied for a job. The interview lasted all of five minutes, I worked for a few months before being forcibly promoted up into the upper circle. My first task was to go around to the dozen others who had root and ask for advice and update the root-speech documentation. I got to Security.... tippity tappity "Oh, hello Mr. zengargoyle, let's see... '89 'misuse of computing resources'." LOL, still had root by the end of the day.
So, this is just to say... that places like education where people may stick around for a long while in the system and such. They probably do remember a bunch of events from even a decade ago. It's the good places that have a sense of humor or appreciation for a worthy harmless infraction. They may even be secretly proud or have some admiration.
Though I do sorta fear that I just happened to hit the tail end of old-school hackery where such things are such things are rewarded. Now get off my lawn.
I feel so dumb when I read kids doing these things. Back in High School all I knew was how I could run arbitrary executable files by renaming them to calc.exe. We also did the classic "take a screenshot of the desktop, set it as the wallpaper, then remove all icons and the start menu" thing.
Another good one on that level was using the Windows keyboard shortcut ctrl-alt-down to rotate the display upside down - totally harmless, but absolutely maddening if you don’t know how to undo it
Even better if you combined it with an upside down screenshot of the desktop. So it looked like only the mouse was upside down and all buttons didn't work.
I told a friend who knew absolutely nothing about computers to go and type format c: on the school only computer and wait for the result. It turned a bit ugly but we're still friend :)
I went to Buffalo Grove High School in this same district and graduated many years ago. At the time no IPTV systems or EPIC bell systems were in place. However, as soon as I walked in my freshman year I noticed the 'teacher' WiFi was only using MAC Address Filtering. One minute scan and a spoof later I was poking around to discover a whole lot was visible from this privileged network. “...From the results, we found various devices exposed on the district network. These included printers, IP phones... and even security cameras without any password authentication!” It was even worse back then. It was all exposed on wide open WiFi!
My senior prank was going to revolve around the printers. We were shocked to discover every printer not just in BG but across the entire district was accessible with no authentication of any kind. We cooked up ideas and were planning to print either porn or I has cheezburger/lolcat memes via telnet (I'm dating myself.)
Ultimately I got into other trouble before we could execute and figured this wasn’t worth not graduating over. I moved on and so happy to see a much better prank on this same network happen so many years later with almost no repercussions. Congratulations and great prank!
In middle school all classrooms had their own printer. They were also shared on the entire school network with no security. We had a lot of fun printing stuff to other classes and never got caught.
I’ve said this a bunch on here so please tell me to stuff it if it’s tiresome, but having been on the far side of a large scale bug bounty i am incredibly impressed with the skills that young folks are developing in infosec. Probably not particularly unique but the industry is still a bit of a combination of tradecraft and academic pursuit and can be confusing for people to find a way in. I think this is why i really appreciate those that just bear down and get after it.
Readit News
1. First day on the job, email to boss: "Hey, the computer lab at Springfield High has a ton of known security flaws that are begging to be exploited."
2. Reply, 1 week later: "Sorry, we don't have any money for that. Just keep everything up-and-running."
3. 3 weeks later the computer lab at Springfield High got "hacked". All the computers displayed a popup window that said, "Miss Krabappel is a dyke!" (sorry for the offensive language)
4. Next day, email from boss: "The computer lab at Springfield High was hacked! Figure out how to fix this and make sure it doesn't happen again!"
5. A few days later Miss Krabappel filed to sue the school district. The local newspaper picked up the story.
6. Email from boss, in full panic mode: "I need you to figure out who hacked the computer lab at Springfield High so we can report him to the police!"
7. A week later an independent consulting firm was brought in to help identify the person behind the "hack". I heard they were paid $50K and found nothing. However, the kid got ratted out when he told all his friends. (It wasn't Bart Simpson! ;) )
8. Several weeks later: meeting to discuss working with a consulting firm that's gonna fix all the security issues because the current staff (me and my team) lacks the skills.
9. About 6 months later, I quit.
One day one of the old macs was showing the frowny face in a in-session classroom. Boss sent me down there with specific instructions: "pull out the hard drive and beat it really hard with the handle of this screwdriver". I was like: "?" and he was like, "just do it".
So I go down there and let myself in, trying not to interrupt the class. I climb behind the computer on a cart and pull out the HD. I beat it with the handle, like a good 10 times. Of course this got the class all riled up. I blushed, but told them this was normal operating procedure. Plug it back in and it works. I was (secretly) as amazed as everyone else in the class.
Back in the IT office, I say it worked. IT boss smiles and nods. I ask how. Well as it turns out some of those old hard drives used a vegetable oil based lube that seizes up if it's not used for a while. So if you bash it it un-seizes and starts turning again.
Anyway great times, fun memories. We all got our CompTIA A+ certifications at the end, but don't ask me what IRQ number is for the parallel port these days.
Heh. Nice.
A coworker's Mac wouldn't boot. I couldn't hear the hard drive. It was a model with the tip of the spindle exposed. I found a pencil with a gummy eraser. Gave the spindle a twist as I turned the power on.
Told the amazed user, "Do not turn off your computer until after you have backed up your data. That probably won't work twice."
Good times.
Our education system is amazing ;)
More likely an armature rather than a platter. Violence also worked when the drive would get stuck on a bad sector. Bashing the drive horizontally, while it was on, would sometimes move the arm enough for the drive to reacquire and hopefully not hit the same error on the next read attempt.
Deleted Comment
I worked for them as a contractor for a while and one of the big issues they had was they had tons of money to implement new technology (mostly from grants and things like that), but nearly nothing to maintain old tech. They could buy new computers all day long, but if something needed to be repaired/updated/maintained, there was no budget or resources to do it. So there were all sorts of fun issues, like they would buy computers and before they could get deployed their warranty would expire (since they weren't allowed to buy 3 year warranties on the computers) and computers with bad HDDs would get disposed of, even though the fix might be $50 and 10 minutes of time.
On the bright side, we got comfortable with computers and ended up building our own little projects (in and outside of school). In 10th grade we souped up one of the engineering lab computers by consolidating a bunch of old graphics cards and played games on it, lol.
If I wanted to do something I would be told that there weren’t the resources. If I volunteered to be those resources — in my spare time! — I would be told it’s against policy. If I asked if we could revisit the policy I would be told I was welcome to ask the IT committee (closed door meetings, unminuted) to consider it for their agenda. Time passes. Proposal rejected.
I gave myself one term to see if we could find a working relationship. It obviously didn’t work out so I ghosted them and just did everything myself without asking, out of my own pocket. I felt like an asshole but at some point you’ve just got to move on, especially if your end goal is improving teaching and learning for the pupils.
In my one experience in a university, this how it’s done. Just set you own stuff up, hope you aren’t discovered and ideally have a friend high up the ranks.
For anyone in a similar situation, there are a few ways to "hack your IT person". It's nothing magical and can be applied well beyond IT folks, but I'm aiming at folks in this conundrum. While I've not worked for a school district, I spent the first 10 years of my career in several levels of support/systems and ultimately architecture with the first few being similar to the whole "small IT with too many users who hate IT[2]". First, understand what their motivation is -- less support, more time to improve/architect (or play WoW ;) ...). If you have the expertise, approach that person and "talk shop" -- don't reveal that you "have skills", just ask a question or two in an area that teachers/staff often know little about, or go with a simple "I wouldn't do what you do ... all these teachers, many of whom haven't touched a keyboard that wasn't on their phone since 2010 or so ... it's got to be hell". If you can get them to tell a "war story" or two you'll probably find a few opportunities to say something that will reveal that you have somewhat of a clue what you're talking about. Do this outside of work, on their schedule -- Happy Hour or off-site lunch (not often possible during the school day due to time).
If things go well, say something like "I can't imagine how you get anything done with such a computer illiterate staff to babysit (aligning yourself with IT over said staff) ... I'm happy to help out anywhere I can if you can think of something I can do to reduce that grief[0]" This IT person spends their work life dealing mostly with people who are unhappy about things that are broken and the staff they support place blame for those breakages, not the resolution, at their feet[1].
You're now in the magical role of "the teacher who believes IT isn't incompetent." If you are received well, make your ask. Make it very limited -- if you need to be an admin of your laptop, insist that it be temporary and that you'll call the IT person when you are done (offer to let them watch if they want. They won't). Insist that you'll not let people know IT made an exception and will provide the required excuse if someone notices you're running something they can't: usually "IT doesn't know about it" is settled on. Maybe it's something you want every teacher to have -- don't dare explain that, and if you have to, outright lie: "I'm not interested in seeing the district adopt this, I just want to use it myself." You're not shooting your grand plans in the foot, you're giving yourself time to provide hard facts/evidence to make the case that it should be deployed. If it works out well, start planting the seeds with your IT person: "I really love this application, thanks for letting me use it on my school laptop ... what do you think the support overhead for something like this would be if every teacher had it?" ... listen to their concerns, find answers to each of them, revisit the topic. Your IT person is used to management (administration in schools) saying "this is what we need on every PC" without care for what amount of work/grief IT will deal with to sort it out. Administration doesn't care about IT griping very much -- it's seen as IT, "yet, again", complaining about having to "do work" and treating completely reasonable (in their minds) requests as though they're equivalent to scaling Mount Everest. If you have the data from your unofficial pilot to back you up, and the right person in IT (at least) not working against you, and other financial considerations/contracts aren't in the way, you'll be successful. If you're successful and your project works, the next time you may not have to ask at all.
Your IT person makes just as many judgements about you and their users as they make about IT but there's a lot more of you than their are IT folks. Having an ally/expert among the "clueless users" has a much higher value to your IT person than having that person as your ally does for you, even if it doesn't seem that way[1--(again)].
[0] How much time is IT spending doing "Help Desk" kind of support for everyone outside of IT (regardless of title/responsibilities the IT person was hired in for)? It's probably 80% "User Support" and 20% "everything else" which means all of the effort put into "everything else" centers around reducing how often teachers have to take time away from IT. Your offer, if its trusted, will reduce that burden at no cost to the IT person. Don't make that promise if you're not willing to do it, but it's unlikely anything will be asked of you.
[1] In the "Game of IT Support" (or it's variants: "The Game of Network Security Administration", etc), you can never have a score greater than "Zero". Zero is "everything works". When something breaks, you lose points. When you fix it, you gain points up to (but not always) your top score of "Zero". Roll out massive new infrastructure for WiFi? You're at Zero (or less since it probably won't work as conveniently as it does at home). You're an expense who's purpose it is to make things operate the way everyone expects they're designed/intended/meant to work. They also expect that you (IT) shouldn't be necessary -- these things should just work like my router/PC/internet service at home works and shouldn't require so much "policy" to "avoid doing things".
[2] While I was still living with my parents, my neighbor referred me to the IT job -- he was in Development. I'll never forget when my Dad called me up asking "why is IT (where I worked) at (company) so bad?" after listening to my neighbor berate my company's IT operations teams (never me, specifically). We were so hated. By everyone, especially non-Support IT. That was an impossible conversation to have.
When I engaged in `net send` shenanigans at the local community college, at least the IT staff was smart enough to know where to scramble a runner whenever those dialog boxes popped up across campus.
"ALL YOUR BASE ARE BELONG TO US" was quite the meme then, but apparently they thought it was some form of cyber-terrorism.
His punishment was community service, and the service was having to be basically an intern for the school IT guy. Smart administration, really.
I should have left it at that, but Ingot cheeky and also did a net send back to the origin saying something like “thanks for your interest in onionisafruit”. That got escalated and I was threatened with disciplinary action. It didn’t occur to IT that they shouldn’t allow arbitrary script tags in user profiles. The best response was just to threaten the people who were creative with what they were given.
No condescension, no threats. Just treating me like an adult with a constructive conversation. It never occurred that anyone might overreact like many in this thread experienced. Makes me feel pretty fortunate now.
My message to every single computer in our HS:
"Hey what's up!"
my friend added to this:
"Your network (H:/) drive is being deleted."
School administrators and teachers did not find this funny.
They always have the money. They just don't care about doing things properly. It simply isn't a priority for them.
Makes me feel good when someone comes and exploits their negligence. It's like divine retribution and they're doing god's work. They tempt fate and the gods punish them by making them pay more than they would have paid had they done things right. Amazing.
I of course didn’t really know what I was doing. Looking back, this was a very strange punishment. Jokes on them I guess - left Oklahoma after HS and am now a software engineer in the Bay Area.
Provided what was sent/defaced/etc wasn't hate speech or punching down on someone else, we should have really used these events as flags for identifying kids who could hone their computer skills into something "productive".
If you work in tech/IT, and the big bosses consider you and your org disparagingly, leave immediately. Something bad will happen with their IT, and you will be blamed, hassled, and harrassed for it.
Alternatively, you have staff pointing out a possible flaw. That staff's time was already allocated; their noticing a flaw is a) taking time away from their allocation, and b) tacitly critical of decisions made above their pay grade. And even if they are right, the manager won't get credit for prevention, and in fact will get punished for "wasting" resources in an ad hoc way, rather than what they were acquired for.
It is depressing in the extreme to work for such an organization, and you were right to quit, because over time these perverse incentives will start to shape you whether you like it or not. The very idea of owning your work, of caring about real-world outcomes, becomes anathema as a matter of survival. You have to exist, along with your org, in a checking-the-boxes, don't-notice-what-you-aren't-paid-to-notice, mode. It's safe and comfortable for the body; it is deadly to the soul.
I remember getting yelled at for changing the display resolution and typing a few commands in DOS to change file names quickly.
Computers were never up to date of course, we had cathodic displays up to 2010.
That email chain could be used to prove that you did what you could before the incident. If you were so inclined.
Outside of that, though, I've talked to folks who worked in IT at a nearby hospital[0] and knew several who worked in IT at a University a town over and heard variations of your story. After ransomware hit a few hospitals across the country, my hope is that this is less common but I'd be surprised if anything is meaningfully better.
The problem with getting non-technical people to understand the importance of securing things is that they assume that everything provides a basic level of security. They read about hacks/attacks and hear about them on the news but they have probably not experienced one, personally[1]. They apply physical security considerations to the virtual world -- for instance, the keys you use to lock your front door are almost certainly terrible[2] but requiring physical access to the lock makes attacks on them rare. And that's the rub, it's the mistake in thinking that "Nobody cares about my stuff enough to hack me" which is the evidence used to justify the "it's never going to happen to me". It's a failure to understand that even if it were true that an attacker would literally have no use for anything you're protecting with a password (which is absolutely false -- your identity is enough) that another target will be chosen ahead of you[3]. On the internet, every target can be attacked at once, silently, from a distance and targets are chosen based on whether or not the attack succeeds.
In a High School, you can fully expect there's at least one of me in every graduating class. I'm surprised things like this don't happen all the time given how little attention is paid to network security/endpoint security in these places. No amount of threats of expulsion, legal action, etc will serve to help when your attackers are High School students[4]. The same part of their brain that makes them believe they're immortal/causes irresponsible behavior early-on in driving causes them to not understand the real probability that they will face criminal charges which is coupled with them not fully understanding how badly those criminal charges will affect the rest of their lives.
[0] The discussion arose after he had watched Season 1 of Mr. Robot and said "that's exactly how it is here except we have a (technical) staff of two rather than one"
[1] I can't tell you how many extended family members have shared that they still use a single password for every account and in a few cases, that password might as well be a variation of "Password".
[2] I have a close friend who learned how to pick locks as a hobby; he filed me off a bump key and taught me how to use it, whacking it with a branch of a tree; I was able to open my supposedly "extra secure" dead bolt pretty consistently with about 15 minutes of practice, he's picked each of my locks at one time or another.
[3] The old "You can't outrun the bear, but if you and your friend are being chased by the same bear, you only need to outrun your friend".
[4] I used to tell my kids that our High School not only had no doors in the stalls of the mens room, there had never been any doors designed into the plan. The partitions were brick, there were no holes, anywhere, where doors had been removed. I figured this was to make it easier to catch kids smoking but while fixing his PC, I asked the principal about it. His answer was "vandalism" -- students would rip them out. Reallt?! I couldn't imagine this. Fast forward to this year, the doors on the stalls at my kid's HS were ripped out by students during the first week of class. The kids were caught, criminally charged and had to pay for the damage. Their reason? They saw someone do it on TikTok and didn't think they'd get caught (there are 2 dome cameras at the entry to each bathroom!). Despite paying for the damage, the doors are not coming back this year -- I'd wager they'll never come back.
Dead Comment
These were the days when nothing had SSL, so you could just intercept and rewrite traffic!
My only requirement was: do no actual damage
It was implemented as a Debian live CD that you could drop into any school computer. It would boot up, then Ettercap would MITM the whole network by spoofing the router. It routed all HTTP traffic via Squid and a custom ICAP server that did the actual rewriting. If you removed the live CDs, the network just went back to normal within a couple of minutes.
Routing the whole school's network through one old Pentium machine wouldn't work though, so I figured out a way of doing distributed load balancing: it would do the ARP spoofing slowly and randomly. So, as you added more machines, it would just magically balance between them.
It worked great for about an hour then whole network mysteriously stopped working for the rest of the day. I left all the live CDs in the computers as a calling card.
Sorry, school network admins.
https://superuser.com/questions/1467313/mouse-pointer-moving...
For example, I use AutoHotkey to implement my JKLmouse program, which turns certain keyboard events into mouse movement for precise control. It's similar to the MouseKeys that comes with Windows, but made for laptop keyboards without numeric keypads.
And yes, you could definitely do that Minesweeper hack in AutoHotkey! :-)
https://www.autohotkey.com/
This is just pure evil.
I'm not sure I quite understand the details, though. I assume there was only one gateway for the segment, so were the spoofed ARP replies unicast instead of broadcast? Otherwise, wouldn't all clients just switch to whatever machine announced their spoof for the gateway IP last?
There were several subnets at the school, each with its own gateway. I remember having to set up live CDs in several computer labs to cover each of the subnets.
Dead Comment
First, that the pranksters were so egregiously responsible in the way they went about it. They avoided disrupting any actual educational activities; it was meant to be harmless fun, not vandalism. No harm came to anything here.
Second, that they documented their findings to the administration as part of the action, including recommendations for improvements.
Third, the administration took this as exactly that: a harmless prank by smart, ethical kids who ALSO did them a favor by pointing out the vulnerabilities. If the admin had a panicked fit about this, they could have made it an ugly situation.
My educational experience was populated far more by "freak out and yell" types than this school district, which was a shame.
In our high school they didn't expose the gradebook in that you could get in and change it, but we were able to see everyone else's grades. Teachers would post grades for their class and "obscure" it by posting it with the student ID (you were only supposed to know your own) next to the grade. But when the posted, the entire list was still in alphabetical order so it wasn't hard to figure out everyone's grade and student ID.
And the cherry on top of this was that all the students' passwords were their student ID.
Junior year in high school, I got suspended for "hacking."
The tl;dr is that I was using a proxy to fetch assignments for class (because the county decided "yeah, this state run Moodle instance is obviously not appropriate for education" and one of my classes used Moodle) and got caught with the proxy configuration screen open. I wish I was joking.
Anyway, when I was sitting in the guidance counselor's office as the teacher was talking up how "dangerous" I was, I noticed a sticky note with a username and password written on it. Turns out it was an admin account for the gradebook, though I think it was just intended for scheduling.
I never did anything bad with those credentials, but that really tanked what little respect I still had for the administrators there.
On a lighter note, when stack exchange & co got blocked the next year, I was good friends with the librarians since I helped out a fair amount fixing up their laptop carts (and doing other things the sysadmins were too busy to take care of), and they were able to get them unblocked. It taught me a lot about office politics: people are willing to return favors, so you should always make those connections.
Assuming you took the video at the top of the article, it was presumably trivial to figure out who was in the class you were in and then rule out everyone who appears on camera as the camera man. Or just ask the teacher...
It was Rainmeter; I was showing it to a friend. The IT guy even was like "yeah Rainmeter's pretty cool, I read about it in a magazine". But it was auto-detected and school policy, apparently.
Why report when you can simply administratively deny?
My own child will never use a school-issued laptop or school wifi.
In my grade 11 electronics class, one project we were assigned was to create a digital clock with notifications for one of the teachers. Me and a friend set up a raspberry pi with magic mirror installed on it, and modified some available plugins at the time to allow a google calendar for test dates embedded on the display. The teacher was quite pleased with this, but we convinced him to hard wire it to the network for "stability". In the background we had installed a vpn connection to one of my vps that I used to host my website, and created a new set of sudo enabled credentials naming it magic-mirror or something. The teacher then reviewed the project and changed the normal user credentials etc. Then right before it was installed in the ceiling, we attached a wifi adapter to the pi. A week or so later we remoted in through the tunnel and enabled a wireless hotspot from the pi. This provided us with internet while we were close to the classroom for the next year. People also over time learned that you could extend the range by hot spotting additional jumps using laptops.
Therefore I decided I would email Tetris to every student (I emailed the executable, not a link to Tetris), making it easier for everyone to play also. As soon as I did this the entire system got very slow...apparently the server had no quotas or partitioning and the hundreds of copies of Tetris filled up 100% of the hard drive space. It was a disaster. The computer "specialist" had no idea how to fix the system and she was teaching an adult education class that evening that required the system to work. She was furious and wanted me to get suspended. It didn't happen though because I spoke up about the problem right when I knew there was a problem and also some other teachers intervened on my behalf.
The woman who was responsible for the computer system back then is now the superintendent of the school system. I wonder if she remembers me.
I also graduated in the early 90's and my children recently graduated from my alma mater. When I went with them to teacher conferences some of the same teachers were still there. Teachers that I didn't even have classes with remember me.
So, this is just to say... that places like education where people may stick around for a long while in the system and such. They probably do remember a bunch of events from even a decade ago. It's the good places that have a sense of humor or appreciation for a worthy harmless infraction. They may even be secretly proud or have some admiration.
Though I do sorta fear that I just happened to hit the tail end of old-school hackery where such things are such things are rewarded. Now get off my lawn.
My senior prank was going to revolve around the printers. We were shocked to discover every printer not just in BG but across the entire district was accessible with no authentication of any kind. We cooked up ideas and were planning to print either porn or I has cheezburger/lolcat memes via telnet (I'm dating myself.)
Ultimately I got into other trouble before we could execute and figured this wasn’t worth not graduating over. I moved on and so happy to see a much better prank on this same network happen so many years later with almost no repercussions. Congratulations and great prank!