The perpetrators should be punished by being made to give a presentation on how they automated the process, what poor security practices allowed them to pull it off, and recommendations for preventing a similar incident in the future.
Suppose I walk into the neighborhood 7-11, and steal the money from the cash drawer when the cashier glances away. I'm only caught once the tapes are reviewed and they find my license plate. Should my punishment be to give a presentation to the cashier that they should be watching everyone at all times?
Obviously the answer is no. Sometimes, catching someone breaking rules/laws after the fact is sufficient - 100% prevention of a crime before it happens shouldn't be the only way crimes are avoided.
Did the school make some poor choices with their cybersecurity? Sure. But an open/unlocked door does not give permission to steal or break the law, whether that door is digital or physical.
I was suspended in high school for "hacking"; this was in 2000. I added two (crudely named) folders to an old DOS style typing teaching software.
My presentation would have just been "I pressed F10, and typed in bad words", but it would have been preferable to a three day suspension, haha. I hope this is the outcome!
> punished by being made to give a presentation on how they automated the process, what poor security practices allowed them to pull it off, and recommendations for preventing a similar incident in the future
> “It just shows that people don’t make healthy cybersecurity decisions,” said Stern.
You mean like the administrators of the school? You can set a temp password to immediately expire. What's notable is that even after this incident they still didn't do so, just encouraged students to change the default password during orientation.
Indeed. An immediately expiring temp password is the usual workflow for new private-labeled Google accounts. I suppose, though, that somebody thinks middle schoolers can't handle it.
I did something very similar to this for my high school's prom queen vote who I wanted to win for teenager reasons. The voting system was just a bunch of laptops in front of the lunch room running a web app and all that was needed to vote was to know a student id. A few hours and some javascript later, I voted more than the entire senior class. It was only discovered after the event.
I could have rigged the vote to win at my school too, except that I wasn't in the right cliques. It would have been very suspicious if I won, and everyone knew I was "good with computers".
Our program actually saved who voted for who in plaintext. At least I got to see who voted for me.
I'm glad to see that it seems the student in question was afforded a measure of process and admitted guilt -- I could easily see the story ending where the weaker opponent casts fake votes for their competition to get them eliminated!
The number of responses which go to "...I did this too" are fascinating. I also did stupid things in my past which nowadays would incur severe penalty, as hacking. They felt mild right up to the point I was caught (this is 35 years ago) and then they stopped feeling mild very quickly.
I feel very sorry for people in today's world who don't get the "everybody gets one free pass" on these things we did back in the day. I think we need a clear statute of limitations on some stuff done by minors and near-minors, regarding their future lives. Nobody is going to be eligible for election to senate or the law courts, or to work in federal or state bodies if we don't work out how to deal with this kind of thing.
That said, I am pretty sure rigging an election is a good indication you have need of some ethics. Amusing, but also not a good idea.
This ranks (in my books) with the recurring "we thought we'd make a film about a bank robbery without informing the bank or the shopping mall about it" type cock-up: Actions have (unforeseen) consequences.
Gosh, I did this back in my high school as a Senior, two years ago. Got myself suspended for two days and ruined my perfect attendance, oh well. It scared the shit out of me when two police officers barged into my U.S. History class and pulled me out.
The usernames of our voting system were our 5 digit student IDs. And the passwords... same as the usernames. I wrote a puppeteer script that looped through 2000 IDs and voted for everyone. They tracked me down through my home IP address -- if there is a next time, I'll definitely use Tor haha.
EDIT: Yeah, the school's VP picked up on it because normally about 40% of the student body actually votes -- but this time it was 100%; plus when students started signing into their voting accounts, it claimed they already voted. Not my brightest moment.
“When we spotted it, it was incredibly obvious,” said Stern, 17. “There were just massive alphabetical votes at random hours.”
Reminds me of an interview question: How would you do a reasonably good job of randomizing an incoming stream of items, while minimizing auxiliary storage?
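The signals described in the comments above (turnout far above the usual 40%, votes arriving in alphabetical order at odd hours, one source address) can be checked mechanically by whoever runs the election. This is an added example, not code from the article or from any commenter; the log layout, the sample data, the function names and the thresholds are all assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log, not data from the incident: (timestamp, voter, source IP).
ORGANIC = [("2019-03-04T12:05:00", "Ng", "10.0.1.7"),
           ("2019-03-04T12:40:00", "Diaz", "10.0.2.9"),
           ("2019-03-04T15:10:00", "Young", "10.0.1.3"),
           ("2019-03-04T16:22:00", "Chen", "10.0.3.4"),
           ("2019-03-04T19:01:00", "Patel", "10.0.2.2"),
           ("2019-03-04T20:45:00", "Brown", "10.0.1.8")]
ROSTER_AZ = ["Adams", "Baker", "Clark", "Davis", "Evans", "Ford", "Gray",
             "Hill", "Irwin", "Jones", "King", "Lee", "Moore", "Nash"]
# Scripted burst: walks the roster A-Z, one vote per second at 3 a.m., one address.
SCRIPTED = [(f"2019-03-05T03:00:{i:02d}", name, "203.0.113.5")
            for i, name in enumerate(ROSTER_AZ)]
VOTES = ORGANIC + SCRIPTED

def longest_sorted_run(votes):
    """Length of the longest run of time-consecutive votes in A-Z voter order."""
    names = [v[1].lower() for v in sorted(votes, key=lambda v: v[0])]
    best = run = 1 if names else 0
    for prev, cur in zip(names, names[1:]):
        run = run + 1 if cur > prev else 1
        best = max(best, run)
    return best

def off_hours_share(votes, day_start=7, day_end=22):
    """Fraction of votes cast outside the day_start..day_end local hours."""
    odd = sum(not day_start <= datetime.fromisoformat(v[0]).hour < day_end for v in votes)
    return odd / len(votes)

def top_ip_share(votes):
    """Share of all votes that came from the single busiest source address."""
    return Counter(v[2] for v in votes).most_common(1)[0][1] / len(votes)

def review(votes, roster_size, baseline_turnout=0.40):
    """Return the names of the signals that fire; thresholds are assumed values."""
    if not votes:
        return []
    checks = {"alphabetical-run": longest_sorted_run(votes) >= 10,
              "off-hours": off_hours_share(votes) > 0.25,
              "single-source": top_ip_share(votes) > 0.5,
              "turnout-spike": len(votes) / roster_size > 1.5 * baseline_turnout}
    return [name for name, fired in checks.items() if fired]

if __name__ == "__main__":
    print(review(VOTES, roster_size=20))
```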
> Schweng said the culture around this election, from the outset, was different than what she’d seen in the past. There were more reports of students taking down candidates’ posters, and more activity on social media. Some students suggested to the principal that the stakes felt higher because colleges are becoming increasingly more selective, and extracurriculars like student government are consequently more important.
This part was the most interesting revelation in the article to me! It never would have occurred to me as a HS student to "cheat on extracurriculars"! I just did the stuff that was interesting.
Nowhere in the article is it mentioned where the student gained access to a mapping of student IDs to student first and last names. As a recent BHS alumni, these ID numbers are not obviously derivable from a student's name (but I do think they are allocated sequentially). Getting access to this list implies some sort of social engineering or threat vector elsewhere.
The flaws exposed were of general cybersecurity--they had default passwords comprised of a static string for every student + their student ID, and did not require students to change that default password immediately upon first login.
"If a student does not change the default password, “anyone with access to your student ID number will be able to access and delete your emails, schoolwork, personal documents and anything stored on your Google Drive,” Stern wrote in his message to the student body."
[+] [-] nkrisc|7 years ago|reply
[+] [-] kemitche|7 years ago|reply
[+] [-] tickthokk|7 years ago|reply
[+] [-] stcredzero|7 years ago|reply
So punish them by sending them to DefCon?
[+] [-] trhway|7 years ago|reply
[+] [-] Someone1234|7 years ago|reply
[+] [-] OliverJones|7 years ago|reply
[+] [-] thaumasiotes|7 years ago|reply
> The investigators were also able to determine that the false votes were cast from a computer
I bet the real votes were cast from a computer too.
[+] [-] smelendez|7 years ago|reply
[+] [-] depressed|7 years ago|reply
[+] [-] mountainofdeath|7 years ago|reply
[+] [-] dustindiamond|7 years ago|reply
[+] [-] RandomBacon|7 years ago|reply
[+] [-] veryworried|7 years ago|reply
[+] [-] bowmessage|7 years ago|reply
[+] [-] mfoy_|7 years ago|reply
https://www.bmo.com/olbb/help-centre/en/my-profile/change-pa...
[+] [-] dontbenebby|7 years ago|reply
(Or they were sequential with blocks for each class)
[+] [-] hbosch|7 years ago|reply
[+] [-] jlrubin|7 years ago|reply
[+] [-] ggm|7 years ago|reply
[+] [-] ryanmjacobs|7 years ago|reply
[+] [-] zaroth|7 years ago|reply
[+] [-] stcredzero|7 years ago|reply
[+] [-] greiskul|7 years ago|reply
[+] [-] dangrover|7 years ago|reply
[+] [-] bhsalumni123|7 years ago|reply
[+] [-] OliverJones|7 years ago|reply
In my opinion these two have done us all a service by showing what could go wrong.
[+] [-] MagicPropmaker|7 years ago|reply
[+] [-] will_pseudonym|7 years ago|reply
[+] [-] anbop|7 years ago|reply
[+] [-] aiddun|7 years ago|reply
[deleted]
[+] [-] QuamStiver|7 years ago|reply