
Sh1mmer – An exploit capable of unenrolling enterprise-managed Chromebooks

223 points | XionXIV | 3 years ago | sh1mmer.me

192 comments


DharmaPolice|3 years ago

I wouldn't have a career in IT if I hadn't spent many hours at ages 11 to 15 trying to get round my school's network security. My logon was frequently disabled for misuse and I was even suspended for a couple of days once but I learnt more that way than in any class I've ever taken.

kab0b|3 years ago

I was really lucky that our Computer Teacher/IT guy (this was back in the early 2000s) was really cool and allowed us a bit of leeway to break things. After the first time we got caught (there were three of us) he sat down with us, and essentially gave us some rules of engagement, anything we got around, or defeated we had to write up a short report and turn it in to him, explaining what we were able to accomplish, the level of access we were able to get and the steps to reproduce. So we did so, and he actually gave us class credits for it. (Our school system had some "special projects" class credits that could be earned to give students and teachers some leeway on allowing students to learn things that weren't part of the curriculum)

We managed to figure out how to override our typing program to give certificates saying we typed 200wpm at 100% accuracy. Bypassed the internet filter to access gmail (back in its early days, we held onto that ability for a while) and a few other things I forget about now. He was one of my favorite teachers.

knodi123|3 years ago

Exact same story. I was having way too easy a time in my comp sci class in high school, so I wrote a program that simulated our login screen, saved whatever you typed into the box to a text file in my home dir, gave the "bad username or password" error, and then seamlessly sent you to the real login screen.

After a week, I'd stolen the credentials of everyone in my class and the class after mine. And then, I did... nothing with it, because I was already able to finish the homework in class and had a high grade.

The teacher busted me because I had a file in my home dir called stolen_passwords.txt. But instead of punishing me, he made me help him patch all the security flaws I'd exploited. It inspired my decision to go to college for comp sci. Best high school teacher ever. (a few years later, I had graduated with a comp sci degree. and he was trying to recruit me into selling amway. oh well.)

M1m1c|3 years ago

I relate to this. As someone currently in high school, messing around with web proxies and code deployment sites, and web-based IDEs trying to run Dwarf Fortress in my school browser has taught me more about computers and networks than just about anything else. It is painfully easy to get around school filters these days. I've never really messed with unenrollment because you do need enrollment to access the testing websites but I've been trying to get into Developer Mode to get Linux apps, but the IT guys must have thought ahead on that one.

red-iron-pine|3 years ago

Dad did a PhD in something with a lot of math and so we had a computer even when I was a kid. Got exposed at a young age.

Eventually I figured out how to use the dial up to see naked pictures. Old man changed the dial-up password, wouldn't let us use the computer.

Occasionally, when he was around he'd let me online for legit school stuff. I'd heard of keyloggers -- featured prominently in stories about catching cheating lovers -- so while allowed on for legitimate reasons I got on Altavista and was successful in downloading and installing one. Couple days later I had an opportunity to kick off the program while no one was around. It worked -- got the password.

Ended up in military signals and then cyber. Now a fatass IT guy working remotely. Adversarial relationships spark learning, it seems, be it parents, school, war, etc.

dotnet00|3 years ago

Although I was already well into programming by then, my final "huh if I enjoy this so much I might as well pursue it as a career" push came from a similar incident, except it was about getting access to the faster wifi for the teachers in exchange for showing my calculus teacher how to bypass the website blocking.

rez9x|3 years ago

I had the 'benefit' of a poorer school district with basically no IT. The extent of blocks on our computer labs was an application running at startup. Being Windows 98, I just booted into DOS and renamed the executable.

Teacher didn't care if we bypassed it, as long as we put it back before class was over.

duxup|3 years ago

My son (in jr high) updates me daily on his and other kids' efforts to play games at school.

mindondrugs|3 years ago

Is there a source for `bored kids`? I don't see any evidence of kids creating this exploit?

XionXIV|3 years ago

I am one of the creators of shimmer. Can vouch that I am a bored kid.

rlmineing_dead|3 years ago

Hi, I'm the owner of mercury, everyone who made this exploit is under 17 and was bored so yes, it's bored kids

runjake|3 years ago

I don't know how to prove it, because I don't want to post screenshots or other identifying info, but I've been in communication with a couple members of the sh1mmer crew. After posting some technical info about it on Reddit, they reached out.

They claim to be in high school, and the way they converse seems to match.

They're good kids. Good hackers.

nebulous1|3 years ago

I don't see any although the FAQ page certainly reads like it's written by somebody young.

gibspaulding|3 years ago

I thought this was fairly doable for some time. Surprised it hasn't been an issue before.

I used to do tech support for a school district with some ~5000 Chromebooks in circulation and we did all of our repairs in house. This meant I spent the first few weeks of COVID bringing home boxes of damaged devices and spare parts and getting them back into working order. Occasionally I would have to do a board swap for a bad power jack or something which meant you would have to overwrite the serial number on the new board to match the old one so that it would join Google admin as one of our devices. If I remember right the process would have worked the other way around too, to change the serial number to one we didn't control.

lol768|3 years ago

This is hilarious, and quite impressive given the presumed age of the kids that'd be interested in doing this. I'm sure some K-12 tech staff are stressing over the exploit right now.

ethbr0|3 years ago

They're K-12 IT staff... they've got 900 other things to worry about.

If someone is smart enough to find this and unenroll their device, they're probably smart enough to be left to their own devices. (Literally)

bell-cot|3 years ago

Anyone else suddenly imagining that you hear Pink Floyd lyrics?

XionXIV|3 years ago

The silliest thing about it is probably this. Google seemed to have just kind of forgotten to add code that would verify the rootfs on shims, even though they had everything they needed to do it already set up.

https://chromium-review.googlesource.com/c/chromiumos/platfo...

andromeduck|3 years ago

That patch seems to be just checking more devices/partitions for images?

offlinehacker|3 years ago

I like the attitude these kids have. No one should have control over my laptop, but me. Being locked in corporate silos is way too normal these days.

Overtonwindow|3 years ago

I hope I don't sound like a Luddite, but I don't think kids should have chrome books, or any type of laptops in school...

danpalmer|3 years ago

Why?

I used a laptop full time in school from 16-18 (and then at university too) and found it much more productive. My notes were better and more usable.

For younger children I think everyone agrees that it's important to be teaching computer skills, and that requires computers. Having rooms of desktop computers is arguably outdated, and a poor use of space, so many schools have switched to trolleys of shared laptops.

Additionally there's a problem with computer access for homework. Many households don't have a computer suitable for homework, so by giving every child a laptop, schools can (theoretically) rely on everyone having a basic level of equipment available.

Is this perfect? No, it takes some effort to do, but given modern remote management tools I'd expect not a lot more than traditional IT provisioning at schools. Should kids get one from day 1 in kindergarten? Probably not, but during primary school could be reasonable.

logifail|3 years ago

> I don't think kids should have chrome books, or any type of laptops in school

Our eldest has had a school-issue iPad, along with the rest of his class, for a couple of years now.

As a parent I'd suggest that, despite being basically issued "for free", they're a very mixed blessing: since they were given out, I can count on one hand the number of pieces of work his class have done on the iPad where the device was of benefit.

The number of times my son has reported one of his classmates getting into trouble due to messing about on iPad in class easily numbers in the hundreds...

If the school decided to take all the iPads away tomorrow I wouldn't be bothered in the slightest.

icepat|3 years ago

Why? As a student, giving me access to a laptop improved my ability to get things done by orders of magnitude. I always struggled with messy writing, and being distracted easily. Having a laptop let me pay better attention, because I could work on something and passively listen to the class. My notes were also legible, meaning I could take meaningful notes for the first time ever. I could also combine photos of the chalkboard with captions on days I was particularly distracted, or record important sections of the class and review it later.

If I had to sit with just a notebook, and listen to the class only, I'd rapidly become sidetracked and check completely out. Then when it came to writing things down that were important, I'd have to check back in, and quickly jot things down that were illegible.

Massively improved my retention, and overall ability to function in class.

The "no computers, computers bad" mentality in schools is a major limiting factor for people with different learning styles, and neurodivergent children.

blackhaz|3 years ago

Getting Chromebooks to schools is the single most horrific act we could have done to our education system. This act undermines the very future of our nations. A big proportion of all the classwork and homework is now done on the screen. There is plenty of evidence that handwriting boosts cognitive processes - thinking on paper is something that the next generation will mostly lack. Rich and powerful are all aware of that, so they deliberately put their own kids into private schools where screen exposure is more limited.

Not only that. We are promoting to our kids a fully proprietary system that increasingly becomes a walled garden, run by an aggressive imperialist company with abysmal technical support, with a complete failure in parental control practices. It is, at least with our school, completely impossible to implement parental controls on enrolled Chromebooks, so you have to trust the school's policy which is, in many cases, inadequate. The school's solution - well, take the Chromebook away at home. Good luck with that.

Chromebook pushes the agenda of Google cloud and Google apps on the user. Millions of people are grown into this world assuming the only option for them to perform functions or access their own data is to be online and use the cloud. This is as close to a digital dystopia as I can imagine.

I don't like what Google has become and I would never buy a Google Chromebook. Forcing this in schools so early (11 years old here in the UK) is a crime we're all committing. We all are going to pay for it.

londons_explore|3 years ago

I agree with you if science agrees.

It's easy enough to give some classes chromebooks, while others don't have chromebooks, and see who gets higher test scores.

Then keep track of those people, and see who does better at university, and who ends up earning more, having a bigger house, or living longer - just to confirm that those people really end up doing better, rather than just doing well on the test.

dehugger|3 years ago

Sorry to dash your hopes but you do, in fact, sound like a Luddite.

Students have been using laptops in schools for nearly 20 years.

31337Logic|3 years ago

I'm with you, here. And I'm a seasoned IT Consultant of almost 3 decades. I've seen (and argued for) "both sides" of this argument and I now believe the net gains of giving each student a monetized ad-machine (aka Chromebook) are FAR outweighed by the net losses. I'm certainly not the first or only one advocating this, of course, and there is a large and ever-growing body of evidence to support the claim that Chromebooks specifically (i.e. not just a dumb laptop, disconnected from the Internet and social media) are hugely detrimental to students' development, both academically and socially. Don't be lazy or in denial, a simple DuckDuckGo or Wikipedia search will provide many enlightening studies for you to read. Pick your favorite. For those in a rush, you can't go wrong by starting with the Your Undivided Attention podcast. Good luck, and here's to a balanced discussion that fairly represents BOTH sides of the story.

mschuster91|3 years ago

To the contrary: Laptops and other forms of digital devices can be used for a way better educational experience. Classes like maths, chemistry or physics can greatly benefit from interactive elements such as graphs or simulations.

Besides, as our societies transform more and more into service sector economies based on IT services and media transforms as well (with the shift from traditional gatekeeper TV/radio/newspapers to Youtube/podcasts/a ton of services), it is imperative that children from a young age learn how to properly interact with computers and digital society. We're already seeing kids unable to judge the quality of online media sources, for example.

lynx23|3 years ago

What do you suggest instead? Write on stone tablets?

xenophonf|3 years ago

Where I went to college, certain math and science classes were taught on NeXT workstations. I'll admit that staying focused on class was a challenge for my 17-year-old self, but having in-class access to tools like Mathematica and being able to manipulate equations and simulations with the teacher really made understanding how the math/physics worked so much easier.

I started taking meeting notes on a succession of Palm and then Compaq handhelds before I bought my first Tablet PC with OneNote in 2005. It was a tremendously valuable tool both professionally and academically. For example, this is a page of notes from a Tandberg certification class I took in 2006:

https://imgur.com/a/1XgNOoi

Sharing my notes was trivial. I could print to PDF and email to the rest of my team in a minute. Organizing my notes was equally simple. It's been nearly two decades, and I was able to locate these notes in seconds. Even though they're handwritten, OneNote can index my notes. It's pretty amazing.

Around the same time, I took an ITIL certification class. The teacher was someone like you, and he demanded we put away our computers for class. I'd love to share with you the detailed notes I took, but they're buried somewhere in a drawer full of paper notebooks. It'd probably take me an hour or two to locate those notes, scan them, and upload them somewhere. My employer spent thousands on that class, but if I have ITIL questions in my various IT operations roles, I have to google reference material instead of using what I created for myself. It's such a ridiculous waste of time and effort that it still frustrates me, ~15 years later.

exabrial|3 years ago

I was lucky enough to go to a school with uniforms. I thought it was stupid at the time. As an adult, I realize now what that did was level the playing field between the rich kids and poor kids.

I can’t even imagine being a kid in school these days with an off brand smartphone or ipods, especially when Apple actively promotes bullying non users.

AstixAndBelix|3 years ago

I concur. Nothing I learnt in high school required anything more than pen and paper. But my EE degree? I would lie if I said a laptop with Matlab did not help me immensely to learn concepts

mcv|3 years ago

My son's programming classes would be pretty hard without his laptop.

For primary school I might agree with you, but not for secondary school.

justsomehnguy|3 years ago

Yes, you do sound like a Luddite. Because computers are an integral part of modern society, like it or not.

XionXIV|3 years ago

And it just takes two minutes.

bertil|3 years ago

I stand with everyone on Hacker News in admiration for young’uns sticking it to the man and learning about command-line secret power.

_However_, I’m a little more ambivalent knowing that most of them do that to look at naked ladies, presumably. Maybe create pictures of naked ladies (again: very impressed by Generative AI, with the caveat that it’s widely used for pr0n)

That doesn’t feel ideal for the emotional maturation of middle-schoolers. In my time ::shakes fists at cloud::, hacking the school network meant you risk exposing yourself to people with strong opinions about plot points in Buffy The Vampire Slayer. Nowadays, it also means risking ending on a psyops from Russian secret service, whatever Andrew Tate is (and please, don’t tell me: that’s one shred of innocence I want to keep) or, inexplicable, worse. I remember ridiculing music producers who were saying that if you didn’t pay for CDs, you would end up empowering “pedonazis”. That felt ridiculous at the time. It feels less so now, both not paying for music and enabling actual pedophiles and actual nazis by sticking blindly to open-web principles.

I am very happy that the kids stick it to the man. I feel like we grey manes need to put our heads together and think about how we talk to them about emotional maturation, bad people, and safely exploring. It will sound ridiculous coming from the generation that cared about Facebook, but I feel like we can’t just stand in the bleachers and clap every time the JV red team scores a point.

npteljes|3 years ago

>hacking the school network meant you risk exposing yourself to people with strong opinions about plot points in Buffy The Vampire Slayer

Not really, porn and gore were integral parts of the internet even "back then". Rotten.com launched in 1996 for example, Ogrish in 2000. Eating disorders are also flourishing in the current era, on TikTok for one, but I remember the pro-ana websites from my youth as well, distributed on private websites, because creating a website or blog was easy. It was also very easy to find porn, even if specific websites were banned on your network, because it was just everywhere. Peer to peer networks also happily distributed whatever, let that be gore, hardcore porn, or any illegal thing you can think of, including abuse material.

I do agree about your conclusion though. Emotional maturation, strong connection to people matter a lot, and a lot of the horrors are created specifically when these are missing from one's life.

knodi123|3 years ago

> In my time ::shakes fists at cloud::, hacking the school network meant you risk exposing yourself to people with strong opinions about plot points in Buffy The Vampire Slayer.

lol. In my time, hacking the school network meant you could access programs that belonged to other schools, or print to their printers. And that was pretty much it.

beepbooptheory|3 years ago

The kids will figure it out like you did. Maybe the terrain has changed, but there was no one to tell you what's what back in the day anyway, so why worry? Or rather, emotional maturity can go both ways here: jumping to a paternalistic mindset will rob you of the wisdom the kids themselves can give. I think it's natural and probably right to feel concern, but don't overcorrect it into presumption or into a false idea that you can just give to kids what you had to learn/discover yourself.

XionXIV|3 years ago

This really is not something that I have thought about very much as they very likely have phones where they are able to view all of the same content, anyway.

rlmineing_dead|3 years ago

Um, we didn't create the exploit to look at porn, that should be blocked on the network level anyways