There is a big to-do in Pelham N.H. this weekend as the word “hacked” gets tossed around like a sorority rush at a frat party. As the reporting from WDHD-TV goes, a high school student (who remains anonymous to this point) supposedly “hacked” into a school computer to alter his grades, circa Matthew Broderick in the 80’s classic “War Games”. The school has declined to provide details on exactly how the student was able to do this, and I can tell the most likely cause why; because, the answer is embarrassing as all shit.
You see, at this point, the school and the media have begun painting a portrait of some uber-hacker prodigy, sitting in his mother’s basement, hax0r1ng the bastion of digital security that is the school district’s WAN (Wide Area Network), blasting past firewalls, ignoring “honey pots”, brute forcing authentication and gaining unauthorized access to a secure database in order to alter his grades. What a crock. I work in a public school district, handling IT for the WAN, managing security and keeping an eye on students and teachers alike, and there are no students out there that meet the mythical hacker prodigy that is currently being perpetuated through this BS story. The real truth of the matter that no one is will to admit is this; public educators are the single greatest security risk to public school computer networks. Period. 9 out of 10 classrooms I go into I find the teacher computer completely unlocked and unattended, while the room is full of students, with the software database they use for grades and attendance pulled up and on the screen the great majority of those times. Public school teachers are complete savants when it comes to computer and classroom security. You don’t even have to be a script kiddie for christ’s sake, all you have to do is wait for your idiot teacher to walk out of the room. BOOM! A’s for everyone! Don’t think I have not thrown righteous fits about this to Administration, only to be told that I am blowing things out of proportion. Honestly, if the educators are going to be that incompetent, then good job kid, you deserve whatever grade you gave yourself. Welcome to the wonderful world of social engineering, where the greatest security weakness in any network system is the human component. No amount of security policy on the networking side can trump human stupidity.
Backing up my version of the story is this little nugget “Although local authorities were notified, WDHD reports they are currently not involved. ” Yeah, no shit, that would be because no crime has been fucking perpetrated, unless we are finally outlawing weapons grade dipshittery, in which case, awesome! Also, when they say “local authorities were notified”, what they mean is that they told the local, small town officer that hangs out and provides security on campus during the day (this includes writing tickets when catching kids smoking and other silly things kids do); at which point Officer Couldntpossiblycareless, simply shrugs, because he is not a member of the FBI cyber security task force and wouldn’t know a hacker from a hole in the wall. I scoured this story and you know who I couldn’t find any comments from? That’s right, there are no comments anywhere from any members of the IT department of Pelham Public School District extolling the virtues of maintaining a secure digital environment. Why you ask? Because if they had interviewed a competent member of the IT department, the response would have gone something like this; “Some snot nosed pre-teen hacked my network? Go fuck yourself. I have this place locked down so tight it makes the Department of Defense look lax. Seriously, Bradly Manning walked in and burned thousands of classified files to a CD and walked out. You can’t do that shit on this network. No, the teacher left the workstation unlocked with her gradebook program open and some ankle-biter had a field day. But now I am under pressure to institute a whole host of security policy changes district wide, as if it will make a bit of difference in the world. At the end of the day, the biggest security vulnerability is between the keyboard and chair.” OK, so maybe I am taking liberty with fictitious IT guy’s words, but rest assured, this would miff any competent IT professional. We constantly hound the higher ups about the need to emphasize better security habits from the biological end, only to be ignored.
In closing, if the public education system ever accuses your child of “hacking” their network, rest assured, your kid is not Neo, but their teacher may very well be the Rain Man.