How to (Hypothetically) Hack Your High School

I’ve never been good at writing fiction, but I’ll give it a shot. For legal reasons, everything described below happened to our fictional character Bob.

Once upon a time, all computers at Bob’s high school could access a shared public drive called the "P-Drive." This was useful so kids could work on group projects together and so teachers could post materials for everyone to access. However, with a bit of social engineering, someone could also post a virus to the P-Drive.

At this point in Bob’s programming career, he knew enough of the language "Processing" to be dangerous. Bob realized that to run certain programs on his school’s Windows computers, users sometimes had to input their usernames and passwords into a box that looked like this:

account_control

Now, Bob was a crafty child. He managed to perfectly reconstruct this password box, right down to the color gradient, blue-highlighted mouse-over buttons, and the hidden text that appears when someone types their password in (required some Java sprinkled into Processing). Once a user pressed "Yes", some random files would be generated containing the user’s student ID and password, and a secondary application would be launched which was relevant to the file name of the malicious software. So if the file was called "Click Me for a Fun Game," a fun game would then open up!

But this wasn’t enough for Bob, oh no. He needed to be able to access these passwords from anywhere. So Bob built another feature into the program which sent a student’s ID and password to his private server, where he could scroll through them at his leisure.

Bob got a couple passwords from this, it was all in good fun. Then one day, something very interesting happened. The WEBMASTER of his school opened up the file and sent over his password. Uh oh. It turns out that with this info, Bob could now access the teacher drive ("T-Drive," similar to the P-Drive) at his school, which contained a database of ALL student IDs and passwords, as well as class materials, test banks, letters of recommendation, emails… Talk about bad security practices. Bob got into some deep shit real quick.

passwords

Not only that, but the Webmaster could edit ANY teacher’s homepage on the high school’s site, and now so could Bob. He thought about redirecting teachers’ logins to a fake login page to gather more passwords but decided he’d pushed his luck far enough. Bob never told anyone about this until well after he graduated.

One thing is 100% true about this story though. Bob never used any of what he discovered to change grades (he could have), cheat on tests, or harm anyone.