This article is an abbreviated retelling of a nearly 10-year-old epic about resourcefulness and betrayal, ingenuity and cunning, all born of human laziness. It started when the IT faculty of a certain university launched a distance learning system to test students' knowledge in one of the semester courses. The struggle that followed resembled a turn-based strategy game with phases a semester long, and on the students' side new people with fresh ideas joined each time.
Faculty: Since the course is meant to be remote, the tests are sent to you to take at home at a time convenient for you.
Students: Great! We all gather in the dormitory and take the tests as teams. You can even seat a smart friend to take them for the entire group in turn in exchange for some treats.
Faculty: Something is wrong here. This year you will take the tests at a fixed time in the faculty classrooms after all. By the way, just like last year, you can prepare for the test by taking a training test any number of times.
Students: Great! We wrote a script that takes the training test with random answers until it gets a 100% grade. The selected answers are remembered and reused in further attempts until the entire question database has been extracted. Then you can memorize it; fortunately, it is not that large.
Faculty: More questions! Extract them to your heart's content, you will learn more.
Students: We created a website with an identical interface that proxies our requests to the distance learning system, correcting our answers to the right ones. Unless you look closely at the very similar address bar, you cannot tell that we are on another site.
Faculty: The distance learning system is on the local network. Disable external Internet access in the classrooms!
Students: No big deal. We brought JavaScript onto the computers that, while the test is being taken, shows the correct answer in the browser's status bar.
Student X: Excuse me, the system gave me 68 points, but it should have been 78. I have a printout here with a complete dump of your question databases; it says that I answered correctly, so ...
Faculty: You have become completely insolent! We should not have shown you the test questions. This time we have prepared 2 separate pools of questions for you: one for training and one for the actual test. By the way, it is no longer possible to store any files locally: these are diskless stations, still without Internet access, and all the USB ports are on the front and very clearly visible.
Students: Panic! Panic!
Faculty: Your grades could hardly be any lower! Perhaps, with all this arms race, we wrote questions that are too difficult ... Just in case, let us give you 3 additional attempts to retake each test.
Students: Interesting. One craftsman among us is doing coursework on pattern recognition, and your floppy drives still work.
Faculty: So what?
Students: We will bring in, on a floppy disk, a program that hides in the tray and collects screenshots.
Faculty: And then what? You will have the questions, but not the answers. And how will you collect all the questions?
Students: Division of labor and clear organization. An army of kamikazes will come to retake the test and honestly fail the first attempt, gathering a collection of screenshots. Over the next night, the nerds will annotate these screenshots. Then a new program is generated from them.
Classroom attendant: Oh, why is your mouse moving around the screen and clicking the correct answers?!?!
Faculty: That will not do. Everyone retakes after the test session, which is why you face non-admission to all exams.
Students: Hmm, and among us there are in fact students from the department where the administrator of the distance learning system sits. %username%, could you please show the statistics for my group? Look, you can sit down at this wonderful Trojan-infected machine and enter your password here. Good, and now we download the entire question database for our year through a paid anonymous proxy, which we reach via anonymous WiFi (honestly, they did it!).
Faculty: Their grades have gone up somewhat, and no violations have been noticed. They have probably come to their senses and are studying.
Students: Hooray! The administrator's password has not changed for a whole year; we simply reuse the achievements of the previous generation.
Student X: Excuse me, the system gave me 68 points, but it should have been 78. I have a printout here with a complete dump of your question databases; it says that I answered correctly, so ...
Faculty: Well, I have no words. New password, new questions, and the question database is uploaded to the server 24 hours before the test starts.
Students: Hmm, but your distance learning system on the local server has not been updated for 7 years, right?
Faculty: Well, yes, so what?
Students: Right, so someone found an old unpatched vulnerability. We log in as any user, and then through a specially crafted URL we pull the question with a given number out of the database. By the way, we have stolen not only the questions for our year of our course that our administrator has access to, but every course ever taught through this system on this server. It all took us about 6 hours.
System developers: We cannot roll out the new version, because the outsourced designers have not finished drawing the interface.
Faculty: Damn :(
Perhaps the order of the sides' moves is mixed up, and not all phases lasted half a year. However, all of the described approaches and technical means really were used:
- taking tests as a team
- writing a bot
- phishing (admittedly, not of the user, but of the observer)
- a custom script with answers
- a hidden tool for collecting questions and answering automatically
- social engineering
- hacking
There were, of course, more typical and primitive tools too: wikis, forums, and VKontakte groups where memorized questions or screenshots made through Paint were posted. One person was severely reprimanded for photographing the monitor of the group taking the test through a transparent wall.
Students are capable of anything to avoid passing honestly, and IT students are much more dangerous. Such is the story. If you develop such systems or are involved in the educational process, think about whether you have protected yourself against all of this: these are not mythical potential threats but quite practical things.
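The training-test script in the story worked because one account could be served the whole training pool at machine speed without anyone noticing. The following is an added example, not code from the original article or from the system it describes: it measures, per account, how much of the pool has already been served and how fast the attempts were answered. The log layout, pool size and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from statistics import median

POOL_SIZE = 12  # constructed: number of questions in the training pool

# Constructed sample log of training attempts:
# (user, seconds spent on the attempt, ids of the questions served).
ATTEMPTS = [
    ("student_a", 20, [1, 2, 3, 4]),
    ("student_a", 18, [5, 6, 7, 8]),
    ("student_a", 22, [3, 9, 10, 11]),
    ("student_a", 19, [2, 6, 11, 12]),
    ("student_b", 600, [1, 5, 9, 12]),
    ("student_b", 540, [2, 5, 7, 10]),
]


def pool_exposure(attempts, pool_size):
    """Per user: (share of the pool already served, median seconds per question)."""
    seen = defaultdict(set)
    pace = defaultdict(list)
    for user, seconds, question_ids in attempts:
        if not question_ids:  # aborted attempt, nothing was served
            continue
        seen[user].update(question_ids)
        pace[user].append(seconds / len(question_ids))
    return {u: (len(seen[u]) / pool_size, median(pace[u])) for u in seen}


def flag_harvesters(attempts, pool_size, min_coverage=0.8, max_pace=30):
    """Users who were served at least min_coverage of the pool while
    answering faster than max_pace seconds per question (hypothetical thresholds)."""
    exposure = pool_exposure(attempts, pool_size)
    return sorted(
        user
        for user, (coverage, seconds_per_question) in exposure.items()
        if coverage >= min_coverage and seconds_per_question < max_pace
    )


if __name__ == "__main__":
    for user, (coverage, secs) in sorted(pool_exposure(ATTEMPTS, POOL_SIZE).items()):
        print(f"{user}: {coverage:.0%} of pool seen, {secs:.1f} s per question")
    print("flagged:", flag_harvesters(ATTEMPTS, POOL_SIZE))
```

The same coverage figure also tells the faculty how much of a pool must be treated as already known to students before it is reused.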
UPD. I was corrected: the text over the address bar was displayed not by a custom browser script but by a Delphi program. In addition, last year a similar solution was also developed and implemented as a browser plugin.