High school students expelled for keylogging teacher computers

High school students expelled for keylogging teacher computers

Summary: Eleven high school students are paying the price for keylogging their teacher's computers and changing grades as they willed.

TOPICS: Security, Education
credit cnet
Credit: CNET

A number of high school students involved in a hacking scandal to change their grades have been expelled.

Taking place at a high school in Newport Beach, Southern California, a number of students used keyloggers in order to spy on their teachers' computer systems, infiltrate the network and change their grades electronically.

Six of the students have left the district, and five have been transferred to other schools.

The students in question allegedly worked with a local tutor to learn how to hack in to the school systems in order to change their grades and steal test papers. According to the LA Times, a science teacher sounded the alarm after becoming concerned that someone may have accessed her computer and altered grades.

Timothy Lai, the 28-year-old accused tutor, has apparently vanished. Officials say that the tutor instructed students to attach keylogger devices to the computers in order to scrape user login details and passwords, which would later be used to change student grades and access English, science and history exams -- some of which were at honor and Advanced Placement levels.

District officials say they are unsure of how many grades were changed, and are in the midst of examining the scope of the scandal. In total, 52,000 grades issued over 12 months are now under audit to work out whether grades were input by teachers or changed by network infiltrators.

In a statement, the Newport Mesa Unified School District said:

"The Board’s action imposes discipline upon these students for the maximum allowed by the Education Code for what occurred at Corona del Mar High School. The Newport Beach Police Department is currently seeking to interview the alleged private tutor for his involvement in the incident.

The District is currently involved in an intensive audit of all CdM teachers’ grade books so that we can ensure the integrity and accuracy of all posted grades. The District has also taken preventative measures and is implementing a new notification system districtwide to flag grade changes."

While both the students and Lai could face criminal charges, none have yet been filed.

A local newspaper, The Daily Pilot, reports that this is not the first time the affluent school has been involved in a cheating scandal. The publication says that two years ago, 10 students purchased answers for history tests on Amazon, and a 17-year-old student was arrested in 2004 after being accused of changing other students' grades on the school's computer system.

Topics: Security, Education

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Shotty security software

    They really should have thought this one through when implementing security at schools. While they are busy putting metal detectors at entry ways, locks and bars on doors, the kids are running a muck with the network. Oh and Timothy Lai is not his name. The last name is a clue for those who don't know.
    • "Timothy Lai"

      That is a common name. Probably not a clue.
    • Security ?

      Most schools have little-to-zero security. Especially once on the inside.

      School District budgets aren't exactly full of IT funding. Most have bare-bones IT and related-support.
    • @nucrash, You do have the answer correct?

      “Oh and Timothy Lai is not his name. The last name is a clue for those who don't know”.
    • Somehow...

      ...I'd be surprised if Newport Beach schools thought it necessary to install the hardware you mention. This is definitely an upscale community. But perhaps the district IT staff is finally going to get the time allocated to do the security work they've probably wanted to do for the past five years.
      John L. Ries
  • teachers walk out of the room without locking their pc constantly

    usually have passwords on post-its on their desk.
    • One of the things that sysadmins get to do...

      ...is to educate employees about proper security procedures and why they're necessary.
      John L. Ries
      • then they cry babies

        if they had a real job other than k12 babysitter, they would be fired for such activity.

        Removing local admin rights and forcing strong passwords(with 6 month resets), you would of thought I killed their first born.

        Too much hand holding, most k12 sysadmins quit as I did after a year or two.
        • If you despise teachers that much...

          ...then it's just as well that you did quit your job. People usually read contempt in a big hurry and react accordingly.
          John L. Ries
        • hmmm

          Either a troll or a post by a bitter flunking high school student. You'll never get anywhere with that behavior, so wise up.
      • Are You Kidding Me?

        Teachers, as a group, are the LEAST likely to learn something new like computer security. I've tried to teach them in the past, but they just don't care. Heck, I've got family members who have taught for over 10 years and STILL have the same password into their grading system.
        • Back when I was in charge of sysadmin

          I had the same problem with all manner of non-techies.
          John L. Ries
      • There's no accountability

        Yes, you can educate them, but that won't stop them from keeping the password on a post-it note under the keyboard.

        And do you do spot checks looking for those notes? No. But even if you did, there's no "punishment", just a "hide it better" speech from those higher up.

        So they just keep on doing what they've been doing.
        • Policing doesn't help much

          Buy-in does. Admittedly, the average sysadmin doesn't do sales well, but sometimes it's important to learn new skills.
          John L. Ries
    • Yup

      Haven't you seen War Games?
  • Sounds like the problem was PHYSICAL security.

    Keyloggers can be software installed by briefly inserting a stick drive, or they can be hardware between the keyboard connector and cable. Considering that school computers probably use the PS/1 connectors for keyboard and mouse (which is actually a good idea to avoid using up a USB port, and so that USB can be disabled except on the administrator's account), and teachers never look back behind the CPU boxes, the devices can go unseen for months unless the computer is moved or serviced. And the average non-tech teacher would not suspect that this additional box doesn't belong there anyway.

    Back in the "old days" of punched cards, the teacher of a beginning FORTRAN course (for both engineering and business students) at the college junior level used the IBM batch system to verify correct homework and to enter weekly quiz grades. Quiz grades were punched into cards and run overnight after the quiz; homework programs had to call a subroutine for each assignment, passing their student number and computed results, and it punched a completion card if results matched, which went into the weekly batch run. The batch run punched a new master deck to go into next week's run, which was returned to the teacher, AS IF TO A STUDENT, in the public file drawers. Some bright students then figured out how to find their cards, or a friend's, in the master deck, duplicate them, change the grades to better ones or show homework complete, and put them back in the deck. Of course, for homework, since the teacher did not examine program listings, the ones who had done the assignments right could simply show their struggling friends which numbers to pass to the grading subroutine. Only quiz grades required "hacking" the card file (and the hackers were careful to use the standard off-white card stock, and after altering the card, make a fresh copy of the altered card with PRINT OFF).

    So we see that PHYSICAL security WITHIN the building is important. I heard that next year this course was assigned a LOCKED file drawer for the master file.
  • Security is not the issue

    Sure better security should have been implemented. Physical, electronic, etc...

    The real issue is that the few students involved thought this was a valid way to achieve a better grade. Hopefully they will understand that they only person that was being cheated is themselves.
    • Sure, its an issue

      While it would be nice if all of the students were honest and well behaved, the chances of that happening are inversely proportional to the number of students. Some students *are* going to try to game the system, so it behooves those in charge to make it as difficult as possible.
      John L. Ries
      • So its like

        Someone shooting someone else and the criminal blames the victim because "he should have been wearing a bulletproof vest". Yea, that's a great way to look at it.
        • Nope

          The students involved should have been punished, and were, but basing computer security measures on what people should do rather on what they will do is just plain stupid.
          John L. Ries