203 comments

[ 4.2 ms ] story [ 246 ms ] thread
Give the kids the SGT puzzles web page.
This is a great read, I recently fell down the rabbithole reading about all the different versions of minecraft that have been cracked and playable in the browser so kids can play it on school laptops, that was a great thread to follow too.
Speaking as a past kid trying to play video games on school laptops, I'm really grateful for the experience.

Some of my first experience with reverse engineering/pentesting methodologies came from extracting flash games from websites so they could run without getting net-nannied, or learning that you could use google translate to run a makeshift web proxy.

Honestly helped kickstart a lot of my learning about computers.

I visited my high school a few years after graduating. My secret persys.sys folder (full of games) was still there. Fun times.

That was the era of painfully slow (~10min) windows boot times. At one point, teenage me had a floppy with unetbootin to boot a flash drive with tinycore. I could get a browser running a solid 8min. before anyone else.

Regardless of the fun, there was still a dark side. Fear Uncertainty and Doubt should not be the foundation of education.

This relates to something that has been bugging me lately, which is as a parent I have zero parental control over the devices that our school board issues to my children. My kids have iPhones and iPads, which are part of my Apple family account, and I can both monitor what they are doing and also set limits on screen time including hours of usage and for particular apps. However, I recently became aware that my son was staying up until the wee hours of the morning scrolling on Instagram and YouTube, using his school-issued iPad, and I had no idea this was happening.

I am not entirely sure how to approach this. On the one hand, I am unsympathetic to parents who might want the kind of control that prevents children from accessing information about sexuality, for example. On the other, I really don’t want my kids to have unfettered access to social media and YouTube entirely without my knowledge. Suggestions on this are welcome.

You control the network that device is on. Block and/or track access using that fact.

I use a combination of DNS via https://1.1.1.1/ and WiFi/DHCP via https://eero.com/.

Works great.

Yes. This should be way easier.

Until your kid learns how to boot linux and run aircrack-ng to get into the neighbor's wifi because you're restricting the internet access...

Ask me how I know

Then at least they are learning some critical thinking and some valuable IT skills.

I think that's probably a win for most parents.

And then, at some point, hacking systems becomes a lot more fun than playing video games.

A lot of kids learned about hacking (the good and the bad kind) this way.

Hahaha at that point I’m not sure anything works better than frequent and empathetic conversation. I’ve known kids in middle school figure out how to make $200 or so to buy their own devices to stash away for personal use.
I schedule my wifi to turn off when people should be asleep. That can help depending on the device.
Easy, no devices in their hands after bedtime. Your child isn't some busy tech professional that needs to be on call for work emails. They can live without having their iPad and iphone in their room. When I got caught as a kid playing my Gameboy when I should have been asleep, I lost my free access to it and could only use it when homework and chores were completed. Once play time was over, they took it back because I was a dumb kid who wasn't responsible enough to manage my own screentime.
Thank you. This confirms my suspicion: Just take the hardware away.

I am lucky that my children accept the limits I impose on them. I think because they are not stupid and they sense that they need limits. It's not a struggle to take the hardware away. I even apologize to them when it's time to let the laptop go.

We do take the devices at bedtime, in fact, I have a reminder on my phone that goes off at 9:30 pm every night (which I started after discovering the problem). But it’s not just about the late night usage, which is mostly curtailed but not perfectly given I’m not a perfect authoritarian. It’s more generally what he’s doing with it.

I don’t want him going down YouTube rabbit holes, developing a body image complex via Instagram, etc., at any time of day. It just seems strange to me that there’s this gaping hole in my parental oversight that was put there by our educational system.

What if he is watching videos about quantum physics, and he might have been the next Einstein, if his parents didn't restrict his access to the information superhighway?
1 in 5000 views. You can bet 20% are TidePod challenges and blowing up swimming pools with dry ice.
I think part of it comes down to knowing your children well enough to know if this is likely.

In truth as someone with autism and ADHD I found myself down some pretty nasty rabbit holes if I wasn't at least given some guidance.

YT has a watch history so this “what if” can be easily tested. In case it’s true you can then supplement the internet superhighway with some relevant books on the subject.
Kids know how to clear the watch history. YouTube has been a real struggle for me.

My kids cleared the watch history then I would notice the history was empty so I’d talk to them about it.

Then the started clearing and then leaving playlists of “educational” stuff running over night to poison the history.

Kids are smart.

I haven’t found a real solution yet other than banning YouTube on everything but the tv in the family room.

It’s funny because classes assign YouTube videos and the kids have to sit there and watch ads before their assignment.

For this, you're in a bit of a bind, and I too have run into this on my son's school issued chromebook. Blocking Instagram and Tiktok seem to be an easy enough solution at the firewall level (or DNS, using something like this: https://dnsadblock.com/block-social-media/). Youtube, however, is the tough one, as half the time the actual class material requires the use of Youtube embedded videos in the first place.

I'd raise the issue among the PTA -- it seems like something that if enough people get involved on you might get a workable solution figured out. Hope the other stuff helps though.

Same gameboy experience here
Parents got rid of my Gameboy when I was caught playing it under the covers with a torch at 3am (original one with no backlight). Eyes bloodshot as hell. Deserved it I guess but was devastated because I hadn’t finished Mario yet.q
> Easy, no devices in their hands after bedtime.

This is no longer so easy after your kid realizes they can simply wait until you fall asleep, then sneak into your room and filch the machine from wherever you've stashed it.

That’s what locks are for.
Assuming the parents are competent, that only happens once.
Well, thank you very much for that helpful bit of advice.
I mean, if the parents care about it it's as simple as pointing a camera at the goods or otherwise devising some mechanism to detect tampering.

And before anyone says "DatS sUrVeIlAnCe!", sod off: Parents have a duty to surveil their kids and discipline their behaviour properly, it's a part of raising a kid.

My router turns off all kid device internet at 930. So devices still have power but no connectivity.
Yes, that's my 'solution' as well - the router Sky (UK) gave me is utter crap, I put another one besides it and added QoS (so my kid has a poor game experience) and blocked useless websites (youtube, facebook, tiktok).

Call me a bad father, but it's working. When it takes a looong time to download a shitty Roblox game, he starts doing other projects. It's like magic.

We handle this by not allowing devices in our kid's room after lights-out. There's just no reason to have them there, and they represent a temptation that can be hard to resist at any age, nevermind school-age.
Better sleep hygiene as well
Ah, the old days when I'd read a book with a flashlight under the covers.
My kids are 4 and 2. When they get to where they can read independently I intend to make sure they have flashlights, and if I have my shit together I'll make sure they always have batteries.
Idk I feel doing this a lot as a child may have solidified terrible sleep hygiene for myself.
Yeah, I see what you mean, but I also want them to love reading.
If they love reading, they’ll love reading. Anything that becomes an obsession for a kid to the point where they are forgoing sleep (food, social interaction, etc.) is probably unhealthy. Kids don’t have enough executive function development to adequately moderate themselves.
Ah, then the paradoxical key is to ban books. What you want more of: reject, what you want less of: become the boyfriend's new best pal. No so much reverse psychology as manipulating oppositional tendencies.
Years ago I thought the same thing, but one of my kids will stay up reading until well past midnight and absolutely obliterate his health over it.

Re: shit togetherness and batteries, a great (maybe too great) solution is a dimmable headlamp with rechargeable batteries which charge from a USB port or something similar. They tend to get excellent life on a charge, and being able to dim them is nice so you don't have the flood light on white pages effect before they're going to sleep.

All of my kids have one and I've never needed to swap batteries or remind them to charge them. They take them camping, too. They're a great thing to have handy.

I used to stay up all night to read, too late for my own good and my parents eventually started taking away every light source at 10pm or so (that's when I was less than 11, so it was really late enough).

I ended up collecting toys that glow in the dark, I would recharge them until 10 next to the light, and managed to read with them for a few minutes more (not much longer I guess). Under white bedsheets I would have enough light to be able to labouriously read sufficiently large-printed letters.

I guess my point is just that some kids absolutely do need some limits even for reading and other "good" activities, and they will use any means they can find to work around the limits you give them.

The other answers are great 1. Keep the devices out of your kids room 2. Control access via Apple’s parental controls (like you already do) and also via NextDNS which allows excellent filtering controls (time of day, content, etc).
Coincidentally, I just emailed our school board about this. Our district claims to support BYOD, but has no documentation.

As parents, we should be able to determine what our kids have access to based on our own family values. No two families will be the same.

The idea that elementary or middle school children can handle having unrestricted (or minimally restricted) devices is absurd.

BYOD is partially a terrible idea. They shouldn't be sending kids home with devices. What about parents who object to technology screen time?

Could we not invent a religion, say Reformed Mennonites, that objects to children using screen devices? How could they argue with that?

>What about parents who object to technology screen time?

As in, completely?

Then those parents should realise that they're severely hampering their kid's education and development in a screen-focused world, and set more reasonable restrictions.

I’m guessing the Amish have way higher SAT and lifetime income stats.
I was able to use unspecific religious and cultural preferences to get my school to allow BYOD, after many other attempts failed.

I think there’s some value in having a modern, atheist, philosophical church to yield positive bureaucratic results. It reminds me of the early internet’s Church of the Subgenius [0] and people playing around for lulz. I had friends who were ironically Satanists and still have some who claim to be Discordians, but I think that’s just to mess with census takers.

[0] https://en.wikipedia.org/wiki/Church_of_the_SubGenius

Real US church with a long history, prominent historic members (John Adams and family) and a rather open attitude towards the existence of God/gods: the Unitarian-Universalist Church. My agnostic childhood best friend sends her daughters to various youth programs there, and she and I are both recovering Southern Baptists (I went a more middle road: Episcopalian). She really likes their relationship and sexuality education series for teens.
(comment deleted)
> devices that our school board issues to my children

Why is the school issuing anything to students? It should be your prerogative to outfit your child with whatever they need. School can ask for minimums (a pen, a notebook, certain textbooks, etc.) but they should not be issuing anything themselves.

Because a lot of parents are really not well off. Buying laptops, ipads, whatever is an expense they just can't afford. Pens, notebooks etc are cheap.
Aren't the devices ultimately paid by the parents anyway, though? I guess it depends on how the school is funded but around here it's only private schools that provide devices, so the funds come from the parents.
Property taxes pay for schools and school computers so people are ultimately paying. But school issued helps with parents who can’t afford laptops or tablets, and I think this can be a good thing.

I just wish schools were smarter.

I think iPads are probably the most durable, but they probably need a specialized teaching device like a new version of OLPC.

Since thus far all solutions proposed have been technological or taking devices away, I would suggest "parenting". Talk to your child and convince them. Them "having access" is not the problem (they will have that everywhere). It is how they overuse that access and here is where a parent should do their job instead of trying to hide the problem by removing access.
YouTube shows up everywhere, and unless you dns block it, there’s always some way to get sucked into the rabbit hole. Google.com, DuckDuckGo, all the search engines make it possible to watch YouTube without it showing up as site:YouTube in parental controls.

Yes, there are useful videos, and that’s why it’s not hard blocked.

But the lure and attention tuning of Minecraft videos, other gaming vids, and whatever else is at the top of the list now is just too strong.

(Btw, assume for these purposes that restrictions at some level are necessary, and that any response with “just” in it probably has been considered and doesn’t work)

I have timeboxed access for devices controlled at the router - kids devices are blocked after their bed time, and all devices are blocked after midnight (which has been a good thing for me, too).

It doesn't stop them from playing a local game, but the removal of the internet seems to break most of the desire to use devices inappropriately.

This was a big issue for me. My school wouldn’t give me visibility into the laptop, they wouldn’t let me set screen time controls, wouldn’t let me tune content filters when they were out of school, wouldn’t let me install apps that I purchased, wouldn’t let kids message parents, and wanted me to sign these blanket “we can capture all data, including camera and microphone, sell it to whomever we want, and do whatever we want with it” waivers.

Aside from teaching kids to be slaves to sysadmins and kind of crushing the coolest part of computers, they were basically making kids take care of these expensive bricks. And that’s a lot of work for an 8 year old.

I think it’s more due to stupidity than any agenda, but still not something I want to be involved with.

I bought cheap refurbed macbookairs that sync to screen time controls with other devices, have pretty decent privacy controls, I have root school doesn’t, they can message me and other family members, and the battery lasts two days. The school didn’t like it, but I had to make a stink and said either this or do special paper assignments. My kids were embarrassed but now appreciate just putting their laptop into their backpack instead of laptop plus charger and charging it all day.

The school still issues their laptops some days for exams that will only run on their equipment. Whatever that means.

As others have suggested, simply taking the device after bed time is probably your most bullet proof option.

In lieu of that, setting up rules on your router or firewall to disallow all network access to their IP addresses after bed time. Better yet, to all addresses not on a white list.

Might occasionally be a pain for overnight updates though.

I got my start in computers figuring out how to play games on school computers.

No class or degree could have taught me as much or been as valuable for my career.

Educators shouldn’t try too har to win this arms race. Losing is also winning.

As with many here I'm sure, during "computer lab" I was often done with assignments quite quickly all through school.

The teachers rarely had any extra work to assign me so they pretty much gave me carte blanche to use my time however I wanted as long as it was on the computer.

Great memories of trying to skirt school "blockers" in order to get to gaming websites in high school (this would have been in the early 00s). Glad to see this spirit is still alive and well and probably even moreso now than ever.

I once got suspended because I figured out how to bypass my schools lockdown policies on the computers in the lab and wouldnt tell them how i did it.

(Hint: i learned they kept the "bypass" code in clear text in the registry, and later simply killed the processes from a command prompt with a batch file).

I also had a small apache server and ftp box i would tunnel though or get executables from i wanted to play (like pinball, the monsters blocked pinball). Since it was the very early days of the internet my morning routine generally consisted of waiting for folks to leave, firing up the server and taking over the fax line for the day and getting the IP before heading off to school.

I used a scheduler (probably cron, i dont remember) to bring it all down around 3pm before my parents got home.

Did they ever notice anything amiss with the phone bill?
My pops was in sales. The fax line itself was a write off. That said, at one point he told a colleague to fax him something and he would pick it up at home and it was busy, which got me busted. Mostly the fax line was used then for him to send his receipt scans into accounting though.

I was grounded for that as well. But it was also near/around the time that broadband/docsis was rolling out so they moved to it at some point soon after.

My tech inept dad was what got me into tech honestly. He had a nack for turning off the computer by just holding the power button back in the windows 95 days. Eventually he corrupted the thing, blamed me and forced me to "fix" it with gateway support. I ended up searching up how to install an OS at the school lab, and just re-installed windows for him and stopped using a computer at home until i could get my own.

oh man I remember the days of converting gamespy.com's IP to octal to get around the school's firewall block thing

Hell I even made a counter-strike map of the campus and surrounding suburban downtown where the terrorists bomb the school's proxy server so the students can have unrestricted internet!

Man that would have gone over so well nowadays...

edit: or the time I got around their EXE blocking by changing a bunch of strings in UnrealTournament.exe to look like Norton Anti-virus. Got a couple weeks' suspension for that!

The network admin (a friend of mine) told me he gauged his skill as an admin by how quickly I was able to break past whatever blocks he had in place.

I always made the exe look like mspaint
> edit: or the time I got around their EXE blocking by changing a bunch of strings in UnrealTournament.exe to look like Norton Anti-virus. Got a couple weeks' suspension for that!

OMG That's awesome!

This game of cat-and-mouse has existed for at least as long as I've been in school (21 years ago). Back then it was calculator games, finding an unblocked flash site game, or booting games off USBs. One of the best weeks ever was when we got Unreal Tournament (the original) to boot off USBs and work on the LAN. ~20 person in-class deathmatch games were wild.
Ahh, reminds me of the old days playing Doom in my school's computer lab.

Good times.

Good time for me to finish my DEFCON talk: Spoofing UEFI to play Fortnite on a Chromebook at 60FPS :)
So many good memories here, like making a website that curated flash games on unblocked domains and sharing floppy disks with emulators and a ROM or two.
I kind of miss the days of school-sanctioned educational games, like those from MECC / The Learning Company. Of course the quality varied, but it made sense as a reward for finishing an assignment, where it could still be fun, but still be educational.
Playing Gizmos and Gadgets on the old IBMs token-ring'd together at school was where it all began for me and computers :)

EDIT: One teacher even had an Apple II with "Touch the Target"

Really makes me feel old thinking about it now-- it wasn't really THAT long ago but then again I guess it was.

I truly miss Number Munchers haha. We played until the game crashed because the computer running it ran out of memory. Somewhere around n=13 for the prime number version (the only version worth playing). Probably because at that point there were too many monsters on the board.
Good for them. As long as it's not dangerous, I'm on the side of the kids on this one. And it looks like there are plenty of adults supervising the situation to keep it reasonably safe (it is the internet after all). The kids are going to learn a lot of useful skills and develop a fascination with computers that will stay with them for years if not their whole lives.
My generation was writing games on school computers. Now they struggle to play them.

Kids these days! Happy to consume content endlessly. It has to mean something.

{ Old man shakes his cane at young people. }

What percentage of your generation was actually writing games on school computers? 0.1%? If that. That number is definitely higher today, given that they have computer programming classes in schools now.

I get that you're trying to make a self aware joke about your comment with the old man shaking his cane. But this comment really is completely out of touch with reality.

I myself got into game programming by moding Quake and StarCraft. I’d guess a ton of people who ended up as programmers did this. So I think you’re right almost no students did anything with computers, but I’d say easily 50% of people who could code at all tried to make games and often school computers were all we had. Thankfully the computers had unbelievably bad security so it wasn’t super hard to get stuff going :)
I guess I didn't see the comments from others about creating games in their youth. Sorry for being so out of touch!
Back in my day it was easy: Mac OS used the 4-character "creator code" to check what applications your user could open, so you just set the creator code to a known allowed one and could run anything you want.

Of course you don't have access to run ResEdit, so your bring your own copy of that on a flash drive with its creator code already fixed.

"RASM" was my go-to. That was the remote access status monitor, and any user account had access to it.

For the less technically inclined, you could create a custom "Launch Application" toolbar button in Apple Works (or Claris Works before that). It would give you an error that you don't have permission to launch the application, and then it would open anyway.

There was a while on our school macs where they were doing application restriction by directory instead of by executable. The Rosetta Stone folder in particular was a popular place for people to run stuff out of.
I know I'm picturing a technology will solve education problems, but...

...can't we fund some amazing games that are... educational?

Kids are very smart and if they get a whiff that a game is trying to teach them something, they won't find it as interesting as a shooter or platformer. This probably varies by age, but I've got a third grade boy and I can tell you that's how he is.
So... can't we figure out how to make a shooter or platformer... which also teaches?

And not as some clunky add-on to the side of a game...

...but like, reasonably a part of the game.

Just let the kids play games in foreign languages. That's educational enough for me.
When I was in the fifth grade we got a few G3's in our classroom. We were supposed to rotate small blocks of time throughout the week so we could have "research" time on them. I was the one who found CroMagnon Rally, Bugdom, & Nanosaur. They didn't let us use them much after that!
I learned how to program as a side effect of modifying games and then programming my own.
> “One kid kept opening up game sites” said one high school teacher who asked to stay anonymous, to protect the identities of their students. “I would wait for them to open one, add it to my list of blocked websites, refresh my settings, and then they would get locked out of it. Then they would open a new tab, find a new game site, and the cycle would repeat. This happened over and over over the course of about half an hour."

It strikes me as strange that the schools are playing a cat-and-mouse game rather than simply disciplining the students caught playing games or accessing these sites. Loss of privileges or so forth for violators would serve as an actual deterrent rather than encouraging students to simply find new ways to get around the block.

Taking computers away means they can't use them for their intended purpose either. It's just going to be a bigger mess (if the alternative is less work, every kid will try to get banned) and end up with the headache of parents getting involved. My high school didn't punish students unless they did something really bad (someone I knew got in trouble for printing off porn).
Or perhaps the lesson is that technology in the classroom is distracting more than it is teaching and we should use, say, paper?
what I don't understand is why they are working with a blacklist and not whitelist?

Sure kids would find ways to do something else or play the same way they use collaborative editing to chat but I don't even understand the purpose of letting them browse the whole internet during a class.

At least at the school my kids go to, the staff is basically not allowed to discipline students for minor infractions.

There were kids leaving trash out after lunch, and one of the staff had the worst offenders pick up trash before leaving the lunch room. This practice was banned because it was "degrading."

That's just the most recent story, there are dozens others like it.

More on topic, we got a letter from the teacher that my son was playing games. I said "why not just take the Chromebook away when that happens?"

The response: oh we can't do that.

When I went to high school we used windows XP. I took an accounting class that used Excel and by some keen insight and nifty use of formulas and copy->paste values, I was able to get down with in class work exceptionally fast and often had a good hunk of time left over.

I decided to play a SNES emulator in my spare time, on a USB stick. I had to sit towards the back. But the machines were locked down and I couldn't run any plain old .exe I had on a stick. But XP had a zip file view, and I could launch the exe from there. The last thing I needed to do was preconfigure saves and the controls to point at the correct thumb drive letter since it was different at home than it was at school.

Now I've moved on the real world, but that time of mindset sticks with me. That software doesn't do what you want in an automated way? Surely there's a way to do that. Autowiring JSPs in a mixed Spring/JSP legacy java app, writing custom jenkins plugins, a custom code coverage library to performantly calculate code coverage against minified JS, etc.

Many aeons ago, someone at my school worked out you could download the Halo trial on to the school PCs and play anyone on any other school PC over the LAN. Entire classes of IT students were just sat playing Halo every lesson. At one point the teacher even gave up trying to get everyone to stop and just came round and watched everyone play it lol those were the days
I've been teaching my nephew how to code using Scratch. He told me that they blocked Scratch at school because some of the kids were using it to play games during school. Kind of a shame, because it is a great way for kids to learn how to code.
"The culture of no" demands obedience and forbids anything remotely fun.

Lazy pencil pushers kill kids' curiosity before it begins, footgunning their entire purpose for being.

C'mon ... the reality is that teachers need the kids to concentrate and given a choice between doing work and playing games, the games are likely to win. Teachers are being put in an impossible situation.
I have quite a number of fond memories of how we hid pokemon blue and gameboy emulators on every machine in our school's computer lab (from around 1999-2003).

We were also the kids who were the most into computers at the time, and eventually the teacher realised that if they were on our side, they could use us to help teach the other kids basic computer skills (office, etc), by using games as the incentive.

If you can't beat them, have them join you...

Edit: We have reached max depth it seems, so I will just update stating that I suppose the change in the scene is quite drastic. Back when I was in school, maybe 5% of the class were computer literate. I felt like a god in that place, being able to help the "smart" students do basic things like creating an email address.

The fact that the teacher doesn't see this as an opportunity is what surprises me. If the work is so boring that kids would rather play games, then use gamification to exploit this behaviour.

I don’t see how that applies here. It’s not just a handful of kids that are most into computers that would rather use their devices to play games at school than do school work.
Same era and outcome from our computer shenanigans. We ended up being enlisted to set up new computer labs etc. We even got some of the old network hardware "gifted" to us, which eventually let us run lan parties.

In a little Aussie country town, getting computers linked together was a huge boon to our gaming horizons.

I think the premise here is that curiosity is the source of learning. Without it, students are just going through the motions. Learning becomes a form of drudgery. Cleverness emerges as method of solving the meta-problem of institutionalism. Švejk-like behavior becomes the norm where passionate learning could have been cultivated.

Under these premises, teachers in standardized environments are already in an impossible situation.

Well kids don’t tend to be great at thinking about long term consequences or moderating their time spent having fun, so how would you have the lazy pencil pushers handle the problem of kids being distracted by games at school?
Using Scratch to create programs is one of those cases where a kid can learn and have fun at the same time. Sounds like the best possible sort of activity to encourage at school. So what if the programs are games?
Absolutely, creating games is a great learning activity for school. But, if it was blocked, I’m guessing the issue is that most of the kids were just using it as another gaming website—just playing games that had been created by others. But I’ll admit, I only have a general familiarity with Scratch. Perhaps the scenario I’m describing doesn’t make sense/isn’t how Scratch works?
Scratch is great - such an excellent introduction to coding.
Try Snap as well. It's like Scratch and has the same learning curve, but has more features (functions, 2D arrays, hashmaps, local variables, recursion, string manipulation, etc.) that make it more suitable than Scratch for more advanced computer science concepts if the student wants to speed ahead. It could be used all the way from elementary school through high school without running into serious limitations, if an instructor wanted to.

https://snap.berkeley.edu/snap/help/SnapManual.pdf

Similarly, my attempt to get my son started on simple HTML was stranded by his school disabling the "developer view" in Chrome. I suspect the simple reason is that seeing the source allowed you to cheat on some of the educational websites the teachers use for assignments.
We had something like this but for French. The website was used for real tests and assignments but the answers would be loaded somewhere even if the test/assignment would not show you if you got it wrong.

So we made a Javascript one-liner that would retrieve and fill in the answers.

The first edition also submitted them but the teacher could see how fast you completed a test so we removed that as students who normally could not pass the test suddenly had 100% and in 5 seconds of time.

In the end, manually removing, answering some answers wrong and waiting to submit made that class a breeze.

Too bad my French is now very bad but that wasn't something youth-me thought of at the time.

Had the IT apprentice at my office disable dev tools on Chrome. They didn't realise that we, as web developers, used them.
Back when I was 14 I interned at the local department of transportation office doing IT, which at the time meant creating filemaker databases, scanning and manually entering lots of forms, carting massive CRTs and desktops around, and deleting viruses from civil engineers' computers.

I still clearly remember the day I was showing one of the other interns an application I wrote in visual basic. I was quite proud of it since I was fairly new to programming at the time, and I had been working on mastering GDI. If you know what GDI is, you can probably guess where this is going. It was what game devs call a "map editor", where you could take a palette of images and place them around in a grid to author scenes. This was during our lunch break.

One of the supervisors walked over, saw something "game-like" on the screen, and angrily unplugged the PC at the back. (Good thing I didn't have any important files open.) Once I explained what it was he wasn't angry anymore, but he didn't apologize.

So I guess "no fun allowed, even if you're learning" is a pretty old mantra everywhere.

god forbid anyone actually learns something at school
The ability to play games is what makes it so good. It provides an incentive to learn the tool, and then an incentive to try to alter the games written in it.
Maybe the problem is the reliance and substitution of glowing screen distractions for fundamental teaching. Take the devices away for most of the time.
Back in my day, we had a room filled with 386 and 486 machines running windows 3.11, we'd bring floppies from home and boot them to dos to play, it was great and teachers encouraged it. I guess things have changed.. For one.. Kids no longer get to experience the joy of "going to the computer room".. Or later, the thrills of networked delta-force matches during lunch at the library.
No, now they have more computer power than that entire room sitting in their pocket. Very different times.
and yet that power has been tamed, dulled, to the point where they can do even less with it
> Shell Shockers doesn’t make a ton of money—Kapalka pegged its quarterly profits in the “low seven figures”—but it is profitable.

Several million dollars in annual profit? That's a pretty decent haul, considering the size of the team!

A school IT specialist told me about a clever student hack. Their school blocks all sorts of traffic, but teachers can allow exceptions via a password.

One student installed a keylogger onto his BYOD laptop (many schools allow kids to bring their own, or use a mediocre school-provided device), and then made up a plausible excuse to hit the firewall (e.g., doing a report on anatomy, but innocuous site was blocked because the word "breast" appears).

Then the student presents the laptop to the teacher, who types in the exception password. Since the keylogger is running, the student can now grant himself exceptions to his heart's content.

The school eventually figured this out. It's not clear how they avoid the situation however; do you tell teachers never to grant exceptions on student-owned devices?

There are plenty of better ways. You make the student auth in some manner then grant an exception from your own computer.

Entering the password on the student’s BYOD is pretty stupid

Wholeheartedly agreed. Even if the student has the absolute best of intentions, you have no way of knowing that the laptop doesn't have say, malware on it.
Usually these sorts of passwords are single-purpose just for getting around mundane firewall blocks, so they're not that critical.
So then what? The student just can't go ahead with the assigned task? This probably happens like 20 times a day for them.
> Entering the password on the student’s BYOD is pretty stupid

I wouldn't say it was stupid of the teacher to enter the password, given the amount of technical expertise that elementary school teachers can be expected to possess.

The blame should probably go to the person who set up the exception-granting system, who should have used a system that doesn't involve authenticating on a non-trusted device.

I didn't read it as "it was stupid of the teacher to enter the password" but rather "the system making teachers enter the password on that computer is stupid".
Yes that’s what I meant. I totally understand the stress teachers are under, school funding challenges etc
If teachers are to be trusted with the password then they need training on how to protect the training. And a simple “only enter this password in secure locations” is necessary.
> It's not clear how they avoid the situation however; do you tell teachers never to grant exceptions on student-owned devices?

the target of the exception and the device granting the exception do not need to be the same device necessarily. if you have that figured out then yes only allow password entry on locked-down devices.

TOTP would do well here for this case for a really simple path forward - but then having the student login themselves and the request be formally logged and allowed via not-their-computer would offer a bit more scaleability and auditability
> TOTP would do well here for this case

Indeed: this is almost exactly the attack type TOTP was designed for.

The idea was that if someone intercepted your network traffic and captured your password, it wouldn't do them any good without also having your code generator.

It turns out that if you have a live MitM connection there are ways around that problem, but TOTP is still helpful against other attacks.

I agree that for this situation, it's probably better to focus on detection than bulletproof enforcement.

> The school eventually figured this out. It's not clear how they avoid the situation however; do you tell teachers never to grant exceptions on student-owned devices?

Make it so the firewall exception process on student devices gives a 6 digit code which the instructor enters into a staff-only interface on the instructor's device, so that the process always requires input on both a student and an instructor's computer.

This requires two devices to have working internet, which is often not the case at schools. Teachers are computer illiterate, to boot.
To be fair, TOTP works offline.
>do you tell teachers never to grant exceptions on student-owned devices?

Yes. This is correct from both a security and educational perspective. What kind of example does the opposite set for children?

I run a pihole and clients can request an exception and then I grant it on my own device.

Having root type into someone else’s machine that they control is a total noob move and it’s funny the teacher fell for it.

Of course since the student is using a custom machine it’s likely they have a specific ip, host name, and traffic pattern that can identify them (eg, look at the requests across 7 different classrooms and find the single student that’s in all of them before the password spreads too much). Then they can intervene and punish the kid.

Keyloggers aren’t particularly clever or “hackery” and are just a social engineering hack so it’s more malicious than exploratory.

But I’d hope the school doesn’t crack down too hard and instead uses it to teach kids that if you want to be clever you have to be very clever.

Don't worry about blocking it via firewall; just log traffic, make it against the rules, and punish kids when they're caught?
Have you met kids before? You'd never get any actual educating done if you were busy constantly punishing them for things they did first and thought about later.
To do it the lazy way: 1) change your password to hunter2, 2) use hunter2 on byod laptop, 3) revert your password.
That doesn't sound like the lazy way to me!
There's actually many solutions to this.

>You can use certificate based authentication instead of password based. Certificate based authentication COMPLETELY prevents this attack because the student's computer never sees the private key which actually authenticates the teacher to bypass

>You can use time based one-time passwords/HMAC instead of using certificates, with a teacher pulling up an app

>You can have the computer have its password managed by a centralised store which has the ability to rotate said password. When the teacher needs to unlock a computer, they request that computers password from the centralised store, and after it's used, the password is then rotated.

>What I would recommend the most, is just giving each teacher their own credentials and sending the teacher an alert when their credentials were used.

You could easily lock this down, but I honestly don't think it's a good idea. I think using weak security measures actually has a merit, as it grants the teacher some degree of flexibility in how to deal with things, and it grants the kids a greater degree of freedom and education in both what weak security looks like and how cracking security just because it's weak might not be the best idea.