766 points by aabbccsmith
14 days ago
Reminds me of a passion project I started in high school that went completely viral and took on a life of its own. Wrote a small script for my friends to check their AP scores a few days early. Required high schoolers giving clear text access to their entire CollegeBoard account so I could log on and scrape their scores. Somehow it got posted to Reddit and from that year on, grew wildly. Got to almost 2 million students checking their score in its peak year. It was immensely fun while it lasted (ran for about 7 years) and honestly I miss the thrill of it. CollegeBoard now releases all scores on the same day so the site is pretty much useless now. Definitely always looking to chase the thrill of that score release day again though.
Congrats on a successful end to a fun high school project! Stories like this are always fun to read.
You ran EarlyScores? Thanks for a tool that really helped my friends and I!
You’re welcome - Glad it helped!
Can you elaborate on the approach? This sounds really interesting but I don't quite understand from reading your comment and https://earlyscores.com/about/
I think I remember paying some small amount of money (flat fee irrespective of # of years, IIRC) to get my scores quicker via a phone call in 2003, 2004, 2005. Perhaps I would've been better served by your EarlyScores.
The approach was fairly simple: access to the college board’s website was geo-IP restricted for about 5 days time. It would start with a small collection of states, and each day over the five days another group of states would get access to the site starting at ~8:00am EST. I would get a few AWS/GCP/DigitalOcean nodes in a DC that had an IP in a state releasing on the first day. Put a small JS script on the nodes that would use the username and password input from students to sign in to their Account and send back the scores. Basically just a proxy without the need for configuration.
Probably wouldn't have helped.
> In 2014, with my first AP courses under my belt, I anxiously anticipated the release of my AP scores. What I realized at that time was that scores were rolled out by the College Board over a week’s time, and my AP scores would be accessible on one of the later dates. The need to see my scores on the first available date spurred me to create EarlyScores.com.
I remember that kind of thrill. For a while I ran a tool for Etsy before they had an API, circa 2007. What they did have was AMFPHP, powering their flash toys (treasury, etc). I used it to allow sellers to see their sales stats.
Even went to the Etsy office in Brooklyn at one point and had a chat about it. I think some of the team was a bit bemused that I'd essentially extracted a large amount of data. But they took forever to get to the point of having an actual API (and I was one of the early users of this as well).
Eventually it became unsustainable and I shut it down, but it sure was fun having people be passionate about using it and sharing it.
Epic stuff, and I think this experience may well be more valuable than the homework you avoided. Basically you did harder homework in order to avoid easier homework.
The problem is letting other people use it; of course it's nice to help people, and it's altruistic to do so for free, but some of those people might actually need this homework to learn, and you may have deprived them of that. (Although I also think watching a video and doing some multiple choice questions is the laziest low-effort homework assignment there is, and the damage may not have been all that big.) But you used logic and programming to work around a math problem, which are roughly in the same field, so I think that's fair.
A slightly similar situation: my previous job was at a bank, and banks over here are bound by all sorts of ethics and rules, and are required to regularly train all their employees in balancing the interests of customers, society, and the bank. This bank did that by gamifying it: we had an app where we had to answer all sorts of ethical questions and make sure our score in the app was over 70% at the end of every month.
A coworker used our testing framework to access the app, answer questions randomly like you did, and store the correct answer to use next time. It apparently worked very well, but using tech to avoid ethics questions is quite a different issue than yours. (He shared it with me when he left, and I tried it, but it didn't work for me.)
> The problem is letting other people use it; of course it's nice to help people, and it's altruistic to do so for free, but some of those people might actually need this homework to learn, and you may have deprived them of that.
This, when the scope is limited to yourself, it's very different from when it impacts others.
Back when AOL Instant Messenger (AIM) was super popular, I was in university and had read about ARP poisoning. Our school was pretty cheap, so all the dorms had hubs instead of switches. This meant that it would be, theoretically, possible to ARP poison an entire dorm, MITM attack and read all the text being sent on AIM since it was sent in the clear. I had a bit of a cyber security passion lab in my dorm room, so I wrote a PoC and ran it on a LAN air-gapped from the rest of the network. I proved that it should work for myself, having confirmed that similar cleartext messages would get passed to the machine intending to listen in between two other machines.
I told my classmate of my project and he expressed interest, so I gave him a copy. Fortunately, I didn't add any authorship info, mostly because I forgot to. I did caution him that ARP poisoning is a pretty "noisy" attack, and someone who was paying attention would notice it. He foolishly ran it on the university network, and confirmed he was able to see AIM messages flying back and forth for all the dorm, as well as all the other traffic. It didn't take long for our school's IT to notice that one dorm was funneling all traffic through one machine. A week later he was banned from having a computer in his dorm room for a school year. Thankfully he never gave me up, admitting it was his stupidity that brought it on himself, but nevertheless it was a lesson learned - if you're going to play in the grey space between ethical and not, do so responsibly and don't share the exploits with others.
> you're going to play in the grey space between ethical and not, do so responsibly and don't share the exploits with others
Aka "don't get caught".
One of the times I got in bother at the first university I attended was because I kept logging into their production servers as the root user every morning.
Their admins had left a few glaring holes open that I'd patched (and evicted some fellow travellers), but I kept their SSH keys to explore a bit.
One morning one of them happened to peruse the SSH logs, and spotted a pattern where someone on the student network was logging in every morning.
Didn't take them long to work out something was deeply fucked, and they cut my network access before pulling up the contact info they had on file for me and summoning me to their office for a bollocking.
Luckily for me they figured it would be better for their job security if they kept it purely informal as opposed to notifying the university proper and having me face a disciplinary committee.
They never rotated those ssh keys, and I learned the "don't get caught" lesson as opposed to the "don't do this" lesson.
KPMG got fined $US450k for this kind of behaviour. If I recall correctly, employees kept the answers to the mandatory compliance training tests in a document on a shared drive.
Well, then I guess it's good that I didn't share it with anyone else.
The university didn't take kindly to that. They accused me of trying to take down the co-op system and threatened to sue me for copyright infringement. Since I linked into their system for job descriptions, I was able to show that the data I actually had (company, title, location) wasn't creative work and therefore not copyrightable. I also had some friends in the university faculty and staff who spoke up for me, since I had reported security vulnerabilities in the past, indicating that I wasn't acting with malicious intent. In the end, I just had to take a business ethics course, which I probably would have taken anyway.
So you made a tool to make life easier for you and your fellow students, and rather than congratulating you they threatened to sue?
Yes, that's how institutions operate. Seeing Like a State is the classic text on the subject.
Sounds like WaterlooWorks.
To me, it sounds more like the old system that WaterlooWorks replaced (JobMine). JobMine was just Oracle/PeopleSoft's PeopleTools under the hood.
Some of my friends who graduated earlier told stories about how JobMine at one point accepted resumes in HTML. Of course, this also meant that it was vulnerable to XSS attacks. The eventual fix was just to only allow PDF resumes.
Yeah, you're right. I was blanking on the name of the predecessor.
Haha, it was JobMine!
Right from your first sentence I was thinking "I bet this is JobMine"
It still blows me away a school filled with CS people had such a god-awful system. Then again we are CS people and not UI/UX designers.
I worked with a guy who was previously a big state university buyer/administrator. He said that Oracle charged around 1% of retail prices to the university.
I did “information security” at a community college and learned I could find sites just by googling answers. These sites were behind a paywall after the first few answers but if you viewed the source you see them.
So I wrote a python/selenium script to search google and dump all of these answers for my weekly homework. Then I’d bang out all of my classes in a few minutes.
I knew just enough about networks, security and building computers from my childhood I never got worse than a C on a test.
It looks like JobMine Plus is a project that started after I graduated. From what I gather, the university cancelled their own JobMine replacement project around that time and finally relented in letting students take a shot at improving things.
Awesome story, and good response by Hegarty. It reminds me of something similar (but with an opposite response), where an intern who worked at Replit built a basic repl site (not even a clone) but was threatened by the CEO that he'd be sued.
I always remember that story and is the reason I’ve boycotted replit. This dude let the smallest amount of success go to his head and immediately started acting like a tyrant.
The threat of suing very much loomed in the background if they did not cooperate. Hegarty is just more slick, buttering them up with (well deserved) praises and attention from grownups to get voluntary cooperation.
I didn't really get that vibe, especially when we called Colin. He was super friendly. But then again, we didn't want to test it and we complied immediately =)
Diplomacy often comes across as friendliness. I've been in situations where I've not acquiesced and seen how quickly things can change. As they say, don't take friendliness for weakness. Wonderfully managed by all parties though.
Yeah, chances are Hegarty was actually impressed and alarmed, and the best way to reconcile both of those was to befriend this kid, share the info so that HegartyMath doesn't get damaged from the leak, and send some praise their way for identifying a glaring security and utility issue in the app.
Thanks for the casual misogyny.
Wow what a dick. Yeah they backed off after the backlash but that shouldn’t have happened in the first place.
I’ll use Codespaces next time
Everyone has to start somewhere. These young lads “worked around” couple of educational platforms. 35 years ago I was hex dumping ZX Spectrum game saves and disassembling the program files to get more lives, infinite lives or just more ammo or whatever. That seemed easier and more interesting than getting good at games themselves.
I sometimes wonder if that kind of “not approved” intellectual curiosity can be used to augment education. Sort of like having old school alarm clocks that are designed to be disassembled.
I did the same thing with Bolo on an Apple ][e - I never got very good at the game but I dumped the assembler code for the whole thing onto greenbar paper and marked it up with highlighters. Then gave myself infinite lives, made the maze walls penetrable, made myself invisible to the robots - all kinds of stuff.
The penetrable walls were the best, because if you drove your tank off the map, the graphics renderer would just look at whatever memory happened to be specified by your impossible coordinates, display eerie shifting structures that were the working memory of your code, and pretty quickly crash the whole machine writing the tank sprite into god knows what.
That was a fun summer. I wonder if my mom still has that greenbar printout in her basement.
When I was way way younger, I mucked about in our school's computer library and the network security (or rather, how the permissions were set up) until I figured out a way to run and share Halo and Soldier of Fortune 2 off of a networked USB stick (or maybe I just copied it to my computer and then shared it off of the HDD, the memory is pretty vague). This is back in the XP days.
It worked pretty well and we had many a play session with 10-16 kids, alt-tabs were pressed, until somehow they discovered we were playing games, and then a bit later they found some residual files that had my account as the initial creator set on them.
I got a 30 minute dressing down talk from the IT head, then again from my mentor, and then again from the 'dean' (our school system is a little different). Then I had detention after school for months.
No one ever asked me how I actually bypassed their network permissions. When I found another exploit weeks later, I never used it, but I also never told them.
That's a good point, you're definitely on to something I think. Reversing classes at a young age would be super engaging for kids as it's "not something you're supposed to do"
My mother is a teacher for ages 7-11 and I help out with her IT curricula sometimes. I think I might do some reversing with her next time I am with them!
Heh, I still use game trainers for games that have annoying grinds. The Assassin's Creed games come to mind. There is no way I'm spending 150 hours on grinding just to progress through a level gated region of the map.
Some people just want casual gaming and having part of the map locked off forever is depressing - in my case, Forza Horizon 5, never bothered to do the grind, just drive around aimlessly, but I want all the cars and interesting places to be open. Maybe a "casual mode" setting?
When I was 6 years old my older brother showed me how to use Copy ][ Plus/Edit (what was it called? This was 35 years ago) to edit my characters’ stats in the Bard’s Tale and other games. I’d learn to search for specific strings like a Character name and then twiddle bits to change level or whatever.
It made no sense to me until HS where I started to understand how I was editing a Data file, and more in college when I learned assembler.
I fondly remember playing Bard's Tale on one computer while using the other one to edit the character files and reverse engineering all the item codes and other statistics. Good times.
Hex-editing save game files to cheat at Civilisation 1 was what got me into open source, where I started working on improving the hex editor I was using, frhed, which was GPL.
I've been doing something similar but in the pursuit of graphics assets. Typical ZX Spectrum game was usually one blob of bytes containing everything it needed to run. I'd load the main game block into memory and run small assembly routine displaying a fragment of code on screen in a form of a window with dynamically configurable width and height. You could "slide" the window throughout whole memory block, which was quite fast, and eventually you'd find out something resembling backgrounds, sprites, fonts. Often they were of different dimensions, hence the dynamic window size. After few tweaks you'd find the offset and the size of assets and you could replace them easily. I'll never forget the Rocky Horror Show play-through with all the characters replaced with their other, rather obscene, versions. Well, not so mature when you think about it, but quite funny it was back then. If anything I've learned quite a few tricks about fitting a lot of assets into very limited memory.
I still do this on my iPhone. As long as you keep the bit count the same i.e. changing 12 points to 99 the code signing passes and you don’t need to do anything but edit the hex.
It sounds like you're saying iPhones have an easily exploitable code signing vulnerability. Is that correct?
That sounds more like a data format with length-prefixed fields.
Could you provide some more detail? Sounds interesting.
Years ago I was working at a multinational consultancy, and then they suddenly decided to block most of the internet except for a whitelist. We quickly figured out that the whitelist worked with keywords, and since we were programming in java, java was one of the keywords, so if a url was banned, we could access it by adding ?param=java. As twenty something year old developers, we said, challenge accepted, and we built a GreaseMonkey or TamperMonkey script that when it couldn't load a page it would reload with the param added, and rewrite all the links and img tags to also add the param. Soon after that the system admin guys gave us a proxy config to bypass the whole ban, but it was fun to do it anyway.
I had a very similar situation. For some reason using the python requests library didn't trigger the company filtering, so one afternoon I built a little proxy. Handy when something random was blocked.
Ways back we got a penalty when we did not do our homework which was called "Zapfen" in German language.
It's basically like this: You get a starting number, have to multiply it with 2, then its result with 3, then this result with 4, until you multiplied it with 9. After that you had to divide it by 2, then by 3, ... and finally by 9 and end up with the same number you started with. Sometimes even higher than 9.
Since our teachers understood that there are calculators and even kids like me who knew how to write loops in Basic code, they chose the numbers big enough to result in scientific format or overflows, so that at a certain step the precise calculation could not be done any more with a calculator or computer program.
So I wrote a Basic program which did multiplications and divisions the way you would do it manually with strings. From this point on I was only limited by the amount of memory, which wasn't an issue since my Amiga 500 had 1 MB of Ram.
But that’s weird, as 9! is just 360,000, 6 digits in decimal.
Assuming a pocket calculator has 8 digits, it would overflow only if the starting number was around 300. Was it like that?
I believe the answer is already in the comment to which you've replied:
> they chose the numbers big enough to result in [...] overflows
Rooting for you guys. If anything this should cause some people to question the very educational structure they've set up. If people are attempting to evade homework it's because it isn't interesting to the student, which hints at a deeper problem that the school/teacher/entire school set-up and structure needs to address. They essentially need to throw out everything they've set up because they're operating it more like a police state/prison "Ooo let's CATCH the cheaters! Let's CATCH the plagiarists! That'll show them!"
Instead of saying "What are we doing that isn't capturing the students interest in these tasks? How can we connect this subject to the students most meaningful, important, and immediate concerns and goals? What concepts from this subject can we teach the student that'll help them achieve those salient goals?"
The creators of these companies seem less concerned with actual long-term meaningful learning and more concerned with playing policemen.
Educational institutions need to be way more student-driven and student-concerned, allowing the student to shape their journey, as opposed to turning out cogs for the system like military training.
Alternatives exist like behavior analysis's programmed instruction, but even that needs a radical upgrade or integration with AI.
> If anything this should cause some people to question the very educational structure they've set up.
I played basketball growing up. Much of our practice was boring things like passing drills, dribbling drills, running, countless free throws. We all grumbled & complained - "Why can't we just scrimmage?" we'd ask. "I already know how to play the game, why do I need to work on these boring skills?"
I don't think I need to explain why this logic is flawed, and why our coach was in fact using the best methods to teach even if they were occasionally boring.
In the academic world I was very similar to these guys. I automated/cheated with tech whenever I could because I felt the grunt work was "below me" - fast forward to college and I realized how many fundamentals I had missed and struggled mightily.
In chess I drilled tactics puzzles, I drilled endgames, I memorized openings, I studied the game, all things typically considered less interesting than actually playing. Yet I never felt this was very difficult because I paced myself out, I skipped it when I was bored, I did extra when I felt more encouraged, I allotted a fixed amount of time to this sort of practice. I used spaced repetition software and generally optimised for actual learning of the skill.
The big difference with sports and games vs school is that in sports and games you are optimising to win the game, and in school you're optimising to pass an arbitrary test which only exists in the context of school. It's depressing for the same reason people grinding leetcode puzzles just to get through interviews is depressing. I've had to drill many pointless things over the years to prove to some authority that I'm willing to waste tons of time if they want me to.
The dependencies still need not be taught in a boring way. For example, if teachers did surveys of students strongest interests and goals, they can think of ways to 'inject' (in a genuine way) dependencies as stepping stones to their goals. "In order to achieve goal X, you need to know how to do Y, and in order to know how to do Y, you need to know how to do Z". Let's assume Z is the boring task. Just by connecting it in a sequence to the student's goals it becomes less boring because the student instantly sees the relevance.
Contrast this with "Do this" "Why?" "Just do as I say if you want good grades"
So in practice this would be "Ben, I know your most important goal is to become like LeBron James. LeBron James has this special trick that you like called X. He has said in the past that the fastest way to achieve this is to practice Y boring technique for at least 2 hours a day"
"John, your most important goal is greater flexibility. To be as flexible as possible, you need to do this other boring exercise more frequently 3 hours a day"
If the goal is important enough, they will go through it. However, an even wiser method is to frame it this way: In your brain you have the 'you-now'/thalamic/elephant part of your brain "Give me candy now" and the 'you-in-the-future'/cortical/mouse riding elephant "I have to lose weight". These 2 are always competing, but the 'elephant' always wins. In order to solve this, one has to research what is it that 'tastes good', and develop a diet that tastes better than the junk they already eat. If you do that, you'll stick with your diet long-term. Why? Because your diet is always the best tasting thing on the menu.
The dumb approach is to say "I'm going to force myself"... you'll burn out eventually. Reference: "Immediate Rewards Predict Adherence to Long-Term Goals" https://sci-hub.hkvisa.net/10.1177/0146167216676480
In other words, the higher-level abstract representation of this is both the 'elephant' or the 'you-now' has to be as maximally satisfied (given its range of options, the 'best' one is the most fun one), and the 'mouse that's trying to direct the elephant' or the 'you-in-the-future' also gets what it wants.
Put simpler: if you don't have fun, it will never get done.
Emphasizing relevance is in the spirit of just-in-time learning. To give an example, years ago, I struggled to learn programming for a long time. I'd watch 11 hour courses, and nothing would stick. "Today, for-loops, and conditionals..." In my mind: 'who cares? How is this relevant to the thing I'm trying to do?'
It wasn't until I found a meaningful goal and exciting project that still was simple enough, and broke it down into a series of 'google-able steps' that I finally learned and remembered what a "for loop" meant.
The irrelevant rote approach is not a good method of memorization or learning. More intuitive approaches which try to build on your existing background (reducing the friction), and your existing goals (increasing attraction), are more likely to help you remember.
Most people aren't going to be interested in what is taught in school. Is there a way to get such a person interested? Maybe in some cases, but not everything in life will be interesting and engaging. Sometimes hard work and diligence are simply required.
Fundamentals are almost always hard. There will always be struggle, just like working out is painful. It’s part of human nature.
Many people shy away from doing hard things and use words like boring.
There are strategies to make fundamentals more fun, but those strategies only work for a small subset of people. Other people look at those strategies and think they are boring as well.
TFA mentions the website creator actually congratulated their achievement, advised them and worked with them to fix the cheating problems. That's spectacular and not often seen.
I think most of these platforms are created in good faith. In the internet, we can watch millions of videos, chat with strangers all over the world, listen to basically every song ever made. What if we could educate everyone? That's a noble goal.
I think we could use a mix of both styles of education: boring exercises which are nevertheless important for learning, and these could be automated, leaving room for student driven learning where a teacher can guide and evaluate a student.
> Instead of saying "What are we doing that isn't capturing the students interest in these tasks? How can we connect this subject to the students most meaningful, important, and immediate concerns and goals? What concepts from this subject can we teach the student that'll help them achieve those salient goals?"
While this is not a bad question to ask, asking it won't avoid this kind of thing. Because it doesn't matter what the learning system is, or how good it is, many students will always do stuff like this if they can. Because it's fun. Because you get to stick it to authority.
Whether that authority is just or has your best interests at heart or is trying as hard as they can to do a good job is beside the point when you're young...
Very fair point. But perhaps if they did focus on those questions in the first place, they'd be viewed less as authority and more as friends.
I feel like this can happen with individual teachers that you have a personal relationship with. I don't believe it's possible with a company, no matter how "pure" the company's intentions were, even if they were not for profit, etc. At best, it would be a bit less likely.
I think it is telling that the first version simply skipped the mandatory 20 minute YouTube video.
Just provide a transcript! MathML and Latex exist.
In high school I was trying to make an app to scrape my grading system Skyward and ended up finding a trivial auth bypass that let me see anyone's grades. Knew the school would turn me into a villain if I was discovered even though I was on student council and an honor student so I emailed the principal and got a meeting with him. For some unknown reason my poc didn't work in the meeting so during the meeting I found a second auth bypass. They paid me $75 for finding the issue and told me to try to hack the teachers side of the system next. Lots more to the story if anyone's interested.
I'd be interested to hear more about the story! Would be cool if you wrote a blog post or something about it.
Definitely interested. Would you mind if we had a call or discuss over email and I can post it as blog or podcast
Between 2018 and 2020, I wrote a website that cloned the databases of a couple online learning platforms, and used it to skip lots of homework I should have done.
I wrote this at the beginning of the year, but never released it as I was never sure if I was missing details. I realised today there is no point in keeping it hidden, so brushed it up a bit and published it.
Btw, the repo that houses the blog is open source, so feel free to fork or whatever and use it as your own
Honestly kind of impressed that the HegartyMaths guy independently found this and then handled it without (explicitly) threatening to sue you.
The jump-straight-to-suing approach is to be honest a bit specific to the US. In the UK (like here) it’s more usual to deal with these sorts of things with a kind word, combined with hints of potential problems later.
They were champs! We even connected on LinkedIn with Colin afterwards and he actually offered us summer work but that fell through unfortunately.
He didn't pay you for the consulting time you gave him?
Money is vain. They got much more out of it and the post very clearly states that.
Congrats Alistair and Scott! This is an amazing story that made me remember my high-school days. As the authors, I was into programming from an early age, and high school definitely took the second place :) My grades ended up REALLY suffering when I got my first full-time role at a startup while I was 17 years old (parents approved) and on my last school year. Fast-forward many years and I don't regret a thing. I attended University of Oxford (despite my bad grades!) and I'm doing very well doing what I love.
Wish you both a very, very bright future!
Thank you! Alistair and I have been in startups since we were 15/16, and we've both now finished school and work full time in the startup space.
My grades definitely took a down turn the last two years, but I'm happy with my decisions and am loving working in tech!
I think it's fair to say most of us had our grades suffer. My GCSEs back in 06 were terrible, but no wonder, I spent most of my time hacking & writing code. I'm no worse off for it, and I'm sure you won't be either!
thank you for the kind words :) things are going well for us so far, so fingers crossed it stays like this! You've put a big smile on my face :)
Well done, and nice of you guys to take it down too.
I remember having some fun in high school when Windows XP was the thing and handing out software at school was done using USB memory sticks. I wrote a small program just to mess with classmates that copied itself to the machine when the memory stick was inserted and set itself to run at startup. It also copied itself to any USB storage that was connected to the machine.
The program didn't do anything other than connect to a server so I could add it to a database along with some basic info, just so I could mess with the right person. It was fun when a USB stick was passed around, and I was the first to get it. So I got access to the laptops of all my classmates and could mess around with them.
The problem was that it spread like wildfire, and in just a couple of weeks there were thousands of machines and it was spreading exponentially, with no way for me to stop it. That's when I realized that it might have been a stupid idea and that I should probably remove any traces of my involvement.
So you made the Morris worm but for USB. Nice!
Given the modern division of labour, people are more often than not an expert at whatever they do for a living.
It makes me think that high school is still too generalized. I think I only got to pick about half my courses and even those had to fit into certain bins. Couldn’t do too many tech courses. Had to have an arts course each year. Stuff like that.
If students have _any_ personal inclination towards any course we should enable them to take it without any bureaucracy. One of the most precious and fleeting resources is when a teen is self-motivated over education.
I'm not sure I agree. In the UK we kind of have that: 16-18 you can drop all but 3-4 subjects, with no restrictions. But as university courses often have specific requirements, that means you're pretty much deciding on your degree area at 16. That's a lot to decide so young.
Indeed! It’s important to push kids outside their comfort zones so they experience a broader menu of life and learning.
I’m not sure I feel too strongly about either of these perspectives.
Perhaps if we optimize this, we will just end up near where schools are today: a balance of freedom of choice and a mandatory exposure to many domains.
I sort of disagree there, since you don't necessarily have to decide on a career field as young as 16.
If someone takes Math, one science and two humanities, they can apply for virtually any degree program they want (maybe with the exception of medicine, since I think that's a little stricter).
Sure, your application to a competitive degree program at a top-tier university won't be as strong compared to someone who's picked subjects showing a higher level of commitment/resolve to whatever they're applying for, but it's fine for most cases I'd say.
Some of us decided younger than that. As long as there's no "you have to decide" push I don't see the harm in allowing it.
Couldn't agree more. Last line you wrote is * chef's kiss *
Ha. I had a homeroom teacher in grade 8 who would clip out the numerical crossword puzzle (basically like super-Sudoku) from the newspaper and give us a bonus mark if we could complete it by the next morning.
I was the kid who wrote myself a recursive descent solver for it in QuickBasic, of all things.
Heh...reminds me in my Algebra II class, we were being taught polynomial expansion. I had a TI-89 which would do it automatically with a single function, but that wouldn't show the work, so I wouldn't get credit for it.
So I wrote a program that would show the work.
I asked my teacher if I could use that program on the test, and she said that if I knew the material so well that I could write a program that shows the work, then I'd probably ace the test without it anyways, so I could go ahead and use it on the condition that I did not share the program with any of my friends.
That condition was fine with me. I didn't have any friends. :-(
This is a really heartwarming tale of having good intentions and assuming it of others. There was a similar situation in my high school days where someone's college path to computer science was taken away for something even less malevolent than described in this post, he ended up becoming a pretty wild startup founder and a defrauder of millions.
In the world of Music Conservatories, practice space is limited and there is a lot of competition to get a room booked. Many places use a niche scheduling product called Asimut specifically tailored to conservatories. Depending on how it is set up, for example, you could book a room 72 hours in advance on a rolling basis - this meant people were always on their phones booking rooms and then extending their booking times.
As you can guess, I wrote a simple Python script that lived on a VPS and read a schedule and list of my favourite rooms from a text file, would wait until the right time and book/extend for me with my username and password. Never told anyone except my girlfriend, who spent enough time with me to realize I was making bookings without ever looking at my phone!
I love the veiled threat to "take a legal approach" in the last email. If I ever take over the world, there will be a law where if you imply that you're investigating litigation, you have to file your case within 24 hours or the ability expires.
That would be a really, really annoying world, because people wouldn't threaten litigation, they would actually just start suing immediately. If you have only two choices: to not do anything and put yourself at risk, or start the expensive and time-consuming litigation process, the latter will be the "smart" move more often than not. Products and services would become more expensive, there would be fewer free things, there would be more weasel words and fucked up clauses in ToS, etc. Let's not go down that path.
Hahaha true, and that's really not even a terrible idea to give 24 hours.
We definitely ended things on a good note with Hegarty & Educake. They were really friendly to us and also super helpful to be honest, good team over there.
That's good to hear. Maybe it wasn't a veiled threat, but rather an attempt to be nice. ("A lot of companies would sue you right now, but we would never do that," could be an alternate reading.)
100% veiled threat. Even the "a lot of companies.." interpretation is just a reminder of their power should you not want to hop on that call.
He explicitly avoided saying he wouldn't do it. He said he preferred not to, because he was making a threat to harm the person who exposed his incompetence and caused no harm.
I think this was an "educational experience" in the truest sense. Hegarty showed the spirit of a true educator. This is a situation that can end up with legal action -- but there is a much better path for both sides! Young people may not know the ramifications of their actions, and it is much better to show the range of outcomes and work together for a mutually beneficial solution.
There is a much weaker disadvantage for a party threatening litigation, which is that the recipient of the threat could choose to sue for declaratory judgment.
I was a supply teacher. A kid did something similar in early 2010s and he was doing online homeworks for his classmates for about $1 per month. He had about a hundred clients at the peak and he was never caught.
Overall, those who cheat are lazy by nature, and therefore easy to catch.
I teach art and design. Now is grading season and it is maddeningly easy to catch students who plagiarize. Like shooting fish in a barrel.
The contract cheating is another thing. At one of my previous places of employment, companies contacted students directly on their university mail and approached them offering 'educational services'. Some of them even knew what courses the students were taking.
And professors complain about not being able to get data to check on enrollment trends for their departments!
Pursuing a programming degree required me to obtain two credit hours of a foreign language. Gotta suck as much cash from the student body as possible I guess.
I took Spanish classes online. One of the common exercises tested your "ear": An audio recording of one or more people talking in Spanish would play, which the student was expected to transcribe. Not translate, just transcribe.
Funny thing- for accessibility purposes, they had to provide a text transcript of the exercise.
Heh, I started coding (in Python) when I was about 15. One of my nerdy interests that motivated it was "historical" crypto (Vigenère, etc). But another one of the first things I wrote was a script that would factor quadratic equations for me, in order to do my math homework for me. I really hated that kind of repetitive homework, where every night for weeks on end we'd have 25 equations to factor or whatever, even when I had already "gotten it".
It was pretty dumb, using the exact "algorithms" we were taught to do it by hand. It would even "show the work" so I could transcribe it. In the end, it probably took as much time to input the homework into the program, and then transcribe all the answers, making sure to fake it so it looked like I did the work, as just doing the homework. Not to mention actually writing the program, but that part was really fun. I remember turning on a small night light when I was supposed to be past bed time so I could scribble down algorithms or solutions to bugs on a piece of paper so I could implement them the next day.
If I had been a bit smarter, I might have realized that I could have used a CAS that already existed. Not sure if there were many open-source ones (that could run on Windows) back then (2003-2004) though, just looked and SymPy was released in 2007.
This reminds me of back at university we had to use a platform called "Wiley Plus" for weekly physics homework.
To prevent copying, while the equations needed remained the same, the numbers (inputs to what you had to work out) varied across user sessions.
One lad in the course wrote a website that he updated weekly that mimicked the UI/UX, you would plug in the values WP gave you and it would emit an answer.
The following year I took over maintaining it, and ended up in a spot of bother with the administration.
There was also another homework website that some lecturers made us use, which did all the shit client side in JS. You could just inspect element and get the answer.
I honestly still don't get the point of those additional homeworks, on top of assignment and lab report workloads at university. They seemed to only exist to loosely tick a box regarding "continuous assessment".
Relatedly, they also implemented 5% credit for attendance by proxy by making us rent these radio "clickers" from the university, each with a unique ID tied to a student.
During lectures, there would be multiple choice questions asked, where the answer was irrelevant - it was a means of counting attendance.
Naturally by the second month people were delegating their clicker to someone else if they needed to skip a class.
A couple of years later, smartphone apps replaced the clickers, and SDR became affordable, granting the university a near-miss from any radio shenanigans.
It's a different era now, but back in my day Altavista had just launched Babelfish and a few of us began using it for our French homework. My friend got "caught" due to the "peculiar" nature of his work, and while they couldn't figure out what was happening, we were all warned quite sternly to stop doing whatever it was we were doing. Lesson learnt: only use Altavista to read French ;-)
I have a similar story -- our Swedish language teacher congratulated a classmate on his excellent Norwegian essay. I have no recollection any longer what and how actually caused his mixup, but he would've definitely been caught in any case as the output was far above his skill level.
Reminds me of the times when at my school (2010) there was WLAN but only the teachers had the password. I was nagged by my schoolmates as the most proficient computer nerd and my IT teacher said that if I cracked the wifi password, I would get an A+ from IT classes for all three years.
Backtrack 4, Atom N270, some deauthenticated Windows XP and 13 hour long dictionary attack did NOT do the trick. But what I learned is mine.
Sounds like you might have wanted to try social engineering on the teachers instead? Humans are always the weakest link
Offtopic, but the font in that site drives me up the wall: fixed width with that skinny cursive "f" is like nails on chalkboard.
I actually love it! Anyone know what it is?
DM Mono: https://fonts.google.com/specimen/DM+Mono
I think you passed the take home interview and phone screen for this company.
Using programming to avoid homework has a long and storied history.
One of my very first programs I wrote was a QBASIC program to sort my spelling words in 2nd grade in 1991. I loved the idea of beating the system more than I actually disliked sorting my spelling words. I was quite proud of myself, and it seems to have worked out in the long run.
I had a similar-ish experience between 2005-2010 but not as complex. Teachers could control what programs appeared in the start menu of computers in the class as well as see what is on their screen etc. Don't remember the name of the software.
Was incredibly easy to exploit by invoking Windows Explorer via a Word toolbar of all things. This meant I could browse the start menu shortcuts of every classroom in the school and open whatever application I wanted even if it was disabled by the teacher.
A relative worked in IT at another school using the same software. I showed it to them and they mentioned it to the company who were installing it in their school. The company refused to believe I could exploit it so easily and even said they would buy me an Xbox if it was true. Of course, it was true and when shown proof they went silent and I never got an Xbox.
"Crucially, our teachers could see how many times we've watched the video..."
This sounds like it's normalizing invasive surveillance. Getting kids used to the notion that their teachers should be able to monitor their online educational activities... and then, if governments and corporations are tracking all your internet activity, email communications, phone location data - it's just the way things are done! Now have a social credit score, it's like a grade in life...
That said, I wonder if there's a similar approach, some scripts users could run to artificially boost their social credit score (in China, for example). Just something that would run in the background - it could send pithy positive tweets, visit all the government-approved websites, etc. - all with no need for the user to be involved.
Canvas, which I think is pretty standard, has views, last access, and total access time for all pages. I don't think there's a way to choose not to track, and I've not seen a policy for what happens to the data.
Our school also has mandatory online trainings every year or two, with videos in a pop-up with most controls disabled. "document.querySelector('video').playbackRate = 1000;" used to save a lot of time, but with cross-site protections it's easier to use a plugin, which is much slower to adjust.
This was so fantastic to read. You are both clearly operating well beyond the expectations our society sets for ~16 year olds. At some point, please could you write about your journeys, what the enablers and barriers were, and what advice you would give to teenagers who want to achieve similar capabilities? I regularly feel like I could have done so much more in my teenage years, but I was never sure of how I needed to shape my environment to push my potential to the max. I hope as a civilisation we can get over this ageist idea that teenagers are 'just kids' who 'don't understand the real world' and we can start to enable all people to pursue their curiosity and ambitions from an early age!
In the early 80's on a TRS-80 Model III, I was in whatever grade you learn to alphabetize words, and I wrote a Basic program to handle the alphabetization. I input the 20 or so words, it output them in order, and then I transcribed that to my homework assignment. My mom said it was cheating and I couldn't use it, and my dad said that if I could write a program to do it then I illustrated that I could alphabetize word lists and it wasn't cheating.
I have a suspicion that I probably found the code in one of my dads computer magazines, so it probably was cheating since I doubt I actually wrote the program from scratch. Maybe partial credit for being resourceful. :)
I also wrote something similar for my university quizzes using Tampermonkey. I noticed that some of the questions from non-graded quizzes would later appear on graded quizzes. There weren't any IDs that I could use and the wording of the questions would usually change a bit. When taking any quiz, it would search the questions on the page against the database. It would scrape the questions, do some cleaning like removing stopwords and symbols, and then do a fuzzy string search against the database. It would give a score to each match and display the top 5 best matches. Worked quite well. I would then spend the rest of the time answering the questions that it could not match.
Really cool. I was also using an exploit with my GCSE Hegarty maths homework and doddle science. I think the 1st "exploit" was pre-GCSE: the answers were stored on the client side and I just inspected the code. This got patched after. The next exploit was during my GCSEs: the answers were stored on the server, so I made a GitHub repo that used a browser extension which would let you inject JS. I think it was some kind of brute force attack with their SQL DB.
Anyway I received my GCSE results in August, I was surprised how well I did considering I did no revision, but I should've actually used hegarty maths instead of exploiting it :D
Wow that's amazing! The best part is that you managed to get their entire database, that must have taken a lot of work. How did that burner account thing work?
My favorite experience with "hacking" in school involves wifi. My school had free wifi, but you had to log in with your student password. Well, the login step involved a GET request in which the password was sent in plain text as a URL parameter... so if you had your friend's laptop, it was a simple matter of looking at his browser history to see his password!
Never did anything with it, but always wondered what someone seriously motivated could have done with it
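The leak described in the comment above (a Wi-Fi portal password sent as a GET URL parameter, so it ends up wherever URLs are stored: browser history, proxy logs, server access logs) can be audited for from the defender's side. This is an added example, not part of the thread; the log lines, paths and parameter names are constructed, and the list of sensitive parameter names is an assumption.

```python
"""Audit web access logs for credentials sent in GET query strings.

Added illustration: log lines, paths and parameter names are constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as secrets (assumed list; extend for your portal).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log (not from any real system).
SAMPLE_LOG = [
    '10.0.0.12 - - [03/Sep/2012:08:14:02 +0000] '
    '"GET /portal/login?user=jdoe&password=Tr0ub4dor%263 HTTP/1.1" 302 0',
    '10.0.0.15 - - [03/Sep/2012:08:14:09 +0000] '
    '"POST /portal/login HTTP/1.1" 302 0',
    '10.0.0.15 - - [03/Sep/2012:08:15:30 +0000] '
    '"GET /search?q=password+reset HTTP/1.1" 200 5120',
    '10.0.0.31 - - [03/Sep/2012:08:16:44 +0000] '
    '"GET /portal/login?User=asmith&PWD=letmein HTTP/1.1" 302 0',
    '10.0.0.40 - - [03/Sep/2012:08:17:01 +0000] '
    '"GET /portal/login?user=blee&password= HTTP/1.1" 401 0',
]


def sensitive_params(target):
    """Return names of query parameters that carry a non-empty secret.

    Matching is on the parameter *name* (case-insensitive), so a search
    for the word "password" is not a finding, and blank values are ignored.
    """
    query = urlsplit(target).query
    return [
        key
        for key, value in parse_qsl(query, keep_blank_values=True)
        if key.lower() in SENSITIVE_KEYS and value
    ]


def redact_target(target):
    """Rebuild the request target with secret values replaced."""
    parts = urlsplit(target)
    pairs = [
        (key, "REDACTED" if key.lower() in SENSITIVE_KEYS and value else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def audit(lines):
    """Return one finding per log line whose URL exposes a credential."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        names = sensitive_params(target)
        if names:
            findings.append({
                "line": number,
                "method": match.group("method"),
                "params": names,
                # Safe to forward to a ticket or SIEM: the secret is gone.
                "redacted": line.replace(target, redact_target(target), 1),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding["line"], finding["params"], finding["redacted"])
```

The fix on the portal side is to submit the login form with POST over TLS, which keeps the password out of the URL entirely; a scan like this confirms that no client still uses the old GET path.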
Burner account was really just a friend of ours, it wasn't something you could just sign up for and join a class. The teacher had to create your user account for you and give you a login, and assign you to a class.
He ended up getting his account reset a lot of times, but it was funny having him answer the entire dataset of questions in literally about 1m30s...
School security always seems to be a funny weak point, it seems common that a school's budget never seems to reach the IT department... and yet everybody is shocked when a vuln is discovered like that :p
Maybe I had a different takeaway from everybody else here about this story. It's hard to focus on anything other than the ending interaction.
To me it sounds like the CEO just started panicking and sent you an email so he wouldn't have to do anything relating to fixing or explaining the problem in sales for all his customers or paying you for your work / to fix it. He probably didn't even want to pay for a lawyer, rather than how he played off being nice.
It sounds like he just got away without having to do anything because he threatened you and sold you a cop-out story "But what about the kids?"
That CEO definitely read "How to Make Friends and Influence People" lol
But then again everybody benefited from that approach? If he had really wanted he could probably have gotten them in trouble with the university for cheating.
I can absolutely see how you think that, but I didn't get that impression. There was certainly the thinly-veiled legal threat -- or at least, the implication that it could go that direction if they completely ignored him -- but it sounds like they did take these kids' suggestions on how to harden their system a bit to heart and implement at least some of them. That time isn't free.
That's a very cynical take.
I worked at Sun Microsystems in the late 90s/early 2000s and at the World Trade Center offices, pretty much everyone had to hot desk.
I was in a group that, unlike our "pure" sales brothers & sisters, spent a lot of time in the office. The whole hot desk was a big PITA because we had to reserve our desks and we could only reserve, I think, 1 week in advance.
But, one of my colleagues figured out that the back-end of the reservation system had an RMI interface and it didn't do any validation of the reservation requests. So he wrote a CLI utility that let us reserve the same offices week after week.
We would've gotten away with it except that the head of sales realized one Monday morning that we always seemed to be sitting in the same place. I guess she made some enquiries because not long after that, we were all called into her office and made to promise that we wouldn't hack the reservation system anymore.
As the bard so famously wrote, "Pride goeth before a fall." :)
Homework should not exist in the first place. If any education system is sending children back to their homes with assignments, then it means that system is failing in the classroom already. For that, it is overflowing that responsibility to children's private lives.
What difference does this have from having employees take work back home and work in their private time...
University was my playground for this sort of thing (because my high school was all paper). One subject used an Online Platform called Wiley which stored the answer in the page, a weekend writing up the script to solve it, fake a realistic completed percentage and take a realistic amount of time to solve. I used a Greasemonkey script, just like this post as well!
Countless subjects also distributed questions and answers from Textbooks in a PDF format. One OCR run later and a script to clean text I had a database of questions and answers I could share with my friends to practice for the exam (which helpfully used the exact same questions). https://www.rytek.me/archive/projects/epmquiz-webapp/
I never did flex my cheating like you did haha for fear of the repercussions.
Very interesting, and love the way Colin Hegarty took it, it's probably never worth dragging kids to court etc.
In fact, listening to them, communicating with them, and praising them for their efforts probably leads to _better_ outcomes than anything else, as it reinforces white hat behaviour.
Still in Uni, I remember the first day, when I got the class wifi credentials, I found out one app I use was blocked. A basic messenger app. Why am I trying to be spooky, it's WhatsApp. Other sites like Instagram, Twitter, Snapchat etc were also blocked. I used none of the other blocked sites. I still remember that as soon as I realised it, I installed Orbot to tunnel my WhatsApp traffic through Tor. It worked as expected. I don't have many people texting me, but when someone does it's usually urgent and not anything spam. So people noticed it and held me as some tech genius who defeated the system, little did they know I just dug the ground and made a tunnel. They still are distracted, sometimes, but it's fine. At least for me.
Not exactly the same, but in the late 80s I've written some Amiga Basic (or was it AMOS?) programs to do all the variations of my algebra homework. Maybe that's why I suck at maths today...
Probably AMOS, unless you were using an A1000 running OS 1.x. I don't think Amiga Basic worked on anything else.
It was Amiga 500, and it was either 1988 or 89. Amiga Basic most definitely worked on the A500 (although it's equal chance I used it or Amos).
It might have worked on a 500, but it definitely didn't work on OS 2 or newer.
I'm not sure how this relates to what I said but no worries. All good.
When I was in high school I got a second hand TI86 and started writing code for it… for one of the math-heavy subjects I effectively stopped studying and started writing code instead, on the calculator.
Whenever the teachers would do exercises on the whiteboard I would just do testing of my software, verifying its correctness.
Calculators were allowed, and the teacher kinda encouraged us to get familiar with our calculators (the subject was calculations-heavy) so I didn’t get caught.
Fun times, sometimes I miss TI-basic.
This reminds me of when I was in college, they used this platform that randomly gave out questions, and the same platform was used for quizzes. It was one of my first practical programming experiences to scrape all the questions and save them as a text file. Later on, these files were passed around the entire class etc. It is just astonishing to see how these things spread.
Because this all happens on the front end and the backend accepts the requests - I'm curious if this is exempt from the legal definition of "hacking" aka "accessing a remote system with ill intent" or however it's defined.
Although I guess that applies to sql injection as well so in theory there was really potential legal trouble here?
Awesome work and awesome CEO. I think you guys both learned from each other, which is a great zero sum game.
These online learning platforms should also consider drawing on canvas e.g. flutter to make it harder to scrape screen contents
I think they could also just check the isTrusted field in the Event since that can't be overwritten without a custom compiled browser
That's a total no-go unfortunately since WCAG-AA accessibility is a non-optional requirement in edtech.
The solution in general is in improving the quality of the content, using a more sophisticated format of questions that requires work rather than mere knowledge (which is also far better for formative assessment, but most platforms are focused on summative, particularly in the US)... independent multi-choice is always easily gameable in some way - if there is no better format of question available, the best that can be done for multi-choice is to have a massive pool from which you randomly draw a different subset of questions for each student, and limit the number of attempts to make it impossible to fully scrape... even then, a smart group of students may pool and share their feedback as they progress.
The tricky thing is that you want to encourage such behaviour, helping each other learn, and although in some people's eyes this is purely cheating, it's not dissimilar in spirit.
Bad multiple choice sets reminded me of a history class my friend took in summer school. All the questions were multiple choice, and the teacher was extremely lazy and decided that the answer bank for every question would just be randomly drawn from the population of all answers. The end result is that most of the questions end up like:
What year was the Declaration of Independence signed?
a) Martin Luther King Jr.
b) The Spanish-American War
d) The New Deal
Needless to say everyone aced the test.
Aside from being easy to cheat on, multiple choice tests are bad measures of knowledge/ability.
I'm good at them. I can often infer the desired answer from the phrasing of the question and answer without actually knowing enough about the topic to answer correctly in a free response format. I can almost always eliminate a wrong answer or two that way even if I can't necessarily pick the winner, improving my odds.
Some people are bad at them, especially when the test demands the "best" of several defensible options.
In either case, the test results in an unfair and inaccurate estimate of the evaluatee's performance.
It's always a game of cat and mouse... if a human can use a website then it's theoretically possible that a robot can too. I used to do a lot of sneaker botting a few years prior, so I kind of learned a lot about web automation then. Developers will always find a way, even if it means spending more time writing the software than it would have just doing the homework.
Don't forget checking for the evil bit too!
Why would you need to fake whether you watched a video? Just let it play while you do something else. If it still bothers you how long it takes, put it on 2x speed.
It was part of the homework, we had to watch a video and write down notes in a physical notebook. The notebook was never checked because they assumed that a video watched >=1x meant that we understood the task. The videos took a while to watch so we'd rather skip.
Half serious here. If they’re so smart why didn’t they know about screenshots? I mean part of their proof was a photograph of a screen, which seems odd to me.
We never really thought about documenting progress, so the photo of the email was taken from a phone camera of a teacher's computer (they had sent the email). We managed to find it while I was writing the article earlier on in the year, in a "deleted pictures" folder. I thought it would be cool to add it on. It's purely because the project spanned such a long time and nothing was really written down or saved.
Ah, relief! Thanks
That ended much better than expected. Good on Hegarty to recognize and reach out to these kids instead of punishing them.
Hilarious. This kid's got a future.
I wish I was this skilled and focused on a project when I was in high school
I hope they did their homework even after breaking the platform.
tbh i had online math homework years ago now like back in 5th grade. my solution was a whole lot jankier but i spent more time writing a script to store and use answers (unlimited quiz retakes go brrrr) than it would have taken me to just do the quizzes and was still happy. i ended up with this unholy thing that used a flat text file like a very ghetto database bc i didn't know shit about coding... eventually got to this thing that stored question text alphabetized line-by-line and binary-searched through so that was at least less terrible.
anyway i spent probably 10x as long on this and was happier because grinding repetitive math problems is fucking boring. so if he didn't do his math homework honestly who cares.
> flat text file like a very ghetto database
My second site was a blog in about 1998. I had never heard of a blog, but whatever. I built a user system, "karma" system, ability to spend karma (anyone with enough karma could post on my front page), an interactive choose-your-own-adventure story where you got to help write it, and some other features I'm forgetting.
Anyway, I built all that with flat files at first, because I hadn't heard the word "database" yet--even though I wrote this in PHP. As soon as I heard about databases, I converted it in a couple days.
Interesting response from Mr Hegarty. I wonder if they would have gotten the same treatment by a US company?
I did a similar thing as a university student and received a similar very nice response from a (huge) US company.
I got good advice and a cool story out of it.
There are nice people everywhere.