Minneapolis students use “Rickroll” prank to highlight district computer security flaws

Two Minneapolis Public Schools students used an email prank Friday to draw attention to what they say are more security flaws in the district's computer systems.

The teens, who described themselves as members of Washburn High School’s class of 2025, sent a mass email from a district account to staff and students.

Couched as a Rickroll joke, in which a prankster tricks their target into listening to Rick Astley’s “Never Gonna Give You Up,” the email linked to a detailed report the teens wrote about the problems they found, including easily accessible student photos and usernames.

Ian Coldwater, a Minneapolis-based professional hacker who helps their clients find vulnerabilities in computer systems, said in a phone interview Friday that the students uncovered serious security flaws.

“There are things that are accessible from within the network that shouldn't be,” Coldwater said. “There should be extra layers of having to be authorized to see some of this stuff, even if you are connected to the school network.”

The teens wrote in their report that a March ransomware attack targeting the district inspired them to investigate other potential information technology problems.

Coldwater, who reviewed the report for MPR News, said that the students included suggested fixes and were careful not to publish private data.

“Their work is solid,” Coldwater said. “I hope that people see their talent, see their desire and commitment to act ethically and help them cultivate it, channel it in good directions, hire them to help fix this rather than punishing them.”

The teens wrote that they were not able to access their fellow students’ grades, but that potential security flaws with Chromebook laptops could enable “academic cheating and dishonesty” when the computers are used for standardized testing.

In an email to MPR News Friday afternoon, district spokesperson Crystina Lugo-Beach downplayed this latest incident.

“This was NOT a hack, but an internal email sent out by a group of students using MPS student mailing systems,” Lugo-Beach wrote. “The mailing list feature used to send this email is a standard Google feature, like a building paging system, and operates under the premise that it will only be used appropriately. Clearly the students used it for another purpose.”

But Coldwater said that the students were able to access far more than the mailing system.

“They found network passwords by sniffing the network, they found various issues relating to enrolled Chromebooks, they found directories, they described how they got into the email system, and they also talk about different kinds of security issues that they found.”

Collected from Minnesota Public Radio News.
