How I got suspended

Note before we start

This was back in my 9th grade year, specifically the day after coming back from spring break. The school wasn’t particularly mad at me; rather, they were happy I had figured this out.

Background

Let’s start off basic before we get to the logical thinking part. In Spanish class, my friend - who is extremely interested in cyber security - accidentally typed his password exactly as student!. As he was interested in cybersecurity, I knew 100% sure that he did not choose this password. That got me thinking: why would his password be like that? I had a theory: maybe he didn’t choose his password.

Thinking portion

This is where I started thinking:

What could have caused his password to be student!? First, maybe the school had set his password directly to that - which might be independent for each student. Maybe it was a default password that applied to multiple people. Yeah, that’s probably it. Now, that’s interesting. Perhaps the flag Reset password wasn’t set for a specific group of people. Wait, no, maybe it was just him. No, wait - it definitely wasn’t just him, because why would he need a password reset? Okay, great, now my assumption is that the flag wasn’t set when his account was created. Interuption by him: “Dude, that’s the password I got when I created the account”. Thought Process: Ok, that confirms it. Let me assume that it was explicitly for people who joined the school district in 2023-2024. Probably that; I’ll test it later.

This is what my brain was basically thinking.

After school that day, at the start of spring break

When I got home, I instantly downloaded Proton VPN and booted up a Linux VM to test my theory. First, I confirmed by logging into his account - logged in successfully. Then, I opened Google Classroom to find other people who match the criteria and their emails. I found around 20 people at risk of the issue. I had around six of their email addresses. I logged into each individual account, sent an email about the issue affecting them, and then logged off. The problem I realized then is that people often save passwords under Google Password Manager, which since 2023 has synced to all devices - which means that having a saved password in StudentVUE can be devastating for someone. I didn’t look at these details as privacy is what’s key, and what I actively fight for. After signing into all of their accounts, I made an anonymous tip to report the issue, leaving all the details. However, there was something I hadn’t told you yet: during this process, ProtonVPN turned off randomly, which revealed my IP address to the school - instantly indicating to them who had logged in and since I’d logged in many times using my personal school email, they tracked me down quickly. Within a day, all accounts that were affected were locked, making it impossible to log in, including mine. I knew they found me, so what came next was very expected.

Day of spring break ending

Going to school the next day, I knew my fate. I don’t know why I even brought my school ID with me; I knew this already. Going into my first period - which at the time was yearbook - when the student came in with a student pass, I knew it was mine. I went to the office with my stuff and was brought into the principal’s office. She asked, “Do you happen to know EternalHyperion?” (My alias, just in case they wanted to contact me). I said yes, I am EternalHyperion, and I already know why I’m here. She then asked how I figured all of this out and my execution, and I complied fully - as my only goal was to help the school and give them a wake-up call. I offered to send VM data with the stored cookies; they declined that offer, which is reasonable. I was suspended right there for three days, but she said because your intentions were good, we will give you a lower suspension. But something else she said: this happened before, but a whole lot worse. The previous attempt had apparently involved someone with similar actions, but his intentions are not good - rather, very evil. His goal was extortion. Luckily, they caught him and expelled him. After that, she said next time that I or anyone find a potential exploit, report the exploit and do not test it, which is the takeaway here. You can use anonymous tips or a straight email directly to her.

The Aftermath

After my suspension was over, my email was unblocked. In reality, it helped me more than hurt me. Wait, what? Let me elaborate. I was given three days - that was more than enough time to finish my custom-built printer, as well as help the school fix an issue and a second one which will not be specified here, as I am 80% sure it still exists and is very dangerous for students’ data. Now, that’s why I got suspended.

AI Data

This data was assisted to be presentable by AI, specifically, ollama3.1:8b, which is self hosted. Sure, an 8b model does have low resources and will make mistakes. These mistakes were checked before adding to the website. The PC used has an i7-13th gen intel core processor with an 4060 Nvidia GPU. This AI had zero access to the internet and only summarized what was provided to the model. Specific usage of the AI was to correct gramatical errors and spelling errors