Skip to content(if available)orjump to list(if available)

Avoiding homework with code and getting caught

jbman223

Reminds me of a passion project I started in high school that went completely viral and took on a life of its own. Wrote a small script for my friends to check their AP scores a few days early. Required high schoolers giving clear text access to their entire CollegeBoard account so I could log on and scrape their scores. Somehow it got posted to Reddit and from that year on, grew wildly. Got to almost 2 million students checking their score in its peak year. It was immensely fun while it lasted (ran for about 7 years) and honestly I miss the thrill of it. CollegeBoard now releases all scores on the same day so the site is pretty much useless now. Definitely always looking to chase the thrill of that score release day again though.

Congrats on a successful end to a fun high school project! Stories like this are always fun to read.

arjvik

You ran EarlyScores? Thanks for a tool that really helped my friends and I!

jbman223

You’re welcome - Glad it helped!

np_tedious

Can you elaborate on the approach? This sounds really interesting but I don't quite understand from reading your comment and https://earlyscores.com/about/

I think I remember paying some small amount of money (flat fee irrespective of # of years, IIRC) to get my scores quicker via a phone call in 2003,2004,2005. Perhaps I would've been better served by your EarlyScores.

jbman223

The approach was fairly simple: access to the college board’s website was geo-IP restricted for about 5 days time. It would start with a small collection of states, and each day over the five days another group of states would get access to the site starting at ~8:00am EST. I would get a few AWS/GCP/DigitalOcean nodes in a DC that had an IP in a state releasing on the first day. Put a small JS script on the nodes that would use the username and password input from students to sign in to their Account and send back the scores. Basically just a proxy without the need for configuration.

unsafecast

Probably wouldn't have helped.

> In 2014, with my first AP courses under my belt, I anxiously anticipated the release of my AP scores. What I realized at that time was that scores were rolled out by the College Board over a week’s time, and my AP scores would be accessible on one of the later dates. The need to see my scores on the first available date spurred me to create EarlyScores.com.

vertis

I remember that kind of thrill. For a while I ran a tool for Etsy before they had an API, circa 2007. What they did have was AMFPHP, powering their flash toys (treasury, etc). I used it to allow sellers to see their sales stats.

Even went to the Etsy office in Brooklyn at one point and had a chat about it. I think some of the team was a bit bemused that I'd essentially extracted a large amount of data. But they took forever to get to the point of having an actual API (and I was one of the early users of this as well).

Eventually it became unsustainable and I shut it down, but it sure was fun having people be passionate about using it and sharing it.

mcv

Epic stuff, and I think this experience may well be more valuable than the homework you avoided. Basically you did harder homework in order to avoid easier homework.

The problem is letting other people use it; of course it's nice to help people, and it's altruistic to do so for free, but some of those people might actually need this homework to learn, and you may have deprived them of that. (Although I also think watching a video and doing some multiple choice questions is the laziest low-effort homework assignment there is, and the damage may not have been all that big.) But you used logic and programming to work around a math problem, which are roughly in the same field, so I think that's fair.

A slightly similar situation: my previous job was at a bank, and banks over here are bound by all sorts of ethics and rules, and are required to regularly train all their employees in balancing the interests of customers, society, and the bank. This bank did that by gamifying it: we had an app where we had to answer all sorts of ethical questions and make sure our score in the app was over 70% at the end of every month.

A coworker used our testing framework to access the app, answer questions randomly like you did, and store the correct answer to use next time. It apparently worked very well, but using tech to avoid ethics questions is quite a different issue than yours. (He shared it with me when he left, and I tried it, but it didn't work for me.)

dinedal

> The problem is letting other people use it; of course it's nice to help people, and it's altruistic to do so for free, but some of those people might actually need this homework to learn, and you may have deprived them of that.

This, when the scope is limited to yourself, it's very different from when it impacts others.

Back when AOL Instant Messenger (AIM) was super popular, I was in university and had read about ARP poisoning. Our school was pretty cheap, so all the dorms had hubs instead of switches. This meant that it would be, theoretically, possible to ARP poison an entire dorm, MITM attack and read all the text being sent on AIM since it was sent in the clear. I had a bit of a cyber security passion lab in my dorm room, so I wrote a PoC and ran it on a LAN air-gapped from the rest of the network. I proved that it should work for myself, having confirmed that similar cleartext messages would get passed to the machine intending to listen in between two other machines.

I told my classmate of my project and he expressed interest, so I gave him a copy. Fortunately, I didn't add any authorship info, mostly because I forgot to. I did caution him that ARP poisoning is a pretty "noisy" attack, and someone who was paying attention would notice it. He foolish ran it on the university network, and confirmed he was able to see AIM messages flying back and forth for all the dorm, as well as all the other traffic. It didn't take long for our school's IT to notice that one dorm was funneling all traffic through one machine. A week later he was banned from having a computer in his dorm room for a school year. Thankfully he never gave me up, admitting it was his stupidity that brought it on himself, but nevertheless it was a lesson learned - if you're going to play in the grey space between ethical and not, do so responsibility and don't share the exploits with others.

nibbleshifter

> you're going to play in the grey space between ethical and not, do so responsibility and don't share the exploits with others

Aka "don't get caught".

One of the times I got in bother at the first university I attended was because I kept logging into their production servers as the root user every morning.

Their admins had left a few glaring holes open that I'd patched (and evicted some fellow travellers), but I kept their SSH keys to explore a bit.

One morning one of them happened to peruse the SSH logs, and spotted a pattern where someone on the student network was logging in every morning.

Didn't take them long to work out something was deeply fucked, and they cut my network access before pulling up the contact info they had on file for me and summoning me to their office for a bollocking.

Luckily for me they figured it would be better for their job security if they kept it purely informal as opposed to notifying the university proper and having me face a disciplinary committee.

They never rotated those ssh keys, and I learned the "don't get caught" lesson as opposed to the "don't do this" lesson.

pards

KPMG got fined $US450k for this kind of behaviour [0]. If I recall correctly, employees kept the answers to the mandatory compliance training tests in a document on a shared drive.

[0]: https://www.theguardian.com/australia-news/2021/sep/15/us-wa...

mcv

Well, then I guess it's good that I didn't share it with anyone else.

rcfox

When I was in university, I scraped an internal job postings site for students to find internships. The site was terrible- each job description would load in a pop-up window controlled by Javascript, and loading a second description would override the first. It was also really slow and had limited filtering. My version could load job descriptions in new tabs, presented the table on a single page, and you could mark jobs that you weren't interested in or had already applied to.

The university didn't take kindly to that. They accused me of trying to take down the co-op system and threatened to sue me for copyright infringement. Since I linked into their system for job descriptions, I was able to show that the data I actually had (company, title, location) wasn't creative work and therefore not copyrightable. I also had some friends in the university faculty and staff who spoke up for me, since I had reported security vulnerabilities in the past, indicating that I wasn't acting with malicious intent. In the end, I just had to take a business ethics course, which I probably would have taken anyway.

rjmunro

So you made a tool to make life easier for you and your fellow students, and rather than congratulating you they threatened to sue?

lupire

Yes, that's how institutions operate. Seeing Like a State is the classic text on the subject.

polio

Sounds like WaterlooWorks.

karlding

To me, it sounds more like the old system that WaterlooWorks replaced (JobMine). JobMine was just Oracle/PeopleSoft's PeopleTools under the hood.

Some of my friends who graduated earlier told stories about how JobMine at one point accepted resumes in HTML. Of course, this also meant that it was vulnerable to XSS attacks. The eventual fix was just to only allow PDF resumes.

polio

Yeah, you're right. I was blanking on the name of the predecessor.

rcfox

Haha, it was JobMine!

edgyquant

I did “information security” at a community college and learned I could find sites just by googling answers. These sites were behind a paywall after the first few answers but if you viewed the source you see them.

So I wrote a python/selenium script to search google and dump all of these answers for my weekly homework. Then I’d bang out all of my classes in a few minutes.

I knew just enough about networks, security and building computers from my childhood I never got worse than a C on a test.

mlex

JobMine Plus?

rcfox

It looks like JobMine Plus is a project that started after I graduated. From what I gather, the university cancelled their own JobMine replacement project around that time and finally relented in letting students take a shot at improving things.

cercatrova

Awesome story, and good response by Hegarty. It reminds me of something similar (but with an opposite response), where an intern who worked at Replit built a basic repl site (not even a clone) but was threatened by the CEO that he'd be sued.

https://news.ycombinator.com/item?id=27424195

user3939382

I always remember that story and is the reason I’ve boycotted replit. This dude let the smallest amount of success go to his head and immediately started acting like a tyrant.

club_tropical

The threat of suing very much loomed in the background if they did not cooperate. Hegarty is just more slick, buttering them up with (well deserved) praises and attention from grownups to get voluntary cooperation.

aabbccsmith

I didn't really get that vibe, especially when we called Colin. He was super friendly. But then again, we didn't want to test it and we complied immediately =)

imdsm

Diplomacy often comes across as friendliness. I've been in situations where I've not acquiesced and seen how quickly things can change. As they say, don't take friendliness for weakness. Wonderfully managed by all parties though.

puyoxyz

Wow what a dick. Yeah they backed off after the backlash but that shouldn’t have happened in the first place.

I’ll use Codespaces next time

mynegation

Everyone has to start somewhere. These young lads “worked around” couple of educational platforms. 35 years ago I was hex dumping ZX Spectrum game saves and disassembling the program files to get more lives, infinite lives or just more ammo or whatever. That seemed easier and more interesting than getting good at games themselves.

I sometimes wonder if that kind of “not approved” intellectual curiosity can be used to augment education. Sort of like having old school alarm clocks that are designed to be disassembled.

Vivtek

I did the same thing with Bolo on an Apple ][e - I never got very good at the game but I dumped the assembler code for the whole thing onto greenbar paper and marked it up with highlighters. Then gave myself infinite lives, made the maze walls penetrable, made myself invisible to the robots - all kinds of stuff.

The penetrable walls were the best, because if you drove your tank off the map, the graphics renderer would just look at whatever memory happened to be specified by your impossible coordinates, display eerie shifting structures that were the working memory of your code, and pretty quickly crash the whole machine writing the tank sprite into god knows what.

That was a fun summer. I wonder if my mom still has that greenbar printout in her basement.

jorvi

When I was way way younger, I mucked about in our school's computer library and the network security (or rather, how the permissions were set up) until I figured out a way to run and share Halo and Soldier of Fortune 2 off of a networked USB stick (or maybe I just copied it to my computer and then shared it off of the HDD, the memory is pretty vague). This is back in the XP days.

It worked pretty well and we had many a play session with 10-16 kids, alt-tabs were pressed, until somehow they discovered we were playing games, and then a bit later they found some residual files that had my account as the initial creator set on them.

I got a 30 minute dressing down talk from the IT head, then again from my mentor, and then again from the 'dean' (our school system is a little different). Then I had detention after school for months.

No one ever asked me how I actually bypassed their network permissions. When I found another exploit weeks later, I never used it, but I also never told them.

aabbccsmith

That's a good point, you're definitely on to something I think. Reversing classes at a young age would be super engaging for kids as it's "not something you're supposed to do"

My mother is a teacher for ages 7-11 and I help out with her IT curricula sometimes. I think I might do some reversing with her next time I am with them!

cercatrova

Heh, I still use game trainers for games that have annoying grinds. The Assassin's Creed games come to mind. There is no way I'm spending 150 hours on grinding just to progress through a level gated region of the map.

visarga

Some people just want casual gaming and having part of the map locked off forever is depressing - in my case, Forza Horizon 5, never bothered to do the grind, just drive around aimlessly, but I want all the cars and interesting places to be open. Maybe a "casual mode" setting?

smugma

When I was 6 years old my older brother showed me how to use Copy ][ Plus/Edit (what was it called? This was 35 years ago) to edit my characters’ stats in the Bard’s Tale and other games. I’d learn to search for specific strings like a Character name and then twiddle bits to change level or whatever.

It made no sense to me until HS where I started to understand how I was editing a Data file, and more in college when I learned assembler.

spullara

I fondly remember playing Bard's Tale on one computer while using the other one to edit the character files and reverse engineering all the item codes and other statistics. Good times.

pabs3

Hex-editing save game files to cheat at Civilisation 1 was what got me into open source, where I started working on improving the hex editor I was using, frhed, which was GPL.

wst_

I've been doing something similar but in the pursuit of graphics assets. Typical ZX Spectrum game was usually one blob of bytes containing everything it needed to run. I'd load the main game block into memory and run small assembly routine displaying a fragment of code on screen in a form of a window with dynamically configurable width and height. You could "slide" the window throughout whole memory block, which was quite fast, and eventually you'd find out something resembling backgrounds, sprites, fonts. Often they were of different dimensions, hence the dynamic window size. After few tweaks you'd find the offset and the size of assets and you could replace them easily. I'll never forget the Rocky Horror Show play-through with all the characters replaced with their other, rather obscene, versions. Well, not so mature when you think about it, but quite funny it was back then. If anything I've learned quite a few tricks about fitting a lot of assets into very limited memory.

drKarl

Years ago I was working at a multinational consultancy, and then they suddenly decided to block most of the internet except for a whitelist. We quickly figured out that the whitelist worked with keywords, and since we were programming in java, java was one of the keywords, so if a url was banned, we could access it by adding ?param=java. As twenty something year old developers, we said, challenge accepted, and we built a GreaseMonkey or TamperMonkey script that when it couldn't load a page it would reload with the param added, and rewrite all the links and img tags to also add the param. Soon after that the system admin guys gave us a proxy config to bypass the whole ban, but it was fun to do it anyway.

remus

I had a very similar situation. For some reason using the python requests library didn't trigger the company filtering, so one afternoon I built a little proxy. Handy when something something random was blocked.

de6u99er

Ways back we got a prnalty when we did not do our homework which was called "Zapfen" in German language.

It's basically like this: You get a starting number, have to multiply it with 2, then it's result with 3, then this result with 4, until you multiplied it with 9. After that you had to divide it by 2, then by 3, ... and finally by 9 and end up with the same number you started with. Sometimes even higher than 9.

Since our teachers understood that there are calculators and even kids like me who knew how to write loops in Basic code, they chose the numbers big enough to result in scientific format or overflows, so that at a certain step the precise calculation could not be done any more with a calculator or computer program.

So I wrote a Basic program which did multiplications and divisions the way you would do it manually with strings. From this point on I was only limited by the amount of memory, which wasn't an issue since my Amiga 500 had 1 MB of Ram.

lynguist

But that’s weird, as 9! is just 360,000, 6 digits in decimal.

Assuming a pocket calculator has 8 digits, it would overflow only if the starting number was around 300. Was it like that?

dwringer

I believe the answer is already in the comment to which you've replied:

> they chose the numbers big enough to result in [...] overflows

youssefabdelm

Rooting for you guys. If anything this should cause some people to question the very educational structure they've set up. If people are attempting to evade homework it's because it isn't interesting to the student, which hints at a deeper problem that the school/teacher/entire school set-up and structure needs to address. They essentially need to throw out everything they've set up because they're operating it more like a police state/prison "Ooo let's CATCH the cheaters! Let's CATCH the plagiarists! That'll show them!"

Instead of saying "What are we doing that isn't capturing the students interest in these tasks? How can we connect this subject to the students most meaningful, important, and immediate concerns and goals? What concepts from this subject can we teach the student that'll help them achieve those salient goals?"

The creators of these companies seem less concerned with actual long-term meaningful learning and more concerned with playing policemen.

Educational institutions need to be way more student-driven and student-concerned, allowing the student to shape their journey, as opposed to turning out cogs for the system like military training.

Alternatives exist like behavior analysis's programmed instruction, but even that needs a radical upgrade or integration with AI.

josefresco

>If anything this should cause some people to question the very educational structure they've set up.

I played basketball growing up. Much of our practice was boring things like passing drills, dribbling drills, running, countless free throws. We all grumbled & complained - "Why can't we just scrimmage?" we'd ask. "I already know how to play the game, why do I need to work on these boring skills?"

I don't think I need to explain why this logic is flawed, and why our coach was in fact using the best methods to teach even if they were occasionally boring.

In the academic world I was very similar to these guys. I automated/cheated with tech whenever I could because I felt the grunt work was "below me" - fast forward to college and I realized how many fundamentals I had missed and struggled mightily.

faeriechangling

In chess I drilled tactics puzzles, I drilled endgames, I memorized openings, I studied the game, all things typically considered less interesting than actually playing. Yet I never felt this was very difficult because I paced myself out, I skipped it when I was bored, I did extra when I felt more encouraged, I alloted a fixed amount of time to this sort of practice. I used spaced repetition software and generally optimised for actual learning of the skill.

The big difference with sports and games vs school is that in sports and games you are optimising to win the game, and in school you're optimising to pass an arbitrary test which only exists in the context of school. It's depressing for the same reason people grinding leetcode puzzles just to get through interviews is depressing. I've had to drill many pointless things over the years to prove to some authority that I'm willing to waste tons of time if they want me to.

youssefabdelm

The dependencies still need not be taught in a boring way. For example, if teachers did surveys of students strongest interests and goals, they can think of ways to 'inject' (in a genuine way) dependencies as stepping stones to their goals. "In order to achieve goal X, you need to know how to do Y, and in order to know how to do Y, you need to know how to do Z". Let's assume Z is the boring task. Just by connecting it in a sequence to the student's goals it becomes less boring because the student instantly sees the relevance.

Contrast this with "Do this" "Why?" "Just do as I say if you want good grades"

So in practice this would be "Ben, I know your most important goal is to become like LeBron James. LeBron James has this special trick that you like called X. He has said in the past that the fastest way to achieve this is to practice Y boring technique for at least 2 hours a day"

"John, your most important goal is greater flexibility. To be as flexible as possible, you need to do this other boring exercise more frequently 3 hours a day"

If the goal is important enough, they will go through it. However, an even wiser method is to frame it this way: In your brain you have the 'you-now'/thalamic/elephant part of your brain "Give me candy now" and the 'you-in-the-future'/cortical/mouse riding elephant "I have to lose weight". These 2 are always competing, but the 'elephant' always wins. In order to solve this, one has to research what is it that 'tastes good', and develop a diet that tastes better than the junk they already eat. If you do that, you'll stick with your diet long-term. Why? Because your diet is always the best tasting thing on the menu.

The dumb approach is to say "I'm going to force myself"... you'll burn out eventually. Reference: "Immediate Rewards Predict Adherence to Long-Term Goals" https://sci-hub.hkvisa.net/10.1177/0146167216676480

In other words, the higher-level abstract representation of this is both the 'elephant' or the 'you-now' has to be as maximally satisfied (given its range of options, the 'best' one is the most fun one), and the 'mouse thats trying to direct the elephant' or the 'you-in-the-future' also gets what it wants.

Put simpler: if you don't have fun, it will never get done.

Emphasizing relevance is in the spirit of just-in-time learning. To give an example, years ago, I struggled to learn programming for a long time. I'd watch 11 hour courses, and nothing would stick. "Today, for-loops, and conditionals..." In my mind: 'who cares? How is this relevant to the thing I'm trying to do?'

It wasn't until I found a meaningful goal and exciting project that still was simple enough, and broke it down into a series of 'google-able steps' that I finally learned and remembered what a "for loop" meant.

The irrelevant rote approach is not a good method of memorization or learning. More intuitive approaches which try to build on your existing background (reducing the friction), and your existing goals (increasing attraction), are more likely to help you remember.

mmcdermott

Most people aren't going to be interested in what is taught in school. Is there a way to get such a person interested? Maybe in some cases, but not everything in life will be interesting and engaging. Sometimes hard work and diligence are simply required.

mensetmanusman

Fundamentals are almost always hard. There will always be struggle, just like working out is painful. It’s part of human nature.

Many people shy away from doing hard things and use words like boring.

There are strategies to make fundamentals more fun, but those strategies only work for a small subset of people. Other people look at those strategies and think they are boring as well.

pnt12

TFA mentions the website creator actually congratulated their achievement, advised them and worked with them to fix the cheating problems. That's spectacular and not often seen.

I think most of these platforms are created in good faith. In the internet, we can watch millions of videos, chat with strangers all over the world, listen to basically every song ever made. What if we could educate everyone? That's a noble goal.

I think we could usr a mix of both styles education: boring exercises which are nevertheless important for learning, and these could be automated, leaving room for student driven learning where a teacher can guide and evaluate a student.

jonahx

> Instead of saying "What are we doing that isn't capturing the students interest in these tasks? How can we connect this subject to the students most meaningful, important, and immediate concerns and goals? What concepts from this subject can we teach the student that'll help them achieve those salient goals?"

While this is not a bad question to ask, asking it won't avoid this kind of thing. Because it doesn't matter what the learning system is, or how good it is, many students will always do stuff like this if they can. Because it's fun. Because you get to stick it to authority.

Whether that authority is just or has your best interests at heart or is trying as hard as they can to do a good job is beside the point when you're young...

youssefabdelm

Very fair point. But perhaps if they did focus on those questions in the first place, they'd be viewed less as authority and more as friends.

jonahx

I feel like this can happen with individual teachers that you have a personal relationship with. I don't believe it's possible with a company, no matter how "pure" the company's intentions were, even if they were not for profit, etc. At best, it would a bit less likely.

hedora

I think it is telling that the first version simply skipped the mandatory 20 minute YouTube video.

Just provide a transcript! MathML and Latex exist.

madmod

In high school I was trying to make an app to scrape my grading system Skyward and ended up finding a trivial auth bypass that let me see anyones grades. Knew the school would turn me into a villain if I was discovered even though I was on student council and an honor student so I emailed the principal and got a meeting with him. For some unknown reason my poc didn't work in the meeting so during the meeting I found a second auth bypass. They paid me $75 for finding the issue and told me to try to hack the teachers side of the system next. Lots more to the story if anyones interested.

omermikhailk

I'd interested to hear more about the story! Would be cool if you wrote a blog post or something about it.

technological

Definitely interested. Would you mind if we had a call or discuss over email and I can post it as blog or podcast

aabbccsmith

Between 2018 and 2020, I wrote a website that cloned the databases of a couple online learning platforms, and used it to skip lots of homework I should have done.

I wrote this at the beginning of the year, but never released it as I was never sure if I was missing details. I realised today there is no point in keeping it hidden, so brushed it up a bit and published it.

Btw, the repo that houses the blog is open source, so feel free to fork or whatever and use it as your own

alexarena

Honestly kind of impressed that the HegartyMaths guy independently found this and then handled it without (explicitly) threatening to sue you.

robin_reala

The jump-straight-to-suing approach is to be honest a bit specific to the US. In the UK (like here) it’s more usual to deal with these sorts of things with a kind word, combined with hints of potential problems later.

aabbccsmith

They were champs! We even connected on LinkedIn with Colin afterwards and he actually offered us summer work but that fell through unfortunately.

lupire

He didn't pay you for the consulting time you have him?

yaddaor

Money is vain. They got much more out of it and the post very clearly states that.

jviotti

Congrats Alistair and Scott! This is an amazing story that made me remember my high-school days. As the authors, I was into programming from an early age, and high school definitely took the second place :) My grades ended up REALLY suffering when I got my first full-time role at a startup while I was 17 years old (parents approved) and on my last school year. Fast-forward many years and I don't regret a thing. I attended University of Oxford (despite my bad grades!) and I'm doing very well doing what I love.

Wish you both a very, very bright future!

hiett

Thank you! Alistair and I have been in startups since we were 15/16, and we've both now finished school and work full time in the startup space. My grades definitely took a down turn the last two years, but I'm happy with my decisions and am loving working in tech!

imdsm

I think it's fair to say most of us had our grades suffer. My GCSEs back in 06 were terrible, but no wonder, I spent most of my time hacking & writing code. I'm no worse off for it, and I'm sure you won't be either!

aabbccsmith

thank you for the kind words :) things are going well for us so far, so fingers crossed it stays like this! You've put a big smile on my face :)