The perpetrators should be punished by being made to give a presentation on how they automated the process, what poor security practices allowed them to pull it off, and recommendations for preventing a similar incident in the future.
Suppose I walk into the neighborhood 7-11, and steal the money from the cash drawer when the cashier glances away. I'm only caught once the tapes are reviewed and they find my license plate. Should my punishment be to give a presentation to the cashier that they should be watching everyone at all times?
Obviously the answer is no. Sometimes, catching someone breaking rules/laws after the fact is sufficient - 100% prevention of a crime before it happens shouldn't be the only way crimes are avoided.
Did the school make some poor choices with their cybersecurity? Sure. But an open/unlocked door does not give permission to steal or break the law, whether that door is digital or physical.
Are you suggesting these kids are criminals and committed a crime? Because I don't really see the connection between theft and what this article is about. It sounds like this can be turned into a learning opportunity. Learning seems appropriate for a school setting as opposed to vengeful retribution.
If, as you suggested, you commit theft, engagement with the criminal justice system seems appropriate, but maybe not if you rigged a school election.
Well, they didn't just rig the election. They did it by accessing their (apparently google backed) email accounts. If that happened outside of a school setting, there'd be no question that the person violated the law. So, yeah, they did commit a crime. Maybe it shouldn't be prosecuted, but it's still a crime.
Plus they were dumb as posts to think it wouldn't be noticed. I'm surprised they weren't suspended. Word at Berkeley High is they got 300 "service hours."
That is the kind of busy-body, authoritarian crap that makes children hate school. Kids are there to learn. Given him a talking to, ask him to give up the goods, and move on.
Having been one of them high school hackers, and having been both threatened with jail and simultaneously being given the carrot of "don't do it again, and tell us what you know," the latter is going to produce a better outcome and if the student chooses to pick the former... well you gave them an honest choice.
Most kids doing this aren't malicious, but just trying to learn and have some damn fun. If you just jump straight to the stick, you're just going to end up with a bitter kid with some cybersecurity chops. Not the greatest combination.
I don't think I would characterize "attempting to steal a student election via unauthorized use of other students' accounts to commit voter fraud" as "trying to learn and have some damn fun". This was a malicious, dishonest act. Full stop. I think they're getting off easy: just being disqualified from the election and perhaps losing in-school computer privileges. That doesn't seem like it's going to teach them what they did was wrong. More likely it'll teach them to be better at not getting caught.
If you believe that most human concepts are lessons that need to be learned, be that calculus or morality/socially acceptable behaviours then it follows that not all students will respond equally to a given teaching method. Just as we're discovering that some students given some patience and different explanations can flourish at maths late on in their "education", perhaps the same can be true for individuals and them learning their lessons when it comes to ethics.
This story resonates somewhat with me as I was definitely a problem-teenager but have since mellowed out substantially, thankfully without ever encountering trajectory-altering consequences (although probably deserving to in some ways)
When I look back I simply wasn't engaged/challenged in the right ways and was looking for every opportunity to challenge myself - even pushing the limits of authority was a source of enjoyment and punishment was almost a reward for me: I never really responded positively to punishment and definitely didn't learn anything from them.
This became really obvious to me after I had the following observations:
- at high school I was highly disruptive
- at college I was fully engaged because the environment was academically challenging
- many years after at coding bootcamp I felt some of the old teenage urges to disrupt bubbling under the surface when classes were too slow (thankfully I know much better than to act on them now)
So I guess my point is that it feels natural to condemn the individual, but we really don't know anything about them or their circumstances, and with my educator hat on, I'd rather assume a misguided individual and challenge myself to find a way to teach a new lesson than opt for the easy way out and condemn them with some kind of heavy punishment (like expulsion).
Perhaps in this case some of the following may be useful lessons:
- some labour-intensive efforts that directly relate to cleaning up the mess of security breaches and election counting
- work on fixing vulnerabilities of the school network (if money were no issue, have the student try to protect the school against a pen-tester, in the hopes of establishing some empathy for the difficulties of being a time-poor underpaid school sysadmin, or at the least have some constructively directed black/white-hat energy)
- find some relatable issues on the morality / pain of vote rigging and have the student study them
I mean Bill Gates phreaked because it was "fun". The people that do this find it fun breaking into systems. You need to understand who you're dealing with. And understanding the motives of preparators helps in how you should discipline them. At least effective discipline.
And that's the point. You're dealing with smart, misguided youth with a literal hacker mindset. You'd hope this wouldn't need explaining on Hacker News, but here we are...
Having been in this kid's shoes many beers ago, I technically committed major felonies. The District flipped a lid, mind you I'd been reporting vulnerabilities two years, when I gained access to their server with their financials and PII. Wasn't doing it because I wanted to sell my shit-heel English teacher's identity to Russian cybercriminals... no... I was having fun learning and discovering this fucking awesome world of computers.
Those of y'all acting as if this kid if a real piece of work need to check your outlook. That is some real "get off my lawn" stuff. He's a high schooler, and capable enough to pull this crap off. Show him the right path, turn it into a teaching (it's school, y'all) moment, and if he doesn't want to walk the right path then who are we kidding, a detention isn't going to change that outlook anyway.
"when I gained access to their server with their financials and PII"
The problem with your attitude is that you have become the authoritarian in this situation. The district wasn't interested in fixing their security issues (their right), and you didn't like this, so you went ahead and broke into their systems anyway.
"I was having fun learning and discovering this fucking awesome world of computers."
There are plenty of other ways to do this.
"He's a high schooler, and capable enough to pull this crap off. Show him the right path, turn it into a teaching (it's school, y'all) moment"
A teaching moment would be punishment. Maybe a suspension. In the real world, you can't just trample on others' rights, without some sort of repercussions.
That doesn't make them the authoritarian. By the way they are talking they obviously weren't writing ransom notes and holding the school hostage, they were poking around and exploring. While I can't say for sure, they likely just left a note saying "hey you should probably fix this" and the administration lost their shit.
Also a teaching moment surely isn't a suspension. That's how you burn any bridges towards getting the kid to learn. You said that in the real world you can't trample others' rights, well sure but it's kind of the point that high school isn't the real world. A teaching moment would be sitting someone down, getting them to admit/explain what they did, telling them that in the real world they would get in trouble, and pointing them towards a better outlet. Teach them what it means to be a white hat and send them on their way.
> The problem with your attitude is that you have become the authoritarian in this situation. The district wasn't interested in fixing their security issues (their right), and you didn't like this, so you went ahead and broke into their systems anyway.
I wasn't holding anything hostage. I didn't tell them "Fix it or else." I'd been reporting vulnerabilities I'd been finding. Found more. Reported 'em.
> In the real world, you can't just trample on others' rights, without some sort of repercussions.
Sounds like you've never lived in the real world.
Again, it's high-school. You seriously have no idea how to incentivize this type of kid.
"Sounds like you've never lived in the real world."
You're the one talking about how it's somehow your right to break into private systems, because muh learning.
This doesn't sound like the real world to me.
"Again, it's high-school. You seriously have no idea how to incentivize this type of kid."
Why should we? Why shouldn't this type of kid have to follow the same rules as anyone else?
The administration was already aware of potential flaws in their system, but chose not to fix it. These kids decided to exploit them anyway. If this was at a workplace, they would be fired at best and have a criminal record at worst.
> You're the one talking about how it's somehow your right to break into private systems, because muh learning.
No one is saying this.
> Why should we? Why shouldn't this type of kid have to follow the same rules as anyone else?
Why don't we punish 5 year olds as adults? Hint: answer is the same.
> The administration was already aware of potential flaws in their system, but chose not to fix it.
And now they will. Both are at fault. Both have blame. But we're saying "Don't turn these kids into criminals. Push them to use their skills in a way that can help our society (ie: security researcher). They're still young enough that they can change. These aren't hardened criminals we're talking about. We're talking about kids.
tldr: Kids aren't adults. Who knew this was such a controversial topic?
Obviously I don't know the kid at all, but on the face of it, it appears he wanted to win an election and decided to cheat to get what he wanted. Hardly "just for funsies" or "following the hacker ethos". It's just a morally-challenged kid behaving badly.
A student election is absolutely worthless. This is not like stealing money from a convenience store — that has value - it’s more like taking home a paperclip from your office once. I see absolutely no reason that someone taking an office supply item home should be treated differently.
To kids in school, the election is not worthless. Even when I was in HS that wasn't the case, and the article mentions that with college admissions so competitive now, every edge -- including being elected to a student government -- is important.
Even if it's not actually important, it's the perception of importance to the student that matters. The idea that "it's ok to commit fraud if I think it's something important" is definitely one we don't want becoming widespread.
So what do you do with badly behaving kids? Whip them with a belt or show them the right path? If the kid's rotten, he's rotten. But more than likely he's not truly a bad person and can redeem himself.
The moment you get mitigating circumstances because you just did it for fun is the moment when everybody starts doing it "for fun". Plenty of crimes might have a "thrill" component. This doesn't justify them at all.
The guy accessed other people's email accounts. The punishment for "hacking the elections" is one thing, accessing someone's email account goes way beyond that. So even comparing it to abusing a paper ballot system is not at all appropriate. It's comparable to someone opening up your mailbox, reading your mail, then sending some in your name. For fun.
I think the punishment you described does a better job of teaching them to not get caught. My suggestion turns it into an opportunity for them to learn why it was wrong and to help make amends for the harm they caused.
Student elections serve no purpose other than to decide who gets to wear the fancy jackets. Normally the election is rigged by having more money to give out free candy and make better posters. Sounds like someone just found a way other than money. If you actually cared about school smarts in a high school election, winning without being popular seems like a better sign of it.
If you value truth over ignorance, then exposing high school and its elections for the farces that they are is making people's lives better. Allowing students to find their own paths to fulfillment instead of relying on a silly popularity contest seems plenty productive to me.
Among countless other problems, high school elections promulgate the idea that there can be only one hierarchy, that there is a group of "betters" that should comprise that hierarchy, and that the only measure of merit in that hierarchy is popularity.
That's a fair point of view. However I think school should focus less on punishment and more on learning wherever possible. I'm suggesting that instead of punishment this could be opportunity for all to learn.
A punishment can often be used as a form of learning. By punishing the individual, he gets a chance to better understand the costs associated with doing such acts. At the same time, if it becomes public enough (or teachers decide to anonymize and make it a use case), others may get a chance to see an example of what not to do. The case can also be used by the school and other entities to improve security, etc.
The biggest loss of all would be to put it under the rug.
Punishments are effective at teaching people to not get caught. They put the offender on the defensive, which is a hard place to learn the right lessons from.
Or, treat this student as an individual and a real person, learn to not talk so condescendingly about others, and encourage this person to make constructive and better use of their rare and unique intellectual capabilities and work ethic.
You attract more flies with honey than vinegar. Good luck to the society whom discourages young outside-the-box thinkers and bright minds from pursuing intellectual passions within STEM. This is a huge problem in the US and it's culture around education.
> Treat this student as an individual and a real person
Treat everyone else as an individual and real person. If this were not what amounted to a pointless election and therefore a dumb prank, there could be real consequences. Some jackass screwed around with his high school election, sure, I don't think a severe punishment is in order. Suspension? Detention? Sure, whatever.
You think that individual's individuality is supposed to somehow put him in front of everyone else affected by his actions? Or is it the fact that someone is interested in STEM, that makes them special?
There is sometimes a victim of actions (in this case, other people running, other people voting). You write as if they don't matter or exist.
It’s not a matter of legality but of honesty. They still committed fraud. It's like cheating at some exam. Might not break a law, but I wouldn’t hire them in a bank.
If I ran across a resume of someone who hacked a student election and a resume of someone who won it legitimately, I’d consider the hacker to be the more valuable and qualified applicant by a long shot for any STEM position. I am amazed that you have never done an unethical thing when you were a youth, but I know that my entire cs class in high school was finding exploits in the IT security structure and abusing them for fun.
I'm being very careful to not proclaim _what_ I think the punishment/learning should be. I'll concede that my 7-11 analogy makes it sound like I'd push for a harsh punishment, though that's not my intent (and indeed, is detracting from my main point, which is that _the student made a large mistake_, on par with cheating on a test or worse, and there is a large amount of blame that belongs on that student's shoulders, regardless of how poor the cybersecurity of the voting mechanism was).
Swartz was an adult who decided to do something illegal that he believed was nonetheless moral and the right thing to do. (I agree with his stance, but doubt I would have the balls for such civil disobedience.)
This HS student is a child who committed voter fraud in a student election for his own benefit. Nothing noble about that.
An open door doesn't give permission to steal, but as any insurance will tell you the blame for the theft will fall on both sides: The justice system will find the thief guilty and punish him, and the insurance will find the shop owner guilty and punish him.
If the security problem is more subtle than an open door it's not unheard of to consult the criminal, who may be given a lesser sentence or other freedoms for helping make everyone more secure.
Of course in this case all of that is kind of moot. The rigging attempt was crude and quickly detected. Everything worked as it should, and while organizing an election brings a high burden of ensuring no manipulation occurs, everything was executed perfectly. The real problem was students not being forced to change their default password, which is akin to an open door, just from a different department.
well perhaps the criminal can explain to the judge how society failed him or a rough traumatic childhood caused him to be this way. Also add in the presentation how easy it was for him to get a gun and how the cashier should have been automated. I do think cashiers will be an outdated job in a few yrs.
I believe it is fairly simplistic to just say good/bad without understanding the nuances and shades of gray in between.
I was suspended in high school for "hacking"; this was in 2000. I added two (crudely named) folders to an old DOS style typing teaching software.
My presentation would have just been "I pressed F10, and typed in bad words", but it would have been preferable to a three day suspension, haha. I hope this is the outcome!
Yup, I did the same. A contractor replaced all our Classic Macs with Windows 9x boxes and never taught any of the staff how to secure them.
We were using winpopup to send messages to each other, when I worked out how to send them to the entire subnet (or domain - I forget). Three months later I was hauled in front of the Deputy Rector to explain how I managed to 'write my name' on the admin office server. It turned out that they never turned on the monitor connected to the print server until the printer stopped working and they jumped to blaming me.
It took some really fast thinking to wriggle out of that one - I was warned 'he'd be watching me' from then on though.
The stories seem to be going backwards in time, so I'll chain my 80's version of this. I wrote a fake login prompt on our VAX that looked exactly like the normal login prompt on the VT100 terminals. It would record the userid and password in a log file, give the "wrong password" message, then exit/logout so the real prompt was there for their second try.
I'd launch that on a few terminals on my way out of the lab.
Never did anything notable with it, but didn't get caught either.
I believe this sort of thing is the primary reason for needing to ctl-alt-del to login to windows. Though I'll bet most people wouldn't think much of a (fake) login screen just being there ready to go...they'd probably try to login anyway.
Yeah, but not quite. When you sent the message it used your network I’d as for the ‘from’ field. I was even that dorky that the message I used to prove it worked was “Hello, World!”. Try explaining geek memes to high school teachers in the late 90’s.
Thankfully the time i took down the high school's network using a looping bat file that opened looping NetSend commands to the entire domain the teacher of the CCNA class I was in thought it was hilarious and more of a shame on him than a shame on me.
I used NET SEND to do something similar, a little later on. In my previous experiments, this caused a message to appear on all laptops on the local network, so when it didn't, I started sending... less than savory messages. Screaming into the void, as it were.
Unfortunately, the messages were appearing... on the domain controller.
I think I got a detention and a couple weeks ban from using the computers. Fair enough.
How would a presentation be preferable to a 3-day holiday from prison^W school? At least at home I could read my textbooks in peace.
I got a five day suspension for showing a teacher I could log in before accounts were authorized while they were watching. Loaded the school's official website in a browser. Best week of high school.
My high school solved that by making all suspensions "in school" suspensions. You were sequestered in a classroom with the other miscreants. You were not allowed to talk to anyone but the ISS teacher, who was a mean wrestling coach. You were assigned double or triple homework, which had to be completed before you were allowed out of ISS, and you automatically received Fs on all that homework.
Those things removed all motivation for 'vacation.' No one wanted to get suspended.
Oh wow, that sounds educational, or rather its opposite. Sounds trivial to hack though. You have no incentive to actually do the homework other than the time, so just drag it out to the maximum time. I'm sure the coach would love to stay watching one kid to 2AM.
I guess it's just being older that you realize school is a fake world anyway, and expulsion is not a real punishment except to the school's budget. The community college path is cheaper and better anyway.
No, if the homework didn't get done, the coach went home at his usual time and the next day the kid had to come back to ISS instead of going back to regular classes.
Expulsion was a real punishment back then. It may be less so nowadays, I'm not sure, but when I was in high school, without a diploma it was very difficult to get any kind of job beyond something menial, and nearly impossible to get into any kind of higher education, including community college.
Then again, two generations earlier than mine, you could support a family on an 8th-grade education -- although an 8th-grade education a hundred years ago involved more than a high school diploma these days.
Around the same time I was one of the first kids to have a laptop in my highschool and was actually just doing homework on it in studyhall. The proctor was aghast and thought I was going to infect all the school computers with viruses. I tried explaining that I was not even on the school network and she tried to tell me that they could spread through the power supply.
Similar things happened to me. My main takeaway was that these supposed authority figures were so certain about this stuff, and they obviously had zero clue. Made me distrust authority in general for years, which led to several problems.
punished by being made to give a presentation on how they automated the process, what poor security practices allowed them to pull it off, and recommendations for preventing a similar incident in the future
> “It just shows that people don’t make healthy cybersecurity decisions,” said Stern.
You mean like the administrators of the school? You can set a temp password to immediately expire. What's notable is that even after this incident they still didn't do so, just encouraged students to change the default password during orientation.
Indeed. An immediately expiring temp password is the usual workflow for new private-labeled Google accounts. I suppose, though, that somebody thinks middle schoolers can't handle it.
I did something very similar to this for my high school's prom queen vote who I wanted to win for teenager reasons. The voting system was just a bunch of laptops in front of the lunch room running a web app and all that was needed to vote was to know a student id. A few hours and some javascript later, I voted more than the entire senior class. It was only discovered after the event.
I could have rigged the vote to win at my school too, except that I wasn't in the right cliques. It would have been very suspicious if I won, and everyone knew I was "good with computers".
Our program actually saved who voted for who in plaintext. At least I got to see who voted for me.
I don't think student governments get to push policies that can actually help students very much. I don't think school administrations let the student government have any real control whatsoever.
IIRC, my high school government was very effective at choosing the prom theme and lobbying for a specific brand of crackers in one of the vending machines.
Why is this such a common thing? Just about every bank I've used has had one of these issues on their website:
- Password can't be long
- Password can't be pasted
- Password must contain symbols
- Password can't contain symbols
I even locked myself out of my credit card (AMEX) account 3 times in less than 2 days because they have multiple different password reset forms, but one of them doesn't enforce their password length limit, so I successfully set my password to a password that was too long for the web/mobile login forms.
Finance is worse than most industries because financial institutions grow by acquisition. You make money by managing customer assets of some sort, so you're constantly buying up smaller companies, and the main corporation is this frankenstein's monster of smaller companies.
Not only does anything digital has to be transferred over, but often customers have to be persuaded to agree to new terms, which is obviously a long, complicated process.
They also have legal legacy as the government will always grandfather old accounts when the law changes. So the banks may have special accounts that are obsolete but a few customers like the perks, that could live in an old system of their own.
Plus there are various deals they've made over time that might restrict one part of the company from doing some activity, any kind of international stuff is a total mess, it goes on.
All this means they have a ton of duplication and are constantly trying to merge their internal systems, on top of the normal awfulness of any non-tech company trying to do technology.
But, in the same breath, these are the same institutions that have the highest compliance requirements. It seems crazy that when I get these random vendor questionnaires they require such strict password requirements, yet financial institutions aren't included in adhering to these best practices.
In summary: there are a lot of third party products for interacting with banking data. Different versions between those products still in use. The need to enforce security based on the product/interface with the worst usability (ie: most restrictive set of functionality or most bugs to work around)
The talk specifically talks about Open Financial Exchange (OFX) as one of these legacy pieces.
Can't be pasted has changed more recently to my knowledge
Can't be long is due to some OFX protocols limiting password transmission length (and sharing passwords between services in plain text!)
Special characters are disallowed because some of those characters were control characters for the communication markup.
In my experience with banks that did this it was to allow a mapping to 10digit keypads for bank by phone access. I haven't tried it recently, and they allow complex passwords now. When I noticed this several years ago I was able to log into my bank account via the website with the 10digit equivalent password. At least your bank balance is insured...
There are always engineering solutions to such things, but I don't think most of the decisions are made in terms of "it's possible". There is always a risk/reward conversation, and a lot of conservatism in systems currently processing a large number of transaction and/or $ successfully. Perceived risk may or may not be analyzed correctly, mind.
It's not just banks - there's a lot cargo culting around passwords in general, and it often manifests as long and pointless lists of requirements, that often make things worse rather than better.
One recent example I had was with an online account that demanded a password reset. One of the requirements was "no two consecutive or three sequential characters". I'm still not quite sure what exactly it means, but it was tripped by any sequence of characters like "ab" or "21", and as a result, my generated 16-character password with no meaningful words in it was not accepted.
You know what passed the filters though? "secret_1".
You'd lose your $5. BMO's online banking system is an outgrowth of their telephone banking system, which used 4-6 digit PINs. (Thankfully not the same PINs as used with their bank cards though! Or rather, each card had two PINs, one for use as a card and one for use with telephone/internet banking.)
I'm sure they're all stored in plaintext in an ancient mainframe system, but that's not the reason for the odd requirement.
I wish there was a name for this kind of thing, because I see it a lot. Something is used a username in one context, then a password/authentication token in another.
(Ex: many libraries use your barcode number as your username)
I suspect the mistake stems from not understanding how passwords are stored.
(Eg: while yes, well set up systems hash passwords, usernames or any other identifier paired w the password are in cleartext, and in many cases huge swathes of the userbase can access them)
A bit late, but in my high school, we realized that our student IDs were chunked by which feeder middle school we came from. This was after we scraped the entire ID->Name mapping database.
For example, 7500-7600 was Middle School "A"; 7600-7700 was Middle School "B" and so forth. Within those chunks, we couldn't really discern an order, alphabetical or otherwise.
I'm glad to see that it seems the student in question was afforded a measure of process and admitted guilt -- I could easily see the story ending where the weaker opponent casts fake votes for their competition to get them eliminated!
The number of responses which go to "...I did this too" are fascinating. I also did stupid things in my past which nowadays would incur severe penalty, as hacking. They felt mild right up to the point I was caught (this is 35 years ago) and then they stopped feeling mild very quickly.
I feel very sorry for people in todays world who don't get the "everybody gets one free pass" on these things we did back in the day. I think we need a clear statute of limitations on some stuff done by minors and near-minors, regarding their future lives. Nobody is going to be eligible for election to senate or the law courts, or to work in federal or state bodies if we don't work out how to deal with this kind of thing.
That said, I am pretty sure rigging an election is a good indication you have need of some ethics. Amusing, but also not a good idea.
This ranks (in my books) with the recurring "we thought we'd make a film about a bank robbery without informing the bank or the shopping mall about it" type cock-up: Actions have (unforseen) consequences.
Gosh, I did this back in my high school as a Senior, two years ago. Got myself suspended for two days and ruined my perfect attendance, oh well. It scared the shit out of me when two police officers barged into my U.S. History class and pulled me out.
The usernames of our voting system were our 5 digit student IDs. And the passwords... same as the usernames. I wrote a puppeteer script that looped through 2000 IDs and voted for everyone. They tracked me down through my home IP address -- if there is a next time, I'll definitely use Tor haha.
EDIT: Yeah, the school's VP picked up on it because normally about 40% of the student body actually votes -- but this time it was 100%; plus when student's started signing into their voting accounts, it claimed they already voted. Not my brightest moment.
“When we spotted it, it was incredibly obvious,” said Stern, 17. “There were just massive alphabetical votes at random hours.”
Reminds me of an interview question: How would you do a reasonably good job of randomizing an incoming stream of items, while minimizing auxiliary storage?
I'm thinking of randomizing the entire stream, and getting something that looks "reasonably random" to casual inspection by human beings, using only O(1) space.
It's easy if you don't need exact results! For instance if you want 1/2 votes for A, 1/3 for B and 1/6 for C, well you roll a die and vote A for 1-3, B for 4-5 and C for 6 - do this enough times and it'll approximate that distribution!
Things only get difficult if you need exact results OR start doing things to make it "look" random - breaking up long runs of one vote, that sort of thing. (which of course makes it look distinctly nonrandom to someone with a stats background)
Let me see if I'm misunderstanding something about the problem.
1. The items come in a stream, so you have to accept each one in order.
2. You have to output a stream too.
3. You get a fixed amount of storage, much smaller than the stream.
4. The items are arbitrary and unique, so there is no way to compact n items into significantly less then O(n) storage.
If the stream is large and sorted, you run out of buffer before the input stream gets past 'A'. You're forced to output thousands/millions of entries in a row that start with A. That doesn't look at all random.
It seems impossible if I understand the problem. Is one of my numbered statements wrong? Is there a way to get items out of order? Put items back into the stream? Is there a limited range of items? Getting unique items in order lets me compress the data very slightly, but 25% more storage doesn't fix anything either.
getting something that looks "reasonably random" to casual inspection by human beings, using only O(1) space.
7 (+/- 2) is the magic number. However, you make a good point. This is highly dependent on exactly how large the data is, and how "casual" the human are.
The size of working memory... that sounds like a threshold for taking an already-randomized list and turning it into another one that looks different on casual inspection.
Even with a small size like 200 a shuffler that weak won't do a good job of turning sorted into unsorted, even at a glance.
I would expect the most casual inspection to actually be the least affected, since it would be be the most focused on the first letter or two of each entry.
Randomly choosing the votes sequentially with no memory is arbitrarily close to being the same thing as shuffling for sufficiently high numbers of votes.
hmm you can randomise the time at which you next put something into the stream right? I am thinking you can sleep() until the next time, just by doing rand() * someMultiplier * aSecond
> Schweng said the culture around this election, from the outset, was different than what she’d seen in the past. There were more reports of students taking down candidates’ posters, and more activity on social media. Some students suggested to the principal that the stakes felt higher because colleges are becoming increasingly more selective, and extracurriculars like student government are consequently more important.
This part was the most interesting revelation in the article to me! It never would have occurred to me as a HS student to "cheat on extracurriculars"! I just did the stuff that was interesting.
Nowhere in the article is it mentioned where the student gained access to a mapping of student IDs to student first and last names. As a recent BHS alumni, these ID numbers are not obviously derivable from a student's name (but I do think they are allocated sequentially). Getting access to this list implies some sort of social engineering or threat vector elsewhere.
The flaws exposed were of general cybersecurity--they had default passwords comprised of a static string for every student + their student ID, and did not require students to change that default password immediately upon first login.
"If a student does not change the default password, “anyone with access to your student ID number will be able to access and delete your emails, schoolwork, personal documents and anything stored on your Google Drive,” Stern wrote in his message to the student body."
