Between 2018 and 2020, I wrote a website that cloned the databases of a couple online learning platforms, and used it to skip lots of homework I should have done.

I wrote this at the beginning of the year, but never released it as I was never sure if I was missing details. I realised today there is no point in keeping it hidden, so brushed it up a bit and published it.

Btw, the repo that houses the blog is open source, so feel free to fork or whatever and use it as your own

Awesome story, and good response by Hegarty. It reminds me of something similar (but with an opposite response), where an intern who worked at Replit built a basic repl site (not even a clone) but was threatened by the CEO that he'd be sued.

https://news.ycombinator.com/item?id=27424195

Everyone has to start somewhere. These young lads “worked around” couple of educational platforms. 35 years ago I was hex dumping ZX Spectrum game saves and disassembling the program files to get more lives, infinite lives or just more ammo or whatever. That seemed easier and more interesting than getting good at games themselves.

I sometimes wonder if that kind of “not approved” intellectual curiosity can be used to augment education. Sort of like having old school alarm clocks that are designed to be disassembled.

Honestly kind of impressed that the HegartyMaths guy independently found this and then handled it without (explicitly) threatening to sue you.

Wow that's amazing! The best part is that you managed to get their entire database, that must have taken a lot of work. How did that burner account thing work?

My favorite experience with "hacking" in school involves wifi. My school had free wifi, but you had to log in with your student password. Well, the login step involved a GET request in which the password was sent in plain text as a URL parameter... so if you had your friend's laptop, it was a simple matter of looking at his browser history to see his password!

Never did anything with it, but always wondered what someone seriously motivated could have done with it

I love the veiled threat to "take a legal approach" in the last email. If I ever take over the world, there will be a law where if you imply that you're investigating litigation, you have to file your case within 24 hours or the ability expires.

I think you passed the take home interview and phone screen for this company.

I hope they did their homework even after breaking the platform.

common alistair w

Reminds me of a passion project I started in high school that went completely viral and took on a life of its own. Wrote a small script for my friends to check their AP scores a few days early. Required high schoolers giving clear text access to their entire CollegeBoard account so I could log on and scrape their scores. Somehow it got posted to Reddit and from that year on, grew wildly. Got to almost 2 million students checking their score in its peak year. It was immensely fun while it lasted (ran for about 7 years) and honestly I miss the thrill of it. CollegeBoard now releases all scores on the same day so the site is pretty much useless now. Definitely always looking to chase the thrill of that score release day again though.

Congrats on a successful end to a fun high school project! Stories like this are always fun to read.

Congrats Alistair and Scott! This is an amazing story that made me remember my high-school days. As the authors, I was into programming from an early age, and high school definitely took the second place :) My grades ended up REALLY suffering when I got my first full-time role at a startup while I was 17 years old (parents approved) and on my last school year. Fast-forward many years and I don't regret a thing. I attended University of Oxford (despite my bad grades!) and I'm doing very well doing what I love.

Wish you both a very, very bright future!

This is a really heartwarming tale of having good intentions and assuming it of others. There was a similar situation in my high school days where someone's college path to computer science was taken away for something even less malevolent than described in this post, he ended up becoming a pretty wild startup founder and a defrauder of millions.

I was a supply teacher. A kid did something similar in early 2010s and he was doing online homeworks for his classmates for about $1 per month. He had about a hundred clients at the peak and he was never caught.

Ha. I had a homeroom teacher in grade 8 who would clip out the numerical crossword puzzle (basically like super-Sudoku) from the newspaper and give us a bonus mark if we could complete it by the next morning.

I was the kid who wrote myself a recursive descent solver for it in QuickBasic, of all things.

This reminds me of when I was in college, they used this platform that randomly gave out questions, and the same platform was used for quizzes. It was one of my first practical programming experiences to scrape all the questions and save them as a text file. Later on, these files were passed around the entire class etc.

When I was in university, I scraped an internal job postings site for students to find internships. The site was terrible- each job description would load in a pop-up window controlled by Javascript, and loading a second description would override the first. It was also really slow and had limited filtering. My version could load job descriptions in new tabs, presented the table on a single page, and you could mark jobs that you weren't interested in or had already applied to.

The university didn't take kindly to that. They accused me of trying to take down the co-op system and threatened to sue me for copyright infringement. Since I linked into their system for job descriptions, I was able to show that the data I actually had (company, title, location) wasn't creative work and therefore not copyrightable. I also had some friends in the university faculty and staff who spoke up for me, since I had reported security vulnerabilities in the past, indicating that I wasn't acting with malicious intent. In the end, I just had to take a business ethics course, which I probably would have taken anyway.

Maybe I had a different takeaway from everybody else here about this story. It's hard to focus on anything other than the ending interaction.

To me it sounds like the CEO just started panicking and sent you an email so he wouldn't have to do anything relating to fixing or explaining the problem in sales for all his customers or paying you for your work / to fix it. He probably didn't even want to pay for a lawyer, rather than how he played off being nice.

It sounds like he just got away without having to do anything because he threatened you and sold you a cop-out story "But what about the kids?"

In high school I was trying to make an app to scrape my grading system Skyward and ended up finding a trivial auth bypass that let me see anyones grades. Knew the school would turn me into a villain if I was discovered even though I was on student council and an honor student so I emailed the principal and got a meeting with him. For some unknown reason my poc didn't work in the meeting so during the meeting I found a second auth bypass. They paid me $75 for finding the issue and told me to try to hack the teachers side of the system next. Lots more to the story if anyones interested.

Well done, and nice of you guys to take it down too.

I remember having some fun in high school when windows XP was the thing and handing out software at school was done using USB memory sticks. I wrote a small program just to mess with classmates that copyed itself to the machine when the memory stick was inserted and set itself to run at startup. It also copyed itself to any USB storage that was connected to the machine.

The program didn't do anything other than connect to a server so I could add it to a database along with some basic info, just so I could mess with the right person. It was fun when a USB stick was passed around, and I was the first to get it. So I got access to the the laptops of all my classmates and could mess around with them.

The problem was that it spread like wildfire, and in just a couple of weeks there was thousands of machines and it was spreading exponentially, with no way for me to stop it. That's when I realized that it might have been a stupid idea and that I should probably remove any traces of my involvement.

I also wrote something similar for my university quizzes using Tampermonkey. I noticed that some of the questions from non-graded quizzes would later appear on graded quizzes. There weren't any IDs that I could use and the wording of the questions would usually change a bit. When taking any quiz, it would search the questions on the page against the database. It would scape the questions, do some cleaning like removing stopwords and symbols, and then do a fuzzy string search against the database. It would give a score to each match and display the top 5 best matches. Worked quite well. I would then spend the rest of the time answering the questions that it could not match.

Epic stuff, and I think this experience may well be more valuable than the homework you avoided. Basically you did harder homework in order to avoid easier homework.

The problem is letting other people use it; of course it's nice to help people, and it's altruistic to do so for free, but some of those people might actually need this homework to learn, and you may have deprived them of that. (Although I also think watching a video and doing some multiple choice questions is the laziest low-effort homework assignment there is, and the damage may not have been all that big.) But you used logic and programming to work around a math problem, which are roughly in the same field, so I think that's fair.

A slightly similar situation: my previous job was at a bank, and banks over here are bound by all sorts of ethics and rules, and are required to regularly train all their employees in balancing the interests of customers, society, and the bank. This bank did that by gamifying it: we had an app where we had to answer all sorts of ethical questions and make sure our score in the app was over 70% at the end of every month.

A coworker used our testing framework to access the app, answer questions randomly like you did, and store the correct answer to use next time. It apparently worked very well, but using tech to avoid ethics questions is quite a different issue than yours. (He shared it with me when he left, and I tried it, but it didn't work for me.)

Love it!

In the world of Music Conservatories, practice space is limited and there is a lot of competition to get a room booked. Many places use a niche scheduling product called Asimut specifically tailored to conservatories. Depending on how it is set up, for example, you could book a room 72 hours in advance on a rolling basis - this mean people were always on their phones booking rooms and then extending their booking times.

As you can guess, I wrote a simple python script that lived on a vps and read a schedule and list of my favourite rooms from a text file, would wait until the right time and book/extend for me with my username and password. Never told anyone except my girlfriend, who spent enough time with me to realize I was making bookings without ever looking at my phone!

This reminds me of back at university we had to use a platform called "Wiley Plus" for weekly physics homework.

To prevent copying, while the equations needed remained the same, the numbers (inputs to what you had to work out) varied across user sessions.

One lad in the course wrote a website that he updated weekly that mimicked the UI/UX, you would plug in the values WP gave you and it would emit an answer.

The following year I took over maintaining it, and ended up in a spot of bother with the administration.

There was also another homework website that some lectures made us use, which did all the shit client side in JS. You could just inspect element and get the answer.

I honestly still don't get the point of those additional homeworks, on top of assignment and lab report workloads at university. They seemed to only exist to loosely tick a box regarding "continuous assessment".

Relatedly, they also implemented 5% credit for attendance by proxy by making us rent these radio " clickers" from the university, each with a unique ID tied to a student.

During lectures, there would be multiple choice questions asked, where the answer was irrelevant - it was a means of counting attendance.

Naturally by the second month people were delegating their clicker to someone else if they needed to skip a class.

A couple of years later, smartphone apps replaced the clickers, and SDR became affordable, granting the university a near-miss from any radio shenanigans.

Years ago I was working at a multinational consultancy, and then they suddenly decided to block most of the internet except for a whitelist. We quickly figured out that the whitelist worked with keywords, and since we were programming in java, java was one of the keywords, so if a url was banned, we could access it by adding ?param=java. As twenty something year old developers, we said, challenge accepted, and we built a GreaseMonkey or TamperMonkey script that when it couldn't load a page it would reload with the param added, and rewrite all the links and img tags to also add the param. Soon after that the system admin guys gave us a proxy config to bypass the whole ban, but it was fun to do it anyway.

It's a different era now, but back in my day Altavista had just launched Babelfish and a few of us began using it for our French homework. My friend got "caught" due to the "peculiar" nature of his work, and while they couldn't figure out what was happening, we were all warned quite sternly to stop doing whatever it was we were doing. Lesson learnt: only use Altavista to read French ;-)

Ways back we got a prnalty when we did not do our homework which was called "Zapfen" in German language.

It's basically like this: You get a starting number, have to multiply it with 2, then it's result with 3, then this result with 4, until you multiplied it with 9. After that you had to divide it by 2, then by 3, ... and finally by 9 and end up with the same number you started with. Sometimes even higher than 9.

Since our teachers understood that there are calculators and even kids like me who knew how to write loops in Basic code, they chose the numbers big enough to result in scientific format or overflows, so that at a certain step the precise calculation could not be done any more with a calculator or computer program.

So I wrote a Basic program which did multiplications and divisions the way you would do it manually with strings. From this point on I was only limited by the amount of memory, which wasn't an issue since my Amiga 500 had 1 MB of Ram.

Because this all happens on the front end and the backend accepts the requests - I'm curious if this is exempt from the legal definition of "hacking" aka "accessing a remote system with Ill intent" or however it's defined .

Although I guess that applies to sql injection as well so in theory there was really potential legal trouble here?

Rooting for you guys. If anything this should cause some people to question the very educational structure they've set up. If people are attempting to evade homework it's because it isn't interesting to the student, which hints at a deeper problem that the school/teacher/entire school set-up and structure needs to address. They essentially need to throw out everything they've set up because they're operating it more like a police state/prison "Ooo let's CATCH the cheaters! Let's CATCH the plagiarists! That'll show them!"

Instead of saying "What are we doing that isn't capturing the students interest in these tasks? How can we connect this subject to the students most meaningful, important, and immediate concerns and goals? What concepts from this subject can we teach the student that'll help them achieve those salient goals?"

The creators of these companies seem less concerned with actual long-term meaningful learning and more concerned with playing policemen.

Educational institutions need to be way more student-driven and student-concerned, allowing the student to shape their journey, as opposed to turning out cogs for the system like military training.

Alternatives exist like behavior analysis's programmed instruction, but even that needs a radical upgrade or integration with AI.

Given the modern division of labour, people are more often than not an expert at whatever they do for a living.

It makes me think that high school is still too generalized. I think I only got to pick about half my courses and even those had to fit into certain bins. Couldn’t do too many tech courses. Had to have an arts course each year. Stuff like that.

If students have _any_ personal inclination towards any course we should enable them to take it without any bureaucracy. One of the most precious and fleeting resources is when a teen is self-motivated over education.

"Cruically, our teachers could see how many times we've watched the video..."

This sounds like it's normalizing invasive surveillance. Getting kids used to the notion that their teachers should be able to monitor their online educational activities... and then, if governments and corporations are tracking all your internet activity, email communications, phone location data - it's just the way things are done! Now have a social credit score, it's like a grade in life...

That said, I wonder if there's a similar approach, some scripts users could run to artificially boost their social credit score (in China, for example). Just something that would run in the background - it could send pithy positive tweets, visit all the government-approved websites, etc. - all with no need for the user to be involved.

Heh, I started coding (in python) when I was about 15. One of my nerdy interests that motivated it was "historical" crypto (vigenère, etc). But another one of the first things I wrote was a script that would factor quadratic equations for me, in order to do my math homework for me. I really hated that kind of repetitive homework, where every night for weeks on end we'd have 25 equations to factor or whatever, even when I had already "gotten it".

It was pretty dumb, using the exact "algorithms" we were taught to do it by hand. It would even "show the work" so I could transcribe it. In the end, it probably took as much time to input the homework into the program, and then transcribe all the answers, making sure to fake it so it looked like I did the work, as just doing the homework. Not to mention actually writing the program, but that part was really fun. I remember turning on a small night light when I was supposed to be past bed time so I could scribble down algorithms or solutions to bugs on a piece of paper so I could implement them the next day.

If I had been a bit smarter, I might have realized that I could have used a CAS that already existed. Not sure if there were many open-source ones (that could run on windows) back then (2003-2004) though, just looked and sympy was released in 2007.

I worked at Sun Microsystems in the late 90s/early 2000s and at the World Trade Center offices, pretty much everyone had to hot desk.

I was in a group that, unlike our "pure" sales brothers & sisters, spent a lot of time in the office. The whole hot desk was a big PITA because we had to reserve our desks and we could only reserve, I think, 1 week in advance.

But, one of my colleagues figured out that the back-end of the reservation system had an RMI interface and it didn't do any validation of the reservation requests. So he wrote a CLI utility that let us reserve the same offices week after week.

We would've gotten away with it except that the head of sales realized one Monday morning that we always seemed to be sitting in the same place. I guess she made some enquiries because not long after that, we were all called into her office and made to promise that we wouldn't hack the reservation system anymore.

At the bard so famously wrote, "Pride goeth before a fall." :)