Hello everybody, I'm Jure and I'm going to talk about why I hacked my school.

So first some more about me. I said I'm Jure, Jure Grunendijk. I'm a 15-year-old teenager from the Netherlands. I have a twin brother who's not here at the moment because he's not as much into technology as I am. And I'm in the fourth grade. I do VWO bilingual.

So what drives me to do what I do? I want to know how a system works. I want to see, I want to see the system. I want to know how does it work and can I get around it? So to do that I do multiple things, which is breaking and making stuff. So on the left here you can see me with multiple devices that I got from the flea market, which I then soldered apart to see if I can get a UART on it. On the right you can see me soldering together a mini console thing.

So it all started out a few years ago at the plus class, which was a class for people who were different than the rest. So it was in primary school, about sixth grade. And it all started out there, learning Scratch, where you could move little blocks to make a little program where you could make your character do stuff. And after that we went on to BASIC. Yeah, quite basic. After that we went on to Codecademy, which is a website where you can learn to program using little challenges. So here you can see an example of such a challenge. So on line three it says set myInt to seven, and then on line eight it says you need to set it to four. So I didn't set it to seven minus three.

Another site I use is Certified Secure. So that's where I learned to hack. Certified Secure is a great website for learning to hack. So it starts out with stuff like what's HTTP, how does a web page work, and then it moves on to how the spot, Potter version work, how does SQL injection work. And then it gives you a website that you need to, like, get into yourself, and in the end you also learn how to, how to secure your own website.

So another one of these things I did with that is to program hardware.
So here you see a Digit box, which is an Arduino with a keyboard module on it. So I use it as a keyboard to, for example, when a friend pissed me off, I just, I just said "I'm a leet hacker" a thousand times per second, crashing their phone. Or when I was playing Cookie Clicker, I would let it click a thousand times per second, so I'd get a lot of cookies.

Another one of my projects was the remote control, but it is not just any remote control. It's a remote control on steroids, known as a TV-B-Gone. So what I would do is it would send off signals to all the televisions in about a hundred meter radius. So we went to a, to a TV store and watched employees pull out their hair as the TVs turned off one by one.

So then you might wonder, hmm, that sounds like a fun prank. What if I were to adjust my grades as a prank? You know, just look over the shoulder of a teacher and then see his password and then enter it at home. And then, hey, yeah, this biology test I fucked up, right, about if I change that to it then. However, I don't think school would like that, and neither would the law, because then you'd be stuck with either a jail time of four years or a twenty thousand five hundred dollar fine, or a euro fine, or, well, since I'm a teenager it would be four thousand, but still that's a lot of money. You don't want to pay that.

So the process of responsible disclosure or white hat hacking is usually, step one is to get approval. Okay, so step one would be to get approval, which you usually do by responsible disclosure. So in my case, I just went to the headmaster and said, hi, can I hack yours?
Can I hack the school? And for some weird reason you were like, yes, sure.

Then you go and test around, see what you can do, if you can find anything, any vulnerability. And after that you of course report it, usually by email or just visit them or whatever. And after that they fix it, which by the way can take a long time. So you need to be careful to not go brag around like, hey, I found this and this, while it's not fixed, because then people can use it against you or against this business that you're working with, and they've also broken the responsible disclosure deals.

So after that it's optional that you get a reward. So I personally don't do it for the reward myself. I do it, I do it... why I do it I will explain in a later slide. And after that the school can disclose it, or whatever company you're working with could say, hey, we were... this guy helped us solve a problem, and then after that you can disclose it, say, hey, I helped this organization solve a problem.

Also, there's another arrow here that doesn't fit with the explanation that I just said. That's because if I were hacking a company and, like, I haven't found anything in months,
I would just go back to see if I, like, if I still have all the permissions, because, for example, in those four months they had another issue with a black hat hacker and they changed their policies, or they don't think you're, like, you're no longer allowed to, like, hack. Then you're still breaking the law even though you haven't been notified.

Step one is to get approval. It's what I did, as I said before, by just going to the headmaster and making some responsible disclosure deals. So the deals were that the tests I do may not impact the school's availability, so I may not, like, just destroy the network for the, just because I want, I want to. Another one is that it may not be discussed with third parties while it's not fixed, except for my dad because he was helping me with it. I would also need to report everything directly to the school, the school board, so I couldn't, for example, tell my friends that, hey, hey, I found this, while it was still not fixed. So those are responsible disclosure deals. Most websites, or not most but a lot of websites, have those on the bottom of the page. So you can just go there and see the deals, and if they know you can go to them yourself and see if you can make a deal there.

Um, so when you're testing stuff, so you got, you got permission, you can do what you want, you can test around a bit. You got to really be careful that you don't break anything. So for example, if you're messing around with Nmap or whatever and you, and you make a little mistake, then you're suddenly sending thousands upon thousands of packets to the server, which could slow it down or break it. So you got to really be careful that you don't break anything or that you don't mess up while you're testing stuff, because of course that, that will still break the deals and you'll be in trouble.

So one of the projects I did was I made a lunchbox using an Arduino and an SD card shield, an NFC reader and an LCD screen, and if you combine all those things together you get my lunchbox. My
lunchbox is a device that I made to copy the school key cards for the lockers. So it would copy the code that's on the passes and then we just put them on the card, so I could copy them to another pass when I was home.

Another example of what I found at my school is that the PCs were unlocked in both ways: that you cannot, you cannot lock them with Control-L or Windows key L, which would usually give the normal "the PC is locked, enter password" lock screen, and that the BIOSes were also open, so you could also boot with a, with your own stick, which would also be a huge vulnerability. So you think, hey, might not be that much big of a deal that you, that I can't lock my PC, because, hey, worst thing that will happen is that they'll just go to my Facebook and, and post something weird about me or something. But that's not the case, because they can also just use Mimikatz, for example, and just get all the passwords from the, from memory.

So when you found your issue, when you found your vulnerability, you need to report it. When you report such an issue you need to report the issue, the impact and the fix. So in my case with the school lockers I did that by reporting:
Hey, I can find, I can copy the values of the key cards. The impact is that I can copy the cards and maybe put stuff into lockers or also take stuff out of it. And the fix would be that, well, to replace the entire locker system would be very, very expensive, so I suggested that I put on camera systems to make sure that wouldn't happen, which they did.

And then you wait until it gets fixed. So after you found something, you reported it, everything's well and dandy, you still cannot go around town and, hey, I found, I found this and I reported this, because it's not fixed yet.

After that it's just an optional part, the reward and the honor. So here on the left you can see the "I hacked the Pentagon, all I got was this lousy t-shirt" shirt. And on the right you can see what I got, which was a voucher for, for the cinema, and not really big, but I don't really care about the, about the compensation. I do it for... well, I'll talk about it later. And after that you just restart and find something else. Go check around, see what you can do, and as I mentioned before, once every while just check if you can still do it.

So the answer to the question on the first slide: why did I hack my school? I hacked my school to make it a safer place. So for example those lockers, those key card mechanisms, for example, they could have been used against anybody in the school. They could have been used against me. People could have, like, for example, put fireworks into my locker, and I'm not re-sweeping the playground for the entirety of the summer vacation. Well, now that's impossible to do anymore. So I made school a safer place.

What do I do to keep my knowledge up to date? I attend hacker camps like the one we're at right now, or here you can see CCC 32, or, well, at the current state the building is more like this. But I also share the knowledge I have, so as you see me doing right here.
I give lectures. Camp gathering, like here on the left you see me at eth0, and on the right you can see me at a convention meeting by Deloitte.

So now I'm going to give you guys some tips, and maybe you already know them but you can give them to the relatives, about how to be more secure, how to not get hacked, basically.

So tip one out of eight might seem like an easy one, but don't forget to lock your PC. It's as easy as pressing Windows key L, and then when you come back just enter your password. It's not that hard and it can really save you a lot of work and hassle.

Tip two out of eight is to back up and unplug. So it's very important to make regular backups, because, as you see, WannaCry, that was released a few months ago, that would have, that could have encrypted all your files, or maybe it did, I don't know. So it's very important to make backups, so just when that happens, you don't just lose everything. And it's also important that you unplug the backup, because of course if you keep the backup in your, in your computer, then it will just also encrypt the backup, like, that won't help.

And tip three is to update. So as I mentioned with the previous example, WannaCry, WannaCry could have been resolved if everybody just updated their damn PCs. I mean, the, the fix for WannaCry was released, I think, about four or five months before WannaCry was released. So if you just, if you updated... it's, like, really important, because it can save you a lot of work and it can make your, your system a lot safer place. So I'm not just talking about PCs; you also need to update your phone, your car, your toaster or whatever IoT stuff you're using.

So tip four is Have I Been Pwned? I haven't been pwned. No, I think it's a great website where you can enter your email and see if it has already been hacked, if it's already been in the database online and your password is already on the street.
So I just anti-pulse with that and possibly will enter email there and see that, if it has been hacked on one of the sites, I change that password, and anywhere else you use that same password.

So tip five is simple and long is strong. So imagine you put a password like cd underscore b8, like, all complex characters. If it's under seven characters, it can be cracked within a second. However, if I put water bottle dad chair then colleague as my password, it's the remem-, it's a memorable password. It's very long, so it will take quite a while for computers to crack, and it's a lot safer than all those garbled-up passwords of a few characters. However, that can still be cracked with dictionary attacks, so I still use a password manager anyway, and only use the type which I can remember for the main password and then use randomly generated passwords for everything else. So a password manager, for the people who don't know it, is a program in which you can store all your passwords and then encrypt them when you're not, when you don't have it open, so it's secure. You of course need a password to get into your password manager, because else there will be no security.

Um, tip seven is to have fake answers. So for example, you know those websites that ask for security questions, just in case you lose access to your email and you don't have your password, like, you've seen, for example, "What's the name of your first pet?" The only issue would be that if you, if your first pet was named Charlie and you have a Facebook page saying "come home Charlie", then it's not quite hard to, then it's not quite that hard to guess your, like, your third dog name with Charlie. And then they can just get access to your account.
So what I would just do is select "what's my mother's birthplace" and then I say in, in, in a teepee in the middle of nowhere in Afghanistan, and then save that inside of a password manager, so that nobody can dox me and find out the answer to my security questions, because they're random then.

And tip eight of eight is to enable two-factor authentication. So, you know how when you use mobile banking apps it will always send you another message to your mobile phone with a time code you need to enter, because else it will be insecure. So that's to make sure that when a hacker gets your password, he cannot access your account, because they still need that extra code. And you can do that on more things than you think, because you can also use it on Steam, I think Twitter has one too, for Apple, of course banking; a lot of things have two-factor authentication.

So, yeah, that's my talk. Are there any questions?

I suggest schools, when the challenge comes towards you, don't block it out, but accept it, because it's not, it's very rare to find such talents inside of your school, and that they're willing to help you, because of course we're kids, we, we can also use it for bad purposes. So it really depends if you're using it, if you're using it well or not. Of course, I recommend them to download responsible disclosure guidelines and then put them on their site so that even when you go, when you don't go to the teacher, to the headmaster, anything, you still see that this school is open to responsible disclosure deals and, like, how they still do that. So, yeah.

Presentation, you mentioned that when you have a, when you found a bug, you also have to announce the impact and also a fix. Yes. It ever happened that you didn't know the fix right away.
So you knew that there was a bug for a while and that you couldn't do anything yet?

No, not quite. Most, most of the things I found were quite obvious things and they were quite easy to fix, so...

What would you do?

Well, most things that are vulnerable usually already have fixes to them, but if not, I'd, if I can't come up with one, I'd first Google around a bit and see if I can think of anything creatively. And yeah, if I really, really can't think of anything, I just... whoops, damn it. I just report it to whatever instance you're working for and say, I can't think of a fix, have your IT guys work at it.

Anybody else? Do what? Yes, I'm right here, well, because, yeah, I...

Yeah, sure. So he asked, if I was in his class, is there anything I could, he could do to, to motivate me or help me with school, or anything he necessarily shouldn't do. Quite an interesting question, haven't talked about that before. Do you mean like me or like a hacker in general or programmers or what? Well, for me it all started out with school, when I was in my class and I was usually finished with everything, like, half a year before the rest of school, the rest of the class was. So what he did was he invited me to, he invited me to do a computer club that he set up himself, where
where he would teach other people programming. However, I also already knew that, so he gave me, he then gave me a PC with Linux on it, said I could wipe it and do whatever I want with it. So I put, got a Linux on that PC and that's where it all started.

Well, I think that if, like, if there's a huge problem that many people can use and they don't fix it, well, first of all, I'll be there that, because if it's very likely that people will use it, people eventually will use it and then they're with the problems. But, yeah, I would, I just wait. I haven't had that happen to me yet, but what I do is I, I'd clearly communicate to them that, hey, I found this. If you're not gonna fix it, I'm gonna give you a certain amount of time, so maybe a few weeks or a few months or maybe a year or whatever. If you haven't fixed it by then, I'm just gonna release it to the public. Like, just give them a warning and tell that you will do it eventually.

Well, I personally, I've had a very hard influence from, of course, you, because you work as a white hacker, but I've also read Helping Hackers from Chris van 't Hof. Cross promo. But yeah, that also really helped me with, yeah, knowing about responsible disclosure, staying on the good side.

First of all, I think your school is very, very dumb. Yeah, I mean, like, if you can access tests and the answers, like, why we cannot fix that? That's, like, one of the most important things. But second of all, I would send multiple emails to the school. I would not use it, because if you can access something you're not supposed to access, using it, that would still be, that'd still be breaking the law. But I just keep on sending emails until I notice it, and, well, if they don't, you know, send an email like after a few weeks, maybe, maybe half a year, like, hey, you haven't done anything about it, I'm gonna give you this much time and then I'm gonna disclose it to the public. So if I, you, I don't have a fix by then, that's, something like that.
Um, well, yeah, I just go to the newspaper and say, hey, I've, I've hacked this company or whatever and there's an error, and then don't disclose whatever it is, because then of course people could use it, and say they haven't fixed it yet, and see what the newspaper does with it.

Okay, thank you.