jbman223
Reminds me of a passion project I started in high school that went completely viral and took on a life of its own. Wrote a small script for my friends to check their AP scores a few days early. Required high schoolers giving clear text access to their entire CollegeBoard account so I could log on and scrape their scores. Somehow it got posted to Reddit and from that year on, grew wildly. Got to almost 2 million students checking their score in its peak year. It was immensely fun while it lasted (ran for about 7 years) and honestly I miss the thrill of it. CollegeBoard now releases all scores on the same day so the site is pretty much useless now. Definitely always looking to chase the thrill of that score release day again though.

Congrats on a successful end to a fun high school project! Stories like this are always fun to read.

mcv
Epic stuff, and I think this experience may well be more valuable than the homework you avoided. Basically you did harder homework in order to avoid easier homework.

The problem is letting other people use it; of course it's nice to help people, and it's altruistic to do so for free, but some of those people might actually need this homework to learn, and you may have deprived them of that. (Although I also think watching a video and doing some multiple choice questions is the laziest low-effort homework assignment there is, and the damage may not have been all that big.) But you used logic and programming to work around a math problem, which are roughly in the same field, so I think that's fair.

A slightly similar situation: my previous job was at a bank, and banks over here are bound by all sorts of ethics and rules, and are required to regularly train all their employees in balancing the interests of customers, society, and the bank. This bank did that by gamifying it: we had an app where we had to answer all sorts of ethical questions and make sure our score in the app was over 70% at the end of every month.

A coworker used our testing framework to access the app, answer questions randomly like you did, and store the correct answer to use next time. It apparently worked very well, but using tech to avoid ethics questions is quite a different issue than yours. (He shared it with me when he left, and I tried it, but it didn't work for me.)

rcfox
When I was in university, I scraped an internal job postings site for students to find internships. The site was terrible- each job description would load in a pop-up window controlled by Javascript, and loading a second description would override the first. It was also really slow and had limited filtering. My version could load job descriptions in new tabs, presented the table on a single page, and you could mark jobs that you weren't interested in or had already applied to.

The university didn't take kindly to that. They accused me of trying to take down the co-op system and threatened to sue me for copyright infringement. Since I linked into their system for job descriptions, I was able to show that the data I actually had (company, title, location) wasn't creative work and therefore not copyrightable. I also had some friends in the university faculty and staff who spoke up for me, since I had reported security vulnerabilities in the past, indicating that I wasn't acting with malicious intent. In the end, I just had to take a business ethics course, which I probably would have taken anyway.

cercatrova
Awesome story, and good response by Hegarty. It reminds me of something similar (but with an opposite response), where an intern who worked at Replit built a basic repl site (not even a clone) but was threatened by the CEO that he'd be sued.

https://news.ycombinator.com/item?id=27424195

mynegation
Everyone has to start somewhere. These young lads “worked around” couple of educational platforms. 35 years ago I was hex dumping ZX Spectrum game saves and disassembling the program files to get more lives, infinite lives or just more ammo or whatever. That seemed easier and more interesting than getting good at games themselves.

I sometimes wonder if that kind of “not approved” intellectual curiosity can be used to augment education. Sort of like having old school alarm clocks that are designed to be disassembled.

drKarl
Years ago I was working at a multinational consultancy, and then they suddenly decided to block most of the internet except for a whitelist. We quickly figured out that the whitelist worked with keywords, and since we were programming in java, java was one of the keywords, so if a url was banned, we could access it by adding ?param=java. As twenty something year old developers, we said, challenge accepted, and we built a GreaseMonkey or TamperMonkey script that when it couldn't load a page it would reload with the param added, and rewrite all the links and img tags to also add the param. Soon after that the system admin guys gave us a proxy config to bypass the whole ban, but it was fun to do it anyway.
de6u99er
Ways back we got a prnalty when we did not do our homework which was called "Zapfen" in German language.

It's basically like this: You get a starting number, have to multiply it with 2, then it's result with 3, then this result with 4, until you multiplied it with 9. After that you had to divide it by 2, then by 3, ... and finally by 9 and end up with the same number you started with. Sometimes even higher than 9.

Since our teachers understood that there are calculators and even kids like me who knew how to write loops in Basic code, they chose the numbers big enough to result in scientific format or overflows, so that at a certain step the precise calculation could not be done any more with a calculator or computer program.

So I wrote a Basic program which did multiplications and divisions the way you would do it manually with strings. From this point on I was only limited by the amount of memory, which wasn't an issue since my Amiga 500 had 1 MB of Ram.

youssefabdelm
Rooting for you guys. If anything this should cause some people to question the very educational structure they've set up. If people are attempting to evade homework it's because it isn't interesting to the student, which hints at a deeper problem that the school/teacher/entire school set-up and structure needs to address. They essentially need to throw out everything they've set up because they're operating it more like a police state/prison "Ooo let's CATCH the cheaters! Let's CATCH the plagiarists! That'll show them!"

Instead of saying "What are we doing that isn't capturing the students interest in these tasks? How can we connect this subject to the students most meaningful, important, and immediate concerns and goals? What concepts from this subject can we teach the student that'll help them achieve those salient goals?"

The creators of these companies seem less concerned with actual long-term meaningful learning and more concerned with playing policemen.

Educational institutions need to be way more student-driven and student-concerned, allowing the student to shape their journey, as opposed to turning out cogs for the system like military training.

Alternatives exist like behavior analysis's programmed instruction, but even that needs a radical upgrade or integration with AI.

madmod
In high school I was trying to make an app to scrape my grading system Skyward and ended up finding a trivial auth bypass that let me see anyones grades. Knew the school would turn me into a villain if I was discovered even though I was on student council and an honor student so I emailed the principal and got a meeting with him. For some unknown reason my poc didn't work in the meeting so during the meeting I found a second auth bypass. They paid me $75 for finding the issue and told me to try to hack the teachers side of the system next. Lots more to the story if anyones interested.
aabbccsmith
Between 2018 and 2020, I wrote a website that cloned the databases of a couple online learning platforms, and used it to skip lots of homework I should have done.

I wrote this at the beginning of the year, but never released it as I was never sure if I was missing details. I realised today there is no point in keeping it hidden, so brushed it up a bit and published it.

Btw, the repo that houses the blog is open source, so feel free to fork or whatever and use it as your own

alexarena
Honestly kind of impressed that the HegartyMaths guy independently found this and then handled it without (explicitly) threatening to sue you.
jviotti
Congrats Alistair and Scott! This is an amazing story that made me remember my high-school days. As the authors, I was into programming from an early age, and high school definitely took the second place :) My grades ended up REALLY suffering when I got my first full-time role at a startup while I was 17 years old (parents approved) and on my last school year. Fast-forward many years and I don't regret a thing. I attended University of Oxford (despite my bad grades!) and I'm doing very well doing what I love.

Wish you both a very, very bright future!

NorwegianDude
Well done, and nice of you guys to take it down too.

I remember having some fun in high school when windows XP was the thing and handing out software at school was done using USB memory sticks. I wrote a small program just to mess with classmates that copyed itself to the machine when the memory stick was inserted and set itself to run at startup. It also copyed itself to any USB storage that was connected to the machine.

The program didn't do anything other than connect to a server so I could add it to a database along with some basic info, just so I could mess with the right person. It was fun when a USB stick was passed around, and I was the first to get it. So I got access to the the laptops of all my classmates and could mess around with them.

The problem was that it spread like wildfire, and in just a couple of weeks there was thousands of machines and it was spreading exponentially, with no way for me to stop it. That's when I realized that it might have been a stupid idea and that I should probably remove any traces of my involvement.

Waterluvian
Given the modern division of labour, people are more often than not an expert at whatever they do for a living.

It makes me think that high school is still too generalized. I think I only got to pick about half my courses and even those had to fit into certain bins. Couldn’t do too many tech courses. Had to have an arts course each year. Stuff like that.

If students have _any_ personal inclination towards any course we should enable them to take it without any bureaucracy. One of the most precious and fleeting resources is when a teen is self-motivated over education.

mikepurvis
Ha. I had a homeroom teacher in grade 8 who would clip out the numerical crossword puzzle (basically like super-Sudoku) from the newspaper and give us a bonus mark if we could complete it by the next morning.

I was the kid who wrote myself a recursive descent solver for it in QuickBasic, of all things.

Sohcahtoa82
Heh...reminds me in my Algebra II class, we were being taught polynomial expansion. I had a TI-89 which would do it automatically with a single function, but that wouldn't show the work, so I wouldn't get credit for it.

So I wrote a program that would show the work.

I asked my teacher if I could use that program on the test, and she said that if I knew the material so well that I could write a program that shows the work, then I'd probably ace the test without it anyways, so I could go ahead and use it on the condition that I did not share the program with any of my friends.

That condition was fine with me. I didn't have any friends. :-(

primitivesuave
This is a really heartwarming tale of having good intentions and assuming it of others. There was a similar situation in my high school days where someone's college path to computer science was taken away for something even less malevolent than described in this post, he ended up becoming a pretty wild startup founder and a defrauder of millions.
lucas_codes
Love it!

In the world of Music Conservatories, practice space is limited and there is a lot of competition to get a room booked. Many places use a niche scheduling product called Asimut specifically tailored to conservatories. Depending on how it is set up, for example, you could book a room 72 hours in advance on a rolling basis - this mean people were always on their phones booking rooms and then extending their booking times.

As you can guess, I wrote a simple python script that lived on a vps and read a schedule and list of my favourite rooms from a text file, would wait until the right time and book/extend for me with my username and password. Never told anyone except my girlfriend, who spent enough time with me to realize I was making bookings without ever looking at my phone!

jrockway
I love the veiled threat to "take a legal approach" in the last email. If I ever take over the world, there will be a law where if you imply that you're investigating litigation, you have to file your case within 24 hours or the ability expires.
charlieyu1
I was a supply teacher. A kid did something similar in early 2010s and he was doing online homeworks for his classmates for about $1 per month. He had about a hundred clients at the peak and he was never caught.
RunSet
Pursuing a programming degree required me to obtain two credit hours of a foreign language. Gotta suck as much cash from the student body as possible I guess.

I took Spanish classes online. One of the common exercises tested your "ear": An audio recording of one or more people talking in Spanish would play, which the student was expected to transcribe. Not translate, just transcribe.

Funny thing- for accessibility purposes, they had to provide a text transcript of the exercise.

auxym
Heh, I started coding (in python) when I was about 15. One of my nerdy interests that motivated it was "historical" crypto (vigenère, etc). But another one of the first things I wrote was a script that would factor quadratic equations for me, in order to do my math homework for me. I really hated that kind of repetitive homework, where every night for weeks on end we'd have 25 equations to factor or whatever, even when I had already "gotten it".

It was pretty dumb, using the exact "algorithms" we were taught to do it by hand. It would even "show the work" so I could transcribe it. In the end, it probably took as much time to input the homework into the program, and then transcribe all the answers, making sure to fake it so it looked like I did the work, as just doing the homework. Not to mention actually writing the program, but that part was really fun. I remember turning on a small night light when I was supposed to be past bed time so I could scribble down algorithms or solutions to bugs on a piece of paper so I could implement them the next day.

If I had been a bit smarter, I might have realized that I could have used a CAS that already existed. Not sure if there were many open-source ones (that could run on windows) back then (2003-2004) though, just looked and sympy was released in 2007.

nibbleshifter
This reminds me of back at university we had to use a platform called "Wiley Plus" for weekly physics homework.

To prevent copying, while the equations needed remained the same, the numbers (inputs to what you had to work out) varied across user sessions.

One lad in the course wrote a website that he updated weekly that mimicked the UI/UX, you would plug in the values WP gave you and it would emit an answer.

The following year I took over maintaining it, and ended up in a spot of bother with the administration.

There was also another homework website that some lectures made us use, which did all the shit client side in JS. You could just inspect element and get the answer.

I honestly still don't get the point of those additional homeworks, on top of assignment and lab report workloads at university. They seemed to only exist to loosely tick a box regarding "continuous assessment".

Relatedly, they also implemented 5% credit for attendance by proxy by making us rent these radio " clickers" from the university, each with a unique ID tied to a student.

During lectures, there would be multiple choice questions asked, where the answer was irrelevant - it was a means of counting attendance.

Naturally by the second month people were delegating their clicker to someone else if they needed to skip a class.

A couple of years later, smartphone apps replaced the clickers, and SDR became affordable, granting the university a near-miss from any radio shenanigans.

petercooper
It's a different era now, but back in my day Altavista had just launched Babelfish and a few of us began using it for our French homework. My friend got "caught" due to the "peculiar" nature of his work, and while they couldn't figure out what was happening, we were all warned quite sternly to stop doing whatever it was we were doing. Lesson learnt: only use Altavista to read French ;-)
pfoof
Reminds me of the times when at my school (2010) there was WLAN but only the teachers had the password. I was nagged by my schoolmates as the most proficient computer nerd and my IT teacher said that if I cracked the wifi password, I would get an A+ from IT classes for all three years.

Backtrack 4, Atom N270, some deauthenticated Windows XP and 13 hour long dictionary attack did NOT do the trick. But what I learned is mine.

rippercushions
Offtopic, but the font in that site drives me up the wall: fixed width with that skinny cursive "f" is like nails on chalkboard.
teeray
I think you passed the take home interview and phone screen for this company.
cortesoft
Using programming to avoid homework has a long and storied history.

One of my very first programs I wrote was a QBASIC program to sort my spelling words in 2nd grade in 1991. I loved the idea of beating the system more than I actually disliked sorting my spelling words. I was quite proud of myself, and it seems to have worked out in the long run.

lloydatkinson
I had a similar-ish experience between 2005-2010 but not as complex. Teachers could control what programs appeared in the start menu of computers in the class as well as see what is on their screen etc. Don't remember the name of the software.

Was incredibly easy to exploit by invoking windows explorer via a Word toolbar of all things. This meant I could browse the start menu shortcuts of every classroom in the school and open whatever application I wanted even if it was disabled by the teacher.

A relative worked in IT at another school using the same software. I showed it to them and they mentioned it to the company who were installing it in their school. The company refused to believe I could exploit it so easily and even said they would buy me an xBox if it was true. Of course, it was true and when shown proof they went silent and I never got an xBox.

photochemsyn
"Cruically, our teachers could see how many times we've watched the video..."

This sounds like it's normalizing invasive surveillance. Getting kids used to the notion that their teachers should be able to monitor their online educational activities... and then, if governments and corporations are tracking all your internet activity, email communications, phone location data - it's just the way things are done! Now have a social credit score, it's like a grade in life...

That said, I wonder if there's a similar approach, some scripts users could run to artificially boost their social credit score (in China, for example). Just something that would run in the background - it could send pithy positive tweets, visit all the government-approved websites, etc. - all with no need for the user to be involved.

wcerfgba
This was so fantastic to read. You are both clearly operating well beyond the expectations our society sets for ~16 year olds. At some point, please could you write about your journeys, what the enablers and barriers were, and what advice you would give to teenagers who want to achieve similar capabilities? I regularly feel like I could have done so much more in my teenage years, but I was never sure of how I needed to shape my environment to push my potential to the max. I hope as a civilisation we can get over this ageist idea that teenagers are 'just kids' who 'don't understand the real world' and we can start to enable all people to pursue their curiosity and ambitions from an early age!
edub
In the early 80's on a TRS-80 Model III, I was in whatever grade you learn to alphabetize words, and I wrote a Basic program to handle the alphabetization. I input the 20 or so words, it output them in order, and then I transcribed that to my homework assignment. My mom said it was cheating and I couldn't use it, and my dad said that if I could write a program to do it then I illustrated that I could alphabetize word lists and it wasn't cheating.

I have a suspicion that I probably found the code in one of my dads computer magazines, so it probably was cheating since I doubt I actually wrote the program from scratch. Maybe partial credit for being resourceful. :)

throwaway74828
I also wrote something similar for my university quizzes using Tampermonkey. I noticed that some of the questions from non-graded quizzes would later appear on graded quizzes. There weren't any IDs that I could use and the wording of the questions would usually change a bit. When taking any quiz, it would search the questions on the page against the database. It would scape the questions, do some cleaning like removing stopwords and symbols, and then do a fuzzy string search against the database. It would give a score to each match and display the top 5 best matches. Worked quite well. I would then spend the rest of the time answering the questions that it could not match.
IndigoIncognito
Really cool, I was also using an exploit with my GCSE Hegarty maths homework and doddle science, I think the 1st "exploit" was pre-GCSE the answers were stored on the client side and I just inspected the code, this got patched after, the next exploit was during my GCSE's, the answers were stored on the server so I made a github repo that used a browser extension which would let you inject JS, I think it was some kind of brute force attack with their SQL DB.

Anyway I received my GCSE results in August, I was surprised how well I did considering I did no revision, but I should've actually used hegarty maths instead of exploiting it :D

thomastay
Wow that's amazing! The best part is that you managed to get their entire database, that must have taken a lot of work. How did that burner account thing work?

My favorite experience with "hacking" in school involves wifi. My school had free wifi, but you had to log in with your student password. Well, the login step involved a GET request in which the password was sent in plain text as a URL parameter... so if you had your friend's laptop, it was a simple matter of looking at his browser history to see his password!

Never did anything with it, but always wondered what someone seriously motivated could have done with it

bgro
Maybe I had a different takeaway from everybody else here about this story. It's hard to focus on anything other than the ending interaction.

To me it sounds like the CEO just started panicking and sent you an email so he wouldn't have to do anything relating to fixing or explaining the problem in sales for all his customers or paying you for your work / to fix it. He probably didn't even want to pay for a lawyer, rather than how he played off being nice.

It sounds like he just got away without having to do anything because he threatened you and sold you a cop-out story "But what about the kids?"

njacobs5074
I worked at Sun Microsystems in the late 90s/early 2000s and at the World Trade Center offices, pretty much everyone had to hot desk.

I was in a group that, unlike our "pure" sales brothers & sisters, spent a lot of time in the office. The whole hot desk was a big PITA because we had to reserve our desks and we could only reserve, I think, 1 week in advance.

But, one of my colleagues figured out that the back-end of the reservation system had an RMI interface and it didn't do any validation of the reservation requests. So he wrote a CLI utility that let us reserve the same offices week after week.

We would've gotten away with it except that the head of sales realized one Monday morning that we always seemed to be sitting in the same place. I guess she made some enquiries because not long after that, we were all called into her office and made to promise that we wouldn't hack the reservation system anymore.

At the bard so famously wrote, "Pride goeth before a fall." :)

unity1001
Homework should not exist in the first place. If any education system is sending children back to their homes with assignments, then it means that system is failing in the classroom already. For that, it is overflowing that responsibility to children's private lives.

What difference does this have from having employees take work back home and work in their private time...

shitcoder
University was my playground for this sort of this sort of thing (because my high school was all paper). One subject used an Online Platform called Wiley which stored the answer in the page, a weekend writing up the script to solve it, fake a realistic completed percentage and take a realistic amount of time to solve. I used a greasemonkey script, just like this post as well!

Countless subjects also distributed questions and answers from Textbooks in a PDF format. One OCR run later and a script to clean text I had a database of questions and answers I could share with my friends to practice for the exam (which helpfully used the exact same questions). https://www.rytek.me/archive/projects/epmquiz-webapp/

I never did flex my cheating like you did haha for fear of the repercussions.

JacobSeated
Very interesting, and love the way Colin Hegarty took it, it's probably never worth to drag kids to court etc.
spicysugar
Still in Uni, I remember the first day, when I got the class wifi credentials, i found out one app i use was blocked. A basic messenger app. Why am I trying to be spooky, it's WhatsApp. Other sites like instagram, Twitter, Snapchat etc were also blocked. I used none of the other blocked sites. I still remember that as soon as I realised it, i installed orbot to tunnel my WhatsApp traffic through tor. It worked as expected. I don't have many people texting me, but when someone does it's usually urgent and not anything spam. So people noticed it and held me as some tech genius who defeated the system, little did they know I just dug the ground and made a tunnel. They still are distracted, sometimes, but it's fine. Atleast for me.
harel
Not exactly the same, but in the late 80s I've written some Amiga Basic (or was it AMOS?) programs to do all the variations of my algebra homework. Maybe that's why I suck at maths today...
znpy
When I was in high school I got a second hand TI86 and started writing code for it… for one of the math-heavy subjects I effectively stopped studying and started writing code instead, on the calculator.

Whenever the teachers would do exercises on the whiteboard I would just do testing of my software, verifying its correctness.

Calculators were allowed, and the teacher kinda encouraged us to get familiar with our calculators (the subject was calculations-heavy) so I didn’t get caught.

Fun times, sometimes I miss TI-basic.

chazeon
This reminds me of when I was in college, they used this platform that randomly gave out questions, and the same platform was used for quizzes. It was one of my first practical programming experiences to scrape all the questions and save them as a text file. Later on, these files were passed around the entire class etc. It is just astonishing to see how these things spread.
moondev
Because this all happens on the front end and the backend accepts the requests - I'm curious if this is exempt from the legal definition of "hacking" aka "accessing a remote system with Ill intent" or however it's defined .

Although I guess that applies to sql injection as well so in theory there was really potential legal trouble here?

tonnoz
awesome work and awesome CEO. I think you guys both learned from each other which is a great zero sum game.
trinovantes
These online learning platforms should also consider drawing on canvas e.g. flutter to make it harder to scrape screen contents

I think they could also just check the isTrusted field in the Event since that can't be overwritten without a custom compiled browser

kazinator
Why would you need to fake whether you watched a video? Just let it play while you do something else. If it still bothers you how long it takes, put it on 2x speed.
tomcam
Half serious here. If they’re so smart why didn’t they know about screenshots? I mean part of their proof was a photograph of a screen, which seems odd to me.
lxe
That ended much better than expected. Good on Hegarty to recognize and reach out to these kids instead of punishing them.
MattDemers
Hilarious. This kid's got a future.
piyh
I wish I was this skilled and focused on a project when I was in high school
2muchcoffeeman
I hope they did their homework even after breaking the platform.
polarlol
sammy2255
landonboles
AriDutilh
wild
phibz
Interesting response from Mr Hegarty. I wonder if they would have gotten the same treatment by a US company?
sr.ht