Decrypt this code! (+high school computer security)

  • (Skip to bottom for challenge)

    Schools always seem to be places where IT is incompetent and things never work as well as they're supposed to. I just finished high school, and also have come from one of the worst computer security systems I've seen over the years. Here's how their security worked: everything was locked down. That is, no right clicking on the desktop or the taskbar, minimal start menu, no browsing the C: drive (not even through shortcut), no storing EXEs, Word, Excel, PowerPoint, scripts, etc. on the student drive... you get the idea. Unless you mess with computers frequently, the best you can do is use Chrome and run a few school-approved apps. Of course, you could plug in a USB drive on the few computers that had unlocked cabinets.

    I did some research on what the various lockdown techniques were, and how they were applied. Turns out most of them were policies, and a number of them are defined as registry keys in HKCU. Now that made things easier, because the user has access to HKCU all the time. I wrote a quick AutoIt script to delete the policies, and presto! the computer was more or less unlocked. Now, that had to be run from a USB stick, and you can't plug one into every computer. So the next year, I decided to write some sort of script that wasn't blocked so I could run it quickly from the student drive. Turns out, out of all the script types that were blocked, HTA was not. Not sure what those IT people were thinking, but HTA is a nice vector for VBA and JavaScript code. So for the first month, I wrote an HTA script (completely at school, BTW), tested, made sure it worked, and stuck it inside my student share. For good measure, I obfuscated the code (which you will be decrypting). It's not tough obfuscation, and will take all of 5 minutes to reverse it, but I wagered that the IT people are too stupid to figure it out.

    So, some exploration reveals a nice WTF. Apparently everyone is an admin on the computers. That means once the lockdown is removed, users can install/remove software, write to anywhere on the hard drive, change any registry keys, and all that good stuff. This is security by obscurity at its best. I took advantage by installing Visual C# on the few computers I regularly use so I can write random programs. To get by the file extension restrictions on the student share, I made a TrueCrypt container there and installed TrueCrypt whenever I needed it. Cleanup is easy (just delete the container), and if there was anything incriminating they wouldn't know about it.

    Here's another WTF from the same school: they have a Google Apps site (Google Apps was a side effect of "cost cutting" switching from Microsoft Office, and it really sucked for most of the time it was there; the techs hid Office... by deleting their shortcuts) that had a whole bunch of IT info regarding the school. Although it was internal, it was accessible by anyone within the school division. That means not only techs, but all students, even those from different schools, can access it. There were calendars with what they plan on doing in the summer, usage diagrams for lab bookings, and some server hardware info. But the most interesting was the hardware database, which listed all the computers in the school, all monitors, printers, and peripherals, and repair records dating back to the late 90's. Amazingly, they also stored student accommodation info (for those who requested the use of computers for midterms), complete with name, teacher, course, and what room they were in. Some security by these people.

    (Tip: if you want to prevent Faronics Insight from spying on you, get a third-party task manager, pause Student.exe, use services.msc to disable its service, and then kill the process. It'll try to restart, but fail every time. Some teachers don't know better that you've dropped off the radar.)

    Other WTFs from previous schools:
    -My elementary/junior high school had user folders set up in a common folder on their server. They were hidden using some Windows naming convention involving '$'. Of course, they failed to secure the folders, and as long as you knew someone else's login name, you can do whatever you want to their files.
    -In grade 2 I asked my computer teacher why the lab Macs were so slow. She replied that the computers probably had viruses or something, whatever. (The same teacher also taught music, and had the class give me a round of applause when I showed her how to use the Repeat button.)

    So, the decrypt this code challenge:

    This link is to the "release" version of my lockdown remover. It's obfuscated. Your task is to deobfuscate it back to the original code. You can do it with such accuracy that I am supplying the MD5 and size of the source. First person to get it right gets one of my random programming projects (TBD). Upload it somewhere so I can check.

    Release file:

    Source MD5: dfc6b72a58968c65f17c811c1f2a08a2

    Source length: 2153 bytes

  • @GMMan said:

    First person to get it right gets one of my random programming projects (TBD).

    If I win I have to maintain your buggy-ass code?

  • Maybe. I haven't thought of what I'd give out yet. What, you want money? A joke? Technical documents?

  • Too much work. Would rather just do a programming project by myself with the work, then I know exactly what kind of quality I'm getting.

    Seriously, this is the sidebar. It's where people slack off, not where they post challenges ;)

  • I hope reading that much text was relaxing.

  • Not bad. That is the code, but it's not the original file. Add in the HTML bits and verify your MD5. Meanwhile, I'll dig through my archives and see what I can come up with.

  • This is what I got after using an online decoder

        <HTML>
        <HEAD>
        <TITLE>Freedom Deliverer</TITLE>
        <HTA:APPLICATION ID="oFreedomD">
        <SCRIPT Language="VBScript.Encode">
        '**Start Encode**
        Sub onLoad()
            window.ResizeTo 150,80

            const HKEY_CURRENT_USER = &H80000001
            strComputer = "."
            Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

            ' Delete Policies registry key
            strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Policies"
            DeleteSubkeys HKEY_CURRENT_USER, strKeyPath, objReg

            ' Remove IE restrictions
            strKeyPath = "Software\Policies\Microsoft\Internet Explorer"
            DeleteSubkeys HKEY_CURRENT_USER, strKeyPath, objReg
            ' Enable Command Prompt
            objReg.SetDWORDValue HKEY_CURRENT_USER, "Software\Policies\Microsoft\Windows\System", "DisableCMD", 0

            ' Kill Explorer.exe
            Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
            Set colProcessList = objWMIService.ExecQuery _
                ("Select * from Win32_Process Where Name = 'explorer.exe'")
            For Each objProcess in colProcessList
                objProcess.Terminate()
            Next

            ' Launch Explorer.exe
            Set objShell = CreateObject("Wscript.Shell")
            objShell.Run "explorer.exe"
            Set objShell = Nothing

            document.parentWindow.setTimeout "CloseMe()", 3000
        End Sub

        ' Recursively delete registry keys
        Sub DeleteSubkeys(HKEY_CURRENT_USER, strKeyPath, objRegistry)
            objRegistry.EnumKey HKEY_CURRENT_USER, strKeyPath, arrSubkeys

            If IsArray(arrSubkeys) Then
                For Each strSubkey In arrSubkeys
                    DeleteSubkeys HKEY_CURRENT_USER, strKeyPath & "\" & strSubkey, objRegistry
                Next
            End If

            objRegistry.DeleteKey HKEY_CURRENT_USER, strKeyPath
        End Sub

        ' Close the window
        Sub CloseMe()
            window.close
        End Sub
        </SCRIPT>
        </HEAD>
        <body onLoad="onLoad()">
        Freedom delivered!
        </body>
        </HTML>

  • Removing the 'start encode' comment and adding a type="text/vbscript" attribute to the script tag got it to the exact same length (2153), but I don't see how we'll ever get the exact md5sum when there's so many opportunities for changes in case of letters.


  • To me, the scary part is that on my fully-patched Win 7 install with Avast and Windows Defender, the part that kills Windows Explorer still works without so much as a shield prompt.

  • @DaveK said:

    Removing the 'start encode' comment and adding a type="text/vbscript" attribute to the script tag got it to the exact same length (2153), but I don't see how we'll ever get the exact md5sum when there's so many opportunities for changes in case of letters.


    If you remove ".Encode" off of "VBScript.Encode", you'll have the right file. The script encoder retains the exact same code down to the indentation, so the code that's reversed should be identical to the source.

    Anyway, here's the prize. It's not my code, but something I pulled out of an HP laptop. It will loop the HP logo over and over again until you press Alt-F4 (I bet in the first time setup they just kill the app). It also only works on DirectX 10+ (relies on Direct2D). You can swap out the images with your own, if you'd like.

  • @Seahen said:

    To me, the scary part is that on my fully-patched Win 7 install with Avast and Windows Defender, the part that kills Windows Explorer still works without so much as a shield prompt.

    Windows Explorer is just another unprivileged process running with your own user account's security token. Why would you expect it to have UAC protection against being killed and restarted?

  • @flabdablet said:

    @Seahen said:
    To me, the scary part is that on my fully-patched Win 7 install with Avast and Windows Defender, the part that kills Windows Explorer still works without so much as a shield prompt.

    Windows Explorer is just another unprivileged process running with your own user account's security token. Why would you expect it to have UAC protection against being killed and restarted?

    I'd expect a browser to not let random websites close my desktop. Is that too much to ask?

  • @GMMan said:

    Here's how their security worked: everything was locked down. That is, no right clicking on the desktop or the taskbar, minimal start menu, no browsing the C: drive (not even through shortcut), no storing EXEs, Word, Excel, PowerPoint, scripts, etc. on the student drive... you get the idea.

    I'm a primary school netadmin. At my site, staff user accounts get local admin rights, student accounts get normal user rights. I don't use any of the idiot Group Policy "lockdown" features, for the exact reason you document at length - they're basically just irritants, and all they do is create the social conditions for a war between the IT department and any user with sufficient IT aptitude to find the rather trivial workarounds.

    Personally, I'd rather that users with that kind of aptitude are on my side so that I can learn from them and make use of their roaming eyeballs to alert me to user problems I might not otherwise find out about. Because IT aptitude is relatively rare, it usually costs very very little to set them up with the extra resources they need to make them happy and comfortable. And when they do the usual teenage thing of thinking their skillz are more 1337 than they actually are and breaking something as a result, I can enlist their willing help in getting it fixed and we both learn something.

    Most kids are not arseholes except to people whose default position is to treat them as such.

  • @Seahen said:

    To me, the scary part is that on my fully-patched Win 7 install with Avast and Windows Defender, the part that kills Windows Explorer still works without so much as a shield prompt.

    Actually, the really interesting part is it uses WinMgmt to get the process list. I haven't checked exactly what you can do with it and under non-admin conditions, but if you can do everything it would definitely be a security hole.

  • @flabdablet said:

    @GMMan said:
    Here's how their security worked: everything was locked down. That is, no right clicking on the desktop or the taskbar, minimal start menu, no browsing the C: drive (not even through shortcut), no storing EXEs, Word, Excel, PowerPoint, scripts, etc. on the student drive... you get the idea.

    I'm a primary school netadmin. At my site, staff user accounts get local admin rights, student accounts get normal user rights. I don't use any of the idiot Group Policy "lockdown" features, for the exact reason you document at length - they're basically just irritants, and all they do is create the social conditions for a war between the IT department and any user with sufficient IT aptitude to find the rather trivial workarounds.

    Personally, I'd rather that users with that kind of aptitude are on my side so that I can learn from them and make use of their roaming eyeballs to alert me to user problems I might not otherwise find out about. Because IT aptitude is relatively rare, it usually costs very very little to set them up with the extra resources they need to make them happy and comfortable. And when they do the usual teenage thing of thinking their skillz are more 1337 than they actually are and breaking something as a result, I can enlist their willing help in getting it fixed and we both learn something.

    Most kids are not arseholes except to people whose default position is to treat them as such.


    Oh, I see you are not trainning them for their future jobs.


  • Had to join and comment on this one...definitely a creative way of getting access :) Never would've thought to use an HTA application. Of course, the absolute incompetence of the school's IT made that possible (not even bothering to use restricted user accounts for students? WTF). The TrueCrypt idea was interesting. A security application used to beat...unwanted security.

    I had a creative way of doing it at my high school, but since they got the security (mostly) right, my solution ended up involving modded network gear, linux, and BartPE:

    The challenge faced: No admin access, Deep Freeze on most systems, and all the typical restrictions (no regedit, no cmd, no task manager, no browsing C:, no control panel, etc). Physical security was tight (locked boxes, so no USB devices or CDs), but the power and network cables were exposed at the wall jacks.

    Solution? I had seen IT use PXE for reimaging so I knew it was enabled, and I could get to the network cable. Nothing was stopping me from providing my own boot server. Since all I needed were DHCP and TFTP, I put custom firmware on a Linksys WRT54G...I had one already, and it fit in my backpack, had a network adapter, and ran linux. I removed the antennas and added a battery to eliminate the wall wart.

    The router served a small linux image to the PC, which contained just enough to download a BartPE ISO over the internet and chainload it. The PE had software (written in AutoIt, VBScript, and batch) to create a new account, grant rights, thaw Deep Freeze, and unlock the UI on the AV/HIPS software they used. Another script let me undo it all. After it ran, I'd log in using a new account "aty" that had full access and a password I knew.

    It took me a month to get this together (someone else had to do the Linux stuff, I did the PE work), and it worked for 1.5 years until a friend found a far better solution (another story entirely, if anyone's interested, I'll share). The router is still around, but it's now sitting next to my PC doing...routing.

  • @flabdablet said:

    I'm a primary school netadmin. At my site, staff user accounts get local admin rights, student accounts get normal user rights. I don't use any of the idiot Group Policy "lockdown" features, for the exact reason you document at length - they're basically just irritants, and all they do is create the social conditions for a war between the IT department and any user with sufficient IT aptitude to find the rather trivial workarounds.

    Personally, I'd rather that users with that kind of aptitude are on my side so that I can learn from them and make use of their roaming eyeballs to alert me to user problems I might not otherwise find out about. Because IT aptitude is relatively rare, it usually costs very very little to set them up with the extra resources they need to make them happy and comfortable. And when they do the usual teenage thing of thinking their skillz are more 1337 than they actually are and breaking something as a result, I can enlist their willing help in getting it fixed and we both learn something.

    Most kids are not arseholes except to people whose default position is to treat them as such.


  • @flabdablet said:

    I'm a primary school netadmin.

    @Mcoder said:

    Oh, I see you are not trainning them for their future jobs.

    Correct - trainning isn't a responsibility of a netadmin.

    @flabdablet said:

    Most kids are not arseholes except to people whose default position is to treat them as such.

    +1 here also. You can't change other people, but you can change your attitude towards them, and that - in turn - may shape their attitude towards you.


  • @Seahen said:

    To me, the scary part is that on my fully-patched Win 7 install with Avast and Windows Defender, the part that kills Windows Explorer still works without so much as a shield prompt.


    Not that scary I think. HTA files are treated as local applications, not as websites IIRC. So if you can write an application that kills explorer there's no reason why an HTA shouldn't be able to do it. At least if it's treated the same way when it comes to starting it.

  • @Ben L. said:

    I'd expect a browser to not let random websites close my desktop. Is that too much to ask?

    HTA doesn't rely on the browser, unless my memory is even older and wonkier than I thought. Isn't it a Windows Scripting Host thing?

  • @flabdablet said:

    I'm a primary school netadmin. At my site, staff user accounts get local admin rights, student accounts get normal user rights. I don't use any of the idiot Group Policy "lockdown" features, for the exact reason you document at length - they're basically just irritants, and all they do is create the social conditions for a war between the IT department and any user with sufficient IT aptitude to find the rather trivial workarounds.

    That's not quite how it works. Per-user policies do live inside HKCU, but they're write-protected. So yes, there are sections of HKCU that are not writeable by the owning user. When I read the OP, I was confused until he revealed that all the students were local admins. That was the real WTF. There's no sense wasting time setting ANY restrictions if you simultaneously give the users carte blanche permissions to wipe them! School IT for me was a similar level of incompetence.

    (This reminds me of a company where a number of PCs had various Registry keys locked down to a particular user, so much so that Automatic Updates would fail to install IE 8 (it needed to write to these keys), and applying a service pack would cause massive damage to the system. The keys were not even readable to anyone but SYSTEM and that single staff member who'd long since left: Windows permits you to ban administrators from accessing data, and breaking back in is messy in Regedit as you can't propagate access overrides, not in XP anyway, so you have to override each level of the tree one by one by one. I doubt I'll ever figure out how she managed to screw up the machines so badly; she was only a designer, not a technician.)
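
    A read-only audit a school admin could run to see whether a student account is in the position the previous post describes. This is an added example, not code from any post in this thread; it assumes PowerShell 3 or later on Windows, checks local Administrators membership from the token's group SIDs, and tries to open the same HKCU policy keys the thread's HTA targets with write access, without modifying them.

```powershell
# Added example (not from the thread): audit whether the current account could
# remove the per-user lockdown the way the HTA in this thread does.
# Two things decide that: membership of the local Administrators group, and
# write access on the HKCU policy keys. Every check here is read-only.

# Keys the thread's script deletes or rewrites (taken from the posted code).
$PolicyKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Policies',
    'Software\Policies\Microsoft\Internet Explorer',
    'Software\Policies\Microsoft\Windows\System'
)

function Test-LocalAdminMembership {
    # Inspect the token's group SIDs rather than IsInRole: under UAC a
    # non-elevated admin token carries BUILTIN\Administrators as deny-only, so
    # IsInRole reports $false even though the account really is an admin.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    return [bool]($id.Groups -contains $adminSid)
}

function Test-HkcuKeyWritable {
    param([Parameter(Mandatory)][string]$SubKey)
    # Ask for a writable handle. A SecurityException means the ACL on the key
    # stops this user from editing it (the write-protection the post refers to).
    try {
        $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return 'absent' }      # no policy stored here
        $key.Close()
        return 'writable'                           # user can delete/rewrite it
    } catch [System.Security.SecurityException] {
        return 'protected'
    }
}

function Get-LockdownAudit {
    $keyResults = foreach ($k in $PolicyKeys) {
        [pscustomobject]@{ Key = "HKCU\$k"; Access = Test-HkcuKeyWritable -SubKey $k }
    }
    $isAdmin = Test-LocalAdminMembership
    [pscustomobject]@{
        User          = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        LocalAdmin    = $isAdmin
        PolicyKeys    = $keyResults
        # The thread's conclusion as one flag: per-user restrictions only hold
        # when the user is neither a local admin nor able to write the keys.
        LockdownHolds = (-not $isAdmin) -and (-not ($keyResults.Access -contains 'writable'))
    }
}

$audit = Get-LockdownAudit
$audit | Format-List User, LocalAdmin, LockdownHolds
$audit.PolicyKeys | Format-Table -AutoSize
```

    Run it in the student account's own session; a LocalAdmin of True or any key reported as writable means the Group Policy lockdown is cosmetic for that user.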

  • Ah, this brings back memories! Your school's IT guys sound slightly more competent than they were at my high school though. During my senior year, they installed some remote management tool (I forget the name) on every workstation in the school, including the ones used by faculty, and even their own computers. I knew this because for one, it would set up a tray icon which told you the name of the program, plus from time to time they would use it to mess with me (take control of my mouse/keyboard, overlay a blank white image over the whole screen, etc.). Well, I looked up the program they were using, and it turned out it had a 30 day free trial period without limitations. I just downloaded the client side, stuck it on a flash drive, and gave it a try.

    Time for TRWTF: they never set up a password for ANY of the workstations! I was in kind of tight with the IT team, so at the time I didn't think it was too crazy that they were messing with a student, but it still rubbed me the wrong way. If they hadn't done any of that crap, I probably would have just told them about the huge security hole they had. Instead, I had quite a fun senior year!

  • @GMMan said:

    First person to get it right gets one of my random programming projects (TBD).

    Will that also be malware that compromises security on any computer it's run on?

  • Breaking security software at high schools is normally not that hard. They always try implement it in the most bazaar sort of ways. My high school had pathetic Internet security; it could easily be bypassed by going to .uk or other country extensions for popular websites. They also did not block proxy websites, so you could always use a proxy site to get a webpage. My high school also used some pretty interesting software to protect the computers. It prevented the computer from saving changes to the hard drive. Because of this, they gave students a pretty nice level of privileges; we could even install whatever we wanted. However, as soon as you logged off or rebooted, all changes were lost. This was great for us computer geeks, since we could fubar computers in very creative ways and one quick reboot and the machines were back to normal.

    Ah good times...

  • I was able to circumvent Novell lockdowns on Windows 98 and launch minesweeper with an Office VBScript macro.

    Lost my computer privileges after I brought it to Mr. Jay's attention. Didn't tell anyone or try to abuse it. I didn't really care about it, and merely suggested he remove VBScript components from the Office installs.

    I learned in high school to keep my mouth shut and never report a security hole to another admin. This guy had some serious personal insecurity issues, though.

  • Our school used Mac Classics on Appletalk. I found out the security let you do anything with a file in the trash can. So you just kept your video games in the trash can and only brought them out when you actually wanted to play, then "threw them away" when done. The security system would never catch on that they were there. And to copy games off the computer onto your disk, you just put them in the trash and copied directly from there to the disk.

  • @Anketam said:

    They always try implement it in the most bazaar sort of ways.

    So, what, they would sell the students login credentials or something? Maybe along with a persian rug? That's a pretty bizarre way of doing security!

  • My high school had very little network security at first, which was fine because the average student didn't know enough to work around it. This was in the early-to-mid 2000's however we still had a decent number of 486's with Windows 95 in use. Newer systems were Athlon64's running Windows XP. All security came from some kind of NetWare setup. (Also keep in mind my school had less than 300 students for K-12, we were from several small towns in a very rural area.)

    Things changed when my friends and I would get bored and start poking around. Thankfully we were well-respected and liked, and the admin preferred that we find these things so he could fix them than have some kids with actual malicious intent discover them first. But in all honesty, the security was just the illusion of a locked door. That was enough to keep everyone but us out. No one else cared.

    I imagine things are somewhat different these days considering just how many more gadgets are in circulation compared to then. Also, YouTube tutorials. Those didn't exist at the time either.

  • I guess I had a good computer teacher, then. He challenged the tech-savvy among us to bypass the security for 20 bonus points. (Not that any of the tech-savvy needed them.) I won the challenge, but I swore I wouldn't reveal how.

    I will, however, give a hint on how I figured it out: it involved looking up the software's name on Google!

    Sadly, he only gave me 15 bonus points since all I did was look up known vulnerabilities. I think he learned more from that than I did, though. The following year, security was much much more difficult to bypass.

  • I was homeschooled, so I'm going to talk about colleges.

    Of the two I have experience with, one was just a by-the-book Windows domain. Each student has a user account and stored their data in a roaming profile. Boring.

    The second one is much more curious. There are no individual user accounts, just a few variations of "student". The big thing that's noticed is a message placed on the stock wallpaper: "All data saved on this computer will be erased every restart!" It means it, too. Every time, the user data folders only contain a few "token" entries (like a stock Visual Studio projects folder), and settings in each application all revert to a specific group of settings. I'm not sure if the machines are being reimaged daily or not, but it's a possibility. Students are told to use USB keys to store their data because otherwise it would be lost.

  • @MiffTheFox said:

    Filed under: It's a piece of cake to have a safe network / when the way is hazy / you gotta do the admin by the book / you know you can't be lazy

    If you use some cheap security,

    the LAN will turn out crazy

    But if you do the admin by the book

    AAAANOOOOO THANKS FOR GETTING THAT STUCK IN MY HEAD I was sober and clean for nearly a year now and NOW IT'S BACK AAAAARRG

  • @MiffTheFox said:

    The second one is much more curious. There are no individual user accounts, just a few variations of "student". The big thing that's noticed is a message placed on the stock wallpaper: "All data saved on this computer will be erased every restart!" It means it, too. Every time, the user data folders only contain a few "token" entries (like a stock Visual Studio projects folder), and settings in each application all revert to a specific group of settings. I'm not sure if the machines are being reimaged daily or not, but it's a possibility. Students are told to use USB keys to store their data because otherwise it would be lost.

    Sounds like Deep Freeze or one of its many competitors. Any changes you make end up in a temporary cache of changes (usually kept as a file at the end of the disk, but I've seen it stored in RAM). The program makes that cache appear as if it were part of the file system, so Windows sees the changes as normal. At reboot, the cache of changes is discarded.


  • All this discussion reminds me of back in the day when computers in a store had a demo mode, but also had the floppy drive accessible; all one had to do to gain access was insert a boot disk and reboot the computer. I remember at the local Walmart you didn't even need to remember to bring a disk with you, since you could usually find one in one of the drives ^^

    It was actually quite easy to spot; just look for the computer that was running the program:


    20 GOTO 10

    and take out the disk.

    * yes it was always in caps and always the same 2 line basic program.

  • C'mon,
    You want an exact MD5 hash? A stray bit of whitespace or using the wrong line ending convention will fuck that up. I've not attempted your challenge (yeah, kids like you do get jobs some day), but still I've gotta salute your endeavours. I mean, if it was me, I would have probably opted for SQLI on an intranet site, which would no doubt be running as the domain admin, but hey, I'm not as creative as you.
    I've gotta say my University did it right. They had a highly technical user base, and they didn't deny it. Nothing was locked down, but if you fucked shit up and got caught, the penalty was that you were kicked out of the program. It was a good deterrent against anything serious, but there was still fun to be had ;)

  • @Seahen said:

    To me, the scary part is that on my fully-patched Win 7 install with Avast and Windows Defender, the part that kills Windows Explorer still works without so much as a shield prompt.

    If you ran the script, then it is running as 'you'... and you can probably kill the explorer process if you want. Why is it surprising that the programmatic interface lets you do the same? Since I haven't read the script, I will admit I might be talking out my arse, but if it doesn't do a taskkill, then it may use one of the several hundred known ways to make the explorer process crash. I haven't coded for windows in about two years, but last time I did, I found the UAC feature to be pretty trivial to bypass (even in a "locked down enterprise environment", where it was meant to require a domain admin to perform any elevated task). At PDC-09 (the last MS event I attended) I saw Mark Russinovich give a great talk which touched on UAC (and the philosophy behind it, along with its limitations), which included a great demo exposing its weaknesses.

    My reasons for bypassing it weren't however malicious; I worked for an ISV whose management wanted things to "just work", so my team made them "work". The fact that there is even a programmatic interface to add an exception to the windows firewall is a WTF, the fact that you can do so whilst running as any user with write access to HKCU is just a joke. The fact that on a 64 bit install (up to XP-SP3 that I know of), you can even do it from a process running as a network service is farcical. Don't trust the little shield. It lies to you.

  • My high school got its first Apple ][+ the last year I was there, so IT security wasn't really a thing.

    Technical college had a FACOM M160F mainframe that they were very proud of because it had cost a huge amount of money. There were assorted annoying restrictions on the type and quantity of files that first year engineering students were allowed to store inside their own user accounts; lots of stuff got purged every Friday. This was mainly because first year engineering students were supposed to do most of our work using coding forms and punch cards instead of clogging up the terminal rooms.

    My friend figured out that the punch card queue was processed by a user account called TMP that had full admin rights. Fun ensued.

  • Ugh, Now I recall... Typing class had 386's with color monitors, Computer programming class had 286's with a mix of amber/green monitors...

    There was a machine in the offices the teachers used to access the district grading system, no ports or drives accessible, just the keyboard and monitor. While it was unattended I crashed the application, and used "copy con:" to code a small keylogger, which then logged the next teacher's password...

    However, I knew I stood out well enough in school that I couldn't change anyone grades, I would have been the only obvious suspect.
