Comment by mdip

My first thought: Your district had an IT department? I guess that's probably more common now than when I went to HS in the 90s but I'm fairly certain IT duties are still farmed out to a small business for the districts I live near.

Outside of that, though, I've talked to folks who worked in IT at a nearby hospital[0] and knew several who worked in IT at a University a town over and heard variations of your story. After ransomware hit a few hospitals across the country, my hope is that this is less common but I'd be surprised if anything is meaningfully better.

The problem with getting non-technical people to understand the importance of securing things is that they assume that everything provides a basic level of security. They read about hacks/attacks and hear about them on the news but they have probably not experienced one, personally[1]. They apply physical security considerations to the virtual world -- for instance, the keys you use to lock your front door are almost certainly terrible[2] but requiring physical access to the lock makes attacks on them rare. And that's the rub, it's the mistake in thinking that "Nobody cares about my stuff enough to hack me" which is the evidence used to justify the "it's never going to happen to me". It's a failure to understand that even if it were true that an attacker would literally have no use for anything you're protecting with a password (which is absolutely false -- your identity is enough) that another target will be chosen ahead of you[3]. On the internet, every target can be attacked at once, silently, from a distance and targets are chosen based on whether or not the attack succeeds.

In a High School, you can fully expect there's at least one of me in every graduating class. I'm surprised things like this don't happen all the time given how little attention is paid to network security/endpoint security in these places. No amount of threats of expulsion, legal action, etc will serve to help when your attackers are High School students[4]. The same part of their brain that makes them believe they're immortal/causes irresponsible behavior early-on in driving causes them to not understand the real probability that they will face criminal charges which is coupled with them not fully understanding how badly those criminal charges will affect the rest of their lives.

[0] The discussion arose after he had watched Season 1 of Mr. Robot and said "that's exactly how it is here except we have a (technical) staff of two rather than one"

[1] I can't tell you how many extended family members have shared that they still use a single password for every account and in a few cases, that password might as well be a variation of "Password".

[2] I have a close friend who learned how to pick locks as a hobby; he filed me off a bump key and taught me how to use it, whacking it with a branch of a tree; I was able to open my supposedly "extra secure" dead bolt pretty consistently with about 15 minutes of practice, he's picked each of my locks at one time or another.

[3] The old "You can't outrun the bear, but if you and your friend are being chased by the same bear, you only need to outrun your friend".

[4] I used to tell my kids that our High School not only had no doors in the stalls of the mens room, there had never been any doors designed into the plan. The partitions were brick, there were no holes, anywhere, where doors had been removed. I figured this was to make it easier to catch kids smoking but while fixing his PC, I asked the principal about it. His answer was "vandalism" -- students would rip them out. Reallt?! I couldn't imagine this. Fast forward to this year, the doors on the stalls at my kid's HS were ripped out by students during the first week of class. The kids were caught, criminally charged and had to pay for the damage. Their reason? They saw someone do it on TikTok and didn't think they'd get caught (there are 2 dome cameras at the entry to each bathroom!). Despite paying for the damage, the doors are not coming back this year -- I'd wager they'll never come back.