Three days before the rickroll, with most of the setup in place, the group had a breakthrough. When they searched the county network (again), they found EPIC, the Education Paging and Intercom Communications System – the third component of the prank. This controls the hallway and classroom speakers and is used for teacher announcements, fire alarms and end of class bells. It can also play custom audio tracks.
As with the IPTV system, the group attempted to access EPIC using standard usernames and passwords. “It’s not really like a sophisticated attack,” says Duong. “They’re all script kiddies that take default passwords and do random things there.” But the presets didn’t work.
“I HAVE THE PASSWORD FOR THE PPA SYSTEM,” Shapes told the group on April 29. Yes, the default has been changed – to a password example given in the user guide available online. From here, the team discovered another administrator account—the password was password—that could give them access to speakers for the entire district.
The night before Big Rick, the speaker system was set to automatically trigger in the afternoon.
while the big one Rick was always thought of as a high school prank – Duong says other pranks last year consisted of students papering some trees with toilet paper – the hacking was very likely illegal. The students were accessing networks they shouldn’t have — what a lawyer would call “unauthorized access” under the Computer Fraud and Abuse Act. And a malicious hacker could have stolen data, moved through the systems, or used access to try to cause harm. “I totally expected them to turn the police on,” Duong says, adding that things were “pretty scary” for a while.
The four students involved were aware of the risk and were keen to show that they hadn’t accessed the school’s devices for more than one prank. When the Rickroll ended, their script restored the systems to their original state. The only thing they couldn’t do, Duong says, was make sure projectors that were off were turned off again. All in all it was a success.
“The teachers definitely thought it was very funny,” says Duong. one tweeted: “😂😂😂 Very smart seniors!” Duong says the only complaint he heard was that Astley was too loud. “That’s fair because I turn the volume up to the max.” But it wasn’t just the teachers’ reaction that worried the group.
“What really saved us from trouble is the report we sent,” says Duong. Prior to the rickroll, the team wrote a 26-page report that was sent to administrators immediately after the incident, detailing what they had done and providing security suggestions.
The report – Duong shared an edited version with WIRED – says the group had a set of guidelines. It is said that they would not do anything that might affect the safety of others; would try to keep any interruption in learning to a minimum (they chose a Friday towards the end of the semester, right at the end of a lesson); would not access sensitive private information; would not leave systems weaker than they found them; and all decisions would be made together as a group. Her report also explained what school administrators could do to prevent this — like changing all default passwords.