Originally posted to the sidebar by "compaqdrew"...

At my old public high school, the District (maybe even the State) mandated that every class must have a final exam, and it must account for 20% of the student's grade. Of course, this fails to explain how it is even possible to give a final in, say, Vocal Music. The teachers hated it and even the principal sympathized, and thus was born the Exemption System.

I should start with a brief primer of how my school's computerized records worked. A few years before, they discovered that their existing client/server OLE networked grading system was hackable (some fool stole the client off of a public network share and told everyone), and so the District authorized a multi-million dollar expenditure to 'upgrade' the system. The upgrade consisted of constructing a Java web application that was hosted over SSL. There were strong password requirements and MD5 hashing that they undoubtedly borrowed from some other library, and all the other bullet points you need in a multimillion dollar government contract. What everyone failed to realize, however, was that all the SQL commands were being sent to the SQL server in unencrypted plain text over a standard TCP connection.

One of the 'hacker' students must have noticed this on ettercap, or something, because it wasn't long before someone opened a telnet session to and sent "DROP TABLE GRADES." Of course, the SQL server kept no IP logs, and even if it did, there were no logs to tie an IP address to the user logged on at that workstation, and there were several well-known anonymous accounts (more about that in another WTF). The software company characterized the loss of 100% of the grades throughout the entire school of 2500 students as a "server crash" and pushed for more upgrades and more patches that the State paid for. In most cases these 'patches' amounted to introducing new loading screens that said exciting things like "Encrypting access..." and "Enabling cyphertext..." (not kidding). This continued for several weeks, and eventually teachers went back to tracking grades in a physical gradebook, and just re-entering every week after a "crash."

Anyway, this same SQL server and software was used to track absences, and someone had the bright idea of extending it to form the Exemption System. The idea was that if you missed only a couple of classes a semester, you would receive an Exemption Pass that you could use in a single class to skip the final exam. Of course, there was great success duplicating the paper Exemption Passes (attempts to thwart this included deliberately misspelling the name of the high school). Automating this should be easy enough, right? Just write an SQL query that SELECTs all STUDENTS WHERE ABSENCES < 3 and hand them all passes.

There was also a little bit of logic to exclude certain absences (bereavement, jury duty, etc. should not count against you). Unfortunately, there were several absence codes stored in the database that were not really an absence — that is, the software would sometimes store other information (a student's year, or their state-wide test scores) as a "fake" absence code. If you have "J" marked on a day, that might be jury duty, and "B" might be bereavement, but "L" on January 25th means you're a Sophomore. Long story short, many students who should have gotten exemption passes did not. Mass panic.

So half the student body (1200+ students) shows up in the main office on the day exemption passes were handed out at 4:00PM, demanding absence reports (fortunately these were generated in a way that they did not include "fake" absences). The students were to go to one office, get their attendence report printed out, go to another office on the other side of the building and get it checked (and hopefully get an Exemption Pass). Of course, there were only one or two days before the exams, because the administration didn't want the precious Exemption Passes out long enough for students to be able to forge them (it would be easier to forge the Attendence Reports, they looked for all the world like Excel spreadsheets). This means that 1200 students needed their pass TODAY, and the Attendence Office typically had a turnaround time of 24 hours (e.g. you would submit a request for a report and receive it the next day). Somebody discovered that teachers could print out attendence reports for their students, and thus the Attendence Office was saved from printing out 1200 reports, and individual teachers had to print out the reports.

So I got my report printed out by a sympathetic teacher and headed to the Main Office to fight with the powers that be. There were three people dealing with 1200 angry students. I waited in line for a few hours and finally got in to see The Exemption Lady. She was bald and overweight, with curly graying hair. She looked at my Attendence Report and determined that I had more than three absences. The sympathetic teacher had accidentally printed out an Attendence Report for the year, of which this was the second semester, and the Exemption Passes were handed out based on per-semester attendence (not per year). Now this wasn't some type of totals sheet — the Attendence Report had a row for every school day and its date along with the attendence code. So it would be easy to just start counting in January on page two rather than in August on page one. This logic completely escaped her — she counted the absence codes, completely ignoring the dates, and she counted more than three. When I got up from my chair so that I could point to January on the page and the fact that it might make sense to start counting there, she flipped out and threatened to have me suspended for what she perceived to be "agression." I was a white kid with glasses, weighing maybe 160, and she weighed like 220, at least. Anyway, I decided that it might be easier to just get another report.

And so I did, this time making sure the teacher clicked the "Semester only" button. Got back in line, waited a few more hours (it was like 7:00 at this point). Saw the Exemption Lady again, this time with a new report, that started on page two with "January". This was literally the exact same document, except it had 60-70 records less than the last one did. She held the two reports side-by-side and looked slowly to one and then to the other. I was thinking "any minute now, she will see it! One is for a single semester and the other is for the entire year!" After a few minutes of careful scrutiny she held them both up to the light. I don't know what watermark she expected to see; they were both printed out using the school's printers. Finally she said "This is odd. According to this report, you have too many absences, but according to this other one, I can give you a pass." I sat there, dumbfounded, hoping to get away without being hauled out for 'agression'. Finally, she put both reports down, gave me a long lecture about how I much further in life I can get if I'm not 'agressive', and she gave me my pass.

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!