My high school has probably the worst IT department anywhere. First of all, we use Twotrees Shelterbelt for our proxy. It is insanely easy to bypass using UltraSurf, yet it blocks everything worth two shits (including Bing, which is strange considering our entire district is run on MS Windows). A few months ago, as I was exploring our system a little bit, I noticed something... In Active Directory, they appended our school ID numbers to our last names! These ID numbers are supposed to be secret and can be used to access the gradebook, state testing, along with other resources. Best of all, you can buy lunch using someone's cafeteria account by simply using an online barcode generator, plugging in the ID number, printing it out, and scanning it in the lunchroom. So all you do is open a contact search, punch in the display name (which is Last, First), and the ID number pops right up (example: John Doe12345). Kid stuff. And our dumb admin probably thought that only he could access it.