[HN Gopher] IoT hacking and rickrolling my high school district
___________________________________________________________________
IoT hacking and rickrolling my high school district
Author : revicon
Score : 706 points
Date : 2021-10-12 19:38 UTC (3 hours ago)
(HTM) web link (whitehoodhacker.net)
| dmitrygr wrote:
| Many here, I am sure, got in trouble in high school for exposing
| security issues in school IT. So I imagine we're all very happy
| to see a sane response from school administration for once!
| h2odragon wrote:
| Stories of more enlightened school administrators are always
| welcome.
|
| My story: the "second best high school in the state" had an
| AT&T 3b2. They wouldn't let me take any classes that used it
| because they were afraid of what I might do to it (their
| words). I mean, they weren't actually _wrong_ to worry, but it
| didn't really have anything on it.
| dvtrn wrote:
| I got in trouble once in high school just for discovering and
| then using `net send` to send a message to my friend that said
| "Hi from lab 3".
|
| Computer lab access revoked for 6 weeks. Jokes on them, now I
| send socket messages to my friend that says "Hi from Chicago"
| and there's nothing they can do about it.
|
| My friend however keeps begging me to use this thing called
| 'email' because he claims he doesn't see the socket messages.
| flatiron wrote:
| Everyone in my school net send bombed everyone all the time.
| I'm not sure how they didn't figure out how to just turn it
| off.
|
| But I remember you had to do it from a library computer,
| because it said who it sent it from. So you had to do a
| little drive-by walking net send as you walked out of the
| library to not get caught.
| m0ngr31 wrote:
| We would write scripts to essentially make net send DOS
| attacks on different labs.
| uudecoded wrote:
| Sorry you got access revoked. I accidentally did a net send
| (via the GUI) to the whole district domain instead of my
| friend in AP CS that said "Time for break!" right before the
| snack break.
|
| In my next class, the teacher was talking about "Time for
| break" virus going around... :/
|
| This was after the district IT wanted to suspend me for
| setting up a Windows 2000 domain for the yearbook lab, so I
| kept my mouth shut.
| ar_lan wrote:
| There was an excessively annoying kid in my high school and I
| learned to send remote commands to any computer in our lab, so
| I sent a command on loop that continuously opened his disk
| drive (it would automatically re-open after closing), and if he
| was particularly annoying I would shut down his computer.
|
| I never once got in trouble for it - the teacher would ask the
| class, directly looking at me, from time to time to stop it,
| but I never got in trouble.
|
| I imagine he was just using those announcements to get me to
| stop from time to time, but knew this kid deserved it so he
| never did more than that.
| AnIdiotOnTheNet wrote:
| I don't know. I feel like a lot of the people here celebrate
| their former exploits as though they weren't committing the
| computer equivalent of rifling through unlocked desk drawers
| and graffitiing the walls. They seem so surprised that
| overworked and underpaid public servants don't appreciate that.
| tubbs wrote:
| Story time, I guess.
|
| I went to a small private Christian school back in the late
| 200X's, and not the type of private school that had gobs of
| money. For two years, our desktop computers in the computer lab
| and the English classroom ran Ubuntu Linux (presumably because
| Windows licenses were >$0). The only students with Linux
| experience were myself and a friend that I introduced to Linux
| (who is also now an IT professional).
|
| For a month or two we systematically changed the remote desktop
| preferences to automatically accept new connections and not to
| display any messages saying that there is a connection. We
| tried to never sit at the same computer twice so that we could
| "adjust" as many computers as possible and to make a secret map
| of where each computer was by hostname.
|
| If we were in the computer lab and feeling mischievous
| (always), we'd poll around English classroom hostnames to see
| if any were in use, or vice versa. We'd "help" people write
| their papers (very creatively, I might add), speedrun through
| other students' typing lessons, open a terminal and run "telnet
| towel.blinkenlights.nl", or whatever else we could come up
| with.
|
| Well, wouldn't you know it, word gets around this is happening
| and we naturally get called in to the principal's office
| (because who else?). While expecting the worst, we were told
| "we know what you're doing, we don't know how to stop you, but
| we encourage you to stop and use your technical abilities
| productively instead" and were let off without punishment. We
| both came out of it with great respect for the administration
| because they showed us respect we didn't deserve, and we
| stopped.
| thomasfromcdnjs wrote:
| So much attention to detail that I can't help but think that the
| kids parents were helping along the way.
| ajford wrote:
| Maybe, maybe not. The author has graduated from High School,
| meaning they're about to enter college or the workforce. I
| wouldn't be surprised to see this level of detail from someone
| at that level academically. Delighted, yes. Would I expect it
| from everyone? Hell no.
|
| But surprised that a tech-enthusiast and eager learner might
| have put this much thought into this prank and its potential
| consequences, not so much.
|
| Teenagers/young adults tend to have different stressors and
| other things to occupy their time than the average adult in the
| workforce, meaning the author likely gave this prank a fair
| amount of their free time, and that dedication showed through
| in the amount of planning done.
|
| Additionally it's likely, given they mentioned once or twice in
| the article they planned on posting a blog about the prank,
| that they might be hoping to use this on their resume or as a
| talking point in their career. If they're hoping to go into
| security or comp sci, this would be a decent feather in their
| cap and the amount of time spent is easily justified.
| donatj wrote:
| When I was in elementary school in the early 90's, I discovered
| you could use AppleTalk to print to just about any printer in the
| district.
|
| I would print pages and pages of "I AM THE MASS PAPER WASTER!!!"
| to random printers in other buildings. I'm genuinely curious if
| it actually worked.
| castis wrote:
| Free relatively harmless large-scale pen testing! Nice work.
| giantg2 wrote:
| My first thought when I read the headline was "another kid with a
| felony following them around for a prank that didn't harm
| anyone". Nice to see they weren't prosecuted.
| ianhawes wrote:
| Given the amount of press this is receiving and the fact that
| the message the administration sent to them _seemed_ a bit
| suspect, I wouldn't be surprised if the kids did end up
| catching several charges.
| hnwd wrote:
| I'm interested to know how he was able to remotely access
| seemingly any machine in the network, from outside?
| WhiteHoodHacker wrote:
| I had Chrome RDP access on a few machines setup earlier, since
| I could come in-person with my team for security competitions.
| midwestemo wrote:
| Hey I know someone who goes to that school, interesting. He was
| telling me about this incident before
| jcims wrote:
| I've said this a bunch on here so please tell me to stuff it if
| it's tiresome, but having been on the far side of a large scale
| bug bounty I am incredibly impressed with the skills that young
| folks are developing in infosec. Probably not particularly unique
| but the industry is still a bit of a combination of tradecraft
| and academic pursuit and can be confusing for people to find a
| way in. I think this is why I really appreciate those that just
| bear down and get after it.
| datavirtue wrote:
| Quick! Hire them before they can use their powers for the forces
| of good.
| ubermonkey wrote:
| Three things are remarkable about this, and make it a happy
| story.
|
| First, that the pranksters were so egregiously responsible in the
| way they went about it. They avoided disrupting any actual
| educational activities; it was meant to be harmless fun, not
| vandalism. No harm came to anything here.
|
| Second, that they documented their findings to the administration
| as part of the action, including recommendations for
| improvements.
|
| Third, the administration took this as exactly that: a harmless
| prank by smart, ethical kids who ALSO did them a favor by
| pointing out the vulnerabilities. If the admin had a panicked fit
| about this, they could have made it an ugly situation.
|
| My educational experience was populated far more by "freak out
| and yell" types than this school district, which was a shame.
| RubberShoes wrote:
| I went to Buffalo Grove High School in this same district and
| graduated many years ago. At the time no IPTV systems or EPIC
| bell systems were in place. However, as soon as I walked in my
| freshman year I noticed the 'teacher' WiFi was only using MAC
| Address Filtering. One minute scan and a spoof later I was poking
| around to discover a whole lot was visible from this privileged
| network. "...From the results, we found various devices exposed
| on the district network. These included printers, IP phones...
| and even security cameras without any password authentication!"
| It was even worse back then. It was all exposed on wide open
| WiFi!
|
| My senior prank was going to revolve around the printers. We were
| shocked to discover every printer not just in BG but across the
| entire district was accessible with no authentication of any
| kind. We cooked up ideas and were planning to print either porn
| or I has cheezburger/lolcat memes via telnet (I'm dating myself.)
|
| Ultimately I got into other trouble before we could execute and
| figured this wasn't worth not graduating over. I moved on and so
| happy to see a much better prank on this same network happen so
| many years later with almost no repercussions. Congratulations
| and great prank!
| sodality2 wrote:
| I told my district that I could change my race at-will via a
| hidden form on the profile page. I changed it to "Purple". Got a
| call back from some IT guy telling me I accessed their computer
| without authorization, and that if it happened again, they'd
| press charges. I asked to be put through to the IT administrator,
| and he laughed and told me don't worry about it... Sometimes,
| they can handle it well. Very glad they did for you as well :)
| bfirsh wrote:
| Reminds me of my school-leaving prank. I rewrote the whole
| internet on my school's computers. Google's logo became "Leavers
| '08", Facebook became "Hatebook" and was red, YouTube only played
| videos of cats, amongst other things.
|
| These were the days when nothing had SSL, so you could just
| intercept and rewrite traffic!
|
| My only requirement was: _do no actual damage_
|
| It was implemented as a Debian live CD that you could drop into
| any school computer. It would boot up, then Ettercap would MITM
| the whole network by spoofing the router. It routed all HTTP
| traffic via Squid and a custom ICAP server that did the actual
| rewriting. If you removed the live CDs, the network just went
| back to normal within a couple of minutes.
|
| Routing the whole school's network through one old Pentium
| machine wouldn't work though, so I figured out a way of doing
| distributed load balancing: it would do the ARP spoofing slowly
| and randomly. So, as you added more machines, it would just
| magically balance between them.
|
| It worked great for about an hour, then the whole network mysteriously
| stopped working for the rest of the day. I left all the live CDs
| in the computers as a calling card.
|
| Sorry, school network admins.
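The ARP spoofing bfirsh describes (several boxes slowly and randomly claiming the router's IP) leaves a trace a network defender can look for: one IP address advertised with more than one MAC, flapping between them. The following is an added defensive example, not code from the post, from Ettercap or from the linked article; the ARP log lines are constructed, and the gateway IP and its expected MAC are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: tcpdump-style ARP replies as a port monitor might
# record them. The gateway 10.0.0.1 really lives at aa:aa:aa:aa:aa:01;
# two other hosts (bb:... and cc:...) intermittently claim its IP, which
# is the signature of the distributed slow poisoning described above.
SAMPLE_LOG = """\
10:00:01 ARP reply 10.0.0.1 is-at aa:aa:aa:aa:aa:01
10:00:05 ARP reply 10.0.0.23 is-at de:ad:be:ef:00:23
10:00:09 ARP reply 10.0.0.1 is-at bb:bb:bb:bb:bb:02
10:00:14 ARP reply 10.0.0.1 is-at aa:aa:aa:aa:aa:01
10:00:20 ARP reply 10.0.0.1 is-at cc:cc:cc:cc:cc:03
10:00:26 ARP reply 10.0.0.45 is-at de:ad:be:ef:00:45
10:00:31 ARP reply 10.0.0.1 is-at bb:bb:bb:bb:bb:02
"""

# Assumed known-good mapping for the gateway (hypothetical values).
TRUSTED = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}

LINE_RE = re.compile(r"^(\S+) ARP reply (\S+) is-at (\S+)$")


@dataclass
class ArpEvent:
    ts: str
    ip: str
    mac: str


def parse_arp_log(text):
    """Parse 'HH:MM:SS ARP reply <ip> is-at <mac>' lines; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ArpEvent(*m.groups()))
    return events


def find_conflicts(events, trusted=None):
    """Return {ip: sorted MACs} for every IP advertised by more than one MAC.

    'trusted' maps IP -> expected MAC; it is folded into the observed set so
    that a rogue MAC claiming the gateway is flagged even if the real
    gateway never answered during the capture window.
    """
    seen = defaultdict(set)
    for ev in events:
        seen[ev.ip].add(ev.mac)
    for ip, mac in (trusted or {}).items():
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def count_flaps(events):
    """Count MAC changes between consecutive replies for each IP.

    Ordinary hosts produce zero flaps; an IP whose MAC keeps changing is
    being fought over, which is also why the network in the story
    eventually stopped working: every host's cache kept flipping.
    """
    last = {}
    flaps = defaultdict(int)
    for ev in events:
        if ev.ip in last and last[ev.ip] != ev.mac:
            flaps[ev.ip] += 1
        last[ev.ip] = ev.mac
    return dict(flaps)


def report(text, trusted=None):
    """Human-readable summary of conflicting IPs and their flap counts."""
    events = parse_arp_log(text)
    conflicts = find_conflicts(events, trusted)
    flaps = count_flaps(events)
    lines = []
    for ip, macs in sorted(conflicts.items()):
        lines.append(f"{ip}: {len(macs)} MACs {macs}, {flaps.get(ip, 0)} flaps")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, TRUSTED):
        print(line)
```

Fed a real capture (for example `tcpdump -n arp` output trimmed to the same fields), the same functions flag any IP that more than one station is answering for.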
| mdip wrote:
| This is excellent; reminds me of (very much smaller and far less
| cleverly executed) grief that I caused the administration at my
| HS back in the day[0].
|
| There's a few comments about the risks along with a little
| surprise/at least applause for the administration choosing not to
| waste the courts/various other parts of the justice system with
| this prank. I completely agree -- I don't know if I'm _terribly_
| surprised they chose that route (whether or not they were truly
| upset in the first place). I applaud the students for executing
| this so carefully /well and if my kids pulled something like this
| off with this level of care -- well, they'd at least be getting a
| dinner out of their choosing -- probably a trip to a nearby theme
| park.
|
| I suspect the kids involved were also certain that their
| approach, attention paid to keep from disrupting class and
| (thankfully thorough) testing that helped avoid a harmless prank
| turning into expensive litigation/really pissed off parents. But
| I'll bet there was a lot of fear around that, anyway! Had
| something gone awry -- and that's always where the risk is -- I'm
| guessing the outcome would have been more severe for these kids.
|
| They really played the social engineering/covering their
| hindquarters side of this prank very well. A large amount of effort
| was put toward making sure class was not interrupted[1], things
| worked and were tested and they provided detailed information to
| the administration on how to secure their systems -- that last
| piece allowing them to say "Without our minimally invasive prank
| and report you'd have never known these issues existed. We're not
| that special; a more malicious student could have discovered
| these flaws, opted for a _porn broadcast_ and made it difficult
| /impossible to find them to punish." They probably understand
| their own school's administration and took an educated guess as
| to how they might handle something like that, too. At least for
| the scope of anything I did, I _knew_ I wouldn't hear from the
| Vice Principal or Principal -- I'd solved various computer
| problems for them by then that the worst I'd get would be "that
| was cool, but please don't do that again."
|
| I didn't get in trouble because the pranks worked similarly -- I
| tested/avoided disruption (most of the time), did no permanent
| damage and anything was resolved by a reboot (DOS and no fixed
| disk) and our harm was necessarily limited since there are only
| so many computers you can covertly pop a floppy disk in -- there
| was no network. The biggest factor, though, was that our
| programming teacher sometimes got involved, himself. He was the
| head of the math department, not your traditional "computer geek"
| and I was doing things that he wasn't teaching, so he encouraged
| it. The guy was amazing (passed away in the mid-00s).
|
| So, kids, if you _do_ try this at home, make _sure_ it all works,
| provably, very _very_ well and don't do anything that will give
| them other reasons to throw the book at you. And if your
| administration has more than the typical "Zero Tolerance[2]"
| stance on things, it's just a bad idea regardless.
|
| I'm _sure_ there were a few among the ranks that became _furious_
| but cooler heads prevailed. The report at the end was a _nice_
| touch.
|
| [0] Mostly contained in the computer lab, which was
| non-networked, but when we discovered the three-letter-acronym TSR
| (DOS's Terminate and Stay Ready) and realized it was rare that
| another student would reboot an already booted machine (it took
| forever counting to the 512KB or so RAM installed). Incredibly, I
| graduated in the late 90s -- my Senior year, the lab that taught
| (Turbo, then Borland) Pascal was 15 years behind what most people
| had at home... these diskless all-in-one bastards wouldn't break.
|
| [1] I'm sure it took the kids a little longer to get to their
| classes after that all happened -- that's a minor, completely
| expected, situation here and at least a small reward for the
| efforts involved.
|
| [2] The school ten miles north of us was in a rural district and
| had a parking lot full of trucks with hunting rifles attached
| sitting in the parking lot every day (well after all of the
| schools installed additional locks and added security theater to
| make parents feel better post-Columbine)...that wasn't forbidden
| at least as far back as the early 00s and I wouldn't be surprised
| if a blind eye is mostly turned, today in some parts of that
| district.
| guynamedloren wrote:
| Fun story! Such incredible attention to detail and
| thoughtfulness, all the way up to automatically sending a pen
| test report to the district's technical supervisors, and sharing
| a presentation _after_ graduation. This kid was one step ahead
| all along.
|
| Great work, Minh.
| dyingkneepad wrote:
| I feel so dumb when I read kids doing these things. Back in High
| School all I knew was how I could run arbitrary executable files
| by renaming them to calc.exe. We also did the classic "take a
| screenshot of the desktop, set it as the wallpaper, then remove
| all icons and the start menu" thing.
| alistairSH wrote:
| All this. Plus TI-86 kung fu. Though this was 1991-1995, IoT
| didn't exist and email and web access was mostly through AOL or
| Prodigy.
| securiTee wrote:
| Neat story, and this is clearly harmless. But isn't the most
| basic, fundamental, number one rule of security/pen testing to
| try to break into a system (no matter how weak) if and only if
| you've been given clearance beforehand? Why doesn't that hold
| here?
| GavinMcG wrote:
| The rule does apply. Also, it was a senior prank, which by
| definition involves breaking the rules.
| jdmichal wrote:
| The author literally put in TWO disclaimers making that exact
| point...
| unethical_ban wrote:
| I think the OP is asking "Why are we applauding them if they
| broke the rules?". The answer is "Sometimes, people break the
| rules".
| ajford wrote:
| Glad to see a cooperative and supportive academic administration,
| and I'm sure the thoroughness and planning that the team
| demonstrated made it easier on the administration.
|
| The sheer amount of testing and verifying no major impact to
| academic testing took place probably helped, and cleaning up
| after themselves and documenting their findings and reporting it
| to IT was a cherry on the top.
|
| I like that the administration even requested that the team brief
| the district IT on the "attack".
| lxe wrote:
| In 2001, in 7th grade at the beginning of my web dev "career", so
| to speak, I made a website that looked exactly like our school
| district's "snow day" school closure and delay page -- and I
| allowed anyone to edit the message. I told a few kids about this
| -- it was a pinnacle of my PHP prowess back then.
|
| Got called into an office -- a gifted program administration, not
| the regular school office. I think one of the teachers there
| caught wind of my cool little trick, and asked me to take it down
| right then and there. I was terrified, as I wasn't really someone
| to get into any sort of trouble. I was able to take it down
| through their machine's windows explorer's FTP access.
|
| Now I realize that this teacher probably saved me from a lot of
| trouble. I wish these sort of stories were the norm -- where
| educators welcome the natural curiosity instead of throwing the
| law at kids who dare to think outside the box.
| ar_lan wrote:
| TIL there is an Elk Grove that is not in California!
| duped wrote:
| Do prosecutors need consent from victims to file charges in cases
| like this?
|
| Also if you're going to commit a crime and brag about it, don't
| say "hey well they would point the finger at me anyway and I'm
| not going to name my partners." You've just told them there are
| coconspirators, and you don't have a right not to incriminate
| others.
| paxys wrote:
| They don't legally need it, but such cases are pretty much dead
| in court without the victim's cooperation so the prosecution
| will almost always drop it.
| duped wrote:
| What happens when the suspect publicly admits to doing it and
| provides detailed information on the motive and means?
| EvanAnderson wrote:
| The Aaron Swartz prosecution continued, even after MIT and
| JSTOR said they didn't want to press charges, because of a
| zealous prosecutor.
| SavantIdiot wrote:
| Up until OP starts working out the frustrations of RTSP it was
| pretty much a yawner "scan for ports, http to them, see if
| sumthins there and unguarded". But the perseverance to make a
| prank work like that with a finicky protocol across a wide
| variety of different OEM hardware is really exceptional!
| bentcorner wrote:
| Using the school computer's webcam to test his exploit at night
| was genius. Very clean.
| nudgeee wrote:
| I got in trouble and subsequently suspended from school back in
| the '90s for causing BSOD's on classmates computers using WinNuke
| [0]. They classed it as vandalism even though the payload causes
| no permanent damage (apart from losing unsaved work).
|
| I found more severe vulnerabilities including being able to lift
| home addresses of students by querying an unprotected endpoint.
| Didn't get in trouble for this one, and reported it promptly to
| the IT administrator.
|
| [0] https://en.m.wikipedia.org/wiki/WinNuke
| cghendrix wrote:
| I thought I was cool being able to modify the ready message on
| printers across the school network. This is really impressive.
| drusepth wrote:
| In middle school I used Javascript to change Google's button
| text from "I'm feeling lucky!" to "Andrew is the best!"
| (javascript:getElementById('').text='blah')
|
| I showed some other students who were so freaked out that I had
| "hacked Google" that I got the attention of the librarian, who
| promptly banned me from the library computers for the rest of
| the year, even after I refreshed the page to show them it
| wasn't "real". Oof.
| person22 wrote:
| I wrote an infinite loop in postscript and sent it to all the
| printers. This was when postscript printers cost a fortune so
| there were not many of them. Fun days were those.
| earksiinni wrote:
| Serious question. What, if any, instruction do kids these days
| receive regarding what's allowed on computer systems?
|
| I remember in high school poking around a network drive until I
| found an executable with the name "SEND" in the name. I had a
| sense that it would send some kind of message somewhere, but I
| honestly didn't know where or to how many people. I was quite
| surprised when all the screens in our computer lab froze and,
| five seconds later, my message appeared on all of them. (I later
| learned that my message appeared on every desktop screen in the
| school!)
|
| I'm not sure exactly how they found me out, but I was called into
| the IT admin's office a couple of days later. She was furious
| with me. I told her the truth. I didn't know what exactly would
| happen when I ran that command, but she didn't buy it.
| Fortunately, nothing ended up happening after that.
|
| I've wondered to this day what exactly they could have done to me
| if they decided to press whatever legal authority they might have
| had to its fullest extent. I was never told "don't go to Z:\" or
| "don't run any program other than those on this list." Even after
| I was found out, I wasn't ever explicitly told that my actions
| constituted unauthorized access.
|
| It was a different, perhaps more innocent (or ignorant) time back
| then. How much have things changed now?
| thrashh wrote:
| Kids have been jumping fences for millennia.
|
| That said, I did know a kid that had charges pressed against
| him when I was in school so things weren't necessarily innocent
| back then either. He was admittedly an idiot and borderline
| malicious though.
| jovial_cavalier wrote:
| I graduated high school in 2015. I remember similarly poking
| around a network drive until I found a file in plaintext which
| contained everyone's student ID and whether or not they had a
| nut allergy (protected by HIPAA), for the bus system.
|
| I didn't think much of it, but some other students caught wind.
| Before I knew it, the superintendent threatened to have the
| police involved and press legal action for "hacking
| confidential student data."
|
| It's CYA all the way, usually at the expense of the person in
| the chain least equipped to cover their ass (the student).
| earksiinni wrote:
| Wow. That's terrifying. And you didn't even run anything!
|
| I'm guessing that they never told you "don't browse this
| network drive"?
| Buttons840 wrote:
| Never press F12 while browsing. Instant hacker.
|
| Seriously, I found a state website that appeared to be
| exposing NPI about certain people in an API response. So
| much NPI nicely formatted in a JSON response. I closed the
| page and never touched it again. You know the state will
| declare me a dangerous and sophisticated hacker because I
| pressed F12 to open the developer tools, that's much easier
| than admitting they made a mistake.
| 35fbe7d3d5b9 wrote:
| > whether or not they had a nut allergy (protected by HIPAA)
|
| Personal pet peeve:
|
| Your high school is not a covered entity and is not acting as
| a business associate of a covered entity. HIPAA does not
| apply. They are free to keep a plaintext file with your name,
| nut allergies, COVID vaccination status, and anything else
| they want to put in there - without HIPAA entering into the
| discussion.
|
| FERPA could apply, but I don't know much about that.
| drusepth wrote:
| Similar story: the dean of my "high school" [1] asked me to
| create our school website. Another student apparently poked
| around on a network drive and found an SQL dump of all the
| students' network username/passwords. I brought this file to
| the dean, told them it was available on a shared drive (so
| they could remove it), and asked if they'd like me to use it
| -- since I already had it -- to enable all the students to
| log in to the school website with their existing network
| usernames/passwords. They said that was a great idea and gave
| me the OK.
|
| A week later, police escorted me from my dorm and both I and
| the other student were eventually expelled and threatened
| with harsh legal action, which never came.
|
| [1] The "high school" was an early-entrance-to-college
| program where we started college at 16, lived on campus, took
| the normal freshman/sophomore college courses, and eventually
| received a high school diploma _and_ an Associate of Science
| when we graduated at 18. The website was for the school I
| attended, but the SQL dump included all of the university
| students as well. The school has since shut down.
| buzzert wrote:
| Hopefully everyone here has seen the movie Hackers, where a
| similar, but slightly more destructive prank involving the
| school's sprinkler system took place.
| Justsignedup wrote:
| My time in highschool was wasted. Kudos to these amazing kids.
| azinman2 wrote:
| Reminds me lightly of when I was in high school, email was fairly
| new -- especially at a school. My friend at a fancy private
| school had a Linux machine to access, and she really wanted to
| know what someone else had said about her. I managed to script
| kiddy my way in leveraging her existing shell login, got root,
| and read the email. What I didn't realize was that my .history
| file contained everything I had done. Eventually the sysadmin
| wrote me an email saying he knew what was going on and wanted to
| meet up, stating 'he wouldn't cuff me' and that he was 'a chill
| dude'. I was obviously scared, deleted everything, and tried to
| pretend nothing ever had happened.
|
| Luckily no one got in trouble (meaning me or my friend). Not so
| sure this would happen in 2021.
| particulars02 wrote:
| Greatest rickroll since S2E10 of Ted Lasso.
| 908B64B197 wrote:
| I just hope the author, at least, applied to MIT. He would fit
| right in.
|
| http://hacks.mit.edu/.
| mister_c_dub wrote:
| What a legend.
| belval wrote:
| The fact that the administration didn't choose to sue them to
| oblivion is refreshing. I hope we'll see a trend in the future of
| educators being smart enough to admit that they made a mistake and
| to encourage the students to develop their talent.
|
| One can only hope.
| _wldu wrote:
| Being a minor probably helps. There are so many laws today.
| It's too risky to do this. It's not like it was 25 years ago.
| flatiron wrote:
| I was suspended for a week for creating a network share in my
| typing class and dividing the work among my friends and we
| copied and pasted into a single document on the share. This
| was on Windows NT though so a LONG time ago. It's also I
| guess "cheating". But they got us on "computer hacking".
| johnebgd wrote:
| I used CACLS with an Office hack in NT / 9X to copy
| homework. Never got caught for that.
|
| They got me on propagating computer games through the
| network using shared drives the teachers were supposed to
| use for homework.
|
| We had BNC network cables in those days and the entire
| building shared a single T1 line for several hundred
| computers.
|
| The world has changed.
| squareof wrote:
| Same thing here. Teacher came into class with his multiple
| month investigation comparing all students work
| highlighting common errors. Found three different groups
| that were sharing work load. In school suspension for all
| of us, only like three kids left in class for the week.
| arenaninja wrote:
| Also in my typing class circa 2004 the teacher was about to
| kick me out because he thought I was on a chat room during
| his class. I was actually viewing page source on an HTML
| document.
| the-dude wrote:
| _You were hacking a website_
| mrexroad wrote:
| 25 years ago wasn't any better... I recall several in my
| circle getting suspended for harmless things. The lesson:
| don't explore, don't be curious, and don't try to fix
| anything related to the school and computers. Sigh.
| AnIdiotOnTheNet wrote:
| People on HN always act like what they were doing was
| almost noble. You weren't. If you had been picking locks or
| even rummaging around unlocked desk drawers you'd get the
| same treatment and deserve it.
| PradeetPatel wrote:
| Consent is paramount when doing that type of exploration.
| Without explicit permission, how would an IT administrator
| distinguish the difference between a curious student and a
| malicious attacker?
| jhgb wrote:
| Well, I imagine that would require using a brain, which
| may be an onerous requirement.
| burnished wrote:
| You're not wrong, but I think it might be helpful to
| think of this in different terms. Teenagers, with
| burgeoning agency, are being denied the ability to
| meaningfully impact their environment yet are bound to it
| for most of their lives.
|
| I agree with you that explicit permission is important,
| but it is also something that young people are frequently
| and explicitly denied. I don't think the solution is
| condoning that sort of 'extracurricular', but I think we
| should recognize the problem is probably starting with
| the adults in the situation.
| BackBlast wrote:
| You would think so, only this is a bit opaque when
| dealing with a local school and a district bureaucracy
| with various computer labs, internet and phone systems.
| As a student, you may think that the right person to ask
| is the local teacher who has control of the asset.
| Especially if that teacher has been assigned IT duties.
|
| But to many school administrators consent of teachers is
| meaningless. Those assets aren't owned by the teachers
| but by the district, even if they are the apparent
| authority figures and stewards in the eyes of the
| students.
| bluedino wrote:
| Yea, kids would get expelled in the old days for putting a
| screensaver password
| judge2020 wrote:
| It can get pretty messy. For example, they could wait until
| they're 21 to try them as an adult, even if it was committed
| at 17 or younger [0 p. 128]:
|
| > a person who committed the offense before his eighteenth
| birthday, but is over twenty-one on the date formal charges
| are filed, may be prosecuted as an adult.... This is true
| even where the government could have charged the juvenile
| prior to his twenty-first birthday, but did not.
|
| However, the statute of limitations for CFAA violations is 2
| years [1 p. 2] so this might not apply. If somehow they can
| still go after him at 21, this post could play a part in
| evidence for performing the hack (I truly hope not).
|
| 0: https://www.justice.gov/sites/default/files/criminal-
| ccips/l...
|
| 1: https://www.goodwinlaw.com/-/media/files/publications/10_0
| 1-...
| giantg2 wrote:
| The newest policy is to charge minors as adults unless
| there's a compelling and beneficial reason not to. I think
| that was a DOJ change around 2009. Not sure how many states
| followed suit. But in general, its increasingly likely that
| minors are being charged as adults.
| nielsbot wrote:
| Probably helps that "We prepared complete documentation of
| everything we did, including recommendations to remediate the
| vulnerabilities we discovered. We sent a comprehensive 26-page
| penetration test report to the D214 tech team and worked with
| them to help secure their network."
| munificent wrote:
| In many cases, a 26-page report documenting the incompetency
| of a team would not be taken kindly.
| IshKebab wrote:
| That hasn't helped in the past. Frankly I think they were
| naive to reveal themselves no matter what the authorities
| said. It hasn't gone nearly as well for other people.
| treesknees wrote:
| The students were extremely lucky.
|
| The advice given to me in high school (I was working on
| tech projects after school for several teachers and groups)
| was to not even try or explore poking around the IT
| networks, no matter how good my intentions were. All it
| takes is one grumpy school administrator to feel undermined
| or to misunderstand your report and you could be expelled.
|
| When you're in a position like a student, you're still
| working your way up and building credibility. No need to
| risk it all for an IT group that doesn't want your security
| advice and didn't ask for your help.
| dylan604 wrote:
| It doesn't stop at the student level. Find something at
| the corp level with an arrogant IT dept, and you'll find
| yourself in uncomfortable situations as well.
| adventured wrote:
| It's always fascinating how dramatically different
| schools can be. When I was in high school, in the late
| 1990s, nobody would have cared so much about something
| along these lines. At worst it would have resulted in a
| three-day suspension from school and a lecture from the
| principal.
| PradeetPatel wrote:
| Seconded, the same advice has also been given to me back
| in India.
|
| "Know where your boundaries are and who your stakeholders
| are, don't do anything that will make your stakeholders
| look bad." It's a life advice given to me by my high
| school teacher that served me well in my professional
| life.
| [deleted]
| rootsudo wrote:
| Yep - I, like many of my friends and people who are
| naturally curious and work today in "Cybersecurity" had
| fun, poked around - but once you found little data troves
| - it reveals how inept a lot of people can be.
|
| And you just volunteer to be thrown under the bus as that
| "hacker."
|
| Anonymous, maybe. As a student, under 18 - you're
| "immune" from many things - but it can be a stain.
| colinmhayes wrote:
| He had already graduated, so expulsion wasn't an option.
| ohazi wrote:
| Expulsion is one of the friendlier outcomes. Federal
| prosecution and prison time are also very realistic
| options here. It's happened to other well-meaning kids on
| many occasions.
| 63 wrote:
| He addresses this pretty well in the post imo. His co-
| conspirators remained unnamed while he alone revealed
| himself because he wanted to publish this post and it's
| highly likely he would've been blamed anyway.
| dont__panic wrote:
| The poster/hacker actually addresses this -- he doesn't
| reveal himself until _after_ graduation, keeps his fellow
| hackers secret still, and mentions that he was most likely
| the prime suspect in the district anyway. Seems like a fair
| tradeoff if he wanted to make this blog post, though school
| districts could be nasty and litigious, I guess.
| throwawayboise wrote:
| Pretty sure there's nothing stopping the school district
| from retroactively rescinding his graduation, or refusing
| to send transcripts to universities, or informing those
| universities of his transgressions, which would probably
| result in revoked admission.
| duped wrote:
| It's still a terrible idea to admit to committing a crime
| under your real name before the statute of limitations
| has run out.
| generalizations wrote:
| Is there even a statute of limitations for this kind of
| thing? Seems way better to just never admit to it at all.
| greyface- wrote:
| The CFAA has a statute of limitations of 2 years.
| Accujack wrote:
| I'm sure it helps a lot that they're in a high tax base area,
| and the quality of the educators hired probably reflects that.
|
| https://statisticalatlas.com/school-district/Illinois/Townsh...
| Waterluvian wrote:
| Yep. What they did was wrong. And by doing so they threw
| themselves at the mercy of the entity they hacked. The
| refreshing part is that the entity did the morally right thing
| and showed mercy.
| edoceo wrote:
| Too right! Get this kid a job, not punishment.
| bluedino wrote:
| I'm glad to see a kid using bash and not something like _gulp_
| PowerShell
| codezero wrote:
| Not to diminish your comment, but a thing I've found late my
| career is to abandon dogma when it comes to young folks
| learning. If they can learn with PowerShell, they're a lot
| better off than a lot of young folks! There is no one-true-
| way and as soon as you find it, another generation will show
| up with another-true-way :)
| blacktriangle wrote:
| Credit where credit is due, we all WISH *nix had something
| like PowerShell. Passing strings from program to program is a
| pain, passing around .NET objects instead is a great step
| forward, as can be seen by the several attempts at similar
| shells passing around JSON objects.
| throwawayboise wrote:
| > Passing strings from program to program is a pain
|
| The internet has been pretty successful and many popular
| protocols (http, smtp, etc) are exactly "passing strings
| from program to program"
| AnIdiotOnTheNet wrote:
| Which is why all browsers render the same thing exactly
| the same way and there's no need at all to test more than
| one. Yep.
| oneplane wrote:
| The presentation layer has nothing to do with the protocol
| layer...
|
| If you pump some serialised binary into a browser it will
| still render wrong.
| simorley wrote:
| > Credit where credit is due, we all WISH *nix had
| something like PowerShell.
|
| Who is "we"? I've worked exclusively on a Windows stack so
| used PowerShell on the job. But at home, I use bash. I
| don't want something like PowerShell in *nix and don't use
| PowerShell on *nix even though it's been available on *nix
| for many years now.
|
| > Passing strings from program to program is a pain
|
| You can argue it's the basis of computer science and also
| pretty efficient.
|
| > passing around .NET objects instead is a great step
| forward, as can be seen by the several attempts at similar
| shells passing around JSON objects.
|
| Passing around objects can be slow, inefficient, wasteful,
| etc though it can be convenient.
|
| If you are on a Windows stack then go with PowerShell. If
| not, then go with bash. Nobody should be on a Windows stack
| but sadly, much of the business world has been captured by
| Microsoft.
| jdmichal wrote:
| PowerShell has been available on Linux via .NET Core since
| 2016 and version 6.0. Even my Windows box with PowerShell
| 5.1 likes to remind me of this fact every time I start it:
|     Windows PowerShell
|     Copyright (C) Microsoft Corporation. All rights reserved.
|
|     Try the new cross-platform PowerShell https://aka.ms/pscore6
| judge2020 wrote:
| On that note, I'm saddened Windows 11 doesn't ship with
| PowerShell 7. Are there that many breaking changes in the
| switch from 5 -> 6 or 5 -> 7?
| oneplane wrote:
| There have been REPLs like PowerShell for ages, it's
| nothing really new. The only nuance in this is that it is
| new in the Windows ecosystem to have something like that
| supported by Microsoft. Ironically, it hasn't managed to
| displace the command prompt or batch files, so instead of
| having to deal with one thing, you now have to deal with
| two things.
|
| As for the passing of strings: it might seem like a pain,
| but as soon as you start working with non-program I/O it's
| not like you'll have much of a choice. Keep in mind that it
| is the lowest form of communication and you can build on
| top of that. Same with I/O in general: nothing prevents you
| from using shared memory or a device instead.
| IshKebab wrote:
| You're glad to see them using the ancient clusterfuck that is
| Bash, and not a modern relatively sane shell that is
| indisputably the most seminal shell in the last 30 years?
| orwin wrote:
| Nah, I actually used PowerShell before bash because I did a
| lot of Android hacking stuff before learning to code. I
| worked with PowerShell 3, PowerShell 4 and PowerShell 5.
| PowerShell 3 was the most painful thing to work with. No
| state across sessions, the defaults were shit so I had to
| reconfigure more often than not. Slow, painful, buggy...
| Around the same time I learned how to bash pretty well in
| two days, use rsync, use ssh, use sed and awk... PowerShell
| 3 was shit compared to this.
|
| Then I used PowerShell 4, I guess it was better but honestly
| I don't think I've used it very much. PowerShell 5 might be
| better than bash for 90% of the dev population though.
| jhgb wrote:
| Well at least it's a racing horse and not a turtle.
| flerchin wrote:
| Seminal.
| Miner49er wrote:
| Powershell is actually good though.
| rsp1984 wrote:
| In case anyone else is wondering how the heck the kid got access
| to the district's network, the key sentence is hidden in the
| middle of the post:
|
| _Since freshman year, I had complete access to the IPTV system.
| I only messed around with it a few times and had plans for a
| senior prank, but it moved to the back of my mind and eventually
| went forgotten._
|
| Not sure why they don't go into more detail about how exactly
| "complete access" was obtained, since that is obviously the
| hardest part of hacking any system. Not trying to downplay the
| achievement here, just think that this would have deserved a bit
| more detail.
| kevinsundar wrote:
| It seems like he just was on the school network and the IPTV
| devices were also on the same network with no authentication.
| gjsman-1000 wrote:
| I was at my own community college 2 years ago, and they had those
| Smart TVs showing news and weather everywhere, as well as custom
| images uploaded by the clubs on campus.
|
| It was supposed to be that a club could log into them, make, and
| submit a graphic to display on the TVs, but the school would have
| to review them before they would be displayed.
|
| However, I would later find out, a software update had messed up
| the roles system and so that club username/password which was in
| a public document actually had the ability to post things
| immediately on the TVs, without review. I found this out when I
| made a Math Club poster, hit the button, and it was immediately
| live without a check.
|
| I just reported it and it was fixed the next day. My instructor
| said that could have been really really bad considering some more
| unscrupulous college kids who would have (not naming names)
| probably gotten a kick out of throwing pr0n on them...
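The failure mode in the comment above (a role table that drifted until a club account could put a graphic on the screens without review) is a good case for checking authorization at the point of effect rather than trusting earlier workflow steps. The following is an added illustration, not code from the college, the signage vendor or the commenter: a hypothetical `SignageBoard` with two constructed accounts (`mathclub`, `staff1`) where anyone known may submit, only a `REVIEWER` may publish, unknown users are denied rather than given a default role, and an author may not approve their own post. It goes slightly beyond the comment by also covering the unknown-user and self-approval cases.

```python
"""Approval gate for a digital-signage posting workflow.

Added illustration, not code from any school or vendor system: a club
account may *submit* a graphic, but only a reviewer may *publish* it.
The publish step re-checks the caller's role rather than trusting the
state the caller arrived in, so a role table that drifts (for example
after an update) fails closed instead of open.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(Enum):
    CLUB = "club"
    REVIEWER = "reviewer"


class Status(Enum):
    PENDING = "pending"
    LIVE = "live"


class Forbidden(Exception):
    """Raised when a caller lacks the role required for an action."""


@dataclass
class Post:
    author: str
    graphic: str
    status: Status = Status.PENDING
    approved_by: Optional[str] = None


@dataclass
class SignageBoard:
    # Constructed role table; in a real deployment this comes from the
    # directory service, which is exactly the thing that may drift.
    roles: dict[str, Role]
    posts: list[Post] = field(default_factory=list)

    def _role(self, user: str) -> Role:
        try:
            return self.roles[user]
        except KeyError:
            # Unknown user: deny rather than fall back to any default role.
            raise Forbidden(f"{user!r} has no role")

    def submit(self, user: str, graphic: str) -> Post:
        # Any known account may queue a post; it is never live on submit.
        self._role(user)
        post = Post(author=user, graphic=graphic)
        self.posts.append(post)
        return post

    def publish(self, reviewer: str, post: Post) -> Post:
        # Authorization is decided here, at the point of effect, and the
        # author may not approve their own submission.
        if self._role(reviewer) is not Role.REVIEWER:
            raise Forbidden(f"{reviewer!r} may not publish")
        if reviewer == post.author:
            raise Forbidden("author cannot approve own post")
        post.status = Status.LIVE
        post.approved_by = reviewer
        return post

    def live_graphics(self) -> list[str]:
        """What the TVs would currently display."""
        return [p.graphic for p in self.posts if p.status is Status.LIVE]


def demo() -> tuple[list[str], str]:
    """Walk the workflow with constructed accounts. Returns what the TVs
    show and the reason the club's direct publish attempt was refused."""
    board = SignageBoard(roles={"mathclub": Role.CLUB, "staff1": Role.REVIEWER})
    post = board.submit("mathclub", "math_club_poster.png")
    try:
        board.publish("mathclub", post)  # the bypass described in the thread
        refusal = ""
    except Forbidden as exc:
        refusal = str(exc)
    board.publish("staff1", post)        # a reviewer approves it
    return board.live_graphics(), refusal


if __name__ == "__main__":
    live, why = demo()
    print("live graphics:", live)
    print("club publish refused:", why)
```

The regression the comment describes would have been caught by a test asserting that a freshly submitted post is still `PENDING` and that `publish` by a `CLUB` account raises, regardless of what the role table happened to contain after the update.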
| hx2a wrote:
| When I was in High School (early 90's) we got a new computer
| system that nobody was using yet. I discovered there was an email
| system of some kind and that every student had an email address
| that we were not told about. I also discovered Tetris installed
| in a directory on the server. I was able to play Tetris and I
| could show other students how to access it, but it was
| inconvenient to get to.
|
| Therefore I decided I would email Tetris to every student (I
| emailed the executable, not a link to Tetris), making it easier
| for everyone to play also. As soon as I did this the entire
| system got very slow...apparently the server had no quotas or
| partitioning and the hundreds of copies of Tetris filled up 100%
| of the hard drive space. It was a disaster. The computer
| "specialist" had no idea how to fix the system and she was
| teaching an adult education class that evening that required the
| system to work. She was furious and wanted me to get suspended.
| It didn't happen though because I spoke up about the problem
| right when I knew there was a problem and also some other
| teachers intervened on my behalf.
|
| The woman who was responsible for the computer system back then
| is now the superintendent of the school system. I wonder if she
| remembers me.
| codazoda wrote:
| She remembers you.
|
| I also graduated in the early 90's and my children recently
| graduated from my alma mater. When I went with them to teacher
| conferences some of the same teachers were still there.
| Teachers that I didn't even have classes with remember me.
| jackson1442 wrote:
| About two years ago, I was in high school and decided to, as a
| joke, "hack" the computer by logging in as admin:password. I was
| incredibly surprised when it actually ended up working as a
| domain admin account. After checking this, I immediately signed
| out.
|
| When my CS teacher filed a ticket asking "who has the user
| account 'admin' and why is the password 'password?'" IT wanted to
| revoke my network login and probably put me in ISS for a few
| days. Fortunately, my CS teacher didn't reveal who I was.
|
| Very glad IT at this person's school took it in stride,
| unfortunately this was just the MO of IT in my district.
| themantra514 wrote:
| This is the way.
| kervantas wrote:
| The s in IoT stands for security.
| don-code wrote:
| I'm impressed with how much foresight this high schooler had in
| preparing for the prank. My impression is that most high school
| age kids would out themselves within the first few weeks of
| planning due to wanting to boast, here they instead took to
| testing covertly, overnight.
| mmaunder wrote:
| Someone I know did something similar, was arrested in their
| college dorm, and at the sentencing hearing in federal court was
| fined and sentenced to 5 years probation, and now has a criminal
| record.
|
| This kid is very very lucky. Obviously they violated the CFAA
| which carries severe criminal penalties. They engaged in actual
| hacking without any permission or defined scope. And they
| exploited the system without any responsible disclosure process.
|
| Anyone in the field will tell you that this is an absolute
| disaster of a post because it sends the signal to other young
| aspiring cybersecurity professionals that this is OK, and the
| school will laugh it off, and you'll be seen as an adorable
| Matthew Broderick type Wargames character. I can't overemphasize
| how far this is from the truth in 2021.
|
| Absolutely do not access systems you are not allowed to. If you
| do want to do penetration testing, you need permission from the
| systems owner and a clearly defined scope. And when you do find
| issues, you don't exploit them, you responsibly disclose them
| within a clearly defined framework.
|
| If you want to end up with a criminal record that will profoundly
| affect the rest of your life, including your career prospects and
| ability to travel internationally, then by all means, do what
| this guy did.
|
| I wish it wasn't so. It never used to be. But this is how it is
| now. Overzealous prosecutors have been given a huge amount of
| power, and all you need is one embarrassed systems administrator,
| school board or management team to trigger a disastrous outcome
| in stories like this.
| inputsecretcode wrote:
| Wow, that's terrifying. I'm from the EU and did 1000x worse
| stuff than that and never suffered any consequence, which is not
| right, but teenagers going to prison for hacking pranks is
| really fucked up.
| bsza wrote:
| > This kid is very very lucky.
|
| No, he is just smart. He did it anonymously. He knows how to
| cover his a$$.
|
| > it sends the signal to other young aspiring cybersecurity
| professionals that this is OK
|
| The post literally has a whole section dedicated to explaining
| that this is not OK, but whatever.
| jdkee wrote:
| This post is 100% spot on. While the local school district may
| treat it as a prank, in the U.S. the federal authorities may
| not. To see how seriously the government takes this act, look
| at the penalties section of the relevant U.S. code.
|
| https://www.law.cornell.edu/uscode/text/18/1030
| collegeburner wrote:
| Yeah, go to them about ransomware gangs or nation state
| actors and you basically get told "lol we can't do shit".
| Complain about a kid prank and they'll go apeshit and make a,
| uhh, federal case of it to make themselves feel needed.
| dakna wrote:
| And yet, there is overwhelming demand for what the government
| calls "cyber security". As a developer it is easy to get good
| at your craft by practicing and learning, how in the world is
| a security specialist able to practice without asking for
| permission or already having a job? A home lab setup? A
| college degree and formal education? I'm curious how people
| actually evaluate this career choice.
| ActorNightly wrote:
| In my personal experience with working in government
| related cyber security, the positions are for dudes that
| type bash commands to run tools that are all developed by
| 3p companies, which end up hiring people regardless of
| criminal history.
| aerostable_slug wrote:
| Capture The Flag challenges. You don't need much more than
| a terminal.
| rhexs wrote:
| The leetcode of the security world! Thankfully not that
| bad...yet.
| jjoonathan wrote:
| Gross but true. The administration has every incentive and
| opportunity to spin this into a self-serving story about taking
| down evil sinister hackers -- and maybe scapegoat a few
| unrelated problems while they are at it.
|
| I am delighted that these admins had the character to resist
| the perverse incentives of the system.
| marvin wrote:
| There is something obscenely totalitarian about this whole
| mindset. You're making a very pragmatic point, but take a step
| back and look at the whole thing.
|
| You're warning a teenager against making a brilliant, harmless,
| funny and responsible prank so that they won't get their whole
| life fucked up forever. Think a little about what kind of
| political system necessitates that kind of ridiculous warning.
| What sort of nation does this kind of thing to its kids? If we
| strike the United States from the list, what sort of countries
| are left?
|
| You guys really need to get your so-called justice system
| sorted out. Sorry to make such a blunt point, but this is
| depressing as hell.
| mcbishop wrote:
| Malicious hackers could have shown something unspeakably vile
| on all those screens. If this kid reduced the likelihood of
| that... he's a hero. Alas, I totally hear you.
| Faaak wrote:
| I agree, that feels wrong to me...
|
| When I was younger (~15) I also did some "fun" (aka stupid)
| stuff with the school computer network and in the end they got
| me and I received a "formal warning" (it was in France).
|
| In the end I'm glad for it because that scared me off and I
| never tried again on stuff that I don't own.
|
| But putting a kid in jail/having a criminal record seems way too
| excessive to me. Kids are dumb. And by punishing them that hard
| they won't become a better person. Hell, they won't be able to
| have a job!
| WarOnPrivacy wrote:
| > But putting a kid in jail/having a criminal record seems
| way too excessive to me.
|
| It absolutely is. Society is clearly harmed by laws like the
| CFAA.
|
| LEO do like overly broad laws though. There's nothing better
| to ruin the lives of people that cops don't like.
| donatj wrote:
| When I was in High School in 2003 I discovered you could pretty
| easily get around the tool that blocked running installers by
| launching them by entering the full path to the installer in
| the address bar of Internet Explorer. This was before Windows
| and IE were decoupled. I installed VNC server on a couple of
| friends' computers and used it for some light-hearted pranks,
| but didn't do anything else with it.
|
| One of my friends who I did this to went crazy with it and used
| it to mess with his teachers' computers. Ended up in huge
| trouble, cops knocking on his door, and I believe probation.
| This was the year after I graduated.
|
| On the one hand, I kind of feel responsible for showing him, on
| the other hand, it's his fault he had to go off and be an idiot
| with something I just thought was fun.
| bellyfullofbac wrote:
| Ah, 2021, such sad times, where we squash our creativities in
| fear of the police, where you'd think twice before doing
| something like one of the MIT hacks http://hacks.mit.edu ...
|
| I do wonder if they could've secured themselves with VPN and
| "untraceable" anonymous emails (e.g. asking for a guarantee
| that they won't be sued/charged), although the teenage bragging
| rights would've been too tempting.
|
| I wonder if it was possible for the hacker to ask a lawyer to
| represent them anonymously and make a contract, something like
| the district promises not to file criminal charges, and if they
| violate this deal they will have to pay a lot of money...
| nucleardog wrote:
| > I wonder if it was possible for the hacker to ask a lawyer
| to represent them anonymously and make a contract, something
| like the district promises not to file criminal charges, and
| if they violate this deal they will have to pay a lot of
| money...
|
| Criminal charges are generally filed by the prosecutor.
| They'll generally follow the wishes of the victim, but are
| not required to (think, e.g., domestic violence cases). There
| is absolutely zero the school can do to guarantee that you
| won't be charged if the prosecutor does catch wind of the
| incident and decides to make an example of you.
| petesergeant wrote:
| My understanding is that in America, prosecutors are often
| political appointees without much institutional oversight,
| as compared to being a reasonably dull civil service
| department who have to justify prosecutions as being in the
| public interest.
| noodlesUK wrote:
| This is generally true, but the CFAA is obviously not
| violated by access which is authorised. In this case, you
| could simply draw up a pentest agreement and get them to
| say any such activity would be authorised.
| whimsicalism wrote:
| > I do wonder if they could've secured themselves with VPN
| and "untraceable" anonymous emails (e.g. asking for a
| guarantee that they won't be sued/charged), although the
| teenage bragging rights would've been too tempting.
|
| If you read TFA, that is effectively what happened. Even with
| the guarantee, only one of them revealed themselves.
| paxys wrote:
| No point in pulling off a complicated prank without
| enjoying the notoriety gained from it.
| pascalxus wrote:
| Yeah, it's pretty messed up that there are such extremely heavy
| penalties for merely playing a YouTube video on a few screens
| whereas looting and stealing go completely unpunished. What
| kind of message is that sending to our youth?
| usmannk wrote:
| > Anyone in the field will tell you that this is an absolute
| disaster of a post because it sends the signal to other young
| aspiring cybersecurity professionals that this is OK
|
| Maybe a bit overzealous with the reaction here. OK, sure, the
| OP could have been even more serious about this but literally
| the first labeled section is "DISCLAIMER" and says:
|
| > With that said, what we did was very illegal, and other
| administrations may have pressed charges. We are grateful that
| the D214 administration was so understanding.
| tkinom wrote:
| For anyone who would like to hack legally and ethically, check out
| https://www.hackerone.com/. If you're very good at hacking
| devices, software, networks, etc., companies will pay bounties
| for the vulnerabilities you find through HackerOne.
|
| Looks like they paid out millions in bounty in 2020:
| https://www.zdnet.com/article/hackerones-2020-top-10-public-
| bug-bounty-programs/
| cwkoss wrote:
| Worth a try, but I didn't have a good experience with it.
|
| Companies can mark items as duplicates without fixing the
| underlying bug for an indefinite period of time. So the 3
| vulnerabilities I found all got marked as duplicates without
| any compensation or even acknowledgement of my time writing
| up the issues. Felt like a complete waste of time.
|
| If you're great, you can probably find novel stuff better
| than I was able to, but if you're that great you likely
| already have plenty of employment opportunities.
| hparadiz wrote:
| Posts like yours validate the insane over criminalization of
| what essentially amounts to a prank. I had literally the exact
| same experience in high school. Got expelled and had to get a
| GED. They could have easily pressed charges.
|
| Part of the issue is people like you who advocate for
| respecting "the system" and essentially scaring kids into not
| doing anything. Except that simply reinforces the draconian
| laws that are currently in place. If more kids rebelled and
| this was a regular occurrence it would help to desensitize
| society to digital pranks instead of always treating these kids
| like terrorists.
| quasarj wrote:
| What? How is warning someone that they are going to ruin
| their lives the same as endorsing it?
| testudovictoria wrote:
| GP isn't validating over criminalization. GP is trying to
| steer people clear of catching charges. The end results for
| both is, "Don't hack your school district for a prank," but
| the context of the two are very different. Students' minds
| are still developing. You can tell them not to respect
| Draconian laws surrounding hacking, but do the students
| understand what's at stake?
|
| Yes, students get in trouble all the time, but most of the
| consequences for their stupidity are slaps on the hand. Lunch
| in a classroom, a parent-teacher conference, after school
| detention, in-school suspension, getting grounded - none of
| these things carry civil or criminal charges that are a
| matter of record. What should be a harmless prank can turn
| into life-altering civil and criminal charges. With high
| school kids, things quickly go from, "I hacked the school
| network to do a Rick Roll; they laughed and sent me on my
| way," all the way to, "I gave my friend the exploit to do
| something similar; I didn't know he was going to change
| everyone's grades to 69%."
|
| Further, I would not want to teach in a district where
| students doing digital pranks is the norm. I volunteer at a
| high school. Unchecked digital pranks would quickly turn into
| a constant stream of disruptions. Everyone would think that
| their prank is better than the last.
| chrisseaton wrote:
| > a prank
|
| Why do we tolerate pranks? You shouldn't be able to interfere
| with someone else and say 'just a prank bro'. Leave other
| people's things alone. Don't create work for other people.
| Don't bother people just trying to do their jobs. Don't
| impose your sense of humour on others. These all seem like
| basics to me?
|
| If you think someone's funny? Great. Just don't bother other
| people with it. Do it with your own stuff, not other
| people's.
| guynamedloren wrote:
| > Why do we tolerate pranks?
|
| Pranks can be an outlet for creativity and learning that
| might not otherwise happen.
|
| The post concludes with:
|
| > This has been one of the most remarkable experiences I
| ever had in high school and I thank everyone who helped
| support me. That's all and thanks for reading!
|
| I'm certain this kid learned so much working through the
| execution of this prank, and without being criminalized by
| the district, he's better off for it. Likewise, the IT
| department is better off with a more secure system, and
| staff and students experienced shared moments of unexpected
| joy.
|
| Call me naive, but I'd say this kid made his small slice of
| the world a bit better, if only for a fleeting moment.
| chrisseaton wrote:
| > Pranks can be an outlet for creativity and learning
| that might not otherwise happen.
|
| Great.
|
| But do it with your own things then. Don't bother anyone
| else or touch anyone else's things.
|
| And no worker should ever have to do any work (such as
| reset a computer system) because of your prank. Workers
| have enough work to do and enough hassles in their lives.
| guynamedloren wrote:
| > But do it with your own things then. Don't bother
| anyone else or touch anyone else's things.
|
| You're really oversimplifying here. Something tells me
| this high schooler doesn't personally own the breadth of
| commercial equipment that he hacked for this prank.
|
| > And no worker should ever have to do any work (such as
| reset a computer system) because of your prank. Workers
| have enough work to do and enough hassles in their lives.
|
| Okay, let's all be worker robots :)
| chrisseaton wrote:
| > Something tells me this high schooler doesn't personally
| own the breadth of commercial equipment that he hacked
| for this prank.
|
| So they shouldn't have done it.
|
| > Okay, let's all be worker robots :)
|
| It's not about what you want to do. It's about what some
| low-paid worker who has to clean up after you thinks.
| lr4444lr wrote:
| Many criminal cases require establishing intent. Pranks may
| be harmful as you allude to, but the intent still matters.
| chrisseaton wrote:
| How does that work? Can you murder someone for a prank
| and say your intent was just a prank so it was fine?
| 999900000999 wrote:
| This is a very complicated problem.
|
| Unless you kill someone I generally don't believe in life
| long criminal records. They only serve to drive people into
| further criminality.
|
| I imagine for a robbery you could get 5 years in prison, 5
| years with it on your record and then automatically get it
| expunged.
|
| Back to the topic at hand, what if the IT hack stopped
| people from getting paid on time? How many suffered emotional
| distress? Evictions can literally cause suicide.
|
| Maybe someone can't afford medication, skip it and have a
| stroke.
|
| The entire criminal justice system is broken. So you did
| something stupid at 20, at 46 you still can't find a job due
| to your record.
|
| People want simple, easy solutions. Things are much more
| complicated. If you release a dozen felons 5 years early and
| 2 go on to commit horrific crimes, it's easy to ignore the
| good the other 10 did.
| WarOnPrivacy wrote:
| > The entire criminal justice system is broken. So you did
| something stupid at 20, at 46 you still can't find a job
| due to your record.
|
| Welcome to the War On Redemption. Primary participants are
| the harmful people who create these systems and the people
| who remain silent while countless lives are ruined for no
| good result.
| lr4444lr wrote:
| I dunno. Assault that permanently injures someone, rape,
| kidnapping, and trafficking are lifelong scarring for the
| victims. I may not rank computer hacking or selling drugs
| as deserving of a permanent record, but there are lots of
| other violent crimes short of homicide that do.
| Gunax wrote:
| I don't think it's the record's duty to keep you from being
| employed. That's the employer's decision.
|
| Even if I agree that it's a dumb practice, you're proposing
| a world where employers are free to refuse your hire if you
| (eg.) were fired from a job 26 years ago, but not because
| you were convicted of a crime.
| drusepth wrote:
| Unfortunately, "desensitizing" people to existing law by
| illegal rebellions is a Pyrrhic victory at best when the
| consequences are so impactful to the individuals that martyr
| for The Cause.
|
| There are processes for changing the laws without sending
| kids to jail, having to treat kids like terrorists, or
| potentially making the law even _harsher_ because it isn't
| effective enough to dissuade lawbreaking. If the laws feel
| draconian, perhaps following those processes might be a
| better approach to change the system without as many
| sacrifices.
| drhayes9 wrote:
| I don't think telling kids not to narc on themselves
| "validates the insane over-criminalization". I think telling
| legislators or parents would, though.
|
| The comment didn't say "respect the system", it said to deal
| in the realpolitik and don't try to effect legislative change
| by ruining your life as a high school student.
| paxys wrote:
| I don't understand this response. Having been on the wrong
| end of it you should be advocating harder than anyone to
| teach kids the complexities of cybersecurity law and ensure
| they can make the right decisions rather than throw away
| their future over a stupid prank. There is no "validation"
| happening here, the OP is just stating reality. Random high
| schoolers' rebellions aren't going to result in Congress
| overturning the Computer Fraud and Abuse Act and a hundred
| related laws.
| rkk3 wrote:
| > ensure they can make the right decisions rather than
| throw away their future over a stupid prank.
|
| Is it a good system if a "stupid prank" can "throw away
| your future" ?
| paxys wrote:
| No it is not a good system. But nothing I said is invalid
| because of that.
| skeaker wrote:
| No, but that doesn't mean you should deliberately play
| into it.
| [deleted]
| restingrobot wrote:
| We need to have harsh penalties for this. People who don't
| understand the complex systems they were able to access,
| might introduce vulnerabilities that more malicious entities
| can exploit. An example of this would be a student at a
| university accessing internal network from a physical
| terminal in a building, (intranet), and accidentally
| disabling a firewall, (say to play a video from a remote
| location). In doing so, it's no longer just a prank as they
| may have exposed the entire internal network to outside
| internet.
|
| This is a super basic example, but it serves to illustrate my
| point. It's not just a prank bro, even when it is.
| javajosh wrote:
| _validate the insane over criminalization_
|
| I think you misread the GP. He's not defending the system,
| just describing it, and how the OP was lucky that the people
| in charge were unusual and open-minded. He's warning others
| that the risk/reward implied by the OP's experience is
| misleading.
|
| Let's say the OP had stolen his family's life-savings and
| bought lottery tickets with the money. He wins and pays them
| back 10x, plus his own stash. This story might encourage
| readers to steal their families' life-savings, expecting a
| similar outcome. But the more usual outcome is far different,
| worse, and harmful, and this deserves emphasis.
|
| I suspect that _most_ commenters on this site applaud the
| kid's adventurousness and style. A great hack! But we are
| uniquely aware of how rare it is that anyone with authority,
| school administrators or law enforcement, would show any
| leniency or self-restraint in these cases. On balance, the
| instinct seems to go for the jugular, dehumanize the kid as a
| criminal hacker, and ruin his life. No-one is saying that's
| good, or reasonable. It's just how it is.
| tertius wrote:
| Probably better to try and reform the law instead of suggest
| children break the law and ruin their lives.
| WarOnPrivacy wrote:
| Clarifying that the ruination of lives here is the direct
| result of profoundly bad laws that inappropriately
| criminalize benign behaviors.
| CobrastanJorji wrote:
| I remember back in high school we had this computer lab that
| was all locked down. Didn't allow opening the CD-ROM drives,
| only allowed certain educational websites, etc. I put a little
| remote access app on my share drive as a way to open my own CD
| drive, mostly just to see if I could do it. The school's
| computer guy came and found me and was like "hey, a file pinged
| as malware, what's up with that" and we had a fun discussion
| about it and I deleted it and we moved on with our lives. I
| didn't think about it again. Years later, I looked back with
| horror at how badly that could have gone for me.
| aspenmayer wrote:
| Your school didn't have paperclips?
| klyrs wrote:
| Can't get 'em through the metal detector. Gotta grind down
| a toothbrush on concrete these days...
| jfk13 wrote:
| Ah, you young whippersnappers with your labs and networks and
| CDs... my high school just got one Commodore PET, that was
| "the school computer" in my day.
|
| Fortunately, I got on well with the math teacher who had
| charge of it, and he'd let me take it home over the weekends.
| Those were the days...
| edoceo wrote:
| Apple IIe gang over here. Don't bend my floppy!
| Mizza wrote:
| I know somebody - I think they post here, hi! - who ended up in
| "weekend jail" with a conviction for sharing a school's WiFi
| password without permission. I also once got reprimanded for
| writing a blog post not too dissimilar to this one at a less
| sympathetic school. I also remember the joy of hiding a server
| in the ceiling of our school so we could play UT2K3 on the
| library computers before that exploded similarly. Adults are so
| boring.
| mdip wrote:
| Every district is different, heck -- every _school_ within a
| district can be different in extreme discipline like this.
| Frankly, the size of his district represented a lot of risk;
| those often have the policies with the least wiggle-room --
| like "Weekend Jail for Sharing a WiFi password" (insane).
|
| At the school my child attends, I am confident he would have
| ended up with a pat on the back if the circumstances were
| similar. I can't speak for the district -- I'd be willing to
| bet that'd be _very_ risky. At the school I had once
| attended, I'd expect the entire district would behave
| similarly. I'm _sure_ there were people within the district
| administration that wanted to throw the book at the kids
| involved.
|
| Here's the thing for those people: the last thing a school
| district wants is to become national news for punishing a
| bunch of kids who the evening news can make out to look like
| "Geniuses". Since nothing failed in their plan -- that's
| _crazy important_ -- there would be very few ways to frame
| the story that makes the administration look like anything
| but bullies, and many will frame them as "petty bullies". I
| have a friend I went to High School with who is now a High
| School principal. He's still "that guy I went to High School
| with." I have no doubt he would have given the kids an award
| privately, if not publicly.
|
| It's sad that some public school districts are using
| discipline approaches you'd expect to see in prisons, rather
| than a school, and I'm sure in certain places in the country,
| that might be a necessity. Context matters, too -- were these
| kids who were constantly pulling pranks like this, had been
| talked to in the past/impacted things in the past, etc, I'd
| expect a harsh response: "Yes, we get it, you're smart, stop
| breaking things already, read the horrors of the 1986 CFAA
| because that's coming if it happens again." I'm guessing
| these were otherwise good students.
| baybal2 wrote:
| This is ridiculous
| outworlder wrote:
| > because it sends the signal to other young aspiring
| cybersecurity professionals that this is OK,
|
| There are _multiple_ disclaimers in the text, almost every
| other paragraph.
| runjake wrote:
| That said, maybe we should lighten up on minors performing
| harmless/non-destructive pranks.
|
| Not everything warrants felony charges for kids.
| jjoonathan wrote:
| Of course -- but we aren't the ones making the rules, and the
| ones who do make the rules have certain incentives that lead
| them in dark directions.
| dec0dedab0de wrote:
| _Anyone in the field will tell you that this is an absolute
| disaster of a post because it sends the signal to other young
| aspiring cybersecurity professionals that this is OK, and the
| school will laugh it off, and you'll be seen as an adorable
| Matthew Broderick type Wargames character. I can't
| overemphasize how far this is from the truth in 2021._
|
| Or maybe it will shame other IT departments into not having a
| stick up their butt. Especially if there is already a culture
| of overlooking minor criminal activity in the name of harmless
| pranks.
| ActorNightly wrote:
| I'd actually wonder if criminal history matters when you have
| skills like this that are very much in demand.
|
| If this went to court, the charges of malicious intent would
| likely not stick, so jail time could likely be avoided in lieu of
| fine/community service.
|
| Competent tech companies will not give a shit about a criminal
| record of this nature.
|
| Expulsion from school is pretty much irrelevant, especially for
| CS careers. You can get a GED, find any college with a CS program
| that will take your money, spend a year having fun, apply for
| an internship at a tech company, do a good job to be offered a
| return, talk to HR to go directly into entry level role, and
| you are set (have personally seen 2 cases of this happening
| with an intern).
|
| The most functionally harmful thing would be monetary cost,
| which is still inconsequential considering the salary this guy
| would make.
| kube-system wrote:
| It depends on how regulated the particular industry is. If
| you're building consumer web apps at a startup, it probably
| won't matter. If you want to be a government contractor, it's
| probably a nonstarter.
| joezydeco wrote:
| I live near this kid and I'd offer them an internship on the spot
| if they came forward...but I fear they'd just be bored.
___________________________________________________________________
(page generated 2021-10-12 23:00 UTC)