[HN Gopher] IoT hacking and rickrolling my high school district
___________________________________________________________________
Author : revicon
Score : 706 points
Date : 2021-10-12 19:38 UTC (3 hours ago)
(HTM) web link (whitehoodhacker.net)
(TXT) w3m dump (whitehoodhacker.net)
| dmitrygr wrote:
| Many here, I am sure, got in trouble in high school for exposing security issues in school IT. So I imagine we're all very happy to see a sane response from school administration for once!
| h2odragon wrote:
| Stories of more enlightened school administrators are always welcome.
|
| My story: the "second best high school in the state" had an AT&T 3b2. They wouldn't let me take any classes that used it because they were afraid of what I might do to it (their words). I mean, they weren't actually _wrong_ to worry, but it didn't really have anything on it.
| dvtrn wrote:
| I got in trouble once in high school just for discovering and then using `net send` to send a message to my friend that said "Hi from lab 3".
|
| Computer lab access revoked for 6 weeks. Joke's on them, now I send socket messages to my friend that says "Hi from Chicago" and there's nothing they can do about it.
|
| My friend however keeps begging me to use this thing called 'email' because he claims he doesn't see the socket messages.
| flatiron wrote:
| everyone in my school net send bombed everyone all the time. I'm not sure how they didn't figure out how to just turn it off.
|
| but i remember you had to do it from a library computer, because it said who it sent it from. so you had to do a little drive by walking net send as you walked out of the library to not get caught
| m0ngr31 wrote:
| We would write scripts to essentially make net send DOS attacks on different labs.
| uudecoded wrote:
| Sorry you got access revoked.
| I accidentally did a net send (via the GUI) to the whole district domain instead of my friend in AP CS that said "Time for break!" right before the snack break.
|
| In my next class, the teacher was talking about "Time for break" virus going around... :/
|
| This was after the district IT wanted to suspend me for setting up a Windows 2000 domain for the yearbook lab, so I kept my mouth shut.
| ar_lan wrote:
| There was an excessively annoying kid in my high school and I learned to send remote commands to any computer in our lab, so I sent a command on loop that continuously opened his disk drive (it would automatically re-open after closing), and if he was particularly annoying I would shut down his computer.
|
| I never once got in trouble for it - the teacher would ask the class, directly looking at me, from time to time to stop it, but I never got in trouble.
|
| I imagine he was just using those announcements to get me to stop from time to time, but knew this kid deserved it so he never did more than that.
| AnIdiotOnTheNet wrote:
| I don't know. I feel like a lot of the people here celebrate their former exploits as though they weren't committing the computer equivalent of rifling through unlocked desk drawers and graffitiing the walls. They seem so surprised that overworked and underpaid public servants don't appreciate that.
| tubbs wrote:
| Story time, I guess.
|
| I went to a small private Christian school back in the late 200X's, and not the type of private school that had gobs of money. For two years, our desktop computers in the computer lab and the English classroom ran Ubuntu Linux (presumably because Windows licenses were >$0). The only students with Linux experience were myself and a friend that I introduced to Linux (who is also now an IT professional).
|
| For a month or two we systematically changed the remote desktop preferences to automatically accept new connections and not to display any messages saying that there is a connection. We tried to never sit at the same computer twice so that we could "adjust" as many computers as possible and to make a secret map of where each computer was by hostname.
|
| If we were in the computer lab and feeling mischievous (always), we'd poll around English classroom hostnames to see if any were in use, or vice versa. We'd "help" people write their papers (very creatively, I might add), speedrun through other students' typing lessons, open a terminal and run "telnet towel.blinkenlights.nl", or whatever else we could come up with.
|
| Well, wouldn't you know it, word gets around this is happening and we naturally get called in to the principal's office (because who else?). While expecting the worst, we were told "we know what you're doing, we don't know how to stop you, but we encourage you to stop and use your technical abilities productively instead" and were let off without punishment. We both came out of it with great respect for the administration because they showed us respect we didn't deserve, and we stopped.
| thomasfromcdnjs wrote:
| So much attention to detail that I can't help but think that the kid's parents were helping along the way.
| ajford wrote:
| Maybe, maybe not. The author has graduated from High School, meaning they're about to enter college or the workforce. I wouldn't be surprised to see this level of detail from someone at that level academically. Delighted, yes. Would I expect it from everyone? Hell no.
|
| But surprised that a tech-enthusiast and eager learner might have put this much thought into this prank and its potential consequences, not so much.
|
| Teenagers/young adults tend to have different stressors and other things to occupy their time than the average adult in the workforce, meaning the author likely gave this prank a fair amount of their free time, and that dedication showed through in the amount of planning done.
|
| Additionally it's likely, given they mentioned once or twice in the article they planned on posting a blog about the prank, that they might be hoping to use this on their resume or as a talking point in their career. If they're hoping to go into security or comp sci, this would be a decent feather in their cap and the amount of time spent is easily justified.
| donatj wrote:
| When I was in elementary school in the early 90's, I discovered you could use AppleTalk to print to just about any printer in the district.
|
| I would print pages and pages of "I AM THE MASS PAPER WASTER!!!" to random printers in other buildings. I'm genuinely curious if it actually worked.
| castis wrote:
| Free relatively harmless large-scale pen testing! Nice work.
| giantg2 wrote:
| My first thought when I read the headline was "another kid with a felony following them around for a prank that didn't harm anyone". Nice to see they weren't prosecuted.
| ianhawes wrote:
| Given the amount of press this is receiving and the fact that the message the administration sent to them _seemed_ a bit suspect, I wouldn't be surprised if the kids did end up catching several charges.
| hnwd wrote:
| I'm interested to know how was he able to remote access to seemingly any machine in the network, from outside?
| WhiteHoodHacker wrote:
| I had Chrome RDP access on a few machines setup earlier, since I could come in-person with my team for security competitions.
| midwestemo wrote:
| Hey I know someone who goes to that school, interesting.
| He was telling me about this incident before
| jcims wrote:
| I've said this a bunch on here so please tell me to stuff it if it's tiresome, but having been on the far side of a large scale bug bounty I am incredibly impressed with the skills that young folks are developing in infosec. Probably not particularly unique but the industry is still a bit of a combination of tradecraft and academic pursuit and can be confusing for people to find a way in. I think this is why I really appreciate those that just bear down and get after it.
| datavirtue wrote:
| Quick! Hire them before they can use their powers for the forces of good.
| ubermonkey wrote:
| Three things are remarkable about this, and make it a happy story.
|
| First, that the pranksters were so egregiously responsible in the way they went about it. They avoided disrupting any actual educational activities; it was meant to be harmless fun, not vandalism. No harm came to anything here.
|
| Second, that they documented their findings to the administration as part of the action, including recommendations for improvements.
|
| Third, the administration took this as exactly that: a harmless prank by smart, ethical kids who ALSO did them a favor by pointing out the vulnerabilities. If the admin had a panicked fit about this, they could have made it an ugly situation.
|
| My educational experience was populated far more by "freak out and yell" types than this school district, which was a shame.
| RubberShoes wrote:
| I went to Buffalo Grove High School in this same district and graduated many years ago. At the time no IPTV systems or EPIC bell systems were in place. However, as soon as I walked in my freshman year I noticed the 'teacher' WiFi was only using MAC Address Filtering. One minute scan and a spoof later I was poking around to discover a whole lot was visible from this privileged network. "...From the results, we found various devices exposed on the district network. These included printers, IP phones... and even security cameras without any password authentication!" It was even worse back then. It was all exposed on wide open WiFi!
|
| My senior prank was going to revolve around the printers. We were shocked to discover every printer not just in BG but across the entire district was accessible with no authentication of any kind. We cooked up ideas and were planning to print either porn or I has cheezburger/lolcat memes via telnet (I'm dating myself.)
|
| Ultimately I got into other trouble before we could execute and figured this wasn't worth not graduating over. I moved on and am so happy to see a much better prank on this same network happen so many years later with almost no repercussions. Congratulations and great prank!
| sodality2 wrote:
| I told my district that I could change my race at-will via a hidden form on the profile page. I changed it to "Purple". Got a call back from some IT guy telling me I accessed their computer without authorization, and that if it happened again, they'd press charges. I asked to be put through to the IT administrator, and he laughed and told me don't worry about it... Sometimes, they can handle it well. Very glad they did for you as well :)
| bfirsh wrote:
| Reminds me of my school leaving prank. I rewrote the whole internet on my school's computers. Google's logo became "Leavers '08", Facebook became "Hatebook" and was red, YouTube only played videos of cats, amongst other things.
|
| These were the days when nothing had SSL, so you could just intercept and rewrite traffic!
|
| My only requirement was: _do no actual damage_
|
| It was implemented as a Debian live CD that you could drop into any school computer. It would boot up, then Ettercap would MITM the whole network by spoofing the router.
| It routed all HTTP traffic via Squid and a custom ICAP server that did the actual rewriting. If you removed the live CDs, the network just went back to normal within a couple of minutes.
|
| Routing the whole school's network through one old Pentium machine wouldn't work though, so I figured out a way of doing distributed load balancing: it would do the ARP spoofing slowly and randomly. So, as you added more machines, it would just magically balance between them.
|
| It worked great for about an hour then the whole network mysteriously stopped working for the rest of the day. I left all the live CDs in the computers as a calling card.
|
| Sorry, school network admins.
| [deleted]
| mdip wrote:
| This is excellent; reminds me of (very much smaller and far less cleverly executed) grief that I caused the administration at my HS back in the day[0].
|
| There's a few comments about the risks along with a little surprise/at least applause for the administration choosing not to waste the courts/various other parts of the justice system with this prank. I completely agree -- I don't know if I'm _terribly_ surprised they chose that route (whether or not they were truly upset in the first place). I applaud the students for executing this so carefully/well and if my kids pulled something like this off with this level of care -- well, they'd at least be getting a dinner out of their choosing -- probably a trip to a nearby theme park.
|
| I suspect the kids involved were also certain that their approach, attention paid to keep from disrupting class and (thankfully thorough) testing that helped avoid a harmless prank turning into expensive litigation/really pissed off parents. But I'll bet there was a lot of fear around that, anyway! Had something gone awry -- and that's always where the risk is -- I'm guessing the outcome would have been more severe for these kids.
|
| They really played the social engineering/covering their hind-quarters side of this prank very well. A large amount of effort was put toward making sure class was not interrupted[1], things worked and were tested and they provided detailed information to the administration on how to secure their systems -- that last piece allowing them to say "Without our minimally invasive prank and report you'd have never known these issues existed. We're not that special; a more malicious student could have discovered these flaws, opted for a _porn broadcast_ and made it difficult/impossible to find them to punish." They probably understand their own school's administration and took an educated guess as to how they might handle something like that, too. At least for the scope of anything I did, I _knew_ I wouldn't hear from the Vice Principal or Principal -- I'd solved various computer problems for them by then that the worst I'd get would be "that was cool, but please don't do that again."
|
| I didn't get in trouble because the pranks worked similarly -- I tested/avoided disruption (most of the time), did no permanent damage and anything was resolved by a reboot (DOS and no fixed disk) and our harm was necessarily limited since there are only so many computers you can covertly pop a floppy disk in -- there was no network. The biggest factor, though, was that our programming teacher sometimes got involved, himself. He was the head of the math department, not your traditional "computer geek" and I was doing things that he wasn't teaching, so he encouraged it. The guy was amazing (passed away in the mid-00s).
|
| So, kids, if you _do_ try this at home, make _sure_ it all works, provably, very _very_ well and don't do anything that will give them other reasons to throw the book at you. And if your administration has more than the typical "Zero Tolerance[2]" stance on things, it's just a bad idea regardless.
|
| I'm _sure_ there were a few among the ranks that became _furious_ but cooler heads prevailed. The report at the end was a _nice_ touch.
|
| [0] Mostly contained in the computer lab, which was non-networked, but when we discovered the three-letter-acronym TSR (DOS's Terminate and Stay Ready) and realized it was rare that another student would reboot an already booted machine (it took forever counting to the 512KB or so RAM installed). Incredibly, I graduated in the late 90s -- my Senior year, the lab that taught (Turbo, then Borland) Pascal was 15 years behind what most people had at home... these diskless all-in-one bastards wouldn't break.
|
| [1] I'm sure it took the kids a little longer to get to their classes after that all happened -- that's a minor, completely expected, situation here and at least a small reward for the efforts involved.
|
| [2] The school ten miles north of us was in a rural district and had a parking lot full of trucks with hunting rifles attached sitting in the parking lot every day (well after all of the schools installed additional locks and added security theater to make parents feel better post-Columbine)...that wasn't forbidden at least as far back as the early 00s and I wouldn't be surprised if a blind eye is mostly turned, today in some parts of that district.
| guynamedloren wrote:
| Fun story! Such incredible attention to detail and thoughtfulness, all the way up to automatically sending a pen test report to the district's technical supervisors, and sharing a presentation _after_ graduation. This kid was one step ahead all along.
|
| Great work, Minh.
| dyingkneepad wrote:
| I feel so dumb when I read kids doing these things. Back in High School all I knew was how I could run arbitrary executable files by renaming them to calc.exe. We also did the classic "take a screenshot of the desktop, set it as the wallpaper, then remove all icons and the start menu" thing.
| alistairSH wrote:
| All this. Plus TI-86 kung fu. Though this was 1991-1995, IoT didn't exist and email and web access was mostly through AOL or Prodigy.
| securiTee wrote:
| Neat story, and this is clearly harmless. But isn't the most basic, fundamental, number one rule of security/pen testing to try to break into a system (no matter how weak) if and only if you've been given clearance beforehand? Why doesn't that hold here?
| GavinMcG wrote:
| The rule does apply. Also, it was a senior prank, which by definition involves breaking the rules.
| jdmichal wrote:
| The author literally put in TWO disclaimers making that exact point...
| unethical_ban wrote:
| I think the OP is asking "Why are we applauding them if they broke the rules?". The answer is "Sometimes, people break the rules".
| ajford wrote:
| Glad to see a cooperative and supportive academic administration, and I'm sure the thoroughness and planning that the team demonstrated made it easier on the administration.
|
| The sheer amount of testing and verifying no major impact to academic testing took place probably helped, and cleaning up after themselves and documenting their finding and reporting it to IT was a cherry on the top.
|
| I like that the administration even requested that the team brief the district IT on the "attack".
| lxe wrote:
| In 2001, in 7th grade at the beginning of my web dev "career", so to speak, I made a website that looked exactly like our school district's "snow day" school closure and delay page -- and I allowed anyone to edit the message. I told a few kids about this -- it was a pinnacle of my PHP prowess back then.
|
| Got called into an office -- a gifted program administration, not the regular school office. I think one of the teachers there caught wind of my cool little trick, and asked me to take it down right then and there. I was terrified, as I wasn't really someone to get into any sort of trouble.
| I was able to take it down through their machine's Windows Explorer's FTP access.
|
| Now I realize that this teacher probably saved me from a lot of trouble. I wish these sort of stories were the norm -- where educators welcome the natural curiosity instead of throwing the law at kids who dare to think outside the box.
| ar_lan wrote:
| TIL there is an Elk Grove that is not in California!
| duped wrote:
| Do prosecutors need consent from victims to file charges in cases like this?
|
| Also if you're going to commit a crime and brag about it, don't say "hey well they would point the finger at me anyway and I'm not going to name my partners." You've just told them there are coconspirators, and you don't have a right not to incriminate others.
| paxys wrote:
| They don't legally need it, but such cases are pretty much dead in court without the victim's cooperation so the prosecution will almost always drop it.
| duped wrote:
| What happens when the suspect publicly admits to doing it and providing detailed information on the motive and means
| EvanAnderson wrote:
| The Aaron Swartz prosecution continued, even after MIT and JSTOR said they didn't want to press charges, because of a zealous prosecutor.
| SavantIdiot wrote:
| Up until OP starts working out the frustrations of RTSP it was pretty much a yawner "scan for ports, http to them, see if sumthins there and unguarded". But the perseverance to make a prank work like that with a finicky protocol across a wide variety of different OEM hardware is really exceptional!
| bentcorner wrote:
| Using the school computer's webcam to test his exploit at night was genius. Very clean.
| nudgeee wrote:
| I got in trouble and subsequently suspended from school back in the '90s for causing BSOD's on classmates' computers using WinNuke [0]. They classed it as vandalism even though the payload causes no permanent damage (apart from losing unsaved work).
|
| I found more severe vulnerabilities including being able to lift home addresses of students by querying an unprotected endpoint. Didn't get in trouble for this one, and reported it promptly to the IT administrator.
|
| [0] https://en.m.wikipedia.org/wiki/WinNuke
| cghendrix wrote:
| I thought I was cool being able to modify the ready message on printers across the school network. This is really impressive.
| drusepth wrote:
| In middle school I used Javascript to change Google's button text from "I'm feeling lucky!" to "Andrew is the best!" (javascript:getElementById('').text='blah')
|
| I showed some other students who were so freaked out that I had "hacked Google" that I got the attention of the librarian, who promptly banned me from the library computers for the rest of the year, even after I refreshed the page to show them it wasn't "real". Oof.
| person22 wrote:
| I wrote an infinite loop in postscript and sent it to all the printers. This was when postscript printers cost a fortune so there were not many of them. Fun days were those.
| earksiinni wrote:
| Serious question. What, if any, instruction do kids these days receive regarding what's allowed on computer systems?
|
| I remember in high school poking around a network drive until I found an executable with the name "SEND" in the name. I had a sense that it would send some kind of message somewhere, but I honestly didn't know where or to how many people. I was quite surprised when all the screens in our computer lab froze and, five seconds later, my message appeared on all of them. (I later learned that my message appeared on every desktop screen in the school!)
|
| I'm not sure exactly how they found me out, but I was called into the IT admin's office a couple of days later. She was furious with me. I told her the truth. I didn't know what exactly would happen when I ran that command, but she didn't buy it.
| Fortunately, nothing ended up happening after that.
|
| I've wondered to this day what exactly they could have done to me if they decided to press whatever legal authority they might have had to its fullest extent. I was never told "don't go to Z:\" or "don't run any program other than those on this list." Even after I was found out, I wasn't ever explicitly told that my actions constituted unauthorized access.
|
| It was a different, perhaps more innocent (or ignorant) time back then. How much have things changed now?
| thrashh wrote:
| Kids have been jumping fences for millennia.
|
| That said, I did know a kid that had charges pressed against him when I was in school so things weren't necessarily innocent back then either. He was admittedly an idiot and borderline malicious though.
| jovial_cavalier wrote:
| I graduated high school in 2015. I remember similarly poking around a network drive until I found a file in plaintext which contained everyone's student ID and whether or not they had a nut allergy (protected by HIPAA), for the bus system.
|
| I didn't think much of it, but some other students caught wind. Before I knew it, the superintendent threatened to have the police involved and press legal action for "hacking confidential student data."
|
| It's CYA all the way, usually at the expense of the person in the chain least equipped to cover their ass (the student).
| earksiinni wrote:
| Wow. That's terrifying. And you didn't even run anything!
|
| I'm guessing that they never told you "don't browse this network drive"?
| Buttons840 wrote:
| Never press F12 while browsing. Instant hacker.
|
| Seriously, I found a state website that appeared to be exposing NPI about certain people in an API response. So much NPI nicely formatted in a JSON response. I closed the page and never touched it again.
| You know the state will declare me a dangerous and sophisticated hacker because I pressed F12 to open the developer tools, that's much easier than admitting they made a mistake.
| 35fbe7d3d5b9 wrote:
| > whether or not they had a nut allergy (protected by HIPAA)
|
| Personal pet peeve:
|
| Your high school is not a covered entity and is not acting as a business associate of a covered entity. HIPAA does not apply. They are free to keep a plaintext file with your name, nut allergies, COVID vaccination status, and anything else they want to put in there - without HIPAA entering into the discussion.
|
| FERPA could apply, but I don't know much about that.
| drusepth wrote:
| Similar story: the dean of my "high school" [1] asked me to create our school website. Another student apparently poked around on a network drive and found an SQL dump of all the students' network username/passwords. I brought this file to the dean, told them it was available on a shared drive (so they could remove it), and asked if they'd like me to use it -- since I already had it -- to enable all the students to log in to the school website with their existing network usernames/passwords. They said that was a great idea and gave me the OK.
|
| A week later, police escorted me from my dorm and both I and the other student were eventually expelled and threatened with harsh legal action, which never came.
|
| [1] The "high school" was an early-entrance-to-college program where we started college at 16, lived on campus, took the normal freshman/sophomore college courses, and eventually received a high school diploma _and_ an Associate of Science when we graduated at 18. The website was for the school I attended, but the SQL dump included all of the university students as well. The school has since shut down.
| buzzert wrote:
| Hopefully everyone here has seen the movie Hackers, where a similar, but slightly more destructive prank involving the school's sprinkler system took place.
| Justsignedup wrote:
| My time in highschool was wasted. Kudos to these amazing kids.
| azinman2 wrote:
| Reminds me lightly of when I was in high school, email was fairly new -- especially at a school. My friend at a fancy private school had a Linux machine to access, and she really wanted to know what someone else had said about her. I managed to script kiddy my way in leveraging her existing shell login, got root, and read the email. What I didn't realize was that my .history file contained everything I had done. Eventually the sysadmin wrote me an email saying he knew what was going on and wanted to meet up, stating 'he wouldn't cuff me' and that he was 'a chill dude'. I was obviously scared, deleted everything, and tried to pretend nothing ever had happened.
|
| Luckily no one got in trouble (meaning me or my friend). Not so sure this would happen in 2021.
| particulars02 wrote:
| Greatest rickroll since S2E10 of Ted Lasso.
| 908B64B197 wrote:
| I just hope the author, at least, applied to MIT. He would fit right in.
|
| http://hacks.mit.edu/.
| mister_c_dub wrote:
| What a legend.
| belval wrote:
| The fact that the administration didn't choose to sue them to oblivion is refreshing. I hope we'll see a trend in the future of educators being smart enough to admit that they made a mistake and to encourage the students to develop their talent.
|
| One can only hope.
| _wldu wrote:
| Being a minor probably helps. There are so many laws today. It's too risky to do this. It's not like it was 25 years ago.
| flatiron wrote:
| I was suspended for a week for creating a network share in my typing class and dividing the work among my friends and we copied and pasted into a single document on the share. This was on Windows NT though so a LONG time ago.
| It's also I guess "cheating". But they got us on "computer hacking"
| johnebgd wrote:
| I used CACLS with an Office hack in NT / 9X to copy homework. Never got caught for that.
|
| They got me on propagating computer games through the network using shared drives the teachers were supposed to use for homework.
|
| We had BNC network cables in those days and the entire building shared a single T1 line for several hundred computers.
|
| The world has changed.
| squareof wrote:
| Same thing here. Teacher came into class with his multiple month investigation comparing all students work highlighting common errors. Found three different groups that were sharing work load. In school suspension for all of us, only like three kids left in class for the week.
| arenaninja wrote:
| Also in my typing class circa 2004 the teacher was about to kick me out because he thought I was on a chat room during his class. I was actually viewing page source on an HTML document
| the-dude wrote:
| _You were hacking a website_
| mrexroad wrote:
| 25 years ago wasn't any better... I recall several in my circle getting suspended for harmless things. The lesson: don't explore, don't be curious, and don't try to fix anything related to the school and computers. Sigh.
| AnIdiotOnTheNet wrote:
| People on HN always act like what they were doing was almost noble. You weren't. If you had been picking locks or even rummaging around unlocked desk drawers you'd get the same treatment and deserve it.
| PradeetPatel wrote:
| Consent is paramount when doing that type of exploration. Without explicit permission, how would an IT administrator distinguish the difference between a curious student and a malicious attacker?
| jhgb wrote:
| Well, I imagine that would require using a brain, which may be an onerous requirement.
| burnished wrote:
| You're not wrong, but I think it might be helpful to think of this in different terms.
| Teenagers, with burgeoning agency, are being denied the ability to meaningfully impact their environment yet are bound to it for most of their lives.
|
| I agree with you that explicit permission is important, but it is also something that young people are frequently and explicitly denied. I don't think the solution is condoning that sort of 'extracurricular', but I think we should recognize the problem is probably starting with the adults in the situation.
| BackBlast wrote:
| You would think so, only this is a bit opaque when dealing with a local school and a district bureaucracy with various computer labs, internet and phone systems. As a student, you may think that the right person to ask is the local teacher who has control of the asset. Especially if that teacher has been assigned IT duties.
|
| But to many school administrators consent of teachers is meaningless. Those assets aren't owned by the teachers but by the district, even if they are the apparent authority figures and stewards in the eyes of the students.
| bluedino wrote:
| Yea, kids would get expelled in the old days for putting a screensaver password
| judge2020 wrote:
| It can get pretty messy. For example, they could wait until they're 21 to try them as an adult, even if it was committed at 17 or younger [0 p. 128]:
|
| > a person who committed the offense before his eighteenth birthday, but is over twenty-one on the date formal charges are filed, may be prosecuted as an adult.... This is true even where the government could have charged the juvenile prior to his twenty-first birthday, but did not.
|
| However, the statute of limitations for CFAA violations is 2 years [1 p. 2] so this might not apply. If somehow they can still go after him at 21, this post could play a part in evidence for performing the hack (I truly hope not).
|
| 0: https://www.justice.gov/sites/default/files/criminal-ccips/l...
| | 1: https://www.goodwinlaw.com/-/media/files/publications/10_0 | 1-... | giantg2 wrote: | The newest policy is to charge minors as adults unless | there's a compelling and beneficial reason not to. I think | that was a DOJ change around 2009. Not sure how many states | followed suit. But in general, it's increasingly likely that | minors are being charged as adults. | nielsbot wrote: | Probably helps that "We prepared complete documentation of | everything we did, including recommendations to remediate the | vulnerabilities we discovered. We sent a comprehensive 26-page | penetration test report to the D214 tech team and worked with | them to help secure their network." | munificent wrote: | In many cases, a 26-page report documenting the incompetency | of a team would not be taken kindly. | IshKebab wrote: | That hasn't helped in the past. Frankly I think they were | naive to reveal themselves no matter what the authorities | said. It hasn't gone nearly as well for other people. | treesknees wrote: | The students were extremely lucky. | | The advice given to me in high school (I was working on | tech projects after school for several teachers and groups) | was to not even try or explore poking around the IT | networks no matter how good my intentions were. All it | takes is one grumpy school administrator to feel undermined | or to misunderstand your report and you could be expelled. | | When you're in a position like a student, you're still | working your way up and building credibility. No need to | risk it all for an IT group that doesn't want your security | advice and didn't ask for your help. | dylan604 wrote: | It doesn't stop at the student level. Find something at | the corp level with an arrogant IT dept, and you'll find | yourself in uncomfortable situations as well. | adventured wrote: | It's always fascinating how dramatically different | schools can be.
When I was in high school, in the late | 1990s, nobody would have cared so much about something | along these lines. At worst it would have resulted in a | three day suspension from school and lecture from the | principal. | PradeetPatel wrote: | Seconded, the same advice has also been given to me back | in India. | | "Know where your boundaries are and who your stakeholders | are, don't do anything that will make your stakeholders | look bad." It's a life advice given to me by my high | school teacher that served me well in my professional | life. | [deleted] | rootsudo wrote: | Yep - I, like many of my friends and people who are | naturally curious and work today in "Cybersecurity" had | fun, poked around - but once you found little data troves | - it reveals how inept a lot of people can be. | | And you just volunteer to be thrown under the bus as that | "hacker." | | Anonymous, maybe. As a student, under 18 - you're | "immune" from many things - but it can be a stain. | colinmhayes wrote: | He had already graduated, so expulsion wasn't an option. | ohazi wrote: | Expulsion is one of the friendlier outcomes. Federal | prosecution and prison time are also very realistic | options here. It's happened to other well-meaning kids on | many occasions. | 63 wrote: | He addresses this pretty well in the post imo. His co- | conspirators remained unnamed while he alone revealed | himself because he wanted to publish this post and it's | highly likely he would've been blamed anyway. | dont__panic wrote: | The poster/hacker actually addresses this -- he doesn't | reveal himself until _after_ graduation, keeps his fellow | hackers secret still, and mentions that he was most likely | the prime suspect in the district anyway. Seems like a fair | tradeoff if he wanted to make this blog post, though school | districts could be nasty and litigious, I guess.
| throwawayboise wrote: | Pretty sure there's nothing stopping the school district | from retroactively rescinding his graduation, or refusing | to send transcripts to universities, or informing those | universities of his transgressions, which would probably | result in revoked admission. | duped wrote: | It's still a terrible idea to admit to committing a crime | under your real name before the statute of limitations | has run out | generalizations wrote: | Is there even a statute of limitations for this kind of | thing? Seems way better to just never admit to it at all. | greyface- wrote: | The CFAA has a statute of limitations of 2 years. | Accujack wrote: | I'm sure it helps a lot that they're in a high tax base area, | and the quality of the educators hired probably reflects that. | | https://statisticalatlas.com/school-district/Illinois/Townsh... | Waterluvian wrote: | Yep. What they did was wrong. And by doing so they threw | themselves at the mercy of the entity they hacked. The | refreshing part is that the entity did the morally right thing | and showed mercy. | edoceo wrote: | Too right! Get this kid a job, not punishment. | bluedino wrote: | I'm glad to see a kid using bash and not something like _gulp_ | PowerShell | codezero wrote: | Not to diminish your comment, but a thing I've found late in my | career is to abandon dogma when it comes to young folks | learning. If they can learn with PowerShell, they're a lot | better off than a lot of young folks! There is no one-true- | way and as soon as you find it, another generation will show | up with another-true-way :) | blacktriangle wrote: | Credit where credit is due, we all WISH *nix had something | like PowerShell. Passing strings from program to program is a | pain, passing around .NET objects instead is a great step | forward, as can be seen by the several attempts at similar | shells passing around JSON objects.
| throwawayboise wrote: | > Passing strings from program to program is a pain | | The internet has been pretty successful and many popular | protocols (http, smtp, etc) are exactly "passing strings | from program to program" | AnIdiotOnTheNet wrote: | Which is why all browsers render the same thing exactly | the same way and there's no need at all to test more than | one. Yep. | oneplane wrote: | The presentation layer has nothing to do with the protocol | layer... | | If you pump some serialised binary into a browser it will | still render wrong. | simorley wrote: | > Credit where credit is due, we all WISH *nix had | something like PowerShell. | | Who is "we". I've worked exclusively on a windows stack so | used powershell on the job. But at home, I use bash. I | don't want something like powershell in *nix and don't use | powershell on *nix even though it's been available on *nix | for many years now. | | > Passing strings from program to program is a pain | | You can argue it's the basis of computer science and also | pretty efficient. | | > passing around .NET objects instead is a great step | forward, as can be seen by the several attempts at similar | shells passing around JSON objects. | | Passing around objects can be slow, inefficient, wasteful, | etc though it can be convenient. | | If you are on a windows stack then go with powershell. If | not, then go with bash. Nobody should be on a windows stack | but sadly, much of the business world has been captured by | microsoft. | jdmichal wrote: | PowerShell has been available on Linux via .NET Core since | 2016 and version 6.0. Even my Windows box with PowerShell | 5.1 likes to remind me of this fact every time I start it: | Windows PowerShell Copyright (C) Microsoft | Corporation. All rights reserved. Try the | new cross-platform PowerShell https://aka.ms/pscore6 | judge2020 wrote: | On that note, I'm saddened Windows 11 doesn't ship with | Powershell 7.
Are there that many breaking changes in the | switch from 5 -> 6 or 5 -> 7? | oneplane wrote: | There have been REPLs like PowerShell for ages, it's | nothing really new. The only nuance in this is that it is | new in the Windows ecosystem to have something like that | supported by Microsoft. Ironically, it hasn't managed to | displace the command prompt or batch files, so instead of | having to deal with one thing, you now have to deal with | two things. | | As for the passing of strings: it might seem like a pain, | but as soon as you start working with non-program I/O it's | not like you'll have much of a choice. Keep in mind that it | is the lowest form of communication and you can build on | top of that. Same with I/O in general: nothing prevents you | from using shared memory or a device instead. | IshKebab wrote: | You're glad to see them using the ancient clusterfuck that is | Bash, and not a modern relatively sane shell that is | indisputably the most seminal shell in the last 30 years? | orwin wrote: | Nah, i actually used powershell before bash because i did a | lot of android hacking stuff before learning to code. I | worked with Powershell 3, powershell 4 and powershell 5. | Powershell 3 was the most painful thing to work with. No | state across session, the default were shit so i had to | reconfigure more often than not. Slow, painful, buggy... | Around the same time i learned how to bash pretty well in | two days, use rsync, use ssh, use sed and awk... Powershell | 3 was shit compared to this. | | Then i used powershell4, i guess it was better but honestly | i don't think i've used it very much. Powershell5 might be | better than bash for 90% of the dev population though. | jhgb wrote: | Well at least it's a racing horse and not a turtle. | flerchin wrote: | Seminal. | Miner49er wrote: | Powershell is actually good though.
| rsp1984 wrote: | In case anyone else is wondering how the heck the kid got access | to the district's network, the key sentence is hidden in the | middle of the post: | | _Since freshman year, I had complete access to the IPTV system. | I only messed around with it a few times and had plans for a | senior prank, but it moved to the back of my mind and eventually | went forgotten._ | | Not sure why they don't go into more detail about how exactly | "complete access" was obtained, since that is obviously the | hardest part of hacking any system. Not trying to downplay the | achievement here, just think that this would have deserved a bit | more detail. | kevinsundar wrote: | It seems like he just was on the school network and the IPTV | devices were also on the same network with no authentication. | gjsman-1000 wrote: | I was at my own community college 2 years ago, and they had those | Smart TVs showing news and weather everywhere, as well as custom | images uploaded by the clubs on campus. | | It was supposed to be that a club could log into them, make, and | submit a graphic to display on the TVs, but the school would have | to review them before they would be displayed. | | However, I would later find out, a software update had messed up | the roles system and so that club username/password which was in | a public document actually had the ability to post things | immediately on the TVs, without review. I found this out when I | made a Math Club poster, hit the button, and it was immediately | live without a check. | | I just reported it and it was fixed the next day. My instructor | said that could have been really really bad considering some more | unscrupulous college kids who would have (not naming names) | probably gotten a kick out of throwing pr0n on them... | hx2a wrote: | When I was in High School (early 90's) we got a new computer | system that nobody was using yet. 
I discovered there was an email | system of some kind and that every student had an email address | that we were not told about. I also discovered Tetris installed | in a directory on the server. I was able to play Tetris and I | could show other students how to access it, but it was | inconvenient to get to. | | Therefore I decided I would email Tetris to every student (I | emailed the executable, not a link to Tetris), making it easier | for everyone to play also. As soon as I did this the entire | system got very slow...apparently the server had no quotas or | partitioning and the hundreds of copies of Tetris filled up 100% | of the hard drive space. It was a disaster. The computer | "specialist" had no idea how to fix the system and she was | teaching an adult education class that evening that required the | system to work. She was furious and wanted me to get suspended. | It didn't happen though because I spoke up about the problem | right when I knew there was a problem and also some other | teachers intervened on my behalf. | | The woman who was responsible for the computer system back then | is now the superintendent of the school system. I wonder if she | remembers me. | codazoda wrote: | She remembers you. | | I also graduated in the early 90's and my children recently | graduated from my alma mater. When I went with them to teacher | conferences some of the same teachers were still there. | Teachers that I didn't even have classes with remember me. | jackson1442 wrote: | About two years ago, I was in high school and decided to, as a | joke, "hack" the computer. By logging in as admn:password. I was | incredibly surprised when it actually ended up working as a | domain admin account. After checking this, I immediately signed | out. | | When my CS teacher filed a ticket asking "who has the user | account 'admin' and why is the password 'password?'" IT wanted to | revoke my network login and probably put me in ISS for a few | days. 
Fortunately, my CS teacher didn't reveal who I was. | | Very glad IT at this person's school took it in stride, | unfortunately this was just the MO of IT in my district. | themantra514 wrote: | This is the way. | kervantas wrote: | The s in IoT stands for security. | don-code wrote: | I'm impressed with how much foresight this high schooler had in | preparing for the prank. My impression is that most high school | age kids would out themselves within the first few weeks of | planning due to wanting to boast, here they instead took to | testing covertly, overnight. | mmaunder wrote: | Someone I know did something similar, was arrested in their | college dorm, and at the sentencing hearing in federal court was | fined and sentenced to 5 years probation, and now has a criminal | record. | | This kid is very very lucky. Obviously they violated the CFAA | which carries severe criminal penalties. They engaged in actual | hacking without any permission or defined scope. And they | exploited the system without any responsible disclosure process. | | Anyone in the field will tell you that this is an absolute | disaster of a post because it sends the signal to other young | aspiring cybersecurity professionals that this is OK, and the | school will laugh it off, and you'll be seen as an adorable | Matthew Broderick type Wargames character. I can't overemphasize | how far this is from the truth in 2021. | | Absolutely do not access systems you are not allowed to. If you | do want to do penetration testing, you need permission from the | systems owner and a clearly defined scope. And when you do find | issues, you don't exploit them, you responsibly disclose them | within a clearly defined framework. | | If you want to end up with a criminal record that will profoundly | affect the rest of your life, including your career prospects and | ability to travel internationally, then by all means, do what | this guy did. | | I wish it wasn't so. It never used to be.
But this is how it is | now. Overzealous prosecutors have been given a huge amount of | power, and all you need is one embarrassed systems administrator, | school board or management team to trigger a disastrous outcome | in stories like this. | inputsecretcode wrote: | Wow that's terrifying, I'm from the EU and did 1000x worse | stuff than that, never suffered any consequence, which is not | right, but teenagers going to prison for hacking pranks it's | really fucked up. | bsza wrote: | > This kid is very very lucky. | | No, he is just smart. He did it anonymously. He knows how to | cover his a$$. | | > it sends the signal to other young aspiring cybersecurity | professionals that this is OK | | The post literally has a whole section dedicated to explaining | that this is not OK, but whatever. | jdkee wrote: | This post is 100% spot on. While the local school district may | treat it as a prank, in the U.S. the federal authorities may | not. To see how seriously the government takes this act, look | at the penalties section of the relevant U.S. code. | | https://www.law.cornell.edu/uscode/text/18/1030 | collegeburner wrote: | Yeah, go to them about ransomware gangs or nation state | actors and you basically get told "lol we can't do shit". | Complain about a kid prank and they'll go apeshit and make a, | uhh, federal case of it to make themselves feel needed. | dakna wrote: | And yet, there is overwhelming demand for what the government | calls "cyber security". As a developer it is easy to get good | at your craft by practicing and learning, how in the world is | a security specialist able to practice without asking for | permission or already having a job? A home lab setup? A | college degree and formal education? I'm curious how people | actually evaluate this career choice.
| ActorNightly wrote: | In my personal experience with working in government | related cyber security, the positions are for dudes that | type bash commands to run tools that are all developed by | 3p companies, which end up hiring people regardless of | criminal history. | aerostable_slug wrote: | Capture The Flag challenges. You don't need much more than | a terminal. | rhexs wrote: | The leetcode of the security world! Thankfully not that | bad...yet. | jjoonathan wrote: | Gross but true. The administration has every incentive and | opportunity to spin this into a self-serving story about taking | down evil sinister hackers -- and maybe scapegoat a few | unrelated problems while they are at it. | | I am delighted that these admins had the character to resist | the perverse incentives of the system. | marvin wrote: | There is something obscenely totalitarian about this whole | mindset. You're making a very pragmatic point, but take a step | back and look at the whole thing. | | You're warning a teenager against making a brilliant, harmless, | funny and responsible prank so that they won't get their whole | life fucked up forever. Think a little about what kind of | political system necessitates that kind of ridiculous warning. | What sort of nation does this kind of thing to its kids? If we | strike the United States from the list, what sort of countries | are left? | | You guys really need to get your so-called justice system | sorted out. Sorry to make such a blunt point, but this is | depressing as hell. | mcbishop wrote: | Malicious hackers could have shown something unspeakably vile | on all those screens. If this kid reduced the likelihood of | that... he's a hero. Alas, I totally hear you. | Faaak wrote: | I agree, that feels wrong to me... | | When I was younger (~15) I also did some "fun" (aka stupid) | stuff with the school computer network and in the end they got | me and I received a "formal warning" (it was in France). 
| | In the end I'm glad for it because that scared me off and I | never tried again on stuff that I don't own. | | But putting a kid in jail/having a criminal record seems way too | excessive to me. Kids are dumb. And by punishing them that hard | they won't become a better person. hell, they won't be able to | have a job! | WarOnPrivacy wrote: | > But putting a kid in jail/having a criminal record seems | way too excessive to me. | | It absolutely is. Society is clearly harmed by laws like the | CFAA. | | LEO do like overly broad laws though. There's nothing better | to ruin the lives of people that cops don't like. | donatj wrote: | When I was in High School in 2003 I discovered you could pretty | easily get around the tool that blocked running installers by | launching them by entering the full path to the installer in | the address bar of Internet Explorer. This was before Windows | and IE were decoupled. I installed VNC server on a couple | friends' computers and used it for some light hearted pranks, | but didn't do anything else with it. | | One of my friends who I did this to went crazy with it and used | it to mess with his teachers' computers. Ended up in huge | trouble, cops knocking on his door, and I believe probation. | This was the year after I graduated. | | On the one hand, I kind of feel responsible for showing him, on | the other hand, it's his fault he had to go off and be an idiot | with something I just thought was fun. | bellyfullofbac wrote: | Ah, 2021, such sad times, where we squash our creativities in | fear of the police, where you'd think twice before doing | something like one of the MIT hacks http://hacks.mit.edu ... | | I do wonder if they could've secured themselves with VPN and | "untraceable" anonymous emails (e.g. asking for a guarantee | that they won't be sued/charged), although the teenage bragging | rights would've been too tempting.
| | I wonder if it was possible for the hacker to ask a lawyer to | represent them anonymously and make a contract, something like | the district promises not to file criminal charges, and if they | violate this deal they will have to pay a lot of money... | nucleardog wrote: | > I wonder if it was possible for the hacker to ask a lawyer | to represent them anonymously and make a contract, something | like the district promises not to file criminal charges, and | if they violate this deal they will have to pay a lot of | money... | | Criminal charges are generally filed by the prosecutor. | They'll generally follow the wishes of the victim, but are | not required to (think, e.g., domestic violence cases). There | is absolutely zero the school can do to guarantee that you | won't be charged if the prosecutor does catch wind of the | incident and decides to make an example of you. | petesergeant wrote: | My understanding is that in America, prosecutors are often | political appointees without much institutional oversight, | as compared to being a reasonably dull civil service | department who have to justify prosecutions as being in the | public interest | noodlesUK wrote: | This is generally true, but the CFAA is obviously not | violated by access which is authorised. In this case, you | could simply draw up a pentest agreement and get them to | say any such activity would be authorised. | whimsicalism wrote: | > I do wonder if they could've secured themselves with VPN | and "untraceable" anonymous emails (e.g. asking for a | guarantee that they won't be sued/charged), although the | teenage bragging rights would've been too tempting. | | If you read TFA, that is effectively what happened. Even with | the guarantee, only one of them revealed themselves. | paxys wrote: | No point in pulling off a complicated prank without | enjoying the notoriety gained from it. 
| pascalxus wrote: | yeah, it's pretty messed up that there's such extremely heavy | penalties for merely playing a youtube video on a few screens | whereas looting and stealing go completely unpunished. what | kind of message is that sending to our youth? | usmannk wrote: | > Anyone in the field will tell you that this is an absolute | disaster of a post because it sends the signal to other young | aspiring cybersecurity professionals that this is OK | | Maybe a bit overzealous with the reaction here. OK, sure, the | OP could have been even more serious about this but literally | the first labeled section is "DISCLAIMER" and says: | | > With that said, what we did was very illegal, and other | administrations may have pressed charges. We are grateful that | the D214 administration was so understanding. | tkinom wrote: | For anyone who like to hack legally and ethically, check out | https://www.hackerone.com/. If you're very good at hacking | devices, software, networks, etc, companies will pay bounties | for the vulnerabilities you find thru HackerOne. | | Looks like they paid out millions in bounty in 2020: | https://www.zdnet.com/article/hackerones-2020-top-10-public- | bug-bounty-programs/ | cwkoss wrote: | Worth a try, but I didn't have a good experience with it. | | Companies can mark items as duplicates without fixing the | underlying bug for an indefinite period of time. So the 3 | vulnerabilities I found all got marked as duplicates without | any compensation or even acknowledgement of my time writing | up the issues. Felt like a complete waste of time. | | If you're great, you can probably find novel stuff better | than I was able to, but if you're that great you likely | already have plenty of employment opportunities. | hparadiz wrote: | Posts like yours validate the insane over criminalization of | what essentially amounts to a prank. I had literally the exact | same experience in high school. Got expelled and had to get a | GED. 
They could have easily pressed charges. | | Part of the issue is people like you who advocate for | respecting "the system" and essentially scaring kids into not | doing anything. Except that simply reinforces the draconian | laws that are currently in place. If more kids rebelled and | this was a regular occurrence it would help to desensitize | society to digital pranks instead of always treating these kids | like terrorists. | quasarj wrote: | What? How is warning someone that they are going to ruin | their lives the same as endorsing it? | testudovictoria wrote: | GP isn't validating over criminalization. GP is trying to | steer people clear of catching charges. The end results for | both is, "Don't hack your school district for a prank," but | the context of the two are very different. Students' minds | are still developing. You can tell them not to respect | Draconian laws surrounding hacking, but do the students | understand what's at stake? | | Yes, students get in trouble all the time, but most of the | consequences for their stupidity are slaps on the hand. Lunch | in a classroom, a parent-teacher conference, after school | detention, in-school suspension, getting grounded - none of | these things carry civil or criminal charges that are a | matter of record. What should be a harmless prank can turn | into a life altering civil and criminal charges. With high | school kids, things quickly go from, "I hacked the school | network to do a Rick Roll; they laughed and sent me on my | way," all the way to, "I gave my friend the exploit to do | something similar; I didn't know he was going to change | everyone's grades to 69%." | | Further, I would not want to teach in a district where | students doing digital pranks is the norm. I volunteer at a | high school. Unchecked digital pranks would quickly turn into | a constant stream of disruptions. Everyone would think that | their prank is better than the last.
| chrisseaton wrote: | > a prank | | Why do we tolerate pranks? You shouldn't be able to interfere | with someone else and say 'just a prank bro'. Leave other | people's things alone. Don't create work for other people. | Don't bother people just trying to do their jobs. Don't | impose your sense of humour on others. These all seem like | basics to me? | | If you think someone's funny? Great. Just don't bother other | people with it. Do it with your own stuff, not other | people's. | guynamedloren wrote: | > Why do we tolerate pranks? | | Pranks can be an outlet for creativity and learning that | might not otherwise happen. | | The post concludes with: | | > This has been one of the most remarkable experiences I | ever had in high school and I thank everyone who helped | support me. That's all and thanks for reading! | | I'm certain this kid learned so much working through the | execution of this prank, and without being criminalized by | the district, he's better off for it. Likewise, the IT | department is better off with a more secure system, and | staff and students experienced shared moments of unexpected | joy. | | Call me naive, but I'd say this kid made his small slice of | the world a bit better, if only for a fleeting moment. | chrisseaton wrote: | > Pranks can be an outlet for creativity and learning | that might not otherwise happen. | | Great. | | But do it with your own things then. Don't bother anyone | else or touch anyone else's things. | | And no worker should ever have to do any work (such as | reset a computer system) because of your prank. Workers | have enough work to do and enough hassles in their lives. | guynamedloren wrote: | > But do it with your own things then. Don't bother | anyone else or touch anyone else's things. | | You're really oversimplifying here. Something tells me | this highschooler doesn't personally own the breadth of | commercial equipment that he hacked for this prank. 
| | > And no worker should ever have to do any work (such as | reset a computer system) because of your prank. Workers | have enough work to do and enough hassles in their lives. | | Okay, let's all be worker robots :) | chrisseaton wrote: | > Something tells me this highschooler doesn't personally | own the breadth of commercial equipment that he hacked | for this prank. | | So they shouldn't have done it. | | > Okay, let's all be worker robots :) | | It's not about what you want to do. It's about what some | low-paid worker who has to clean up after you thinks. | lr4444lr wrote: | Many criminal cases require establishing intent. Pranks may | be harmful as you allude to, but the intent still matters. | chrisseaton wrote: | How does that work? Can you murder someone for a prank | and say your intent was just a prank so it was fine? | 999900000999 wrote: | This is a very complicated problem. | | Unless you kill someone I generally don't believe in life | long criminal records. They only serve to drive people into | further criminality. | | I imagine for a robbery you could get 5 years in prison, 5 | years with it on your record and then automatically get it | expunged. | | Back to the topic at hand , what if the IT hack stopped | people from getting paid on time. How many suffered emotional | distress ? Evictions can literally cause suicide. | | Maybe someone can't afford medication, skip it and have a | stroke. | | The entire criminal justice system is broken. So you did | something stupid at 20, at 46 you still can't find a job due | to your record. | | People want simple easy solutions. Things are much more | complicated. If you release a dozen felons 5 years early and | 2 go on to commit horrific crimes it's easy to ignore the | good the other 10 did | WarOnPrivacy wrote: | > The entire criminal justice system is broken. So you did | something stupid at 20, at 46 you still can't find a job | due to your record. | | Welcome to the War On Redemption. 
Primary participants are | the harmful people who create these systems and the people | who remain silent while countless lives are ruined for no | good result. | lr4444lr wrote: | I dunno. Assault that permanently injures someone, rape, | kidnapping, and trafficking are lifelong scarring for the | victims. I may not rank computer hacking or selling drugs | as deserving of a permanent record, but there are lots of | other violent crimes short of homicide that do. | Gunax wrote: | I don't think it's the record's duty to keep you from being | employed. That's the employer's decision. | | Even if I agree that it's a dumb practice, you're proposing | a world where employers are free to refuse your hire if you | (eg.) were fired from a job 26 years ago, but not because | you were convicted of a crime. | drusepth wrote: | Unfortunately, "desensitizing" people to existing law by | illegal rebellions is a Pyrrhic victory at best when the | consequences are so impactful to the individuals that martyr | for The Cause. | | There are processes for changing the laws without sending | kids to jail, having to treat kids like terrorists, or | potentially making the law even _harsher_ because it isn't | effective enough to dissuade lawbreaking. If the laws feel | draconian, perhaps following those processes might be a | better approach to change the system without as many | sacrifices. | drhayes9 wrote: | I don't think telling kids not to narc on themselves | "validates the insane over-criminalization". I think telling | legislators or parents would, though. | | The comment didn't say "respect the system", it said to deal | in the realpolitik and don't try to effect legislative change | by ruining your life as a high school student. | paxys wrote: | I don't understand this response.
Having been on the wrong | end of it you should be advocating harder than anyone to | teach kids the complexities of cybersecurity law and ensure | they can make the right decisions rather than throw away | their future over a stupid prank. There is no "validation" | happening here, the OP is just stating reality. Random high | schoolers' rebellions aren't going to result in Congress | overturning the Computer Fraud and Abuse Act and a hundred | related laws. | rkk3 wrote: | > ensure they can make the right decisions rather than | throw away their future over a stupid prank. | | Is it a good system if a "stupid prank" can "throw away | your future"? | paxys wrote: | No it is not a good system. But nothing I said is invalid | because of that. | skeaker wrote: | No, but that doesn't mean you should deliberately play | into it. | [deleted] | restingrobot wrote: | We need to have harsh penalties for this. People who don't | understand the complex systems they were able to access, | might introduce vulnerabilities that more malicious entities | can exploit. An example of this would be a student at a | university accessing internal network from a physical | terminal in a building, (intranet), and accidentally | disabling a firewall, (say to play a video from a remote | location). In doing so, it's no longer just a prank as they | may have exposed the entire internal network to outside | internet. | | This is a super basic example, but it serves to illustrate my | point. It's not just a prank bro, even when it is. | javajosh wrote: | _validate the insane over criminalization_ | | I think you misread the GP. He's not defending the system, | just describing it, and how the OP was lucky that the people | in charge were unusual and open-minded. He's warning others | that the risk/reward implied by the OP's experience is | misleading. | | Let's say the OP had stolen his family's life-savings and | bought lottery tickets with the money. 
He wins and pays them | back 10x, plus his own stash. This story might encourage | readers to steal their families' life-savings, expecting a | similar outcome. But the more usual outcome is far different, | worse, and harmful, and this deserves emphasis. | | I suspect that _most_ commenters on this site applaud the | kid's adventurousness and style. A great hack! But we are | uniquely aware of how rare it is that anyone with authority, | school administrators or law enforcement, would show any | leniency or self-restraint in these cases. On balance, the | instinct seems to go for the jugular, dehumanize the kid as a | criminal hacker, and ruin his life. No-one is saying that's | good, or reasonable. It's just how it is. | tertius wrote: | Probably better to try and reform the law instead of suggest | children break the law and ruin their lives. | WarOnPrivacy wrote: | Clarifying that the ruination of lives here is the direct | result of profoundly bad laws that inappropriately | criminalize benign behaviors. | CobrastanJorji wrote: | I remember back in high school we had this computer lab that | was all locked down. Didn't allow opening the CD-ROM drives, | only allowed certain educational websites, etc. I put a little | remote access app on my share drive as a way to open my own CD | drive, mostly just to see if I could do it. The school's | computer guy came and found me and was like "hey, a file pinged | as malware, what's up with that" and we had a fun discussion | about it and I deleted it and we moved on with our lives. I | didn't think about it again. Years later, I looked back with | horror at how badly that could have gone for me. | aspenmayer wrote: | Your school didn't have paperclips? | klyrs wrote: | Can't get 'em through the metal detector. Gotta grind down | a toothbrush on concrete these days... | jfk13 wrote: | Ah, you young whippersnappers with your labs and networks and | CDs... 
my high school just got one Commodore PET, that was | "the school computer" in my day. | | Fortunately, I got on well with the math teacher who had | charge of it, and he'd let me take it home over the weekends. | Those were the days... | edoceo wrote: | Apple IIe gang over here. Don't bend my floppy! | Mizza wrote: | I know somebody - I think they post here, hi! - who ended up in | "weekend jail" with a conviction for sharing a school's WiFi | password without permission. I also once got reprimanded for | writing a blog post not too dissimilar to this one at a less | sympathetic school. I also remember the joy of hiding a server | in the ceiling of our school so we could play UT2K3 on the | library computers before that exploded similarly. Adults are so | boring. | mdip wrote: | Every district is different, heck -- every _school_ within a | district can be different in extreme discipline like this. | Frankly, the size of his district represented a lot of risk; | those often have the policies with the least wiggle-room -- | like "Weekend Jail for Sharing a WiFi password" (insane). | | At the school my child attends, I am confident he would have | ended up with a pat on the back if the circumstances were | similar. I can't speak for the district -- I'd be willing to | bet that'd be _very_ risky. At the school I had once | attended, I'd expect the entire district would behave | similarly. I'm _sure_ there were people within the district | administration that wanted to throw the book at the kids | involved. | | Here's the thing for those people: the last thing a school | district wants is to become national news for punishing a | bunch of kids who the evening news can make out to look like | "Geniuses". Since nothing failed in their plan -- that's | _crazy important_ -- there would be very few ways to frame | the story that makes the administration look like anything | but bullies, and many will frame them as "petty bullies". 
I | have a friend I went to High School with who is now a High | School principal. He's still "that guy I went to High School | with." I have no doubt he would have given the kids an award | privately, if not publicly. | | It's sad that some public school districts are using | discipline approaches you'd expect to see in prisons, rather | than a school, and I'm sure in certain places in the country, | that might be a necessity. Context matters, too -- were these | kids who were constantly pulling pranks like this, had been | talked to in the past/impacted things in the past, etc, I'd | expect a harsh response: "Yes, we get it, you're smart, stop | breaking things already, read the horrors of the 1986 CFAA | because that's coming if it happens again." I'm guessing | these were otherwise good students. | baybal2 wrote: | This is ridiculous | outworlder wrote: | > because it sends the signal to other young aspiring | cybersecurity professionals that this is OK, | | There are _multiple_ disclaimers in the text, almost every | other paragraph. | runjake wrote: | That said, maybe we should lighten up on minors performing | harmless/non-destructive pranks. | | Not everything warrants felony charges for kids. | jjoonathan wrote: | Of course -- but we aren't the ones making the rules, and the | ones who do make the rules have certain incentives that lead | them in dark directions. | dec0dedab0de wrote: | _Anyone in the field will tell you that this is an absolute | disaster of a post because it sends the signal to other young | aspiring cybersecurity professionals that this is OK, and the | school will laugh it off, and you'll be seen as an adorable | Matthew Broderick type Wargames character. I can't | overemphasize how far this is from the truth in 2021._ | | Or maybe it will shame other IT departments into not having a | stick up their butt. Especially if there is already a culture | of overlooking minor criminal activity in the name of harmless | pranks. 
| ActorNightly wrote: | I'd actually wonder if criminal history matters when you have | skills like this that are very much in demand. | | If this went to court, the charges of malicious intent would | likely not stick, so jailtime could likely be avoided in lieu of | fine/community service. | | Competent tech companies will not give a shit about criminal | record of this nature. | | Expulsion from school is pretty much irrelevant, especially for | CS careers. You can get a GED, find any college with CS program | that will take your money, spend a year having fun, apply for | an internship at a tech company, do a good job to be offered a | return, talk to HR to go directly into entry level role, and | you are set (have personally seen 2 cases of this happening | with an intern). | | The most functionally harmful thing would be monetary cost, | which is still inconsequential considering the salary this guy | would make. | kube-system wrote: | It depends on how regulated the particular industry is. If | you're building consumer web apps at a startup, it probably | won't matter. If you want to be a government contractor, it's | probably a nonstarter. | joezydeco wrote: | I live near this kid and I'd offer them an internship on the spot | if they came forward...but I fear they'd just be bored. ___________________________________________________________________ (page generated 2021-10-12 23:00 UTC)