[HN Gopher] IoT hacking and rickrolling my high school district
___________________________________________________________________
IoT hacking and rickrolling my high school district
Author : revicon
Score : 1611 points
Date : 2021-10-12 19:38 UTC (1 days ago)
(HTM) web link (whitehoodhacker.net)
(TXT) w3m dump (whitehoodhacker.net)
| octokatt wrote:
| This is awesome, and rock thee onwards.
|
| I wanted to make sure OP knows that "white hood" can mean
| something _very_ different, and "white hoodie hacker" might
| provide that distance.
| dmitrygr wrote:
| Many here, I am sure, got in trouble in high school for exposing
| security issues in school IT. So I imagine we're all very happy
| to see a sane response from school administration for once!
| h2odragon wrote:
| Stories of more enlightened school administrators are always
| welcome.
|
| My story: the "second best high school in the state" had an
| AT&T 3b2. They wouldn't let me take any classes that used it
| because they were afraid of what I might do to it (their
| words). I mean, they weren't actually _wrong_ to worry, but it
| didn't really have anything on it.
| dvtrn wrote:
| I got in trouble once in high school just for discovering and
| then using `net send` to send a message to my friend that said
| "Hi from lab 3".
|
| Computer lab access revoked for 6 weeks. Joke's on them, now I
| send socket messages to my friend that says "Hi from Chicago"
| and there's nothing they can do about it.
|
| My friend however keeps begging me to use this thing called
| 'email' because he claims he doesn't see the socket messages.
| flatiron wrote:
| everyone in my school net send bombed everyone all the time.
| I'm not sure how they didn't figure out how to just turn it
| off.
|
| but i remember you had to do it from a library computer,
| because it said who it sent it from. so you had to do a
| little drive by walking net send as you walked out of the
| library to not get caught
| dvtrn wrote:
| That was _exactly_ how we used to do it, from where we used
| to do it, haha. Are you my friend? Rodrigo? How's the
| weather in Miami? How 'bout those 'Canes?
| m0ngr31 wrote:
| We would write scripts to essentially make net send DOS
| attacks on different labs.
| snerbles wrote:
| In our case it escalated to scripts with silent, random
| time delays. Launch it from a floppy, walk away and 87
| minutes later everyone is wondering why a notice went out
| saying that a Toyota Corolla in the parking lot has its
| lights on.
| uudecoded wrote:
| Sorry you got access revoked. I accidentally did a net send
| (via the GUI) to the whole district domain instead of my
| friend in AP CS that said "Time for break!" right before the
| snack break.
|
| In my next class, the teacher was talking about "Time for
| break" virus going around... :/
|
| This was after the district IT wanted to suspend me for
| setting up a Windows 2000 domain for the yearbook lab, so I
| kept my mouth shut.
| pugworthy wrote:
| It happens at "adult" jobs too. I found a number of webcams in
| the organization with no password. I flipped the image on one,
| and sent an email to IT saying, "Hey something's wrong with the
| web cam - it's upside down. Oh and probably you should put a
| password on it ;)"
|
| It didn't go over so well. It embarrassed them and led to some
| major reprimands for me, almost to the point of losing my job
| for unauthorized access to systems.
| ar_lan wrote:
| There was an excessively annoying kid in my high school and I
| learned to send remote commands to any computer in our lab, so
| I sent a command on loop that continuously opened his disk
| drive (it would automatically re-open after closing), and if he
| was particularly annoying I would shut down his computer.
|
| I never once got in trouble for it - the teacher would ask the
| class, directly looking at me, from time to time to stop it,
| but I never got in trouble.
|
| I imagine he was just using those announcements to get me to
| stop from time to time, but knew this kid deserved it so he
| never did more than that.
| AnIdiotOnTheNet wrote:
| I don't know. I feel like a lot of the people here celebrate
| their former exploits as though they weren't committing the
| computer equivalent of rifling through unlocked desk drawers
| and graffitiing the walls. They seem so surprised that
| overworked and underpaid public servants don't appreciate that.
| tubbs wrote:
| Story time, I guess.
|
| I went to a small private Christian school back in the late
| 200X's, and not the type of private school that had gobs of
| money. For two years, our desktop computers in the computer lab
| and the English classroom ran Ubuntu Linux (presumably because
| Windows licenses were >$0). The only students with Linux
| experience were myself and a friend that I introduced to Linux
| (who is also now an IT professional).
|
| For a month or two we systematically changed the remote desktop
| preferences to automatically accept new connections and not to
| display any messages saying that there is a connection. We
| tried to never sit at the same computer twice so that we could
| "adjust" as many computers as possible and to make a secret map
| of where each computer was by hostname.
|
| If we were in the computer lab and feeling mischievous
| (always), we'd poll around English classroom hostnames to see
| if any were in use, or vice versa. We'd "help" people write
| their papers (very creatively, I might add), speedrun through
| other students' typing lessons, open a terminal and run "telnet
| towel.blinkenlights.nl", or whatever else we could come up
| with.
|
| Well, wouldn't you know it, word gets around this is happening
| and we naturally get called in to the principal's office
| (because who else?). While expecting the worst, we were told
| "we know what you're doing, we don't know how to stop you, but
| we encourage you to stop and use your technical abilities
| productively instead" and were let off without punishment. We
| both came out of it with great respect for the administration
| because they showed us respect we didn't deserve, and we
| stopped.
| thomasfromcdnjs wrote:
| So much attention to detail that I can't help but think that the
| kid's parents were helping along the way.
| ajford wrote:
| Maybe, maybe not. The author has graduated from High School,
| meaning they're about to enter college or the workforce. I
| wouldn't be surprised to see this level of detail from someone
| at that level academically. Delighted, yes. Would I expect it
| from everyone? Hell no.
|
| But surprised that a tech-enthusiast and eager learner might
| have put this much thought into this prank and its potential
| consequences, not so much.
|
| Teenagers/young adults tend to have different stressors and
| other things to occupy their time than the average adult in the
| workforce, meaning the author likely gave this prank a fair
| amount of their free time, and that dedication showed through
| in the amount of planning done.
|
| Additionally it's likely, given they mentioned once or twice in
| the article they planned on posting a blog about the prank,
| that they might be hoping to use this on their resume or as a
| talking point in their career. If they're hoping to go into
| security or comp sci, this would be a decent feather in their
| cap and the amount of time spent is easily justified.
| donatj wrote:
| When I was in elementary school in the early 90's, I discovered
| you could use AppleTalk to print to just about any printer in the
| district.
|
| I would print pages and pages of "I AM THE MASS PAPER WASTER!!!"
| to random printers in other buildings. I'm genuinely curious if
| it actually worked.
| castis wrote:
| Free relatively harmless large-scale pen testing! Nice work.
| giantg2 wrote:
| My first thought when I read the headline was "another kid with a
| felony following them around for a prank that didn't harm
| anyone". Nice to see they weren't prosecuted.
| ianhawes wrote:
| Given the amount of press this is receiving and the fact that
| the message the administration sent to them _seemed_ a bit
| suspect, I wouldn't be surprised if the kids did end up
| catching several charges.
| 0x000000001 wrote:
| No kidding, I was threatened with legal action for
| significantly less shenanigans back in my day.
| hnwd wrote:
| I'm interested to know how was he able to remote access to
| seemingly any machine in the network, from outside?
| WhiteHoodHacker wrote:
| I had Chrome RDP access on a few machines setup earlier, since
| I could come in-person with my team for security competitions.
| hnwd wrote:
| Hey, thanks for the reply. Appreciate the writeup too, it was
| a fun read. Hope you don't mind but I have a few more
| questions.
|
| How were you able to get Chrome RDP access setup without
| admin privileges? I assume this is automatically blocked via
| group policy.
|
| Now that you have Chrome RDP setup, how were you able to
| access these machines from outside the network from home?
|
| "since I could come in-person with my team for security
| competitions" I'm really intrigued now. What were these
| security competitions about and were they part of a class you
| were in?
| lyian wrote:
| I remember in my school days we all used Windows, but the
| teacher/admin administration software, the school bought was
| pretty cheap.
|
| The administration tool allowed teachers to stop students from
| using for example the mouse or keyboard, was written in Java and
| was installed on all computers as a service.
|
| My favorite part was, that the installation setup of the whole
| setup was laying around on a random network drive. Being naughty
| little script kiddos we started to dump the code and voila no
| authentication or checks who is actually sending the commands.
| This resulted in us practically locking the teachers and even the
| admins out.
|
| Aaaah, good times...
| midwestemo wrote:
| Hey I know someone who goes to that school, interesting. He was
| telling me about this incident before
| jcims wrote:
| I've said this a bunch on here so please tell me to stuff it if
| it's tiresome, but having been on the far side of a large scale
| bug bounty I am incredibly impressed with the skills that young
| folks are developing in infosec. Probably not particularly unique
| but the industry is still a bit of a combination of tradecraft
| and academic pursuit and can be confusing for people to find a
| way in. I think this is why I really appreciate those that just
| bear down and get after it.
| sneak wrote:
| > _With that said, what we did was very illegal, and other
| administrations may have pressed charges. We are grateful that
| the D214 administration was so understanding._
|
| Note well that the victim of a crime does not get any say in
| whether or not a prosecutor prosecutes a crime. "Pressing
| charges" is a myth.
|
| The prosecutor decides. Period.
| sleepybrett wrote:
| 'white hood hacker' ... that has .. klan connotations.
| datavirtue wrote:
| Quick! Hire them before they can use their powers for the forces
| of good.
| gareiner wrote:
| I really do wish that my school wasn't strict and I was allowed
| to tinker with my ideas in my school.
| ubermonkey wrote:
| Three things are remarkable about this, and make it a happy
| story.
|
| First, that the pranksters were so egregiously responsible in the
| way they went about it. They avoided disrupting any actual
| educational activities; it was meant to be harmless fun, not
| vandalism. No harm came to anything here.
|
| Second, that they documented their findings to the administration
| as part of the action, including recommendations for
| improvements.
|
| Third, the administration took this as exactly that: a harmless
| prank by smart, ethical kids who ALSO did them a favor by
| pointing out the vulnerabilities. If the admin had a panicked fit
| about this, they could have made it an ugly situation.
|
| My educational experience was populated far more by "freak out
| and yell" types than this school district, which was a shame.
| brundolf wrote:
| For contrast, I once got suspended from the school computer
| labs for two weeks for the heinous crime of... running an
| unauthorized executable from a flash drive.
|
| It was Rainmeter; I was showing it to a friend. The IT guy even
| was like "yeah Rainmeter's pretty cool, I read about it in a
| magazine". But it was auto-detected and school policy,
| apparently.
| zenithd wrote:
| Same story but with putty.
|
| My own child will never use a school-issued laptop or school
| wifi.
| nutwit wrote:
| The school district itself was relatively chill, however the
| individual deans freaked out. Because the penetration report
| was sent to the tech team and not the deans, the deans were
| intent on finding out exactly who did the hack to find
| something to report to their bosses (and according to them
| concern about the grade book system being exposed?? Not sure
| how you're supposed to rick roll a grade book but if anyone has
| an idea i'd love to know). As the earliest poster of footage of
| this event, I actually got tracked down (despite the fact that
| the only information they had to go off of was my youtube
| channel which had no references to my actual name whatsoever)
| and interrogated about what I knew of the event by the dean.
| The penetration report had been sent a while prior to this
| (which I knew about, as being a sibling of the original blog
| poster can have many benefits) which made the entire thing so
| much funnier. I was thankful that masks were a requirement for
| in person students at the time, as my mouth was literally
| twitching the entire time during the interrogation.
| dr_orpheus wrote:
| > grade book system being exposed
|
| In our high school they didn't expose the gradebook in that
| you could get in and change it, but we were able to see
| everyone else's grades. Teachers would post grades for their
| class and "obscure" it by posting it with the student ID (you
| were only supposed to know your own) next to the grade. But
| when they posted, the entire list was still in alphabetical
| order so it wasn't hard to figure out everyone's grade and
| student ID.
|
| And the cherry on top of this was that all the students'
| passwords were their student ID.
| MauranKilom wrote:
| > Despite the fact that the only information they had to go
| off of was my youtube channel which had no references to my
| actual name whatsoever
|
| Assuming you took the video at the top of the article, it was
| presumably trivial to figure out who was in the class you
| were in and then rule out everyone who appears on camera as
| the camera man. Or just ask the teacher...
| saltminer wrote:
| >and according to them concern about the grade book system
| being exposed??
|
| Junior year in high school, I got suspended for "hacking."
|
| The tl;dr is that I was using a proxy to fetch assignments
| for class (because the county decided "yeah, this state run
| Moodle instance is obviously not appropriate for education"
| and one of my classes used Moodle) and got caught with the
| proxy configuration screen open. I wish I was joking.
|
| Anyway, when I was sitting in the guidance counselor's office
| as the teacher was talking up how "dangerous" I was, I
| noticed a sticky note with a username and password written on
| it. Turns out it was an admin account for the gradebook,
| though I think it was just intended for scheduling.
|
| I never did anything bad with those credentials, but that
| really tanked what little respect I still had for the
| administrators there.
|
| On a lighter note, when stack exchange & co got blocked the
| next year, I was good friends with the librarians since I
| helped out a fair amount fixing up their laptop carts (and
| doing other things the sysadmins were too busy to take care
| of), and they were able to get them unblocked. It taught me a
| lot about office politics: people are willing to return
| favors, so you should always make those connections.
| BBC-vs-neolibs wrote:
| Yep. It's also a general signal that you're a good actor
| willing to do the work. An observer with no interaction can
| see what you did for the librarians and put in a good word
| for you somewhere without you ever even knowing.
| ubermonkey wrote:
| >but that really tanked what little respect I still had for
| the administrators there.
|
| I mean, why did you have any in the first place?
|
| I've met very, very few employees of high schools who were
| worthy of any sort of intellectual or professional respect.
| nutwit wrote:
| yeah, those inner connections were really important. guess
| it was a good thing my brother was friends with the tech
| person at our school.
| RubberShoes wrote:
| I went to Buffalo Grove High School in this same district and
| graduated many years ago. At the time no IPTV systems or EPIC
| bell systems were in place. However, as soon as I walked in my
| freshman year I noticed the 'teacher' WiFi was only using MAC
| Address Filtering. One minute scan and a spoof later I was poking
| around to discover a whole lot was visible from this privileged
| network. "...From the results, we found various devices exposed
| on the district network. These included printers, IP phones...
| and even security cameras without any password authentication!"
| It was even worse back then. It was all exposed on wide open
| WiFi!
|
| My senior prank was going to revolve around the printers. We were
| shocked to discover every printer not just in BG but across the
| entire district was accessible with no authentication of any
| kind. We cooked up ideas and were planning to print either porn
| or I has cheezburger/lolcat memes via telnet (I'm dating myself.)
|
| Ultimately I got into other trouble before we could execute and
| figured this wasn't worth not graduating over. I moved on and am so
| happy to see a much better prank on this same network happen so
| many years later with almost no repercussions. Congratulations
| and great prank!
| driverdan wrote:
| In middle school all classrooms had their own printer. They
| were also shared on the entire school network with no security.
| We had a lot of fun printing stuff to other classes and never
| got caught.
| sodality2 wrote:
| I told my district that I could change my race at-will via a
| hidden form on the profile page. I changed it to "Purple". Got a
| call back from some IT guy telling me I accessed their computer
| without authorization, and that if it happened again, they'd
| press charges. I asked to be put through to the IT administrator,
| and he laughed and told me don't worry about it... Sometimes,
| they can handle it well. Very glad they did for you as well :)
| qmarchi wrote:
| I think the delineation point comes in with whether they are an
| IT "person" or a school administrator.
|
| Regularly, I would end up in trouble in my High School for
| things like bypassing the root account (using ShellShock), or
| nullifying their executable restrictions (because I needed to
| run my own executables for a work/study program). If I got
| caught, the IT admin would sit down and we'd chat about what
| happened, how they could improve their security and such. An
| administrator caught on to one of my shenanigans, bypassing the
| content block because I wanted to read a "hacking" article, and
| threatened me with suspension. Supposedly, she reported the
| incident to IT, and IT told her to not bother me anymore.
| rajamaka wrote:
| This is spot on. I used to work as a sysadmin for a large
| private school and always enjoyed the red/blue dynamic of
| tech team vs the smarter students trying to poke through the
| restrictions of their laptops and network.
|
| It was always disappointing when they took it too far and
| were directly caught by teachers or administration before I
| could tell them they were being a bit too blatantly
| malicious.
| sodality2 wrote:
| That's definitely true, my elementary school principal once
| got upset at me for unplugging and replugging the ethernet to
| fix the internet... I'm pretty sure the IT guys would have
| done the same :P
| bfirsh wrote:
| Reminds me of my school leaving prank. I rewrote the whole
| internet on my school's computers. Google's logo became "Leavers
| '08", Facebook became "Hatebook" and was red, YouTube only played
| videos of cats, amongst other things.
|
| These were the days when nothing had SSL, so you could just
| intercept and rewrite traffic!
|
| My only requirement was: _do no actual damage_
|
| It was implemented as a Debian live CD that you could drop into
| any school computer. It would boot up, then Ettercap would MITM
| the whole network by spoofing the router. It routed all HTTP
| traffic via Squid and a custom ICAP server that did the actual
| rewriting. If you removed the live CDs, the network just went
| back to normal within a couple of minutes.
|
| Routing the whole school's network through one old Pentium
| machine wouldn't work though, so I figured out a way of doing
| distributed load balancing: it would do the ARP spoofing slowly
| and randomly. So, as you added more machines, it would just
| magically balance between them.
|
| It worked great for about an hour then the whole network mysteriously
| stopped working for the rest of the day. I left all the live CDs
| in the computers as a calling card.
|
| Sorry, school network admins.
| pfraze wrote:
| Used to be that Windows allowed programs to hook into each
| others' event busses. (It might still, I'm not sure.) This
| might be why a few of my Highschool's computers would interpret
| every 5th right click in minesweeper as a left click
| steerablesafe wrote:
| > This might be why a few of my Highschool's computers would
| interpret every 5th right click in minesweeper as a left
| click
|
| This is just pure evil.
| aimor wrote:
| I ran into a fun bug in W10 where my arrow keys were moving
| the mouse cursor around. Turns out MS Paint does this as a
| feature and somehow it leaked beyond Paint.
|
| https://superuser.com/questions/1467313/mouse-pointer-
| moving...
| Stratoscope wrote:
| Yup, you can still do that. AutoHotkey is a wonderful tool
| for this. You can intercept input events globally, and
| transform them or send completely different events to the
| target app.
|
| For example, I use AutoHotkey to implement my JKLmouse
| program, which turns certain keyboard events into mouse
| movement for precise control. It's similar to the MouseKeys
| that comes with Windows, but made for laptop keyboards
| without numeric keypads.
|
| And yes, you could definitely do that Minesweeper hack in
| AutoHotkey! :-)
|
| https://www.autohotkey.com/
| Quessked73 wrote:
| Would you mind sharing that script? I have been looking for
| something similar, but didn't find anything that worked
| well and did not have the time yet to give it a try myself.
| I would really appreciate it.
| Stratoscope wrote:
| Sure. I didn't want to engage in self-promotion, but
| since you asked, here's the website and source code.
| There is an installer, but it's kind of old. I suggest
| installing AutoHotkey itself, then download the
| JKLmouse.ahk and JKLmouse.ico files from GitHub, and put
| a shortcut to the .ahk in your Startup folder.
|
| https://www.jklmouse.com/
|
| https://github.com/geary/jklmouse/tree/master/AutoHotkey/
| Sou...
|
| One thing to note is that I wrote this to use on my
| ThinkPads, which have physical mouse buttons. On a laptop
| where the touchpad itself is the mouse button, it may be
| difficult to avoid nudging the mouse position when you
| click.
|
| I've been thinking about adding support for using other
| keys as "mouse buttons", but haven't done anything about
| it yet.
| trashcat wrote:
| This is really cool. It's like the Mouse feature of QMK
| but works with any keyboard!
| anyfoo wrote:
| Wow, somehow that use of random and slowly ARP proxying as a
| duct-taped together load balancing mechanism makes this so much
| cooler.
|
| I'm not sure I quite understand the details, though. I assume
| there was only one gateway for the segment, so were the spoofed
| ARP replies unicast instead of broadcast? Otherwise, wouldn't
| all clients just switch to whatever machine announced their
| spoof for the gateway IP last?
| bfirsh wrote:
| This was 13 years ago so my memory is fuzzy... if I recall
| correctly, spoofed ARP replies were unicasted to every
| possible address on the network. It switched from machine to
| machine slowly, which is fine because they all served the
| same content.
|
| There were several subnets at the school, each with its own
| gateway. I remember having to set up live CDs in several
| computer labs to cover each of the subnets.
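Seen from the defending side, the gateway spoofing described in this subthread (several machines sending unsolicited unicast ARP replies that claim the gateway's IP) has a recognisable signature in captured frames. The detector below is an added example, not code from any commenter or from the tools they name; it assumes capture from a switch mirror port and a gateway MAC known in advance, and every address and the `sample_frame` helper are constructed for illustration.

```python
import struct
from collections import defaultdict

ETH_P_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42:                      # 14-byte Ethernet + 28-byte ARP
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": fmt_mac(eth_src), "oper": oper,
            "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}


class GatewayArpMonitor:
    """Flags ARP replies that claim the gateway IP in suspicious ways."""

    def __init__(self, gateway_ip, gateway_mac):
        self.gateway_ip = gateway_ip
        self.gateway_mac = gateway_mac.lower()   # pinned value (assumed known)
        self.pending = set()                     # (requester_ip, asked_ip)
        self.claimants = defaultdict(int)        # MAC -> replies claiming gateway

    def observe(self, frame):
        """Return the list of alert names raised by one captured frame."""
        pkt = parse_arp(frame)
        if pkt is None:
            return []
        if pkt["oper"] == ARP_REQUEST:
            self.pending.add((pkt["spa"], pkt["tpa"]))
            return []
        if pkt["oper"] != ARP_REPLY or pkt["spa"] != self.gateway_ip:
            return []
        alerts = []
        self.claimants[pkt["sha"]] += 1
        if pkt["sha"] != self.gateway_mac:
            alerts.append("gateway-mac-mismatch")
        if pkt["eth_src"] != pkt["sha"]:         # frame header disagrees with ARP body
            alerts.append("eth-arp-sender-mismatch")
        key = (pkt["tpa"], pkt["spa"])
        if key in self.pending:
            self.pending.discard(key)            # this reply answers a real request
        else:
            alerts.append("unsolicited-reply")
        return alerts

    def rogue_claimants(self):
        """MACs other than the pinned one that answered for the gateway IP."""
        return sorted(m for m in self.claimants if m != self.gateway_mac)


# --- constructed sample input (documentation-range IPs, made-up MACs) ---
GW_IP, GW_MAC = "192.0.2.1", "02:00:00:00:00:01"
HOST_MAC, ZERO = "02:00:00:00:00:10", "00:00:00:00:00:00"


def sample_frame(oper, eth_src, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Pack one ARP frame as bytes, standing in for a line of a capture."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(p) for p in s.split("."))
    return (m(eth_dst) + m(eth_src) + struct.pack("!H", ETH_P_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + m(sha) + i(spa) + m(tha) + i(tpa))


def run_sample():
    """Feed a constructed four-frame capture to the monitor."""
    a, b = "02:00:00:00:00:aa", "02:00:00:00:00:bb"
    capture = [
        # a host asks for the gateway, and the real gateway answers
        sample_frame(ARP_REQUEST, HOST_MAC, HOST_MAC, "192.0.2.10", ZERO, GW_IP),
        sample_frame(ARP_REPLY, GW_MAC, GW_MAC, GW_IP, HOST_MAC, "192.0.2.10",
                     eth_dst=HOST_MAC),
        # two other machines answer for the gateway without being asked
        sample_frame(ARP_REPLY, a, a, GW_IP, "02:00:00:00:00:11", "192.0.2.11",
                     eth_dst="02:00:00:00:00:11"),
        sample_frame(ARP_REPLY, b, b, GW_IP, HOST_MAC, "192.0.2.10",
                     eth_dst=HOST_MAC),
    ]
    mon = GatewayArpMonitor(GW_IP, GW_MAC)
    return [mon.observe(f) for f in capture], mon.rogue_claimants()


if __name__ == "__main__":
    per_frame, rogue = run_sample()
    for n, alerts in enumerate(per_frame, 1):
        print(n, alerts or "ok")
    print("rogue claimants:", rogue)
```

More than one rogue claimant for the same gateway IP is the pattern the "load balancing" variant in this subthread would produce; gratuitous ARP from legitimate failover setups also trips `unsolicited-reply`, so that alert is only meaningful alongside the MAC mismatch.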
| scoot wrote:
| > I rewrote the whole internet
|
| The web is not the whole internet, and Google, Facebook and
| YouTube are not the whole web.
|
| Makes me sad to think that someone could possibly believe
| either of these things. I suspect the rest is just something
| you read somewhere, but don't understand what the words mean.
| Enjoy your MIPs (meaningless internet points).
| detaro wrote:
| based on http://www.ex-parrot.com/pete/upside-down-ternet.html
| by chance? or parallel evolution? :D
| bfirsh wrote:
| Hah! I have vague memories of this. I think this might have
| inspired it, yes.
| kortilla wrote:
| Unless you had a special case for the hijacking machines to
| ignore the spoofed ARPs, the whole thing probably fell apart
| when they ended up with a loop between each other rather than a
| path to the real gateway.
| bfirsh wrote:
| Oh, yeah. That's a very good point. That's probably why it
| stopped working. I always thought the network admins pulled
| the plug assuming they'd been hacked.
| WrtCdEvrydy wrote:
| That's a common issue with distributed systems.
|
| Something has to be "the leader" and you need a system for
| choosing a new one once the old one is offline for a
| certain amount of time.
|
| Add in a sprinkling of how to figure out if you have more
| than one leader active at a time.
| bfirsh wrote:
| Would it have needed leader election though? It's a
| stateless system. It might have been enough to ignore
| spoofed ARP replies, or to not attack machines of its own
| kind.
| bluedays wrote:
| I don't think this happened.
| samschooler wrote:
| Hypothetically it could happen and even if it isn't true, I
| feel it adds something to the conversation. Besides, you
| cited as many sources as they did.
| bluedays wrote:
| Sounds way overly complex for a high schooler to pull off.
| At least the OP sounded legitimate, the details didn't
| sound over the top.
| _jal wrote:
| Sounds like you hung out with the wrong kids in high
| school.
|
| A couple friends and I pulled off some stunts of
| comparable non-digital complexity. (This was the 80s,
| schools didn't have networks.) They were more of the
| logistics and misdirection sort; for instance, having
| your own version of the printed graduation programs
| delivered, instead of the boring, official one.
| anyfoo wrote:
| I think you're underestimating motivated high schoolers.
|
| When I was in high school I was a huge Linux fan and had
| a side job as a network administrator for small companies
| in my town. I don't know if I would have gotten the
| "random ARP load balancing" idea, but overall it seems
| well within the knowledge admins of the days had about
| TCP/IP.
|
| When I was between 15 and 17 or so, I wrote small HTTP,
| DNS servers etc. in C++ for fun (straightforward
| implementations and not better in any way, so in the end
| just learning exercises), and I definitely had friends
| who did similar things.
| AnIdiotOnTheNet wrote:
| Not really. Sounds like this was class of '08, and at the
| time BackTrack would have been readily available and
| popular enough for a curious highschooler with a bit of
| computing background to find. As I recall ettercap was
| built in and I wouldn't be at all surprised if there were
| tutorials for setting up scenarios almost exactly like
| what is described.
|
| Even the ARP balancing thing is the kind of
| too-clever-by-a-half solution a naive youngin' would come up with
| since it would lead to all the nodes thinking each other are
| the gateway and crushing the network with routing loops.
| anyfoo wrote:
| Maybe they hardcoded the real gateway's MAC Address.
| AnIdiotOnTheNet wrote:
| They did not:
| https://news.ycombinator.com/item?id=28846569
| bfirsh wrote:
| https://www.dropbox.com/s/hyt24p4j43szpdi/logo.gif?dl=0
| collegeburner wrote:
| Wow takes me back to old Google's former logo! It looked so
| much better with old logo.
| anyfoo wrote:
| I'm less skeptical. OP already mentioned that most things
| were not encrypted back then, so this was probably still in
| the days of transparent proxies, so OP could have "just"
| added one with some ARP spoofing. They were somewhat common
| in school and office networks, and like regular HTTP proxies
| (except the transparent ones had the traffic redirected
| forcefully to them) they essentially consumed HTTP requests
| and sent new ones out to _The Internet_. While mostly used
| for caching and blocking, it seems relatively simple to me
| that OP could have just replaced e.g. some stylesheets served
| back to the client.
| foooobaba wrote:
| I did some similar shenanigans when in 10th grade, with
| backtrack 3 and ettercap-ng it was pretty easy. I didn't do
| the load balancing, and ended up crashing the network when my
| laptop couldn't keep up lol.
| [deleted]
| mdip wrote:
| This is excellent; reminds me of (very much smaller and far less
| cleverly executed) grief that I caused the administration at my
| HS back in the day[0].
|
| There's a few comments about the risks along with a little
| surprise/at least applause for the administration choosing not to
| waste the courts/various other parts of the justice system with
| this prank. I completely agree -- I don't know if I'm _terribly_
| surprised they chose that route (whether or not they were truly
| upset in the first place). I applaud the students for executing
| this so carefully/well and if my kids pulled something like this
| off with this level of care -- well, they'd at least be getting a
| dinner out of their choosing -- probably a trip to a nearby theme
| park.
|
| I suspect the kids involved were also certain that their
| approach, attention paid to keep from disrupting class and
| (thankfully thorough) testing that helped avoid a harmless prank
| turning into expensive litigation/really pissed off parents. But
| I'll bet there was a lot of fear around that, anyway! Had
| something gone awry -- and that's always where the risk is -- I'm
| guessing the outcome would have been more severe for these kids.
|
| They really played the social engineering/covering their
| hind-quarters side of this prank very well. A large amount of effort
| was put toward making sure class was not interrupted[1], things
| worked and were tested and they provided detailed information to
| the administration on how to secure their systems -- that last
| piece allowing them to say "Without our minimally invasive prank
| and report you'd have never known these issues existed. We're not
| that special; a more malicious student could have discovered
| these flaws, opted for a _porn broadcast_ and made it
| difficult/impossible to find them to punish." They probably understand
| their own school's administration and took an educated guess as
| to how they might handle something like that, too. At least for
| the scope of anything I did, I _knew_ I wouldn't hear from the
| Vice Principal or Principal -- I'd solved various computer
| problems for them by then that the worst I'd get would be "that
| was cool, but please don't do that again."
|
| I didn't get in trouble because the pranks worked similarly -- I
| tested/avoided disruption (most of the time), did no permanent
| damage and anything was resolved by a reboot (DOS and no fixed
| disk) and our harm was necessarily limited since there are only
| so many computers you can covertly pop a floppy disk in -- there
| was no network. The biggest factor, though, was that our
| programming teacher sometimes got involved, himself. He was the
| head of the math department, not your traditional "computer geek"
| and I was doing things that he wasn't teaching, so he encouraged
| it. The guy was amazing (passed away in the mid-00s).
|
| So, kids, if you _do_ try this at home, make _sure_ it all works,
| provably, very _very_ well and don't do anything that will give
| them other reasons to throw the book at you. And if your
| administration has more than the typical "Zero Tolerance[2]"
| stance on things, it's just a bad idea regardless.
|
| I'm _sure_ there were a few among the ranks that became _furious_
| but cooler heads prevailed. The report at the end was a _nice_
| touch.
|
| [0] Mostly contained in the computer lab, which was
| non-networked, but when we discovered the three-letter-acronym TSR
| (DOS's Terminate and Stay Ready) and realized it was rare that
| another student would reboot an already booted machine (it took
| forever counting to the 512KB or so RAM installed). Incredibly, I
| graduated in the late 90s -- my Senior year, the lab that taught
| (Turbo, then Borland) Pascal was 15 years behind what most people
| had at home... these diskless all-in-one bastards wouldn't break.
|
| [1] I'm sure it took the kids a little longer to get to their
| classes after that all happened -- that's a minor, completely
| expected, situation here and at least a small reward for the
| efforts involved.
|
| [2] The school ten miles north of us was in a rural district and
| had a parking lot full of trucks with hunting rifles attached
| sitting in the parking lot every day (well after all of the
| schools installed additional locks and added security theater to
| make parents feel better post-Columbine)...that wasn't forbidden
| at least as far back as the early 00s and I wouldn't be surprised
| if a blind eye is mostly turned, today in some parts of that
| district.
| treszkai wrote:
| These devices were unsecured for a reason: there wasn't money to
| hire competent people who would make all services secure.
|
| Finding a vulnerability in the grade tracking system is much
| different than in IPTV: the first can have real-life
| implications, the latter only gives the attacker bragging rights.
| Only students would benefit from hacking IPTV (for funsies), but
| patching it requires funds nonetheless, and then further effort
| from staff when the default user/pass doesn't work. And then we
| complain about the hidden costs of low-trust societies.
|
| If the guy had written to the admins about it, they probably
| would've replied "yeah we know about it, please don't do it".
|
| "But I want to because I can and you're too lazy and incompetent
| to fix it."
|
| "Okay then here's 50 bucks, please fix it for us, we don't have
| time for this nonsense."
|
| "F off", and then proceeds to rick roll because that can get him
| to HN front page.
| joshuamoes wrote:
| Preface this by saying this was a smaller school, and the
| students had limited access to wifi. For example a teacher would
| create a set of radius credentials that would only be active for
| 1 hour. Since data was also expensive that was not an easy work
| around.
|
| In my grade 11 electronics class, one project we were assigned
| was to create a digital clock with notifications for one of the
| teachers. Me and a friend set up a raspberry pi with magic mirror
| installed on it, and modified some available plugins at the time
| to allow a google calendar for test dates embedded on the
| display. The teacher was quite pleased with this, but we
| convinced him to hard wire it to the network for "stability". In
| the background we had installed a vpn connection to one of my vps
| that I used to host my website, and created a new set of sudo
| enabled credentials naming it magic-mirror or something. The
| teacher then reviewed the project and changed the normal user
| credentials etc. Then right before it was installed in the
| ceiling, we attached a wifi adapter to the pi. A week or so later
| we remoted in through the tunnel and enabled a wireless hotspot
| from the pi. This provided us with internet while we were close
| to the classroom for the next year. People also over time learned
| that you could extend the range by hot spotting additional jumps
| using laptops.
| bowmessage wrote:
| Nice! I used to carry around a wireless router in my backpack
| for the same reason, and made sure to surreptitiously plug it
| in at the back of every class. Similarly, the school had very
| restricted WiFi, but no restrictions on the wired network. Fun
| times.
| joshuamoes wrote:
| For sure lots of fun, we also very quickly found the staff
| wifi password, and just cloned mac addresses of allowed
| devices to bypass the filtering.
| guynamedloren wrote:
| Fun story! Such incredible attention to detail and
| thoughtfulness, all the way up to automatically sending a pen
| test report to the district's technical supervisors, and sharing
| a presentation _after_ graduation. This kid was one step ahead
| all along.
|
| Great work, Minh.
| dyingkneepad wrote:
| I feel so dumb when I read kids doing these things. Back in High
| School all I knew was how I could run arbitrary executable files
| by renaming them to calc.exe. We also did the classic "take a
| screenshot of the desktop, set it as the wallpaper, then remove
| all icons and the start menu" thing.
| quadcore wrote:
| I told a friend who knew absolutely nothing about computers to
| go and type format c: on the school only computer and wait for
| the result. It turned a bit ugly but we're still friends :)
| alistairSH wrote:
| All this. Plus TI-86 kung fu. Though this was 1991-1995, IoT
| didn't exist and email and web access was mostly through AOL or
| Prodigy.
| rmorey wrote:
| Another good one on that level was using the Windows keyboard
| shortcut ctrl-alt-down to rotate the display upside down -
| totally harmless, but absolutely maddening if you don't know
| how to undo it
| rocqua wrote:
| Even better if you combined it with an upside down screenshot
| of the desktop. So it looked like only the mouse was upside
| down and all buttons didn't work.
| gpt5 wrote:
| Unfortunately, this feature was discontinued by most graphics
| drivers.
| lysurgic wrote:
| This is still a common prank at work on win10 pc's
| nyanpasu64 wrote:
| I think it's a good thing that Ctrl+Alt+Arrow is no longer
| intercepted by graphics drivers, since IMO shortcuts not
| containing Win should be handled by apps and not the
| system.
| severak_cz wrote:
| Change wallpaper to some crap. Take a screenshot of desktop.
| Change wallpaper back and open screenshot with crap on the
| background in fullscreen mode.
| securiTee wrote:
| Neat story, and this is clearly harmless. But isn't the most
| basic, fundamental, number one rule of security/pen testing to
| try to break into a system (no matter how weak) if and only if
| you've been given clearance beforehand? Why doesn't that hold
| here?
| GavinMcG wrote:
| The rule does apply. Also, it was a senior prank, which by
| definition involves breaking the rules.
| jdmichal wrote:
| The author literally put in TWO disclaimers making that exact
| point...
| unethical_ban wrote:
| I think the OP is asking "Why are we applauding them if they
| broke the rules?". The answer is "Sometimes, people break the
| rules".
| ajford wrote:
| Glad to see a cooperative and supportive academic administration,
| and I'm sure the thoroughness and planning that the team
| demonstrated made it easier on the administration.
|
| The sheer amount of testing and verifying no major impact to
| academic testing took place probably helped, and cleaning up
| after themselves and documenting their finding and reporting it
| to IT was a cherry on the top.
|
| I like that the administration even requested that the team brief
| the district IT on the "attack".
| remix2000 wrote:
| I once wrote a script that would pluck the entire student's
| computer and rat them out hard in case they tried to exploit some
| vulnerability. Alas, no one got owned, at least not until I
| graduated.
| lxe wrote:
| In 2001, in 7th grade at the beginning of my web dev "career", so
| to speak, I made a website that looked exactly like our school
| district's "snow day" school closure and delay page -- and I
| allowed anyone to edit the message. I told a few kids about this
| -- it was a pinnacle of my PHP prowess back then.
|
| Got called into an office -- a gifted program administration, not
| the regular school office. I think one of the teachers there
| caught wind of my cool little trick, and asked me to take it down
| right then and there. I was terrified, as I wasn't really someone
| to get into any sort of trouble. I was able to take it down
| through their machine's windows explorer's FTP access.
|
| Now I realize that this teacher probably saved me from a lot of
| trouble. I wish these sort of stories were the norm -- where
| educators welcome the natural curiosity instead of throwing the
| law at kids who dare to think outside the box.
| ar_lan wrote:
| TIL there is an Elk Grove that is not in California!
| ilaksh wrote:
| It's not hacking if you have ssh access. I missed the part that
| explained how they got that.
| duped wrote:
| Do prosecutors need consent from victims to file charges in cases
| like this?
|
| Also if you're going to commit a crime and brag about it, don't
| say "hey well they would point the finger at me anyway and I'm
| not going to name my partners." You've just told them there are
| coconspirators, and you don't have a right not to incriminate
| others.
| paxys wrote:
| They don't legally need it, but such cases are pretty much dead
| in court without the victim's cooperation so the prosecution
| will almost always drop it.
| duped wrote:
| What happens when the suspect publicly admits to doing it and
| providing detailed information on the motive and means?
| EvanAnderson wrote:
| The Aaron Swartz prosecution continued, even after MIT and
| JSTOR said they didn't want to press charges, because of a
| zealous prosecutor.
| jerrysievert wrote:
| when I was in high school, we had been battling on the pdp11
| (running rsts), and when they finally upgraded to vax/vms they
| just gave up and gave us a small vax system to ourselves to
| battle on. it was much less disruptive than the hijinks we had
| previously been up to.
|
| of course, this was in the days when pad-pad was a thing out in
| the real world, so false logins on vt100/vt220 terminals was all
| too easy to fake.
|
| I am still thankful that they decided to set that up (we even had
| physical machine access) - such a better solution than just
| letting us go wild on the local network.
| pgcm1 wrote:
| This article was great.
|
| If you want to understand the IoT better, I can recommend this
| article: https://girlsplaining.substack.com/p/internet-of-things-
| and-...
| SavantIdiot wrote:
| Up until OP starts working out the frustrations of RTSP it was
| pretty much a yawner "scan for ports, http to them, see if
| sumthins there and unguarded". But the perseverance to make a
| prank work like that with a finicky protocol across a wide
| variety of different OEM hardware is really exceptional!
| bentcorner wrote:
| Using the school computer's webcam to test his exploit at night
| was genius. Very clean.
| jimt1234 wrote:
| Working in IT/tech for a school district is the worst. My
| experience from many years ago - around 2002, I think:
|
| 1. First day on the job, email to boss: "Hey, the computer lab at
| Springfield High has a ton of known security flaws that are
| begging to be exploited."
|
| 2. Reply, 1 week later: "Sorry, we don't have any money for that.
| Just keep everything up-and-running."
|
| 3. 3 weeks later the computer lab at Springfield High got
| "hacked". All the computers displayed a popup window that said,
| "Miss Krabappel is a dyke!" (sorry for the offensive language)
|
| 4. Next day, email from boss: "The computer lab at Springfield
| High was hacked! Figure out how to fix this and make sure it
| doesn't happen again!"
|
| 5. A few days later Miss Krabappel filed to sue the school
| district. The local newspaper picked up the story.
|
| 6. Email from boss, in full panic mode: "I need you to figure out
| who hacked the computer lab at Springfield High so we can report
| him to the police!"
|
| 7. A week later an independent consulting firm was brought in to
| help identify the person behind the "hack". I heard they were
| paid $50K and found nothing. However, the kid got ratted out when
| he told all his friends. (It wasn't Bart Simpson! ;) )
|
| 8. Several weeks later: meeting to discuss working with a
| consulting firm that's gonna fix all the security issues because
| the current staff (me and my team) lacks the skills.
|
| 9. About 6 months later, I quit.
| worldsayshi wrote:
| > First day on the job, email to boss
|
| That email chain could be used to prove that you did what you
| could before the incident. If you were so inclined.
| JoeAltmaier wrote:
| School districts absolutely love consultants. Because they have
| to make difficult decisions, and they can hide behind a
| consultant. It's part of the bureaucracy survival suite.
| snerbles wrote:
| > All the computers displayed a popup window
|
| When I engaged in `net send` shenanigans at the local community
| college, at least the IT staff was smart enough to know where
| to scramble a runner whenever those dialog boxes popped up
| across campus.
|
| "ALL YOUR BASE ARE BELONG TO US" was quite the meme then, but
| apparently they thought it was some form of cyber-terrorism.
| cphoover wrote:
| O mannn I was suspended from HS, and banned for 2 years from
| touching school computers for net send shenanigans as I
| wasn't smart enough to cloak the originating workstation.
|
| My message to every single computer in our HS:
|
| "Hey what's up!"
|
| my friend added to this:
|
| "Your network (H:/) drive is being deleted."
|
| School administrators and teachers did not find this funny.
| smcl wrote:
| > and banned for 2 years from touching school computers for
| net send shenanigans
|
| Ha, yeah I got banned for using net send as an IM app with
| friends too. There were a couple of us in my school who
| were skilled, enthusiastic programmers - it is kinda stupid
| that the punishment they decided on was to _prevent_ us
| from being educated :-/
| iso1631 wrote:
| What year was this? I remember a time in the mid 90s (c.
| 1996?) when Novell had just upgraded to "intranetware" and
| all the computers had fancy "web browsers" which was fun,
| there was a 64k ISDN for the computer suite (we actually
| had two, but the other was RM Nimbus machines which could
| just about run netwars). This was in the UK
|
| I changed the homepage to a webpage which redirected to
| file://c:/con/con (which for those who don't know caused a
| windows BSOD at the time).
|
| IT teacher thought it was hilarious, used it as part of the
| lesson about how computers can be broken into, and told
| everyone "ok we've seen that, don't do it again".
|
| Another time I remember writing a simple program, probably
| in qbasic, which captured passwords to a file. It only
| wrote the first 4 or so letters to the file - showed what
| we could do, had a little fun, tricked the teacher into
| logging in, and then told him "ha ha".
|
| As long as you came up with creative things (not just
| copying others, which is tedious), which didn't cause too
| much disruption (no deleting files), and stopped doing it
| once you proved it could be done, you were fine.
|
| Networked IT was new and exciting then though, to the
| students and the teachers. A few years earlier and it was
| all BBC Micros, a few years later and everyone was on the
| internet and trying to install backorifice, but for a brief
| moment well meaning harmless (for a teenager) curiosity was
| rewarded.
| snerbles wrote:
| About a year after the college prank, I was recounting the
| incident to a helpdesk coworker on a relatively quiet
| Saturday. He refused to believe that "net send" even
| existed, and dared me to do it. So I did, the content of
| that message being a rather tame "This is a test message,
| press OK to close."
|
| He was on phones, got about twenty calls including one from
| a VP - with even more popping in throughout the following
| week as people returned to workstations to see the dialog.
| We were able to play it off as "testing the network" (not
| wrong I suppose), but our manager was a responsible sort
| and had it blocked with a group policy shortly after.
| lysurgic wrote:
| Wow, almost the exact same thing happened to me and I was
| thrown out of that school, mainly for using another student's
| account to send the base message.
| onionisafruit wrote:
| I haven't thought of net send in years. Circa 2000 I worked
| at Cisco and added some javascript to my profile in the
| corporate directory that sent me a net send message with the
| hostname of the computer that viewed my profile. At that time
| the hostname usually included the employees username, so I
| had a nice heads up that somebody was looking me up.
|
| I should have left it at that, but I got cheeky and also did
| a net send back to the origin saying something like "thanks
| for your interest in onionisafruit". That got escalated and I
| was threatened with disciplinary action. It didn't occur to
| IT that they shouldn't allow arbitrary script tags in user
| profiles. The best response was just to threaten the people
| who were creative with what they were given.
| mustardo wrote:
| Curious how you escaped a (browser?) with JS to do "native"
| net send? Assume it was some activeX?
| bmicraft wrote:
| The js probably pinged their own server which then did the
| 'net send'
| halgir wrote:
| When I had my net send fun back in school, an IT guy found me
| and just explained that if it becomes a recurring thing,
| they'll have to disable it on the network. And that they
| would prefer to keep the functionality available, so it would
| be a real shame if I ruined that for them. I never did
| another one, because I understood it would be a dick move.
|
| No condescension, no threats. Just treating me like an adult
| with a constructive conversation. It never occurred that
| anyone might overreact like many in this thread experienced.
| Makes me feel pretty fortunate now.
| skapadia wrote:
| Ah good ol net send... we had a lot of fun in high school
| with that in the 90s
| koboll wrote:
| A good buddy of mine did the same, but with the message
| "DOOM!"
|
| His punishment was community service, and the service was
| having to be basically an intern for the school IT guy. Smart
| administration, really.
| saltyfamiliar wrote:
| That's such a wholesome punishment.
| ipdashc wrote:
| That's the only proper response, really. You love to see
| it.
|
| I'll never understand braindead school administrators whose
| response is "throw the entire CFAA book at them" for kids
| who do the most harmless sort of "hacking". I mean, they're
| literally 16-year-olds. How disconnected from reality does
| one have to be to think that police/legal action is
| appropriate for this type of stuff? It's like they're
| specifically trying to ruin lives and create
| criminals/blackhats.
|
| Edit: And something I remembered while scrolling this
| thread... it's particularly disappointing when it's the
| actual IT staff who get mad and threaten to press charges.
| Like, sure, if it's a 60-year-old secretary who's worried
| about you starting WWIII by whistling into a payphone,
| that's just ignorance, that's one thing. But IT people
| ought to know enough about security/"hacking" to see how
| ridiculous they're being... just sad.
| judge2020 wrote:
| > How disconnected from reality does one have to be to
| think that police/legal action is appropriate for this
| type of stuff?
|
| They don't ask that. They just want their computers to
| always magically work and having to dedicate mental
| resources to events in IT at all is an intrusion to their
| time - to them, throwing CFAA at them is "setting an
| example".
| snerbles wrote:
| I received a similar punishment for running an autoclicker
| against some charity adware installed by a well-meaning
| administrator.
|
| That semester of internship was pretty fun, all things
| considered.
| sjapps wrote:
| Same punishment for me back in high school when I "guessed"
| the admin password. They all knew I didn't guess it and was
| given the job/community service. They kept the same
| password.
| appleskimer wrote:
| This brings back some experience of mine when we used to have
| old windows machine with a list of exploits to enter the admin
| portal and mess with marks
| javajosh wrote:
| People respond to incentives, and "fast-to-react" is easier to
| measure than "wisely proactive" in at least two ways. First,
| the risk is no longer theoretical; the damage was measured.
| Second, the fix is easy to measure: spend $X dollars on Y firm
| on date Z. This is all nice, easy to understand evidence of a
| manager doing their job.
|
| Alternatively, you have staff pointing out a possible flaw.
| That staff's time was already allocated; their noticing a flaw
| is a) taking time away from their allocation, and b) tacitly
| critical of decisions made above their pay grade. And even if
| they are right, the manager won't get credit for prevention,
| and in fact will get punished for "wasting" resources in an ad
| hoc way, rather than what they were acquired for.
|
| It is depressing in the extreme to work for such an
| organization, and you were right to quit, because over time
| these perverse incentives will start to shape _you_ whether you
| like it or not. The very idea of owning your work, of caring
| about real-world outcomes, becomes anathema as a matter of
| survival. You have to exist, along with your org, in a
| checking-the-boxes, don't-notice-what-you-aren't-paid-to-notice,
| mode. It's safe and comfortable for the body; it is
| deadly to the soul.
| fennecfoxy wrote:
| Aaaaah good old net send *
| TeeMassive wrote:
| Oh yeah the early 2000s, not a great day to be a hacker (by
| hacker I mean actual hacker: http://catb.org/~esr/faqs/hacker-
| howto.html).
|
| I remember getting yelled at for changing the display
| resolution and typing a few commands in DOS to change file
| names quickly.
|
| Computers were never up to date of course, we had cathodic
| displays up to 2010.
| acidburnNSA wrote:
| I 'worked' for my own high school's IT dept, a few hours a
| week, as a student. It was an amazing experience working with
| those guys. I learned so many things, from how to punch,
| terminate, and run cables to how to set up a Ghost image and
| deploy it en masse across the district.
|
| One day one of the old macs was showing the frowny face in an
| in-session classroom. Boss sent me down there with specific
| instructions: "pull out the hard drive and beat it really hard
| with the handle of this screwdriver". I was like: "?" and he
| was like, "just do it".
|
| So I go down there and let myself in, trying not to interrupt
| the class. I climb behind the computer on a cart and pull out
| the HD. I beat it with the handle, like a good 10 times. Of
| course this got the class all riled up. I blushed, but told
| them this was normal operating procedure. Plug it back in and
| it works. I was (secretly) as amazed as everyone else in the
| class.
|
| Back in the IT office, I say it worked. IT boss smiles and
| nods. I ask how. Well as it turns out some of those old hard
| drives used a vegetable oil based lube that seizes up if it's
| not used for a while. So if you bash it it un-seizes and starts
| turning again.
|
| Anyway great times, fun memories. We all got our CompTIA A+
| certifications at the end, but don't ask me what IRQ number is
| for the parallel port these days.
| michaelcampbell wrote:
| "stiction". Well known in the Apple community in the ... late
| 80's/early 90's, IIRC? I want to say I remember some official
| Apple documentation saying to drop the machine from a few
| inches up in the air, but I may be misremembering.
| geoffpado wrote:
| This was supposedly true of the Apple III
| (https://www.techjunkie.com/apple-iii-drop/), but upon
| searching to find that link, it seems this story may be
| apocryphal: https://retrocomputing.stackexchange.com/questi
| ons/12283/did...
| shwoopdiwoop wrote:
| I believe the term for this is 'percussive maintenance'
| iso1631 wrote:
| I haven't needed to use it since....
|
| last Tuesday
| nemosaltat wrote:
| In the Navy, we called it "mechanical agitation" it raised
| fewer eyebrows than "I hit it with a wrench and it started
| working again."
| sandworm101 wrote:
| >> un-seizes and starts turning again.
|
| More likely an armature rather than a platter. Violence also
| worked when the drive would get stuck on a bad sector.
| Bashing the drive horizontally, while it was on, would
| sometimes move the arm enough for the drive to reacquire and
| hopefully not hit the same error on the next read attempt.
| specialist wrote:
| > _...pull out the HD. I beat it with the handle, like a good
| 10 times..._
|
| Heh. Nice.
|
| A coworker's Mac wouldn't boot. I couldn't hear the hard
| drive. It was a model with the tip of the spindle exposed. I
| found a pencil with a gummy eraser. Gave the spindle a twist
| as I turned the power on.
|
| Told the amazed user, "Do not turn off your computer until
| after you have backed up your data. That probably won't work
| twice."
|
| Good times.
| moepstar wrote:
| Had a similar experience with the external HDD of a friend
| of a friend.
|
| HDD wouldn't be recognized, sticking my ear to it i could
| only hear the motor emit a beep-like sound, no spin up.
|
| Her masters thesis on it, inaccessible, i've opened up the
| case, removed the HDD, unscrewed the top and there was the
| drive arm, stuck in the mid of the platters...
|
| Took a Torx screwdriver, turned the platters backwards and
| unstuck the drive arm...
|
| Copied all data off of it and sent her to the nearest
| computer hardware store to get another drive...
|
| Master thesis was successfully recovered!
| oaiey wrote:
| And now ... a group of 30 - no-longer - students treat their
| IT equipment with hits by a screw driver ... because it
| works.
|
| Our education system is amazing ;)
| yardie wrote:
| I did similar violence to my old HDD-based iPod. One day it
| just made a chugga chugga noise. Meaning the HDD was dead. In
| researching how to recover some music a forum member
| mentioned dropping it really hard. So I slammed it into my
| desk and terrified the office. And it continued working for
| the next few years.
| NetOpWibby wrote:
| SHEESH
| dfee wrote:
| I got two Saturday detentions for finding that same tool (also
| ~2002) - though I just typed "Hi" and hit send - to everyone on
| the school network.
|
| I of course didn't really know what I was doing. Looking back,
| this was a very strange punishment. Joke's on them I guess -
| left Oklahoma after HS and am now a software engineer in the
| Bay Area.
| zucked wrote:
| If only we could have reframed our approach to these
| situations.
|
| Provided what was sent/defaced/etc wasn't hate speech or
| punching down on someone else, we should have really used
| these events as flags for identifying kids who could hone
| their computer skills into something "productive".
| genmud wrote:
| Are you me?! This basically was my experience working for a
| very large school district in the early 2000's. My favorite was
| they asked me to train a school bus driver to be the newest
| member of the IT staff because "they wanted to learn
| computers", it also just so happened that this person was the
| only person their budget could afford (less than 40k/year).
|
| I worked for them as a contractor for a while and one of the
| big issues they had was they had tons of money to implement new
| technology (mostly from grants and things like that), but
| nearly nothing to maintain old tech. They could buy new
| computers all day long, but if something needed to be
| repaired/updated/maintained, there was no budget or resources
| to do it. So there were all sorts of fun issues, like they
| would buy computers and before they could get deployed their
| warranty would expire (since they weren't allowed to buy 3 year
| warranties on the computers) and computers with bad HDDs would
| get disposed of, even though the fix might be $50 and 10
| minutes of time.
| yakk0 wrote:
| That's funny, I worked for a school district about 10 years
| ago and our IT director was also the transportation director.
| He knew nothing about IT but I guess they had to give the
| role to someone at one point and it was him. I think I lasted
| 2 years before finding my current job.
| Cthulhu_ wrote:
| I've had an internship once at a chain of elementary schools,
| the main IT guy(s) at those schools were regular teachers
| that had computers as a hobby. I came in with a few years of
| school, doing some maintenance, installing some printers
| (really satisfying with the stick-on stuff), fiddling with
| the server (a workstation in a broom closet), and playing
| runescape / internetting in the dark, warm server room at the
| other location away from the main IT guy.
| whymauri wrote:
| The IT in my district was so bad the students basically ran
| it for my middle and high school. We did all the desktop
| repairs and component swaps for free. I don't even think we
| had an "IT guy." This was 2009-2014 for me.
|
| On the bright side, we got comfortable with computers and
| ended up building our own little projects (in and outside of
| school). In 10th grade we souped up one of the engineering
| lab computers by consolidating a bunch of old graphics cards
| and played games on it, lol.
| foooobaba wrote:
| That's hilarious, at a small school our bus driver was the
| local it admin... 7 minutes of rainbow tables with ophcrack
| live cd was all it took to become domain admin.. never
| changed it for all 4 years lol.
| gorgoiler wrote:
| When I was a teacher my school IT was run as a petty fiefdom. I
| don't know if it was outright maliciousness, or just extreme
| anxiety from the IT team lead about job security, but they were
| universally derided amongst staff (including some senior
| managers I knew) as being terrible to work with.
|
| If I wanted to do something I would be told that there weren't
| the resources. If I volunteered to be those resources -- in my
| spare time! -- I would be told it's against policy. If I asked
| if we could revisit the policy I would be told I was welcome to
| ask the IT committee (closed door meetings, unminuted) to
| consider it for their agenda. Time passes. Proposal rejected.
|
| I gave myself one term to see if we could find a working
| relationship. It obviously didn't work out so I ghosted them
| and just did everything myself without asking, out of my own
| pocket. I felt like an asshole but at some point you've just
| got to move on, especially if your end goal is improving
| teaching and learning for the pupils.
| lostlogin wrote:
| > It obviously didn't work out so I ghosted them and just did
| everything myself without asking, out of my own pocket.
|
| In my one experience in a university, this is how it's done.
| Just set your own stuff up, hope you aren't discovered and
| ideally have a friend high up the ranks.
| mdip wrote:
| > I don't know if it was outright maliciousness, or just
| extreme anxiety from the IT team lead about job security
|
| It's probably anxiety about job security/being overworked
| rather than maliciousness, but it could be both. It is made
| more complex by the likelihood that the position pays far
| less than comparable positions pay elsewhere. This causes the
| district to hire whatever candidate they can get to take the
| job. The outcome of that works out one of two ways: (a) the
| employee leaves as soon as they have enough experience to be
| paid more to do less work by someone else or (b) the employee
| stays knowing nobody else will hire them and makes sure to
| only hire other people who know less than they do.
|
| > If I wanted to do something, I would be told that there
| weren't the resources.
|
| You were told correctly, but probably not told _just how bad
| it is_. If it works like it worked for folks I know in
| similar situations, 80% of the job -- regardless of what you
| were hired in for or what your title is -- is fixing things
| that teachers/administration broke or didn't know how to use
| correctly. Tell them the laptop is for school business only
| until you're blue in the face, they'll visit every web site
| offering Flash games, some will surf porn sites riddled with
| malware and if your IT guy doesn't have a mental breakdown by
| then, the only thing they're spending the rest of the 20% of
| time on is blocking teachers/non-IT staff from doing things
| that they've been told, clearly, not to do. The rest is spent
| locking things down _or_ softening security policies to keep
| teachers/non-IT staff from taking _more_ of that 80% time.
|
| > [Volunteering my time] is against policy.
|
| It could be against policy, but that's probably just an
| excuse being used because it's effective at shutting down the
| request. There's a _very good reason_ to say "no" in the IT
| person's mind: your volunteering will still involve their
| time, and if you're not as capable as you claim to be, it'll
| involve a _lot_ of their time. If you're one of their users
| and you're claiming to know a lot about IT, you're more
| likely to be seen as "someone who knows enough to be
| dangerous"--the worst kind of user. Even if they believe you,
| they're confronted with the reality that you deploying/using
| this new "unapproved thing", will cause others to ask for it
| -- another teacher/staff member will want it and at some
| point that IT person is going to end up having to deploy it,
| patch it, fix it, and maintain it. You'll find this thinking
| prevalent in most IT support organizations -- the camel can
| barely walk so it's easier to say "No" and hopefully keep it
| that way than say "yes" and add enough load to break its
| back.
|
| > I gave myself one term to see if we could find a working
| relationship.
|
| I feel your pain. I'm not sure what you've tried and you
| could very well have just run into a BOFH but assuming this
| IT person is typical of those I've worked with when I did
| this work, there are some options. You may have tried these
| -- it's not meant as "well, you obviously approached this all
| _wrong_" but rather advice for others on what I have
| personally seen work (and had work on me when I did this sort
| of work, albeit a long time ago).
|
| For anyone in a similar situation, there are a few ways to
| "hack your IT person". It's nothing magical and can be
| applied well beyond IT folks, but I'm aiming at folks in this
| conundrum. While I've not worked for a school district, I
| spent the first 10 years of my career in several levels of
| support/systems and ultimately architecture with the first
| few being similar to the whole "small IT with too many users
| who hate IT[2]". First, understand what their motivation is
| -- less support, more time to improve/architect (or play WoW
| ;) ...). If you have the expertise, approach that person and
| "talk shop" -- don't reveal that you "have skills", just ask
| a question or two in an area that teachers/staff often know
| little about, or go with a simple "I wouldn't do what you do
| ... all these teachers, many of whom haven't touched a
| keyboard that wasn't on their phone since 2010 or so ... it's
| got to be hell". If you can get them to tell a "war story" or
| two you'll probably find a few opportunities to say something
| that will reveal that you have somewhat of a clue what you're
| talking about. Do this outside of work, on their schedule --
| Happy Hour or off-site lunch (not often possible during the
| school day due to time).
|
| If things go well, say something like "I can't imagine how
| you get anything done with such a computer illiterate staff
| to babysit (aligning yourself with IT over said staff) ...
| I'm happy to help out anywhere I can if you can think of
| something I can do to reduce that grief[0]." This IT person
| spends their work life dealing _mostly_ with people who are
| unhappy about things that are broken and the staff they
| support place blame for those breakages, not the resolution,
| at their feet[1].
|
| You're now in the magical role of "the teacher who believes
| IT isn't incompetent." If you are received well, make your
| ask. Make it _very_ limited -- if you need to be an admin of
| your laptop, insist that it be temporary and that you'll
| call the IT person when you are done (offer to let them watch
| if they want. They won't). Insist that you'll not let people
| know IT made an exception and will provide the required
| excuse if someone notices you're running something they
| can't: usually "IT doesn't know about it" is settled on.
| Maybe it's something you want _every_ teacher to have --
| don't _dare_ explain that, and if you have to, outright lie:
| "I'm not interested in seeing the district adopt this, I just
| want to use it myself." You're not shooting your grand plans
| in the foot, you're giving yourself time to provide hard
| facts/evidence to make the case that it _should_ be deployed.
| If it works out well, start planting the seeds with your IT
| person: "I really love this application, thanks for letting
| me use it on my school laptop ... what do you think the
| support overhead for something like this would be if every
| teacher had it?" ... listen to their concerns, find answers
| to each of them, revisit the topic. Your IT person is used to
| management (administration in schools) saying "this is what
| we need on every PC" without care for what amount of
| work/grief IT will deal with to sort it out. Administration
| doesn't care about IT griping very much -- it's seen as IT,
| "yet, again", complaining about having to "do work" and
| treating completely reasonable (in their minds) requests as
| though they're equivalent to scaling Mount Everest. If you
| have the data from your unofficial pilot to back you up, and
| the right person in IT (at least) not working against you,
| and other financial considerations/contracts aren't in the
| way, you'll be successful. If you're successful and your
| project works, the next time you may not have to ask at all.
|
| Your IT person makes just as many judgements about you and
| their users as they make about IT but there's a lot more of
| you than there are IT folks. Having an ally/expert among the
| "clueless users" has a much higher value to your IT person
| than having that person as your ally does for you, even if it
| doesn't seem that way[1--(again)].
|
| [0] How much time is IT spending doing "Help Desk" kind of
| support for everyone outside of IT (regardless of
| title/responsibilities the IT person was hired in for)? It's
| probably 80% "User Support" and 20% "everything else" which
| means all of the effort put into "everything else" centers
| around reducing how often teachers have to take time away
| from IT. Your offer, if it's trusted, will reduce that burden
| at no cost to the IT person. Don't make that promise if
| you're not willing to do it, but it's unlikely anything will
| be asked of you.
|
| [1] In the "Game of IT Support" (or its variants: "The Game
| of Network Security Administration", etc), you can never have
| a score greater than "Zero". Zero is "everything works". When
| something breaks, you lose points. When you fix it, you gain
| points up to (but not always) your top score of "Zero". Roll
| out massive new infrastructure for WiFi? You're at Zero (or
| less since it probably won't work as conveniently as it does
| at home). You're an expense whose purpose it is to make
| things operate the way everyone expects they're
| designed/intended/meant to work. They also expect that you
| (IT) _shouldn't_ be necessary -- these things _should just
| work like my router/PC/internet service at home works_ and
| shouldn't require so much "policy" to "avoid doing things".
|
| [2] While I was still living with my parents, my neighbor
| referred me to the IT job -- he was in Development. I'll
| never forget when my Dad called me up asking "why is IT
| (where I worked) at (company) so bad?" after listening to my
| neighbor berate my company's IT operations teams (never me,
| specifically). We were _so_ hated. By everyone, especially
| non-Support IT. That was an impossible conversation to have.
| gorgoiler wrote:
| Thanks for taking the time to write all this up.
| forgingahead wrote:
| This is not unique to school districts at all, but any
| organisation, large or small, that treats IT/tech only as a
| necessary inconvenience, instead of an actual part of the org
| deserving of resources, planning, and people.
|
| If you work in tech/IT, and the big bosses consider you and
| your org disparagingly, leave immediately. Something bad will
| happen with their IT, and you will be blamed, hassled, and
| harassed for it.
| matheusmoreira wrote:
| > we don't have any money for that
|
| They always have the money. They just don't care about doing
| things properly. It simply isn't a priority for them.
|
| Makes me feel good when someone comes and exploits their
| negligence. It's like divine retribution and they're doing
| god's work. They tempt fate and the gods punish them by making
| them pay more than they would have paid had they done things
| right. Amazing.
| andrepd wrote:
| Except they don't pay themselves, that's why they don't care.
| pronlover723 wrote:
| Except they don't pay, you and all the other citizens pay via
| taxes
| judge2020 wrote:
| They don't personally pay. But they still have to balance
| the budget, and the more that's spent to help with
| gentrification of the surrounding area (such as via nice
| football fields, good teachers/a good greatschools rating,
| well-kept grounds and events) can help lead to increased
| future funding and thus a bigger paycheck, at least within
| 5-25 years.
| mdip wrote:
| My first thought: Your district had an IT department? I guess
| that's probably more common now than when I went to HS in the
| 90s but I'm fairly certain IT duties are still farmed out to a
| small business for the districts I live near.
|
| Outside of that, though, I've talked to folks who worked in IT
| at a nearby hospital[0] and knew several who worked in IT at a
| University a town over and heard variations of your story.
| After ransomware hit a few hospitals across the country, my
| hope is that this is less common but I'd be surprised if
| anything is meaningfully better.
|
| The problem with getting non-technical people to understand the
| importance of securing things is that they assume that
| everything provides a basic level of security. They read about
| hacks/attacks and hear about them on the news but they have
| probably not experienced one, personally[1]. They apply
| physical security considerations to the virtual world -- for
| instance, the keys you use to lock your front door are almost
| certainly _terrible_ [2] but requiring physical access to the
| lock makes attacks on them rare. And that's the rub, it's the
| mistake in thinking that "Nobody cares about my stuff enough to
| hack me" which is the evidence used to justify the "it's never
| going to happen to me". It's a failure to understand that _even
| if it were true_ that an attacker would literally have _no use_
| for anything you're protecting with a password (which is
| absolutely false -- your identity is enough) that another
| target will be chosen ahead of you[3]. On the internet, every
| target can be attacked at once, silently, from a distance and
| targets are chosen based on whether or not the attack succeeds.
|
| In a High School, you can fully expect there's at least one of
| _me_ in every graduating class. I'm surprised things like this
| don't happen _all the time_ given how little attention is paid
| to network security/endpoint security in these places. No
| amount of threats of expulsion, legal action, etc will serve to
| help when your attackers are High School students[4]. The same
| part of their brain that makes them believe they're
| immortal/causes irresponsible behavior early-on in driving
| causes them to not understand the real probability that they
| will face criminal charges which is coupled with them not fully
| understanding how badly those criminal charges will affect the
| rest of their lives.
|
| [0] The discussion arose after he had watched Season 1 of Mr.
| Robot and said "that's _exactly how it is here_ except we have
| a (technical) staff of two rather than one"
|
| [1] I can't tell you how many extended family members have
| shared that they still use a single password for every account
| and in a few cases, that password might as well be a variation
| of "Password".
|
| [2] I have a close friend who learned how to pick locks as a
| hobby; he filed me off a bump key and taught me how to use it,
| whacking it with a branch of a _tree_; I was able to open my
| supposedly "extra secure" dead bolt pretty consistently with
| about 15 minutes of practice, he's picked each of my locks at
| one time or another.
|
| [3] The old "You can't outrun the bear, but if you _and_ your
| friend are being chased by the same bear, you only need to
| outrun your friend".
|
| [4] I used to tell my kids that our High School not only had no
| doors in the stalls of the men's room, there had _never been any
| doors_ designed into the plan. The partitions were brick, there
| were no holes, anywhere, where doors had been removed. I
| figured this was to make it easier to catch kids smoking but
| while fixing his PC, I asked the principal about it. His answer
| was "vandalism" -- students would rip them out. Really?! I
| couldn't imagine this. Fast forward to this year, the doors on
| the stalls at my kid's HS were ripped out by students during
| the first week of class. The kids were caught, criminally
| charged and had to pay for the damage. Their reason? They saw
| someone do it on TikTok and didn't think they'd get caught
| (there are _2_ dome cameras at the entry to each bathroom!).
| Despite paying for the damage, the doors are not coming back
| this year -- I'd wager they'll never come back.
| nudgeee wrote:
| I got in trouble and subsequently suspended from school back in
| the '90s for causing BSODs on classmates' computers using WinNuke
| [0]. They classed it as vandalism even though the payload causes
| no permanent damage (apart from losing unsaved work).
|
| I found more severe vulnerabilities including being able to lift
| home addresses of students by querying an unprotected endpoint.
| Didn't get in trouble for this one, and reported it promptly to
| the IT administrator.
|
| [0] https://en.m.wikipedia.org/wiki/WinNuke
| cghendrix wrote:
| I thought I was cool being able to modify the ready message on
| printers across the school network. This is really impressive.
| drusepth wrote:
| In middle school I used Javascript to change Google's button
| text from "I'm feeling lucky!" to "Andrew is the best!"
| (javascript:getElementById('').text='blah')
|
| I showed some other students who were so freaked out that I had
| "hacked Google" that I got the attention of the librarian, who
| promptly banned me from the library computers for the rest of
| the year, even after I refreshed the page to show them it
| wasn't "real". Oof.
| cghendrix wrote:
| Haha when I was searching for printers across the district
| network the librarian was looking at my screen. She called me
| out across the room asking why I was looking at printers at a
| different school. Oof.
| person22 wrote:
| I wrote an infinite loop in postscript and sent it to all the
| printers. This was when postscript printers cost a fortune so
| there were not many of them. Fun days were those.
| earksiinni wrote:
| Serious question. What, if any, instruction do kids these days
| receive regarding what's allowed on computer systems?
|
| I remember in high school poking around a network drive until I
| found an executable with the name "SEND" in the name. I had a
| sense that it would send some kind of message somewhere, but I
| honestly didn't know where or to how many people. I was quite
| surprised when all the screens in our computer lab froze and,
| five seconds later, my message appeared on all of them. (I later
| learned that my message appeared on every desktop screen in the
| school!)
|
| I'm not sure exactly how they found me out, but I was called into
| the IT admin's office a couple of days later. She was furious
| with me. I told her the truth. I didn't know what exactly would
| happen when I ran that command, but she didn't buy it.
| Fortunately, nothing ended up happening after that.
|
| I've wondered to this day what exactly they could have done to me
| if they decided to press whatever legal authority they might have
| had to its fullest extent. I was never told "don't go to Z:\" or
| "don't run any program other than those on this list." Even after
| I was found out, I wasn't ever explicitly told that my actions
| constituted unauthorized access.
|
| It was a different, perhaps more innocent (or ignorant) time back
| then. How much have things changed now?
| quesera wrote:
| I can't answer your question, but I strongly suspect the
| backstory on your furious IT admin went something like this:
|
| * SEND happened
| * Minor kerfuffle ensued among various functionaries
| * Big Boss worried that something Big was going on
| * IT admin was questioned and had no answers
| * Simmer for a few days, Big Boss repeating questions and IT
|   admin being flummoxed
| * Eventually adequate logs are found and correlated that place
|   you as the likely responsible party
| * IT admin is lathered up about a big nothing because Big Boss
|   keeps asking and their competence is in question
| * IT admin unleashes the pent up frustration of a few days of
|   stupidity and job security uncertainty on you, and is not
|   satisfied that all this drama was initiated by boredom and
|   not malice
| * IT admin reports to Big Boss, who basically brushes it off
|   because they have moved on to other things -- and at the end
|   of the day knows they run an organization filled with kids,
|   some of whom are more curious than others
| * Issue disappears
| thrashh wrote:
| Kids have been jumping fences for millennia.
|
| That said, I did know a kid that had charges pressed against
| him when I was in school so things weren't necessarily innocent
| back then either. He was admittedly an idiot and borderline
| malicious though.
| jovial_cavalier wrote:
| I graduated high school in 2015. I remember similarly poking
| around a network drive until I found a file in plaintext which
| contained everyone's student ID and whether or not they had a
| nut allergy (protected by HIPAA), for the bus system.
|
| I didn't think much of it, but some other students caught wind.
| Before I knew it, the superintendent threatened to have the
| police involved and press legal action for "hacking
| confidential student data."
|
| It's CYA all the way, usually at the expense of the person in
| the chain least equipped to cover their ass (the student).
| earksiinni wrote:
| Wow. That's terrifying. And you didn't even run anything!
|
| I'm guessing that they never told you "don't browse this
| network drive"?
| Buttons840 wrote:
| Never press F12 while browsing. Instant hacker.
|
| Seriously, I found a state website that appeared to be
| exposing NPI about certain people in an API response. So
| much NPI nicely formatted in a JSON response. I closed the
| page and never touched it again. You know the state will
| declare me a dangerous and sophisticated hacker because I
| pressed F12 to open the developer tools, that's much easier
| than admitting they made a mistake.
| 35fbe7d3d5b9 wrote:
| > whether or not they had a nut allergy (protected by HIPAA)
|
| Personal pet peeve:
|
| Your high school is not a covered entity and is not acting as
| a business associate of a covered entity. HIPAA does not
| apply. They are free to keep a plaintext file with your name,
| nut allergies, COVID vaccination status, and anything else
| they want to put in there - without HIPAA entering into the
| discussion.
|
| FERPA could apply, but I don't know much about that.
| drusepth wrote:
| Similar story: the dean of my "high school" [1] asked me to
| create our school website. Another student apparently poked
| around on a network drive and found an SQL dump of all the
| students' network username/passwords. I brought this file to
| the dean, told them it was available on a shared drive (so
| they could remove it), and asked if they'd like me to use it
| -- since I already had it -- to enable all the students to
| log in to the school website with their existing network
| usernames/passwords. They said that was a great idea and gave
| me the OK.
|
| A week later, police escorted me from my dorm and both I and
| the other student were eventually expelled and threatened
| with harsh legal action, which never came.
|
| [1] The "high school" was an early-entrance-to-college
| program where we started college at 16, lived on campus, took
| the normal freshman/sophomore college courses, and eventually
| received a high school diploma _and_ an Associate of Science
| when we graduated at 18. The website was for the school I
| attended, but the SQL dump included all of the university
| students as well. The school has since shut down.
| alexbrower wrote:
| Hope there was still time to amend the college applications with
| a link to this post.
| buzzert wrote:
| Hopefully everyone here has seen the movie Hackers, where a
| similar, but slightly more destructive prank involving the
| school's sprinkler system took place.
| theshrike79 wrote:
| We figured out that our computer class had a few computers
| infected by the Ambulance virus[0]. So of course we intentionally
| infected all the computers with it =)
|
| On the other hand me and a few of my friends were the only
| computer literate people in the school and were tasked with
| removing it in the end.
|
| But still, it was fun seeing a whole class of computers have an
| ambulance run at the bottom of the screen with the poor beeper
| emulating the siren.
|
| [0] https://en.wikipedia.org/wiki/Ambulance_(computer_virus)
| Timpy wrote:
| > I used a loop of the DVD bouncing logo to test stream quality.
|
| This is a beautiful touch, if somebody happened across his
| testing in the middle of the night they wouldn't suspect anything
| was amiss.
| Justsignedup wrote:
| My time in high school was wasted. Kudos to these amazing kids.
| 1024core wrote:
| > In fact, he thanked us for our findings and wanted us to
| present a debrief to the tech team!
|
| This is the only acceptable response.
| azinman2 wrote:
| Reminds me lightly of when I was in high school, email was fairly
| new -- especially at a school. My friend at a fancy private
| school had a Linux machine to access, and she really wanted to
| know what someone else had said about her. I managed to script
| kiddy my way in leveraging her existing shell login, got root,
| and read the email. What I didn't realize was that my .history
| file contained everything I had done. Eventually the sysadmin
| wrote me an email saying he knew what was going on and wanted to
| meet up, stating 'he wouldn't cuff me' and that he was 'a chill
| dude'. I was obviously scared, deleted everything, and tried to
| pretend nothing ever had happened.
|
| Luckily no one got in trouble (meaning me or my friend). Not so
| sure this would happen in 2021.
| godtoldmetodoit wrote:
| Reminds me of when I attended my district's technical career
| center for 2 years. We had ~3 hours of various IT learning every
| morning with kids from high schools all over the county before we
| all went back to our normal schools.
|
| We'd of course run out of stuff to do and start messing around
| with our newly honed skills. Learning about net send wasn't too
| bad, we just sent dumb messages to each other. But learning
| vbscript combined with net send... you could DoS the other
| machines with a for loop.
|
| One morning I was playing around with the net send script, but
| accidentally plugged into the schoolwide LAN instead of our local
| network... every computer in the building got locked down with
| some idiotic message my 17 year old brain had come up with. IT
| took an educated guess and came down to our class and I fessed up,
| thankfully they let me off with a stern talking to and promises
| to never do it again.
| particulars02 wrote:
| Greatest rickroll since S2E10 of Ted Lasso.
| pkpioneer wrote:
| LG is acquiring automotive cybersecurity startup Cybellum in a
| $240M deal: https://pkpioneer.blogspot.com/2021/09/lg-is-
| acquiring-autom...
| CountDrewku wrote:
| Ugh. I worked school IT in the past. You're not as smart as you
| think you are. These vulnerabilities are typically known but
| there's not enough time, money, or the devices themselves can't
| really be locked down or hacker proofed any more than they
| already are.
|
| If you do something like this at least consider that someone else
| is going to be cleaning your mess up.
|
| School kids are the worst users you can ask for. Unlike a normal
| business where they'd be punished or removed for something like
| this the kids will deliberately try to destroy the school
| network.
| ElFitz wrote:
| Fellow high school students just loved me when, after giving up
| on ophcrack, I found out that on Windows XP, a limited account
| could simply escalate privileges by scheduling a command.
|
| First installed some open source FPS on all computers. They got
| found and removed, and we all got moved to guest accounts.
|
| I then found something called DreampackPL. Just pop in the CD,
| boot on it, replace the pinball game with their executable,
| reboot. And voila, access to everything. Just remember to put the
| pinball back afterwards.
|
| That's when the BIOS got password protected.
|
| My next step? Opening the machines up to move a jumper. Do
| everything all over again, but this time on a hidden windows
| account.
|
| The IT admin was a student's parent. Just spent years making the
| poor guy run in circles before the school administration finally
| gave up.
| begueradj wrote:
| seriously scary stuff, thank you for sharing
| 908B64B197 wrote:
| I just hope the author, at least, applied to MIT. He would fit
| right in.
|
| http://hacks.mit.edu/.
| mister_c_dub wrote:
| What a legend.
| elymar wrote:
| Pool on the roof must have a leak.
| belval wrote:
| The fact that the administration didn't choose to sue them to
| oblivion is refreshing. I hope we'll see a trend in the future of
| educators being smart enough to admit that they made a mistake and
| to encourage the students to develop their talent.
|
| One can only hope.
| _wldu wrote:
| Being a minor probably helps. There are so many laws today.
| It's too risky to do this. It's not like it was 25 years ago.
| flatiron wrote:
| I was suspended for a week for creating a network share in my
| typing class and dividing the work among my friends and we
| copied and pasted into a single document on the share. This
| was on Windows NT though so a LONG time ago. It's also I
| guess "cheating". But they got us on "computer hacking"
| johnebgd wrote:
| I used CACLS with an Office hack in NT / 9X to copy
| homework. Never got caught for that.
|
| They got me on propagating computer games through the
| network using shared drives the teachers were supposed to
| use for homework.
|
| We had BNC network cables in those days and the entire
| building shared a single T1 line for several hundred
| computers.
|
| The world has changed.
| squareof wrote:
| Same thing here. Teacher came into class with his multiple
| month investigation comparing all students work
| highlighting common errors. Found three different groups
| that were sharing work load. In school suspension for all
| of us, only like three kids left in class for the week.
| arenaninja wrote:
| Also in my typing class circa 2004 the teacher was about to
| kick me out because he thought I was on a chat room during
| his class. I was actually viewing page source on an HTML
| document
| the-dude wrote:
| _You were hacking a website_
| mrexroad wrote:
| 25 years ago wasn't any better... I recall several in my
| circle getting suspended for harmless things. The lesson:
| don't explore, don't be curious, and don't try to fix
| anything related to the school and computers. Sigh.
| AnIdiotOnTheNet wrote:
| People on HN always act like what they were doing was
| almost noble. You weren't. If you had been picking locks or
| even rummaging around unlocked desk drawers you'd get the
| same treatment and deserve it.
| PradeetPatel wrote:
| Consent is paramount when doing that type of exploration.
| Without explicit permission, how would an IT administrator
| distinguish the difference between a curious student and a
| malicious attacker?
| jhgb wrote:
| Well, I imagine that would require using a brain, which
| may be an onerous requirement.
| burnished wrote:
| You're not wrong, but I think it might be helpful to
| think of this in different terms. Teenagers, with
| burgeoning agency, are being denied the ability to
| meaningfully impact their environment yet are bound to it
| for most of their lives.
|
| I agree with you that explicit permission is important,
| but it is also something that young people are frequently
| and explicitly denied. I don't think the solution is
| condoning that sort of 'extracurricular', but I think we
| should recognize the problem is probably starting with
| the adults in the situation.
| BackBlast wrote:
| You would think so, only this is a bit opaque when
| dealing with a local school and a district bureaucracy
| with various computer labs, internet and phone systems.
| As a student, you may think that the right person to ask
| is the local teacher who has control of the asset.
| Especially if that teacher has been assigned IT duties.
|
| But to many school administrators consent of teachers is
| meaningless. Those assets aren't owned by the teachers
| but by the district, even if they are the apparent
| authority figures and stewards in the eyes of the
| students.
| bluedino wrote:
| Yea, kids would get expelled in the old days for putting a
| screensaver password
| judge2020 wrote:
| It can get pretty messy. For example, they could wait until
| they're 21 to try them as an adult, even if it was committed
| at 17 or younger [0 p. 128]:
|
| > a person who committed the offense before his eighteenth
| birthday, but is over twenty-one on the date formal charges
| are filed, may be prosecuted as an adult.... This is true
| even where the government could have charged the juvenile
| prior to his twenty-first birthday, but did not.
|
| However, the statute of limitations for CFAA violations is 2
| years [1 p. 2] so this might not apply. If somehow they can
| still go after him at 21, this post could play a part in
| evidence for performing the hack (I truly hope not).
|
| 0: https://www.justice.gov/sites/default/files/criminal-
| ccips/l...
|
| 1: https://www.goodwinlaw.com/-/media/files/publications/10_0
| 1-...
| giantg2 wrote:
| The newest policy is to charge minors as adults unless
| there's a compelling and beneficial reason not to. I think
| that was a DOJ change around 2009. Not sure how many states
| followed suit. But in general, it's increasingly likely that
| minors are being charged as adults.
| nielsbot wrote:
| Probably helps that "We prepared complete documentation of
| everything we did, including recommendations to remediate the
| vulnerabilities we discovered. We sent a comprehensive 26-page
| penetration test report to the D214 tech team and worked with
| them to help secure their network."
| munificent wrote:
| In many cases, a 26-page report documenting the incompetency
| of a team would not be taken kindly.
| AnIdiotOnTheNet wrote:
| I find it annoying that people immediately assume
| incompetence and not inadequate staffing or conflicting
| priorities. I worked at a school district for a few years
| and we were woefully understaffed for what we had to cover.
| In situations like that you do what you have to so teachers
| can teach, move on to the next emergency, and hope like
| hell some self-important little shit doesn't burn
| everything to the ground.
| IshKebab wrote:
| That hasn't helped in the past. Frankly I think they were
| naive to reveal themselves no matter what the authorities
| said. It hasn't gone nearly as well for other people.
| treesknees wrote:
| The students were extremely lucky.
|
| The advice given to me in high school (I was working on
| tech projects after school for several teachers and groups)
| was to not even try or explore poking around the IT
| networks no matter how good my intentions were. All it
| takes is one grumpy school administrator to feel undermined
| or to misunderstand your report and you could be expelled.
|
| When you're in a position like a student, you're still
| working your way up and building credibility. No need to
| risk it all for an IT group that doesn't want your security
| advice and didn't ask for your help.
| dylan604 wrote:
| It doesn't stop at the student level. Find something at
| the corp level with an arrogant IT dept, and you'll find
| yourself in uncomfortable situations as well.
| adventured wrote:
| It's always fascinating how dramatically different
| schools can be. When I was in high school, in the late
| 1990s, nobody would have cared so much about something
| along these lines. At worst it would have resulted in a
| three day suspension from school and lecture from the
| principal.
| PradeetPatel wrote:
| Seconded, the same advice has also been given to me back
| in India.
|
| "Know where your boundaries are and who your stakeholders
| are, don't do anything that will make your stakeholders
| look bad." It's a life advice given to me by my high
| school teacher that served me well in my professional
| life.
| [deleted]
| rootsudo wrote:
| Yep - I, like many of my friends and people who are
| naturally curious and work today in "Cybersecurity" had
| fun, poked around - but once you found little data troves
| - it reveals how inept a lot of people can be.
|
| And you just volunteer to be thrown under the bus as that
| "hacker."
|
| Anonymous, maybe. As a student, under 18 - you're
| "immune" from many things - but it can be a stain.
| colinmhayes wrote:
| He had already graduated, so expulsion wasn't an option.
| ohazi wrote:
| Expulsion is one of the friendlier outcomes. Federal
| prosecution and prison time are also very realistic
| options here. It's happened to other well-meaning kids on
| many occasions.
| 63 wrote:
| He addresses this pretty well in the post imo. His
| co-conspirators remained unnamed while he alone revealed
| himself because he wanted to publish this post and it's
| highly likely he would've been blamed anyway.
| dont__panic wrote:
| The poster/hacker actually addresses this -- he doesn't
| reveal himself until _after_ graduation, keeps his fellow
| hackers secret still, and mentions that he was most likely
| the prime suspect in the district anyway. Seems like a fair
| tradeoff if he wanted to make this blog post, though school
| districts could be nasty and litigious, I guess.
| throwawayboise wrote:
| Pretty sure there's nothing stopping the school district
| from retroactively rescinding his graduation, or refusing
| to send transcripts to universities, or informing those
| universities of his transgressions, which would probably
| result in revoked admission.
| duped wrote:
| It's still a terrible idea to admit to committing a crime
| under your real name before the statute of limitations
| has run out
| generalizations wrote:
| Is there even a statute of limitations for this kind of
| thing? Seems way better to just never admit to it at all.
| greyface- wrote:
| The CFAA has a statute of limitations of 2 years.
| sneak wrote:
| "sue" suggests civil action and a decision by the wronged
| party.
|
| They're lucky a prosecutor didn't prosecute them for criminal
| activity. The school would not have any say about whether or
| not this happens.
| throwaway0a5e wrote:
| >The school would not have any say about whether or not this
| happens.
|
| Schools are members of the local government "club".
| Prosecutors don't generally burn political capital giving the
| bird to other members of the club like that without a good
| reason.
| Accujack wrote:
| I'm sure it helps a lot that they're in a high tax base area,
| and the quality of the educators hired probably reflects that.
|
| https://statisticalatlas.com/school-district/Illinois/Townsh...
| Waterluvian wrote:
| Yep. What they did was wrong. And by doing so they threw
| themselves at the mercy of the entity they hacked. The
| refreshing part is that the entity did the morally right thing
| and showed mercy.
| Angostura wrote:
| > What they did was wrong.
|
| It was certainly against the rules. I'm not so sure it was
| wrong.
| Waterluvian wrote:
| If I broke into your home tonight to play a prank on you
| and then handed you a white paper about how to better
| secure it, how would you feel?
| GreenWatermelon wrote:
| except in the case of my home all my doors were unlocked.
| I would definitely appreciate a paper about how to secure
| my home, especially if the intruder took great care not
| to cause any damage or disturbance.
| NaturalPhallacy wrote:
| Breaking and entering vs. playing a harmless video at the
| end of the day in school.
|
| False equivalence.
| Waterluvian wrote:
| Unlawful access to a computer network is often a far more
| serious crime with stiffer penalties.
|
| So perhaps you're right that it is a false equivalence.
| teddyh wrote:
| Now you're reverting to the "it's against the rules"
| stance again.
| edoceo wrote:
| Too right! Get this kid a job, not punishment.
| bluedino wrote:
| I'm glad to see a kid using bash and not something like _gulp_
| PowerShell
| codezero wrote:
| Not to diminish your comment, but a thing I've found late in my
| career is to abandon dogma when it comes to young folks
| learning. If they can learn with PowerShell, they're a lot
| better off than a lot of young folks! There is no one-true-
| way and as soon as you find it, another generation will show
| up with another-true-way :)
| blacktriangle wrote:
| Credit where credit is due, we all WISH *nix had something
| like PowerShell. Passing strings from program to program is a
| pain, passing around .NET objects instead is a great step
| forward, as can be seen by the several attempts at similar
| shells passing around JSON objects.
| throwawayboise wrote:
| > Passing strings from program to program is a pain
|
| The internet has been pretty successful and many popular
| protocols (http, smtp, etc) are exactly "passing strings
| from program to program"
| AnIdiotOnTheNet wrote:
| Which is why all browsers render the same thing exactly
| the same way and there's no need at all to test more than
| one. Yep.
| oneplane wrote:
| The presentation layer has nothing to do with the protocol
| layer...
|
| If you pump some serialised binary into a browser it will
| still render wrong.
| majormajor wrote:
| And behind the scenes of internet-based services there's
| a whole ecosystem of "how can we do shit more robustly
| than just passing strings around" (or even for "better
| than XML or JSON").
| simorley wrote:
| > Credit where credit is due, we all WISH *nix had
| something like PowerShell.
|
| Who is "we". I've worked exclusively on a windows stack so
| used powershell on the job. But at home, I use bash. I
| don't want something like powershell in *nix and don't use
| powershell on *nix even though it's been available on *nix
| for many years now.
|
| > Passing strings from program to program is a pain
|
| You can argue it's the basis of computer science and also
| pretty efficient.
|
| > passing around .NET objects instead is a great step
| forward, as can be seen by the several attempts at similar
| shells passing around JSON objects.
|
| Passing around objects can be slow, inefficient, wasteful,
| etc though it can be convenient.
|
| If you are on a windows stack then go with powershell. If
| not, then go with bash. Nobody should be on a windows stack
| but sadly, much of the business world has been captured by
| microsoft.
| bluedino wrote:
| Parsing strings in Powershell is super complicated compared
| to regular Unix tools
| jdmichal wrote:
| PowerShell has been available on Linux via .NET Core since
| 2016 and version 6.0. Even my Windows box with PowerShell
| 5.1 likes to remind me of this fact every time I start it:
|     Windows PowerShell
|     Copyright (C) Microsoft Corporation. All rights reserved.
|
|     Try the new cross-platform PowerShell https://aka.ms/pscore6
| jerrysievert wrote:
| yep, always good to get ads on your shell when you start
| it.
|
| it's like those awesome ubuntu login motd's, I look
| forward to them every time I log in, just in case the ad
| changes.
|
| er ...
| judge2020 wrote:
| On that note, i'm saddened Windows 11 doesn't ship with
| Powershell 7. Are there that many breaking changes in the
| switch from 5 -> 6 or 5 -> 7?
| oneplane wrote:
| There have been REPLs like PowerShell for ages, it's
| nothing really new. The only nuance in this is that it is
| new in the Windows ecosystem to have something like that
| supported by Microsoft. Ironically, it hasn't managed to
| displace the command prompt or batch files, so instead of
| having to deal with one thing, you now have to deal with
| two things.
|
| As for the passing of strings: it might seem like a pain,
| but as soon as you start working with non-program I/O it's
| not like you'll have much of a choice. Keep in mind that it
| is the lowest form of communication and you can build on
| top of that. Same with I/O in general: nothing prevents you
| from using shared memory or a device instead.
| jve wrote:
| > Ironically, it hasn't managed to displace the command
| prompt or batch files
|
| I don't think they expect that people would rewrite
| their old scripts. That is actually silly to consider.
| Even with console vs terminal, they are concerned of
| backward compatibility and leaving it as is:
|
| > Windows Console will continue to ship within Windows
| for decades to come in order to ensure backward
| compatibility with the many millions of existing/legacy
| command-line scripts, apps, and tools
|
| https://devblogs.microsoft.com/commandline/windows-
| terminal-...
| oneplane wrote:
| They could just have an alternative interpreter mode to
| support batch files, or even have a cmdlet that does just
| that. If people like to point and click, associate that
| with a cmdlet (they can do that, right?) and there you
| go.
| IshKebab wrote:
| You're glad to see them using the ancient clusterfuck that is
| Bash, and not a modern relatively sane shell that is
| indisputably the most seminal shell in the last 30 years?
| orwin wrote:
| Nah, i actually used powershell before bash because i did a
| lot of android hacking stuff before learning to code. I
| worked with Powershell 3, powershell 4 and powershell 5.
| Powershell 3 was the most painful thing to work with. No
| state across session, the default were shit so i had to
| reconfigure more often than not. Slow, painful, buggy...
| Around the same time i learned how to bash pretty well in
| two days, use rsync, use ssh, use sed and awk... Powershell
| 3 was shit compared to this.
|
| Then i used powershell4, i guess it was better but honestly
| i don't think i've used it very much. Powershell5 might be
| better than bash for 90% of the dev population though.
| jhgb wrote:
| Well at least it's a racing horse and not a turtle.
| flerchin wrote:
| Seminal.
| Miner49er wrote:
| Powershell is actually good though.
| rsp1984 wrote:
| In case anyone else is wondering how the heck the kid got access
| to the district's network, the key sentence is hidden in the
| middle of the post:
|
| _Since freshman year, I had complete access to the IPTV system.
| I only messed around with it a few times and had plans for a
| senior prank, but it moved to the back of my mind and eventually
| went forgotten._
|
| Not sure why they don't go into more detail about how exactly
| "complete access" was obtained, since that is obviously the
| hardest part of hacking any system. Not trying to downplay the
| achievement here, just think that this would have deserved a bit
| more detail.
| ajcp wrote:
| He explains it quite clearly that him and his friends were port
| scanning the school's network for funsies.
|
| "From the results, we found various devices exposed on the
| district network. These included printers, IP phones... and
| even security cameras without any password authentication!"
| kevinsundar wrote:
| It seems like he just was on the school network and the IPTV
| devices were also on the same network with no authentication.
| mwcampbell wrote:
| I wonder how they managed to achieve perfect synchronization
| across the whole district, or even between IPTV players in one
| school. Sure, maybe that ability is built into the IPTV system,
| but I wonder how it's done. Did the players all sync their clocks
| from a central server, pre-buffer the stream, then start playing
| when the local clock hit a certain time?
| BeFlatXIII wrote:
| I remember being in elementary school and avoiding the net nanny
| by viewing one of the network drives that students (somehow) had
| access to but weren't told about. Eventually, someone in my class
| poked around enough to find BESS.exe and deleted it and we had
| unfiltered internet for a day.
| gjsman-1000 wrote:
| I was at my own community college 2 years ago, and they had those
| Smart TVs showing news and weather everywhere, as well as custom
| images uploaded by the clubs on campus.
|
| It was supposed to be that a club could log into them, make, and
| submit a graphic to display on the TVs, but the school would have
| to review them before they would be displayed.
|
| However, I would later find out, a software update had messed up
| the roles system and so that club username/password which was in
| a public document actually had the ability to post things
| immediately on the TVs, without review. I found this out when I
| made a Math Club poster, hit the button, and it was immediately
| live without a check.
|
| I just reported it and it was fixed the next day. My instructor
| said that could have been really really bad considering some more
| unscrupulous college kids who would have (not naming names)
| probably gotten a kick out of throwing pr0n on them...
| hx2a wrote:
| When I was in High School (early 90's) we got a new computer
| system that nobody was using yet. I discovered there was an email
| system of some kind and that every student had an email address
| that we were not told about. I also discovered Tetris installed
| in a directory on the server. I was able to play Tetris and I
| could show other students how to access it, but it was
| inconvenient to get to.
|
| Therefore I decided I would email Tetris to every student (I
| emailed the executable, not a link to Tetris), making it easier
| for everyone to play also. As soon as I did this the entire
| system got very slow...apparently the server had no quotas or
| partitioning and the hundreds of copies of Tetris filled up 100%
| of the hard drive space. It was a disaster. The computer
| "specialist" had no idea how to fix the system and she was
| teaching an adult education class that evening that required the
| system to work. She was furious and wanted me to get suspended.
| It didn't happen though because I spoke up about the problem
| right when I knew there was a problem and also some other
| teachers intervened on my behalf.
|
| The woman who was responsible for the computer system back then
| is now the superintendent of the school system. I wonder if she
| remembers me.
| codazoda wrote:
| She remembers you.
|
| I also graduated in the early 90's and my children recently
| graduated from my alma mater. When I went with them to teacher
| conferences some of the same teachers were still there.
| Teachers that I didn't even have classes with remember me.
| zengargoyle wrote:
| In like '89 when I was 19 and at university my work-study job
| was with the IT/ComputingResources department (old names). I
| worked as a graveyard shift NOC operator swapping tapes and
| handing out print-jobs, running system tests and stuff like
| that. We had several 24/7 computer labs full of Sun 3/50(60)
| workstations and things like that. But there was one lab that
| was closed from 10-5 overnight and I thought to myself "hey,
| there's a whole room of workstations not doing anything" so I
| wrote some scripts rsh/NFS and used that lab one night to run
| distributed ray-tracing jobs. The next day my account was
| disabled and I had to go talk to Security. They sorta laughed a
| bit then went like NO don't do that. I worked for the IT
| department for the next four years. Then I left for a decade.
| Then I came back and applied for a job. The interview lasted
| all of five minutes, I worked for a few months before being
| forcibly promoted up into the upper circle. My first task was
| to go around to the dozen others who had root and ask for
| advice and update the root-speech documentation. I got to
| Security.... tippity tappity "Oh, hello Mr. zengargoyle, let's
| see... '89 'misuse of computing resources'." LOL, still had
| root by the end of the day.
|
| So, this is just to say... that places like education where
| people may stick around for a long while in the system and
| such. They probably do remember a bunch of events from even a
| decade ago. It's the good places that have a sense of humor or
| appreciation for a worthy harmless infraction. They may even be
| secretly proud or have some admiration.
|
| Though I do sorta fear that I just happened to hit the tail end
| of old-school hackery where such things are
| rewarded. Now get off my lawn.
| mingusreedus wrote:
| my old school used this old as hell system using two solaris
| servers that we would connect to via thin clients. i got root
| creds to everything in our school district and on my very last
| day at that school i decided i'd do everyone a favour and at
| least update the system from firefox 3 to firefox 12. well,
| shortly after installing the package everyone's clients stopped
| responding and that's the day i learned about dependencies.
| everyone kind of knew it had to be me that screwed everything,
| but nobody said anything and they were grateful to have gotten
| rid of that horrible old system.
|
| Unfortunately they decided to replace it with windows now, but my
| little brother is doing a great job keeping the people managing
| that new system on their toes ;)
| jackson1442 wrote:
| About two years ago, I was in high school and decided to, as a
| joke, "hack" the computer. By logging in as admn:password. I was
| incredibly surprised when it actually ended up working as a
| domain admin account. After checking this, I immediately signed
| out.
|
| When my CS teacher filed a ticket asking "who has the user
| account 'admin' and why is the password 'password?'" IT wanted to
| revoke my network login and probably put me in ISS for a few
| days. Fortunately, my CS teacher didn't reveal who I was.
|
| Very glad IT at this person's school took it in stride,
| unfortunately this was just the MO of IT in my district.
| themantra514 wrote:
| This is the way.
| kervantas wrote:
| The s in IoT stands for security.
| don-code wrote:
| I'm impressed with how much foresight this high schooler had in
| preparing for the prank. My impression is that most high school
| age kids would out themselves within the first few weeks of
| planning due to wanting to boast, here they instead took to
| testing covertly, overnight.
| pranavnt wrote:
| This is amazing!!
| mmaunder wrote:
| Someone I know did something similar, was arrested in their
| college dorm, and at the sentencing hearing in federal court was
| fined and sentenced to 5 years probation, and now has a criminal
| record.
|
| This kid is very very lucky. Obviously they violated the CFAA
| which carries severe criminal penalties. They engaged in actual
| hacking without any permission or defined scope. And they
| exploited the system without any responsible disclosure process.
|
| Anyone in the field will tell you that this is an absolute
| disaster of a post because it sends the signal to other young
| aspiring cybersecurity professionals that this is OK, and the
| school will laugh it off, and you'll be seen as an adorable
| Matthew Broderick type Wargames character. I can't overemphasize
| how far this is from the truth in 2021.
|
| Absolutely do not access systems you are not allowed to. If you
| do want to do penetration testing, you need permission from the
| systems owner and a clearly defined scope. And when you do find
| issues, you don't exploit them, you responsibly disclose them
| within a clearly defined framework.
|
| If you want to end up with a criminal record that will profoundly
| affect the rest of your life, including your career prospects and
| ability to travel internationally, then by all means, do what
| this guy did.
|
| I wish it wasn't so. It never used to be. But this is how it is
| now. Overzealous prosecutors have been given a huge amount of
| power, and all you need is one embarrassed systems administrator,
| school board or management team to trigger a disastrous outcome
| in stories like this.
| inputsecretcode wrote:
| Wow that's terrifying, I'm from the EU and did 1000x worse
| stuff than that, never suffered any consequence, which is not
| right, but teenagers going to prison for hacking pranks it's
| really fucked up.
| bsza wrote:
| > This kid is very very lucky.
|
| No, he is just smart. He did it anonymously. He knows how to
| cover his a$$.
|
| > it sends the signal to other young aspiring cybersecurity
| professionals that this is OK
|
| The post literally has a whole section dedicated to explaining
| that this is not OK, but whatever.
| jdkee wrote:
| This post is 100% spot on. While the local school district may
| treat it as a prank, in the U.S. the federal authorities may
| not. To see how seriously the government takes this act, look
| at the penalties section of the relevant U.S. code.
|
| https://www.law.cornell.edu/uscode/text/18/1030
| collegeburner wrote:
| Yeah, go to them about ransomware gangs or nation state
| actors and you basically get told "lol we can't do shit".
| Complain about a kid prank and they'll go apeshit and make a,
| uhh, federal case of it to make themselves feel needed.
| dakna wrote:
| And yet, there is overwhelming demand for what the government
| calls "cyber security". As a developer it is easy to get good
| at your craft by practicing and learning, how in the world is
| a security specialist able to practice without asking for
| permission or already having a job? A home lab setup? A
| college degree and formal education? I'm curious how people
| actually evaluate this career choice.
| ActorNightly wrote:
| In my personal experience with working in government
| related cyber security, the positions are for dudes that
| type bash commands to run tools that are all developed by
| 3p companies, which end up hiring people regardless of
| criminal history.
| aerostable_slug wrote:
| Capture The Flag challenges. You don't need much more than
| a terminal.
| rhexs wrote:
| The leetcode of the security world! Thankfully not that
| bad...yet.
| jjoonathan wrote:
| Gross but true. The administration has every incentive and
| opportunity to spin this into a self-serving story about taking
| down evil sinister hackers -- and maybe scapegoat a few
| unrelated problems while they are at it.
|
| I am delighted that these admins had the character to resist
| the perverse incentives of the system.
| marvin wrote:
| There is something obscenely totalitarian about this whole
| mindset. You're making a very pragmatic point, but take a step
| back and look at the whole thing.
|
| You're warning a teenager against making a brilliant, harmless,
| funny and responsible prank so that they won't get their whole
| life fucked up forever. Think a little about what kind of
| political system necessitates that kind of ridiculous warning.
| What sort of nation does this kind of thing to its kids? If we
| strike the United States from the list, what sort of countries
| are left?
|
| You guys really need to get your so-called justice system
| sorted out. Sorry to make such a blunt point, but this is
| depressing as hell.
| mcbishop wrote:
| Malicious hackers could have shown something unspeakably vile
| on all those screens. If this kid reduced the likelihood of
| that... he's a hero. Alas, I totally hear you.
| Faaak wrote:
| I agree, that feels wrong to me...
|
| When I was younger (~15) I also did some "fun" (aka stupid)
| stuff with the school computer network and in the end they got
| me and I received a "formal warning" (it was in France).
|
| In the end I'm glad for it because that scared me off and I
| never tried again on stuff that I don't own.
|
| But putting a kid in jail/having a criminal record seems way too
| excessive to me. Kids are dumb. And by punishing them that hard
| they won't become a better person. Hell, they won't be able to
| have a job!
| WarOnPrivacy wrote:
| > But putting a kid in jail/having a criminal record seems
| way too excessive to me.
|
| It absolutely is. Society is clearly harmed by laws like the
| CFAA.
|
| LEO do like overly broad laws though. There's nothing better
| to ruin the lives of people that cops don't like.
| donatj wrote:
| When I was in High School in 2003 I discovered you could pretty
| easily get around the tool that blocked running installers by
| launching them by entering the full path to the installer in
| the address bar of Internet Explorer. This was before Windows
| and IE were decoupled. I installed VNC server on a couple
| friends' computers and used it for some light hearted pranks,
| but didn't do anything else with it.
|
| One of my friends who I did this to went crazy with it and used
| it to mess with his teachers' computers. Ended up in huge
| trouble, cops knocking on his door, and I believe probation.
| This was the year after I graduated.
|
| On the one hand, I kind of feel responsible for showing him, on
| the other hand, it's his fault he had to go off and be an idiot
| with something I just thought was fun.
| bellyfullofbac wrote:
| Ah, 2021, such sad times, where we squash our creativities in
| fear of the police, where you'd think twice before doing
| something like one of the MIT hacks http://hacks.mit.edu ...
|
| I do wonder if they could've secured themselves with VPN and
| "untraceable" anonymous emails (e.g. asking for a guarantee
| that they won't be sued/charged), although the teenage bragging
| rights would've been too tempting.
|
| I wonder if it was possible for the hacker to ask a lawyer to
| represent them anonymously and make a contract, something like
| the district promises not to file criminal charges, and if they
| violate this deal they will have to pay a lot of money...
| nucleardog wrote:
| > I wonder if it was possible for the hacker to ask a lawyer
| to represent them anonymously and make a contract, something
| like the district promises not to file criminal charges, and
| if they violate this deal they will have to pay a lot of
| money...
|
| Criminal charges are generally filed by the prosecutor.
| They'll generally follow the wishes of the victim, but are
| not required to (think, e.g., domestic violence cases). There
| is absolutely zero the school can do to guarantee that you
| won't be charged if the prosecutor does catch wind of the
| incident and decides to make an example of you.
| petesergeant wrote:
| My understanding is that in America, prosecutors are often
| political appointees without much institutional oversight,
| as compared to being a reasonably dull civil service
| department who have to justify prosecutions as being in the
| public interest
| noodlesUK wrote:
| This is generally true, but the CFAA is obviously not
| violated by access which is authorised. In this case, you
| could simply draw up a pentest agreement and get them to
| say any such activity would be authorised.
| whimsicalism wrote:
| > I do wonder if they could've secured themselves with VPN
| and "untraceable" anonymous emails (e.g. asking for a
| guarantee that they won't be sued/charged), although the
| teenage bragging rights would've been too tempting.
|
| If you read TFA, that is effectively what happened. Even with
| the guarantee, only one of them revealed themselves.
| paxys wrote:
| No point in pulling off a complicated prank without
| enjoying the notoriety gained from it.
| teddyh wrote:
| > _the district promises not to file criminal charges, and if
| they violate this deal they will have to pay a lot of
| money..._
|
| "Your faith in the legal system is appalling."
|
| https://www.schlockmercenary.com/2009-06-26
| pascalxus wrote:
| yeah, it's pretty messed up that there's such extremely heavy
| penalties for merely playing a youtube video on a few screens
| whereas looting and stealing go completely unpunished. what
| kind of message is that sending to our youth?
| usmannk wrote:
| > Anyone in the field will tell you that this is an absolute
| disaster of a post because it sends the signal to other young
| aspiring cybersecurity professionals that this is OK
|
| Maybe a bit overzealous with the reaction here. OK, sure, the
| OP could have been even more serious about this but literally
| the first labeled section is "DISCLAIMER" and says:
|
| > With that said, what we did was very illegal, and other
| administrations may have pressed charges. We are grateful that
| the D214 administration was so understanding.
| tkinom wrote:
| For anyone who like to hack legally and ethically, check out
| https://www.hackerone.com/. If you're very good at hacking
| devices, software, networks, etc, companies will pay bounties
| for the vulnerabilities you find thru HackerOne.
|
| Looks like they paid out millions in bounty in 2020:
| https://www.zdnet.com/article/hackerones-2020-top-10-public-
| bug-bounty-programs/
| cwkoss wrote:
| Worth a try, but I didn't have a good experience with it.
|
| Companies can mark items as duplicates without fixing the
| underlying bug for an indefinite period of time. So the 3
| vulnerabilities I found all got marked as duplicates without
| any compensation or even acknowledgement of my time writing
| up the issues. Felt like a complete waste of time.
|
| If you're great, you can probably find novel stuff better
| than I was able to, but if you're that great you likely
| already have plenty of employment opportunities.
| hparadiz wrote:
| Posts like yours validate the insane over criminalization of
| what essentially amounts to a prank. I had literally the exact
| same experience in high school. Got expelled and had to get a
| GED. They could have easily pressed charges.
|
| Part of the issue is people like you who advocate for
| respecting "the system" and essentially scaring kids into not
| doing anything. Except that simply reinforces the draconian
| laws that are currently in place. If more kids rebelled and
| this was a regular occurrence it would help to desensitize
| society to digital pranks instead of always treating these kids
| like terrorists.
| quasarj wrote:
| What? How is warning someone that they are going to ruin
| their lives the same as endorsing it?
| testudovictoria wrote:
| GP isn't validating over criminalization. GP is trying to
| steer people clear of catching charges. The end results for
| both is, "Don't hack your school district for a prank," but
| the context of the two are very different. Students' minds
| are still developing. You can tell them not to respect
| Draconian laws surrounding hacking, but do the students
| understand what's at stake?
|
| Yes, students get in trouble all the time, but most of the
| consequences for their stupidity are slaps on the hand. Lunch
| in a classroom, a parent-teacher conference, after school
| detention, in-school suspension, getting grounded - none of
| these things carry civil or criminal charges that are a
| matter of record. What should be a harmless prank can turn
| into life-altering civil and criminal charges. With high
| school kids, things quickly go from, "I hacked the school
| network to do a Rick Roll; they laughed and sent me on my
| way," all the way to, "I gave my friend the exploit to do
| something similar; I didn't know he was going to change
| everyone's grades to 69%."
|
| Further, I would not want to teach in a district where
| students doing digital pranks is the norm. I volunteer at a
| high school. Unchecked digital pranks would quickly turn into
| a constant stream of disruptions. Everyone would think that
| their prank is better than the last.
| chrisseaton wrote:
| > a prank
|
| Why do we tolerate pranks? You shouldn't be able to interfere
| with someone else and say 'just a prank bro'. Leave other
| people's things alone. Don't create work for other people.
| Don't bother people just trying to do their jobs. Don't
| impose your sense of humour on others. These all seem like
| basics to me?
|
| If you think someone's funny? Great. Just don't bother other
| people with it. Do it with your own stuff, not other
| people's.
| guynamedloren wrote:
| > Why do we tolerate pranks?
|
| Pranks can be an outlet for creativity and learning that
| might not otherwise happen.
|
| The post concludes with:
|
| > This has been one of the most remarkable experiences I
| ever had in high school and I thank everyone who helped
| support me. That's all and thanks for reading!
|
| I'm certain this kid learned so much working through the
| execution of this prank, and without being criminalized by
| the district, he's better off for it. Likewise, the IT
| department is better off with a more secure system, and
| staff and students experienced shared moments of unexpected
| joy.
|
| Call me naive, but I'd say this kid made his small slice of
| the world a bit better, if only for a fleeting moment.
| chrisseaton wrote:
| > Pranks can be an outlet for creativity and learning
| that might not otherwise happen.
|
| Great.
|
| But do it with your own things then. Don't bother anyone
| else or touch anyone else's things.
|
| And no worker should ever have to do any work (such as
| reset a computer system) because of your prank. Workers
| have enough work to do and enough hassles in their lives.
| guynamedloren wrote:
| > But do it with your own things then. Don't bother
| anyone else or touch anyone else's things.
|
| You're really oversimplifying here. Something tells me
| this highschooler doesn't personally own the breadth of
| commercial equipment that he hacked for this prank.
|
| > And no worker should ever have to do any work (such as
| reset a computer system) because of your prank. Workers
| have enough work to do and enough hassles in their lives.
|
| Okay, let's all be worker robots :)
| chrisseaton wrote:
| > Something tells me this highschooler doesn't personally
| own the breadth of commercial equipment that he hacked
| for this prank.
|
| So they shouldn't have done it.
|
| > Okay, let's all be worker robots :)
|
| It's not about what you want to do. It's about what some
| low-paid worker who has to clean up after you thinks. Or
| some other student inconvenienced by your prank thinks.
|
| If you're impacting on someone else's life then you're in
| the wrong!
| sodality2 wrote:
| Who had to clean up here? Author cleaned up their own
| problem and literally delivered a detailed security
| report on how to fix the issue (not the damage done by
| the prank, which was zero).
| chrisseaton wrote:
| Seems like it disrupts a class to me? What about the
| students who don't want to have their class disrupted?
| What about the teacher who has to catch up later?
|
| What if these people don't want your sense of humour
| imposed on them?
|
| I think it's ethically wrong.
| sodality2 wrote:
| > One of our top priorities was to avoid disrupting
| classes, meaning we could only pull off the prank before
| school started, during passing periods, or after school.
| chrisseaton wrote:
| Their own video literally shows a class of people
| watching it happen.
| kaibee wrote:
| I'm not sure what you think happens 5 minutes before the
| end of class on a Friday, but it isn't diligent learning.
| jancsika wrote:
| > Why do we tolerate pranks?
|
| As the author points out early on in this article, most
| school districts would _not_ have tolerated a prank like
| this. In fact this is the only example I know about a prank
| this big that got the response of toleration the author
| documented in the article.
|
| > You shouldn't be able to interfere with someone else and
| say 'just a prank bro'.
|
| The students made a report of what they did and presented
| it to the administration.
|
| I guess to be generous I could reinterpret your concern to
| be, "Do students in every school district in the U.S. get
| to avoid criminal prosecution under the draconian CFAA by
| constructing a complex hack tailored to avoid interrupting
| regular school business, then writing up a report and
| giving a powerpoint presentation to an apparently
| enlightened and tech-savvy administration to help them
| strengthen their network defenses?" In that case, point
| taken.
| chrisseaton wrote:
| > The students made a report of what they did and
| presented it to the administration.
|
| So what?
|
| Can I push you down in the street and then hand you a
| report explaining how I was able to push you down and
| that makes it all ok?
| c22 wrote:
| Of course that's not okay. But if you're wearing a device
| marketed to you as a 'force field' because you're afraid
| of being pushed down the street and someone demonstrates
| that your force field isn't working by dancing really
| close to you, that's probably okay.
| qiqitori wrote:
| By saying that you're imposing your sense of humor on
| others too (as in, the prankster's sense of humor is
| "pranks are funny"; your sense of humor is "pranks are not
| funny"; according to your comment your stance is that
| pranks shouldn't be tolerated). You don't have to laugh,
| and you're free to say you don't like pranks. But
| tolerating other people's opinions/sense of
| humor/whathaveyou seems like basics to me.
|
| (Maybe we just have different experiences and thus
| different definitions of the word.)
| chrisseaton wrote:
| It's like smoking. I should tolerate someone smoking in
| their own home. Should I have to tolerate someone smoking
| on public transport next to me? Absolutely not. Even if
| it's their opinion that smoke is nice.
| lr4444lr wrote:
| Many criminal cases require establishing intent. Pranks may
| be harmful as you allude to, but the intent still matters.
| chrisseaton wrote:
| How does that work? Can you murder someone for a prank
| and say your intent was just a prank so it was fine?
| lr4444lr wrote:
| Intent separates murder from manslaughter in most states
| in the USA, so yeah, a death from a prank is tangibly
| different.
| chrisseaton wrote:
| But they did intend to disrupt the systems in this case.
| The impact was their exact intent.
| kube-system wrote:
| When people say "establishing intent" in terms of
| criminal cases, this is usually a shorthand for something
| more specifically defined in the law, like "intent to do
| harm" or something.
|
| To use the murder example again: many people who commit
| manslaughter have all kinds of various intentions. The
| one murder is concerned with is whether or not they
| specifically had the intent _to kill_ the person.
| "Establishing intent" in this scenario is specifically
| regarding that _one_ intent. Not _any_ intent.
| mmaunder wrote:
| Warns kids against jumping off cliffs. Accused of causing
| gravity.
| 999900000999 wrote:
| This is a very complicated problem.
|
| Unless you kill someone I generally don't believe in lifelong
| criminal records. They only serve to drive people into
| further criminality.
|
| I imagine for a robbery you could get 5 years in prison, 5
| years with it on your record and then automatically get it
| expunged.
|
| Back to the topic at hand, what if the IT hack stopped
| people from getting paid on time. How many suffered emotional
| distress? Evictions can literally cause suicide.
|
| Maybe someone can't afford medication, skips it and has a
| stroke.
|
| The entire criminal justice system is broken. So you did
| something stupid at 20, at 46 you still can't find a job due
| to your record.
|
| People want simple easy solutions. Things are much more
| complicated. If you release a dozen felons 5 years early and
| 2 go on to commit horrific crimes it's easy to ignore the
| good the other 10 did.
| WarOnPrivacy wrote:
| > The entire criminal justice system is broken. So you did
| something stupid at 20, at 46 you still can't find a job
| due to your record.
|
| Welcome to the War On Redemption. Primary participants are
| the harmful people who create these systems and the people
| who remain silent while countless lives are ruined for no
| good result.
| lr4444lr wrote:
| I dunno. Assault that permanently injures someone, rape,
| kidnapping, and trafficking are lifelong scarring for the
| victims. I may not rank computer hacking or selling drugs
| as deserving of a permanent record, but there are lots of
| other violent crimes short of homicide that do.
| Gunax wrote:
| I don't think it's the record's duty to keep you from being
| employed. That's the employer's decision.
|
| Even if I agree that it's a dumb practice, you're proposing
| a world where employers are free to refuse your hire if you
| (eg.) were fired from a job 26 years ago, but not because
| you were convicted of a crime.
| emteycz wrote:
| You don't have to tell them you were fired
| drusepth wrote:
| Unfortunately, "desensitizing" people to existing law by
| illegal rebellions is a Pyrrhic victory at best when the
| consequences are so impactful to the individuals that martyr
| for The Cause.
|
| There are processes for changing the laws without sending
| kids to jail, having to treat kids like terrorists, or
| potentially making the law even _harsher_ because it isn't
| effective enough to dissuade lawbreaking. If the laws feel
| draconian, perhaps following those processes might be a
| better approach to change the system without as many
| sacrifices.
| NaturalPhallacy wrote:
| > _There are processes for changing the laws without
| sending kids to jail, having to treat kids like terrorists,
| or potentially making the law even harsher because it isn't
| effective enough to dissuade lawbreaking._
|
| And none of them work, or will ever work in this oligarchy.
| The rich own the congress, and the senate, and they benefit
| greatly from these things. America hasn't been a
| functioning republic in at least 50 years.
| drhayes9 wrote:
| I don't think telling kids not to narc on themselves
| "validates the insane over-criminalization". I think telling
| legislators or parents would, though.
|
| The comment didn't say "respect the system", it said to deal
| in the realpolitik and don't try to effect legislative change
| by ruining your life as a high school student.
| paxys wrote:
| I don't understand this response. Having been on the wrong
| end of it you should be advocating harder than anyone to
| teach kids the complexities of cybersecurity law and ensure
| they can make the right decisions rather than throw away
| their future over a stupid prank. There is no "validation"
| happening here, the OP is just stating reality. Random high
| schoolers' rebellions aren't going to result in Congress
| overturning the Computer Fraud and Abuse Act and a hundred
| related laws.
| rkk3 wrote:
| > ensure they can make the right decisions rather than
| throw away their future over a stupid prank.
|
| Is it a good system if a "stupid prank" can "throw away
| your future" ?
| paxys wrote:
| No it is not a good system. But nothing I said is invalid
| because of that.
| skeaker wrote:
| No, but that doesn't mean you should deliberately play
| into it.
| [deleted]
| restingrobot wrote:
| We need to have harsh penalties for this. People who don't
| understand the complex systems they were able to access,
| might introduce vulnerabilities that more malicious entities
| can exploit. An example of this would be a student at a
| university accessing internal network from a physical
| terminal in a building, (intranet), and accidentally
| disabling a firewall, (say to play a video from a remote
| location). In doing so, it's no longer just a prank as they
| may have exposed the entire internal network to outside
| internet.
|
| This is a super basic example, but it serves to illustrate my
| point. It's not just a prank bro, even when it is.
| javajosh wrote:
| _validate the insane over criminalization_
|
| I think you misread the GP. He's not defending the system,
| just describing it, and how the OP was lucky that the people
| in charge were unusual and open-minded. He's warning others
| that the risk/reward implied by the OP's experience is
| misleading.
|
| I suspect that _most_ commenters on this site applaud the
| kid's adventurousness and style. A great hack! But we are
| uniquely aware of how rare it is that anyone with authority,
| school administrators or law enforcement, would show any
| leniency or self-restraint in these cases. On balance, the
| instinct seems to go for the jugular, dehumanize the kid as a
| criminal hacker, and ruin his life. No-one is saying that's
| good, or reasonable. It's just how it is.
| tertius wrote:
| Probably better to try and reform the law instead of suggesting
| children break the law and ruin their lives.
| WarOnPrivacy wrote:
| Clarifying that the ruination of lives here is the direct
| result of profoundly bad laws that inappropriately
| criminalize benign behaviors.
| tertius wrote:
| Hence the need for reform.
| CobrastanJorji wrote:
| I remember back in high school we had this computer lab that
| was all locked down. Didn't allow opening the CD-ROM drives,
| only allowed certain educational websites, etc. I put a little
| remote access app on my share drive as a way to open my own CD
| drive, mostly just to see if I could do it. The school's
| computer guy came and found me and was like "hey, a file pinged
| as malware, what's up with that" and we had a fun discussion
| about it and I deleted it and we moved on with our lives. I
| didn't think about it again. Years later, I looked back with
| horror at how badly that could have gone for me.
| aspenmayer wrote:
| Your school didn't have paperclips?
| klyrs wrote:
| Can't get 'em through the metal detector. Gotta grind down
| a toothbrush on concrete these days...
| jfk13 wrote:
| Ah, you young whippersnappers with your labs and networks and
| CDs... my high school just got one Commodore PET, that was
| "the school computer" in my day.
|
| Fortunately, I got on well with the math teacher who had
| charge of it, and he'd let me take it home over the weekends.
| Those were the days...
| edoceo wrote:
| Apple IIe gang over here. Don't bend my floppy!
| Mizza wrote:
| I know somebody - I think they post here, hi! - who ended up in
| "weekend jail" with a conviction for sharing a school's WiFi
| password without permission. I also once got reprimanded for
| writing a blog post not too dissimilar to this one at a less
| sympathetic school. I also remember the joy of hiding a server
| in the ceiling of our school so we could play UT2K3 on the
| library computers before that exploded similarly. Adults are so
| boring.
| mdip wrote:
| Every district is different, heck -- every _school_ within a
| district can be different in extreme discipline like this.
| Frankly, the size of his district represented a lot of risk;
| those often have the policies with the least wiggle-room --
| like "Weekend Jail for Sharing a WiFi password" (insane).
|
| At the school my child attends, I am confident he would have
| ended up with a pat on the back if the circumstances were
| similar. I can't speak for the district -- I'd be willing to
| bet that'd be _very_ risky. At the school I had once
| attended, I'd expect the entire district would behave
| similarly. I'm _sure_ there were people within the district
| administration that wanted to throw the book at the kids
| involved.
|
| Here's the thing for those people: the last thing a school
| district wants is to become national news for punishing a
| bunch of kids who the evening news can make out to look like
| "Geniuses". Since nothing failed in their plan -- that's
| _crazy important_ -- there would be very few ways to frame
| the story that makes the administration look like anything
| but bullies, and many will frame them as "petty bullies". I
| have a friend I went to High School with who is now a High
| School principal. He's still "that guy I went to High School
| with." I have no doubt he would have given the kids an award
| privately, if not publicly.
|
| It's sad that some public school districts are using
| discipline approaches you'd expect to see in prisons, rather
| than a school, and I'm sure in certain places in the country,
| that might be a necessity. Context matters, too -- were these
| kids who were constantly pulling pranks like this, had been
| talked to in the past/impacted things in the past, etc, I'd
| expect a harsh response: "Yes, we get it, you're smart, stop
| breaking things already, read the horrors of the 1986 CFAA
| because that's coming if it happens again." I'm guessing
| these were otherwise good students.
| baybal2 wrote:
| This is ridiculous
| NaturalPhallacy wrote:
| The CFAA exists to make sure that nobody can use computers and
| the internet to have any power over even tyrannical
| authorities.
|
| CFAA and the DMCA are some of the worst, most authoritarian
| laws ever created, and they exist to do nothing other than ensure a
| system where being rich enough to afford lawyers means you
| don't have to do anything else.
|
| Use default passwords like an idiot and someone uses their
| autofill? They're the criminal, not you.
|
| Let people just change the account number in the address bar
| and switch accounts with zero authorization or authentication?
| They're the criminal, not you. (Bank of America literally did
| this.)
|
| Have open access for students to download papers and one of
| them uses it to download all of them? They're the criminal, not
| you. (RIP Aaron Swartz)
|
| I support jury nullification for the CFAA and DMCA and so
| should everyone reading this.
| outworlder wrote:
| > because it sends the signal to other young aspiring
| cybersecurity professionals that this is OK,
|
| There are _multiple_ disclaimers in the text, almost every
| other paragraph.
| runjake wrote:
| That said, maybe we should lighten up on minors performing
| harmless/non-destructive pranks.
|
| Not everything warrants felony charges for kids.
| jjoonathan wrote:
| Of course -- but we aren't the ones making the rules, and the
| ones who do make the rules have certain incentives that lead
| them in dark directions.
| dec0dedab0de wrote:
| _Anyone in the field will tell you that this is an absolute
| disaster of a post because it sends the signal to other young
| aspiring cybersecurity professionals that this is OK, and the
| school will laugh it off, and you'll be seen as an adorable
| Matthew Broderick type Wargames character. I can't
| overemphasize how far this is from the truth in 2021._
|
| Or maybe it will shame other IT departments into not having a
| stick up their butt. Especially if there is already a culture
| of overlooking minor criminal activity in the name of harmless
| pranks.
| ActorNightly wrote:
| I'd actually wonder if criminal history matters when you have
| skills like this that are very much in demand.
|
| If this went to court, the charges of malicious intent would
| likely not stick, so jailtime could likely be avoided in lieu of
| fine/community service.
|
| Competent tech companies will not give a shit about criminal
| record of this nature.
|
| Expulsion from school is pretty much irrelevant, especially for
| CS careers. You can get a GED, find any college with CS program
| that will take your money, spend a year having fun, apply for
| an internship at a tech company, do a good job to be offered a
| return, talk to HR to go directly into entry level role, and
| you are set (have personally seen 2 cases of this happening
| with an intern).
|
| The most functionally harmful thing would be monetary cost,
| which is still inconsequential considering the salary this guy
| would make.
| kube-system wrote:
| It depends on how regulated the particular industry is. If
| you're building consumer web apps at a startup, it probably
| won't matter. If you want to be a government contractor, it's
| probably a nonstarter.
| ActorNightly wrote:
| Most of the industry where the guy will be paid
| appropriately is going to be private. Cyber security
| specialists for things like AWS get paid much more than any
| government contractor.
| kube-system wrote:
| That's not really the best example; AWS is a government
| contractor. It isn't a coincidence that HQ2 is a few
| blocks away from the Pentagon.
| Epitom3 wrote:
| I am glad everything went in a positive direction and the school
| didn't punish the students.
| joezydeco wrote:
| I live near this kid and I'd offer them an internship on the spot
| if they came forward...but I fear they'd just be bored.
| rejectfinite wrote:
| 30s crisis hurling at me when a high school senior is way better
| than me lmao. Amazing read!
___________________________________________________________________
(page generated 2021-10-13 23:00 UTC)