IoT hacking and rickrolling my high school district

(whitehoodhacker.net)

1907 points | by revicon 8 days ago

78 comments

  • jimt1234 7 days ago
    Working in IT/tech for a school district is the worst. My experience from many years ago - around 2002, I think:

    1. First day on the job, email to boss: "Hey, the computer lab at Springfield High has a ton of known security flaws that are begging to be exploited."

    2. Reply, 1 week later: "Sorry, we don't have any money for that. Just keep everything up-and-running."

    3. 3 weeks later the computer lab at Springfield High got "hacked". All the computers displayed a popup window that said, "Miss Krabappel is a dyke!" (sorry for the offensive language)

    4. Next day, email from boss: "The computer lab at Springfield High was hacked! Figure out how to fix this and make sure it doesn't happen again!"

    5. A few days later Miss Krabappel filed to sue the school district. The local newspaper picked up the story.

    6. Email from boss, in full panic mode: "I need you to figure out who hacked the computer lab at Springfield High so we can report him to the police!"

    7. A week later an independent consulting firm was brought in to help identify the person behind the "hack". I heard they were paid $50K and found nothing. However, the kid got ratted out when he told all his friends. (It wasn't Bart Simpson! ;) )

    8. Several weeks later: meeting to discuss working with a consulting firm that's gonna fix all the security issues because the current staff (me and my team) lacks the skills.

    9. About 6 months later, I quit.

    • acidburnNSA 7 days ago
      I 'worked' for my own high school's IT dept, a few hours a week, as a student. It was an amazing experience working with those guys. I learned so many things, from how to punch, terminate, and run cables to how to set up a Ghost image and deploy it en masse across the district.

      One day one of the old Macs was showing the frowny face in an in-session classroom. Boss sent me down there with specific instructions: "pull out the hard drive and beat it really hard with the handle of this screwdriver". I was like: "?" and he was like, "just do it".

      So I go down there and let myself in, trying not to interrupt the class. I climb behind the computer on a cart and pull out the HD. I beat it with the handle, like a good 10 times. Of course this got the class all riled up. I blushed, but told them this was normal operating procedure. Plug it back in and it works. I was (secretly) as amazed as everyone else in the class.

      Back in the IT office, I say it worked. IT boss smiles and nods. I ask how. Well as it turns out some of those old hard drives used a vegetable oil based lube that seizes up if it's not used for a while. So if you bash it it un-seizes and starts turning again.

      Anyway great times, fun memories. We all got our CompTIA A+ certifications at the end, but don't ask me what IRQ number is for the parallel port these days.

      • specialist 7 days ago
        > ...pull out the HD. I beat it with the handle, like a good 10 times...

        Heh. Nice.

        A coworker's Mac wouldn't boot. I couldn't hear the hard drive. It was a model with the tip of the spindle exposed. I found a pencil with a gummy eraser. Gave the spindle a twist as I turned the power on.

        Told the amazed user, "Do not turn off your computer until after you have backed up your data. That probably won't work twice."

        Good times.

        • moepstar 7 days ago
          Had a similar experience with the external HDD of a friend of a friend.

          HDD wouldn't be recognized, sticking my ear to it I could only hear the motor emit a beep-like sound, no spin up.

          Her master's thesis on it, inaccessible, I've opened up the case, removed the HDD, unscrewed the top and there was the drive arm, stuck in the middle of the platters...

          Took a Torx screwdriver, turned the platters backwards and unstuck the drive arm...

          Copied all data off of it and sent her to the nearest computer hardware store to get another drive...

          Master's thesis was successfully recovered!

          • exikyut 5 days ago
            Just for the sake of clarification, where was the Torx screw located? The spindle axis or the drive arm axis? (Or somewhere else?) And how did you unstick the drive arm without allowing the head to contact platters? Just trying to visualize, and failing badly.

            Also, awesome ;)

            • moepstar 5 days ago
              IIRC, that was on the spindle axis - I only was gently pushing the drive arm near its supporting point to avoid it touching the platters (chances are I did make it touch the platters)...

              Mind you, this was not in a clean room and I tried to be as quick as possible to not allow too much dust into the case..

              Here's an online article, might even be the same drive (this was an external WD drive, not sure about the capacity, I think 500GB or 1TB): https://dataanalyzers.com/external-hard-drive-western-digita...

              • exikyut 2 days ago
                Thanks!

                (...wow that read head is tiny)

          • Scoundreller 6 days ago
            It probably would. Static friction is a lot harder to overcome than dynamic friction in terms of torque.
          • oaiey 7 days ago
            And now ... a group of 30 - no-longer - students treat their IT equipment with hits by a screwdriver ... because it works.

            Our education system is amazing ;)

            • croon 6 days ago
              Cargo culting in a nutshell.
            • sandworm101 7 days ago
              >> un-seizes and starts turning again.

              More likely an armature rather than a platter. Violence also worked when the drive would get stuck on a bad sector. Bashing the drive horizontally, while it was on, would sometimes move the arm enough for the drive to reacquire and hopefully not hit the same error on the next read attempt.

              • shwoopdiwoop 7 days ago
                I believe the term for this is ‘percussive maintenance’
                • niccl 6 days ago
                  A few years ago a friend ran a camera shop. From time to time someone would come in with an SLR that wouldn't behave (long exposure, no exposure, nothing in viewfinder). He'd take it, tell them to go away and come back in an hour, then hit it on a telephone directory. 9 times out of 10 that would free the stuck/sticking mirror and everything would be fine. He had to tell the customer to go away, though, so they didn't get agitated seeing him bash their expensive SLR around
                  • Scoundreller 6 days ago
                    I suspect people hand their parcels to the post office with the same care, blissfully unaware of what their parcel is about to go through.
                  • nemosaltat 7 days ago
                    In the Navy, we called it “mechanical agitation”; it raised fewer eyebrows than “I hit it with a wrench and it started working again.”
                    • American components, Russian components, all made in Taiwan!
                      • iso1631 7 days ago
                        I haven't needed to use it since....

                        last Tuesday

                      • rypskar 6 days ago
                        The difference between a professional mechanic and an amateur is that the professional knows where to hit something with the handle of a screwdriver
                        • yardie 7 days ago
                          I did similar violence to my old HDD-based iPod. One day it just made a chugga chugga noise. Meaning the HDD was dead. In researching how to recover some music a forum member mentioned dropping it really hard. So I slammed it into my desk and terrified the office. And it continued working for the next few years.
                          • "stiction". Well known in the Apple community in the ... late 80's/early 90's, IIRC? I want to say I remember some official Apple documentation saying to drop the machine from a few inches up in the air, but I may be misremembering.
                          • sciprojguy 6 days ago
                            Was this a Seagate drive?
                          • genmud 7 days ago
                            Are you me?! This basically was my experience working for a very large school district in the early 2000's. My favorite was they asked me to train a school bus driver to be the newest member of the IT staff because "they wanted to learn computers", it also just so happened that this person was the only person their budget could afford (less than 40k/year).

                            I worked for them as a contractor for a while and one of the big issues they had was they had tons of money to implement new technology (mostly from grants and things like that), but nearly nothing to maintain old tech. They could buy new computers all day long, but if something needed to be repaired/updated/maintained, there was no budget or resources to do it. So there were all sorts of fun issues, like they would buy computers and before they could get deployed their warranty would expire (since they weren't allowed to buy 3 year warranties on the computers) and computers with bad HDDs would get disposed of, even though the fix might be $50 and 10 minutes of time.

                            • foooobaba 7 days ago
                              That’s hilarious, at a small school our bus driver was the local IT admin… 7 minutes of rainbow tables with ophcrack live CD was all it took to become domain admin.. never changed it for all 4 years lol.
                              • whymauri 7 days ago
                                The IT in my district was so bad the students basically ran it for my middle and high school. We did all the desktop repairs and component swaps for free. I don't even think we had an "IT guy." This was 2009-2014 for me.

                                On the bright side, we got comfortable with computers and ended up building our own little projects (in and outside of school). In 10th grade we souped up one of the engineering lab computers by consolidating a bunch of old graphics cards and played games on it, lol.

                                • yakk0 7 days ago
                                  That's funny, I worked for a school district about 10 years ago and our IT director was also the transportation director. He knew nothing about IT but I guess they had to give the role to someone at one point and it was him. I think I lasted 2 years before finding my current job.
                                  • Cthulhu_ 7 days ago
                                    I've had an internship once at a chain of elementary schools, the main IT guy(s) at those schools were regular teachers that had computers as a hobby. I came in with a few years of school, doing some maintenance, installing some printers (really satisfying with the stick-on stuff), fiddling with the server (a workstation in a broom closet), and playing runescape / internetting in the dark, warm server room at the other location away from the main IT guy.
                                  • gorgoiler 7 days ago
                                    When I was a teacher my school IT was run as a petty fiefdom. I don’t know if it was outright maliciousness, or just extreme anxiety from the IT team lead about job security, but they were universally derided amongst staff (including some senior managers I knew) as being terrible to work with.

                                    If I wanted to do something I would be told that there weren’t the resources. If I volunteered to be those resources — in my spare time! — I would be told it’s against policy. If I asked if we could revisit the policy I would be told I was welcome to ask the IT committee (closed door meetings, unminuted) to consider it for their agenda. Time passes. Proposal rejected.

                                    I gave myself one term to see if we could find a working relationship. It obviously didn’t work out so I ghosted them and just did everything myself without asking, out of my own pocket. I felt like an asshole but at some point you’ve just got to move on, especially if your end goal is improving teaching and learning for the pupils.

                                    • lostlogin 7 days ago
                                      > It obviously didn’t work out so I ghosted them and just did everything myself without asking, out of my own pocket.

                                      In my one experience in a university, this is how it’s done. Just set your own stuff up, hope you aren’t discovered and ideally have a friend high up the ranks.

                                      • mdip 7 days ago

                                        > I don’t know if it was outright maliciousness, or just extreme anxiety from the IT team lead about job security
                                        
                                        It's probably anxiety about job security/being overworked rather than maliciousness, but it could be both. It is made more complex by the likelihood that the position pays far less than comparable positions pay elsewhere. This causes the district to hire whatever candidate they can get to take the job. The outcome of that works out one of two ways: (a) the employee leaves as soon as they have enough experience to be paid more to do less work by someone else or (b) the employee stays knowing nobody else will hire them and makes sure to only hire other people who know less than they do.

                                        > If I wanted to do something, I would be told that there weren't the resources.
                                        
                                        You were told correctly, but probably not told just how bad it is. If it works like it worked for folks I know in similar situations, 80% of the job -- regardless of what you were hired in for or what your title is -- is fixing things that teachers/administration broke or didn't know how to use correctly. Tell them the laptop is for school business only until you're blue in the face, they'll visit every web site offering Flash games, some will surf porn sites riddled with malware and if your IT guy doesn't have a mental breakdown by then, the only thing they're spending the rest of the 20% of time on is blocking teachers/non-IT staff from doing things that they've been told, clearly, not to do. The rest is spent locking things down or softening security policies to keep teachers/non-IT staff from taking more of that 80% time.

                                        > [Volunteering my time] is against policy.

                                        It could be against policy, but that's probably just an excuse being used because it's effective at shutting down the request. There's a very good reason to say "no" in the IT person's mind: your volunteering will still involve their time, and if you're not as capable as you claim to be, it'll involve a lot of their time. If you're one of their users and you're claiming to know a lot about IT, you're more likely to be seen as "someone who knows enough to be dangerous"--the worst kind of user. Even if they believe you, they're confronted with the reality that you deploying/using this new "unapproved thing", will cause others to ask for it -- another teacher/staff member will want it and at some point that IT person is going to end up having to deploy it, patch it, fix it, and maintain it. You'll find this thinking prevalent in most IT support organizations -- the camel can barely walk so it's easier to say "No" and hopefully keep it that way than say "yes" and add enough load to break its back.

                                        > I gave myself one term to see if we could find a working relationship.
                                        
                                        I feel your pain. I'm not sure what you've tried and you could very well have just run into a BOFH but assuming this IT person is typical of those I've worked with when I did this work, there are some options. You may have tried these -- it's not meant as "well, you obviously approached this all wrong" but rather advice for others on what I have personally seen work (and had work on me when I did this sort of work, albeit a long time ago).

                                        For anyone in a similar situation, there are a few ways to "hack your IT person". It's nothing magical and can be applied well beyond IT folks, but I'm aiming at folks in this conundrum. While I've not worked for a school district, I spent the first 10 years of my career in several levels of support/systems and ultimately architecture with the first few being similar to the whole "small IT with too many users who hate IT[2]". First, understand what their motivation is -- less support, more time to improve/architect (or play WoW ;) ...). If you have the expertise, approach that person and "talk shop" -- don't reveal that you "have skills", just ask a question or two in an area that teachers/staff often know little about, or go with a simple "I wouldn't do what you do ... all these teachers, many of whom haven't touched a keyboard that wasn't on their phone since 2010 or so ... it's got to be hell". If you can get them to tell a "war story" or two you'll probably find a few opportunities to say something that will reveal that you have somewhat of a clue what you're talking about. Do this outside of work, on their schedule -- Happy Hour or off-site lunch (not often possible during the school day due to time).

                                        If things go well, say something like "I can't imagine how you get anything done with such a computer illiterate staff to babysit (aligning yourself with IT over said staff) ... I'm happy to help out anywhere I can if you can think of something I can do to reduce that grief[0]" This IT person spends their work life dealing mostly with people who are unhappy about things that are broken and the staff they support place blame for those breakages, not the resolution, at their feet[1].

                                        You're now in the magical role of "the teacher who believes IT isn't incompetent." If you are received well, make your ask. Make it very limited -- if you need to be an admin of your laptop, insist that it be temporary and that you'll call the IT person when you are done (offer to let them watch if they want. They won't). Insist that you'll not let people know IT made an exception and will provide the required excuse if someone notices you're running something they can't: usually "IT doesn't know about it" is settled on. Maybe it's something you want every teacher to have -- don't dare explain that, and if you have to, outright lie: "I'm not interested in seeing the district adopt this, I just want to use it myself." You're not shooting your grand plans in the foot, you're giving yourself time to provide hard facts/evidence to make the case that it should be deployed. If it works out well, start planting the seeds with your IT person: "I really love this application, thanks for letting me use it on my school laptop ... what do you think the support overhead for something like this would be if every teacher had it?" ... listen to their concerns, find answers to each of them, revisit the topic. Your IT person is used to management (administration in schools) saying "this is what we need on every PC" without care for what amount of work/grief IT will deal with to sort it out. Administration doesn't care about IT griping very much -- it's seen as IT, "yet, again", complaining about having to "do work" and treating completely reasonable (in their minds) requests as though they're equivalent to scaling Mount Everest. If you have the data from your unofficial pilot to back you up, and the right person in IT (at least) not working against you, and other financial considerations/contracts aren't in the way, you'll be successful. If you're successful and your project works, the next time you may not have to ask at all.

                                        Your IT person makes just as many judgements about you and their users as they make about IT but there's a lot more of you than there are IT folks. Having an ally/expert among the "clueless users" has a much higher value to your IT person than having that person as your ally does for you, even if it doesn't seem that way[1--(again)].

                                        [0] How much time is IT spending doing "Help Desk" kind of support for everyone outside of IT (regardless of title/responsibilities the IT person was hired in for)? It's probably 80% "User Support" and 20% "everything else" which means all of the effort put into "everything else" centers around reducing how often teachers have to take time away from IT. Your offer, if it's trusted, will reduce that burden at no cost to the IT person. Don't make that promise if you're not willing to do it, but it's unlikely anything will be asked of you.

                                        [1] In the "Game of IT Support" (or its variants: "The Game of Network Security Administration", etc), you can never have a score greater than "Zero". Zero is "everything works". When something breaks, you lose points. When you fix it, you gain points up to (but not always) your top score of "Zero". Roll out massive new infrastructure for WiFi? You're at Zero (or less since it probably won't work as conveniently as it does at home). You're an expense whose purpose it is to make things operate the way everyone expects they're designed/intended/meant to work. They also expect that you (IT) shouldn't be necessary -- these things should just work like my router/PC/internet service at home works and shouldn't require so much "policy" to "avoid doing things".

                                        [2] While I was still living with my parents, my neighbor referred me to the IT job -- he was in Development. I'll never forget when my Dad called me up asking "why is IT (where I worked) at (company) so bad?" after listening to my neighbor berate my company's IT operations teams (never me, specifically). We were so hated. By everyone, especially non-Support IT. That was an impossible conversation to have.

                                        • gorgoiler 7 days ago
                                          Thanks for taking the time to write all this up.
                                      • snerbles 7 days ago
                                        > All the computers displayed a popup window

                                        When I engaged in `net send` shenanigans at the local community college, at least the IT staff was smart enough to know where to scramble a runner whenever those dialog boxes popped up across campus.

                                        "ALL YOUR BASE ARE BELONG TO US" was quite the meme then, but apparently they thought it was some form of cyber-terrorism.

                                        • koboll 7 days ago
                                          A good buddy of mine did the same, but with the message "DOOM!"

                                          His punishment was community service, and the service was having to be basically an intern for the school IT guy. Smart administration, really.

                                          • ipdashc 7 days ago
                                            That's the only proper response, really. You love to see it.

                                            I'll never understand braindead school administrators whose response is "throw the entire CFAA book at them" for kids who do the most harmless sort of "hacking". I mean, they're literally 16-year-olds. How disconnected from reality does one have to be to think that police/legal action is appropriate for this type of stuff? It's like they're specifically trying to ruin lives and create criminals/blackhats.

                                            Edit: And something I remembered while scrolling this thread... it's particularly disappointing when it's the actual IT staff who get mad and threaten to press charges. Like, sure, if it's a 60-year-old secretary who's worried about you starting WWIII by whistling into a payphone, that's just ignorance, that's one thing. But IT people ought to know enough about security/"hacking" to see how ridiculous they're being... just sad.

                                            • judge2020 7 days ago
                                              > How disconnected from reality does one have to be to think that police/legal action is appropriate for this type of stuff?

                                              They don't ask that. They just want their computers to always magically work and having to dedicate mental resources to events in IT at all is an intrusion to their time - to them, throwing CFAA at them is "setting an example".

                                              • mastersummoner 6 days ago
                                                Nice Mitnick callback.
                                              • snerbles 7 days ago
                                                I received a similar punishment for running an autoclicker against some charity adware installed by a well-meaning administrator.

                                                That semester of internship was pretty fun, all things considered.

                                                • saltyfamiliar 7 days ago
                                                  That's such a wholesome punishment.
                                                  • sjapps 7 days ago
                                                    Same punishment for me back in high school when I "guessed" the admin password. They all knew I didn't guess it and was given the job/community service. They kept the same password.
                                                  • onionisafruit 7 days ago
                                                    I haven’t thought of net send in years. Circa 2000 I worked at Cisco and added some JavaScript to my profile in the corporate directory that sent me a net send message with the hostname of the computer that viewed my profile. At that time the hostname usually included the employee's username, so I had a nice heads up that somebody was looking me up.

                                                    I should have left it at that, but I got cheeky and also did a net send back to the origin saying something like “thanks for your interest in onionisafruit”. That got escalated and I was threatened with disciplinary action. It didn’t occur to IT that they shouldn’t allow arbitrary script tags in user profiles. The best response was just to threaten the people who were creative with what they were given.

                                                    • mustardo 7 days ago
                                                      Curious how you escaped a (browser?) with JS to do "native" net send? Assume it was some ActiveX?
                                                      • onionisafruit 6 days ago
                                                        I don’t remember the details, but based on my skill level I know it wasn’t anything novel. At the time I was learning my first programming language, Perl. IIRC I had a Perl daemon running on my computer that accepted an http request, did a reverse dns on the origin and sent the hostname in a net send message. Some of my coworkers used Sun workstations. I could get notifications from them but obviously couldn’t send them a net send message in response.
                                                        • bmicraft 7 days ago
                                                          The JS probably pinged their own server which then did the 'net send'
                                                          • efreak 5 days ago
                                                            IE supported vbscript, though I don't know how far back that goes. You can certainly run arbitrary commands from jscript or vbscript using an hta app (or wscript)
                                                        • halgir 7 days ago
                                                          When I had my net send fun back in school, an IT guy found me and just explained that if it becomes a recurring thing, they'll have to disable it on the network. And that they would prefer to keep the functionality available, so it would be a real shame if I ruined that for them. I never did another one, because I understood it would be a dick move.

                                                          No condescension, no threats. Just treating me like an adult with a constructive conversation. It never occurred that anyone might overreact like many in this thread experienced. Makes me feel pretty fortunate now.

                                                          • skapadia 7 days ago
                                                            Ah good ol net send… we had a lot of fun in high school with that in the 90s
                                                          • cphoover 7 days ago
                                                            O mannn I was suspended from HS, and banned for 2 years from touching school computers for net send shenanigans as I wasn't smart enough to cloak the originating workstation.

                                                            My message to every single computer in our HS:

                                                            "Hey what's up!"

                                                            my friend added to this:

                                                            "Your network (H:/) drive is being deleted."

                                                            School administrators and teachers did not find this funny.

                                                            • snerbles 7 days ago
                                                              About a year after the college prank, I was recounting the incident to a helpdesk coworker on a relatively quiet Saturday. He refused to believe that "net send" even existed, and dared me to do it. So I did, the content of that message being a rather tame "This is a test message, press OK to close."

                                                              He was on phones, got about twenty calls including one from a VP - with even more popping in throughout the following week as people returned to workstations to see the dialog. We were able to play it off as "testing the network" (not wrong I suppose), but our manager was a responsible sort and had it blocked with a group policy shortly after.

                                                              • iso1631 7 days ago
                                                                What year was this? I remember a time in the mid 90s (c. 1996?) when Novell had just upgraded to "intranetware" and all the computers had fancy "web browsers" which was fun, there was a 64k ISDN for the computer suite (we actually had two, but the other was RM Nimbus machines which could just about run netwars). This was in the UK

                                                                I changed the homepage to a webpage which redirected to file://c:/con/con (which for those who don't know caused a windows BSOD at the time).

                                                                IT teacher thought it was hilarious, used it as part of the lesson about how computers can be broken into, and told everyone "ok we've seen that, don't do it again".

                                                                Another time I remember writing a simple program, probably in qbasic, which captured passwords to a file. It only wrote the first 4 or so letters to the file - showed what we could do, had a little fun, tricked the teacher into logging in, and then told him "ha ha".

                                                                As long as you came up with creative things (not just copying others, which is tedious), which didn't cause too much disruption (no deleting files), and stopped doing it once you proved it could be done, you were fine.

                                                                Networked IT was new and exciting then though, to the students and the teachers. A few years earlier and it was all BBC Micros, a few years later and everyone was on the internet and trying to install backorifice, but for a brief moment well meaning harmless (for a teenager) curiosity was rewarded.

                                                                • smcl 7 days ago
                                                                  > and banned for 2 years from touching school computers for net send shenanigans

                                                                  Ha, yeah I got banned for using net send as an IM app with friends too. There were a couple of us in my school who were skilled, enthusiastic programmers - it is kinda stupid that the punishment they decided on was to prevent us from being educated :-/

                                                                  • mavhc 6 days ago
                                                                    A computer teacher once threatened to kick me out of class for reading the help file, obviously because they were annoyed I knew more than they did.

                                                                    *HELP. on a BBC Master

                                                                  • habeebtc 6 days ago
                                                                    At a place I used to work, there was a lady who would prank folks. She was not very technical.

                                                                    Those folks came to me with a request for some sort of Net Send revenge.

                                                                    I wrote a VB script which ran in a loop, which randomly 8-10 times a day would get a new message from the BOFH excuse generator and net send it.

                                                                    Ahh, youth.

                                                                  • Cyphase 6 days ago
                                                                    Loving all these net send stories. Back in the day I wrote a C++ program that was basically an IM interface on top of net send. Fun times.
                                                                    • lysurgic 7 days ago
                                                                      Wow, almost the exact same thing happened to me and I was thrown out of that school, mainly for using another student's account to send the base message.
                                                                    • JoeAltmaier 7 days ago
                                                                      School districts absolutely love consultants. Because they have to make difficult decisions, and they can hide behind a consultant. It's part of the bureaucracy survival suite.
                                                                      • matheusmoreira 7 days ago
                                                                        > we don't have any money for that

                                                                        They always have the money. They just don't care about doing things properly. It simply isn't a priority for them.

                                                                        Makes me feel good when someone comes and exploits their negligence. It's like divine retribution and they're doing god's work. They tempt fate and the gods punish them by making them pay more than they would have paid had they done things right. Amazing.

                                                                        • pronlover723 7 days ago
                                                                          Except they don't pay, you and all the other citizens pay via taxes
                                                                          • judge2020 7 days ago
                                                                            They don't personally pay. But they still have to balance the budget, and the more that's spent to help with gentrification of the surrounding area (such as via nice football fields, good teachers/a good greatschools rating, well-kept grounds and events) can help lead to increased future funding and thus a bigger paycheck, at least within 5-25 years.
                                                                          • andrepd 7 days ago
                                                                            Except they don't pay themselves, that's why they don't care.
                                                                          • dfee 7 days ago
                                                                            I got two Saturday detentions for finding that same tool (also ~2002) - though I just typed “Hi” and hit send - to everyone on the school network.

                                                                            I of course didn’t really know what I was doing. Looking back, this was a very strange punishment. Joke's on them I guess - left Oklahoma after HS and am now a software engineer in the Bay Area.

                                                                            • zucked 7 days ago
                                                                              If only we could have reframed our approach to these situations.

                                                                              Provided what was sent/defaced/etc wasn't hate speech or punching down on someone else, we should have really used these events as flags for identifying kids who could hone their computer skills into something "productive".

                                                                            • forgingahead 7 days ago
                                                                              This is not unique to school districts at all, but any organisation, large or small, that treats IT/tech only as a necessary inconvenience, instead of an actual part of the org deserving of resources, planning, and people.

                                                                              If you work in tech/IT, and the big bosses consider you and your org disparagingly, leave immediately. Something bad will happen with their IT, and you will be blamed, hassled, and harassed for it.

                                                                              • javajosh 7 days ago
                                                                                People respond to incentives, and "fast-to-react" is easier to measure than "wisely proactive" in at least two ways. First, the risk is no longer theoretical; the damage was measured. Second, the fix is easy to measure: spend $X dollars on Y firm on date Z. This is all nice, easy to understand evidence of a manager doing their job.

                                                                                Alternatively, you have staff pointing out a possible flaw. That staff's time was already allocated; their noticing a flaw is a) taking time away from their allocation, and b) tacitly critical of decisions made above their pay grade. And even if they are right, the manager won't get credit for prevention, and in fact will get punished for "wasting" resources in an ad hoc way, rather than what they were acquired for.

                                                                                It is depressing in the extreme to work for such an organization, and you were right to quit, because over time these perverse incentives will start to shape you whether you like it or not. The very idea of owning your work, of caring about real-world outcomes, becomes anathema as a matter of survival. You have to exist, along with your org, in a checking-the-boxes, don't-notice-what-you-aren't-paid-to-notice, mode. It's safe and comfortable for the body; it is deadly to the soul.

                                                                                • ironmagma 6 days ago
                                                                                  Just in case any onlookers need it spelled out, the phrase “easier to measure” in this case is vastly different from “better.”
                                                                                • TeeMassive 7 days ago
                                                                                  Oh yeah the early 2000s, not a great day to be a hacker (by hacker I mean actual hacker: http://catb.org/~esr/faqs/hacker-howto.html).

                                                                                  I remember getting yelled at for changing the display resolution and typing a few commands in DOS to change file names quickly.

                                                                                  Computers were never up to date of course, we had cathodic displays up to 2010.

                                                                                  • worldsayshi 7 days ago
                                                                                    > First day on the job, email to boss

                                                                                    That email chain could be used to prove that you did what you could before the incident. If you were so inclined.

                                                                                  • Svperstar 6 days ago
                                                                                    I loved working IT for a school district. My favorite memory/story is the time a woman called the cops on me for talking on my cellphone in the parking lot. lol
                                                                                    • mdip 7 days ago
                                                                                      My first thought: Your district had an IT department? I guess that's probably more common now than when I went to HS in the 90s but I'm fairly certain IT duties are still farmed out to a small business for the districts I live near.

                                                                                      Outside of that, though, I've talked to folks who worked in IT at a nearby hospital[0] and knew several who worked in IT at a University a town over and heard variations of your story. After ransomware hit a few hospitals across the country, my hope is that this is less common but I'd be surprised if anything is meaningfully better.

                                                                                      The problem with getting non-technical people to understand the importance of securing things is that they assume that everything provides a basic level of security. They read about hacks/attacks and hear about them on the news but they have probably not experienced one, personally[1]. They apply physical security considerations to the virtual world -- for instance, the keys you use to lock your front door are almost certainly terrible[2] but requiring physical access to the lock makes attacks on them rare. And that's the rub, it's the mistake in thinking that "Nobody cares about my stuff enough to hack me" which is the evidence used to justify the "it's never going to happen to me". It's a failure to understand that even if it were true that an attacker would literally have no use for anything you're protecting with a password (which is absolutely false -- your identity is enough) that another target will be chosen ahead of you[3]. On the internet, every target can be attacked at once, silently, from a distance and targets are chosen based on whether or not the attack succeeds.

                                                                                      In a High School, you can fully expect there's at least one of me in every graduating class. I'm surprised things like this don't happen all the time given how little attention is paid to network security/endpoint security in these places. No amount of threats of expulsion, legal action, etc will serve to help when your attackers are High School students[4]. The same part of their brain that makes them believe they're immortal/causes irresponsible behavior early-on in driving causes them to not understand the real probability that they will face criminal charges which is coupled with them not fully understanding how badly those criminal charges will affect the rest of their lives.

                                                                                      [0] The discussion arose after he had watched Season 1 of Mr. Robot and said "that's exactly how it is here except we have a (technical) staff of two rather than one"

                                                                                      [1] I can't tell you how many extended family members have shared that they still use a single password for every account and in a few cases, that password might as well be a variation of "Password".

                                                                                      [2] I have a close friend who learned how to pick locks as a hobby; he filed me off a bump key and taught me how to use it, whacking it with a branch of a tree; I was able to open my supposedly "extra secure" dead bolt pretty consistently with about 15 minutes of practice, he's picked each of my locks at one time or another.

                                                                                      [3] The old "You can't outrun the bear, but if you and your friend are being chased by the same bear, you only need to outrun your friend".

                                                                                      [4] I used to tell my kids that our High School not only had no doors in the stalls of the men's room, there had never been any doors designed into the plan. The partitions were brick, there were no holes, anywhere, where doors had been removed. I figured this was to make it easier to catch kids smoking but while fixing his PC, I asked the principal about it. His answer was "vandalism" -- students would rip them out. Really?! I couldn't imagine this. Fast forward to this year, the doors on the stalls at my kid's HS were ripped out by students during the first week of class. The kids were caught, criminally charged and had to pay for the damage. Their reason? They saw someone do it on TikTok and didn't think they'd get caught (there are 2 dome cameras at the entry to each bathroom!). Despite paying for the damage, the doors are not coming back this year -- I'd wager they'll never come back.

                                                                                      • fennecfoxy 7 days ago
                                                                                        Aaaaah good old net send *
                                                                                        • NetOpWibby 7 days ago
                                                                                          SHEESH
                                                                                          • appleskimer 7 days ago
                                                                                            This brings back some experience of mine when we used to have old Windows machines with a list of exploits to enter the admin portal and mess with marks
                                                                                          • bfirsh 8 days ago
                                                                                            Reminds me of my school leaving prank. I rewrote the whole internet on my school's computers. Google's logo became "Leavers '08", Facebook became "Hatebook" and was red, YouTube only played videos of cats, amongst other things.

                                                                                            These were the days when nothing had SSL, so you could just intercept and rewrite traffic!

                                                                                            My only requirement was: do no actual damage

                                                                                            It was implemented as a Debian live CD that you could drop into any school computer. It would boot up, then Ettercap would MITM the whole network by spoofing the router. It routed all HTTP traffic via Squid and a custom ICAP server that did the actual rewriting. If you removed the live CDs, the network just went back to normal within a couple of minutes.

                                                                                            Routing the whole school's network through one old Pentium machine wouldn't work though, so I figured out a way of doing distributed load balancing: it would do the ARP spoofing slowly and randomly. So, as you added more machines, it would just magically balance between them.

                                                                                            It worked great for about an hour then the whole network mysteriously stopped working for the rest of the day. I left all the live CDs in the computers as a calling card.

                                                                                            Sorry, school network admins.
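
Seen from the defending side, the gateway takeover described in the comment above shows up as ARP replies that bind the gateway's IP to a MAC other than the real router's, often unsolicited and from more than one machine. The sketch below is an added example, not part of the thread or the linked article; the log format, the addresses and the trusted-binding table are constructed assumptions.

```python
"""Flag ARP replies that rebind a gateway IP to an unexpected MAC.

Defensive example. The log format, addresses and TRUSTED table are
constructed for illustration; adapt the parser to your own capture source.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample. Two line shapes:
#   <epoch> request <asker_mac> who-has <ip>
#   <epoch> reply <ip> is-at <mac> to <dst_mac>
SAMPLE_LOG = """\
100 request 02:00:00:00:00:10 who-has 10.0.0.1
100 reply 10.0.0.1 is-at 02:00:00:00:00:01 to 02:00:00:00:00:10
130 reply 10.0.0.1 is-at 02:00:00:00:00:aa to 02:00:00:00:00:10
145 reply 10.0.0.1 is-at 02:00:00:00:00:bb to 02:00:00:00:00:11
150 request 02:00:00:00:00:12 who-has 10.0.0.1
151 reply 10.0.0.1 is-at 02:00:00:00:00:01 to 02:00:00:00:00:12
152 reply 10.0.0.1 is-at 02:00:00:00:00:bb to 02:00:00:00:00:12
170 reply 10.0.0.1 is-at 02:00:00:00:00:aa to 02:00:00:00:00:12
"""

# Assumed known-good binding for the subnet's gateway (constructed values).
TRUSTED = {"10.0.0.1": "02:00:00:00:00:01"}
# Seconds during which a reply counts as the answer to an earlier request.
SOLICIT_WINDOW = 5


@dataclass(frozen=True)
class Alert:
    ts: int
    ip: str
    claimed_mac: str
    victim: str       # host the reply was addressed to
    solicited: bool   # True if that host had just asked for this IP


def parse(log):
    """Yield (ts, kind, fields) for well-formed lines; skip everything else."""
    for line in log.splitlines():
        p = line.split()
        if not p or not p[0].isdigit():
            continue
        if len(p) == 5 and p[1] == "request" and p[3] == "who-has":
            yield int(p[0]), "request", (p[2].lower(), p[4])
        elif len(p) == 7 and p[1] == "reply" and p[3] == "is-at" and p[5] == "to":
            yield int(p[0]), "reply", (p[2], p[4].lower(), p[6].lower())


def detect(log, trusted=TRUSTED, window=SOLICIT_WINDOW):
    """Return an Alert for every reply that contradicts a trusted binding."""
    pending = {}  # (asker_mac, ip) -> time of that host's latest request
    alerts = []
    for ts, kind, fields in parse(log):
        if kind == "request":
            asker, ip = fields
            pending[(asker, ip)] = ts
            continue
        ip, mac, dst = fields
        expected = trusted.get(ip)
        if expected is None or mac == expected.lower():
            continue  # untracked IP, or the genuine gateway answering
        asked = pending.get((dst, ip))
        solicited = asked is not None and 0 <= ts - asked <= window
        alerts.append(Alert(ts, ip, mac, dst, solicited))
    return alerts


def summarize(alerts):
    """Map each rogue MAC to the sorted list of hosts it sent replies to."""
    victims = defaultdict(set)
    for a in alerts:
        victims[a.claimed_mac].add(a.victim)
    return {mac: sorted(v) for mac, v in victims.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        tag = "answering a request" if a.solicited else "unsolicited"
        print(f"t={a.ts} {a.ip} claimed by {a.claimed_mac} -> {a.victim} ({tag})")
    rogue = summarize(found)
    if len(rogue) > 1:
        print(f"{len(rogue)} different MACs are contesting a trusted binding")
```

Switch features such as DHCP snooping with Dynamic ARP Inspection enforce the same IP-to-MAC binding check in the data path, which stops the rebinding rather than only reporting it.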

                                                                                            • kortilla 7 days ago
                                                                                              Unless you had a special case for the hijacking machines to ignore the spoofed ARPs, the whole thing probably fell apart when they ended up with a loop between each other rather than a path to the real gateway.
                                                                                              • bfirsh 7 days ago
                                                                                                Oh, yeah. That's a very good point. That's probably why it stopped working. I always thought the network admins pulled the plug assuming they'd been hacked.
                                                                                                • WrtCdEvrydy 7 days ago
                                                                                                  That's a common issue with distributed systems.

                                                                                                  Something has to be "the leader" and you need a system for choosing a new one once the old one is offline for a certain amount of time.

                                                                                                  Add in a sprinkling of how to figure out if you have more than one leader active at a time.

                                                                                                  • bfirsh 7 days ago
                                                                                                    Would it have needed leader election though? It's a stateless system. It might have been enough to ignore spoofed ARP replies, or to not attack machines of its own kind.
                                                                                                    • cinquemb 6 days ago
                                                                                                      Yeah, even in state systems, I think some sort of gossip protocol could work as long as the part of the state that is being decided on is not in contention with another node's response during a round of sampling.
                                                                                              • pfraze 7 days ago
                                                                                                Used to be that Windows allowed programs to hook into each others’ event busses. (It might still, I’m not sure.) This might be why a few of my Highschool’s computers would interpret every 5th right click in minesweeper as a left click
                                                                                                • aimor 7 days ago
                                                                                                  I ran into a fun bug in W10 where my arrow keys were moving the mouse cursor around. Turns out MS Paint does this as a feature and somehow it leaked beyond Paint.

                                                                                                  https://superuser.com/questions/1467313/mouse-pointer-moving...

                                                                                                  • Stratoscope 7 days ago
                                                                                                    Yup, you can still do that. AutoHotkey is a wonderful tool for this. You can intercept input events globally, and transform them or send completely different events to the target app.

                                                                                                    For example, I use AutoHotkey to implement my JKLmouse program, which turns certain keyboard events into mouse movement for precise control. It's similar to the MouseKeys that comes with Windows, but made for laptop keyboards without numeric keypads.

                                                                                                    And yes, you could definitely do that Minesweeper hack in AutoHotkey! :-)

                                                                                                    https://www.autohotkey.com/

                                                                                                    • Quessked73 7 days ago
                                                                                                      Would you mind sharing that script? I have been looking for something similar, but didn't find anything that worked well and did not have the time yet to give it a try myself. I would really appreciate it.
                                                                                                      • Stratoscope 7 days ago
                                                                                                        Sure. I didn't want to engage in self-promotion, but since you asked, here's the website and source code. There is an installer, but it's kind of old. I suggest installing AutoHotkey itself, then download the JKLmouse.ahk and JKLmouse.ico files from GitHub, and put a shortcut to the .ahk in your Startup folder.

                                                                                                        https://www.jklmouse.com/

                                                                                                        https://github.com/geary/jklmouse/tree/master/AutoHotkey/Sou...

                                                                                                        One thing to note is that I wrote this to use on my ThinkPads, which have physical mouse buttons. On a laptop where the touchpad itself is the mouse button, it may be difficult to avoid nudging the mouse position when you click.

                                                                                                        I've been thinking about adding support for using other keys as "mouse buttons", but haven't done anything about it yet.

                                                                                                        • trashcat 7 days ago
                                                                                                          This is really cool. It's like the Mouse feature of QMK but works with any keyboard!
                                                                                                    • steerablesafe 7 days ago
                                                                                                      > This might be why a few of my Highschool’s computers would interpret every 5th right click in minesweeper as a left click

                                                                                                      This is just pure evil.

                                                                                                    • anyfoo 7 days ago
                                                                                                      Wow, somehow that use of random and slowly ARP proxying as a duct-taped together load balancing mechanism makes this so much cooler.

                                                                                                      I'm not sure I quite understand the details, though. I assume there was only one gateway for the segment, so were the spoofed ARP replies unicast instead of broadcast? Otherwise, wouldn't all clients just switch to whatever machine announced their spoof for the gateway IP last?

                                                                                                      • bfirsh 7 days ago
                                                                                                        This was 13 years ago so my memory is fuzzy... if I recall correctly, spoofed ARP replies were unicasted to every possible address on the network. It switched from machine to machine slowly, which is fine because they all served the same content.

                                                                                                        There were several subnets at the school, each with its own gateway. I remember having to set up live CDs in several computer labs to cover each of the subnets.

                                                                                                      • detaro 7 days ago
                                                                                                        based on http://www.ex-parrot.com/pete/upside-down-ternet.html by chance? or parallel evolution? :D
                                                                                                        • bfirsh 7 days ago
                                                                                                          Hah! I have vague memories of this. I think this might have inspired it, yes.
                                                                                                        • scoot 7 days ago
                                                                                                          > I rewrote the whole internet

                                                                                                          The web is not the whole internet, and Google, Facebook and YouTube are not the whole web.

                                                                                                          Makes me sad to think that someone could possibly believe either of these things. I suspect the rest is just something you read somewhere, but don't understand what the words mean. Enjoy your MIPs (meaningless internet points).

                                                                                                          • bluedays 7 days ago
                                                                                                            I don't think this happened.
                                                                                                            • bfirsh 7 days ago
                                                                                                              • collegeburner 7 days ago
                                                                                                                Wow takes me back to old Google's former logo! It looked so much better with old logo.
                                                                                                              • samschooler 7 days ago
                                                                                                                Hypothetically it could happen and even if it isn’t true, I feel it adds something to the conversation. Besides, you cited as many sources as they did.
                                                                                                                • bluedays 7 days ago
                                                                                                                  Sounds way overly complex for a high schooler to pull off. At least the OP sounded legitimate, the details didn't sound over the top.
                                                                                                                  • anyfoo 7 days ago
                                                                                                                    I think you're underestimating motivated high schoolers.

                                                                                                                    When I was in high school I was a huge Linux fan and had a side job as a network administrator for small companies in my town. I don't know if I would have gotten the "random ARP load balancing" idea, but overall it seems well within the knowledge admins of the days had about TCP/IP.

                                                                                                                    When I was between 15 and 17 or so, I wrote small HTTP, DNS servers etc. in C++ for fun (straightforward implementations and not better in any way, so in the end just learning exercises), and I definitely had friends who did similar things.

                                                                                                                    • Not really. Sounds like this was class of '08, and at the time BackTrack would have been readily available and popular enough for a curious highschooler with a bit of computing background to find. As I recall ettercap was built in and I wouldn't be at all surprised if there were tutorials for setting up scenarios almost exactly like what is described.

                                                                                                                      Even the ARP balancing thing is the kind of too-clever-by-a-half solution a naive youngin' would come up with since it would lead all the nodes thinking each other are the gateway and crushing the network with routing loops.

                                                                                                                    • _jal 7 days ago
                                                                                                                      Sounds like you hung out with the wrong kids in high school.

                                                                                                                      A couple friends and I pulled off some stunts of comparable non-digital complexity. (This was the 80s, schools didn't have networks.) They were more of the logistics and misdirection sort; for instance, having your own version of the printed graduation programs delivered, instead of the boring, official one.

                                                                                                                  • foooobaba 7 days ago
                                                                                                                    I did some similar shenanigans when in 10th grade, with backtrack 3 and ettercap-ng it was pretty easy. I didn’t do the load balancing, and ended up crashing the network when my laptop couldn’t keep up lol.
                                                                                                                    • anyfoo 7 days ago
                                                                                                                      I'm less skeptical. OP already mentioned that most things were not encrypted back then, so this was probably still in the days of transparent proxies, so OP could have "just" added one with some ARP spoofing. They were somewhat common in school and office networks, and like regular HTTP proxies (except the transparent ones had the traffic redirected forcefully to them) they essentially consumed HTTP requests and sent new ones out to The Internet. While mostly used for caching and blocking, it seems relatively simple to me that OP could have just replaced e.g. some stylesheets served back to the client.
                                                                                                                  • ubermonkey 8 days ago
                                                                                                                    Three things are remarkable about this, and make it a happy story.

                                                                                                                    First, that the pranksters were so egregiously responsible in the way they went about it. They avoided disrupting any actual educational activities; it was meant to be harmless fun, not vandalism. No harm came to anything here.

                                                                                                                    Second, that they documented their findings to the administration as part of the action, including recommendations for improvements.

                                                                                                                    Third, the administration took this as exactly that: a harmless prank by smart, ethical kids who ALSO did them a favor by pointing out the vulnerabilities. If the admin had a panicked fit about this, they could have made it an ugly situation.

                                                                                                                    My educational experience was populated far more by "freak out and yell" types than this school district, which was a shame.

                                                                                                                    • nutwit 7 days ago
                                                                                                                      The school district itself was relatively chill, however the individual deans freaked out. Because the penetration report was sent to the tech team and not the deans, the deans were intent on finding out exactly who did the hack to find something to report to their bosses (and according to them concern about the grade book system being exposed?? Not sure how you’re supposed to rick roll a grade book but if anyone has an idea i’d love to know). As the earliest poster of footage of this event, I actually got tracked down (despite the fact that the only information they had to go off of was my youtube channel which had no references to my actual name whatsoever) and interrogated about what I knew of the event by the dean. The penetration report had been sent a while prior to this (which I knew about, as being a sibling of the original blog poster can have many benefits) which made the entire thing so much funnier. I was thankful that masks were a requirement for in person students at the time, as my mouth was literally twitching the entire time during the interrogation.
                                                                                                                      • dr_orpheus 7 days ago
                                                                                                                        > grade book system being exposed

                                                                                                                        In our high school they didn't expose the gradebook in that you could get in and change it, but we were able to see everyone else's grades. Teachers would post grades for their class and "obscure" it by posting it with the student ID (you were only supposed to know your own) next to the grade. But when they posted, the entire list was still in alphabetical order so it wasn't hard to figure out everyone's grade and student ID.

                                                                                                                        And the cherry on top of this was that all the students' passwords were their student ID.

                                                                                                                        • saltminer 7 days ago
                                                                                                                          >and according to them concern about the grade book system being exposed??

                                                                                                                          Junior year in high school, I got suspended for "hacking."

                                                                                                                          The tl;dr is that I was using a proxy to fetch assignments for class (because the county decided "yeah, this state run Moodle instance is obviously not appropriate for education" and one of my classes used Moodle) and got caught with the proxy configuration screen open. I wish I was joking.

                                                                                                                          Anyway, when I was sitting in the guidance counselor's office as the teacher was talking up how "dangerous" I was, I noticed a sticky note with a username and password written on it. Turns out it was an admin account for the gradebook, though I think it was just intended for scheduling.

                                                                                                                          I never did anything bad with those credentials, but that really tanked what little respect I still had for the administrators there.

                                                                                                                          On a lighter note, when stack exchange & co got blocked the next year, I was good friends with the librarians since I helped out a fair amount fixing up their laptop carts (and doing other things the sysadmins were too busy to take care of), and they were able to get them unblocked. It taught me a lot about office politics: people are willing to return favors, so you should always make those connections.

                                                                                                                          • ubermonkey 7 days ago
                                                                                                                            >but that really tanked what little respect I still had for the administrators there.

                                                                                                                            I mean, why did you have any in the first place?

                                                                                                                            I've met very, very few employees of high schools who were worthy of any sort of intellectual or professional respect.

                                                                                                                            • nutwit 7 days ago
                                                                                                                              yeah, those inner connections were really important. guess it was a good thing my brother was friends with the tech person at our school.
                                                                                                                              • BBC-vs-neolibs 7 days ago
                                                                                                                                Yep. It's also a general signal that you're a good actor willing to do the work. An observer with no interaction can see what you did for the librarians and put in a good word for you somewhere without you ever even knowing.
                                                                                                                              • MauranKilom 7 days ago
                                                                                                                                > Despite the fact that the only information they had to go off of was my youtube channel which had no references to my actual name whatsoever

                                                                                                                                Assuming you took the video at the top of the article, it was presumably trivial to figure out who was in the class you were in and then rule out everyone who appears on camera as the camera man. Or just ask the teacher...

                                                                                                                              • brundolf 7 days ago
                                                                                                                                For contrast, I once got suspended from the school computer labs for two weeks for the heinous crime of... running an unauthorized executable from a flash drive.

                                                                                                                                It was Rainmeter; I was showing it to a friend. The IT guy even was like "yeah Rainmeter's pretty cool, I read about it in a magazine". But it was auto-detected and school policy, apparently.

                                                                                                                                • noasaservice 6 days ago
                                                                                                                                  If they were that nazi-like with their IT policy, why wasn't AppLocker turned on?

                                                                                                                                  Why report when you can simply administratively deny?

                                                                                                                                  • zenithd 5 days ago
                                                                                                                                    Your presumption of competence is bold.
                                                                                                                                  • zenithd 7 days ago
                                                                                                                                    Same story but with putty.

                                                                                                                                    My own child will never use a school-issued laptop or school wifi.

                                                                                                                                • joshuamoes 8 days ago
                                                                                                                                  Preface this by saying this was a smaller school, and the students had limited access to wifi. For example a teacher would create a set of radius credentials that would only be active for 1 hour. Since data was also expensive that was not an easy work around.

                                                                                                                                  In my grade 11 electronics class, one project we were assigned was to create a digital clock with notifications for one of the teachers. Me and a friend set up a raspberry pi with magic mirror installed on it, and modified some available plugins at the time to allow a google calendar for test dates embedded on the display. The teacher was quite pleased with this, but we convinced him to hard wire it to the network for "stability". In the background we had installed a vpn connection to one of my vps that I used to host my website, and created a new set of sudo enabled credentials naming it magic-mirror or something. The teacher then reviewed the project and changed the normal user credentials etc. Then right before it was installed in the ceiling, we attached a wifi adapter to the pi. A week or so later we remoted in through the tunnel and enabled a wireless hotspot from the pi. This provided us with internet while we were close to the classroom for the next year. People also over time learned that you could extend the range by hot spotting additional jumps using laptops.

                                                                                                                                  • bowmessage 7 days ago
                                                                                                                                    Nice! I used to carry around a wireless router in my backpack for the same reason, and made sure to surreptitiously plug it in at the back of every class. Similarly, the school had very restricted WiFi, but no restrictions on the wired network. Fun times.
                                                                                                                                    • joshuamoes 7 days ago
                                                                                                                                      For sure lots of fun, we also very quickly found the staff wifi password, and just cloned mac addresses of allowed devices to bypass the filtering.
                                                                                                                                  • hx2a 8 days ago
                                                                                                                                    When I was in High School (early 90's) we got a new computer system that nobody was using yet. I discovered there was an email system of some kind and that every student had an email address that we were not told about. I also discovered Tetris installed in a directory on the server. I was able to play Tetris and I could show other students how to access it, but it was inconvenient to get to.

                                                                                                                                    Therefore I decided I would email Tetris to every student (I emailed the executable, not a link to Tetris), making it easier for everyone to play also. As soon as I did this the entire system got very slow...apparently the server had no quotas or partitioning and the hundreds of copies of Tetris filled up 100% of the hard drive space. It was a disaster. The computer "specialist" had no idea how to fix the system and she was teaching an adult education class that evening that required the system to work. She was furious and wanted me to get suspended. It didn't happen though because I spoke up about the problem right when I knew there was a problem and also some other teachers intervened on my behalf.

                                                                                                                                    The woman who was responsible for the computer system back then is now the superintendent of the school system. I wonder if she remembers me.

                                                                                                                                    • codazoda 8 days ago
                                                                                                                                      She remembers you.

                                                                                                                                      I also graduated in the early 90's and my children recently graduated from my alma mater. When I went with them to teacher conferences some of the same teachers were still there. Teachers that I didn't even have classes with remember me.

                                                                                                                                      • zengargoyle 7 days ago
                                                                                                                                        In like '89 when I was 19 and at university my work-study job was with the IT/ComputingResources department (old names). I worked as a graveyard shift NOC operator swapping tapes and handing out print-jobs, running system tests and stuff like that. We had several 24/7 computer labs full of Sun 3/50(60) workstations and things like that. But there was one lab that was closed from 10-5 overnight and I thought to myself "hey, there's a whole room of workstations not doing anything" so I wrote some scripts rsh/NFS and used that lab one night to run distributed ray-tracing jobs. The next day my account was disabled and I had to go talk to Security. They sorta laughed a bit then went like NO don't do that. I worked for the IT department for the next four years. Then I left for a decade. Then I came back and applied for a job. The interview lasted all of five minutes, I worked for a few months before being forcibly promoted up into the upper circle. My first task was to go around to the dozen others who had root and ask for advice and update the root-speech documentation. I got to Security.... tippity tappity "Oh, hello Mr. zengargoyle, let's see... '89 'misuse of computing resources'." LOL, still had root by the end of the day.

                                                                                                                                        So, this is just to say... that places like education where people may stick around for a long while in the system and such. They probably do remember a bunch of events from even a decade ago. It's the good places that have a sense of humor or appreciation for a worthy harmless infraction. They may even be secretly proud or have some admiration.

                                                                                                                                        Though I do sorta fear that I just happened to hit the tail end of old-school hackery where such things are rewarded. Now get off my lawn.

                                                                                                                                      • dyingkneepad 8 days ago
                                                                                                                                        I feel so dumb when I read kids doing these things. Back in High School all I knew was how I could run arbitrary executable files by renaming them to calc.exe. We also did the classic "take a screenshot of the desktop, set it as the wallpaper, then remove all icons and the start menu" thing.
                                                                                                                                        • rmorey 7 days ago
                                                                                                                                          Another good one on that level was using the Windows keyboard shortcut ctrl-alt-down to rotate the display upside down - totally harmless, but absolutely maddening if you don’t know how to undo it
                                                                                                                                          • rocqua 7 days ago
                                                                                                                                            Even better if you combined it with an upside down screenshot of the desktop. So it looked like only the mouse was upside down and all buttons didn't work.
                                                                                                                                            • gpt5 7 days ago
                                                                                                                                              Unfortunately, this feature was discontinued by most graphics drivers.
                                                                                                                                              • nyanpasu64 7 days ago
                                                                                                                                                I think it's a good thing that Ctrl+Alt+Arrow is no longer intercepted by graphics drivers, since IMO shortcuts not containing Win should be handled by apps and not the system.
                                                                                                                                                • lysurgic 7 days ago
                                                                                                                                                  This is still a common prank at work on win10 pc’s
                                                                                                                                              • alistairSH 8 days ago
                                                                                                                                                All this. Plus TI-86 kung fu. Though this was 1991-1995, IoT didn’t exist and email and web access was mostly through AOL or Prodigy.
                                                                                                                                                • quadcore 7 days ago
                                                                                                                                                  I told a friend who knew absolutely nothing about computers to go and type format c: on the school only computer and wait for the result. It turned a bit ugly but we're still friend :)
                                                                                                                                                  • severak_cz 7 days ago
                                                                                                                                                    Change wallpaper to some crap. Take a screenshot of desktop. Change wallpaper back and open screenshot with crap on the background in fullscreen mode.
                                                                                                                                                    • gmadsen 6 days ago
                                                                                                                                                      back in middle school we would just use proxies to play online games on the library that were regularly blocked
                                                                                                                                                    • RubberShoes 8 days ago
                                                                                                                                                      I went to Buffalo Grove High School in this same district and graduated many years ago. At the time no IPTV systems or EPIC bell systems were in place. However, as soon as I walked in my freshman year I noticed the 'teacher' WiFi was only using MAC Address Filtering. One minute scan and a spoof later I was poking around to discover a whole lot was visible from this privileged network. “...From the results, we found various devices exposed on the district network. These included printers, IP phones... and even security cameras without any password authentication!” It was even worse back then. It was all exposed on wide open WiFi!

                                                                                                                                                      My senior prank was going to revolve around the printers. We were shocked to discover every printer not just in BG but across the entire district was accessible with no authentication of any kind. We cooked up ideas and were planning to print either porn or I has cheezburger/lolcat memes via telnet (I'm dating myself.)

                                                                                                                                                      Ultimately I got into other trouble before we could execute and figured this wasn’t worth not graduating over. I moved on and am so happy to see a much better prank on this same network happen so many years later with almost no repercussions. Congratulations and great prank!

                                                                                                                                                      • driverdan 7 days ago
                                                                                                                                                        In middle school all classrooms had their own printer. They were also shared on the entire school network with no security. We had a lot of fun printing stuff to other classes and never got caught.
                                                                                                                                                      • jcims 8 days ago
                                                                                                                                                        I’ve said this a bunch on here so please tell me to stuff it if it’s tiresome, but having been on the far side of a large scale bug bounty i am incredibly impressed with the skills that young folks are developing in infosec. Probably not particularly unique but the industry is still a bit of a combination of tradecraft and academic pursuit and can be confusing for people to find a way in. I think this is why i really appreciate those that just bear down and get after it.
                                                                                                                                                        • sodality2 8 days ago
                                                                                                                                                          I told my district that I could change my race at-will via a hidden form on the profile page. I changed it to "Purple". Got a call back from some IT guy telling me I accessed their computer without authorization, and that if it happened again, they'd press charges. I asked to be put through to the IT administrator, and he laughed and told me don't worry about it... Sometimes, they can handle it well. Very glad they did for you as well :)
                                                                                                                                                          • qmarchi 7 days ago
                                                                                                                                                            I think the delineation point comes in with whether they are an IT "person" or a school administrator.

                                                                                                                                                            Regularly, I would end up in trouble in my High School for things like bypassing the root account (using ShellShock), or nullifying their executable restrictions (because I needed to run my own executables for a work/study program). If I got caught, the IT admin would sit down and we'd chat about what happened, how they could improve their security and such. An administrator caught on to one of my shenanigans, bypassing the content block because I wanted to read a "hacking" article, and threatened me with suspension. Supposedly, she reported the incident to IT, and IT told her to not bother me anymore.

                                                                                                                                                            • rajamaka 7 days ago
                                                                                                                                                              This is spot on. I Used to work as a sysadmin for a large private school and always enjoyed the red/blue dynamic of tech team vs the smarter students trying to poke through the restrictions of their laptops and network.

                                                                                                                                                              It was always disappointing when they took it too far and were directly caught by teachers or administration before I could tell them they were being a bit too blatantly malicious.

                                                                                                                                                              • sodality2 7 days ago
                                                                                                                                                                That's definitely true, my elementary school principal once got upset at me for unplugging and replugging the ethernet to fix the internet... I'm pretty sure the IT guys would have done the same :P
                                                                                                                                                            • Timpy 7 days ago
                                                                                                                                                              > I used a loop of the DVD bouncing logo to test stream quality.

                                                                                                                                                              This is a beautiful touch, if somebody happened across his testing in the middle of the night they wouldn't suspect anything was amiss.

                                                                                                                                                              • azinman2 8 days ago
                                                                                                                                                                Reminds me lightly of when I was in high school, email was fairly new -- especially at a school. My friend at a fancy private school had a Linux machine to access, and she really wanted to know what someone else had said about her. I managed to script kiddy my way in leveraging her existing shell login, got root, and read the email. What I didn't realize was that my .history file contained everything I had done. Eventually the sysadmin wrote me an email saying he knew what was going on and wanted to meet up, stating 'he wouldn't cuff me' and that he was 'a chill dude'. I was obviously scared, deleted everything, and tried to pretend nothing ever had happened.

                                                                                                                                                                Luckily no one got in trouble (meaning me or my friend). Not so sure this would happen in 2021.

                                                                                                                                                                • jackson1442 8 days ago
                                                                                                                                                                  About two years ago, I was in high school and decided to, as a joke, “hack” the computer. By logging in as admin:password. I was incredibly surprised when it actually ended up working as a domain admin account. After checking this, I immediately signed out.

                                                                                                                                                                  When my CS teacher filed a ticket asking “who has the user account ‘admin’ and why is the password ‘password?’” IT wanted to revoke my network login and probably put me in ISS for a few days. Fortunately, my CS teacher didn’t reveal who I was.

                                                                                                                                                                  Very glad IT at this person’s school took it in stride, unfortunately this was just the MO of IT in my district.

                                                                                                                                                                  • dmitrygr 8 days ago
                                                                                                                                                                    Many here, I am sure, got in trouble in high school for exposing security issues in school IT. So I imagine we're all very happy to see a sane response from school administration for once!
                                                                                                                                                                    • tubbs 8 days ago
                                                                                                                                                                      Story time, I guess.

                                                                                                                                                                      I went to a small private Christian school back in the late 200X's, and not the type of private school that had gobs of money. For two years, our desktop computers in the computer lab and the English classroom ran Ubuntu Linux (presumably because Windows licenses were >$0). The only students with Linux experience were myself and a friend that I introduced to Linux (who is also now an IT professional).

                                                                                                                                                                      For a month or two we systematically changed the remote desktop preferences to automatically accept new connections and not to display any messages saying that there is a connection. We tried to never sit at the same computer twice so that we could "adjust" as many computers as possible and to make a secret map of where each computer was by hostname.

                                                                                                                                                                      If we were in the computer lab and feeling mischievous (always), we'd poll around English classroom hostnames to see if any were in use, or vice versa. We'd "help" people write their papers (very creatively, I might add), speedrun through other students' typing lessons, open a terminal and run "telnet towel.blinkenlights.nl", or whatever else we could come up with.

                                                                                                                                                                      Well, wouldn't you know it, word gets around this is happening and we naturally get called in to the principal's office (because who else?). While expecting the worst, we were told "we know what you're doing, we don't know how to stop you, but we encourage you to stop and use your technical abilities productively instead" and were let off without punishment. We both came out of it with great respect for the administration because they showed us respect we didn't deserve, and we stopped.

                                                                                                                                                                      • dvtrn 8 days ago
                                                                                                                                                                        I got in trouble once in high school just for discovering and then using `net send` to send a message to my friend that said "Hi from lab 3".

                                                                                                                                                                        Computer lab access revoked for 6 weeks. Jokes on them, now I send socket messages to my friend that says "Hi from Chicago" and there's nothing they can do about it.

                                                                                                                                                                        My friend however keeps begging me to use this thing called 'email' because he claims he doesn't see the socket messages.

                                                                                                                                                                        • uudecoded 8 days ago
                                                                                                                                                                          Sorry you got access revoked. I accidentally did a net send (via the GUI) to the whole district domain instead of my friend in AP CS that said "Time for break!" right before the snack break.

                                                                                                                                                                          In my next class, the teacher was talking about "Time for break" virus going around... :/

                                                                                                                                                                          This was after the district IT wanted to suspend me for setting up a Windows 2000 domain for the yearbook lab, so I kept my mouth shut.

                                                                                                                                                                          • flatiron 8 days ago
                                                                                                                                                                            everyone in my school net send bombed everyone all the time. I'm not sure how they didn't figure out how to just turn it off.

                                                                                                                                                                            but i remember you had to do it from a library computer, because it said who it sent it from. so you had to do a little drive by walking net send as you walked out of the library to not get caught

                                                                                                                                                                            • snerbles 7 days ago
                                                                                                                                                                              In our case it escalated to scripts with silent, random time delays. Launch it from a floppy, walk away and 87 minutes later everyone is wondering why a notice went out saying that a Toyota Corolla in the parking lot has its lights on.
                                                                                                                                                                              • m0ngr31 8 days ago
                                                                                                                                                                                We would write scripts to essentially make net send DOS attacks on different labs.
                                                                                                                                                                                • dvtrn 7 days ago
                                                                                                                                                                                  That was exactly how we used to do it, from where we used to do it, haha. Are you my friend? Rodrigo? How's the weather in Miami? How 'bout those 'Canes?
                                                                                                                                                                              • I don't know. I feel like a lot of the people here celebrate their former exploits as though they weren't committing the computer equivalent of rifling through unlocked desk drawers and graffitiing the walls. They seem so surprised that overworked and underpaid public servants don't appreciate that.
                                                                                                                                                                                • ar_lan 8 days ago
                                                                                                                                                                                  There was an excessively annoying kid in my high school and I learned to send remote commands to any computer in our lab, so I sent a command on loop that continuously opened his disk drive (it would automatically re-open after closing), and if he was particularly annoying I would shut down his computer.

                                                                                                                                                                                  I never once got in trouble for it - the teacher would ask the class, directly looking at me, from time to time to stop it, but I never got in trouble.

                                                                                                                                                                                  I imagine he was just using those announcements to get me to stop from time to time, but knew this kid deserved it so he never did more than that.

                                                                                                                                                                                  • h2odragon 8 days ago
                                                                                                                                                                                    Stories of more enlightened school administrators are always welcome.

                                                                                                                                                                                    My story: the "second best high school in the state" had an AT&T 3b2. They wouldn't let me take any classes that used it because they were afraid of what I might do to it (their words). I mean, they weren't actually wrong to worry, but it didn't really have anything on it.

                                                                                                                                                                                    • pugworthy 7 days ago
                                                                                                                                                                                      It happens at "adult" jobs too. I found a number of webcams in the organization with no password. I flipped the image on one, and sent an email to IT saying, "Hey something's wrong with the web cam - it's upside down. Oh and probably you should put a password on it ;)"

                                                                                                                                                                                      It didn't go over so well. It embarrassed them and lead to some major reprimands for me, almost to the point of losing my job for unauthorized access to systems.

                                                                                                                                                                                    • earksiinni 8 days ago
                                                                                                                                                                                      Serious question. What, if any, instruction do kids these days receive regarding what's allowed on computer systems?

                                                                                                                                                                                      I remember in high school poking around a network drive until I found an executable with the name "SEND" in the name. I had a sense that it would send some kind of message somewhere, but I honestly didn't know where or to how many people. I was quite surprised when all the screens in our computer lab froze and, five seconds later, my message appeared on all of them. (I later learned that my message appeared on every desktop screen in the school!)

                                                                                                                                                                                      I'm not sure exactly how they found me out, but I was called into the IT admin's office a couple of days later. She was furious with me. I told her the truth. I didn't know what exactly would happen when I ran that command, but she didn't buy it. Fortunately, nothing ended up happening after that.

                                                                                                                                                                                      I've wondered to this day what exactly they could have done to me if they decided to press whatever legal authority they might have had to its fullest extent. I was never told "don't go to Z:\" or "don't run any program other than those on this list." Even after I was found out, I wasn't ever explicitly told that my actions constituted unauthorized access.

                                                                                                                                                                                      It was a different, perhaps more innocent (or ignorant) time back then. How much have things changed now?

                                                                                                                                                                                      • I graduated high school in 2015. I remember similarly poking around a network drive until I found a file in plaintext which contained everyone's student ID and whether or not they had a nut allergy (protected by HIPAA), for the bus system.

                                                                                                                                                                                        I didn't think much of it, but some other students caught wind. Before I knew it, the superintendent threatened to have the police involved and press legal action for "hacking confidential student data."

                                                                                                                                                                                        It's CYA all the way, usually at the expense of the person in the chain least equipped to cover their ass (the student).

                                                                                                                                                                                        • drusepth 8 days ago
                                                                                                                                                                                          Similar story: the dean of my "high school" [1] asked me to create our school website. Another student apparently poked around on a network drive and found an SQL dump of all the students' network username/passwords. I brought this file to the dean, told them it was available on a shared drive (so they could remove it), and asked if they'd like me to use it -- since I already had it -- to enable all the students to log in to the school website with their existing network usernames/passwords. They said that was a great idea and gave me the OK.

                                                                                                                                                                                          A week later, police escorted me from my dorm and both I and the other student were eventually expelled and threatened with harsh legal action, which never came.

                                                                                                                                                                                          [1] The "high school" was an early-entrance-to-college program where we started college at 16, lived on campus, took the normal freshman/sophomore college courses, and eventually received a high school diploma and an Associate of Science when we graduated at 18. The website was for the school I attended, but the SQL dump included all of the university students as well. The school has since shut down.

                                                                                                                                                                                          • 35fbe7d3d5b9 8 days ago
                                                                                                                                                                                            > whether or not they had a nut allergy (protected by HIPAA)

                                                                                                                                                                                            Personal pet peeve:

                                                                                                                                                                                            Your high school is not a covered entity and is not acting as a business associate of a covered entity. HIPAA does not apply. They are free to keep a plaintext file with your name, nut allergies, COVID vaccination status, and anything else they want to put in there - without HIPAA entering into the discussion.

                                                                                                                                                                                            FERPA could apply, but I don't know much about that.

                                                                                                                                                                                            • educationcto 7 days ago
                                                                                                                                                                                              Nut allergy info that was collected by the school (teacher, admin, nurse, whoever) is part of the student records and would be protected information under FERPA.
                                                                                                                                                                                            • earksiinni 8 days ago
                                                                                                                                                                                              Wow. That's terrifying. And you didn't even run anything!

                                                                                                                                                                                              I'm guessing that they never told you "don't browse this network drive"?

                                                                                                                                                                                              • Buttons840 8 days ago
                                                                                                                                                                                                Never press F12 while browsing. Instant hacker.

                                                                                                                                                                                                Seriously, I found a state website that appeared to be exposing NPI about certain people in an API response. So much NPI nicely formatted in a JSON response. I closed the page and never touched it again. You know the state will declare me a dangerous and sophisticated hacker because I pressed F12 to open the developer tools, that's much easier than admitting they made a mistake.

                                                                                                                                                                                            • quesera 8 days ago
                                                                                                                                                                                              I can't answer your question, but I strongly suspect the backstory on your furious IT admin went something like this:

                                                                                                                                                                                                * SEND happened
                                                                                                                                                                                                * Minor kerfuffle ensued among various functionaries
                                                                                                                                                                                                * Big Boss worried that something Big was going on
                                                                                                                                                                                                * IT admin was questioned and had no answers
                                                                                                                                                                                                * Simmer for a few days, Big Boss repeating questions and IT admin being flummoxed
                                                                                                                                                                                                * Eventually adequate logs are found and correlated that place you as the likely responsible party
                                                                                                                                                                                                * IT admin is lathered up about a big nothing because Big Boss keeps asking and their competence is in question
                                                                                                                                                                                                * IT admin unleashes the pent up frustration of a few days of stupidity and job security uncertainty on you, and is not satisfied that all this drama was initiated by boredom and not malice
                                                                                                                                                                                                * IT admin reports to Big Boss, who basically brushes it off because they have moved on to other things -- and at the end of the day knows they run an organization filled with kids, some of whom are more curious than others
                                                                                                                                                                                                * Issue disappears
                                                                                                                                                                                              • thrashh 8 days ago
                                                                                                                                                                                                Kids have been jumping fences for millennia.

                                                                                                                                                                                                That said, I did know a kid that had charges pressed against him when I was in school so things weren’t necessarily innocent back then either. He was admittedly an idiot and borderline malicious though.

                                                                                                                                                                                                • beambot 6 days ago
                                                                                                                                                                                                  Good old "net send." Out of all the things, that was the one I got chewed out about too.

                                                                                                                                                                                                  Wasn't a regular MS user, but we were in a computer training lab at a company for "computer day" field trip. Was bored during instructions, so naturally I logged in, found "net send", and sent a few crank messages to classmates using * as destination. Everyone, including the instructor, got a good laugh.

                                                                                                                                                                                                  Approached later in day by corporate IT. Apparently the lab had poor routing rules, no firewalls, and sat on the main Corp network. My messages were received on 25,000 terminals.

                                                                                                                                                                                                  Thankfully, they recognized this as (a) harmless, and (b) their own lax failure. No adverse outcome.

                                                                                                                                                                                                • mdip 8 days ago
                                                                                                                                                                                                  This is excellent; reminds me of (very much smaller and far less cleverly executed) grief that I caused the administration at my HS back in the day[0].

                                                                                                                                                                                                  There's a few comments about the risks along with a little surprise/at least applause for the administration choosing not to waste the courts/various other parts of the justice system with this prank. I completely agree -- I don't know if I'm terribly surprised they chose that route (whether or not they were truly upset in the first place). I applaud the students for executing this so carefully/well and if my kids pulled something like this off with this level of care -- well, they'd at least be getting a dinner out of their choosing -- probably a trip to a nearby theme park.

                                                                                                                                                                                                  I suspect the kids involved were also certain that their approach, attention paid to keep from disrupting class and (thankfully thorough) testing that helped avoid a harmless prank turning into expensive litigation/really pissed off parents. But I'll bet there was a lot of fear around that, anyway! Had something gone awry -- and that's always where the risk is -- I'm guessing the outcome would have been more severe for these kids.

                                                                                                                                                                                                  They really played the social engineering/covering their hind-quarters side of this prank very well. A large amount of effort was put toward making sure class was not interrupted[1], things worked and were tested and they provided detailed information to the administration on how to secure their systems -- that last piece allowing them to say "Without our minimally invasive prank and report you'd have never known these issues existed. We're not that special; a more malicious student could have discovered these flaws, opted for a porn broadcast and made it difficult/impossible to find them to punish." They probably understand their own school's administration and took an educated guess as to how they might handle something like that, too. At least for the scope of anything I did, I knew I wouldn't hear from the Vice Principal or Principal -- I'd solved various computer problems for them by then that the worst I'd get would be "that was cool, but please don't do that again."

                                                                                                                                                                                                  I didn't get in trouble because the pranks worked similarly -- I tested/avoided disruption (most of the time), did no permanent damage and anything was resolved by a reboot (DOS and no fixed disk) and our harm was necessarily limited since there are only so many computers you can covertly pop a floppy disk in -- there was no network. The biggest factor, though, was that our programming teacher sometimes got involved, himself. He was the head of the math department, not your traditional "computer geek" and I was doing things that he wasn't teaching, so he encouraged it. The guy was amazing (passed away in the mid-00s).

                                                                                                                                                                                                  So, kids, if you do try this at home, make sure it all works, provably, very very well and don't do anything that will give them other reasons to throw the book at you. And if your administration has more than the typical "Zero Tolerance[2]" stance on things, it's just a bad idea regardless.

                                                                                                                                                                                                  I'm sure there were a few among the ranks that became furious but cooler heads prevailed. The report at the end was a nice touch.

                                                                                                                                                                                                  [0] Mostly contained in the computer lab, which was non-networked, but when we discovered the three-letter-acronym TSR (DOS's Terminate and Stay Ready) and realized it was rare that another student would reboot an already booted machine (it took forever counting to the 512KB or so RAM installed). Incredibly, I graduated in the late 90s -- my Senior year, the lab that taught (Turbo, then Borland) Pascal was 15 years behind what most people had at home... these diskless all-in-one bastards wouldn't break.

                                                                                                                                                                                                  [1] I'm sure it took the kids a little longer to get to their classes after that all happened -- that's a minor, completely expected, situation here and at least a small reward for the efforts involved.

                                                                                                                                                                                                  [2] The school ten miles north of us was in a rural district and had a parking lot full of trucks with hunting rifles attached sitting in the parking lot every day (well after all of the schools installed additional locks and added security theater to make parents feel better post-Columbine)...that wasn't forbidden at least as far back as the early 00s and I wouldn't be surprised if a blind eye is mostly turned, today in some parts of that district.

                                                                                                                                                                                                  • SavantIdiot 8 days ago
                                                                                                                                                                                                    Up until OP starts working out the frustrations of RTSP it was pretty much a yawner "scan for ports, http to them, see if sumthins there and unguarded". But the perseverance to make a prank work like that with a finicky protocol across a wide variety of different OEM hardware is really exceptional!
                                                                                                                                                                                                    • bentcorner 8 days ago
                                                                                                                                                                                                      Using the school computer's webcam to test his exploit at night was genius. Very clean.
                                                                                                                                                                                                    • guynamedloren 8 days ago
                                                                                                                                                                                                      Fun story! Such incredible attention to detail and thoughtfulness, all the way up to automatically sending a pen test report to the district's technical supervisors, and sharing a presentation after graduation. This kid was one step ahead all along.

                                                                                                                                                                                                      Great work, Minh.

                                                                                                                                                                                                      • securiTee 8 days ago
                                                                                                                                                                                                        Neat story, and this is clearly harmless. But isn't the most basic, fundamental, number one rule of security/pen testing to try to break into a system (no matter how weak) if and only if you've been given clearance beforehand? Why doesn't that hold here?
                                                                                                                                                                                                        • GavinMcG 8 days ago
                                                                                                                                                                                                          The rule does apply. Also, it was a senior prank, which by definition involves breaking the rules.
                                                                                                                                                                                                          • jdmichal 8 days ago
                                                                                                                                                                                                            The author literally put in TWO disclaimers making that exact point...
                                                                                                                                                                                                            • unethical_ban 8 days ago
                                                                                                                                                                                                              I think the OP is asking "Why are we applauding them if they broke the rules?". The answer is "Sometimes, people break the rules".
                                                                                                                                                                                                          • belval 8 days ago
                                                                                                                                                                                                            The fact that the administration didn't choose to sue them to oblivion is refreshing. I hope we'll see a trend in the future of educator being smart enough to admit that they made a mistake and to encourage the students to develop their talent.

                                                                                                                                                                                                            One can only hope.

                                                                                                                                                                                                            • nielsbot 8 days ago
                                                                                                                                                                                                              Probably helps that "We prepared complete documentation of everything we did, including recommendations to remediate the vulnerabilities we discovered. We went a comprehensive 26-page penetration test report to the D214 tech team and worked with them to help secure their network."
                                                                                                                                                                                                              • munificent 8 days ago
                                                                                                                                                                                                                In many cases, a 26-page report documenting the incompetency of a team would not be taken kindly.
                                                                                                                                                                                                                • I find it annoying that people immediately assume incompetence and not inadequate staffing or conflicting priorities. I worked at a school district for a few years and we were woefully understaffed for what we had to cover. In situations like that you do what you have to so teachers can teach, move on to the next emergency, and hope like hell some self-important little shit doesn't burn everything to the ground.
                                                                                                                                                                                                                • IshKebab 8 days ago
                                                                                                                                                                                                                  That hasn't helped in the past. Frankly I think they were naive to reveal themselves no matter what the authorities said. It hasn't gone nearly as well for other people.
                                                                                                                                                                                                                  • treesknees 8 days ago
                                                                                                                                                                                                                    The students were extremely lucky.

                                                                                                                                                                                                                    The advice given to me in high school (I was working on tech projects after school for several teachers and groups) was to not even try or explore poking around the IT networks no matter how good my intentions were. All it takes is one grumpy school administrator to feel undermined or to misunderstand your report and you could be expelled.

                                                                                                                                                                                                                    When you're in a position like a student, you're still working your way up and building credibility. No need to risk it all for an IT group that doesn't want your security advice and didn't ask for your help.

                                                                                                                                                                                                                    • PradeetPatel 8 days ago
                                                                                                                                                                                                                      Seconded, the same advice has also been given to me back in India.

                                                                                                                                                                                                                      "Know where your boundaries are and who your stakeholders are, don't do anything that will make your stakeholders look bad." It's a life advice given to me by my high school teacher that served me well in my professional life.

                                                                                                                                                                                                                    • rootsudo 8 days ago
                                                                                                                                                                                                                      Yep - I, like many of my friends and people who are naturally curious and work today in "Cybersecurity" had fun, poked around - but once you found little data troves - it reveals how inept alot of people can be.

                                                                                                                                                                                                                      And you just volunteer to be thrown under the bus as that "hacker."

                                                                                                                                                                                                                      Anonymous, maybe. As a student, under 18 - you're "immune" from many things - but it can be a stain.

                                                                                                                                                                                                                      • dylan604 8 days ago
                                                                                                                                                                                                                        It doesn't stop at the student level. Find something at the corp level with an arrogant IT dept, and you'll find yourself in uncomforatable situations as well.
                                                                                                                                                                                                                        • adventured 8 days ago
                                                                                                                                                                                                                          It's always fascinating how dramatically different schools can be. When I was in high school, in the late 1990s, nobody would have cared so much about something along these lines. At worst it would have resulted in a three day suspension from school and lecture from the principle.
                                                                                                                                                                                                                          • colinmhayes 8 days ago
                                                                                                                                                                                                                            He had already graduated, so expulsion wasn't an option.
                                                                                                                                                                                                                            • ohazi 8 days ago
                                                                                                                                                                                                                              Expulsion is one of the friendlier outcomes. Federal prosecution and prison time are also very realistic options here. It's happened to other well-meaning kids on many occasions.
                                                                                                                                                                                                                              • treesknees 6 days ago
                                                                                                                                                                                                                                He had already graduated when he wrote his blog post and told them, he was still a student when he performed the hacking.

                                                                                                                                                                                                                                I realize this is conjecture but I'm giving an example. Speaking from experience receiving "security reports" from users and students, often times they fail to understand the full picture of IT. As a student with no buy-in from the stakeholders, the risk isn't worth it.

                                                                                                                                                                                                                                For example, let's say this IoT network was managed by a vendor who, while having sloppy configuration practices, also had network monitoring looking for APT/anomalies (such as new connections in off-hours or unusual connection rates or bandwidth usage.)

                                                                                                                                                                                                                                While the student thinks they're being sneaky and hacking the system at night, opening ssh connections to a hundred devices from his laptop, there are now reports and alarms going off on a monitoring system. Some basic timestamps and VPN access logs would be enough to point to the student. So this student thinks they're creating an anonymous harmless prank, but the IT department is already investigating a malicious actor on their network. How do you think this would end?

                                                                                                                                                                                                                            • dont__panic 8 days ago
                                                                                                                                                                                                                              The poster/hacker actually addresses this -- he doesn't reveal himself until after graduation, keeps his fellow hackers secret still, and mentions that he was most likely the prime suspect in the district anyway. Seems like a fair tradeoff if he wanted to make this blog post, though school districts could be nasty and litigious, I guess.
                                                                                                                                                                                                                              • duped 8 days ago
                                                                                                                                                                                                                                It's still a terrible idea to admit to committing a crime under your real name before the statute of limitations has run out
                                                                                                                                                                                                                                • Is there even a statute of limitations for this kind of thing? Seems way better to just never admit to it at all.
                                                                                                                                                                                                                                  • greyface- 8 days ago
                                                                                                                                                                                                                                    The CFAA has a statute of limitations of 2 years.
                                                                                                                                                                                                                                • throwawayboise 8 days ago
                                                                                                                                                                                                                                  Pretty sure there's nothing stopping the school district from retroactively recinding his graduation, or refusing to send transcripts to universities, or informing those universities of his transgressions, which would probably result in revoked admission.
                                                                                                                                                                                                                                • 63 8 days ago
                                                                                                                                                                                                                                  He addresses this pretty well in the post imo. His co-conspiritors remained unnamed while he alone revealed himself because he wanted to publish this post and it's highly likely he would've been blamed anyway.
                                                                                                                                                                                                                              • edoceo 8 days ago
                                                                                                                                                                                                                                Too right! Get this kid a job, not punishment.
                                                                                                                                                                                                                                • _wldu 8 days ago
                                                                                                                                                                                                                                  Being a minor probably helps. There are so many laws today. It's too risky to do this. It's not like it was 25 years ago.
                                                                                                                                                                                                                                  • judge2020 8 days ago
                                                                                                                                                                                                                                    It can get pretty messy. For example, they could wait until they're 21 to try them as an adult, even if it was committed at 17 or younger [0 p. 128]:

                                                                                                                                                                                                                                    > a person who committed the offense before his eighteenth birthday, but is over twenty-one on the date formal charges are filed, may be prosecuted as an adult.... This is true even where the government could have charged the juvenile prior to his twenty-first birthday, but did not.

                                                                                                                                                                                                                                    However, the statute of limitations for CFAA violations is 2 years [1 p. 2] so this might not apply. If somehow they can still go after him at 21, this post could play a part in evidence for performing the hack (I truly hope not).

                                                                                                                                                                                                                                    0: https://www.justice.gov/sites/default/files/criminal-ccips/l...

                                                                                                                                                                                                                                    1: https://www.goodwinlaw.com/-/media/files/publications/10_01-...

                                                                                                                                                                                                                                    • giantg2 8 days ago
                                                                                                                                                                                                                                      The newest policy is to charge minors as adults unless there's a compelling and beneficial reason not to. I think that was a DOJ change around 2009. Not sure how many states followed suit. But in general, its increasingly likely that minors are being charged as adults.
                                                                                                                                                                                                                                    • flatiron 8 days ago
                                                                                                                                                                                                                                      I was suspended for a week for creating a network share in my typing class and dividing the work among my friends and we copied and pasted into a single document on the share. This was on Windows NT though so a LONG time ago. It's also I guess "cheating". But they got us on "computer hacking"
                                                                                                                                                                                                                                      • arenaninja 8 days ago
                                                                                                                                                                                                                                        Also in my typing class circa 2004 the teacher was about to kick me out because he thought I was on a chat room during his class. I was actually viewing page source on an HTML document
                                                                                                                                                                                                                                      • johnebgd 8 days ago
                                                                                                                                                                                                                                        I used CACLS with an Office hack in NT / 9X to copy homework. Never got caught for that.

                                                                                                                                                                                                                                        They got me on propagating computer games through the network using shared drives the teachers were supposed to use for homework.

                                                                                                                                                                                                                                        We had BNC network cables in those days and the entire building shared a single T1 line for several hundred computers.

                                                                                                                                                                                                                                        The world has changed.

                                                                                                                                                                                                                                        • squareof 8 days ago
                                                                                                                                                                                                                                          Same thing here. Teacher came into class with his multiple month investigation comparing all students work highlighting common errors. Found three different groups that were sharing work load. In school suspension for all of us, only like three kids left in class for the week.
                                                                                                                                                                                                                                        • mrexroad 8 days ago
                                                                                                                                                                                                                                          25 years ago wasn’t any better… I recall several in my circle getting suspended for harmless things. The lesson: don’t explore, don’t be curious, and don’t try to fix anything related to the school and computers. Sigh.
                                                                                                                                                                                                                                          • PradeetPatel 8 days ago
                                                                                                                                                                                                                                            Consent is paramount when doing that type of exploration. Without explicit permission, how would an IT administrator distinguish the difference between a curious student and a malicious attacker?
                                                                                                                                                                                                                                            • burnished 8 days ago
                                                                                                                                                                                                                                              You're not wrong, but I think it might be helpful to think of this in different terms. Teenagers, with burgeoning agency, are being denied the ability to meaningfully impact their environment yet are bound to it for most of their lives.

                                                                                                                                                                                                                                              I agree with you that explicit permission is important, but it is also something that young people are frequently and explicitly denied. I don't think the solution is condoning that sort of 'extracurricular', but I think we should recognize the problem is probably starting with the adults in the situation.

                                                                                                                                                                                                                                              • BackBlast 8 days ago
                                                                                                                                                                                                                                                You would think so, only this is a bit opaque when dealing with a local school and a district bureaucracy with various computer labs, internet and phone systems. As a student, you may think that the right person to ask is the local teacher who has control of the asset. Especially if that teacher has been assigned IT duties.

                                                                                                                                                                                                                                                But to many school administrators consent of teachers is meaningless. Those assets aren't owned by the teachers but by the district, even if they are the apparent authority figures and stewards in the eyes of the students.

                                                                                                                                                                                                                                                • jhgb 8 days ago
                                                                                                                                                                                                                                                  Well, I imagine that would require using a brain, which may an onerous requirement.
                                                                                                                                                                                                                                                • People on HN always act like what they were doing was almost noble. You weren't. If you had been picking locks or even rummaging around unlocked desk drawers you'd get the same treatment and deserve it.
                                                                                                                                                                                                                                                • bluedino 8 days ago
                                                                                                                                                                                                                                                  Yea , kids would get expelled in the old days for putting a screensaver password
                                                                                                                                                                                                                                                • Accujack 8 days ago
                                                                                                                                                                                                                                                  I'm sure it helps a lot that they're in a high tax base area, and the quality of the educators hired probably reflects that.

                                                                                                                                                                                                                                                  https://statisticalatlas.com/school-district/Illinois/Townsh...

                                                                                                                                                                                                                                                  • Waterluvian 8 days ago
                                                                                                                                                                                                                                                    Yep. What they did was wrong. And by doing so they threw themselves at the mercy of the entity they hacked. The refreshing part is that the entity did the morally right thing and showed mercy.
                                                                                                                                                                                                                                                    • Angostura 7 days ago
                                                                                                                                                                                                                                                      > What they did was wrong.

                                                                                                                                                                                                                                                      It was certainly against the rules. I'm not so sure it was wrong.

                                                                                                                                                                                                                                                      • Waterluvian 7 days ago
                                                                                                                                                                                                                                                        If I broke into your home tonight to play a prank on you and then handed you a white paper about how to better secure it, how would you feel?
                                                                                                                                                                                                                                                        • Breaking and entering vs. playing a harmless video at the end of the day in school.

                                                                                                                                                                                                                                                          False equivalence.

                                                                                                                                                                                                                                                          • Waterluvian 7 days ago
                                                                                                                                                                                                                                                            Unlawful access to a computer network is often a far more serious crime with stiffer penalties.

                                                                                                                                                                                                                                                            So perhaps you’re right that it is a false equivalence.

                                                                                                                                                                                                                                                            • teddyh 7 days ago
                                                                                                                                                                                                                                                              Now you’re reverting to the “it’s against the rules” stance again.
                                                                                                                                                                                                                                                          • except in the case of my home all my doors were unlocked. I would definitely appreciate a paper about how to secure my home, especially if the intruder took great care not to cause any damage or disturbance.
                                                                                                                                                                                                                                                      • bluedino 8 days ago
                                                                                                                                                                                                                                                        I'm glad to see a kid using bash and not something like gulp PowerShell
                                                                                                                                                                                                                                                        • codezero 8 days ago
                                                                                                                                                                                                                                                          Not to diminish your comment, but a thing I've found late my career is to abandon dogma when it comes to young folks learning. If they can learn with PowerShell, they're a lot better off than a lot of young folks! There is no one-true-way and as soon as you find it, another generation will show up with another-true-way :)
                                                                                                                                                                                                                                                          • Miner49er 8 days ago
                                                                                                                                                                                                                                                            Powershell is actually good though.
                                                                                                                                                                                                                                                            • IshKebab 8 days ago
                                                                                                                                                                                                                                                              You're glad to see them using the ancient clusterfuck that is Bash, and not a modern relatively sane shell that is indisputably the most seminal shell in the last 30 years?
                                                                                                                                                                                                                                                              • orwin 8 days ago
                                                                                                                                                                                                                                                                Nah, I actually used powershell before bash because I did a lot of android hacking stuff before learning to code. I worked with Powershell 3, powershell 4 and powershell 5. Powershell 3 was the most painful thing to work with. No state across sessions, the defaults were shit so I had to reconfigure more often than not. Slow, painful, buggy... Around the same time I learned how to bash pretty well in two days, use rsync, use ssh, use sed and awk... Powershell 3 was shit compared to this.

                                                                                                                                                                                                                                                                Then I used powershell4, I guess it was better but honestly I don't think I've used it very much. Powershell5 might be better than bash for 90% of the dev population though.

                                                                                                                                                                                                                                                                • jhgb 8 days ago
                                                                                                                                                                                                                                                                  Well at least it's a racing horse and not a turtle.
                                                                                                                                                                                                                                                                  • flerchin 8 days ago
                                                                                                                                                                                                                                                                    Seminal.
                                                                                                                                                                                                                                                                  • blacktriangle 8 days ago
                                                                                                                                                                                                                                                                    Credit where credit is due, we all WISH *nix had something like PowerShell. Passing strings from program to program is a pain, passing around .NET objects instead is a great step forward, as can be seen by the several attempts at similar shells passing around JSON objects.
                                                                                                                                                                                                                                                                    • jdmichal 8 days ago
                                                                                                                                                                                                                                                                      PowerShell has been available on Linux via .NET Core since 2016 and version 6.0. Even my Windows box with PowerShell 5.1 likes to remind me of this fact every time I start it:

                                                                                                                                                                                                                                                                          Windows PowerShell
                                                                                                                                                                                                                                                                          Copyright (C) Microsoft Corporation. All rights reserved.
                                                                                                                                                                                                                                                                          
                                                                                                                                                                                                                                                                          Try the new cross-platform PowerShell https://aka.ms/pscore6
                                                                                                                                                                                                                                                                      • judge2020 8 days ago
                                                                                                                                                                                                                                                                        On that note, i'm saddened Windows 11 doesn't ship with Powershell 7. Are there that many breaking changes in the switch from 5 -> 6 or 5 -> 7?
                                                                                                                                                                                                                                                                        • jerrysievert 7 days ago
                                                                                                                                                                                                                                                                          yep, always good to get ads on your shell when you start it.

                                                                                                                                                                                                                                                                          it's like those awesome ubuntu login motd's, I look forward to them every time I log in, just in case the ad changes.

                                                                                                                                                                                                                                                                          er ...

                                                                                                                                                                                                                                                                        • oneplane 8 days ago
                                                                                                                                                                                                                                                                          There have been REPLs like PowerShell for ages, it's nothing really new. The only nuance in this is that it is new in the Windows ecosystem to have something like that supported by Microsoft. Ironically, it hasn't managed to displace the command prompt or batch files, so instead of having to deal with one thing, you now have to deal with two things.

                                                                                                                                                                                                                                                                          As for the passing of strings: it might seem like a pain, but as soon as you start working with non-program I/O it's not like you'll have much of a choice. Keep in mind that it is the lowest form of communication and you can build on top of that. Same with I/O in general: nothing prevents you from using shared memory or a device instead.

                                                                                                                                                                                                                                                                          • jve 7 days ago
                                                                                                                                                                                                                                                                            > Ironically, it hasn't managed to displace the command prompt or batch files

                                                                                                                                                                                                                                                                            It don't think they expect that people would rewrite their old scripts. That is actually silly to consider. Even with console vs terminal, they are concerned of backward compatibility and leaving it as is:

                                                                                                                                                                                                                                                                            > Windows Console will continue to ship within Windows for decades to come in order to ensure backward compatibility with the many millions of existing/legacy command-line scripts, apps, and tools

                                                                                                                                                                                                                                                                            https://devblogs.microsoft.com/commandline/windows-terminal-...

                                                                                                                                                                                                                                                                            • oneplane 7 days ago
                                                                                                                                                                                                                                                                              They could just have an alternative interpreter mode to support batch files, or even have a cmdlet that does just that. If people like to point and click, associate that with a cmdlet (they can do that, right?) and there you go.
                                                                                                                                                                                                                                                                          • throwawayboise 8 days ago
                                                                                                                                                                                                                                                                            > Passing strings from program to program is a pain

                                                                                                                                                                                                                                                                            The internet has been pretty successful and many popular protocols (http, smtp, etc) are exactly "passing strings from program to program"

                                                                                                                                                                                                                                                                            • majormajor 7 days ago
                                                                                                                                                                                                                                                                              And behind the scenes of internet-based services there's a whole ecosystem of "how can we do shit more robustly than just passing strings around" (or even for "better than XML or JSON").
                                                                                                                                                                                                                                                                              • Which is why all browsers render the same thing exactly the same way and there's no need at all to test more than one. Yep.
                                                                                                                                                                                                                                                                                • oneplane 8 days ago
                                                                                                                                                                                                                                                                                  The presentation layer has nothing to do with he protocol layer...

                                                                                                                                                                                                                                                                                  If you pump some serialised binary into a browser it will still render wrong.

                                                                                                                                                                                                                                                                              • bluedino 7 days ago
                                                                                                                                                                                                                                                                                Parsing strings in Powershell is super complicated compared to regular Unix tools
                                                                                                                                                                                                                                                                                • simorley 8 days ago
                                                                                                                                                                                                                                                                                  > Credit where credit is due, we all WISH *nix had something like PowerShell.

                                                                                                                                                                                                                                                                                  Who is "we". I've worked exclusively on a windows stack so used powershell on the job. But at home, I use bash. I don't want something like powershell in *nix and don't use powershell on *nix even though it's been available on *nix for many years now.

                                                                                                                                                                                                                                                                                  > Passing strings from program to program is a pain

                                                                                                                                                                                                                                                                                  You can argue it's the basis of computer science and also pretty efficient.

                                                                                                                                                                                                                                                                                  > passing around .NET objects instead is a great step forward, as can be seen by the several attempts at similar shells passing around JSON objects.

                                                                                                                                                                                                                                                                                  Passing around objects can be slow, inefficient, wasteful, etc though it can be convenient.

                                                                                                                                                                                                                                                                                  If you are on a windows stack then go with powershell. If not, then go with bash. Nobody should be on a windows stack but sadly, much of the business world has been captured by microsoft.

                                                                                                                                                                                                                                                                              • sneak 7 days ago
                                                                                                                                                                                                                                                                                "sue" suggests civil action and a decision by the wronged party.

                                                                                                                                                                                                                                                                                They're lucky a prosecutor didn't prosecute them for criminal activity. The school would not have any say about whether or not this happens.

                                                                                                                                                                                                                                                                                • throwaway0a5e 7 days ago
                                                                                                                                                                                                                                                                                  >The school would not have any say about whether or not this happens.

                                                                                                                                                                                                                                                                                  Schools are members of the local government "club". Prosecutors don't generally burn political capital giving the bird to other members of the club like that without a good reason.

                                                                                                                                                                                                                                                                              • ElFitz 7 days ago
                                                                                                                                                                                                                                                                                Fellow high school students just loved me when, after giving up on ophcrack, I found out that on Windows XP, a limited account could simply escalate privileges by scheduling a command.

                                                                                                                                                                                                                                                                                First installed some open source FPS on all computers. They got found and removed, and we all got moved to guest accounts.

                                                                                                                                                                                                                                                                                I then found something called DreampackPL. Just pop in the CD, boot on it, replace the pinball game with their executable, reboot. And voilà, access to everything. Just remember to put the pinball back afterwards.

                                                                                                                                                                                                                                                                                That’s when the BIOS got password protected.

                                                                                                                                                                                                                                                                                My next step? Opening the machines up to move a jumper. Do everything all over again, but this time on a hidden windows account.

                                                                                                                                                                                                                                                                                The IT admin was a student’s parent. Just spent years making the poor guy run in circles before the school administration finally gave up.

                                                                                                                                                                                                                                                                                • kervantas 8 days ago
                                                                                                                                                                                                                                                                                  The s in IoT stands for security.
                                                                                                                                                                                                                                                                                  • theshrike79 7 days ago
                                                                                                                                                                                                                                                                                    We figured out that our computer class had a few computers infected by the Ambulance virus[0]. So of course we intentionally infected all the computers with it =)

                                                                                                                                                                                                                                                                                    On the other hand me and a few of my friends were the only computer literate people in the school and were tasked with removing it in the end.

                                                                                                                                                                                                                                                                                    But still, it was fun seeing a whole class of computers have an ambulance run at the bottom of the screen with the poor beeper emulating the siren.

                                                                                                                                                                                                                                                                                    [0] https://en.wikipedia.org/wiki/Ambulance_(computer_virus)

                                                                                                                                                                                                                                                                                    • dfox 5 days ago
                                                                                                                                                                                                                                                                                      Earlier versions of Intel Management Engine used ARC core. It is somewhat funny to see Intel licensing third-party CPU IP core to use in their CPUs of all the things…
                                                                                                                                                                                                                                                                                    • rsp1984 8 days ago
                                                                                                                                                                                                                                                                                      In case anyone else is wondering how the heck the kid got access to the district's network, the key sentence is hidden in the middle of the post:

                                                                                                                                                                                                                                                                                      Since freshman year, I had complete access to the IPTV system. I only messed around with it a few times and had plans for a senior prank, but it moved to the back of my mind and eventually went forgotten.

                                                                                                                                                                                                                                                                                      Not sure why they don't go into more detail about how exactly "complete access" was obtained, since that is obviously the hardest part of hacking any system. Not trying to downplay the achievement here, just think that this would have deserved a bit more detail.

                                                                                                                                                                                                                                                                                      • ajcp 7 days ago
                                                                                                                                                                                                                                                                                        He explains it quite clearly that him and his friends were port scanning the schools network for funsies.

                                                                                                                                                                                                                                                                                        "From the results, we found various devices exposed on the district network. These included printers, IP phones... and even security cameras without any password authentication!"

                                                                                                                                                                                                                                                                                        • kevinsundar 8 days ago
                                                                                                                                                                                                                                                                                          It seems like he just was on the school network and the IPTV devices were also on the same network with no authentication.
                                                                                                                                                                                                                                                                                        • nudgeee 8 days ago
                                                                                                                                                                                                                                                                                          I got in trouble and subsequently suspended from school back in the ‘90s for causing BSOD’s on classmates computers using WinNuke [0]. They classed it as vandalism even though the payload causes no permanent damage (apart from losing unsaved work).

                                                                                                                                                                                                                                                                                          I found more severe vulnerabilities including being able to lift home addresses of students by querying an unprotected endpoint. Didn’t get in trouble for this one, and reported it promptly to the IT administrator.

                                                                                                                                                                                                                                                                                          [0] https://en.m.wikipedia.org/wiki/WinNuke

                                                                                                                                                                                                                                                                                          • giantg2 8 days ago
                                                                                                                                                                                                                                                                                            My first thought when I read the headline was "another kid with a felony following them around for a prank that didn't harm anyone". Nice to see they weren't prosecuted.
                                                                                                                                                                                                                                                                                            • ianhawes 8 days ago
                                                                                                                                                                                                                                                                                              Given the amount of press this is receiving and the fact that the message the administration sent to them seemed a bit suspect, I wouldn't be surprised if the kids did end up catching several charges.
                                                                                                                                                                                                                                                                                              • 0x000000001 7 days ago
                                                                                                                                                                                                                                                                                                No kidding, I was threatened with legal action for significantly less shenanigans back in my day.
                                                                                                                                                                                                                                                                                              • don-code 8 days ago
                                                                                                                                                                                                                                                                                                I'm impressed with how much foresight this high schooler had in preparing for the prank. My impression is that most high school age kids would out themselves within the first few weeks of planning due to wanting to boast, here they instead took to testing covertly, overnight.
                                                                                                                                                                                                                                                                                                • mmaunder 8 days ago
                                                                                                                                                                                                                                                                                                  Someone I know did something similar, was arrested in their college dorm, and at the sentencing hearing in federal court was fined and sentenced to 5 years probation, and now has a criminal record.

                                                                                                                                                                                                                                                                                                  This kid is very very lucky. Obviously they violated the CFAA which carries severe criminal penalties. They engaged in actual hacking without any permission or defined scope. And they exploited the system without any responsible disclosure process.

                                                                                                                                                                                                                                                                                                  Anyone in the field will tell you that this is an absolute disaster of a post because it sends the signal to other young aspiring cybersecurity professionals that this is OK, and the school will laugh it off, and you'll be seen as an adorable Matthew Broderick type Wargames character. I can't overemphasize how far this is from the truth in 2021.

                                                                                                                                                                                                                                                                                                  Absolutely do not access systems you are not allowed to. If you do want to do penetration testing, you need permission from the systems owner and a clearly defined scope. And when you do find issues, you don't exploit them, you responsibly disclose them within a clearly defined framework.

                                                                                                                                                                                                                                                                                                  If you want to end up with a criminal record that will profoundly effect the rest of your life, including your career prospects and ability to travel internationally, then by all means, do what this guy did.

                                                                                                                                                                                                                                                                                                  I wish it wasn't so. It never used to be. But this is how it is now. Overzealous prosecutors have been given a huge amount of power, and all you need is one embarrassed systems administrator, school board or management team to trigger a disastrous outcome in stories like this.

                                                                                                                                                                                                                                                                                                  • hparadiz 8 days ago
                                                                                                                                                                                                                                                                                                    Posts like yours validate the insane overcriminalization of what essentially amounts to a prank. I had literally the exact same experience in high school. Got expelled and had to get a GED. They could have easily pressed charges.

                                                                                                                                                                                                                                                                                                    Part of the issue is people like you who advocate for respecting "the system" and essentially scaring kids into not doing anything. Except that simply reinforces the draconian laws that are currently in place. If more kids rebelled and this was a regular occurrence it would help to desensitize society to digital pranks instead of always treating these kids like terrorists.

                                                                                                                                                                                                                                                                                                    • GP isn't validating overcriminalization. GP is trying to steer people clear of catching charges. The end result for both is, "Don't hack your school district for a prank," but the contexts of the two are very different. Students' minds are still developing. You can tell them not to respect Draconian laws surrounding hacking, but do the students understand what's at stake?

                                                                                                                                                                                                                                                                                                      Yes, students get in trouble all the time, but most of the consequences for their stupidity are slaps on the hand. Lunch in a classroom, a parent-teacher conference, after-school detention, in-school suspension, getting grounded - none of these things carry civil or criminal charges that are a matter of record. What should be a harmless prank can turn into life-altering civil and criminal charges. With high school kids, things quickly go from, "I hacked the school network to do a Rick Roll; they laughed and sent me on my way," all the way to, "I gave my friend the exploit to do something similar; I didn't know he was going to change everyone's grades to 69%."

                                                                                                                                                                                                                                                                                                      Further, I would not want to teach in a district where students doing digital pranks is the norm. I volunteer at a high school. Unchecked digital pranks would quickly turn into a constant stream of disruptions. Everyone would think that their prank is better than the last.

                                                                                                                                                                                                                                                                                                      • drusepth 8 days ago
                                                                                                                                                                                                                                                                                                        Unfortunately, "desensitizing" people to existing law by illegal rebellions is a Pyrrhic victory at best when the consequences are so impactful to the individuals that martyr for The Cause.

                                                                                                                                                                                                                                                                                                        There are processes for changing the laws without sending kids to jail, having to treat kids like terrorists, or potentially making the law even harsher because it isn't effective enough to dissuade lawbreaking. If the laws feel draconian, perhaps following those processes might be a better approach to change the system without as many sacrifices.

                                                                                                                                                                                                                                                                                                        • >There are processes for changing the laws without sending kids to jail, having to treat kids like terrorists, or potentially making the law even harsher because it isn't effective enough to dissuade lawbreaking.

                                                                                                                                                                                                                                                                                                          And none of them work, or will ever work in this oligarchy. The rich own the congress, and the senate, and they benefit greatly from these things. America hasn't been a functioning republic in at least 50 years.

                                                                                                                                                                                                                                                                                                        • paxys 8 days ago
                                                                                                                                                                                                                                                                                                          I don't understand this response. Having been on the wrong end of it you should be advocating harder than anyone to teach kids the complexities of cybersecurity law and ensure they can make the right decisions rather than throw away their future over a stupid prank. There is no "validation" happening here, the OP is just stating reality. Random high schoolers' rebellions aren't going to result in Congress overturning the Computer Fraud and Abuse Act and a hundred related laws.
                                                                                                                                                                                                                                                                                                          • rkk3 8 days ago
                                                                                                                                                                                                                                                                                                            > ensure they can make the right decisions rather than throw away their future over a stupid prank.

                                                                                                                                                                                                                                                                                                            Is it a good system if a "stupid prank" can "throw away your future" ?

                                                                                                                                                                                                                                                                                                            • paxys 8 days ago
                                                                                                                                                                                                                                                                                                              No it is not a good system. But nothing I said is invalid because of that.
                                                                                                                                                                                                                                                                                                              • skeaker 8 days ago
                                                                                                                                                                                                                                                                                                                No, but that doesn't mean you should deliberately play into it.
                                                                                                                                                                                                                                                                                                            • 999900000999 8 days ago
                                                                                                                                                                                                                                                                                                              This is a very complicated problem.

                                                                                                                                                                                                                                                                                                              Unless you kill someone I generally don’t believe in life long criminal records. They only serve to drive people into further criminality.

                                                                                                                                                                                                                                                                                                              I imagine for a robbery you could get 5 years in prison, 5 years with it on your record and then automatically get it expunged.

                                                                                                                                                                                                                                                                                                              Back to the topic at hand , what if the IT hack stopped people from getting paid on time. How many suffered emotional distress ? Evictions can literally cause suicide.

                                                                                                                                                                                                                                                                                                              Maybe someone can’t afford medication, skip it and have a stroke.

                                                                                                                                                                                                                                                                                                              The entire criminal justice system is broken. So you did something stupid at 20, at 46 you still can’t find a job due to your record.

                                                                                                                                                                                                                                                                                                              People want simple easy solutions. Things are much more complicated. If you release a dozen felons 5 years early and 2 go on to commit horrific crimes it’s easy to ignore the good the other 10 did

                                                                                                                                                                                                                                                                                                              • lr4444lr 8 days ago
                                                                                                                                                                                                                                                                                                                I dunno. Assault that permanently injures someone, rape, kidnapping, and trafficking are lifelong scarring for the victims. I may not rank computer hacking or selling drugs as deserving of a permanent record, but there are lots of other violent crimes short of homicide that do.
                                                                                                                                                                                                                                                                                                                • WarOnPrivacy 8 days ago
                                                                                                                                                                                                                                                                                                                  > The entire criminal justice system is broken. So you did something stupid at 20, at 46 you still can’t find a job due to your record.

                                                                                                                                                                                                                                                                                                                  Welcome to the War On Redemption. Primary participants are the harmful people who create these systems and the people who remain silent while countless lives are ruined for no good result.

                                                                                                                                                                                                                                                                                                                  • Gunax 8 days ago
                                                                                                                                                                                                                                                                                                                    I don't think it's the record's duty to keep you from being employed. That's the employer's decision.

                                                                                                                                                                                                                                                                                                                    Even if I agree that it's a dumb practice, you're proposing a world where employers are free to refuse your hire if you (eg.) were fired from a job 26 years ago, but not because you were convicted of a crime.

                                                                                                                                                                                                                                                                                                                    • emteycz 7 days ago
                                                                                                                                                                                                                                                                                                                      You don't have to tell them you were fired
                                                                                                                                                                                                                                                                                                                  • drhayes9 8 days ago
                                                                                                                                                                                                                                                                                                                    I don't think telling kids not to narc on themselves "validates the insane over-criminalization". I think telling legislators or parents would, though.

                                                                                                                                                                                                                                                                                                                    The comment didn't say "respect the system", it said to deal in the realpolitik and don't try to effect legislative change by ruining your life as a high school student.

                                                                                                                                                                                                                                                                                                                    • tertius 8 days ago
                                                                                                                                                                                                                                                                                                                      Probably better to try and reform the law instead of suggest children break the law and ruin their lives.
                                                                                                                                                                                                                                                                                                                      • WarOnPrivacy 8 days ago
                                                                                                                                                                                                                                                                                                                        Clarifying that the ruination of lives here is the direct result of profoundly bad laws that inappropriately criminalize benign behaviors.
                                                                                                                                                                                                                                                                                                                        • tertius 7 days ago
                                                                                                                                                                                                                                                                                                                          Hence the need for reform.
                                                                                                                                                                                                                                                                                                                      • chrisseaton 8 days ago
                                                                                                                                                                                                                                                                                                                        > a prank

                                                                                                                                                                                                                                                                                                                        Why do we tolerate pranks? You shouldn't be able to interfere with someone else and say 'just a prank bro'. Leave other people's things alone. Don't create work for other people. Don't bother people just trying to do their jobs. Don't impose your sense of humour on others. These all seem like basics to me?

                                                                                                                                                                                                                                                                                                                        If you think someone's funny? Great. Just don't bother other people with it. Do it with your own stuff, not other people's.

                                                                                                                                                                                                                                                                                                                        • guynamedloren 8 days ago
                                                                                                                                                                                                                                                                                                                          > Why do we tolerate pranks?

                                                                                                                                                                                                                                                                                                                          Pranks can be an outlet for creativity and learning that might not otherwise happen.

                                                                                                                                                                                                                                                                                                                          The post concludes with:

                                                                                                                                                                                                                                                                                                                          > This has been one of the most remarkable experiences I ever had in high school and I thank everyone who helped support me. That's all and thanks for reading!

                                                                                                                                                                                                                                                                                                                          I'm certain this kid learned so much working through the execution of this prank, and without being criminalized by the district, he's better off for it. Likewise, the IT department is better off with a more secure system, and staff and students experienced shared moments of unexpected joy.

                                                                                                                                                                                                                                                                                                                          Call me naive, but I'd say this kid made his small slice of the world a bit better, if only for a fleeting moment.

                                                                                                                                                                                                                                                                                                                          • chrisseaton 8 days ago
                                                                                                                                                                                                                                                                                                                            > Pranks can be an outlet for creativity and learning that might not otherwise happen.

                                                                                                                                                                                                                                                                                                                            Great.

                                                                                                                                                                                                                                                                                                                            But do it with your own things then. Don't bother anyone else or touch anyone else's things.

                                                                                                                                                                                                                                                                                                                            And no worker should ever have to do any work (such as reset a computer system) because of your prank. Workers have enough work to do and enough hassles in their lives.

                                                                                                                                                                                                                                                                                                                            • guynamedloren 8 days ago
                                                                                                                                                                                                                                                                                                                              > But do it with your own things then. Don't bother anyone else or touch anyone else's things.

                                                                                                                                                                                                                                                                                                                              You're really oversimplifying here. Something tells me this highschooler doesn't personally own the breadth of commercial equipment that he hacked for this prank.

                                                                                                                                                                                                                                                                                                                              > And no worker should ever have to do any work (such as reset a computer system) because of your prank. Workers have enough work to do and enough hassles in their lives.

                                                                                                                                                                                                                                                                                                                              Okay, let's all be worker robots :)

                                                                                                                                                                                                                                                                                                                              • chrisseaton 8 days ago
                                                                                                                                                                                                                                                                                                                                > Something tells me this highschooler doesn't personally own the breadth of commercial equipment that he hacked for this prank.

                                                                                                                                                                                                                                                                                                                                So they shouldn't have done it.

                                                                                                                                                                                                                                                                                                                                > Okay, let's all be worker robots :)

                                                                                                                                                                                                                                                                                                                                It's not about what you want to do. It's about what some low-paid worker who has to clean up after you thinks. Or some other student inconvenienced by your prank thinks.

                                                                                                                                                                                                                                                                                                                                If you're impacting on someone else's life then you're in the wrong!

                                                                                                                                                                                                                                                                                                                                • sodality2 7 days ago
                                                                                                                                                                                                                                                                                                                                  Who had to clean up here? Author cleaned up their own problem and literally delivered a detailed security report on how to fix the issue (not the damage done by the prank, which was zero).
                                                                                                                                                                                                                                                                                                                                  • chrisseaton 7 days ago
                                                                                                                                                                                                                                                                                                                                    Seems like it disrupts a class to me? What about the students who don't want to have their class disrupted? What about the teacher who has to catch up later?

                                                                                                                                                                                                                                                                                                                                    What if these people don't want your sense of humour imposed on them?

                                                                                                                                                                                                                                                                                                                                    I think it's ethically wrong.

                                                                                                                                                                                                                                                                                                                                    • sodality2 7 days ago
                                                                                                                                                                                                                                                                                                                                      >One of our top priorities was to avoid disrupting classes, meaning we could only pull off the prank before school started, during passing periods, or after school.
                                                                                                                                                                                                                                                                                                                                      • chrisseaton 7 days ago
                                                                                                                                                                                                                                                                                                                                        Their own video literally shows a class of people watching it happen.
                                                                                                                                                                                                                                                                                                                                        • kaibee 7 days ago
                                                                                                                                                                                                                                                                                                                                          I'm not sure what you think happens 5 minutes before the end of class on a Friday, but it isn't diligent learning.
                                                                                                                                                                                                                                                                                                                          • jancsika 7 days ago
                                                                                                                                                                                                                                                                                                                            > Why do we tolerate pranks?

                                                                                                                                                                                                                                                                                                                            As the author points out early on in this article, most school districts would not have tolerated a prank like this. In fact this is the only example I know about a prank this big that got the response of toleration the author documented in the article.

                                                                                                                                                                                                                                                                                                                            > You shouldn't be able to interfere with someone else and say 'just a prank bro'.

                                                                                                                                                                                                                                                                                                                            The students made a report of what they did and presented it to the administration.

                                                                                                                                                                                                                                                                                                                            I guess to be generous I could reinterpret your concern to be, "Do students in every school district in the U.S. get to avoid criminal prosecution under the draconian CFAA by constructing a complex hack tailored to avoid interrupting regular school business, then writing up a report and giving a powerpoint presentation to an apparently enlightened and tech-savvy administration to help them strengthen their network defenses?" In that case, point taken.

                                                                                                                                                                                                                                                                                                                            • chrisseaton 7 days ago
                                                                                                                                                                                                                                                                                                                              > The students made a report of what they did and presented it to the administration.

                                                                                                                                                                                                                                                                                                                              So what?

                                                                                                                                                                                                                                                                                                                              Can I push you down in the street and then hand you a report explaining how I was able to push you down and that makes it all ok?

                                                                                                                                                                                                                                                                                                                              • c22 7 days ago
                                                                                                                                                                                                                                                                                                                                Of course that's not okay. But if you're wearing a device marketed to you as a 'force field' because you're afraid of being pushed down the street and someone demonstrates that your force field isn't working by dancing really close to you, that's probably okay.
                                                                                                                                                                                                                                                                                                                            • qiqitori 7 days ago
                                                                                                                                                                                                                                                                                                                              By saying that you're imposing your sense of humor on others too (as in, the prankster's sense of humor is "pranks are funny"; your sense of humor is "pranks are not funny"; according to your comment your stance is that pranks shouldn't be tolerated). You don't have to laugh, and you're free to say you don't like pranks. But tolerating other people's opinions/sense of humor/whathaveyou seems like basics to me.

                                                                                                                                                                                                                                                                                                                              (Maybe we just have different experiences and thus different definitions of the word.)

                                                                                                                                                                                                                                                                                                                              • chrisseaton 7 days ago
                                                                                                                                                                                                                                                                                                                                It’s like smoking. I should tolerate someone smoking in their own home. Should I have to tolerate someone smoking on public transport next to me? Absolutely not. Even if it’s their opinion that smoke is nice.
                                                                                                                                                                                                                                                                                                                              • lr4444lr 8 days ago
                                                                                                                                                                                                                                                                                                                                Many criminal cases require establishing intent. Pranks may be harmful as you allude to, but the intent still matters.
                                                                                                                                                                                                                                                                                                                                • chrisseaton 8 days ago
                                                                                                                                                                                                                                                                                                                                  How does that work? Can you murder someone for a prank and say your intent was just a prank so it was fine?
                                                                                                                                                                                                                                                                                                                                  • lr4444lr 7 days ago
                                                                                                                                                                                                                                                                                                                                    Intent separates murder from manslaughter in most states in thr USA, so yeah, a death from a prank is tangible different.
                                                                                                                                                                                                                                                                                                                                    • chrisseaton 7 days ago
                                                                                                                                                                                                                                                                                                                                      But they did intend to disrupt the systems in this case. The impact was their exact intent.
                                                                                                                                                                                                                                                                                                                                      • kube-system 7 days ago
                                                                                                                                                                                                                                                                                                                                        When people say "establishing intent" in terms of criminal cases, this is usually a shorthand for something more specifically defined in the law, like "intent to do harm" or something.

                                                                                                                                                                                                                                                                                                                                        To use the murder example again: many people who commit manslaughter have all kinds of various intentions. The one murder is concerned with is whether or not they specifically had the intent to kill the person. "Establishing intent" in this scenario is specifically regarding that one intent. Not any intent.

                                                                                                                                                                                                                                                                                                                              • javajosh 8 days ago
                                                                                                                                                                                                                                                                                                                                validate the insane over criminalization

                                                                                                                                                                                                                                                                                                                                I think you misread the GP. He's not defending the system, just describing it, and how the OP was lucky that the people in charge were unusual and open-minded. He's warning others that the risk/reward implied by the OP's experience is misleading.

                                                                                                                                                                                                                                                                                                                                I suspect that most commenters on this site applaud the kids adventurousness and style. A great hack! But we are uniquely aware of how rare it is that anyone with authority, school administrators or law enforcement, would show any leniency or self-restraint in these cases. On balance, the instinct seems to go for the jugular, dehumanize the kid as a criminal hacker, and ruin his life. No-one is saying that's good, or reasonable. It's just how it is.

                                                                                                                                                                                                                                                                                                                                • mmaunder 7 days ago
                                                                                                                                                                                                                                                                                                                                  Warns kids against jumping off cliffs. Accused of causing gravity.
                                                                                                                                                                                                                                                                                                                                  • restingrobot 8 days ago
                                                                                                                                                                                                                                                                                                                                    We need to have harsh penalties for this. People who don't understand the complex systems they were able to access, might introduce vulnerabilities that more malicious entities can exploit. An example of this would be a student at a university accessing internal network from a physical terminal in a building, (intranet), and accidentally disabling a firewall, (say to play a video from a remote location). In doing so, its no longer just a prank as they may have exposed the entire internal network to outside internet.

                                                                                                                                                                                                                                                                                                                                    This is a super basic example, but it serves to illustrate my point. It's not just a prank bro, even when it is.

                                                                                                                                                                                                                                                                                                                                    • quasarj 8 days ago
                                                                                                                                                                                                                                                                                                                                      What? How is warning someone that they are going to ruin their lives the same as endorsing it?
                                                                                                                                                                                                                                                                                                                                    • bellyfullofbac 8 days ago
                                                                                                                                                                                                                                                                                                                                      Ah, 2021, such sad times, where we squash our creativities in fear of the police, where you'd think twice before doing something like one of the MIT hacks http://hacks.mit.edu ...

                                                                                                                                                                                                                                                                                                                                      I do wonder if they could've secured themselves with VPN and "untraceable" anonymous emails (e.g. asking for a guarantee that they won't be sued/charged), although the teenage bragging rights would've been too tempting.

                                                                                                                                                                                                                                                                                                                                      I wonder if it was possible for the hacker to ask a lawyer to represent them anonymously and make a contract, something like the district promises not to file criminal charges, and if they violate this deal they will have to pay a lot of money...

                                                                                                                                                                                                                                                                                                                                      • whimsicalism 8 days ago
                                                                                                                                                                                                                                                                                                                                        > I do wonder if they could've secured themselves with VPN and "untraceable" anonymous emails (e.g. asking for a guarantee that they won't be sued/charged), although the teenage bragging rights would've been too tempting.

                                                                                                                                                                                                                                                                                                                                        If you read TFA, that is effectively what happened. Even with the guarantee, only one of them revealed themselves.

                                                                                                                                                                                                                                                                                                                                        • paxys 8 days ago
                                                                                                                                                                                                                                                                                                                                          No point in pulling off a complicated prank without enjoying the notoriety gained from it.
                                                                                                                                                                                                                                                                                                                                        • nucleardog 8 days ago
                                                                                                                                                                                                                                                                                                                                          > I wonder if it was possible for the hacker to ask a lawyer to represent them anonymously and make a contract, something like the district promises not to file criminal charges, and if they violate this deal they will have to pay a lot of money...

                                                                                                                                                                                                                                                                                                                                          Criminal charges are generally filed by the prosecutor. They'll generally follow the wishes of the victim, but are not required to (think, e.g., domestic violence cases). There is absolutely zero the school can do to guarantee that you won't be charged if the prosecutor does catch wind of the incident and decides to make an example of you.

                                                                                                                                                                                                                                                                                                                                          • noodlesUK 8 days ago
                                                                                                                                                                                                                                                                                                                                            This is generally true, but the CFAA is obviously not violated by access which is authorised. In this case, you could simply draw up a pentest agreement and get them to say any such activity would be authorised.
                                                                                                                                                                                                                                                                                                                                            • petesergeant 8 days ago
                                                                                                                                                                                                                                                                                                                                              My understanding is that in America, prosecutors are often political appointees without much institutional oversight, as compared to being a reasonably dull civil service department who have to justify prosecutions as being in the public interest
                                                                                                                                                                                                                                                                                                                                            • teddyh 7 days ago
                                                                                                                                                                                                                                                                                                                                              > the district promises not to file criminal charges, and if they violate this deal they will have to pay a lot of money...

                                                                                                                                                                                                                                                                                                                                              “Your faith in the legal system is appalling.”

                                                                                                                                                                                                                                                                                                                                              https://www.schlockmercenary.com/2009-06-26

                                                                                                                                                                                                                                                                                                                                            • CobrastanJorji 8 days ago
                                                                                                                                                                                                                                                                                                                                              I remember back in high school we had this computer lab that was all locked down. Didn't allow opening the CD-ROM drives, only allowed certain educational websites, etc. I put a little remote access app on my share drive as a way to open my own CD drive, mostly just to see if I could do it. The school's computer guy came and found me and was like "hey, a file pinged as malware, what's up with that" and we had a fun discussion about it and I deleted it and we moved on with our lives. I didn't think about it again. Years later, I looked back with horror at how badly that could have gone for me.
                                                                                                                                                                                                                                                                                                                                              • jfk13 8 days ago
                                                                                                                                                                                                                                                                                                                                                Ah, you young whippersnappers with your labs and networks and CDs... my high school just got one Commodore PET, that was "the school computer" in my day.

                                                                                                                                                                                                                                                                                                                                                Fortunately, I got on well with the math teacher who had charge of it, and he'd let me take it home over the weekends. Those were the days...

                                                                                                                                                                                                                                                                                                                                                • edoceo 8 days ago
                                                                                                                                                                                                                                                                                                                                                  Apple IIe gang over here. Don't bend my floppy!
                                                                                                                                                                                                                                                                                                                                                • aspenmayer 8 days ago
                                                                                                                                                                                                                                                                                                                                                  Your school didn’t have paperclips?
                                                                                                                                                                                                                                                                                                                                                  • klyrs 8 days ago
                                                                                                                                                                                                                                                                                                                                                    Can't get 'em through the metal detector. Gotta grind down a toothbrush on concrete these days...
                                                                                                                                                                                                                                                                                                                                                    • aspenmayer 14 hours ago
                                                                                                                                                                                                                                                                                                                                                      Oh, I meant to imply that you would procure and assemble your tools once on-site. What you don’t pack-in, you may not need to pack-out, etc.
                                                                                                                                                                                                                                                                                                                                                • The CFAA exists to make sure that nobody can use computers and the internet to have any power over even tyrannical authorities.

                                                                                                                                                                                                                                                                                                                                                  CFAA and the DMCA are some of the worst, most authoritarian laws ever created, and they exist to do nothing other ensure a system where being rich enough to afford lawyers means you don't have to do anything else.

                                                                                                                                                                                                                                                                                                                                                  Use default passwords like an idiot and someone uses their autofill? They're the criminal, not you.

                                                                                                                                                                                                                                                                                                                                                  Let people just change the account number in the address bar and switch accounts with zero authorization or authentication? They're the criminal, not you. (Bank of America literally did this.)

                                                                                                                                                                                                                                                                                                                                                  Have open access for students to download papers and one of them uses it to download all of them? They're the criminal, not you. (RIP Aaron Swartz)

                                                                                                                                                                                                                                                                                                                                                  I support jury nullification for the CFAA and DMCA and so should everyone reading this.

                                                                                                                                                                                                                                                                                                                                                  • Mizza 8 days ago
                                                                                                                                                                                                                                                                                                                                                    I know somebody - I think they post here, hi! - who ended up in "weekend jail" with a conviction for sharing a school's WiFi password without permission. I also once got reprimanded for writing a blog post not too dissimilar to this one at a less sympathetic school. I also remember the joy of hiding a server in the ceiling of our school so we could play UT2K3 on the library computers before that exploded similarly. Adults are so boring.
                                                                                                                                                                                                                                                                                                                                                    • mdip 8 days ago
                                                                                                                                                                                                                                                                                                                                                      Every district is different, heck -- every school within a district can be different in extreme discipline like this. Frankly, the size of his district represented a lot of risk; those often have the policies with the least wiggle-room -- like "Weekend Jail for Sharing a WiFi password" (insane).

                                                                                                                                                                                                                                                                                                                                                      At the school my child attends, I am confident he would have ended up with a pat on the back if the circumstances were similar. I can't speak for the district -- I'd be willing to bet that'd be very risky. At the school I had once attended, I'd expect the entire district would behave similarly. I'm sure there were people within the district administration that wanted to throw the book at the kids involved.

                                                                                                                                                                                                                                                                                                                                                      Here's the thing for those people: the last thing a school district wants is to become national news for punishing a bunch of kids who the evening news can make out to look like "Geniuses". Since nothing failed in their plan -- that's crazy important -- there would be very few ways to frame the story that makes the administration look like anything but bullies, and many will frame them as "petty bullies". I have a friend I went to High School with who is now a High School principal. He's still "that guy I went to High School with." I have no doubt he would have given the kids an award privately, if not publicly.

                                                                                                                                                                                                                                                                                                                                                      It's sad that some public school districts are using discipline approaches you'd expect to see in prisons, rather than a school, and I'm sure in certain places in the country, that might be a necessity. Context matters, too -- were these kids who were constantly pulling pranks like this, had been talked to in the past/impacted things in the past, etc, I'd expect a harsh response: "Yes, we get it, you're smart, stop breaking things already, read the horrors of the 1986 CFAA because that's coming if it happens again." I'm guessing these were otherwise good students.

                                                                                                                                                                                                                                                                                                                                                    • Faaak 8 days ago
                                                                                                                                                                                                                                                                                                                                                      I agree, that feels wrong to me...

                                                                                                                                                                                                                                                                                                                                                      When I was younger (~15) I also did some "fun" (aka stupid) stuff with the school computer network and in the end they got me and I received a "formal warning" (it was in France).

                                                                                                                                                                                                                                                                                                                                                      In the end I'm glad for it because that scared me off and I never tried again on stuff that I don't own.

                                                                                                                                                                                                                                                                                                                                                      But putting a kid in jail/having a criminal record seems way to excessive to me. Kids are dumb. And by punishing them that hard they won't become a better person. hell, they won't be able to have a job !

                                                                                                                                                                                                                                                                                                                                                      • WarOnPrivacy 8 days ago
                                                                                                                                                                                                                                                                                                                                                        > But putting a kid in jail/having a criminal record seems way to excessive to me.

                                                                                                                                                                                                                                                                                                                                                        It absolutely is. Society is clearly harmed by laws like the CFAA.

                                                                                                                                                                                                                                                                                                                                                        LEO do like overly broad laws though. There's nothing better to ruin the lives of people that cops don't like.

                                                                                                                                                                                                                                                                                                                                                      • dec0dedab0de 8 days ago
                                                                                                                                                                                                                                                                                                                                                        Anyone in the field will tell you that this is an absolute disaster of a post because it sends the signal to other young aspiring cybersecurity professionals that this is OK, and the school will laugh it off, and you'll be seen as an adorable Matthew Broderick type Wargames character. I can't overemphasize how far this is from the truth in 2021.

                                                                                                                                                                                                                                                                                                                                                        Or maybe it will shame other IT departments into not having a stick up their butt. Especially if there is already a culture of overlooking minor criminal activity in the name of harmless pranks.

                                                                                                                                                                                                                                                                                                                                                        • marvin 8 days ago
                                                                                                                                                                                                                                                                                                                                                          There is something obscenely totalitarian about this whole mindset. You're making a very pragmatic point, but take a step back and look at the whole thing.

                                                                                                                                                                                                                                                                                                                                                          You're warning a teenager against making a brilliant, harmless, funny and responsible prank so that they won't get their whole life fucked up forever. Think a little about what kind of political system necessitates that kind of ridiculous warning. What sort of nation does this kind of thing to its kids? If we strike the United States from the list, what sort of countries are left?

                                                                                                                                                                                                                                                                                                                                                          You guys really need to get your so-called justice system sorted out. Sorry to make such a blunt point, but this is depressing as hell.

                                                                                                                                                                                                                                                                                                                                                          • donatj 8 days ago
                                                                                                                                                                                                                                                                                                                                                            When I was in High School in 2003 I discovered you could pretty easily get around the tool that blocked running installers by launching them by entering the full path to the installer in the address bar of Internet Explorer. This was before Windows and IE were decoupled. I installed VNC server on a couple friends computers and used it for some light hearted pranks, but didn't do anything else with it.

                                                                                                                                                                                                                                                                                                                                                            One of my friends who I did this to went crazy with it and used it to mess with his teachers computers. Ended up in huge trouble, cops knocking on his door, and I believe probation. This was the year after I graduated.

                                                                                                                                                                                                                                                                                                                                                            On the one hand, I kind of feel responsible for showing him, on the other hand, it's his fault he had to go off and be an idiot with something I just thought was fun.

                                                                                                                                                                                                                                                                                                                                                            • jdkee 8 days ago
                                                                                                                                                                                                                                                                                                                                                              This post is 100% spot on. While the local school district may treat it as a prank, in the U.S. the federal authorities may not. To see how seriously the government takes this act, look at the penalties section of the relevant U.S. code.

                                                                                                                                                                                                                                                                                                                                                              https://www.law.cornell.edu/uscode/text/18/1030

                                                                                                                                                                                                                                                                                                                                                              • dakna 8 days ago
                                                                                                                                                                                                                                                                                                                                                                And yet, there is overwhelming demand for what the government calls "cyber security". As a developer it is easy to get good at your craft by practicing and learning, how in the world is a security specialist able to practice without asking for permission or already having a job? A home lab setup? A college degree and formal education? I'm curious how people actually evaluate this career choice.
                                                                                                                                                                                                                                                                                                                                                                • ActorNightly 8 days ago
                                                                                                                                                                                                                                                                                                                                                                  In my personal experience with working in government related cyber security, the positions are for dudes that type bash commands to run tools that are all developed by 3p companies, which end up hiring people regardless of criminal history.
                                                                                                                                                                                                                                                                                                                                                                  • Capture The Flag challenges. You don't need much more than a terminal.
                                                                                                                                                                                                                                                                                                                                                                    • rhexs 8 days ago
                                                                                                                                                                                                                                                                                                                                                                      The leetcode of the security world! Thankfully not that bad...yet.
                                                                                                                                                                                                                                                                                                                                                                  • collegeburner 8 days ago
                                                                                                                                                                                                                                                                                                                                                                    Yeah, go to them about ransomware gangs or nation state actors and you basically get told "lol we cant do shit". Complain about a kid prank and theyll go apeshit and make a, uhh, federal case of it to make themselves feel needed.
                                                                                                                                                                                                                                                                                                                                                                  • jjoonathan 8 days ago
                                                                                                                                                                                                                                                                                                                                                                    Gross but true. The administration has every incentive and opportunity to spin this into a self-serving story about taking down evil sinister hackers -- and maybe scapegoat a few unrelated problems while they are at it.

                                                                                                                                                                                                                                                                                                                                                                    I am delighted that these admins had the character to resist the perverse incentives of the system.

                                                                                                                                                                                                                                                                                                                                                                    • usmannk 8 days ago
                                                                                                                                                                                                                                                                                                                                                                      > Anyone in the field will tell you that this is an absolute disaster of a post because it sends the signal to other young aspiring cybersecurity professionals that this is OK

                                                                                                                                                                                                                                                                                                                                                                      Maybe a bit overzealous with the reaction here. OK, sure, the OP could have been even more serious about this but literally the first labeled section is "DISCLAIMER" and says:

                                                                                                                                                                                                                                                                                                                                                                      > With that said, what we did was very illegal, and other administrations may have pressed charges. We are grateful that the D214 administration was so understanding.

                                                                                                                                                                                                                                                                                                                                                                      • runjake 8 days ago
                                                                                                                                                                                                                                                                                                                                                                        That said, maybe we should lighten up on minors performing harmless/non-destructive pranks.

                                                                                                                                                                                                                                                                                                                                                                        Not everything warrants felony charges for kids.

                                                                                                                                                                                                                                                                                                                                                                        • jjoonathan 8 days ago
                                                                                                                                                                                                                                                                                                                                                                          Of course -- but we aren't the ones making the rules, and the ones who do make the rules have certain incentives that lead them in dark directions.
                                                                                                                                                                                                                                                                                                                                                                        • outworlder 8 days ago
                                                                                                                                                                                                                                                                                                                                                                          > because it sends the signal to other young aspiring cybersecurity professionals that this is OK,

                                                                                                                                                                                                                                                                                                                                                                          There are multiple disclaimers in the text, almost every other paragraph.

                                                                                                                                                                                                                                                                                                                                                                          • ActorNightly 8 days ago
                                                                                                                                                                                                                                                                                                                                                                            Id actually wonder if criminal history matters when you have skills like this that are very much in demand.

                                                                                                                                                                                                                                                                                                                                                                            If this went to court, the charges of malicious intent would likely not stick, so jailtime could likely be avoided in leu of fine/community service.

                                                                                                                                                                                                                                                                                                                                                                            Competent tech companies will not give a shit about criminal record of this nature.

                                                                                                                                                                                                                                                                                                                                                                            Expulsion from school is pretty much irrelevant, especially for CS careers. You can get a GED, find any college with CS program that will take your money, spend a year having fun, apply for an internship at a tech company, do a good job to be offered a return, talk to HR to go directly into entry level role, and you are set (have personally seen 2 cases of this happening with an intern).

                                                                                                                                                                                                                                                                                                                                                                            The most functionally harmful thing would be monetary cost, which is still inconsequential considering the salary this guy would make.

                                                                                                                                                                                                                                                                                                                                                                            • kube-system 8 days ago
                                                                                                                                                                                                                                                                                                                                                                              It depends on how regulated the particular industry is. If you're building consumer web apps at a startup, it probably won't matter. If you want to be a government contractor, it's probably a nonstarter.
                                                                                                                                                                                                                                                                                                                                                                              • ActorNightly 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                Most of the industry where the guy will be paid appropriately is going to be private. Cyber security specialists for things like AWS get paid much more than any government contractor.
                                                                                                                                                                                                                                                                                                                                                                                • kube-system 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                  That's not really the best example; AWS is a government contractor. It isn’t a coincidence that HQ2 is a few blocks away from the Pentagon.
                                                                                                                                                                                                                                                                                                                                                                            • tkinom 8 days ago
                                                                                                                                                                                                                                                                                                                                                                              For anyone who like to hack legally and ethically, check out https://www.hackerone.com/. If you're very good at hacking devices, software, networks, etc, companies will pay bounties for the vulnerabilities you find thru HackerOne.

                                                                                                                                                                                                                                                                                                                                                                              Looks like they paid out millions in bounty in 2020:

                                                                                                                                                                                                                                                                                                                                                                                  https://www.zdnet.com/article/hackerones-2020-top-10-public-bug-bounty-programs/
                                                                                                                                                                                                                                                                                                                                                                              • cwkoss 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                Worth a try, but I didn't have a good experience with it.

                                                                                                                                                                                                                                                                                                                                                                                Companies can mark items as duplicates without fixing the underlying bug for an indefinite period of time. So the 3 vulnerabilities I found all got marked as duplicates without any compensation or even acknowledgement of my time writing up the issues. Felt like a complete waste of time.

                                                                                                                                                                                                                                                                                                                                                                                If you're great, you can probably find novel stuff better than I was able to, but if you're that great you likely already have plenty of employment opportunities.

                                                                                                                                                                                                                                                                                                                                                                              • mcbishop 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                Malicious hackers could have shown something unspeakably vile on all those screens. If this kid reduced the likelihood of that... he's a hero. Alas, I totally hear you.
                                                                                                                                                                                                                                                                                                                                                                                • pascalxus 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                  yeah, it's pretty messed up that there's such extremely heavy penalties for merely playing a youtube video on a few screens whereas looting and stealing go completely unpunished. what kind of message is that sending to our youth?
                                                                                                                                                                                                                                                                                                                                                                                  • bsza 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                    > This kid is very very lucky.

                                                                                                                                                                                                                                                                                                                                                                                    No, he is just smart. He did it anonymously. He knows how to cover his a$$.

                                                                                                                                                                                                                                                                                                                                                                                    > it sends the signal to other young aspiring cybersecurity professionals that this is OK

                                                                                                                                                                                                                                                                                                                                                                                    The post literally has a whole section dedicated to explaining that this is not OK, but whatever.

                                                                                                                                                                                                                                                                                                                                                                                    • Wow that's terrifying, I'm from the EU and did 1000x worse stuff than that, never suffered any consequence, which is not right, but teenagers going to prison for hacking pranks it's really fucked up.
                                                                                                                                                                                                                                                                                                                                                                                      • baybal2 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                        This is ridiculous
                                                                                                                                                                                                                                                                                                                                                                                      • ajford 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                        Glad to see a cooperative and supportive academic administration, and I'm sure the thoroughness and planning that the team demonstrated made it easier on the administration.

                                                                                                                                                                                                                                                                                                                                                                                        The sheer amount of testing and verifying no major impact to academic testing took place probably helped, and cleaning up after themselves and documenting their finding and reporting it to IT was a cherry on the top.

                                                                                                                                                                                                                                                                                                                                                                                        I like that the administration even requested that the team brief the district IT on the "attack".

                                                                                                                                                                                                                                                                                                                                                                                        • michaelmior 6 days ago
                                                                                                                                                                                                                                                                                                                                                                                          Much less exciting, but when I was in high school I discovered an unsecured messaging service that could be accessed via a Web interface. This included the ability to send messages to any user logged in to any machine. And also the ability to broadcast messages to all machines in the school. I was never bold enough to test this feature but word got around after I showed a few friends and eventually someone decided to broadcast a rather crude message about our principal. One thing this student didn't realize is that all messages are logged and the sender was easily found and disciplined.

                                                                                                                                                                                                                                                                                                                                                                                          It could have been a lot of fun if schools in the early 2000s were as well-connected as they seem to be now. We were still working with overhead projectors at the time.

                                                                                                                                                                                                                                                                                                                                                                                          • nedt 5 days ago
                                                                                                                                                                                                                                                                                                                                                                                            When I was in school we were trying to improve the IT, but as we "knew too much" and prefered Linux over Netware we weren't trusted. Also everything was run by the teachers, we didn't help either.

                                                                                                                                                                                                                                                                                                                                                                                            Each summer they "improved" security and in less then a week we again had all of the important passwords. Even the one of the top sysadmin - which really was the one he told some students when he was trunk (everyone thought he was joking).

                                                                                                                                                                                                                                                                                                                                                                                            We didn't prank, but instead installed Duke Nukem on the Netware login drive or enabled internet access when the teachers weren't around or didn't want to give us access.

                                                                                                                                                                                                                                                                                                                                                                                            • unwind 6 days ago
                                                                                                                                                                                                                                                                                                                                                                                              Cool, I guess, but "scary" and as always a bit obnoxious to read about for me.

                                                                                                                                                                                                                                                                                                                                                                                              Anyway, it was fun to learn about the "obscure ARC architecture" used by the IoT devices in question. Unpacked to "Argonaut RISC Core", that made me curious enough to look it up since I hadn't heard of it. And sure enough, it was related to Argonaut as in "the UK game developers founded by Jez San" [1]. That's a really interesting development! :)

                                                                                                                                                                                                                                                                                                                                                                                              [1] https://en.wikipedia.org/wiki/Synopsys#ARC_International

                                                                                                                                                                                                                                                                                                                                                                                              • cghendrix 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                I thought I was cool being able to modify the ready message on printers across the school network. This is really impressive.
                                                                                                                                                                                                                                                                                                                                                                                                • drusepth 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                  In middle school I used Javascript to change Google's button text from "I'm feeling lucky!" to "Andrew is the best!" (javascript:getElementById('').text='blah')

                                                                                                                                                                                                                                                                                                                                                                                                  I showed some other students who were so freaked out that I had "hacked Google" that I got the attention of the librarian, who promptly banned me from the library computers for the rest of the year, even after I refreshed the page to show them it wasn't "real". Oof.

                                                                                                                                                                                                                                                                                                                                                                                                  • cghendrix 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                    Haha when I was searching for printers across the district network the librarian was looking at my screen. She called me out across the room asking why I was looking at printers at a different school. Oof.
                                                                                                                                                                                                                                                                                                                                                                                                  • person22 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                    I wrote an infinite loop in postscript and sent it to all the printers. This was when postscript printers cost a fortune so there were not many of them. Fun days were those.
                                                                                                                                                                                                                                                                                                                                                                                                  • Reminds me of when I attended my districts technical career center for 2 years. We had ~3 hours of various IT learning every morning with kids from high schools all over the county before we all went back to our normal schools.

                                                                                                                                                                                                                                                                                                                                                                                                    We'd of course run out of stuff to do and start messing around with our newly honed skills. Learning about net send wasn't too bad, we just sent dumb messages to each other. But learning vbscript combined with net send... you could DoS the other machines with a for loop.

                                                                                                                                                                                                                                                                                                                                                                                                    One morning I was playing around with the net send script, but accidentally plugged into the schoolwide LAN instead of our local network... every computer in the building got locked down with some idiotic message my 17 year old brain had come up with. IT took a educated guess and came down to our class and I fessed up, thankfully they let me off with a stern talking to and promises to never do it again.

                                                                                                                                                                                                                                                                                                                                                                                                    • duped 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                      Do prosecutors need consent from victims to file charges in cases like this?

                                                                                                                                                                                                                                                                                                                                                                                                      Also if you're going to commit a crime and brag about it, don't say "hey well they would point the finger at me anyway and I'm not going to name my partners." You've just told them there are coconspirators, and you don't have a right not to incriminate others.

                                                                                                                                                                                                                                                                                                                                                                                                      • paxys 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                        They don't legally need it, but such cases are pretty much dead in court without the victim's cooperation so the prosecution will almost always drop it.
                                                                                                                                                                                                                                                                                                                                                                                                        • EvanAnderson 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                          The Aaron Swartz prosecution continued, even after MIT and JSTOR said they didn't want to press charges, because of a zealous prosecutor.
                                                                                                                                                                                                                                                                                                                                                                                                          • duped 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                            What happens when the suspect publicly admits to doing it and providing detailed information on the motive and means
                                                                                                                                                                                                                                                                                                                                                                                                        • joezydeco 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                          I live near this kid and I'd offer them an internship on the spot if they came forward...but I fear they'd just be bored.
                                                                                                                                                                                                                                                                                                                                                                                                          • lxe 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                            In 2001, in 7th grade at the beginning of my web dev "career", so to speak, I made a website that looked exactly like our school district's "snow day" school closure and delay page -- and I allowed anyone to edit the message. I told a few kids about this -- it was a pinnacle of my PHP prowess back then.

                                                                                                                                                                                                                                                                                                                                                                                                            Got called into an office -- a gifted program administration, not the regular school office. I think one of the teachers there caught wind of my cool little trick, and asked me to take it down right then and there. I was terrified, as I wasn't really someone to get into any sort of trouble. I was able to take it down through their machine's windows explorer's FTP access.

                                                                                                                                                                                                                                                                                                                                                                                                            Now I realize that this teacher probably saved me from a lot of trouble. I wish these sort of stories were the norm -- where educators welcome the natural curiosity instead of throwing the law at kids who dare to think outside the box.

                                                                                                                                                                                                                                                                                                                                                                                                            • gjsman-1000 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                              I was at my own community college 2 years ago, and they had those Smart TVs showing news and weather everywhere, as well as custom images uploaded by the clubs on campus.

                                                                                                                                                                                                                                                                                                                                                                                                              It was supposed to be that a club could log into them, make, and submit a graphic to display on the TVs, but the school would have to review them before they would be displayed.

                                                                                                                                                                                                                                                                                                                                                                                                              However, I would later find out, a software update had messed up the roles system and so that club username/password which was in a public document actually had the ability to post things immediately on the TVs, without review. I found this out when I made a Math Club poster, hit the button, and it was immediately live without a check.

                                                                                                                                                                                                                                                                                                                                                                                                              I just reported it and it was fixed the next day. My instructor said that could have been really really bad considering some more unscrupulous college kids who would have (not naming names) probably gotten a kick out of throwing pr0n on them...

                                                                                                                                                                                                                                                                                                                                                                                                              • CountDrewku 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                Ugh. I worked school IT in the past. You're not as smart as you think you are. These vulnerabilities are typically known but there's not enough time, money, or the devices themselves can't really be locked down or hacker proofed anymore than they already.

                                                                                                                                                                                                                                                                                                                                                                                                                IF you do something like this at least consider that someone else is going to be cleaning your mess up.

                                                                                                                                                                                                                                                                                                                                                                                                                School kids are the worst users you can ask for. Unlike a normal business where they'd be punished or removed for something like this the kids will deliberately try to destroy the school network.

                                                                                                                                                                                                                                                                                                                                                                                                                • octokatt 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                  This is awesome, and rock thee onwards.

                                                                                                                                                                                                                                                                                                                                                                                                                  I wanted to make sure OP knows that “white hood” can mean something _very_ different, and “white hoodie hacker” might provide that distance.

                                                                                                                                                                                                                                                                                                                                                                                                                  • castis 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                    Free relatively harmless large-scale pen testing! Nice work.
                                                                                                                                                                                                                                                                                                                                                                                                                    • mwcampbell 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                      I wonder how they managed to achieve perfect synchronization across the whole district, or even between IPTV players in one school. Sure, maybe that ability is built into the IPTV system, but I wonder how it's done. Did the players all sync their clocks from a central server, pre-buffer the stream, then start playing when the local clock hit a certain time?
                                                                                                                                                                                                                                                                                                                                                                                                                      • charcircuit 6 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                        I had a teacher say that if I knew the root password to the machine students tested programs they made on that I didn't have to take the final.

                                                                                                                                                                                                                                                                                                                                                                                                                        Little did he know the kernel was old and had a privilege escalation vulnerability. I ended up leaving a note about it on the back of my final exam.

                                                                                                                                                                                                                                                                                                                                                                                                                        • sneak 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                          > With that said, what we did was very illegal, and other administrations may have pressed charges. We are grateful that the D214 administration was so understanding.

                                                                                                                                                                                                                                                                                                                                                                                                                          Note well that the victim of a crime does not get any say in whether or not a prosecutor prosecutes a crime. "Pressing charges" is a myth.

                                                                                                                                                                                                                                                                                                                                                                                                                          The prosecutor decides. Period.

                                                                                                                                                                                                                                                                                                                                                                                                                          • novok 6 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                            The probability of a prosecutor filing charges decreases significantly if the victim does not want a case to go forward, and even more if they actively do not want to cooperate with the court case.
                                                                                                                                                                                                                                                                                                                                                                                                                          • BeFlatXIII 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                            I remember being in elementary school and avoiding the net nanny by viewing one of the network drives that students (somehow) had access to but weren't told about. Eventually, someone in my class poked around enough to find BESS.exe and deleted it and we had unfiltered internet for a day.
                                                                                                                                                                                                                                                                                                                                                                                                                            • 1024core 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                              > In fact, he thanked us for our findings and wanted us to present a debrief to the tech team!

                                                                                                                                                                                                                                                                                                                                                                                                                              This is the only acceptable response.

                                                                                                                                                                                                                                                                                                                                                                                                                              • pgcm1 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                This article was great.

                                                                                                                                                                                                                                                                                                                                                                                                                                If you want to understand the IoT better, I can recommend this article: https://girlsplaining.substack.com/p/internet-of-things-and-...

                                                                                                                                                                                                                                                                                                                                                                                                                                • mingusreedus 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                  my old school used this old as hell system using two solaris servers that we would connect to via thin clients. i got root creds to everything in our school district and on my very last day at that school i decided i'd do everyone a favour and at least update the system from firefox 3 to firefox 12. well, shortly after installing the package everyones clients stopped responding and that's the day i learned about dependencies. everyone kind of knew it had to be me that screwed everything, but nobody said anything and they were grateful to have gotten rid of that horrible old system.

                                                                                                                                                                                                                                                                                                                                                                                                                                  Unfortunately they decided to replace it with windows now, but my little brother is doing a great job keeping the people managing that new system on their toes ;)

                                                                                                                                                                                                                                                                                                                                                                                                                                  • donatj 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                    When I was in elementary school in the early 90's, I discovered you could use AppleTalk to print to just about any printer in the district.

                                                                                                                                                                                                                                                                                                                                                                                                                                    I would print pages and pages of "I AM THE MASS PAPER WASTER!!!" to random printers in other buildings. I'm genuinely curious if it actually worked.

                                                                                                                                                                                                                                                                                                                                                                                                                                    • rejectfinite 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                      30s crisis hurling at me when a high school senior is way better than me lmao. Amazing read!
                                                                                                                                                                                                                                                                                                                                                                                                                                      • midwestemo 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                        Hey I know someone who goes to that school, interesting. He was telling me about this incident before
                                                                                                                                                                                                                                                                                                                                                                                                                                        • remix2000 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                          I once wrote a script that would pluck the entire student’s computer and rat them out hard in case they tried to exploit some vulnerability. Alas, no one got owned, at least not until I graduated.
                                                                                                                                                                                                                                                                                                                                                                                                                                          • jerrysievert 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                            when I was in high school, we had been battling on the pdp11 (running rsts), and when they finally upgraded to vax/vms they just gave up and gave us a small vax system to ourselves to battle on. it was much less disruptive than the hijinks we had previously been up to.

                                                                                                                                                                                                                                                                                                                                                                                                                                            of course, this was in the days when pad-pad was a thing out in the real world, so false logins on vt100/vt220 terminals was all too easy to fake.

                                                                                                                                                                                                                                                                                                                                                                                                                                            I am still thankful that they decided to set that up (we even had physical machine access) - such a better solution than just letting us go wild on the local network.

                                                                                                                                                                                                                                                                                                                                                                                                                                            • sleepybrett 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                              'white hood hacker' ... that has .. klan connotations.
                                                                                                                                                                                                                                                                                                                                                                                                                                              • datavirtue 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                Quick! Hire them before they can use their powers for the forces of good.
                                                                                                                                                                                                                                                                                                                                                                                                                                                • 908B64B197 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                  I just hope the author, at least, applied to MIT. He would fit right in.

                                                                                                                                                                                                                                                                                                                                                                                                                                                  http://hacks.mit.edu/.

                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Justsignedup 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                    My time in highschool was wasted. Kudos to these amazing kids.
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • buzzert 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                      Hopefully everyone here has seen the movie Hackers, where a similar, but slightly more destructive prank involving the school's sprinkler system took place.
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • ar_lan 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                        TIL there is an Elk Grove that is not in California!
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • gareiner 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                          I do really wished that my school wasn't strict and I'm allowed to tinker with my ideas in my school.
                                                                                                                                                                                                                                                                                                                                                                                                                                                          • hnwd 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                            I'm interested to know how was he able to remote access to seemingly any machine in the network, from outside?
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • I had Chrome RDP access on a few machines setup earlier, since I could come in-person with my team for security competitions.
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • hnwd 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                                Hey, thanks for the reply. Appreciate the writeup too, it was a fun read. Hope you don't mind but I have a few more questions.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                How were you able to get Chrome RDP access setup without admin privileges? I assume this is automatically blocked via group policy.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                Now that you have Chrome RDP setup, how were you able to access these machines from outside the network from home?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                "since I could come in-person with my team for security competitions" I'm really intrigued now. What were these security competitions about and were they part of a class you were in?

                                                                                                                                                                                                                                                                                                                                                                                                                                                            • particulars02 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                              Greatest rickroll since S2E10 of Ted Lasso.
                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Epitom3 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                                I am glad everything went in a positive direction and the school didn't punish the students.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • ilaksh 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  It's not hacking if you have ssh access. I missed the part that explained how they got that.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • alexbrower 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Hope there was still time to amend the college applications with a link to this post.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • elymar 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Pool on the roof must have a leak.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • begueradj 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        seriously scary stuff, than you for sharing
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • pranavnt 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          This is amazing!!
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • themantra514 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            This is the way.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • mister_c_dub 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              What a legend.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • lyian 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I remember in my school days we all used Windows, but the teacher/admin administration software, the school bought was pretty cheap.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  The administration tool allowed teachers to stop students from using for example the mouse or keyboard, was written in Java and was installed on all computers as a service.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  My favorite part was, that the installation setup of the whole setup was laying around on a random network drive. Being naught little script kiddos we started to dump the code an voilà no authentication or checks who is actually sending the commands. This resulted practically us, locking the teachers and even the admins out.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Aaaah, good times...
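
The failure described in the comment above, a classroom-control service that obeys whoever sends it a command, is closed by authenticating every command and rejecting replays. This is an added example, not the tool's code and not part of the original thread; it assumes a per-machine secret provisioned out of band (never shipped in the installer), and `sign_command`, `CommandReceiver` and the message layout are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW_SECONDS = 30  # assumed freshness window for a command


def _mac(key: bytes, body: bytes) -> bytes:
    """HMAC-SHA256 over the exact bytes that travel on the wire."""
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def sign_command(machine_key: bytes, command: dict, now=None) -> bytes:
    """Teacher-console side: wrap a command with timestamp, nonce and MAC."""
    ts = int(time.time() if now is None else now)
    body = json.dumps(
        {"cmd": command, "ts": ts, "nonce": secrets.token_hex(16)},
        sort_keys=True,
    ).encode()
    tag = _mac(machine_key, body).decode()
    return json.dumps({"body": body.decode(), "tag": tag}).encode()


class CommandReceiver:
    """Student-machine side. Holds only this machine's key (assumption), so a
    key pulled off one PC cannot be used to command any other PC."""

    def __init__(self, machine_key: bytes):
        self._key = machine_key
        self._seen = {}  # nonce -> timestamp, kept for the freshness window

    def handle(self, wire: bytes, now=None):
        now = int(time.time() if now is None else now)
        try:
            msg = json.loads(wire)
            body = msg["body"].encode()
            tag = msg["tag"].encode()
        except (ValueError, KeyError, TypeError, AttributeError):
            # Includes the legacy case: a bare command with no MAC at all.
            return (False, "malformed")
        # Constant-time comparison; the body is parsed only after this passes.
        if not hmac.compare_digest(_mac(self._key, body), tag):
            return (False, "bad-mac")
        envelope = json.loads(body)
        if abs(now - envelope["ts"]) > MAX_SKEW_SECONDS:
            return (False, "stale")
        # Forget nonces that could no longer pass the freshness check anyway.
        self._seen = {n: t for n, t in self._seen.items()
                      if now - t <= MAX_SKEW_SECONDS}
        if envelope["nonce"] in self._seen:
            return (False, "replay")
        self._seen[envelope["nonce"]] = envelope["ts"]
        return (True, envelope["cmd"])


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key
    rx = CommandReceiver(key)
    wire = sign_command(key, {"action": "lock_input", "target": "lab-pc-07"})
    print(rx.handle(wire))                        # accepted
    print(rx.handle(wire))                        # same bytes again: replay
    print(rx.handle(b'{"action": "lock_input"}')) # unauthenticated: rejected
```
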

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • So much attention to detail that I can't help but think that the kids parents were helping along the way.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • ajford 8 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Maybe, maybe not. The author has graduated from High School, meaning they're about to enter college or the workforce. I wouldn't be surprised to see this level of detail from someone at that level academically. Delighted, yes. Would I expect if from everyone? Hell no.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              But surprised that a tech-enthusiast and eager learner might have put this much thought into this prank and it's potential consequences, not so much.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Teenagers/young adults tend to have different stressors and other things to occupy their time than the average adult in the workforce, meaning the author likely gave this prank a fair amount of their free time, and that dedication showed through in the amount of planning done.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Additionally it's likely, given they mentioned once or twice in the article they planned on posting a blog about the prank, that they might be hoping to use this on their resume or as a talking point in their career. If they're hoping to go into security or comp sci, this would be a decent feather in their cap and the amount of time spent is easily justified.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • treszkai 7 days ago
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              These devices were unsecured for a reason: there wasn't money to hire competent people who would make all services secure.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Finding a vulnerability in the grade tracking system is much different than in IPTV: the first can have real-life implications, the latter only gives the attacker bragging rights. Only students would benefit from hacking IPTV (for funsies), but patching it requires funds nonetheless, and then further effort from staff when the default user/pass doesn't work. And then we complain about the hidden costs of low-trust societies.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              If the guy had written to the admins about it, they probably would've replied "yeah we know about it, please don't do it".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "But I want to because I can and you're too lazy and incompetent to fix it."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "Okay then here's 50 bucks, please fix it for us, we don't have time for this nonsense."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "F off", and then proceeds to rick roll because that can get him to HN front page.