398 comments

[ 2.8 ms ] story [ 309 ms ] thread
The fact that the administration didn't choose to sue them to oblivion is refreshing. I hope we'll see a trend in the future of educator being smart enough to admit that they made a mistake and to encourage the students to develop their talent.

One can only hope.

Too right! Get this kid a job, not punishment.
I'm glad to see a kid using bash and not something like gulp PowerShell
Not to diminish your comment, but a thing I've found late my career is to abandon dogma when it comes to young folks learning. If they can learn with PowerShell, they're a lot better off than a lot of young folks! There is no one-true-way and as soon as you find it, another generation will show up with another-true-way :)
Credit where credit is due, we all WISH *nix had something like PowerShell. Passing strings from program to program is a pain, passing around .NET objects instead is a great step forward, as can be seen by the several attempts at similar shells passing around JSON objects.
PowerShell has been available on Linux via .NET Core since 2016 and version 6.0. Even my Windows box with PowerShell 5.1 likes to remind me of this fact every time I start it:

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.
    
    Try the new cross-platform PowerShell https://aka.ms/pscore6
On that note, i'm saddened Windows 11 doesn't ship with Powershell 7. Are there that many breaking changes in the switch from 5 -> 6 or 5 -> 7?
yep, always good to get ads on your shell when you start it.

it's like those awesome ubuntu login motd's, I look forward to them every time I log in, just in case the ad changes.

er ...

> Passing strings from program to program is a pain

The internet has been pretty successful and many popular protocols (http, smtp, etc) are exactly "passing strings from program to program"

Which is why all browsers render the same thing exactly the same way and there's no need at all to test more than one. Yep.
The presentation layer has nothing to do with he protocol layer...

If you pump some serialised binary into a browser it will still render wrong.

And behind the scenes of internet-based services there's a whole ecosystem of "how can we do shit more robustly than just passing strings around" (or even for "better than XML or JSON").
> Credit where credit is due, we all WISH nix had something like PowerShell.

Who is "we". I've worked exclusively on a windows stack so used powershell on the job. But at home, I use bash. I don't want something like powershell in nix and don't use powershell on nix even though it's been available on nix for many years now.

> Passing strings from program to program is a pain

You can argue it's the basis of computer science and also pretty efficient.

> passing around .NET objects instead is a great step forward, as can be seen by the several attempts at similar shells passing around JSON objects.

Passing around objects can be slow, inefficient, wasteful, etc though it can be convenient.

If you are on a windows stack then go with powershell. If not, then go with bash. Nobody should be on a windows stack but sadly, much of the business world has been captured by microsoft.

There have been REPLs like PowerShell for ages, it's nothing really new. The only nuance in this is that it is new in the Windows ecosystem to have something like that supported by Microsoft. Ironically, it hasn't managed to displace the command prompt or batch files, so instead of having to deal with one thing, you now have to deal with two things.

As for the passing of strings: it might seem like a pain, but as soon as you start working with non-program I/O it's not like you'll have much of a choice. Keep in mind that it is the lowest form of communication and you can build on top of that. Same with I/O in general: nothing prevents you from using shared memory or a device instead.

> Ironically, it hasn't managed to displace the command prompt or batch files

It don't think they expect that people would rewrite their old scripts. That is actually silly to consider. Even with console vs terminal, they are concerned of backward compatibility and leaving it as is:

> Windows Console will continue to ship within Windows for decades to come in order to ensure backward compatibility with the many millions of existing/legacy command-line scripts, apps, and tools

https://devblogs.microsoft.com/commandline/windows-terminal-...

They could just have an alternative interpreter mode to support batch files, or even have a cmdlet that does just that. If people like to point and click, associate that with a cmdlet (they can do that, right?) and there you go.
Parsing strings in Powershell is super complicated compared to regular Unix tools
You're glad to see them using the ancient clusterfuck that is Bash, and not a modern relatively sane shell that is indisputably the most seminal shell in the last 30 years?
Well at least it's a racing horse and not a turtle.
Nah, i actually used powershell before bash because i did a lot of android hacking stuff before learning to code. I worked with Powershell 3, powershell 4 and powershell 5. Powershell 3 was the most painfull thing to work with. No state accross session, the default were shit so i had to reconfigure more often than not. Slow, painfull, buggy... Around the same ime i learned how to bash pretty well in two days, use rsync, use ssh, use sed and awk... Powershell 3 was shit compared to this.

Then i used powershell4, i guess it was better but honestly i don't think i've used it very much. Powershell5 might be better than bash for 90% of the dev population though.

Powershell is actually good though.
Being a minor probably helps. There are so many laws today. It's too risky to do this. It's not like it was 25 years ago.
I was suspended for a week for creating a network share in my typing class and dividing the work among my friends and we copied and pasted into a single document on the share. This was on Windows NT though so a LONG time ago. It's also I guess "cheating". But they got us on "computer hacking"
I used CACLS with an Office hack in NT / 9X to copy homework. Never got caught for that.

They got me on propagating computer games through the network using shared drives the teachers were supposed to use for homework.

We had BNC network cables in those days and the entire building shared a single T1 line for several hundred computers.

The world has changed.

Same thing here. Teacher came into class with his multiple month investigation comparing all students work highlighting common errors. Found three different groups that were sharing work load. In school suspension for all of us, only like three kids left in class for the week.
Also in my typing class circa 2004 the teacher was about to kick me out because he thought I was on a chat room during his class. I was actually viewing page source on an HTML document
Yea , kids would get expelled in the old days for putting a screensaver password
It can get pretty messy. For example, they could wait until they're 21 to try them as an adult, even if it was committed at 17 or younger [0 p. 128]:

> a person who committed the offense before his eighteenth birthday, but is over twenty-one on the date formal charges are filed, may be prosecuted as an adult.... This is true even where the government could have charged the juvenile prior to his twenty-first birthday, but did not.

However, the statute of limitations for CFAA violations is 2 years [1 p. 2] so this might not apply. If somehow they can still go after him at 21, this post could play a part in evidence for performing the hack (I truly hope not).

0: https://www.justice.gov/sites/default/files/criminal-ccips/l...

1: https://www.goodwinlaw.com/-/media/files/publications/10_01-...

The newest policy is to charge minors as adults unless there's a compelling and beneficial reason not to. I think that was a DOJ change around 2009. Not sure how many states followed suit. But in general, its increasingly likely that minors are being charged as adults.
25 years ago wasn’t any better… I recall several in my circle getting suspended for harmless things. The lesson: don’t explore, don’t be curious, and don’t try to fix anything related to the school and computers. Sigh.
Consent is paramount when doing that type of exploration. Without explicit permission, how would an IT administrator distinguish the difference between a curious student and a malicious attacker?
Well, I imagine that would require using a brain, which may an onerous requirement.
You're not wrong, but I think it might be helpful to think of this in different terms. Teenagers, with burgeoning agency, are being denied the ability to meaningfully impact their environment yet are bound to it for most of their lives.

I agree with you that explicit permission is important, but it is also something that young people are frequently and explicitly denied. I don't think the solution is condoning that sort of 'extracurricular', but I think we should recognize the problem is probably starting with the adults in the situation.

You would think so, only this is a bit opaque when dealing with a local school and a district bureaucracy with various computer labs, internet and phone systems. As a student, you may think that the right person to ask is the local teacher who has control of the asset. Especially if that teacher has been assigned IT duties.

But to many school administrators consent of teachers is meaningless. Those assets aren't owned by the teachers but by the district, even if they are the apparent authority figures and stewards in the eyes of the students.

People on HN always act like what they were doing was almost noble. You weren't. If you had been picking locks or even rummaging around unlocked desk drawers you'd get the same treatment and deserve it.
Probably helps that "We prepared complete documentation of everything we did, including recommendations to remediate the vulnerabilities we discovered. We went a comprehensive 26-page penetration test report to the D214 tech team and worked with them to help secure their network."
That hasn't helped in the past. Frankly I think they were naive to reveal themselves no matter what the authorities said. It hasn't gone nearly as well for other people.
The students were extremely lucky.

The advice given to me in high school (I was working on tech projects after school for several teachers and groups) was to not even try or explore poking around the IT networks it no matter how good my intentions were. All it takes is one grumpy school administrator to feel undermined or to misunderstand your report and you could be expelled.

When you're in a position like a student, you're still working your way up and building credibility. No need to risk it all for an IT group that doesn't want your security advice and didn't ask for your help.

It's always fascinating how dramatically different schools can be. When I was in high school, in the late 1990s, nobody would have cared so much about something along these lines. At worst it would have resulted in a three day suspension from school and lecture from the principle.
Seconded, the same advice has also been given to me back in India.

"Know where your boundaries are and who your stakeholders are, don't do anything that will make your stakeholders look bad." It's a life advice given to me by my high school teacher that served me well in my professional life.

(comment deleted)
Yep - I, like many of my friends and people who are naturally curious and work today in "Cybersecurity" had fun, poked around - but once you found little data troves - it reveals how inept alot of people can be.

And you just volunteer to be thrown under the bus as that "hacker."

Anonymous, maybe. As a student, under 18 - you're "immune" from many things - but it can be a stain.

It doesn't stop at the student level. Find something at the corp level with an arrogant IT dept, and you'll find yourself in uncomforatable situations as well.
He had already graduated, so expulsion wasn't an option.
Expulsion is one of the friendlier outcomes. Federal prosecution and prison time are also very realistic options here. It's happened to other well-meaning kids on many occasions.
He had already graduated when he wrote his blog post and told them, he was still a student when he performed the hacking.

I realize this is conjecture but I'm giving an example. Speaking from experience receiving "security reports" from users and students, often times they fail to understand the full picture of IT. As a student with no buy-in from the stakeholders, the risk isn't worth it.

For example, let's say this IoT network was managed by a vendor who, while having sloppy configuration practices, also had network monitoring looking for APT/anomalies (such as new connections in off-hours or unusual connection rates or bandwidth usage.)

While the student thinks they're being sneaky and hacking the system at night, opening ssh connections to a hundred devices from his laptop, there are now reports and alarms going off on a monitoring system. Some basic timestamps and VPN access logs would be enough to point to the student. So this student thinks they're creating an anonymous harmless prank, but the IT department is already investigating a malicious actor on their network. How do you think this would end?

He addresses this pretty well in the post imo. His co-conspiritors remained unnamed while he alone revealed himself because he wanted to publish this post and it's highly likely he would've been blamed anyway.
The poster/hacker actually addresses this -- he doesn't reveal himself until after graduation, keeps his fellow hackers secret still, and mentions that he was most likely the prime suspect in the district anyway. Seems like a fair tradeoff if he wanted to make this blog post, though school districts could be nasty and litigious, I guess.
Pretty sure there's nothing stopping the school district from retroactively recinding his graduation, or refusing to send transcripts to universities, or informing those universities of his transgressions, which would probably result in revoked admission.
It's still a terrible idea to admit to committing a crime under your real name before the statute of limitations has run out
Is there even a statute of limitations for this kind of thing? Seems way better to just never admit to it at all.
The CFAA has a statute of limitations of 2 years.
In many cases, a 26-page report documenting the incompetency of a team would not be taken kindly.
I find it annoying that people immediately assume incompetence and not inadequate staffing or conflicting priorities. I worked at a school district for a few years and we were woefully understaffed for what we had to cover. In situations like that you do what you have to so teachers can teach, move on to the next emergency, and hope like hell some self-important little shit doesn't burn everything to the ground.
Yep. What they did was wrong. And by doing so they threw themselves at the mercy of the entity they hacked. The refreshing part is that the entity did the morally right thing and showed mercy.
> What they did was wrong.

It was certainly against the rules. I'm not so sure it was wrong.

If I broke into your home tonight to play a prank on you and then handed you a white paper about how to better secure it, how would you feel?
Breaking and entering vs. playing a harmless video at the end of the day in school.

False equivalence.

Unlawful access to a computer network is often a far more serious crime with stiffer penalties.

So perhaps you’re right that it is a false equivalence.

Now you’re reverting to the “it’s against the rules” stance again.
except in the case of my home all my doors were unlocked. I would definitely appreciate a paper about how to secure my home, especially if the intruder took great care not to cause any damage or disturbance.
"sue" suggests civil action and a decision by the wronged party.

They're lucky a prosecutor didn't prosecute them for criminal activity. The school would not have any say about whether or not this happens.

>The school would not have any say about whether or not this happens.

Schools are members of the local government "club". Prosecutors don't generally burn political capital giving the bird to other members of the club like that without a good reason.

Many here, I am sure, got in trouble in high school for exposing security issues in school IT. So I imagine we're all very happy to see a sane response from school administration for once!
I got in trouble once in high school just for discovering and then using `net send` to send a message to my friend that said "Hi from lab 3".

Computer lab access revoked for 6 weeks. Jokes on them, now I send socket messages to my friend that says "Hi from Chicago" and there's nothing they can do about it.

My friend however keeps begging me to use this thing called 'email' because he claims he doesn't see the socket messages.

everyone in my school net send bombed everyone all the time. Im not sure how they didn't figure out how to just turn it off.

but i remember you had to do it from a library computer, because it said who it sent it from. so you had to do a little drive by walking net send as you walked out of the library to not get caught

We would write scripts to essentially make net send DOS attacks on different labs.
That was exactly how we used to do it, from where we used to do it, haha. Are you my friend? Rodrigo? How's the weather in Miami? How 'bout those 'Canes?
In our case it escalated to scripts with silent, random time delays. Launch it from a floppy, walk away and 87 minutes later everyone is wondering why a notice went out saying that a Toyota Corolla in the parking lot has its lights on.
Sorry you got access revoked. I accidentally did a net send (via the GUI) to the whole district domain instead of my friend in AP CS that said "Time for break!" right before the snack break.

In my next class, the teacher was talking about "Time for break" virus going around... :/

This was after the district IT wanted to suspend me for setting up a Windows 2000 domain for the yearbook lab, so I kept my mouth shut.

There was an excessively annoying kid in my high school and I learned to send remote commands to any computer in our lab, so I sent a command on loop that continuously opened his disk drive (it would automatically re-open after closing), and if he was particularly annoying I would shut down his computer.

I never once got in trouble for it - the teacher would ask the class, directly looking at me, from time to time to stop it, but I never got in trouble.

I imagine he was just using those announcements to get me to stop from time to time, but knew this kid deserved it so he never did more than that.

Story time, I guess.

I went to a small private Christian school back in the late 200X's, and not the type of private school that had gobs of money. For two years, our desktop computers in the computer lab and the English classroom ran Ubuntu Linux (presumably because Windows licenses were >$0). The only students with Linux experience were myself and a friend that I introduced to Linux (who is also now an IT professional).

For a month or two we systematically changed the remote desktop preferences to automatically accept new connections and not to display any messages saying that there is a connection. We tried to never sit at the same computer twice so that we could "adjust" as many computers as possible and to make a secret map of where each computer was by hostname.

If we were in the computer lab and feeling mischievous (always), we'd poll around English classroom hostnames to see if any were in use, or vice versa. We'd "help" people write their papers (very creatively, I might add), speedrun through other students' typing lessons, open a terminal and run "telnet towel.blinkenlights.nl", or whatever else we could come up with.

Well, wouldn't you know it, word gets around this is happening and we naturally get called in to the principal's office (because who else?). While expecting the worst, we were told "we know what you're doing, we don't know how to stop you, but we encourage you to stop and use your technical abilities productively instead" and were let off without punishment. We both came out of it with great respect for the administration because they showed us respect we didn't deserve, and we stopped.

Stories of more enlightened school administrators are always welcome.

My story: the "second best high school in the state" had an AT&T 3b2. They wouldn't let me take any classes that used it because they were afraid of what I might do to it (their words). I mean, they weren't actually wrong to worry, but it din't really have anything on it.

I don't know. I feel like a lot of the people here celebrate their former exploits as though they weren't committing the computer equivalent of rifling through unlocked desk drawers and graffitiing the walls. They seem so surprised that overworked and underpaid public servants don't appreciate that.
It happens at "adult" jobs too. I found a number of webcams in the organization with no password. I flipped the image on one, and sent an email to IT saying, "Hey something's wrong with the web cam - it's upside down. Oh and probably you should put a password on it ;)"

It didn't go over so well. It embarrassed them and lead to some major reprimands for me, almost to the point of losing my job for unauthorized access to systems.

Free relatively harmless large-scale pen testing! Nice work.
I’ve said this a bunch on here so please tell me to stuff it if it’s tiresome, but having been on the far side of a large scale bug bounty i am incredibly impressed with the skills that young folks are developing in infosec. Probably not particularly unique but the industry is still a bit of a combination of tradecraft and academic pursuit and can be confusing for people to find a way in. I think this is why i really appreciate those that just bear down and get after it.
(comment deleted)
Neat story, and this is clearly harmless. But isn't the most basic, fundamental, number one rule of security/pen testing to try to break into a system (no matter how weak) if and only if you've been given clearance beforehand? Why doesn't that hold here?
The rule does apply. Also, it was a senior prank, which by definition involves breaking the rules.
The author literally put in TWO disclaimers making that exact point...
I think the OP is asking "Why are we applauding them if they broke the rules?". The answer is "Sometimes, people break the rules".
Glad to see a cooperative and supportive academic administration, and I'm sure the thoroughness and planning that the team demonstrated made it easier on the administration.

The sheer amount of testing and verifying no major impact to academic testing took place probably helped, and cleaning up after themselves and documenting their finding and reporting it to IT was a cherry on the top.

I like that the administration even requested that the team brief the district IT on the "attack".

TIL there is an Elk Grove that is not in California!
Up until OP starts working out the frustrations of RTSP it was pretty much a yawner "scan for ports, http to them, see if sumthins there and unguarded". But the perseverance to make a prank work like that with a finicky protocol across a wide variety of different OEM hardware is really exceptional!
Using the school computer's webcam to test his exploit at night was genius. Very clean.
I thought I was cool being able to modify the ready message on printers across the school network. This is really impressive.
I wrote an infinite loop in postscript and sent it to all the printers. This was when postscript printers cost a fortune so there were not many of them. Fun days were those.
In middle school I used Javascript to change Google's button text from "I'm feeling lucky!" to "Andrew is the best!" (javascript:getElementById('').text='blah')

I showed some other students who were so freaked out that I had "hacked Google" that I got the attention of the librarian, who promptly banned me from the library computers for the rest of the year, even after I refreshed the page to show them it wasn't "real". Oof.

Haha when I was searching for printers across the district network the librarian was looking at my screen. She called me out across the room asking why I was looking at printers at a different school. Oof.
When I was in High School (early 90's) we got a new computer system that nobody was using yet. I discovered there was an email system of some kind and that every student had an email address that we were not told about. I also discovered Tetris installed in a directory on the server. I was able to play Tetris and I could show other students how to access it, but it was inconvenient to get to.

Therefore I decided I would email Tetris to every student (I emailed the executable, not a link to Tetris), making it easier for everyone to play also. As soon as I did this the entire system got very slow...apparently the server had no quotas or partitioning and the hundreds of copies of Tetris filled up 100% of the hard drive space. It was a disaster. The computer "specialist" had no idea how to fix the system and she was teaching an adult education class that evening that required the system to work. She was furious and wanted me to get suspended. It didn't happen though because I spoke up about the problem right when I knew there was a problem and also some other teachers intervened on my behalf.

The woman who was responsible for the computer system back then is now the superintendent of the school system. I wonder if she remembers me.

She remembers you.

I also graduated in the early 90's and my children recently graduated from my alma mater. When I went with them to teacher conferences some of the same teachers were still there. Teachers that I didn't even have classes with remember me.

In like '89 when I was 19 and at university my work-study job was with the IT/ComputingResources department (old names). I worked as a graveyard shift NOC operator swapping tapes and handing out print-jobs, running system tests and stuff like that. We had several 24/7 computer labs full of Sun 3/50(60) workstations and things like that. But there was one lab that was closed from 10-5 overnight and I thought to myself "hey, there's a whole room of workstations not doing anything" so I wrote some scripts rsh/NFS and used that lab one night to run distributed ray-tracing jobs. The next day my account was disabled and I had to go talk to Security. They sorta laughed a bit then went like NO don't do that. I worked for the IT department for the next four years. Then I left for a decade. Then I came back and applied for a job. The interview lasted all of five minutes, I worked for a few months before being forcibly promoted up into the upper circle. My first task was to go around to the dozen others who had root and ask for advice and update the root-speech documentation. I got to Security.... tippity tappity "Oh, hello Mr. zengargoyle, let's see... '89 'misuse of computing resources'." LOL, still had root by the end of the day.

So, this is just to say... that places like education where people may stick around for a long while in the system and such. They probably do remember a bunch of events from even a decade ago. It's the good places that have a sense of humor or appreciation for a worthy harmless infraction. They may even be secretly proud or have some admiration.

Though I do sorta fear that I just happened to hit the tail end of old-school hackery where such things are such things are rewarded. Now get off my lawn.

The s in IoT stands for security.
So much attention to detail that I can't help but think that the kids parents were helping along the way.
Maybe, maybe not. The author has graduated from High School, meaning they're about to enter college or the workforce. I wouldn't be surprised to see this level of detail from someone at that level academically. Delighted, yes. Would I expect if from everyone? Hell no.

But surprised that a tech-enthusiast and eager learner might have put this much thought into this prank and it's potential consequences, not so much.

Teenagers/young adults tend to have different stressors and other things to occupy their time than the average adult in the workforce, meaning the author likely gave this prank a fair amount of their free time, and that dedication showed through in the amount of planning done.

Additionally it's likely, given they mentioned once or twice in the article they planned on posting a blog about the prank, that they might be hoping to use this on their resume or as a talking point in their career. If they're hoping to go into security or comp sci, this would be a decent feather in their cap and the amount of time spent is easily justified.

My first thought when I read the headline was "another kid with a felony following them around for a prank that didn't harm anyone". Nice to see they weren't prosecuted.
Given the amount of press this is receiving and the fact that the message the administration sent to them seemed a bit suspect, I wouldn't be surprised if the kids did end up catching several charges.
No kidding, I was threatened with legal action for significantly less shenanigans back in my day.
I told my district that I could change my race at-will via a hidden form on the profile page. I changed it to "Purple". Got a call back from some IT guy telling me I accessed their computer without authorization, and that if it happened again, they'd press charges. I asked to be put through to the IT administrator, and he laughed and told me don't worry about it... Sometimes, they can handle it well. Very glad they did for you as well :)
I think the dilenation point comes in with whether they are an IT "person" or a school administrator.

Regularly, I would end up in trouble in my High School for things like bypassing the root account (using ShellShock), or nullifying their executable restrictions (because I needed to run my own executables for a work/study program). If I got caught, the IT admin would sit down and we'd chat about what happened, how they could improve their security and such. An administrator caught on to one of my shenanigans, bypassing the content block because I wanted to read a "hacking" article, and threatened me with suspension. Supposedly, she reported the incident to IT, and IT told her to not bother me anymore.

This is spot on. I Used to work as a sysadmin for a large private school and always enjoyed the red/blue dynamic of tech team vs the smarter students trying to poke through the restrictions of their laptops and network.

It was always disappointing when they took it too far and were directly caught by teachers or administration before I could tell them they were being a bit too blatantly malicious.

That's definitely true, my elementary school principal once got upset at me for unplugging and replugging the ethernet to fix the internet... I'm pretty sure the IT guys would have done the same :P
I feel so dumb when I read kids doing these things. Back in High School all I knew was how I could run arbitrary executable files by renaming them to calc.exe. We also did the classic "take a screenshot of the desktop, set it as the wallpaper, then remove all icons and the start menu" thing.
All this. Plus TI-86 king fu. Though this was 1991-1995, IoT didn’t exist and email and web access was mostly through AOL or Prodigy.
Another good one on that level was using the Windows keyboard shortcut ctrl-alt-down to rotate the display upside down - totally harmless, but absolutely maddening if you don’t know how to undo it
Unfortunately, this feature was discontinued by most graphics drivers.
This is still a common prank at work on win10 pc’s
I think it's a good thing that Ctrl+Alt+Arrow is no longer intercepted by graphics drivers, since IMO shortcuts not containing Win should be handled by apps and not the system.
Even better if you combined it with an upside down screenshot of the desktop. So it looked like only the mouse was upside down and all buttons didn't work.
I told a friend who knew absolutely nothing about computers to go and type format c: on the school only computer and wait for the result. It turned a bit ugly but we're still friend :)
Change wallpaper to some crap. Take a screenshot of desktop. Change wallpaper back and open screenshot with crap on the background in fullscreen mode.
back in middle school we would just use proxys to play online games on the library that were regularly blocked
About two years ago, I was in high school and decided to, as a joke, “hack” the computer. By logging in as admn:password. I was incredibly surprised when it actually ended up working as a domain admin account. After checking this, I immediately signed out.

When my CS teacher filed a ticket asking “who has the user account ‘admin’ and why is the password ‘password?’” IT wanted to revoke my network login and probably put me in ISS for a few days. Fortunately, my CS teacher didn’t reveal who I was.

Very glad IT at this person’s school took it in stride, unfortunately this was just the MO of IT in my district.

I'm impressed with how much foresight this high schooler had in preparing for the prank. My impression is that most high school age kids would out themselves within the first few weeks of planning due to wanting to boast, here they instead took to testing covertly, overnight.
Someone I know did something similar, was arrested in their college dorm, and at the sentencing hearing in federal court was fined and sentenced to 5 years probation, and now has a criminal record.

This kid is very very lucky. Obviously they violated the CFAA which carries severe criminal penalties. They engaged in actual hacking without any permission or defined scope. And they exploited the system without any responsible disclosure process.

Anyone in the field will tell you that this is an absolute disaster of a post because it sends the signal to other young aspiring cybersecurity professionals that this is OK, and the school will laugh it off, and you'll be seen as an adorable Matthew Broderick type Wargames character. I can't overemphasize how far this is from the truth in 2021.

Absolutely do not access systems you are not allowed to. If you do want to do penetration testing, you need permission from the systems owner and a clearly defined scope. And when you do find issues, you don't exploit them, you responsibly disclose them within a clearly defined framework.

If you want to end up with a criminal record that will profoundly effect the rest of your life, including your career prospects and ability to travel internationally, then by all means, do what this guy did.

I wish it wasn't so. It never used to be. But this is how it is now. Overzealous prosecutors have been given a huge amount of power, and all you need is one embarrassed systems administrator, school board or management team to trigger a disastrous outcome in stories like this.

This post is 100% spot on. While the local school district may treat it as a prank, in the U.S. the federal authorities may not. To see how seriously the government takes this act, look at the penalties section of the relevant U.S. code.

https://www.law.cornell.edu/uscode/text/18/1030

And yet, there is overwhelming demand for what the government calls "cyber security". As a developer it is easy to get good at your craft by practicing and learning, how in the world is a security specialist able to practice without asking for permission or already having a job? A home lab setup? A college degree and formal education? I'm curious how people actually evaluate this career choice.
In my personal experience with working in government related cyber security, the positions are for dudes that type bash commands to run tools that are all developed by 3p companies, which end up hiring people regardless of criminal history.
Capture The Flag challenges. You don't need much more than a terminal.
The leetcode of the security world! Thankfully not that bad...yet.
Yeah, go to them about ransomware gangs or nation state actors and you basically get told "lol we cant do shit". Complain about a kid prank and theyll go apeshit and make a, uhh, federal case of it to make themselves feel needed.
I agree, that feels wrong to me...

When I was younger (~15) I also did some "fun" (aka stupid) stuff with the school computer network and in the end they got me and I received a "formal warning" (it was in France).

In the end I'm glad for it because that scared me off and I never tried again on stuff that I don't own.

But putting a kid in jail/having a criminal record seems way to excessive to me. Kids are dumb. And by punishing them that hard they won't become a better person. hell, they won't be able to have a job !

> But putting a kid in jail/having a criminal record seems way to excessive to me.

It absolutely is. Society is clearly harmed by laws like the CFAA.

LEO do like overly broad laws though. There's nothing better to ruin the lives of people that cops don't like.

When I was in High School in 2003 I discovered you could pretty easily get around the tool that blocked running installers by launching them by entering the full path to the installer in the address bar of Internet Explorer. This was before Windows and IE were decoupled. I installed VNC server on a couple friends computers and used it for some light hearted pranks, but didn't do anything else with it.

One of my friends who I did this to went crazy with it and used it to mess with his teachers computers. Ended up in huge trouble, cops knocking on his door, and I believe probation. This was the year after I graduated.

On the one hand, I kind of feel responsible for showing him, on the other hand, it's his fault he had to go off and be an idiot with something I just thought was fun.

Ah, 2021, such sad times, where we squash our creativities in fear of the police, where you'd think twice before doing something like one of the MIT hacks http://hacks.mit.edu ...

I do wonder if they could've secured themselves with VPN and "untraceable" anonymous emails (e.g. asking for a guarantee that they won't be sued/charged), although the teenage bragging rights would've been too tempting.

I wonder if it was possible for the hacker to ask a lawyer to represent them anonymously and make a contract, something like the district promises not to file criminal charges, and if they violate this deal they will have to pay a lot of money...

> I do wonder if they could've secured themselves with VPN and "untraceable" anonymous emails (e.g. asking for a guarantee that they won't be sued/charged), although the teenage bragging rights would've been too tempting.

If you read TFA, that is effectively what happened. Even with the guarantee, only one of them revealed themselves.

No point in pulling off a complicated prank without enjoying the notoriety gained from it.
> I wonder if it was possible for the hacker to ask a lawyer to represent them anonymously and make a contract, something like the district promises not to file criminal charges, and if they violate this deal they will have to pay a lot of money...

Criminal charges are generally filed by the prosecutor. They'll generally follow the wishes of the victim, but are not required to (think, e.g., domestic violence cases). There is absolutely zero the school can do to guarantee that you won't be charged if the prosecutor does catch wind of the incident and decides to make an example of you.

This is generally true, but the CFAA is obviously not violated by access which is authorised. In this case, you could simply draw up a pentest agreement and get them to say any such activity would be authorised.
My understanding is that in America, prosecutors are often political appointees without much institutional oversight, as compared to being a reasonably dull civil service department who have to justify prosecutions as being in the public interest
> Anyone in the field will tell you that this is an absolute disaster of a post because it sends the signal to other young aspiring cybersecurity professionals that this is OK

Maybe a bit overzealous with the reaction here. OK, sure, the OP could have been even more serious about this but literally the first labeled section is "DISCLAIMER" and says:

> With that said, what we did was very illegal, and other administrations may have pressed charges. We are grateful that the D214 administration was so understanding.

I remember back in high school we had this computer lab that was all locked down. Didn't allow opening the CD-ROM drives, only allowed certain educational websites, etc. I put a little remote access app on my share drive as a way to open my own CD drive, mostly just to see if I could do it. The school's computer guy came and found me and was like "hey, a file pinged as malware, what's up with that" and we had a fun discussion about it and I deleted it and we moved on with our lives. I didn't think about it again. Years later, I looked back with horror at how badly that could have gone for me.
Your school didn’t have paperclips?
Can't get 'em through the metal detector. Gotta grind down a toothbrush on concrete these days...
Oh, I meant to imply that you would procure and assemble your tools once on-site. What you don’t pack-in, you may not need to pack-out, etc.
Ah, you young whippersnappers with your labs and networks and CDs... my high school just got one Commodore PET, that was "the school computer" in my day.

Fortunately, I got on well with the math teacher who had charge of it, and he'd let me take it home over the weekends. Those were the days...

Apple IIe gang over here. Don't bend my floppy!
I know somebody - I think they post here, hi! - who ended up in "weekend jail" with a conviction for sharing a school's WiFi password without permission. I also once got reprimanded for writing a blog post not too dissimilar to this one at a less sympathetic school. I also remember the joy of hiding a server in the ceiling of our school so we could play UT2K3 on the library computers before that exploded similarly. Adults are so boring.
Every district is different, heck -- every school within a district can be different in extreme discipline like this. Frankly, the size of his district represented a lot of risk; those often have the policies with the least wiggle-room -- like "Weekend Jail for Sharing a WiFi password" (insane).

At the school my child attends, I am confident he would have ended up with a pat on the back if the circumstances were similar. I can't speak for the district -- I'd be willing to bet that'd be very risky. At the school I had once attended, I'd expect the entire district would behave similarly. I'm sure there were people within the district administration that wanted to throw the book at the kids involved.

Here's the thing for those people: the last thing a school district wants is to become national news for punishing a bunch of kids who the evening news can make out to look like "Geniuses". Since nothing failed in their plan -- that's crazy important -- there would be very few ways to frame the story that makes the administration look like anything but bullies, and many will frame them as "petty bullies". I have a friend I went to High School with who is now a High School principal. He's still "that guy I went to High School with." I have no doubt he would have given the kids an award privately, if not publicly.

It's sad that some public school districts are using discipline approaches you'd expect to see in prisons, rather than a school, and I'm sure in certain places in the country, that might be a necessity. Context matters, too -- were these kids who were constantly pulling pranks like this, had been talked to in the past/impacted things in the past, etc, I'd expect a harsh response: "Yes, we get it, you're smart, stop breaking things already, read the horrors of the 1986 CFAA because that's coming if it happens again." I'm guessing these were otherwise good students.

That said, maybe we should lighten up on minors performing harmless/non-destructive pranks.

Not everything warrants felony charges for kids.

Of course -- but we aren't the ones making the rules, and the ones who do make the rules have certain incentives that lead them in dark directions.
Anyone in the field will tell you that this is an absolute disaster of a post because it sends the signal to other young aspiring cybersecurity professionals that this is OK, and the school will laugh it off, and you'll be seen as an adorable Matthew Broderick type Wargames character. I can't overemphasize how far this is from the truth in 2021.

Or maybe it will shame other IT departments into not having a stick up their butt. Especially if there is already a culture of overlooking minor criminal activity in the name of harmless pranks.

Gross but true. The administration has every incentive and opportunity to spin this into a self-serving story about taking down evil sinister hackers -- and maybe scapegoat a few unrelated problems while they are at it.

I am delighted that these admins had the character to resist the perverse incentives of the system.

For anyone who like to hack legally and ethically, check out https://www.hackerone.com/. If you're very good at hacking devices, software, networks, etc, companies will pay bounties for the vulnerabilities you find thru HackerOne.

Looks like they paid out millions in bounty in 2020:

    https://www.zdnet.com/article/hackerones-2020-top-10-public-bug-bounty-programs/
Worth a try, but I didn't have a good experience with it.

Companies can mark items as duplicates without fixing the underlying bug for an indefinite period of time. So the 3 vulnerabilities I found all got marked as duplicates without any compensation or even acknowledgement of my time writing up the issues. Felt like a complete waste of time.

If you're great, you can probably find novel stuff better than I was able to, but if you're that great you likely already have plenty of employment opportunities.

Posts like yours validate the insane over criminalization of what essentially amounts to a prank. I had literally the exact same experience in high school. Got expelled and had to get a GED. They could have easily pressed charges.

Part of the issue is people like you who advocate for respecting "the system" and essentially scaring kids into not doing anything. Except that simply re-enforces the draconian laws that are currently in place. If more kids rebelled and this was a regular occurrence it would help to desensitize society to digital pranks instead of always treating these kids like terrorists.

Probably better to try and reform the law instead of suggest children break the law and ruin their lives.
Clarifying that the ruination of lives here is the direct result of profoundly bad laws that inappropriately criminalize benign behaviors.
Hence the need for reform.
This is a very complicated problem.

Unless you kill someone I generally don’t believe in life long criminal records. They only serve to drive people into further criminality.

I imagine for a robbery you could get 5 years in prison, 5 years with it on your record and then automatically get it expunged.

Back to the topic at hand , what if the IT hack stopped people from getting paid on time. How many suffered emotional distress ? Evictions can literally cause suicide.

Maybe someone can’t afford medication, skip it and have a stroke.

The entire criminal justice system is broken. So you did something stupid at 20, at 46 you still can’t find a job due to your record.

People want simple easy solutions. Things are much more complicated. If you release a dozen felons 5 years early and 2 go on to commit horrific crimes it’s easy to ignore the good the other 10 did

> The entire criminal justice system is broken. So you did something stupid at 20, at 46 you still can’t find a job due to your record.

Welcome to the War On Redemption. Primary participants are the harmful people who create these systems and the people who remain silent while countless lives are ruined for no good result.

I dunno. Assault that permanently injures someone, rape, kidnapping, and trafficking are lifelong scarring for the victims. I may not rank computer hacking or selling drugs as deserving of a permanent record, but there are lots of other violent crimes short of homicide that do.
I don't think it's the record's duty to keep you from being employed. That's the employer's decision.

Even if I agree that it's a dumb practice, you're proposing a world where employers are free to refuse your hire if you (eg.) were fired from a job 26 years ago, but not because you were convicted of a crime.

You don't have to tell them you were fired
Unfortunately, "desensitizing" people to existing law by illegal rebellions is a Pyrrhic victory at best when the consequences are so impactful to the individuals that martyr for The Cause.

There are processes for changing the laws without sending kids to jail, having to treat kids like terrorists, or potentially making the law even harsher because it isn't effective enough to dissuade lawbreaking. If the laws feel draconian, perhaps following those processes might be a better approach to change the system without as many sacrifices.

>There are processes for changing the laws without sending kids to jail, having to treat kids like terrorists, or potentially making the law even harsher because it isn't effective enough to dissuade lawbreaking.

And none of them work, or will ever work in this oligarchy. The rich own the congress, and the senate, and they benefit greatly from these things. America hasn't been a functioning republic in at least 50 years.

I don't think telling kids not to narc on themselves "validates the insane over-criminalization". I think telling legislators or parents would, though.

The comment didn't say "respect the system", it said to deal in the realpolitik and don't try to effect legislative change by ruining your life as a high school student.

I don't understand this response. Having been on the wrong end of it you should be advocating harder than anyone to teach kids the complexities of cybersecurity law and ensure they can make the right decisions rather than throw away their future over a stupid prank. There is no "validation" happening here, the OP is just stating reality. Random high schoolers' rebellions aren't going to result in Congress overturning the Computer Fraud and Abuse Act and a hundred related laws.
> ensure they can make the right decisions rather than throw away their future over a stupid prank.

Is it a good system if a "stupid prank" can "throw away your future" ?

No it is not a good system. But nothing I said is invalid because of that.
No, but that doesn't mean you should deliberately play into it.
(comment deleted)
GP isn't validating over criminalization. GP is trying to steer people clear of catching charges. The end results for both is, "Don't hack your school district for a prank," but the context of the two are very different. Students' minds are still developing. You can tell them not to respect Draconian laws surrounding hacking, but do the students understand what's at stake?

Yes, students get in trouble all the time, but most of the consequences for their stupidity are slaps on the hand. Lunch in a classroom, a parent-teacher conference, after school detention, in-school suspension, getting grounded - none of these things carry civil or criminal charges that are a matter of record. What should be a harmless prank can turn into a life altering civil and criminal charges. With high school kids, things quickly go from, "I hacked the school network to do a Rick Roll; they laughed and sent me on my way," all the way to, "I gave my friend the exploit to do something similar; I didn't know he was going to change everyone's grades to 69%."

Further, I would not want to teach in a district where students doing digital pranks is the norm. I volunteer at a high school. Unchecked digital pranks would quickly turn into a constant stream of disruptions. Everyone would think that their prank is better than the last.

> a prank

Why do we tolerate pranks? You shouldn't be able to interfere with someone else and say 'just a prank bro'. Leave other people's things alone. Don't create work for other people. Don't bother people just trying to do their jobs. Don't impose your sense of humour on others. These all seem like basics to me?

If you think someone's funny? Great. Just don't bother other people with it. Do it with your own stuff, not other people's.

Many criminal cases require establishing intent. Pranks may be harmful as you allude to, but the intent still matters.
How does that work? Can you murder someone for a prank and say your intent was just a prank so it was fine?
Intent separates murder from manslaughter in most states in thr USA, so yeah, a death from a prank is tangible different.
But they did intend to disrupt the systems in this case. The impact was their exact intent.
When people say "establishing intent" in terms of criminal cases, this is usually a shorthand for something more specifically defined in the law, like "intent to do harm" or something.

To use the murder example again: many people who commit manslaughter have all kinds of various intentions. The one murder is concerned with is whether or not they specifically had the intent to kill the person. "Establishing intent" in this scenario is specifically regarding that one intent. Not any intent.

> Why do we tolerate pranks?

Pranks can be an outlet for creativity and learning that might not otherwise happen.

The post concludes with:

> This has been one of the most remarkable experiences I ever had in high school and I thank everyone who helped support me. That's all and thanks for reading!

I'm certain this kid learned so much working through the execution of this prank, and without being criminalized by the district, he's better off for it. Likewise, the IT department is better off with a more secure system, and staff and students experienced shared moments of unexpected joy.

Call me naive, but I'd say this kid made his small slice of the world a bit better, if only for a fleeting moment.

> Pranks can be an outlet for creativity and learning that might not otherwise happen.

Great.

But do it with your own things then. Don't bother anyone else or touch anyone else's things.

And no worker should ever have to do any work (such as reset a computer system) because of your prank. Workers have enough work to do and enough hassles in their lives.

> But do it with your own things then. Don't bother anyone else or touch anyone else's things.

You're really oversimplifying here. Something tells me this highschooler doesn't personally own the breadth of commercial equipment that he hacked for this prank.

> And no worker should ever have to do any work (such as reset a computer system) because of your prank. Workers have enough work to do and enough hassles in their lives.

Okay, let's all be worker robots :)

> Something tells me this highschooler doesn't personally own the breadth of commercial equipment that he hacked for this prank.

So they shouldn't have done it.

> Okay, let's all be worker robots :)

It's not about what you want to do. It's about what some low-paid worker who has to clean up after you thinks. Or some other student inconvenienced by your prank thinks.

If you're impacting on someone else's life then you're in the wrong!

Who had to clean up here? Author cleaned up their own problem and literally delivered a detailed security report on how to fix the issue (not the damage done by the prank, which was zero).
Seems like it disrupts a class to me? What about the students who don't want to have their class disrupted? What about the teacher who has to catch up later?

What if these people don't want your sense of humour imposed on them?

I think it's ethically wrong.

>One of our top priorities was to avoid disrupting classes, meaning we could only pull off the prank before school started, during passing periods, or after school.
Their own video literally shows a class of people watching it happen.
I'm not sure what you think happens 5 minutes before the end of class on a Friday, but it isn't diligent learning.
> Why do we tolerate pranks?

As the author points out early on in this article, most school districts would not have tolerated a prank like this. In fact this is the only example I know about a prank this big that got the response of toleration the author documented in the article.

> You shouldn't be able to interfere with someone else and say 'just a prank bro'.

The students made a report of what they did and presented it to the administration.

I guess to be generous I could reinterpret your concern to be, "Do students in every school district in the U.S. get to avoid criminal prosecution under the draconian CFAA by constructing a complex hack tailored to avoid interrupting regular school business, then writing up a report and giving a powerpoint presentation to an apparently enlightened and tech-savvy administration to help them strengthen their network defenses?" In that case, point taken.

> The students made a report of what they did and presented it to the administration.

So what?

Can I push you down in the street and then hand you a report explaining how I was able to push you down and that makes it all ok?

Of course that's not okay. But if you're wearing a device marketed to you as a 'force field' because you're afraid of being pushed down the street and someone demonstrates that your force field isn't working by dancing really close to you, that's probably okay.
By saying that you're imposing your sense of humor on others too (as in, the prankster's sense of humor is "pranks are funny"; your sense of humor is "pranks are not funny"; according to your comment your stance is that pranks shouldn't be tolerated). You don't have to laugh, and you're free to say you don't like pranks. But tolerating other people's opinions/sense of humor/whathaveyou seems like basics to me.

(Maybe we just have different experiences and thus different definitions of the word.)

It’s like smoking. I should tolerate someone smoking in their own home. Should I have to tolerate someone smoking on public transport next to me? Absolutely not. Even if it’s their opinion that smoke is nice.
We need to have harsh penalties for this. People who don't understand the complex systems they were able to access, might introduce vulnerabilities that more malicious entities can exploit. An example of this would be a student at a university accessing internal network from a physical terminal in a building, (intranet), and accidentally disabling a firewall, (say to play a video from a remote location). In doing so, its no longer just a prank as they may have exposed the entire internal network to outside internet.

This is a super basic example, but it serves to illustrate my point. It's not just a prank bro, even when it is.

What? How is warning someone that they are going to ruin their lives the same as endorsing it?
validate the insane over criminalization

I think you misread the GP. He's not defending the system, just describing it, and how the OP was lucky that the people in charge were unusual and open-minded. He's warning others that the risk/reward implied by the OP's experience is misleading.

I suspect that most commenters on this site applaud the kids adventurousness and style. A great hack! But we are uniquely aware of how rare it is that anyone with authority, school administrators or law enforcement, would show any leniency or self-restraint in these cases. On balance, the instinct seems to go for the jugular, dehumanize the kid as a criminal hacker, and ruin his life. No-one is saying that's good, or reasonable. It's just how it is.

Warns kids against jumping off cliffs. Accused of causing gravity.
> because it sends the signal to other young aspiring cybersecurity professionals that this is OK,

There are multiple disclaimers in the text, almost every other paragraph.

Id actually wonder if criminal history matters when you have skills like this that are very much in demand.

If this went to court, the charges of malicious intent would likely not stick, so jailtime could likely be avoided in leu of fine/community service.

Competent tech companies will not give a shit about criminal record of this nature.

Expulsion from school is pretty much irrelevant, especially for CS careers. You can get a GED, find any college with CS program that will take your money, spend a year having fun, apply for an internship at a tech company, do a good job to be offered a return, talk to HR to go directly into entry level role, and you are set (have personally seen 2 cases of this happening with an intern).

The most functionally harmful thing would be monetary cost, which is still inconsequential considering the salary this guy would make.

It depends on how regulated the particular industry is. If you're building consumer web apps at a startup, it probably won't matter. If you want to be a government contractor, it's probably a nonstarter.
Most of the industry where the guy will be paid appropriately is going to be private. Cyber security specialists for things like AWS get paid much more than any government contractor.
That's not really the best example; AWS is a government contractor. It isn’t a coincidence that HQ2 is a few blocks away from the Pentagon.
Wow that's terrifying, I'm from the EU and did 1000x worse stuff than that, never suffered any consequence, which is not right, but teenagers going to prison for hacking pranks it's really fucked up.
> This kid is very very lucky.

No, he is just smart. He did it anonymously. He knows how to cover his a$$.

> it sends the signal to other young aspiring cybersecurity professionals that this is OK

The post literally has a whole section dedicated to explaining that this is not OK, but whatever.

Malicious hackers could have shown something unspeakably vile on all those screens. If this kid reduced the likelihood of that... he's a hero. Alas, I totally hear you.
There is something obscenely totalitarian about this whole mindset. You're making a very pragmatic point, but take a step back and look at the whole thing.

You're warning a teenager against making a brilliant, harmless, funny and responsible prank so that they won't get their whole life fucked up forever. Think a little about what kind of political system necessitates that kind of ridiculous warning. What sort of nation does this kind of thing to its kids? If we strike the United States from the list, what sort of countries are left?

You guys really need to get your so-called justice system sorted out. Sorry to make such a blunt point, but this is depressing as hell.

yeah, it's pretty messed up that there's such extremely heavy penalties for merely playing a youtube video on a few screens whereas looting and stealing go completely unpunished. what kind of message is that sending to our youth?
The CFAA exists to make sure that nobody can use computers and the internet to have any power over even tyrannical authorities.

CFAA and the DMCA are some of the worst, most authoritarian laws ever created, and they exist to do nothing other ensure a system where being rich enough to afford lawyers means you don't have to do anything else.

Use default passwords like an idiot and someone uses their autofill? They're the criminal, not you.

Let people just change the account number in the address bar and switch accounts with zero authorization or authentication? They're the criminal, not you. (Bank of America literally did this.)

Have open access for students to download papers and one of them uses it to download all of them? They're the criminal, not you. (RIP Aaron Swartz)

I support jury nullification for the CFAA and DMCA and so should everyone reading this.

When I was in elementary school in the early 90's, I discovered you could use AppleTalk to print to just about any printer in the district.

I would print pages and pages of "I AM THE MASS PAPER WASTER!!!" to random printers in other buildings. I'm genuinely curious if it actually worked.

Fun story! Such incredible attention to detail and thoughtfulness, all the way up to automatically sending a pen test report to the district's technical supervisors, and sharing a presentation after graduation. This kid was one step ahead all along.

Great work, Minh.

Do prosecutors need consent from victims to file charges in cases like this?

Also if you're going to commit a crime and brag about it, don't say "hey well they would point the finger at me anyway and I'm not going to name my partners." You've just told them there are coconspirators, and you don't have a right not to incriminate others.

They don't legally need it, but such cases are pretty much dead in court without the victim's cooperation so the prosecution will almost always drop it.
The Aaron Swartz prosecution continued, even after MIT and JSTOR said they didn't want to press charges, because of a zealous prosecutor.
What happens when the suspect publicly admits to doing it and providing detailed information on the motive and means
Serious question. What, if any, instruction do kids these days receive regarding what's allowed on computer systems?

I remember in high school poking around a network drive until I found an executable with the name "SEND" in the name. I had a sense that it would send some kind of message somewhere, but I honestly didn't know where or to how many people. I was quite surprised when all the screens in our computer lab froze and, five seconds later, my message appeared on all of them. (I later learned that my message appeared on every desktop screen in the school!)

I'm not sure exactly how they found me out, but I was called into the IT admin's office a couple of days later. She was furious with me. I told her the truth. I didn't know what exactly would happen when I ran that command, but she didn't buy it. Fortunately, nothing ended up happening after that.

I've wondered to this day what exactly they could have done to me if they decided to press whatever legal authority they might have had to its fullest extent. I was never told "don't go to Z:\" or "don't run any program other than those on this list." Even after I was found out, I wasn't ever explicitly told that my actions constituted unauthorized access.

It was a different, perhaps more innocent (or ignorant) time back then. How much have things changed now?

I graduated high school in 2015. I remember similarly poking around a network drive until I found a file in plaintext which contained everyone's student ID and whether or not they had a nut allergy (protected by HIPAA), for the bus system.

I didn't think much of it, but some other students caught wind. Before I knew it, the superintendent threatened to have the police involved and press legal action for "hacking confidential student data."

It's CYA all the way, usually at the expense of the person in the chain least equipped to cover their ass (the student).

Wow. That's terrifying. And you didn't even run anything!

I'm guessing that they never told you "don't browse this network drive"?

Never press F12 while browsing. Instant hacker.

Seriously, I found a state website that appeared to be exposing NPI about certain people in an API response. So much NPI nicely formatted in a JSON response. I closed the page and never touched it again. You know the state will declare me a dangerous and sophisticated hacker because I pressed F12 to open the developer tools, that's much easier than admiring they made a mistake.

> whether or not they had a nut allergy (protected by HIPAA)

Personal pet peeve:

Your high school is not a covered entity and is not acting as a business associate of a covered entity. HIPAA does not apply. They are free to keep a plaintext file with your name, nut allergies, COVID vaccination status, and anything else they want to put in there - without HIPAA entering into the discussion.

FERPA could apply, but I don't know much about that.

Nut allergy info that was collected by the school (teacher, admin, nurse, whoever) is part of the student records and would be protected information under FERPA.
Similar story: the dean of my "high school" [1] asked me to create our school website. Another student apparently poked around on a network drive and found an SQL dump of all the students' network username/passwords. I brought this file to the dean, told them it was available on a shared drive (so they could remove it), and asked if they'd like me to use it -- since I already had it -- to enable all the students to log in to the school website with their existing network usernames/passwords. They said that was a great idea and gave me the OK.

A week later, police escorted me from my dorm and both I and the other student were eventually expelled and threatened with harsh legal action, which never came.

[1] The "high school" was an early-entrance-to-college program where we started college at 16, lived on campus, took the normal freshman/sophomore college courses, and eventually received a high school diploma and an Associate of Science when we graduated at 18. The website was for the school I attended, but the SQL dump included all of the university students as well. The school has since shut down.

Kids have been jumping fences for millennia.

That said, I did know a kid that had charges pressed against him when I was in school so things weren’t necessarily innocent back then either. He was admittedly an idiot and borderline malicious though.

I can't answer your question, but I strongly suspect the backstory on your furious IT admin went something like this:

  * SEND happened
  * Minor kerfluffle ensued among various functionaries
  * Big Boss worried that something Big was going on
  * IT admin was questioned and had no answers
  * Simmer for a few days, Big Boss repeating questions and IT admin being flummoxed
  * Eventually adequate logs are found and correlated that place you as the likely responsible party
  * IT admin is lathered up about a big nothing because Big Boss keeps asking and their competence is in question
  * IT admin unleashes the pent up frustration of a few days of stupidity and job security uncertainty on you, and is not satisfied that all this drama was initiated by boredom and not malice
  * IT admin reports to Big Boss, who basically brushes it off because they have moved on to other things -- and at the end of the day knows they run an organization filled with kids, some of whom are more curious than others
  * Issue disappears
Good old "net send." Out of all the things, that was the one I got chewed out about too.

Wasn't a regular MS user, but we were in a computer training lab at a company for "computer day" field trip. Was bored during instructions, so naturally I logged in, found "net send", and sent a few crank messages to classmates using * as destination. Everyone, including the instructor, got a good laugh.

Approached later in day by corporate IT. Apparently the lab had poor routing rules, no firewalls, and sat on the main Corp network. My messages were received on 25,000 terminals.

Thankfully, they recognized this as (a) harmless, and (b) their own lax failure. No adverse outcome.

My time in highschool was wasted. Kudos to these amazing kids.