372 comments

[ 0.15 ms ] story [ 391 ms ] thread
Fun story but the fact that he totally lost touch with his childhood friend over something so silly makes me sad.
It makes me even more sad that we haven't remedied that sort of thing everywhere by giving children rights, including free association with others. In other words, parents cannot govern friends and romantic partners.
There's definitely a balance to be had... Kids don't generally have those rights because they have far too little life experience to judge the effects of associating with people. Adults have seen the life paths of those around them and observed where certain directions can lead. So, parents look out for their kids. Sometimes the parents just have poor judgement, heh
Adults have seen the life paths of those around them and observed where certain directions can lead. So, parents look out for their kids. Sometimes the parents just have poor judgement, heh

That last bit is the issue. DO you really think a racist parent is going to allow a child to date somone that looks different - or a devout catholic is realistically going to allow their child to enter a same-sex relationship?

Ignoring, of course, the number of kids that DO just that, quite possibly BECAUSE of the parental idiocy.
So would you be alright with your son/daughter choosing their romantic partner as a 50 yr old pedophile, drug dealer, and/or avid supporter of whichever religion or cause you find the most perverse and destructive to humanity?
Obviously, no one should be OK with their child dating someone that is a pedophile. That is obviously child abuse, and call the authorities. I*m not about to let a child be abused, and I find this particular question a strange place to go, since it does seem to be a slippery slope argument.

The only real way a parent would know if someone is a drug dealer is if the parent does drugs, or if their friends have bought or sold to the child. Otherwise, I'm just being judgemental or listening to gossip. If i have suspicions that my child can get in trouble with them, the proper thing to do is to have a discussion with the child. After that, it is their decision.

I don't realistically find any one religion to be that, in general, but again, if it concerns you, talk to your child about your concerns and hope that you aren't being xenophobic instead of reasonable. Same thing with racism: Chances are, you'll just drive a wedge between you and your child.

For the first part your statement was

> parents cannot govern friends and romantic partners.

With absolutely no qualifiers. Unfortunately there are pro-pedophilia people out there, and some are quite public about it (for instance, Richard Stallman at one point). So I think it's important if you take that stance you clarify.

For the second part let's say that there is no question about it (maybe they were convicted). What if they are a violent person? Are you willing to let your child potentially harm themselves or others by being in the influence of violent people?

Lastly you misunderstood what I was saying. From your comment I assume you are against xenophobia and racism (rightly so). What if your child wanted to spend time with another child who openly hated black people or Jewish people?

What I'm saying is as a parent you do have a duty to take care of your child. You should prevent them from being hurt and hurting others. You need to instill in them moral values that make them a good person. If you do not have any power to say, prevent them from spending time with soemone who openly hurts them, then they aren't going to listen to you. They have to learn some things through experience, but other things would hurt them on such a great level that it could be permanently damaging. Yea they might not like it, but when you are a child you don't always have the mental capacity or experience to make all of these decisions logically. True love for someone is not always pretty, it sometimes involves telling them "no" to protect them.

I can agree some parents take this power too far and abuse it, but saying they should not have this power at all is not right.
Runs into the same problem the majority of people have in capitalist democracies: rights are tied to economic ability. Kids are usually economically tied to their parents, so if a parent decides "Wups, gotta take a new job across the country" or even "I'm sorry, I don't have time to drive you there."

(As a side note - dumb parents tell their kids "No, you can't be friends with ...." Smart parents ensure their kids will never meet ... before their kids are even born, through zoning laws and buying a home in a good neighborhood. I wonder if housing policy advocates realize how much of housing policy is driven by ensuring that your kids associate with "the right" sort of people.)

Are you a parent?
It doesn't matter whether or not I am. IF you agree, you do, and if not, you don't. I know some places have children's rights, which include freedom of association, especially as children get older. (Norway, for instance).
Not a parent then lol

Also, freedom of association doesn't refer to who a child can befriend or date. It refers to their ability to participate in causes that affect them, such as volunteering with NGOs.

What you're proposing is extreme by even Norway's standards.

This story (assuming it's true) should serve as an excellent example of why you need privacy even if you think that you don't. In peace time the NSA is only looking for "terrorist" and leaves everyone alone, but in case of war they would start creating lists for any and everything. All it takes is one "tough" agent trusting their gut feeling/algorithm based on your browsing history and shopping habits to put a target on your back and you are done.

EDIT: Replacing "if there's any truth to it" by "assuming it's true". I did not mean to imply that the author made up the whole story and thought both expressions were equivalent.

Combined with a continual state of "war on terror" and a post-conventional-warfare world, this time is basically all the time anyway.
The "if there is any truth to it" remark was unnecessary. The author was very well known on the net when it was a much smaller place (the old Usenet days), and implying that he made it up is, to say the least, impolite.

His Wikipedia page: https://en.wikipedia.org/wiki/Les_Earnest

You may know him but I did not, so I erred on the safe side and added the "if there is any truth to it" as it's a much safer default to assume that everything I read on the Internet is possibly made up.
I'd say it still sounds a bit hostile. I'd suggest "assuming it's true" as a nicer way of saying it.
Seeing the reply I'm getting, I think this is just the "English is my second language" showing on my side. I always assumed both expression were somewhat equivalent but clearly they aren't.
As a native speaker it appears to me that your audience is being a little uncharitable (they being, ironically, intellectually ungenerous toward you).
I wouldn't concern yourself with it too much. Both of your statements were entirely reasonable and polite in tone and candor. Hair trigger, induced outrage is common among Englisch. They are much less prone to such gewinsel in public, the knives only come out online for whatever reason.

Anyway, it is important to recall that with every move that is made, it will disturb someone else. Impudence should be avoided, but the trivialities and whims of Englisch are of little concern.

I think what /u/not2b was getting at in the bigger picture, is that we can decide for ourselves if something is not likely to be the truth.

But if you explicitly add "if there is any truth to it" to your post, then it suggests to the reader that the story is probably false and that's not a very useful premise to start from.

I don’t think assuming stories as untruthful is using good faith. I think this line of thinking heavily contributes to this post-truth society we live in; if everything online is a lie that leaves the individual to create their own truth from the lies leading to this idea of post-truth. Obviously there is more nuance than this because websites need views for ad revenue and people like lying online for imaginary internet points or attention, but I see little reason to lie on HN unless it’s for a company’s PR.
Not believing everything you read that causes searching for additional credible sources for corroboration should be the healthy approach. It's quite disengenious to assume the original poster immediately jumped to any conclusion without additional research and landing that it was fake.
I personally think it is the other way around. If people didn't blindly take any story someone they have never met before says as truth, because of "faith" in humanity or whatever, then there would be far less reason for people to be untruthful all the time.

This is a general comment that is in no way related to this particular case, of course.

Whether it's "using good faith" is frankly beside the point. Default skepticism is the only way to not get fooled over and over again. People demonstrably don't need a reason to lie beyond craving notoriety; no one on Reddit gets paid for the tall tales they tell. This doesn't mean you just get to make up your own truth either. Rather, it means that finding the truth is very difficult and sometimes you need to explicitly maintain agnosticism, you know, like GP did.

To lean on "good faith" is just another way to lose your nerve and fling yourself on the mercy of blind belief.

I know Les and I was also skeptical as to the truth of the story due to the creative style of writing. A bunch of computer nerds are into fiction writing.
> I erred on the safe side

The safe side is giving them the benefit of the doubt. Possibly made up, sure, but your "if there’s any truth to it" gave a most probably made up vibe. Not only is that uncalled for, it’s pretty inaccurate.

I believe that this happened, but I don’t think that details are accurate. Specifically stories told by FBI agents. Memory is flawed, kids tend to exaggerate things(he was 11 at the time). As far as I understand, it was retold him by his mother, etc.
"and you are done" While I agree about the need for privacy, I don't think this story is a good argument for it. One of the interesting aspects of this story is that the main actual consequence of this privacy invasion was that he got his glasses back.
But that's probably because he was a child, not of Japanese descent, and one of the two agent actually believed the story.

If he had been a 30 years old Japanese weirdo that likes to keep "codes" in his wallet I am pretty sure the story would be very different.

Only because he was white and born in US. Had he been the son of a middle-eastern immigrant in 2011, daddy would have disappeared.
> In peace time the NSA is only looking for "terrorist" and leaves everyone alone

If you say so.

You can't spell uNSAvory without NSA.
Very good point. Everything is framed under the status quo. If shit hits the fan, all those assumptions immediately fly out the window. If the writ of habeas corpus is suspended, NSA instantly transforms from shady to Stasi.
> In peace time

And honestly, when was the last time of any significant duration when the US was not involved in a military conflict?

Seems like the safest bet would be to fully inventory every human, know everything about them as well or better than they do, and then, once you're highly assured of their safety to the commonwealth of the country monitor them for even the slightest changes in their disposition or regular pattern of activity.

Of course, you would have to completely disregard any concept that people would have a freedom to privacy to do that, and you would also have to account for natural changes over time.

People make new friends, get exposed to new ideas, and gradually change no matter how hard you try to lock them in a box. The data storage and processing requirements to monitor America's 350 million people would be understated as staggering, the man hours for perfect enforcement incalculable, and even if you reached Pareto parity (monitoring 80% of the highest-risk individuals 100% of the time) you're still going to have people slip through the cracks.

I would place a $100 bet on this already being the practice of the 3 letter agencies and if they haven't fully rolled it out I would hazard an extra tenner on that they're within 5 years of completing it as long as their funding isn't disrupted.

The only defense most of us have against it is that we're not individually interesting so we probably never register as more than a blip on a hard drive somewhere under most circumstances, human eyes never prying into the worlds we make for ourselves.

Where this apparatus gets really interesting is the addition of AI.

Suddenly cross-referencing pockets of activity in the giant trove of permanently stored data can be done for every citizen, not just ones of interest.

You can start modeling and simulating behavior off that data to predict future actions like in Minority Report.

But if you look far enough into the future on that trend and link it into Microsoft's recent patent on resurrecting dead people as AI chatbots from social media data, the treasure trove of all online activity for every citizen becomes a curious anthropological artifact as the people in it die off.

Did you have a nuclear scientist on the verge of a fusion breakthrough die before they could finish their paper? Just feed the entirety of their digital life into the system and extrapolate the non-digital using generalized "human experience" models built off everyone else to resurrect a copy of them (or many copies) in a simulated continuation of their day to day thinking and working.

Very few people fully understand the extent of the digital footprints we are leaving behind in the context of trends in big data.

The data we are leaving behind in mass collection will eventually take on (literally) new life.

Yeah, he's for real, and I heard him tell this story (and a number of others) about 40 years ago, for what that's worth. In addition to his other info on the web mentioned elsewhere here, there are also quite a selection of his files from the Stanford AI Lab (SAIL) system, that have been pulled off of old backup tapes, and with permission appear at https://www.saildart.org/LES (note the 3-letter account name, and 3-letter, single-level subdirectory names that you can click down into).
Cool. I mean, wow, that's a great old resource. I like https://www.saildart.org/[OLD,LES]/ (always interested in what academic researchers at stanford and berkeley were doing around the time I was born, especially machine learning)
Well, then you're sure to like https://www.saildart.org/JMC (John McCarthy).
Thanks!

Some pretty amazing stuff in there including his comments before the four color theorem was proved

NSA is for foreign surveillance.
That is not true. The NSA operates domestically as well.
Oh, okay then, case closed.

In other news, North Korea says they're a democratic republic, so that's another thing we don't have to worry about.

The 4th Amendment
Doesn't mean shit without enforcement, which is conveniently also handled by the same cabal. I can't believe this basic fact has to still be argued in a tech focused forum despite the Snowden leaks.
A whole 6 years after the information was made public by a whistleblower who's still treated as a criminal. Surely you can see how little that means for constitutional enforcement?

All they have to do is mark everything as secret, aggressively pursue whistleblowers, and if they happen to get caught, just have the secret court admit guilt without consequences and let the public assume all is well again. Rinse and repeat.

After all, it isn't like they didn't know what they were doing, they explicitly ignored the restrictions placed on them by relying on secrecy and legal loopholes.

I don't want to go down a rabbit hole about Snowden- we are already far from the original topic.

You show some clear misgivings and biases that tell me it's not worth my time discussing.

Let's agree to disagree. :)

Haha sorry for coming off as too aggressive, but yes best to agree to disagree :)
Don't click on that link or they'll put you on their list of people who are spying on them!
Be sure to read the follow-up (https://web.stanford.edu/~learnest/cyclops/bash1.htm) about the challenges the author faced in trying to help move forward a reasonably safe standard for bicycle helmets.
Yeah, came to say the same. The multi-part saga of helmet safety is fascinating history, and enlightening to hear the story of the people who were fighting this fight for so long. I’m bookmarking this!
If bicycle helmets were essential for causal-speed, safe path, everyday bicycling, the Dutch would use them.

Interesting fact: in the US, riders without helmets receive more average buffer space from road vehicles than those with.

If you're downhill mountain biking, wear a proper helmet. If you're racing in Manhattan, wear an equally suitable helmet. If you're leisurely riding on a wide, empty side road in a residential area and cycle often, it may lend more placebo overconfidence to the rider than it confers necessary protection. It seems like gearing-up in knee and elbow pads to go for a simple walk.

I'm sorry, but what you're saying has nothing to do with what I linked to. The linked article is about the development of helmet safety standards and their use in bicycle racing.

Please read the linked article, you may find it interesting.

Those Dutch who don't wear helmets do it because they're idiots, it's as simple as that. Any fall - even if you're standing with your legs on the ground - on a bike can break your skull. You try to avoid a dog or a ball and pull the front brake instead of both - boom broken skull. It's just plain dumb.
Pulling the front or back brakes makes almost no difference at normal speeds (≤15 km/h), and even if it did you can't just say "emergency stop equals broken skull".

Many things can "break your skull", and there are many things you can do to improve safety. A whole bunch of years ago the then-UK government tried to promote "pedestrian helmets". No doubt this improved safety, but they were widely mocked. You need to draw a line somewhere.

It makes enough difference that I myself landed on my head a few times in my life. Fortunately I had a helmet. And yes I was going slow.

The line is drawn around your bike. Don't ride it without a helmet.

I agree you should be able to do that without consequences but there's nothing brave about pulling down an American flag and stepping on it.
In many time periods in this countries short history, you would be dead wrong. But, I was more pointing to the bravery of these FBI agents, investigating this horrendous crime
Assuming the flag wasn't your property (and that you weren't a four year old like in the story), you probably shouldn't be allowed to do it, but it should be at most a minor vandalism case for local police, not the FBI.
> you probably shouldn't be allowed to do it

Why, assuming it belongs to you?

I said to assume the opposite of that. The case they were citing was definitely not the owner of the flag doing it.
(comment deleted)
In Afghanistan? Maybe not. In the USA? That could be something very brave indeed. (Rabid patriots please recall brave does not mean good nor bad)
Reports aren't indictments or any curb of freedom from the government

You have to argue in front of a federal judge that the existence of reports chills your speech, but you also have to prove you were effected, so its like schrondinger’s speech where the judge cant curb a government behavior if you cant prove something you didnt do, happened.

(comment deleted)
Please don't start nationalistic flamewars on HN. They're tedious, repetitive, and nasty—just what we don't want here.

https://news.ycombinator.com/newsguidelines.html

You have a very odd reading of my comment Dang, how is criticizing the FBI's abuse of power nationalistic?
It isn't. But doing it with a snarky one-liner containing nationalistic flamebait is.

It's not hard to criticize something like "the FBI's abuse of power" in thoughtful, substantive ways. Plenty of HN users do that while staying within the site guidelines. From a moderation perspective, the issue here isn't the FBI or any other divisive topic—it's simply comment quality.

"Comments should get more thoughtful and substantive, not less, as a topic gets more divisive."

https://news.ycombinator.com/newsguidelines.html

I still don't see how you are parsing anything nationalistic from this (the comment being a snarky one-liner is what made it nationalistic?). But you are more than welcome to censure any snarky one-liners that you feel go against HN's posting guidelines, regardless of interpretation. Thanks Dang
The snarky one liner was quoting a national anthem.
That is the most ridiculous reason to label something as nationalistic that I think I have ever heard. Thanks Dang, I have a much better idea of what is and isn't acceptable after this conversation. I'll be sure to avoid posting snarky one liners about other nationalist topics in the future, like Apple Pie.
Sorry but I really don't think that was a borderline call!
So... the headline invokes an inappropriate image. The author attracted the attention of the FBI in 1942, when "cryptography" meant wartime codebreaking, and his amateur cypher got lost and then found and turned in by a genuinely concerned citizen.

I mean, OK. Sure, it's bad that kids interested in math get caught up in this. But come on, it was the middle of the biggest war in history and real spies were indeed doing real work with codes like that. This says nothing about modern enforcement regimes, nor should it.

This is the important take-away, here.

If he were dabbling with radios at the age of 11, in 1942, he'd have ran into the same kinds of problems.

Hell, simply being of the wrong ethnicity was more than enough to dump a world of problems on your head in that time period. 120,000 people were sent to internment camps for doing literally nothing, and we're wringing hands over a kid getting a house call from the FBI.

Hell, simply being of the wrong ethnicity was more than enough to dump a world of problems on your head in that time period. 120,000 people were sent to internment camps for doing literally nothing, and we're wringing hands over a kid getting a house call from the FBI.

Actually, wring hands at both things. The camps were atrocities, even if they didn't match quite the enemies' atrocities. But they were also doing this sort of thing to many different sorts of folks.

On the scale of hand-wringing, this doesn't even register. Nothing bad happened to him. The police looked into it, decided this was probably not an issue, filed it, and moved on. No laws were broken. No procedures were violated. Nobody's fundamental human rights were curtailed. The procedures or laws in place weren't unfair or excessive.

This isn't the Rosa Parks, or the Rodney King, or the George Floyd of police abuse. This isn't the springboard for broad, or even narrow reform. This is the system working. I understand that a tinkerer may feel offended by the fact that the police even looked into this in the middle of a world war[1], but if that's the poster child of your problems with the police, you are in a staggeringly privileged position, compared to on-going, actual problems, affecting millions of people every year (outside of the context of, well, a world war.)

[1] That was in large part won by intelligence and counter-intelligence.

Most importantly, there is something modern enforcement could learn from the story: nothing bad (aside from a stressful meeting) actually happened to the suspected but ultimately innocent kid
As it relates to the man's story, the most offensive part about it is the demeanor of the agents angry at the kid and being abrupt with the mother. The FBI rightfully investigated at the time what seemed to be a coded key, which is very uncommon. The boy did nothing wrong, and he wasn't punished.

But if the FBI wants to be pissy for hitting a false positive, do it at the water cooler, not toward innocent people. They should have offered the kid a job.

Lesson learned: "We traced the glasses to your son from the prescription by examining the files of all optometrists in the San Diego area." - if you want your possessions found, you can either attach a note with your home address or an AirTag... or simply something _so_ sketchy that an intelligence agency delivers your stuff together with an awesome story.
A gangster was in prison, when he received a letter from his mother. "We miss you very much, and it will be hard for your father to till the garden without you." "Don't do that, that's where I buried the guns!" he wrote back. A while later he received another note: "Some men from the prison completely dug up our garden looking for those guns, but they didn't find anything." "I know, mama. It was the least I could do for you."
How does one find out that you have an FBI record?
You probably don't find out unless you've been visited by the FBI. Once you are visited, though, you can be pretty certain that you do.
You can have an FBI file and never meet anyone working for the FBI. Similar to how you can have a FB profile while never joining FB.
I assume the easiest way is to do something that would cause you to get one.
Protip: an FBI record means nothing and you can check if you have one too!

There is a gov site somewhere maybe someone else knows the url

Is there something like that for foreigners from the NSA CIA WhateverA too?
They have records on you if you exist, and probably if you don't, too.
In other words. Assuming I spend lot of my youth with cryptography, tor, basically gray area things. I realize they may have a record on me, but is there any way to know if it is safe for me to ever enter the country without them making a huge deal out of it?

I wouldn't ask wouldn't I know people personally who had extended weird discussions for hours before they could enter the country.

I assume this one:

https://www.fbi.gov/services/cjis/identity-history-summary-c...

But it isn't clear to me if this would provide the kind of information presented in the article (e.g. if you've been simply investigated for a suspected crime).

> listing certain information taken from fingerprint submissions kept by the FBI and related to arrests and, in some instances, federal employment, naturalization, or military service.

This story contains a link to another of his stories (also published in Communications of the ACM, February 1989).

Old as it is, it seems quite relevant in our current race-obsessed culture: https://web.stanford.edu/~learnest/les/mongrel.htm

Yeah, I read that. I wonder if in another 75 years we'll have become as much more enlightened about race as we did from the 1950's to now and look back on some of our present policies and practices with horror and disgust.

Seems unlikely, the first 80% of improvement is the easiest and we've got to be somewhere close to that now, but I could be wrong.

The systems he described were pretty crazy, confusing race (physical characteristics) and ethnicity (culture). On the other hand, you get that everywhere. I don't even know how to describe my ethnicity. "Generic English-speaking" is my best attempt.
I got a CSIS record at the age of 12 for the same reason. It turned out after someone did a FOIA request that the IRC chatroom I was having some crypto fun in had a CSIS record.

Sadly after that a lot of people got spooked and I lost touch with many there. Never got to meet my friend despite living in the same city :(

This title needs to be qualified with "during World War II" or (1942).
He was able to tinker with a radio at age of 10, in 1940. I had my first electronic at 19, in 2003, growing up in India. Today, almost anyone in the world can have access to the latest tech easily. Great minds were there and are everywhere in the world, they just didn't have access to resources. Think how fast the research monopoly of US is going to shrink.
Growing up in a Third-World country, I was tinkering with electronics at age 10 and built my first crystal radio at age 11 from junk parts. Dumpster-diving isn't hard as long as you don't mind the occasional dead dog.
I've found entire, functional computers thrown out. My first web server was a 386 built from dumpster-dived parts, quickly upgraded to a 486 as I found new stuff. I still have those computers, too. It's amazing how wasteful people are with tech. People, please don't throw out working computers if you can avoid it. Take them to a thrift shop or a specialized place that will fix them up and sell them, like Free Geek. Post an ad on Craigslist "free" section.
A year and a half ago, I found an entire HP Elite 8300 standing by the dumpster in the rain. It was only missing a hard disk (likely removed to be shredded).

I brought it in, checked it for rust or damage, let it dry for several days, and ordered a hard drive for it. It runs fine, and I use it as a repo/build server.

Nice. I have an SGI Indigo that I will probably never be able to use again because I forgot its login credentials years ago. And I think the monitor was proprietary to SGI and I tossed because it took up too much room.

Then again, I could probably find a downloadable OS for it somewhere online.

Unless it's been secured, you can probably boot using the miniroot on the installation media, go to the password file and clear the root password and save.

Restart that Indigo, and log on as root, no password.

When doing various services on these machines, I would keep a drive ready to boot miniroot. Would clear the root password, archive the hash, then do the work, put it back and on to the next gig. Most of the time nobody even knew what that password was.

Took {big company IT} quite a while to finally call and ask how those services were getting done...

http://www.sgistuff.net/mirrors/4dfaq/index.html#bootsash

You can definitely boot that SGI in single-user mode or off a bootable OS and read the passwd file. Just found a guide on resetting the root password on an SGI machine[0]. Someone probably would have paid multiple $hundred for that monitor :(

[0] https://software.majix.org/irix/admin-password.shtml

That's awesome!! Great find indeed. The best working system I ever found was a Pentium 4.
Apart from the dead dogs my experience in a first world country was quite similar. But for some reason I'm more impressed with you, probably because here in NL electronics were relatively easy to come by because people were throwing away older generating electronics with great regularity to buy something newer.

Whereas I would expect that in the 3rd world by the time you got your fingers on it it must have been technically beyond salvage.

Crystal radios are neat!

Thank you. I found the same to be true, though. Most people don't know how to repair radios, or don't know anyone who can do it, so if it's anything more complex than a broken wire, it ended up in the trash. At least the cheap, handheld transistor radios did. Happily, everything was through-hole in the 70's so parts were easy to remove :-)
Yes, thank god for through hole parts, otherwise I don't think I ever would have made it this far. VLSI is killing poor kids' ability to get started with electronics.

What did you do your soldering with?

My first soldering iron(s) were simply screwdrivers in the stove :)

I even recycled the solder but it took a while to understand that you need flux as well as solder to make a good joint.

I don't think heating up a screwdriver ever occurred to me!

My first soldering iron was huge! I don't remember who gave it to me, but it was clearly not for electronics. It had a small wooden handle and a tip that looked like a large, bent flathead screwdriver. It could remove parts, but not much else. Ha! gotta love google. It looked something like this: https://www.amazon.com/Soldering-Handle-Chisel-Point-Copper/...

Thinking back, my grandfather was a carpenter and left a shop full of tools when he died, so it's possible that it used to be his.

I remember asking for a real soldering iron as a Christmas or birthday present and getting a low-wattage one since they didn't cost that much. Until then, everything was held together by wrapping wire onto leads.

The strange thing is that I remember having a small soldering iron, but I don't remember ever having actual solder.

Interesting thread this. You made me re-live a whole bunch of my past and I noticed something funny (or at least, I think it is funny): to this day I can't help myself, when I walk by a dumpster or the garbage before it is picked up I am still scanning for TVs, tape recorders etc. It's so automatic that if not for this thread I would not have caught on to what that was all about, it's simply a habit.

And I still can't stand waste.

One day we will look back to this age and wonder: how on earth could we have been so wasteful that perfectly good stuff ended up in a landfill.

That soldering iron of yours looks like the perfect tool for some SMD work.

I recall those in the hands of stained glass workers, either that or gas heated ones.

My first upgrade from a screwdriver looked like this:

https://i.ebayimg.com/images/g/pEUAAOSw621hLQqd/s-l1600.jpg

Which actually worked well enough for tube based electronics, (not even hole through, just built up in the air on metal frames). And it held the heat a lot longer than the screwdrivers, which tended to carbonize after a while.

A lot of functional electronics end up in third world countries as "e-waste." Never underestimate the wastefulness of American consumers.
My early years were in rural India, so even Motorcycles were rare to sight. However, I did my dumpster diving with Books and Magazines, and collected a lot of relics.
My FBI file was for hacking into my school district's AS/400 that handled my school's attendance and grading system. Somehow using a public IP address with no access restrictions allowed a clear telnet path in from home. Compounding username and passwords that were all the same for every employee. I didn't change a thing, just LOLed and told someone. Bad mistake. This was the late 90s.

Oh well, 2 week suspension and kicked off the computers for less than a year. A nice conference with FBI, police, my parents, IT and school administration. Fun times.

I learned my lesson to not talk about such things because their egoes were too fragile.

When they decided to give students in their website design class ftp accounts on the district wide web/email server running an ancient version of Debian, they didn't disable the shell, just added a login script to a menu for pine, etc. for people who telnetted in, which I'm sure the sysadmin was proud of. However, a few fast CTRL-C's broke out of his script menu loop and got me a shell, and they didn't shadow protect their password files. Ran it through john the ripper and had half the district's e-mail passwords in a default dictionary file including the root pw in a few minutes. LOLed and never told anyone about that.

Good times, the 90s....

> I learned my lesson to not talk about such things

I like how you shared how you learned lesson to not share mischievous activities with people in the same post you then go and share more things you haven't been caught for.

This is going on your permanent school record! /s

That's great. I know even as of recent of 2021 I've seen some places that had 0 security on things.

> I like how you shared how you learned lesson to not share mischievous activities with people in the same post you then go and share more things you haven't been caught for

American public schools are quite adept at teaching distrust in authority, particularly in bureaucrats. That doesn't mean distrust in everybody.

> American public schools are quite adept at teaching distrust in authority, particularly in bureaucrats.

It's an important lesson to teach kids while they're young! Strange, though, how you never see it on the formal curriculum.

it’s a hidden lesson, only for privileged kids.
How is that a lesson for privileged kids only?
Because in the United States, unprivileged kids often get thrown into what we call the "school-to-prison pipeline" for inconveniencing authority figures.

Unfortunately, they end up learning a different sort of hidden lesson.

(comment deleted)
I think the example is in the great grand parent comment

> Oh well, 2 week suspension and kicked off the computers for less than a year. A nice conference with FBI, police, my parents, IT and school administration. Fun times.

Something that most would believe as non-malicious and just for the lolz received a (what I personally think is) heavy punishment. So as a kid you learn to just keep that to yourself because you don't know if you'll get a "oh thanks for telling us" or a "you're expelled". Its not explicitly said to distrust but you learn from experience.

The American public school system likes to teach that they are an authority that should be trusted.
Lol, yup, we encounter the principal-agent problem early.
> American public schools are quite adept at teaching distrust in authority, particularly in bureaucrats.

I wonder to what extent that property is primarily due to them being schools, or primarily due to them being public, or primarily due to them being American, or is it some combination of the three?

My own impression (having experienced both as a child) is that private schools are less prone to bureaucratic inflexibility than public ones, which is one of the reasons why my wife & I have chosen private schooling for our children. But, not the US, so our experiences may not be directly comparable.

I love how student government teaches you how government really works. The election is a popularity contest for a puppet regime with no real power, but you can pat yourself on the back and take price in the democratic process.
This made me think of The Simpsons episode that parodies Evita. Lisa is elected but quickly becomes a tool of the school administration. Season 14 I think
Depending on where you go to school, I think student government actually does have responsibilities with planning events and such, and this gets far more important in college than in k12.

In k12, while it's not really meaningful, It's still an extracurricular activity, and at the same time it shows that you can work with others (theoretically) and that people like you enough to put you there.

Unless you're in an anime. The student council in anime not only has power in the school, but outside political and military power besides.

> it shows that you can work with others

Nope.

> and that people like you enough to put you there.

This. This is all it shows.

another thing probably learned is statute of limitations!
I think this is especially prevalent in schools. You'll see things like this even for things that aren't related to computers. When I was a kid, drugs in your locker were your drugs, even though breaking into the lockers was trivial and stashing drugs in other people's lockers was the way business was done.

I wouldn't have told the school of a theft I witnessed even if I knew there were cameras recording the entire thing. You're guilty unless you can prove someone else was more guilty and they're not really concerned about the truth of the matter so they're not trying to help you.

> I didn't change a thing, just LOLed and told someone

> Oh well, 2 week suspension

God damn, these idiot school people have no fucking clue that someone who points out a security flaw to you without inflicting any harm is actually doing something good, and that behavior should be encouraged and rewarded.

BRB, preparing my YC S22 application: "BugBakeSale"

"We're bug bounties for America's school districts: HackerOne for the K12 market. The product is free if you let our corporate partners, who also fund the bounties, recruit the winners."

This is actually an awesome idea, because everyone wins. Well, except school districts who have more work. ;) I hope someone creates this.
> and that behavior should be encouraged and rewarded

He gave the reason why, fragile ego.

I had sysadmin rights on my school’s Windows servers after some very simple social engineering (for a 10 year old). The real irony was that I was called to the principal’s office on multiple occasions because I seemed to be able to fix things on the network that the local “admin” (e.g. music teacher) couldn’t. Fun times indeed.

It completely ruined my respect for authority figures. Which in retrospect has been the most valuable outcome from being the local “that kid from Wargames”

> It completely ruined my respect for authority figures.

It sounds like they were right to trust you? Doesn't sound like you ever did anything bad with admin credentials. And you even used it to fix stuff.

My reading is that they weren't called to the principal's office to fix things, but after the fact and in a disciplinatory fashion.
I read the opposite, but it's still meaningful. A sysadmin who can't do his job and has to defer to a kid is embarrassing and at that point how can you trust the "authority" to know what they are doing.
>It completely ruined my respect for authority figures.

It looks like they realised they were out of their depth and found someone who could help. Were they wrong to trust you?

Edit: I may have misunderstood your post. Did you mean:

A. The principal and the music teacher asked you to help out a few times because they knew you were skilled

B. You were always the first suspect when anything went wrong

I understood it as A. If so I really don't see how you'd lose respect for them over that.

It sounds like they weren't called to the principal's office to fix things, but after the fact and in a disciplinatory fashion.
There's the educational, constructive "Hey lokimedes I hear you're pretty good with this computer stuff want to come and help me while I solve a problem?", then there's the not so educational and not so constructive "Hey lokimedes, I hear you're pretty good at this, want to solve this problem for us?".

The "admin" person calling you for the former? Pretty cool. The principal calling you to their office for the latter? It really does say weird things about authority figures to a kid who's paying attention, especially when mixed with the cluelessness about security.

It's not just the words though, here. Being called to the principal's office is an exceptional occasion. If they were called to the office that many times, they'd see through the words and recognise that the adults were out of their depth and that's why they were being called.
Had a similar problem with feeling betrayed by authority figures when I was called in to be questioned about a hacking incident while in middle school just because I was good at VB in programming glass. Can really ruin a kid's confidence for years to come in case anyone in such position is reading this now.
I can point to several false accusations I suffered as an elementary school student that made me deeply skeptical and wary of authority.

"Even if I color in the lines, or intentionally dabble in creative thinking, some adult might yell at me... Hm. I don't need their permissions. They obviously don't see how great I am so they are a dumb nuisance."

Same thing happened to my friend in high school, there was someone causing some mischief with some of the school computers, and just because he was into BBSs and computers, he was a big suspect, but he was a good talker and was able to avoid any punishment.

He was a good friend because he kept silent about the fact that I was the one doing it ;)

I was in high school from 2007 to 2011. Half of it in rural Alabama, the other half in the Bay.

Even being in the tech capital of the world, the school administration's views on technology and information access were so backwards. Our school basically didn't allow accessing any websites that weren't on some allowlist. Teachers had accounts to bypass the content filter.

We had a game design class that happened after school. Usually that period was reserved for making up classes you failed, but ROP courses that didn't align with the district's curriculum goals were taught as well.

Needless to say, pretty much every resource we needed was blocked. So the teacher would give out his content filter bypass credentials, because the school wouldn't entertain any exceptions to students not being allowed to have them even though they knew there were classes on campus that would have tremendous difficulty. A couple of times a student would leak the credentials to others on campus and it'd take all of 5 minutes to get to everyone on campus via social media.

They'd always treat everyone who knew the bypass accounts as "guilty unless proven otherwise". I ended up in detention a few times for even knowing it. Parents complained to the school a bunch, school just always blanket said "bypassing the content filter as a student is against policy for any reason. No exceptions."

Makes me think back to 1st grade in 1999 when I was first given internet access and being told not to use Google because "it wasn't safe". Couldn't have been that bad because it took another half decade for me to inadvertently end up on the "adult" part of the internet.

Similar time period, I used portable Firefox and then Chrome on a thumb drive to bypass our content filter. I actually find this surprising in retrospect, but I'd guess they were using Content Advisor on Internet Explorer[1]. I carefully guarded my secret.

[1] this pdf appears to lend credence to that idea(no affiliation). https://www.kvcc.edu/pdfs/MyItLab/myitlab_BestPractices_Home...

If I were smarter, I probably would have learned about proxy servers. I was tantalizingly close as is. I had set up port forwarding on our home router and a dyndns account to access my (Linux) desktop via ssh. I'm almost surprised it took me another few years to bump into SOCKS proxies. I already had 99% of the setup, just not the final step. Oh well I guess.

Our school was Windows land as well. They blocked execution of certain programs by some policy in Windows explorer in Windows XP (they had never adopted Vista, and 7 was still "too new"). Funny thing was, if you knew the path to them, you could just point Firefox or Chrome at a file:// URI and run it out of your downloads directory. Oops.

There was also that time I got detention for riding my bike in the school parking lot. Which was dumb, because I always showed up 30+ minutes before any cars did because I made a deal with the sculpting teacher that I wouldn't have to do sculpting if I showed up early to class and learned about the chemistry of clay glazes along with helping him mix them for class, which was honestly far more interesting to me.

Our AP Chemistry teacher was a nuclear engineering postdoc from MIT who spent her entire career helping clean up after US military nuclear accidents.

High school was a weird time. It just boggles my mind still to this day to have a school staffed by some wonderfully brilliant teachers and have an administration that seemed to lived in fear of a student body who dared learn something or learn from someone they didn't approve of.

> They blocked execution of certain programs by some policy in Windows explorer in Windows XP. Funny thing was, if you knew the path to them, you could just point Firefox or Chrome at a file:// URI and run it out of your downloads directory. Oops.

Microsoft security baffles me. You could run Windows Update in the browser (and also antiviruses using ActiveX). Who would think of making it possible to alter the OS… from the browser?

sacrificing security for convenience
I think those restrictions were really for ATMs and kiosks, but school administrators see them and decide to turn them on. If the user is able to open more than one application there is no hope in locking down functionality. Windows Help Viewer lets you open a web browser for example.

My school disabled right click in Windows Explorer, I'm still not sure why.

I set up a proxy server for myself to use at school and showed a few friends, and then suddenly everyone at my 2000 person highschool knew who I was. Incredibly I didn't get in trouble for it, my principal thought it was clever. Simpler days.
No need for Firefox/chrome to "download" software, you could get a java-based file manager; this allowed browsing the filesystem and running software on the public library computers, which were far more locked down than any school computer I've ever seen (they had software to enforce 15/60 minute session limits, session reservations, etc, and group policies that disabled external storage, explorer, and the start menu; most browser functions were disabled). If you've got a Citrix-based application available, there's usually some way to trick your way into that system; in my case it was by going to file->open in the weird processor, and right-clicking it to open it in (the remote session) explorer, which had my local media mounted (flash drive), and allowed access to the remote browser. If you can get a cmd prompt, you can also sometimes get around restrictions with that, possibly by using it to open task manager. In college, these weren't locked down so much as intended to be single-purpose (for running Photoshop, etc from home), and I used similar tricks to gain access to a command prompt so I could register fonts for my projects using FontLoader[1].

Of course, despite every PC being on a domain, there was still the local administrator account, which was easily obtained by leaving an unused computer running ophcrack overnight. Eventually I found out that the roaming network administrator account password was simply ford, as the admin left a local account on a computer that wasn't networked; this pretty much lasted me through high school. For bypassing the firewalls? That was simple; I got a free shell account, and later my own server, an early openvz vps.

Once I got my own server, I spent long amounts of time trying to increase the amount of RAM available to me (since it was fair-share CPU on a decent server, building and similar jobs ran far faster than my current digital ocean VPS). At this point, I found out about sshfs on my own computer, and spent ages trying to find a decently cheap Xen VPS so I could use kernel modules for sshfs and swap. Eventually, I gave up. One period of my last semester I was a TA, rarely with any work to do, so I spent most of my time on IRC and setting the wallpaper to be Cyanide & Happiness comics.

/me trouts Piper around a bit with a large slap

1: this used to be available at https://bitbucket.org/cryptw/fontloader but not anymore. This might be the source, not sure. https://github.com/stevenstrike/FontLoader

> Even being in the tech capital of the world, the school administration's views on technology and information access were so backwards. Our school basically didn't allow accessing any websites that weren't on some allowlist.

That sounds very big tech to me, exactly the model towards which Facebook et al. are moving.

Sounds like normal best practice for a secure environment full of shitheads to me. The hell does this have to do with Facebook? What website am I on?
I think they're alluding to the "walled garden" analogy that gets bandied about in reference to "big tech"
Public network shares, cain&abel, learning about NTLM downgrading and well, these were the days when Wifi was "new" and wireless B and G was considered wow, 54mbps.

Back then, everything really felt like magic.

Old netsend trick, pre windows xp SP2.

There were enough stories at this time online that I knew it was best to say nothing. Did nothing bad, just explored, learned quite a few things and well was surprised how really easy it was to do things.

Nowadays, I feel kids won't/don't get that chance to explore - which is sad. Internet is curated through apps and "enagement" user experience and cloud services/SAAS.

Maybe they can spot a lifetime link to a google sheets master password document. ;)

Netsend made me feel like a true spooky wizard. It bums me out to see how much of our computing has moved north-south.
(comment deleted)
When I was 11 I social engineered the son of the computing teacher to get all the admin passwords. Then I fucked around with a whole bunch of stuff and showed a friend. When they figured out it'd been hacked they weren't sure who did it, but my buddy broke down very quickly and let them know lol.

I was banned from the computer lab for the whole of my secondary school years. It didn't matter though, because when I was 12 (~1989) the headmaster dropped computing from the school curriculum as "computers are a passing fad". They just used the computers for typing up essays after that.

It's hard not to be critical of this headmaster, but I do have to question both the intelligence and the wisdom of someone who, in 1989, could not clearly see computers had no chance of becoming a "passing fad".

Picking up a copy of The Wall Street Journal at any point in the previous ten years could have clearly indicated that... and any school at which there's a "headmaster"... I would expect the WSJ is not a foreign entity to them.

The fact the parents allowed it to go through, in hindsight, is absurd. The computing teacher did try to teach us outside of school hours some times, but I failed the Computing GCSE (F grade), which is hilarious as at the exact same time I was being offered a job at Argonaut Games after Jez San tried out my 3D engine.
I found the password to my teacher's eBoard[1] in 4th grade (a five digit code) and started changing things as a practical joke. Then I started seeing more five digit codes just written on Post-it notes…

[1] https://www.eboard.com

I had two friends that did similar in the early 2000s, except that while the school knew there was a breach, they never caught who did it. Had all student social security numbers, grades, attendance, etc pulled into a thumb drive on the school network. I imagine this happened a lot around various school districts, especially in that time when school networks were less secure.
just curious - has this ever shown up on employer background checks?
Never been an issue for me. I was never charged with anything state or federal.
I was punished three times for computer curiosity before I learned my lesson. No good deed goes unpunished, especially when it makes somebody powerful look bad.
This reminds of a Costco bug I discovered, it appears that they fixed it lol.

So, Costco runs AS/400 in stores, and their online store is in .Net MVC. I worked with both technologies and often have to communicate with AS/400 devs and they are close to their retirement so little fucks are given. Plus, working with DB2 is annoying in general, the .NET data provider from IBM is expensive and sucks.

Now onto the bug, when you purchased items online at a discount, you were able to return to store at a full price as their systems were not communicating that a discount was applied. I returned several items, but did not realize until I bought a laptop that was $400 off and tried returning it. I ended up calling Costco and letting them know. Unfortunately, they didn't give me any lifetime membership or a good citizen award.

If any Costco devs read this and know about this send me some love.

Costco still has issues of resolving discounts on a return. I won't state the bug explicitly but I had a conversation with them about how they refunded me a significant amount I never paid on a large purchase and showed them the delta via receipts. Local management was appreciative but didn't seem to have an idea of how to proceed to make things right. Ultimately they said my account would be flagged as owing the difference so the next time I shopped I would be charged for the incorrect refund. The problem is that that didn't work either and I don't shop there often. I tried to do the right thing but ultimately it ends up being their responsibility to handle it when the customer is standing right in front of them showing their loss of revenue.
"I tried to do the right thing but ultimately it ends up being their responsibility to handle it when the customer is standing right in front of them showing their loss of revenue."

I bought some lions mane mushrooms from a grocery store, which cost $10-12 per lbs. The cashier rang them up as "regular" (button) mushrooms at $2 per lbs. I pointed out the mistake and she tried to correct it but chose the button mushroom again. I brought it up a second time and she selected a different incorrect mushroom at a slight increase ($4/lb?). At that point, I gave up. She's the one ringing it up. I tried.

(comment deleted)
Where in the world can you buy lions mane mushrooms in a grocery store? I have been seriously debating growing my own because i cant find them.
Wegmans has them sometimes. I have two local/independent stores that also carry them. Although, I grow my own due to price. Occasionally I'll get some from a small scale producer who sells to the two local stores.
Berkeley Bowl
I was in dire need of an Cat 5 cable a few years ago and went to Walmart to get one. Until this point I had always made my own cables, so when I saw the price ($40ish) I was floored. Unfortunately, I had to buy it anyway. As I was checking out I had that cable and a small bag of beef jerky. The cashier wasn’t paying attention and didn’t engage with me at all. She scanned the beef jerky and moved the cable across the scanner, but it didn’t register. She told me it would be ~$3.50. I considered telling her that missed the cable but given the fact I was mad about the cable costing so much I didn’t say anything. I always wondered if I would feel bad about doing that, but several years later I still don’t.
You just stole it. I don’t see how this is even a grey area. Can you walk me through the thinking of “the cashier touched it, so now it’s mine?”
I once made a purchase of multiple items where the cashier scanned the items, put them in a bag, charged me a total and I paid it. Only sometime later I found out they missed a $100 item.

Did I steal something? Did the cashier give me something for free? Who is responsible? What if I didn't notice the $100 charge absent from the bill? What if I was charged twice as much? What if I told the cashier and they did nothing?

What turns something into a crime, in your eyes?

I certainly don't think I stole anything, nor do I think OP stole anything.

In smaller stores (fast food restaurants for sure), when the cash doesn’t balance, the employees pay the difference i think. does it hurt walmart or does it hurt the employees in that case?
Who is at fault for that harm? The customer? The employee? The employer? Regulators? Society??

I'm not even sure this is relevant. We're not talking about a cashier returning too much change. In this scenario, there is nothing to not balance. The item wasn't scanned, isn't on a receipt, was simply given away. The balance in the till is still correct.

The OP knowingly walked out without being charged. At this point it’s not any different than if he/she had just pocketed it and walked out.

The different between this and the contrived shit you posted is knowing you didn’t pay and walking out of the store in the first place. There isn’t really any subtly here.

It is different. In the checkout case, the cashier's intervening negligent act led to you getting the item for free.

It might still be theft (or fraud or some related charge), but only if those laws create a strict liability crime out of keeping something that you know was given to you by mistake. I'm not sure but I think there might be specific laws to that effect if you knowingly take advantage of a bank's mistake. Whether there's a similar law in general, probably depends on where you live.

In the pure theft case, there's no intervening act by a store employee. It requires criminal intent.

The argument that if the customer knew, it's theft, applies equally to cases where the product is rung up incorrectly, which several other people in this thread have claimed to have witnessed. I guess we're all thieves now. I've been overcharged and undercharged at stores.

Also even if the intervening act by the store employee doesn't matter, it would be impossible to prosecute. They'd have to show that the customer knew the checkout person missed the item. How would they do that? Interrogating people you live with to find out if you mentioned it to them? No, they don't have access to admissions on HN years later.

> In the pure theft case, there's no intervening act by a store employee. It requires criminal intent

Yes there is, they have cameras and people who can frisk at the doors. I don’t think you want to go down the path of “if there was some action an employee could have taken to stop it, it’s not theft”.

> No, they don't have access to admissions on HN years later.

“They can’t prove it” is not an argument that something isn’t theft. You can go through whatever mental gymnastics you want to go over how difficult it will be to legally prove theft for prosecution, but it doesn’t change what it morally is at all.

Who doesn't take off the Man now and again, though? Honesty doesn't get you very far these days.
If an employee of the store quotes you a different price than the label on the shelf or item, you owe the store zero responsibility.

Retail stores change pricing on products and fail to update pricing on the shelf all the time. Home Depot, Walmart, etc have interactions like what OP described occur every day.

The responsibility rests with the corporation to train and reward employee behavior.

If the company has chosen to staff their store with someone that doesn't give a fuck (underpaid, poorly treated, mismanaged, improperly trained, not well rested, etc), then that is a gamble they chose to take, and the last thing I am going to do is rock their boat when they built and arranged it this way.

Opening stores in key areas to destroy local business. Draconic contracts with suppliers. Lowest possible quality. Highest possible price. Huge markup.

Can you walk me through the thinking of "corps fuck me over and I should be thankful"?

Two wrongs don't make it right, though. Not that you're wrong about Walmart.
FWIW, I don't think it was the moral or ethical thing to do. I didn't intend for my post to come off as if I thought it was. I shared this story in the context of process breakdown, not "stealing is ok".

As for my thinking, it was impulsive, I was a fresh grad and didn't have much money, I was upset about the price, I thought the cashier was being rude by completely ignoring me. I felt like I attempted to engage with the process of buying the cable in the correct way and the process broke down in my favor. I was not going to go out of my way to fix it.

Again, none of that makes it the right thing to do. I wouldn't have considered walking in and stuffing it into my pocket, but feeling like I did my best I shrugged my shoulders and went on with my day.

Lions Mane is incredible. Crazy to me that it’s not more widely recognized for what it is.
I met someone many years ago who bragged that they did this with sales tax. They purchased expensive items at Costco in Oregon, paying 0% sales tax, and then returned those items in Washington and received a full refund plus 10% sales tax. This was the first time I met a person who appeared normal but lacked social mores against fraud.
(comment deleted)
In grade school a class mate told me how to mail letters for free: print where the letter _should be sent_ in the return address, print anything for the apparent delivery address, apply no stamp, and drop in a public mail bin. The letter will be sent "back" to the return address because postage was not paid.

When I got home later that day I excitedly shared with my parents the new hack I had learned and they told me it was wrong because it was stealing. I had been so taken with the neatness of the scheme I did not register its immorality.

I would expect that postage scam to only work in the same geographic area. If you put a return as California but dropped it in the box in NY I dont know if they would return it, would they? If so I would imagine they have anti-fraud measures against doing this in mass.
A postmark is applied where the post office receives the letter. If the return address isn't in the post office's service area and there's no postmark, it's fraudulent. I'd be shocked if the automated systems don't check for that before applying a postmark.
Not refuting anything you said, but I personally have dropped letters while traveling on a weekend, just because, so like dropping a letter in Oregon on Saturday evenings, obviously with proper postage, and my return address as in different state 800 miles away. One reason is If the delivery address is in same direction, i.e. if I am travelling towards letter's destination halfway, I like to see it as quick delivery and help to Post, like I am covering half distance for them.
You're right, it's not necessarily fraudulent, and there are cases like yours, or when someone's on vacation and uses their real home address as the return address.

But there's no way to allow those while preventing abuse, so I can't imagine what good options they have other than to reject and trash those pieces of mail (since they have no way to return them). I guess they probably allow them and eat the losses due to abuse?

I use this exact scam as a way to explain email forging and how the Bad Guys (TM) get spam delivered.

Funny enough, my grandmother told me about a version of this scam, but as a prank. Get some roadkill, put it in a sealed bag. Put that bag in a box. Mail it the slowest way possible to a far away address that doesn't exist. Put your target's address for the Return Address. Be sure to do it in summer. By the time it gets to them... yuck.

Nana, you were weird. But still miss you.

I went on a tour of a USPS Bulk Mail Center and asked what was the weirdest thing they ever came across. Mail person said they had a box bleeding onetime. They set it aside for the postal inspectors. Turns out it was steaks.
In uni me and a friend who when to a university across the country (not US) did something similar - he mailed one letter to me once, then I'd replace the letter, cross out the address and write "return to sender". We'd do that over and over again. I think after 3 times the letter just got dropped and not delivered
Don't they need to show up the purchase recipt/bill? Wouldn't the store's location be identified on that?
Costco accepts returns without receipts. I assume their system can look up all items purchased with your Costco membership.
You need a membership to shop at Costco, so to return items you just use your membership card and they pull up your purchase history on the computer.

I would expect that history to include a price, but I guess it doesn't.

I'd expect Costco would require receipts for returns, even for online purchases, like most stores. Then the store would only refund the amount after discounts. But perhaps Costco is more trusting of their customers because they have to pay for membership.
I'm a member and am nearly certain they can just lookup what you've bought on the membership. They scan the member card for any purchase.
> I learned my lesson to not talk about such things because their egoes were too fragile.

Yip, ego's and people talk are the downfall of many an innocent `self-education` in the area of IT security.

Post 80's and laws started to change, prior, in the UK it was theft of electricity being the only way to nail some people. Crazy fun times.

Though I do miss the old phone system per-say, outdials, wardialing, things like that, was common with many and just seemed more mysterious as you could only learn thru word of mouth or self-education as no books or internets and BBS's were not as cheap in the UK or common as we never had the official free local calls aspect as you fine folks had in the US.

Do recall a chap getting kicked out of college for doing something I'd done previously, just that he had a bigger ego and not as delicate with the power to steal the admin password. Which involved an ICL George 3 OS mainframe in the times of very large disc platters and admin console journaling that had no encryption. so they rotated discs without adding extra wear of zeroing the previous content, only the file table so you could end up with a user disc platter that had formally been used as a admin console jounal reposatory and could create files without zeroing and dump the previous contents of the disc of that way...which eventually got you the admin password.

Do recall few instances of work related cases in which I needed to do things so, kinda hacked what I needed (resourcefulness) like upon a DPS7 Honeywell mini computer in which needed the admin password to do something and nobody had it at hand at that time of night and the passowrds were kept in a file that was encrypted so I worked out the encryption key by looking at the file as was poor encryption and text files have lots of spaces so saw a pattern with the word OPERA in and tried and tada, got what I needed. The spooked admin next day wondered how I did it so I told him fully, he then went and redid the encryption and challenged me to see if that was secure, I looked at the encrypted file and kinda worked out by the patterning that it had been encrypted twice....yes with the same password OPERA only encrypted with that and then encrypted again with the same. Educational for all back then. Today, not as easy to do that, but still a great story of times of old.

My ego prevents anything else and was an ethical hacker and the 90's was an era in which, we white hats would and was the internet security, bringing down pedo's and bad actors like that that frequented some platforms with ease (looking at you AOL). So whilst illegal per-say, was case of no real official policing of such things as we do today.

But darn, some things learned and worked out, well zero day exploits back then were not as financially economical as they are today and heck, and some never really appreciated how long they would stay obscured from the wild.

I also liked hardware back then, was also fun and many a hidden switch to get a feature you would normally pay silly money for some engineer to `install` though was just some hidden switch was not that uncommon. Heck even today you get kit that is same inside with a model up just adding some small thing and example would be some Fluke multimeters that you effectively pay hundred for a small capacitor and another digit on the outer shell, is a good example current today.

Fun times indeed, but darn, goalposts always moving.

Seriously, they would have deserved that the school mysteriously becomes littered with printed (or typed) sheets of paper explaining how to access the system and change everyone’s grade.

If it were me, for the second time I would have considered adding a file to everyone’s FTP account (including the admins & professors themselves) explaining how they too can escalate to root.

Good times indeed. I got into similar mischief, but my school didn't really mind. I got a slap on the wrist, because they were to prestigious to court negative attention. Then I got into similar shit in college. I reported it and got lucky again. The guy in charge of their cybersecurity program invited me to take his class which was all master's students and phd candidates as a freshman. I would have bombed as it was all over my head cryptography/math, but at the time I did some extracurricular research that got me a passing grade.
I’ve been on the other end of this dynamic. It’s really incredible what you can accomplish by providing someone with a passing grade.
Late 80s and my junior high school computerized attendance reporting (and some grades) through shared documents on a 'teacher' Appletalk share I had access to (because I set it up!) Well now... ;) Honestly though I never did any of that sort of thing for profit, I managed to satisfy my needs selling disks with games on them and then turning a blind eye when people were playing them during class hours (I was basically used as a free labour resource by the school so I don't feel bad about that in the slightest.) Ah, the things we did when we were teenagers...
> I learned my lesson to not talk about such things because their egoes were too fragile.

At my university in the early 90s I went the white hat route and had tons of fun. I managed to convince the computing center folks to give me a student job in the Unix group, and then spent the next three years hacking their systems and getting a pat on the back when I did it.

I was in junior high early 90s when I got into trouble with my school's networks. Setup was Novell Netware, DOS 6.x. I was never a Netware expert by any means, but by that time I'd been using DOS at home for quite a number of years and knew my way around pretty well. Anyways, the network crashed. I got accused of causing the crash because a teacher had seen me with "a black screen open", aka a DOS prompt. Our Netware setup didn't allow for direct DOS access; we had a limited set of DOS apps from a menu we could run. Well, among those apps was WordPerfect for DOS. There was some function key combo that'd suspend WordPerfect and dump you at a DOS command prompt (I forget the key combo, but we all had those keyboard templates at the time that listed out the various commands helpfully, right in front of you, at school, even!).

Well, being at a DOS prompt was enough circumstantial evidence for me to get suspended for a week (no FBI record, AFAIK). My parents, despite being strict, were also fair and asked me point blank, "Did you have anything to do with what you're being accused of?". Told them no, I was just at a DOS prompt (probably to play either nibbles or gorillas - those classic BASIC games). To their credit, their opinion was if I was going to serve the time, I might as well know how to do the crime (know, not actually do). I had already been tagging along to continuing education computer classes my mom was attending, but my parents started buying me more and more computer books. It got me started down the programming path. I'd already been pretty friendly with our sysadmin at school and he knew I had nothing to do with what happened and hadn't accused me, but the school needed a scape goat, and I was it. He felt bad for me and choose to help me out with my learning, too, instead of continuing the punishment. He gave me a copy of the software he used for after hours remote access over direct dialup. Think it was called Carbon Copy? It was basically just telnet over dialup that allowed me direct access to his PC on the network after hours before I even knew what telnet was. So, I'd connect after dinner and play around for hours as network admin. It wasn't multiprocessed, so I had to be patient. Typically when I'd log in, he was running a nightly backup manually that he'd kick off before he left for the night. I just had to wait for it to complete, then I could do whatever I wanted. I had full access to the grading/attendance system. I could message teachers as other teachers, etc. I could have granted admin access to anyone, but I was smart enough to never touch my own account, instead, created fake admin users and used those, instead. I'd hide files in plain sight using the ALT+255 trick to embed a nonprintable character in file/directory names. You could see them, you just couldn't directly access them without renaming them for most programs. Fun times. I never did anything destructive, though I could have easily.

Security in the 90s was a joke. They were good times, indeed :)

I continued my shenanigans into college. College was my first encounter with Windows NT networks & l0phtcrack. I remember one night, walking into my dorm room with the SAM file from a lab PC on a floppy. I popped it into my own PC, started cracking the passwords, expecting it to run all night. As I got up from my PC to head down for dinner, I was surprised to see that I'd already cracked the administrator password. It was just a 5 character password that was the building code & room number for campus IT. I already knew better than to do anything from my own PC, only ever worked from different lab PCs in different buildings and under assumed accounts. Never reported anything, either, for fear of reprisal.

When I was 11 or 12 we had a bunch of old Windows (2000?) boxes with a shared network folder — all the students' files were in the same folder. I had just learned about basic batch file "programming" so I made one called Change Your Grades Click Here!!.bat which asked for your username and password (we had individual accounts on the Mac computers) and saved them to a hidden text file in the same folder. Most people didn't fall for it, but I got one girl's login that actually worked, which scared the shit out of me, and I deleted the program. (I really wanted to tell her that "emma" is not a good password, but I thought it wouldn't turn out well for me.)

A few years later, I cracked the admin password (with a Ophcrack live USB) for a silly reason: they had the machines mostly locked down, and I wanted to change the desktop background hahah. I remember being quite disappointed in the sysadmins that the admin password for all the machines in school was a common dictionary word, cracked in 30 seconds.

Oh, once I met a guy who identified as a "hacker" (in the sense of breaking into systems illegally) and he told me (then a young teen) to "have my fun" before I turned 18 and then to stop, which in retrospect was very good advice.

> I got one girl's login that actually worked, which scared the shit out of me, and I deleted the program. (I really wanted to tell her that "emma" is not a good password, but I thought it wouldn't turn out well for me.

With all due respect for HN policy of nuanced, Intelligent debate.

"Wimp"

Did you ever had the courage to tell, that you lacked courage, once?
At least a few times a week.

Wimping out is par for the course.

Ah yes, grabbing the SAM file. That's still a valid attack vector if local admin password rotation isn't in play.
When dsl was deployed into my town, it was mostly for doctors offices and the local hospitals.

I was one of the first normal citizens to get dsl internet. I opened windows explorer, and saw all the hospitals and doctors office network folder shares, with patient data.

Yeah, big telecom internet company too.

> because their egoes were too fragile

If anyone else reading can learn vicariously, this line is almost universally true and manifests itself in a multitude of ways.

> they didn't shadow protect their password files

Could you please explain what this means? Googling didn't reveal much.

The UNIX family of operating system (Unices) historically stored passwords in /etc/passwd, which was readable (but passwords were soon hashed, i.e. passed through a one-way function to obfuscate them).

Eventually, shadow passwords were introduced to have the passwords themselves stored in another place with stricter access rights (readable only by the sysadmin or their group), so even the hashed versions were inaccessible to normal souls, whereas other information traditionally kept in /etc/passwd - e.g. the user's full name - could and can still be retrieved from that file by making it widely readable - just without the passwords, which were moved to the "shadows".

See also https://en.wikipedia.org/wiki/Passwd, section "Shadow file" for more details.

I always thought the shadow was just a way to refer to a hash -- the shadow of a thing being less detailed/unique but still capable of being used for recognition.

Maybe I read Plato around the same time as I heard of it and that biased my thinking.

Debian even back then did protect the passwd files appropriately out of the box, but in this server's case, they did an import from an older system where it wasn't protected, and they couldn't figure out how/bothered to convert it to shadow.
> Could you please explain what this means? Googling didn't reveal much.

An classic UNIX /etc/passwd file is readable by all local users and in the past used to contain the password hashes. One can download these hashes and crack the passwords offline. At some point the problem was recognized and password hashes were moved to special /etc/shadow file which is accessible only to root and members of shadow group making /etc/passwd useless for extracting passwords.

(comment deleted)
(comment deleted)
With all the shenanigans I was into as a turn of the century high school student, I'm incredibly lucky to have never had a (known) FBI run-in.

At my first high school I was expelled for selling teachers a boot floppy that disabled the district's security software (Fortress) on their machine.

At my second high school I was busted twice, once for selling CDs with a much anticipated unreleased movie, and the second time for finding (and copying) a network share that had every student's school photo from that year before they could even purchase it.

Nevermind all the unsavory nonsense I did outside of school and was luckily never busted for.

ouch. I once tried to grab a password file remotely that made the whole computer network crash for some reason. They found out it was me and they said, "please don't do that again." I was really lucky.
sadly, security hasn’t changed much since then
I cracked all the passwords in my MS-DOS based computer programming class by modifying the boot floppy. It was pointless since the assignments were easy and I had perfect grades in that class, and the only thing this allowed me to do was steal other peoples' homework. But eh, boredom....

I also figured out how to auto-crawl the networks of all the schools in our district, which, as a self 15 year old whose only experience was non-networked DOS, is still a proud accomplishment. The only things I found were a bunch of printer management, some office form templates, and a cool video game that was like sim-moonbase.

But then my teacher found the file in my home dir called passwords.txt, and I was busted. Oh well. Instead of an FBI file, I got a detention, and I had to teach him how to write-protect the boot floppies so no one else could do what I had. (he didn't need to know that you could reverse the write-protection with a piece of electrical tape)

>I learned my lesson to not talk about such things

And yet here we are, talking about it.

A quarter century later, statute of limitations expired, systems long gone and replaced with entirely different vendors/technology, nobody cares except you.
> they didn't disable the shell, just added a login script to a menu for pine, etc.

Very fancy, everyone was using elm and you got pine.

Oh yes. I remember the embarrassment / horror of having the admin just creepily poking my shoulder when at the computer and gently saying: "Hey, I promise I will NOT report you for antyhing, if you just tell me what the hell you just did with our network!"

I had no idea what I had done, honestly, I just sent a large ping packet to some IRC-user. Turns out it killed some vital things in the network.

Also the admin leaving anonymous FTP enabled with write access. That was one weekend with an extreme amount of illegal stuff apparently uploaded via the schools FTP, but that was my classmate which was involved in and not me.

This was at the time when people had dial-up at home so the 256kBps connection at school was awesome.

>After we left the form by her front door her parents somehow figured out who had done that and, when Bobby’s and my parents learned of this stunt they decreed that we would no longer play together. We followed that guidance for over 40 years.

oh

Ah, I wanted to hear more of adventures of Les and Bobby.
It’s sad that people on positions of authority are always paranoid someone is lying. I was recently pulled over and I was sure I hadn’t done anything and it was on a very busy highway through town and I was literally at a side road so turned off and immediately pulled over. It took seconds. The officer as he approached me put his thumb on the back of my car. From my reading they do that to leave their fingerprints if something goes wrong. He approached and said he just wanted to check if I had my license, something they are not supposed to do since it fosters racial profiling they are supposed to have a reason. But he said I noticed you don’t have an N on your car(the N indicated new drivers) and you looked a little young so wanted to check. Just a bullshit story since I am 40, had 2 teenage kids and a 6 year old in my car and enough facial hair to say I was way beyond a 5 o’clock shadow. Then he began to lecture me how when a car pulls onto a side street it makes him very suspicious. I said well I don’t want anyone getting hit from behind and he replied That he is not affraid of getting hit. All very well I am glad you are not but I had 3 kids in the car and have seen enough videos of officers getting plowed and I didn’t want to be part of that. He let me go and with that I am once again annoyed with the police. If I’ve done something ticket me I’ve never omce fought a ticket. I pay my dues. But like I say that rule is to stop racial profiling so I take it seriously.
What a wonderful and adventurous life! I really enjoyed reading that.

Makes me think about what stories I’ll have to tell about my life in 40-50 years.

It makes me wonder -- does everyone end up investigated for their interest in HTTPS and trying to think up encryption methods?

It seems even having a passive interest in computer science or cryptocurrency would inevitably lead to one taking a class or buying a book on these topics. The business person in me always brainstorms the various potential business applications of any technology -- and that inevitably leads to a lot of discussion.

Any system of policing that results in entire professions and swathes of hobbyists being considered and treated as enemies of the state is essentially the same level of injustice as the witch trials of old and shows our species has not improved all that much.

Not any more, but back in the 1970s and before cryptography was considered the province of the military and spies, not for civilians to mess with, in the US and the UK. State-of-the-art crypto was treated much like tech for nuclear weapons. The pioneers of public key cryptography had to fight for their right to publish.
I cannot imagine an entry level class in Web Development (or even a coding bootcamp) not dedicating some time to crypto and SSL / SSH.

Anyone doing a deepdive on these topics would seemingly be put on a list. It is absurd.

May I suggest, a brief reading of the Wikipedia article on Crypto Wars[0]:

The Crypto Wars is an unofficial name for the attempts of the United States (US) and allied governments to limit the public's and foreign nations' access to cryptography strong enough to thwart decryption by national intelligence agencies, especially the National Security Agency (NSA).

[0] https://en.wikipedia.org/wiki/Crypto_Wars

All of this just seems like government is developing an addiction for lazy police work.

A dragnet approach of digital malware and backdoors is a form of automated policing that will always be as unpopular as red light traffic ticket cameras.

Society has always accepted that some criminals going free is the price we pay for having our rights be respected.

I hope things get better here.

> Any system of policing that results in entire professions and swathes of hobbyists being considered and treated as enemies of the state is essentially the same level of injustice as the witch trials of old and shows our species has not improved all that much.

It's much worse now. Now data is collected on every last person in the US indiscriminately so we're all under constant investigation and being treated like enemies of the state. With detailed records of every person and who they associate with the state is free to pick and choose who to target and can easily find incriminating evidence against anyone they decide has become inconvenient for them. Inquisitors tormenting "witches" couldn't dream of having so much power to abuse.

Isn't it weird for Americans to know that their own secret service is monitoring their kids?
Generally, the secret service doesn't monitor kids unless they believe that they are somehow a threat to the president.

If you read the story, you'd know that the FBI wasn't "monitoring kids", they were investigating an incident that _could_ have had something to do with international espionage, colored significantly by wartime paranoia. They were obviously embarrassed when all of their leads pointed to a kid.

However, even today, the FBI doesn't monitor kids. Tech giants and social networks do that for them.

Well, maybe not anymore, but the Secret Service used to be charged with investigating computer crimes. I was the victim of one of their covert raids at the Pentagon City mall way back in the early 90s.

They dressed up like mall cops and searched us all. It even ended up on the front page of the Washington Post.

https://www.washingtonpost.com/archive/politics/1992/11/12/h...

I liked the old-school vibe of this page, so I decided to view source it. This was written using ... Microsoft Word(!)
in case you're not aware, the author of this is a known (but not well-known) AI researchers from way, way back.

He invented the "finger" protocol. I chose the university I went to based on the qualitty of the plan files so in some sense, he's the reason I ended up at UCSC.

Finger protocol, port 79:

    >dekhn[CRLF]
    <[dekhn's login status, .plan, etc.]
    <[EOF]
HTTP/0.9 protocol, port 80:

    >GET /~dekhn/[CRLF]
    <[dekhn's home page, etc.]
    <[EOF]
HTTP was a slightly enhanced finger, so in some sense he's the reason for the web.
I never made that connection before, thank you!
I'm not sure if there is any historical evidence backing that up (IE, Tim Berners-Lee used Finger protocol as an inspiration. A lot of the UNIX protocols of the time were like that (NNTP in particular), simple call/response with textual commands and arguments.
Let's ask. Also 79 -> 80... that's a bit of a hint.

Edit: asked.

I think that's because Dr. Lee picked the lowest unused port at that time.

But let us know.

According to https://www.iana.org/assignments/service-names-port-numbers/... the lowest unused ports are currently 4, 6, 8, and 10. I think these were originally the port numbers for the opposite direction of data transmission for services on ports 5, 7, 9, and 11 (RJE, echo, discard, and systat) but that function became obsolete with the switch from NCP to TCP in 01983. I may be misunderstanding this a bit because I don't really understand NCP.
I look forward to hearing what TimBL says!

I thought Finger itself was a copy of the Whois protocol, which runs on port 43. But that's backwards! According to https://datatracker.ietf.org/doc/html/rfc812, sri-nic.arpa supported Whois in 01982, saying, "The NICNAME[/WHOIS] protocol is similar to the NAME/FINGER protocol (RFC 742)," and https://datatracker.ietf.org/doc/html/rfc742 is from December 01977, explaining, "The FINGER program at SAIL, written by Les Earnest, was the inspiration for the NAME program on ITS."

Things like NNTP, SMTP, IRC, and FTP were pretty different from this family of protocols. They're textual, yes, but they're highly stateful protocols with lots of back-and-forth to get anything done. DNS, NFS, and SNMP (01988: https://datatracker.ietf.org/doc/html/rfc1067) were stateless, like Finger, Whois, and HTTP, but used optimized binary structures over UDP. In my view, though, the protocol semantics are a lot more important than its syntax, so I think HTTP is a lot more similar to DNS than to NNTP.

Later, FTP-like numerical status codes and long-lived connections got added back in to HTTP, but they weren't there in HTTP/0.9. Designed at the same time as HTTP, Gopher (port 70) was also a finger-style protocol, and I don't think it has status codes either.

Anyone else hear Dick Tracey’s voice for the “They are your son's alright” part?