

Ask HN: What's the most black hat hack you did as a young child? - bramgg

Just because these always make me laugh.
======
throwawayidiot1
2008, 15

Hung out in a private IRC channel where gamehackers resided, guys who made
cheats for valve games. A few of us exploited websites (complete skids, just
downloaded shit off milw0rm). Not too exciting a story, but one of the guys
links me his injected c99 shell to some site, and then links me their
directory of plaintext databases that include CC's and tons of info buried
into some stupid generated path like
a/w/da/w/r//13/g3/g/g/3/g1/g1/3ga/g/s/g/<csv files>.

Turns out all they did was parse this shit with a PHP script from their form
over HTTP. I emailed them this story. 3 weeks later police raid my house, I
give them every email I know of from the hackers I knew, and they spent hours
meticulously disassembling every part of my computer and filing it in these
special plastic bags and boxes. Then my Dad's computers, and my Mom's. And all
our laptops/tablets.

The only scary part was when the cops picked me up in an unmarked van to take
me home to open the door for the agents or whoever they were. They asked me
one question, "when you're ready, tell us what you did". Obviously being 15
I'm shitting my pants and just start ratting myself out for the next 15
minutes until we got home, and even then I had no idea what the fuck I did
until it dawned on me. Cops probably tell this story to this day.

Goodbye $15k~ which I'm still on the hook for from my parents. Yet to hear
back from the police.

I still have no idea what the fuck happened.

------
jayhuang
~2008,~15.

I was interested in building websites and after my curiosity got the
better of me, I ended up playing with SQL injection. Instead of playing with my
own websites, I thought it would be more fun to find the same vulnerabilities
in other sites.

You can imagine my excitement and disbelief when one of the largest online DVD
retailers in the world ended up spitting out over 600,000 records complete
with SSN, full name, address, credit card number/expiry/CVV, email. Among
these records I found the information of a certain female CEO of the world's
2nd largest food and beverage company (or someone pretending to be her). Of
course, about 70% of these were expired, but I was just curious. I had no
intent to use them (okay maybe a little itch).

My excitement quickly turned into fear as I realized the legal implications of
such a feat. And against my better judgement, I contacted the company and let
them know about the vulnerability.

Fortunately, after warning me that they would use the law to its full extent
in punishing me if they ever found those records leaked/used, they left me
alone.

Around that same time I also compromised various government departments of
South Asian countries (think Indonesia, Malaysia, etc). But they never replied
when I notified them.

Still scares me to this day.

------
chatmasta
~2007 / 15 years old

I wrote a script that allowed me to create a Google account with the IP
address of a visitor to my website, all without them knowing. All I had to do
was open the registration page with a server side script, download the
CAPTCHA, display it to the user and ask them to fill it out. When they filled
it out, the submitted form targeted the Google registration form in a 1x1
iFrame, then another button targeted the logout form. Google was not checking
the referrer of the sign up form, nor was it comparing the IP address that
received the CAPTCHA to the one that submitted it.

I had a friend load that script into thousands of generated blogspot blogs,
which got long tail google traffic and asked the user to "fill the CAPTCHA to
continue." The script ran for ~2 weeks and generated ~60000 Google accounts
all from unique IP addresses.

That was around 2007, so obviously it's all patched up by now. I was 15 years
old and never did anything with the accounts, so if anyone from google is
reading this, keep the lawyers away from me please.

Blackhat SEO actually has a lot of clever tricks. I haven't been part of that
space in a while, for a lot of reasons, but I can attribute 99% of my
knowledge of marketing to time spent trawling through blackhat SEO forums
reading not only about that, but also landing page optimization, conversion
tracking, copywriting, etc. It was definitely a worthwhile learning experience
for me.

------
robodale
A friend and I in our early teens would purchase games for our C64 computers.
This was a time before store return policies prevented getting your money
back. The games were always on 5-1/4" floppies. We would attempt to crack the
copy protection via purchased cracking software, or our own cobbled-together
scripts. We wanted a copy for ourselves. This would usually work, and we would
then return the game, with some lame excuse like "we bought the wrong one".

Sometimes, we couldn't crack the game. As a last resort, we would gently peel
the game sticker off the store floppy, and glue it on a blank floppy. We
would go back to the store, and say "uhh...this game doesn't work". They would
give us our money back - rarely with any resistance.

We would then walk to the game section and pick out another game.

Muahahah.

~~~
ja27
Back in my C-64 days we had software rental stores. We could go in and rent
the latest C-64 games and tinker with floppy disk copiers until we could crank
out working copies. Or we'd swing by a friend-of-a-friend that must have been
an early warez distributor and see what he had that was new.

------
robodale
For my other stunt (see my "C64" post also on this page), I got in early to
the library room in 5th grade (1983). They had 20 or so Commodore PET
computers for us to use to learn from. The teacher was going to have us play
Oregon Trail and had already preloaded the game into the memory of all the
machines.

A simple LIST of the program revealed the supplies you had available. Another
command to update the line (lines?) of code to change supplies (Oxen becomes
Monkeys, Bullets becomes Bubble Yum, you get the idea).

Once we all started playing, the confusion and giggling ramped-up pretty fast.
It didn't take long for the teacher to figure out the perpetrator. It was the
first time I had to stay after school.

~~~
jayhuang
Man, my elementary had those old Apple computers back when the logo was
rainbow coloured, and only the librarians got to touch them...

Mind you this was only in ~2000 and I didn't get to touch a computer for the
first time until years later.

~~~
dhagz
Mid 1990s, my elementary school had an entire room of Apple 2 computers. I
loved playing around on those things every Friday.

------
pixelperfect
2004 / age 14

I discovered an exploit on the GameFAQs message boards that
allowed me to use HTML in topic titles. I just used this to post some topics
with images as titles, instead of looking for SQL injections.

That same year I obtained every student's social security number from my
school's database, though I didn't write them down. I never told the school
about their massive security flaw because I was afraid I would get in trouble.

------
dhagz
Is it black hat to write a program to cheat on tests? Because I wrote a
program on a TI-84 for my Algebra courses in high school (2006-2008) that ran
the quadratic equation for me. And then I expanded it for my AP Physics course
to take care of solving every equation I needed, from Newtonian motion to
thermodynamics.

------
SamReidHughes
I borrowed my classmate's TI-83 PLUS calculator and archived all his
variables.

------
ja27
~1985 on a 12-user TRS-80 Model 16 running XENIX:

    cat > /dev/ttyNN

and drive other students nuts with seemingly random stuff appearing on their
screen.

I don't remember even knowing there was a root account or /etc/passwd then and
I was too busy trying to learn enough vi to get my COBOL programs done. The
things we endured to get to take "the computer class" at school.

------
mlitchard
When I discovered smtp I sent mail to people from santa@northpole.org telling
them they were very naughty this year and to expect coal in their stocking.

~~~
salesinvaders
president@whitehouse.gov here.

------
jackweirdy
14/15. French Lessons (didn't like French). Spent about 6 weeks building a
program that listened for instructions and ran windows binaries for
lock/logout, or moved the mouse randomly across the screen.

Ran the program on teacher's PC when she wasn't looking, ran the client on my
PC, spent the next hour confusing the teacher.

------
LeoSolaris
I reverse engineered a teacher's password in middle school because the
teachers' logins had access to Doom on the school computers. The IT monitor
noticed me playing after a few days and I was banned from the IT lab for the
rest of the year. (4 weeks or so, if I remember right)

------
Mugalon
~2000 ~15

Hacked the school's computer system during school hours and had access to ALL
passwords of every pupil and teacher in IT courses. Access to the admin
account was saved in a file on the network server you would normally not have
access to...

------
onetimeusename
age 13, wrote batch scripts that could A) open up a command prompt window that
otherwise was restricted and B) turned off monitor software that allowed
teachers and librarians to watch what someone was doing on a computer.

The only reason I was caught was because I complained to the sysadmin about
disk space and she looked up my account and happened to spot .bat files and
she came in and confronted me during a class and I became the youngest student
to be put on the permanent wall of shame for technology violations which was
usually reserved for students who look up porn.

