

Ask HN: My 13 year-old cousin hacked into his school's system. What advice would you give? - jsmoov

My 13 year-old cousin hacked into his school's computer system. He didn't do any major damage, but I want to make sure he knows why what he did was wrong and show him ways in which he can use his talent to make a positive impact on the world. What is the best way to approach him? Are there any good articles / books I can recommend to him?
======
sounddust
When I was in high school, I guessed the administrator password of our
computer lab (it was the administrator's daughter's first name) and basically
maintained the computer lab for the rest of the semester. I never did any harm
in the process. The administrator, upon finding out what I had done,
recognized that I knew what I was doing, and supported my work. I fixed
permissions that repaired apps that had been mysteriously broken for years,
reset other students' passwords at their request, and lots of other helpful
things..

Then one day my teacher switched places with the only other person who had the
admin password, and she didn't know about what I had been doing. When she
found out that I had administrator access, she was infuriated. She called me a
"hacker" and reported me to the principal. The principal planned to give me a
0 in the class and possibly expel me from school. The only people who were
allowed to be in the "hearing" which decided my fate was the pissed off
teacher and the principal. The administrator, who vouched for me, was told
that no one asked for his opinion and that it wasn't relevant. I almost failed
to graduate because of this, and it was only through being persistent and
involving every teacher I knew that I managed to not fail (the principal
reduced my grade to 75/100 instead of failing me).

I would tell your son that most adults who have authority (including
principals, teachers, judges and police officers) do not understand technology
and computers very well, and therefore it's important to not only operate
within the scope of the law and rules of his school, but to also not even
_appear_ to operate outside those rules. Computers are cheap, and in 2009
there's not much more interesting in his school's network than what he can set
up on a $200 netbook.

~~~
russell
A long time ago my son did a similar thing. He didn't get into trouble because
he told me first. We had a long adult talk about professionalism in
programming. Essentially, professionals dont crack, but also about writing
good code, testing, comments and such, so that it didn't come across as an
adult smacking a kid. It worked, because he started taking a more mature
approach to what he was doing.

~~~
swombat
To be fair, there are many professions in IT. Programming is just one of them.
Computer security and system administration are two other very different ones.
They don't necessary involve much "good code, testing, comments and such". On
the contrary, they can involve in-depth, hands-on knowledge and experience of
the kind of tools that other people will use, to be able to protect systems
from them.

~~~
russell
Agreed, but he was in 7th grade, 13 years old, so professionalism in that
context was about programming.

------
r11t
The best reference I can recommend would be Eric Raymond's "How To Become A
Hacker" : <http://www.catb.org/~esr/faqs/hacker-howto.html> The key point the
article points out is that "The basic difference is this: hackers build
things, crackers break them." The teenage thrill of breaking into computer
systems is certainly exciting but perhaps he will be even more enthusiastic
about learning to be curious about how things work under the hood, how to do
clever things via programming and how to develop a true hacker mind set. Of
course all this without the risk of getting into trouble like breaking into
his school's computer system. I am glad to know that he did not choose to do
any major damage but nevertheless I hope he grows up to become a fine hacker
and understand the true meaning of being one. Good luck and great effort on
your behalf to try to advise him in the correct path!

~~~
unalone
I have a problem with that essay. It makes good points, most of which I agree
with, but Raymond states them as values to be learned without explaining why.
He essentially states his own beliefs without giving reason for some of them
or explaining why such mindsets are useful. (Or: he shows rather than tells.)

The phrase that stands out most upon first glance is this:

 _Similarly, to be a hacker you have to get a basic thrill from solving
problems, sharpening your skills, and exercising your intelligence._

 _If you aren't the kind of person that feels this way naturally, you'll need
to become one in order to make it as a hacker. Otherwise you'll find your
hacking energy is sapped by distractions like sex, money, and social
approval._

I've found this not to be the case. Wanting sex, money, and social approval is
not necessarily detrimental. Similarly, I get no thrill from solving problems
per se. I don't think that that thrill is a necessity for hackers. Raymond
uses too broad a brush.

~~~
cschep
What is your connection to the hacker culture, if not problem solving?

~~~
unalone
From some lens, my approach could be seen as problem solving. I've always
viewed it as more of a creative art: I view the things I create as concepts.
"What would happen if a web site worked like _this_ , for instance, then I
create every to revolve around that central theme. Some of the stuff I do is
geared at problems, but I feel that viewing mistakes as bugs is a very sterile
approach and I hate it.

I don't have a lot of the traits that go alongside hackers, either. Coding
languages don't fascinate me, by-and-large. When I look at a language, I
figure out exactly how to get things done and then I don't look at it again.
As a result, I don't find much fascination in discussions about programming,
which is rare among hackers.

------
endtwist
Whatever you do, do _not_ punish him for this. While what he did was not right
(though your use of "hacking" here is very broad), instead of telling him how
wrong it was, simply try to push him in a more positive direction. My
suggestion would be to ask him to work on some sort of project for or with
you, perhaps even get him involved in something small and open source.
Starting a website may even push him in the right direction.

An alternative would be to talk to the school and see if they could give him
some sort of credit for helping administer the network, or work on a special
project for the school.

To give you an anecdote: in high school (and this was only a few years ago),
me and my friends consistently were cracking passwords and breaking into
various parts of our school's network. We never did anything harmful, nor did
we ever cheat, but we did it for the fun and the challenge. One day, we
happened to find a file containing all the passwords to every user on the
network -- teachers, guidance counselors, and principal included -- and we
turned it into the principal. Instead of telling us we were wrong for "hacking
the network" and questioning us, he thanked us profusely and got the file
deleted from the network. No punishment.

In middle school, however, I got in minor trouble for "hacking" by using
proxies to skirt around the school's filtering system. The "techs" in the
computer lab quite literally pulled me out of class and angrily questioned me,
telling me how I was wrong and what I did was bad. What happened? I continued
doing it, and just made sure not to be caught.

My point is that telling him he is wrong will not stop him, and he will likely
continue what he is doing because it stimulates him and he finds it exciting.
By nurturing that excitement and funneling it into something constructive,
such as an alternative project, he will learn what the better avenues are and
likely forget about "hacking"/cracking almost (if not) completely.

------
grouchyOldGuy
Just because you CAN screw around with someone else's property doesn't mean
you SHOULD. Although it can be exciting (especially at that age) to do
something forbidden, he can suffer the consequences if caught. He might
inadvertently harm the system and could wind up in serious legal trouble. It's
like walking up to someone's front door, twisting the knob and discovering
that they forgot to lock it when they left. That doesn't give him the right to
enter the house, even if all he wanted to do was "look around". Turn the
situation around: would he want someone hacking into his home computer because
he didn't have it properly secured? Would they have the right to do it to him?

------
noonespecial
I'd try the "with great power comes great responsibility" angle. They did the
best their muddled minds could do to secure their system. It was trivially
easy to break into it using your l33t haxor skillz, but might does not make
right. Have a little compassion.

Also, remember, embarrassing them in this way might cause them to use the
great power they have over you to make your life miserable as well. It goes
both ways. The luddites in charge of public schools are usually docile, slow
moving creatures, but they can become suddenly fierce if poked in the eye with
a sharp stick.

------
nsrivast
Show him this:

<http://www.paulgraham.com/hs.html>

~~~
jacquesm
I think that piece makes some assumptions about the attention span of 13 year
olds that are not present in the samples available to me :)

~~~
xenophanes
I knew a 13 year old, diagnosed with ADHD for not sitting quietly in class,
who could concentrate on a chess game for 4+ hours straight. And then play
another one after a short break.

I could do the same. I also read SICP when I was 13.

~~~
jacquesm
I have a son like that. He's great at the stuff that he is interested in,
anything else and he's bored instantly.

ADHD to me is just a convenient label for kids that are different than that
norm, so we trot out the medicine cabinet to make them conform instead of
helping them to cope with the world around them we make it easier for the
'rest' to cope with them.

~~~
unalone
When I was in high school, a friend told me he had been diagnosed with ADD.
His parents had him tested because his grades were suffering.

My friend and I have similar personalities, and my grades were similarly hit-
and-miss. I went home and asked my mother if I had ADD. Her response:
"Probably."

I'm grateful that I had parents who accepted my quirks as a part of my
personality and not as problems to be fixed.

~~~
jacquesm
I guess I got lucky, or I would have been on ritalin or some other fashionable
(or profitable) drug for sure.

I'm 43 now, 44 in March, when I was a kid ADD did not yet 'exist', and from my
experience with my sons teachers the teachers in the schools that I went to
were of a better grade than the teachers he has to content with (and that have
to contend with him) today.

I think the latter is the biggest factor in the diagnosis of all these
'children that we can't handle', it is striking that the %age of these kids
seems to go up with every generation. Hopefully soon there will be generation
of teachers that is as fast and as smart as the kids they are trying to teach.

To some extent I think it is the influence of our media rich world, and next
to that probably the enormous amount of technology and information available
to kids from a very young age onwards that causes kids to be so tremendously
fast at the stuff that these teachers can barely cope with.

Boredom is their lot, unless you can get them interested, and once you manage
that better hold on to your hat.

One thing I have found to be universal in dealing with 'gifted' or 'fast'
children (I prefer those terms), it is that once you have gained their respect
it gets a lot easier to communicate with them and to get them interested in
the stuff that they should know.

It's just that if you're a teacher and you get these knowledge seeking
missiles that can run rings around you your visceral response is probably to
want them to slow down to your level. I think that is the best way to lose
their respect.

Congratulations to your parents, they seem to have done just fine :)

~~~
unalone
_Hopefully soon there will be generation of teachers that is as fast and as
smart as the kids they are trying to teach._

As much as I would love to believe this, I'm at a college that's renowned for
its teaching program, and teaching majors came to me for quite a lot of tech
problems. (Two didn't understand basic algebra - worrysome.) The problem is
that people who decide they want to become teachers very rarely work well as
teachers. My favorite teachers were all passionate about their subject first
and foremost: many of them, even in high school, committed to their work
outside of just teaching. The people who say "I want to teach and I don't care
what" are very often the most problematic teachers.

I agree with you entirely about how enormous the world of media has become.
That's part of the problem. There are so many things to pay attention to that
the slow pace of the average classroom doesn't have enough to appeal to
students. With the exception of perhaps three teachers' classes, I learned
more online than I ever did in a class. (The solution is to develop teachers
who are more singularly fascinating than the Internet, which is a difficult
challenge.)

~~~
jacquesm
> The solution is to develop teachers who are more singularly fascinating than
> the Internet, which is a difficult challenge.

That had me chuckling out loud. I think we'll see a certain game program for
sale before that will happen.

~~~
unalone
It's possible. My English teacher in junior year absolutely was. I went in the
first day, tried to pick a snarky fight with him over James Joyce, and then
stayed after class to talk to him about _Ulysses_ and Nabakov's _Lolita._ (
_Ulysses_ is one of my favorite novels.) By the end of the week, he'd
recommended two bands to me that I fell in love with; before winter, he lent
me his copy of _69 Love Songs_ , which profoundly affected how I looked at
music.

Later, he was the reason I befriended a kid I'd been at odds with for years,
an arrogant film buff. When we started to have extended discussions covering
literature, cinema, and music, I started looking for some of the films they
were mentioning, and in doing so became close friends with the film kid. It
led to one of the best summers of my life, driving around the state in his
Wrangler to get a copy of _Spaced_.

(Meanwhile, the class we met in was a half-year course filled with a ton of
kids with short attention spans, and he managed to get us to read something
like 7-8 books and a ton of short stories, and crammed us with 5 excellent
films in between.)

How you isolate people like that and identify them, I don't know. They exist,
though.

(Game program? What do you mean?)

~~~
jacquesm
Amazing story...

Identifying people like that really would be a mission worth undertaking, food
for thought there.

The game reference is a /. meme reference about 'duke nukem forever', a game
that has been in production since '97. The running gag is which will come
first: hell freezes over, duke nukem forever is released or the Hurd is
finished.

My money is on hell to freeze over :)

~~~
unalone
Rumor has it that the game'll be out by 2010. I saw the intro video myself.
(And wasn't Chinese Democracy finally released?)

------
cabalamat
Don't get caught.

~~~
gamache
Seconded. I cannot imagine any good will come of his getting caught. He should
keep his head down -- not tell ANYONE about what he did, even his friends --
and hope no one notices.

Whether he gets caught or not, this strikes me as a good lesson to learn
before he's 18.

~~~
cabalamat
> _not tell ANYONE about what he did, even his friends_

Indeed -- I suspect the proportion of criminals who were caught because they
bragged to their friends is quite high.

------
jacquesm
Why was it wrong ?

He shouldn't have been able to do it anyway. Compare it to a kid kicking
against a fence and finding out that it swings open.

Simply explain that if you have no business in a system that you should not
try to gain access, that should be plenty.

~~~
jacquesm
Up/down up/down, if you disagree say so.

Do you take offense at my suggestion this kid did nothing wrong ? Why is that
? Enlighten me, for all I have read above the sysadmin is the person in the
wrong, if a 13 year old can walk all over your system you ought to be looking
for a job (and one that does not include system administration).

~~~
kajecounterhack
_He didn't do any major damage_

What do you mean he didn't do anything wrong? If all he did was find a way
into their systems and report his findings of insecurity or something,
certainly there would be nothing wrong with that (as long as he's following
his terms of use for the school computers, also -- he's held to the rules of
the school as a student). But it appears as if he's done something, maybe he
didn't report what he discovered, that is indeed wrong.

And I agree, the sysadmin must be pretty incompetent, but that is still no
reason to be doing that. It's like saying "the lock on this safe is weak and
easily broken, so I will go ahead and break it to access the contents inside."
It's still a safe, you're still not supposed to break it. If you do, you
should immediately recommend to the owner that they get a stronger lock.

He's a typical (in a sense) 13 year old. This hardly warrants punishment. But
he should indeed put his talents to better use, and that's what the author of
this thread is asking. What would we recommend?

~~~
jacquesm
If the kid was properly instructed beforehand on what was acceptable and what
was not then you have a point, but the story does not relate that, hence my
question.

I'm assuming that this kid is just as curious as any other kid at that age,
and the systems should be set up accordingly.

This is trying to close the gate after the horse has bolted, ok, so he looked,
big deal. Now catch up on the educational bit about privacy and minding your
own business, case closed.

No need to make an issue out of it. The overreaction in these cases does more
damage than the event itself.

------
andreyf
Do what my parents did when I got suspended for "hacking":

1) Get him a new computer (but with a crappy video card, if he's into gaming)

2) Find him programming internships and introduce him to programmers you know

I would also add:

Tell him that he isn't a real programmer unless he understands Prolog,
Haskell, C, and a flavor of Lisp (Scheme/Arc), although Python might be a good
first language to start with. Be prepared to spend lots of $ on books - all of
these topics have books which work for different people. I would recommend:

The Little Schemer series: <http://www.ccs.neu.edu/home/matthias/BTLS/> and
Programming in Haskell <http://www.cs.nott.ac.uk/~gmh/book.html>

These are solidly good books, there are others, but they really depend on
personality.

------
vaksel
define "hacking", did he do anything complicated, or did he just guess a
password?

~~~
utnick
indeed, this could mean anything, i got sent to the principal one time for
having a windows dos command prompt open, no joke

Apparently it was actually a rule in the rulebook that you arent allowed to
use the command line because you can do 'great damage'. On most computers it
was disabled, but this was computer science class and we wrote console
applications in c++ (through visual studio ide) so it had to be enabled.

They called my mom, who isn't very computer savvy, and told her that I was
'hacking'. She was so mad at me. I got 1 detention and had to write a
handwritten note of apology. It was a pretty bad experience overall.

~~~
Zev
I'll see your DOS prompt and match you a "changed the desktop background and
inverted the screen colors" trip to the principles office.

They wanted to suspend me for two days for that one. Happily, I was able to
get another teacher to talk to the principal and explain that computers is
"his thing" and that just because it was _possible_ that I knew how to do
something doesn't mean that I _did_ do it.

------
thomasswift
Tell him to stop before he gets caught. Even though he didn't do any damage, a
school's administration will not take kindly to the potential threat that he
is.

here's one example, a quick google search - 69 felonies for stealing tests and
changing grades <http://www.tgdaily.com/content/view/38012/118/>

Also, even though he got in, I wouldn't attempt to notify them of their
breach, because again the school will probably go ballistic on him, I think
there was a news story about this, but what happened escapes me.

------
ErrantX
Your approach depends on a lot of things really.

I often thing, personallly, that whilst reading books/articles is good it
doesn't help instill a lot into a young hacker.

First I would buy him Kevin Mitnicks books. I recommend them to every new
hacker because: a) some of the stories are unbelievably inspiring! b) it's all
real life stuff c) he manages to tell the stories of these great hacks without
glamourising the illegality. It does a lot to prove hacking can be great fun
within legal bounds.

The next thing I would do is encourage him to get involved with a programming
community. Get him to learn a language and start ot play with it. :)

in terms of cracking (as opposed to hacking) sometimes pushing the boundaries
happens (either for personal reasons or professional). I would teach your
cousin that breaking the law is wrong. Breaking into the schools system is
(speaking technically) as bad as breaking into a microsoft server. But the
impact of the 2 activities (assuming it was simply to look both times) is very
different. Try to show him that experimenting with something like the school
system is fairly harmless but still wrong and he should take it no further
unless he has permission :) (offer the school a pen test :D)

Finally a lot of people are saying "teach him not to get caught"
(essentially). This is a most important lesson. I crack for a living (White
Hat I hasten to add) and one of the things that makes me good at that is
paying attention to covering my actions :)

------
jollyjerry
If your cousin is interested in doing that kind of work, why not suggest him
to volunteer with the school? All the other responses seem to romanticize the
rogue hacker. Instead, I think he should come clean, and do his work in the
public. He could offer to audit the school's network. For a 13 year old, this
would be a great opportunity to teach him to be professional and helpful.

~~~
tptacek
This is a fantastic way to get your cousin expelled from school, and to
provide him with a shiny new juvenile criminal record.

~~~
theotherjimmy
from my experince at 16, you are correct. volenteering with te school will get
you into trouble. get the kid a computer of his own with an open source
operating system on it. this is a) harder to break than windows and b) a more
friendly platform for exploration. I did this at 13, but my parrents are
hacker literate.

I cannot comment on ethics though, or parrenting. Both of my parrents were
computer scientists at one time in there carreer, and I still bounce Ideas off
of my father. Personaly, I think this is the best way to grow up with such a
skill set. my only regret is that I have not had much motivation to hack when
I can have a rely interesting discussion with my father.

------
kirse
Tell your cousin he gets about 3 more years of goofing around like that where
he should use the "stupid kid" or "I dunno" defense and get off scott-free or
with a slap on the wrist. Once he's an adult though, the kiddy stuff has to
stop.

If he's messing with financial systems or other serious stuff, give him a
_thwock_ on the skull and remind him that it would be unfair and immoral to
screw with the systems more than the CEOs and bankers already have. =)

------
melvinram
I'd tell him to set himself up for success. His activity was innocent this
time but by creating situations where he has the opportunity to do so not-so-
innocent things, he'll give in to the temptation someday. It's like working at
McDonalds or KFC: there is a big chance that you'll gain 2-3 lbs ever month
you work there because sooner or later, you'll eat there. He shouldn't put
himself into such situations where he can screw up. Bad decisions snow-ball.

------
pavel_lishin
My only advice is to go for B's. A will be too suspicious.

------
dylanz
Just let him know what the potential consequences are, and your recommendation
(which I'm assuming is to "not" continue).

See if there is any way you can spin this toward the "good", by possibly
having a meeting with the schools principal and systems admin. This is
obviously a crap shoot, but could possibly be beneficial to your son's
education.

------
soulstoler
World is full of hackers. Some hackers are good...some are bad. He needs to
choice his site in this thing. If he is "good" hacker, i suggest continue, if
he is "bad" hacker, he can hack into government networks without getting
caught. But if he gets caught, he goes to jail for a long time, maybe less
than 10 years.

------
markup
I'm guessing "war games" wouldn't help :-)

------
whalesalad
Just don't let him blog about it... my dumb ass did that and got expelled.
Best thing that ever happened to me, looking back, but it caused a whole lot
of turmoil.

------
teyc
Firstly make sure he realizes if he gets caught, the government is going to
ground him from coming near another computer for 20 years.

------
xenophanes
he didn't do anything wrong. congratulate him, and offer him links to some
things you think he may enjoy to learn more.

if you fear he will make mistakes, the best way to combat that is with
knowledge, not by taking the school's side against him and calling his great
success immoral.

------
mburns
Being smart is not an excuse to be lazy. Also, don't be stupid.

------
Allocator2008
Each man has a right to his own property, including his intellectual property.
Therefore it is wrong to "hack" if this means breaking into somebody's system
without their permission, because it is a violation of the right to property.
A copy of 'Atlas Shrugged' could drive this point home I think. But there are
great jobs in computer security, in which people can get payed to "break into"
systems to smell out the security flaws. This might be a positive way of
channeling this individual's skill set.

