
I was expelled from university for pulling off the exact same exploit with the "workstation only" feature in Novell. In my case, they put a computer in every dorm room, and every single one of them had a domain-wide administrator account cached in its SAM file. It was inevitable that a student would find it. It's been almost 15 years now but I believe the password was rac3c4r or something trivial like that. I ran Ophcrack overnight and in the morning I had admin access to every machine on campus.

I also had the bright idea to try this on library computers and email kiosks around campus used by thousands of students. Rather than booting into Ophcrack I'd just log in with the admin account and run pwdump from a USB stick to collect password hashes. I figured out how to enumerate Windows machines over the network using NetBIOS and ran the pwdump utility remotely using psexec, so that I could hit every computer in the library at once, or every computer in a computer lab, etc.

I ended up cracking credentials for most students and faculty on the entire campus. I was really young at the time and thought this was some real cool James Bond shit. I never once used it for evil: never read anyone's email, never viewed anyone's private files, never poked around the academic file shares for test solutions, never tried to steal credit card numbers or social security numbers from the finance office's file share. It was purely a hack for the thrill of breaking down barriers and outsmarting the security. But MONTHS later after I had long since grown tired of tinkering with this stuff, a couple of uniformed police officers pulled me out of Calculus class and took me downtown. They tossed my dorm room and confiscated my computer and my phone and every piece of digital storage I owned. The school threw the book at me, I guess because they were so embarrassed by their incompetence on display from being beaten by a 16 year old.

(Posting on my alt account for obvious reasons.)






> I never once used it for evil: never read anyone's email, never viewed anyone's private files, never poked around the academic file shares for test solutions, never tried to steal credit card numbers or social security numbers from the finance office's file share.

I don't understand this justification. The system owners can't know that to be true and have to proceed as if the systems are compromised. Would you still feel safe if a burglar broke into your house and left a note saying they didn't take anything?


It's not a justification. What I did was wrong. I'm just telling you what I did and why I did it. I wasn't interested in hurting anyone or in gaining any advantage for myself, only in breaking the system.

Also, I didn't actually go in anyone's house. If passwords are really so inherently private even apart from their access implications, maybe we shouldn't be sharing Ken Thompson's old password.


Yes, a good defense against a charge of burglary would be not having stolen anything. In an imaginary perfect criminal justice system, charges/penalties are based on damage done. Less damage done is a lesser crime.

I was expelled for the same reason and here's what the school admins said about it. https://www.sandiegouniontribune.com/pomerado-news/sdpn-rbhs...

> In an imaginary perfect criminal justice system, charges/penalties are based on damage done.

Hell no. Otherwise you could just set up one gigantic crime by committing a bunch of small "no damage done" crimes along the way - say, stealing a string of credentials one at a time, but not actually using them until you have all of them together and then you commit your major heist/crime.


Mens rea is an important consideration so it's not just about damage done (though the fear a key could be used in pursuit of a worse crime is also a harm) but the intent/recklessness of an act.

Well, the imaginary perfect criminal justice system would probably arrest you right as you had completely committed to causing the damage, instead of afterwards. But it should still be justifying the arrest based on the act that caused damage, not the harmless acts that set you up to be ready to do it.

Ah, like Minority Report

The crime in this hypothetical degrades from Burglary to Trespass, not "no crime."

A burglar might kill someone, book them on home invasion charges even if the house was empty.

Lesser punishment doesn't mean no punishment. Furthermore, you can always argue that the intent is to commit a major crime.

Isn't this more like duplicating everyone's house key? He never actually went into the houses.

Except he went in the Admin's house:

> I'd just log in with the admin account and run pwdump


Just to be clear, in case this matters, it wasn't an account belonging to an administrator, it was a default superuser account called (if I remember right) "TECH" in all caps, and didn't have any files or anything in it. It's not like it was a person and I was poking around their private stuff.

Only if you can know he didn't actually go in. Even now, do you believe he never looked at a single private file?

What possible reason would I have to lie about it? You think I'm worried about investigators raiding my VPN service so they can track down and charge a grown-ass man in juvenile court for something that happened 15 years ago? You think I'm worried about my reputation on this throwaway account with a grand total of five previous comments? What's the point in believing that this whole escapade happened at all if you're going to randomly doubt a particular element of it?

I was a kid, I was stupid, but I wasn't an asshole. I didn't go peeking and violating people's privacy because that would have been a dick move. Just like tons of people on Hacker News today have access to personal data on SaaS systems we maintain and don't go peeking. Just like tons of people are perfectly capable of picking their neighbor's locks but don't walk into their house for no reason. It's not even tempting. I don't care what's in my neighbor's house, and I don't care what's in random other students' homework documents or email or whatever. The only interesting part was breaking the security.


If someone secretly stole my key and made a copy of it, I hope the court would send them to jail, regardless of why they made the copy.

No, it's generally not illegal to copy someone's key. It's illegal to STEAL the key, of course, but copy? Not a crime. Some states have laws that prohibit "providing access" to a government facility which can be applied to copying government keys, but your house key? Nope.

SOURCE: am locksmith


> Would you still feel safe if a burglar broke into your house and left a note saying they didn't take anything?

That doesn't make it okay, but it certainly should result in a much lesser sentence than if the perpetrator had damaged or stolen property.


No. The serious crime is breaking in. Usually when someone's house is broken into they don't care about the stuff at all. They care that their personal space and sense of security has been violated. Also the criminal doesn't know what they'll find when they get in but they are setting up a situation that can escalate quickly. Kids home alone? Someone with a shotgun? The very act of breaking in means they are ready to commit violence. If someone breaks into our house and sleeps there all weekend while we are on vacation, but doesn't take anything, does that deserve a lesser sentence than if they took a $100 TV? Not in my opinion.

"The very act of breaking in means they are ready to commit violence."

You really believe this? What makes you think you speak for people in general, or know the mind of the average burglar?

And how far does your equivalence view stretch, if someone trespasses and uses your pool is that the same as taking your outdoor furniture? Why not?


Well that's an opinion, but not how the law actually works, where misdemeanor/felony levels and minimum sentencing are based in dollar value stolen.

The purpose of the whole system is education. He used it exactly for that.

Just make it more secure so the next people can have a bigger challenge.


It was clearly an illusion of safety to begin with if they broke in. At that point you're at least informed, and it didn't cost you anything.

> Would you still feel safe if a burglar broke into your house and left a note saying they didn't take anything?

You might feel safe if he didn’t, but you wouldn’t actually be safe, would you?


Feelings are more important than reality!

See: NSA and mass surveillance

Yes! The SAM! It’s all coming back to me now.

Do you know how they ended up finding out about it and catching you?

Yeah. My technical tracks were covered. It was the roommate of one of my friends. He overheard me talking about it and ratted me out.

It's always that kid. I did something similar in high school with luckily no serious repercussions but yup it was another kid who ratted me out. I could have changed my grades and stuff but luckily I was pretty content. The network admin who I really looked up to and asked lots of technical questions vouched for me. I think the fact that I only played around with the admin account for fun and never touched anything else helped my case.

What a punk

That is an understatement. I wonder what kind of backstabber he grew up to be :/

The concerned kind. Refusing to keep their mouth shut when others exploit the system.

This is a problem, here GP is a hero, a hacker, a free spirit. But there is no point in romanticizing such behavior.

If you find a vulnerability in a system, you disclose it to the people that should know about it. You can do that anonymously, or you can alert people in a subtle way.

What you don't do is sit on it and brag to people what a clever person you are.


What the OP did is (in this case) irrelevant to what the asshole did. There were multiple ways he could have gone about dealing with the situation that did not involve fucking someone over, but he chose to do that instead.

I just cannot attribute something like that to altruism.


Listen, knowing only OP's side of the story it's easy to sympathize. Especially if he's a part of our in-group of technical people.

Dismissing the whistle-blower as a "kid, that wanted to just fuck someone over" is hardly fair.


snitch

I was wondering when this one would come up. "Snitches end up in ditches" mentality is at fault here.

You pretend that someone cracking everyone's password is not a problem that the organization should address or even know about.

We should not turn our gaze away. "This is not my problem" is simply not a correct response. Snowden knew that, and yet, some people call him a snitch and a traitor.


Probably a politician.

wow, that's very scummy. That must feel worse than them finding you because you slipped up technically.

I think that if someone boasts that they've cracked everyone's password, reporting them is the right thing to do.

Perhaps the discretionary thing to do in the case where the perpetrator is relatively whitehat is to mention to IT that "it appears common knowledge that all admin passwords are compromised" without exposing their identity.

High school kids or uni students being discretionary?

What an interesting alternate reality that would be.


> wow, that's very scummy.

You misspelled "prudent".


good citizen

Can't help but wonder, didn't you think about reporting this, anonymously at least?

If you figured this out, it wasn't all that unlikely that a less scrupulous hacker could have.

(Not judging, both because I don't like to and because you were a kid.)


Sigh, I grow tired of pointing this out, but if they were able to figure out someone was doing this, and even who it was, then you weren't a l33t hacker. You used common tools and used a known exploit that people were watching.

You broke rules for personal enjoyment and weren't even good enough to not get caught. You didn't beat them, they beat you. It doesn't matter if you went unnoticed for several months, the fact is standard monitoring and logs were your downfall. Nobody ever thinks of the log files and network monitoring tools as being part of security. Not being prevented from accessing the system is not the same thing as successfully hacking a system unless you aren't caught either.


> You broke rules for personal enjoyment and weren't even good enough to not get caught.

Otherwise known as being young and in their formative years. Plenty of HN had similar experiences and luckily even 15 years ago this harsh view on teenage stupidity was in the minority.

He also doesn't seem to claim to be a l33t whatever.

> Not being prevented from accessing the system is not the same thing as successfully hacking a system unless you aren't caught either.

> You didn't beat them, they beat you.

They beat themselves, which was understandable back in the day but that's a popular narrative to this day. If a school kid with random scripts or untargeted ransomware gets into a system I put far more blame on the process that prevented them from being patched than said kid.


He points out below that he was caught because another student overheard him discussing it and ratted on him. I feel like a real hacker wouldn't make a bunch of untested assumptions about situations they have no context for.

Real Hacker™


