I also had the bright idea to try this on library computers and email kiosks around campus used by thousands of students. Rather than booting into Ophcrack I'd just log in with the admin account and run pwdump from a USB stick to collect password hashes. I figured out how to enumerate Windows machines over the network using NetBIOS and ran the pwdump utility remotely using psexec, so that I could hit every computer in the library at once, or every computer in a computer lab, etc.
I ended up cracking credentials for most students and faculty on the entire campus. I was really young at the time and thought this was some real cool James Bond shit. I never once used it for evil: never read anyone's email, never viewed anyone's private files, never poked around the academic file shares for test solutions, never tried to steal credit card numbers or social security numbers from the finance office's file share. It was purely a hack for the thrill of breaking down barriers and outsmarting the security. But MONTHS later, after I had long since grown tired of tinkering with this stuff, a couple of uniformed police officers pulled me out of Calculus class and took me downtown. They tossed my dorm room and confiscated my computer and my phone and every piece of digital storage I owned. The school threw the book at me, I guess because they were so embarrassed by their incompetence on display from being beaten by a 16-year-old.
(Posting on my alt account for obvious reasons.)
I don't understand this justification. The system owners can't know that to be true and have to proceed as if the systems are compromised. Would you still feel safe if a burglar broke into your house and left a note saying they didn't take anything?
Also, I didn't actually go in anyone's house. If passwords are really so inherently private even apart from their access implications, maybe we shouldn't be sharing Ken Thompson's old password.
Hell no. Otherwise you could just set up one gigantic crime by committing a bunch of small "no damage done" crimes along the way - say, stealing a string of credentials one at a time, but not actually using them until you have all of them together and then you commit your major heist/crime.
> I'd just log in with the admin account and run pwdump
I was a kid, I was stupid, but I wasn't an asshole. I didn't go peeking and violating people's privacy because that would have been a dick move. Just like tons of people on Hacker News today have access to personal data on SaaS systems we maintain and don't go peeking. Just like tons of people are perfectly capable of picking their neighbor's locks but don't walk into their house for no reason. It's not even tempting. I don't care what's in my neighbor's house, and I don't care what's in random other students' homework documents or email or whatever. The only interesting part was breaking the security.
SOURCE: am locksmith
That doesn't make it okay, but it certainly should result in a much lesser sentence than if the perpetrator had damaged or stolen property.
You really believe this? What makes you think you speak for people in general, or know the mind of the average burglar?
And how far does your equivalence view stretch? If someone trespasses and uses your pool, is that the same as taking your outdoor furniture? Why not?
Just make it more secure so the next people can have a bigger challenge.
You might feel safe if he didn’t, but you wouldn’t actually be safe, would you?
This is a problem: here GP is a hero, a hacker, a free spirit. But there is no point in romanticizing such behavior.
If you find a vulnerability in a system, you disclose it to the people that should know about it.
You can do that anonymously, or you can alert people in a subtle way.
What you don't do is sit on it and brag to people what a clever person you are.
I just cannot attribute something like that to altruism.
Dismissing the whistle-blower as a "kid, that wanted to just fuck someone over" is hardly fair.
You pretend that someone cracking everyone's password is not a problem that the organization should address or even know about.
We should not turn our gaze away. "This is not my problem" is simply not a correct response. Snowden knew that, and yet, some people call him a snitch and a traitor.
What an interesting alternate reality that would be.
You misspelled "prudent".
If you figured this out, it wasn't all that unlikely that a less scrupulous hacker could have.
(Not judging, both because I don't like to and because you were a kid.)
You broke rules for personal enjoyment and weren't even good enough to not get caught. You didn't beat them, they beat you. It doesn't matter if you went unnoticed for several months, the fact is standard monitoring and logs were your downfall. Nobody ever thinks of the log files and network monitoring tools as being part of security. Not being prevented from accessing the system is not the same thing as successfully hacking a system unless you aren't caught either.
Otherwise known as being young and in their formative years. Plenty of HN had similar experiences and luckily even 15 years ago this harsh view on teenage stupidity was in the minority.
He also doesn't seem to claim to be a l33t whatever.
> Not being prevented from accessing the system is not the same thing as successfully hacking a system unless you aren't caught either.
> You didn't beat them, they beat you.
They beat themselves, which was understandable back in the day but that's a popular narrative to this day. If a school kid with random scripts or untargeted ransomware gets into a system I put far more blame on the process that prevented them from being patched than said kid.