The fact that the administration didn't choose to sue them to oblivion is refreshing. I hope we'll see a trend in the future of educator being smart enough to admit that they made a mistake and to encourage the students to develop their talent.
Probably helps that "We prepared complete documentation of everything we did, including recommendations to remediate the vulnerabilities we discovered. We sent a comprehensive 26-page penetration test report to the D214 tech team and worked with them to help secure their network."
I find it annoying that people immediately assume incompetence and not inadequate staffing or conflicting priorities. I worked at a school district for a few years and we were woefully understaffed for what we had to cover. In situations like that you do what you have to so teachers can teach, move on to the next emergency, and hope like hell some self-important little shit doesn't burn everything to the ground.
That hasn't helped in the past. Frankly I think they were naive to reveal themselves no matter what the authorities said. It hasn't gone nearly as well for other people.
The advice given to me in high school (I was working on tech projects after school for several teachers and groups) was to not even try or explore poking around the IT networks, no matter how good my intentions were. All it takes is one grumpy school administrator to feel undermined or to misunderstand your report and you could be expelled.
When you're in a position like a student, you're still working your way up and building credibility. No need to risk it all for an IT group that doesn't want your security advice and didn't ask for your help.
Seconded, the same advice has also been given to me back in India.
"Know where your boundaries are and who your stakeholders are, don't do anything that will make your stakeholders look bad." It's a life advice given to me by my high school teacher that served me well in my professional life.
Yep - I, like many of my friends and people who are naturally curious and work today in "Cybersecurity", had fun, poked around - but once you found little data troves - it reveals how inept a lot of people can be.
And you just volunteer to be thrown under the bus as that "hacker."
Anonymous, maybe. As a student, under 18 - you're "immune" from many things - but it can be a stain.
It doesn't stop at the student level. Find something at the corp level with an arrogant IT dept, and you'll find yourself in uncomfortable situations as well.
It's always fascinating how dramatically different schools can be. When I was in high school, in the late 1990s, nobody would have cared so much about something along these lines. At worst it would have resulted in a three day suspension from school and a lecture from the principal.
Expulsion is one of the friendlier outcomes. Federal prosecution and prison time are also very realistic options here. It's happened to other well-meaning kids on many occasions.
He had already graduated when he wrote his blog post and told them, he was still a student when he performed the hacking.
I realize this is conjecture but I'm giving an example. Speaking from experience receiving "security reports" from users and students, oftentimes they fail to understand the full picture of IT. As a student with no buy-in from the stakeholders, the risk isn't worth it.
For example, let's say this IoT network was managed by a vendor who, while having sloppy configuration practices, also had network monitoring looking for APT/anomalies (such as new connections in off-hours or unusual connection rates or bandwidth usage.)
While the student thinks they're being sneaky and hacking the system at night, opening ssh connections to a hundred devices from his laptop, there are now reports and alarms going off on a monitoring system. Some basic timestamps and VPN access logs would be enough to point to the student. So this student thinks they're creating an anonymous harmless prank, but the IT department is already investigating a malicious actor on their network. How do you think this would end?
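The monitoring scenario the commenter sketches above (off-hours SSH connections fanning out from one laptop to many devices, then VPN session logs tying that address to a person) is easy to show in code. What follows is an added example written for this page; it is not part of the thread, the original blog post, or any product. The log formats, addresses, hostnames, user names, the 22:00 to 06:00 window and the fan-out threshold are all constructed assumptions for illustration.

```python
"""Toy off-hours SSH fan-out detector with VPN-log attribution.

Added example, not from the thread. Every log line below is constructed;
real firewall/NetFlow and VPN exports have their own formats.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed connection records: "<iso timestamp> <src_ip> <dst_ip> <dst_port>"
CONN_LOG = [
    # one VPN-assigned address opening SSH to six distinct devices at 02:11
    "2019-05-03T02:11:04 10.8.0.23 10.20.1.10 22",
    "2019-05-03T02:11:05 10.8.0.23 10.20.1.11 22",
    "2019-05-03T02:11:05 10.8.0.23 10.20.1.12 22",
    "2019-05-03T02:11:06 10.8.0.23 10.20.1.13 22",
    "2019-05-03T02:11:06 10.8.0.23 10.20.1.14 22",
    "2019-05-03T02:11:07 10.8.0.23 10.20.1.15 22",
    "2019-05-03T02:11:07 10.8.0.23 10.20.1.15 22",   # repeat target, not new
    "2019-05-03T02:12:00 10.8.0.23 10.20.1.50 443",  # not SSH, ignored
    # night-shift admin touching two boxes: below the fan-out threshold
    "2019-05-03T23:40:00 10.8.0.7 10.20.1.10 22",
    "2019-05-03T23:41:00 10.8.0.7 10.20.1.11 22",
] + [
    # vendor account hitting six devices, but during business hours
    f"2019-05-03T10:30:{i:02d} 10.8.0.41 10.20.1.{10 + i} 22" for i in range(6)
]

# Constructed VPN session records: "<login> <logout> <user> <assigned_ip>"
VPN_LOG = [
    "2019-05-03T01:58:40 2019-05-03T03:05:12 jdoe 10.8.0.23",
    "2019-05-03T09:00:00 2019-05-03T17:00:00 svc-vendor 10.8.0.41",
    "2019-05-03T23:30:00 2019-05-04T00:15:00 nightadmin 10.8.0.7",
]

OFF_HOURS = (time(22, 0), time(6, 0))  # assumed quiet window, wraps midnight
FANOUT_THRESHOLD = 5                   # assumed: distinct SSH targets per source


def is_off_hours(ts, window=OFF_HOURS):
    """True if ts falls inside the window; handles a window that wraps midnight."""
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def parse_conn(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_ssh_fanout(lines, threshold=FANOUT_THRESHOLD):
    """Map src_ip -> (first_seen, sorted distinct targets) for sources that
    opened SSH (tcp/22) to at least `threshold` distinct hosts off-hours."""
    targets = defaultdict(set)
    first_seen = {}
    for line in lines:
        ts, src, dst, port = parse_conn(line)
        if port != 22 or not is_off_hours(ts):
            continue
        targets[src].add(dst)
        first_seen[src] = min(ts, first_seen.get(src, ts))
    return {src: (first_seen[src], sorted(hosts))
            for src, hosts in targets.items() if len(hosts) >= threshold}


def attribute_via_vpn(src_ip, when, vpn_lines):
    """Return the VPN user who held src_ip at `when`, or None if no session matches."""
    for line in vpn_lines:
        login, logout, user, ip = line.split()
        if ip == src_ip and datetime.fromisoformat(login) <= when <= datetime.fromisoformat(logout):
            return user
    return None


def investigate(conn_lines, vpn_lines):
    """Correlate fan-out alerts with VPN sessions; one dict per alerting source."""
    alerts = []
    for src, (first, hosts) in detect_ssh_fanout(conn_lines).items():
        alerts.append({"src": src, "first_seen": first, "targets": len(hosts),
                       "user": attribute_via_vpn(src, first, vpn_lines)})
    return alerts


if __name__ == "__main__":
    for a in investigate(CONN_LOG, VPN_LOG):
        print(a)
```

The point is how little is needed: a per-source count of distinct SSH targets inside a quiet window, and a time-bounded lookup in the VPN session table, already names a person. In a real environment the window and threshold would be tuned per site, and attributing an address would also need DHCP and NAT records, but the student in the scenario has no way of knowing whether any of this is running.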
The poster/hacker actually addresses this -- he doesn't reveal himself until after graduation, keeps his fellow hackers secret still, and mentions that he was most likely the prime suspect in the district anyway. Seems like a fair tradeoff if he wanted to make this blog post, though school districts could be nasty and litigious, I guess.
Pretty sure there's nothing stopping the school district from retroactively rescinding his graduation, or refusing to send transcripts to universities, or informing those universities of his transgressions, which would probably result in revoked admission.
He addresses this pretty well in the post imo. His co-conspirators remained unnamed while he alone revealed himself because he wanted to publish this post and it's highly likely he would've been blamed anyway.
It can get pretty messy. For example, they could wait until they're 21 to try them as an adult, even if it was committed at 17 or younger [0 p. 128]:
> a person who committed the offense before his eighteenth birthday, but is over twenty-one on the date formal charges are filed, may be prosecuted as an adult.... This is true even where the government could have charged the juvenile prior to his twenty-first birthday, but did not.
However, the statute of limitations for CFAA violations is 2 years [1 p. 2] so this might not apply. If somehow they can still go after him at 21, this post could play a part in evidence for performing the hack (I truly hope not).
The newest policy is to charge minors as adults unless there's a compelling and beneficial reason not to. I think that was a DOJ change around 2009. Not sure how many states followed suit. But in general, it's increasingly likely that minors are being charged as adults.
I was suspended for a week for creating a network share in my typing class and dividing the work among my friends, and we copied and pasted into a single document on the share. This was on Windows NT though, so a LONG time ago. It's also I guess "cheating". But they got us on "computer hacking".
Also in my typing class circa 2004 the teacher was about to kick me out because he thought I was on a chat room during his class. I was actually viewing page source on an HTML document.
Same thing here. Teacher came into class with his multiple month investigation comparing all students work highlighting common errors. Found three different groups that were sharing work load. In school suspension for all of us, only like three kids left in class for the week.
25 years ago wasn’t any better… I recall several in my circle getting suspended for harmless things. The lesson: don’t explore, don’t be curious, and don’t try to fix anything related to the school and computers. Sigh.
Consent is paramount when doing that type of exploration. Without explicit permission, how would an IT administrator distinguish the difference between a curious student and a malicious attacker?
You're not wrong, but I think it might be helpful to think of this in different terms. Teenagers, with burgeoning agency, are being denied the ability to meaningfully impact their environment yet are bound to it for most of their lives.
I agree with you that explicit permission is important, but it is also something that young people are frequently and explicitly denied. I don't think the solution is condoning that sort of 'extracurricular', but I think we should recognize the problem is probably starting with the adults in the situation.
You would think so, only this is a bit opaque when dealing with a local school and a district bureaucracy with various computer labs, internet and phone systems. As a student, you may think that the right person to ask is the local teacher who has control of the asset. Especially if that teacher has been assigned IT duties.
But to many school administrators consent of teachers is meaningless. Those assets aren't owned by the teachers but by the district, even if they are the apparent authority figures and stewards in the eyes of the students.
People on HN always act like what they were doing was almost noble. You weren't. If you had been picking locks or even rummaging around unlocked desk drawers you'd get the same treatment and deserve it.
Yep. What they did was wrong. And by doing so they threw themselves at the mercy of the entity they hacked. The refreshing part is that the entity did the morally right thing and showed mercy.
except in the case of my home all my doors were unlocked. I would definitely appreciate a paper about how to secure my home, especially if the intruder took great care not to cause any damage or disturbance.
Not to diminish your comment, but a thing I've found late my career is to abandon dogma when it comes to young folks learning. If they can learn with PowerShell, they're a lot better off than a lot of young folks! There is no one-true-way and as soon as you find it, another generation will show up with another-true-way :)
You're glad to see them using the ancient clusterfuck that is Bash, and not a modern relatively sane shell that is indisputably the most seminal shell in the last 30 years?
Nah, I actually used PowerShell before bash because I did a lot of Android hacking stuff before learning to code. I worked with PowerShell 3, PowerShell 4 and PowerShell 5. PowerShell 3 was the most painful thing to work with. No state across sessions, the defaults were shit so I had to reconfigure more often than not. Slow, painful, buggy... Around the same time I learned how to bash pretty well in two days, use rsync, use ssh, use sed and awk... PowerShell 3 was shit compared to this.
Then I used PowerShell 4, I guess it was better but honestly I don't think I've used it very much. PowerShell 5 might be better than bash for 90% of the dev population though.
Credit where credit is due, we all WISH *nix had something like PowerShell. Passing strings from program to program is a pain, passing around .NET objects instead is a great step forward, as can be seen by the several attempts at similar shells passing around JSON objects.
PowerShell has been available on Linux via .NET Core since 2016 and version 6.0. Even my Windows box with PowerShell 5.1 likes to remind me of this fact every time I start it:
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
There have been REPLs like PowerShell for ages, it's nothing really new. The only nuance in this is that it is new in the Windows ecosystem to have something like that supported by Microsoft. Ironically, it hasn't managed to displace the command prompt or batch files, so instead of having to deal with one thing, you now have to deal with two things.
As for the passing of strings: it might seem like a pain, but as soon as you start working with non-program I/O it's not like you'll have much of a choice. Keep in mind that it is the lowest form of communication and you can build on top of that. Same with I/O in general: nothing prevents you from using shared memory or a device instead.
> Ironically, it hasn't managed to displace the command prompt or batch files
I don't think they expect that people would rewrite their old scripts. That is actually silly to consider. Even with console vs terminal, they are concerned about backward compatibility and leaving it as is:
> Windows Console will continue to ship within Windows for decades to come in order to ensure backward compatibility with the many millions of existing/legacy command-line scripts, apps, and tools
They could just have an alternative interpreter mode to support batch files, or even have a cmdlet that does just that. If people like to point and click, associate that with a cmdlet (they can do that, right?) and there you go.
And behind the scenes of internet-based services there's a whole ecosystem of "how can we do shit more robustly than just passing strings around" (or even for "better than XML or JSON").
> Credit where credit is due, we all WISH *nix had something like PowerShell.
Who is "we"? I've worked exclusively on a Windows stack so used PowerShell on the job. But at home, I use bash. I don't want something like PowerShell in *nix and don't use PowerShell on *nix even though it's been available on *nix for many years now.
> Passing strings from program to program is a pain
You can argue it's the basis of computer science and also pretty efficient.
> passing around .NET objects instead is a great step forward, as can be seen by the several attempts at similar shells passing around JSON objects.
Passing around objects can be slow, inefficient, wasteful, etc though it can be convenient.
If you are on a windows stack then go with powershell. If not, then go with bash. Nobody should be on a windows stack but sadly, much of the business world has been captured by microsoft.
>The school would not have any say about whether or not this happens.
Schools are members of the local government "club". Prosecutors don't generally burn political capital giving the bird to other members of the club like that without a good reason.
One can only hope.