Comment by nielsbot

4 years ago

Probably helps that "We prepared complete documentation of everything we did, including recommendations to remediate the vulnerabilities we discovered. We sent a comprehensive 26-page penetration test report to the D214 tech team and worked with them to help secure their network."

In many cases, a 26-page report documenting the incompetency of a team would not be taken kindly.

  • I find it annoying that people immediately assume incompetence and not inadequate staffing or conflicting priorities. I worked at a school district for a few years and we were woefully understaffed for what we had to cover. In situations like that you do what you have to so teachers can teach, move on to the next emergency, and hope like hell some self-important little shit doesn't burn everything to the ground.

That hasn't helped in the past. Frankly I think they were naive to reveal themselves no matter what the authorities said. It hasn't gone nearly as well for other people.

  • The students were extremely lucky.

    The advice given to me in high school (I was working on tech projects after school for several teachers and groups) was to not even try or explore poking around the IT networks no matter how good my intentions were. All it takes is one grumpy school administrator to feel undermined or to misunderstand your report and you could be expelled.

    When you're in a position like a student, you're still working your way up and building credibility. No need to risk it all for an IT group that doesn't want your security advice and didn't ask for your help.

    • Seconded, the same advice has also been given to me back in India.

      "Know where your boundaries are and who your stakeholders are, don't do anything that will make your stakeholders look bad." It's life advice given to me by my high school teacher that served me well in my professional life.

    • Yep - I, like many of my friends and people who are naturally curious and work today in "Cybersecurity" had fun, poked around - but once you found little data troves - it reveals how inept a lot of people can be.

      And you just volunteer to be thrown under the bus as that "hacker."

      Anonymous, maybe. As a student, under 18 - you're "immune" from many things - but it can be a stain.

    • It doesn't stop at the student level. Find something at the corp level with an arrogant IT dept, and you'll find yourself in uncomfortable situations as well.

    • It's always fascinating how dramatically different schools can be. When I was in high school, in the late 1990s, nobody would have cared so much about something along these lines. At worst it would have resulted in a three-day suspension from school and lecture from the principal.

  • The poster/hacker actually addresses this -- he doesn't reveal himself until after graduation, keeps his fellow hackers secret still, and mentions that he was most likely the prime suspect in the district anyway. Seems like a fair tradeoff if he wanted to make this blog post, though school districts could be nasty and litigious, I guess.

    • Pretty sure there's nothing stopping the school district from retroactively rescinding his graduation, or refusing to send transcripts to universities, or informing those universities of his transgressions, which would probably result in revoked admission.

  • He addresses this pretty well in the post imo. His co-conspirators remained unnamed while he alone revealed himself because he wanted to publish this post and it's highly likely he would've been blamed anyway.