Comment by IshKebab
4 years ago
That hasn't helped in the past. Frankly I think they were naive to reveal themselves no matter what the authorities said. It hasn't gone nearly as well for other people.
4 years ago
That hasn't helped in the past. Frankly I think they were naive to reveal themselves no matter what the authorities said. It hasn't gone nearly as well for other people.
The students were extremely lucky.
The advice given to me in high school (I was working on tech projects after school for several teachers and groups) was to not even try or explore poking around the IT networks it no matter how good my intentions were. All it takes is one grumpy school administrator to feel undermined or to misunderstand your report and you could be expelled.
When you're in a position like a student, you're still working your way up and building credibility. No need to risk it all for an IT group that doesn't want your security advice and didn't ask for your help.
Seconded, the same advice has also been given to me back in India.
"Know where your boundaries are and who your stakeholders are, don't do anything that will make your stakeholders look bad." It's a life advice given to me by my high school teacher that served me well in my professional life.
Yep - I, like many of my friends and people who are naturally curious and work today in "Cybersecurity" had fun, poked around - but once you found little data troves - it reveals how inept alot of people can be.
And you just volunteer to be thrown under the bus as that "hacker."
Anonymous, maybe. As a student, under 18 - you're "immune" from many things - but it can be a stain.
It doesn't stop at the student level. Find something at the corp level with an arrogant IT dept, and you'll find yourself in uncomforatable situations as well.
It's always fascinating how dramatically different schools can be. When I was in high school, in the late 1990s, nobody would have cared so much about something along these lines. At worst it would have resulted in a three day suspension from school and lecture from the principle.
He had already graduated, so expulsion wasn't an option.
Expulsion is one of the friendlier outcomes. Federal prosecution and prison time are also very realistic options here. It's happened to other well-meaning kids on many occasions.
He had already graduated when he wrote his blog post and told them, he was still a student when he performed the hacking.
I realize this is conjecture but I'm giving an example. Speaking from experience receiving "security reports" from users and students, often times they fail to understand the full picture of IT. As a student with no buy-in from the stakeholders, the risk isn't worth it.
For example, let's say this IoT network was managed by a vendor who, while having sloppy configuration practices, also had network monitoring looking for APT/anomalies (such as new connections in off-hours or unusual connection rates or bandwidth usage.)
While the student thinks they're being sneaky and hacking the system at night, opening ssh connections to a hundred devices from his laptop, there are now reports and alarms going off on a monitoring system. Some basic timestamps and VPN access logs would be enough to point to the student. So this student thinks they're creating an anonymous harmless prank, but the IT department is already investigating a malicious actor on their network. How do you think this would end?
The poster/hacker actually addresses this -- he doesn't reveal himself until after graduation, keeps his fellow hackers secret still, and mentions that he was most likely the prime suspect in the district anyway. Seems like a fair tradeoff if he wanted to make this blog post, though school districts could be nasty and litigious, I guess.
It's still a terrible idea to admit to committing a crime under your real name before the statute of limitations has run out
Is there even a statute of limitations for this kind of thing? Seems way better to just never admit to it at all.
1 reply →
Pretty sure there's nothing stopping the school district from retroactively recinding his graduation, or refusing to send transcripts to universities, or informing those universities of his transgressions, which would probably result in revoked admission.
He addresses this pretty well in the post imo. His co-conspiritors remained unnamed while he alone revealed himself because he wanted to publish this post and it's highly likely he would've been blamed anyway.