Comment by mmaunder
4 years ago
Someone I know did something similar, was arrested in their college dorm, and at the sentencing hearing in federal court was fined and sentenced to 5 years probation, and now has a criminal record.
This kid is very very lucky. Obviously they violated the CFAA which carries severe criminal penalties. They engaged in actual hacking without any permission or defined scope. And they exploited the system without any responsible disclosure process.
Anyone in the field will tell you that this is an absolute disaster of a post because it sends the signal to other young aspiring cybersecurity professionals that this is OK, and the school will laugh it off, and you'll be seen as an adorable Matthew Broderick type Wargames character. I can't overemphasize how far this is from the truth in 2021.
Absolutely do not access systems you are not allowed to. If you do want to do penetration testing, you need permission from the systems owner and a clearly defined scope. And when you do find issues, you don't exploit them, you responsibly disclose them within a clearly defined framework.
If you want to end up with a criminal record that will profoundly affect the rest of your life, including your career prospects and ability to travel internationally, then by all means, do what this guy did.
I wish it wasn't so. It never used to be. But this is how it is now. Overzealous prosecutors have been given a huge amount of power, and all you need is one embarrassed systems administrator, school board or management team to trigger a disastrous outcome in stories like this.
Posts like yours validate the insane over criminalization of what essentially amounts to a prank. I had literally the exact same experience in high school. Got expelled and had to get a GED. They could have easily pressed charges.
Part of the issue is people like you who advocate for respecting "the system" and essentially scaring kids into not doing anything. Except that simply reinforces the draconian laws that are currently in place. If more kids rebelled and this was a regular occurrence it would help to desensitize society to digital pranks instead of always treating these kids like terrorists.
GP isn't validating over criminalization. GP is trying to steer people clear of catching charges. The end result for both is, "Don't hack your school district for a prank," but the contexts of the two are very different. Students' minds are still developing. You can tell them not to respect Draconian laws surrounding hacking, but do the students understand what's at stake?
Yes, students get in trouble all the time, but most of the consequences for their stupidity are slaps on the hand. Lunch in a classroom, a parent-teacher conference, after school detention, in-school suspension, getting grounded - none of these things carry civil or criminal charges that are a matter of record. What should be a harmless prank can turn into life-altering civil and criminal charges. With high school kids, things quickly go from, "I hacked the school network to do a Rick Roll; they laughed and sent me on my way," all the way to, "I gave my friend the exploit to do something similar; I didn't know he was going to change everyone's grades to 69%."
Further, I would not want to teach in a district where students doing digital pranks is the norm. I volunteer at a high school. Unchecked digital pranks would quickly turn into a constant stream of disruptions. Everyone would think that their prank is better than the last.
Unfortunately, "desensitizing" people to existing law by illegal rebellions is a Pyrrhic victory at best when the consequences are so impactful to the individuals that martyr for The Cause.
There are processes for changing the laws without sending kids to jail, having to treat kids like terrorists, or potentially making the law even harsher because it isn't effective enough to dissuade lawbreaking. If the laws feel draconian, perhaps following those processes might be a better approach to change the system without as many sacrifices.
>There are processes for changing the laws without sending kids to jail, having to treat kids like terrorists, or potentially making the law even harsher because it isn't effective enough to dissuade lawbreaking.
And none of them work, or will ever work in this oligarchy. The rich own the congress, and the senate, and they benefit greatly from these things. America hasn't been a functioning republic in at least 50 years.
I don't understand this response. Having been on the wrong end of it you should be advocating harder than anyone to teach kids the complexities of cybersecurity law and ensure they can make the right decisions rather than throw away their future over a stupid prank. There is no "validation" happening here, the OP is just stating reality. Random high schoolers' rebellions aren't going to result in Congress overturning the Computer Fraud and Abuse Act and a hundred related laws.
> ensure they can make the right decisions rather than throw away their future over a stupid prank.
Is it a good system if a "stupid prank" can "throw away your future" ?
This is a very complicated problem.
Unless you kill someone I generally don’t believe in life long criminal records. They only serve to drive people into further criminality.
I imagine for a robbery you could get 5 years in prison, 5 years with it on your record and then automatically get it expunged.
Back to the topic at hand, what if the IT hack stopped people from getting paid on time. How many suffered emotional distress? Evictions can literally cause suicide.
Maybe someone can’t afford medication, skip it and have a stroke.
The entire criminal justice system is broken. So you did something stupid at 20, at 46 you still can’t find a job due to your record.
People want simple easy solutions. Things are much more complicated. If you release a dozen felons 5 years early and 2 go on to commit horrific crimes it’s easy to ignore the good the other 10 did.
I dunno. Assault that permanently injures someone, rape, kidnapping, and trafficking are lifelong scarring for the victims. I may not rank computer hacking or selling drugs as deserving of a permanent record, but there are lots of other violent crimes short of homicide that do.
> The entire criminal justice system is broken. So you did something stupid at 20, at 46 you still can’t find a job due to your record.
Welcome to the War On Redemption. Primary participants are the harmful people who create these systems and the people who remain silent while countless lives are ruined for no good result.
I don't think it's the record's duty to keep you from being employed. That's the employer's decision.
Even if I agree that it's a dumb practice, you're proposing a world where employers are free to refuse your hire if you (eg.) were fired from a job 26 years ago, but not because you were convicted of a crime.
I don't think telling kids not to narc on themselves "validates the insane over-criminalization". I think telling legislators or parents would, though.
The comment didn't say "respect the system", it said to deal in the realpolitik and don't try to effect legislative change by ruining your life as a high school student.
Probably better to try and reform the law instead of suggest children break the law and ruin their lives.
Clarifying that the ruination of lives here is the direct result of profoundly bad laws that inappropriately criminalize benign behaviors.
> a prank
Why do we tolerate pranks? You shouldn't be able to interfere with someone else and say 'just a prank bro'. Leave other people's things alone. Don't create work for other people. Don't bother people just trying to do their jobs. Don't impose your sense of humour on others. These all seem like basics to me?
If you think someone's funny? Great. Just don't bother other people with it. Do it with your own stuff, not other people's.
> Why do we tolerate pranks?
Pranks can be an outlet for creativity and learning that might not otherwise happen.
The post concludes with:
> This has been one of the most remarkable experiences I ever had in high school and I thank everyone who helped support me. That's all and thanks for reading!
I'm certain this kid learned so much working through the execution of this prank, and without being criminalized by the district, he's better off for it. Likewise, the IT department is better off with a more secure system, and staff and students experienced shared moments of unexpected joy.
Call me naive, but I'd say this kid made his small slice of the world a bit better, if only for a fleeting moment.
> Why do we tolerate pranks?
As the author points out early on in this article, most school districts would not have tolerated a prank like this. In fact this is the only example I know about a prank this big that got the response of toleration the author documented in the article.
> You shouldn't be able to interfere with someone else and say 'just a prank bro'.
The students made a report of what they did and presented it to the administration.
I guess to be generous I could reinterpret your concern to be, "Do students in every school district in the U.S. get to avoid criminal prosecution under the draconian CFAA by constructing a complex hack tailored to avoid interrupting regular school business, then writing up a report and giving a powerpoint presentation to an apparently enlightened and tech-savvy administration to help them strengthen their network defenses?" In that case, point taken.
By saying that you're imposing your sense of humor on others too (as in, the prankster's sense of humor is "pranks are funny"; your sense of humor is "pranks are not funny"; according to your comment your stance is that pranks shouldn't be tolerated). You don't have to laugh, and you're free to say you don't like pranks. But tolerating other people's opinions/sense of humor/whathaveyou seems like basics to me.
(Maybe we just have different experiences and thus different definitions of the word.)
Many criminal cases require establishing intent. Pranks may be harmful as you allude to, but the intent still matters.
> validate the insane over criminalization
I think you misread the GP. He's not defending the system, just describing it, and how the OP was lucky that the people in charge were unusual and open-minded. He's warning others that the risk/reward implied by the OP's experience is misleading.
I suspect that most commenters on this site applaud the kid's adventurousness and style. A great hack! But we are uniquely aware of how rare it is that anyone with authority, school administrators or law enforcement, would show any leniency or self-restraint in these cases. On balance, the instinct seems to go for the jugular, dehumanize the kid as a criminal hacker, and ruin his life. No-one is saying that's good, or reasonable. It's just how it is.
Warns kids against jumping off cliffs. Accused of causing gravity.
We need to have harsh penalties for this. People who don't understand the complex systems they were able to access might introduce vulnerabilities that more malicious entities can exploit. An example of this would be a student at a university accessing the internal network (intranet) from a physical terminal in a building, and accidentally disabling a firewall (say to play a video from a remote location). In doing so, it's no longer just a prank as they may have exposed the entire internal network to outside internet.
This is a super basic example, but it serves to illustrate my point. It's not just a prank bro, even when it is.
What? How is warning someone that they are going to ruin their lives the same as endorsing it?
Ah, 2021, such sad times, where we squash our creativities in fear of the police, where you'd think twice before doing something like one of the MIT hacks http://hacks.mit.edu ...
I do wonder if they could've secured themselves with VPN and "untraceable" anonymous emails (e.g. asking for a guarantee that they won't be sued/charged), although the teenage bragging rights would've been too tempting.
I wonder if it was possible for the hacker to ask a lawyer to represent them anonymously and make a contract, something like the district promises not to file criminal charges, and if they violate this deal they will have to pay a lot of money...
> I do wonder if they could've secured themselves with VPN and "untraceable" anonymous emails (e.g. asking for a guarantee that they won't be sued/charged), although the teenage bragging rights would've been too tempting.
If you read TFA, that is effectively what happened. Even with the guarantee, only one of them revealed themselves.
No point in pulling off a complicated prank without enjoying the notoriety gained from it.
> I wonder if it was possible for the hacker to ask a lawyer to represent them anonymously and make a contract, something like the district promises not to file criminal charges, and if they violate this deal they will have to pay a lot of money...
Criminal charges are generally filed by the prosecutor. They'll generally follow the wishes of the victim, but are not required to (think, e.g., domestic violence cases). There is absolutely zero the school can do to guarantee that you won't be charged if the prosecutor does catch wind of the incident and decides to make an example of you.
This is generally true, but the CFAA is obviously not violated by access which is authorised. In this case, you could simply draw up a pentest agreement and get them to say any such activity would be authorised.
My understanding is that in America, prosecutors are often political appointees without much institutional oversight, as compared to being a reasonably dull civil service department who have to justify prosecutions as being in the public interest.
> the district promises not to file criminal charges, and if they violate this deal they will have to pay a lot of money...
“Your faith in the legal system is appalling.”
https://www.schlockmercenary.com/2009-06-26
I remember back in high school we had this computer lab that was all locked down. Didn't allow opening the CD-ROM drives, only allowed certain educational websites, etc. I put a little remote access app on my share drive as a way to open my own CD drive, mostly just to see if I could do it. The school's computer guy came and found me and was like "hey, a file pinged as malware, what's up with that" and we had a fun discussion about it and I deleted it and we moved on with our lives. I didn't think about it again. Years later, I looked back with horror at how badly that could have gone for me.
Ah, you young whippersnappers with your labs and networks and CDs... my high school just got one Commodore PET, that was "the school computer" in my day.
Fortunately, I got on well with the math teacher who had charge of it, and he'd let me take it home over the weekends. Those were the days...
Apple IIe gang over here. Don't bend my floppy!
Your school didn’t have paperclips?
Can't get 'em through the metal detector. Gotta grind down a toothbrush on concrete these days...
The CFAA exists to make sure that nobody can use computers and the internet to have any power over even tyrannical authorities.
CFAA and the DMCA are some of the worst, most authoritarian laws ever created, and they exist to do nothing other than ensure a system where being rich enough to afford lawyers means you don't have to do anything else.
Use default passwords like an idiot and someone uses their autofill? They're the criminal, not you.
Let people just change the account number in the address bar and switch accounts with zero authorization or authentication? They're the criminal, not you. (Bank of America literally did this.)
Have open access for students to download papers and one of them uses it to download all of them? They're the criminal, not you. (RIP Aaron Swartz)
I support jury nullification for the CFAA and DMCA and so should everyone reading this.
I know somebody - I think they post here, hi! - who ended up in "weekend jail" with a conviction for sharing a school's WiFi password without permission. I also once got reprimanded for writing a blog post not too dissimilar to this one at a less sympathetic school. I also remember the joy of hiding a server in the ceiling of our school so we could play UT2K3 on the library computers before that exploded similarly. Adults are so boring.
Every district is different, heck -- every school within a district can be different in extreme discipline like this. Frankly, the size of his district represented a lot of risk; those often have the policies with the least wiggle-room -- like "Weekend Jail for Sharing a WiFi password" (insane).
At the school my child attends, I am confident he would have ended up with a pat on the back if the circumstances were similar. I can't speak for the district -- I'd be willing to bet that'd be very risky. At the school I had once attended, I'd expect the entire district would behave similarly. I'm sure there were people within the district administration that wanted to throw the book at the kids involved.
Here's the thing for those people: the last thing a school district wants is to become national news for punishing a bunch of kids who the evening news can make out to look like "Geniuses". Since nothing failed in their plan -- that's crazy important -- there would be very few ways to frame the story that makes the administration look like anything but bullies, and many will frame them as "petty bullies". I have a friend I went to High School with who is now a High School principal. He's still "that guy I went to High School with." I have no doubt he would have given the kids an award privately, if not publicly.
It's sad that some public school districts are using discipline approaches you'd expect to see in prisons, rather than a school, and I'm sure in certain places in the country, that might be a necessity. Context matters, too -- were these kids who were constantly pulling pranks like this, had been talked to in the past/impacted things in the past, etc, I'd expect a harsh response: "Yes, we get it, you're smart, stop breaking things already, read the horrors of the 1986 CFAA because that's coming if it happens again." I'm guessing these were otherwise good students.
I agree, that feels wrong to me...
When I was younger (~15) I also did some "fun" (aka stupid) stuff with the school computer network and in the end they got me and I received a "formal warning" (it was in France).
In the end I'm glad for it because that scared me off and I never tried again on stuff that I don't own.
But putting a kid in jail/having a criminal record seems way too excessive to me. Kids are dumb. And by punishing them that hard they won't become a better person. Hell, they won't be able to have a job!
> But putting a kid in jail/having a criminal record seems way too excessive to me.
It absolutely is. Society is clearly harmed by laws like the CFAA.
LEO do like overly broad laws though. There's nothing better to ruin the lives of people that cops don't like.
> Anyone in the field will tell you that this is an absolute disaster of a post because it sends the signal to other young aspiring cybersecurity professionals that this is OK, and the school will laugh it off, and you'll be seen as an adorable Matthew Broderick type Wargames character. I can't overemphasize how far this is from the truth in 2021.
Or maybe it will shame other IT departments into not having a stick up their butt. Especially if there is already a culture of overlooking minor criminal activity in the name of harmless pranks.
There is something obscenely totalitarian about this whole mindset. You're making a very pragmatic point, but take a step back and look at the whole thing.
You're warning a teenager against making a brilliant, harmless, funny and responsible prank so that they won't get their whole life fucked up forever. Think a little about what kind of political system necessitates that kind of ridiculous warning. What sort of nation does this kind of thing to its kids? If we strike the United States from the list, what sort of countries are left?
You guys really need to get your so-called justice system sorted out. Sorry to make such a blunt point, but this is depressing as hell.
When I was in High School in 2003 I discovered you could pretty easily get around the tool that blocked running installers by launching them by entering the full path to the installer in the address bar of Internet Explorer. This was before Windows and IE were decoupled. I installed VNC server on a couple of friends' computers and used it for some light-hearted pranks, but didn't do anything else with it.
One of my friends who I did this to went crazy with it and used it to mess with his teachers' computers. Ended up in huge trouble, cops knocking on his door, and I believe probation. This was the year after I graduated.
On the one hand, I kind of feel responsible for showing him, on the other hand, it's his fault he had to go off and be an idiot with something I just thought was fun.
This post is 100% spot on. While the local school district may treat it as a prank, in the U.S. the federal authorities may not. To see how seriously the government takes this act, look at the penalties section of the relevant U.S. code.
https://www.law.cornell.edu/uscode/text/18/1030
And yet, there is overwhelming demand for what the government calls "cyber security". As a developer it is easy to get good at your craft by practicing and learning, how in the world is a security specialist able to practice without asking for permission or already having a job? A home lab setup? A college degree and formal education? I'm curious how people actually evaluate this career choice.
In my personal experience with working in government related cyber security, the positions are for dudes that type bash commands to run tools that are all developed by 3p companies, which end up hiring people regardless of criminal history.
Capture The Flag challenges. You don't need much more than a terminal.
Yeah, go to them about ransomware gangs or nation state actors and you basically get told "lol we can't do shit". Complain about a kid prank and they'll go apeshit and make a, uhh, federal case of it to make themselves feel needed.
Gross but true. The administration has every incentive and opportunity to spin this into a self-serving story about taking down evil sinister hackers -- and maybe scapegoat a few unrelated problems while they are at it.
I am delighted that these admins had the character to resist the perverse incentives of the system.
> Anyone in the field will tell you that this is an absolute disaster of a post because it sends the signal to other young aspiring cybersecurity professionals that this is OK
Maybe a bit overzealous with the reaction here. OK, sure, the OP could have been even more serious about this but literally the first labeled section is "DISCLAIMER" and says:
> With that said, what we did was very illegal, and other administrations may have pressed charges. We are grateful that the D214 administration was so understanding.
That said, maybe we should lighten up on minors performing harmless/non-destructive pranks.
Not everything warrants felony charges for kids.
Of course -- but we aren't the ones making the rules, and the ones who do make the rules have certain incentives that lead them in dark directions.
> because it sends the signal to other young aspiring cybersecurity professionals that this is OK,
There are multiple disclaimers in the text, almost every other paragraph.
I'd actually wonder if criminal history matters when you have skills like this that are very much in demand.
If this went to court, the charges of malicious intent would likely not stick, so jail time could likely be avoided in lieu of fine/community service.
Competent tech companies will not give a shit about criminal record of this nature.
Expulsion from school is pretty much irrelevant, especially for CS careers. You can get a GED, find any college with CS program that will take your money, spend a year having fun, apply for an internship at a tech company, do a good job to be offered a return, talk to HR to go directly into entry level role, and you are set (have personally seen 2 cases of this happening with an intern).
The most functionally harmful thing would be monetary cost, which is still inconsequential considering the salary this guy would make.
It depends on how regulated the particular industry is. If you're building consumer web apps at a startup, it probably won't matter. If you want to be a government contractor, it's probably a nonstarter.
Most of the industry where the guy will be paid appropriately is going to be private. Cyber security specialists for things like AWS get paid much more than any government contractor.
For anyone who likes to hack legally and ethically, check out https://www.hackerone.com/. If you're very good at hacking devices, software, networks, etc, companies will pay bounties for the vulnerabilities you find thru HackerOne.
Looks like they paid out millions in bounty in 2020:
Worth a try, but I didn't have a good experience with it.
Companies can mark items as duplicates without fixing the underlying bug for an indefinite period of time. So the 3 vulnerabilities I found all got marked as duplicates without any compensation or even acknowledgement of my time writing up the issues. Felt like a complete waste of time.
If you're great, you can probably find novel stuff better than I was able to, but if you're that great you likely already have plenty of employment opportunities.
Malicious hackers could have shown something unspeakably vile on all those screens. If this kid reduced the likelihood of that... he's a hero. Alas, I totally hear you.
yeah, it's pretty messed up that there's such extremely heavy penalties for merely playing a youtube video on a few screens whereas looting and stealing go completely unpunished. what kind of message is that sending to our youth?
> This kid is very very lucky.
No, he is just smart. He did it anonymously. He knows how to cover his a$$.
> it sends the signal to other young aspiring cybersecurity professionals that this is OK
The post literally has a whole section dedicated to explaining that this is not OK, but whatever.
Wow that's terrifying, I'm from the EU and did 1000x worse stuff than that, never suffered any consequence, which is not right, but teenagers going to prison for hacking pranks is really fucked up.
This is ridiculous