Comment by earksiinni

4 years ago

Serious question. What, if any, instruction do kids these days receive regarding what's allowed on computer systems?

I remember in high school poking around a network drive until I found an executable with the name "SEND" in the name. I had a sense that it would send some kind of message somewhere, but I honestly didn't know where or to how many people. I was quite surprised when all the screens in our computer lab froze and, five seconds later, my message appeared on all of them. (I later learned that my message appeared on every desktop screen in the school!)

I'm not sure exactly how they found me out, but I was called into the IT admin's office a couple of days later. She was furious with me. I told her the truth. I didn't know what exactly would happen when I ran that command, but she didn't buy it. Fortunately, nothing ended up happening after that.

I've wondered to this day what exactly they could have done to me if they decided to press whatever legal authority they might have had to its fullest extent. I was never told "don't go to Z:\" or "don't run any program other than those on this list." Even after I was found out, I wasn't ever explicitly told that my actions constituted unauthorized access.

It was a different, perhaps more innocent (or ignorant) time back then. How much have things changed now?

I graduated high school in 2015. I remember similarly poking around a network drive until I found a file in plaintext which contained everyone's student ID and whether or not they had a nut allergy (protected by HIPAA), for the bus system.

I didn't think much of it, but some other students caught wind. Before I knew it, the superintendent threatened to have the police involved and press legal action for "hacking confidential student data."

It's CYA all the way, usually at the expense of the person in the chain least equipped to cover their ass (the student).

  • Similar story: the dean of my "high school" [1] asked me to create our school website. Another student apparently poked around on a network drive and found an SQL dump of all the students' network username/passwords. I brought this file to the dean, told them it was available on a shared drive (so they could remove it), and asked if they'd like me to use it -- since I already had it -- to enable all the students to log in to the school website with their existing network usernames/passwords. They said that was a great idea and gave me the OK.

    A week later, police escorted me from my dorm and both I and the other student were eventually expelled and threatened with harsh legal action, which never came.

    [1] The "high school" was an early-entrance-to-college program where we started college at 16, lived on campus, took the normal freshman/sophomore college courses, and eventually received a high school diploma and an Associate of Science when we graduated at 18. The website was for the school I attended, but the SQL dump included all of the university students as well. The school has since shut down.

  • > whether or not they had a nut allergy (protected by HIPAA)

    Personal pet peeve:

    Your high school is not a covered entity and is not acting as a business associate of a covered entity. HIPAA does not apply. They are free to keep a plaintext file with your name, nut allergies, COVID vaccination status, and anything else they want to put in there - without HIPAA entering into the discussion.

    FERPA could apply, but I don't know much about that.

    • Nut allergy info that was collected by the school (teacher, admin, nurse, whoever) is part of the student records and would be protected information under FERPA.

  • Wow. That's terrifying. And you didn't even run anything!

    I'm guessing that they never told you "don't browse this network drive"?

    • Never press F12 while browsing. Instant hacker.

      Seriously, I found a state website that appeared to be exposing NPI about certain people in an API response. So much NPI nicely formatted in a JSON response. I closed the page and never touched it again. You know the state will declare me a dangerous and sophisticated hacker because I pressed F12 to open the developer tools, that's much easier than admitting they made a mistake.

I can't answer your question, but I strongly suspect the backstory on your furious IT admin went something like this:

  * SEND happened
  * Minor kerfuffle ensued among various functionaries
  * Big Boss worried that something Big was going on
  * IT admin was questioned and had no answers
  * Simmer for a few days, Big Boss repeating questions and IT admin being flummoxed
  * Eventually adequate logs are found and correlated that place you as the likely responsible party
  * IT admin is lathered up about a big nothing because Big Boss keeps asking and their competence is in question
  * IT admin unleashes the pent-up frustration of a few days of stupidity and job security uncertainty on you, and is not satisfied that all this drama was initiated by boredom and not malice
  * IT admin reports to Big Boss, who basically brushes it off because they have moved on to other things -- and at the end of the day knows they run an organization filled with kids, some of whom are more curious than others
  * Issue disappears

Kids have been jumping fences for millennia.

That said, I did know a kid that had charges pressed against him when I was in school so things weren’t necessarily innocent back then either. He was admittedly an idiot and borderline malicious though.

Good old "net send." Out of all the things, that was the one I got chewed out about too.

Wasn't a regular MS user, but we were in a computer training lab at a company for "computer day" field trip. Was bored during instructions, so naturally I logged in, found "net send", and sent a few crank messages to classmates using * as destination. Everyone, including the instructor, got a good laugh.

Approached later in day by corporate IT. Apparently the lab had poor routing rules, no firewalls, and sat on the main Corp network. My messages were received on 25,000 terminals.

Thankfully, they recognized this as (a) harmless, and (b) their own lax failure. No adverse outcome.