This kid is very very lucky. Obviously they violated the CFAA which carries severe criminal penalties. They engaged in actual hacking without any permission or defined scope. And they exploited the system without any responsible disclosure process.
Anyone in the field will tell you that this is an absolute disaster of a post because it sends the signal to other young aspiring cybersecurity professionals that this is OK, and the school will laugh it off, and you'll be seen as an adorable Matthew Broderick type Wargames character. I can't overemphasize how far this is from the truth in 2021.
Absolutely do not access systems you are not allowed to. If you do want to do penetration testing, you need permission from the systems owner and a clearly defined scope. And when you do find issues, you don't exploit them, you responsibly disclose them within a clearly defined framework.
If you want to end up with a criminal record that will profoundly effect the rest of your life, including your career prospects and ability to travel internationally, then by all means, do what this guy did.
I wish it wasn't so. It never used to be. But this is how it is now. Overzealous prosecutors have been given a huge amount of power, and all you need is one embarrassed systems administrator, school board or management team to trigger a disastrous outcome in stories like this.
Part of the issue is people like you who advocate for respecting "the system" and essentially scaring kids into not doing anything. Except that simply re-enforces the draconian laws that are currently in place. If more kids rebelled and this was a regular occurrence it would help to desensitize society to digital pranks instead of always treating these kids like terrorists.
Why do we tolerate pranks? You shouldn't be able to interfere with someone else and say 'just a prank bro'. Leave other people's things alone. Don't create work for other people. Don't bother people just trying to do their jobs. Don't impose your sense of humour on others. These all seem like basics to me?
If you think someone's funny? Great. Just don't bother other people with it. Do it with your own stuff, not other people's.
As the author points out early on in this article, most school districts would not have tolerated a prank like this. In fact this is the only example I know about a prank this big that got the response of toleration the author documented in the article.
> You shouldn't be able to interfere with someone else and say 'just a prank bro'.
The students made a report of what they did and presented it to the administration.
I guess to be generous I could reinterpret your concern to be, "Do students in every school district in the U.S. get to avoid criminal prosecution under the draconian CFAA by constructing a complex hack tailored to avoid interrupting regular school business, then writing up a report and giving a powerpoint presentation to an apparently enlightened and tech-savvy administration to help them strengthen their network defenses?" In that case, point taken.