zlacker

The fact that the administration didn't choose to sue them to oblivion is refreshing. I hope we'll see a trend in the future of educator being smart enough to admit that they made a mistake and to encourage the students to develop their talent.

One can only hope.

>>belval+(OP)
Too right! Get this kid a job, not punishment.

>>belval+(OP)
I'm glad to see a kid using bash and not something like gulp PowerShell

>>bluedi+r
Not to diminish your comment, but a thing I've found late my career is to abandon dogma when it comes to young folks learning. If they can learn with PowerShell, they're a lot better off than a lot of young folks! There is no one-true-way and as soon as you find it, another generation will show up with another-true-way :)

>>belval+(OP)
Being a minor probably helps. There are so many laws today. It's too risky to do this. It's not like it was 25 years ago.

>>_wldu+91
I was suspended for a week for creating a network share in my typing class and dividing the work among my friends and we copied and pasted into a single document on the share. This was on Windows NT though so a LONG time ago. It's also I guess "cheating". But they got us on "computer hacking"

>>flatir+C1
I used CACLS with an Office hack in NT / 9X to copy homework. Never got caught for that.

They got me on propagating computer games through the network using shared drives the teachers were supposed to use for homework.

We had BNC network cables in those days and the entire building shared a single T1 line for several hundred computers.

The world has changed.

>>belval+(OP)
Probably helps that "We prepared complete documentation of everything we did, including recommendations to remediate the vulnerabilities we discovered. We went a comprehensive 26-page penetration test report to the D214 tech team and worked with them to help secure their network."

>>_wldu+91
Yea , kids would get expelled in the old days for putting a screensaver password

>>bluedi+r
Credit where credit is due, we all WISH *nix had something like PowerShell. Passing strings from program to program is a pain, passing around .NET objects instead is a great step forward, as can be seen by the several attempts at similar shells passing around JSON objects.

>>nielsb+i2
That hasn't helped in the past. Frankly I think they were naive to reveal themselves no matter what the authorities said. It hasn't gone nearly as well for other people.

>>blackt+u2
PowerShell has been available on Linux via .NET Core since 2016 and version 6.0. Even my Windows box with PowerShell 5.1 likes to remind me of this fact every time I start it:

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.
    
    Try the new cross-platform PowerShell https://aka.ms/pscore6

>>_wldu+91
It can get pretty messy. For example, they could wait until they're 21 to try them as an adult, even if it was committed at 17 or younger [0 p. 128]:

> a person who committed the offense before his eighteenth birthday, but is over twenty-one on the date formal charges are filed, may be prosecuted as an adult.... This is true even where the government could have charged the juvenile prior to his twenty-first birthday, but did not.

However, the statute of limitations for CFAA violations is 2 years [1 p. 2] so this might not apply. If somehow they can still go after him at 21, this post could play a part in evidence for performing the hack (I truly hope not).

0: https://www.justice.gov/sites/default/files/criminal-ccips/l...

1: https://www.goodwinlaw.com/-/media/files/publications/10_01-...

>>bluedi+r
You're glad to see them using the ancient clusterfuck that is Bash, and not a modern relatively sane shell that is indisputably the most seminal shell in the last 30 years?

>>flatir+C1
Same thing here. Teacher came into class with his multiple month investigation comparing all students work highlighting common errors. Found three different groups that were sharing work load. In school suspension for all of us, only like three kids left in class for the week.

>>jdmich+x3
On that note, i'm saddened Windows 11 doesn't ship with Powershell 7. Are there that many breaking changes in the switch from 5 -> 6 or 5 -> 7?

>>flatir+C1
Also in my typing class circa 2004 the teacher was about to kick me out because he thought I was on a chat room during his class. I was actually viewing page source on an HTML document

>>IshKeb+N3
Seminal.

>>bluedi+r
Powershell is actually good though.

>>judge2+C3
The newest policy is to charge minors as adults unless there's a compelling and beneficial reason not to. I think that was a DOJ change around 2009. Not sure how many states followed suit. But in general, its increasingly likely that minors are being charged as adults.

>>IshKeb+j3
The students were extremely lucky.

The advice given to me in high school (I was working on tech projects after school for several teachers and groups) was to not even try or explore poking around the IT networks it no matter how good my intentions were. All it takes is one grumpy school administrator to feel undermined or to misunderstand your report and you could be expelled.

When you're in a position like a student, you're still working your way up and building credibility. No need to risk it all for an IT group that doesn't want your security advice and didn't ask for your help.

>>IshKeb+j3
He addresses this pretty well in the post imo. His co-conspiritors remained unnamed while he alone revealed himself because he wanted to publish this post and it's highly likely he would've been blamed anyway.

>>_wldu+91
25 years ago wasn’t any better… I recall several in my circle getting suspended for harmless things. The lesson: don’t explore, don’t be curious, and don’t try to fix anything related to the school and computers. Sigh.

>>IshKeb+j3
The poster/hacker actually addresses this -- he doesn't reveal himself until after graduation, keeps his fellow hackers secret still, and mentions that he was most likely the prime suspect in the district anyway. Seems like a fair tradeoff if he wanted to make this blog post, though school districts could be nasty and litigious, I guess.

>>arenan+q4
You were hacking a website

>>treesk+U4
It's always fascinating how dramatically different schools can be. When I was in high school, in the late 1990s, nobody would have cared so much about something along these lines. At worst it would have resulted in a three day suspension from school and lecture from the principle.

>>treesk+U4
Seconded, the same advice has also been given to me back in India.

"Know where your boundaries are and who your stakeholders are, don't do anything that will make your stakeholders look bad." It's a life advice given to me by my high school teacher that served me well in my professional life.

>>mrexro+Z5
Consent is paramount when doing that type of exploration. Without explicit permission, how would an IT administrator distinguish the difference between a curious student and a malicious attacker?

>>treesk+U4
Yep - I, like many of my friends and people who are naturally curious and work today in "Cybersecurity" had fun, poked around - but once you found little data troves - it reveals how inept alot of people can be.

And you just volunteer to be thrown under the bus as that "hacker."

Anonymous, maybe. As a student, under 18 - you're "immune" from many things - but it can be a stain.

>>belval+(OP)
Yep. What they did was wrong. And by doing so they threw themselves at the mercy of the entity they hacked. The refreshing part is that the entity did the morally right thing and showed mercy.

>>IshKeb+N3
Well at least it's a racing horse and not a turtle.

>>Pradee+p7
Well, I imagine that would require using a brain, which may an onerous requirement.

>>dont__+06
Pretty sure there's nothing stopping the school district from retroactively recinding his graduation, or refusing to send transcripts to universities, or informing those universities of his transgressions, which would probably result in revoked admission.

>>dont__+06
It's still a terrible idea to admit to committing a crime under your real name before the statute of limitations has run out

>>treesk+U4
It doesn't stop at the student level. Find something at the corp level with an arrogant IT dept, and you'll find yourself in uncomforatable situations as well.

>>Pradee+p7
You're not wrong, but I think it might be helpful to think of this in different terms. Teenagers, with burgeoning agency, are being denied the ability to meaningfully impact their environment yet are bound to it for most of their lives.

I agree with you that explicit permission is important, but it is also something that young people are frequently and explicitly denied. I don't think the solution is condoning that sort of 'extracurricular', but I think we should recognize the problem is probably starting with the adults in the situation.

>>blackt+u2
> Passing strings from program to program is a pain

The internet has been pretty successful and many popular protocols (http, smtp, etc) are exactly "passing strings from program to program"

>>mrexro+Z5
People on HN always act like what they were doing was almost noble. You weren't. If you had been picking locks or even rummaging around unlocked desk drawers you'd get the same treatment and deserve it.

>>throwa+Y9
Which is why all browsers render the same thing exactly the same way and there's no need at all to test more than one. Yep.

>>duped+o9
Is there even a statute of limitations for this kind of thing? Seems way better to just never admit to it at all.

>>treesk+U4
He had already graduated, so expulsion wasn't an option.

>>blackt+u2
> Credit where credit is due, we all WISH nix had something like PowerShell.

Who is "we". I've worked exclusively on a windows stack so used powershell on the job. But at home, I use bash. I don't want something like powershell in nix and don't use powershell on nix even though it's been available on nix for many years now.

> Passing strings from program to program is a pain

You can argue it's the basis of computer science and also pretty efficient.

> passing around .NET objects instead is a great step forward, as can be seen by the several attempts at similar shells passing around JSON objects.

Passing around objects can be slow, inefficient, wasteful, etc though it can be convenient.

If you are on a windows stack then go with powershell. If not, then go with bash. Nobody should be on a windows stack but sadly, much of the business world has been captured by microsoft.

>>colinm+Fc
Expulsion is one of the friendlier outcomes. Federal prosecution and prison time are also very realistic options here. It's happened to other well-meaning kids on many occasions.

>>IshKeb+N3
Nah, i actually used powershell before bash because i did a lot of android hacking stuff before learning to code. I worked with Powershell 3, powershell 4 and powershell 5. Powershell 3 was the most painfull thing to work with. No state accross session, the default were shit so i had to reconfigure more often than not. Slow, painfull, buggy... Around the same ime i learned how to bash pretty well in two days, use rsync, use ssh, use sed and awk... Powershell 3 was shit compared to this.

Then i used powershell4, i guess it was better but honestly i don't think i've used it very much. Powershell5 might be better than bash for 90% of the dev population though.

>>genera+rc
The CFAA has a statute of limitations of 2 years.

>>Pradee+p7
You would think so, only this is a bit opaque when dealing with a local school and a district bureaucracy with various computer labs, internet and phone systems. As a student, you may think that the right person to ask is the local teacher who has control of the asset. Especially if that teacher has been assigned IT duties.

But to many school administrators consent of teachers is meaningless. Those assets aren't owned by the teachers but by the district, even if they are the apparent authority figures and stewards in the eyes of the students.

>>nielsb+i2
In many cases, a 26-page report documenting the incompetency of a team would not be taken kindly.

>>AnIdio+xa
The presentation layer has nothing to do with he protocol layer...

If you pump some serialised binary into a browser it will still render wrong.

>>blackt+u2
There have been REPLs like PowerShell for ages, it's nothing really new. The only nuance in this is that it is new in the Windows ecosystem to have something like that supported by Microsoft. Ironically, it hasn't managed to displace the command prompt or batch files, so instead of having to deal with one thing, you now have to deal with two things.

As for the passing of strings: it might seem like a pain, but as soon as you start working with non-program I/O it's not like you'll have much of a choice. Keep in mind that it is the lowest form of communication and you can build on top of that. Same with I/O in general: nothing prevents you from using shared memory or a device instead.

>>belval+(OP)
I'm sure it helps a lot that they're in a high tax base area, and the quality of the educators hired probably reflects that.

https://statisticalatlas.com/school-district/Illinois/Townsh...

>>Waterl+P7
> What they did was wrong.

It was certainly against the rules. I'm not so sure it was wrong.

>>blackt+u2
Parsing strings in Powershell is super complicated compared to regular Unix tools

>>munifi+Mn
I find it annoying that people immediately assume incompetence and not inadequate staffing or conflicting priorities. I worked at a school district for a few years and we were woefully understaffed for what we had to cover. In situations like that you do what you have to so teachers can teach, move on to the next emergency, and hope like hell some self-important little shit doesn't burn everything to the ground.

>>Angost+dw
If I broke into your home tonight to play a prank on you and then handed you a white paper about how to better secure it, how would you feel?

>>Waterl+NH
Breaking and entering vs. playing a harmless video at the end of the day in school.

False equivalence.

>>throwa+Y9
And behind the scenes of internet-based services there's a whole ecosystem of "how can we do shit more robustly than just passing strings around" (or even for "better than XML or JSON").

>>belval+(OP)
"sue" suggests civil action and a decision by the wronged party.

They're lucky a prosecutor didn't prosecute them for criminal activity. The school would not have any say about whether or not this happens.

>>Natura+oJ
Unlawful access to a computer network is often a far more serious crime with stiffer penalties.

So perhaps you’re right that it is a false equivalence.

>>jdmich+x3
yep, always good to get ads on your shell when you start it.

it's like those awesome ubuntu login motd's, I look forward to them every time I log in, just in case the ad changes.

er ...

>>Waterl+6W
Now you’re reverting to the “it’s against the rules” stance again.

>>sneak+AQ
>The school would not have any say about whether or not this happens.

Schools are members of the local government "club". Prosecutors don't generally burn political capital giving the bird to other members of the club like that without a good reason.

>>onepla+Ro
> Ironically, it hasn't managed to displace the command prompt or batch files

It don't think they expect that people would rewrite their old scripts. That is actually silly to consider. Even with console vs terminal, they are concerned of backward compatibility and leaving it as is:

> Windows Console will continue to ship within Windows for decades to come in order to ensure backward compatibility with the many millions of existing/legacy command-line scripts, apps, and tools

https://devblogs.microsoft.com/commandline/windows-terminal-...

>>jve+y52
They could just have an alternative interpreter mode to support batch files, or even have a cmdlet that does just that. If people like to point and click, associate that with a cmdlet (they can do that, right?) and there you go.

>>Waterl+NH
except in the case of my home all my doors were unlocked. I would definitely appreciate a paper about how to secure my home, especially if the intruder took great care not to cause any damage or disturbance.

>>colinm+Fc
He had already graduated when he wrote his blog post and told them, he was still a student when he performed the hacking.

I realize this is conjecture but I'm giving an example. Speaking from experience receiving "security reports" from users and students, often times they fail to understand the full picture of IT. As a student with no buy-in from the stakeholders, the risk isn't worth it.

For example, let's say this IoT network was managed by a vendor who, while having sloppy configuration practices, also had network monitoring looking for APT/anomalies (such as new connections in off-hours or unusual connection rates or bandwidth usage.)

While the student thinks they're being sneaky and hacking the system at night, opening ssh connections to a hundred devices from his laptop, there are now reports and alarms going off on a monitoring system. Some basic timestamps and VPN access logs would be enough to point to the student. So this student thinks they're creating an anonymous harmless prank, but the IT department is already investigating a malicious actor on their network. How do you think this would end?