The whole district shared a T1 connection to the internet. Which was more than plenty for email, but as this world-wide-web thing started gaining traction, it became quite the bottleneck. And as some of us had discovered mp3 files, the slowness simply would not do.
One day there was some severe weather and a power hiccup during school hours, and every station got a message from ADMIN informing us that the server room was running on UPS power and we should save our files and log out immediately.
Hmmmm.
A few weeks later, one of the bright sparks in the technology program realized that having everyone log off would free up some bandwidth. So he logged onto the next machine over as GUEST, and used a NET SEND ALL "SERVER ROOM POWER FAILURE - 11 MIN OF BATTERY REMAIN - SAVE FILES AND LOG OFF" and sure enough, within about a minute, the whole T1 was his. Did what he needed to do (i.e. leeching an entire fserv) for about 8 minutes, then NET SEND ALL "POWER RESTORED - RESUME YOUR WORK".
A few weeks later some hot commodity had just dropped and he repeated the drill. It still worked.
Nobody noticed that these messages came from GUEST, even the district administrator, who eventually called an electrical contractor to figure out why the power in the server room was so flaky. Someone eventually pointed it out to him, which got a very red-faced "that's really clever but please knock it off", and no further punishment. The next day, the Guest account had a lot fewer privileges.
Miss those days and also miss playing soldat on those crappy PCs.
Anyway when he was caught (a fellow classmate ratted him out) he got 10 days out of school suspension. The VP threatened to call the police… for what offense I’m not really sure. There seems to be a fundamental misunderstanding of cybercrime and cybercrime laws. I mean was it really unauthorized access (they called it “hacking” of course) if his user account literally had permission to map network drives?
They removed the ability for student accounts to map network drives, but the district IT guy was not fired. I really don’t get that. Maybe the union saved him… but dog, everyone knows you can map network drives by right clicking on the desktop. I never thought to try it, but that doesn’t mean the district’s IT SME gets a pass.
My expectation is that laws probably specify that gaining access that you know you’re not supposed to be able to get is probably illegal, but I get your point.
Reminds me, however, of the pen-testers that got hired to infiltrate a court system and got harassed by a prosecutor despite having explicit approval to conduct an audit.
https://darknetdiaries.com/episode/59/
Our judicial system is ludicrous.
A few days later the principal calls me in. "Did you tell him to do this?" "I didn't tell him to, we were just talking about how to do it." "... well, he's done it before. Don't do anything like this again. Dismissed." I still can't believe that I got out of it; petty tyrants love to flex their power.
Our computer lab had Novel Netware, I forget which version. Every once in a while, our regular programming classes (Pascal in first two years, C and Assembly Language in third year, Prolog and Theory of Relational Databases in fourth year) would be held in the lab, instead of the classroom, and we would get to put what we learned to use and do some actual programming.
Now, some of us had computers at home and had been using them since before the high school, so we tended to finish our work really fast and then get bored. And just like a lone sharpie cap is the most terrifying thing a parent can stumble upon, so a bored high school kid is the worst thing for your computer security.
Each student had their own account, but teachers shared a limited number of teacher accounts, with special privileges, such as monitoring other students' screens, having full write access to every student's files, etc.
For some reason, I don't remember why, teachers would occasionally go to a student's workstation and log in as a teacher there, to fix the problem. I honestly can't remember why, but it was a common enough problem that it wouldn't raise any brows even if one of us "advanced" kids did it.
So, of course, I eventually came up with the idea of writing a really small and simple program that would look exactly like the Netware login prompt, with one small difference: when you entered the password, it would write it to a file on the filesystem spit out whatever the "incorrect password, try again" reply was, and then execv the actual login program.
The ruse worked perfectly: I called the teacher, they tried to log in, thought they mistyped the password, tried again, succeeded, did whatever it was they were supposed to do, and logged out. Now I had the teacher account password, and so did my best friends in mischief.
We had some innocent fun by pulling a couple of very minor pranks on our fellow students that flew under the radar, so none of the teachers realized that the security was compromised.
But then the annual programming competitions came, and those went all the way from school level, to municipality, to city, to republic, to federal. I was one of the people who qualified to the city-level competition, and what do you know, that year it was hosted in our school's lab.
I finished all the problems with plenty of time to spare, which is how I came up with the "brilliant" idea of helping some of my peers by sharing my solutions with them using the teacher account. Now, one thing they neglected to teach us was the importance of testing, but I'll be honest, even if they did that, I was a typical teenage "gifted kid", which meant I was overconfident and lazy. As a result, everyone who I shared my solutions with happened to have the exact same bugs in them.
A few days later, they called me to the teachers' room in the computer lab, and said that they knew I cheated, that I was already disqualified, and that I should save myself some trouble and explain what I did. So naturally, I came clean and I thought that was the end of it.
Indeed, it was the end of it for me. Nothing else happened, at least nothing of consequence for me. Years later, I found out that I almost got expelled. They held a teacher assembly or conference or whatever it's called when you get all of them together to make a decision, and the decision was whether to kick me out of the school. Fortunately, they decided to let me off with a warning and the official reprimand from the headmaster.
My mom didn't think that was funny at all.
You mention Netware, but as I recall the Netware function you describe was just "SEND" and "NET SEND" was a Microsoft networking thing. (But maybe there was some integration between the two after my experience with Netware, who knows.)
I mainly wanted to say, as someone who used/abused a Netware network in high school, I disassembled the SEND program and discovered that the username included in the message is not authenticated at all -- the IPX (or NETX, I forget which) software interrupt just took a string, and the SEND executable formatted the username into this string. So by crafting your own SEND program that used the software interrupt directly, you could easily forge any username you wanted. So you could very easily send a message from "ADMIN". :)
This should not be construed as a confession of any network shenanigans that may or may not have occurred at my high school. ;) :D :)
I’m legit trying to figure out who your calling the petty tyrant flexing their power: - The principal which let off with a warning - The other kid, popping circuit breakers - Or you, ‘corrupting’ other young minds :)
That admin became my mentor and is now a lifelong friend.
I got called into the police station, where a cop asked me, verbatim: "Son, did you copywrite them there CDs?"
Thanks for making such a fun game!
I'll check it out
It may not pass as hacking, but it certainly was unauthorized. Network policy in software should reflect reality, but the source of authority comes from humans. Your friend literally was not authorized to access teachers' files, regardless of poor software configuration permitting the capability.
The moral of the story, if there is one, is probably a cautionary tale about petty individuals prioritizing workplace politics over ethical integrity.
In my school, some jackass kid made a photocopy of a $20 bill, on a little mid-1990s HP Officejet in the library. Even in those days, they were programmed to make bad copies of US currency (I think they were enlarged and the color messed up). It was more of an innocent “woah look at this thing”, there was no intent or effort to glue it together and try to use it.
The assistant principal, who was a petty drunk who was uniquely unsuited for her job, flipped out and called the secret service. The kid was arrested & had a lot of issues over nothing.
It always stuck in my mind and accelerated the development of my contempt for petty tyrants who experience joy from the pain of others.
[0] >>28846895
There is a social expectation that people can generally only enter your home with explicit permission, and so if they didn't invite you it's trespassing even if the door is unlocked. But maybe you have some close friends who you get used to coming over and just entering even if you may be out at the moment -- and then it's not trespassing anymore.
Remote computer access is a much younger phenomenon than people living in houses, and so social expectations aren't as established. There's a legitimate need for discussion there.
For example, if you have an open webserver that you want people to access, is it trespassing if people fiddle a little with the URLs and encounter documents that you didn't mean to put out there? I'd argue it would make for a healthier and more tech-savvy society if we didn't consider that trespassing.
If we try to push the houses analogy further, it's a bit like inviting people into your house for a big party, and then somebody enters a room that you didn't want them to enter. It's a faux-pas, but you'd probably also have a hard time if you tried to label it trespassing.
As I said there, back in the day I wrote a C++ program that was basically an IM interface on top of NET SEND. Fun times.
The closest thing we had to a computer class was graphic design where you played with Photoshop and Premier for a year. God forbid we learned to write code or whatever.
The site displays random, ancient videos uploaded from the early iPhone YouTube app, often without people understanding what they were doing.
I tend to err on the side of caution: I don't expect most people to be tech savvy, and I think those of us who are must exercise restraint to avoid trespassing.
Made the mistake of telling a couple friends what happened. Said friends thought it would be hilarious to send swear words to the entire school (I was not there).
They played dumb saying they didn’t know what would happen and got off with one day each, I got suspended for three days.
I wouldn’t have minded so much except the next day was an inter-school chess tournament. Thankfully the sympathetic chess coach told me to wait behind the school the next morning and picked me up in the school bus.
Or... Maybe I was just 10 and hadn't really learned that lesson yet. ;-)
Don't steal. Don't share embarrassing or humiliating information you may come across.
At the same time, there should be safety from prosecution overreach.
I ask for this mostly not for my current self but for "kids" (including young adults, e.g. college students) who are on a hacker journey in the original sense of the word. As a society, we should encourage rather than stifle that sort of exploration.
It's entirely possible that it wasn't part of Netware, I don't remember the hard details as it was a very long time ago. However, it worked in DOS text-mode (we rarely ran Windows), and my impression was that Microsoft didn't do much network-aware stuff until well into Windows. So that's why I thought of it as a Novell thing rather than a Microsoft thing.
> the username included in the message is not authenticated at all
Oh.... oh dear.
Something about having healthy self esteem in childhood causes you to avoid education administration career paths.
Despite being phone support (think "cattle") I didn't get fired or indeed anything at all past a half-shocked, half-laughing "never ever do that again" sort of chat, and even that not from any of the floor mommies or daddies who were careful not to have to notice any of this, but just my line manager who might have been all of five years older than I was then. I assume this was slightly because I was extremely good at the job, and mainly for the sake of whoever in IT's job it was to make sure nobody could officially do what I, somehow, in the end turned out only unofficially to have done.