Anyway when he was caught (a fellow classmate ratted him out) he got 10 days out-of-school suspension. The VP threatened to call the police… for what offense I’m not really sure. There seems to be a fundamental misunderstanding of cybercrime and cybercrime laws. I mean was it really unauthorized access (they called it “hacking” of course) if his user account literally had permission to map network drives?
They removed the ability for student accounts to map network drives, but the district IT guy was not fired. I really don’t get that. Maybe the union saved him… but dog, everyone knows you can map network drives by right-clicking on the desktop. I never thought to try it, but that doesn’t mean the district’s IT SME gets a pass.
My expectation is that laws probably specify that gaining access that you know you’re not supposed to be able to get is probably illegal, but I get your point.
Reminds me, however, of the pen-testers that got hired to infiltrate a court system and got harassed by a prosecutor despite having explicit approval to conduct an audit.
https://darknetdiaries.com/episode/59/
Our judicial system is ludicrous.
That admin became my mentor and is now a lifelong friend.
I got called into the police station, where a cop asked me, verbatim: "Son, did you copywrite them there CDs?"
It may not pass as hacking, but it certainly was unauthorized. Network policy in software should reflect reality, but the source of authority comes from humans. Your friend literally was not authorized to access teachers' files, regardless of poor software configuration permitting the capability.
The moral of the story, if there is one, is probably a cautionary tale about petty individuals prioritizing workplace politics over ethical integrity.
In my school, some jackass kid made a photocopy of a $20 bill, on a little mid-1990s HP Officejet in the library. Even in those days, they were programmed to make bad copies of US currency (I think they were enlarged and the color messed up). It was more of an innocent “woah look at this thing”, there was no intent or effort to glue it together and try to use it.
The assistant principal, who was a petty drunk who was uniquely unsuited for her job, flipped out and called the Secret Service. The kid was arrested & had a lot of issues over nothing.
It always stuck in my mind and accelerated the development of my contempt for petty tyrants who experience joy from the pain of others.
There is a social expectation that people can generally only enter your home with explicit permission, and so if they didn't invite you it's trespassing even if the door is unlocked. But maybe you have some close friends who you get used to coming over and just entering even if you may be out at the moment -- and then it's not trespassing anymore.
Remote computer access is a much younger phenomenon than people living in houses, and so social expectations aren't as established. There's a legitimate need for discussion there.
For example, if you have an open webserver that you want people to access, is it trespassing if people fiddle a little with the URLs and encounter documents that you didn't mean to put out there? I'd argue it would make for a healthier and more tech-savvy society if we didn't consider that trespassing.
If we try to push the houses analogy further, it's a bit like inviting people into your house for a big party, and then somebody enters a room that you didn't want them to enter. It's a faux-pas, but you'd probably also have a hard time if you tried to label it trespassing.
The closest thing we had to a computer class was graphic design where you played with Photoshop and Premiere for a year. God forbid we learned to write code or whatever.
The site displays random, ancient videos uploaded from the early iPhone YouTube app, often without people understanding what they were doing.
I tend to err on the side of caution: I don't expect most people to be tech savvy, and I think those of us who are must exercise restraint to avoid trespassing.
Don't steal. Don't share embarrassing or humiliating information you may come across.
At the same time, there should be safety from prosecution overreach.
I ask for this mostly not for my current self but for "kids" (including young adults, e.g. college students) who are on a hacker journey in the original sense of the word. As a society, we should encourage rather than stifle that sort of exploration.
Something about having healthy self-esteem in childhood causes you to avoid education administration career paths.