My FBI file was for hacking into my school district's AS/400 that handled my school's attendance and grading system. Somehow using a public IP address with no access restrictions allowed a clear telnet path in from home. Compounding username and passwords that were all the same for every employee. I didn't change a thing, just LOLed and told someone. Bad mistake.
This was the late 90s.
Oh well, 2 week suspension and kicked off the computers for less than a year. A nice conference with FBI, police, my parents, IT and school administration. Fun times.
I learned my lesson to not talk about such things because their egos were too fragile.
When they decided to give students in their website design class ftp accounts on the district wide web/email server running an ancient version of Debian, they didn't disable the shell, just added a login script to a menu for pine, etc. for people who telnetted in, which I'm sure the sysadmin was proud of. However, a few fast CTRL-C's broke out of his script menu loop and got me a shell, and they didn't shadow protect their password files. Ran it through john the ripper and had half the district's e-mail passwords in a default dictionary file including the root pw in a few minutes. LOLed and never told anyone about that.
I had sysadmin rights on my school’s Windows servers after some very simple social engineering (for a 10 year old). The real irony was that I was called to the principal’s office on multiple occasions because I seemed to be able to fix things on the network that the local “admin” (e.g. music teacher) couldn’t.
Fun times indeed.
It completely ruined my respect for authority figures. Which in retrospect has been the most valuable outcome from being the local “that kid from Wargames”.
I was in high school from 2007 to 2011. Half of it in rural Alabama, the other half in the Bay.
Even being in the tech capital of the world, the school administration's views on technology and information access were so backwards. Our school basically didn't allow accessing any websites that weren't on some allowlist. Teachers had accounts to bypass the content filter.
We had a game design class that happened after school. Usually that period was reserved for making up classes you failed, but ROP courses that didn't align with the district's curriculum goals were taught as well.
Needless to say, pretty much every resource we needed was blocked. So the teacher would give out his content filter bypass credentials, because the school wouldn't entertain any exceptions to students not being allowed to have them even though they knew there were classes on campus that would have tremendous difficulty. A couple of times a student would leak the credentials to others on campus and it'd take all of 5 minutes to get to everyone on campus via social media.
They'd always treat everyone who knew the bypass accounts as "guilty unless proven otherwise". I ended up in detention a few times for even knowing it. Parents complained to the school a bunch, school just always blanket said "bypassing the content filter as a student is against policy for any reason. No exceptions."
Makes me think back to 1st grade in 1999 when I was first given internet access and being told not to use Google because "it wasn't safe". Couldn't have been that bad because it took another half decade for me to inadvertently end up on the "adult" part of the internet.
Similar time period, I used portable Firefox and then Chrome on a thumb drive to bypass our content filter. I actually find this surprising in retrospect, but I'd guess they were using Content Advisor on Internet Explorer[1]. I carefully guarded my secret.
If I were smarter, I probably would have learned about proxy servers. I was tantalizingly close as is. I had set up port forwarding on our home router and a dyndns account to access my (Linux) desktop via ssh. I'm almost surprised it took me another few years to bump into SOCKS proxies. I already had 99% of the setup, just not the final step. Oh well I guess.
Our school was Windows land as well. They blocked execution of certain programs by some policy in Windows explorer in Windows XP (they had never adopted Vista, and 7 was still "too new"). Funny thing was, if you knew the path to them, you could just point Firefox or Chrome at a file:// URI and run it out of your downloads directory. Oops.
There was also that time I got detention for riding my bike in the school parking lot. Which was dumb, because I always showed up 30+ minutes before any cars did because I made a deal with the sculpting teacher that I wouldn't have to do sculpting if I showed up early to class and learned about the chemistry of clay glazes along with helping him mix them for class, which was honestly far more interesting to me.
Our AP Chemistry teacher was a nuclear engineering postdoc from MIT who spent her entire career helping clean up after US military nuclear accidents.
High school was a weird time. It just boggles my mind still to this day to have a school staffed by some wonderfully brilliant teachers and have an administration that seemed to live in fear of a student body who dared learn something or learn from someone they didn't approve of.
> They blocked execution of certain programs by some policy in Windows explorer in Windows XP. Funny thing was, if you knew the path to them, you could just point Firefox or Chrome at a file:// URI and run it out of your downloads directory. Oops.
Microsoft security baffles me. You could run Windows Update in the browser (and also antiviruses using ActiveX). Who would think of making it possible to alter the OS… from the browser?
I think those restrictions were really for ATMs and kiosks, but school administrators see them and decide to turn them on. If the user is able to open more than one application there is no hope in locking down functionality. Windows Help Viewer lets you open a web browser for example.
My school disabled right click in Windows Explorer, I'm still not sure why.
I set up a proxy server for myself to use at school and showed a few friends, and then suddenly everyone at my 2000 person high school knew who I was. Incredibly I didn't get in trouble for it, my principal thought it was clever. Simpler days.
No need for Firefox/chrome to "download" software, you could get a java-based file manager; this allowed browsing the filesystem and running software on the public library computers, which were far more locked down than any school computer I've ever seen (they had software to enforce 15/60 minute session limits, session reservations, etc, and group policies that disabled external storage, explorer, and the start menu; most browser functions were disabled).
If you've got a Citrix-based application available, there's usually some way to trick your way into that system; in my case it was by going to file->open in the weird processor, and right-clicking it to open it in (the remote session) explorer, which had my local media mounted (flash drive), and allowed access to the remote browser. If you can get a cmd prompt, you can also sometimes get around restrictions with that, possibly by using it to open task manager. In college, these weren't locked down so much as intended to be single-purpose (for running Photoshop, etc from home), and I used similar tricks to gain access to a command prompt so I could register fonts for my projects using FontLoader[1].
Of course, despite every PC being on a domain, there was still the local administrator account, which was easily obtained by leaving an unused computer running ophcrack overnight. Eventually I found out that the roaming network administrator account password was simply ford, as the admin left a local account on a computer that wasn't networked; this pretty much lasted me through high school. For bypassing the firewalls? That was simple; I got a free shell account, and later my own server, an early openvz vps.
Once I got my own server, I spent long amounts of time trying to increase the amount of RAM available to me (since it was fair-share CPU on a decent server, building and similar jobs ran far faster than my current digital ocean VPS). At this point, I found out about sshfs on my own computer, and spent ages trying to find a decently cheap Xen VPS so I could use kernel modules for sshfs and swap. Eventually, I gave up. One period of my last semester I was a TA, rarely with any work to do, so I spent most of my time on IRC and setting the wallpaper to be Cyanide & Happiness comics.
> Even being in the tech capital of the world, the school administration's views on technology and information access were so backwards. Our school basically didn't allow accessing any websites that weren't on some allowlist.
That sounds very big tech to me, exactly the model towards which Facebook et al. are moving.
Had a similar problem with feeling betrayed by authority figures when I was called in to be questioned about a hacking incident while in middle school just because I was good at VB in programming class. Can really ruin a kid's confidence for years to come in case anyone in such position is reading this now.
I can point to several false accusations I suffered as an elementary school student that made me deeply skeptical and wary of authority.
"Even if I color in the lines, or intentionally dabble in creative thinking, some adult might yell at me... Hm. I don't need their permissions. They obviously don't see how great I am so they are a dumb nuisance."
Same thing happened to my friend in high school, there was someone causing some mischief with some of the school computers, and just because he was into BBSs and computers, he was a big suspect, but he was a good talker and was able to avoid any punishment.
He was a good friend because he kept silent about the fact that I was the one doing it ;)
Public network shares, cain&abel, learning about NTLM downgrading and well, these were the days when Wifi was "new" and wireless B and G was considered wow, 54mbps.
Back then, everything really felt like magic.
Old netsend trick, pre windows xp SP2.
There were enough stories at this time online that I knew it was best to say nothing. Did nothing bad, just explored, learned quite a few things and well was surprised how really easy it was to do things.
Nowadays, I feel kids won't/don't get that chance to explore - which is sad. Internet is curated through apps and "engagement" user experience and cloud services/SAAS.
Maybe they can spot a lifetime link to a google sheets master password document. ;)
When I was 11 I social engineered the son of the computing teacher to get all the admin passwords. Then I fucked around with a whole bunch of stuff and showed a friend. When they figured out it'd been hacked they weren't sure who did it, but my buddy broke down very quickly and let them know lol.
I was banned from the computer lab for the whole of my secondary school years. It didn't matter though, because when I was 12 (~1989) the headmaster dropped computing from the school curriculum as "computers are a passing fad". They just used the computers for typing up essays after that.
It's hard not to be critical of this headmaster, but I do have to question both the intelligence and the wisdom of someone who, in 1989, could not clearly see computers had no chance of becoming a "passing fad".
Picking up a copy of The Wall Street Journal at any point in the previous ten years could have clearly indicated that... and any school at which there's a "headmaster"... I would expect the WSJ is not a foreign entity to them.
The fact the parents allowed it to go through, in hindsight, is absurd. The computing teacher did try to teach us outside of school hours some times, but I failed the Computing GCSE (F grade), which is hilarious as at the exact same time I was being offered a job at Argonaut Games after Jez San tried out my 3D engine.
There's the educational, constructive "Hey lokimedes I hear you're pretty good with this computer stuff want to come and help me while I solve a problem?", then there's the not so educational and not so constructive "Hey lokimedes, I hear you're pretty good at this, want to solve this problem for us?".
The "admin" person calling you for the former? Pretty cool. The principal calling you to their office for the latter? It really does say weird things about authority figures to a kid who's paying attention, especially when mixed with the cluelessness about security.
It's not just the words though, here. Being called to the principal's office is an exceptional occasion. If they were called to the office that many times, they'd see through the words and recognise that the adults were out of their depth and that's why they were being called.
I found the password to my teacher's eBoard[1] in 4th grade (a five digit code) and started changing things as a practical joke. Then I started seeing more five digit codes just written on Post-it notes…
I read the opposite, but it's still meaningful. A sysadmin who can't do his job and has to defer to a kid is embarrassing and at that point how can you trust the "authority" to know what they are doing.
This reminds me of a Costco bug I discovered, it appears that they fixed it lol.
So, Costco runs AS/400 in stores, and their online store is in .Net MVC. I worked with both technologies and often have to communicate with AS/400 devs and they are close to their retirement so little fucks are given. Plus, working with DB2 is annoying in general, the .NET data provider from IBM is expensive and sucks.
Now onto the bug, when you purchased items online at a discount, you were able to return to store at a full price as their systems were not communicating that a discount was applied. I returned several items, but did not realize until I bought a laptop that was $400 off and tried returning it. I ended up calling Costco and letting them know. Unfortunately, they didn't give me any lifetime membership or a good citizen award.
If any Costco devs read this and know about this send me some love.
Costco still has issues of resolving discounts on a return. I won't state the bug explicitly but I had a conversation with them about how they refunded me a significant amount I never paid on a large purchase and showed them the delta via receipts. Local management was appreciative but didn't seem to have an idea of how to proceed to make things right. Ultimately they said my account would be flagged as owing the difference so the next time I shopped I would be charged for the incorrect refund. The problem is that that didn't work either and I don't shop there often. I tried to do the right thing but ultimately it ends up being their responsibility to handle it when the customer is standing right in front of them showing their loss of revenue.
"I tried to do the right thing but ultimately it ends up being their responsibility to handle it when the customer is standing right in front of them showing their loss of revenue."
I bought some lions mane mushrooms from a grocery store, which cost $10-12 per lbs. The cashier rang them up as "regular" (button) mushrooms at $2 per lbs. I pointed out the mistake and she tried to correct it but chose the button mushroom again. I brought it up a second time and she selected a different incorrect mushroom at a slight increase ($4/lb?). At that point, I gave up. She's the one ringing it up. I tried.
Wegmans has them sometimes. I have two local/independent stores that also carry them. Although, I grow my own due to price. Occasionally I'll get some from a small scale producer who sells to the two local stores.
I was in dire need of a Cat 5 cable a few years ago and went to Walmart to get one. Until this point I had always made my own cables, so when I saw the price ($40ish) I was floored. Unfortunately, I had to buy it anyway. As I was checking out I had that cable and a small bag of beef jerky. The cashier wasn’t paying attention and didn’t engage with me at all. She scanned the beef jerky and moved the cable across the scanner, but it didn’t register. She told me it would be ~$3.50. I considered telling her that she missed the cable but given the fact I was mad about the cable costing so much I didn’t say anything. I always wondered if I would feel bad about doing that, but several years later I still don’t.
I once made a purchase of multiple items where the cashier scanned the items, put them in a bag, charged me a total and I paid it. Only sometime later I found out they missed a $100 item.
Did I steal something? Did the cashier give me something for free? Who is responsible? What if I didn't notice the $100 charge absent from the bill? What if I was charged twice as much? What if I told the cashier and they did nothing?
What turns something into a crime, in your eyes?
I certainly don't think I stole anything, nor do I think OP stole anything.
The OP knowingly walked out without being charged. At this point it’s not any different than if he/she had just pocketed it and walked out.
The difference between this and the contrived shit you posted is knowing you didn’t pay and walking out of the store in the first place. There isn’t really any subtlety here.
It is different. In the checkout case, the cashier's intervening negligent act led to you getting the item for free.
It might still be theft (or fraud or some related charge), but only if those laws create a strict liability crime out of keeping something that you know was given to you by mistake. I'm not sure but I think there might be specific laws to that effect if you knowingly take advantage of a bank's mistake. Whether there's a similar law in general, probably depends on where you live.
In the pure theft case, there's no intervening act by a store employee. It requires criminal intent.
The argument that if the customer knew, it's theft, applies equally to cases where the product is rung up incorrectly, which several other people in this thread have claimed to have witnessed. I guess we're all thieves now. I've been overcharged and undercharged at stores.
Also even if the intervening act by the store employee doesn't matter, it would be impossible to prosecute. They'd have to show that the customer knew the checkout person missed the item. How would they do that? Interrogating people you live with to find out if you mentioned it to them? No, they don't have access to admissions on HN years later.
> In the pure theft case, there's no intervening act by a store employee. It requires criminal intent
Yes there is, they have cameras and people who can frisk at the doors. I don’t think you want to go down the path of “if there was some action an employee could have taken to stop it, it’s not theft”.
> No, they don't have access to admissions on HN years later.
“They can’t prove it” is not an argument that something isn’t theft. You can go through whatever mental gymnastics you want to go over how difficult it will be to legally prove theft for prosecution, but it doesn’t change what it morally is at all.
In smaller stores (fast food restaurants for sure), when the cash doesn’t balance, the employees pay the difference I think. Does it hurt Walmart or does it hurt the employees in that case?
Who is at fault for that harm? The customer? The employee? The employer? Regulators? Society??
I'm not even sure this is relevant. We're not talking about a cashier returning too much change. In this scenario, there is nothing to not balance. The item wasn't scanned, isn't on a receipt, was simply given away. The balance in the till is still correct.
If an employee of the store quotes you a different price than the label on the shelf or item, you owe the store zero responsibility.
Retail stores change pricing on products and fail to update pricing on the shelf all the time. Home Depot, Walmart, etc have interactions like what OP described occur every day.
The responsibility rests with the corporation to train and reward employee behavior.
If the company has chosen to staff their store with someone that doesn't give a fuck (underpaid, poorly treated, mismanaged, improperly trained, not well rested, etc), then that is a gamble they chose to take, and the last thing I am going to do is rock their boat when they built and arranged it this way.
FWIW, I don't think it was the moral or ethical thing to do. I didn't intend for my post to come off as if I thought it was. I shared this story in the context of process breakdown, not "stealing is ok".
As for my thinking, it was impulsive, I was a fresh grad and didn't have much money, I was upset about the price, I thought the cashier was being rude by completely ignoring me. I felt like I attempted to engage with the process of buying the cable in the correct way and the process broke down in my favor. I was not going to go out of my way to fix it.
Again, none of that makes it the right thing to do. I wouldn't have considered walking in and stuffing it into my pocket, but feeling like I did my best I shrugged my shoulders and went on with my day.
Opening stores in key areas to destroy local business. Draconic contracts with suppliers. Lowest possible quality. Highest possible price. Huge markup.
Can you walk me through the thinking of "corps fuck me over and I should be thankful"?
I met someone many years ago who bragged that they did this with sales tax. They purchased expensive items at Costco in Oregon, paying 0% sales tax, and then returned those items in Washington and received a full refund plus 10% sales tax. This was the first time I met a person who appeared normal but lacked social mores against fraud.
In grade school a class mate told me how to mail letters for free: print where the letter _should be sent_ in the return address, print anything for the apparent delivery address, apply no stamp, and drop in a public mail bin. The letter will be sent "back" to the return address because postage was not paid.
When I got home later that day I excitedly shared with my parents the new hack I had learned and they told me it was wrong because it was stealing. I had been so taken with the neatness of the scheme I did not register its immorality.
I use this exact scam as a way to explain email forging and how the Bad Guys (TM) get spam delivered.
Funny enough, my grandmother told me about a version of this scam, but as a prank. Get some roadkill, put it in a sealed bag. Put that bag in a box. Mail it the slowest way possible to a far away address that doesn't exist. Put your target's address for the Return Address. Be sure to do it in summer. By the time it gets to them... yuck.
I went on a tour of a USPS Bulk Mail Center and asked what was the weirdest thing they ever came across. Mail person said they had a box bleeding one time. They set it aside for the postal inspectors. Turns out it was steaks.
I would expect that postage scam to only work in the same geographic area. If you put a return as California but dropped it in the box in NY I don't know if they would return it, would they? If so I would imagine they have anti-fraud measures against doing this en masse.
A postmark is applied where the post office receives the letter. If the return address isn't in the post office's service area and there's no postmark, it's fraudulent. I'd be shocked if the automated systems don't check for that before applying a postmark.
Not refuting anything you said, but I personally have dropped letters while traveling on a weekend, just because, so like dropping a letter in Oregon on Saturday evenings, obviously with proper postage, and my return address as in different state 800 miles away. One reason is if the delivery address is in same direction, i.e. if I am travelling towards letter's destination halfway, I like to see it as quick delivery and help to Post, like I am covering half distance for them.
You're right, it's not necessarily fraudulent, and there are cases like yours, or when someone's on vacation and uses their real home address as the return address.
But there's no way to allow those while preventing abuse, so I can't imagine what good options they have other than to reject and trash those pieces of mail (since they have no way to return them). I guess they probably allow them and eat the losses due to abuse?
In uni me and a friend who went to a university across the country (not US) did something similar - he mailed one letter to me once, then I'd replace the letter, cross out the address and write "return to sender". We'd do that over and over again. I think after 3 times the letter just got dropped and not delivered.
I'd expect Costco would require receipts for returns, even for online purchases, like most stores. Then the store would only refund the amount after discounts. But perhaps Costco is more trusting of their customers because they have to pay for membership.
> I learned my lesson to not talk about such things
I like how you shared how you learned lesson to not share mischievous activities with people in the same post you then go and share more things you haven't been caught for.
This is going on your permanent school record! /s
That's great. I know even as of recent of 2021 I've seen some places that had 0 security on things.
> I like how you shared how you learned lesson to not share mischievous activities with people in the same post you then go and share more things you haven't been caught for
American public schools are quite adept at teaching distrust in authority, particularly in bureaucrats. That doesn't mean distrust in everybody.
Because in the United States, unprivileged kids often get thrown into what we call the "school-to-prison pipeline" for inconveniencing authority figures.
Unfortunately, they end up learning a different sort of hidden lesson.
I love how student government teaches you how government really works. The election is a popularity contest for a puppet regime with no real power, but you can pat yourself on the back and take pride in the democratic process.
This made me think of The Simpsons episode that parodies Evita. Lisa is elected but quickly becomes a tool of the school administration. Season 14 I think
Depending on where you go to school, I think student government actually does have responsibilities with planning events and such, and this gets far more important in college than in k12.
In k12, while it's not really meaningful, it's still an extracurricular activity, and at the same time it shows that you can work with others (theoretically) and that people like you enough to put you there.
Unless you're in an anime. The student council in anime not only has power in the school, but outside political and military power besides.
> American public schools are quite adept at teaching distrust in authority, particularly in bureaucrats.
I wonder to what extent that property is primarily due to them being schools, or primarily due to them being public, or primarily due to them being American, or is it some combination of the three?
My own impression (having experienced both as a child) is that private schools are less prone to bureaucratic inflexibility than public ones, which is one of the reasons why my wife & I have chosen private schooling for our children. But, not the US, so our experiences may not be directly comparable.
I think the example is in the great grand parent comment
> Oh well, 2 week suspension and kicked off the computers for less than a year. A nice conference with FBI, police, my parents, IT and school administration. Fun times.
Something that most would believe as non-malicious and just for the lolz received a (what I personally think is) heavy punishment. So as a kid you learn to just keep that to yourself because you don't know if you'll get a "oh thanks for telling us" or a "you're expelled". It's not explicitly said to distrust but you learn from experience.
I think this is especially prevalent in schools. You'll see things like this even for things that aren't related to computers. When I was a kid, drugs in your locker were your drugs, even though breaking into the lockers was trivial and stashing drugs in other people's lockers was the way business was done.
I wouldn't have told the school of a theft I witnessed even if I knew there were cameras recording the entire thing. You're guilty unless you can prove someone else was more guilty and they're not really concerned about the truth of the matter so they're not trying to help you.
When I was 11 or 12 we had a bunch of old Windows (2000?) boxes with a shared network folder — all the students' files were in the same folder. I had just learned about basic batch file "programming" so I made one called Change Your Grades Click Here!!.bat which asked for your username and password (we had individual accounts on the Mac computers) and saved them to a hidden text file in the same folder. Most people didn't fall for it, but I got one girl's login that actually worked, which scared the shit out of me, and I deleted the program. (I really wanted to tell her that "emma" is not a good password, but I thought it wouldn't turn out well for me.)
A few years later, I cracked the admin password (with an Ophcrack live USB) for a silly reason: they had the machines mostly locked down, and I wanted to change the desktop background hahah. I remember being quite disappointed in the sysadmins that the admin password for all the machines in school was a common dictionary word, cracked in 30 seconds.
Oh, once I met a guy who identified as a "hacker" (in the sense of breaking into systems illegally) and he told me (then a young teen) to "have my fun" before I turned 18 and then to stop, which in retrospect was very good advice.
When dsl was deployed into my town, it was mostly for doctors offices and the local hospitals.
I was one of the first normal citizens to get dsl internet. I opened windows explorer, and saw all the hospitals and doctors office network folder shares, with patient data.
> I got one girl's login that actually worked, which scared the shit out of me, and I deleted the program. (I really wanted to tell her that "emma" is not a good password, but I thought it wouldn't turn out well for me.)
With all due respect for HN policy of nuanced, Intelligent debate.
> I learned my lesson to not talk about such things because their egos were too fragile.
At my university in the early 90s I went the white hat route and had tons of fun. I managed to convince the computing center folks to give me a student job in the Unix group, and then spent the next three years hacking their systems and getting a pat on the back when I did it.
I cracked all the passwords in my MS-DOS based computer programming class by modifying the boot floppy. It was pointless since the assignments were easy and I had perfect grades in that class, and the only thing this allowed me to do was steal other peoples' homework. But eh, boredom....
I also figured out how to auto-crawl the networks of all the schools in our district, which, as a self 15 year old whose only experience was non-networked DOS, is still a proud accomplishment. The only things I found were a bunch of printer management, some office form templates, and a cool video game that was like sim-moonbase.
But then my teacher found the file in my home dir called passwords.txt, and I was busted. Oh well. Instead of an FBI file, I got a detention, and I had to teach him how to write-protect the boot floppies so no one else could do what I had. (he didn't need to know that you could reverse the write-protection with a piece of electrical tape)
> I didn't change a thing, just LOLed and told someone
> Oh well, 2 week suspension
God damn, these idiot school people have no fucking clue that someone who points out a security flaw to you without inflicting any harm is actually doing something good, and that behavior should be encouraged and rewarded.
BRB, preparing my YC S22 application: "BugBakeSale"
"We're bug bounties for America's school districts: HackerOne for the K12 market. The product is free if you let our corporate partners, who also fund the bounties, recruit the winners."
I had two friends that did similar in the early 2000s, except that while the school knew there was a breach, they never caught who did it. Had all student social security numbers, grades, attendance, etc pulled into a thumb drive on the school network. I imagine this happened a lot around various school districts, especially in that time when school networks were less secure.
With all the shenanigans I was into as a turn of the century high school student, I'm incredibly lucky to have never had a (known) FBI run-in.
At my first high school I was expelled for selling teachers a boot floppy that disabled the district's security software (Fortress) on their machine.
At my second high school I was busted twice, once for selling CDs with a much anticipated unreleased movie, and the second time for finding (and copying) a network share that had every student's school photo from that year before they could even purchase it.
Never mind all the unsavory nonsense I did outside of school and was luckily never busted for.
Good times indeed. I got into similar mischief, but my school didn't really mind. I got a slap on the wrist, because they were too prestigious to court negative attention. Then I got into similar shit in college. I reported it and got lucky again. The guy in charge of their cybersecurity program invited me to take his class which was all master's students and PhD candidates as a freshman. I would have bombed as it was all over my head cryptography/math, but at the time I did some extracurricular research that got me a passing grade.
Oh yes. I remember the embarrassment / horror of having the admin just creepily poking my shoulder when at the computer and gently saying: "Hey, I promise I will NOT report you for anything, if you just tell me what the hell you just did with our network!"
I had no idea what I had done, honestly, I just sent a large ping packet to some IRC-user. Turns out it killed some vital things in the network.
Also the admin leaving anonymous FTP enabled with write access. That was one weekend with an extreme amount of illegal stuff apparently uploaded via the school's FTP, but that was my classmate who was involved, not me.
This was at the time when people had dial-up at home so the 256kBps connection at school was awesome.
Late 80s and my junior high school computerized attendance reporting (and some grades) through shared documents on a 'teacher' Appletalk share I had access to (because I set it up!) Well now... ;) Honestly though I never did any of that sort of thing for profit, I managed to satisfy my needs selling disks with games on them and then turning a blind eye when people were playing them during class hours (I was basically used as a free labour resource by the school so I don't feel bad about that in the slightest.) Ah, the things we did when we were teenagers...
I was punished three times for computer curiosity before I learned my lesson. No good deed goes unpunished, especially when it makes somebody powerful look bad.
Seriously, they would have deserved that the school mysteriously becomes littered with printed (or typed) sheets of paper explaining how to access the system and change everyone’s grade.
If it were me, for the second time I would have considered adding a file to everyone’s FTP account (including the admins & professors themselves) explaining how they too can escalate to root.
Ouch. I once tried to grab a password file remotely that made the whole computer network crash for some reason. They found out it was me and they said, "please don't do that again." I was really lucky.
I was in junior high early 90s when I got into trouble with my school's networks. Setup was Novell Netware, DOS 6.x. I was never a Netware expert by any means, but by that time I'd been using DOS at home for quite a number of years and knew my way around pretty well. Anyways, the network crashed. I got accused of causing the crash because a teacher had seen me with "a black screen open", aka a DOS prompt. Our Netware setup didn't allow for direct DOS access; we had a limited set of DOS apps from a menu we could run. Well, among those apps was WordPerfect for DOS. There was some function key combo that'd suspend WordPerfect and dump you at a DOS command prompt (I forget the key combo, but we all had those keyboard templates at the time that listed out the various commands helpfully, right in front of you, at school, even!).
Well, being at a DOS prompt was enough circumstantial evidence for me to get suspended for a week (no FBI record, AFAIK). My parents, despite being strict, were also fair and asked me point blank, "Did you have anything to do with what you're being accused of?". Told them no, I was just at a DOS prompt (probably to play either nibbles or gorillas - those classic BASIC games). To their credit, their opinion was if I was going to serve the time, I might as well know how to do the crime (know, not actually do). I had already been tagging along to continuing education computer classes my mom was attending, but my parents started buying me more and more computer books. It got me started down the programming path. I'd already been pretty friendly with our sysadmin at school and he knew I had nothing to do with what happened and hadn't accused me, but the school needed a scapegoat, and I was it. He felt bad for me and chose to help me out with my learning, too, instead of continuing the punishment. He gave me a copy of the software he used for after hours remote access over direct dialup. Think it was called Carbon Copy? It was basically just telnet over dialup that allowed me direct access to his PC on the network after hours before I even knew what telnet was. So, I'd connect after dinner and play around for hours as network admin. It wasn't multiprocessed, so I had to be patient. Typically when I'd log in, he was running a nightly backup manually that he'd kick off before he left for the night. I just had to wait for it to complete, then I could do whatever I wanted. I had full access to the grading/attendance system. I could message teachers as other teachers, etc. I could have granted admin access to anyone, but I was smart enough to never touch my own account, instead, created fake admin users and used those, instead. I'd hide files in plain sight using the ALT+255 trick to embed a nonprintable character in file/directory names.
You could see them, you just couldn't directly access them without renaming them for most programs. Fun times. I never did anything destructive, though I could have easily.
Security in the 90s was a joke. They were good times, indeed :)
I continued my shenanigans into college. College was my first encounter with Windows NT networks & l0phtcrack. I remember one night, walking into my dorm room with the SAM file from a lab PC on a floppy. I popped it into my own PC, started cracking the passwords, expecting it to run all night. As I got up from my PC to head down for dinner, I was surprised to see that I'd already cracked the administrator password. It was just a 5 character password that was the building code & room number for campus IT. I already knew better than to do anything from my own PC, only ever worked from different lab PCs in different buildings and under assumed accounts. Never reported anything, either, for fear of reprisal.
> I learned my lesson to not talk about such things because their egos were too fragile.
Yip, egos and people talk are the downfall of many an innocent `self-education` in the area of IT security.
Post 80's and laws started to change, prior, in the UK it was theft of electricity being the only way to nail some people. Crazy fun times.
Though I do miss the old phone system per se, outdials, wardialing, things like that, was common with many and just seemed more mysterious as you could only learn thru word of mouth or self-education as no books or internets and BBS's were not as cheap in the UK or common as we never had the official free local calls aspect as you fine folks had in the US.
Do recall a chap getting kicked out of college for doing something I'd done previously, just that he had a bigger ego and not as delicate with the power to steal the admin password. Which involved an ICL George 3 OS mainframe in the times of very large disc platters and admin console journaling that had no encryption. So they rotated discs without adding extra wear of zeroing the previous content, only the file table so you could end up with a user disc platter that had formerly been used as an admin console journal repository and could create files without zeroing and dump the previous contents of the disc that way...which eventually got you the admin password.
Do recall few instances of work related cases in which I needed to do things so, kinda hacked what I needed (resourcefulness) like upon a DPS7 Honeywell mini computer in which needed the admin password to do something and nobody had it at hand at that time of night and the passwords were kept in a file that was encrypted so I worked out the encryption key by looking at the file as was poor encryption and text files have lots of spaces so saw a pattern with the word OPERA in and tried and tada, got what I needed. The spooked admin next day wondered how I did it so I told him fully, he then went and redid the encryption and challenged me to see if that was secure, I looked at the encrypted file and kinda worked out by the patterning that it had been encrypted twice....yes with the same password OPERA only encrypted with that and then encrypted again with the same. Educational for all back then. Today, not as easy to do that, but still a great story of times of old.
My ego prevents anything else and was an ethical hacker and the 90's was an era in which, we white hats would and was the internet security, bringing down pedos and bad actors like that that frequented some platforms with ease (looking at you AOL). So whilst illegal per se, was case of no real official policing of such things as we do today.
But darn, some things learned and worked out, well zero day exploits back then were not as financially economical as they are today and heck, and some never really appreciated how long they would stay obscured from the wild.
I also liked hardware back then, was also fun and many a hidden switch to get a feature you would normally pay silly money for some engineer to `install` though was just some hidden switch was not that uncommon. Heck even today you get kit that is same inside with a model up just adding some small thing and example would be some Fluke multimeters that you effectively pay hundred for a small capacitor and another digit on the outer shell, is a good example current today.
Fun times indeed, but darn, goalposts always moving.
The UNIX family of operating systems (Unices) historically stored passwords in /etc/passwd, which was readable (but passwords were soon hashed, i.e. passed through a one-way function to obfuscate them).
Eventually, shadow passwords were introduced to have the passwords themselves stored in another place with stricter access rights (readable only by the sysadmin or their group), so even the hashed versions were inaccessible to normal souls, whereas other information traditionally kept in /etc/passwd - e.g. the user's full name - could and can still be retrieved from that file by making it widely readable - just without the passwords, which were moved to the "shadows".
Debian even back then did protect the passwd files appropriately out of the box, but in this server's case, they did an import from an older system where it wasn't protected, and they couldn't figure out how/bothered to convert it to shadow.
I always thought the shadow was just a way to refer to a hash -- the shadow of a thing being less detailed/unique but still capable of being used for recognition.
Maybe I read Plato around the same time as I heard of it and that biased my thinking.
> Could you please explain what this means? Googling didn't reveal much.
A classic UNIX /etc/passwd file is readable by all local users and in the past used to contain the password hashes. One can download these hashes and crack the passwords offline. At some point the problem was recognized and password hashes were moved to special /etc/shadow file which is accessible only to root and members of shadow group making /etc/passwd useless for extracting passwords.
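Added example, not part of any comment in the thread: a small audit that flags the condition described above, where an imported /etc/passwd still carries hashes (or empty passwords) in its world-readable second field, and checks that shadow-file permission bits exclude "other". The sample file, the placeholder hash strings and the function names are constructed for illustration.

```python
import stat

# Constructed sample: an /etc/passwd as imported from a pre-shadow system.
# The hash strings are placeholders, not real crypt(3) output.
SAMPLE_PASSWD = """\
root:PLACEHOLDERHASH01:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:PLACEHOLDERHASH02:1001:1001:Bob Example:/home/bob:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/sh
# comment and malformed lines are skipped
"""

def classify_password_field(field):
    """Classify the second field of a passwd(5) entry."""
    if field == "x":
        return "shadowed"        # the real hash lives in /etc/shadow
    if field == "":
        return "empty"           # no password required at all
    if field[0] in "*!":
        return "locked"          # no password can match this field
    return "hash-in-passwd"      # hash readable by every local user

def audit_passwd(text):
    """Return {username: finding} for entries that need attention."""
    findings = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:      # passwd(5) entries have seven fields
            continue
        status = classify_password_field(parts[1])
        if status in ("hash-in-passwd", "empty"):
            findings[parts[0]] = status
    return findings

def shadow_mode_is_safe(mode):
    """True when the permission bits give 'other' no access at all."""
    return (mode & stat.S_IRWXO) == 0

if __name__ == "__main__":
    for user, status in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{user}: {status}")
    print("mode 0640 safe:", shadow_mode_is_safe(0o640))
    print("mode 0644 safe:", shadow_mode_is_safe(0o644))
```

On systems with the shadow suite installed, `pwconv` is the tool that moves such hashes out of /etc/passwd into /etc/shadow.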
A quarter century later, statute of limitations expired, systems long gone and replaced with entirely different vendors/technology, nobody cares except you.
Good times, the 90s....