In high school a friend figured out you could map any network drive to your desktop and access it (Windows XP), and since everyone in the entire school district had a username of {last name}{first initial}, you could gain read/write access to anyone’s network drive (essentially “home folder”). He used it to get test answers from teachers, I used it to create (empty) folders named “porn”, “porn 2”, et al.
Anyway when he was caught (a fellow classmate ratted him out) he got 10 days out of school suspension. The VP threatened to call the police… for what offense I’m not really sure. There seems to be a fundamental misunderstanding of cybercrime and cybercrime laws. I mean was it really unauthorized access (they called it “hacking” of course) if his user account literally had permission to map network drives?
They removed the ability for student accounts to map network drives, but the district IT guy was not fired. I really don’t get that. Maybe the union saved him… but dog, everyone knows you can map network drives by right clicking on the desktop. I never thought to try it, but that doesn’t mean the district’s IT SME gets a pass.
> I mean was it really unauthorized access (they called it “hacking” of course) if his user account literally had permission to map network drives?
My expectation is that laws probably specify that gaining access that you know you’re not supposed to be able to get is probably illegal, but I get your point.
Reminds me, however, of the pen-testers that got hired to infiltrate a court system and got harassed by a prosecutor despite having explicit approval to conduct an audit.
https://darknetdiaries.com/episode/59/
Our judicial system is ludicrous.
The Florida Computer Crimes Act was passed in 1978 so as you can imagine it’s very draconian. I’m pretty sure it was a misdemeanor for 16-year-old me to boot Linux from a live USB as a means to get around the IE-only web filter the school district used.
If someone didn't question, or otherwise call out, the pentesters activity, that would have been a blemish against the security training of the org being pentested. This is why pentesters need a way to immediately escalate to the hiring party, to satisfy legit concerns over access and ensure those claiming to be pentesters legitimately are.
In this case IIRC they did have exactly that but were caught up in drama between different factions within the justice system. Unfortunately a few of the people involved behaved in bad faith and thus they got stuck in jail for a while.
The moral of the story, if there is one, is probably a cautionary tale about petty individuals prioritizing workplace politics over ethical integrity.
If you listen to the episode you'll learn that such escalation did occur, and unfortunately the harrassment by local LEO did not cease.
> I mean was it really unauthorized access (they called it “hacking” of course) if his user account literally had permission to map network drives?
It may not pass as hacking, but it certainly was unauthorized. Network policy in software should reflect reality, but the source of authority comes from humans. Your friend literally was not authorized to access teachers' files, regardless of poor software configuration permitting the capability.
Is it still trespassing if the door was unlocked? Yes. Not sure why so many people have trouble applying the same principles of unauthorized access to computers.
The interesting bit is that social expectations matter.
There is a social expectation that people can generally only enter your home with explicit permission, and so if they didn't invite you it's trespassing even if the door is unlocked. But maybe you have some close friends who you get used to coming over and just entering even if you may be out at the moment -- and then it's not trespassing anymore.
Remote computer access is a much younger phenomenon than people living in houses, and so social expectations aren't as established. There's a legitimate need for discussion there.
For example, if you have an open webserver that you want people to access, is it trespassing if people fiddle a little with the URLs and encounter documents that you didn't mean to put out there? I'd argue it would make for a healthier and more tech-savvy society if we didn't consider that trespassing.
If we try to push the houses analogy further, it's a bit like inviting people into your house for a big party, and then somebody enters a room that you didn't want them to enter. It's a faux-pas, but you'd probably also have a hard time if you tried to label it trespassing.
There are echoes to discussions a few months ago about IMG_0001.
https://news.ycombinator.com/item?id=42314547
The site displays random, ancient videos uploaded from the early iPhone YouTube app, often without people understanding what they were doing.
I tend to err on the side of caution: I don't expect most people to be tech savvy, and I think those of us who are must exercise restraint to avoid trespassing.
I actually agree with you, but the point is the balance.
Don't steal. Don't share embarrassing or humiliating information you may come across.
At the same time, there should be safety from prosecution overreach.
I ask for this mostly not for my current self but for "kids" (including young adults, e.g. college students) who are on a hacker journey in the original sense of the word. As a society, we should encourage rather than stifle that sort of exploration.
Someone at my high school (late 90s/early 2000s) was apparently distributing something on CDRs.
I got called into the police station, where a cop asked me, verbatim: "Son, did you copywrite them there CDs?"
I did something similar in 7th grade, with the extra naughtiness of charging my peers 50 cents or so to drop the basic Windows games like pinball and Ski Free into their home drive. I created a couple of joke files in my favorite teachers' directories and then notified the IT admin before someone more nefarious saw what I was doing.
That admin became my mentor and is now a lifelong friend.
The IT admin at my high school was a prick and from what I’m told took it very personally when my friend was caught mapping network drives.
The closest thing we had to a computer class was graphic design where you played with Photoshop and Premier for a year. God forbid we learned to write code or whatever.
It sucks when school administrators are needlessly punitive.
In my school, some jackass kid made a photocopy of a $20 bill, on a little mid-1990s HP Officejet in the library. Even in those days, they were programmed to make bad copies of US currency (I think they were enlarged and the color messed up). It was more of an innocent “woah look at this thing”, there was no intent or effort to glue it together and try to use it.
The assistant principal, who was a petty drunk who was uniquely unsuited for her job, flipped out and called the secret service. The kid was arrested & had a lot of issues over nothing.
It always stuck in my mind and accelerated the development of my contempt for petty tyrants who experience joy from the pain of others.
I would imagine as in the professional world, there are certain school jobs that attract sociopaths/narcissists/psychopaths. Yes, I’m talking of course about vice principals. My elementary, middle and high school principals were very nice. The VPs were mostly unapproachable hardasses. It may have something to with the principal vs vice principal responsibilities in the U.S. I’m not sure how it is elsewhere in the world.
I've never met a principal or vice principal who was not either bullied as a child or a bully.
Something about having healthy self esteem in childhood causes you to avoid education administration career paths.