by fauxpersona
2782 days ago
Similar story here, but very different outcome.
Messed around a bit in junior high, but in senior high our school had their home-built web-based intranet. Several security issues (at least half of OWASP 10 basically), so escalated that to full access of db with cracked account passwords. Windows AD network and I don't remember the details but it involved a service account with a weak password, Remote Desktopping into some admin server and getting a local copy of a database with NTLM hashed passwords, cracking those for all users. I didn't actually do anything much apart from just exploring the security aspects. Didn't probe in private messages between teachers (definitely in their internal message boards though!), try to look at the grading database, etc.
Eventually got caught because one of my two friends who were in on this had got caught having the wrong window open at school and they got on to us. That was nerve-racking. There was a whole internal crisis around it - it was not a huge school, private IT and media school with fewer than 1000 students at the time. They had logs that made me have to admit and I effectively got cut off the AD. Game over.
However, I still had a private 0day for the intranet so I could see what they were writing about what to do with the situation. It seems like the consensus was to turn us in to the police - just like with the boys in the article. But then our head of school posted an MP3 file on an internal closed message-board arguing for how this was not a way to do this and instead we got "detention"; I had to build a web app and database for connecting students to companies for internships. Which was pretty fun. Some time after graduation and military service, the head of school calls me out of the blue and wonders what I am up to now. Apparently he had moved on from the school and was now working with one of the most famous web entrepreneurs in our country with a small startup in the town where I went to high school.
So that's how I got my first full-time job, where I learned a lot. Morality aside, which approach was more constructive here?