[catenate]

In high school I was blacklisted from an admin position for demonstrating that you could write in Digital Command Language a program that simulated the login environment, stored login attempts, and then after three tries exited to the real login environment to let the user in. In college I was nearly expelled for just mentioning to the IT guys that they didn't have a password on some database, and I could get in with just telnet. These attitudes haven't changed much since 1990 at least.

[maratd]

> These attitudes haven't changed much since 1990 at least.

Why would they?

A blatant oversight is a sign of incompetence and by making such incompetence public, you're threatening their job security. Why would anyone react positively?

You're better off making the disclosure anonymously.

[genwin]

> You're better off making the disclosure anonymously.

When the info comes from an anonymous source they can't take their frustration out on the messenger. (Instead of thanking the messenger as they should.) I don't get why these hackers often give up their anonymity.

[TeMPOraL]

> I don't get why these hackers often give up their anonymity.

My guess is that it's because they're hackers, and they don't expect that the other side consist mostly of boring incompetents with zero sense of humour or professional pride. Geez, if I were to ever be responsible for ITSEC in a school, I'd take such hacker for a beer and dare him to try and break some more stuff. The state of mind which leads people to prosecute hackers is a very sad one.

[edvinbesic]

Funny enough, I did the exact same thing when I was in high school, only we were running Novell on NT4 and I did it in basic and started it from autorun.bat which loaded before the network login screen.

It would let you try one time, tell you you entered the wrong password (saving it to file) and exit, at which point windows would load the novell login screen that looked exactly the same.

Good times.

[GrinningFool]

Hah! Exact same thing, I used... Borland Basic, IIRC, to build the executable that I called from autorun.

I collected many passwords - I never used them or intended to, I just wanted to see if I could do it.

I made the classic mistake though - I told someone about it. A few days later word got around. I was suspended for a week and was banned from computers for the rest of my time there.

Edit: Now that I think about it (I haven't in years): What kind of response is that? Someone shows some creative thinking and does so in a way that is obviously[1] quite naive/without ill intent. While I understand that you want to discourage the specific behavior, perhaps steering the culprit to use talents with more foresight would have been a better answer.

[1] Looking back, I was something of an asshat in the personal skills department so it's entirely possible that they simply didn't believe my lack of nefarious intent.

[javajosh]

Actually, I doubt it had anything to do with your personality (and if it did, shame on the authority figures - and the same is true if they were reacting to being made look foolish). No, instead I imagine this was a pure security play: you had a bunch of passwords, and you hadn't done anything with them yet. But they would have had to believe that (and chances are they had no way to independently verify this) and in addition that you would never do anything with them in the future. The second claim is rather tougher to believe than the first.

So in the simplest possible manner you became a "known threat", and they dealt with you in the simplest possible manner, digital ostracism.

Now we can all tell the alternative story, about the wise teacher who sees something special about us in the misdeed, and who takes the time and the risk to cultivate that positive seed rather than throw the baby out with the bathwater, so to speak. Our very own Mr. Miyagi to safe us from a misspent youth, and who understands our behavior as an expression of exploration ignoring limits, outsmarting the system, rather than your basic mean-spirited destruction for no reason. (Although tagging and hacking do share many qualities, and both are driven, I think, by a young man's desire to prove himself, and yes, even aggrandize himself as someone special - bold, clever, crafty, and someone who can't be "kept down by the man". Rebellious, but also desperately needing to prove himself.)

(Of course in this story the Mr. Miyagi would have hacked onto your personal systems, encrypted the passwords you'd stored, and then left a personal message notifying you that if you wish to understand what he did and how he did it, he'll meet you after school in room 10 for a primer on real hacking.)

[bradyd]

I too did something similar in high school. We were running Novel on either Windows 98 or 95 (Can't recall now the specific version). I started the Visual Basic program using the autorun.bat like you, except instead of presenting a fake login dialog, my program would listen for the OK button click event in the real dialog (using the Windows API) and would get the contents of the username and password textboxes and then POST them to a web server a fellow classmate had setup. This had the advantage that it was completely invisible to the end user. The program was also hidden from Task Manager (also using the Windows API).

We did end up getting the admin password and getting access to the server. I had written another program (also in VB) that would run hidden in the background and randomly open and close the CD-ROM drive. I uploaded this program to the server and attempted to get it to push to all of the computers in the school, but I don't believe I was successful as I didn't really know anything about Novell and never saw it working on any machines.

One of my fellow classmates also found the schools SOCKS proxy so we were able to run AIM and ICQ on the school machines. Our teacher pretty much let us do whatever we wanted in that class. It was my third year taking a programming class with her and she allowed the advanced students to work on their own projects. In that class I also wrote a Group/IM chat client in VB with a Perl server. As GrinningFool said, responding to teens who are obviously interested in computers with bans or expulsion or worse is just stupid. If I hadn't had the freedoms that my teacher gave us in those classes, I wouldn't have learned anywhere near as much as I did.

[richforrester]

Wasn't that autoexec.bat? I could be wrong here, but I think that's what I used ;) Same methods!

[perlpimp]

Witches were burned at the stake, basic human reactions have not evolved since dark ages. So basic premise of somewhat trivialistic movie "Hackers" the one with Jonny Lee Miller holds right - rest of the world is sheep(and it will get worse as we migrate from general purpose computing to specialized devices). Most of the world is made up of unwashed masses that consider computing something that resembles magic - you only scare and confuse them talking all the smart things that they do not really understand or grasp.

I'll conjure up respected Arthur C. Clarke - Third law: Any sufficiently advanced technology is indistinguishable from magic. Put scared people and magic together and you got bonfires going. This why hackers rot in jail for longer than murderous psychopaths.

But then again I was more of a black hat for most of my life than white.

my 2c

[monksy]

I was threatened with a ban on computers at high school from my middle school.. because I had copied game demos to other user's accounts. [They gave me their username and password]

I also figured out how to access the middle school's library database without a login. [That wasn't secured, nor did it require a password]

Also, nearly got in trouble with the IT administrators at my high school because I found out how to send Novell messages.

I was a very bored kid.