Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> The CFAA is a blunt and clumsy instrument that tends to injure bystanders.

I feel you. It's because of 1984's CFAA law that I was thrown in jail with a felony charge for rick-rolling my school.



Uuuuh. Could you add more details to this story?


Long story short - used a rainbow table against the Windows XP SAM file to get the password that they used globally - including the login credentials for modifying the content in their CMS for their website. As a joke, we threw Rick Astley up on the main page. The next day, they brought the site down, scoured the logs for my IP address and pressed felony charges against me (Made possible by the CFAA). It's all good now though, after a lot of explaining the judge eventually dropped the case.


Sending someone a link that turns out to go to Rick Astley is rick-rolling. Cracking a password, accessing a CMS, and defacing a site is slightly more than just "rick-rolling my school".

Yes, it probably should have resulted in a suspension, not a felony charge. No, it's not as benign as you implied.


While I admire the original hijinks, I think you have a point. There's a difference between showing someone a funny picture, and picking the lock to their house so you can leave a copy of it in their underwear drawer.


> No, it's not as benign as you implied.

Yes it is. He didn't hurt anyone or even mess with their files in a naughty way. I was so happy to get away from school and this kind of bullshit.


He purposely went out of his way to crack a password for the purpose of gaining unauthorized access to a system that wasn't his.

That's exactly the kind of thing the CFAA was created for.

I agree with the GP that he was harmless, and doesn't deserve anything terribly serious as punishment. But what he did is a lot more than using simple HTML injection to add a rick roll to something.


It sounds like what he did had exactly the same effect as "using simple HTML injection to add a rick roll to something".

'But he achieved it using leet hacker skills' should not be a factor in determining the nature of the charge or potential sentence. That's along the lines of making a big deal out of someone using a "Subversion" system to access and maintain code.


By "using simple HTML injection" I'm thinking of a form where they don't sanitize input so you could put a <video> tag in the 'name' field and suddenly the video would appear on the page.

Getting access to the administrator account is pretty different.


Not for a high school student. School networks tend to be very insecure, and the students tend to see them as just another resource in their education.


> He didn't hurt anyone or even mess with their files in a naughty way.

I've had people deface sites. It's stressful, upsetting, and a lot of work. You can't really trust a compromised server, and school IT is fairly unlikely to have great processes for it.

> I was so happy to get away from school and this kind of bullshit.

The real world isn't likely to look any more fondly on this sort of behavior.


The IT dept has no idea if he messed with their files in a naughty way. They will have to spend x hours and y moneys on checking now.

While finding the problem should never be punished if it's responsibly disclosed, exploiting it (publicly in this manner) should be.


I escalated access to my school district's webserver and accidentally took it down. For some reason I was trying to close the hole I had used; instead, I default denied all access. Whoops. I explained what happened to a teacher, he called in the IT group, my change was reverted and nothing was ever spoken about it again.

I also hacked the online grade review site, which was trivially hackable (javascript password protection, wtf), told a teacher, nothing happened to fix it (or to damage me) and I dropped the issue.

Both of those were done in attempt to be altruistic but technically both were completely illegal. Since no administrator ever found out, no cops were ever called and no prosecutorial discretion was in play, but I wouldn't want to bet I'd have been "let off", which is sort of terrifying.


Out of curiosity, could you expand on the story a bit? I've recently undergone a very similar experience. The administrators at my school alongside the IT Department freaked out and were considering legal action since they didn't really understand what had happened, however I was able to talk them down from it. The entire situation has kind of made me curious about other peoples experience.


You vandalised property and cost the school money.

You obviously don't deserve prison time, but you didn't get it either. It shouldn't have gotten as far as it did though.

But do you think the person/IT responsible for the website was not harmed? You get they are human and 'possibly' went under an amazing amount of stress?

They may have been disciplined for what happened, either officially or off the books.

There would have been a lot of hours work post mortem trying to fix the problem. This is money on a possibly tight IT budget. If the people who run the website care, which many do, this also is stressful.

I'm not saying don't prank or even don't do this prank. Pranks come at a cost, but they also make the world a better place. But be self aware of your own actions. You hacked and got caught it really has nothing to do with the CFAA.


> You obviously don't deserve prison time, but you didn't get it either.

Because they decided not to press charges, not because the CFAA makes any sense.

> But do you think the person/IT responsible for the website was not harmed? You get they are human and 'possibly' went under an amazing amount of stress?

There is a difference between inconvenience and harm. The vast majority of the "harm" caused in cases like this is a result of ridiculous overreactions to anything that involves a computer.

Imagine the analog version of this case. Some kid sitting in the main office sees the teacher enter the combination to the filing cabinet and then the kid unlocks it and sticks in a picture of Rick Astley. If that happened, would we still be hearing about a "post mortem" (as if serious level = human fatality) and the harm and stress the kid caused? Does a law allowing that kid to be prosecuted for a felony really make any sense?


I was thinking the analog version may be someone breaking into your house and leaving a picture of Rick Astley on your kitchen bench. You come home, find out someone has been in your home, but not what they've done in there. You don't know that it was your neighbour playing a prank or if it was some criminal that's put up little IP cameras all around your house until you do some investigation. Until you come to some conclusion you could be very worried and/or paranoid. Granted, this is the extreme version of the analogy.

Jail would be an over reaction for your neighbour, but you'd want that as an option for some creep breaking in, right? It sounds like in the parent posts case everything worked out more or less OK.


> I was thinking the analog version may be someone breaking into your house and leaving a picture of Rick Astley on your kitchen bench.

It was a school, not a home.

(It's also a notable contrast that when people are arguing for bad laws the fear is that criminals will invade your privacy, but when people are arguing for mass surveillance then it's all "nothing to hide" as if organized crime getting access to the surveillance apparatus isn't somewhere north of probable.)

> You don't know that it was your neighbour playing a prank or if it was some criminal that's put up little IP cameras all around your house until you do some investigation. Until you come to some conclusion you could be very worried and/or paranoid.

The criminal who is secretly trying to hide IP cameras in your house is going to leave you a picture of Rick Astley?

The problem with this theory in general is that it has nothing to do with any wrongdoing. Suppose your neighbor sees what kind of locks you have on your door and proceeds to pick them in front of you in ten seconds, then advises you to use better locks.

Now you're in exactly the same situation. You just learned that that person or anybody else with amateur-level lockpicking skills could have been in your house at any point after you installed those locks. If you're a paranoid person then that fact is going to distress you and you're going to search your house for IP cameras, but the source of that distress is the bad locks, not the person who brings them to your attention.

> Jail would be an over reaction for your neighbour, but you'd want that as an option for some creep breaking in, right?

That's the whole problem. You need to find something to distinguish those situations and codify it into law, instead of having a law so broad that it covers both and then having to rely on prosecutorial discretion. Whether you go to jail and for how long needs to depend more on what you did than how much the prosecutor likes you, or we're living in a police state where anybody can be imprisoned at will.

There is a reason we don't just have a single law that says "you must do the right thing; penalty up to life in prison" and then let prosecutors decide what the right thing is.


> It was a school, not a home.

It was someones network that they're in charge of securing.

> The criminal who is secretly trying to hide IP cameras in your house is going to leave you a picture of Rick Astley?

See anything from Anonymous-like hacking groups. Leaving troll notes behind isn't all that uncommon in network breaches. The point is you just don't know until you investigate.

> Suppose your neighbor sees what kind of locks you have on your door and proceeds to pick them in front of you in ten seconds

Or picks them while you're out and leaves a note saying "your locks suck". You discover it's your neighbour after checking your cameras. The OP did say they traced his IP to discover who it was, this wasn't some white hat pen test.

> That's the whole problem. You need to find something to distinguish those situations and codify it into law, instead of having a law so broad that it covers both and then having to rely on prosecutorial discretion.

Great point, I'm on board. But there's a lot to cover that isn't just "what harm did you cause once you were in?". There's potentially time and money (resources) that law enforcement spend investigating. Resources that the company spends investigating. If the breach is public, stock prices could be impacted. IP could be discovered - whether or not it is disseminated, sometimes you just can't know.

All of this because you wanted some lulz and to see if you could? How about stay out of the network you aren't meant to be in. Go into pen testing if you find that work so rewarding and fun.

Punishment isn't the only reason we have laws. Deterrence is also key.


> There's potentially time and money (resources) that law enforcement spend investigating. Resources that the company spends investigating. If the breach is public, stock prices could be impacted. IP could be discovered - whether or not it is disseminated, sometimes you just can't know.

Which is necessary because of the vulnerability, not because of the breach. If bad people could have gotten into your network and that is something you care to spend resources investigating then you need to do it regardless of whether the person who notified you of the vulnerability trolled you with it or not. Whether they troll you is independent of whether they steal your secrets; you can have either without the other or both or neither.

> All of this because you wanted some lulz and to see if you could? How about stay out of the network you aren't meant to be in.

It isn't a question of right and wrong, it's a question of proportionality. If you troll somebody you deserve to be chastised and given detention or community service, not thrown in prison.

> Deterrence is also key.

I'm not sure deterrence is working in your favor here. If your network is insecure and you get trolled then you look stupid and fix it and give the kids detention. If your network is insecure and you deter the trolls then it takes another year before someone who is harder to deter breaks in and then you get arrested because the people who broke in were using your servers to distribute child pornography.

I'll take the Rickroll please.


Not to mention all of the doors and windows appear to be undamaged. You have no idea how they got in and now you have to dig around in case there's a tunnel been dug into the basement, a secret hatch on the roof, do they have a spare key cut somehow - how did they get access to the key?


If you were applying the penal systems to kids, all kids would end up in jail, they spend their time fighting each others and telling each others nasty things.


Good god. I hope you are doing better.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: