
I got into my school's network when I was 10. People were furious at my hacking; nobody questioned why there was a security issue so obvious that even a 10-year-old could break in. A few years later I accidentally found another way to get in. I sent an email to the school's IT department and got ignored. I sent it to the headmaster, and he said "Thanks, will fix it". Except it was never fixed.

Maybe fixing the child is easier than fixing the software.



In low-crime areas, people don't lock their doors. It is an obvious security fault, but in fact, the people walking in and messing with their stuff are in the wrong.

Of course they were furious at your hacking. And of course you should not have done that, regardless of what fault the system had. (They would be in the wrong if they tried to impose serious consequences on a 10-year-old, which I hope did not happen.)


Even in low-crime areas, banks still lock their vaults, military facilities still have fences and guards, etc. Not locking your own door that only has your own stuff behind it is in no way comparable to leaving a system with thousands or millions of users' (students/customers/citizens/whoever) data and property wide open.

"Hacking" isn't the same as "breaking in". Breaking into somewhere is usually destructive, dangerous, can be done by anyone and reveals no poor security (how did they forget to protect their vault door from a drill and plastic explosives??). A DDoS attack falls into this same category - a boring zero-skill brute force attack that can only be interpreted as malicious.

"Real hacking", however, isn't any of those things. If I put on an orange jumper and walk right into the back of my local bank and straight down to the vault without so much as a confused glance from a guard, they will, as they should, be more concerned with firing their guards for dangerous incompetence than prosecuting me for walking past an "employees only" sign. Especially if I, after arriving at the vault, called the bank manager and explained how bad their security is.


The OP was not prosecuted. What happened was that adults were angry at 10-year-old him. And he finds it unfair that they were angry at him. If a 10-year-old walks into a vault with a pretend confused look, it is perfectly OK to be angry at the kid and act like the kid has done something the kid was not supposed to do.


No part of the internet can be considered “low crime”, least of all a school system.

If you have an isolated network that is truly airgapped from any other network then and only then is it remotely acceptable to “leave your doors unlocked”. This doesn’t absolve the criminals who deface/destroy/steal your PII/data but rather you’ve got to adapt to the times.


The point is, the person who went through those front doors really doesn't get to blame the owners for not locking the doors. Sometimes the line is fuzzy, yes.

But in the situation described above, it sounds like it was not fuzzy at all.


The analogy is not about a home but a factory:

The infrastructure can be a danger to others, to employees, etc.

So yes, it's a mandatory duty for organization owners to secure their infrastructure.

There's a problem with the reaction to security issues in most countries.



