My 13 year-old cousin hacked into his school's computer system. He didn't do any major damage, but I want to make sure he knows why what he did was wrong and show him ways in which he can use his talent to make a positive impact on the world. What is the best way to approach him? Are there any good articles / books I can recommend to him?
When I was in high school, I guessed the administrator password of our computer lab (it was the administrator's daughter's first name) and basically maintained the computer lab for the rest of the semester. I never did any harm in the process. The administrator, upon finding out what I had done, recognized that I knew what I was doing, and supported my work. I fixed permissions that repaired apps that had been mysteriously broken for years, reset other students' passwords at their request, and lots of other helpful things..
Then one day my teacher switched places with the only other person who had the admin password, and she didn't know about what I had been doing. When she found out that I had administrator access, she was infuriated. She called me a "hacker" and reported me to the principal. The principal planned to give me a 0 in the class and possibly expel me from school. The only people who were allowed to be in the "hearing" which decided my fate was the pissed off teacher and the principal. The administrator, who vouched for me, was told that no one asked for his opinion and that it wasn't relevant. I almost failed to graduate because of this, and it was only through being persistent and involving every teacher I knew that I managed to not fail (the principal reduced my grade to 75/100 instead of failing me).
I would tell your son that most adults who have authority (including principals, teachers, judges and police officers) do not understand technology and computers very well, and therefore it's important to not only operate within the scope of the law and rules of his school, but to also not even appear to operate outside those rules. Computers are cheap, and in 2009 there's not much more interesting in his school's network than what he can set up on a $200 netbook.
A long time ago my son did a similar thing. He didn't get into trouble because he told me first. We had a long adult talk about professionalism in programming. Essentially, professionals dont crack, but also about writing good code, testing, comments and such, so that it didn't come across as an adult smacking a kid. It worked, because he started taking a more mature approach to what he was doing.
To be fair, there are many professions in IT. Programming is just one of them. Computer security and system administration are two other very different ones. They don't necessary involve much "good code, testing, comments and such". On the contrary, they can involve in-depth, hands-on knowledge and experience of the kind of tools that other people will use, to be able to protect systems from them.
Thanks to everyone, I appreciate the participation so far. I asked this question so I could be better prepared in approaching him - so I haven't spoken to him and don't know any details beyond the fact that he is being brought into a meeting with the Principal for breaking into the system. I'll post more when I speak with him.
What worries me the most is that his parents and school are pretty much as described in some of these comments - scared of what they don't understand. I've spoken with the parents and done my best to let them know that this is bad, yes, but not something to be punished. This kid really has a gift. I can understand their concerns, however, when he (as a 13 year old) is so sure of his talent that he considers academics unimportant.
Now that I think of it, if there is any recommended reading for the PARENTS of budding hackers? If not, that might be a good idea for someone out there...
Spot on. And I sympathize with what you went through at school, times sure have changed. The overreaction to this sort of thing is something that never ceases to amaze me, anybody that is half decent with a computer gets looked at as some kind of force of evil.
I see this as a response to some kind of inner fear that there are kids out there that are more competent with this stuff than the adults. Invariably it's the clueless that start these witch-hunts.
When I was in elementary school around 4th , we always had to wait for the teachers/admins to come put there passwords in so we could log in. One day I just didn't want to wait. So I tried a simple password: The first letters of the schools name. Got on and did the work. The Administrator noticed she didn't have to put the password in and so later that night I got called from the school asking what I had done. I told them about it and what the password was. She was grateful since it was a password she hadn't known about, left by earlier Admins.
That was about five years ago. Today I am usually always at odds with the teachers. Either I can't sit still, I'm too quirky or snappy, or whatever the teachers want to make up. Then their computer acts up. Perfect opportunity. I go over and fix the simple problem and they now regard me as a demigod and no longer hate me.
That's how I fix my relationships with my teachers.
The best reference I can recommend would be Eric Raymond's "How To Become A Hacker" : http://www.catb.org/~esr/faqs/hacker-howto.html The key point the article points out is that "The basic difference is this: hackers build things, crackers break them." The teenage thrill of breaking into computer systems is certainly exciting but perhaps he will be even more enthusiastic about learning to be curious about how things work under the hood, how to do clever things via programming and how to develop a true hacker mind set. Of course all this without the risk of getting into trouble like breaking into his school's computer system. I am glad to know that he did not choose to do any major damage but nevertheless I hope he grows up to become a fine hacker and understand the true meaning of being one. Good luck and great effort on your behalf to try to advise him in the correct path!
Like most of ESR's aphorisms, this "building vs. breaking" thing misses the mark entirely, reflecting more about how ESR thinks about the world than how the world actually works.
There is lots of productive work to be done in "breaking" systems. Nobody thinks Arjen Lenstra or Paul Kocher are doing work of a lesser caliber than Alan Cox; it is (I think obviously) harder to break RSA than it is to build a new Linux virtual filesystem layer. It is only because people like ESR don't know about people like Paul Kocher that this "build vs. break" meme spreads. Let's try to kill it when it appears.
What teenagers need to have is a sense of ethics. This has nothing to do with whether you spend your time finding holes in things, and everything to do with respecting property, with not assuming that you know the impact of every action you take that invades someone else's property, and hopefully with having a productive goal.
Here's what you need to tell your cousin: nobody in the real world gives a shit about your ability to break into one computer system. Per-host network penetration testing is close to the bottom rung of the computer security career ladder. If he likes breaking things, what he should do is start picking up open source software, researching how it works, finding vulnerabilities, and reporting them.
He's going to find really quickly that knowing you could --- if you were a criminal and a moron --- break into tens of thousands of computer systems is a lot more fun than breaking into one badly-configured school computer. He's also going to learn real computer science, because really breaking systems involves really reading and understanding code, runtimes, layering, information modeling and representation, and any of a zillion other things.
Computer security is a really awesome tour of a lot of the fun stuff in a CS curricula. I've worked on compilers, crypto math, distributed commit protocols, filesystems, and language runtimes in just the last 12 months. If he likes this stuff, get him to stay with it.
You asked for books. How about:
* The Web Application Hacker's Handbook (bad title, great book).
* Eldad Eilam's "Reversing"
* The Art Of Software Security Assessment (our industry's bible)
* The Shellcoder's Handbook
* The last 10 years of Black Hat Briefings talks, which are all available online.
Books, articles... I'm afraid they're boring - they are cool to read if you're interested in the society, but that comes later on and you start to look for those things yourself. If he's interested in how things really work, then just make sure he knows the difference between exploration and breaking someone's work. The best learning material I have found are pages of people dealing with real security... stuff that you cannot find by googling "hacking".
That might both give him some new ideas, as well as show who is really considered important. For example, I always thought lcamtuf (http://lcamtuf.coredump.cx/) is a great example of a hacker of many skills (photography, network security, fuzzing, constructing robots with own 3d printer and many more random ideas). I guess you just don't have time to be a script kiddie if you have enough good ideas of your own...
Just make sure he finds securityfocus before he finds cDc :)
On the other hand you could let him know, that notifying the school officially about the security problem may be a bad idea. Typical teachers are as likely to say "thanks", as "OMG hacker! security audit to make sure you didn't change any data will cost X$/h - your parents are paying for it and you're suspended".
I have a problem with that essay. It makes good points, most of which I agree with, but Raymond states them as values to be learned without explaining why. He essentially states his own beliefs without giving reason for some of them or explaining why such mindsets are useful. (Or: he shows rather than tells.)
The phrase that stands out most upon first glance is this:
Similarly, to be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence.
If you aren't the kind of person that feels this way naturally, you'll need to become one in order to make it as a hacker. Otherwise you'll find your hacking energy is sapped by distractions like sex, money, and social approval.
I've found this not to be the case. Wanting sex, money, and social approval is not necessarily detrimental. Similarly, I get no thrill from solving problems per se. I don't think that that thrill is a necessity for hackers. Raymond uses too broad a brush.
From some lens, my approach could be seen as problem solving. I've always viewed it as more of a creative art: I view the things I create as concepts. "What would happen if a web site worked like this, for instance, then I create every to revolve around that central theme. Some of the stuff I do is geared at problems, but I feel that viewing mistakes as bugs is a very sterile approach and I hate it.
I don't have a lot of the traits that go alongside hackers, either. Coding languages don't fascinate me, by-and-large. When I look at a language, I figure out exactly how to get things done and then I don't look at it again. As a result, I don't find much fascination in discussions about programming, which is rare among hackers.
Messing around with things, figuring out how they work and making them do something I want them to do. It's interesting to me. Doesn't really solve any practical problem though.
Just because you CAN screw around with someone else's property doesn't mean you SHOULD. Although it can be exciting (especially at that age) to do something forbidden, he can suffer the consequences if caught. He might inadvertently harm the system and could wind up in serious legal trouble. It's like walking up to someone's front door, twisting the knob and discovering that they forgot to lock it when they left. That doesn't give him the right to enter the house, even if all he wanted to do was "look around". Turn the situation around: would he want someone hacking into his home computer because he didn't have it properly secured? Would they have the right to do it to him?
I'd try the "with great power comes great responsibility" angle. They did the best their muddled minds could do to secure their system. It was trivially easy to break into it using your l33t haxor skillz, but might does not make right. Have a little compassion.
Also, remember, embarrassing them in this way might cause them to use the great power they have over you to make your life miserable as well. It goes both ways. The luddites in charge of public schools are usually docile, slow moving creatures, but they can become suddenly fierce if poked in the eye with a sharp stick.
Whatever you do, do not punish him for this. While what he did was not right (though your use of "hacking" here is very broad), instead of telling him how wrong it was, simply try to push him in a more positive direction. My suggestion would be to ask him to work on some sort of project for or with you, perhaps even get him involved in something small and open source. Starting a website may even push him in the right direction.
An alternative would be to talk to the school and see if they could give him some sort of credit for helping administer the network, or work on a special project for the school.
To give you an anecdote: in high school (and this was only a few years ago), me and my friends consistently were cracking passwords and breaking into various parts of our school's network. We never did anything harmful, nor did we ever cheat, but we did it for the fun and the challenge. One day, we happened to find a file containing all the passwords to every user on the network -- teachers, guidance counselors, and principal included -- and we turned it into the principal. Instead of telling us we were wrong for "hacking the network" and questioning us, he thanked us profusely and got the file deleted from the network. No punishment.
In middle school, however, I got in minor trouble for "hacking" by using proxies to skirt around the school's filtering system. The "techs" in the computer lab quite literally pulled me out of class and angrily questioned me, telling me how I was wrong and what I did was bad. What happened? I continued doing it, and just made sure not to be caught.
My point is that telling him he is wrong will not stop him, and he will likely continue what he is doing because it stimulates him and he finds it exciting. By nurturing that excitement and funneling it into something constructive, such as an alternative project, he will learn what the better avenues are and likely forget about "hacking"/cracking almost (if not) completely.
Seconded. I cannot imagine any good will come of his getting caught. He should keep his head down -- not tell ANYONE about what he did, even his friends -- and hope no one notices.
Whether he gets caught or not, this strikes me as a good lesson to learn before he's 18.
With the important addendum that operating on a network that's effectively in the hands of someone else, in a classroom that's in the hands of someone else, is a pretty sure-fire way to get caught.
Don't try to do funny stuff on a school's network from within the school. You are outgunned from the very start.
Also, I greatly enjoyed reading iWoz and it is be very accessible for a teenager. Woz' passion is very contagious and it may help him discover how fun constructive hacking is.
I knew a 13 year old, diagnosed with ADHD for not sitting quietly in class, who could concentrate on a chess game for 4+ hours straight. And then play another one after a short break.
I could do the same. I also read SICP when I was 13.
I have a son like that. He's great at the stuff that he is interested in, anything else and he's bored instantly.
ADHD to me is just a convenient label for kids that are different than that norm, so we trot out the medicine cabinet to make them conform instead of helping them to cope with the world around them we make it easier for the 'rest' to cope with them.
When I was in high school, a friend told me he had been diagnosed with ADD. His parents had him tested because his grades were suffering.
My friend and I have similar personalities, and my grades were similarly hit-and-miss. I went home and asked my mother if I had ADD. Her response: "Probably."
I'm grateful that I had parents who accepted my quirks as a part of my personality and not as problems to be fixed.
I guess I got lucky, or I would have been on ritalin or some other fashionable (or profitable) drug for sure.
I'm 43 now, 44 in March, when I was a kid ADD did not yet 'exist', and from my experience with my sons teachers the teachers in the schools that I went to were of a better grade than the teachers he has to content with (and that have to contend with him) today.
I think the latter is the biggest factor in the diagnosis of all these 'children that we can't handle', it is striking that the %age of these kids seems to go up with every generation. Hopefully soon there will be generation of teachers that is as fast and as smart as the kids they are trying to teach.
To some extent I think it is the influence of our media rich world, and next to that probably the enormous amount of technology and information available to kids from a very young age onwards that causes kids to be so tremendously fast at the stuff that these teachers can barely cope with.
Boredom is their lot, unless you can get them interested, and once you manage that better hold on to your hat.
One thing I have found to be universal in dealing with 'gifted' or 'fast' children (I prefer those terms), it is that once you have gained their respect it gets a lot easier to communicate with them and to get them interested in the stuff that they should know.
It's just that if you're a teacher and you get these knowledge seeking missiles that can run rings around you your visceral response is probably to want them to slow down to your level. I think that is the best way to lose their respect.
Congratulations to your parents, they seem to have done just fine :)
Hopefully soon there will be generation of teachers that is as fast and as smart as the kids they are trying to teach.
As much as I would love to believe this, I'm at a college that's renowned for its teaching program, and teaching majors came to me for quite a lot of tech problems. (Two didn't understand basic algebra - worrysome.) The problem is that people who decide they want to become teachers very rarely work well as teachers. My favorite teachers were all passionate about their subject first and foremost: many of them, even in high school, committed to their work outside of just teaching. The people who say "I want to teach and I don't care what" are very often the most problematic teachers.
I agree with you entirely about how enormous the world of media has become. That's part of the problem. There are so many things to pay attention to that the slow pace of the average classroom doesn't have enough to appeal to students. With the exception of perhaps three teachers' classes, I learned more online than I ever did in a class. (The solution is to develop teachers who are more singularly fascinating than the Internet, which is a difficult challenge.)
It's possible. My English teacher in junior year absolutely was. I went in the first day, tried to pick a snarky fight with him over James Joyce, and then stayed after class to talk to him about Ulysses and Nabakov's Lolita. (Ulysses is one of my favorite novels.) By the end of the week, he'd recommended two bands to me that I fell in love with; before winter, he lent me his copy of 69 Love Songs, which profoundly affected how I looked at music.
Later, he was the reason I befriended a kid I'd been at odds with for years, an arrogant film buff. When we started to have extended discussions covering literature, cinema, and music, I started looking for some of the films they were mentioning, and in doing so became close friends with the film kid. It led to one of the best summers of my life, driving around the state in his Wrangler to get a copy of Spaced.
(Meanwhile, the class we met in was a half-year course filled with a ton of kids with short attention spans, and he managed to get us to read something like 7-8 books and a ton of short stories, and crammed us with 5 excellent films in between.)
How you isolate people like that and identify them, I don't know. They exist, though.
Identifying people like that really would be a mission worth undertaking, food for thought there.
The game reference is a /. meme reference about 'duke nukem forever', a game that has been in production since '97. The running gag is which will come first: hell freezes over, duke nukem forever is released or the Hurd is finished.
Do you take offense at my suggestion this kid did nothing wrong ? Why is that ? Enlighten me, for all I have read above the sysadmin is the person in the wrong, if a 13 year old can walk all over your system you ought to be looking for a job (and one that does not include system administration).
What do you mean he didn't do anything wrong? If all he did was find a way into their systems and report his findings of insecurity or something, certainly there would be nothing wrong with that (as long as he's following his terms of use for the school computers, also -- he's held to the rules of the school as a student). But it appears as if he's done something, maybe he didn't report what he discovered, that is indeed wrong.
And I agree, the sysadmin must be pretty incompetent, but that is still no reason to be doing that. It's like saying "the lock on this safe is weak and easily broken, so I will go ahead and break it to access the contents inside." It's still a safe, you're still not supposed to break it. If you do, you should immediately recommend to the owner that they get a stronger lock.
He's a typical (in a sense) 13 year old. This hardly warrants punishment. But he should indeed put his talents to better use, and that's what the author of this thread is asking. What would we recommend?
If the kid was properly instructed beforehand on what was acceptable and what was not then you have a point, but the story does not relate that, hence my question.
I'm assuming that this kid is just as curious as any other kid at that age, and the systems should be set up accordingly.
This is trying to close the gate after the horse has bolted, ok, so he looked, big deal. Now catch up on the educational bit about privacy and minding your own business, case closed.
No need to make an issue out of it. The overreaction in these cases does more damage than the event itself.
addendum: the last thing you should do these days if you accidentally walk in to someones system is alert them to that fact, in schools it's a surefire way to get in to a lot of trouble, even if your intentions are noble.
But it strikes me in your original comment, you do state that what he did was wrong.
Certainly, I don't advocate anything more than the OP does. This strikes me as one of those "teachable moments" that will help the kid make these sorts of judgment calls in the future.
Hm, ok I see what you mean. Let me try to rephrase what I meant: He did something that could have been considered wrong, had he been in the possession of enough common sense to figure that out by himself. As it was I think he probably just thought it was an exciting puzzle to figure out, which in and of itself is not wrong.
It's up to the adults to help kids make the right judgement calls, so in this case I see it as failed parenting / eduction, not a failure on the part of the kid.
Fully agree with you on the 'teachable moment' thing, opportunities like that come by too little anyway.
The fact that an extended family member is asking about this on a public message board already makes me worried this has gotten way too big in comparison to the infraction.
As far as failed parenting...hmmm...I wouldn't go that far. Kids will make poor choices, no matter how great the parenting. I think we need to abstain from judging that without more details.
Do what my parents did when I got suspended for "hacking":
1) Get him a new computer (but with a crappy video card, if he's into gaming)
2) Find him programming internships and introduce him to programmers you know
I would also add:
Tell him that he isn't a real programmer unless he understands Prolog, Haskell, C, and a flavor of Lisp (Scheme/Arc), although Python might be a good first language to start with. Be prepared to spend lots of $ on books - all of these topics have books which work for different people. I would recommend:
indeed, this could mean anything, i got sent to the principal one time for having a windows dos command prompt open, no joke
Apparently it was actually a rule in the rulebook that you arent allowed to use the command line because you can do 'great damage'. On most computers it was disabled, but this was computer science class and we wrote console applications in c++ (through visual studio ide) so it had to be enabled.
They called my mom, who isn't very computer savvy, and told her that I was 'hacking'. She was so mad at me. I got 1 detention and had to write a handwritten note of apology. It was a pretty bad experience overall.
I'll see your DOS prompt and match you a "changed the desktop background and inverted the screen colors" trip to the principles office.
They wanted to suspend me for two days for that one. Happily, I was able to get another teacher to talk to the principal and explain that computers is "his thing" and that just because it was possible that I knew how to do something doesn't mean that I did do it.
In fairness to your otherwise overly twitchy school administration, it is in fact possible for dumb people with just enough DOS knowledge to screw up a standard PC build from the command line, enough to require a rebuild.
Tell him to stop before he gets caught. Even though he didn't do any damage, a school's administration will not take kindly to the potential threat that he is.
Also, even though he got in, I wouldn't attempt to notify them of their breach, because again the school will probably go ballistic on him, I think there was a news story about this, but what happened escapes me.
I often thing, personallly, that whilst reading books/articles is good it doesn't help instill a lot into a young hacker.
First I would buy him Kevin Mitnicks books. I recommend them to every new hacker because:
a) some of the stories are unbelievably inspiring!
b) it's all real life stuff
c) he manages to tell the stories of these great hacks without glamourising the illegality. It does a lot to prove hacking can be great fun within legal bounds.
The next thing I would do is encourage him to get involved with a programming community. Get him to learn a language and start ot play with it. :)
in terms of cracking (as opposed to hacking) sometimes pushing the boundaries happens (either for personal reasons or professional). I would teach your cousin that breaking the law is wrong. Breaking into the schools system is (speaking technically) as bad as breaking into a microsoft server. But the impact of the 2 activities (assuming it was simply to look both times) is very different. Try to show him that experimenting with something like the school system is fairly harmless but still wrong and he should take it no further unless he has permission :) (offer the school a pen test :D)
Finally a lot of people are saying "teach him not to get caught" (essentially). This is a most important lesson. I crack for a living (White Hat I hasten to add) and one of the things that makes me good at that is paying attention to covering my actions :)
If your cousin is interested in doing that kind of work, why not suggest him to volunteer with the school? All the other responses seem to romanticize the rogue hacker. Instead, I think he should come clean, and do his work in the public. He could offer to audit the school's network. For a 13 year old, this would be a great opportunity to teach him to be professional and helpful.
from my experince at 16, you are correct. volenteering with te school will get you into trouble. get the kid a computer of his own with an open source operating system on it. this is a) harder to break than windows and b) a more friendly platform for exploration. I did this at 13, but my parrents are hacker literate.
I cannot comment on ethics though, or parrenting. Both of my parrents were computer scientists at one time in there carreer, and I still bounce Ideas off of my father. Personaly, I think this is the best way to grow up with such a skill set. my only regret is that I have not had much motivation to hack when I can have a rely interesting discussion with my father.
I'd tell him to set himself up for success. His activity was innocent this time but by creating situations where he has the opportunity to do so not-so-innocent things, he'll give in to the temptation someday. It's like working at McDonalds or KFC: there is a big chance that you'll gain 2-3 lbs ever month you work there because sooner or later, you'll eat there. He shouldn't put himself into such situations where he can screw up. Bad decisions snow-ball.
Tell your cousin he gets about 3 more years of goofing around like that where he should use the "stupid kid" or "I dunno" defense and get off scott-free or with a slap on the wrist. Once he's an adult though, the kiddy stuff has to stop.
If he's messing with financial systems or other serious stuff, give him a thwock on the skull and remind him that it would be unfair and immoral to screw with the systems more than the CEOs and bankers already have. =)
Just let him know what the potential consequences are, and your recommendation (which I'm assuming is to "not" continue).
See if there is any way you can spin this toward the "good", by possibly having a meeting with the schools principal and systems admin. This is obviously a crap shoot, but could possibly be beneficial to your son's education.
World is full of hackers. Some hackers are good...some are bad. He needs to choice his site in this thing. If he is "good" hacker, i suggest continue, if he is "bad" hacker, he can hack into government networks without getting caught. But if he gets caught, he goes to jail for a long time, maybe less than 10 years.
Just don't let him blog about it... my dumb ass did that and got expelled. Best thing that ever happened to me, looking back, but it caused a whole lot of turmoil.
he didn't do anything wrong. congratulate him, and offer him links to some things you think he may enjoy to learn more.
if you fear he will make mistakes, the best way to combat that is with knowledge, not by taking the school's side against him and calling his great success immoral.
Each man has a right to his own property, including his intellectual property. Therefore it is wrong to "hack" if this means breaking into somebody's system without their permission, because it is a violation of the right to property. A copy of 'Atlas Shrugged' could drive this point home I think. But there are great jobs in computer security, in which people can get payed to "break into" systems to smell out the security flaws. This might be a positive way of channeling this individual's skill set.
Then one day my teacher switched places with the only other person who had the admin password, and she didn't know about what I had been doing. When she found out that I had administrator access, she was infuriated. She called me a "hacker" and reported me to the principal. The principal planned to give me a 0 in the class and possibly expel me from school. The only people who were allowed to be in the "hearing" which decided my fate was the pissed off teacher and the principal. The administrator, who vouched for me, was told that no one asked for his opinion and that it wasn't relevant. I almost failed to graduate because of this, and it was only through being persistent and involving every teacher I knew that I managed to not fail (the principal reduced my grade to 75/100 instead of failing me).
I would tell your son that most adults who have authority (including principals, teachers, judges and police officers) do not understand technology and computers very well, and therefore it's important to not only operate within the scope of the law and rules of his school, but to also not even appear to operate outside those rules. Computers are cheap, and in 2009 there's not much more interesting in his school's network than what he can set up on a $200 netbook.