Posted by goldenskye 3 days ago
The whole district shared a T1 connection to the internet. Which was more than plenty for email, but as this world-wide-web thing started gaining traction, it became quite the bottleneck. And as some of us had discovered mp3 files, the slowness simply would not do.
One day there was some severe weather and a power hiccup during school hours, and every station got a message from ADMIN informing us that the server room was running on UPS power and we should save our files and log out immediately.
Hmmmm.
A few weeks later, one of the bright sparks in the technology program realized that having everyone log off would free up some bandwidth. So he logged onto the next machine over as GUEST, and used a NET SEND ALL "SERVER ROOM POWER FAILURE - 11 MIN OF BATTERY REMAIN - SAVE FILES AND LOG OFF" and sure enough, within about a minute, the whole T1 was his. Did what he needed to do (i.e. leeching an entire fserv) for about 8 minutes, then NET SEND ALL "POWER RESTORED - RESUME YOUR WORK".
A few weeks later some hot commodity had just dropped and he repeated the drill. It still worked.
Nobody noticed that these messages came from GUEST, even the district administrator, who eventually called an electrical contractor to figure out why the power in the server room was so flaky. Someone eventually pointed it out to him, which got a very red-faced "that's really clever but please knock it off", and no further punishment. The next day, the Guest account had a lot fewer privileges.
You mention Netware, but as I recall the Netware function you describe was just "SEND" and "NET SEND" was a Microsoft networking thing. (But maybe there was some integration between the two after my experience with Netware, who knows.)
I mainly wanted to say, as someone who used/abused a Netware network in high school, I disassembled the SEND program and discovered that the username included in the message is not authenticated at all -- the IPX (or NETX, I forget which) software interrupt just took a string, and the SEND executable formatted the username into this string. So by crafting your own SEND program that used the software interrupt directly, you could easily forge any username you wanted. So you could very easily send a message from "ADMIN". :)
This should not be construed as a confession of any network shenanigans that may or may not have occurred at my high school. ;) :D :)
It's entirely possible that it wasn't part of Netware, I don't remember the hard details as it was a very long time ago. However, it worked in DOS text-mode (we rarely ran Windows), and my impression was that Microsoft didn't do much network-aware stuff until well into Windows. So that's why I thought of it as a Novell thing rather than a Microsoft thing.
> the username included in the message is not authenticated at all
Oh.... oh dear.
A few days later the principal calls me in. "Did you tell him to do this?" "I didn't tell him to, we were just talking about how to do it." "... well, he's done it before. Don't do anything like this again. Dismissed." I still can't believe that I got out of it; petty tyrants love to flex their power.
I’m legit trying to figure out who your calling the petty tyrant flexing their power: - The principal which let off with a warning - The other kid, popping circuit breakers - Or you, ‘corrupting’ other young minds :)
Or... Maybe I was just 10 and hadn't really learned that lesson yet. ;-)
Made the mistake of telling a couple friends what happened. Said friends thought it would be hilarious to send swear words to the entire school (I was not there).
They played dumb saying they didn’t know what would happen and got off with one day each, I got suspended for three days.
I wouldn’t have minded so much except the next day was an inter-school chess tournament. Thankfully the sympathetic chess coach told me to wait behind the school the next morning and picked me up in the school bus.
Anyway when he was caught (a fellow classmate ratted him out) he got 10 days out of school suspension. The VP threatened to call the police… for what offense I’m not really sure. There seems to be a fundamental misunderstanding of cybercrime and cybercrime laws. I mean was it really unauthorized access (they called it “hacking” of course) if his user account literally had permission to map network drives?
They removed the ability for student accounts to map network drives, but the district IT guy was not fired. I really don’t get that. Maybe the union saved him… but dog, everyone knows you can map network drives by right clicking on the desktop. I never thought to try it, but that doesn’t mean the district’s IT SME gets a pass.
My expectation is that laws probably specify that gaining access that you know you’re not supposed to be able to get is probably illegal, but I get your point.
Reminds me, however, of the pen-testers that got hired to infiltrate a court system and got harassed by a prosecutor despite having explicit approval to conduct an audit.
https://darknetdiaries.com/episode/59/
Our judicial system is ludicrous.
The moral of the story, if there is one, is probably a cautionary tale about petty individuals prioritizing workplace politics over ethical integrity.
It may not pass as hacking, but it certainly was unauthorized. Network policy in software should reflect reality, but the source of authority comes from humans. Your friend literally was not authorized to access teachers' files, regardless of poor software configuration permitting the capability.
There is a social expectation that people can generally only enter your home with explicit permission, and so if they didn't invite you it's trespassing even if the door is unlocked. But maybe you have some close friends who you get used to coming over and just entering even if you may be out at the moment -- and then it's not trespassing anymore.
Remote computer access is a much younger phenomenon than people living in houses, and so social expectations aren't as established. There's a legitimate need for discussion there.
For example, if you have an open webserver that you want people to access, is it trespassing if people fiddle a little with the URLs and encounter documents that you didn't mean to put out there? I'd argue it would make for a healthier and more tech-savvy society if we didn't consider that trespassing.
If we try to push the houses analogy further, it's a bit like inviting people into your house for a big party, and then somebody enters a room that you didn't want them to enter. It's a faux-pas, but you'd probably also have a hard time if you tried to label it trespassing.
https://news.ycombinator.com/item?id=42314547
The site displays random, ancient videos uploaded from the early iPhone YouTube app, often without people understanding what they were doing.
I tend to err on the side of caution: I don't expect most people to be tech savvy, and I think those of us who are must exercise restraint to avoid trespassing.
Don't steal. Don't share embarrassing or humiliating information you may come across.
At the same time, there should be safety from prosecution overreach.
I ask for this mostly not for my current self but for "kids" (including young adults, e.g. college students) who are on a hacker journey in the original sense of the word. As a society, we should encourage rather than stifle that sort of exploration.
I got called into the police station, where a cop asked me, verbatim: "Son, did you copywrite them there CDs?"
That admin became my mentor and is now a lifelong friend.
The closest thing we had to a computer class was graphic design where you played with Photoshop and Premier for a year. God forbid we learned to write code or whatever.
In my school, some jackass kid made a photocopy of a $20 bill, on a little mid-1990s HP Officejet in the library. Even in those days, they were programmed to make bad copies of US currency (I think they were enlarged and the color messed up). It was more of an innocent “woah look at this thing”, there was no intent or effort to glue it together and try to use it.
The assistant principal, who was a petty drunk who was uniquely unsuited for her job, flipped out and called the secret service. The kid was arrested & had a lot of issues over nothing.
It always stuck in my mind and accelerated the development of my contempt for petty tyrants who experience joy from the pain of others.
Something about having healthy self esteem in childhood causes you to avoid education administration career paths.
Miss those days and also miss playing soldat on those crappy PCs.
Thanks for making such a fun game!
I'll check it out
As I said there, back in the day I wrote a C++ program that was basically an IM interface on top of NET SEND. Fun times.
Our computer lab had Novel Netware, I forget which version. Every once in a while, our regular programming classes (Pascal in first two years, C and Assembly Language in third year, Prolog and Theory of Relational Databases in fourth year) would be held in the lab, instead of the classroom, and we would get to put what we learned to use and do some actual programming.
Now, some of us had computers at home and had been using them since before the high school, so we tended to finish our work really fast and then get bored. And just like a lone sharpie cap is the most terrifying thing a parent can stumble upon, so a bored high school kid is the worst thing for your computer security.
Each student had their own account, but teachers shared a limited number of teacher accounts, with special privileges, such as monitoring other students' screens, having full write access to every student's files, etc.
For some reason, I don't remember why, teachers would occasionally go to a student's workstation and log in as a teacher there, to fix the problem. I honestly can't remember why, but it was a common enough problem that it wouldn't raise any brows even if one of us "advanced" kids did it.
So, of course, I eventually came up with the idea of writing a really small and simple program that would look exactly like the Netware login prompt, with one small difference: when you entered the password, it would write it to a file on the filesystem spit out whatever the "incorrect password, try again" reply was, and then execv the actual login program.
The ruse worked perfectly: I called the teacher, they tried to log in, thought they mistyped the password, tried again, succeeded, did whatever it was they were supposed to do, and logged out. Now I had the teacher account password, and so did my best friends in mischief.
We had some innocent fun by pulling a couple of very minor pranks on our fellow students that flew under the radar, so none of the teachers realized that the security was compromised.
But then the annual programming competitions came, and those went all the way from school level, to municipality, to city, to republic, to federal. I was one of the people who qualified to the city-level competition, and what do you know, that year it was hosted in our school's lab.
I finished all the problems with plenty of time to spare, which is how I came up with the "brilliant" idea of helping some of my peers by sharing my solutions with them using the teacher account. Now, one thing they neglected to teach us was the importance of testing, but I'll be honest, even if they did that, I was a typical teenage "gifted kid", which meant I was overconfident and lazy. As a result, everyone who I shared my solutions with happened to have the exact same bugs in them.
A few days later, they called me to the teachers' room in the computer lab, and said that they knew I cheated, that I was already disqualified, and that I should save myself some trouble and explain what I did. So naturally, I came clean and I thought that was the end of it.
Indeed, it was the end of it for me. Nothing else happened, at least nothing of consequence for me. Years later, I found out that I almost got expelled. They held a teacher assembly or conference or whatever it's called when you get all of them together to make a decision, and the decision was whether to kick me out of the school. Fortunately, they decided to let me off with a warning and the official reprimand from the headmaster.
My mom didn't think that was funny at all.
It's just such a great example of how people could react either with uproarious laughter or by feeling that some boundary has been violated and can think that either reaction was the most self-evidently obvious one in the world and the reasons for it were entirely contingent. It's something where you can only really witness the irrationality of it if you're in the author's position.
I once heard it speculated that philosophy might have emerged in Greece because the circumstances of being merchants engaging in interstate trade, you could see the way that certain things regarded as received knowledge were really customs, peculiar to certain cultures and locations. When you're the prankster and you can see different people reacting in different ways that seem to be tied to patterns of the circumstances of how they experienced it, you can kind of witness the contingency of those reactions playing out in real time.
Back in college, they cut access to the printers for users off-campus, which had previously been a feature. Someone I knew wrote a printing service script in AppleScript that, when fed a PostScript doc, would ssh into one of the on-campus terminals with the user's credentials and feed the doc to the printer. He got in a bunch of trouble because apparently, computer services had cut off-campus access for data-tracking purposes as prelude to an as-yet-unannounced shift to pay-per-page printing (i.e., they wanted to see how much inconvenience the student body would tolerate), and having the inconvenience routed around in software fucked up their numbers.
... now that I tell this story, it occurs to me that nobody ever called computer services on the whole "Running an unsanctioned social experiment on the faculty and student body" part of all this...
(p.s: I think, perhaps, computer services learned the wrong lesson here, because when they rolled out the program at a uni with a massive computer science program, the techniques the students invented to route around paying for print jobs were legendary. Things like "wrap the PostScript job in a detector that tells the daemon tracking pagecount 'I am printing one blank page' and tells the daemon that feeds the job to the printer 'here are the actual pages'". Perhaps their takeaway should have been "If you add friction and cost to the process, bored students will volunteer time to reduce the friction and cost").
The problem was, we were a Sun campus, and my tablet PC ran Linux. So I could SSH in, open up StarOffice, and hit Print on a document - all from the tablet PC in the crook of my elbow - then walk into the lab and pick the documents up out of the tray.
I never got in "trouble" for this, per se, but I did have a lab technician once look at me as if to say, "that's not allowed..."
i.e. I wonder about the gap between clever little prank and sending a dry email to everyone re: a new printing policy.
Much of this hinges on the gradient from the "uproarious laughter" they received from some, to the frustration from others...which I find hard to believe as self-reported, in what context would this be uproariously funny?
I see the value as a simplistic fable re: empathy, and in having it before, not after.
I almost feel like I missed something huge in the email that signals it's a joke, or adds another layer of humor, but after multiple readings, it looks identical to a janitor emailing everyone on campus to tell them keys will be required for bathrooms from now on. Although, that is significantly more implausible than the IT worker emailing everyone on campus to tell them there are charges for printing.
With so many people, you’d actually have to make the price ridiculous or something like that. Because some people, once they read that the printing is five cents, are going to be upset enough to not read the rest of the email.
I wouldn’t actually do this prank, but if I like had to, it would be more like the “charge” was to sing a song and the email would actually say April Fools in it. Maybe less funny, but a lot more easily seen as a joke. Makes handling the calls to the admins much easier, too.
And then extra value upon retelling all of the above to others.
"prank" = IT guy sent campus wide email saying some printers will now charge $0.05/page
"that they probably didn't see with their own eyes" = they did not check physically very every printer on campus to verify none of the printers had the characteristic, the only way to falsify what the IT guy said, that some printers had a characteristic.
"Plus the retraction, and 2nd retraction." = 3x the time wasted for everyone on campus
"And reactions of other staff who fell for it" = people who believed the dry email from IT
"(and caused chaos)" = chaos isn't funny
"And then extra value upon retelling all of the above to others." = It sounds like we're assuming the relayer would get value from relating this, but the extra value is to the listener, it'd only harm the relayer.
As a listener, now I know that I have to verify 100% of everything the relayer tells me. They think a good prank is when you leverage your professional role to lie and cause chaos, which is justified because those poor sheep were complaining about something they didn't even verify with their own eyes. i.e. thousands of people should have gone through an absurdly onerous verification rather than trust communications you make in your professional role.
7:28 New Campus Policy printing now costs 5-cents per page
8:34 Re: New Campus Policy - April Fools! Printing is free.
9:14 Re: Re: New Campus Policy - Printing is still free, for now.
* modulo marking the IT department as spam
Note that finding something amusing isn't necessarily related to whether or not you feel the perpetrator conducted himself appropriately.
One could easily argue then that Plato was essentially a prankster and what we know as western civilization is a consequence of his trickery.
In one particular European tradition, maybe? But elsewhere the trickster may themselves be a divine source of insight. Hermes in Greek, the Southwest American Kokopelli, etc.
My point is that the trickster as philosophical root is an idea that has tendrils far beyond a Western viewpoint. I cant find the ref now but IIRC some Native American traditions have the viewpoint that connecting to the divine cannot be made without first laughing, as that opens the mind to the new experience. Reminds me of some Far Eastern traditions where you need a sharp break from your normal world view to achieve an enlightening breakthrough.
You expanded my mind today, and I thank you for that!
FTA,
> Having sent this out, I fielded a few anxious calls, who laughed uproariously when they realized, and I reset their printers manually afterwards. The people who knew me, knew I was a practical joker, took note of the date, and sent approving replies.
I doubt a single person "laughed uproariously". Most often they probably rolled their eyes and gave a sympathy chuckle. The people who knew he was a "practical joker" understood how much of this guy's ego was tied to his inaner sense of humor and laughed along to get out of the conversation with him.
Some Fridays (once a month?) were casual dress days where you could wear jeans instead of slacks (this was the distant past, when most professional workplaces still had real dress codes). This was an IT/Eng-wide thing, so we'd get an email reminder about this from an admin person in the department.
One time, I thought it would be funny to send my own email announcing pants-less Friday. So I took a copy of the email this admin sent and adjusted it accordingly. I did of course specify that you still had to wear underwear. I'm not a monster. Because I had programmer privileges in Notes, I was able to forge the sender so that it appeared to come from the department admin person, not me.
I _meant_ to send it to the small email group for just the other tech support folks (around 15 people or so). But I accidentally (?) sent it to all of IT/Eng, around 200-300 people, IIRC. Oops.
Needless to say, my boss's phone started ringing off the hook. I immediately went over to tell him what I'd done. He wasn't pleased, but I didn't get fired. I did have to write an apology email.
Of course, many folks in the department later told me it was the funniest thing they'd ever seen happen.
Soon after, I moved to programming at a different company. I think this was a good thing for many reasons, but one reason is that it was more challenging, so I wasn't bored with time on my hands to do stupid things like send prank emails to my coworkers.
My condolences.
I didn’t use notes much, but it was a platform ahead of its time, that thanks to IBM’s… IBM-ness was ignored and allowed to rot.
At my previous job they had been using Notes since the company was founded in the early 90’s, meaning they lived through it being Lotus Notes, then IBM Notes and now HCL Notes.
Everything was deeply entrenched - email, warehouse inventory, ERP system, all documentation made in the entire company… just everything.
And this is for a scandinavian company manufacturing high tech devices for telecom and aviation, among other things.
It was… an interesting nightmare, constantly got in the way of any sort of productivity. Definitely contributed to me leaving early
I never had to program any of that, so can't speak to that side of it, but where I worked we used Notes to quickly build a lot of internal forms and workflows, and had some internal discussion forums and documentation in it, it all worked pretty well as I recall.
The one weird thing was we had to run it on OS/2. The only OS/2 machine in the server room.
We didn't use it for email though.
Maybe I'd have a different opinion now, but I remember it working pretty well for that purpose back then.
I feel like that's the most relevant thing here. Bored people do ~stupid pranks. And under-challenge leads to boredom
If toilet humor is your thing -- more power to ya! I just have a hard time reconciling it with "best joke ever".
That went wrong also, because my retraction said that campus administration was not considering charging per-page fees when in fact they actually were, so I had to retract it and send a new retraction that didn't call attention to that factPrank 1: In high school we wrote a fake DOS for our Apple II+. It accepted commands and ran them, but occasionally would reply with a snarky message. Our teacher was not amused.
Prank 2: This was the late 1970s/early 1980s when laser printers cost many thousands of dollars, and neither me nor my high school peers had ever seen one. I found some CGI images in a computer magazine and Xeroxed them onto pin-feed paper for dot-matrix printers. I showed them to my friends and convinced them that I owned a laser printer. The pin-fed holes just added to the authenticity, since they had no idea how a real laser printer worked.
Prank 3: My parents changed checking accounts and had a whole book of unused checks. I told my father I wanted to do a prank and he agreed to write one of those checks for $600. I showed the check to one of my classmates at the beginning of the day and told him I was going to buy a computer after school, and he could come with me. When school ended and my classmate found me, I took out the check, declared I no longer wanted a computer, and ripped it up in his face. He was stunned.
Prank 4: The local library had an Atari 400 with a coin-operated TV screen ($0.25 for 15 minutes). Without the use of the screen, I wrote a simple BASIC program to emit a beep randomly every few minutes, started it running, and walked out the door.
Some 15+ years ago ThinkGeek productized this as the Annoy-a-Tron, a small magnetic circuit board which could run on a coin cell for weeks. Tuck one of these into a well-hidden place and it will dismantle the sanity of anyone spending enough time around it.
Other more refined versions exist now from a plethora of vendors, I will refrain from linking them here.
At first he seemed mildly annoyed but mostly ignored it. You couldn't always hear it depending on what song was playing, so that helped keep it hidden for a while. Fast forward one week, we came back from lunch to find that the guy had disassembled almost everything in his cubicle before finding it. He angrily held up the radio and called us all jackasses. I have a little chuckle every time I remember this!
Corporate Prank #1: Back in the DOS days, when the standard office computer was an IBM AT with a small built-in speaker capable of being programmed to beep, I set up the autoexec.bat file for several workstations to play (quickly, and at low volume) the first eight notes from the melody from "Brazil." The movie had just come out, and I thought the tune would be a fitting commentary on the parallels to the corporate life.
Corporate Prank #2: Every year or so the cafeteria would print surveys on blue cardstock and put them on all the tables asking questions like "Were the cashiers friendly?" and "How was the temperature of the food?" My friend and I found matching cardstock and mocked up copies, but changed the questions subtly, e.g. "How was the temperature of the cashiers?" and "Was the food friendly?" and distributed them to all the tables. Never found out what happened, but I'm sure management wasn't happy.
Corporate Prank #3: One day I went with my friends "B" and "C" to a different corporate cafeteria where you paid a flat rate just before exiting. "B" managed to find an emergency exit door just before the cashiers which let him make his way to the elevators without paying. Now the setup for the prank: every few months one of the departments would distribute company-wide security memos (on paper) which would get distributed to every desk. Me and "C" mocked up one of those security memos (complete with a police artist style sketch of "B", who had skipped out without paying) which warned everybody to be on the lookout for the suspect who was last seen exiting the cafeteria through an unmarked door, and should be considered dangerous. We made photocopies and put them on every desk.
This post has been removed by Redact for HN.
edit: hey that doesnt look like stars to me
To me your message appears as:
*******
edit: hey that doesnt look like stars to me(BTW I love bash.org!)
Warm regards,
edit: What now?
<Replying to this comment requires a Hacker News premium account>
<Parts of this comment are protected by Hacker News Premium Private Debates>
The funny part is that it wasn't actually an April Fools joke.
I wonder if the joke would have gone over better with the higher ups if it didn't coincide with their plans to implement an actual pay-to-print system. I'm sure they were none too happy about having attention drawn to an unpopular change they were already planning.