This deserves a better, less clickbaity (which I think has the opposite to intended affect with this audience) title.
Particularly towards the end, s/he comes across extremely self-aware, and makes some salient points around the state of school CS education in the UK. It certainly resonated with my experience.
He's way too young for this attitude.
I've hacked things in my teenage years too
and was obsessed with hacking for many years
before I started to do freelance work
- the feeling of being superior is a common problem
for all types of skills if you're young, no matter what,
so he definitely shares wisdom with his last paragraphs.
But I don't think the problem is not that society has problems finding
interesting challenges for highly skilled young people like him.
It's unfortunate his school doesn't have hackathons and other
activities, but he's not dependent on such circumstances.
I think his problem is that he doesn't recognize
that he's in full control of his life.
I've talked with several security researchers who hack IoT gadgets and other things
for a living - they write their own ROP chains, hack web applications
and test software for airlines with very high security standards
- and they told me that they take every talent they can get.
They're getting 4 to 5-digit daily rates for penetration test gigs and are
well-respected.
So there's demand and there are great people who want to share their knowledge.
So my question:
Instead of hacking printers, why not talk to companies who are searching for his talent?
I'm not defending the current state of CS education, it's really bad and decoupled from reality,
but it's no excuse for gifted people to give up and justify blackhat hacking - which is just
another word for being criminal.
I've always found these kind of comments unusual. How old is old enough? For me this usually came off as arrogant.
> the feeling of being superior is a common problem for all types of skills if you're young
I know plenty of people who still have that exhibit that sort of behavior in pretty much every age bracket. Arrogance doesn't correlate to age. It's kind of arrogant to say "You cant think that way, you're too young" too.
It's just sad to see that he's already so negative about his options. My comment wasn't about how old one has to be to justify his negativism, I'm sorry if it came across as such. I can relate to his feelings and it makes me sad, this is all I meant with this sentence.
When I was his age and doing similar things I felt the same way. I didn't understand how the university entrance game worked until it was too late because I was a poor first gen immigrant with no guidance or support. I thought I was going to be stuck washing dishes in the back of restaurants forever. Thankfully I finally got out of all that because I found people that actually valued my skills and would pay to take a chance on me, even though on paper I was probably not very attractive.
>So my question: Instead of hacking printers, why not talk to companies who are searching for his talent?
If you don't have debt, you have to prove you can already do the work required. I don't know where the idea comes from that software gets a magic exception to everything because 'potential'. Talent means you're already showing you can do what they want.
He tells us that he "was working on a sandbox to brush up [his] Linux kernel programming skills". I don't deny that he has to prove himself, but there's definitely potential. And I didn't mean that he will get paid like security professionals, he could even just search for an unpaid internship to get his foot in the door. - No unwarranted exception, but I can see what you mean.
I agree. It says a lot about society that someone who has clearly found his thing, due to some admittedly poor decision on his/her part, has basically zero options with which to pursue his interests in a controlled environment. I'm not from the UK so I will refrain from commenting on the state of their education system, but I've definitely seen this scenario play out here in the states. I'm not an educator but it's obvious that people are slipping through the cracks and that's something that should be deeply disturbing to most.
That was actually the genesis around the Raspberry Pi. Eben Upton was really frustrated with the state of CS education in the UK(from what I recall it was mix of Excel and "computer skills").
The RPi was intended to be low cost computer that kids could hack on similar to what happened with the C64 back in the day.
"Excel and computer skills" isn't CS - it's "ICT" which does not pretend to be computer science. When ICT as part of the curriculum in the early 1990s I think the country was doing the right thing - computer skills beyond using Facebook are essential and too many people still don't understand how spreadsheets work.
In the UK you can do proper Computer Science in high-school at A-Level (ages 16-18), I did it myself - I'd describe it as a somewhat cut-down version of my undergraduate computer-science degree: we did briefly cover the basics of fundamental computer architecture, formal logic and logic-gates, database theory, and software development - the problem is that very few schools actually offer the subject (like 90% of schools offer ICT at A-Level, but I reckon less than 50% offer Computer Science) - and that's due to the staffing: if you can teach Computer Science for A-Level then you're going to be qualified to work as a software developer for a multiple of a typical teacher's salary. My only real criticism of A-Level Computer Science (at least when I did it) was that schools could choose between Pascal/Delphi, VB6, and Java - my school chose VB6 - possibly the worst possible choice considering both how antiquated it was (this was in the mid-2000s so VB.NET/C# were already well-established) but also, more importantly, how it's a poor tool for computer science because VB6 lacks class inheritance and instills bad habits (e.g. SQL concatenation).
When I worked at Microsoft in the US, they took part in a programme called "TEALS" where professional software engineers employed by MS and other companies (Amazon, Facebook, Google all have Seattle offices) are invited to teach high-school AP class computer science classes part time, and I understand it's proving to be quite successful. I think this system should be expanded to allow other industries to take part - I'd sure love to have given chemical engineering or architecture a try in high-school - and kids often need decent exposure to industry if they've yet to decide what they'll do at university and beyond.
I'm glad it's being worked on, and I'm sure it will be better for those going through now - but if the subject of this post is in 'high school', s/he had none of that.
We had 'ICT', in which we learnt to operate Microsoft products.
Yup - though all the class literature was careful to use generic names like "spreadsheet software package" instead of naming Excel. We did get some exposure to other platforms though - we were taught about the existence of Netscape Navigator in 2001 - but naturally school computer policy meant we couldn't actually install it to use it.
The worst part about my school's IT classes was how we were supposed to officially document our progress by taking a screenshot of the work we did, printing it out, cutting it out with scissors and sticking it into our classbooks with PVA glue - like right out of primary school. The fact we were doing this right into Yr.10 just felt insulting - and surely a better demonstration of IT proficiency would be to maintain our work-logs in a purely electronic format? Isn't using a backwards format like (literally) pasted-in screenshots the antithesis of information technology?
>has basically zero options with which to pursue his interests in a controlled environment
No way, he could easily get his own lab in AWS and probably for not much cost since he is in Uni. Hell, buying used stuff from ebay or some other auction site and hacking those for legitimate research would also be a path. Medical devices are probably low effort, high reward.
I definitely get where he's coming from with not having peers interested in security. Message boards and chats only do so much, but there's ample knowledge out there to build a plan for how you want your life to go from this upbringing. Going to a few conventions (even alone) would probably do wonders for him in terms of making connections but those can be expensive.
I wholeheartedly agree! And you put it way better than me.
Maybe we're missing something here, but I got the impression that this is an incredible time for talented people.
I've learned all about hacking online - kernel hacking, remote exploits, DEP/ASLR bypass techniques, Kali Linux for penetration testing, exploit-db.com and Metasploit for inspiration, the great tutorials of corelan.be and other great minds and so much more - it's all there, readily available for free.
You don't even need a big budget to build a controlled environment - Raspberry Pi's, maybe some cheap routers and computers and you're ready to go.
Completely agree. It resonated with my experience as well.
Over my high school years I was incredibly frustrated by the things I was taught in ICT GCSE and ICT A Level (at the time there was no computing GCSE/A level offered by my high school). And even now, I'm studying for a BSc in Computer Science and I'm surrounded by people who probably can't write a hello world application without getting help from a TA.
I find the state of things really ridiculous and I wonder whether all UK universities are like this. What frustrates me the most is when my professors are seemingly putting a cap on my grades. It feels like they are pushing everyone who is lagging behind up (past the 40% pass mark) and everyone who's doing exceptionally well down (towards the 70% mark). I'm guessing that it makes sense to retain as many students as they can and at the same time ensure that the course isn't too easy, but it seems incredibly unfair.
Also, what is up with the grading system? A "first" is 70%+, and as soon as you achieve that as an average you're indistinguishable from anybody else.
The education system prioritizes that all students have a baseline knowledge above all else. It's not the goal to incentivize high achievers using a hard scoring system, because this'll prevent the success of others who aren't good in educational settings - and there is a group of people who are incredible programmers, but lack the skills to get good grades.
If you're really good, you have remarkably good grades and do interesting projects in your spare time.
w.r.t. your understanding of unfair:
Don't compare yourself to fellow students, because they are by definition average.
If you want to profit from your advantage: do stuff, get connected with great minds, build projects. This will get you years ahead of your fellow students who are busy passing the exams. What about this incredibly unfair advantage? ;)
I hate when talent does not get distinguished. Nonetheless the time spent chasing the busy-work to get an A in US CS courses seems more detrimental to personal projects and interests... I wish I could just get a cutoff at 80% and just not worry anymore.
Same problem in the US. Compsci education has been an absolute joke at both colleges I've been to (a community college then state university). The entire thing can feel downright fraudulent at times when you're writing yet another crappy implementation of merge sort in Java as part of a class you're taking one semester before graduating and your classmate can't figure out why their class with all the fields marked as static doesn't work when two instances are made of it. I haven't had to extend an iota beyond bare minimal effort to get any of my A's in compsci classes. It's almost always been the "professor" just checking that your program gives the right output but making you print it out anyway so they can draw a checkmark on it or some other horse baloney. At least I've been able to get real experience doing things on my own.
Reading the article I found myself dwelling on the quote,
"People need to take their printer out of the public internet unless it's needed..."
I'm trying to think of a single reason that a printer would need to be exposed to the public internet in any way at all. Even a corporation sharing printers between offices surely would rely on inter-site VPNs rather than just opening ports and exposing the printer to the world?
If anyone can think of a good reason to put a printer on the internet I'm all ears because I'm struggling to think of a good reason.
Credit to the teenager for not doing something malicious and in fact just being a little playful with it and educating the owners with a cheeky print out. Good work, I hope he can do well going forward and get a career from his skills despite his worries about grades etc.
Google's Cloud Print service (used on Chromebooks at least) has to constantly keep your printer in communication with the internet. To print to a printer on your LAN from a Chromebook, it goes out through the internet to Google's servers then back down to the printer. (And often times it stops working, so you can't even print to the thing 2 feet away).
There's a difference between being "connected to the Internet" and being "open to the Internet".
There are hundreds of thousands of printers, mostly at Universities, that can be installed just pasting their WAN IP address into the Windows "Add Printer" wizard...
At a university I worked at, every IP over DHCP was a public IP address. This means that all of the printers where by default open to the world. I always thought that this was crazy. Every so often a random page would be printed...
The setup was similar at my college. I'm not sure if the printers were open to the whole world, but I do know that with a little savvy (and I mean a little) you could use any printer on the campus network. While other students were flooding the library 10 minutes before class to print their assignment, I would print them out from my dorm room to an empty office on the same floor as the classroom, and just swing by to pick it up on my way to class.
I was also very tempted to just spam a bunch of gibberish to the printer on the network labeled "Presidents Office", but decided that might raise a few red flags.
Just because the addresses are publicly routable doesn't necessarily mean they're accessible to the public. I used to work at a place with a Class B block, but nevertheless advertised no routes for most of those IPs. Internally any traffic to the internet had to go through proxies.
Except here in the UK he has broken the computer misuse act and could face jail time if someone decided to prosecute so he technically did something "malicious".
Well yes, he did break the law of course there is no denying that. But in the spirit of what he did he wasn't malicious in that he kicked off a DDoS with these printers or anything more than that, it was of course illegal but at least those people now know. One of the few internet connected devices that is actually capable of giving some output to inform the owner that something is wrong!
I love how this guy thinks he has no future because he makes bad grades. LOL. So many great programmers I know were flunkies because they only cared about doing different hard things. Myself included.
Yah cuz we were all such paragons of responsiblity in our teen years. I got in trouble for hacking as a kid too. Now I coach VP's on how to manage app dev.
>One problem I have is that I'm not noticed at all for my skills. Everyone I know who is this age and has the skillset I have are either blackhat or legit depressed. There's nothing for us at this age.
Anyone else found this part a little bit sad and somewhat disturbing?
It is sad for sure, he is clearly very skilled but because it doesn't fit into the framework of the national curriculum for computer science or IT he is getting bad grades. It just goes to show that grades aren't everything, I just hope he can apply those skills and make it in the industry doing legitimate work not malicious work. Some employers are quite good at seeing past grades so fingers crossed for him!
How is this possible? If random restaurants are able to assign a public IPV4 address to every POS printer they have, do they all have their own /24 net? Why wouldn't they all use NAT?
FWIW, my old 20k-student university (a few years back) had tons of printers sitting wide open on IPv4. The university had a full /16 that was used a lot for misc. computers and other equipment (no firewalls).
Used to be very convenient that I could send off a few documents to print before I left home at morning, and have them waiting at the printer when I arrived at campus.
Even after they added "swipe your card to print" to reduce waste, using plain old lpr to the printer IP still worked (it even cut in front of the queue, to much grumbling from the chemistry students we shared computer labs with).
I know exactly what he did, and the only reason I didn't do it myself was because I didn't want the inevitable legal problems.
Best of luck to this kid, because as smart as he is, and as destructive as this isn't, the law takes a very dim view of taking over other's equipment, even if it's wide-open.
There's a great business opportunity hidden here. This kid (or anyone else) could set up a web site where people go to scan their own network for IoT vulnerabilities. Make it like the Qualys SSL testing service: let people test for free without installing anything, but charge for additional services like repairs, enterprise service, deeper inspection, etc. If there really are so many IoT vulnerabilities out there, this should be a slam-dunk business.
He isn't kidding about the state of computer 'science' in the UK being atrocious.
Up until sixth form college, it's pretty much 'how to use Microsoft Office the class', with programming being mostly non existent and even coding in HTML being rare in a lot of cases. So anyone who doesn't study IT past the age of 16 or have an interest in computers outside of school is likely going to be absolutely clueless in regards to how to use a computer.
Once you're in sixth form college, it's then hardly any better, with the worst ones literally being 'how to use Microsoft Office, Access and Front Page edition'. So you could theoretically get away with not writing a single line of code until university, despite doing 'IT' as much as humanly possible.
Add the lack of extra activities, and well... anyone who's done programming at all may as well skip GCSE and A level IT altogether, since it's got absolutely nothing of value to someone with even the simplest computer skills.
Thank god you don't need a degree to get work as a developer in this country. Otherwise we'd have barely anyone interested in programming at all.
He's also right about the internet of things being a security disaster... but hey, absolutely everyone with experience in this stuff knew that already.
That said, he should probably get out of this blackhat stuff now rather than later, since it's very likely he'll be caught and end up facing a pretty long prison sentence at some point in time if he doesn't. Especially when you realise most people will see what he's doing here and think it's somehow as serious as breaking national security.
I go to a good college in california. Im currently in the dining hall and the peraon across the table from me was using his laptop. He just walked away, presumably to get more food, leaving his open and unlocked laptop completely unattended. This is why there are still printers connected to the internet and why it wont change for a long time.
This is really not the same problem. For the most part, the people who are going to fuck with your shit are pretty rare, so the chances that one of them will happen to be around and ready to pounce in a dining hall in a good college (and that no one else around will notice) are reasonably low.
Compare that with the internet where everyone is just as far away as anyone else, you can automate the malicious actions, and attribution is a pain.
They are the same though because most people have no idea there is even a difference. They are titally unaware. Would you or anyone else who knows anything honestly leave your laptop open and unattended?
cringe I used to do this so often. I've now set my laptop to ask for a password after 5s (on Macs it's really easy to turn off the screen with Ctrl+Shift+Power). And the disk encryption from Apple puts my mind at rest somewhat, even in busy coffee shops.
edit: I feel like in small startup offices not locking your computer is a subtle sign that you trust your team, but this might be just my weird interpretation
Is it safe for this kid to have a "public" presence about these wonderful shenanigans? I feel like he's bound to have the feds knocking on his door pretty soon despite how harmless this is...
A classmate got hosed for doing something very similar years ago.
> I don't know enough people. I don't talk about any of this stuff with my friends. Nobody is interested in it. I've had my fair deal of shit from teachers when it comes to computing, too.
What a bummer. When I was a kid, I was nowhere as skilled as this guy, but I was online a lot and talked to a fair amount of people whom I would consider friends.
It seems that today, it should be even easier to reach out and connect to people with your shared interests, especially when those shared interests are effectively marketable skills and ought to translate into job offers out of high school.
Weev's use of every IP-connected printer in the US to publish antisemitic "samizdat" significantly predates this. There's no real exploit in most cases, just things connected to the internet doing what they're told.
Could anyone see the FTC creating some sort of unit test that crawls IP addresses in the US and tries to find vulnerabilities like this. Maybe printing out a message for the owner to contact some authority on the 'Internet of Things' ?
Hmmm, I have seen an extra '%3' occasionally... it never hurt anything so I didn't bother fixing it. Thanks dude now I'm going to be totally tormented until I fix my bookmarklet.
[EDIT:] ok moving that parenthesis and avoiding the update of document.location didn't take me too long...
I hope this guy realizes that school was designed to churn out factory workers in 1900s Prussia. The education system is so broken because of this, and it will never change. There's way too many people's job-security and momentum riding on this system.
I hate news organizations using curse words. Don't get me wrong, using curse words is completely fucking fine, but it's weird in the worst way seeing news organizations using these words, they're supposed to carry a voice of impartiality. It's extremely unprofessional, and it seems overly emotional and petulant to use curse words. The Vice is absolutely one of the worse offenders of this.
This criticism seems a bit misplaced levied against Vice. Their whole deal is edginess, defying the norms you think they should embody. Ignore them if you like, but it seems weird to say they should be fundamnentally something else.
> I hate news organizations using curse words. Don't get me wrong, using curse words is completely fucking fine, but it's weird in the worst way seeing news organizations using these words, they're supposed to carry a voice of impartiality
While Vice does run some good content, calling them a news organization is hardly accurate.
Something that really presses my buttons is this mentality of lots of people to just jump on the complain-train and blame the world that certain technologies for beeing not "as good" as others. And even worse are the people using that to create cheap articles to generate clicks.
"Javasript is sooo broken.. the world is unfair",
"Iot is sooo shit...",
"Language X is soo bad.. thanks Obama",
"Framework Y is soo 2016...".
Thousand people are trying to make a difference in the world and the ones just writing articles about "XY is shit" do mostly nothing. News about bad, bad "IoT", are so low hanging fruits to click-bait. There is almost never a constructive appraoch. Just complain and generate clicks.
Where are the leading ideas to make "IoT" better?
Where is the differentiation, that open printers installed by stupid users are not a prove how "shit" IoT is?
You might also say the "internet is shit" because there is major dataleak happens every week.
Thing is that.. JS is usually broken, the world is usually unfair, IoT has proven itself to be usually shit and most frameworks are bad.
Xerox is not a small startup that just wants to make printing easier. Even if it was, at least some basic security practices should be considered.
I mean i'm here writing a dinky little website using SQL and golang (i am a newbie at bout) and I am sterilizing inputs to make sure that SQL injection can't happen. Meanwhile the United Nations(!!) website has been exploited by same. There's even a defcon(?) talk about how a firm was hired to asses the security of that UN website and when the guy sent them an email saying that it is vulnerable to SQL injection, they responded by threatening him to never do that (year later it wasn't fixed). Wish i could find that talk.. it was great. Then there is the Technicolor router (big company) that my cousin has, that i just googled to find it vulnerable to all kinds of things and just horrid in general. Then there is ...
Agree, it's a terrible headline. Especially when, IN the interview itself, the interviewee says "I think the media blows it out of proportion a bit. People are thinking their toasters and shit are getting rooted on a daily basis."
There are constructive comments right at the top of the article. And companies are selling devices that put their users at risk, so until we get regulation, articles like this are the how people get informed about the problem.
Hacking, IMHO is finding something cool about a thing & then taking that something and mixing it up. Make the thing do something never intended. In this particular case a kid found that he could print to printers which were connected to the Internet and then decided to start printing to printers using what amounts to a script. This isn't hacking. It's not novel. People connect printers to the Internet and he abused those connections. This is therefore a prank, not a hack.
For a large class of cases — though not for all — in
which we employ the word meaning it can be explained
thus: the meaning of a word is its use in the language.
---Ludwig Wittgenstein
Your ellipsis suggests to are disagreeing with the original comment, else what you wrote is just a truism. The point of the original comment was that it was authorized by default as intended by design, and thus not a "hack."
Yup. Sending a print-job to an open printing port isn't special and IMHO doesn't rise to be anything remotely close to "Hacking" or "Hacked". Everything is essentially working as designed, but just poorly implemented. It's similar to how DDoS isn't "Hacking".
Particularly towards the end, s/he comes across extremely self-aware, and makes some salient points around the state of school CS education in the UK. It certainly resonated with my experience.