Back in 2000, when I was in high school, I developed a trojan similar to NetBus and Sub7, but just to use it in the school computer labs. The objective was only to have fun: telling my friends their login passwords, controlling their PCs (screen streaming, key logging, file management, mouse and keyboard control, some nice screen effects like making the screen move like ocean waves, launching programs; it was fun, lol). There were about 200 machines connected. The infection was simple (auto-installed in services/run) and later it was even network-automated (when I got the admin password). Then I handed the commanding program to some friends, who used it a little bit too much. We even had the net admin's credentials, so we started to get some extra benefits (like internet access outside the internet lab, etc.). The admins realized what was happening and started to use Norton Ghost on every PC, first once a week (before it was once every 2 weeks); then, as the infections didn't stop and they started to get very paranoid, they ran Norton Ghost every single day. It all ended when they discovered a copy of the source code I had given to a friend of mine. They confronted him, but luckily he took the blame (as he later told me, it was very dumb of him to have saved a copy in his own account, but he managed to convince them that it was just a learning project that went a little bit too far). They reprimanded him, but nothing serious happened to him. So, he is still one of my closest friends. =)
Most of the time those moments of getting caught turn into great opportunities to get out of trouble by going white hat for them. I figure if they had threatened him with any real punishment, he could just have offered some free security consulting.
In a perfect world that might happen. Sadly, people are not happy if you point out their mistakes to them, and they can get very aggressive towards you, especially when their job or their public reputation might be at stake. Add an age difference of over 20 years and an IT education that started with punching holes into cards, and you are f'd. Going to offer them your assistance then wouldn't be the smart thing to do, don't you think?
It really would make great sense to create a 'report exploits' link on your site/software so that people know they can freely contact you about this kind of thing without repercussions. I actually got one about 2 days ago for a forum I coded because of such a link I put there.
It might be interesting to even make a whole website dedicated to exploit hunting and allow companies to register themselves.
Well, we were kids back then, and I think they took it as one of the risks involved in teaching programming. They surely threatened him, but they just wanted us to stop. So, as we knew that if we kept on infecting the PCs they would punish my friend, we had to stop. But at least we kept some of our benefits (internet access, etc.).