Unusual query re computer hacking and employment of teenagers

[rosienickname]

OK. I could do with some advice here from people that know about employment rights, possibly internationally. And also nerdy teenagers...

My DSS is just turned 16. He's never been a sociable child, doesn't really have friends. Only social interaction is when classmates ask him round to help them build computers, which are his obsession.

He's been spending all his time shut in his room lately saying he's doing homework, but clearly isn't (school grades aren't great lately, for a bright boy at a pushy school). Recently he's taken to staying up til 2 or 3 in the morning online. We've now stopped this by turning the router off at 11, which he got quite upset about.

Anyway, he's finally told us what he's been up to. Turns out he's made contracts with people who work for a major international software company doing tests on new software. He's been working for them by attempting to break the software ( ie hack into it) as part of the tests they do. As part of this he's signed some declaration of not telling anyone about what he's up to.

He does have form for hacking having been in trouble a few years ago for hacking school computers, and I do think he's telling the truth. I'm concerned though that he could be being quite exploited by these people. He's not being paid as he says they don't pay anyone under 18. I would have thought if they don't pay them, then they shouldn't be getting them to sign aggrements, or giving them work to do. He is hoping to get an internship out of them when he's 18.

Some of his contacts are visiting quite near us (from the US) in a few weeks and DSS wants to meet them socially. DH has said he'll go with him to make sure all is OK.

I guess I'm concerned about him as he quite naive in many ways and probably really excited by the work he's doing and the new contacts/ friends. I'm concerned he could be being exploited by them to work unpaid. Or is this really something we should be proud of him having set up for himself? DSS can be very private/secrative so it's hard to get much out of him.

llama - DSS is at his mum's this week - he'll be back with us at the weekend, so things are progressing slowly. DH has asked him for more info - DSS is saying he's working with a group of "developers" (who he's got to know online) who do it as a hobby and improve things like "kernal modifications" I don't understand much of what he says and DH admits he's not that clear on all of it either. DH is going to ask him to show him the Non-disclosure thing he signed, and thinks it should have a named contact at the company on it, which he would then be able to check out to confirm whether it's legit. DH doesn't think DSS is hacking online, he thinks he's used the term more losely to mean testing out bits of code that he's been sent on his computer, but we're neither of us very clear on exactly how this works. DH will speak with DSS properly at the weekend, but is anxious to go softly at first so that DSS opens up about what he's doing.

No pulps - DSS is the only one who has admin rights to his computer - he built the computer and I don't think DH really feels it's "his" to have control over, if that makes sense. It's hard to see how to undo these things when they've been in place for a long while, and now DSS would no doubt say he couldn't share his password with DH or me because of the non-disclosure thing he signed....

scouse - yes, I feel out of my depth on this sort of thing too

Sorry, it's just more nonsense.

The kernel of an operating system is the part of it that manages the hardware and schedules and controls resources like memory and disk. When you save a file out of Word (or whatever), it's the kernel that does the actual work of finding some space on disk and putting it there, and knowing where it is to get it back.

For practical purposes, there are only two kernels of importance that run on anything remotely approximating a standard PC your son might have built: Windows in its various flavours, and Unix and Linux in their various flavours.

Windows kernel source code is like rocking horse shit: in order to do kernel development work on Windows, you need to be an employee of Microsoft or one of its top-tier partners. There are some universities that have copies, but I don't think any in the UK. So it is inconceivable that he could have signed an NDA associated with doing work on Windows.

In the case of Linux, and of the Unix derivative used as a foundation for Macs, the kernel source code is entirely public and anyone can work on it without needing any legal paperwork at all. Grab the Linux kernel source code here:

github.com/torvalds/linux

or the public bits of the OSX kernel here:

www.opensource.apple.com

and make yourself famous with your special addition. There is closed source stuff in OSX, but no-one, no-one outside Apple's own staff gets to see it. There are other, minority Unixes, but the source is almost all publicly available as well.

So the claim that someone's doing kernel work and had to sign an NDA is almost certainly bollocks. Leaving aside the plausibility of your son actually having the deep programming skills required to mess about seriously in kernels (I help teach an MSc course on it and most of the students are pretty helpless for most of it), either his claim would be to be messing about with Windows (in which case an NDA would be the least of your requirements) or with a Unix of some sort (in which case why would you need an NDA?)

There's no such thing as a legit NDA signed by 16 year olds. When I worked in industry, I wasn't allowed to sign NDAs without my company lawyers playing too. In academia I have, with my fingers crossed, signed NDAs with industry partners when I know the material being discussed is trivial and the document just corporate arse covering, but the industry side of the document was nonetheless signed by a heavy hitter. A recent NDA I signed with Microsoft was signed by their UK general council or something, and it was only there to cover my wandering around a development group at a satellite office for a few hours mostly talking to one of my own students. People don't sign NDAs with minors: they would be meaningless.

He's being scammed. I can't tell you what the scam is, but he's being scammed. You are being naive. And having machines in the house that adults don't have admin rights over is an accident waiting to happen. I'm as hands off with the kids' computing as you want, to an extent that I suspect would scare many, but I have admin rights over everything and would go ballistic if I found machines in the house that I couldn't easily get at if necessary.

Hi OP

I'm as clueless as you in these matters, but I wonder if it might be worth you listening to Woman's Hour from last week. It was internet safety day.

It's a horrific story and I'm not posting to alarm you, it's just that the promises of future careers and wanting to meet rang a few bells.

link here

Thanks securitylecturer - that's really helpful. I think I wasn't quite clear though - the kernal thing wasn't what the NDA was about, it was just an example of the sorts of things they were doing. I would assume from what you say it must be open access stuff they're playing around with. The NDA apparently relates to pre-release coding, if that makes any sense - giving the company feedback on some of their APIs ( - I don't know what an API is)

Thanks for the link - Occam - I'll have a listen.

Wow op, I think you've been lucky with having a poster like security lecturer around! (even though I do not have the first clue about anything she has said!!) Why not give actionfraud a call? They deal with all fraud type stuff in GB. Might be worth seeking advice from them

An API is the application programmers interface. It's a list of functions that a library provides. It's no more mysterious than a published list of interface to a system.

Can you ask if it's the Linux kernel he's working on? If it is so, I think securitylecturer is right in that all modifcations have to be opensourced as the code is GPL. Does he have a GitHub account so you can post here for us to look at?

However I am not 100% sure you can't have a closed source fork of a Linux kernel. The sky box is Linux based and so are most routers. I think the code for them are closed source? Does securitylecturer or anyone know if it's under a looser license than GPL?

The other kernel that I think he could be working on is android btw.

Lost my long reply, but I think the computer stuff is a red herring and this is online grooming, the proposed meeting in the bowling alley is very significant. Speak to his school safeguarding coordinator and to the police. Does he have friends? Would you say he is potentially isolated and socially naive? Predators will
Go to big lengths to get close to children, by preying on their passions and interests.

This whole scenario would be making me incredibly nervous. Legitimate companies do not hire in this way. The fact that this also has a US dimension is worrying. If he is attempting to "hack"systems or assist in helping others to do so it may not just be for fraudulently purposes, stealing intellectual property. The authorities are increasing looking to prosecute under anti terrorist and money laundering legislation. A legitimate company would understand this risk and not put any employees, even 16 years old not being paid, at this risk and no legitimate company would expect this work to be done for free.
Him using your router and you knowing about this can also put you under suspicion.

Just read this and I am sorry to say that I am very concerned for his safety - I agree that it sounds like he is being groomed (and not necessarily for sex).

The internet can be a very scary, dangerous and addictive place and I am quite astonished at how laidback you both are about the fact that his online life is taking over his whole life. He needs help and guidance.

drownedgirl I'm more worried they are using the teen for some illegal hacking. Legitimate companies really do not operate this way. I can hand on heart say that lone smart hacker in the basement with no qualifications do not exist. (Or very very rarely). I can't see how the teen will have skills that are so sought after.

If he really has, he would be well known in the open sourced world. In that case the OP would have accompany him to conferences.

That Nick whatever who sold his idea to yahoo hired programmers and has an investment banking dad to bankroll him. He's not whizz kid but a very good businessman.

Two Little Terrors, most of the Linux kernel is under GPL2, so you cannot fork the kernel and take your fork closed if you want to be able to distribute the results. There are some narrowly drawn exceptions covering binary-only device drivers, but they're uncommon. Sky just use the Linux kernel and libraries and ship closed-source applications, which is fine.

The NDA apparently relates to pre-release coding, if that makes any sense - giving the company feedback on some of their APIs

Right. Because every time I want to make major invasive changes to a large piece of proprietary software with a public API, my first thought is "shall I pay an expensive lawyer in order to get an NDA with a fifteen year old to give me feedback, and meet him in a bowling alley?"

all modifcations have to be opensourced as the code is GPL

That's not quite right. You only have to distribute the source on the same basis as you distribute the binaries. So a company can modify the Linux kernel to its heart's content, keep the result proprietary within the business, and keep the source to their changes similarly secret. They can sell that product to customers, and if the customers don't ask for the source, they don't have to give it to third parties.

The point is that what you can't do is sell someone a copy of software with a GPL'd starting point and then keep the source code confidential from them. Anyone who legitimately receives the binaries is entitled to the sources. That's it.

Have you managed to stop him yet, OP? I've been worrying about him.

As others have said, you are being shockingly naive. He possibly is, or he knows more than he is letting on, and is using jargon you don't understand in order to blind you to the reality of what he is doing.

"White hat" or ethical hackers are proper company employees earning a proper salary, most of whom will have a degree or years of experience in computer science. Even though they are legit, my understanding is that this sort of hacking is not normally allowed through a family broadband connection. It is very, very unlikely he is doing this as a 15 year old just would not have the skills required, and companies are usually very careful about making sure everything appears above board.

The "black hat" or criminal hackers do so for a variety of reasons- they may want to steal intellectual property, people's personal details or gain access to data for some other reason. Some organisations that do this have terrorist links, and this is a really very serious offense. If the broadband is in your name, and you know what is going on, you could be seen as involved in the crime. These organisations recruit young teens, because they can distance themselves from the teens, if/when they get caught, and, of course, persuade them to work for free. This is more common than you seem to think it is.

The final possibility is, as other posters have said, that he is being groomed by someone, and they are using the "work" as an excuse to meet up with him.

You need to take away any internet access he has until you are sure what he is doing is legitimate. The absolute best case scenario is that he is lying to you, and is actually gaming or something, or he is just being exploited. You need to realise how serious this is. It sounds a bit like your DH does not want to admit how in over his head he is, either.

Is his mum aware? If he is using her internet connection, she could be implicated too.

Whilst its almost definitely bad news....and what Security Lecturer has said is absolutely right......allowing for a little 'lost in translation' between OP and her step son on what hes actually doing dev-wise.....

I run a pretty large development company that does all the things mentioned in this thread. We have recently taken on a 16 year old apprentice.....he is absolutely amazing and frankly walks all over the majority of coders we have had for many years including those well respected in our industry. They totally acknowledge this.

We found him via a random online discussion forum chat....he did a load of work on one of our projects off his own back (and yes, he signed an NDA of questionable value but we felt it meant he would think about it before telling everyone what he was doing), and we've taken him on. Okay we met him for the first time at our offices...but then we're in the same country!

This is an unusual situation, but then I think in a lot of ways digital is still an unusual market. Try finding a decent objective-C developer who's over 20 and doesn't want 100K a year.....Professional pen testing and load testing (for example) are HIDEOUSLY expensive.....it may just be they're trying to find a cheap and novel way to get something done.

All the above said - I still think its more likely a scam of some sort and I would want everything MUCH more verified before letting him do anything else.