The best reference I can recommend would be Eric Raymond's "How To Become A Hacker" (http://www.catb.org/~esr/faqs/hacker-howto.html). The key point the article points out is that "The basic difference is this: hackers build things, crackers break them." The teenage thrill of breaking into computer systems is certainly exciting but perhaps he will be even more enthusiastic about learning to be curious about how things work under the hood, how to do clever things via programming and how to develop a true hacker mindset. Of course all this without the risk of getting into trouble like breaking into his school's computer system. I am glad to know that he did not choose to do any major damage but nevertheless I hope he grows up to become a fine hacker and understand the true meaning of being one. Good luck and great effort on your behalf to try to advise him in the correct path!
Like most of ESR's aphorisms, this "building vs. breaking" thing misses the mark entirely, reflecting more about how ESR thinks about the world than how the world actually works.
There is lots of productive work to be done in "breaking" systems. Nobody thinks Arjen Lenstra or Paul Kocher are doing work of a lesser caliber than Alan Cox; it is (I think obviously) harder to break RSA than it is to build a new Linux virtual filesystem layer. It is only because people like ESR don't know about people like Paul Kocher that this "build vs. break" meme spreads. Let's try to kill it when it appears.
What teenagers need to have is a sense of ethics. This has nothing to do with whether you spend your time finding holes in things, and everything to do with respecting property, with not assuming that you know the impact of every action you take that invades someone else's property, and hopefully with having a productive goal.
Here's what you need to tell your cousin: nobody in the real world gives a shit about your ability to break into one computer system. Per-host network penetration testing is close to the bottom rung of the computer security career ladder. If he likes breaking things, what he should do is start picking up open source software, researching how it works, finding vulnerabilities, and reporting them.
He's going to find really quickly that knowing you could --- if you were a criminal and a moron --- break into tens of thousands of computer systems is a lot more fun than breaking into one badly-configured school computer. He's also going to learn real computer science, because really breaking systems involves really reading and understanding code, runtimes, layering, information modeling and representation, and any of a zillion other things.
Computer security is a really awesome tour of a lot of the fun stuff in a CS curriculum. I've worked on compilers, crypto math, distributed commit protocols, filesystems, and language runtimes in just the last 12 months. If he likes this stuff, get him to stay with it.
You asked for books. How about:
* The Web Application Hacker's Handbook (bad title, great book).
* Eldad Eilam's "Reversing"
* The Art Of Software Security Assessment (our industry's bible)
* The Shellcoder's Handbook
* The last 10 years of Black Hat Briefings talks, which are all available online.
Books, articles... I'm afraid they're boring - they are cool to read if you're interested in the society, but that comes later on and you start to look for those things yourself. If he's interested in how things really work, then just make sure he knows the difference between exploration and breaking someone's work. The best learning material I have found are pages of people dealing with real security... stuff that you cannot find by googling "hacking".
That might both give him some new ideas, as well as show who is really considered important. For example, I always thought lcamtuf (http://lcamtuf.coredump.cx/) is a great example of a hacker of many skills (photography, network security, fuzzing, constructing robots with own 3d printer and many more random ideas). I guess you just don't have time to be a script kiddie if you have enough good ideas of your own...
Just make sure he finds securityfocus before he finds cDc :)
On the other hand, you could let him know that notifying the school officially about the security problem may be a bad idea. Typical teachers are as likely to say "thanks", as "OMG hacker! security audit to make sure you didn't change any data will cost X$/h - your parents are paying for it and you're suspended".
I have a problem with that essay. It makes good points, most of which I agree with, but Raymond states them as values to be learned without explaining why. He essentially states his own beliefs without giving reason for some of them or explaining why such mindsets are useful. (Or: he shows rather than tells.)
The phrase that stands out most upon first glance is this:
"Similarly, to be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence.
"If you aren't the kind of person that feels this way naturally, you'll need to become one in order to make it as a hacker. Otherwise you'll find your hacking energy is sapped by distractions like sex, money, and social approval."
I've found this not to be the case. Wanting sex, money, and social approval is not necessarily detrimental. Similarly, I get no thrill from solving problems per se. I don't think that that thrill is a necessity for hackers. Raymond uses too broad a brush.
From some lens, my approach could be seen as problem solving. I've always viewed it as more of a creative art: I view the things I create as concepts. "What would happen if a web site worked like this", for instance, then I create everything to revolve around that central theme. Some of the stuff I do is geared at problems, but I feel that viewing mistakes as bugs is a very sterile approach and I hate it.
I don't have a lot of the traits that go alongside hackers, either. Coding languages don't fascinate me, by-and-large. When I look at a language, I figure out exactly how to get things done and then I don't look at it again. As a result, I don't find much fascination in discussions about programming, which is rare among hackers.
Messing around with things, figuring out how they work and making them do something I want them to do. It's interesting to me. Doesn't really solve any practical problem though.