Slashdot Mirror


HS Students Steal SSNs to Prove They Can

thatshortkid writes "Local news in Chicago is reporting about two Hinsdale Central High School students who breached their school's computer system and retrieved all of their peers' (plus staff's) Social Security Numbers. They claim they have destroyed the information and haven't given it out, but the SSA and FTC have been alerted for good measure. While they claim their motive was to prove that the breach could take place and no malice was involved, they face possible school disciplinary action and criminal charges."

701 comments

  1. ridiculous by faldore · · Score: 5, Insightful

    They should be paying them not punishing them.

    1. Re:ridiculous by Anonymous Coward · · Score: 2, Insightful

      Mods, I don't think that's funny at all. Parent is correct, punishing for revealing horrible security holes? "Hsshh... Let's be quiet, no one will notice our security sucks."

      That's more like insightful.

    2. Re:ridiculous by mkotoole · · Score: 1

      take that messenger!

    3. Re:ridiculous by zerbot · · Score: 5, Informative

      From the article, it appears they didn't reveal the security flaws, they got caught. Besides, breaking into systems without permission just to show they are insecure isn't necessary. I've never had anybody who I reported a security problem to just pooh-pooh it, not even when I was a teenager.

    4. Re:ridiculous by davidesh · · Score: 1

      they will pay for their stupidity for sure.

      if they let them off... now that would be sad.

    5. Re:ridiculous by kenshin30 · · Score: 0

      Funny I was going to post the same thing when I read this article.

      This really shows the negative feelings that society holds for those who can "hack" systems. We really need sane laws that do not allow someone to be prosecuted if there's no harm done, or no intent / conspiracy to harm. Of course there will always be those who claim that these victimless crimes are detrimental to society. It's funny how if you look at computer related laws the government is ALWAYS biased to the business and not the individual. Intellectual Property Laws is a good example of this. I for one am tired of the government spending millions of our tax dollars prosecuting and punishing victimless crimes. From smoking marijuana to speeding to hacking computer systems the US government really needs to way the cost against the benefits. Seriously what will prosecuting these high schools really do for society? Discourage them from such things again? If there is no one to test the stability of a system it makes it A LOT simpler to break into the system. These victimless crimes are a pure example of where the ends do not justify the means and society is damaged due to the laws put in place. If these kids get jail time the government has to fork over $40,000 a year to take care of them. IMHO this money would be better utilized paying for the kids' education in a high level computer science program.

      - Kenshin -

    6. Re:ridiculous by DustyShadow · · Score: 5, Insightful

      Breaking the law just to "prove you can" doesn't really fly. They would have been much smarter to just tell the school about the problem and then helped them to fix it. If the school ignored them, they could have easily made the issue public. High schools aren't very big so it's pretty easy to get the word about things. I don't agree that whistle blowers should be punished but these guys went past that point. These guys should be punished, and they most likely will.

    7. Re:ridiculous by davidesh · · Score: 3, Insightful
      This really shows the negative feelings that society holds for those who can "hack" systems.

      lol that was great... you mean CRIMINALS

      How about those folks who rob a convenience store to show their security holes... should we just let them off simply because they figured out how to do it and were caught? Yet they say oh, well we were going to return the money so it is ok and nobody was hurt.

      Talk about flawed logic with your whole "We really need sane laws that do not allow some one to be prosecuted if there's no harm done". What a load of shit
    8. Re:ridiculous by maniac/dev/null · · Score: 3, Insightful

      There's a big difference between whistle-blowing and breaking the law. Would you go into someone's house and steal their TV just to prove how ineffective their door lock is? HSs are rather small, if they spread word around, maybe at a PTA meeting, they might have gotten the same results without going to jail for computer crimes. Crime, even for a good reason, is still crime, and if we don't enforce the law all the time, we might as well not enforce it at all.

    9. Re:ridiculous by zerbot · · Score: 3, Insightful

      I disagree. Breaking into a system is not much different than breaking into my house. There is a ton of extremely sensitive data on a lot of systems. If I came home and found someone who had picked the lock on my house sitting on the couch watching TV, you'd better believe I'd call the police and press any charges possible. No harm/intent foo!

      One of my daughter's friends keeps pressuring her to give out her passwords on various sites. I've suggested my daughter tell her friend, "You can have my password when I can have the key to your house."

    10. Re:ridiculous by Anonymous Coward · · Score: 0
      It is so cute how these youngsters have such a skewed view of the world and the way it should be before they leave the nest.

      "I know I held up that liquor store, that convenience store, and that gas station, but I was planning to give all the take to the charity for orphans, war widows, and sick puppies."

    11. Re:ridiculous by iamacat · · Score: 5, Interesting

      Besides, breaking into systems without permission just to show they are insecure isn't necessary.

      Oh, sure it is. Back in university, I read a newsgroup post by a system administrator that insisted that Sun's Yellow Pages were a secure way to manage passwords. I sent him a copy of his password file and his ypserv went down in a blink. If instead I gave a long technical explanation, he would likely just ignore it.

      And today companies like Microsoft and Apple ignore critical security flaws until someone provides an obvious exploit on a public web page. What is not necessary is causing damage or using any information obtained for personal gain.

    12. Re:ridiculous by networkBoy · · Score: 5, Insightful

      Then you are the exception.

      I spend time in the back of a squad car for stating there were security problems at my school (back in 93, I was a Jr.) The Principal did not believe me, and I was asked by the "computer teacher" to demonstrate, which I did. Upon completing the demo, a change of my grade (downward, ironically) I was detained in the office pending arrival of the authorities.

      I now have a job where I get paid for those same skills, and the thread starter is correct about paying the students. The problem is that HS staff does not like being shown that their charge (the students) have more power than them, which this demonstrates.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    13. Re:ridiculous by Anonymous Coward · · Score: 1, Insightful

      whatever

      these kids were not heroes. with all the social security numbers and personal information being stolen, did they think they would be considered heroes for "stealing" the information.

      yes, theft is a crime, and they think they're immune to such punishment because they didn't do anything with the information. so i guess if i steal $1,000,000, and just keep it under my mattress, it'll be OK.

      my school (i graduated 2001) had all kinds of vulnerabilities, but you know what. it's a school. they're understaffed as is, and they don't need to have expensive consultants coming in and auditing their network all the time to stop these kids.

      a school should be about education, and these kids learned a valuable lesson, because most school districts have a policy where if you are accused of committing a felony, you cannot join your regular classes. you have to go to an in-school suspension until they have a hearing to see if you're a threat to the school, or not. if not, you're returned to classes, however if you're deemed a threat, you have to attend alternative education, normally that portable at the back parking lot, or another school.

      lesson learned, but a hard one.

    14. Re:ridiculous by davidesh · · Score: 1
      I spend time in the back of a squad car for stating there were security problems at my school (back in 93, I was a Jr.) The Principal did not believe me, and I was asked by the "computer teacher" to demonstrate, which I did. Upon completing the demo, a change of my grade (downward, ironically) I was detained in the office pending arrival of the authorities.

      So were you ever charged? or just questioned... story is misleading as written.
    15. Re:ridiculous by iamacat · · Score: 0

      Breaking into a system is not much different than breaking into my house

      Ok, let's make a deal then. Me and a few of my friends will give you access to all of our computers and accounts and in exchange you give us your house. Sounds good? Uh, didn't think so. Obviously you don't think "computer systems" are as valuable as real-life stuff. Why should people be punished in the same way then?

    16. Re:ridiculous by Anonymous Coward · · Score: 1, Informative
      Yes, take that, but there is no messenger here. They did the act and got caught. There was no "sending a message." The school found the evidence when they were investigating an unrelated report of a break-in.

      The students committed the act months ago!

      What a dumbass. I bet that if you were on the jury for someone who killed their parents, and that person threw himself on the mercy of the court on account of his being an orphan, you'd be weeping your eyes out. "That poor soul lost his parents and is alone in the world!"

      Take that messenger, indeed. More like: Take that punks! I hope you like community college.

    17. Re:ridiculous by zerbot · · Score: 5, Informative

      What you do then is offer to make a bet. Offer him something nice and juicy, and get it in writing. Never do security testing without written permission.

      I would think that people would have learned from the example of Randal Schwartz. You especially don't want to do it with someone who would be publicly embarrassed by it because you're at high risk that they will file charges.

    18. Re:ridiculous by SeventyBang · · Score: 3, Insightful

      I hope the English teacher(s) got a shot at you as well: "I spend time".

      The better thing to do [both then and now] would be to have someone from the media with the informer. If the "powers that be" choose not to "go along with it" while it's on the record, then that still leaves the door open for the story to explain what's possible, what's been offered, and what's been refused...and by whom. You cannot win 1 vs. the world. Adding the media to the equation, particularly one who knows what they are doing, can even the stakes a bit.

      The question begs: do you have to report these problems or is it a case of bragging rights - even if you are the only one who knows - so you will have cool stories on slashdot, blog entries, or magazine articles in the future?

      As always, you have to pick your battles. But when you are forced into a battle, you have to decide which weapons to use and how. That's where the media is inserted into the equation.

    19. Re:ridiculous by kenshin30 · · Score: 0
      I disagree with your statement. First of all, as I stated, this was a victimless crime as opposed to robbing a store.

      "How about those folks who rob a convenience store to show their security holes"

      When you rob a store you remove a tangible good that hurts the store and thus has a victim. However in this case no harm was done. You do not understand the basics of my argument and YOUR logic is flawed. Second of all you stated that "lol that was great... you mean CRIMINALS" however they are only criminals in the sense that they broke a law on a technicality. In this case the law != morality and therefore I do not consider them a "criminal". That's like comparing them to murderers and calling them the same thing. Next time before you post such a thing you need to consider the issue at hand and not jump in the same boat as those who believe hackers=terrorists.

      - Kenshin -
    20. Re:ridiculous by kenshin30 · · Score: 1

      I disagree with your statement. First of all, as I stated, this was a victimless crime as opposed to robbing a store. "How about those folks who rob a convenience store to show their security holes" When you rob a store you remove a tangible good that hurts the store and thus has a victim. However in this case no harm was done. You do not understand the basics of my argument and YOUR logic is flawed. Second of all you stated that "lol that was great... you mean CRIMINALS" however they are only criminals in the sense that they broke a law on a technicality. In this case the law != morality and therefore I do not consider them a "criminal". That's like comparing them to murderers and calling them the same thing. Next time before you post such a thing you need to consider the issue at hand and not jump in the same boat as those who believe hackers=terrorists.

      - Kenshin -

    21. Re:ridiculous by zerbot · · Score: 1

      Your computers? That's like me saying, "I'll give you access to my empty garden shed out back." Not all systems are equally valuable. If I had to either give you the key to my house, or the root password on my systems, I'd rather give you the key to my house.

    22. Re:ridiculous by pjbgravely · · Score: 1

      The question is why did they have the info on their hard drive. A Hacker finding holes doesn't need to have the data, they just need to be able to see it.

      --
      Star Trek, there maybe hope.
    23. Re:ridiculous by raehl · · Score: 2, Insightful

      Well, they're kinda screwed either way.

      If it's made public, then people can compromise the data maliciously before it's fixed.

      If they go in on their own, then they'll be punished for it. And they have to be - you can't let people mess around with the system as long as they don't do any damage, because people will mess around with systems and do damage even though they didn't mean to.

      The correct thing to do is probably to inform the school, hopefully get them to let you demonstrate the flaw under supervision from their network people, and if they still don't do anything about it... move on. If you make it public, the data WILL get compromised, if you don't, at least there's a chance no one will notice, AND you dodge any repercussions to yourself.

    24. Re:ridiculous by shaitand · · Score: 4, Insightful

      If they spread word around, maybe at a Parliament meeting, they might have gotten the same results without starting a revolution. Treason, even for a good reason, is still treason.

      Crime is not synonymous with bad, wrong, or evil.

    25. Re:ridiculous by davidesh · · Score: 1
      I disagree with your statement. First of all, as I stated, this was a victimless crime as opposed to robbing a store. "How about those folks who rob a convenience store to show their security holes" When you rob a store you remove a tangible good that hurts the store and thus has a victim. However in this case no harm was done. You do not understand the basics of my argument and YOUR logic is flawed. Second of all you stated that "lol that was great... you mean CRIMINALS" however they are only criminals in the sense that they broke a law on a technicality. In this case the law != morality and therefore I do not consider them a "criminal". That's like comparing them to murderers and calling them the same thing. Next time before you post such a thing you need to consider the issue at hand and not jump in the same boat as those who believe hackers=terrorists. - Kenshin -

      Well I see that it is easy for some people to rationalize breaking the law and I surely got your panties in a wad as I intended to do.

      Victimless crime... data was stolen (people's private information). In my scenario the money was returned nobody was harmed, it was also victimless. "Victimless crime" is just a term people use to support their criminal activities and rationalize why they are ok. ie. prostitution, illegal drug use, gambling (where illegal). Just because it is a "victimless crime" as you say... doesn't make it justifiable, it is still a crime, the law was broken.

      Next time before you post such a thing you need to consider the issue at hand and not jump in the same boat as those who believe hackers=terrorists

      Next time you hack a site in the name of "I was trying to show them..." Just remember you are breaking a law. I never compared them to terrorists, I am discussing the issue at hand. Next time you reply get your head out of your hackers are the saviors of the world ass.
    26. Re:ridiculous by shaitand · · Score: 2, Funny

      Ok, this dude is browsing the web on a system with valuable data. Attention all hackers!!!!

    27. Re:ridiculous by iamacat · · Score: 3, Interesting

      Do you think either Microsoft or Apple will take me on my bet? Will their customers be any safer because they refuse? When people are negligent about security and are putting others in danger (say, by exposing employees' private info or participating in a zombie net), someone bringing it to attention of everyone affected in a convincing manner is a good samaritan. Court made a mistake in Randal Schwartz's case, and we should fight it rather than cower. So far most people who publicized security weaknesses as a public service or even for personal fame haven't been bothered.

    28. Re:ridiculous by the+packrat · · Score: 1
      They would have been much smarter to just tell the school about the problem and then helped them to fix it.

      And how, pray tell, is such a problem to be verified if you don't attempt to exploit it?

      --
      Nihil Illegitemi Carborvndvm
    29. Re:ridiculous by Sancho · · Score: 1

      yes, theft is a crime, and they think they're immune to such punishment because they didn't do anything with the information. so i guess if i steal $1,000,000, and just keep it under my mattress, it'll be OK.

      Same mentality as "stealing" IP. If you steal $1mil but don't do anything with it, you are still depriving someone of their $1mil. If you copy some SSNs, you are depriving no one of anything.

    30. Re:ridiculous by enziarro · · Score: 0

      You obviously don't watch enough 24.

      --
      You used to have a really crappy sig, but then I stole it.
    31. Re:ridiculous by Creepy+Crawler · · Score: 1

      Fine. When you have MY intellectual property in YOUR house, I'll come in and confiscate it.

      And I WILL have police accompaniment.

    32. Re:ridiculous by davidesh · · Score: 1

      "Next time before your post such a thing you need to" look up the freaking definition of you BS.

      victimless crime - An illegal act that is felt to have no direct or identifiable victim.

      It means a crime where nobody is unwillingly involved... So you are saying the school, the students, and the faculty who were broken into and had private personal information stolen willingly allowed this and participated and are not identifiable somehow?

    33. Re:ridiculous by MoneyT · · Score: 2, Insightful

      There's a difference between publishing an exploit and breaking into a system you don't have rights to.

      And I know it's fashionable to hate on business, but there are a lot of security flaws that get patched without an exploit being published or used.

      --
      T Money
      World Domination with a plastic spoon since 1984
    34. Re:ridiculous by davidesh · · Score: 1
      Same mentality as "stealing" IP. If you steal $1mil but don't do anything with it, you are still depriving someone of their $1mil. If you copy some SSNs, you are depriving no one of anything.

      but you are still stealing that which is not yours, and there is no good reason to have hundreds of other people's SSN's other than to sell them or do unscrupulous things...
    35. Re:ridiculous by MoneyT · · Score: 1

      By not exploiting it. The problem these kids are facing is they actually took something. And SSN numbers at that. Had they merely shown the hole existed and confirmed it by logging in and out, that would have probably had them in less trouble.

      --
      T Money
      World Domination with a plastic spoon since 1984
    36. Re:ridiculous by zerbot · · Score: 5, Insightful

      You don't need to break into Microsoft or Apple's corporate computers. You can demonstrate on your own computer or someone else's with their permission. I'm not saying that publicizing security weaknesses is a bad thing, but going the route of breaking into someone else's property to expose a security flaw is stupid and unnecessary, and should be prosecuted. I've had to notify many, many people that their systems were either vulnerable or already compromised, and I have never "had" to resort to illegal acts to convince them of that fact, even when I was nobody to them.

    37. Re:ridiculous by Sancho · · Score: 1

      But you miss the point. You aren't STEALING anything. Stealing deprives them of it. Copying it does not. Not only is your analogy flawed, but there could be a use in copying it that is not unscrupulous.

      It doesn't make it any more legal, but it certainly changes the connotation and is affected by the morals of the individual.

    38. Re:ridiculous by MoneyT · · Score: 4, Insightful

      You deprive them of their privacy. Now their SSN is in the hands of someone whom they did not authorize to have such information. It doesn't matter if you do anything with it, but that you have it in the first place.

      Otherwise, please give me your full name and ssn. I promise I won't do anything with it.

      --
      T Money
      World Domination with a plastic spoon since 1984
    39. Re:ridiculous by BackInIraq · · Score: 3, Insightful

      my school (i graduated 2001) had all kinds of vulnerabilities, but you know what. it's a school. they're understaffed as is, and they don't need to have expensive consultants coming in and auditing their network all the time to stop these kids.

      Bullshit. If they can't properly secure their students' sensitive information (such as SSN's) then they shouldn't be storing it. Or they should store it on paper only, in a vault. I never fully understood why my high school needed my SSN anyway, and now that I see things like this happening I'm tempted to go back and make sure they don't still have it lying around.

      It's one thing to be nonchalant with your employees' information (though I'm not a fan of that either)...employees generally have a viable option (work somewhere else). Students generally have no choice as to what school they attend...they're going where their parents send them. Maybe they can drop out at 16, but by then their SSN could be stolen. There's a great way to start life...a high-school dropout AND identity theft victim to boot!

    40. Re:ridiculous by izomiac · · Score: 4, Insightful

      Well, most school network admins that I've encountered are rather arrogant about their security. If you explained how something *could* be done then they're just as likely to either ignore it or say the next software update will fix it. Exploiting it is a sure way of making them fix it, although ideally you probably wouldn't want to get caught.

      As for businesses, what about all the exploits they don't fix or check for because their software is "good enough"?

    41. Re:ridiculous by the+packrat · · Score: 3, Interesting
      Had they merely shown the hole existed and confirmed it by logging in and out, that would have probably had them in less trouble.

      And if they had done this they would be

      1. just as liable for unauthorised access to systems and
      2. would not have shown that they could use this access to grab everyone's social security numbers. Which is the whole point.

      The only way to demonstrate that you can download social security numbers is by downloading social security numbers. I should point out explicitly that I'm not defending these kids. As I've said elsewhere in this thread, the real criminals (as opposed to these petty criminals) are the people who fail to protect such information. Moral criminals, anyway, since the US lacks data protection laws of any significance.

      --
      Nihil Illegitemi Carborvndvm
    42. Re:ridiculous by vegaspctech · · Score: 1

      lol that was great... you mean CRIMINALS

      Well yeah, that's what we've always called them. But hey... let's all meet at davidesh's house when he's not home, break in, rifle through his personal belongings, copy pages from his journal, etc., then leave secure in the knowledge that he won't press charges because he believes such things are victimless crimes. Or let's not, because we know he'll change his tune the moment he's the target of his 'victimless crime.'

      --

      Making the world a better place, one psychotic episode at a time.

    43. Re:ridiculous by NanoGator · · Score: 3, Insightful

      "How about those folks who rob a convenience store to show their security holes.."

      How about an analogy that doesn't involve a gun to the face?

      --
      "Derp de derp."
    44. Re:ridiculous by Vacant+Mind · · Score: 0, Insightful

      yea go ahead and try to get the administrators to listen to you. sometimes they don't even give you "permission" to go to the bathroom.

    45. Re:ridiculous by vegaspctech · · Score: 2, Insightful

      How about an analogy that doesn't involve a gun to the face?

      You sneak into your neighbor's fenced and gated backyard and, through a window only visible from the backyard, watch her undress without her knowledge or consent.

      --

      Making the world a better place, one psychotic episode at a time.

    46. Re:ridiculous by Sancho · · Score: 0

      Depriving people of privacy is a crime? Wow. Didn't know that one.

      My SSN is all over the fucking place. In the hands of my mortgage company, my bank, hell, the university where I attended school used it as our Student IDs, so they were all over professor's roll sheets which I /saw/ Profs toss in the trash. For a secret number, it's not so secret.

      You want it? Give me your e-mail address. I'm much more afraid of giving that out than my SSN at this point. If you rack up a bunch of charges, I can get it revoked and take action to sue your ass. If I start getting thousands of spams a day, there's not much I can get in the way of retribution.

    47. Re:ridiculous by vegaspctech · · Score: 2, Interesting

      If you copy some SSNs, you are depriving no one of anything.

      So put up or shut up, in support of your argument; post your real name and your SSN.

      Stealing an SSN is depriving someone of peace of mind. What's the value of that?

      --

      Making the world a better place, one psychotic episode at a time.

    48. Re:ridiculous by Sancho · · Score: 0

      If I posted a name and SSN, would you really believe it was mine? My guess? You'd figure I was faking it and you'd still claim I was full of shit.

    49. Re:ridiculous by manojar · · Score: 1

      I disagree. Breaking into my computer at home is like going through my dust bin looking for sensitive document when it has only old newspapers filled with my grandma's phlegm and my 1 year old nephew's doodoo. breaking into my computer at work is like going through my dust bin looking for discarded carbon copies and finding it. both are breaking in, but they are different, you see?

    50. Re:ridiculous by Anonymous Coward · · Score: 0

      Heh...I remember doing the same stuff when I was in High School. I shoulda been expelled for the stuff I did repeatedly, but fortunately for me I was the only real person at the school that knew how to fix Macs and kept most the systems running for teachers that actually got the school some of its biggest grants (and this was a pretty high end school full of computers). Ahhh those were the days.

    51. Re:ridiculous by alpha_foobar · · Score: 1

      Well it helps to prove that you can get the data...

      Of course, if they can see it they can use it... However, I'm from New Zealand and I don't quite understand what the big deal of having someone's SSN is. It's not like you can use a number without any other proof of ID is it? So isn't this just a little media scare mongering about identity theft?

      We don't have SSNs in New Zealand.

    52. Re:ridiculous by Anonymous Coward · · Score: 0

      the US government really needs to way the cost against the benefits

      "weigh".

    53. Re:ridiculous by MoneyT · · Score: 2, Insightful

      Depriving people of privacy is a crime? Wow. Didn't know that one.

      yes it is. Try putting cameras up in a bathroom or changing room or pointing into someone's windows. try tapping someone's phone line.

      My SSN is all over the fucking place. In the hands of my mortgage company, my bank, hell, the university where I attended school used it as our Student IDs, so they were all over professor's roll sheets which I /saw/ Profs toss in the trash. For a secret number, it's not so secret.

      You realize that:

      1) That number was given voluntarily by you every time

      2) That had you requested it, by law they must provide you with an ID number to use in lieu of an SSN

      --
      T Money
      World Domination with a plastic spoon since 1984
    54. Re:ridiculous by Anonymous Coward · · Score: 0

      "The question begs"?

      I think you mean "It raises the question".

      "Begging the question" is a logical fallacy which means to presume that which one is trying to prove.

      I hope that helps. Have a nice day.

    55. Re:ridiculous by gtkuhn · · Score: 1

      I agree that they should be paid instead of punished, and though we may never know their true motives, they may have known this too. Does anyone doubt that this will go in their resumes? Or that they will be hired because of it?

    56. Re:ridiculous by gtkuhn · · Score: 1
      GP said they were a junior in high school. How many media contacts did you have in high school?

      do you have to report these problems or is it a case of bragging rights

      Hell yes, it's bragging rights. Again, GP was in high school. Back when teachers were believed. Now we're older and we know why those teachers never became college professors.
    57. Re:ridiculous by gtkuhn · · Score: 1

      Then let me protect these kids (sort of). If they are in high school, they are most likely minors. So they were not looking at Leavenworth. They may well have looked up the maximum sentence and wagered that sentence against the value of comp security infamy in future job interviews. Hell, if they didn't plan it this way, it's likely to work out very well for them. Provided they want to go into comp security.

    58. Re:ridiculous by gtkuhn · · Score: 1

      What I get from TFA is that they found this exploit earlier, and set about leaving their mark in posted files. It specifically says there is no evidence that they had any ill intentions towards the SSN's themselves.

      It's not like stealing a TV, more like telling your neighbor that their door lock doesn't work by leaving such a note inside the door, and demonstrating the weakness for them when they ask you to. At which point you call the cops and bust them. OK, maybe valid, but not quite as bad as you said.

      So "not that bad" that I bet they get a fine. And some killer jobs on graduation.

    59. Re:ridiculous by Whqra+Enhf · · Score: 1
      And I WILL have police accompaniment.
      What, because you forgot your .357?
    60. Re:ridiculous by rikkards · · Score: 2, Insightful

      As for businesses, what about all the exploits they don't fix or check for because their software is "good enough"?

      Approach the business saying you provide a service. If they say thanks but no thanks move along and take salacious glee in the fact that they may get comeuppance one day.

    61. Re:ridiculous by Anonymous Coward · · Score: 0

      yes, because everyone on slashdot gives a damn about fashion.

    62. Re:ridiculous by (1+-sqrt(5))*(2**-1) · · Score: 1
      "The question begs"?
      Yes, I think he was engaging in a little anthromorphologia quaestionis; next thing you know, he'll "beggar belief."
    63. Re:ridiculous by rikkards · · Score: 1

      They're kids, chances are they didn't look up anything. They probably figured "hey let's see if this works".

    64. Re:ridiculous by Rakishi · · Score: 2, Informative

      "The only way to demonstrate that you can download social security numbers is by downloading social security numbers."

      And the proper way to show this is with a teacher or network person next to you, after telling the school of the possible problem and your desire to show them how it may be exploited (in writing). I am not sure what type of exploit this was; however, it may very well have been possible to show that one can take the SSNs without taking everyone's (take your friends or whatever).

    65. Re:ridiculous by l3v1 · · Score: 1

      If I came home and found someone who had picked the lock on my house sitting on the couch watching TV, you'd better believe I'd call the police and press any charges possible.

      As very many other people, you're just being too general here. There are/were various examples - some also in this thread, just read back - when despite the warning, the letting-them-know, nothing is done to make the system better, the defenses better, etc. Then, when something bad happens, sometimes those get punished who intended no real harm. I also don't think that the breaking-into-my-house or the breaking-into-some-store parallelisms are that correct, but they still pop up from time to time. But what I feel to be quite wrong, that when people like the guys in the article come around and provide proof of a system's holes, they get beaten, and the system still will not be made more bulletproof. And the people who intend to cause harm will _not_ come around and tell you your weaknesses so you have the chance to defend yourself: they just hack in, get what they want and get away, maybe you'll never know.

      --
      I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
    66. Re:ridiculous by 10101001+10101001 · · Score: 1

      You may be right that with MS and Apple commodity software that you already own that it's better to hack your own machine than to attack one you have no permission to attack; in fact, in such cases you can exploit your own machine, hand them a bug report, and then further release the exploit to the public if they don't fix it in a reasonable time.

      But what about software you don't own (like the HS's server software) or is unique? Should the student have recreated/bought the software first, then found an exploit because he had a hunch? Even finding the exploit would be illegal (a misuse of the software to gain unauthorized access) if you don't own it. While I certainly agree that where there's the reasonable possibility of finding exploits without committing an illegal act, it should be the legal standard. But it doesn't seem right/appropriate to set the same standard on a system which you could not reasonably have used another technique to discover and try to help correct the problem. It seems analogous to pointing out that a bank's window's locks are defective and being held for some crime.

      --
      Eurohacker European paranoia, gun rights, and h
    67. Re:ridiculous by shutdown+-p+now · · Score: 1
      if they spread word around, maybe at a PTA meeting, they might have gotten the same results without going to jail for computer crimes
      I tried "spreading the word" in my uni. I went to the IT department and told them, "guys, you know, you've got passwords flying around the network in cleartext, here's how you get them". The result? A year passed, still no changes.
    68. Re:ridiculous by giant_toaster · · Score: 1

      When I was at college I "hacked" as in watched my tutor type in his password to our online register system, I could access details about everyone, including university references etc. I didn't make Slashdot, what did I do wrong?

    69. Re:ridiculous by sydsavage · · Score: 5, Insightful
      Its not like you can use a number without any other proof of ID is it?

      You'd think that would be the case. Unfortunately, the answer is no.

      From this article:

      The SSN and Identity Theft

      The widespread use of the SSN as an identifier and authenticator has led to an increase in identity theft. According to the Privacy Rights Clearinghouse, identity theft now affects between 500,000 and 700,000 people annually. Victims often do not discover the crime until many months after its occurrence. Victims spend hundreds of hours and substantial amounts of money attempting to fix ruined credit or expunge a criminal record that another committed in their name.

      Identity theft litigation also shows that the SSN is central to committing fraud. In fact, the SSN plays such a central role in identification that there are numerous cases where impostors were able to obtain credit with their own name but a victim's SSN, and as a result, only the victim's credit was affected. In June 2004, the Salt Lake Tribune reported: "Making purchases on credit using your own name and someone else's Social Security number may sound difficult -- even impossible -- given the level of sophistication of the nation's financial services industry...But investigators say it is happening with alarming frequency because businesses granting credit do little to ensure names and Social Security numbers match and credit bureaus allow perpetrators to establish credit files using other people's Social Security numbers." The same article reports that Ron Ingleby, resident agent in charge of Utah, Montana and Wyoming for the Social Security Administration's Office of Inspector General, as stating that SSN-only fraud makes up the majority of cases of identity theft.

      What I find interesting is that no one seems to be questioning why a high school needs to have the students' SSNs in the first place. Personally, I think that the administrator that made the decision to put SSNs into a (now proven) vulnerable database should get at least the same punishment as the students who cracked it. And if they are using products that are known to have weak security, they should get double. Why was this database even connected to the net, anyhow? Honestly, the real crime here is the lackadaisical handling of such sensitive information, when there is no good reason for them to have students' SSNs in the first place.

    70. Re:ridiculous by ameoba · · Score: 2, Interesting

      Depriving people of privacy is a crime? Wow. Didn't know that one.

      google://FERPA

      check it out. If the database was leaking SSNs, I'm sure pretty much everything else was falling out too.

      --
      my sig's at the bottom of the page.
    71. Re:ridiculous by Kadin2048 · · Score: 1
      They're a pretty big deal. With your name and SSN someone can start up bank accounts in your name, and worse yet possibly pose as you and get into bank accounts you already own.


      This is because most banks use a combination of your name, birthdate, and SSN as recovery questions if you want to get into an account. I know that when I call mine up on the telephone, those are the first three things they ask me. (Actually they also ask a number of other things also, some of which are less easily discovered, which is why I still do business with them.) Then you can proceed to do things with your account(s).


      But anyway, I'm glad you don't have anything like SSNs where you are. Pray it stays that way. But the way it is here, they're sort of the big key someone needs to 'steal' your identity.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    72. Re:ridiculous by grolschie · · Score: 1

      Here's your big chance. Seems no-one has done it yet.

    73. Re:ridiculous by huber · · Score: 1

      So should I go buy a gun and shoot several people just to prove that I can do it? Sorry, but just because you can do something doesn't mean you always should.

    74. Re:ridiculous by Anonymous Coward · · Score: 0
      That's a silly contest; as running any web server with enough features turned off can be unhackable. In real life IIS 6 is even more hackable than IIS 5 and IIS 4.

      Note that the big difference between IIS5 and IIS6 is that 6 runs as a kernel module. This is a nice trick to get speed for static content (like khttpd) at the expense of security.

    75. Re:ridiculous by networkBoy · · Score: 1

      Suspended for 5 days pending expulsion. DA wouldn't do anything b/c he said there was no case.
      (Didn't seem to matter to the school district though, and no I was not expelled.)
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    76. Re:ridiculous by Anonymous Coward · · Score: 0
      Try putting cameras up in a ... changing room

      Hate to burst your bubble here; but that's standard practice for almost all major retailers. Shoplifting would be almost unmanageable otherwise. There are plenty of laws restricting what they're supposed to do with those images; and most have policies even stricter than those laws (only same-sex monitors, no recording of the images, etc) - but you have no privacy expectation in the changing room that is someone else's property.

      That had you requested it, by law they must provide you with an ID number to use in lieu of an SSN

      Uh, what law?

    77. Re:ridiculous by networkBoy · · Score: 1

      I think you have to report them. I suppose I could have simply changed my grades and made myself look better, and that would have haunted me for a long time, even if no one ever found out.

      ~/spend/spent/ (It wasn't me. I used preview. Cmdr Taco is out to get me. . . it's in the slashcode)
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    78. Re:ridiculous by kyojin+the+clown · · Score: 1
      Would you go into someone's house and steal their TV just to prove how ineffective their door lock is?

      Facile analogy. this is more like taking a photo of someone's TV to prove to them that they left their door wide open, and should think about closing it.

    79. Re:ridiculous by Anonymous Coward · · Score: 0
      Darl, is that you?

      Note that there's a good chance you have _my_ intellectual property in your house (depending what software you use); but thankfully the way intellectual property works I can still use a different copy of it myself, and don't need to come take it from you.

      And I WILL have police accompaniment.

      And how will you manage that? They respond in person rarely enough to actual crimes (unlike your possession of my intellectual property, which isn't a crime at all).

    80. Re:ridiculous by vegaspctech · · Score: 1

      Oops. I meant kenshin30's house. Sorry about that. Too many hours, not enough coffee....

      --

      Making the world a better place, one psychotic episode at a time.

    81. Re:ridiculous by Anonymous Coward · · Score: 0

      And how did you know exactly what to do for your demo if you hadn't been through the process beforehand?

    82. Re:ridiculous by Anonymous Coward · · Score: 0

      I hope you have kids, then have someone steal their SSN from their school and open a million credit cards in their name.

    83. Re:ridiculous by ScentCone · · Score: 4, Insightful

      The problem is that HS staff does not like being shown that their charge (the students) have more power than them, which this demonstrates.

      Come on, it's not about power. The school system certainly doesn't like it being known that the information they keep about their students and staff is vulnerable to theft and manipulation - it doesn't matter who can do it. Students would presumably be the ones with most to gain by hacking their records, but identity theft is arguably a bigger threat when it comes to employment records and other data on the faculty.

      But it's much more likely that a student will be bored enough, have enough time, and be allowed to physically have access to a machine on (or plug a machine into) the local network - so of course that's where the friction is going to be. And, since so many students imagine themselves to be in an adversarial relationship with the teachers, the staff has to be prepared to react accordingly. It's not about not liking a student having more "power," it's about not liking a student screwing around with sensitive data. High school students are notoriously lacking in almost any sort of judgement, and routinely fail to think through the consequences of their actions. This is often more true of the geek set, pleased as they are with their high IQ and skills, and distracted as they are from the daily tribulations of "normal" people (like teachers trying to maintain a career, health insurance, and a credit rating on next to no income).

      And, of course, the odds that the staff of a particular high school have themselves chosen the network infrastructure, software, security model, and so on, upon which their daily system-based activities depend - pretty slim. But they've got to live with it, and when they catch a student deliberately breaking in, of course they're defensive. Hell, a student could also very easily break out a window of a science classroom to show that a determined thief could easily steal a microscope, what with the staff's ridiculous choice of obviously inferior mere glass as a deterrent. That doesn't make the staff power-obsessed when they bust on a student for putting that brick through the window.

      --
      Don't disappoint your bird dog. Go to the range.
    84. Re:ridiculous by Anonymous Coward · · Score: 0

      Please send to identifytheift@gmail.com

      I could use a few credit cards. And yes, I'm not in the United States.

    85. Re:ridiculous by Retric · · Score: 1

      That's one option.

      Or you could start randomly changing people's grades. Or have people pay you to change their grades. Or blackmail people into paying you to not change their grades to C's and D's. Or you could blackmail someone into paying you so you don't change all their grades to A and then report them. Or...

      Anyway, if I had done what you did I would have had a chat with someone higher on the food chain about this mess. Once they say it's ok to try and hack their system then you are an authorised user and you're allowed to crack all you want. Suspending you at that point would be something you could have sued over so if nothing else you could have gotten those people reprimanded.

      -Sorry, no spellcheck installed after the reformat ... yet.

    86. Re:ridiculous by SatanicPuppy · · Score: 0

      I have. People often won't believe there IS an exploit unless you actually demonstrate.

      However, you need their permission to demonstrate to stay on the right side of the law. If you don't have that, it's illegal. If they refuse to give it, the next step is to inform the people whose data is at risk.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    87. Re:ridiculous by kilodelta · · Score: 1

      Exactly - and I'd be willing to bet the hole they used to penetrate the system is still open.

      We'd rather litigate security than actually improve security. I have seen that time and time again when knee-jerk legislation is passed in order to allegedly secure systems through the deterrence.

      In the meantime, those of us who have a meager understanding of I.T. security know that it is comprised of multiple layers, be they passwords, firewalls, IDS, etc. I'm rather surprised that No Child Left Behind didn't touch on this, especially since that other government behemoth called HIPAA does.

      So what if they can ruin your life, they still can't see your health records. Not for now.

    88. Re:ridiculous by Lifewish · · Score: 1

      In some circumstances you do have to report these things. For example, in my old secondary school, a friend and I discovered that the admin server - with everyone's sensitive details on it - was running a version of IIS with the unicode directory traversal bug. We told the computer staff and they did fuck-all about it - apparently the admin server wasn't their turf and they weren't willing to be helpful to their fellow man.

      In the end, the situation was resolved by my friend and I wandering round to the admin office and having a chat with them which led to us being let in to disable IIS on the server. However, if that hadn't been an option, we'd have been faced with a choice: 1) we could have sat back and waited until someone more malicious than ourselves noticed the vulnerability and played silly buggers or 2) we could have broken into the server, acquired some evidence of the hack and gone to visit the headmaster.

      I like to think I'm a fairly moral person, and I think the latter is more "good samaritan"ish, as well as being healthier for my personal data, so that's what I would probably have chosen. The alternative would have been to sit and wait for the day that I pissed off the wrong person and my attendance record suddenly showed that I hadn't been in all year. However, if we *had* taken option 2, we could well have ended up in the same position the grandparent did. Talk about your rock and hard place...

      --
      For the love of God, please learn to spell "ridiculous"!!!
    89. Re:ridiculous by Haydn+Fenton · · Score: 2, Interesting

      Catch 22 situation.
      Either you:

      1) Inform the admin of a possible security risk, and hope they're nice enough to take notice of you. Chances are you won't even get a single second of their thought. End Result: Security risk stays there and the admin thinks they have another 'im a teenage smartass' on their hands.
      2) You hack their system to prove there is a security risk there. End Result: You could face criminal charges, get kicked out of college, and have one hell of a hard time getting back into one.

      Either way you lose. It's better to go for the first option and if it fails, quit. If you're so bothered that you'd risk getting kicked out and charged, go ahead and prove it to them.

      I told the admins at my secondary school about several security risks I found, they didn't even reply to me. A few months later and I'm playing around with some harmless files I made cos I'm bored in IT class. About half a year later when I ask for more disk space, they check my files briefly, think I'm trying to hack (which I wasn't, nothing harmful was there, I was just satisfying my curiosity). They kick me out of school for 2 weeks, don't let me anywhere near computers for another week, and threaten to call the police if they suspect me doing anything I shouldn't ever again. They don't care what your aim was, all they care about is that some kid is doing stuff they shouldn't be.

    90. Re:ridiculous by Decameron81 · · Score: 2, Insightful

      Like stealing someone's wallet without him noticing it? Then you can give it back to him to show him you were able to do it and I bet he will thank you with his fist in your nose.

      --
      diegoT
    91. Re:ridiculous by snero3 · · Score: 1

      They should be paying them not punishing them.

      By that logic, if I stole and stripped thousands of Fords and then pointed out to Ford how easy it was, technically Ford should be paying me for proving how inadequate their security is?

      It is all too easy after the fact to say "hey I was just testing your security system!" Why not just come out up front and tell the IT department that "I don't trust your security and in the next few months I am going to try to break in, is that OK with you?" If they improve their security before you get around to trying it then you achieved what you wanted; if not then you will have the green light to hack away (assuming they said yes) and you still proved your point.

      --
      It said "windows 98 or better" so I installed Linux
    92. Re:ridiculous by Anonymous Coward · · Score: 0

      You're so clever.

      You have such good logic.

      You have never encountered stupidity personally, therefore, it cannot exist.

      I hope you teach math, because you have such a strong grasp of basic logic.

    93. Re:ridiculous by TheStupidOne · · Score: 5, Interesting

      The Principal did not believe me, and I was asked by the "computer teacher" to demonstrate, which I did. Upon completing the demo, a change of my grade (downward, ironically) I was detained in the office pending arrival of the authorities.

      Which is exactly what happened to me. I was a library computer tech at my school and I demonstrated to the district tech staff the many holes they had in their network. It was so bad I could easily escalate my user rights on the servers and gain admin access, allowing me to view everyone's network shares, including the staff's.

      I also showed them how kids were installing games and IM clients on their machines, getting by the security lockdowns imposed by Fortres, and demonstrated some settings they could change to improve security.

      I was promptly removed from the library tech staff for "AUP violations involving hacking and changing settings". I have also been blacklisted from all computers in my school. Not only do I no longer have a domain login, I cannot use any school computers, nor can my laptop be on school grounds.

      Just goes to show you what happens when students show up paid "professionals"

      --
      unable to resolve function slashdot.sig(), aborting...
    94. Re:ridiculous by Anonymous Coward · · Score: 0

      Your analogy is incredibly weak there. Try again.

      Putting a brick thru a window causes property loss, which puts that situation in a completely different category.

    95. Re:ridiculous by Politburo · · Score: 1

      That had you requested it, by law they must provide you with an ID number to use in lieu of an SSN

      No. The SSA FAQ (get your own link) says that businesses cannot require your SSN. However, if you do not wish to provide your SSN, they do not have to provide their service to you. Tough titties, eh?

    96. Re:ridiculous by accessdeniednsp · · Score: 1

      It's easier to ask for forgiveness rather than permission.

      We've never progressed by asking the elders if it's ok to do something snazzy or to do something that shatters their brittle tether to reality.

      These kids deserve highest honors.

    97. Re:ridiculous by SupremeTaco · · Score: 1

      That is a different case though. This is purely a PR stunt to help find flaws, that most serious crackers are going to stay away from. A good exploit is worth much more than the puny prizes handed out from this contest.

      --
      You have a constitutionally protected right to be wrong, and I the right to ignore you.
    98. Re:ridiculous by accessdeniednsp · · Score: 1

      Bureaucracy is crap. (btw that is a horrible word to spell)

      "Throwing a rickety 'plane' into the air just to "prove you can" doesn't really fly" (ironic). Seems to have worked for those Wright boys in Ohio.

      Challenge is the strongest way forward. Stand in the way of progress and you'll get squished.

    99. Re:ridiculous by Anonymous Coward · · Score: 0

      What is not necessary is causing damage or using any information obtained for personal gain.

      It may not be necessary but it sure is fun.

    100. Re:ridiculous by maniac/dev/null · · Score: 1

      Taking a picture of a TV set, assuming you did not enter the house, is not a crime. Breaking into a computer system you are not authorized to use, FOR ANY REASON AT ALL, is a crime.

      You're trying to get people to change their habits. You might have an easier time if they don't hate your guts because you stole their identities. And don't give me a load about how they deleted everything, if they memorized even one SSN, they deserve time behind bars.

      Crime == Crime, if you don't like the law, try to change it. Call a senator, mayor, city council, let them know their money is being spent on a system that gives out private information. Works very well during election season.

    101. Re:ridiculous by swillden · · Score: 4, Interesting

      Just goes to show you what happens when students show up paid "professionals"

      To be fair, it's not an issue of students vs professionals. The response you saw is typical in many organizations at many levels -- they want security, don't know how to achieve it or aren't willing to spend the time/money required to achieve it, and simply prefer to believe that the system is secure.

      Demonstrating to them that the system is not secure doesn't work, because they don't want to believe the problem is with the system -- which implies that the administrators are the problem. They prefer, instead, to think that the person who can break in is somehow unique and that if they can only keep that individual away, they'll be fine. In other words, they focus on the hacker as the problem, in order to avoid admitting that they themselves are the problem.

      A good example is one I used in another post in this thread; Richard Feynman's experience with trying to get the military brass to get more secure locks to protect their files on nuclear weapons during the Manhattan project. He demonstrated the locks were insecure by picking one. They responded by issuing a memo ordering everyone to change their combination whenever Feynman visited them -- effectively ordering them to keep Feynman away from their offices and their locks.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    102. Re:ridiculous by ultranova · · Score: 3, Insightful

      Which means that you should take option three: Do nothing and let it blow up on the admins' face. After all, if you warn them, and they do nothing, and it blows up on their faces, they have a scapegoat to blame for their incompetence: you.

      Why risk anything for your school / workplace / country ? You don't owe them anything, and they certainly won't hesitate for a second if screwing you over ever becomes profitable for them.

      If you absolutely have to warn them, do so in such a way that your identity can't be confirmed. If they ignore anonymous warnings, it's their problem, not yours.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    103. Re:ridiculous by Haydn+Fenton · · Score: 1

      Good call :)

    104. Re:ridiculous by Just+Some+Guy · · Score: 1
      The problem is that HS staff does not like being shown that their charge (the students) have more power than them, which this demonstrates.

      You got arrested while the teacher kept his job. I think your interpretation of who had the last laugh is a little backward.

      --
      Dewey, what part of this looks like authorities should be involved?
    105. Re:ridiculous by davidesh · · Score: 1

      who said there was a gun? How much do you want to candy coat crimes?

    106. Re:ridiculous by davidesh · · Score: 1

      So according to your logic... you believe piracy is ok, because it is only copying and that person may or may not use it for their own gain, and who is to know the difference?

      It is stealing no matter how you look at it. You are taking something which is not yours, without permission.

    107. Re:ridiculous by kyojin+the+clown · · Score: 1
      look, i don't mean to be rude, but switch your brain on before you post. i appreciate it's monday morning and all, but;

      HOW DO YOU TAKE A PHOTO OF THE TV SET WITHOUT ENTERING THE HOUSE?

      seriously. it's nice to simplify things with analogies, but you need to remove your head from your arse before trying it.

    108. Re:ridiculous by Anonymous Coward · · Score: 0

      Violating an access control in order to possess something you have no right to possess might not be theft. It's still wrong.

      Also, you may deprive someone of money they could have expected to make from a product, or deprive them of the security/safety they could reasonably expect of their data being held by an authorized entity.

      The definition of "theft" as only dealing with material goods is complete bullshit.

    109. Re:ridiculous by maniac/dev/null · · Score: 1

      Through the open door?

      Also, +1 for a nice strawman.

    110. Re:ridiculous by freedom_india · · Score: 1
      Never do security testing without written permission. Absolutely Correct.

      Testing security without permission just pisses off lawyers of companies, and scares the hell out of admins.

      They would then need a scapegoat just to prove they are OK and your scalp will be the first to be deep-fried.

      --
      "Doing what i can, with what i have." ~ Burt Gummer
    111. Re:ridiculous by Anonymous Coward · · Score: 0

      That sucks; I fared much better. I'm not "leet", as it were, but some network holes are just so obvious it'd be a terrible shame not to have them fixed.

      Windows XP, in its infinite wisdom, caches secure user network drives in the insecure, local /Documents and Settings/$username/ folder, as it was set up.

      Reread the preceding sentence.

      I could have sent him an email, which he would have ignored. Instead, I showed him when he came into one of our labs briefly. I opened up a teacher's network drive and the locally cached copy of the final exam. The next day, the hole was (more or less) fixed, by having access to the C drive through explorer disabled. Now, you could do something complicated involving a live distro, or you could simply type "C:" in the address bar in firefox, but nobody knows about that; I figure security through obscurity will work reasonably well.

    112. Re:ridiculous by Creepy+Crawler · · Score: 1

      I pay for em, why not use em.

      And I prefer my Glock, but some of my frie.. officers might have a problem with me packing on an intimidation spree.

    113. Re:ridiculous by Anonymous Coward · · Score: 0
      What are you talking about!? I've made a living off of breaking into people's houses and leaving notes that usually read
      "Your household security has been breached. If you want to know how and what to do to fix it, check the "Yes" box, fill out and sign the attached credit card authorization, and leave this note where you found it."
    114. Re:ridiculous by AviLazar · · Score: 1

      Would you feel so cavalier about this if, instead of say MS files, someone busted into the DoD and got information about Nuclear Weapons. And then if the person said "but i safely destroyed the files" would you still be comfortable about it?

      You need permission to do these things. If they won't give you permission, but you are adamant, then you need to create your own similar system and show them the flaw. Or find someone in the organization who will give you the time of day... And if all else fails, and it really is a high-risk situation (i.e. security hole in the DoD database) then you can make it public by going to the media (they love this gossip).

      --

      I mod down so you can mod up. You're welcome.
    115. Re:ridiculous by hazah · · Score: 1

      Not about power? Pass the pipe... I guess. But more seriously, that's not true. This isn't a difficult situation, and worse, they didn't do anything other than provide useful information to those that can actually do something about it. Your problem is that you are generalizing when you can't. These were specific people (not just kids, as they are being just regular people in this case), who set forth in motion a specific course of action. That is, they *notified* the appropriate people, that can *do something* about it. What is this consequence that they should have considered? Why shouldn't it stop right there and then? There's nothing that these "kids" are going to do more, especially if rewarded rather than prosecuted. So yeah... pass that pipe.

    116. Re:ridiculous by Irish_Samurai · · Score: 1

      I think the problem with this is that the student was asked to show the security flaw. When he did, he was punished. Looks like a case of "You wouldn't have found it if you weren't where you weren't supposed to be." This is typical public school, Zero Tolerance BS. The "computer teacher" probably was embarrassed, and had a little backroom talk with the principal to cover up his lack of knowledge. Once he convinced the principal that the student was the problem, while saving his own ass, it was all downhill for the student.

    117. Re:ridiculous by Malc · · Score: 1

      Indeed. Stating that you've destroyed the data you retrieved isn't going to be good enough. How do you prove that you did? Somebody with criminal intent will lie and say exactly the same things. It's just not worth putting yourself in that position.

    118. Re:ridiculous by AviLazar · · Score: 1

      Demonstrating to them that the system is not secure doesn't work, because they don't want to believe the problem is with the system -- which implies that the administrators are the problem

      It is not that they do not want to know there is a problem, and it's not that they aren't willing to fix it. It is the fact that the person did not follow proper protocols. Much of that information is under "lock and key" and allows for people with specific authorization (NDAs, bonding, security clearance, etc). By gaining access to this information w/o getting this clearance you broke their security measures. And they may have to (per their contracts, insurance, law) prosecute you. OR they just want to show that doing this sort of thing without permission (it is sort of like being a vigilante) is not acceptable.


      Really I have no sympathy for intelligent people who fail to utilize a little bit of judgement. There are plenty of articles out there that show people who get in trouble for doing these things (i.e. this article).

      --

      I mod down so you can mod up. You're welcome.
    119. Re:ridiculous by Anonymous Coward · · Score: 0

      Anytime I reported a security threat it got pooh-poohed.

      Until that time I printed Pam Anderson naked on a beach from one system in the High School to a printer in a 6th grade classroom. That got their attention fast.

      It also got me suspended for five days (impacted my grades as I failed everything for five days), and banned from using computers in the high school for my entire sophomore year -- unless it was a class trip to a lab and required. Oh, and I wasn't allowed to enroll in a class that was computer based either.

      Needless to say, I became a legend in my own right.

      After that episode, they started to listen, even asked me to help support the computers in the High School my junior and senior years. Better to use me and keep me happy than to piss me off, I guess.

      The place was mostly run on Macs, mind you.

      That didn't stop me from putting "Conan the Librarian" on a particular asshole teacher's computer remotely. Or from installing NetBunny in the yearbook / newspaper computer room (and triggering it during yearbook editing). God was that funny. I could hear the people yelling as the bunny went from one computer to the next and I was clear down the hallway.

      Having worked for the IT guy for the schools actually taught me a lot. Like admin passwords for nearly every box in the school, and his habits of how to track people down. I was never caught for the Conan or NetBunny incidents. They were one-time shots, and most people played them off as freak accidents or people just being silly and making up weird stories. Who would believe a jackass teacher claiming his computer was telling him to "shut up?" Bwahahahaaaa.

    120. Re:ridiculous by Anonymous Coward · · Score: 0

      Why

    121. Re:ridiculous by kyojin+the+clown · · Score: 0, Flamebait
      so, using a door to enter a house does not constitute 'entering'? are you all mad? -1 for inability to understand basic english vocabulary.

      i'm not trying to be a strawman, i'm trying to replace a flawed analogy. unfortunately i hadn't realised that it was only flawed because the author and his gimp are apparently retarded.

    122. Re:ridiculous by Fulcrum+of+Evil · · Score: 1

      Either way you lose. It's better to go for the first option and if it fails, quit. If you're so bothered that you'd risk getting kicked out and charged, go ahead and prove it to them.

      Option 3: write up a flier on how to break into whatever thing you've found the hole in and pass it around. Perfectly legal and likely to get a response ;)

      A few months later and I'm playing around with some harmless files I made cos I'm bored in IT class. About half a year later when I ask for more disk space, they check my files briefly, think I'm trying to hack (which I wasn't, nothing harmful was there, I was just satisfying my curiosity). They kick me out of school for 2 weeks, don't let me anywhere near computers for another week, and threaten to call the police if they suspect me doing anything I shouldn't ever again.

      Isn't this where you involve a lawyer? They really don't have the right to suspend you for coding random bits of stuff.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    123. Re:ridiculous by Jasin+Natael · · Score: 1

      Hear, hear! Excellent description. In fact, sometimes it seems like the /. community has a collective lack of understanding of social motives. Fear of (other people | loss of revenue | technology | changes in the way company 'X' does business) and the resulting actions to defend oneself from the perceived threat account for a huge percentage of the articles posted here, but often they seem to be ignored in favor of a technical analysis of the situation.

      In more extreme terms, think of a police department. Shouldn't they have a right to arrest and/or detain someone who (even innocently) gains access to a network of personal data about police officers (to protect the officers), or criminals (to protect the intruder)? This is one of the questions where the letter of the law gives way to survival instincts -- and it's in the interest of society, since these are people upon whom we depend.

      It's not so different when the network has information about the student's whole world -- friends, enemies, and their authority figures. Until they know why and how the students got in, and what other students may have gotten information from them, the students may have to bear the burden of proof, and may suffer for it in the short term. In today's school system, teachers or administrators could lose their jobs over this, especially if it was a sanctioned test. Do you think anyone who voted for that vendor's software in committee will be ousted? I sure don't.

      I just hope that, if these students truly were trying to help, they don't suffer too badly for it. There needs to be a clear channel for these security concerns, or a clear and exception-free condemnation thereof coupled with adult, external review. What's to prevent students from exposing flaws that have nothing to do with the technology, like the fact that their English teacher keeps her password on a Post-It stuck to her monitor? Maybe students just shouldn't be granted any rights to muck around in a system meant to control and evaluate their activities.

      <sarcasm>Or maybe we should let students play in these networks without overly-strict rules. I mean, it hasn't hurt society as a whole to let the President, DoD, RIAA, MPAA, or any other industry groups influence Congress, has it? Who cares if they get partial control of their own regulation & evaluation?</sarcasm>

      --Jasin Natael
      --
      True science means that when you re-evaluate the evidence, you re-evaluate your faith.
    124. Re:ridiculous by NanoGator · · Score: 1

      "How much do you want to candy coat crimes?"

      I'm not advocating candy coating of crimes. Rather, I don't think we should be pouring blue cheese dressing all over them.

      --
      "Derp de derp."
    125. Re:ridiculous by Anonymous Coward · · Score: 0

      Tell all the other students how it was done. Guaranteed it wasn't fixed...none of it. Tell them all, watch the system fall.

    126. Re:ridiculous by Anonymous Coward · · Score: 0

      Yeah, but the web server they have running is serving a public website... i.e., doing exactly what a web server is designed to do. They couldn't possibly disable enough features to make the website unhackable if you can still access it with your browser.

    127. Re:ridiculous by davidesh · · Score: 1

      Guess I'm not following that one? Personally I hate blue cheese, it grosses me out...

    128. Re:ridiculous by ScentCone · · Score: 1

      Point is, they didn't notify someone of a vulnerability... they took private info, and got caught (rather than stepping up). This wasn't about them being good sports.

      --
      Don't disappoint your bird dog. Go to the range.
    129. Re:ridiculous by Anonymous Coward · · Score: 0

      Whoa! Where did the gun come from? Even in Texas, a whole lot of robberies are done at knife-point, or some other weapon (think baseball bat).

    130. Re:ridiculous by iamacat · · Score: 1

      If there is indeed a flaw in DoD system that endangers the public, I absolutely want someone to prove it by releasing some unclassified data that couldn't have been obtained elsewhere. People responsible for these computers would be risking jail time. I wouldn't trust them to own up to their mistake. If someone contacts them privately, they might lock up that person in jail as a "national security risk" and add some security-through-obscurity rather than a fundamental fix.

    131. Re:ridiculous by ScentCone · · Score: 2, Insightful

      No, my analogy is spot on. Pretending that cracking into a system is just a benign way to demonstrate the vulnerability of that system - out of the sweetness of the students' innocent little hearts - is BS. Nothing would have come of this if they hadn't been caught. The man hours that have to be spent evaluating whether any data was corrupted or exposed to the wrong people (and the enduring risk that it was, even if it can't be detected) is every bit as damaging as the man hours that will have to be spent repairing the broken window. In both cases, the students set off a damaging/costly chain of events. The difference is that once they replace the window, there isn't really any dangling question of whether or not even more future damage will occur from the original event. With stolen SSNs, the damage could be very costly, career/finances-ruining, and so on.

      We're not talking about infringing on someone's copyrights here... we're talking about unlawful access to and use of a system, which is treated just like trespass and theft for a reason. Having a legal copy of media, and doing something illegal with it (such as giving it to 1000 people) is infringing. And even though that's every bit as bad as stealing something physically if the assigner of the copyright doesn't want you to do it, it's handled differently than theft. But when the person has their hands on something (like faculty social security numbers and private information) that they had no permission to access, they're in completely different territory.

      Those are separate points though: my analogy was intended to illustrate the absurdity of claiming a get-out-of-jail-free-card just because (after getting caught) the crackers said they were exposing a vulnerability. You could make the same argument about picking the lock on a teacher's car door, or (by any means) gaining access to something or someplace you're not supposed to be. And that makes the argument BS. It's even more BS when you take something (which, Gee!, they claim to have later deleted) to somehow prove your point. Except, they weren't planning on making a point - because they weren't planning on getting caught.

      Breaking through the security on the school's IT system, or breaking through a lock on the office's doors, are the same thing. Getting caught should result in the same thing. When a student notices an unlocked door to an A/V storage room... are they doing the right thing when they tell a school official, or are they doing the right thing when they grab a laptop and a video projector and stay quiet, claiming later, when someone discovers the loss (and their fingerprints) that they were being good citizens and helping the school see a vulnerability? If you go to a lot of trouble to split hairs over the granularity of this analogy, rather than simply seeing the basic ethical truth of it... then you're just exercising that part of your brain that makes you feel better about pirating music. That's my guess, anyway, Mr. Anonymous Coward.

      --
      Don't disappoint your bird dog. Go to the range.
    132. Re:ridiculous by AviLazar · · Score: 1

      The problem is, how will that someone know what is releasable and what is not? Also classified data is probably in a more secure system than non-classified - hence classified.

      In the end, the person needs to go through the proper channels or get in trouble. Imagine if it was publicized that you knew how to easily crack into the DoD....who do you think will get you first? The DoD, the CIA, the FBI, or some terrorist group that will ensure you help them out.

      The only way people responsible for these computers would risk jailtime was if they did something grossly negligent with the intent of hurting our nation...just making an honest mistake will not net you jailtime...it probably won't even get you fired...they will just say "learn and try not to repeat."

      If someone contacts them privately, they might lock up that person in jail as a "national security risk" and add some security-through-obscurity rather than a fundamental fix.

      That is very understandable...if you do not have the proper security clearance, how are they to know you won't leak out the information (on purpose or accident)? Classified material is that way for a reason - and if someone wants to try and crack into a known classified area without permission they deserve what they get.

      --

      I mod down so you can mod up. You're welcome.
    133. Re:ridiculous by Fulcrum+of+Evil · · Score: 1

      Like stealing someone's wallet without him noticing it? Then you can give it back to him to show him you were able to do it and I bet he will thank you with his fist in your nose.

      Jim: Hey Bob, your wallet's hanging halfway out of your pocket.
      Bob: really, I've always worn it like that.
      J: Someone could grab it and you'd never even notice. Wanna see?
      B: Sure, show me.
      //J grabs Bob's wallet
      J: Maybe you should put it some other place...
      B: Damn, I didn't feel a thing!

      Yeah, I can see how that'd earn a punch in the face.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    134. Re:ridiculous by notasheep · · Score: 1

      How is this a victimless crime? Lots of people's identity and finances were put at risk. The fact these kids were doing enough probing to find the hole shows a lack of common sense.

      Or maybe you'd like criminals to come in to your neighborhood, case out all of the houses, and break in to yours when you're not there. Hey if they don't take anything they've done you a favor by showing you your security issues.

      Instead of calling the police you'd probably write them a big check, right?

      --
      Your mind looks a little cramped. Why don't you stretch it a little?
    135. Re:ridiculous by grumpyman · · Score: 1

      Totally agree. Try to prove someone's home security system is insecure by breaking-in without breaking stuff, rearrange the entire house furniture, and get out without a trace. Now call the home owner. But in this case it was the authority that caught them first.

    136. Re:ridiculous by guaigean · · Score: 1

      This is precisely why a lot of schools (and universities) are switching to Student IDs rather than SSN. A Student ID performs the same job in acting as a unique identifier, and if the number is compromised it limits any malicious actions to the school only.

      --
      Microsoft Sucks, F/OSS Rocks. I get mod points now right?
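The identifier swap described in comment 136, as an added example that is not part of the original thread: it replaces the SSN key with a random student ID, moves the SSNs into a separate mapping, and then scans the roster for SSN-shaped leftovers. All names, fields and records here are hypothetical and constructed for illustration.

```python
import re
import secrets

# Constructed sample records keyed by SSN (not real people; area number 000 is never issued).
SAMPLE_RECORDS = [
    {"ssn": "000-12-3456", "name": "Student A", "grade": 11, "notes": ""},
    {"ssn": "000-65-4321", "name": "Student B", "grade": 12,
     "notes": "transfer form lists 000-65-4321"},  # SSN left behind in free text
    {"ssn": "000-11-2222", "name": "Teacher C", "grade": None, "notes": ""},
]

# Nine digits, optionally dash-separated 3-2-4, not embedded in a longer digit run.
SSN_SHAPED = re.compile(r"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)")


def new_student_id(taken):
    """Return an unused random ID ('S' + 8 digits) that is not derived from the SSN."""
    while True:
        candidate = "S" + "".join(secrets.choice("0123456789") for _ in range(8))
        if candidate not in taken:
            return candidate


def split_records(records):
    """Split SSN-keyed records into a roster keyed by student ID and an SSN vault.

    The roster is what day-to-day school systems would read; the vault is the
    only place SSNs remain and is assumed to be stored with much tighter access.
    """
    roster, vault = {}, {}
    for rec in records:
        sid = new_student_id(roster)
        roster[sid] = {k: v for k, v in rec.items() if k != "ssn"}
        vault[sid] = rec["ssn"]
    return roster, vault


def find_ssn_like(roster):
    """Return (student_id, field) pairs where a roster key or value still looks like an SSN."""
    hits = []
    for sid, fields in roster.items():
        if SSN_SHAPED.search(sid):
            hits.append((sid, "<key>"))
        for field, value in fields.items():
            if SSN_SHAPED.search(str(value)):
                hits.append((sid, field))
    return hits


if __name__ == "__main__":
    roster, vault = split_records(SAMPLE_RECORDS)
    for sid, field in find_ssn_like(roster):
        print(f"roster entry {sid}: field '{field}' still contains an SSN-shaped value")
```

Dropping the `ssn` column is not enough on its own: the scan flags the free-text `notes` field, which is where such values tend to survive a migration.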
    137. Re:ridiculous by Fulcrum+of+Evil · · Score: 1

      That had you requested it, by law they must provide you with an ID number to use in lieu of an SSN

      Your bank and mortgage company use your SSN to report tax information. Your uni should have known better, though. Most will give you an alternate ID - how do you think they handle all the foreign students?

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    138. Re:ridiculous by Anonymous Coward · · Score: 0
      Or you could start randomly changing people's grades. Or have people pay you to change their grades. Or blackmail people into paying you to not change their grades to C's and D's. Or you could blackmail someone into paying you so you don't change all their grades to A and then report them. Or...

      Yeah, that wouldn't get the school computer geek beaten up or anything...

    139. Re:ridiculous by Anonymous Coward · · Score: 0

      That's why you do your demos anonymously...

      They cannot punish someone if they do not know who they are...

    140. Re:ridiculous by GregoryKJohnson · · Score: 1

      I think you misunderstand his point. He thinks it isn't theft, but he doesn't think it's right (although, I presume, he does think it's less wrong). Since the aspect of theft that has traditionally made it objectionable is that it deprives the owner of the item, it seems entirely reasonable to use different terms for the acts, even if they're both objectionable.

    141. Re:ridiculous by AgentAce · · Score: 1

      Crime, even for a good reason, is still crime, and if we don't enforce the law all the time, we might as well not inforce it at all.

      Perhaps you could learn how to spell first, the word is enforce. So much for credibility.

      Not to mention there's a huge difference between demonstrating that a vulnerability exists so that intangible property "may" be stolen, then notifying the proper people and breaking into someone's house and stealing physical property for self-gain.

      "Cyber Crime" law, along with a ton of other useless laws need to be rewritten or just repealed.

    142. Re:ridiculous by antin0de · · Score: 1

      These students can only be commended for looking out for their peers' privacy. However, the fact that before they could come forward they were 'caught' puts their motive in question. To this, I can only say they were wise to keep quiet. There are too many horror stories of kids suffering disciplinary action for far less alarming intrusions than this, even when intentions were good. I think the schools would rather demonize the little bastards than admit they had poor security. Which is why I never notified anyone of the gaping hole I found (locker combos, demographics, health info, etc...)

      --
      Holla.
    143. Re:ridiculous by m3rajk · · Score: 1

      lmao. ms actually responds even then??? please. there was a javascript problem that all scripts based on it shared. it was announced in an irc room by the person that found it. took mozilla/netscape/firefox 8 hours to get a fix.
      jscript, microsoft's javascript rip off, was also affected the same way. even after dozens of demos, ms still denied it was there. after a week of having demos on the web, they finally admitted it. then it took them another week and a half to fix.

      and that's the best response time i can remember from microsoft....which is precisely why this whole "we'll ignore the fact our ignoring the sandbox made massive problems for our os/browser/email and instead go into av/spyware" thing is very scary.

      as soon as they gain the majority marketshare the response times should end up getting cut down, because that's what happens with everything they do.

      they need to be chopped up into an os company and a software company, if not farther than that.

      it's like the robberbarons of yesteryear. remember rockefeller? jpmorgan? these people owned parts of every facet of life, or tried to, making them not just monopolies of one facet (say os) but controlling how the people making the regulation make them. which was a danger to the populace. this is why there are anti-trust laws. unfortunately, the republicans killed that by letting microsoft win that case by pulling out.

    144. Re:ridiculous by Cramer · · Score: 1

      Well, then you are the exception. The world wide standard for handling security is to shoot anyone pointing out any flaws. NCSU's standard policy was (might still be) to punish anyone pointing out any security issues -- "because how else would you know there's a flaw but by having exploited it?" This is, of course, very lame logic as students run across all kinds of things by accident. All such policies do is make sure no one ever reports anything.

    145. Re:ridiculous by m3rajk · · Score: 1

      i graduated hs in 1998. a friend of mine was the network/system admin in the hs.
      yes. i am serious. the kid is also one of those freaks that NEVER re-writes code. it always goes perfect the first time. and here's the scary thing, back then he generally wrote code with his back to the computer talking to friends.
      at least while he was at school.
      people think i'm talented. i am. i tested out of those courses too. but i'm nowhere near his level.
      i know precisely what you mean. unless you show yourself as already mostly matured to someone the staff feels they can respect, they won't listen to you.
      i doubt most people with andy's talent have that much respect from the teachers. he's extremely diplomatic. i wish i hadn't lost touch with him since graduating. it's been about 3 years since i spoke with him last.

    146. Re:ridiculous by Phred+T.+Magnificent · · Score: 1

      The problem with that is, some of the data in the computers at your school / workplace is about you. If you do nothing, your data remains under the same risks as everyone else's.

      The hard question, though, is: At what point do you decide that your risk is greater by doing nothing than by reporting the problem?

      --
      Where is the wisdom we have lost in knowledge?
      Where is the knowledge we have lost in information?
    147. Re:ridiculous by Marnhinn · · Score: 2, Interesting

      I was a student at a local JC some years ago when I was given a similar choice.

      I had written an assigned research paper for Eng 111, on security flaws, physical and electronic, in the school's network. I turned the paper in and didn't think anything about it. About a month later, I was called in by a couple of lab supervisors and asked to "demonstrate" some of the flaws. (It was a surprise, as I didn't know my paper had been circulated at all.)

      I asked for a paper stating that I had permission to do so (signed by Dean of Students), and was told that was too much of a hassle to get, and not to worry. Since I was unable to get one, I declined to demonstrate...

      It proved to be the right choice. The lab admins, got another person I knew out of a System Security class (IS 370?) to demonstrate. He was successful, but when the results of his work were sent to higher ups, he got fried (since they hadn't approved of his work and didn't want to spend money to fix the problems). He was ultimately dismissed from the college and was unable to finish his degree there.

      I look back, and consider myself lucky. If you're going to show up a "paid professional", get a document giving you permission to do so, not from them, but their boss / superior - always.

      --
      There is always a frontier where there is an open and willing mind
    148. Re:ridiculous by Sancho · · Score: 1

      Precisely. Finally, one reasonably intelligent poster.

    149. Re:ridiculous by Anonymous Coward · · Score: 0

      We don't owe them anything, true, but they owe us the security of our privacy and grades.

      We don't owe our politicians anything, but that doesn't mean we shouldn't vote.

    150. Re:ridiculous by Laz7 · · Score: 1

      As a high school network administrator, I can tell you I am pleased when students bring me items that have escaped me and show me errors in my security layout.

      The last one who did got a summer job for two years and is now in a Comp Sci program at university (he will be working with us again this summer).

      Not everyone is like the people you ran into.

    151. Re:ridiculous by swillden · · Score: 1

      It is not that they do not want to know there is a problem, and it's not that they aren't willing to fix it. It is the fact that the person did not follow proper protocols.

      I disagree.

      Although these students clearly did something foolish, my point is that even had they followed proper procedure (assuming they could determine what said procedure was), they almost certainly would have been ignored as long as all they did was talk.

      Somewhere among the other comments about this story is a perfect example: A student who claims he discovered he could get into the grading system and took the information to the principal. The principal didn't believe him and called in the computer teacher to help analyze the kid's story. The teacher asked the kid to demonstrate the problem and the kid complied. The student was then banned from using any of the school's systems, and forbidden even to bring his laptop to school.

      Now, there's certainly a strong possibility that the above story is slanted in the student's favor, but the story as it stands is believable, because things like that happen all of the time.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    152. Re:ridiculous by AviLazar · · Score: 1

      Protocols are easy to follow:

      1) Ask for permission (in writing)

      2a) If you do not receive permission do nothing.

      2b) If you receive permission do the job

      If after you have done the job you still get penalized - sue the living tar out of them and show your contract.


      Not that hard, especially for someone smart enough to hack; and I would presume that they have heard some of these "nightmare" stories, and seen EULAs, etc.

      --

      I mod down so you can mod up. You're welcome.
    153. Re:ridiculous by deaddrunk · · Score: 1

      If someone broke into my house to expose the flaws in my alarm system, I'd be furious with them. How is this different?

      --
      Does a Christian soccer team even need a goalkeeper?
    154. Re:ridiculous by Master+of+Transhuman · · Score: 1

      "Would you feel so cavalier about this if, instead of say MS files, someone busted into the DoD and got information about Nuclear Weapons? And then if the person said "but I safely destroyed the files" would you still be comfortable about it?"

      In fact, this is exactly what Navy SEAL Richard Marcinko's "Red Cell" SEAL Team did to the Navy. His team broke into Navy nuclear weapons lockers, put IEDs next to sub reactors on nuclear subs at Groton, broke into Navy offices and stole classified documents, and got several SEALS with several pounds of C4 within twenty yards of the President's cottage at Camp David.

      All with the "permission" of his superiors since his job was to test military security. (I say "permissions" in quotes because he normally operates on the "UNODIR" principle: "UN Otherwise DIRected, I'll do whatever I please.")

      In response, they charged him with bogus theft charges, convicted him, sent him to Federal prison (camp) for a year - whereupon he got out and wrote a book about it proving the US military a bunch of morons when it comes to security.

      So, yes, sometimes you have to break the law to prove the authorities are incompetent - but you can expect to be punished for it.

      Civil disobedience at its best.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    155. Re:ridiculous by Peaked · · Score: 1

      Except, of course, the fact remains that their SSN were accessible along with everyone else. If they were doing this to expose a security flaw (which is quite unlikely as they never exposed it), then it was in their own interest in addition to any higher motive.

      That said, I find this all rather funny. Hinsdale Central is my high school's rival school. :)

    156. Re:ridiculous by Queer+Boy · · Score: 1
      The better thing to do [both then and now] would be to have someone from the media with the informer.

      This worked for me when I was in High School. After school I used the computer labs to print out some material that was homosexual in nature but not explicit. I left my disk in the lab (on accident) along with a bad copy of what I was printing out in the trash.

      My floppy used Stacker to compress the info since it was almost always going to be text I could get a huge amount of documents on a floppy. On my floppy were like 10 other people's papers for English class (because I always remember my disk and they don't). I was informed by the computer lab teacher that she had to open all the files to find out who the disk belonged to despite knowing that I was the only one using Stacker to compress my floppy (she had to give me permissions to run the program).

      A trip to the principal's office and talk of expulsion came up because they claimed I "hacked" into the computers to get the papers. They also brought up the bad copy of the materials I printed out (which, before you make a comment, was not against usage policy). I told them I didn't believe that I was in there for what was on my disk but instead for what I printed out. Their faces went white. I told them that if I was expelled it would look bad for the school. Is that a threat? No, anytime a student is expelled it looks bad for the school.

      The thing is school districts and school officials at that time were getting taken to court (or settling with lawyers) over things like taking a same-sex date to school dances or for cross-dressing and the media loved to be the champion of the high schooler. Incidentally, schools always lose in things like that, THANK YOU Mary Beth Tinker!

      If you're not doing anything illegal, ALWAYS go to the local news if you're in danger of expulsion from school.

      --
      Not since Marie-Antoinette played milkmaid has looking simple and honest been so fake and complicated.
    157. Re:ridiculous by Anonymous Coward · · Score: 0

      You do realize that you completely fucked up on this one, right?

      Not only is the administration angry at you, but if your fellow students had any idea what was going on, they'd probably label you an ass-kissing jackass who got their games and IM taken away. Not a good way to make friends.

    158. Re:ridiculous by AviLazar · · Score: 1

      I am not familiar with Marcinko's incident so cannot comment on it.

      You feel that breaking the law may be needed. I feel that when it compromises certain pieces of data (classified, my social security number and other personal information) it is wrong.

      For example, let's say someone felt they needed to crack into IBX to prove to IBX that their security is faulty. While I trust IBX with my confidential data, do you think I trust this good Samaritan? No, I do not. He circumvented the system and I do not know what he is going to do with that data. Maybe he will destroy it, maybe he will do something bad with it. Maybe someone will hack him.

      More like civil disobedience at its worst. These people were not complaining about a bad legal system, unfair practices, etc.; they were trying to prove the security system was bad. While a noble act - they simply failed to do the proper thing and get permission - and that makes them guilty. In other words, what if they saw the medical records of the students at the HS? Now they find out one of the kids in their class has HIV. Now they, in confidence, tell their friends this - everyone in the school knows this kid has HIV and he gets treated as an outcast...what a shame that would be.

      --

      I mod down so you can mod up. Your welcome.
    159. Re:ridiculous by drinkypoo · · Score: 1
      We're talking about copying some information, not breaking in (which often involves damage to property itself) and walking off with a physical item. The two are not remotely analogous.

      As for your statement about crime being crime, that's bullshit and you know it. First of all, we have three classes of "crime" - infractions, misdemeanors, and felonies. Secondly, it is well-known that not all of our laws make sense. Some of them are obsolete, and some of them were pushed by private interests and do not benefit society as a whole in any significant way, but provide great benefits for an elite few.

      It should certainly be illegal to break into a computer system that is not yours. It should be illegal to copy personal data with the intent of using it for illicit purposes. It should be illegal to utilize that data without the knowledge and consent of the individual to whom it applies, which isn't true now, if you are "supposed" to have access to it to begin with.

      In other words, these kids should get some kind of handslap, to remind them that if something isn't yours, you're not supposed to screw with it without permission. However, provided they haven't done anything bad with the data they collected, I don't think you can reasonably punish them very heavily.

      I especially like your last sentence - I wholeheartedly agree. We have at minimum ten times the laws we actually need.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    160. Re:ridiculous by drinkypoo · · Score: 1

      In the case of students breaking into a school computer system, it is unlikely that they could legally obtain access to the software and configurations that are utilized by the school. You do have a point about permission, but since I have not RTFA I don't know what was in their heads at the time.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    161. Re:ridiculous by SeventyBang · · Score: 1

      You'd be surprised how many I knew. If it's for the bragging rights and not for the purpose of doing right, then whatever happens as a result is just deserts.

    162. Re:ridiculous by drinkypoo · · Score: 1

      Gotta work the sex angle in there, eh? Maybe she's an exhibitionist. This is more like sneaking into her house, and reading her bank statements.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    163. Re:ridiculous by Anonymous Coward · · Score: 0

      Hey, I did this too! Back in '96, I found a back-door into the Labmanager software that controlled my university's student computer accounts. (plain text override password in the login shell script - the script was sitting on a publicly accessible server!!)

      I anonymously emailed the guy who wrote the script first saying that he should fix it. When he didn't after a week, I exploited the flaw, and downloaded a database of about 30,000 student account#s, last names and ssn#s, and then mailed part of it to him. I held on to the database for a few weeks - it was fun being able to call people by the first name once I knew their account # - but then I eventually deleted it once I got bored.

      I probably would have been prosecuted if I'd been caught, but I was careful to never leave any identifiable info around. I "downloaded" the database from a public lab where I didn't have to sign-in, and I did it by PGP encoding the whole thing, and posting it to "alt.test" in small chunks, then I downloaded the posts from elsewhere, then cancelled them.

    164. Re:ridiculous by SeventyBang · · Score: 1

      I agree it must be reported.

      My point is that if it is (or must) be declared, you'd better have a good defense on your side. And that means arranging one in advance. Another student or a parent will not do. You're looking at severe legal consequences[1], no matter how small the scale you perceive it and how benevolent you consider your efforts.

      This is why I said grabbing the media and giving them an opportunity to be in on this from the beginning. No matter what the school does, the media has the ability to supersede the school's actions and can bring a lot more pressure than you and a peer can.

      It's one thing to be looking at this from a set of young eyes and an entirely different one for those of us who are probably old enough to be your parents and providing you [free] advice. This isn't just from what might happen.

      If you cannot get the media, I'd schedule a meeting with your parents, the principal, and a couple of teachers you know do not "travel in the same circles" and perhaps some who do not even know you as a student. This would make them a bit more objective than "Johnny was such a good student. I know he'd never do anything wrong." You need someone impartial there. I'd also consider having a video camera there along with someone who actually knows how to run it and doesn't run into a situation like True Lies. Also, don't focus on the keyboard & screen, but the people in attendance - the dialogue, etc.. And during the activities, it would be good to describe what is being done (not character-by-character) in general for the record on the camera.

      Regardless of the hurdles you have to jump before preparing evidence, if you do it alone, you have nothing to show your intentions. You may have good rapport with your principal and they will thank you. But if you don't...you may be the next one to Free {your name here} !



      [1] Free Kevin!

    165. Re:ridiculous by Anonymous Coward · · Score: 0

      Just how likely is it that DoD computers containing sensitive data are even connected to the outside world?

      Not every computer is connected to the internet, you know. All the crap about hacking army sites or whatever is just that. Crap. They don't have sensitive stuff connected to the internet; yeah, if you got a terminal in the Pentagon or something you *might* be able to find something interesting. But that means you have to be on location, not in your mom's basement.

      Last time I was at the Pentagon we had a lot more checkpoints than going to the principal's office.

    166. Re:ridiculous by maniac/dev/null · · Score: 1

      The problem with information theft cases like this is you cannot 'return' the data, since in most cases you never 'took' it to begin with. This makes enforcement all the more important: these students may have had good intentions, and only wanted to point out a flaw in a private system. But they could also turn around and sell the list of SSNs to any number of people who would want them for who-knows-what. The only way to fully know their motives is to trust that they are telling the truth, and frankly I am not willing to trust my identity to these types of people.

      I agree that we have a number of stupid laws, but for a crime of this nature, a crime that can effectively ruin the victim's life (think credit scores, terrorist watch lists, etc.) I feel we need to totally discourage people from this kind of vigilantism. Go to the authorities, go to the principal, go to your elected officials, go to the media, but do not take matters into your own hands unless you are ready to accept your punishment for breaking the law.

      I feel it is far more important for these kids to learn respect for the laws as they are written today than it is to applaud them for finding this flaw in the computer system.

    167. Re:ridiculous by Anonymous Coward · · Score: 0

      If you can't imagine the negative ramifications (not just positive) of exploiting broken systems, in public and especially unsolicited, please don't ever quit your day job for a gig in the security industry. You would die of starvation.

      Your proposal to reward unsolicited white hats is akin to rewarding "good" burglars who break into your house but don't steal anything, just to show you that your house is vulnerable to "real" burglars. The damage was done by the example, because the assistance wasn't solicited, and therefore (A) the guys who break in were never authorized to do so, and (B) there is no agreement or guarantee that actual data/property will never be lost, damaged, or modified in any way. Hell, you shouldn't run tests on production data without backups and the authority/ability to restore from backups anyway, but these guys did.

      Bottom line: They showed up the people responsible for the data, fine. But they also put the data at risk without being authorized even to access it - greater risk than if they had never done anything (or better yet, submitted a pro bono security analysis proposal, if they were in the giving mood). If you're going to put a white hat on, you have to make sure people SEE it.

    168. Re:ridiculous by Anonymous Coward · · Score: 0

      The important thing to note here is if the IED and C4 they carried was real. You could stage a fake takeover using backpacks full of bricks for the same effect. However if they brought along REAL explosives then there was a REAL threat. Imagine if one of those SEALs had some second thoughts about what they were doing.

      Other than that I've never heard of the incident so I can't comment too much about it.

    169. Re:ridiculous by Anonymous Coward · · Score: 0

      Kinda funny how many exploits and problems have popped up with Firefox and stuff since it's started to become more popular.

      Looks like another case of security through anonymity. It's a lot easier to distribute a patch to all of your 200 users than to distribute a patch to 5 million people who mostly have no idea what a patch is.

      IMO a lot of the "security" with Firefox is that fewer people use it and those that do keep it updated and are paranoid. Those that use IE are a lot more common and include a lot more novice users who don't download the updates Microsoft provides.

    170. Re:ridiculous by networkBoy · · Score: 1

      Bingo (as far as I could tell in my case).
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    171. Re:ridiculous by Anonymous Coward · · Score: 0

      The question stands out: Who appointed you netcop?

      This type of public service, declined by the public, is not public service. It's vigilantism, if not just vandalism. You're acting like a bounty hunter sans prize, which is the stupidest kind of person there is. Submit a patch or whitepaper, write a letter to your MS and your Apple and CC your own damn website, whatever. Don't make a bet, write a proposal and put a price tag on it. At best, you get paid to point out the problem. At worst, you draw attention to the problem by attaching a monetary value to its severity (companies always want to know whether there's something they SHOULD be paying for). Anything. But breaking into a network/home/store for free, and uninvited, just to be the good guy is the most bassackwards thing I can think of, and that's what these kiddies did.

      I say be lenient on them just because they're kids, and kids are naturally ignorant. _Possibly_ punish them, but certainly do not reward them.

    172. Re:ridiculous by networkBoy · · Score: 1

      I never claimed to get the last laugh.
      I was merely demonstrating that even following a reasonable procedure of reporting a flaw, then demonstrating upon request was still asking for trouble. The only reason I was not expelled was that the DA said there was no case for prosecution.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    173. Re:ridiculous by networkBoy · · Score: 1

      The real problem (from what I can tell it hasn't changed in the 11 years since I graduated) is that you are in the minority, a very small one.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    174. Re:ridiculous by Anonymous Coward · · Score: 0

      Were you detained merely for demonstrating the security flaws, after you were invited to do so? That would have been terribly unjust, and I would sympathize with anyone in this situation.

      However, that's not what happened here. These kids were never authorized by ANYONE to do what they did. They just did it. They didn't demonstrate their greater power on request like the above scenario; they USED greater power and got caught.

    175. Re:ridiculous by Anonymous Coward · · Score: 0

      People often gloat that IIS is full of security holes. Yet when it's time to put action behind those words, they cannot. The site is still standing. So what you are saying is that MS security is indeed robust and unhackable? Well unhackable to most script kiddies that visit /..

    176. Re:ridiculous by gregfortune · · Score: 1

      Exactly. If those SSNs are compromised, I'd bet money it was someone else at that school who realized they had a ready made scapegoat to exploit. If those SSNs show up somewhere, everyone *knows* those kids did it, right? They really set themselves up for a fall...

    177. Re:ridiculous by Anonymous Coward · · Score: 0

      Crime is bad, wrong, and even immoral (I'll give you not evil). Obeying laws is right, disobeying is wrong. That is black and white.

      To live in a society with laws, disobeying the laws violates the law, and the social contract. Do you have a higher purpose in disobeying the law? Fine, your higher purpose might have been met, but you have still violated the social contract and have wronged me, a law abiding citizen, in a deeper, moral manner, even if I have no knowledge of your crime.

      Don't say it isn't wrong. Say that your ends justify the means, but don't say the means aren't wrong. There is a big difference there.

    178. Re:ridiculous by drinkypoo · · Score: 1
      Personally I feel if someone is actually harming the public, it's the people who make it possible to ruin your life with your SSN, by using it as a form of identification. It is explicitly never to be used as such except for financial purposes. My cellphone company is guilty of this, for example, and public utilities usually are as well. Why can someone get any information they want, or even get credit in my name, just because they know my name, DOB, and SSN?

      I strongly disagree with your belief that they should learn respect for the laws as they are written today. Too many people respecting that crap is what keeps them around. It's public opinion that matters most. If we saw kids getting thrown in jail because of these stupid laws every day, they would go away :P

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    179. Re:ridiculous by Danga · · Score: 1

      Is your shift key broken?

      --
      Hey, there is only one Return and it's not of the King, it's of the Jedi.
    180. Re:ridiculous by swillden · · Score: 2, Insightful

      If you do not receive permission do nothing.

      And leave the problems intact until they screw others and perhaps you as well.

      With a CYA attitude like yours, you really should work for the government.

      Granted, that's the way to stay out of trouble, but sometimes getting things done requires risking some trouble. I'm speaking in the abstract here, not necessarily referring to these kids.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    181. Re:ridiculous by bzipitidoo · · Score: 1
      Breaking into a computer system is more like bumping a cheap table full of glasses and having the wobbles send one to the floor. Whose fault is it if a bump leads to broken glass? The school wants to shoot the interested messenger. (Interested, because one of those glasses belongs to the messenger.) First the messenger warns them the table isn't robust enough. They don't listen, so the messenger takes precautions and then bumps the table and a glass falls to the floor without breaking. Now who is in the wrong? For real tables, in public places, the owners have no case if someone bumps their table. Either the owners live with the risk and accept that they have no right to complain if accidents happen, or they take whatever reasonable precautions are available. Rope off the area, use a better table, put down thick carpet, or something. Extremely unlikely, but maybe there isn't any solution, and they have to live with a breakable system. Before upsetting people, the messenger would do well to put the lie to such thoughts and be sure there is a good solution. Otherwise, the message could seem like saying "Glass is fragile! See?" and then breaking some.

      It's not just the school's "table" that is too weak. It's the wide use of the same info (in this case, Social Security numbers) as both public identity and as passwords to sensitive data. Having a social security number is like having a user ID on systems that don't use passwords. Having SSNs be public should be no big deal. Getting hysterical and heavy-handed is stupid. Yes, they're afraid of they know not what, same as those who burn witches. (Could be there's a bit of nerd hate involved too.) That's no excuse. The school doesn't get any respect. Nor do they deserve any. If the messenger really did go too far, the matter can be better handled with detentions, not jail.

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    182. Re:ridiculous by shaitand · · Score: 1

      There are numerous laws that are bad, wrong, blatantly immoral, and evil if anything is. Neither I, nor any other native born US citizen has agreed to the contract you speak of.

      You and I are separate people, I have no obligations or contracts to you. I have no obligation to participate in what you perceive as society in the manner you perceive I should.

      "Don't say it isn't wrong. Say that your ends justify the means, but don't say the means aren't wrong. There is a big difference there."

      No. There are a number of cases where the only moral action is to violate the law. That is not mere justification.

      Please, go back to your magic world of regulated morality. In my world the legal system defines the whims of corporations and the politicians they have bought and has no relation to right and wrong, moral or immoral.

    183. Re:ridiculous by Anonymous Coward · · Score: 0

      Why use firefox? Just right-click on the desktop, select New->Shortcut and type C: as the target...

    184. Re:ridiculous by Mattintosh · · Score: 2, Funny

      Really I have no sympathy for intelligent people who fail to utilize a little bit of judgement.

      Amen.

      I found vulnerabilities in the school network when I was in high school, too. I found an unprotected (no password!) super user named "Ron". I fiddled with it for a while, then I deleted everyone's user accounts. On a Friday. Monday morning, the accounts were back, "Ron" was replaced by "Rob", and the teachers had dark circles under their eyes.

      I repeated it with "Rob", "Roy", "Russ", and several other similar names. Mind you, all other accounts were like "jsmith" or "ajones", all first initial, last name stuff. These super user accounts were NAMED like a sore thumb. They could've named one "MOTHERFUCK" and it wouldn't have been any more obvious that it was a super user.

      They finally wised up and just assigned a group of teachers to be admins without the safety net of a backdoor account. They ditched Novell soon after, I hear, but that was after I graduated.

      And for those that want to know, I fessed up after I had my grades and transcript in hand. They said something to the effect of "well, at least we know that we can't trust anyone not to find a back door". Therein lies the lesson: don't tell them it's you until they have no means of harming you.

    185. Re:ridiculous by Gyorg_Lavode · · Score: 1
      During HS I messed around with the computers, got into the grade book server, etc. No hacking, just back doors. Mainly because I wasn't being challenged because I had run out of math/physics type classes to take.

      Anyway, at the end of the year I told a teacher about the problem and what to do to fix it. A month later a detective shows up at my door. Apparently I'd stepped on the sys-admin's ego and he'd pushed it to the police. On the other hand, they went through and rechecked all the gradebook files and found so many teacher-made mistakes that they dropped the whole thing.

      --
      I do security
    186. Re:ridiculous by swimin · · Score: 1

      I sent an email to my admins, explaining that I knew of a vulnerability that could get me Local System on any machine in the network, and then possibly use other exploits that I haven't thought of to get as high as Domain Admin.

      This scared them pretty bad. I had a meeting with them, and had Local system after 5 minutes (took me longer cuz they put scsi drives in the computers). They took me seriously after this, and are working with me to make the labs more secure.

    187. Re:ridiculous by Kadmos · · Score: 1

      Teachers *not* being power hungry? I know more teachers than I care to and the vast majority of them do seem to have problems with their (perceived) power.

      I haven't been in an educational institution for many years and teachers, for some reason, still feel the need to lean over and watch as I write. They also seem to have to point out if they think I am doing something wrong (in their eyes). I usually humour them because it takes too long to point out to them that I've been doing my job (and doing it well) for a long time.

      I am not sure if they have developed this way because they are so insulated from the outside world (many have not had any other job other than teaching), or possibly because they get to tell other people/students what to do all day long. Maybe because of this they also get quite upset when corrected about even very small things (I try to avoid it if at all possible).

      That said there are some good teachers out there. Those that teach people how to *think* for themselves, rather than think like themselves or to get students to mindlessly remember useless things. If anyone has had the unfortunate task of trying to recruit staff fresh out of school (or any educational institution) then you know what I mean (it's as if they are all Borg). Once out of school the stuff learnt there is essentially useless, it's the ability to think for yourself and initiative that are the real skills.

    188. Re:ridiculous by pclminion · · Score: 1
      Besides, breaking into systems without permission just to show they are insecure isn't necessary

      In this specific case, I applaud the end result but disapprove of the method. This is a perfect example of why social security numbers MUST NOT be used for general purpose identification. A number so important and central to an individual's legal identity shouldn't be requested for inappropriate purposes and stored on insecure systems. I'm glad the school has egg on their face.

      Did the teens do the "right" thing? To me, it depends on their motives. I'm a cynic, so I would tend to think these kids broke into the system because they could, or to show off. But the end result may be a positive one. If the school is forced to switch to alternate identifiers for students and teachers, that is a good end result.

      The message here isn't "Secure your systems." The message is, don't use fucking social security numbers as personal identifiers.

    189. Re:ridiculous by syukton · · Score: 1
      They don't care what your aim was, all they care about is that some kid is doing stuff they shouldn't be.


      Oh, so true. School has so little to do with encouraging and enriching the lives of children and so much to do with putting them into boxes and ensuring that you "know your place."

      A book I enjoy on the topic begins with this:

      The shocking possibility that dumb people don't exist in sufficient numbers to warrant the millions of careers devoted to tending them will seem incredible to you. Yet that is my central proposition: the mass dumbness which justifies official schooling first had to be dreamed of; it isn't real.

      http://www.johntaylorgatto.com/underground/toc1.htm

      This man, John Gatto, was NY State teacher of the year--the same year he quit, on the grounds that he wanted a career where it wasn't his job to hurt children any more. He's written a book called "The Underground History of American Education" which is available in its entirety online. Enjoy the read.
      --
      Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
    190. Re:ridiculous by jbplou · · Score: 1

      It's ridiculous to say they should be paid for committing a crime. If they knew a security flaw and wanted to show it to them they should have contacted a network admin and explained it. Your actions are what you are judged by, not your intentions. How would you feel if your personal info was in the hands of some kid? Sure, you'd be mad at the school but you'd also wish the kid never tried.

    191. Re:ridiculous by Dabido · · Score: 1

      I can't agree more.

      I was witness to a similar incident where I used to work where the Sys Admins claimed their systems couldn't be hacked. The System architect challenged them, and the Sys Admin Manager bet him a year's wages he couldn't do it.

      The second in charge Sys Admin gave him [the architect] the IP address of the machine they claimed couldn't be hacked.

      15 minutes later, the Architect had hacked into their system.

      The aftermath of the situation was the Sys Admin team denied giving permission and tried to get the architect fired. There was nothing in writing and if I hadn't been there to witness the bet, the guy would have lost his job.

      Get permission & get it in writing.

      Cheers.

      --
      Sure enough, the cow costume was hanging up next to the superhero outfit and sailors uniform. (S,Spud)
    192. Re:ridiculous by Master+of+Transhuman · · Score: 1


      SEAL teams - especially Red Cell - do not play, AFAIK. If they said they had C4, they had C4. Now, the IEDs they put on the nuke subs might have been fake, since you can't trust hardware and it would have been irresponsible to actually damage a sub's reactor in an exercise. But that didn't stop them from doing a lot of other stuff that actually damaged military property.

      In any event, the real point is the reaction of the Pentagon brass - they bombed Marcinko for being too good at his job and put him in jail.

      And the other point is that if you ask for permission - you won't get it. Nobody in a bureaucracy is prepared to take the risk that they're wrong. That goes against basic human nature. Which is why Marcinko always went around his command authority to get something done.

      A "tiger team" might be able to get permission from one level of bureaucracy to pen-test against the tech staff, but if the test exposes flaws in management decision-making, it will be buried.

      Look at Abu Ghraib - everybody involved except a few grunts has walked (or worse yet, been given medals and promotions) except the (female) general who gets busted for a phoney shoplifting charge...

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    193. Re:ridiculous by burdalane · · Score: 1

      Still, I can understand why they broke in instead of telling the school. It's much more fun to do something illegal, and other people's SSNs are a useful thing to have in case you want to steal their money or identity in the future. If you get caught, you'll just end up living on their tax money.

    194. Re:ridiculous by http · · Score: 1

      "Treason doth never prosper, what's the reason?
      If it does, none dare call it treason."
      - John Harrington ?

      --
      If opportunity came disguised as temptation, one knock would be enough.
      3^2 * 67^1 * 977^1
    195. Re:ridiculous by Haydn+Fenton · · Score: 1

      Heh, some of the things I've seen people excluded for are far less than this.

      One time a teacher started saying things about a student's dad not being around because they flew into the twin towers (the student was coloured), so the student complained about it, and somehow the school turned it around and excluded him.

      From my experience, they look after their own and if you're gonna start making claims, you could end up in more trouble than it's worth. Yeah, I probably could have got a lawyer and sorted it out, but it would be far too much time, effort and money considering how little long term damage was done to me. They didn't put it down on my record, so effectively I got a couple of weeks off school and that was the end of that.

    196. Re:ridiculous by cfuse · · Score: 1
      Treason, even for a good reason, is still treason.

      Unless your side wins, in which case you're a freedom fighter.

    197. Re:ridiculous by Anonymous Coward · · Score: 0

      I'm right with you on this... A couple of friends and I hacked our high school network to show the administrators 1:that we could and 2:that they had no idea how to administer a network. These two people ran many of the high school networks in the area and we ended up hurting their feelings I guess. They were threatening to notify authorities while the principal and a few other school administrators advised that they give us a job....

    198. Re:ridiculous by AviLazar · · Score: 1

      Granted, that's the way to stay out of trouble, but sometimes getting things done requires risking some trouble. I'm speaking in the abstract here, not necessarily referring to these kids.

      Please note that by do nothing I meant (and hopefully you did understand this) is do not go and try to hack on your own. You can still voice your complaints as usual which is doing something.

      If that is still not good enough for you, do not complain when you go to jail. Do not complain when the people who did it go to jail. Again, this is akin to being a vigilante - and that is simply not permissible.

      --

      I mod down so you can mod up. Your welcome.
    199. Re:ridiculous by swillden · · Score: 1

      You can still voice your complaints as usual which is doing something.

      If the something you're doing accomplishes nothing, then you're not doing something, you're doing nothing.

      If that is still not good enough for you, do not complain when you go to jail. Do not complain when the people who did it go to jail.

      I most certainly will complain, and loudly, as well as send money to the EFF or whoever else will step up and provide legal defense. Hacking that damages nothing, loses no data, does not publish private data and causes no economic loss, should at most be a fine-and-community-service misdemeanor, it should not be a jail-time felony. Especially when it is clear that the hacker's only purpose was to expose a real problem that might have been used by others to do real damage, so that the problem would be fixed. In that case, and if it can be shown that the hacker tried to bring the problem to the attention of those responsible and was ignored, then there should be no punishment at all.

      I think we need some legislation analogous to the whistleblower statutes to protect those who blow the whistle on bad security that affects the public interest, even if it's clear that it's necessary to demonstrate the flaw in order to get it fixed.

      The alternative (and the more likely course of events) is that society will eventually suffer so much economic damage due to lax computer security, that eventually it will be possible to go to the press and get a reaction. Unfortunately, that course is dangerous in two ways. First, because it will be very painful and second, because it may cause us to create -- and legislate -- draconian monitoring systems so that system administrators can leave their systems insecure, confident that if anyone does hack the system it will be possible to track the perpetrator down. As a means of obtaining security, this approach would be effective, but the problem is the other uses to which such monitoring infrastructure can be put.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    200. Re:ridiculous by hazah · · Score: 1
      So, of course, the logical course of action is punishment? That's the only way to solve a problem? That's the mentality that will put more people into a prison system that cannot sustain them. Good luck.

      Forgive me, but I still fail to understand why this should not be handled with simplicity and minimal uproar. All this is doing is glorifying an otherwise insignificant event. Now these kids have fame. Talk about a waste of money and attention span... again.

    201. Re:ridiculous by AviLazar · · Score: 1

      Hacking that damages nothing, loses no data, does not publish private data and causes no economic loss, should at most be a fine-and-community-service misdemeanor, it should not be a jail-time felony

      So you hope no damage happens. Again, how would you feel if someone got a hold of YOUR personal information? How would you feel if someone got the specs to a nuclear device and its codes? Hacking into national defense systems is a flat out serious offense even if you do not believe so.

      Especially when it is clear that the hacker's only purpose was to expose a real problem that might have been used by others to do real damage

      So let's imagine this scenario. A hacker is caught for breaking into the DoD. He has system files. He gets caught (I guess the system was working somewhat) and he says "Oh I was only doing this to prove your system is not 100% secure" then they slap him on the wrist with a minor fine and let him go home? And who is to say he is not working for a terrorist and gave them the information.


      Sorry, you simply cannot persuade me to believe that breaking the law in the name of helping a company out is the way to go. If someone follows the proper channels there is always a legitimate way...to say there is not is flat out bogus... there is always a way. If person A doesn't listen, go to B, and if he doesn't then C and so forth. If it is that important to your "cause" then you will find someone to eventually listen.

      --

      I mod down so you can mod up. Your welcome.
    202. Re:ridiculous by TheStupidOne · · Score: 1

      It is not that they do not want to know there is a problem, and it's not that they aren't willing to fix it. It is the fact that the person did not follow proper protocols. Much of that information is under "lock and key" and allows for people with specific authorization (NDAs, bonding, security clearance, etc). By gaining access to this information w/o getting this clearance you broke their security measures. And they may have to (per their contracts, insurance, law) prosecute you. OR they just want to show that doing this sort of thing without permission (it is sort of like being a vigilante) is not acceptable.

      I should have clarified this, but I was a student computer tech at the time. It was my job to fix the school computers, and I went and told them about severe security problems they had. I thought I was doing a good thing and fulfilling my job responsibilities when I notified them of the issues.

      So I didn't sign form RX12512 and submit RFC 14125. So what? I was a tech, and it was my job to fix the computers. I felt it was my responsibility to expose flaws in their system and to fix things the right way, instead of just wiping the drive and imaging it again.

      --
      unable to resolve function slashdot.sig(), aborting...
    203. Re:ridiculous by ScentCone · · Score: 1

      So, of course, the logical course of action is punishment?

      The logical course of action is consequences, and they sure don't deserve a reward. If they were looking for a reward, they'd be able to point out the paper trail they left while alerting the school system's IT people about the vulnerability. Or they'd be able to mention the time and date that they told their schools' principal about something just as bad as seeing the A/V storage room left unlocked by careless faculty. There are no such things to reference, because their intentions were not to defend the integrity of sensitive data, but to get a laugh and bragging rights out of taking it, with no intention of getting caught (classic high school hubris).

      If every time a kid broke into a house, a car, a purse, or a computer network, we handled it quietly, we'd lose the deterrent effect of the punishment. Plenty of rationality-challenged kids will still resist some activities because "that other kid in my school" got time/fine/whatever for doing the same, and it was known that's what happened. The last thing I personally want to see is the glorification of this sort of thing... but I sure as hell want the bored kid in the high school computer lab to think of lifting lists of social security numbers or other sensitive (and potentially very damaging materials) to be just as wrong (and full of consequence) as taking a not-bolted-down laptop out of that computer lab "just to show that he can" or "to demonstrate that people can steal things."

      Murderers get fame, too. There will always be people that, through a twisting of their sense of the world, will admire people who break into things, steal things, or take chances on a dare. Just like there are kids who think that the two twits who shot up Columbine are some sort of darkly attractive saints.

      Breaking into a school computer system, no matter how well or weakly defended, is a deliberate act. There is absolutely no ambiguity about it, and I doubt that the kids are going to use the defense that they are so dumb - to the point of being mentally defective - that they don't have the capacity for understanding right/wrong. Attempting to use the "it was for your own good" argument only after being caught, illustrates their ongoing hope that they can game the system. That attitude is exactly what requires the punishment.

      Personally, I think their punishment should be the random placement of their families' personal and financial data into places where honor and integrity play a role in protecting it, and then letting the families know that the information may (or may not) have been compromised. This way their parents can explain to the them that the erosion of their credit and the exhaustion of their time as they fight back from identity theft is one of the reasons they can't afford to send them anywhere prestigious for those computer science degrees. That way they'd get a sense of the anxiety that the faculty of the school (all people making not nearly enough money) are feeling (and now, must continue to feel), now that two idiots claim to have deleted their personal information after having been caught stealing it.

      That's the mentality that will put more people into a prison system that cannot sustain them.

      Most people actually doing time in actual prisons are repeat offenders. The longer they spend in, the lower the rate of recidivism, and the lower the crime rates tend to be. I don't think these two clowns would benefit from prison time - but they should feel the consequences of this sort of crap. Like, doing a few years' unpaid work for people who have lost money (or even careers) because of the side effects of identity theft.

      --
      Don't disappoint your bird dog. Go to the range.
    204. Re:ridiculous by AviLazar · · Score: 1

      I should have clarified this, but I was a student computer tech at the time. It was my job to fix the school computers, and I went and told them about severe security problems they had. I thought I was doing a good thing and fulfilling my job responsibilities when I notified them of the issues. So I didn't sign form RX12512 and submit RFC 14125. So what? I was a tech, and it was my job to fix the computers. I felt it was my responsibility to expose flaws in their system and to fix things the right way, instead of just wiping the drive and imaging it again.

      W/o knowing their end of the situation (what was their reasoning? I would imagine with disciplinary action they would have to give some kind of reasoning), that does sound bogus, and in situations like this I would advocate a lawyer (if you were in HS then have parents get a lawyer, or find a pro-bono advocate lawyer who wants his face in the papers for trying to right the wrongs done to an innocent kid).

      --

      I mod down so you can mod up. Your welcome.
    205. Re:ridiculous by Fulcrum+of+Evil · · Score: 1

      From my experience, they look after their own and if you're gonna start making claims, you could end up in more trouble than it's worth. Yeah, I probably could have got a lawyer and sorted it out, but it would be far too much time, effort and money considering how little long term damage was done to me. They didn't put it down on my record, so effectively I got a couple of weeks off school and that was the end of that.

      My parents have tangled with my high school before - they're basically pompous idiots. Kick them and they roll over. I got excused from my last period for freshman year because my gym teacher was more concerned about my uniform practices than my physical safety. If some teacher made a comment like that, I'd have her job.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    206. Re:ridiculous by hazah · · Score: 1
      I take it you're an idealist. That's ok, so am I. But what you say is just not practical. Consequences can be dealt with quietly. Giving fame is what causes the glorification. There's just no escaping that one. So it was a mistake to blow this out of proportion.

      Punishing the parent is a horrible idea. Let's say your kid does something stupid that costs millions in damages, however, at home, everything had always seemed to be normal. How exactly did you do anything wrong? You didn't snoop? You gave trust? You should feel guilt for trusting when you shouldn't have? What would be the reason? This is so arbitrary, because like it or not, kids, are just like any other person, only "in development". Yours or mine, they'll have their own minds.

      The deterrent effect of punishment is questionable.

      In your own words, you proved my point, not only are the prisons overfilled, they're overfilled with repeat offenders. 1. Deterrent of punishment???? 2. You're paying for it. Obviously, at your expense, the prisons do nothing of actual value to those involved.

      I think the one thing I agree with you on, is that they are clowns. And not very bright ones.

    207. Re:ridiculous by Anonymous Coward · · Score: 0

      Never do security testing without written permission.

      And if you do, don't be so dumb as to put your name on it. How obvious can it be that honesty has no place here? Just get the info out and let it be somebody else's problem.

    208. Re:ridiculous by swillden · · Score: 1

      So you hope no damage happens. Again, how would you feel if someone got a hold of YOUR personal information?

      You are presuming that deterring an honest person from getting in to demonstrate the existence of a weakness will prevent a dishonest person from getting in to exploit the weakness. That is a fallacious presumption.

      To answer your question directly: I would not like it if someone got my personal information out of a database. However, if the retrieval was made by an honest person attempting to force the system administrators to do their jobs and close off a weakness whose existence they were aware of but didn't consider important, I'd be angry at the admin, not the hacker. Plus I'd question whether or not my personal information should have been in that database in the first place.

      Here's a deal: I'll support prison time for honest hackers if you'll support prison time for negligent sysadmins. Actually, I think the *right* thing to do is to applaud the honest hackers (as long as their honest intentions can be proved) and jail the negligent sysadmins (as long as their negligence can be proved).

      By the way, if you add criminal penalties for negligent sysadmins, and some sort of compsec police, then your analogy with vigilantism becomes apt.

      A hacker is caught for breaking into the DoD. He has system files. He gets caught (I guess the system was working somewhat) and he says "Oh I was only doing this to prove your system is not 100% secure" then they slap him on the wrist with a minor fine and let him go home?

      Did he attempt to alert them of the existence of the weaknesses beforehand? Is there evidence that they blew him off? Is there any evidence that indicates he had plans to do something else with the data other than use it to blow the whistle on security problems?

      You have to answer those questions before you can determine a reasonable penalty (or reward!).

      If someone follows the proper channels there is always a legitimate way...to say there is not is flat out bogus... there is always a way.

      Many, many examples demonstrate the fallacy of your statement, both within the world of computer security and without. And, actually, the more important and more sensitive the information is, the harder it is to find a "legitimate" way to expose the flaw if the responsible parties aren't responsive to the complaints. Why? Because the more important the information is, the more important it is to avoid the sort of publicity that might force action. Publicity risks informing dishonest people who would abuse the weakness. The ideal way to force such problems to be fixed is to give the administrators proof they cannot ignore while alerting as few people as possible.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    209. Re:ridiculous by AviLazar · · Score: 1

      You are presuming that deterring an honest person from getting in to demonstrate the existence of a weakness will prevent a dishonest person from getting in to exploit the weakness. That is a fallacious presumption.

      Speaking of assumptions, where on God's green Earth did you get this assumption from? Where did I say that preventing a good Samaritan from entering will prevent a malicious hacker?

      However, if the retrieval was made by an honest person

      And how do you know they are honest? Because they told you so? If they were so honest why didn't they go through the proper channels? I am sure if something like this happened to you, you would be in an uproar.


      Here's a deal: I'll support prison time for honest hackers if you'll support prison time for negligent sysadmins

      Now you're just being plain old silly. That and you are assuming they are negligent which may not be the case. Just because a system is not perfect, doesn't mean the people are negligent.

      applaud the honest hackers

      For breaking the law? No, if they were "honest" they would have gotten permission to go through the proper channels. If after trying again and again and again they were ignored they could go to the press.

      You have to answer those questions before you can determine a reasonable penalty

      I do not have to answer those questions, his defense attorneys need to show those. But in all honesty, it doesn't matter. Nowhere in the law does it say "if the sys admin was negligent it is acceptable." Sorry, nope, notta. Not to mention (again), just because a system gets hacked does not mean it had poor security measures. It could have fine security measures - but nothing is hack proof...I would expect someone on /. to realize this.

      Many, many examples demonstrate the fallacy of your statement

      No that is false. There is always a way...the last resort is to go to the press. At no point should breaking the law be an excuse - you are putting yourself in jeopardy, ruining your credibility, and compromising data (again who is to say you are not hacked).

      Publicity risks informing dishonest people who would abuse the weakness

      You go to the people "hey your system is flawed." They ignore you over and over, so you give them warning "hey if you don't listen to me, I am going to the press." They have warning - they can even pull the plug on their system. Besides, you do not have to give the schematics to the vulnerability when you go to the press - just give them enough news so they can report it. Then when the organization calls you, you give them the schematics...THEN claim your reward.

      Obviously we do not agree on this topic, so let's agree to disagree.

      --

      I mod down so you can mod up. Your welcome.
    210. Re:ridiculous by ScentCone · · Score: 1

      they're overfilled with repeat offenders

      They're only overfilled if there isn't actually room for them, which is a separate issue from why they're there.

      People who commit a crime, face a judge/jury as a first-time offender of a not-too-horrible offense, almost always get off very lightly. They may do parole, or provide some sort of community service, make reparation to whomever they harmed, etc. Many, even most of those people learn from this - either they learn not to do it again, or (if they're smart but still mal-intented), they learn not to get caught again. But the people that demonstrate, through a repetition of their crimes, that they can't seem to muster the judgement or discipline to stop hurting people, stealing, etc... those are your repeat offenders, and that's who starts spending time in prison.

      We've got a cultural problem (lack of personal accountability) that must be addressed in order to stop the endless cycle of parents producing kids like that, who in turn become more parents like that. Education is the key. But if you haven't got a kid's sense of basic right and wrong drilled into them by elementary school, it's pretty much too late. You might refine that person, scare them out of being a career criminal... but critical thinking skills, an ingrained sense of ethics, a moral compass if you will - that's early, developmental stuff. I'm not saying it's hopeless, but people who are already in their late teens and twenties (and older) who repeatedly demonstrate their contempt for you and me (and our property, our money, our businesses, etc) by stealing, mugging, threatening, or even by spending all day on a computer looking for ways to hijack someone's credit rating... it may not be too late for those people to eventually turn themselves around, but by repeatedly being busted for crap like that, they're showing us that they can't be trusted not to keep doing more of the same.

      Consequences can be dealt with quietly.

      Not saying they can't be. I'm saying that other would-be offenders still have to know that there are consequences. For most young people, telling them that abstractly (in the form of anonymous case studies, for example) simply never connects.

      But, "Hey, did you hear about Billy? You know how he hacked into the school computers and took the faculty payroll info? Well now he's got to pay a $5000 fine, and since he doesn't have it, his parents are going to have to pay it, and he'll be working it off all the way through next summer. Probation, too, and he's not allowed to go to any school events or get his driver's license until he's 19!" can really connect with people who think Billy's "cool" or somehow glamorous.

      Let's say your kid does something stupid that costs millions in damages, however, at home, everything had always seemed to be normal

      That's what judges and juries are for. But kids are called minors for a reason. They don't have a mature point of view, and don't think through what they're doing. That's why a strong deterrent is a big thing, but parents with a vested interest in not having a hoodlum of a kid is an even better thing. Obviously a parent that can show how they were involved with Junior's daily life, and show that no reasonable person could have known that Junior was spending hours every day visiting web sites run by L334 Swedish H@XX0R5 looking for info on how to be a more effective script kiddie... well, a judge would have to agree that the parent has no culpability. Hence the word Judgement. But there are absolutely times when a kid's actions and general behavior is out of control, and the parents are simply uninterested in doing anything about it, leaving it up to academic instructors to be the parents. It's unacceptable. If the parents' attitude is that "we don't care what Junior does," then they also have to stipulate that they're essentially endorsing everything he does.

      This is so arbitrary, because li

      --
      Don't disappoint your bird dog. Go to the range.
    211. Re:ridiculous by swillden · · Score: 1

      Okay, here's a hypothetical:

      There is a database that contains sufficient information about a large group of people to steal their identities. I notice that there is a huge security hole that allows anyone with half a clue to walk in and take the data.

      I inform the administrators. They don't reply. I inform them again, in writing, and follow up with a phone call. They insist there's no problem, that I'm just being alarmist. I try to go over their heads, but their bosses don't respond to me.

      What should I do?

      I see three options:

      1. I can figure I've done my part and ignore the situation, except perhaps to continue complaining, even though nothing happens.
      2. I can go public with the information. Let's assume I find a reporter who will listen to me and can convince the editor to print the story.
      3. I can use the security hole to plant an "I was here" message, then tell the administrators what I have done, forcing them to confront the fact that the problem is real.

      What are the predictable outcomes of each approach?

      Which outcomes does society want to encourage? Discourage?

      Suppose you could rewrite the laws the way you want them, with the goal to ensure the safety of everyone's data. What laws would you make?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    212. Re:ridiculous by Decameron81 · · Score: 1

      When I said "...stealing someone's wallet without him noticing it..." I really meant it. Asking for permission before doing so kind of makes that impossible doesn't it?

      By the way, who the fuck is talking about hanging wallets? You might actually want to read my post before replying.

      --
      diegoT
    213. Re:ridiculous by AviLazar · · Score: 1

      I see three options:

      1. Continue complaining. Find different avenues, something might change.

      2. Go to the public. If it is important enough there are plenty of reporters who are interested in juicy material - especially when it is to protect the "little-guy"

      3. I do not recommend this. Likely outcome is you get in trouble. Do you want to go through a lot of litigation - perhaps sit in jail and/or get lots of fines? Not to mention you still may not change the system.

      Society wants things fixed. Society also wants us to obey the laws. They believe what the media tells them. If the people you hacked spin it right you could be made out to be a terrorist!

      Suppose you could rewrite the laws the way you want them, with the goal to ensure the safety of everyone's data. What laws would you make?

      With regards to this topic. No, I would not (as suggested by others) fine/arrest the sys admin. That is lame. It is very very rare where someone gets arrested for not doing their job and being GROSSLY negligent. It is almost impossible to get put in jail for an honest mistake. But there are so many laws to modify...in the end - you hacked into a private company's system. That's against the law. In the end you broke into classified gov't databases - that is federally against the law. You may have honest intentions - but we are not mind readers and do not know this. Not to mention you may have been compromised and do not know this.

      --

      I mod down so you can mod up. Your welcome.
    214. Re:ridiculous by swillden · · Score: 1

      You didn't answer any of my questions. You also seem constitutionally incapable of considering any options that involve changing the rules, or even thinking about how the existing rules may be less than optimal. I bow to your superior tenacity.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    215. Re:ridiculous by Fulcrum+of+Evil · · Score: 1

      When I said "...stealing someone's wallet without him noticing it..." I really meant it. Asking for permission before doing so kind of makes that impossible doesn't it?

      No, not really. Telling a teacher that there's a major security hole and demonstrating it when asked is hardly impossible.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    216. Re:ridiculous by Decameron81 · · Score: 1

      Wow, it keeps surprising me how you twist what I say. Re-read what I wrote. I didn't even mention a teacher. And I didn't say it was impossible to demonstrate there's a security hole in a system.

      We are talking about a case in which you didn't ask for permission first. One guy said something along the lines of "even if you get no permission there's nothing bad in breaking into a system". He also said that victimless crimes are not crimes. Which is of course, a huge misconception.

      Now before writing other examples that do not fit at all what the discussion was about re-read the thread (I can't stress that enough to you evidently). You keep posting about situations in which the script kiddie is not committing a crime at all.

      --
      diegoT
    217. Re:ridiculous by hazah · · Score: 1

      I still think that the deterring effect is questionable. It's a band-aid solution to an underlying problem. Usually, any social problem, has its roots in communication, or lack thereof.

    218. Re:ridiculous by AviLazar · · Score: 1

      I am happy with the rules. You are not happy with the rules. Why should I propose to change something I do not want to change? Why don't YOU propose your rules changes.

      --

      I mod down so you can mod up. Your welcome.
    219. Re:ridiculous by swillden · · Score: 1

      We'll see how long you continue to be happy with rules that support a black hat hacker-friendly environment, which is exactly what the current rules do. The current rules provide zero liability for administrators who don't properly secure their machines, lots of incentive for them to refuse to admit to problems when they're pointed out and strong negative incentives for anyone who wants to get problems fixed.

      Expect to have your personal information compromised on a regular basis in such an environment. Keep in mind that computer-based crime is in its infancy... things will get much, much worse as it grows up.

      You're damned right I want to change the rules. Allowing well-intentioned hackers to rub administrators' noses in the problems isn't really my preferred approach, it's just the one which requires the smallest changes in order to improve the situation. Basically, it just requires that we consider good-faith effort to notify plus evidence of good intent and proof that no real damage was done as a defense to charges of computer crime.

      The better, but much more difficult, rule change is to hold system owners and administrators liable for the damage done to others when they don't take basic measures to secure their systems, and when they don't respond appropriately to warnings about system insecurity. I actually don't think criminal penalties are appropriate, but legislation is needed to make civil liability clear. I don't care if companies don't secure their own data, because they bear the loss if it's compromised. But when they hold others' information, they need to be held responsible.

      Putting the people who are trying to fix the problems in jail is ineffective at best. And it's really not hard to distinguish between those who really are trying to help and those who are trying to exploit for gain.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    220. Re:ridiculous by Fulcrum+of+Evil · · Score: 1

      Wow, it keeps surprising me how you twist what I say. Re-read what I wrote. I didn't even mention a teacher. And I didn't say it was impossible to demonstrate there's a security hole in a system.

      I was tying this strained analogy back to the original thread, where there was a teacher and permission was given.

      Now before writing other examples that do not fit at all what the discussion was about re-read the thread (I can't stress that enough to you evidently). You keep posting about situations in which the script kiddie is not committing a crime at all.

      I'm trying to explain to you how the HS kiddy isn't committing a crime either. Pay attention.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    221. Re:ridiculous by Decameron81 · · Score: 1
      I was tying this strained analogy back to the original thread, where there was a teacher and permission was given.


      You might want to point me at the "main thread" you're talking about, and how it is related to this discussion, since neither the article nor the discussion I was participating in mentions a kid asking for permission.

      I'm trying to explain to you how the HS kiddy isn't committing a crime either. Pay attention.


      RTFA. It doesn't say the HS kid asked for permission. It was a plain intrusion. Pay attention.
      --
      diegoT
  2. Dumbasses..... by Palal · · Score: 5, Insightful

    Unfortunately, people do not learn from others' mistakes. How many times have people broken into school databases only to be arrested! It does prove that you can break into a DB, but so what? Once again it goes to show you "no good deed goes unpunished!"

    --
    -Palal
    1. Re:Dumbasses..... by Koiu+Lpoi · · Score: 1, Insightful

      And besides, Social Engineering is still the best way to obtain passwords and sensitive material. Here's a great (and true) example.

      I was sitting in class one day (I am a High School Senior) and talking with a bunch of my friends. I don't remember the exact context, but I mentioned something about Social Security Numbers (the context possibly being college). I was mostly shocked to find the conversation switching to my group of friends telling each other the numbers and comparing them for similarity and silliness. If I had wanted to, I would have had 5-7 SSNs for which to use as I saw fit. What's especially scary is how easy it would have been.

    2. Re:Dumbasses..... by greyhoundpoe · · Score: 5, Funny

      That's not all! I've been able to get the home addresses, telephone numbers, and email addresses of a large number of my friends as well!

    3. Re:Dumbasses..... by Anonymous Coward · · Score: 0
      I'd argue the "good deed" bit. All this shows is that most high school kids feel rules are for others, and only a vague notion of what the law re: hacking, breaking in blah blah blah is.

      After all, they could have used any number of virus infected road runner consumer accounts, broken in, and never leave a log to trace back to them. Stupid stupid stupid.

    4. Re:Dumbasses..... by kleinux · · Score: 1

      Yeah, but try getting that from a girl...

      I kid I kid.

    5. Re:Dumbasses..... by hawk · · Score: 1
      *nods*

      Yep, lots of profit in stealing the identity of high school students . . .

      :)

      hawk

  3. Well by Anonymous Coward · · Score: 0, Funny

    Was it a Microsoft 2003 server edition computer ?

    1. Re:Well by mp3LM · · Score: 1

      Was it a Microsoft 2003 server edition computer ?

      I hope I'm not the only one wondering what that is.

      And FYI....apparently a Microsoft 2003 server edition computer can be pretty secure.

    2. Re:Well by Anonymous Coward · · Score: 0

      uhh maybe from port 80 on the outside, but give me 15 minutes on the intranet and that baby is owned..

  4. tough way to prove point by Bananatree3 · · Score: 5, Insightful

    While it may be an obvious way to get the school's attention on the matter, it is, as the article said, a good way to get yourself expelled, etc. Maybe if they took the issue with the IT staff, and showed them one-on-one how it could be done, they would not be in any harm's way.

    1. Re:tough way to prove point by Palal · · Score: 2, Insightful

      Even then, the IT staff would probably want to sweep this under the rug rather than deal with it. I've seen it happen too many times before :(.

      --
      -Palal
    2. Re:tough way to prove point by Anonymous Coward · · Score: 4, Insightful

      "Maybe if they took the issue with the IT staff"

      hahahahahaha... .. whew. oh... you were serious?
      They would have probably gotten the kids in trouble for thinking about "hacking" into the computers. Those hacker kids are nothing but trouble you know. School IT staffs are a JOKE in 90% of schools, and don't give a damn or don't know a damn thing.

    3. Re:tough way to prove point by tftp · · Score: 4, Insightful
      If the IT people don't care, why then the students should? Their "good intentions" can be better spent elsewhere, like putting together old computers for charities.

      Besides, as people already commented, it is stupid to commit a crime just to show that a crime of this sort can be committed.

    4. Re:tough way to prove point by HiddenCamper · · Score: 1

      A LOT of IT staff in high schools don't listen to their students. I graduated from a Chicago-area HS last year, and I will say that not only my school, but many other schools in the area had staff that would not listen to students at all, or would press disciplinary action if a student would mention a problem. (finding a problem or trying to find a problem suspension at my school). My high school actually expelled one student for getting into the staff network.

    5. Re:tough way to prove point by Anonymous Coward · · Score: 0

      Absolutely. It's no different in Sydney, Australia. I told my school that the software package they were using (a non upgraded package supplied by the department of education) was wide open and could be accessed by anybody with a web browser within the school.

      After being asked to demonstrate this, in front of the principal, I explained every part of the process, how I found out about it, and the simple steps they could do to fix things (hell, all schools afaik had been given an upgrade CD to upgrade their software, they'd just been too lazy to apply it). I inserted a different middle initial within my name and saved the results.

      I was suspended for six weeks. Go figure.

      What's worse is they didn't fix the system until the next school year rolled around, 8 months later.

    6. Re:tough way to prove point by omeomi · · Score: 2, Interesting

      If the IT people don't care, why then the students should?

      To keep others from getting access to their SSNs?

      I know I had a definite issue with having others not take appropriate measures to keep my SSN private while I was in college. One of my professors insisted on posting grades on the wall outside the classroom with grades listed by social security number. By law (I think it's law...either that or school policy), they can't do that unless you sign a paper saying that they can, which I would never sign. The problem was that the teachers rarely check to see who signed the paper. So I had to complain over and over again. Sometimes it's a real pain in the ass to keep your SSN private...

      I am, however, not advocating illegally breaking into computer systems to point out flaws. The mature thing to do would be to point out the flaws privately to the school's administration or IT staff, and if they ignored the notice, then I would make public the fact that they ignored the notice of the flaws (without exploiting them, or publicly pointing out exactly what the flaws are, which I believe is illegal).

    7. Re:tough way to prove point by hugzz · · Score: 1

      why should the kids care? uh, because their SSNs are in the open waiting to be stolen..

    8. Re:tough way to prove point by Anonamused+Cow-herd · · Score: 1
      If the IT people don't care, why then the students should?

      Umm -- probably because some idiots without "good intentions" could steal enough information to steal the identity of everyone in the database? Yeah.

      --
      -----[0_o]-----
      We are not amused.
    9. Re:tough way to prove point by shutdown+-p+now · · Score: 1

      Because it's their private information which is being compromised?

    10. Re:tough way to prove point by Theaetetus · · Score: 1
      Maybe if they took the issue with the IT staff, and showed them one-on-one how it could be done, they would not be in any harm's way.

      Provided the IT staff care... and can get over their pride at being shown up.
      I, an engineer, was recently requested by the IT department where I work to see if there were any security holes in an XP install they did (they had a program that had to run as Admin, so they did a "Run As..." batch script, but the account was user otherwise). Took less than 30 seconds, and it was the flaw I suggested to them ahead of time - go into the program, go into the Open... dialog, and right-click on any folder to get its properties, as an admin. Have ability to give users full privileges now, which I proved by giving full control to the Admin's user folder to the User.

      I was then yelled at by the IT tech, and the IT director for "hacking" and "breaking" their computer.

      End result - they're installing it anyway.

      It comes down to pride - "we're the IT staff, how dare you presume to teach us about security or computers" and that kind of thinking always leads to problems, no matter what field you're in.

    11. Re:tough way to prove point by Anonymous Coward · · Score: 0
      School IT staffs are a JOKE in 90% of schools, and don't give a damn or don't know a damn thing.

      Of course it's a funding issue. Most "IT" people I've met working for schools try their best, but the salary doesn't match what a highly qualified or even competent tech expects. I have seen at least one school district that has done it right, but I'm guessing they place a higher priority on their technology than their football team.

      Note: I'm not disagreeing with you, just adding some pointless ramblings...

    12. Re:tough way to prove point by Anonymous Coward · · Score: 0

      Of course school IT is a joke, passwords at my school are birthday in numbers and 3 random digits (student IDs).
      Ie: 21488053
      You could:
      A: ask for their birthday and brute-force the 3 remaining numbers in about a minute.
      B: ask to borrow their id cards, they have the student ID printed on the back.
      C: just ask the student.
      Et Cetera.
      To top it all off, they do that for the whole district. To make matters worse you can type / in Internet Explorer or Safari then click on a few links and read someone's documents.
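
A defender's check for the password scheme described in the comment above, as an added example that is not part of the original thread: it flags a password that is built from fields already in the student record and estimates how many guesses remain once the birth date is known. The function names, the 10**12 threshold, and the reading of the sample `21488053` as a 14 February 1988 birth date plus ID `053` are assumptions.

```python
import string
from datetime import date


def dob_encodings(dob):
    """Numeric renderings of a birth date that users commonly type."""
    months = {str(dob.month), f"{dob.month:02d}"}
    days = {str(dob.day), f"{dob.day:02d}"}
    years = {f"{dob.year % 100:02d}", str(dob.year)}
    out = set()
    for m in months:
        for d in days:
            for y in years:
                out.update({m + d + y, d + m + y, y + m + d})
    return out


def strip_known(password, dob, student_id=None):
    """Remove the parts that anyone holding the student record already knows."""
    rest = password
    # Longest encoding first, so "021488" is removed whole, not as "21488".
    for enc in sorted(dob_encodings(dob), key=len, reverse=True):
        if enc in rest:
            rest = rest.replace(enc, "", 1)
            break
    if student_id and student_id in rest:
        rest = rest.replace(student_id, "", 1)
    return rest


def guess_space(secret):
    """Upper bound on candidates for `secret`, from the character classes it uses."""
    if not secret:
        return 1
    alphabet = 0
    for cls in (string.digits, string.ascii_lowercase,
                string.ascii_uppercase, string.punctuation):
        if any(c in cls for c in secret):
            alphabet += len(cls)
    return max(alphabet, 1) ** len(secret)


def check_password(password, dob, student_id, min_space=10**12):
    """Return the reasons a password should be rejected (empty list = accept).

    min_space is an assumed policy threshold, not a value from the thread.
    """
    reasons = []
    if any(enc in password for enc in dob_encodings(dob)):
        reasons.append("contains birth date")
    if student_id and student_id in password:
        reasons.append("contains student ID")
    # What is left to guess for someone who knows only the birth date.
    space = guess_space(strip_known(password, dob))
    if space < min_space:
        reasons.append(f"only {space} guesses once the birth date is known")
    return reasons


if __name__ == "__main__":
    # Constructed record matching the sample password quoted in the comment.
    dob, sid = date(1988, 2, 14), "053"
    for pw in ("21488053", "vK7#pq2LmZ9w"):
        print(pw, "->", check_password(pw, dob, sid) or "accepted")
```

Run at password-set time, a check like this rejects the district-wide default before it is ever assigned.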

  5. Over react much? by r_glen · · Score: 5, Interesting

    Okay, I understand that what these kids did was stupid, and serious, but is it really necessary to include quotes like this...?

    "When we grow up and get our jobs, that's our life right there. They can access anything about us. It just screws us up for the rest of our lives," said Julianne Junus, student.

    1. Re:Over react much? by Anonymous Coward · · Score: 5, Insightful

      It shouldn't be, but since the SSNs are used for everything a person does for the rest of their lives, it should be included. As a reason not to use SSNs at Schools and the like.

    2. Re:Over react much? by Fortyseven · · Score: 1

      You would think that would be all the more reason to have top security measures in place. Sigh.

    3. Re:Over react much? by L7_ · · Score: 0

      For the same reason that the SSN's are used for 'everything a person does' is the same reason that they need to be used in schools. Granted, SSN's do not need to be used as school IDs and that is where the problem lies (they were used a lot previously because they are automatically a primary key). I think that the majority of cases where SSNs are exposed and 'hacked' in institutions, like this school, are because they can get the public list of all the students and their student ID's: which are generally their SSN.

    4. Re:Over react much? by anagama · · Score: 2, Insightful

      It's just time to quit using SSNs as personal secret passcodes. In some ways, it's good. At what percentage point of compromised SSNs will it stop being used for its present purposes? A few hundred is just a drop in the bucket, but it happens every day. Eventually, SSNs will be meaningless. Like a phone number, at which a slightly better system will (hopefully) be devised.

      --
      What changed under Obama? Nothing Good
    5. Re:Over react much? by Anonymous Coward · · Score: 0

      At what percentage point of compromised SSNs will it stop being used for its present purposes?

      Have I got a Real ID for you!

    6. Re:Over react much? by ky11x · · Score: 1

      She's right, you know? The school should be hit over the head for not securing sensitive information like this properly. Once your SSN is lost to the world at large, your headaches are never over. A conspiracy of credit bureaus and craven and stupid officials will make your life hell.

    7. Re:Over react much? by Anonymous Coward · · Score: 0

      I think it is a monument to the stupidity of the US in general, that they not only throw away hundreds of billions in slaughtering civilians in Iraq and building worldwide hatred of the US and leading Iraq into the self-destructive civil war that is now unavoidable, but also

      US citizens widely believe the earth is only a few thousand years old, in direct contradiction to basic physics, biology, science, paleontology... showing their incapacity to grasp or deal with basic science

      US citizens widely believe that SSN makes a good password, even though its most obvious features, that it is immutable and well-known, make it abundantly obvious to anyone with a modicum of understanding that it is a terrible password, one of the worst possible.

      I think it goes to show you that the ignorance in the US is not only rampant but cross-generational and stretches across both science and technological fields. Therefore, it is no wonder that the US is losing both its basic and its high-tech industries, and obviously its imperial power is crumbling as it heads to bankruptcy and poverty.

    8. Re:Over react much? by accessdeniednsp · · Score: 1

      In addition, the stupid cable company demands your SSN for TV SERVICE!!?!? WTF!?

  6. They kind of deserve the punishment by Zakabog · · Score: 4, Insightful

    I guess it kind of sucks that they're gonna get punished for this, but they deserve it. You can't legally break into someone's house just to show you can, they should have told the school (or some news stations) that they were planning to show how easy it would be to get into the system. Then under a controlled environment (with some type of supervisors there) they can show how easy it would be. That way everyone knows the attack is going on and the school knows what was done by the students rather than relying on their word.

    1. Re:They kind of deserve the punishment by EmbeddedJanitor · · Score: 4, Insightful
      Exactly so. 90% of the badness of being burgled is not that stuff was taken or tampered with, but that your private space was violated. This violation happens regardless of the violator's intentions.

      Being bust or not is not the issue. If they had been bust while trying to get in then they would have had no excuses. They broke in and that is bad.

      --
      Engineering is the art of compromise.
    2. Re:They kind of deserve the punishment by BackInIraq · · Score: 1

      You can't legally break into someone's house just to show you can...

      That is a totally different story. What you keep in your house is, in general, your own stuff, so if you fail to properly secure it only you are hurt. But the school is keeping _other_ people's stuff (their sensitive information) and failing to properly secure it. Personally I think it's perfectly reasonable to probe the security of such systems, to make sure they are securing private information properly.

    3. Re:They kind of deserve the punishment by ZorbaTHut · · Score: 5, Insightful

      On the other hand . . .

      . . . imagine you're legally required to keep your electronics and jewelry in someone else's house. And not only that, but several hundred of your friends are too. And imagine that you know the security in this house is bad, and you've tried telling the owner of the house that your possessions are in danger, but he doesn't care. And you've tried telling the government that your possessions are in danger, but they don't care either. Your friends care though, and they're really frustrated knowing that all their possessions are in danger, just like yours, and that nobody seems to be able to do anything about it.

      Maybe then you'd break in, to demonstrate it's possible, and get the owner of the house to tighten up security for the sake of you and your friends?

      --
      Breaking Into the Industry - A development log about starting a game studio.
    4. Re:They kind of deserve the punishment by wft_rtfa · · Score: 1
      If they were really smart they would have found a way to expose the security problem anonymously or quietly.

      I'm sure that many high school computer systems aren't secured properly, so I don't see how they were accomplishing much. However, there probably aren't a lot of real hackers out there that are interested in the SS#s of teenagers. The students probably knew what servers had what information on them before they started.

      --
      :-] :0 :-> :-| :->
    5. Re:They kind of deserve the punishment by Anonymous Coward · · Score: 0

      "But the school is keeping _other_ people's stuff (their sensitive information) and failing to properly secure it."

      So what? So it's more like breaking into a bank. The point remains that they didn't have any right to break in.

      The students were most likely driven by ego more than public interest. Unless they have a reputation around town for doing charity work, picking up garbage, etc.

    6. Re:They kind of deserve the punishment by Anonymous Coward · · Score: 0

      Right, so I should be able to loot the bins at the self-lockup storage places and sell the stuff on Ebay. Hey, it is the storage company's fault; don't shoot the messenger! Gee I should be given a medal in addition to the stuff I get to rob.

    7. Re:They kind of deserve the punishment by danielk1982 · · Score: 0


      What you keep in your house is, in general, your own stuff, so if you fail to properly secure it only you are hurt. But the school is keeping _other_ people's stuff (their sensitive information) and failing to properly secure it.


      My friend left his wallet at my house. It's still lying on my kitchen counter.

    8. Re:They kind of deserve the punishment by daniel_mcl · · Score: 1

      No, it's more like breaking into your own house to show your landlord that he's not doing his job. Their *own* identities were in harm's way because of the school's poor protection, which makes the situation entirely different.

      Although, it would have probably been better to announce a lawsuit directly.

      --
      I used to read Caltizzle. I was a lot cooler than you.
    9. Re:They kind of deserve the punishment by Anonymous Coward · · Score: 0

      But did the students really do all these things before breaking in? Besides, if you went through all of those steps and nobody cared, why should breaking in change anything?

    10. Re:They kind of deserve the punishment by Anonymous Coward · · Score: 0
      Where do you get the idea that these students were yelling from the rooftops about security lapses and were being ignored? Where did you get the idea that the student body was angry and frustrated and were being ignored? So why are you making up details and facts in this argument? Oh, that's right, the students would come off looking like smartass punks without your revisionist history writing.

      Now reading the article, as I have done, I can see that the students were so worried about system security and coming to the aid of their angry and frustrated students that these two performed the act months before! I'm sure they were going to get around to alerting the IT staff, and I don't think I'm exaggerating here, and saving the entire human race!

      God bless our new saviors!!!

    11. Re:They kind of deserve the punishment by ZorbaTHut · · Score: 1

      I don't. I'm just pointing out a hole in his analogy. I have no idea why these people did this, but I can easily think of plausible reasons.

      --
      Breaking Into the Industry - A development log about starting a game studio.
    12. Re:They kind of deserve the punishment by TeraCo · · Score: 1
      Sorry, it wasn't their house to break into.

      This will be a good education for everyone, when it comes to criminal acts, you can't just step back and say "ha, ha.. I was just kidding."

      --
      Not Meta-modding due to apathy.
    13. Re:They kind of deserve the punishment by ZorbaTHut · · Score: 1

      Dunno. Maybe, maybe not. Go ask them. Or find a balanced factual news article. :)

      And it might change something - it all depends on how much publicity it gets. Throw around a few terms like "identity theft" and "ChoicePoint" and "won't someone please think of the children" and "terrorism" and you're set.

      --
      Breaking Into the Industry - A development log about starting a game studio.
    14. Re:They kind of deserve the punishment by TeraCo · · Score: 1

      [Oh God, the commas :/]

      --
      Not Meta-modding due to apathy.
    15. Re:They kind of deserve the punishment by Cecil · · Score: 1

      Your analogy doesn't fit this case. To make it fit this case, you'd need to rob the self-storage places, take photographs of the "stolen" stuff sitting in your truck, then put it all right back where you found it and leave.

    16. Re:They kind of deserve the punishment by aussie_a · · Score: 1

      So can people break into my school locker and it be perfectly alright? After all, the school should have had better security in place.

    17. Re:They kind of deserve the punishment by Anonymous Coward · · Score: 0

      >90% of the badness of being burgled is not that stuff was taken or tampered with, but that your private space was violated.

      Uhh, Dude. If someone goes into your house and doesn't take anything, how will you know anyone was there? And if they tell you, but don't take anything, that is not EVEN close to having all your personal possessions stolen.

      If somehow all your stuff could magically be burgled without anyone entering your house, and all your stuff is gone, that's only 1/9th as bad as if they went in but didn't take anything?

    18. Re:They kind of deserve the punishment by BackInIraq · · Score: 1

      So what? So it's more like breaking into a bank. The point remains that they didn't have any right to break in.

      Closer, but more specifically it would be like breaking into a bank and stealing from safe-deposit boxes (as compared to just taking money, which can be replaced). Hence the reason that banks are, in general, _much_ harder to break into than school networks.

      My point (or more accurately, opinion) is that the school bears as much, if not more, blame as the students. There's a reason banks make sure they are hard to break into. But many schools treat their security like a joke. Hence the reason you hear about things like people managing to download student's private info over wireless networks.

      When's the last time you heard about a bunch of kids breaking into a bank and cleaning out the safe-deposit boxes? Or even the cash? There's a reason.

    19. Re:They kind of deserve the punishment by Anonymous Coward · · Score: 0

      I'm not sure I agree with this.

      First, this was a public institution which was apparently not storing private information correctly. I wouldn't exactly relate this situation with a simple home burglary, which happens on private property. Public institutions should respond to taxpayers.

      Second, if the students made a reasonable effort to alert administration about the problems, and they blew them off, I don't think I could blame these students. In some sense, they were staging a protest against an administration that was not concerned with students' privacy. Their tactic worked - they got the local ABC news attention. Maybe I could draw comparisons between this and protesting against a war in front of the white house - that will definitely draw media attention somehow.

      At least, If their administration didn't blow them off, their punishments should not be any worse than wartime protesters.

    20. Re:They kind of deserve the punishment by tftp · · Score: 4, Insightful
      Maybe then you'd break in, to demonstrate it's possible, and get the owner of the house to tighten up security for the sake of you and your friends?

      No; I would have filed a civil lawsuit against the school. There are very good chances that the problem would be fixed in matter of hours - and I would get a useful experience in defending my rights in a completely legal way.

      (I recall an old movie with Hulk Hogan where scenario of this sort was presented.)

    21. Re:They kind of deserve the punishment by Seumas · · Score: 1

      What I want to know is - why does the school district have their social security numbers AT ALL?

      Social security numbers can only be required by employers, your bank and the social security administration. It's intended solely to track your income and benefits directly related to social security. What does your schooling have to do with your social security number whatsoever?!

    22. Re:They kind of deserve the punishment by Shiu · · Score: 1

      Chuck the clowns in juvenile detention. If someone took my wallet on the street and gave it back to me, to prove that it could be done, I'd punch them in the head! Stupid turds just make the whole computing industry look bad from their irresponsible actions. I feel sorry for the kids that had their SSNs read, they've had their privacy violated by some stupid geeks. They should take turns in kicking their asses too!

    23. Re:They kind of deserve the punishment by BackInIraq · · Score: 1

      So can people break into my school locker and it be perfectly alright? After all, the school should have had better security in place.

      If a school had lockers that were incredibly easy to break into, and little security in place, I don't think it would be a bad idea to break into a locker, just to prove that I could, as long as I didn't steal anything. It would certainly get you to complain to the school about this lack of security. Otherwise, people are stupid enough to think that just because something _hasn't_ been broken into that it _can't_ be broken into. If the only thing keeping your system secure is the threat of punishment for a break-in, then your system isn't secure at all.

      The only real problem here is that we have to trust the perps have not kept copies of the SSNs...but to be fair to them they kinda had to steal them to prove the system was unsecured...otherwise people would have just assumed they couldn't get the SSNs. You'd hear people say "well it's not like they managed to steal everybody's SSNs or anything...the system must be secure enough!"

      One thing that isn't mentioned in the summary (and I can't get the article to load at the moment) is whether they came forward after they did it, or they were caught. I will say that if I were a student or faculty member I'd rather have some dumbass students stealing my information be the catalyst for better security rather than, say, a ring of actual determined identity thieves making it happen.

    24. Re:They kind of deserve the punishment by gone_bush · · Score: 1

      Off-topic, but I disagree with your .sig Real programmers have sixteen fingers. real programmers only need two fingers!

      --
      Two roads diverged in a wood, and I - I took the one less travelled by. (Robert Frost, 1916)
    25. Re:They kind of deserve the punishment by loraksus · · Score: 1

      Some would see this as what is commonly referred to as an "opportunity". Maybe it is a good thing to take advantage of the stupid.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
    26. Re:They kind of deserve the punishment by jamesh · · Score: 1

      That movie wouldn't be 'Suburban Commando' would it? In this one Hulk Hogan is a space hero (maybe an alien?) and is on vacation and is boarding at the house of a wimpy guy and his wife.

      If I am correct, the scene you are referring to was where the guys next door keep parking their cars in front of the wimpy guy's house, blocking his driveway. Hulk Hogan picks up one of the cars and shoves it away. The guys next door confront him and Hulk Hogan asks them what they're going to do about it, and lists off a bunch of violent actions they might take. They reply that no, they will be talking to their lawyers.

    27. Re:They kind of deserve the punishment by Anonymous Coward · · Score: 0
      To make it fit this case, you'd need to rob the self-storage places, take photographs of the "stolen" stuff sitting in your truck, then put it all right back where you found it and leave.
      And then do what with the photos? You assume that these photos would have no real value, just as you assume these students didn't do anything wrong.

      I don't understand your point. They downloaded data. Had it for months. They said they didn't do anything with it. By the way, they're still looking into what else they got into and who else was involved.

      But you are probably right. They are clearly honest people and I'm sure they wouldn't lie about what they took and what they did with it.

      I'll stick with my original analogy as I think it is still very relevant.

    28. Re:They kind of deserve the punishment by Anonymous Coward · · Score: 0

      You know what you just described is one of the classic scenarios of espionage. I don't see how it supports what you are trying to argue.

    29. Re:They kind of deserve the punishment by Anonymous Coward · · Score: 0
      No; I would have filed a civil lawsuit against the school. There are very good chances that the problem would be fixed in matter of hours - and I would get a useful experience in defending my rights in a completely legal way.

      I'll agree this is a better course of action than what these kids did, but thinking the problem would be solved so quickly is way beyond wishful thinking I'm afraid. For one thing, the data may not be centralized. We have student data in multiple databases that are unable to interact (various programs come from different vendors and don't provide options to sync to a standard database format. In fact it'd make our lives a LOT easier if this was the case.) Another problem is lazy users among the staff/faculty. Trying to get them to use secure passwords is almost impossible. If you force the issue by requiring complex passwords they'll just write them down and leave them by their computer making security even worse.

      I'm afraid the reason you see these things pop up mostly for K-12 schools is there's a huge inertia to change. Teachers don't want to change the way anything is done. We have some teachers who are still using old Apple ][es and refuse to accept a newer replacement computer (Mac or Windows) because they don't want to change. Assigned passwords can be as short as _TWO CHARACTERS_, and that's on major databases. Why? Most teachers can't be bothered with memorizing anything longer.

      So just a threat of a lawsuit won't stop the problem. In fact just suing the school district wouldn't be enough, you'd probably need to go after the teachers' union as well, since they tend to fight change too. Once you won in court and there was no getting around it, only then would you see the security improve. In the meantime, it's lousy and will stay that way. The best we can do is try to keep the underlying infrastructure secure (good solid admin/root passwords, restricting user rights to prevent ad/spy/malware, viruses and worms from getting installed, etc.)

      Posted AC for obvious reasons, I doubt my school system would appreciate my saying all this publicly.

    30. Re:They kind of deserve the punishment by Anonamused+Cow-herd · · Score: 1

      Wow -- I had honestly never thought of that. Thank you; I think that was the most insightful comment I have ever read on Slashdot.

      --
      -----[0_o]-----
      We are not amused.
    31. Re:They kind of deserve the punishment by r6144 · · Score: 1
      And then they found that there is no security hole at all... even though they can enter arbitrary SQL in some test page, the associated database user had all privileges revoked when the admin put the site into production. So they just wasted everybody's time over nothing.

      My point is that it is sometimes difficult to make sure that a security problem exists without seeing anything you should not see --- at least not sure enough to file a lawsuit. I still think they had better not do any cracking, but this is not an easily made decision.

    32. Re:They kind of deserve the punishment by gad_zuki! · · Score: 1

      > I guess it kind of sucks that they're gonna get punished for this, but they deserve it.

      Fine, but change doesn't happen unless there's some kind of catastrophe or embarrassing incident. Gee, I wonder if this school and many other schools are going to take security a lot more seriously now.

      Hell, they shouldn't even be using SSN numbers. They should be generating their own unique IDs.

      This is simply human nature. A memo saying "the system is vulnerable" is meaningless. Action isn't. Action usually gets results and the kids who do this do get in trouble but in the long run it helps others. In other words, it's ideology. And ideology isn't practical for the idealists. But the apathetics benefit from it quite well.

    33. Re:They kind of deserve the punishment by Anonymous Coward · · Score: 0
      Exactly so. 90% of the badness of being burgled is not that stuff was taken or tampered with, but that your private space was violated. This violation happens regardless of the violator's intentions.

      That's why, in California at least, burglary of a home is legally defined as a much more serious crime than burglary of a non-home. In this case, the analogy would be to a non-home, so the argument would be that these kids should not be punished as severely as if they had broken into someone's home to access their data.

    34. Re:They kind of deserve the punishment by Anonymous Coward · · Score: 0

      WTF would you need the second finger for? Carry?

    35. Re:They kind of deserve the punishment by Koiu+Lpoi · · Score: 1

      Because it's much easier to be litigious than to actually take action, eh?

    36. Re:They kind of deserve the punishment by bryanp · · Score: 1

      Having recently served grand jury duty I learned a bit about what constitutes burglary. If I break into your home with the intention of doing something illegal, even if I just break in, look around for a moment and then walk out the door again without touching anything, that constitutes burglary.

      --
      "An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
    37. Re:They kind of deserve the punishment by mpe · · Score: 1

      I'm sure that many high school computer systems aren't secured properly, so I don't see how they were accomplishing much. However, there probably aren't a lot of real hackers out there that are interested in the SS#s of teenagers.

      If they are used for purposes of "identity theft" it may be quite a while before anyone notices.

    38. Re:They kind of deserve the punishment by ats-tech · · Score: 1

      This would make sense if the person that broke in only stole their own electronics and jewelry. It is hard to prove that you broke in and stole your own SSN.

    39. Re:They kind of deserve the punishment by Pakaran2 · · Score: 1

      BAD idea.

      Most high school students can't afford lawyers. Most schools, OTOH, can. They'll drag out the suit forever until you and your parents go broke, and it may be cheaper than convincing a software vendor to fix the problem in question.

    40. Re:They kind of deserve the punishment by bluGill · · Score: 1

      School boards are elected. A lawsuit that the school fights is a bad idea when you can go door to door in the district just before election bringing up how the school is unwilling to admit they have problems. Not to mention how they are wasting taxpayer money fighting the request to change.

      If you do this, practice first. Make sure you have someone who is concerned and willing to serve on the board, so you can tell people who to vote for.

      Of course you still have to deal with unions who may be unwilling to change. Courts do have power, once the suit is dropped they will give the orders that overpower the union.

    41. Re:They kind of deserve the punishment by hackstraw · · Score: 1

      I guess it kind of sucks that they're gonna get punished for this, but they deserve it.

      To me the "adults" in charge of such a weak system that high school students can break in and get a list of SSNs so easily deserve more of a punishment.

      You can't legally break into someone's house just to show you can, they should have told the school (or some news stations) that they were planning to show how easy it would be to get into the system.

      Odds are, the "adults" would simply not listen, or if they did, they probably would not care enough to spend the time with the kids to see what was really wrong.

      You can legally open an unlocked door (provided there is not a "No Trespassing" sign or whatever) and say "Hello, I could have robbed you" if that floats your boat. Reminds me of a time when a coworker would always run as root on her Linux box and "lock" the X-windows session with some screensaver. She logged in from a console and ran startx to, err, start X. Back then, a screen saver did not do much in that situation because you could do control-alt-backspace to kill X and get dropped back to the original console that ran startx. I suggested that she should not do such a thing multiple times, and one day when she left before me I dropped back to the console and typed at the command prompt something like "See how easy it is to get dropped to a root shell???"

      Back to the original topic, the article is weak in that it does not say how the students were "caught" or if they turned themselves in. That is significant. If they turned themselves in, although by the letter of the law they have done something wrong, I actually believe that they were more beneficial than not. If they were found out some other way, I still believe that they should at most have to do some community service, but privately commended for doing a good job. I mean this was a _remote_ compromise by high school students with software that is more than likely used by many other schools, governments, and/or companies. This is a screwed up situation.

    42. Re:They kind of deserve the punishment by aardwolf64 · · Score: 1

      To make your analogy accurate, you'd have to break in and steal ALL of the valuables (not just your own.)

      Then, after stealing everyone's items... you kept them at your house for a month, where they were only discovered because someone had a warrant.

      After getting busted, you claim that you only did it to increase security. Yeah, right...

    43. Re:They kind of deserve the punishment by Frank+T.+Lofaro+Jr. · · Score: 1

      Huh?

      No, I'd say the actual loss is far worse. That is why theft insurance is so popular.

      --
      Just because it CAN be done, doesn't mean it should!
    44. Re:They kind of deserve the punishment by KlomDark · · Score: 1

      So is it real programmers have 10 fingers (hex), 10 fingers (decimal), or only need 10 (binary) fingers?

      Will you people make up your minds already? :)

    45. Re:They kind of deserve the punishment by tftp · · Score: 1

      Yes, that's the movie, thanks!

    46. Re:They kind of deserve the punishment by Quince+alPillan · · Score: 1

      Usually those are called banks and the police get very upset when someone breaks into them "just to demonstrate its possible."

    47. Re:They kind of deserve the punishment by tftp · · Score: 1

      You don't need a lawyer for that. For example, see here. A student has to file a complaint properly, of course, but all the materials for that are available. I guess if you don't claim any monetary damage and only want the judge to tell the other party to listen to your concerns, the judge will just do that. The filing cost is negligible ($30) and any student can afford it. This would be a useful experience anyway, and it's definitely safer than breaking into the database vigilante-style.

    48. Re:They kind of deserve the punishment by tftp · · Score: 1

      Here is a more appropriate document, just fill the blanks and file.

    49. Re:They kind of deserve the punishment by ZorbaTHut · · Score: 1

      Good idea. I wouldn't have thought of that, though, and I suspect these people wouldn't have either. :)

      I'll have to remember that though.

      --
      Breaking Into the Industry - A development log about starting a game studio.
    50. Re:They kind of deserve the punishment by ZorbaTHut · · Score: 1

      No they aren't. Go find me the person who's being forced to use a bank against their will. :P

      --
      Breaking Into the Industry - A development log about starting a game studio.
  7. Demonstrate the Crime by Azadre · · Score: 2, Insightful

    How can the exploit be fixed if the administration will not admit it exists? These individuals should not receive punishments. If anything, they should receive jobs at their school. It's sad, but it seems High School computers are being run more by pointy-haired bosses than actual IT individuals. I just hope the trend can curb and go back to where data can be secured again in academic institutions.

    1. Re:Demonstrate the Crime by Anonymous Coward · · Score: 0

      You know what? I think one of the windows to the admin's office is left unlocked overnight. Let's go in there and steal all the filing cabinets to prove that it can be done!

      And let's not tell anyone, until after the fact!

      They'll think we're heroes or something! They'll give us jobs there to make sure all the windows are locked!

    2. Re:Demonstrate the Crime by HiddenCamper · · Score: 1

      You're right, I made another post on this, but it's true. HS IT staff tend to have students suspended for even hinting at problems. Things like this have been a growing trend in the Chicagoland area (I graduated from a Chicago HS last year and we had at least 1 incident a year)

    3. Re:Demonstrate the Crime by aussie_a · · Score: 1

      Now, now. That's not the same situation. Instead break into the office and photo-copy all the documents (or take photos so you can read what's on the documents in the photo). That'd be a comparable situation. And I would hope the people who did such a crime would be punished. But I can't help but wonder, would they be punished to the same degree as these computer "hackers"?

    4. Re:Demonstrate the Crime by smashin234 · · Score: 1

      You honestly believe someone should be able to hack someone's system and not get punished for it?

      Or let's reward them. You forget that they broke the law. Maybe their motivation was noble like you claim, but in our society the ends do not justify the means. Maybe they should, but that's another argument.

      But in this case, I do believe you are really wrong. Their intentions were anything but good.

      Quote from article:

      "Hinsdale school officials say the accused students have had the Social Security numbers of their fellow students and teachers for months"

      What were they doing holding onto this information for months? If their intentions were noble from the start, they should have informed the proper people about it immediately, not wait months to do so.

      Maybe IT personnel at HS's are stupid. But that is no excuse for stealing private SSN's and holding onto that information for an indefinite amount of time.

    5. Re:Demonstrate the Crime by Anonymous Coward · · Score: 0

      Exactly. IT people hate to be proven wrong. In high school (a couple years ago for me), I told the system admin (county wide) that the school's network was insecure and I could bypass the security... well, when asked how to do it, we were told "that's not possible"... so, we (me and my friend) did it... and got our computer rights taken away for three days...

      Not only that, the problems are not only still there, but they've gotten worse. We even wrote up a paper on how they could fix it, but we got ignored.

      Granted, I'm not putting myself in the same boat as these kids, I'd never mess with anything that has SS#s... but that's just because I'm afraid of jail.

      I say though, either the admin should thank the kids for pointing out the flaws and fix it, or, if he's unable to fix it, hire the kids as consultants. Sounds like they know what's what.

    6. Re:Demonstrate the Crime by aralin · · Score: 1

      It's really interesting that we have whistleblower laws for when someone does this in a corporation, but somehow the government organizations are safe? Nobody can point out their faults? This is somehow faulty system...

      --
      If programs would be read like poetry, most programmers would be Vogons.
    7. Re:Demonstrate the Crime by Anonymous Coward · · Score: 0
      Please explain how this has anything to do with whistleblowing. They sat on the information they stole for months, and they didn't come forward---they got caught. They didn't point out any faults---they got caught. In fact, they got caught because the IT people were nosing around the system on an unrelated tip of a security break-in.

      They got caught. Why do 75% of the posting idiots on this story not get this? RTFA people. Or find someone to read it to you if you can't understand all the big words.

  8. Common Sense by OverlordQ · · Score: 2, Insightful

    Just because you can doesn't mean you should.

    I know people will come on here and say "OH but the administrators probably wouldn't listen so they had to do this to prove how serious it was". I'm sure if they followed good procedure and presented a good presentation to the Board/etc they would have gotten a better reception than what they did.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Common Sense by SimplyCosmic · · Score: 4, Insightful

      At the least, they should have made a very real effort to alert the school administration that this was a problem.

      In that way, even if they were completely ignored, they'd at least have something to back them up when they make the futile claim that they tried all the normal means to make the school aware of the issue.

      Sure, they'd still get in trouble with the school, but at least they'd have some credibility in the public's eye as doing this for a good reason rather than simply because they could.

    2. Re:Common Sense by Pyrion · · Score: 1

      Nope. What you do if the school administration doesn't listen is simple:

      Absolutely nothing.

      If the school is more interested in tempting fate, by all means, let them. It's their network -- if they can't or won't take care of it, there's nothing compelling you to do it for them.

      --
      "There is much pleasure to be gained from useless knowledge." - Bertrand Russell.
    3. Re:Common Sense by joako · · Score: 0

      "Just because you can doesn't mean you should." In this case, if you can, you certainly should - simply to bring attention to a vulnerability that should be taken care of before malicious users discover it. And you're giving the school board too much credit. :P We've seen this before. In their eyes, a hacker is a hacker, and it's much easier to dismiss them as such than to actually confront the issues.

    4. Re:Common Sense by poopdeville · · Score: 1

      Let's see what happens if we replace "school" with "Choicepoint":

      Nope. What you do if Choicepoint administration doesn't listen is simple:

      Absolutely nothing.

      If Choicepoint is more interested in tempting fate, by all means, let them. It's their network -- if they can't or won't take care of it, there's nothing compelling you to do it for them.

      --
      After all, I am strangely colored.
    5. Re:Common Sense by Slashdot+is+dead · · Score: 1

      Nope. What you do if the school administration doesn't listen is simple:

      Absolutely nothing.

      If the school is more interested in tempting fate, by all means, let them. It's their network -- if they can't or won't take care of it, there's nothing compelling you to do it for them.


      But what about their own well-being? If they can hack the database, perhaps others can too. If the SSN is as important as "Julianne Junus" claims, then the hackers were saving their own identities from fraud. In the process, they saved a bunch of other people. They are heroes!

    6. Re:Common Sense by browngb · · Score: 0

      If they wanted a quick turn around, they could have just put an advertisement in the paper on how to do it. I'm sure it would have been fixed within hours.

      --
      Generally, I get bored with my replies and give up on making sense halfway through.
  9. Yup. by beavis88 · · Score: 4, Insightful

    Nothing will bring pain to you quite like making someone (or some organization) look foolish. Even if you probably are at least somewhat in the right.

    1. Re:Yup. by Neo-Rio-101 · · Score: 1

      True, but I think the REAL problem occurs when someone else makes themselves look foolish and then blames you for it. Ok, in this case the students deserved the blame however - but in many other office scenarios, all it takes is some stupid manager who doesn't know what he's doing to make an ass of himself.

      --
      READY.
      PRINT ""+-0
    2. Re:Yup. by Anonymous Coward · · Score: 0

      Which is why dalliances between teachers and students at US high schools are so commonplace. The embarrassment to the school outweighs the deterrent effect of exposing and punishing said people. It's like an unwritten rule.

    3. Re:Yup. by Anonymous Coward · · Score: 0

      Lesson:
      Do not interact with your school beyond the minimum required to generate the grades you want. Go out of your way to socialise outside that environment. The teachers and staff will be too overwhelmed to notice if you don't do anything to attract attention. If you are smart or gifted, take time to study and skillfully mimic the way slower folks interact.
      Real victory isn't confronting stupid people, for that triggers resistance. Real victory is learning to manipulate and redirect people so they don't even know they are being guided.
      You don't correct a malfunctioning computer with a hammer, and the cold logic that works with computers can be applied to people.

  10. College SSNs may bring rewards by Palal · · Score: 1

    A bit off-topic, but still.... If someone steals SSNs of college students and uses them 10-20 years down the road, chances are these people will have perfect credit, and won't even know where the attack came from. It's a long shot, but still.

    --
    -Palal
    1. Re:College SSNs may bring rewards by Anonymous Coward · · Score: 0

      In 20 years time you'll need more than a social security number to do anything in someone's name. Biometrics alone will ensure that.

    2. Re:College SSNs may bring rewards by corsec67 · · Score: 1

      You mean, you hope that you need more than a social security number to do anything in someone's name.

      I want my SSN to be just an identifying number and not a password to my credit too, but I am not too sure that it is going to change quickly.

      --
      If I have nothing to hide, don't search me
    3. Re:College SSNs may bring rewards by ComputerSlicer23 · · Score: 2, Interesting
      If someone steals SSNs of college students and uses them 10-20 years down the road, chances are these people will have perfect credit, and won't even know where the attack came from

      Where did you go to school? They actually teach college students about money management and how to improve your credit score. Don't post where it is, Discover will go there, and dump credit cards until they ruin a good thing.

      In my experience, most college students do more harm to their credit scores in college than they can recover from in 10 years. Maybe 20 they could recover from. Most people leave college so debt laden it's silly. Credit card companies prey on students on college campuses. I was always shocked at how many places on campus had credit card offers. Remember, college is the new high school. College in the 1960's was a 25% of HS grads went. Now it's more like 75% go. Going to college isn't the indicator it used to be.

      I happen to have decent credit, but that has a lot more to do with watching my family members have poor credit, and poor money management. I sure didn't learn a thing about it in college.

      Kirby

    4. Re:College SSNs may bring rewards by mangu · · Score: 1
      In 20 years time you'll need more than a social security number to do anything in someone's name. Biometrics alone will ensure that.


      I'm not sure about that. 20 years ago they were already saying exactly what you said. Financial organizations are very conservative with their systems. Remember how it took a millennium change to get them to use four digits to record the year?

    5. Re:College SSNs may bring rewards by Short+Circuit · · Score: 1

      Passwords are merely an additional form of identification that are only valid in the presence of other identification, such as usernames.

      Until SSNs can be associated with a relatively secure additional password, they shouldn't be considered as much of an identifying piece of info as they currently are. Combining them with a government-supplied password that's changed periodically would be a good start. And extend fraud-alert lengths to the duration of the password.

    6. Re:College SSNs may bring rewards by screenrc · · Score: 1

      How can you steal SSN numbers? These numbers are
      not meant to stay secret, they should be treated
      in the same way we treat telephone numbers from
      the telephone book. How can you steal telephone
      numbers from the telephone book? In a similar way, the SSN numbers
      are public identifiers, not secrets.

    7. Re:College SSNs may bring rewards by Malc · · Score: 2, Interesting

      Why would a high school have their pupils' SSNs?

  11. the real question is.. by zappepcs · · Score: 1, Interesting

    would anyone have listened to them if they hadn't gone public?

    If kids can do it, why would this be a problem for the kids? Shouldn't it be publicly shown that the system was insecure, not that it was breached?

    When is it that our governments will be responsible?

    just a thought....

    1. Re:the real question is.. by Anonymous Coward · · Score: 0

      If kids can do it, why would this be a problem for the kids? Shouldn't it be publicly shown that the system was insecure, not that it was breached?

      Well I dunno...publicly saying "hey...this database is insecure and holds valuable information of many people and it's part of school XYZ" kind of seems like advertising "HACK ME!" on your site. Although for some it works and proves a point...I don't think this is the same case.

      just a thought...

    2. Re:the real question is.. by Jim_Callahan · · Score: 1

      Would anyone have listened to them if they hadn't gone public?

      Probably, yes.

      --
      ...it's really a sad day for America when we require a goddamn ACT OF CONGRESS to make our DVD players work properly. ~
    3. Re:the real question is.. by Anonymous Coward · · Score: 0
      would anyone have listened to them if they hadn't gone public?
      Please inform me where they "went public." All I can see is that they did the act a long time ago, didn't say a damn word (to the school, at least), and then got caught.

      Where or when the hell did they "go public"?

      Also, these high school upper classmen are just "kids"? Are you also implying that they should not be held accountable for their actions (the ones for which they got caught) because they cannot tell the difference between right and wrong?

      The school principal said, "The investigation is ongoing, and more students may be involved." Damn, I didn't know there was such a ring of altruistic high school upperclassmen.

  12. the wrong people by cryptoz · · Score: 0

    The people who should be threatened with jail time are those who designed the poor system, not those who pointed out the mistakes. Yes, yes, I know that'll never happen, but honestly, this way is just plain stupid.

    I mean seriously, if you were designing a car, and had released it. Millions of people were driving it. Someone takes theirs out to a desert and does some tests on it. They find that if you press the wrong button, it blows up. You decide to sue them and try to throw them in jail. Does that make ANY sense?

    The stupidity in the system is really quite astounding.

    1. Re:the wrong people by Anonymous Coward · · Score: 0

      But, to borrow your analogy, they didn't take the car into the desert. That would be setting up an identical test server with no important information on it. As it is, they essentially "ran over" everyone in the school--they took real data, which has privacy implications for hundreds of people. And what makes you so sure that their intentions were honest?

      If you're looking for someone to blame in this story, how about the ridiculous gung-ho hacker superhero attitudes that are reinforced by people on places like /.? It takes a good amount of hubris to cloud one's vision enough to make pissing off people in power by actually committing a crime seem like a good idea.

  13. man oh man by NetworkNed · · Score: 1

    Those kids grow up so fast. When I was in high school we just worried about ways to drink alcohol, and what Denny's everyone was meeting at. Apparently now that's been taken over by identity theft and listening to NPR.

    1. Re:man oh man by Anonymous Coward · · Score: 0

      We worry about where to get weed from, ways to get alcohol and places to drink/smoke along with identity theft and listening to NPR.

  14. they need to see the problem to fix it by Anonymous Coward · · Score: 2, Interesting

    Often high school IT departments aren't that...trained in security.

    There was an issue at my school for over 2 years with anonymous ftp login to their server, databases for the grading software, and the web server.

    Telling the IT department this at least 10 times never got anywhere because "who would actually do anything bad"

    Eventually the website got defaced. It was then fixed..

    Sometimes it takes a problem they can see before they'll actually fix it.. And a defaced website, is a problem they can see.

  15. We wore our SS numbers around our necks... by Anonymous Coward · · Score: 1, Interesting

    We wore our social security numbers around our neck in our county.

    Sure, it was after the Columbine crap and during all of the security increases, but tell me what kind of security is requiring all of the students and faculty to wear ID tags with Code39 encoded social security numbers around their neck due to pure laziness and negligence?

    It's really easy to memorize Code 39, it's a * character and numbers 0-9, so I'd ask the teachers and the vice principals to let me see their ID for a second and then hand them their social security number.

    Security my ass.
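
Added example, not part of any comment in this thread: the badge comment above and the earlier suggestion that schools generate their own unique IDs both come down to keeping the SSN out of anything that is printed or used as a key. The sketch below shows one way to do that. The function names, the roster layout and the HMAC lookup token are assumptions made for illustration, and the sample roster is constructed.

```python
import hashlib
import hmac
import re
import secrets

# Nine digits with or without the usual dashes: the shape of an SSN.
SSN_SHAPED = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

# Digits and uppercase letters are valid Code 39 characters, so these IDs
# print on the same kind of barcode badge. Look-alikes I and O are left out.
BADGE_ALPHABET = "0123456789ABCDEFGHJKLMNPQRSTUVWXYZ"
BADGE_ID_LENGTH = 10

# Constructed sample roster. Area number 000 is never issued by the SSA,
# so none of these values can belong to a real person.
SAMPLE_ROSTER = [
    {"name": "Student A", "ssn": "000-12-3456"},
    {"name": "Student B", "ssn": "000-98-7654"},
    {"name": "Teacher C", "ssn": "000456789"},
]


def normalize_ssn(ssn):
    """Strip separators and insist on exactly nine digits."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("not a 9-digit SSN")
    return digits


def ssn_lookup_token(ssn, key):
    """Keyed digest used only to find an existing record by SSN.

    An unkeyed hash is not enough: there are only 10**9 possible SSNs,
    so anyone holding the digests could try every value. The key has to
    be stored apart from the database (assumption of this example).
    """
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def new_badge_id(taken):
    """Random identifier that carries no information about its holder."""
    while True:
        candidate = "".join(
            secrets.choice(BADGE_ALPHABET) for _ in range(BADGE_ID_LENGTH)
        )
        if candidate not in taken and not SSN_SHAPED.match(candidate):
            taken.add(candidate)
            return candidate


def migrate(roster, key):
    """Replace each SSN with a random badge ID plus a keyed lookup token."""
    taken = set()
    migrated = []
    for person in roster:
        migrated.append({
            "name": person["name"],
            "badge_id": new_badge_id(taken),
            "ssn_token": ssn_lookup_token(person["ssn"], key),
        })
    return migrated


def audit_badge_payloads(payloads):
    """Return the barcode payloads that would expose an SSN-shaped value.

    Code 39 wraps its data in '*' start/stop characters, so those are
    stripped before the check.
    """
    return [p for p in payloads if SSN_SHAPED.match(p.strip("*"))]


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)
    old_payloads = ["*" + normalize_ssn(p["ssn"]) + "*" for p in SAMPLE_ROSTER]
    print("old badges flagged:", len(audit_badge_payloads(old_payloads)))
    for record in migrate(SAMPLE_ROSTER, demo_key):
        print(record["name"], record["badge_id"], record["ssn_token"][:12] + "...")
```

Running the audit over existing badge payloads before and after such a migration gives a simple check that no SSN-shaped value is still being printed.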

  16. yes, let the kids decide about your privacy by Daffy+Duck · · Score: 5, Insightful

    Honestly, what a bunch of fuck ups. If you're trying to do a service by penetration testing, you at the very least notify the sysadmins of the vulnerability you plan to explore.

    To go all the way through to stealing *everyone's* information, and then afterwards claim you only did it to help is bad judgment at best. In some states it's criminal.

    1. Re:yes,let the kids decide about your privacy by Anonymous Coward · · Score: 0

      If they would have told them, the librarians^Wadmins probably would have said "no" and called the cops anyway, just to be safe.

  17. Good, throw them in jail! by NitsujTPU · · Score: 2, Insightful

    Good, throw them in jail.

    Those miscreants are a danger to society, and consider the cash value of all of the damage that they have done, not to mention the bruised egos!

    They are terrorists, and should be executed!

    </sarcasm>

    1. Re:Good, throw them in jail! by Anonymous Coward · · Score: 0

      Dude you forgot to use . Stop emitting bogons.

    2. Re:Good, throw them in jail! by Anonymous Coward · · Score: 1, Funny
      Yeah, and I'm sure they destroyed all files and documents they stole. Just like they said. Months ago, even. In fact, I don't know of any reason that high school students (you do know that there is reason to think there were more than just these two, don't you?) would want to break into school computer systems except for testing the school security.

      These are honest, upstanding role models. Nay, heroes. Modern day American heroes. They selflessly took on "the man" in the name of the little person and all that is good and true. Sure, the act was months ago, but I'm sure they were spending all that time writing up a detailed report to give to the school.

      But hey, these are just kids, right? I'm sure they can't even tell the difference between right and wrong. And let's face it, they are the real victims here. The Pollyanna looks on their sweet cherub faces are forever lost.

      "Golly Beav, whatcha doing? I'm going down to the homeless shelter to volunteer to bathe the invalids. Wanna come?"

      "Do I? You bet. But first we better do a security audit of the old high school. A safe computer is a happy computer."

      "Ok, but I'm warning you, if we see anything that we shouldn't then I'm going to close my eyes!"

    3. Re:Good, throw them in jail! by NitsujTPU · · Score: 1

      Do you think that these kids really deserve what probably awaits them?

      It's one thing to get suspended for changing your grades (the teachers could audit their tests to assure that that did or didn't happen). It's another thing entirely to get tossed in jail for something like this.

    4. Re:Good, throw them in jail! by tres3 · · Score: 1
      Good god don't give President redneck any ideas!! When it comes to the cash value I think that liability should belong to the school that failed to protect their students' data. But that brings up the real problem: the data about the students isn't owned by the students but by whichever organization that collected it by mandating that you turn it over. The bruised egos and the terrorists comments are just reflective of the political climate that we now live in. Anything critical of the establishment must be kept silent so the establishment can be allowed to track us all and god forbid anyone disagreeing with that comment; they must be terrorists. The kids are the only ones that broke the law because the laws are bought and paid for by the corporations and you know damn well that they aren't going to take responsibility for their failures! Even mentioning something like this is considered wrong, anti-establishment, anti-American, and un-patriotic so to prevent their egos from getting bruised they have to have someone else to shift the blame to.

      Sometimes a good piece of satire is what is needed to get people to see the trees through the forest. Good job.

    5. Re:Good, throw them in jail! by Anonymous Coward · · Score: 1, Interesting
      For something like what? It is too early to know what they did do, as it is still under investigation. There is a suggestion that there might be others involved.

      What do you think they were doing? To me it smells like attempted grade changing. Maybe they wanted to make/obtain fake IDs with that personal information so they could purchase alcohol. Maybe they wanted to dig up dirt on teachers, administrators, or students. I'll tell you what it wasn't: testing computer security. They did this act months ago, and they didn't come forward either (they were caught by the evidence they left behind).

      I also differ in that I don't see them as "kids" but young adults. "Kids" implies that they really didn't understand the consequences of their actions.

    6. Re:Good, throw them in jail! by Anonymous Coward · · Score: 0

      No opening tag. The XML nazi will get you.

    7. Re:Good, throw them in jail! by NitsujTPU · · Score: 1

      None of those things deserve jail time.

    8. Re:Good, throw them in jail! by NitsujTPU · · Score: 1

      Nice moderation. Disagree with me, so you downmod me.

      That's ok, you'll be comfortable in a society with no free speech, where high school kids are jailed for such petty mischief.

  18. Well, is hacking... by Creepy+Crawler · · Score: 4, Interesting

    Copying the openly readable, unencrypted database (say in MySQL) and parsing for XXX-YY-ZZZZ found to be hacking?

    Well, for one, it is public knowledge that the SSN X's (in my representation) are in fact, state codes. I have some reason to believe that the Y might be county or some sort of district code, but I can't be so sure unless I'd gather enough SSN's and location of birth.

    Yes, the mail center in which you were born is what the state code is attributed to, not the actual locale you live in. Say your parents lived in Phoenix, Arizona but went on a trip to New York City. The baby's SSN would start with 050 to 134, NOT the Arizona 526 prefix.

    Well, hope this sparks up some replies (and mod points! yay mod points!)

    --
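The same XXX-YY-ZZZZ pattern match is what an administrator runs over their own exports to find SSNs sitting in cleartext columns. The sketch below is an added example, not part of the thread: the rows are constructed, the function names are hypothetical, and the filter uses the SSA's never-issued values (area 000, 666 and 900-999, group 00, serial 0000) to cut false positives. It reports column names and counts only, never the digits.

```python
import re
from collections import Counter

# Three, two and four digits with one consistent separator ("-", space or
# none), not embedded in a longer run of digits or dashes.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")


def is_issuable(area, group, serial):
    """Reject values the SSA has never issued (all arguments are digit strings)."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def count_ssns(text):
    """Number of plausible SSNs found in one field value."""
    return sum(
        1
        for m in SSN_RE.finditer(text)
        if is_issuable(m.group(1), m.group(3), m.group(4))
    )


def audit_rows(rows):
    """Map column name -> number of plausible cleartext SSNs seen in it."""
    hits = Counter()
    for row in rows:
        for column, value in row.items():
            found = count_ssns(str(value))
            if found:
                hits[column] += found
    return dict(hits)


# Constructed sample export; none of these values belongs to a real person.
SAMPLE_ROWS = [
    {"id": 1, "name": "Student A", "phone": "555-123-4567",
     "notes": "SSN 123-45-6789 on file"},
    {"id": 2, "name": "Student B", "phone": "5551234567",
     "notes": "ssn=234567890"},
    {"id": 3, "name": "Staff C", "phone": "",
     "notes": "ref 000-12-3456, 666-12-3456, 912-34-5678"},
    {"id": 4, "name": "Staff D", "tax_id": "345-67-8901",
     "notes": "123-00-4567 / 123-45-0000"},
]

if __name__ == "__main__":
    for column, found in sorted(audit_rows(SAMPLE_ROWS).items()):
        print(f"column {column!r}: {found} plausible SSN(s) stored in cleartext")
```

Columns that show up in the result are candidates for encryption, tokenization or removal; free-text fields such as the constructed `notes` column are where these values tend to hide.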
    1. Re:Well, is hacking... by _Sharp'r_ · · Score: 4, Informative

      Different SSN prefixes are assigned to specific SS offices to give out. What determines which one you get is which office you get your numbers/original card through.

      In many cases (especially recently), SSNs are applied for semi-automatically through the hospital someone is born in, so in that case the hospital location would determine the prefix.

      Personally, I didn't have a SSN until I was 23 (and only then because I couldn't avoid it anymore without causing myself hassles with otherwise-decent employers that I didn't feel like hassling with), so my prefix is the same as the office I applied through when I got mine at age 23, nothing to do with my birth location.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    2. Re:Well, is hacking... by zerbot · · Score: 1

      That isn't true, at least not when I got my SSN. It was assigned according to our mailing address when issued, not where I was born.

      Of course, nowadays, babies are almost always assigned SSN's at birth, so it's a good rule of thumb, but it's not perfect.

    3. Re:Well, is hacking... by Creepy+Crawler · · Score: 2, Informative

      ---Personally, I didn't have a SSN until I was 23 (and only then because I couldn't avoid it anymore without causing myself hassles with otherwise-decent employers that I didn't feel like hassling with), so my prefix is the same as the office I applied through when I got mine at age 23, nothing to do with my birth location.

      I should have clarified myself. The SSN state code is based off of the location of the mail collection where you requested it. So, if you lived in the sticks near a border of a state, and went to the other state's Post office, you'd get a SSN associated to that state you requested it from.

      Usually, it is requested automatically when you're born these days. For example, my parents were living in Indiana when I was born, but I was born in Ohio (nearest hospital). As a result, the request was sent from an Ohio Post office. Hence, I have an Ohio SSN.

      --
    4. Re:Well, is hacking... by Anonymous Coward · · Score: 0

      yay mod points!

      Yay! Someone who can't tell their ass from their elbow agrees with what I've said regardless of fact, and modded me up!

      Not picking on your post, I just can't understand the excitement over points awarded by people who may or may not understand what you've written, and who vote by popularity of opinion more than anything else.

    5. Re:Well, is hacking... by Creepy+Crawler · · Score: 1

      I don't care. I'm a mod-whore and a troll. I say what I think would fly at the right time. Usually, it does.

      --
    6. Re:Well, is hacking... by Jim_Callahan · · Score: 1

      I'm fairly sure this isn't correct. My brother, sister and I are all born in the same state, and they were born in the same zip code, but we have different prefixes on our social security numbers.

      --
      ...it's really a sad day for America when we require a goddamn ACT OF CONGRESS to make our DVD players work properly. ~
    7. Re:Well, is hacking... by Creepy+Crawler · · Score: 2, Informative

      Of course they would. There's ranges for many states. It's not just one number.

      There's even some 10 digit SSN's out there. It has to do with the 1950 military personnel or something (I'm still unclear about this one) and their distinctions thereof.

      Most systems that have SSN coding do not account for this, nor do they account for a few 8 digit SSN's used during the thirties (when SS was enacted). Most of the 8 digit ones were renewed to the now 9 standard, but it was not a requirement to have the 9 vs the 8.

      Hopefully, this site will help you understand. http://www.ssa.gov/foia/stateweb.html

      --
    8. Re:Well, is hacking... by Stealth+Potato · · Score: 1

      Wow, at least you're honest. :-)

    9. Re:Well, is hacking... by Creepy+Crawler · · Score: 1

      Truly, I really don't care.

      I do more serious conversations over at kuro5hin.org anyways. Over here is tech-wankery. Pretty much people who cheer on Linux without knowing how it works or probably even used it, or cheers on copyright violations of big corps whilst whining and moaning about GPL copyright violations.

      Why NOT whore and be a troll here?

      btw, I have mod points now. I don't metamod, nor do I use mod points. I let 'em lapse. No sense in using what an editor can bitchslap and super-mod away. At least on k5, if the owner doesn't like what you say, he is listed along with every other person there. If you disagree, it's publicly noted.

      --
    10. Re:Well, is hacking... by fLiXUs · · Score: 1

      Well, how about this, related case: Our school uses a unique ID at the exams. This ID is "secret". The reason for it being secret is that a sensor should not be able to infer whose exam (s)he's looking at. And your grades may be published along with this ID, and your grades are not public either.

      So, in an attempt to identify appliers for student assistant jobs, a faculty had you enter your secret ID. And then went on to display your name... Practically a database interface to perform the assumed secret transition from ID to name.

      So. Write a 3 line bash/perl script, exploiting the fact that most IDs are within a limited number range. Suddenly you've got the names and IDs of most students. Should this be accounted as a criminal act?

      Note 1: It was rumoured that the developer of this page was informed of its exploitability, but chose to ignore it, as he apparently thought it an unimportant issue. This kinda made some people upset. I, for one, sent him and the person with formal responsibility an email, explaining in no uncertain terms that this was unacceptable. Unfortunately, this was Friday afternoon, and some began to harvest information to prove this to some reporters.

      Note 2: Local and national newspapers were informed as soon as much ID information had been gathered. The national ones didn't bother, but the local paper as well as a well regarded student newspaper printed the story, much to the frustration of the school. Newspapers are, for one, open during the weekend. However, except for bad publicity, nothing happened to the school or its employees. This was the third time they leaked personal information (and made it to the newspapers for it). And our country does have rather strict laws on the responsibility and accountability of people/companies holding personal information. Namely, "(...) must (...) ensure (...) adequate information security with respect to (...) confidentiality (...)" and "(...) may be punished with fines or up to one year in jail for (...) gross negligence (...)". So, does making a lookup table for secret database information constitute gross negligence? Hell, yeah, if you ask me.

      Note 3: Our national law regarding the storing of personal information admits unauthorized storage of personal information as long as this is done with "journalistic intent", but IANAL, so who knows.

      Epilogue: The school chose not to pursue the case if the involved people (who made no attempt to hide their identity) deleted all their retrieved data and signed a statement saying they had done so. None had any intent except to stop the school from being so careless with information and signed. The student assistant application page was rewritten shortly after. With a scheme that identified you through a hash of your national ID (secret) in addition to your secret ID. Guessing both of these is not impossible, but adequately difficult, in my opinion. Listing all students is surely infeasible enough. It probably took 10 minutes to think out the new scheme and 15-20 minutes to implement. Hopefully these 30 minutes will be applied in the first place next time around, although I have my doubts (see someone else's post about who slashdotters trust).
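The fix described in the comment above, sketched next to the original behaviour. This is an added example, not the school's code: the records, key and names are constructed, an HMAC under a server-side key stands in for the "hash" the comment mentions, and the per-client failure limit is an extra control the comment does not describe.

```python
import hashlib
import hmac
from collections import defaultdict

SERVER_KEY = b"constructed-demo-key"  # assumption: a per-deployment secret
MAX_FAILURES = 5                      # assumption: misses allowed per client


def nid_tag(national_id):
    """Keyed hash of a national ID, so the raw ID is never stored."""
    return hmac.new(SERVER_KEY, national_id.encode(), hashlib.sha256).hexdigest()


# Constructed records: exam ID -> (name, keyed hash of national ID).
STUDENTS = {
    "10482": ("Student A", nid_tag("NID-0001-CONSTRUCTED")),
    "10483": ("Student B", nid_tag("NID-0002-CONSTRUCTED")),
}


def lookup_original(exam_id):
    """Behaviour the comment describes: the exam ID alone returns the name."""
    record = STUDENTS.get(exam_id)
    return record[0] if record else None


class HardenedLookup:
    """Requires exam ID and national ID together and throttles misses."""

    def __init__(self):
        self.failures = defaultdict(int)

    def lookup(self, client, exam_id, national_id):
        # A locked-out client gets the same answer as any other miss.
        if self.failures[client] >= MAX_FAILURES:
            return None
        record = STUDENTS.get(exam_id)
        # Compare against a dummy tag for unknown IDs so both paths do the
        # same work, and never say which of the two values was wrong.
        expected = record[1] if record else nid_tag("")
        matched = hmac.compare_digest(expected, nid_tag(national_id))
        if record is None or not matched:
            self.failures[client] += 1
            return None
        return record[0]


def names_disclosed(service, client, exam_ids, guess):
    """How many names a single client learns by walking a range of exam IDs."""
    return sum(
        1 for exam_id in exam_ids
        if service.lookup(client, exam_id, guess) is not None
    )


if __name__ == "__main__":
    service = HardenedLookup()
    ids = [str(n) for n in range(10480, 10490)]
    print("original, ID only:", sum(1 for i in ids if lookup_original(i)))
    print("hardened, walked range:", names_disclosed(service, "client-1", ids, "guess"))
```

The `client` value is whatever the application can attribute requests to (session, account or address); a per-client lock trades some availability for making a full listing impractical.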

    11. Re:Well, is hacking... by NJVil · · Score: 1

      The first three digits are based on location.

      http://www.ssa.gov/foia/stateweb.html

    12. Re:Well, is hacking... by Anonymous Coward · · Score: 0

      From what I've heard, I don't think there was actually much "hacking" in this case. The students in question were able to steal a few teachers' usernames and passwords and use that to enter the system.

    13. Re:Well, is hacking... by hackstraw · · Score: 1

      XXX-YY-ZZZZ found to be hacking?

      Well, for one, it is public knowledge that the SSN X's (in my representation) are in fact, state codes. I have some reason to believe that the Y might be county or some sort of district code


      Actually, XXX is some kind of geographical location. YY is some kind of checksum digit, and ZZZZ is issued sequentially. All of this is from memory based on a google search that I did, you can do the same.

    14. Re:Well, is hacking... by SirCyn · · Score: 1

      SSNs are given out to hospitals in blocks, similar to how phone companies are assigned numbers.

      The first 3 digits, as you know, are a state code.
      The next 2 are block codes.

      Large hospitals may be assigned a whole block; but this is unusual. They usually get much smaller blocks, 100 or 500 is much more common.

      County clerk offices also have blocks assigned to them for people who do not get a number at birth.

      If you are in high school, ask your friends what hospital they were born at, and what the middle digits of their SSN are. You will almost certainly be able to find people who have matching xxx-yy numbers. If they were born particularly close (days apart), their zzzz numbers may be only a few different.

      In the above SSN numbers are xxx-yyy-zzzz.

    15. Re:Well, is hacking... by Anonymous Coward · · Score: 0
      Yes, the mail center in which you were born

      Americans are born in mail centers?

  19. Just because they say they haven't... by Zuke8675309 · · Score: 1

    ...given any information out or haven't done anything malicious with it doesn't mean they're telling the truth.

  20. faulty logic. by ntxb229 · · Score: 1

    There's fault in your logic. They didn't test their own car. They broke into someone else's car and ran the tests.

    1. Re:faulty logic. by Creepy+Crawler · · Score: 2, Interesting

      But that "car" is a publicly-owned bus.

      If there were faults YOU knew about that bus, and let others ride on it knowing that injury might result, you would be at fault morally, and perhaps legally and criminally.

      How is this different than the shock-journalists on the local news finding "naughty no-no subjects" and then prodding them until they're fixed? Our local (Indiana) problem is the channel 8 news WISH was going over the VX gas stockpiles and how the military was letting the barrels corrode and stuff. Investigator-8 pretty much drew maps on how to get to the VX stockpile.

      And yes, because of the big media attention, they're just now starting to incinerate the stockpile.

      --
    2. Re:faulty logic. by cryptoz · · Score: 1

      Fine. They break into someone else's car and do the tests. Doesn't really make much difference when you get right down to the point I was making.

    3. Re:faulty logic. by corsec67 · · Score: 1

      Yes, but what the kids were testing was the way that the IT department/person had set up the server, which is kind of hard to replicate without having much access to the school's server.

      Your comment would be true if there was a flaw in the software itself that the school was using, like if they used IIS for a webserver that also had a database with the SSNs in it, and that version of IIS was vulnerable.

      --
      If I have nothing to hide, don't search me
    4. Re:faulty logic. by tftp · · Score: 1
      But that "car" is a publically-owned bus.

      And the public - who is the owner of the bus - wants to jail the "testers" who damaged the bus.

      Public-owned things are not free for all; they are shared. For example, 100 people buy a bus; each owns 1% of it. If one of the owners destroys the bus, he is perfectly legal with regard to his 1%. But the other 99 co-owners want their loss compensated, and they are within their rights.

      In case of SSNs, the information in the database belongs to a large group of people (employees and students.) It does not entirely belong to the thieves, though their own info is definitely their property. Access to someone else's information is illegal right there, and these guys don't have an excuse that is good enough (like saving the world, for example.)

      As a stronger analogy, an opponent of firearms could want to buy an [illegal to own] machine gun, step outside and go postal - just to prove that guns may be dangerous. That may be so, and he can get a paper award for that; he can enjoy it while awaiting his own execution for the "proof" he made.

  21. Civil Disobedience has its price. by FatSean · · Score: 1, Insightful

    These two men broke the law to prove a point they held dear. I feel they did the right thing, but the law does exist and they may be punished. I hope that the judge presiding over a potential criminal case still has discretion to choose the punishment should they be found guilty of a crime. If they should be found guilty and sentenced, we should do our best to provide what support we can.

    What did Jefferson say about the tree of liberty and the blood of martyrs? Perhaps a bit over the top, but I feel the sentiment is appropriate.

    --
    Blar.
    1. Re:Civil Disobedience has its price. by renehollan · · Score: 2, Informative
      What did Jefferson say about the tree of liberty and the blood of martyrs?

      That would be "tyrants" and "patriots", not martyrs. (Though, I suppose a patriot who acts in a way that will result in his death for a noble effort, and recognition thereof, is a martyr.)

      --
      You could've hired me.
    2. Re:Civil Disobedience has its price. by Anonymous Coward · · Score: 0

      Oh please, it was a couple of stupid ass high school kids that broke into their shitty ass computer lab.

    3. Re:Civil Disobedience has its price. by Anonymous Coward · · Score: 0
      These two men broke the law to prove a point they held dear.
      Holy Shit! No wonder you are so hung up on martyrs! You are making these people into them!

      Where, anywhere, in either the original link, or any other such as this one that even remotely suggests that this was some sort of act of civil disobedience?

      You're quoting Thomas Jefferson too (well, you're trying, at least). Where do you come up with this crap? How big your ass must be to pull all this out of it! Where the hell do you get anything about their intentions?

      Please tell me that Alan Funt is going to come walking out and say to me, YHBT HAND, because you can't tell me that you believe the crap that you are spewing!

  22. We wore our social security numbers around our nec by meistaiwan · · Score: 1, Redundant

    We wore our social security numbers around our neck in our county. Sure, it was after the Columbine crap and during all of the security increases, but tell me what kind of security is requiring all of the students and faculty to wear ID tags with Code39 encoded social security numbers around their neck due to pure laziness and negligence? It's really easy to memorize Code 39, it's a * characters and numbers 0-9, so I'd ask the teachers and the vice principals to let me see their ID for a second and then hand them their social security number. Security my ass.

  23. you can lock your credit by Anonymous Coward · · Score: 0

    Not many people know this, but you can send a written letter to the major credit companies like Experian, Transworld, and whatever the 3rd most common one is (??). Then they will not release your credit until you contact them and "unlock" your credit report for 3 days, which can be done online. Then you can get your new credit card, online hooker, or crack. It's a bit of a pain in the ass, but I think it's worth it.

    I myself have my horrible credit report locked tight, that way nobody can get approved for anything, even if my credit was approvable! Brilliant, I say.

    Peace, love, nuclear weapons.

  24. would you? by zappepcs · · Score: 3, Insightful

    Personally, this makes me wonder why I would ever give anyone my SSN, unless they can prove they will live up to their federally mandated responsibilities.

    This just shows that most companies and governments cannot do so.

  25. High School Systems Insecure? You don't say! by NoodleSlayer · · Score: 4, Interesting

    I had the "fun" of working in our school's server room my freshman year. We had the servers get hacked at least twice.

    The first time was a simple brute force attack on an AppleShare server, because the main admin refused to put a limit on the number of password attempts because it was too inconvenient to have them simply go up to an admin and reset their password, despite that's more or less exactly what would have to happen if someone forgot their password anyways. I found out that year who had done it, but congratulated the person.

    The second time it was because the rather ancient admin password leaked out and they were able to use that to not only get into the teacher's file server but also the SASI server with all the grade data! Why did we use this password? Well because it was tradition! I found out only a couple months ago who did this, he didn't

    There's so much incompetence at so many High Schools it wouldn't surprise me if it was something as simple as a server that hadn't been patched in ages. Aren't you glad to know that these are the people with all your insensitive data? As it stands at my college they use SS#s for *everything* even though they probably shouldn't.

    1. Re:High School Systems Insecure? You don't say! by X0563511 · · Score: 1

      At my college they used our SSNs as student numbers! What the fuck is that?

      Get a glance at a student's/staff's ID (computer labs are pass controlled - so it's easy. "I forgot my card, can you let me in?") and you have their SSN.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:High School Systems Insecure? You don't say! by jon787 · · Score: 1

      All students run as local administrator on XP machines at the high school I work at during the summer. Why? I don't know, I'm trying to change it.

      the config

      --
      X(7): A program for managing terminal windows. See also screen(1).
    3. Re:High School Systems Insecure? You don't say! by aardwolf204 · · Score: 1

      My HS ran SASI as well. I remember wardialing the school's prefix and finding a SASI dialin, but never found a password. Thought about stealing a SASI manual from a vice principal, but never did happen. Ended up phreaking DATU instead. Good times. I'm surprised anyone still runs SASI.

      --
      Im dreaming ofa big bndwdth, That can resist the /.crowd.May ur days b merry & bright & may al
    4. Re:High School Systems Insecure? You don't say! by Anonymous Coward · · Score: 0

      Various comments of mine...

      Had the social security numbers for months? I would think that on the first day they would have alerted the school of the problem, otherwise it becomes "fishy".

      One thing I have to say, and as detestful as this sounds, better them than a real identity thief. At least the school can try fixing the system.

      There is a saying that a chain is only as secure as its weakest link...

      It doesn't matter how good a password sometimes. It doesn't matter if the system isn't protected against brute forcing. It doesn't matter if a password is set sometimes if there is a password recovery system that is flawed. And social security numbers shouldn't be used as identification.

    5. Re:High School Systems Insecure? You don't say! by dbIII · · Score: 1
      There's so much incompetence at so many High Schools it wouldn't surprise me
      So many people miss the incredibly obvious - you don't let the student network talk to the admin network without some serious form of filtering. The students shouldn't ever be on the computer the grades are stored on. That was obvious way before we even had computer networks in schools.
    6. Re:High School Systems Insecure? You don't say! by Neophytus · · Score: 1

      Because the crippled XP accounts are next to useless, even some Microsoft Office programs expect to run as administrator!

    7. Re:High School Systems Insecure? You don't say! by Eric+S+Raymond · · Score: 1

      No kidding. I winnuked my school's Windows NT 3.51 server. The next day at school I saw he was bumbling around saying how the network was down, and all kinds of bad stuff happened, like he didn't have a clue. And he was actually very smart. Which says that high schools need more people and money, which they won't get. Thanks Dubya!

      --
      Bypass Compulsory Web Registration -- http://bugmenot.com/
    8. Re:High School Systems Insecure? You don't say! by Phanatic1a · · Score: 2, Interesting

      There's so much incompetence at so many High Schools it wouldn't surprise me if it was something as simple as a server that hadn't been patched in ages.

      Imagine how much incompetence there is at universities.

      During my senior year, my school's network was being brought to its knees on a regular basis by Napster. It wasn't students downloading that was the problem, it's that they'd go home for the weekends, leave their connections running, and everyone uploading god-knows-what from all over campus would just bring the T1 to its knees (Yeah, that's right: a single T1 for the entire university).

      Roommates and I decided to do something about this. Turned out that this was pretty easy; most of the routers on campus had never been changed from their default password. So we just mapped the network status, and every time the network went to shit, we'd just check to see what dorm was causing the problem, and then we'd just shut it down. Campus radio station trying to stream some ridiculously high-bitrate live broadcast? No router for you, either!

      My roommate once witnessed the head of the IT company the school contracted the network administration to type the string 'C:\' while logged in as root.

    9. Re:High School Systems Insecure? You don't say! by rob_squared · · Score: 1

      Yeah, my school uses SSNs as well, now thankfully they only require them to be entered for scantron (fill in the bubble) forms. But one day some idiot TA or something *left* a page of them, the whole class list, outside of a bathroom. Since our physics class used an online homework system and the default password was the SSN I logged into about 5 accounts. I didn't do anything, but it amazed me that people were so inept in security measures. I quickly shredded the paper afterwards.

      --
      I don't get it.
    10. Re:High School Systems Insecure? You don't say! by zippthorne · · Score: 1

      My college assigns everyone a unique number as freshmen. Despite this, they still insist on using SSNs for everything. (Often you can use the other number, but you really have to be insistent and you get strange looks from people that think you shouldn't care.)

      --
      Can you be Even More Awesome?!
  26. Punishment by thedak · · Score: 1

    Assuming the article is correct in that they have had the data for months and only started talking about it now that the school had sent home a letter regarding the matter, there is a perfectly good reason to punish them now, it has nothing to do with being punished for doing good. Had they alerted the school or the IT department of the break-in when they performed the attack, they would have had some credibility in saying that they had done it to prove that it could be done. Instead they held onto the data for months and only brought this to the attention of the school and other people involved when they had been found out. There is little reason to believe they did it for the good of the school.

  27. Not the Real Problem by Dr.+Mu · · Score: 5, Insightful
    The real problem is not that SSNs are so easy to get but that possession of another person's SSN gives one so much power to do ill. I think it's time that agencies and institutions quit relying on such a dubious means of identification as a key to perform transactions. Heck, some of them only require the last four digits!

    I'm certainly not suggesting something as draconian as RealID. But it should not be necessary to keep one's SSN any more secret than the account and routing numbers printed on personal checks.

    1. Re:Not the Real Problem by aaronl · · Score: 2, Informative

      The private sector isn't supposed to use SSNs to begin with. Take a look at the Social Security Act (1936 I believe) and then at the Privacy Act of 1974.

      We don't need RealID or any other stupid thing, we just need to enforce the existing laws. Just like almost everything else Congress passes new laws about.

    2. Re:Not the Real Problem by Cro+Magnon · · Score: 1

      The problem is, the SSN is an identifier, and people treat it like it was a password! Allowing someone access because they know your SSN is as dumb as me using "Cro Magnon" as my password. *changes password*

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    3. Re:Not the Real Problem by hackstraw · · Score: 1

      I think it's time that agencies and institutions quit relying on such a dubious means of identification as a key to perform transactions.

      Hey, they're doing the best they can. After all, they are going after high school students and other "bad guys" after they are caught doing "bad guy stuff".

      Requiring people to issue their own unique identifiers (SSNs are not unique by the way) is obviously unreasonable.

    4. Re:Not the Real Problem by DoTheRightThing · · Score: 1

      really...what the fuck is a social security number? what do u do with it? whats the big deal?

    5. Re:Not the Real Problem by Anonymous Coward · · Score: 0

      So true. It's silly to assume the SSN to be a secret only known to me and hence a sufficient means of authentication.

      Not only my current and former employers (each HR staff member and billing) know it, the leasing agents of the apartment complex I live in now and before, various bank clerks, the place where I got my current (and former) cell phone from, etc. My SSN is even the customer number of my dental insurance (and they print it all over the place). Who doesn't know my SSN?

  28. Punish who? by djdanlib · · Score: 4, Interesting

    I support punishment of the administrators who did not sufficiently secure that sensitive information. I also support to a lesser degree the punishment of the children who stole the information. However, had that event not taken place, some less scrupulous children might have misused the information that was so easily stolen.

    Most databases and file servers have permissions systems in place that can authenticate by host and IP range. Most administrators assign different IP ranges for different purposes - staff should be different from student-accessible. Also, multiple passwords are required in most systems to access sensitive information: computer login, network login, database login. Passwords are also supposed to change often. Why were these precautions not taken, and why did the admin not notice anything suspicious until it was too late?

    Never underestimate 15 year olds. Why? First, they have WAY more free time than any of us working folk. Come on. They get home at 3, and have maybe an hour or two of homework to do sometimes, then they stay up until 1-2 AM. Second, there are a lot of them for every administrator at any school. Third, they are hormonally imbalanced and do irrational stuff to prove irrational points. They can exploit all of those points to their advantage at almost no notice. I did, you did, most everyone did.

    Someone needs to be made an example to prevent this sort of thing elsewhere. I think the administrator is the best choice, personally.

    1. Re:Punish who? by front · · Score: 1

      "Never underestimate 15 year olds."

      Right! I remember an instructor, in a sysadmin class, telling us a tale about how one of his daughter's boyfriends hacked his own home network through her machine... and though the instructor tried the hardest to keep him out over a couple of months, the daughter kept opening up the system to him through trojaned instant messages (despite the instructors warnings).

      It finally took a call to cops to stop the intrusion as it got a bit out of hand but anyway...

      His point was this:

      "Never underestimate the intelligence of a 15 year-old. These kids are just as smart as anyone in this class BUT they have no moral compass."

      Your comment "Third, they are hormonally imbalanced and do irrational stuff to prove irrational points." rang a bell with me on that one vis-a-vis his comments in the class.

      No "moral compass"... I like that. The problem with the average school network admin is that their network is under constant attack. It must be horrible.

      It only takes one kid every week to "undertake a penetration test"... and if the network is prone to previously undisclosed exploits then the admin is in for a hard time. The average school year lasts what... 160-180 days in the US? That is, at a maximum, 36 weeks of defense... and those kids are determined. They'll get serious respect from their peers if they "hack the network". They're not gonna give up. Meanwhile the average admin has to deal with a load of other issues... and will fall behind through overwork.

      I wonder, in this case, what the fallout will be be for the admin of this school? As our old instructor finished up the class he made sure to tell us that if we were eventually to be employed in a school district and the children got into the network... then their intrusion would be "career limiting" towards the admin, regardless of where the essential problem might have been.

      He was a good one for the quotes... and telling us not to stay longer than two years in a school district position if we could help it.

      And as for those who talk about punishing the admin? These kids have ACCESS to the machines they use at school... physical access. Physical access to workstations AND servers.

      You know how it is... these kids are going to get into that server room if they are in school late, wandering around the halls and notice that the janitor cleans the server room (conveniently located beside the computer lab) every Friday and leaves the door unlocked. They are going to get physical access to those computers and when they do?

      Those boxes aren't the admin's anymore...

      cheers

      front

    2. Re:Punish who? by poot_rootbeer · · Score: 1

      They get home at 3, and have maybe an hour or two of homework to do sometimes, then they stay up until 1-2 AM.

      Yeah, I wish.

      When I was 15, I had at least 3 hours of homework per night, plus I worked 20 hours a week at an after-school job. And I'm sure I was far from the exception.

  29. Huh? by __aaclcg7560 · · Score: 1

    So the schools are teaching high school students to be script kiddies? Man, I missed the old days where students were taught how to steal radios, hub caps and hood ornaments from the DINKs (Double Income No Kids). Now the script kiddies are ripping everyone off.

  30. "...tongues were wagging..." by Fortyseven · · Score: 1

    Doesn't really give any hard data in the article on the intentions, other than "it appears" to be "just for sport". It did say, however, that this happened months ago. So it's not as if they cracked in, proved their theory, and then reported it the next day or something. I get the feeling that this was just kids fucking around who did something they felt was "cool" and have the info as a trophy of sorts (though how they can conclusively prove that, I don't know).

    If it was done solely to draw attention to a security flaw, I'd be cheering a little more loudly for these unidentified kids, but at this point, to me, it just looks like schmucks needing a spanking. :(

    I'm curious what tipped off the admins 'months later'...

  31. Bad Timing by nate+nice · · Score: 1

    Rather, bad taste. They most likely had great intentions, but they were misled. Certainly, they are teenagers who notoriously make poor decisions at times, so maybe this could be swept under the rug. It should, anyways, be obvious these kids probably should be in school and most likely go to college. I also wouldn't be surprised if they were able to get their teachers, office, etc, to fairly easily give them passwords, etc.

    --
    "If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer ..."
  32. Anonymous snail mail to IT admins... by rmdyer · · Score: 2, Insightful

    To prevent being expelled just send the SSNs to the IT administration through anonymous snail mail. Explain how you broke in, and hopefully they will fix the problem.

    1. Re:Anonymous snail mail to IT admins... by sharpestmarble · · Score: 2, Insightful

      Trouble with that is, they (the administration) aren't concerned with the security, they're concerned with catching whoever got the numbers. "They did it on their home computer through their server, they said. They got a court order and went and checked it and they found it,"

      --
      AC's modded -6. I don't see you, I don't mod you, anything you say is lost. Don't like it? Don't be a coward.
    2. Re:Anonymous snail mail to IT admins... by Xarius · · Score: 0

      Well to you and me, that would be the obvious thing to do. But where is all the glory and attention if you do that, and I think that's what this is about. People saying "look at me, I r 1337 h4x0r n00b".

      Please...

      --
      C17H21NO4
    3. Re:Anonymous snail mail to IT admins... by Anonymous Coward · · Score: 0

      Even that's risky, as they no doubt would contact the authorities anyway. You'd most likely have to do it from a public terminal within the school, and even then they'll likely know what terminal it was done from. Good luck dodging the security cameras, possible authentication, witnesses (the staff probably already knows who the savvy ones are and will be alerted what time it happened if there is any sort of logging), and other means of just figuring out who did it.

  33. Ask yourself: why is a high school using SSNs? by brg · · Score: 5, Insightful
    What I think this incident really underscores is that high schools, where security is (unfortunately) likely to be lax, should not be using or storing students' Social Security numbers. High schools are perfectly capable of assigning unique ID numbers of their own to students wherever they are necessary; if and when their security is breached, the numbers are not useful for anything beyond the school's own internal databases.

    Keeping SSNs around obviously can't be avoided for the school's employees (for tax and other reasons), but employee databases should be separate from student records, and there are far fewer employees than students anyway.

    Basically, SSNs seem to have become the knee-jerk instant universal ID number for American firms and institutions of all sorts, which is a pity. It's best if we (as IT professionals) try to encourage the keepers of old databases to transition away from using them, and to strongly recommend that new databases not use them at all, wherever possible.
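
An added illustration of the transition the comment above recommends; it is not part of the original post. It re-keys a constructed student database from SSNs to random school-issued IDs and then verifies that no SSN-shaped value is left in any table. The table names, column names and ID format are assumptions, and employee records (which the comment says must keep SSNs) are out of scope.

```python
import re
import secrets
import sqlite3

# Constructed sample data. Area number 000 is never issued by the SSA.
LEGACY_STUDENTS = [
    ("000-12-3456", "Ada Example", 11),
    ("000-65-4321", "Ben Sample", 12),
    ("000-11-2222", "Cy Placeholder", 10),
]
LEGACY_GRADES = [
    ("000-12-3456", "Algebra II", "A"),
    ("000-65-4321", "Chemistry", "B"),
    ("000-12-3456", "History", "B"),
]
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def build_legacy_db():
    """Hypothetical legacy schema that uses the SSN as the student key."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (ssn TEXT PRIMARY KEY, name TEXT, grade_level INTEGER)")
    db.execute("CREATE TABLE grades (student_ssn TEXT REFERENCES students(ssn), course TEXT, mark TEXT)")
    db.executemany("INSERT INTO students VALUES (?, ?, ?)", LEGACY_STUDENTS)
    db.executemany("INSERT INTO grades VALUES (?, ?, ?)", LEGACY_GRADES)
    db.commit()
    return db


def new_student_id(taken):
    """Random ID with no mathematical relation to the SSN (not a hash of it)."""
    while True:
        candidate = "S" + "".join(secrets.choice("0123456789") for _ in range(8))
        if candidate not in taken:
            taken.add(candidate)
            return candidate


def migrate_off_ssn(db):
    """Copy students and grades into SSN-free tables keyed on the new ID."""
    taken = set()
    ssns = [row[0] for row in db.execute("SELECT ssn FROM students")]
    with db:  # commits on success, rolls back on any error
        db.execute("BEGIN")
        # The SSN-to-ID map exists only for the duration of the migration.
        # Keeping it would make every new ID linkable back to an SSN.
        db.execute("CREATE TEMP TABLE id_map (ssn TEXT PRIMARY KEY, student_id TEXT UNIQUE)")
        db.executemany("INSERT INTO id_map VALUES (?, ?)",
                       [(ssn, new_student_id(taken)) for ssn in ssns])
        db.execute("CREATE TABLE students_v2 "
                   "(student_id TEXT PRIMARY KEY, name TEXT, grade_level INTEGER)")
        db.execute("CREATE TABLE grades_v2 "
                   "(student_id TEXT REFERENCES students_v2(student_id), course TEXT, mark TEXT)")
        db.execute("INSERT INTO students_v2 SELECT m.student_id, s.name, s.grade_level "
                   "FROM students s JOIN id_map m ON m.ssn = s.ssn")
        db.execute("INSERT INTO grades_v2 SELECT m.student_id, g.course, g.mark "
                   "FROM grades g JOIN id_map m ON m.ssn = g.student_ssn")
        db.execute("DROP TABLE grades")
        db.execute("DROP TABLE students")
        db.execute("DROP TABLE id_map")
    # On a file-backed database, dropped rows can linger in free pages;
    # VACUUM rebuilds the file without them.
    db.execute("VACUUM")


def columns_holding_ssn(db):
    """Return sorted (table, column) pairs that still contain SSN-shaped text."""
    hits = set()
    tables = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cur = db.execute(f'SELECT * FROM "{table}"')
        names = [d[0] for d in cur.description]
        for row in cur:
            for name, value in zip(names, row):
                if isinstance(value, str) and SSN_RE.match(value):
                    hits.add((table, name))
    return sorted(hits)


if __name__ == "__main__":
    db = build_legacy_db()
    print("before:", columns_holding_ssn(db))
    migrate_off_ssn(db)
    print("after: ", columns_holding_ssn(db))
```

Backups and exports made before the migration still contain the old key and need the same treatment.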

    1. Re:Ask yourself: why is a high school using SSNs? by g-san · · Score: 2, Funny

      Huh? Schools definitely need SSNs. How else do you think they put things on YOUR PERMANENT RECORD?!?!

    2. Re:Ask yourself: why is a high school using SSNs? by putaro · · Score: 1

      This is a really good point. School security is never going to be tight. Period. And would you really want to be a student or a teacher in a well secured HS? However, if you're going to have lousy security then you should make sure that you don't have anything worth stealing or that will cause problems for people if it's stolen.

    3. Re:Ask yourself: why is a high school using SSNs? by Justin205 · · Score: 1

      What if a student in high school doesn't have a SSN? I'm in high school and I don't have a SSN yet.

      --
      "Your effort to remain what you are is what limits you."
    4. Re:Ask yourself: why is a high school using SSNs? by Coppit · · Score: 1

      In Virginia, a new state law requires state institutions to not use SSNs. At the College of William and Mary, where I work, everyone had to get a new ID for this reason.

    5. Re:Ask yourself: why is a high school using SSNs? by aaronl · · Score: 1

      In MA, Federal law says that schools can't make me use my SSN. If you're silly enough to *give* it to them, then they can use it. The Privacy Act of 1974 says that a government agency cannot deny you anything as a result of your refusal to disclose your SSN, unless the use of the SSN is mandated by statute. I wasn't able to find a statute that says a local school department needs any student's SSN.

      If they're messing with you on it, I bet you have a lawsuit in the works. Try it out and see if maybe it helps to fix the problem. These sort of places really need to learn better.

    6. Re:Ask yourself: why is a high school using SSNs? by mpe · · Score: 1

      Basically, SSNs seem to have become the knee-jerk instant universal ID number for American firms and institutions of all sorts, which is a pity.

      It's rather more than "a pity"; it's a fundamentally bad idea from the POV of security.

    7. Re:Ask yourself: why is a high school using SSNs? by Joseph+Vigneau · · Score: 1

      Well, if you're in Canada, as your email and site suggest, you probably don't have much use for a SSN.

      But, if you're in the States, and your parents want to claim you as a dependent, they need to put your SSN on their tax forms. A book I just read (Freakonomics) says that 10% of American "children" disappeared between 1987 and 1988, when the tax code changed to require parents to provide the SSNs for their claimed dependents.

    8. Re:Ask yourself: why is a high school using SSNs? by OneSmartFellow · · Score: 1
      Did you ever think that may have been because those children did not yet have Social Security Numbers?

      My children didn't at that time, and lo-and-behold, that year I couldn't claim them either, but the following year, after receiving SSNs for them, they were right back on as dependants.

      And I didn't bother to file an amendment, too much hassle for too little return (excuse the pun)

  34. And thus begins... by Short+Circuit · · Score: 1

    ...a long career in cybersecurity.

    Good time to get into it, too.

  35. When I was in HS... by WRoach · · Score: 1

    I broke into my school's netware directory just because the sysadmin was such a S*B. I changed access rights and passwd of a random account and browsed around to find out the sysadmin had usernames and passwords for every account written in a text file. I then printed the whole thing and anonymously pinned it on the main bulletin board.

    1. Re:When I was in HS... by Creepy+Crawler · · Score: 1

      You DO know, that since Novell petitioned to be C5 Mil spec, you can permnently disable the master account (forget what they call it in novellesque).

      Yeah, it could have been bad as in call-Novell-engineers-for-emergency-reset.

      --
    2. Re:When I was in HS... by PenGun · · Score: 0

      What is this 'permnently' you speak of?

      PenGun
      Do What Now ??? ... Standards and Practices !

    3. Re:When I was in HS... by Motherfucking+Shit · · Score: 2, Funny
      I broke into my school's netware directory just because the sysadmin was such a S*B.
      "S*B?"

      Must have been a Catholic school... Nobody else masks acronyms.
      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  36. Similar situation by FisherRider · · Score: 1
    How curious. I go to a high school near this one (just outside Chicago), and we've had a couple similar incidents recently. One kid (a gray hat at best) busted into something because he could, did no damage, and brought it to the administration's (or perhaps IT staff's) attention. He was disciplined.

    In another case, a student was cleaning up a messy computer lab, and accidentally plugged both ends of the same cable into two network ports. He thought that the second end was leading to a computer (the room was cluttered). It brought down the entire network (>1000 nodes) for at least 12 hours, and he was nearly punished (they wised up and let him off with a wrist-smacking).

    Some students were found with command prompts on their student folders (stored on a school server). It was shown by the IT staff that they neither did nor intended any damage, and the IT staff saw no reason to punish them. While this was obviously stupid on the students' part, they were still punished (initially the school tried to suspend them but after administrative appeals settled for two Saturday detentions).

    Just food for thought. It's obviously important that the IT in a high school keep up a secure network, and they should not trust students 100% (at least from the get-go). But punishing students for pointing out security flaws? The school should be thankful. It has always seemed to me that they could save a bundle by letting five or ten students come in over a weekend and, with supervision, try to crack the network. Rumor is that the IT department there instead hired independent consultants to evaluate their systems, and were told they needed either more consultants, or a larger IT staff. It's a tough job to administer a secure, functional network in a school. Especially a big high school.

    1. Re:Similar situation by daniel_mcl · · Score: 1

      "Some students were found with command prompts on their student folders (stored on a school server). It was shown by the IT staff that they neither did nor intended any damage, and the IT staff saw no reason to punish them. While this was obviously stupid on the students' part, they were still punished (initially the school tried to suspend them but after administrative appeals settled for two Saturday detentions)."

      You're saying students should be disciplined for using the DOS prompt? Why?

      --
      I used to read Caltizzle. I was a lot cooler than you.
    2. Re:Similar situation by ip_fired · · Score: 1

      I don't think you can damage a network by plugging one cable into two ports. If it has 1000 nodes, then they are likely using switches that detect and prevent loops.

      I guess if you had 1000 nodes on one gigantic hub it might do something weird, but still, sounds like your school has a messed up network topology if a simple thing like that is causing problems.

      --
      Don't count your messages before they ACK.
    3. Re:Similar situation by Creepy+Crawler · · Score: 1

      I've seen something similar to that.... well.. unintentionally.

      A certain brand of switches in my High School I went to would fail-over into hub-mode if the onboard computer crashed.

      Turns out, it couldn't handle the broadcast traffic from all the machines, so it created a 400-800 port HUB. Yes, 400-800 machines all sharing 1 100Mb stream of data.

      The sad thing about this is the office was using an AppleTalk network (with the early Macs with the brick-mice) with no internet connection. Amazingly, it's been running for the last 14 years with little to no problems.

      --
    4. Re:Similar situation by pclminion · · Score: 1
      I don't think you can damage a network by plugging one cable into two ports. If it has 1000 nodes, then they are likely using switches that detect and prevent loops.

      I've seen it happen once. In that particular case, the packet was replicated each time it went through the loop, and the TTL was reset to the max. So it was an exponentially growing cascade of packets, each with maximum TTL. Yeah, it was a router configuration mistake, which was quickly rectified.

      I'm not surprised in the slightest by it.

  37. it's all about trust folks by circletimessquare · · Score: 5, Insightful

    there will be a lot of teeth gnashing from slashdotters about this "injustice". usually because the average slashdotter trusts some anarchist high school students more than they probably trust their own police department. they will point out that a security system untested is never sound, and that this move will strengthen security. that better these high school students than someone with truly dark intent break in.

    the problem has to do with what the word "trust" means. society at large doesn't trust an intelligent well-intentioned hacker (these students are hackers as in the old school sense if there ever was one, as opposed to the new school "hacker=terrorist" sense). but they DO trust a bumbling idiotic underpaid school administrator.

    why?

    it's about how the average slashdotter views "trust" and how society at large views "trust". the average slashdotter trusts intelligence, cleverness, technical literacy. but the average joe simply trusts accountability.

    the school administrator's job is to keep security, he is trusted by society, paid by society to do this. he is accountable. the school administrator will be reprimanded by this breach, and the breach will be repaired. this is society at work. meanwhile, there is no social contract with the high school student. there is no trust. there is no accountability.

    yes, security will be better because of what they did. yes, their intent is perfectly sound. but there is no trust, there is no accountability as far as the average joe sees it.

    the lesson therein is for the average slashdotter then:

    accountability is more important than cleverness.

    to put it another way, the average joe doesn't care how technologically sophisticated the security is on their SSNs. the average joe just cares if THERE IS SOME ACCOUNTABILITY. so the SSNs could be on a text file on webserver, they don't care. the question is: is someone's job on the line for the theft? the average joe understands this concept: someone will suffer if my identity is stolen. therefore, someone out there is motivated to protect me.

    meanwhile, these students have no social contract, no accountability. what is their intent? what is their motivation to do good by me? all i have to trust is their word, and i don't know them from adam. therefore, all that they have done for the average joe goes unheeded, unrecognized. the students helped the average joe, but the average joe sees them as criminals.

    folks: gnash your teeth all you want, i'm just trying to give you all a heads up about the difference in thinking between the average joe and the average slashdotter. if you don't like what i am saying, don't be mad at me, don't shoot the messenger.

    be angry that trust does not mean the same thing to you and the average guy on the street.

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:it's all about trust folks by Creepy+Crawler · · Score: 1

      Hi CTS ;)

      It's The Amazing Idiot.

      Still, mate, don't keep talking about terrorism. We ALL*(Err, umm, All 3 of us K5ers) know YOUR bias :P Yeah, me, you, and that half-deranged-testicle-website-whore.

      Now get back to K5, STAT!

      --
    2. Re:it's all about trust folks by Anonymous Coward · · Score: 0

      Hahahah, I thought I recognized your typing style, and was correct when I looked at the username.

    3. Re:it's all about trust folks by Creepy+Crawler · · Score: 1

      which K5 miscreant are you? ;P

      --
    4. Re:it's all about trust folks by evanbd · · Score: 2, Insightful
      It's an interesting point, and I think you're at least mostly right. However, there is an inconsistency in that no administrator appears to be losing their job over failing to protect these SSNs from the students. By your logic, if no one's job is on the line, where is the accountability?

      That said, someone getting yelled at by the boss seems very likely here...

    5. Re:it's all about trust folks by hyfe · · Score: 4, Insightful
      meanwhile, these students have no social contract, no accountability. what is their intent? what is their motivation to do good by me? all i have to trust is their word, and i don't know them from adam. therefore, all that they have done for the average joe goes unheeded, unrecognized. the students helped the average joe, but the average joe sees them as criminals.

      The difference for the students is the one between numbers and people.
      For the school board (or however you're organized over there), there is a case of '500 SSN's got leaked, oh well.. the bad publicity will cost us less than hiring competent people'.
      For the students it's, 'holy shit, they're practically giving away our SSN's, I don't want my bank-account suddenly emptied'

      The victims have an inherent motivation in not becoming fucked over. The overseer's main motivation is not being yelled at.

      --
      "" How about taking the safety labels off everything, and let the stupidity-problem solve itself? """
    6. Re:it's all about trust folks by Cyno · · Score: 1

      Why does a High School need your social security number?

      Why expect any sort of "security" with a number that all employers, renters, lenders, etc. have stored in their databases. The risk of this number being stolen increases with time.

      The only problem I see here is that they hacked their school computers to get it. But if they had obtained them through social engineering by posing as a door to door sales person with a simple order form that includes SSNs, etc. I wouldn't have a problem with it.

      It's hard to do much without giving up your SSN these days. Just try to get around without it.

      I would replace the SSN system with something like a public key encryption system, possibly with different keys for each transaction. If it's so important why not treat it that way? Or do we just like blaming our kids for our own stupidity?

    7. Re:it's all about trust folks by Anonymous Coward · · Score: 0

      Typing style? He's soooooo COOL because he uses no capital letters!

    8. Re:it's all about trust folks by Anonymous Coward · · Score: 0

      i'm sorry to have to be the first to inform you of this but the point of this exercise wasn't to "inform the average slashdotter" the point was obviously to prove that there is a critical flaw with the way this school runs security. you're pretending you haven't made up your mind about this but obviously you have to make a statement like
      "their intent is perfectly sound. but there is no trust... all i have to trust is their word"
      ok well obviously you can't trust their action, i mean they haven't used your ss or anybody else's yet for any evil deed. i'm sorry what exactly are you claiming to be the messenger of?
      these students have not betrayed anyone's trust by proving that it is easy to hack this so called "protected information" don't encourage people to be angry it's bad for your karma

    9. Re:it's all about trust folks by Vellmont · · Score: 2, Insightful


      to put it another way, the average joe doesn't care how technologically sophisticated the security is on their SSNs. the average joe just cares if THERE IS SOME ACCOUNTABILITY. so the SSNs could be on a text file on webserver, they don't care. the question is: is someone's job on the line for the theft? the average joe understands this concept: someone will suffer if my identity is stolen. therefore, someone out there is motivated to protect me.


      I guess I have to disagree with this. The average joe only cares about feeling that his data is safe. Accountability is bullshit. I guarantee you if the insecurity (and consequences of that insecurity) was easily understandable by the average joe, he'd be up in arms that the guardians of his information are incompetent fools.

      The thing is that the technological nature of the insecurity is what masks it. If the average joe can't really understand why it's insecure, the feeling of insecurity never really registers very deeply.

      I'll give an example. Let's say Average Joe's bank didn't lock the doors at night because they didn't think it was necessary. Well.. heads will fly if Average Joe finds out about this. It's blatantly obvious that not locking doors at night as a bank is bleedingly stupid. It's also obvious to Average Joe that his money not being robbed from the bank is important. The news that someone will get in trouble for "not being accountable" isn't really very comforting to Average Joe.

      Let's say in the same bank scenario two bank customers realize the dumb practice of the bank and want to "teach them a lesson". They go into the bank, take the money and bury it in an empty lot somewhere. They then leave the bank a note saying where the money is. Have the bank customers committed a crime? Certainly. Have they also done some kind of service for other bank customers by showing how insecure their money is? Probably. What's the balance between the two? Very difficult to say. It seems the same way in this case. The difference between Average Joe and Average Slashdotter in this case is only that Average Slashdotter understands that this is like leaving a door open.

      I think there are people who do care about accountability. Mostly these people are the ones setting up procedures within large organizations. That's fine, accountability is a decent way to attempt to get actual security. But let's not forget that the real goal is the actual security, not having someone to blame at the end of the day.

      --
      AccountKiller
    10. Re:it's all about trust folks by swillden · · Score: 1

      the school administrator's job is to keep security,

      Yes.

      he is trusted by society,

      Yes.

      paid by society to do this.

      Like clockwork.

      he is accountable.

      Sort of.

      the school administrator will be reprimanded by this breach,

      Maybe.

      and the breach will be repaired.

      In my experience, unlikely. It's more likely that these kids will be punished, and then kept as far as possible from the servers.

      It's like Richard Feynman's experience with the lockable file cabinets used by the Manhattan Project at Los Alamos. For those who don't know the story, Feynman discovered that the combination locks on the cabinets used to protect important secrets were very easy to open. A few minutes fiddling with one allowed him to feel the combination out.

      Feynman took this knowledge to the colonel directing the project he was working on, and proved it by opening the colonel's safe for him (it used the same sort of lock). This was a military organization, and few people take security as seriously as the military.

      So what did the colonel do to fix the problem? Replace all the locks? Order documents moved to key-locked cabinets until better combination locks could be acquired? Start legal action against the seller of such substandard, insecure locks to the government?

      None of the above. What the colonel did was to circulate a memo ordering everyone to keep Feynman away from their cabinets. Feynman had a very high security clearance and society was placing a great deal of trust in him -- they were paying him to help develop the first nuclear bomb! *HE* wasn't the problem, the crappy locks were. Yet the response was to treat him as the problem.

      this is society at work.

      The problem, of course, is how often society fails to work.

      Maybe the lax security in this circumstance will get fixed. But I wouldn't bet on it.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    11. Re:it's all about trust folks by raxxerax · · Score: 1

      I think the real truth lies somewhere between your two points. You're right; the average Joe doesn't understand that this is akin to leaving a door unlocked. But if average Joe knows that there is a bank manager who is accountable to lock that door, he will probably assume that the manager does so because it would be stupid to not do so. The proof of this is simple to see: how often have _you_ checked up to make sure your bank manager locks the door? If you hear someone robbed the bank, you are mad at the manager if the door was unlocked, but don't blame him if they break in the door. If you don't hear otherwise, you will likely assume it was a break in. Likewise, if average Joe knows that there is someone accountable for "locking the door" to his SSN, he assumes that this person will not act stupidly. However, in this case when the SSN's are stolen, average Joe cannot recognize if the door was unlocked. Since he assumes lack of stupidity, his tendency is to assume that "the door was broken-in" (i.e. the system was "hacked"). Often, even when those who _do_ understand point out his error, he cannot quite grasp it. It's so beyond his normal way of thinking that it's all just hacking to him. YMMV -raxxerax

    12. Re:it's all about trust folks by poot_rootbeer · · Score: 1

      For the students it's, 'holy shit, they're practically giving away our SSN's, I don't want my bank-account suddenly emptied'

      I'd be surprised if there are many high school students who think that way.

      Go up to any teenager you know and ask them what their Social Security number is. Of those that actually know what theirs is, I'd wager that more will out and tell it to you than ask why you want to know.

    13. Re:it's all about trust folks by Anonymous Coward · · Score: 0

      Cracker != hacker.

      Cracker breaks into things.

      Hacker comes up with solutions to impossible problems, often ugly but darned if they don't work.

    14. Re:it's all about trust folks by Vitriol+Angst · · Score: 1

      I trust none of the parties in your example. I don't trust the school administrators because they practice a tail-chasing bureaucracy to protect them, rather than any knowledge --and I don't trust the hackers because they are unaccountable. Meanwhile, the average Joe is too busy to care unless this takes food off his table. The average Joe used to care about accountability, but now he is too numb with sleep deprivation and satiated with high-carb meals and is watching the Apprentice as soon as he leaves work praying that he never has to work for any of the jerks on the show.

      I don't get your point. The system only holds citizens accountable because they are the only ones affected by poor control of SSNs and the only ones damaged by it.

      Why wouldn't I gnash my teeth? What the average guy on the street understands is told to him by CNN or Fox--which is crap-o-la. Why are we basing things on mass hysteria and common knowledge? Um, why are we 27th in the world in healthcare (tied with Saudi Arabia), 37th in education (tied with Cuba), #1 in crime and jails and really depressingly poor on pollution for a civilized country?

      Well, that is a rhetorical question, really. It's like asking "why do we weaken pollution controls?" Because we want to shift the burden from the industrial polluters to the hospitals that take care of the Asthma and lung disease (and other issues). Now, not all regulation is good, but it isn't all bad either (trying to avoid flamewar wherein reactionaries call me a Socialist). Why NOT put the burden of securing information on the people entrusted with the information? The SSN system is like a screen door on a bank. And we expect the honor system is going to save us...

      Hackers are the only reason we have some tiny bit of data security. The government wants to make the few bad hackers and few terrorists the reason to take control away from the citizens on numerous fronts while absolving themselves of responsibility. In this case, it is a school--and the real dynamic that costs in schools is the administration (not teachers) and their desire to control their fiefdoms. Why would schools not look to an open source security model for running school systems? That's like; Why wouldn't the government create an open source project at Universities that had the scrutiny of millions to create a low cost electronic voting system? Because an expensive, closed, secretive system benefits those in control of it. This isn't a knee jerk reaction because they were geeks. This seems like some kids who were not following the rules and disrespecting authority (which is the duty of anyone under 21) and who took a little initiative.

      Always, always, always, when you have people who have control and no accountability coupled with secrecy, you get these kinds of problems. The kids who hacked this should have known better to cover their butts. They could have released the SSN of the admins at the school and never mentioned their own names and gotten real results for security and not this mountain of pain they are in. Good intentions, however, will never go unpunished when you embarrass incompetent people with power.

      --
      >>"ad space available -- low rates!!!"
    15. Re:it's all about trust folks by Vellmont · · Score: 1

      Accountability might give the average joe a sense of security, true. My only point was to refute CircleTimesSquares idea of the difference between slashdotters and average joe. The difference is one of information about security and value of the information, not a difference of what each values. (accountability vs cleverness).

      Both slashdotters and average joes value a sense of security. Each has a different assessment of how the system failed. The slashdotter recognizes that these people are idiots, and should never be trying to protect such valuable information. Average Joe is befuddled by all the techno-geekness and thinks you need to be a super-genius to break the security (like something out of Oceans 11).

      --
      AccountKiller
    16. Re:it's all about trust folks by kz45 · · Score: 1

      Hacker comes up with solutions to impossible problems, often ugly but darned if they don't work

      not anymore. To the majority of the population, hacker is the same thing as cracker effectively changing the meaning of the word.

  38. Well meaning but stupid by Stickerboy · · Score: 1

    Most of us live with really crappy security... in our place of residence.

    Now, if you're like me, you've got a generic commercial alarm system and generic deadbolts on the front and rear doors, which is the extent of our "security", otherwise known as "just a little harder to rob than the house next door".

    I know a determined thief could break in and steal everything I have in the house, thank you very much. If I have the option of choosing,

    A) some kids actually breaking into my house during my vacation, stealing my stuff, then returning all of it when I get back with a postcard saying, "Hey! Your house is insecure!", or...

    B) some kids pointing out in good faith that my home security model isn't all that secure, and ten ways a thief could bypass it,

    I know which option I'd be pressing charges and which option I wouldn't.

    --
    Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
    1. Re:Well meaning but stupid by daniel_mcl · · Score: 1

      Again, the point is being missed here. The students' own sensitive data was in danger, so they were forced to act. Anyone who thinks that reporting the problems to the administration / IT staff would have accomplished anything at all has not attended high school in the past decade.

      --
      I used to read Caltizzle. I was a lot cooler than you.
    2. Re:Well meaning but stupid by zerbot · · Score: 1

      I don't think breaking in, stealing the data, and then sitting on it for months until they were caught falls under "forced to act".

  39. Needs more info by Draknor · · Score: 1

    The article is sorely lacking. Did the kids 'fess up, or did someone find out? Were they really "hacking", or was there a case of some dumba$$ IT staff leaving an MS Access file sitting in a directory on the webserver? If these HS students "hacked" the SSNs a few months ago, how many other people have had access to them as well in those last few months? Did the students go to the administration first & get the "there's no problem here, leave us alone" PHB brush-off response?

    Details, man - we need details!

  40. never... ever... by MultisSanguinisFluit · · Score: 1

    ...do pen testing without approval of the system's owner.

    --
    > get tea
    No Tea: dropped.
  41. They probably felt there was little choice. by Anonymous Coward · · Score: 0

    With all sorts of reports of database hacks and the big deal that's made of it, these kids probably felt the problem was very serious and should be addressed. Having graduated from high school relatively recently, I can tell anyone who was out before this was an issue that the administration does not listen to students' suggestions relating to IT. They would rather fear the intelligence that these students possess and punish them. Take it from me, I got kicked out of a comp sci class along with two other students for "hacking the registry" when what was actually happening was we were the top 3 students and we finished everything so we were working on different extra credit programs. That's all. It wasn't even freelance programming, they were extra credit projects offered to us. When I tried to explain this to the principal, he banned me from the computer lab. Unreasonable administration produces unreasonable students.

  42. The way I look at it by mcc · · Score: 4, Insightful

    If I ever found myself in such a situation, the way I would look at it is that my private space was violated by the people who put my personal information where it could be indirectly but publicly accessed, not the people who chose to take advantage of that.

    Just a thought.

    1. Re:The way I look at it by TheFlyingGoat · · Score: 4, Insightful

      So if you forget to lock your windows when you leave one day and end up getting robbed, you won't blame the people that broke in? You'd blame yourself or the police department for not doing a good enough job with security?

      Every time this argument comes up, someone tries using that line of logic. The fact is, though, that even though your actions were stupid, the burglar broke the law.

      --
      You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
    2. Re:The way I look at it by mcc · · Score: 1

      If someone else left the windows to my house unlocked, without my consent or knowledge

      Yeah

    3. Re:The way I look at it by zkn · · Score: 1

      So after a successful burgling of your private property, you put your wife in jail for not closing the door, not the burglars for breaking the law?

    4. Re:The way I look at it by mrscorpio · · Score: 1

      There's a difference between my private home and a public school that is entrusted to keep my personal information safe. I want to know about every security hole, and I'd rather it be done by white hats than to get a call from my credit card companies one day!

    5. Re:The way I look at it by DigitalCrackPipe · · Score: 1

      Every time this argument comes up, someone tries using that line of logic

      Someone tries using your line of logic every time the issue comes up as well. It's misleading. Sure the students should be reprimanded and possibly punished. However the school should be punished FAR more. Making private information (particularly SSNs) easily available to anyone who takes the initiative should be severely punished. Do you think everyone who knows how to get at the information would go public like this?

  43. More about saving face (was:Dumbasses.....) by Lead+Butthead · · Score: 3, Insightful

    They are being punished more for making the "adults" look foolish than the severity of their mischief.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
    1. Re:More about saving face (was:Dumbasses.....) by Jim_Callahan · · Score: 1

      Well, that and engaging in criminal activity.

      --
      ...it's really a sad day for America when we require a goddamn ACT OF CONGRESS to make our DVD players work properly. ~
    2. Re:More about saving face (was:Dumbasses.....) by UlfGabe · · Score: 3, Interesting

      modparent up,

      Students who demonstrate intelligence beyond their years or insight into problems which the teacher cannot comprehend are VERY threatening to the teacher.

      I was identified as "gifted" between grades 2 and 3. People didn't have to tell me that, I was understanding concepts beyond the level of my peers, it worked out luckily that i had SEVERAL peers who were approaching the "Gifted" level, and one who was also "gifted".

      I would note that due to the inherent difficulties with IQ/aptitude testing in general nothing beyond 2 standard deviations from the norm is measured. If you happen to be two standard deviations or further away (in the higher direction as IQ is measured) then you are considered gifted, to my knowledge.

      A demonstration of what I could do was nessisary to myself upon entering university. I used one class with a 100% final (i opted out of the midterm which ws 40%, and the course outline was re-weighted), i skipped all lectures, and classes, and generally ignored the class for 2.5 months, then with about one week left until the final exam, i started studying. In that week i managed to "learn" or as i like to call it, play the system and procure an 85% in the course(Canadian University). I went from nothing to 85% in about 6 days.

      Lots of my peers were very mad at me for that, most of them recieved lower than 85%... The teacher was amazed and called me up to see what was going on. He didn't believe that i wasn't cheating and checked my exam against those of students seated around me. Mine checked out perfectly.

      long story short, teachers and peers are threatened by those who have exceptional skills and abilities. The government does not do enought to help "gifted" students. By grade 4, i had learned to shut up and stay put. They killed my inner spirit.

      Who wants to teach someone who already knows the answers?

      --
      Check journal for info on Anti-TextBook, an idea by me.
    3. Re:More about saving face (was:Dumbasses.....) by compwizrd · · Score: 1

      I'm impressed that you were able to do this at Guelph, as from what I hear it's actually a good university to attend.

      Now, if you'd done this at Windsor, I'd be rather unimpressed, as it seems most people are able to do this anyways.

    4. Re:More about saving face (was:Dumbasses.....) by Anonymous Coward · · Score: 3, Insightful

      I entered the gifted program in 4th grade. I was one of the top people in the gifted program. I went to college a year early. I graduated at the top of my ME class by a fair margin.

      My teachers liked me. I learned what they were teaching and looked like I would go on to be a useful member of society. Maybe I didn't need them like the other students did, but I never held it against them in any way. I showed up and paid attention.

      It has little to do with intelligence, and a ton to do with attitude. If you are a dick, it doesn't matter how smart you are. I don't know you, and therefore I won't try to evaluate your personality, but I have to question why you went to this school if it wasn't going to challenge you. Did you 6-day that class just to prove you could, or to show that the class was pointless, or to show that you were smarter, or because you weren't interested in it and figured that was the easiest way out? For classes that interested you, did you show up and study, or did you skip those too, because you could pass without doing anything? Arrogance is unbecoming.

    5. Re:More about saving face (was:Dumbasses.....) by Anonymous Coward · · Score: 3, Insightful

      This is off-topic solely to the parent of this post:

      It is truely funny how age sometimes diminishes this attitude.

      Growing up, I always knew I was 'smarter' than others, and even when I was tested I knew +3SD meant that I was smarter that 99% of the rest of the kids (atually only ~.3% are smarter than you at this point, +2 only give you advantage over 95%).

      I got into a lot of physical fights with my 'peers' (the quotes are as envisioning the past) and I had a lot of verbal fights with my instructors. I thought both were idiots and I didn't feel the need to hide my contempt.

      But guess what? I had no clue about the real world. I could figure out facts and statistics, but I had no clue how this related to anything at hand. I'd blame the others around me for being jealous or threatened. Some of the students felt threatened because I was a big guy, I am now 6"3 before I put on my redwings...and while I didn't like to fight, I didn't back down and I didn't stop til the other guy was on the floor. Teachers? I made sure I learned everything I needed to prove that I was smarter so that I could correct their laymans explanations in class. Sure, we are studying at grade school education, but fucking shit, I expected the instructor to explain it to us as if we were postdoctoral students, even though I was probably the only one that had knowledge of this subject.

      Like you, I can make 85% in courses without trying. After a dozen other failed degrees (I'd get bored...eventually settled for gen ed degree as I had the credit hours), I am working on a degree in psychology and its amazing that my peers study like motherfuckers and yet with only picking up the book midsemmester for an hour, I came off just under 2 points from a friend that is working on his masters as well -- everytime I call him to see if he and his girlfriend wants to go for drinks on the weekend, its generally just me and her because he is too busy studying.

      The one thing I am learning in my jaunt in psychology is that very few understand the 'gifted'. The population just can't support it. We are on our own.

      What would I have done differently? I would have not assumed I knew the answers, even if I did, but would have learned to ask less pointed, better questions. I would have learned to understand others takes on the world. I would have learned that the facts do not always make up the truth and vice versa. I would have learned individual experience is far more important than the end.

      Who wants to teach someone who already thinks they know the answers? That should be your end statement. It sounds as though you haven't come to the conclusion that you aren't the shiniest apple in your basket yet? You might have in the past, but there will always be someone better and a bushel where you are only average. I place myself into situations like this all the time. I don't want to be the smartest because I will never learn. I surround myself by folks much smarter and I challenge myself even though I don't get what they are saying half the time -- and once I do, I find another peer group.

      No one killed your inner spirt but yourself. Stop blaming others and get on with life. If you aren't challenged, that is your fault. Stop being the picked on geek because a lot of us have been there and we got over it. Some of us never get over it...don't be one of those people because they you will have proven that the others were right and you were wrong.

      By the by, the one area I was never great in was grammar or spelling as noted by this post.

    6. Re:More about saving face (was:Dumbasses.....) by Anonymous Coward · · Score: 3, Insightful

      "nessisary"

      Obviously didn't major in English.

      As a teaching assistant at university for two years and as a part time trainer and "mentor" every since, I can tell you I much prefer to have students who get what I'm saying.

      I got over 85% for courses that I did little study for and just scraped passes in courses I spent a lot of time working on. Some of the courses that most people I knew found easy I found difficult, some of the courses most people found difficult I found easy.

      Your ability to get a good grade in one course does not make you particularly intelligent. Your apparent inability to realise you sound like a fool boasting about getting one good grade makes me think that you perhaps don't have a well rounded intelligence anyway.

      I got a few stunningly good grades and a few stunningly bad grades. I beat a friend of mine in an exam once and she went on to get the highest GPA of anyone graduating from the entire university that year. Do I think I'm more intelligent than her? Of course not.

      "The government does not do enought to help "gifted" students. By grade 4, i had learned to shut up and stay put. They killed my inner spirit."

      Poor baby. I'm not normally a fascist like this but you need to get over it and realise that you aren't as smart as you think you are.

    7. Re:More about saving face (was:Dumbasses.....) by finkployd · · Score: 2, Insightful

      Students who demonstrate intelligence beyond their years or insight into problems which the teacher cannot comprehend are VERY threatening to the teacher.

      True, but in this case I think the punishment is coming due to a flagrant violation of school policy and the law. Given the recent identity theft stories and the fact that is becoming a very serious problem, I question how "gifted" these students actually were to not have seen this coming.

      More to your point, I think the problem is that gifted children often feel that demonstrating their intelligence is a key to social acceptance (which, of course, it is not). I don't know if I am gifted or not, but I learned along the way that basically "nobody likes a know it all". There are certain peers, teachers, etc. along the way that encouraged me and I gravitated toward them. I would think that any gifted person should be able to apply their mind to social situations like any other problem and observe reactions to certain behaviors and respond accordingly.

      Finkployd

    8. Re:More about saving face (was:Dumbasses.....) by NaruVonWilkins · · Score: 2, Interesting

      I went to an elementary school in Olympia, WA. During the time I served, in first grade, the teacher didn't want us to address negative numbers - she felt it was simpler to accept that 2-4=0. I was incredibly frustrated, because my parents had already taught me multiplication tables - I was quite a bit ahead of the class. I was actually marked off repeatedly on tests for answering several questions like the example with negative numbers.

      Eventually, my mother showed the graded work to the principal and had the teacher disciplined. I only wish it were that simple for everyone.

    9. Re:More about saving face (was:Dumbasses.....) by blue_adept · · Score: 3, Funny

      you happen to be two standard deviations or further away (in the higher direction as IQ is measured) then you are considered gifted, to my knowledge. A demonstration of what I could do was nessisary...

      If your IQ is 2 standard deviations from the norm, shouldn't you know how to spell "necessary". Then again, you didn't specify in what direction.

      --

      "Is this just useless, or is it expensive as well?"
    10. Re:More about saving face (was:Dumbasses.....) by Lodragandraoidh · · Score: 2, Insightful

      Having the ability to run a root kit does not make one 'gifted'.

      --

      Lodragan Draoidh
      The more you explain it, the more I don't understand it. - Mark Twain
    11. Re:More about saving face (was:Dumbasses.....) by poot_rootbeer · · Score: 1

      Students who demonstrate intelligence beyond their years or insight into problems which the teacher cannot comprehend are VERY threatening to the teacher.

      But what does that have to do with the story?

      A good part of intelligence is having common sense. Breaking into a computer system and appropriating sensitive information from it, and then expecting to be THANKED for doing so, shows a distinct lack of common sense.

      In that week i managed to "learn" or as i like to call it, play the system and procure an 85% in the course(Canadian University).

      "Play the system" seems to be an appropriate term, since your behavior doesn't show to me that you were actually interested in LEARNING anything from that course.

      Hey, at least you didn't waste much of the teacher's or other students' time while you were taking your shortcuts.

    12. Re:More about saving face (was:Dumbasses.....) by Anonymous Coward · · Score: 0

      "every since"

      God speeling their youself.

    13. Re:More about saving face (was:Dumbasses.....) by rmitz · · Score: 1

      Or, they could have simply approached the adults quietly, pointed out the flaws, worked with them in a process to get them fixed...

      Making fools of people will never do anything good for you.

    14. Re:More about saving face (was:Dumbasses.....) by jc42 · · Score: 1

      Breaking into a computer system and appropriating sensitive information from it, and then expecting to be THANKED for doing so, shows a distinct lack of common sense.

      Unfortunately, you're quite correct. "Common sense" does include understanding that most people don't want to hear about problems or get them fixed. Someone who demonstrates a problem and offers to fix it is usually punished. Understanding this is an important part of a young person's education.

      In a similar story, about 20 years ago I was part of a team of consultants doing some work for a big corporation (which shall remain nameless). In addition to the small computers that we mostly worked on, we had to deal with some databases that lived on the big IBM mainframe. Out of the usual frustration with inter-departmental stuff that kept needed data out of our hands, one evening several of us stayed late and attacked the mainframe's file-security stuff. The next morning, we gave a demo that we could read any file on the system.

      Now, in this case, our boss and the client's top management were overjoyed. They could get the reports they needed, and no amount of obstructionism from department DP people could block access to the databases. I even wrote some consistency-checking "sanity check" database programs and handed them over to users, so they could spot data-entry problems and fix them before they caused serious trouble. The DP people hated this loss of control, but the users were very happy.

      Then our little gang of consultants had a serious discussion about whether we should inform IBM of what we'd done. Eventually we reached a consensus: Nah. IBM wouldn't reward us for the info. There would be lots of others that would pay us for giving them access to their own data. We'd be fools to do anything that could end this situation, which was good for nearly everyone involved.

      You might say that we had "common sense" to keep quiet about our violation of file security. I'd have to agree. And I think this says a lot about the nature of most human organizations.

      These kids should learn that they should never report such problems to the authorities. They should do as the authorities obviously want: They should keep what they've learned quiet, and look for people who will pay them for using the information.

      If you don't like thinking of this, well, you should think about rewarding people who discover problems. Punishing them only leads to learning the obvious "common sense" lesson.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    15. Re:More about saving face (was:Dumbasses.....) by Fulcrum+of+Evil · · Score: 1

      Lots of my peers were very mad at me for that, most of them recieved lower than 85%... The teacher was amazed and called me up to see what was going on. He didn't believe that i wasn't cheating and checked my exam against those of students seated around me. Mine checked out perfectly.

      Your prof wasn't threatened - he was playing the odds. How many people do what you did without cheating?

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    16. Re:More about saving face (was:Dumbasses.....) by DJCF · · Score: 1

      You weren't the only one -- exactly the same thing here. Unfortunately, in Asia the principal will almost always side with the teacher -- even if the teacher is wrong.

    17. Re:More about saving face (was:Dumbasses.....) by m3rajk · · Score: 1

      ironically, by the time i was in second grade i did all class and homework in recess and still got outside.

      pissed the teachers off that i was a massive disturbance and not showing up as "gifted" in testing. i lucked out. the teacher i had saw it as a challenge to get me to be productive in class. (might have something to do with parents heading the pta, and volunteering in schools all the time, being on/head of the town's school committee) in college i found out why. if they had done their job right they would have found that when you look at raw intelligence i can easily show up most of mensa. my ability to process on the other hand, is pathetic at best.

      turns out anything more than 10 points is considered a sign of a learning disorder. my discrepancy is 30 points. 99th percentile intelligence 69th processing.

      ever heard of an idiot savant? prior to getting those test results, which saved me from flunking out due to an inability to get foreign languages as a direct result of what was found on the processing, i jokingly referred to myself as an idiot savant that's not idiot enough for people to realize i'm savant because of my math/computer talent. my friends always laughed. now the friend i had when i found that out, and myself, wonder... did i somehow know i might actually be nearing that? how much farther of a discrepancy until i would be idiot savant and completely unable to integrate with the world--ie: autistic?

    18. Re:More about saving face (was:Dumbasses.....) by Anonymous Coward · · Score: 0

      Processing? Was this the WAIS you were tested on?

      As for being a savant / autistic, you'd have a LONG ways to go. Being autistic is a whole realm of difference than being 2SD from your IQ...it'd almost have to be the inverse of the scores presented. You are simply learning disabled. Congrats, you are normal just like everyone else.

      Most of us have something that we just can't do no matter how much we try. Me? Attention...I can't focus to save my life. As such, I'm not detail oriented -- I'm the big picture guy. It works out for me being a project manager on the IT side, but trying to get into psych, it's killing me. I do well enough in classes, but not nearly as far as I'd like to go if I could pay attention for long periods of time. Luckily for me, I develop testing for this specialty for computers, so I do it once and I never have to test anyone again. I let my grad students (most of whom are actually peers in school, but employees in the workplace) do all the major work, while I throw the concepts at them.

      We all have problems and if you find the right test that was factored to your specific deficiencies, I'm sure anyone can be considered learning disabled.

      BTW -- I am crap at foreign languages as well. Pick up a foreign girlfriend and have her move in with you (yeah yeah, this is slashdot and unrealistic) and you might be able to overcome this. It's one thing to deal with processing when you are focused on that item, but when you start building these up into your normal day to day activities, it doesn't become just a classroom activity. You might be damaged in one way, but that doesn't mean that there aren't a dozen other ways that you can overcome the situation. Some might be unpractical...others might just work. Get out of the classroom and try something new if this is something you want to do.

    19. Re:More about saving face (was:Dumbasses.....) by drinkypoo · · Score: 1

      Well, I'm no genius but I was always "the smart kid" in school, except in high school where my life was hell and I became extremely withdrawn, and I can speak from experience when I say that it can be difficult to attain a healthy level of social maturity when people treat you in a certain way.

      Everyone thinks you're trying to make them look bad when you do something as simple as answering a question. You salt their game of underachievement and they will resent you for it. You're shunned or attacked and held to a much higher standard than other people when you're labeled "gifted" - assuming you were "discovered" before you found a desire for social skills. Being attractive, graceful, athletic, or some combination of the above can help, but it can also hide the fact that you're bright. I was not particularly any of those things when I was a kid (I'm not amazingly any of them now, ho ho.)

      Anyway I knew some smart kids who were popular or at least flew under the radar and about an equal number who were pretty much shit on. I was one of the latter number, but I went into the whole thing with the usual set of "issues" plus asthma. But it's hard to get perspective enough to logically consider what provoked a negative reaction from someone when someone's asking you "what did you do that made them angry" when it sounds like an accusation and you can't for the life of you understand why someone would be upset by anything you said. Most kids don't have enough experience to figure something like that out.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    20. Re:More about saving face (was:Dumbasses.....) by UlfGabe · · Score: 1

      some systems can be gamed, especially in some memorization and regurgitate situations. In 6 days a person can memorize a great deal of information. Lists of figures and facts, along with associated points make for a great deal of knowledge, but applying that knowledge is important also. Knowledge is the first step to wisdom i would think.

      of course i was interested in 6 daying the course, just to prove it was possible to myself and to go into the depths of my mind. I Put Myself Up Against The Wall And Knocked It Down The Hard Way.

      doing things the hard way often gets you a great deal of animosity rather than being a yessir and following the accepted procedure.(in this case, going to class and lectures..) Attitude is important, but not so important.

      And i never said this school didnt challenge me, only this course i wanted to try it on.

      and i will not get into the can of worms which is the university education system in any country...(short history, education==bucks, people not getting into education==no bucks, schools decreasing standards to let less educated people in to make more money for the both of them == true)

      --
      Check journal for info on Anti-TextBook, an idea by me.
    21. Re:More about saving face (was:Dumbasses.....) by UlfGabe · · Score: 1

      i would wonder if you have ever been in a situation where your mind is totally focused on something and no other thoughts enter your mind, i call it "zen mode" or "death mode", because nothing really disturbs me, i just work.

      if these kids were in "zen mode", they might not have realized their actions were reprehensible.

      students POV:

      Dude, we got in, took these SSN, didn't do anything with them, we are morally OK. (i and many of my gifted peers tend to factor morality strongly into daily situations)

      Teacher POV:

      Shit, some students got into the database, we need to make an example of them to show other students to fall into line.

      nobody indeed likes a know-it-all, the same goes in competitive sports.

      "Geeze he won again"

      "I hate it how he gets 25 points a game"

      People are envious of what they do not have.

      Something in the bible about coveting something or other, (neighbors wife?) but it could be applied here too.(coveting the skills/traits of another)

      I would also have you note that people who are away from the baseline on IQ tests suffer worse(and more numerous)neurological disorders.

      Some people escape them, but often gifted students and up are drawn to focus on non socializing situations(or just get frustrated playing with non gifted peers with a different conception of fun, playing, entertainment, etc) and so have not developed those skills. As a result, their emotional development is limited.

      --
      Check journal for info on Anti-TextBook, an idea by me.
    22. Re:More about saving face (was:Dumbasses.....) by UlfGabe · · Score: 1

      there are ways to kill a mans inner spirit,

      after finding a faster way to do a problem, or by skipping steps, and being able to demonstrate to all the teachers how to do complete solutions, in addition to being able to teach my peers...on many tests i received very very very very poor grades because i skipped steps, (which were for me, unnecessary because much or all of the math i could do in my head.)

      i would proceed to talk to the teacher, (this is more Grade school and HS im talking about) and show them i knew what was going on. They would proceed in 95% of the cases to not increase the marks citing "you did not show the process", i would then state that i knew the process so well that i did not need to write it down 40 times on a test. At this point many of my teachers went into "denial" and cited how marks were given out for parts of the process, and i then rebutted with showing that my answer was correct, and an improper process would lead to the wrong answer.

      all in all, the teachers were not out for someone who understood the work, but for someone who could replicate what they wrote down, there is precious little room for INNOVATION in the classroom, even at higher levels of learning, this INNOVATION is put very low on a list of things to do.

      I liked Comp-Sci classes because i could innovate within a boundary of rules as much as possible. and it was probably my favourite class.

      I have found a good peer group, it works out well.

      I do blame others, because a 6 year old can only take so much of
      "you're doing it the wrong way, this is the right way"
      "but teacher, look at this"
      "never mind that, do it how i showed you"

      In conclusion, by BOLDLY following others, you get no new advancements, but by creating something of your own you innovate and advance yourself and others. (Current self challenges are creating an UberFreeTextbook series that is pretty much the best thing for education, complete with quiz questions and many other tidbits. I anticipate it will take 20-30 years to complete.)

      ps. why is everyone responding anonymously to my original? Scared or something? :)

      --
      Check journal for info on Anti-TextBook, an idea by me.
    23. Re:More about saving face (was:Dumbasses.....) by UlfGabe · · Score: 1

      Guelph isn't all it's cracked up to be. I'm glad someone was able to key in on my local.

      Guelph admits as many people as possible to get the $$ from them, and from the government (apparently the school gets money for each student attending in each year, with the money going up for every level of education that they pass).

      Sure, sure, it gets the award for best undergrad something smorgasbord, but I'm not seeing anything special there at Guelph.

      And I think I'll change my sig before Guelph's grades or my personal info gets cracked by someone :)

      I know some people at Windsor; it is pretty easy.

      --
      Check journal for info on Anti-TextBook, an idea by me.
    24. Re:More about saving face (was:Dumbasses.....) by RedBear · · Score: 1

      If your IQ is 2 standard deviations from the norm, shouldn't you know how to spell "necessary". Then again, you didn't specify in what direction.

      Einstein was dyslexic. Being able to spell well is not necessarily an indicator of general intelligence, and vice versa. The brain has a great many specialized areas that do specific tasks, like interpreting audio signals as language, or recognizing visual input as a face, or translating the concepts in your head into written words with correct spelling. In many people one or more of these areas doesn't work as well as the others. In fact it's hard to find a person in whose brain all these functions work equally well. That's why we often speak of a person having a particular "talent" or gift for doing a specific task or set of tasks. Conversely there are people who are bad at remembering names, or recognizing faces, or spelling.

      I have an immediate relative whose general IQ tests were off the charts, but can't spell worth a damn. I think part of the problem a lot of smart people have with spelling properly is that English is a totally nonsensical mishmash of words from many different languages, where the exceptions to the spelling rules sometimes outnumber the words to which the rules may be applied. For instance, "nessisary" is a perfectly valid spelling from the standpoint of phonetics.

    25. Re:More about saving face (was:Dumbasses.....) by compwizrd · · Score: 1

      Well, every university does that... Windsor is just known for being the worst for it. After all, it's far cheaper to have one entry level professor teaching 200 first year students in a classroom than a professor teaching 25 3rd year students.

  44. G I T M O by Anonymous Coward · · Score: 4, Funny

    Right or wrong they might provide expertise to terrorists, or might engage in weapons of mass destruction related activity programs.

  45. Not hard at my alumnus... by Vegeta99 · · Score: 2, Interesting

    Jesus. My ID has it printed right on it. If you forgot your ID, you had to tell them your social to get lunch.

  46. MOD !^$# PARENT UP! by daniel_mcl · · Score: 3, Interesting

    For goodness sake, anyone who's seen your driver's license -- say the bartender at whatever club or whatever -- can open a credit card under your name, and from that point on you're pretty much screwed. There is no reason that SSN should be legal proof-of-identity, because it's absurdly easy to steal.

    --
    I used to read Caltizzle. I was a lot cooler than you.
    1. Re:MOD !^$# PARENT UP! by tftp · · Score: 1

      If you have to show the license then hold it so your thumb covers the number. If they ask to see the number, tell them that they don't need it. Or put some easily detachable tape over it. If a police officer stops you, just remove the tape before giving the license to him.

    2. Re:MOD !^$# PARENT UP! by suwain_2 · · Score: 2, Insightful

      I can't speak for other places, but in New Hampshire, license 'numbers' follow a predictable form -- if I know your first name, the first letter of your first name, and your DOB, I can tell you your license number. (In 99.9% of cases; the last digit gets incremented if it's a duplicate.)

      I can't honestly say I check it frequently, but looking at the license number provides a good quick check that the card isn't a blatant fake ID.

      If part of your license is covered over, I'd be really suspicious of what you were up to.

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
    3. Re:MOD !^$# PARENT UP! by mpe · · Score: 1

      For goodness sake, anyone who's seen your driver's license -- say the bartender at whatever club or whatever -- can open a credit card under your name, and from that point on you're pretty much screwed.

      The solution here is very simple. Use these documents only for their proper purpose, i.e. driving cars. Indeed producing such a document should ensure not being served alcohol, since the implication is that you intend to drive a car.

      There is no reason that SSN should be legal proof-of-identity, because it's absurdly easy to steal.

      Any legal proof of identity should have as few functions as possible.

    4. Re:MOD !^$# PARENT UP! by mpe · · Score: 1

      I can't speak for other places, but in New Hampshire, license 'numbers' follow a predictable form -- if I know your first name, the first letter of your first name, and your DOB, I can tell you your license number.

      Similarly you can work out someone's date of birth from this number. Which is information valuable to identity thieves. But isn't that much use for addressing the question of if you are qualified to operate the vehicle you are driving.

  47. and... by Tablizer · · Score: 0, Offtopic

    when they were done, they climbed a mountain.

  48. Re:Notation? by lachlan76 · · Score: 4, Insightful

    if they can't or won't take care of it, there's nothing compelling you to do it for them.

    Having my data on their servers seems compelling enough...

  49. Former High School knew about problems by Anonymous Coward · · Score: 0

    I graduated from Hinsdale Central High School in 1998 after my 4 required years before college. Every single teacher during that time had a computer with access to the network as well as the labs in the school. Each teacher and administrative assistant had access to the same SCO system (where students' grades and private info, as well as the teachers', was stored) through telnet, and each student had open access to the labs and computers in the library. Each and every machine in the facility was slapped into a large rack hub and the concept of locking down was left to a graduate of DeVry who had to give the impression he knew what he was doing (he didn't).

    Being stuck in a study hall in the library, I spent my time playing with the computers bored and got in trouble for it. I informed the administration of these issues (setting up a sniffer and grabbing about 10 logins in a day) at the time out of attempting to be helpful back in 95. Let me just say that responses were not exactly kind for pointing out problems and suggesting solutions. These people do not care about it until it's thrown in their face like this and make magic happen to make problems vanish. The only impression I truly received was that if I told any other students about it, I would be severely reprimanded by the district.

    Frankly I think these kids were idiots for not at least playing more with the system and keeping their mouths shut, who knows, they too might have ended up going to CMU/MIT/Stanford/McGill by blackmailing ... just kidding. You know what, I think I might just go buy em a beer and see if I can testify on their behalf about the ineptitude of the school. *cheers*

  50. how about stealing 10-year-old records by Anonymous Coward · · Score: 0

    How about stealing the records of those who were students 10-15 years ago ? Certainly you can use those right now.

  51. Whistle Blower Laws? by LordZardoz · · Score: 1

    Since I am not any sort of legal expert, is there any reason why whistle blower laws don't at least indirectly apply?

    I suppose that instead of exposing blatant wrong doing, they are instead exposing what could be considered gross negligence with the handling of sensitive information.

    END COMMUNICATION

    1. Re:Whistle Blower Laws? by tftp · · Score: 1

      There was no whistle.

  52. Re:Notation? by Pyrion · · Score: 1

    Them storing your data on their servers only increases their liability in the event it all blows up in their faces. It doesn't compel you to break in just to prove to them that their doors aren't locked well enough.

    Ultimately, if your data means that much to you, be all the wiser and don't give it to them.

    --
    "There is much pleasure to be gained from useless knowledge." - Bertrand Russell.
  53. Not Smart by Starji · · Score: 1

    Really, Really not smart. Despite their intentions, people totally freak out about things like this. "You hacked our computers? OMG you must be terrorist/credit fraudster/." It doesn't matter how insecure the system is; if you get inside, people think you need to be punished. Depending on how far the school wants to take this, the kids might end up with this on a criminal record, and computer intrusion is (IIRC) a felony. If they wanted to get the problem fixed they should have sent an anonymous email or something saying where the hole is and how to fix it. The downside to that would be you don't get people freaked out and aware of the vulnerabilities that exist. I just hope it ends up ok for them cause this could follow them for the rest of their lives.

  54. Put everybody in jail by mangu · · Score: 1
    The people who should be threatened with jail time are those who designed the poor system, not those who pointed out the mistakes.


    Both the system designers and the people who broke in should be punished. We cannot let anyone out with the excuse that they were just trying to point out security weaknesses. Otherwise every criminal will use that excuse. "Oh, yes, I did pick your pocket, but I was only trying to demonstrate how insecure your pocket is. You need to put your wallet in a pocket with a button", etc.

    1. Re:Put everybody in jail by Jim_Callahan · · Score: 1

      Yeah, but you won't hear about the penalty the system designers take because being downsized doesn't make the news, whereas being jailed does ;)

      --
      ...it's really a sad day for America when we require a goddamn ACT OF CONGRESS to make our DVD players work properly. ~
  55. Re:Anonymous snail mail- really? by Anonymous Coward · · Score: 1, Informative

    Don't inkjet printers these days print yellow markers to indicate a GUID or serial #?

    Plus there's the postmark info, fingerprints, the easily identified stocks of paper and ink you used... (hope you bought it w/cash) Not to mention the DNA on skin flakes you forgot to wipe off, and the saliva on the back of the stamp. And all the cameras that recorded you grinning as you bought the paper and then caught you later dropping in that public mailbox.

    On the other hand, they never got the anthrax guy(s)...

  56. I did this -- twice. by Anonymous Coward · · Score: 1, Interesting

    Once in high school, and once again in college, I discovered that the school's directory (Novell NDS and Microsoft Active Directory, respectively) was populated from the student and employee databases (which used the SSN as an "ID number"*) and that the somewhat naïve admins stored these numbers as world-readable attributes accessible through advertised LDAP servers.

    Both times, I made discreet telephone calls to sysadmins I knew, who were somewhat embarrassed that I knew more about permissions than they did, but fixed the problems.

    I never got in trouble--everyone involved already understood that I would keep my mouth shut unless the problem wasn't fixed promptly, in which case my complaints to the Trustees or the U.S. Department of Education would've cost some people their jobs.

    (* As a regular reader of the RISKS-DIGEST even at that age, I had already demanded that my own SSN not be used for that purpose; substitute student numbers were assigned.)
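A defender-side check for the exposure described in the comment above, as an added example that is not part of the original thread: it scans an LDIF export, assumed to have been taken with an anonymous bind against your own directory, for SSN-shaped values in any attribute. The entries, attribute names and numbers below are constructed for the example.

```python
import base64
import re

# Constructed sample of what an unauthenticated LDAP search might return.
# Includes a base64-encoded value ("attr:: ...") and a folded (wrapped) line.
SAMPLE_LDIF = "\n".join([
    "dn: cn=jdoe,ou=students,dc=example,dc=edu",
    "cn: jdoe",
    "employeeNumber: 123-45-6789",
    "mail: stu_123-45-6789@example.edu",
    "",
    "dn: cn=asmith,ou=staff,dc=example,dc=edu",
    "cn: asmith",
    "description:: " + base64.b64encode(b"SSN 457 55 5462").decode(),
    "",
    "dn: cn=blee,ou=students,dc=example,dc=edu",
    "employeeNumber: S-0004417",
    "comment: replaced 431-2",
    " 2-0198; 000-12-3456 and 987-65-4321 are test values",
    "",
])

# Three digits, two digits, four digits with one consistent separator,
# not embedded in a longer run of digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ])(\d{2})\2(\d{4})(?!\d)")


def plausible_ssn(area, group, serial):
    """Reject ranges that are never issued, to cut false positives."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def parse_ldif(text):
    """Return [(dn, {attr: [values]})], handling folding and base64 values."""
    lines = []
    for raw in text.splitlines():
        # A line starting with a single space continues the previous line.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, dn, attrs = [], None, {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):       # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def find_exposed(ldif_text):
    """Return (dn, attribute, masked_ssn) for every plausible SSN found."""
    findings = []
    for dn, attrs in parse_ldif(ldif_text):
        for attr, values in attrs.items():
            for value in values:
                for m in SSN_RE.finditer(value):
                    area, _, group, serial = m.groups()
                    if plausible_ssn(area, group, serial):
                        # Report only the last four digits.
                        findings.append((dn, attr, "***-**-" + serial))
    return findings


if __name__ == "__main__":
    for dn, attr, masked in find_exposed(SAMPLE_LDIF):
        print(f"{dn}: attribute {attr!r} exposes {masked}")
```

Any hit means the attribute is readable without credentials and should either lose the SSN entirely or be restricted by the directory's access controls.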

  57. Re: what so good about it? by SolitaryMan · · Score: 1

    What's so "good" about cracking that DB? If they wanted to prove that it is not secure, they could have offered their service to the authorities.

    --
    May Peace Prevail On Earth
  58. Good 'ol days by dannyweb · · Score: 0, Offtopic

    What ever happened to the good old days, when all high schoolers did was smoke pot and play video games?

  59. That's pretty high security... by tres3 · · Score: 4, Interesting

    I actually went to a college that had email addresses in the form of stu_xxx-xx-xxxx@western.edu. And to make matters worse the school couldn't understand why I refused to use their email.

    1. Re:That's pretty high security... by Anonymous Coward · · Score: 1, Funny

      Not sure Western State College of Colorado appreciates that post so much.

    2. Re:That's pretty high security... by rob_squared · · Score: 1

      Its students appreciate it even less.

      --
      I don't get it.
    3. Re:That's pretty high security... by Fulcrum+of+Evil · · Score: 1

      Not sure Western State College of Colorado appreciates that post so much.

      Half the students know each others' SSN, name, and probably birthdate. Fuck 'em.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  60. You're absolutely right by foreverdisillusioned · · Score: 1

    The correct quote is:

    "When we grow up and get our jobs, that's our life right there. They can access anything about us. It just screws us up for the rest of our lives," said Julianne Junus, local fucktard.

  61. Didn't they learn from history? by hunterx11 · · Score: 1
    Randal Schwartz has taught us all a valuable lesson.

    Nobody likes a smartass.

    --
    English is easier said than done.
  62. Wouldn't it be great. . . by saterdaies · · Score: 1

    Wouldn't it be great if there were two crimes here? The first being the students breaking into the system. The second being that the system was insecure. With so many systems containing our personal information today, doesn't the holder of said personal information have an obligation to keep it secure? I mean, my bank has to make sure that my money is secure and they insure it for $100,000. If someone breaks into the bank, the bank/insurance loses as well as the person robbing the bank (provided they are caught). Here, shouldn't the school have some responsibility? Maybe the school could pay for an identity protection service to monitor the identities of the students there who had their SSNs stolen. That way, the school is paying for their negligence in protecting personal information by paying a third party to protect students from identity theft.

    I want some responsibility from companies. I'm sick of hearing that "people need to be responsible for their actions, well, unless they're wealthy corporations."

  63. Bad Analogies by Detritus · · Score: 1
    I guess it kind of sucks that they're gonna get punished for this, but they deserve it. You can't legally rape and pillage a city just to show you can, they should have told the school (or some news stations) that they were planning to show how easy it would be to get into the system.

    Hacking a computer is hacking a computer, not sodomizing a hamster or breaking into your neighbor's house. It's a computer in a public school, not someone's private stash of Star Trek porn.

    Unfortunately, they will probably discover that the adults in the school system view students as "potential discipline problems", not as human beings. Pointing out the stupidity or incompetence of the school system's staff is a serious offense. We do have to prepare them for the real world.

    --
    Mea navis aericumbens anguillis abundat
    1. Re:Bad Analogies by loraksus · · Score: 1

      Exactly.
      this is what the grown-up world is all about boys and girls. Bowing to authority figures and political "leaders", no matter how corrupt is what you're going to do.

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
    2. Re:Bad Analogies by Anonymous Coward · · Score: 0

      Hacking a computer is sodomizing a hamster, not breaking into your neighbor's house. It's a computer in a public school, they should be sodomized in public

      Ok, they should be punished, but not that punished!

  64. Everybody, repeat after me: by Anonymous Coward · · Score: 0
    THERE WAS NO WHISTLEBLOWING!!!

    This is not a case of playing the white knight (or hat) and bringing the problem to the public's, or even school's, attention. These students did the theft/intrusion months ago! They didn't come forward, THEY WERE CAUGHT! Read here, for one.

    All of you apologists need to get a fucking clue! You are the reason bad people go unpunished. You fucking social relativists can rationalize anything you believe.

  65. Re:Notation? by Anonymous Coward · · Score: 0

    Ultimately, if your data means that much to you, be all the wiser and don't give it to them.

    Um. And how exactly do you propose to do that, since they're already students?

  66. Hardly Uncommon by Anonymous Coward · · Score: 1

    I'm an anonymous Fort Bend ISD student. I have found so much private/personal information, both on students and faculty, that it would make you cringe and probably embarrass quite a few people here. I even have found grades.

    The file shares are left open and easy to get in to as a regular user. Commonly, there are many accounts on each school's NT domain server that have 'Administrator' privileges, sometimes unintentionally (I think it is the default group membership when you add users or something). Each computer plugged into the school network that authenticates against that domain server can be easily breached - you can access any computer's C$ share. Through this, I was able to get into the computers of principals and teachers.

    Just a little tidbit of information for FBISD residents and students who would like to know how well their hundreds of millions of dollars in tax hikes are being used. This isn't hacking some obscure exploit, this is incompetency by FBISD staff IT (MCSE toting idiots) department.

    1. Re:Hardly Uncommon by Anonymous Coward · · Score: 3, Interesting

      Also in Fort Bend ISD (which is in suburban Houston, TX), the cash registers in the lunch room are a bunch of specialized serial terminals connected to a Linux box on the network at each school.

      Each of these boxes has telnet open for administration of the system by the lunchroom manager or system administrator. You can get into the system with NO PASSWORD to mess with the system, change the prices of food, and probably even get access to the accounts of students who are on low-income assistance from the government.

      Like I said, Fort Bend ISD is a pitiful joke. I have an acquaintance who informed FBISD about a compromised IIS server. They refused to patch the publicly facing box that said "Hacked by Chinese" because the box was too slow to run Norton Antivirus (I guess re-installing the OS was beyond them?). This remained for a year until that person posted here on Slashdot about the infected machine, which resulted in emails to the school superintendent which got the box fixed almost immediately. In retaliation, the IT staff tried to break into his home Linux box.

      Funny stuff.

  67. bloody easy by TLouden · · Score: 1

    I've accessed sensitive information on school computers and servers multiple times often without using more than a student user account and explorer. High school computers have got to be some of the shittiest in regards to security. And if default windows access exposes information imagine what I see when using a simple linux box ('hidden' shares are all shown by default and such fun things). The kids should be showing people how easy it is to see information so that it isn't stored like that.

    --
    -Tim Louden
  68. Re:To show you can by Anonymous Coward · · Score: 0

    You're an idiot. And I fed the troll, I know. Still, the fact is you're an idiot.

  69. "To prove that they can"? Oh, that's great. by clandestine_nova · · Score: 1

    I think it should be fairly obvious that whatever they claim, they did something illegal. Add to that the fact that they did it months ago and no-one found out until now, and their claim is suspect even more.

    Why is it that they had the sense to break into this system, but not to tell the administrators beforehand? If they were trying to show vulnerability, that means they had a little bit of common sense, right? Why not enough to figure out that doing it without permission won't get them anywhere good?

    --
    Discworld.
  70. Why do schools need your SSN? by rogueuk · · Score: 2, Insightful

    Why does a public high school even need your SSN? I can understand them needing the staff SSNs for payroll, but why do they need a kid's social security number?

    Does anyone know? It's not like the students are paying any taxes towards social security through the high school

  71. Thought Experiment by The+Slashdolt · · Score: 2, Interesting

    When it comes to data, I'm wondering what possession actually means. Specifically, say I have a list of SSN's as S, and I apply an encryption function encrypt(), they become encrypt(S). Given only encrypt(S), am I illegally possessing data? Taken one step further. Clearly, applying decrypt() to encrypt(S) gives me back S. Assume I have some data D. If I can arrive at a function decrypt() that can turn D into the original S, shouldn't D be as illegal as encrypt(S)?

    As a realistic example, imagine I was able to write a function decrypt() such that it could turn a text file of one of the works of shakespeare into a list of social security numbers. Would then, all people who have a text version of said shakespearean work be in possession of illegal material?

    Quite honestly, if you take this to a logical extreme, no matter what the input data, given the ability to write any function, the output data could be anything you could conceive. What if your function is simply the concatenation of "illegal" data to the output. Would then the "reverse engineering" of said "encryption" function be illegal according to the DMCA? It is a "security device" at this point, right?

    This all boils down to the difference between data and functions on data. It is illegal to hold certain data. But what if we label data as functions on data. In fact, security device functions on data. Could we then distribute the functions and make it illegal for people to reverse engineer the functions without permission?

    --
    mp3's are only for those with bad memories
    1. Re:Thought Experiment by Fulcrum+of+Evil · · Score: 1

      Quite honestly, if you take this to a logical extreme, no matter what the input data, given the ability to write any function, the output data could be anything you could conceive.

      That's just mental masturbation. If you possess an encrypted data file, then you possess the file as well, provided that you encrypted it yourself. If you've forgotten the password, you possessed it at sometime in the past.

      If someone is coming after you for possession of illicit data, they probably have a good evidentiary chain tying you to that data, so stupid mind games about what the file might be won't help you, especially if they seize the computer you used and recover fragments of the data from the drive's freespace.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  72. Intention by skasingularity · · Score: 1
    While I'll agree with you that most people overreact to this sort of thing, and the kids *may* have been trying to help secure the network, how would they know it was insecure if they didn't try to hack it? Was it their job/business to hack the network without permission to see if it could be done?

    It's true that if I thought my bank wasn't securing my money well enough, I might want to check it out, but I'm pretty sure sitting down one day, doing some random fund transferring, then transferring it back would make quite a few people unhappy.

  73. My School by dj245 · · Score: 4, Interesting
    I suspect it might have something to do with security standards, maybe. My School has information freely available on the home address of every student as well as the email of every student, accessible right from the front page java menu (academics->Student Schedules Spring/fall).

    The scary thing is until very recently (last semester) this information on every student included home phone numbers *and* Social Security numbers. Don't go to my school if you value your privacy. Our IT department is stuck in 1999.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    1. Re:My School by Xetrov · · Score: 1

      Oh God!
      You guys haven't even gone through Y2K yet!

      You should look forward to all students suddenly aging 100 years...

    2. Re:My School by alien+at+large · · Score: 1

      Be thankful it isn't 1984

    3. Re:My School by Anonymous Coward · · Score: 1, Interesting

      Check out FERPA. Once you have finished reading that law then proceed to your nearest lawyer. What they are doing is a major violation of the FERPA guidelines and they are just BEGGING to be sued over it.

    4. Re:My School by Anonymous Coward · · Score: 0

      Is it just me, or did anyone else check if archive.org had a mirror of the old page?? :)

    5. Re:My School by Just+Some+Guy · · Score: 1
      <a href="http//www.mma.edu">My school</a>

      Our IT department is stuck in 1999.

      So is their HTML editor. ;-)

      --
      Dewey, what part of this looks like authorities should be involved?
    6. Re:My School by DJCF · · Score: 1

      Just you ;-)

  74. Shoot the messenger by shanen · · Score: 1
    Hmm... To me I think it depends on how they went about it and how quickly they reported it, but the main problem was that the system was not secure. That the students managed to exploit the schools' failure to make the information secure is also wrong, but not the main problem. Actually, the biggest problem would be if the existing security hole/s was/were already exploited by someone else.

    One easy scenario to imagine: They heard rumors that someone else had hacked into the database. Not knowing anything for sure, they started probing for how it might have been done, only to suddenly discover themselves in the middle of the data. I don't see any way to excuse it if they then copied some or all of the data, no matter what they claim about destruction of those copies--but that certainly won't do much if there actually was an earlier and more "discreet" breakin. Not nearly enough data in the article to really understand what went on there, though it sounds like they never actually reported it, but rather were caught for boasting about it. That makes me think they were idiots, too, and some more cunning and diabolical students may have followed the rumors and also obtained the data.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  75. Story without substance by Anonymous Coward · · Score: 0

    Hinsdale school officials say the accused students have had the Social Security numbers of their fellow students and teachers for months

    So what happened in the intervening months? Did they only react with charges when it became public? Meanwhile, how did they only find out after "months?" Maybe the kids were cooperating until someone let the cat out of the bag and the administration decided that a public embarrassment would have to be punished.

    Nooooobody knows. WTG Reporting!

  76. SSN in School by DanteLysin · · Score: 1

    I dunno about any of you. But when I was in college, the professors would post exam grades outside their offices using SSN. If you knew Jane Doe had the highest grade, it wasn't too hard to figure out her SSN.

    The Perkins Loan (a federal loan) prints your SSN on each bill you receive. And you're supposed to print your SSN in the Memo section of your payment.

    If SSN is going to be so critical, we should be able to change it routinely. According to the SSA website, you can only change it if you are changing your identity (as in to escape an abusive situation or a witness protection action).

  77. In a civilised country. by the+packrat · · Score: 2, Insightful

    In a civilised country where personal data was actually protected and where personal responsibility existed, such an event would have generated very pointed questions of the people who failed to protect vital personal information for hundreds or thousands of students.

    The focus on sound bites denouncing petty criminals makes a convenient smokescreen to avoid them though.

    --
    Nihil Illegitemi Carborvndvm
  78. Know your "Audience" by miyako · · Score: 1

    I see a lot of debate about whether or not it's ok to break into a system to prove a vulnerability, and I think a lot of it comes down to knowing how the people whose system it is will react.
    When I was in high school, we had two sets of systems. One was a district wide computer system that held grades, attendance, things of that nature. A second system was shared among the two high schools in my district for the computer science classes. It served webspace, and held shell accounts for all the CS students.
    I found vulnerabilities in both systems. On the local CS server we managed to root the server, and a couple of my friends and I did a few practical jokes as a demonstration of the vulnerability (nothing too bad really, though certainly a little annoying, things like switching vim and emacs, or changing people's login shells from bash to tcs). Our CS teacher found it amusing, and even gave us extra credit once we'd put everything back right and shown him the vulnerability. On the other hand, we found a couple of pretty bad vulnerabilities in the main district network. I pointed out to a friend of mine that it probably was a poor idea to go about doing something similar to the district servers, but he decided that it would be more fun to make a big demonstration. He ended up getting expelled for the remainder of the school year. They also never patched the vulnerability.

    --
    Famous Last Words: "hmm...wikipedia says it's edible"
  79. How do SSNs work? by pesc · · Score: 2, Interesting

    I'm not from the US and now I have to get this explained. I'm not trolling. I can't really understand how SSNs are supposed to work.

    The SSN seems to be a number identifying a person. (We have that where I live too.) But somehow, this number is assumed to be secret, like a password. If you can learn the number you can access anything about the person and you also seem to be able to hurt the person financially. Withdraw funds? The security seems to revolve around the fact that the number (the identity of the person) is secret! Because everyone here seems to be upset that these kids expose all those numbers!?!? This boggles my mind.

    Are there no other attempts at authentication? IDs? If your SSN is your password, how do you change it? (I would like to have it changed several times a year, no matter what if there is no other security than secrecy.) Can someone explain?

    --

    )9TSS
    1. Re:How do SSNs work? by kobaz · · Score: 4, Interesting

      Social Security numbers were originally designed for use with the social security system, and that was *it*. The social security system is set up where the working class have a portion of their pay given to the government's social security program. People who have worked all their life and retire will start collecting money from social security that was paid for by the working class.

      The SSN was only intended to be the number you would use to identify yourself to the social security department where they could look up your info and validate that you are ready to receive your money when you retire.

      Now your SSN is your life for the most part. If someone has your number, they don't even need to know anything else to screw you over. With the number they can do searches and find your name and current residence. With that info they can sign up for credit cards in your name and screw over your credit. They can basically steal your identity just by knowing that one special number. If someone with bad intentions has your SSN, you are basically fscked unless you have a lot of money to pay lawyers to fix everything.

      It's basically a fairly fscked up system.

      --

      The goal of computer science is to build something that will last at least until we've finished building it.
    2. Re:How do SSNs work? by binary+paladin · · Score: 1

      On top of that, Congress more or less promised the American people that it would NEVER be used for ID purposes. Back then there was still some semblance of the concept of states' rights. In fact, if you can have a look at your grandparents' cards, they'll specifically say: "Not to be used for identification." (Or something very similar.)

    3. Re:How do SSNs work? by corblix · · Score: 1
      The social security system is set up where the working class have a portion of their pay given to the government's social security program.

      100% agreement, except for the "'s social security program" part. It's a tax. The government gets the money. The nonsense about "we put your money in this account and wait and then give it back" was written to pull the wool over the eyes of people who wouldn't stand for a new tax.

    4. Re:How do SSNs work? by FurryFeet · · Score: 1

      SSNs are exactly as usernames without password.

      It's exactly as idiotic as it sounds.

  80. Schools and Security by pootypeople · · Score: 1

    When I was a sophomore in college, I discovered (completely by chance) that my college's email server was using non-shadowed password files. I did the requisite steps and showed security personnel the problem. Six months later I was kicked out of the RTA program (tech support guys in the dorms) and 3 months after that I was kicked out of school. .edu is not serious about security. They're just about keeping their jobs. All I ever saw from our campus IT people was excuses- their internet didn't run enough because students were running AIM too much, not because they built an inadequate network. IT at a college is the dregs of the IT degree world. You or I know more than the average director of IT at a college (hint: he doesn't read slashdot). Really, our colleges should have the best computer people, not the dregs. Unfortunately, that's a job for the legislature, which means it won't get done. Oh well.

    1. Re:Schools and Security by Anonymous Coward · · Score: 0

      sounds like WTAMU or one of the other Texas A&M University schools...

      They have a history of banishing those that try to inform them of flaws in their systems.

      This of course has led to a situation where those that discover the issues simply keep quiet in fear of such underhanded retaliation; leading to those systems being actively exploited....

  81. Re:On the other hand... by symbolic · · Score: 1


    I could argue that those who are responsible for the safe-keeping of that information were at fault, not the ones who gained access to it. The access was only allowed to occur because of a faulty system. The faulty system could have been compromised by anyone. It just so happens that it was compromised by some students who wanted to show that it was indeed faulty- not so that they could criminally use the information they acquired, but so that those in charge might be inclined to take their responsibility more seriously, and get the problem fixed.

    If this was the first effort on the part of the students to notify the school of the suspected problem, I will say that their modus operandi wasn't the smartest. If, however, the school had been notified earlier, but refused to take action, someone's head should roll...and I'm not talking about the students.

  82. Re: what so good about it? by Moofie · · Score: 1

    Right, because the authorities would totally not blow them off or anything.

    --
    Why yes, I AM a rocket scientist!
  83. As far as the law states by NightDragon · · Score: 1

    What nobody here realizes is that to be convicted, those boys have to be found of "Mens Rea", or guilty mind. Basically, their actions have to have been malicious for them to be guilty.

    --
    -ND
  84. So what by Anonymous Coward · · Score: 0

    I worked at a fast food restaurant for nearly three years. Their back office computer had a program that listed every employee's hours which us employees regularly checked to see how many hours we had built up. This same program also listed every single employee's social security number too! It wouldn't take much more than getting a job to get that list, fiddle with the computer for a few minutes, and hit print.

    Nothing special about what these kids did. I was getting around my high school's computer security every day just so I could work. I even managed to get the FTP password for the school's site out of an FTP program because I needed to punch it into another program.

    School IT directors are clueless. That should be a scientific fact.

  85. 5,000 Social Security #'s from healthnet.com by Anonymous Coward · · Score: 0

    Around 1998 or so I was mirroring with a mirroring website tool healthnet.com for our intranet. Most employees were not allowed internet access btw. Picked up a PDF with over 5,000 names, social security #'s, addresses, etc. Did I dare report it? Heck no....if I tried to be the good guy I'm sure I'd have some sort of record. Anyway I alerted a couple of my co-workers and needless to say we didn't register on their website to access our health records, etc.

  86. Welcome to Schneier's law by foo23 · · Score: 1
    "Anyone can come up with a security system so clever that he can't see its flaws."

    The only way to find the flaws in security is to disclose the system's workings and invite public feedback. It is never helpful to punish those who help to find the flaws without causing damage.

    This is the same for the circumvention laws. It is now illegal to prove if certain systems are flawed or not.

  87. Re:Anonymous snail mail- really? by Anonymous Coward · · Score: 0

    So wear rubber gloves, print on old stock you got for free in a parking lot somewhere with an older laser printer that you bought with cash at a computer repair place (easily under $50). Boxes of envelopes are so common that they're impossible to tie to any one person.

    Expose it to some ozone (from an ozone generator) for a while and the only thing that will be on it when it arrives is the postman's DNA.

  88. high schools are resource-constrained by Infonaut · · Score: 3, Insightful
    High schools are perfectly capable of assigning unique ID numbers of their own to students wherever they are necessary

    From my experiences doing pro-bono work at four different high schools, I'd say that most of them barely have the capability to deal with the most rudimentary data management tasks. I'm not saying this to be dismissive of schools or the people who work there, but they are in many cases so short on human and technology resources that creating and managing unique IDs for each student isn't something that would even cross their minds.

    The SSN is, as you mentioned, the knee-jerk instant universal ID number precisely because it requires no extra effort. This is not a good situation, but it has come about because there is no compelling reason (that many institutions can see) to devote extra time and effort to coming up with alternate ID schemes for schools.

    --
    Read the EFF's Fair Use FAQ
    1. Re:high schools are resource-constrained by jcuervo · · Score: 1
      [...] but it has come about because there is no compelling reason (that many institutions can see) to devote extra time and effort to coming up with alternate ID schemes for schools.
      One wonders if Hinsdale Central High now has a compelling reason.
      --
      Assume I was drunk when I posted this.
    2. Re:high schools are resource-constrained by Infonaut · · Score: 1
      One wonders if Hinsdale Central High now has a compelling reason.

      My guess is that if you check in at Hinsdale in a year, they'll still be using SSNs for student identification. It's a compelling reason to you and I, but they'll likely try to beef up security before they'll switch to an alternate ID plan.

      --
      Read the EFF's Fair Use FAQ
    3. Re:high schools are resource-constrained by Log+from+Blammo · · Score: 1

      What's so hard about putting all the newly enrolled students in an alphabetical list, numbering them in order, and appending that number to the year they started? Even the "difficult problem" of mid-year enrollees can be solved by simply tacking them on after Zelda Zyzzgy.

      --
      "This quote is a product of the Frobozz Magic Quote Company."
    4. Re:high schools are resource-constrained by Anonymous Coward · · Score: 0

      Creating an alternate id system is a no brainer. Use counting numbers! The first student to apply is 1, the second is 2 ....
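
The numbering scheme suggested in the two replies above (alphabetical list, sequence number appended to the start year, mid-year enrollees added at the end), as an added example that is not part of the original thread. The class name, record fields, start year and sample data are assumptions constructed for illustration; it also re-keys the records so the SSN column is dropped.

```python
from itertools import count

# Constructed sample data: names and SSNs are fictitious
# (the 000 area number is never issued by the SSA).
LEGACY_RECORDS = [
    {"ssn": "000-12-3456", "last": "Zyzzgy", "first": "Zelda", "grade": 9},
    {"ssn": "000-98-7654", "last": "Abbott", "first": "Ann", "grade": 9},
    {"ssn": "000-55-1212", "last": "Moreno", "first": "Luis", "grade": 9},
    # Same name as another student: the ID, not the name, tells them apart.
    {"ssn": "000-44-0001", "last": "Abbott", "first": "Ann", "grade": 9},
]


class StudentIdIssuer:
    """Issues IDs of the form <start year><4-digit sequence number>.

    The ID is an identifier, not a credential: it is predictable by design
    and must never double as a password or password component.
    """

    def __init__(self, start_year):
        self.start_year = start_year
        self._seq = count(1)
        self.issued = []

    def _next_id(self):
        n = next(self._seq)
        if n > 9999:
            raise OverflowError("sequence exhausted for this start year")
        sid = f"{self.start_year}{n:04d}"
        self.issued.append(sid)
        return sid

    def enroll_class(self, students):
        """Number the incoming class in alphabetical order.

        sorted() is stable, so students with identical names keep their
        input order and still receive distinct IDs.
        """
        ordered = sorted(
            students, key=lambda s: (s["last"].lower(), s["first"].lower())
        )
        return [(s, self._next_id()) for s in ordered]

    def enroll_midyear(self, student):
        """Mid-year enrollees simply take the next number after the class."""
        return self._next_id()


def migrate(legacy_records, issuer):
    """Return new records keyed by student_id with the SSN field removed."""
    migrated = []
    for student, sid in issuer.enroll_class(legacy_records):
        record = {k: v for k, v in student.items() if k != "ssn"}
        record["student_id"] = sid
        migrated.append(record)
    return migrated


def contains_ssn(records, legacy_records):
    """True if any migrated record still carries an 'ssn' field or a full SSN."""
    needles = set()
    for r in legacy_records:
        needles.add(r["ssn"])
        needles.add(r["ssn"].replace("-", ""))
    for rec in records:
        if "ssn" in rec:
            return True
        blob = " ".join(str(v) for v in rec.values())
        if any(n in blob for n in needles):
            return True
    return False


if __name__ == "__main__":
    issuer = StudentIdIssuer(2005)
    for rec in migrate(LEGACY_RECORDS, issuer):
        print(rec)
    late = {"last": "Baker", "first": "Tom", "grade": 9}
    print("mid-year:", issuer.enroll_midyear(late))
    print("SSN still present:", contains_ssn(migrate(LEGACY_RECORDS, StudentIdIssuer(2005)), LEGACY_RECORDS))
```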

  89. personal information is not property... by Cryptnotic · · Score: 1

    You seem to think that your personal information is your personal property. It is not. Your Social Security Number is not your property. It is a number the government uses to identify you. Your name is not your property. It is an identifier your parents gave you in order for society to identify you. Et cetera. Those things should be kept private from people who have no business with you, however they are not property and should not be compared to property.

    --
    My other first post is car post.
    1. Re:personal information is not property... by jhoger · · Score: 1

      My position on SSN's is that a SSN is a name, and therefore should be 100% public.

      What's the point of a name that isn't public?

      The big mistake is in attempting to use a name (which by definition is public) as a password of all things.

      Why can't people understand this?

    2. Re:personal information is not property... by KlomDark · · Score: 1

      What are you trying to say? You aren't making any sense.

  90. Twisted logic: by pumpknhd · · Score: 2, Insightful

    "Your house is not secure. I can prove it to you. All I need is a rock or baseball bat and I can show you that I can get inside." Yay! Now I won't get arrested! - just because it's tech doesn't mean that the laws don't apply

    1. Re:Twisted logic: by zmollusc · · Score: 1

      It is more like "Your house is not as secure as the people who you pay to secure it tell you it is. I can prove it to you. All I need is a rock or baseball bat and I can show you that I can get through the supposedly rock and bat resistant glass that you paid good money for."

      --
      They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
  91. Whats really scary by Anonymous Coward · · Score: 1, Interesting

    As much as this shows up in the news, you'd think people would learn. In PA right now, there's a guy in the education department who wants to record all of your grades (per subject, per year), as well as statistics on your home life and any disciplinary problems. This will then follow you around for as long as you're in school, not just high school. The supposed purpose is allowing the teacher to bring up everything about you so they can better accommodate you. I can't imagine if all that information were to get into the open.

  92. letter by tdmg · · Score: 3, Interesting

    I sent this to District 86 in Chicago:

    Dear Superintendent Miller,

    I am sure you have been receiving a barrage of e-mails recently, so I'll make this short.
    Recently I read about two of your students attending Hinsdale Central High School breaching network security and stealing Social Security Numbers for students and staff. While I do not believe that stealing the SSNs was appropriate, I do not support the way your administration has handled the situation.
    A communal perspective needs to be taken when looking at the actions of those two students. Often drastic measures, both vulgar and offensive to those in charge, have to be taken. At this moment the citizens of Arizona are spitting in the face of the government by protecting their own borders. This is not very different from what these two students did at HCHS. While they did break the law by cracking through security, they were trying to protect the student body (including themselves) and the staff by alerting the school of its flaws. Let's say someone was to break into their bank and steal their safety deposit box, and then handed it back to the bank manager the next day. A conceited bank manager wouldn't be able to see the good in what this man had done and would call the cops. However, an intelligent bank manager would hire this man.
    Also, I am well acquainted with system admins in school districts. A close friend of mine has been one of the head network admins for the Boston Public Schools for almost 15 years. While he works with gifted students to patch holes in security, many of the other admins disregard student warnings. They let their titles, status, and education get in the way of common sense.
    Punishing these students is just another way that red tape and policy are destroying ingenuity in America. Strictly disciplining these students will only perpetuate the notion that students in America should strive for mediocrity and that being bold and initiating change should be shunned.

    - Xxx Xxxxxxxxx-Xxxxxxx

    --
    "Man, I am so unbelievably stupid."
    1. Re:letter by Anonymous Coward · · Score: 1, Interesting

      It would be nice to see your letter in newspaper opinions section.

  93. It works under certain circumstances. by rdunnell · · Score: 1

    Once about 6 years ago we had a similar situation involving an Ethernet splitter. Any ports that had a splitter on them had to have their settings changed because of a potential problem.

    This port wasn't set up right, someone borrowed a splitter, then their contract was up so they tried to be "helpful" when packing up and plugged both ends of the cable into the splitter, then plugged it into the wall to "keep track of it." Apparently something in the switch didn't like what it saw, there was a huge problem with the spanning tree, and blamo - all the switches on the backbone had to be reset manually.

    I could see how plugging one cable into two ports could cause similar (or even worse) confusion if such a bug existed.

    This was an older Cisco switch, probably 55xx series, running CatOS. The problem that caused it is fixed by now, I'm sure, but the parent poster didn't say how long ago their failure was.

  94. destroyed? by d474 · · Score: 1
    "They claim they have destroyed the information and haven't given it out."
    Don't you think the word "destroy" is overdoing it a bit? How about just plain old "delete"?

    Unless of course Beavis & Butthead here actually strapped some M-80s to their b0x, lit the match, and tossed it off the edge of Niagara Falls while shooting at it with sport rifles. Then "destroyed" would have been appropriate.
    --
    Authority questions you. Return the favor.
  95. Cover up by panurge · · Score: 5, Insightful
    Trying to get into places they shouldn't, whether it is safes or knickers, is something that adolescent boys are programmed to do. Anybody responsible for school systems has an obligation to understand this and deal with it. This is nothing to do with social relativism, as the more fascist /.ers seem to think: it's elementary precaution. Regardless of the motivation of the hackers, the people responsible for the system should be required to be trained in security (and perhaps be downgraded till they had passed their exam) because they failed to take account of something widely known in education. If the zoo keeper leaves the doors unlocked on the lion cages, the lions may escape and end up having to be shot, but what about the zoo keeper?

    The truth is the lazy, idle and incompetent always prefer the cover up to the fix. Whether it is the Roman Catholic church and child abuse, torture at Guantanamo Bay, or security holes, the people in charge will conceal rather than cure. Two examples from my own career:

    I was once asked to investigate the apparent failure of an automated component test system. Eventually a review of the hardware and software left the only option as being that the production personnel were deliberately falsifying results and passing rejected batches. Result: three senior managers demanding I be sacked. Fortunately at this point we acquired a new CEO who had several clues. One manager was fired, one left of his own accord and the other was downgraded. But customer confidence had been eroded and the plant eventually had to be shut down. The second example was less exciting: a production director who resisted for years the introduction of statistical process control because it would make clear where systems were failing.

    I'm sure many of us have similar examples. It is not in fact important what the motivation of the whistle blower is, we need to change the culture to one in which the response is "Fix it", not "shoot the messenger". With hindsight, we may one day conclude that the tradition of open bug fixing in FOSS is its greatest social legacy.

    --
    Panurge has posted for the last time. Thanks for the positive moderations.
  96. Oh THAT kind of SSN! by trash+eighty · · Score: 1

    I feared it would be nuclear attack submarines (also known as SSNs), now THAT would have been a news story :D

    1. Re:Oh THAT kind of SSN! by Anonymous Coward · · Score: 0

      Ha, I'm glad I'm not the only one!

  97. What are kids coming to these days? by raehl · · Score: 5, Funny

    How many times have people broken into school databases only to be arrested!

    Back when I was in school, we only broke into the school database to change our grades.

    1. Re:What are kids coming to these days? by Beatbyte · · Score: 1

      back in MY day I hacked the gibson to put myself in Kate Libby's english class. just beware of the "pool on the roof" ... it's just a trick guys!

    2. Re:What are kids coming to these days? by lost_n_confused · · Score: 1

      Back when I was in school we had to break into the teacher's office and change the grade book.

      --
      -- To mess up an OS X box, you need to work at it; to mess up your Windows box, you just need to work on it.--
    3. Re:What are kids coming to these days? by Marthisdil · · Score: 0

      Funny - back when I was in school, we earned our grades - thus, no need to change them. Seems that only those who didn't want to excel had to find ways around the system to keep themselves from failing. Ah well, those people who cheat and steal, in the end, will get theirs. The rest of us who didn't do those things can always tell ourselves we're better than people like you.

    4. Re:What are kids coming to these days? by raehl · · Score: 1

      Back when I was in school, we only broke into the database to change our grades

      back when I was in school, we earned our grades

      Are you saying we didn't earn our grades? Breaking into the database was hard work, and our grades reflected it!

      Why fail English, Math, Biology, Government and Economics when you can get 5 A's in Database Manipulation? The grades aren't any less "earned" just because they misprinted the course names on the report card.

  98. knotty bits by betasam · · Score: 1

    How would they know that they could break into the system if they hadn't already? (I'm sure the 'IT' staff are bound to think that way.) So calling the 'IT' staff for a "controlled" demonstration wouldn't work either. So the (twisted) moral seems to be: The best way out of trouble is never to get caught (either by never attempting it, or doing it without getting caught.) Techie or Non-Techie, announced or unannounced, someone breaking into a system always triggers fear in the keeper.

    --
    No Greater Friend, No Greater Enemy! (Lucius Cornelius Sulla)
  99. Gross or willful negligence by school admin by SgtChaireBourne · · Score: 2, Informative
    You deprive them of their privacy.
    Sorry, but their privacy was deprived the moment some idiot decided to put that information on an accessible server. More has to be known about what efforts the kids made to alert the school administration and get them to fix a problem.

    Focusing on the kids is a load of bullshit anyway. What was the personal data doing on a server accessible from a home computer? It sounds to me like the school administration is trying to create a smoke screen for their gross or willful negligence.

    If the personal data was on a Microsoft server AND it was connected to the Internet, then the school system is in for a world of hurt in the courts: Willful negligence.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:Gross or willful negligence by school admin by MoneyT · · Score: 1

      So because the school is also responsible the kids are innocent? No sorry the law doesn't work that way.

      --
      T Money
      World Domination with a plastic spoon since 1984
  100. Pamela Jones EXPOSED by Anonymous Coward · · Score: 0

    Who Is Pamela Jones?
    By Maureen O'Gara

    Friday May 6, 2005 - A few weeks ago I went looking for the elusive harridan who supposedly writes the Groklaw blog about the SCO v IBM suit.

    The now-famous opinion-shaping open source leader Pamela Jones, aka PJ, doesn't give conventional face-to-face interviews. Never has, near as anyone knows. All communication is virtual. Only one person in the world has ever claimed to have met her - in the pressroom at LinuxWorld in Boston complete with a Pamela Jones badge - and described her as a fortyish reddish-blonde who giggled a lot.

    Oh yeah? Wonder what cold crème she uses.

    Pamela Jones is a 61-year-old Jehovah's Witness who lives in a shabby genteel garden apartment in desperate need of an interior decorator on a heavily trafficked commercial road at 304 North Central Avenue in Hartsdale, New York. Hartsdale is in Westchester and Westchester is IBM territory.

    See, even though Groklaw treats cell phones like they were Kleenex and changes its unpublished numbers regularly, one number it left with a journalist led to this flat and - wouldn't you know it but - some calls from there had been placed to the courts in Utah and to the Canopy Group so obviously this just isn't any Pamela Jones.

    Pamela has lived in apartment 1A for 10 years at least, according to the super, who says he's watched people move in, have children, and the children marry and move away.

    Now, this isn't your usual anonymous New York apartment. It's practically a self-contained village where the super goes for the old ladies' groceries when there's snow on the ground and people know each other's business.

    But the super didn't know much about Pamela except that she had a computer, worked at home (maybe sometimes) for a lawyer, was "paranoid" - his word - and "sensitive to smells."

    He remembered how he was cleaning paintbrushes one day and she came running down the stairs screaming "Fire."

    She was also missing and had been for weeks.

    Nobody there knew where she was.

    She had up and disappeared one day, and the super was worried about her. He said her son had dropped by and he didn't know where she was, and that some strange man that "nobody knew," as the super described him, had tried to get into her apartment while she was gone - the Medeco lock she had had installed on her door - something nobody else in the complex seemed to feel a need for - was more expensive than the door. But, as it happened, the super said, she had just sent in her rent in an envelope postmarked Connecticut.

    Like an episode out of "Where in the World is Carmen San Diego," the trail led to 10 Bittersweet Trail in Norwalk, Connecticut, 24 miles away. Sure enough, parked in the driveway was Pamela's car, just as the super had described it, a dark gray '90s Japanese number with a bunch of Jehovah Witness pamphlets tossed on the backseat.

    The woman at the house, Barbara Sharnik, told a disjointed story. She didn't know Pamela, Pamela hated her, Pamela wasn't there, Pamela left her car there because it got bumped, Pamela left her car there because she left town, and so on.

    Afterwards Barbara called the cops, and then the cops called the number we left with her and the cops said that she was Pamela's mother and that Pamela was on the run and had shacked up with her mother because she had gotten "threatening mail" weeks before and that she had just gotten spooked again because "people were getting hurt around [my] stories" and had lighted out for Canada.

    Odd, the subject of my stories - or any stories - never came up during our brief interview. I was just looking for Pamela.

    That left Pamela's son, Nicolas Richards, who, as it happens, had been in the software business in Manhattan until - why, my goodness - things seem to have come a cropper right around the time Groklaw came into existence.

    Nick and his ma were apparently involved together in Medabiliti Inc, an ISV, because one Pamela Jones with a Westches

  102. Sounds like they had it coming by Frangible · · Score: 1

    "But officer, I just jacked my neighbor's car to prove how insecure his door locks were! I was going to return it!" Sorry, but it's very easy to do any number of illegal things you can rationalize away all you want, some even of which are victimless, but just because you can do something doesn't mean you should. It would be very easy for someone to pop my sliding glass door open and enter my home. It doesn't mean it should be legal, regardless of their intentions. I fail to see how electronic crime is any different.

    1. Re:Sounds like they had it coming by Typing+Monkey · · Score: 1

      I can see one major difference in this case. The school stored information about the students who broke in as well. Their information was just as accessible to everyone with the right skills.
      According to the article they did it for sports, and not necessarily to reveal the weak security. I can see people having problems with that. But then again. Would it have been better if they didn't do it and further along the road someone did do it but with intent of using the information for some purpose other than proving they could?

  103. Precisely by Sycraft-fu · · Score: 1

    I find a disturbing amount of geeks that seem to think if something is technically feasible, they ought to be allowed to do it with no repercussions. The situation I generally like to pose is thus:

    How would you feel if I broke in to your house, and went through your belongings? I mean 99.99% of people have crappy home security. Your locks are generally an easy point of entry. If you have a simple tumbler lock, that is nothing to pick. So how would you feel if I went and exposed your security weakness, and when I did I decided to go through everything you own, all your documents, everything on your computer, through all your drawers, etc, etc?

    Now you'd find no one that would consider that acceptable. Confronted with that situation most people would at the very least call the police and possibly kill the intruder. However for some reason when it involves breaking in to someone's computer, many on this site see no problem, that because there is a way in it's perfectly ok to barge in and do as you please.

  104. At first this scared me.. by CdBee · · Score: 1
    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  105. I went to school here -- I can believe this. by hs-student · · Score: 3, Interesting

    Although I graduated several years ago, I don't doubt such a thing happened. Would you believe that they actually used your initials and the last 4 digits of your social security # as a hard-coded unchangeable password for all staff, faculty, and administrative accounts, assumably some with access to this stolen information? For the students, at least when I was there, the last 4 digits were substituted with the last 4 digits of your student ID. As you can imagine, this also was about as secure as the last 4 digits of your credit card number. Rumor has it that many years ago someone hacked the system and changed the principal's paycheck to 86 cents in resemblance of the school district #. Figures.

  106. Brilliant, but stupid. by john_anderson_ii · · Score: 3, Interesting

    If they had a plan, and a means to carry out said plan, then they should have gone to the media first.

    Seriously. If these kids had cornered a reporter, made an argument for his/her involvement and brought along said reporter with the promises of an exclusive, their ass would be automatically covered. The presence of the media would have proved they were whistle blowers and not some renegade "vigilantes" that got caught in the act. Nothing could prove different once the film and commentaries went to air.

    The moral is....Once you decide to show some self centered egotistical bastard which way the wind blows....bring a weathervane.

    --
    Be Safe! Sleep with a Marine. Semper Fi!
    1. Re:Brilliant, but stupid. by Chriscypher · · Score: 1

      Unless it's a large land-grant university with a cash cow of a football program (Go Vols!) and it involves evidence of administration-sanctioned changing of player grades over the objection of the professor. Then watch merrily as the reporter sells out the whistle-blower for a cushy public-relations position, and the whistle-blower gets threatened with being blackballed and backs down.

      Do NOT trust reporters to value the story above alternative rewards. Hell, they often can't get stories correct, much less Defend Freedom (tm) or Do The Right Thing (tm).

      They should have remained anonymous by mailing the information and a press release to *multiple* news desks.

      --
      "You have liberated me from thought."
  107. They still deserve no punishment! by r6144 · · Score: 2, Interesting
    Assuming the students got the SSNs truly with the sole purpose of verifying the existence of the security flaw, then I think they deserve NO punishment. This is not a black-and-white issue, and the teacher should explain it to both the cracker and the other students very carefully. In this case the crack might do more harm than good, but if the school simply punishes the offending students hard without much explanation, the other students may easily extrapolate that to "don't do anything when you see something wrong", which is cold-blooded and wrong. If such people went into a company like Enron, they will not only cover up whatever seems wrong to them, they will lay the blame on the employee who reported the fraud when the company collapses and they lose their job.

    As for someone here saying that they should report to the system admins first before testing the security, of course they should, but it is not always easy, and we should not expect these high school students to think that much. If you stumble into a page where you can enter arbitrary SQL, surely it looks very wrong, but there is still a possibility that the admin had simply revoked any privileges of that test account, instead of removing the test page, when the system went into production, therefore before you do a "SELECT * FROM students" and see something wrong, you cannot be sure that a security hole exists.

    If I were the schoolmaster, I think I will explain to the students that, I understand the crackers' intentions are good, but what they are doing is still causing more harm than good, so they will receive neither praise nor punishment for this time, but they should swear that the SSN data are destroyed, and such action is strictly prohibited from now on. As for the website, if the school does lack the expertise to fix it, the system admins should publicly admit that the system has serious security problems, ask the students not to do such cracking again, and they should welcome any student who can and is willing to work with them to fix the problem.

    1. Re:They still deserve no punishment! by Chris+Burke · · Score: 1

      If such people went into a company like Enron, they will not only cover up whatever seems wrong to them, they will lay the blame on the employee who reported the fraud when the company collapses and they lose their job.

      How do you think Enron happened in the first place?

      We like to think that ignoring dangerous/irresponsible/negligent/illegal activity is wrong and abnormal. But, as we can see, we teach our kids to do exactly that.

      It's an unfortunate fact that kids are intelligent, and don't only learn what you want them to learn but instead learn what you actually teach them. In this case we're teaching them that sticking their necks out to fix a problem with the system will just get their heads chopped off.

      I wonder if these kids learned their lesson?

      --

      The enemies of Democracy are
  108. Keyword : Hope by MMaestro · · Score: 2, Insightful
    The correct thing to do is probably to inform the school, hopefully get them to let you demonstrate the flaw under supervision from their network people, and if they still don't do anything about it... move on.

    This is the stem of all security problems.

    If you DO blow the whistle, unless you have some SERIOUS clout behind you, chances are most people aren't going to listen to you. (See: Microsoft).
    If you DON'T blow the whistle, do nothing and have a vested interest in the company/school then you risk having your money/time lost due to SOMEONE ELSE taking advantage of a flaw you knew about.
    If you DO blow the whistle and try to gather attention to it by TAKING ADVANTAGE of the exploit, you SERIOUSLY risk being arrested yourself. (White hackers, black hackers, it's all the same in the eyes of the uneducated masses!)

    Etc, etc, etc. The list of what you can do and how ineffective it will ultimately be goes on. You can't go public or they slam you for trying to ruin their reputation. You can't go directly to the people cause they ignore you. You can't 'white hacker' them cause they slam you anyway. You can't ask for advice on Slashdot cause Slashdot is a wide, niche audience and is largely ineffective due to city/state/nation/international law differences. It's damned if you do, damned if you don't, damned if you ask for help and damned if you do nothing about it.

    1. Re:Keyword : Hope by rikkards · · Score: 1

      The school may ignore you but you forgot one thing, go up a level. Maybe the school board will listen. If they won't, keep going up. The thing is you have to work with the system. If you try going against it you are going to get slammed for it.

  109. Punishment: audit the code for free by r6144 · · Score: 1

    I think THAT would be the right punishment. The original admin must revise any change proposed by the offending student. If any further cracking incident happens, the student doing the auditing takes the blame. Of course, if the incident happens because of a backdoor inserted deliberately by the auditor, the admin would be fired and I don't care how hard you punish the auditor.

  110. Re:G I T M O by (1+-sqrt(5))*(2**-1) · · Score: 1
    [...] weapons[-]of[-]mass[-]destruction[-]related[-]activity[-]programs.
    Yeah, I've noticed that espousers of OO also phrasify substantive-ladenly.
  111. Intelligent life on Slashdot! by Anonymous Coward · · Score: 0

    Holy crap, you actually made a really good point. Several, actually.

    "Motion to declare a writ of 'boys will be boys'.

  112. I know what it's like... by victorhooi · · Score: 1
    hi,

    ok, yeah, this isn't exactly anonymous but what the heck, who cares about one post among several thousand...

    someone i umm...know...was asked to "transfer" from his school several few weeks before finishing after penetrating the school network, writing a report on it, submitting it to his principal, then being a little less than canny about it...

    for some unfathomable reason *rolls eyes*, high school staff don't like being told that their IT security sucks, or that the consulting firm they hired in the 6 figures is staffed with incompetent inebriates who wouldn't know how to set up a network without the funky Wizard crutches offered by Windows 2000...

    Or whose idea of security is to store all the critical admin passwords in cleartext in a .bat file, in the root folder of a world-readable server...

    Oh well....they'll get their comeuppance when I make their microwaves spontaneously combust, their goldfish grow 3 eyes, and their televisions mysteriously lock on to a paytv adult channel...hehehe...

    cya,

    Victor

  113. Not "theft" by Anonymous Coward · · Score: 0

    Those people all still have SSNs, right? Thus, they copied them, but they didn't steal them.

  114. Evidence? by MarkByers · · Score: 2, Interesting

    A lawsuit with no evidence is not going to get very far. How will you prove that information is not secured? You would have to test it by trying to break in, in order to prove your case. That is what the students should have done, then after they have the evidence, they should go to court.

    Oh wait... that's what happened.

    --
    I'll probably be modded down for this...
  115. mods on crack by Anonymous Coward · · Score: 0

    +20 funny

  116. SSNs in my science classroom by macmaxbh · · Score: 1

    Back in middle school, my 6th grade science teacher gave out weekly grade sheets (quite unusual) and posted grade updates in the back of her room. The thing was, so students couldn't compare grades, she used SSNs instead of names. So there was a list of 50-60 SSNs in the back of a science classroom, right out in the open. I always thought it was insecure, although it did force me to memorize my SSN, which was helpful.

    Today, I think the whole school system has replaced using SSNs with using "NCWise" numbers, although in high school SSNs were/are only used as computer passwords (last five digits of your SSN was your password).
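
The password schemes described in comments 105 and 116 (two initials plus the last four digits of an SSN or student ID; the last five digits of an SSN), as an added example that is not part of any poster's comment: a Python policy check that rejects candidate passwords derivable from a person's own record and sizes the guess space of each scheme. The `Person` record, the function names and the sample ID values are constructed for illustration.

```python
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    first: str
    last: str
    id_numbers: tuple  # ID numbers held on file (SSN, student ID) as strings


def scheme_guess_space(letters: int, digits: int, letters_known: bool = False) -> int:
    """Guesses needed to exhaust a 'N letters + M digits' password scheme.

    If the initials are public (they usually are), only the digits are secret.
    """
    letter_choices = 1 if letters_known else 26 ** letters
    return letter_choices * 10 ** digits


def bits(space: int) -> float:
    """Guess space expressed as bits of entropy."""
    return math.log2(space)


def pii_tokens(person: Person, min_digits: int = 4) -> list:
    """Lower-cased strings derivable from the record, longest first."""
    initials = "".join(name[:1] for name in (person.first, person.last))
    tokens = {person.first.lower(), person.last.lower(), initials.lower()}
    for number in person.id_numbers:
        d = re.sub(r"\D", "", number)
        # every trailing run of digits: last 4, last 5, ... the whole number
        for n in range(min_digits, len(d) + 1):
            tokens.add(d[-n:])
    tokens.discard("")
    return sorted(tokens, key=len, reverse=True)


def check_password(person: Person, candidate: str, min_residual: int = 10) -> list:
    """Return reasons to reject `candidate`; an empty list means it passes."""
    reasons = []
    residual = candidate.lower()
    for token in pii_tokens(person):
        if token in residual:
            if token.isdigit():
                # report the length only, never echo the digits themselves
                reasons.append(f"contains the last {len(token)} digits of an ID number")
            residual = residual.replace(token, "")
    if len(residual) < min_residual:
        reasons.append(
            f"only {len(residual)} characters are not derivable from the record"
        )
    return reasons


# Constructed sample record: the SSN uses area number 000, which is never issued.
SAMPLE = Person("Jane", "Doe", ("000-12-3456", "004217"))

if __name__ == "__main__":
    for label, space in [
        ("initials + last 4, initials unknown", scheme_guess_space(2, 4)),
        ("initials + last 4, initials known", scheme_guess_space(2, 4, True)),
        ("last 5 digits only", scheme_guess_space(0, 5)),
    ]:
        print(f"{label}: {space:,} guesses ({bits(space):.1f} bits)")
    for pw in ("JD3456", "jd4217", "23456", "correct horse battery staple"):
        print(repr(pw), check_password(SAMPLE, pw) or "ok")
```

Because the passwords in comment 105 were assigned and unchangeable, a check like this only helps at the point where the system issues or accepts a password.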

  117. HA! by MadMacSkillz · · Score: 1
    Reading this thread this morning gave ME a boost, because I am a high school network admin. We're not all idiots, by the way. And I feel like my school measures up pretty well to the slashdot yardstick of this post.

    My school district does NOT use student SSN for anything at the school level. We use district assigned 6 digit ID numbers. And I actually HAVE had two times when a student came to me to show me a vulnerability in the way we were doing things. In both cases I thanked him and fixed the problem. Now... if this same student ever wanted me to trust him with something confidential and important, I would not do it. Why not? Because he has bypassed our security on two separate occasions. Doesn't matter why. He's proven that he'll break rules if he feels like it. If the temptation is big enough.

    --
    Music - www.richardmac.com
  118. Wow. by Jas0nC · · Score: 0

    See, this is why schools (and all businesses/organizations) need to keep better care of student/employee personal information. These kids just did it to alert the admins of the problem. I, myself have been in the same situation where nobody will take you seriously unless you actually demonstrate the problem.

  119. Learn from history by osgeek · · Score: 1

    Randal Schwartz of Perl fame learned the hard way that doing something illegal to show the problems with a computer system still gets you into trouble.

  120. Schools aren't secure anyways by valnour · · Score: 1

    Right now I'm posting from my school. I attend a high school, in the states, and have about a C average. I'm the school system's worst nightmare. I don't really have much to lose, and the teachers are too dumb to catch me doing anything wrong anyways.
    The school's security policy is a joke. There is one password that covers almost everything. (the password starts with a "cl" and rhymes with "bass") I can, just navigate to the right place on the network, type in the pass, and see information on any student in the school. Now, changing grades are a little more difficult. Luckily, the software that the school uses to maintain grades is on the school's internal server. So all I had to do was download it, install it, and go nuts. Oh, and using that beautifully thought through password, I have installed some keyloggers on some machines, and have plenty of teachers' passwords (i.e. can change my grades, or anyone else's).
    So, long story short, school security sucks. I'm much more of a linux guy, than a windows guy, and I was able to fly through the network in one class period... Somebody needs to teach these schools right.

    --
    Trust No One
  121. Students Rob Gas Station To Prove It Can Be Done by reallocate · · Score: 1

    Same difference.

    Idiots. Book 'em. Dano.

    --
    -- Slashdot: When Public Access TV Says "No"
  122. Big deal by NineNine · · Score: 1

    Big deal. Who cares? Anybody can get anybody else's SSN. I did this exact same thing in 1990 in high school, too. I then told all of the school bullies/assholes/jocks that if they so much as looked at me wrong, I'd also change all of their grades lower. From then on, high school was a breeze.

  123. The Emperor has no pants... by Xiver · · Score: 1

    After exposing that the emperor has no pants, don't expect him to be grateful and not have you drawn and quartered.

    --
    10: PRINT "Everything old is new again."
    20: GOTO 10
  124. Legalities of SSN use by aaronl · · Score: 2, Interesting

    No they really should never be used for anything other than social security. As in how the law that creates social security says that it may only be used for social security. All other uses are actually supposed to be illegal. Then Congress had to go and screw up and let the IRS use it in 1961. However, in 1974, they made it illegal for any government agency to require you to disclose your SSN unless specifically mandated by statute.

    So really, no college, bank, or most anything else is allowed to make you give them your SSN. If you decided to actually sue that school, you might even win; then maybe places would stop trying to force you to use that damned number.

    1. Re:Legalities of SSN use by g1zmo · · Score: 1
      It's required when applying for a passport. From the official website (down at the very bottom):
      6. Provide a Social Security Number
      If you do not provide your Social Security Number, the Internal Revenue Service may impose a $500 penalty. If you have any questions please call your nearest IRS office.
      I don't know how exactly the state department can make the IRS impose a fine, but that's what they say.
      --
      I have found there are just two ways to go.
      It all comes down to livin' fast or dyin' slow.
      -REK, Jr.
    2. Re:Legalities of SSN use by Anonymous Coward · · Score: 0

      The State Department does not care about what the IRS is required to do. They only care about your SSN insofar as they are required to submit paperwork to the IRS. If you read the relevant statute, you will realize that you do not have to write your SSN on your passport application. All that is required is that the passport office submit to the IRS your statement listing four specific pieces of information (one being your TIN, usually the same as a SSN), if they apply to you, and if you don't provide one, all the state department has to do is put your name on the list of people that wouldn't comply and send that in instead. The space on the form is simply there to save the passport office the trouble of dealing with separate paperwork. You can't be denied the passport by reason of not giving a SSN.

      (IANAL) You could write up a separate statement with your application, to avoid that potential $500 fine. But this is the government--they will screw that up, and you will end up on the terrorist watch list, or something. I would advise everyone to simply write in 000000000 on their forms instead, indicating you do not have a SSN, as the State Department couldn't care less if you have a SSN or not, and the IRS is pretty useless when it comes to dealing with people that aren't enumerated. (And if they already knew your SSN, they wouldn't need to ask you for it, would they?) There is no particular reason to make things easier on them.

      It isn't exactly clear why the IRS needs to know who has passports, anyway. Since I am not aware of any re-entering the country tax, or visa stamp levy, I can only assume it is for various nefarious purposes.

    3. Re:Legalities of SSN use by aaronl · · Score: 1

      They can't make the IRS charge you a fine, but I bet you that the IRS has that 500$ hidden in a regulation somewhere as an administrative fee or tax estimation or something. Perhaps they decided that you must be leaving the country to earn an income and not report it. I'm not sure what to tell you.

      Like the above poster said, though, they can't refuse you the passport if you don't provide the SSN. They can throw a temper tantrum, but ultimately, they have to issue it without one.

      You don't need to have a SSN as a US citizen until you're an adult, either. There are a few cases that can make you get one earlier, and most people just have one issued right away when they have a child. If you leave the country before one has been issued, you can still get that passport, they'll just threaten you with that potential fee. (See the "may" in your wording.)

  125. Intelligence by smoany · · Score: 1

    It's quotes like these that make me afraid for our future as a human race. "When we grow up and get our jobs, that's our life right there. They can access anything about us. It just screws us up for the rest of our lives," said Julianne Junus, student. And when I say that, I mean...

    1) Why does this deserve to be in the first 1/5th of the article, front and center? You know what, let's throw out any journalistic integrity for shock value... Oh wait, the news has been doing that for ten years.

    2) On a closely related note, I don't know how old this kid is, but I just love how alarmist she is. "It just screws us up for the rest of our life." Why? Did your social security account get pilfered? Anyway. I'm not going to go further down that path because everyone knows where that ends, but I just love how the most alarmist, non-sensical kid makes the top of the headline story.

    Think of the Children!!!! Please!!!

  126. The media is slow... by tankd0g · · Score: 2, Insightful

    The reporter in this story clearly does not have the razor sharp awareness of what causes people to panic, like say a CNN headline writer does. But sooner or later someone will realize that these kids that got caught/came forward, are the ONLY ones in that school you DON'T have to worry about. It's the other 30 or 40 that already hacked the system or better yet, are trying it right now.

  127. What? by Anonymous Coward · · Score: 0

    Not the same.

    Go look at your average gas station. Cameras, silent alarms, motion detectors, and sometimes even armed guards (only really seen this in Vegas), though you've got about a 50/50 chance of the cashier being armed in the first place, if not trained to memorize you and your weapon to identify you later.

    There's a recognized threat there, and steps are taken to minimalize that threat.

    Now go look at your average high school network. Run by librarians who have no idea what the hell they're doing, let alone how to do it. Not only is there no risk of physical harm (they weren't pwnzz0ring a hospital) and little risk of financial loss (they weren't haxx0r1ng a bank), but they say they had no intention of causing any real destruction, and they didn't. Your average robber/mugger is out to take your money and possibly kick your ass. These were bored, reckless kids.

    Hey, maybe I misread you. Go ahead and explain to me how the fuck holding a gun to someone's face and demanding their money or their life is the same as what these kids did. Go ahead, I'll wait.

    1. Re:What? by reallocate · · Score: 1

      Nuts.

      If someone finds a security flaw, the appropriate thing to do is tell the people responsible for the system's security. If these kids discovered that SSN's were vulnerable on their school's system, all they should have done is make that fact known to school management, as in: Tell Them.

      Justifying computer theft by trying to say you're just trying to expose the vulnerability is ethically bankrupt. It is, in fact, equivalent to robbing a gas station and then claiming you did it just to expose a vulnerability. Or, shoplifting. Or, burglarizing your neighbor. Or, stealing a friend's car when he forgets to lock all the doors.

      Theft is theft. Thieves don't get to redefine the word.

      --
      -- Slashdot: When Public Access TV Says "No"
    2. Re:What? by Anonymous Coward · · Score: 0

      It's not theft if the school didn't lose their copies of the SSN. And since SSN's aren't copyrightable, it's not copyright infringement. At the most, it's unauthorized access to a computer network, and that's far different from theft.

      Theft is theft. Thieves don't get to redefine the word, and neither do you.

    3. Re:What? by Anonymous Coward · · Score: 0
      Nuts.

      If someone finds a security flaw, the appropriate thing to do is tell the people responsible for the system's security. If these kids discovered that SSN's were vulnerable on their school's system, all they should have done is make that fact known to school management, as in: Tell Them.

      Justifying computer theft by trying to say you're just trying to expose the vulnerability is ethically bankrupt. It is, in fact, equivalent to robbing a gas station and then claiming you did it just to expose a vulnerability. Or, shoplifting. Or, burglarizing your neighbor. Or, stealing a friend's car when he forgets to lock all the doors.

      Theft is theft. Thieves don't get to redefine the word.

      You're saying stealing a car, robbing a gas station, or breaking into someone's house is the same as shoplifting -- or breaking into a system?

      See, I'd tend to equate breaking system security with shoplifting, in terms of grandness of scale. You want to equate it with armed robbery?!

      And I agree with you that it's a Bad and Wrong thing to do to break someone's security while they're not looking.
    4. Re:What? by reallocate · · Score: 1

      Pedantics. Crime is crime.

      Happy now?

      --
      -- Slashdot: When Public Access TV Says "No"
    5. Re:What? by reallocate · · Score: 1

      >> You're saying stealing a car, robbing a gas station, or breaking into someone's house is the same as shoplifting -- or breaking into a system?

      No. I didn't say that, did I? I was pointing to the silliness of arguing that unauthorized acquisition of data in a computer network (I call that theft, but that seems to create heartburn for a lot of folks around here who can't quite grasp the notion that the nonphysical can be stolen) can be excused because it highlights a security flaw. So do shoplifting, car theft, and breaking and entering, but try telling a judge or a jury that "I should be exonerated because I exposed how easy it is to steal that car."

      --
      -- Slashdot: When Public Access TV Says "No"
  128. What, no Soviet Russia jokes yet? by Anonymous Coward · · Score: 1, Funny

    In Soviet Russia, students have teachers' social security numbers!

  129. At least three layers that I count by ianscot · · Score: 1
    There's a problem with the specific security measures used at this particular school... and there's also another specific set of problems to do specifically with SSNs, which include no checksum digit for one example... and then there's a more general problem to do with any sort of attempted eggs-in-one-basket "universal ID".

    it should not be necessary to keep one's SSN any more secret than the account and routing numbers printed on personal checks.

    A whole lot of people don't think of those two numbers as being at all different in terms of how secure they keep them. I know people who carry their SSN card in their blinkin' wallets.

    --
    "Fundamentalism" isn't about divine morality. It's about human authority.
  130. Similar problems by N8F8 · · Score: 1

    I had a similar problem when I tied work and material schedules together at a large manufacturer and discovered that managers were intentionally fudging schedules when it was plainly obvious that certain material items would be very, very late. For six months they kept fighting my schedule reports until it was announced that the scheduling and material would be tied together in a new SAP ERP environment. Of course that caused a lot of other problems but my report paled in comparison to the accountability of a realtime scheduling program. As a side note, SAP was so painful it is still causing long, even now. In a realtime system there is no real way to perform what-if analysis and it is difficult to move resources around rapidly without fear of a trainwreck.

    --
    "God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
  131. SSN by ThaReetLad · · Score: 1

    Did anyone else read "SSN" and think the students had managed to steal a nuclear submarine, or was it just me?

    --
    You can't win Darth. If you mod me down, I shall become more powerful than you could possibly imagine
  132. Bigger Question by Anonymous Coward · · Score: 0

    The bigger question is why does the school have the students' SSN's anyway?
    The law states the numbers are not to be used for identification, and that the only institutions that can legally require them are your banker, broker, and employer.

  133. Educators are Immune to Learning! by PsibrII · · Score: 1

    These kids should know all too well by about 3rd grade that teachers are incapable of learning. These NEA worshiping zombies spew out what they are told to and nothing more.

    If the kids try to think for themselves or do anything remotely defiant they call the cops. Kid gets bored and writes something mildly violent, call the cops and have the kids dumped in the psych ward.

    Too many urban blacks move to your white town, goof off in school and threaten to pull down average test scores, hell why not, bring in the drug sniffing dogs, have weekly drug raids, and put in metal detectors.

    If that fails you can launch an "at risk" program. Dump your undesirable dark skins in there until their parents get sick of it all and put their kids into a private school. And when the parents of the white kids start doing it go on the news and cry and whine about privatization eating away at your funding.

    These kids are obviously pretty clueless. Activism of this sort was obsolete in the 70s. You want to make a point of something you need shrub style "shock and awe". Sell those numbers to illegal aliens, street thugs, druggies who need to launder money under someone elses name.

    Maybe after 20-30 years of this happening every time some two-bit bureaucrat collects SS#s and keeps them in some insecure stash they'll wise up. My bet is it won't really happen until it becomes a federal offense for SS# hoarding in an insecure database. After a few thousand of these paper pushers end up in Club Fed it just MIGHT send a tiny little signal to the other idiots to take these security issues seriously, or don't collect the numbers in the first place.

  134. So long as the punishment is appropriate by hey! · · Score: 1

    to the crime and also the criminals.

    The thing about cybercrime is that it seems to provoke gross overreactions, which I'd speculate come from a sense of insecurity and vulnerability which in turn comes from ignorance about how to protect yourself.

    The crime of these kids is akin to trespassing, and has the same kinds of motivations that, say, mucking around on the roof or finding ways into the building when it is supposed to be secure have (both of which I did when I was a teenager, and both of which were stupid and in some cases dangerous). As in that example, the ability to perform the trespass would be highly useful if they wanted to steal something, but clearly that wasn't their intent.

    Arguably, they stole information, but information theft is somewhat different than theft of tangible properties. It can be both less serious (the owner is not deprived of the information) and more serious (the information can be reproduced indefinitely, causing serious and nearly irreparable harm to the owner's privacy). However, there is no evidence at this time that the information was misused, either sold or employed in identity theft or anything like this. It's more a case of puerile trophy hunting.

    What should happen is that a thorough investigation should take place with respect to whether the information was used or sold. If it was not, it should be treated as a trespass prank, and a relatively mild punishment administered through the school system should be used. It would be helpful if there were resources available to investigate information crimes, which the local authorities may not be competent to handle.

    In any case, if no intent to harm the victims can be shown, we should take into account the age and maturity (lack thereof) of the perpetrators. Teenagers do not have the same cognitive capacity as adults to think through the consequences of their actions -- that part of their brain will still be developing for as much as another ten years. If they intended no harm, they may literally have been unable to see that there was anything wrong with a little information trespass.

    If, by the way, you are a teenager and feel insulted by the above paragraph, look at it this way: you can look forward to being even smarter than you are today in a couple of years. Unfortunately, I can tell you from experience it doesn't feel that way.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:So long as the punishment is appropriate by Frank+T.+Lofaro+Jr. · · Score: 1

      Yeah why is information trespass a felony (permanent loss of legal rights, etc) and normal trespass (*) only a misdemeanor?

      * Although in some states you can legally be shot to death by the owner in some cases.

      --
      Just because it CAN be done, doesn't mean it should!
  135. I Know Several People at Hinsdale Central... by Anonymous Coward · · Score: 0

    I do not know the cracker, but I know several students who do, and who knew exactly what he was up to. As usual, the media spin is different than the true story. He did not do this to steal SSN's. He did it more for Ferris Bueller type antics. I would assume there was some grade changing, but here is what I know for certain:

    When a student needs to be excused from a class or a day, and a parent calls administration, the request is recorded electronically so all other faculty can see if it is allowed or not. I heard he was adding requests so that his friends would be able to ditch and it would appear to the faculty that there was a legit reason (the faculty would check the electronic records, the permission would be there, they would assume another faculty member took and granted the request.)

    The second thing I know for sure is that he set up a separate web site with all the students' pictures and student id #'s on it (which he got from the school's systems), then created his own version of yearbook superlatives (girl you would most likely beer-goggle with, guy most likely to hook up with another dude, etc.) and other students would vote. Don't know this for certain, but that's probably what got him busted. I heard the site got quite popular- half the class logged in at night.

    Anyway... that's what I know. I haven't RTFA so it may say this, but the kid was expelled (my friend said the student didn't show up for a few days, then the news vans and helicopters were there). And he had been accepted to college, ready to go in the fall- doubtful they will take him now without his HS diploma and this on his record. Maybe he has some tech skill, maybe he's a kiddie, but in my opinion he's still a dumbass. Don't crack, hack.

  136. An alternative approach... by Bigman · · Score: 2, Informative

    .. with less risk would be to send a formal letter to someone high up that you believe that the information held on that server to be insecure, and ask that it be secured or your information be promptly removed. Offer to demonstrate how the information is insecure, maybe, but point out that since you have informed them of the possibility of an intrusion you will consider suing (?) if *your* information is stolen. That will get their attention!

    --
    *--BigMan--- Time flies like an arrow.. but personally I prefer a nice glass of wine!
  137. Ahhh, youth! by Safety+Cap · · Score: 1, Flamebait

    Hopefully these kids (and those who are following this story) will learn the following lesson:

    It doesn't matter how many security holes a system has; never, ever talk about them or try to get them fixed.

    Take, for example, the US's Airport "security." That system is a complete joke. I mean, it is not even funny how easy it is to sneak things past the "guards." If you try to point out where the flaws are, they will arrest you.

    Remember, their goal is not to provide security, but rather the illusion of security. The unwashed masses need the government to "do something" so they can go on about their little lives without fear. It doesn't matter if that "something" works or not, or how much money is wasted.

    --
    Yeah, right.
  138. No, no, no, not in the New Order of Regime by Anonymous Coward · · Score: 0

    Herr Bush teaches that you must obey, and be a good Christian. Only evil, child-eating, atheist Moslem fanatics criticize our glorious leader, or disobey any of our Great Inspired God-given laws. We must hang these terrorists.

    Also we must fix the nasty annoying Constitution, because it hinders the Fuhrer's attempts to save us from the evil child-eating terrorists.

    Think of the children!

  139. Re:it's all about fear folks by BAM0027 · · Score: 1

    "Fear is the mind killer..." -- Frank Herbert

    Cut one leg of a tripod and it leans over. Cut a second and the tripod is seriously compromised. (Yes, I know, cut the third and just make it shorter to compensate, but then the whole thing is diminished).

    In the context of "mind/body/spirit", our society is deep in the throes of fear, just like much of civilization has been in history. Much of our social norms are based on fear. While fear is necessary, too much is "toxic" and abusive. Yet we think it's acceptable and normal (eg. Simon from American Idol).

    I know that this next bit sounds like General Ripper's "precious bodily fluids" from Dr. Strangelove, but hear me out.

    Our bodies get compromised from the unhealthy diets in our society (McDonalds, sulfites, yeast, sugar, etc...). That's the second leg of the stool. Our spirit is left with the burden of holding up the load. It's no wonder to me that so many people have a hard time finding balance in life.

    This isn't to place blame on anyone at all, even though I subscribe to conspiracy theories at times. I am trying to say that we, as people in (American) society, have a very subtle burden of maintaining balance, let alone grow, in any of these ways (mind/body/spirit).

    Am I surprised at the spiritual emptiness of our society/world? I know it takes a lot of time and energy to maintain myself and I don't do a good job of it. It takes time and effort to avoid fast or processed food, schedule in exercise every day, be productive the way we need to be (work/school), and it takes time and energy to be spiritual in whatever form a person practices.

    I keep this in mind when I am at work or on the highway, for example, and someone acts unreasonably. I imagine that they are having as hard a time, if not more so, than I am at living life. That helps me maintain a positive attitude as a basis for affecting my world.

    Anyway, I know I'm taking this off on a serious tangent, but this parent post just scrapes the proverbial "tip of the iceberg" of what I think are our deepest social ailments. Don't shoot the messenger.

  140. When I was a kid... by SpiritGod21 · · Score: 1

    my friend hacked our school system's main computers just to see if it could be done. We were the techies for our school and ran the local network, but he wanted to see what the district computers were like. Unfortunately, he (stupidly) left calling cards throughout the system, so he called me the next morning when I got in to ask if I'd call the head computer guy for the district and explain why they had so many security flags :-P lol The guy called my friend to tell him that they had fixed the security holes and would he please try and hack it again to find out? This went on for several months until we graduated.

  141. This Reminds me by part_of_you · · Score: 0
    ....of a friend of mine. He went through the city where we live, and was looking for wireless hotspots. He found one coming from the police station, and it was not encrypted. He looked on it for a while, and discovered that all of their video cameras were tied into the system as well. He went inside the police station and had his laptop in hand. He showed it to the officer. They asked "What's that?" He replied "I think it's cell #4. If it's not #4, then it's #6. You guys have it wired wrong I think."

    They did not arrest him, in fact, they offered him a very low-paying job with the city!

  142. I can do the same... by fivezerosixzero · · Score: 1

    I can get SSN's, disciplinary reports, grades, personal information, etc. all through an UNPASSWORDED share on a school computer listed as ATTENDANCE. (the files can be opened in any text editor) I've already told the tech guy, and he doesn't seem interested in fixing the problem. I even told him a few months ago. I know I should do something, but how should I go about doing it? I fear some school officials might overreact.

  143. Re:Notation? by lachlan76 · · Score: 1

    Yeah...because we really have a choice about whether we go to high school...

  144. SSNs do not belong in a school computer anymore by Anonymous Coward · · Score: 0

    How did the social security numbers of some students end up on a school computer to begin with? Schools are not supposed to ask or collect social security numbers from any student. In case a school does it would be stupid of anyone to give them his/her social security number instead of simply refusing and educating that school about the legal situation as well as the multitude of risks.

  145. Re: what so good about it? by jotok · · Score: 1

    Right, because the authorities would totally not blow them off or anything.

    And we can be sure of that because they went to the authorities first and...oh, wait, they didn't.

    Let's not bullshit here...they weren't performing a general pen test...they were trying to crack the system and got CAUGHT. This exposes their defense as a lie. Nice try, fellas!

  146. How would people do it differently? by Lifewish · · Score: 1

    I have no doubt that the majority of slashdotters, if given school admin jobs, would have more sympathy for the hackers than the current crop of sysadmins. How would you implement the value system that the parent described us as holding to? How would you organise things if you were in charge so that a) students could learn advanced computer use within the system, b) accountability could be imposed on students and c) normal use would not be impaired?

    The best way I can think of is a three-tier approach. Tier one is a set of stand-alone computers that anyone can use regardless of whether they're an evil brat or not. No connection to any other computers and no internet connection, so damage done from playing silly buggers would be minimised. These computers would be monitored to the maximum extent physically and legally possible.

    Tier two would be most of the computers in the school - standard desktops, connected to the internet via a firewall etc etc. Anyone playing silly buggers on these would get kicked off and only allowed to use the stand-alone machines (with the result that they'd have to transfer any files via floppy disks and so on). These computers would be monitored to make sure no-one was playing major silly buggers and no viruses were present etc, but would be mostly left alone.

    Tier three would be a stand-alone network, with a variety of computers running a variety of different operating systems. Anyone with an interest in computers could come and try stuff out here, and anything would go, with the caveat that, if you break it, you have to fix it. Little or no monitoring required, since any damage done would be localised to this separate network, and silly buggers could thus be permitted to reign unchecked.

    The advantages of this system would be that a) you'd have a place for all the teenage hackers to work off their hormones, b) you'd have a disciplinary system (play silly buggers on tier 2 and you get dropped to tier 1) and c) you'd have a cadre of well-trained young security experts who you could supervise in auditing the tier 2 network.

    Does anyone have suggestions for improvements or see any problems with this (apart from cost)?

    --
    For the love of God, please learn to spell "ridiculous"!!!
    1. Re:How would people do it differently? by Anonymous Coward · · Score: 0

      hoh, everybody just needs to lighten up. they broke into their school's computers. cool!

  147. A bit too far by dereference · · Score: 2, Informative
    I agree with your main point that SSN has become far more than just an identifier for the SSA, and that indeed this is a bad thing. However:

    Now your SSN is your life for the most part.

    Yes, this is true--though only to a certain extent--but your following argument is quite overstated:

    If someone has your number, they don't even need to know anything else to screw you over. With the number they can do searches and find your name and current residence. With that info they can sign up for credit cards in your name and screw over your credit.

    If this were true, nobody would ever bother to steal a "list of SSNs" from a database! They would just randomly choose any 9-digit number. The security (or lack thereof) is in the linkage between the SSN and a person.

    They can basically steal your identity just by knowing that one special number.

    Again, this is an oversimplification. They still need to know whom that SSN represents. A reverse-lookup, if it existed, would imply that lists of SSNs wouldn't need to be stolen in the first place. Of course the kids in TFA most likely obtained more than just a list of raw 9-digit numbers; they probably also got the linkages between the SSNs and their owners.

    1. Re:A bit too far by kobaz · · Score: 1

      They would just randomly choose any 9-digit number. The security (or lack thereof) is in the linkage between the SSN and a person.

      I'm sure people do that... there are many services online where you can just enter a social security number (and pay a fee) and it will search their databases.

      They still need to know whom that SSN represents.

      Having a SSN can ultimately lead to finding who it represents.

      --

      The goal of computer science is to build something that will last at least until we've finished building it.
  148. What I want to know by Y2 · · Score: 1
    What I want to know is ... why does the school have the students' social security numbers in the first place? There's no defensible reason for it. In fact a public school has to comply with 5USC552a before even asking for SSNs.

    (When I hand out "more information" postcards for my alma mater, I black out the space that asks for the kids' SSNs.)

    Those of you in the U$A and out of school may want to print and carry the piece of 5 USC 552a beginning at the words DISCLOSURE OF SOCIAL SECURITY NUMBER when they next go to renew their driver's license.

    --
    "But all your emitter and collector are belong to me!"
  149. Lessons NOT learned by AviLazar · · Score: 2, Insightful

    Haven't people learned, by now, that even if you have the best intentions at heart - doing these things will result in you getting in trouble. If you really want to test the security of an organization, get their upper management authorization (hell you could even make a profit).

    If they were smart about it (and they have to be somewhat smart to do this) they could have spoken to their principal/advisor and gotten sanctions to do this - potentially earning some kind of HS credit or an award from the school.

    --

    I mod down so you can mod up. Your welcome.
    1. Re:Lessons NOT learned by Frank+T.+Lofaro+Jr. · · Score: 1

      If they were really smart about it, they'd get a business license, become a security company, offer to test their security for a nominal fee, draw up a contract and get paid for it. Never mind awards or credits, they'd have money and something good to put on their resume.

      --
      Just because it CAN be done, doesn't mean it should!
  150. School IT staff? by phorm · · Score: 1

    Maybe it's different elsewhere... but back in the day my school IT staff were pretty reasonable. I remember that we had a fair bit of fun hacking other students' accounts until the prof got annoyed, at which point we showed him the holes and he plugged 'em.

    Nowadays, I am one of the school IT staff. If a student were to show me a flaw in the system I'd be quite happy to address and fix it... no suspensions etc. If a student were to exploit a hole in the system and then bring it to my attention... well that's a different story. I've had quite a few students claim "3l33t h4x0r 5ki11z" and the ability to crack the network, most are just running brute-force programs and never actually get anywhere anyhow...

  151. Not my windows by theunixman · · Score: 1

    If it were the students' information on their own computers getting stolen, it would be much like someone breaking into their homes and stealing their things.

    However, the school is holding the students' personal information, and not securing it properly. This requires a different analogy, and if one is required, it would be more like going into a restaurant, handing over your credit card, and the staff then allowing anyone who drives by to take a copy of your credit card number and signature.

    If the school requires that the students' personal information be stored indefinitely, they should also be required to exercise reasonable care in protecting it from theft. Otherwise, the school should be held fully liable for whatever damage is caused by the theft of the information, much like a restaurant would be penalized severely for handing out customer credit cards freely.

  152. Why does a High School have student SSNs? by jcr · · Score: 4, Interesting

    Since when did a high school become an employer of its students? I want someone to find out why the school had the kids' SSNs in the first place.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
    1. Re:Why does a High School have student SSNs? by eluusive · · Score: 2, Informative

      Pretty much all schools have SSNs, and it is pretty friggin' lame. Most schools use them as Unique Identifiers instead of coming up with their own ID system.

    2. Re:Why does a High School have student SSNs? by rpillala · · Score: 2, Informative

      Our school system recently (this year) went from SSN as the student identifier to a 5 digit random ID number. These are used for things such as attendance records, academic records, etc. I think one reason we do have (and we do) students' SSN is for communicating with other school systems who may have their own ID number scheme. Or maybe hospitals. I'm not saying this justifies the school having all this info but that's probably one reason.

      --
      When the axe came to the forest, the trees said, "Look out - the handle was once one of us."
    3. Re:Why does a High School have student SSNs? by /dev/trash · · Score: 1

      Dude, get over it. The "SSN is for work only" boat sailed years ago. Once RealID comes into law, you'll want the SSN as UID back. Trust me.

    4. Re:Why does a High School have student SSNs? by jcr · · Score: 1

      The "SSN is for work only" boat sailed years ago.

      I don't give out my SSN to people who aren't giving me money that they have to report to IRS. That's non-negotiable.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
  153. Good luck! by orionware · · Score: 1

    I've been trying to explain to the feds for months now that the SS#'s and personal info that I stole and subsequently used to open credit card accounts, buy cars and hit the roulette wheel was simply my way to show how easy it was to obtain that information and use it in a negative way.

    BTW. Be careful. Not all supa-dope-hot escorts in Vegas are what they seem! She WAS hot for a cop though.

    --


    Karma means nothing to me, so suck it...
  154. Blame the victim by Lord+Faust · · Score: 1

    That network was asking for it. Wearing those skimpy security protocols. I couldn't help myself.

  155. Eye for an 3Y3 by Glamdrlng · · Score: 1
    they face possible school disciplinary action and criminal charges
    So do the school administration and schoolboard IT staff face disciplinary action and criminal charges? They could if they fall under HIPAA or GLB.
    --

    Yes, my only tool is a hammer. And you're starting to look like a nail.
  156. been a long time by kcim · · Score: 1

    I went to Hinsdale South (in Darien) a long time ago. I remember a guy, Rob E., who changed all the teachers', etc. staff's paychecks to one cent. Yup, 1 penny. No kidding, they had a mainframe near Hinsdale Central that the schools time-shared. After that the schools went with Apples instead of the terminals. Back on topic, I generally agree that you may need to demonstrate a weakness to get motivation for a fix, providing that no harm is done and everything is documented. Been up all night, tired, later :)

  157. It's still a crime no matter what! by Anonymous Coward · · Score: 0

    Committing a crime just to prove it can be done, is still a crime. Would it be the same thing if they robbed a bank to prove it could be done, "But they didn't spend the money". Is that OK, too?

  158. Punish them by hkb · · Score: 1

    I read all these posts about how they're "brilliant" and "harmless".

    1.) You think they're brilliant for "hacking" the system? Have you seen how bad computer security is these days? Their hack probably involved reading a password off a sticky note on some teacher's machine.

    2.) Harmless? In today's world, stealing someone's SSN is worse than stealing their TV, car, sandwich, and wife. A person's SSN is mind-bogglingly valuable, these days.

    Fuck 'em, punish them. They're not the victims and they need to take responsibility for their crimes. Yes, crimes. They committed a criminal act.

    Gone are the harmless days of my youth re-enacting war games on my high school's VAX.

    It makes me cringe and wonder why the fuck we're still using something as simple as a 9 digit number to control such huge portions of our lives.

    --
    /* Moderating all non-anonymous trolls up since 2004 */
  159. Whoa! by DarthVain · · Score: 1

    Did anyone else read the title and think some students stole some nuclear missiles?

  160. Just goes to show... by atomic_toaster · · Score: 1

    ...that you should never demonstrate computer skills above and beyond that of a high school's staff.

    Please note that I'm not saying what the students did wasn't wrong. I believe that the idea behind it, i.e. showing the security flaws in the system, was a good one, but they didn't have to go after the flaws in an illegal fashion. However, not only the students deserve a reprimand here -- what were the SSN's doing on an internet-accessible database in the first place?

    Students who demonstrate intelligence beyond their years or insight into problems which the teacher cannot comprehend are VERY threatening to the teacher.

    I've found this to be especially true in the realm of computers. If a student is extremely good at, say, math or English or biology, the teachers will often look at the student as a prodigy, although they may suspect the student of cheating in some way if they seem to do so well entirely without effort.

    However, when it comes to computers, most teachers and staff at the elementary and high school levels only have the bare minimum knowledge required to turn on their computer and run the applications they have to use in order to keep their jobs. Don't blame the teachers, most of them had the computer age dumped on them with little to no training. But because most records are kept on computers these days, students who are extremely proficient with computers are the equivalent of students who could pick filing cabinet locks and alter their grades thirty years ago. The problem is, thirty years ago, if you learned how to pick locks and forge grades, you probably were doing it for "nefarious purposes." These days, computers aren't just a tool for "nefarious purposes," they are a tool that is used every single day by many students and they are a part of everyday life. But many teachers can only see a student who is good with computers as someone who carries a set of lock picks to school.

    Case in point:

    My little brother, who was the darling of my high school's (rather meager) computer department, happened to be in the library when another student hacked into the school's database through a terminal in the library. The other student was not known to the staff as being a computer geek, so the blame fell on my brother. But the staff of the school (with the exception of the computer teachers, who for some reason were not consulted on the matter) were not proficient enough with computers to prove who had actually broken the school rules. Based only on the fact that my brother was known to be good with computers, the staff then banned my brother from the school library for the rest of his high school career with no proof that he had done anything wrong. First of all, how is this helping him learn? Secondly, because the school staff did not understand enough about computers, my brother was banned only from the library, not from the school network, nor was his school network ID taken away. He proceeded to graduate from high school after taking every single computer class offered by the school (which were taught on computers that were on the same network as the library) and then to spend two semesters as a teaching assistant, teaching other students the same skills that got him banned in the first place.

    The moral of the story is: with the possible exception of the computer teachers, never let elementary/high school teachers and/or staff know that you, as a student, are proficient with computers.

  161. Still Illegal by Flamesplash · · Score: 2, Insightful

    Well, it was still an illegal act. What if they had bought drugs on campus to demonstrate that it was possible and then turned around and gave the drugs to the police or administration? It's still illegal. They say they destroyed the SSNs/gave back all the weed, but who really knows. What if they sell the HD the numbers were stolen from and someone recovers them?

    They could have done a little to cover their butts, like notifying a teacher ( anonymously ) about the intended act so there was foreknowledge they meant nothing about it, or even going to the principal and telling him the system was insecure and that they'd like to prove it.

    --
    "Not knowing when the dawn will come, I open every door." - Emily Dickinson
  162. Handy SSN generator by Anonymous Coward · · Score: 0

    You could always use this handy Social Security Number generator when someone who has no good reason to have your Social Security Number, like a school for example, asks for it.

    http://kearney.servehttp.com/test/newssn.php

  163. "Time to take these guys to school." - Robotech by Xenophon+Fenderson, · · Score: 1

    You are changing the subject. Attacking the person's spelling (trying to impugn his intelligence) instead of logically countering his arguments is a great way to earn emotional points with the crowd, but whether the poster is good at spelling (or typing, for that matter) has nothing to do with his argument over how to get along with teachers and classmates.

    And let me tentatively agree with that poster. I had the same problems with my teachers and classmates until I learned that school was not about gaining knowledge and wisdom, but about social conditioning. As in the rest of the Real World, human beings who rely too heavily on style over substance can be easily manipulated in ways that can benefit the manipulator. That it took me until after college to realize this is perhaps testament to the fact that I have a sometimes abrasive, sometimes attention-seeking personality and am only 1 standard deviation above the norm on the IQ scale. (Now, where is my tongue? Oh yes, there it is, firmly planted in my cheek.)

    --
    I'm proud of my Northern Tibetian Heritage
  164. Guilty as charged. by vmfedor · · Score: 1
    Did these students commit a crime? Certainly, they broke into a system unlawfully and stole sensitive information. They're guilty. Just because they didn't use the info they gathered doesn't mean that they didn't commit the crime.

    On the other hand, I usually agree with "no harm, no foul." These are kids we're talking about, not malicious computer hackers. I don't see the need to press criminal charges since nothing was done with the social security numbers. Though I think they should be reprimanded by the school appropriately. They need to know they can't go around breaking into people's systems just to prove a point.

    --

    I like my women how I like my sugar.. granulated.

  165. Poor security procedures by Anonymous Coward · · Score: 0

    As a Hinsdale Central student I would point to the teachers as being the biggest flaw in the school's security scheme. From what I know the students merely store one of their teacher's login and password. Through this they were able to change grades and view student SSNs. They could even access the school network from home through Novell NetStorage. It is not the software that is the weak link, but the human element.

  166. Choicepoint jobs for these young ones by Anonymous Coward · · Score: 0

    So a handful of SSNs brings about possible criminal charges while corporate criminal negligence compromises hundreds of thousands and is somewhat swept under the media-rug.

    These kids raise the warning flag once again: more and more databases contain unnecessary private info and the people working day to day don't have a clue beyond point and click and field entries.

  167. It's even easier when you're in college by stevenm86 · · Score: 1

    Here is an article my friend wrote regarding SSNs and the magstripe ID cards most colleges use.
    http://privacyumd.blogspot.com/

  168. Yes, but... by jpellino · · Score: 1

    On Discovery channel they have a show called "It Takes A Thief" whose point it is to show people how vulnerable their houses are.

    The difference is the 'victims' agree to all this.

    The school did not.

    I'm amazed we're still debating this and claiming it's the only/best/useful way to make security better.

    Individuals guessing that so and so might not have listened to a technical alert therefore you have to hijack passwords w/o permission is a risky guess. If you didn't try Plan A then you have no real reason to go to illegal Plan B.

    Imagine someone picked your pocket to show you how insecure your back pocket was, copied all your credit cards and medical info and license, then gave you back your wallet and swore they'd destroyed the copies.

    What would you do?

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
    1. Re:Yes, but... by Anonymous Coward · · Score: 0

      I don't know if this is what happened in this case, but it wouldn't surprise me if they did bring it up before getting the SSNs, and the school poo-poo'd it. Hell, I can remember when I was in school, if you were on ANY screen that the teacher didn't recognize, whether malicious or not, you got in trouble. Also, school officials who aren't really computer-literate tend to be scared of such things as command prompts, so if they were in a situation where opening a command prompt could get them in trouble, then just how were they supposed to handle this? If it had been me, I would have just let the vulnerability sit there, and without letting anyone at the school know that I have such knowledge, I would pass the information to an external third party. Then the situation would have resolved itself without any harm to me.

  169. Anonymous Email by Dog135 · · Score: 1

    What he should have done is taken a screenshot of the admin's information, then emailed that anonymously to the admin.

    Just use a yahoo email and send on the school library's computers. Include notes on what to do to fix it.

    The key is: Don't let them know who you are. That protects you, and scares the admins even more.

    Hiding your identity on the internet is about as easy as finding p0rn on it.

    --
    "That's so plausible, I can't believe it!" - Leela
  170. Typical by brsmith4 · · Score: 1

    People, don't be naive and believe that doing things like this at your school, no matter the motive, will be appreciated. Whenever you "lend a hand" or insist that you were "only trying to help" you always get burned. Let the school deal with their own security problems and tend to your education. It's not worth the trouble, trying to help others that don't want your help anyway.

  171. Apples vs. oranges by coyote-san · · Score: 1

    That situation is different since the very nature of NIS/YP is that it is publishing information. It might be a violation of policy to set up your own client, but it doesn't involve doing anything on the server other than using a service in the usual manner. If you're outside of the jurisdiction of that policy, e.g., due to an absent or misconfigured firewall, it can't be a violation of policy.

    An analogy would be comparing somebody walking down the street seeing something in plain sight on a patio vs. entering the house (through an unlocked door) and snooping in the desk.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  172. ahh youth by neoThoth · · Score: 1

    Normally I would give the same "make sure you have a contract" speech I've seen in other threads. But that's because I assume my audience is over 18. These KIDS will possibly get into trouble with their school but the criminal charges are total BS. Now when they graduate they should have some nice lucrative jobs lined up.
    BTW since school is a government resource isn't this a terrorist action? :-o

  173. Nonsensical analogies by Anonymous Coward · · Score: 0

    If we absolutely have to use the hacker-evil-like-burglar analogy, in this case it's more like the school IT staff had the responsibility for storing their personal belongings. They forgot to put a lock on it, and the students took one item from each person there, and returned it promptly to the school to show that their items (as those of the others) weren't particularly well protected.

    This was an idiotic act, but high school kids are generally idiots in any number of dimensions that they don't realize yet. Now nobody can be certain that a copy of their information isn't circulating somewhere, or kept for future malice.

    However, this ill effect doesn't excuse the school neglecting its duties towards its students.

  174. Re:On the other hand... by tftp · · Score: 1
    I could argue that those who are responsible for the safe-keeping of that information were at fault, not the ones to gained access to it.

    There is no dichotomy; both are at fault, but their offenses are different. One group is guilty of poor data security, but they themselves have not committed any crime; you can sue them for negligence, but that's probably as far as it gets. The other group, however, committed an actual crime.

  175. reminds me... by 42Penguins · · Score: 1

    Being in high school myself, I have also stolen SSN #s and given them back, mainly to convince other students to be more careful. All of the information needed to steal an identity is printed on a 4x6" card, which most students tape into the front of their notebooks. I'm somewhat surprised by the lack of care, but at the same time, I'm not. By an odd coincidence, I'm also the only student tech, and I've found all sorts of lovely information on the servers accessible to anyone. Identities waiting to be stolen :S

  176. SSNs by Anonymous Coward · · Score: 0

    HS Students Steal SSNs to Prove They Can

    What? Some students stole a submarine?! :D

    Local news in Chicago is reporting about two Hinsdale Central High School students who breached their school's computer system and retrieved all of their peers' (plus staff's) Social Security Numbers.

    Social Security Numbers... How lame.

  177. You can't compare this to breaking into a house by Anonymous Coward · · Score: 0

    You can not compare hacking into a school network to expose its security flaws to breaking into a person's house to prove they can. It's just not a good analogy.
    A person can fortify their house as much or as little as they would like, because it's their own personal property in which they voluntarily live.

    But why shouldn't a student be able to protect his/her valuable information, such as a SSN? At school, a student has no choice in the matter of whether or not they give up their personal information. If I'm forced to give up my SSN, I want to know that it's protected, at least.

    The students shouldn't be punished for protecting their own SSN's, as well as the SSN's of their peers.

  178. charlie brown by Anonymous Coward · · Score: 0

    It certainly made it easier for Charlie Brown to find out the telephone number of that red haired girl that he always admired.

  179. No need to plumb your school's network. by P0ldy · · Score: 1

    Simply go down to your Register of Deeds office. Countless documents that are public record and available to anyone with a quarter have Social Security Numbers on them. The only restrictions are birth certificates, military discharges, and death certificates, which are available only to the immediate family of the individual. And since a fake ID template can be downloaded from Kazaa, you've spent less time ripping off someone's identity than cooking dinner.

    Deeds offices are becoming more cognizant of it, but in so many states with millions of documents already on record (and so many of which are available over the net), most of the states don't even have laws to redact SSNs, though legislation is pending in some states, and people don't know enough to understand that the SSN is never required (nor do the banks, lawyers, etc., it seems).

    Check your mortgages and deeds of trust.

  180. The worst has got to be by Anonymous Coward · · Score: 0

    eating pussy

  181. They deserve what they got by Anonymous Coward · · Score: 0

    Something all the pro-hackers on here seem to be forgetting is they broke the law, plain and simple. Breaking into a network and stealing information, regardless of the intentions, is illegal and you will be punished. People who justify their illegal activity by stating that it's someone else's fault because the information wasn't secured properly are complete morons. Believe me, an argument that idiotic doesn't stand up in court.

    And by the way, a reality check for the idealists. For every one person who breaks into a network, steals information and then gets paid by the company they broke into, 1000 others get thrown in jail for it. Feel lucky?

    1. Re:They deserve what they got by pclminion · · Score: 1
      People who justify their illegal activity by stating that it's someone else's fault because the information wasn't secured properly are complete morons.

      I don't think anybody is putting these kids up on a pedestal, but I'm glad it was a bunch of silly high school students who gained access to the data, and not somebody seeking to commit mass identity theft. A gigantic flaw has been revealed, and hopefully the echoes of that will instigate appropriate changes in the system.

      And it IS somebody else's fault. If the school district chooses to stockpile the SSNs of all the students, and that system is vulnerable, those people ARE AT FAULT. When highschoolers are capable of committing mass identity theft, something is wrong, and it ain't just the kids.

  182. Growing problem by Anonymous Coward · · Score: 0

    "This is a growing problem in the United States and to actually experience that it is going on at the high school level, really makes you concerned," said Curt Stennis, parent.

    Yes, it's called hiring a qualified System Admin. Period. I cannot tell you how many 1/2 ass'd admins that I see working day to day strutting their stuff when their heads are in their ass'.

    I will say, with a head in the ass and strutting make an interesting sight. Period.

  183. E (OT) by OldMiner · · Score: 1

    Dangit Erabus, the e-mail address you listed on /. is out of commission, and I don't remember your work e-mail. This is Cerebus, and I'd love to toss you a message. Contact me at Brian.Orlick@gmail.com if you could, please. Thanks.

    --
    You like splinters in your crotch? -Jon Caldara
  184. It's never a good idea... by SagaLore · · Score: 0

    Even if you're a whitehat, there is a fine line between testing security, and breaching security.

    That fine line is called "getting permission".

    What the students did was just as stupid as the virus writers who think they're helping us out by sending out viruses that disable and patch for other viruses (with the added effect of Denial of Service).

  185. Pick your fights by AndreyF · · Score: 1

    From a Paul Graham essay:

    Suppose in the future there is a movement to ban the color yellow. Proposals to paint anything yellow are denounced as "yellowist", as is anyone suspected of liking the color. People who like orange are tolerated but viewed with suspicion. Suppose you realize there is nothing wrong with yellow. If you go around saying this, you'll be denounced as a yellowist too, and you'll find yourself having a lot of arguments with anti-yellowists. If your aim in life is to rehabilitate the color yellow, that may be what you want. But if you're mostly interested in other questions, being labelled as a yellowist will just be a distraction.

    ---

    Pick your fights more wisely... it's obvious that the more you know, the more you realize there is left to learn. Wasting time explaining to those that know even less than you that they don't know much may be easier than going out and trying to learn even more yourself, but doing so amounts to nothing but laziness.

    Our society has systems of education not to inspire the Einsteins, but to educate the masses (how well it does that is a different topic).

  186. Peace of Mind by rastilin · · Score: 1

    Probably somewhat less than the value of a good book on zen buddhism. For the record I don't have a social security number because I don't live in America.

    --
    How do you kill that which has no life?
  187. Securing with fear by Eminence · · Score: 1
    You can secure something in two ways - by actually securing it (building barriers, posting guards, improving designs, educating users etc.) or by severely punishing anyone who breaks in, so severely that no others would dare to try.

    Of course, the best course of action is to do both. If you want something to be really, really secure that is.

  188. I like to think about my dog.... by jeephistorian · · Score: 1

    When I forget and leave the garbage bag on the floor instead of taking it out to the dump, and she shreds it into millions of foul-smelling pieces, I don't beat my dog. I take note and try to remember not to be so vulnerable.

    --
    Huh?
  189. You have to understand.... by Gardenhead · · Score: 1

    The Chicago Public School is completely backwards, and I'm saying this from personal experience. It's ridiculous how much they allow and limit on their servers. As long as the admins like the computer team, they can do whatever the hell they want, including running personal game servers and bringing in their own equipment. Most of the computer team executed DoS attacks just for fun. I'm surprised that this made national news, personally. God, CPS is so backwards.

  190. For a second there... by doctorjay · · Score: 0

    It looked like a couple of highschool kids stole a SSN (Silent Service Nuclear) submarine just because they could.. was worried for a second

  191. Actually, they didn't have to hack at all. by Anonymous Coward · · Score: 0

    They knew the necessary people to just walk in the front door. They could have known absolutely nothing about computers and walked right in. A great deal of people, including students at that particular school, have easy access to this information. All they needed was the proper password to get in, which was essentially handed to them.

  192. Aside from the spelling error... by leonbrooks · · Score: 1

    ...that's a true story. Some tests say I'm a genius, others that I'm quite average. Real life reflects neither.

    --
    Got time? Spend some of it coding or testing