Slashdot Mirror
HS Students Steal SSNs to Prove They Can
thatshortkid writes "Local news in Chicago is reporting about two Hinsdale Central High School students who breached their school's computer system and retrieved all of their peers' (plus staff's) Social Security Numbers. They claim they have destroyed the information and haven't given it out, but the SSA and FTC have been alerted for good measure. While they claim their motive was to prove that the breach could take place and no malice was involved, they face possible school disciplinary action and criminal charges."
They should be paying them not punishing them.
Unfortunately, people do not learn from others' mistakes. How many times have people broken into school databases only to be arrested! It does prove that you can break into a DB, but so what? Once again it goes to show you "no good deed goes unpunished!"
-Palal
While it may be an obvious way to get the schools attention on the matter, it is, as the article said, a good way to get yourself expelled, etc. Maybe if they took the issue with the IT staff, and showed them one-on-one how it could be done, they would not be in any harms way.
I guess it kind of sucks that they're gonna get punished for this, but they deserve it. You can't legally break into someone's house just to show you can, they should have told the school (or some news stations) that they were planning to show how easy it would be to get into the system. Then under a controlled environment (with some type of supervisors there) they can show how easy it would be. That way everyone knows the attack is going on and the school knows what was done by the students rather than relying on their word.
How can the exploit be fixed if the administartion will not admit it exists. These individuals should not receive punishments. If anything, they should receive jobs at their school. It's sad, but it seems High School computers are being ran more by pointy-haired bosses than actual IT individual. I just hope the trend can curb and go back to where data can be secured again in academic institutions.
Just because you can doesn't mean you should.
I know people will come on here and say "OH but the administrators probably wouldn't listen so they had to do this to prove how serious it was". I'm sure if they followed good procedure and presented a good presentation to the Board/etc they would of gotten a better reception then what they did.
Your hair look like poop, Bob! - Wanker.
Nothing will bring pain to you quite like making someone (or some organization) look foolish. Even if you probably are at least somewhat in the right.
Honestly, what a bunch of fuck ups. If you're trying to do a service by penetration testing, you at the very least notify the sysadmins of the vulnerability you plan to explore.
To go all the way through to stealing *everyone's* information, and then afterwards claim you only did it to help is bad judgment at best. In some states it's criminal.
Good, throw them in jail.
Those miscreants are a danger to society, and consider the cash value of all of the damage that they have done, not to mention the bruised egos!
They are terrorists, and should be executed!
</sarcasm>
It shouldn't be, but since the SSNs are used for everything a person does for the rest of their lives, it should be included. As a reason not to use SSNs at Schools and the like.
These two men broke the law to prove a point they held dear. I feel they did the right thing, but the law does exist and they may be punished. I hope that the judge presiding over a potential criminal case still has discrection to choose the punishment should they be found guilty of a crime. If they should be found guilty and sentenced, we should do our best to provide what support we can.
What did Jefferson say about the tree of liberty and the blood of martyrs? Perhaps a bit over the top, but I feel the sentiment is appropriate.
Blar.
Personally, this makes me wonder why I would ever give anyone my SSN, unless they can prove they will live up to their federally mandated responsibilities.
This just shows that most companies and governments cannot do so.
Support NYCountryLawyer RIAA vs People
I'm certainly not suggesting something as draconian as RealID. But it should not be necessary to keep one's SSN any more secret than the account and routing numbers printed on personal checks.
To prevent being expelled just send the SSNs to the IT administration through anonymous snail mail. Explain how you broke in, and hopefully they will fix the problem.
Keeping SSNs around obviously can't be avoided for the school's employees (for tax and other reasons), but employee databases should be separate from student records, and there are far fewer employees than students anyway.
Basically, SSNs seem to have become the knee-jerk instant universal ID number for American firms and institutions of all sorts, which is a pity. It's best if we (as IT professionals) try to encourage the keepers of old databases to transition away from using them, and to strongly recommend that new databases not use them at all, wherever possible.
there will be a lot of teeth gnashing from slashdotters about this "injustice". usually because the average slashdotter trusts some anarchist high school students more than they probably trust their own police department. they will point out that a security system untested is never sound, and that this move will strengthen security. that better these high school students than someone with truly dark intent break in.
the problem has to do with what the word "trust" means. society at large doesn't trust an intelligent well-intentioned hacker (these students are hackers as in the old school sense if there ever was one, as opposed to the new school "hacker=terrorist" sense). but they DO trust a bumbling idiotic underpaid school administrator.
why?
it's about how the average slashdotter views "trust" and how society at large views "trust". the average slashdotter trusts intelligence, cleverness, technical literacy. but the average joe simply trusts accountability.
the school administrator's job is to keep security, he is trusted by society, paid by society to do this. he is accountable. the school administrator will be reprimanded by this breach, and the breach will be repaired. this is society at work. meanwhile, there is no social contract with the high school student. there is no trust. there is no accountability.
yes, security will be better because of what they did. yes, their intent is perfectly sound. but there is no trust, there is no accountability as far as the average joe sees it.
the lesson therein is for the average slashdotter then:
accountability is more important than cleverness.
to put it another way, the average joe doesn't care how technologically sophisticated the security is on their SSNs. the average joe just cares if THERE IS SOME ACCOUNTABILITY. so the SSNs could be on a text file on webserver, they don't care. the question si: is someone's job on the line for the theft? the average joe understands this concept: someone will suffer if my identity is stolen. there fore, someone out there is motivated to protect me.
meanwhile, these students have no social contract, no accountability. what is their intent? what is their motivation to do good by me? all i have to trust is their word, and i don't know them from adam. therefore, all that they have done for the average joe goes unheeded, unrecognized. the students helped the average joe, but the average joe sees them as criminals.
folks: gnash your teeth all you want, i'm just trying to give you all a heads up about the difference in thinking between the average joe and the average slashdotter. if you don't like what i am saying, don't be mad at me, don't shoot the messenger.
be angry that trust does not mean same thing to you and the average guy on the street.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
If I ever found myself in such a situation, the way I would look at it is that my private space was violated by the people who put my personal information where it could be indirectly but publicly accessed, not the people who chose to take advantage of that.
Just a thought.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
They are being punished more for making the "adults" looked foolish than the severity of their mischief.
ELOI, ELOI, LAMA SABACHTHANI!?
if they can't or won't take care of it, there's nothing compelling you to do it for them.
Having my data on their servers seems compelling enough...
Why does a public high school even need your SSN? I can understand them needing the staff SSNs for payroll, but why do they need a kid's social security number?
Does anyone know? It's not like the students are paying any taxes towards social security through the high school
I can't speak for other places, but in New Hampshire, license 'numbers' follow a predicatable form -- if I know your first name, the first letter of your first name, and your DOB, I can tell you your license number. (In 99.9% of cases; the last digit gets incremented if it's a duplicate.)
I can't honestly say I check it frequently, but looking at the license number provides a good quick check that the card isn't a blatant fake ID.
If part of your license is covered over, I'd be really suspicious of what you were up to.
________________________________________________
suwain_2
In a civilised country where personal data was actually protected and where personal responsibility existed, such an event would have generated very pointed questions of the people who failed to protect vital personal information for hundreds or thousand of students.
The focus on sound bites denouncing petty criminals makes a convenient smokescreen to avoid them though.
Nihil Illegitemi Carborvndvm
It's just time to quit using SSNs as personal secret passcodes. In some ways, it's good. At what percentage point of compromised SSNs will it stop being used for its present purposes? A few hundred is just a drop in the bucket, but it happens every day. Eventually, SSNs will be meaningless. Like a phone number, at which a slightly better system will (hopefully) be devised.
What changed under Obama? Nothing Good
From my experiences doing pro-bono work at four different high schools, I'd say that most of them barely have the capability to deal with the most rudimentary data management tasks. I'm not saying this to be dismissive of schools or the people who work there, but they are in many cases so short on human and technology resources that creating and managing unique IDs for each student isn't something that would even cross their minds.
The SSN is, as you mentioned, the knee-jerk instant universal ID number precisely because it requires no extra effort. This is not a good situation, but it has come about because there is no compelling reason (that many institutions can see) to devote extra time and effort to coming up with alternate ID schemes for schools.
Read the EFF's Fair Use FAQ
"Your house is not secure. I can prove it to you. All I need is a rock or baseball bat and I can show you that I can get inside." Yay! Now I won't get arrested! - just because it's tech doesn't mean that the laws don't apply
The truth is the lazy, idle and incompetent always prefer the cover up to the fix. Whether it is the Roman Catholic church and child abuse, torture at Guantanamo Bay, or security holes, the people in charge will conceal rather than cure. Two examples from my own career:
I was once asked to investigate the apparent failure of an automated component test system. Eventually a review of the hardware and software left the only option as being that the production personnel were deliberately falsifying results and passing rejected batches. Result: three senior managers demanding I be sacked. Fortunately at this point we acquired a new CEO who had several clues. One manager was fired, one left of his own accord and the other was downgraded. But customer confidence had been eroded and the plant eventually had to be shut down. The second example was less exciting: a production director who resisted for years the introduction of statistical process control because it would make clear where systems were failing.
I'm sure many of us have similar examples. It is not in fact important what the motivation of the whistle blower is, we need to change the culture to one in which the response is "Fix it", not "shoot the messenger". With hindsight, we may one day conclude that the tradition of open bug fixing is FOSS is its greatest social legacy.
Panurge has posted for the last time. Thanks for the positive moderations.
This is the stem of all security problems.
If you DO blow the whistle, unless you have some SERIOUS clout behind you, chances are most people aren't going to listen to you. (See: Microsoft).
If you DON'T blow the whistle, do nothing and have a vested interest in the company/school then you risk having your money/time lost due to SOMEONE ELSE taking advantage of a flaw you knew about.
If you DO blow the whistle and try to gather attention to it by TAKING ADVANTAGE of the exploit, you SERIOUSLY risk being arrested yourself. (White hackers, black hackers, its all the same in the eyes of the uneducated masses!)
Etc, etc, etc. The list of what you can do and how ineffective it will ultimately be goes on. You can't go public or they slam you for trying to ruin their reputation. You can't go directly to the people cause they ignore you. You can't 'white hacker' them cause they slam you anyway. You can't ask for advice on Slashdot cause Slashdot is a wide, niche audience and is largely ineffective due to city/state/nation/international law differences. Its damned if you do, damned if you don't, damned if you ask for help and damned if you do nothing about it.
The reporter in this story clearly does not have the razor sharp awarness of what causes people to panic, like say a CNN headline writer does. But sooner or later someone will realize that these kids that got caught/came forward, are the ONLY ones in that school you DON'T have to worry about. It's the other 30 or 40 that already hacked the system or better yet, are trying it right now.
Haven't people learned, by now, that even if you have the best intentions at heart - doing this things will result in you getting in trouble. If you really want to test the security of an organization, get their upper management authorization (hell you could even make a profit).
If they were smart about it (and they have to be somewhat smart to do this) they could have spoken to their principal/advisor and gotten sanctions to do this - potentially earning some kind of HS credit or an award from the the school.
I mod down so you can mod up. Your welcome.
well it was still an illegal act. what if they had bought drugs on campus to demonstrate that it was possible and then turned around and gave the drugs to the police or administration? It's still illegal. They say they destroyed the SSNs/gave back all the weed, but who really knows. What if they sell the HD the numbers were stolen from and someone recovers them?
They could have done a little to cover their butts, like notifing a teacher ( anonymously ) about the intended act so there was foreknowledge they meant nothing about it, or even going to the principle and telling him the system was insecure and that they'd like to prove it.
"Not knowing when the dawn will come, I open every door." - Emily Dickinson