HS Students Steal SSNs to Prove They Can

thatshortkid writes "Local news in Chicago is reporting about two Hinsdale Central High School students who breached their school's computer system and retrieved all of their peers' (plus staff's) Social Security Numbers. They claim they have destroyed the information and haven't given it out, but the SSA and FTC have been alerted for good measure. While they claim their motive was to prove that the breach could take place and no malice was involved, they face possible school disciplinary action and criminal charges."

ridiculous

[faldore]

They should be paying them not punishing them.

Re:ridiculous

[DustyShadow]

Breaking the law just to "prove you can" doesn't really fly. They would have been much smarter to just tell the school about the problem and then helped them to fix it. If the school ignored them, they could have easily made the issue public. High schools aren't very big so it's pretty easy to get the word about things. I don't agree that whistle blowers should be punished but these guys went past that point. These guys should be punished, and they most likely will.

Re:ridiculous

[davidesh]

This really shows the negative feelings that society holds for those who can "hack" systems.

lol that was great... you mean CRIMINALS
How about those folks who rob a convenience store to show their security holes... should we just let them off simply because they figured out how to do it and were caught? Yet they say oh, well we were going to return the money so it is ok and nobody was hurt.
Talk about flawed logic with your whole "We really need sane laws that do not allow some one to be prosecuted if there's no harm done". What a load of shit

Re:ridiculous

[maniac/dev/null]

Theres a big difference between whistle-blowing and breaking the law. Would you go into someone's house and steal their TV just to prove how ineffective their door lock is? HSs are rather small, if they spread word around, maybe at a PTA meeting, they might have gotten the same results without going to jail for computer crimes. Crime, even for a good reason, is still crime, and if we don't enforce the law all the time, we might as well not inforce it at all.

Re:ridiculous

[zerbot]

I disagree. Breaking into a system is not much different than breaking into my house. There is a ton of extremely sensitive data on a lot of systems. If I came home and found someone who had picked the lock on my house sitting on the couch watching TV, you'd better believe I'd call the police and press any charges possible. No harm/intent foo!

One of my daughter's friends keeps pressuring her to give out her passwords on various sites. I've suggested my daughter tell her friend, "You can have my password when I can have the key to your house."

Re:ridiculous

[networkBoy]

Then you are the exception.

I spend time in the back of a squad car for stating there were security problems at my school (back in 93, I was a Jr.) The Principal did not believe me, and I was asked by the "computer teacher" to demonstrate, which I did. Upon completing the demo, a change of my grade (downward, ironicaly) I was detained in the office pending arrival of the authorities.

I now have a job where I get paid for those same skills, and the thread starter is correct about paying the students. The problem is that HS staff does not like being shown that their charge (the students) have more power than them, which this demonstrates.
-nB

Re:ridiculous

[SeventyBang]

I hope the English teacher(s) got a shot at you as well: "I spend time".

The better thing to do [both then and now] would be to have someone from the media with the informer. If the "powers that be" choose not to "go along with it" while it's on the record, then that still leaves the door open for the story to explain what's possible, what's been offered, and what's been refused...and by whom. You cannot win 1 vs. the world. Adding the media to equation, particularly one who knows what they are doing, can even the stakes a bit.

The question begs: do you have to report these problems or is it a case of bragging rights - even if you are the only one who knows - so you will have cool stories on slashdot, blog entries, or magazine articles in the future?

As always, you have to pick your battles. But when you are forced into a battle, you have to decide which weapons to use and how. That's where the media is inserted into the equation.

Re:ridiculous

[shaitand]

If they spread word around, maybe at a Parliment meeting, they might have gotten the same results without starting a revolution. Treason, even for a good reason, is still treason.

Crime is not synonymous with bad, wrong, or evil.

Re:ridiculous

[zerbot]

You don't need to break into Microsoft or Apple's corporate computers. You can demonstrate on your own computer or someone else's with their permission. I'm not saying that publicizing security weaknesses is a bad thing, but going the route of breaking into someone else's property to expose a security flaw is stupid and unnecessary, and should be prosecuted. I've had to notify many, many people that their systems were either vulnerable or already compromised, and I have never "had" to resort to illegal acts to convince them of that fact, even when I was nobody to them.

Re:ridiculous

[MoneyT]

You deprive them of their privacy. Now their SSN is in the hands of someone whom they did not authorize to have such information. It doesn't matter if you do anything with it, but that you have it in the first place.

Otherwise, please give me your full name and ssn. I promise I wont do anything with it.

Re:ridiculous

[BackInIraq]

my school (i graduated 2001) had all kinds of vulnerabilities, but you know what. it's a school. they're understaffed as is, and they don't need to have expensive consultants coming in and auditing their network all the time to stop these kids.

Bullshit. If they can't properly secure their student's sensitive information (such as SSN's) then they shouldn't be storing it. Or they should store it on paper only, in a vault. I never fully understood why my high school needed my SSN anyway, and now that I see things like this happening I'm tempted to go back and make sure they don't still have it lying around.

It's one thing to be nonchalant with your employees information (though I'm not a fan of that either)...employees generally have a viable option (work somewhere else). Students generally have no choice as to what school they attend...they're going where their parents send them. Maybe they can drop out at 16, but by then their SSN could be stolen. There's a great way to start life...a high-school dropout AND identity theft victim to boot!

Re:ridiculous

[izomiac]

Well, most school network admins that I've encountered are rather arrogant about their security. If you explained how something *could* be done then they're just as likely to either ignore it or say the next software update will fix it. Exploiting it is a sure way of making them fix it, although ideally you probably wouldn't want to get caught.

As for businesses, what about all the exploits they don't fix or check for because their software is "good enough"?

Re:ridiculous

[NanoGator]

"How about those folks who rob a convenience store to show their security holes.."

How about an analogy that doesn't involve a gun to the face?

Re:ridiculous

[sydsavage]

Its not like you can use a number without any other proof of ID is it?

You'd think that would be the case. Unfortunately, the answer is no.

From this article:

The SSN and Identity Theft

The widespread use of the SSN as an identifier and authenticator has lead to an increase in identity theft. According to the Privacy Rights Clearinghouse, identity theft now affects between 500,000 and 700,000 people annually. Victims often do not discover the crime until many months after its occurrence. Victims spend hundreds of hours and substantial amounts of money attempting to fix ruined credit or expunge a criminal record that another committed in their name.

Identity theft litigation also shows that the SSN is central to committing fraud. In fact, the SSN plays such a central role in identification that there are numerous cases where impostors were able to obtain credit with their own name but a victim's SSN, and as a result, only the victim's credit was affected. In June 2004, the Salt Lake Tribune reported: "Making purchases on credit using your own name and someone else's Social Security number may sound difficult -- even impossible -- given the level of sophistication of the nation's financial services industry...But investigators say it is happening with alarming frequency because businesses granting credit do little to ensure names and Social Security numbers match and credit bureaus allow perpetrators to establish credit files using other people's Social Security numbers." The same article reports that Ron Ingleby, resident agent in charge of Utah, Montana and Wyoming for the Social Security Administration's Office of Inspector General, as stating that SSN-only fraud makes up the majority of cases of identity theft.

What I find interesting that no one seems to be questioning why a high school needs to have the students SSN in the first place. Personally, I think that the administrator that made the decision to put SSN's into a (now proven) vulnerable database should get at least the same punishment as the students who cracked it. And if they are using products that are known to have weak security, they should get double. Why was this database even connected to the net, anyhow? Honestly, the real crime here is the lackadaisical handling of such sensitive information, when there is no good reason for them to have students SSN's in the first place.

Re:ridiculous

[ScentCone]

The problem is that HS staff does not like being shown that their charge (the students) have more power than them, which this demonstrates.

Come on, it's not about power. The school system certainly doesn't like it being known that the information they keep about their students and staff is vulnerable to theft and manipulation - it doesn't matter who can do it. Students would presumably be the ones with most to gain by hacking their records, but identity theft is arguably a bigger threat when it comes to employment records and other data on the faculty.

But it's much more likely that a student will be bored enough, have enough time, and be allowed to physically have access to a machine on (or plug a machine into) the local network - so of course that's where the friction is going to be. And, since so many students imagine themselves to be in an adversarial relationship with the teachers, the staff has to be prepared to react accordingly. It's not about not liking a student having more "power," it's about not liking a student screwing around with sensitive data. High school students are notoriously lacking in almost any sort of judgement, and routinely fail to think through the consequences of their actions. This is often more true of the geek set, pleased as they are with their high IQ and skills, and distracted as they are from the daily tribulations of "normal" people (like teachers trying to maintain a career, health insurance, and a credit rating on next to no income).

And, of course, the odds that the staff of a particular high school have themselves chosen the network infrastructure, software, security model, and so on, upon which their daily system-based activities depend - pretty slim. But they've got to live with it, and when they catch a student deliberately breaking in, of course they're defensive. Hell, a student could also very easily break out a window of a science classroom to show that a determined thief could easily steal a microscope, what with the staff's ridiculous choice of obviously inferior mere glass as a deterrent. That doesn't make the staff power-obsessed when they bust on a student for putting that brick through the window.

Re:ridiculous

[ultranova]

Which means that you should take option three: Do nothing and let it blow up on the admins face. After all, if you warn them, and they do nothing, and it blows up on their faces, they have a scapegoat to blame for their incompetence: you.

Why risk anything for your school / workplace / country ? You don't owe them anything, and they certainly won't hesitate for a second if screwing you over ever becomes profitable for them.

If you absolutely have to warn them, do so in such a way that your identity can't be confirmed. If they ignore anonymous warnings, it's their problem, not yours.

Dumbasses.....

[Palal]

Unfortunately, people do not learn from others' mistakes. How many times have people broken into school databases only to be arrested! It does prove that you can break into a DB, but so what? Once again it goes to show you "no good deed goes unpunished!"

tough way to prove point

[Bananatree3]

While it may be an obvious way to get the schools attention on the matter, it is, as the article said, a good way to get yourself expelled, etc. Maybe if they took the issue with the IT staff, and showed them one-on-one how it could be done, they would not be in any harms way.

Re:tough way to prove point

"Maybe if they took the issue with the IT staff"

hahahahahaha... .. whew. oh... you were serious?
They would have probably gotten the kids in trouble for thinking about "hacking" into the computers. Those hacker kids are nothing but trouble you know. School IT staffs are a JOKE in 90% of schools, and don't give a damn or don't know a damn thing.

Re:tough way to prove point

[tftp]

If the IT people don't care, why then the students should? Their "good intentions" can be better spent elsewhere, like putting together old computers for charities.

Besides, as people already commented, it is stupid to commit a crime just to show that a crime of this sort can be committed.

They kind of deserve the punishment

[Zakabog]

I guess it kind of sucks that they're gonna get punished for this, but they deserve it. You can't legally break into someone's house just to show you can, they should have told the school (or some news stations) that they were planning to show how easy it would be to get into the system. Then under a controlled environment (with some type of supervisors there) they can show how easy it would be. That way everyone knows the attack is going on and the school knows what was done by the students rather than relying on their word.

Re:They kind of deserve the punishment

[EmbeddedJanitor]

Exactly so. 90% of the badness of being burgled is not that stuff was taken or tampered with, but that your private space was violated. This violation happens regardless of the violators intentions.

Being bust or not is not the issue. If they had been bust while trying to get in then they would have had no excuses. The broke in and that is bad.

Re:They kind of deserve the punishment

[ZorbaTHut]

On the other hand . . .

. . . imagine you're legally required to keep your electronics and jewelry in someone else's house. And not only that, but several hundred of your friends are too. And imagine that you know the security in this house is bad, and you've tried telling the owner of the house that your possessions are in danger, but he doesn't care. And you've tried telling the government that your possessions are in danger, but they don't care either. Your friends care though, and they're really frustrated knowing that all their possessions are in danger, just like yours, and that nobody seems to be able to do anything about it.

Maybe then you'd break in, to demonstrate it's possible, and get the owner of the house to tighten up security for the sake of you and your friends?

Re:They kind of deserve the punishment

[tftp]

Maybe then you'd break in, to demonstrate it's possible, and get the owner of the house to tighten up security for the sake of you and your friends?

No; I would have filed a civil lawsuit against the school. There are very good chances that the problem would be fixed in matter of hours - and I would get a useful experience in defending my rights in a completely legal way.

(I recall an old movie with Hulk Hogan where scenario of this sort was presented.)

Yup.

[beavis88]

Nothing will bring pain to you quite like making someone (or some organization) look foolish. Even if you probably are at least somewhat in the right.

yes,let the kids decide about your privacy

[Daffy+Duck]

Honestly, what a bunch of fuck ups. If you're trying to do a service by penetration testing, you at the very least notify the sysadmins of the vulnerability you plan to explore.

To go all the way through to stealing *everyone's* information, and then afterwards claim you only did it to help is bad judgment at best. In some states it's criminal.

Re:Over react much?

It shouldn't be, but since the SSNs are used for everything a person does for the rest of their lives, it should be included. As a reason not to use SSNs at Schools and the like.

would you?

[zappepcs]

Personally, this makes me wonder why I would ever give anyone my SSN, unless they can prove they will live up to their federally mandated responsibilities.

This just shows that most companies and governments cannot do so.

Not the Real Problem

[Dr.+Mu]

The real problem is not that SSNs are so easy to get but that possesion of another person's SSN gives one so much power to do ill. I think it's time that agencies and institutions quit relying on such a dubious means of identification as a key to perform transactions. Heck, some of them only require the last four digits!

I'm certainly not suggesting something as draconian as RealID. But it should not be necessary to keep one's SSN any more secret than the account and routing numbers printed on personal checks.

Re:Common Sense

[SimplyCosmic]

At the least, they should have made a very real effort to alert the school administration that this was a problem.

In that way, even if they were completely ignored, they'd at least have something to back them up when they make the futile claim that they tried all the normal means to make the school aware of the issue.

Sure, they'd still get in trouble with the school, but at least they'd have some credibility in the public's eye as doing this for a good reason rather than simply because they could.

Ask yourself: why is a high school using SSNs?

[brg]

What I think this incident really underscores is that high schools, where security is (unfortunately) likely to be lax, should not be using or storing students' Social Security numbers. High schools are perfectly capable of assigning unique ID numbers of their own to students wherever they are necessary; if and when their security is breached, the numbers are not useful for anything beyond the school's own internal databases.

Keeping SSNs around obviously can't be avoided for the school's employees (for tax and other reasons), but employee databases should be separate from student records, and there are far fewer employees than students anyway.

Basically, SSNs seem to have become the knee-jerk instant universal ID number for American firms and institutions of all sorts, which is a pity. It's best if we (as IT professionals) try to encourage the keepers of old databases to transition away from using them, and to strongly recommend that new databases not use them at all, wherever possible.

it's all about trust folks

[circletimessquare]

there will be a lot of teeth gnashing from slashdotters about this "injustice". usually because the average slashdotter trusts some anarchist high school students more than they probably trust their own police department. they will point out that a security system untested is never sound, and that this move will strengthen security. that better these high school students than someone with truly dark intent break in.

the problem has to do with what the word "trust" means. society at large doesn't trust an intelligent well-intentioned hacker (these students are hackers as in the old school sense if there ever was one, as opposed to the new school "hacker=terrorist" sense). but they DO trust a bumbling idiotic underpaid school administrator.

why?

it's about how the average slashdotter views "trust" and how society at large views "trust". the average slashdotter trusts intelligence, cleverness, technical literacy. but the average joe simply trusts accountability.

the school administrator's job is to keep security, he is trusted by society, paid by society to do this. he is accountable. the school administrator will be reprimanded by this breach, and the breach will be repaired. this is society at work. meanwhile, there is no social contract with the high school student. there is no trust. there is no accountability.

yes, security will be better because of what they did. yes, their intent is perfectly sound. but there is no trust, there is no accountability as far as the average joe sees it.

the lesson therein is for the average slashdotter then:

accountability is more important than cleverness.

to put it another way, the average joe doesn't care how technologically sophisticated the security is on their SSNs. the average joe just cares if THERE IS SOME ACCOUNTABILITY. so the SSNs could be on a text file on webserver, they don't care. the question si: is someone's job on the line for the theft? the average joe understands this concept: someone will suffer if my identity is stolen. there fore, someone out there is motivated to protect me.

meanwhile, these students have no social contract, no accountability. what is their intent? what is their motivation to do good by me? all i have to trust is their word, and i don't know them from adam. therefore, all that they have done for the average joe goes unheeded, unrecognized. the students helped the average joe, but the average joe sees them as criminals.

folks: gnash your teeth all you want, i'm just trying to give you all a heads up about the difference in thinking between the average joe and the average slashdotter. if you don't like what i am saying, don't be mad at me, don't shoot the messenger.

be angry that trust does not mean same thing to you and the average guy on the street.

Re:it's all about trust folks

[hyfe]

meanwhile, these students have no social contract, no accountability. what is their intent? what is their motivation to do good by me? all i have to trust is their word, and i don't know them from adam. therefore, all that they have done for the average joe goes unheeded, unrecognized. the students helped the average joe, but the average joe sees them as criminals.

The difference for the students is the one between numbers and people.
For the school board (or however you're organized over there), there is a case of '500 SSN's got leaked, oh well.. the bad publicity will cost us less than hiring competent people'.
For the students it's, 'holy shit, they're practically giving away our SSN's, I don't want my bank-account suddenly emptied'

The victims have an inherit motivation in not becoming fucked over. The overseer's main motivation is not being yelled at.

The way I look at it

[mcc]

If I ever found myself in such a situation, the way I would look at it is that my private space was violated by the people who put my personal information where it could be indirectly but publicly accessed, not the people who chose to take advantage of that.

Just a thought.

Re:The way I look at it

[TheFlyingGoat]

So if you forget to lock your windows when you leave one day and end up getting robbed, you won't blame the people that broke in? You'd blame yourself or the police department for not doing a good enough job with security?

Every time this argument comes up, someone tries using that line of logic. The fact is, though, that even though your actions were stupid, the burglar broke the law.

More about saving face (was:Dumbasses.....)

[Lead+Butthead]

They are being punished more for making the "adults" looked foolish than the severity of their mischief.

Re:More about saving face (was:Dumbasses.....)

I entered the gifted program in 4th grade. I was one of the top people in the gifted program. I went to college a year early. I graduated at the top of my ME class by a fair margin.

My teachers liked me. I learned what they were teaching and looked like I would go on to be a useful member of society. Maybe I didn't need them like the other students did, but I never held it against them in any way. I showed up and paid attention.

It has little to do with intelligence, and a ton to do with attitude. If you are a dick, it doesn't matter how smart you are. I don't know you, and therefore I won't try to evaluate your personality, but I have to question why you went to this school if it wasn't going to challenge you. Did you 6-day that class just to prove you could, or to show that the class was pointless, or to show that you were smarter, or because you weren't interested in it and figured that was the easiest way out? For classes that interested you, did you show up and study, or did you skip those too, because you could pass without doing anything? Arrogance is unbecoming.

Re:More about saving face (was:Dumbasses.....)

This is off-topic solely to the parent of this post:

It is truely funny how age sometimes diminishes this attitude.

Growing up, I always knew I was 'smarter' than others, and even when I was tested I knew +3SD meant that I was smarter that 99% of the rest of the kids (atually only ~.3% are smarter than you at this point, +2 only give you advantage over 95%).

I got into a lot of physical fights with my 'peers' (the quotes are as envisioning the past) and I had a lot of verbal fights with my instructors. I thought both were idiots and I didn't feel the need to hide my contempt.

But guess what? I had no clue about the real world. I could figure out facts and statistics, but I had no clue how this related to anything at hand. I'd blame the others around me for being jealous or threatened. Some of the students felt threatened because I was a big guy, I am now 6"3 before I put on my redwings...and while I didn't like to fight, I didn't back down and I didn't stop til the other guy was on the floor. Teachers? I made sure I learned everything I needed to prove that I was smarter so that I could correct their laymans explanations in class. Sure, we are studying at grade school education, but fucking shit, I expected the instructor to explain it to us as if we were postdoctoral students, even though I was probably the only one that had knowledge of this subject.

Like you, I can make 85% in courses without trying. After a dozen other failed degrees (I'd get bored...eventually settled for gen ed degree as I had the credit hours), I am working on a degree in psychology and its amazing that my peers study like motherfuckers and yet with only picking up the book midsemmester for an hour, I came off just under 2 points from a friend that is working on his masters as well -- everytime I call him to see if he and his girlfriend wants to go for drinks on the weekend, its generally just me and her because he is too busy studying.

The one thing I am learning in my jaunt in psychology is that very few understand the 'gifted'. The population just can't support it. We are on our own.

What would I have done differently? I would have not assumed I knew the answers, even if I did, but would have learned to ask less pointed, better questions. I would have learned to understand others takes on the world. I would have learned that the facts do not always make up the truth and vice versa. I would have learned individual experience is far more important than the end.

Who wants to teach someone who already thinks they know the answers? That should be your end statement. It sounds as though you haven't come to the conclusion that you aren't the shiniest apple in your basket yet? You might have in the past, but there will always be someone better and a bushel where you are only average. I place myself into situations like this all the time. I don't want to be the smartest because I will never learn. I surround myself by folks much smarter and I challenge myself even though I don't get what they are saying half the time -- and once I do, I find another peer group.

No one killed your inner spirt but yourself. Stop blaming others and get on with life. If you aren't challenged, that is your fault. Stop being the picked on geek because a lot of us have been there and we got over it. Some of us never get over it...don't be one of those people because they you will have proven that the others were right and you were wrong.

By the by, the one area I was never great in was grammar or spelling as noted by this post.

Re:More about saving face (was:Dumbasses.....)

"nessisary"

Obviously didn't major in English.

As a teaching assistant at university for two years and as a part time trainer and "mentor" every since, I can tell you I much prefer to have students who get what I'm saying.

I got over 85% for courses that I did little study for and just scraped passes in courses I spent a lot of time working on. Some of the courses that most people I knew found easy I found difficult, some of the courses most people found difficult I found easy.

Your ability to get a good grade in one course does not make you particularly intelligent. Your apparent inability to realise you sound like a fool boasting about getting one good grade makes me think that you perhaps don't have a well rounded intelligence anyway.

I got a few stunningly good grades and a few stunningly bad grades. I beat a friend of mine in an exam once and she went on to get the highest GPA of anyone graduating from the entire university that year. Do I think I'm more intelligent than her? Of course not.

"The government does not do enought to help "gifted" students. By grade 4, i had learned to shut up and stay put. They killed my inner spirit."

Poor baby. I'm not normally a fascist like this but you need to get over it and realise that you aren't as smart as you think you are.

Re:Notation?

[lachlan76]

if they can't or won't take care of it, there's nothing compelling you to do it for them.

Having my data on their servers seems compelling enough...

high schools are resource-constrained

[Infonaut]

High schools are perfectly capable of assigning unique ID numbers of their own to students wherever they are necessary

From my experiences doing pro-bono work at four different high schools, I'd say that most of them barely have the capability to deal with the most rudimentary data management tasks. I'm not saying this to be dismissive of schools or the people who work there, but they are in many cases so short on human and technology resources that creating and managing unique IDs for each student isn't something that would even cross their minds.

The SSN is, as you mentioned, the knee-jerk instant universal ID number precisely because it requires no extra effort. This is not a good situation, but it has come about because there is no compelling reason (that many institutions can see) to devote extra time and effort to coming up with alternate ID schemes for schools.

Cover up

[panurge]

Trying to get into places they shouldn't, whether it is safes or knickers, is something that adolescent boys are programmed to do. Anybody responsible for school systems has an obligation to understand this and deal with it. This is nothing to do with social relativism, as the more fascist /.ers seem to think: it's elementary precaution. Regardless of the motivation of the hackers, the people responsible for the system should be required to be trained in security (and perhaps be downgraded till they had passed their exam) because they failed to take account of something widely known in education. If the zoo keeper leaves the doors unlocked on the lion cages, the lions may escape and end up having to be shot, but what about the zoo keeper?

The truth is the lazy, idle and incompetent always prefer the cover up to the fix. Whether it is the Roman Catholic church and child abuse, torture at Guantanamo Bay, or security holes, the people in charge will conceal rather than cure. Two examples from my own career:

I was once asked to investigate the apparent failure of an automated component test system. Eventually a review of the hardware and software left the only option as being that the production personnel were deliberately falsifying results and passing rejected batches. Result: three senior managers demanding I be sacked. Fortunately at this point we acquired a new CEO who had several clues. One manager was fired, one left of his own accord and the other was downgraded. But customer confidence had been eroded and the plant eventually had to be shut down. The second example was less exciting: a production director who resisted for years the introduction of statistical process control because it would make clear where systems were failing.

I'm sure many of us have similar examples. It is not in fact important what the motivation of the whistle blower is, we need to change the culture to one in which the response is "Fix it", not "shoot the messenger". With hindsight, we may one day conclude that the tradition of open bug fixing is FOSS is its greatest social legacy.