Slashdot Mirror
HS Students Steal SSNs to Prove They Can
thatshortkid writes "Local news in Chicago is reporting about two Hinsdale Central High School students who breached their school's computer system and retrieved all of their peers' (plus staff's) Social Security Numbers. They claim they have destroyed the information and haven't given it out, but the SSA and FTC have been alerted for good measure. While they claim their motive was to prove that the breach could take place and no malice was involved, they face possible school disciplinary action and criminal charges."
Okay, I understand that what these kids did was stupid, and serious, but is it really necessary to include quotes like this...?
"When we grow up and get our jobs, that's our life right there. They can access anything about us. It just screws us up for the rest of our lives," said Julianne Junus, student.
would anyone have listened to them if they hadn't gone public?
If kids can do it, why would this be a problem for the kids? Shouldn't it be publically shown that the system was insecure, not that it was breached?
When is it that our governments will be responsible?
just a thought....
Support NYCountryLawyer RIAA vs People
Often high school IT departments aren't that...trained in security.
There was an isuse at my school for over 2 years with anonymous ftp login to their server, databases for the grading software, and the web server.
Telling the IT department this at least 10 times never got anywhere because "who would actually do anything bad"
Eventually the website got defaced. It was then fixed..
Sometimes it takes a problem they can see before they'll actually fix it.. And a defaced website, is a problem they can see.
We wore our social security numbers around our neck in our county.
Sure, it was after the Columbine crap and during all of the security increases, but tell me what kind of security is requiring all of the students and faculty to wear ID tags with Code39 encoded social security numbers around their neck due to pure lazyness and neglegence?
It's really easy to memorize Code 39, it's a * characters and numbers 0-9, so I'd ask the teachers and the vice principals to let me see their ID for a second and then hand them their social security number.
Security my ass.
Copying the openly readable, unencrypted database (say in MySQL) and parsing for XXX-YY-ZZZZ found to be hacking?
Well, for one, it is public knowledge that the SSN X's (in my representation) are in fact, state codes. I have some reason to believe that the Y might be county or some sort of district code, but I cant be soo sure unless I'd gather enough SSN's and location of birth
Yes, the mail center in which you were born is what the state code is attributed to, not the actual locale you live in. Say your parents lived in Phoenix, Arizona but went on a trip to New York City. The baby's SSN would start with 050 to 134, NOT the Arizona 526 prefix.
Well, hope this sparks up some replys (and mod points! yay mod points!)
I had the "fun" of working in our school's server room my freshman year. We had the servers get hacked at least twice.
The first time was a simple brute force attack on a AppleShare server, because the main admin refused to put a limit on the number of password attempts because it was too inconvient to have them simply go up to an admin and reset their password, despite that's more or less exactly what would have to happen if someone forgot their password anyways. I found out that year who had done it, but congratulated the person.
The second time it was because the rather ancient admin password leaked out and they were able to use that to not only get into the teacher's file server but also the SASI server with all the grade data! Why did we use this password? Well be cause it was tradition! I found out only a couple months ago who did this, he didn't
There's so much incompetence at so many High Schools it wouldn't surprise me if it was something as simple as a server that hadn't been patched in ages. Aren't you glad to know that these are the people with all your insensitive data? As it stands at my college they use SS#s for *everything* even though they probably shouldn't.
I support punishment of the administrators who did not sufficiently secure that sensitive information. I also support to a lesser degree the punishment of the children who stole the information. However, had that event not taken place, some less scrupulous children might have misused the information that was so easily stolen.
Most databases and file servers have permissions systems in place that can authenticate by host and IP range. Most administrators assign different IP ranges for different purposes - staff should be different from student-accessible. Also, multiple passwords are required in most systems to access sensitive information: computer login, network login, database login. Passwords are also supposed to change often. Why were these precautions not taken, and why did the admin not notice anything suspicious until it was too late?
Never underestimate 15 year olds. Why? First, they have WAY more free time than any of us working folk. Come on. They get home at 3, and have maybe an hour or two of homework to do sometimes, then they stay up until 1-2 AM. Second, there are a lot of them for every administrator at any school. Third, they are hormonally imbalanced and do irrational stuff to prove irrational points. They can exploit all of those points to their advantage at almost no notice. I did, you did, most everyone did.
Someone needs to be made an example to prevent this sort of thing elsewhere. I think the administrator is the best choice, personally.
But that "car" is a publically-owned bus.
If there were faults YOU knew about that bus, and let others ride on it knowing that injury might result, you would be at fault morally, and perhaps legally and crminally.
How is this different than the shock-journallists on the local news finding "naughty no-no subjects" and then prodding them until they're fixed? Our local (Indiana) problem is the channel 8 news WISH was going over the VX gas stockpiles and how the military was letting the barrels corrode and stuff. Investigator-8 pretty much drew maps on how to get to the VX stockpile.
And yes, because the big media attention, they're just now starting to incenerate the stockpile.
Where did you go to school? They actually teach college students about money management and how to improve your credit score. Don't post where it is, Discover will go there, and dump credit cards until they ruin a good thing.
In my experience, most college students do more harm to their credit scores in college then they can recover from in 10 years. Maybe 20 they could recover from. Most people leave college so debt laden it's silly. Credit card companies prey on students on college campuses. I was always shocked at home many places on campus had credit card offers. Remember, college is the new high school. College in the 1960's was a 25% of HS grads went. Now it's more like 75% go. Going to college isn't the indicator it used to be.
I happen to have decent credit, but that has a lot more to do with watching my family memebers have poor credit, and poor money management. I sure didn't learn a thing about it in college.
Kirby
Jesus. My ID has it printed right on it. If you forgot your ID, you had to tell them your social to get lunch.
For goodness sake, anyone who's seen your driver's license -- say the bartender at whatever club or whatever -- can open a credit card under your name, and from that point on you're pretty much screwed. There is no reason that SSN should be legal proof-of-identity, because it's absurdly easy to steal.
I used to read Caltizzle. I was a lot cooler than you.
Besides, breaking into systems without permission just to show they are insecure isn't necessary.
Oh, sure it is. Back in university, I read a newsgroup post by a system administrator that insisted that Sun's Yellow Pages were a secure way to manage passwords. I sent him a copy of his password file and his ypserv went down in a blink. If instead I gave a long technical explanation, he would likely just ignore it.
And today companies like Microsoft and Apple ignore critical security flaws until someone provides an obvious exploit on a public web page. What is not necessary is causing damage or using any information obtained for personal gain.
Once in high school, and once again in college, I discovered that the school's directory (Novell NDS and Microsoft Active Directory, respectively) was populated from the student and employee databases (which used the SSN as an "ID number"*) and that the somewhat naïve admins stored these numbers as world-readable attributes accessible through advertised LDAP servers.
Both times, I made discreet telephone calls to sysadmins I knew, who were somewhat embarassed that I knew more about permissions than they did, but fixed the problems.
I never got in trouble--everyone involved already understood that I would keep my mouth shut unless the problem wasn't fixed promptly, in which case my complaints to the Trustees or the U.S. Department of Education would've cost some people their jobs.
(* As a regular reader of the RISKS-DIGEST even at that age, I had already demanded that my own SSN not be used for that purpose; substitute student numbers were assigned.)
I actually went to a college that had email addresses in the form of stu_xxx-xx-xxxx@western.edu. And to make matters worse the school couldn't understand why I refused to use their email.
Restore America: Dr. Ron Paul for President!
Also in Fort Bend ISD (which is in suburban Houston, TX), the cash registers in the lunch room are a bunch of specialized serial terminals connected to a Linux box on the network at each school.
Each of these boxes has telnet open for administration of the system by the lunchroom manager or system administrator. You can get into the system with NO PASSWORD to mess with the system, change the prices of food, and probably even get access to the accounts of students who are on low-income assistance from the government.
Like I said, Fort Bend ISD is a pitiful joke. I have an acquaintence who informed FBISD about a comprimised IIS server. They refused to patch the publically facing box that said "Hacked by Chinese" because the box was too slow to run Norton Antivirus (I guess re-installing the OS was beyond them?). This remained for a year until that person posted here on Slashdot about the infected machine, which resulted in emails to the school superintendent which got the box fixed almost immediately. In retaliation, the IT staff tried to break into his home Linux box.
Funny stuff.
When it comes to data, I'm wondering what possession actually means. Specifically, say I have a list of SSN's as S, and I apply an encryption function encrypt(), they become encrypt(S). Given only encrypt(S), am I illegally possessing data? Taken one step further. Clearly, applying decrypt() to encrypt(S) gives me back S. Assume I have some data D. If I can arrive at a function decrypt() that can turn D into the original S, shouldn't D be as illegal as encrypt(S)?
As a realistic example, imagine I was able to write a function decrypt() such that it could turn a text file of one of the works of shakespeare into a list of social security numbers. Would then, all people who have a text version of said shakespearean work be in possession of illegal material?
Quite honestly, if you take this to a logical extreme, no matter what the input data, given the ability to write any function, the output data could be anything you could conceive. What if your function is simply the concatenation of "illegal" data to the output. Would then the "reverse engineering" of said "encryption" function be illegal according to the DMCA? It is a "security device" at this point, right?
This all boils down to the difference between data and functions on data. It is illegal to hold certain data. But what if we lable data as functions on data. In fact, security device functions on data. Could we then distribute the functions and make it illegal for people to reverse engineer the functions without permission?
mp3's are only for those with bad memories
The scary thing is until very recently (last semester) this information on every student included home phone numbers *and* Social Security numbers. Don't go to my school if you value your privacy. Our IT department is stuck in 1999.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
Do you think either Microsoft or Apple will take me on my bet? Will their customers be any safer because they refuse? When people are negligent about security and are putting others in danger (say, by exposing employees' private info or participating in a zombie net), someone bringing it to attention of everyone affected in a convincing manner is a good samaritan. Court made a mistake in Randall Schwartz's case, and we should fight it rather than cower. So far most people who publicized security weaknesses as a public service or even for personal fame haven't been bothered.
I'm not from the US and now I have to get this explained. I'm not trolling. I can't really understand how SSNs are supposed to work.
The SSN seems to be a number identifying a person. (We have that where I live too.) But somehow, this number is assumed to be secret, like a password. If yout can learn the number you can access anything about the person and you also seem to be able to hurt the person financially. Withdraw funds? The security seems to revolve around the fact that the number (the identity of the person) is secret! Because everyone here seems to be upset that these kids expose all those numbers!?!? This boggles my mind.
Are there no other attempts at authentication? IDs? If your SSN is your password, how do you change it? (I would like to have it changed several times a year, no matter what if there is no other security than secrecy.) Can someone explain?
)9TSS
If the IT people don't care, why then the students should?
To keep others from getting access to their SSNs?
I know I had a definite issue with having others not take appropriate measures to keep my SSN private while I was in college. One of my professors insisted on posting grades on the wall outside the classroom with grades listed by social security number. By law (I think it's law...either that or school policy), they can't do that unless you sign a paper saying that they can, which I would never sign. The problem was that the teachers rarely check to see who signed the paper. So I had to complain over and over again. Some times it's a real pain in the ass to keep your SSN private...
I am, however, not advocating illegally breaking into computer systems to point out flaws. The mature thing to do would be to point out the flaws privately to the school's administration or IT staff, and if they ignored the notice, then I would make public the fact that they ignored the notice of the flaws (without exploiting them, or publicly pointing out exactly what the flaws are, which I believe is illegal).
ZuluPad, the wiki notepad on crack
And if they had done this they would be
The only way to demonstrate that you can download social security numbers is by downloading social security numbers. I should point out explictly that I'm not defending these kids. As I've said elsewhere in this thread, the real criminals (as opposed to these petty criminals) are the people who fail to protect such information. Moral criminals, anyway, since the US lacks data protection laws of any significance.
Nihil Illegitemi Carborvndvm
As much as this shows up in the news, you'd think people would learn. In PA right now, there's a guy in the education department who wants to record all of your grades (per subject, per year), as well as statistics on your home life and any disciplinary problems. This will then follow you around for as long as your in school, not just highschool. The supposed purpose is allowing the teacher to bring up everything about you so they can better accomodate you. I can't imagine if all that information were to get into the open.
I sent this to District 86 in Chicago:
Dear Superintendent Miller,
I am sure you have been receiving a barrage of e-mails recently, so I'll make this short.
Recently I read about two of your students attending Hinsdale Central High School breaching network security and the stealing Social Security Numbers for students and staff. While I do not believe that stealing the SSNs was appropriate, I do not support the way your administration has handled the situation.
A communal perspective needs to be taken when looking at the actions of those two students. Often drastic measures, both vulgar and offensive to those in charge, has to be taken. At this moment the citizens of Arizona are spitting in the face of the government by protecting their on boarders. This is not very different from what these two students did at HCHS. While they did break the law by cracking though security, they were trying to protect the student body (including themselves) and the staff by alerting the school of its flaws. Lets say someone was to break into their bank and steal their safety deposit box, and then handed it back to the bank manager the next day. An conceited bank manager wouldn't be able to see the good in what this man had done and would call the cops. However, an intelligent bank manager would hire this man.
Also, I am well acquainted with system admins in school districts. A close friend of mine has been one of the head network admins for the Boston Public Schools for almost 15 years. While he works with gifted students to patch holes in security, many of the other admins disregard student warnings. They let their titles, status, and education get in the way of common sense.
Punishing these students is just another way that red tape and policy is destroying ingenuity in America. Strictly disciplining these students will only perpetuate the notion that students in America should strive for mediocrity and that being bold and initiating change should be shunned.
- Xxx Xxxxxxxxx-Xxxxxxx
"Man, I am so unbelievably stupid."
What do you think they were doing? To me it smells like attempted grade changing. Maybe they wanted to make/obtain fake IDs with that personal information so they could purchase alcohol. Maybe they wanted to dig up dirt on teachers, administrators, or students. I'll tell you what it wasn't: testing computer security. They did this act months ago, and they didn't come forward either (they were caught by the evidence they left behind).
I also differ in that I don't see them as "kids" but young adults. "Kids" implies that they really didn't understand the consequences of their actions.
If you copy some SSNs, you are depriving no one of anything.
So put up or shut up, in support of your argument; post your real name and your SSN.
Stealing an SSN is depriving someone of peace of mind. What's the value of that?
Making the world a better place, one psychotic episode at a time.
Although I graduated several years ago, I don't doubt such a thing happened. Would you believe that they actually used your initials and the last 4 digits of your social security # as a hard-coded unchangeable password for all staff, faculty, and administrative accounts, assumable some with access to this stolen information? For the students, at least when I was there, the last 4 digits were substituted with the last 4 digits of your student ID. As you an imagine, this also was about as secure as the last 4 digits of your credit card number. Rumor has it that many years ago someone hacked the system and changed the principal's paycheck to 86 cents in resemblance of the school district #. Figures.
If they had plan, and a means to carry out said plan, then they should have gone to the media first.
Seriously. If these kids had cornered a reporter, made an argument for his/her involvement and brought along said reporter with the promises of an exclusive, their ass would be automatically covered. The presence of the media would have proved they were whistle blowers and not some renegade "vigilantes" that got caught in the act. Nothing could prove different once the film and commentaries went to air.
The moral is....Once you decide to show some self centered egotistical bastard which way the wind blows....bring a weathervane.
Be Safe! Sleep with a Marine. Semper Fi!
As for someone here saying that they should report to the system admins first before testing the security, of course they should, but it is not always easy, and we should not expect these high school students to think that much. If you stumble into a page where you can enter arbitrary SQL, surely it looks very wrong, but there is still a possibility that the admin had simply revoked any privileges of that test account, instead of removing the test page, when the system went into production, therefore before you do a "SELECT * FROM students" and see something wrong, you cannot be sure that a security hole exists.
If I were the schoolmaster, I think I will explain to the students that, I understand the crackers' intentions are good, but what they are doing is still causing more harm than good, so they will receive neither praise nor punishment for this time, but they should swear that the SSN data are destroyed, and such action is strictly prohibited from now on. As for the website, if the school do lack the expertise to fix it, the system admins should publicly admit that the system has serious security problems, ask the students not to do such cracking again, and they should welcome any student who can and is willing to work with them to fix the problem.
A lawsuit with no evidence is not going to get very far. How will you prove that information is not secured? You would have to test it by trying to break in, in order to prove your case. That is what the students should have done, then after they have the evidence, they should go to court.
Oh wait... that's what happened.
I'll probably be modded down for this...
Depriving people of privacy is a crime? Wow. Didn't know that one.
google://FERPA
check it out. If the database was leaking SSNs, I'm sure pretty much everything else was falling out too.
my sig's at the bottom of the page.
modparent up,
Students who demonstrate intelligence beyond their years or insight into problems which the teacher cannot comprehend are VERY threatening to the teacher.
I was identified as "gifted" between grades 2 and 3. People didn't have to tell me that, I was understanding concepts beyond the level of my peers, it worked out luckily that i had SEVERAL peers who were approaching the "Gifted" level, and one who was also "gifted".
I would note that due to the inherent difficulties with IQ/aptitude testing in general nothing beyond 2 standard deviations from the norm is measured. If you happen to be two standard deviations or further away (in the higher direction as IQ is measured) then you are considered gifted, to my knowledge.
A demonstration of what I could do was nessisary to myself upon entering university. I used one class with a 100% final (i opted out of the midterm which ws 40%, and the course outline was re-weighted), i skipped all lectures, and classes, and generally ignored the class for 2.5 months, then with about one week left until the final exam, i started studying. In that week i managed to "learn" or as i like to call it, play the system and procure an 85% in the course(Canadian University). I went from nothing to 85% in about 6 days.
Lots of my peers were very mad at me for that, most of them recieved lower than 85%... The teacher was amazed and called me up to see what was going on. He didn't believe that i wasn't cheating and checked my exam against those of students seated around me. Mine checked out perfectly.
long story short, teachers and peers are threatened by those who have exceptional skills and abilities. The government does not do enought to help "gifted" students. By grade 4, i had learned to shut up and stay put. They killed my inner spirit.
Who wants to teach someone who already knows the answers?
Check journal for info on Anti-TextBook, an idea by me.
No they really should never be used for anything other than social security. As in how the law that creates social security says that it may only be used for social security. All other uses are actually supposed to be illegal. Then Congress had to go and screw up and let the IRS use it in 1961. However, in 1974, they made it illegal for any government agency to require you to disclose your SSN unless specifically mandated by statute.
So really, no college, bank, or most anything else is allowed to make you give them your SSN. If you decided to actually sue that school, you might even win; then maybe places would stop trying to force you to use that damned number.
Catch 22 situation.
Either you:
1) Inform the admin of a possible security risk, and hope they're nice enough to take notice of you. Chances are you won't even get a single second of their thought. End Result: Security risk stays there and the admin thinks they have another 'im a teenage smartass' on their hands.
2) You hack their system to prove there is a security risk there. End Result: You could face criminal charges, get kicked out of college, and have one hell of a hard time getting back into one.
Either way you lose. It's better to go for the first option and if it fails, quit. If you're so bothered that you'd risk getting kicked out and charged, go ahead and prove it to them.
I told the admins at my secondary school about several security risks I found, they didn't even reply to me. A few months later and I'm playing around with some harmless files I made cos I'm bored in IT class. About half a year later when I ask for more disk space, they check my files breifly, think I'm trying to hack (which I wasn't, nothing harmful was there, I was just satisfiying my curiosity). They kick me out of school for 2 weeks, don't let me anywhere near computers for another week, and threaten to call the police if they suspect me doing anything I shouldn't ever again. They don't care what your aim was, all they care about is that some kid is doing stuff they shouldn't be.
The Principal did not believe me, and I was asked by the "computer teacher" to demonstrate, which I did. Upon completing the demo, a change of my grade (downward, ironicaly) I was detained in the office pending arrival of the authorities.
Which is exactly what happened to me. I was a library computer tech at my school and I demonstrated to the district tech staff the many holes they had in their network. It was so bad I could easily escalade my user rights on the servers and gain admin access, allowing me to view everyone's network shares, including the staffs.
I also show them how kids were installing games and IM clients on their machines, getting by the security lockdowns imposed by Fortres, and demonstrated some setting they could change to improve security.
I was promply removed from the library tech staff for "AUP violations involving hacking and changing settings". I have also been blacklisted from all computers in my school. Not only do I no longer have a domain login, I cannot use any school computers, nor can my laptop be on school grounds.
Just goes to show you what happens when students show up paid "professionals"
unable to resolve function slashdot.sig(), aborting...
Just goes to show you what happens when students show up paid "professionals"
To be fair, it's not an issue of students vs professionals. The response you saw is typical in many organizations at many levels -- they want security, don't know how to achieve it or aren't willing to spend the time/money required to achieve it, and simply prefer to believe that the system is secure.
Demonstrating to them that the system is not secure doesn't work, because they don't want to believe the problem is with the system -- which implies that the administrators are the problem. They prefer, instead, to think that the person who can break in is somehow unique and that if they can only keep that individual away, they'll be fine. In other words, they focus on the hacker as the problem, in order to avoid admitting that they themselves are the problem.
A good example is one I used in another post in this thread; Richard Feynman's experience with trying to get the military brass to get more secure locks to protect their files on nuclear weapons during the Manhattan project. He demonstrated the locks were insecure by picking one. They responded by issuing a memo ordering everyone to change their combination whenever Feynman visited them -- effectively ordering them to keep Feynman away from their offices and their locks.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Since when did a high school become an employer of its students? I want someone to find out why the school had the kids' SSNs in the first place.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
I went to an elementary school in Olympia, WA. During the time I served, in first grade, the teacher didn't want us to address negative numbers - she felt it was simpler to accept that 2-4=0. I was incredibly frustrated, because my parents had already taught me multiplication tables - I was quite a bit ahead of the class. I was actually marked off repeatedly on tests for answering several questions like the example with negative numbers.
Eventually, my mother showed the graded work to the principal and had the teacher disciplined. I only wish it were that simple for everyone.
Why would a high school have their pupil's SSNs?
I was a student at a local JC some years ago when I was given a similar choice.
I had written an assigned research paper for Eng 111, on security flaws, physical and electronic, in the school's network. I turned the paper in and didn't think anything about it. About a month later, I was called in my a couple of lab supervisors and asked to "demonstrate" some of the flaws. (It was a surprise, as I didn't know my paper had been circulated at all.)
I asked for a paper stating that I had permission to do so (signed by Dean of Students), and was told that was too much of a hassle to get, and not to worry. Since I was unable to get one, I declined to demonstrate...
It proved to be the right choice. The lab admins, got another person I knew out of a System Security class (IS 370?) to demonstrate. He was successful, but when the results of his work were sent to higher ups, he got fried (since they hadn't approved of his work and didn't want to spend money to fix the problems). He was ultimately dismissed from the college and was unable to finish his degree there.
I look back, and consider myself lucky. If you're going to show up a "paid professional", get a document giving you permission to do so, not from them, but their boss / superiour - always.
There is always a frontier where there is an open and willing mind