Slashdot Mirror
HS Students Steal SSNs to Prove They Can
thatshortkid writes "Local news in Chicago is reporting about two Hinsdale Central High School students who breached their school's computer system and retrieved all of their peers' (plus staff's) Social Security Numbers. They claim they have destroyed the information and haven't given it out, but the SSA and FTC have been alerted for good measure. While they claim their motive was to prove that the breach could take place and no malice was involved, they face possible school disciplinary action and criminal charges."
Okay, I understand that what these kids did was stupid, and serious, but is it really necessary to include quotes like this...?
"When we grow up and get our jobs, that's our life right there. They can access anything about us. It just screws us up for the rest of our lives," said Julianne Junus, student.
Copying the openly readable, unencrypted database (say in MySQL) and parsing for XXX-YY-ZZZZ found to be hacking?
Well, for one, it is public knowledge that the SSN X's (in my representation) are in fact, state codes. I have some reason to believe that the Y might be county or some sort of district code, but I cant be soo sure unless I'd gather enough SSN's and location of birth
Yes, the mail center in which you were born is what the state code is attributed to, not the actual locale you live in. Say your parents lived in Phoenix, Arizona but went on a trip to New York City. The baby's SSN would start with 050 to 134, NOT the Arizona 526 prefix.
Well, hope this sparks up some replys (and mod points! yay mod points!)
I had the "fun" of working in our school's server room my freshman year. We had the servers get hacked at least twice.
The first time was a simple brute force attack on a AppleShare server, because the main admin refused to put a limit on the number of password attempts because it was too inconvient to have them simply go up to an admin and reset their password, despite that's more or less exactly what would have to happen if someone forgot their password anyways. I found out that year who had done it, but congratulated the person.
The second time it was because the rather ancient admin password leaked out and they were able to use that to not only get into the teacher's file server but also the SASI server with all the grade data! Why did we use this password? Well be cause it was tradition! I found out only a couple months ago who did this, he didn't
There's so much incompetence at so many High Schools it wouldn't surprise me if it was something as simple as a server that hadn't been patched in ages. Aren't you glad to know that these are the people with all your insensitive data? As it stands at my college they use SS#s for *everything* even though they probably shouldn't.
I support punishment of the administrators who did not sufficiently secure that sensitive information. I also support to a lesser degree the punishment of the children who stole the information. However, had that event not taken place, some less scrupulous children might have misused the information that was so easily stolen.
Most databases and file servers have permissions systems in place that can authenticate by host and IP range. Most administrators assign different IP ranges for different purposes - staff should be different from student-accessible. Also, multiple passwords are required in most systems to access sensitive information: computer login, network login, database login. Passwords are also supposed to change often. Why were these precautions not taken, and why did the admin not notice anything suspicious until it was too late?
Never underestimate 15 year olds. Why? First, they have WAY more free time than any of us working folk. Come on. They get home at 3, and have maybe an hour or two of homework to do sometimes, then they stay up until 1-2 AM. Second, there are a lot of them for every administrator at any school. Third, they are hormonally imbalanced and do irrational stuff to prove irrational points. They can exploit all of those points to their advantage at almost no notice. I did, you did, most everyone did.
Someone needs to be made an example to prevent this sort of thing elsewhere. I think the administrator is the best choice, personally.
Besides, breaking into systems without permission just to show they are insecure isn't necessary.
Oh, sure it is. Back in university, I read a newsgroup post by a system administrator that insisted that Sun's Yellow Pages were a secure way to manage passwords. I sent him a copy of his password file and his ypserv went down in a blink. If instead I gave a long technical explanation, he would likely just ignore it.
And today companies like Microsoft and Apple ignore critical security flaws until someone provides an obvious exploit on a public web page. What is not necessary is causing damage or using any information obtained for personal gain.
I actually went to a college that had email addresses in the form of stu_xxx-xx-xxxx@western.edu. And to make matters worse the school couldn't understand why I refused to use their email.
Restore America: Dr. Ron Paul for President!
The scary thing is until very recently (last semester) this information on every student included home phone numbers *and* Social Security numbers. Don't go to my school if you value your privacy. Our IT department is stuck in 1999.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
Social Security numbers were originally designed for use with the social security system, and that was *it*. The social security system is set up where the working class have a portion of their pay given to the government's social security program. People who have worked all their life and retire will start collecting money from social security that was paid for by the working class.
The SSN was only intended to be the number you would use to identify yourself to the social security department where they could look up your info and validate that you are ready to recieve your money when you retire.
Now your SSN is your life for the most part. If somsone has your number, they dont even need to know anything else to screw you over. With the number they can do searches and find your name and current residance. With that info they can sign up for credit cards in your name and screw over your credit. They can basicly steal your identity just by knowing that one special number. If someone with bad intentions has your SSN, you are basicly fscked unless you have alot of money to pay lawyers to fix everything.
It's basicly a fairly fscked up system.
The goal of computer science is to build something that will last at least until we've finished building it.
The Principal did not believe me, and I was asked by the "computer teacher" to demonstrate, which I did. Upon completing the demo, a change of my grade (downward, ironicaly) I was detained in the office pending arrival of the authorities.
Which is exactly what happened to me. I was a library computer tech at my school and I demonstrated to the district tech staff the many holes they had in their network. It was so bad I could easily escalade my user rights on the servers and gain admin access, allowing me to view everyone's network shares, including the staffs.
I also show them how kids were installing games and IM clients on their machines, getting by the security lockdowns imposed by Fortres, and demonstrated some setting they could change to improve security.
I was promply removed from the library tech staff for "AUP violations involving hacking and changing settings". I have also been blacklisted from all computers in my school. Not only do I no longer have a domain login, I cannot use any school computers, nor can my laptop be on school grounds.
Just goes to show you what happens when students show up paid "professionals"
unable to resolve function slashdot.sig(), aborting...
Just goes to show you what happens when students show up paid "professionals"
To be fair, it's not an issue of students vs professionals. The response you saw is typical in many organizations at many levels -- they want security, don't know how to achieve it or aren't willing to spend the time/money required to achieve it, and simply prefer to believe that the system is secure.
Demonstrating to them that the system is not secure doesn't work, because they don't want to believe the problem is with the system -- which implies that the administrators are the problem. They prefer, instead, to think that the person who can break in is somehow unique and that if they can only keep that individual away, they'll be fine. In other words, they focus on the hacker as the problem, in order to avoid admitting that they themselves are the problem.
A good example is one I used in another post in this thread; Richard Feynman's experience with trying to get the military brass to get more secure locks to protect their files on nuclear weapons during the Manhattan project. He demonstrated the locks were insecure by picking one. They responded by issuing a memo ordering everyone to change their combination whenever Feynman visited them -- effectively ordering them to keep Feynman away from their offices and their locks.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Since when did a high school become an employer of its students? I want someone to find out why the school had the kids' SSNs in the first place.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."