HS Students Steal SSNs to Prove They Can
thatshortkid writes "Local news in Chicago is reporting about two Hinsdale Central High School students who breached their school's computer system and retrieved all of their peers' (plus staff's) Social Security Numbers. They claim they have destroyed the information and haven't given it out, but the SSA and FTC have been alerted for good measure. While they claim their motive was to prove that the breach could take place and no malice was involved, they face possible school disciplinary action and criminal charges."
Okay, I understand that what these kids did was stupid, and serious, but is it really necessary to include quotes like this...?
"When we grow up and get our jobs, that's our life right there. They can access anything about us. It just screws us up for the rest of our lives," said Julianne Junus, student.
Besides, breaking into systems without permission just to show they are insecure isn't necessary.
Oh, sure it is. Back in university, I read a newsgroup post by a system administrator that insisted that Sun's Yellow Pages were a secure way to manage passwords. I sent him a copy of his password file and his ypserv went down in a blink. If instead I gave a long technical explanation, he would likely just ignore it.
And today companies like Microsoft and Apple ignore critical security flaws until someone provides an obvious exploit on a public web page. What is not necessary is causing damage or using any information obtained for personal gain.
The Principal did not believe me, and I was asked by the "computer teacher" to demonstrate, which I did. Upon completing the demo, a change of my grade (downward, ironically), I was detained in the office pending arrival of the authorities.
Which is exactly what happened to me. I was a library computer tech at my school and I demonstrated to the district tech staff the many holes they had in their network. It was so bad I could easily escalate my user rights on the servers and gain admin access, allowing me to view everyone's network shares, including the staff's.
I also showed them how kids were installing games and IM clients on their machines, getting by the security lockdowns imposed by Fortres, and demonstrated some settings they could change to improve security.
I was promptly removed from the library tech staff for "AUP violations involving hacking and changing settings". I have also been blacklisted from all computers in my school. Not only do I no longer have a domain login, I cannot use any school computers, nor can my laptop be on school grounds.
Just goes to show you what happens when students show up paid "professionals".
unable to resolve function slashdot.sig(), aborting...