Slashdot Mirror
HS Students Steal SSNs to Prove They Can
thatshortkid writes "Local news in Chicago is reporting about two Hinsdale Central High School students who breached their school's computer system and retrieved all of their peers' (plus staff's) Social Security Numbers. They claim they have destroyed the information and haven't given it out, but the SSA and FTC have been alerted for good measure. While they claim their motive was to prove that the breach could take place and no malice was involved, they face possible school disciplinary action and criminal charges."
They should be paying them not punishing them.
Unfortunately, people do not learn from others' mistakes. How many times have people broken into school databases only to be arrested! It does prove that you can break into a DB, but so what? Once again it goes to show you "no good deed goes unpunished!"
-Palal
While it may be an obvious way to get the schools attention on the matter, it is, as the article said, a good way to get yourself expelled, etc. Maybe if they took the issue with the IT staff, and showed them one-on-one how it could be done, they would not be in any harms way.
Okay, I understand that what these kids did was stupid, and serious, but is it really necessary to include quotes like this...?
"When we grow up and get our jobs, that's our life right there. They can access anything about us. It just screws us up for the rest of our lives," said Julianne Junus, student.
I guess it kind of sucks that they're gonna get punished for this, but they deserve it. You can't legally break into someone's house just to show you can, they should have told the school (or some news stations) that they were planning to show how easy it would be to get into the system. Then under a controlled environment (with some type of supervisors there) they can show how easy it would be. That way everyone knows the attack is going on and the school knows what was done by the students rather than relying on their word.
How can the exploit be fixed if the administartion will not admit it exists. These individuals should not receive punishments. If anything, they should receive jobs at their school. It's sad, but it seems High School computers are being ran more by pointy-haired bosses than actual IT individual. I just hope the trend can curb and go back to where data can be secured again in academic institutions.
Just because you can doesn't mean you should.
I know people will come on here and say "OH but the administrators probably wouldn't listen so they had to do this to prove how serious it was". I'm sure if they followed good procedure and presented a good presentation to the Board/etc they would of gotten a better reception then what they did.
Your hair look like poop, Bob! - Wanker.
Nothing will bring pain to you quite like making someone (or some organization) look foolish. Even if you probably are at least somewhat in the right.
Often high school IT departments aren't that...trained in security.
There was an isuse at my school for over 2 years with anonymous ftp login to their server, databases for the grading software, and the web server.
Telling the IT department this at least 10 times never got anywhere because "who would actually do anything bad"
Eventually the website got defaced. It was then fixed..
Sometimes it takes a problem they can see before they'll actually fix it.. And a defaced website, is a problem they can see.
Honestly, what a bunch of fuck ups. If you're trying to do a service by penetration testing, you at the very least notify the sysadmins of the vulnerability you plan to explore.
To go all the way through to stealing *everyone's* information, and then afterwards claim you only did it to help is bad judgment at best. In some states it's criminal.
Good, throw them in jail.
Those miscreants are a danger to society, and consider the cash value of all of the damage that they have done, not to mention the bruised egos!
They are terrorists, and should be executed!
</sarcasm>
Copying the openly readable, unencrypted database (say in MySQL) and parsing for XXX-YY-ZZZZ found to be hacking?
Well, for one, it is public knowledge that the SSN X's (in my representation) are in fact, state codes. I have some reason to believe that the Y might be county or some sort of district code, but I cant be soo sure unless I'd gather enough SSN's and location of birth
Yes, the mail center in which you were born is what the state code is attributed to, not the actual locale you live in. Say your parents lived in Phoenix, Arizona but went on a trip to New York City. The baby's SSN would start with 050 to 134, NOT the Arizona 526 prefix.
Well, hope this sparks up some replys (and mod points! yay mod points!)
Personally, this makes me wonder why I would ever give anyone my SSN, unless they can prove they will live up to their federally mandated responsibilities.
This just shows that most companies and governments cannot do so.
Support NYCountryLawyer RIAA vs People
I had the "fun" of working in our school's server room my freshman year. We had the servers get hacked at least twice.
The first time was a simple brute force attack on a AppleShare server, because the main admin refused to put a limit on the number of password attempts because it was too inconvient to have them simply go up to an admin and reset their password, despite that's more or less exactly what would have to happen if someone forgot their password anyways. I found out that year who had done it, but congratulated the person.
The second time it was because the rather ancient admin password leaked out and they were able to use that to not only get into the teacher's file server but also the SASI server with all the grade data! Why did we use this password? Well be cause it was tradition! I found out only a couple months ago who did this, he didn't
There's so much incompetence at so many High Schools it wouldn't surprise me if it was something as simple as a server that hadn't been patched in ages. Aren't you glad to know that these are the people with all your insensitive data? As it stands at my college they use SS#s for *everything* even though they probably shouldn't.
I'm certainly not suggesting something as draconian as RealID. But it should not be necessary to keep one's SSN any more secret than the account and routing numbers printed on personal checks.
I support punishment of the administrators who did not sufficiently secure that sensitive information. I also support to a lesser degree the punishment of the children who stole the information. However, had that event not taken place, some less scrupulous children might have misused the information that was so easily stolen.
Most databases and file servers have permissions systems in place that can authenticate by host and IP range. Most administrators assign different IP ranges for different purposes - staff should be different from student-accessible. Also, multiple passwords are required in most systems to access sensitive information: computer login, network login, database login. Passwords are also supposed to change often. Why were these precautions not taken, and why did the admin not notice anything suspicious until it was too late?
Never underestimate 15 year olds. Why? First, they have WAY more free time than any of us working folk. Come on. They get home at 3, and have maybe an hour or two of homework to do sometimes, then they stay up until 1-2 AM. Second, there are a lot of them for every administrator at any school. Third, they are hormonally imbalanced and do irrational stuff to prove irrational points. They can exploit all of those points to their advantage at almost no notice. I did, you did, most everyone did.
Someone needs to be made an example to prevent this sort of thing elsewhere. I think the administrator is the best choice, personally.
To prevent being expelled just send the SSNs to the IT administration through anonymous snail mail. Explain how you broke in, and hopefully they will fix the problem.
But that "car" is a publically-owned bus.
If there were faults YOU knew about that bus, and let others ride on it knowing that injury might result, you would be at fault morally, and perhaps legally and crminally.
How is this different than the shock-journallists on the local news finding "naughty no-no subjects" and then prodding them until they're fixed? Our local (Indiana) problem is the channel 8 news WISH was going over the VX gas stockpiles and how the military was letting the barrels corrode and stuff. Investigator-8 pretty much drew maps on how to get to the VX stockpile.
And yes, because the big media attention, they're just now starting to incenerate the stockpile.
Keeping SSNs around obviously can't be avoided for the school's employees (for tax and other reasons), but employee databases should be separate from student records, and there are far fewer employees than students anyway.
Basically, SSNs seem to have become the knee-jerk instant universal ID number for American firms and institutions of all sorts, which is a pity. It's best if we (as IT professionals) try to encourage the keepers of old databases to transition away from using them, and to strongly recommend that new databases not use them at all, wherever possible.
there will be a lot of teeth gnashing from slashdotters about this "injustice". usually because the average slashdotter trusts some anarchist high school students more than they probably trust their own police department. they will point out that a security system untested is never sound, and that this move will strengthen security. that better these high school students than someone with truly dark intent break in.
the problem has to do with what the word "trust" means. society at large doesn't trust an intelligent well-intentioned hacker (these students are hackers as in the old school sense if there ever was one, as opposed to the new school "hacker=terrorist" sense). but they DO trust a bumbling idiotic underpaid school administrator.
why?
it's about how the average slashdotter views "trust" and how society at large views "trust". the average slashdotter trusts intelligence, cleverness, technical literacy. but the average joe simply trusts accountability.
the school administrator's job is to keep security, he is trusted by society, paid by society to do this. he is accountable. the school administrator will be reprimanded by this breach, and the breach will be repaired. this is society at work. meanwhile, there is no social contract with the high school student. there is no trust. there is no accountability.
yes, security will be better because of what they did. yes, their intent is perfectly sound. but there is no trust, there is no accountability as far as the average joe sees it.
the lesson therein is for the average slashdotter then:
accountability is more important than cleverness.
to put it another way, the average joe doesn't care how technologically sophisticated the security is on their SSNs. the average joe just cares if THERE IS SOME ACCOUNTABILITY. so the SSNs could be on a text file on webserver, they don't care. the question si: is someone's job on the line for the theft? the average joe understands this concept: someone will suffer if my identity is stolen. there fore, someone out there is motivated to protect me.
meanwhile, these students have no social contract, no accountability. what is their intent? what is their motivation to do good by me? all i have to trust is their word, and i don't know them from adam. therefore, all that they have done for the average joe goes unheeded, unrecognized. the students helped the average joe, but the average joe sees them as criminals.
folks: gnash your teeth all you want, i'm just trying to give you all a heads up about the difference in thinking between the average joe and the average slashdotter. if you don't like what i am saying, don't be mad at me, don't shoot the messenger.
be angry that trust does not mean same thing to you and the average guy on the street.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
If I ever found myself in such a situation, the way I would look at it is that my private space was violated by the people who put my personal information where it could be indirectly but publicly accessed, not the people who chose to take advantage of that.
Just a thought.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
They are being punished more for making the "adults" looked foolish than the severity of their mischief.
ELOI, ELOI, LAMA SABACHTHANI!?
Where did you go to school? They actually teach college students about money management and how to improve your credit score. Don't post where it is, Discover will go there, and dump credit cards until they ruin a good thing.
In my experience, most college students do more harm to their credit scores in college then they can recover from in 10 years. Maybe 20 they could recover from. Most people leave college so debt laden it's silly. Credit card companies prey on students on college campuses. I was always shocked at home many places on campus had credit card offers. Remember, college is the new high school. College in the 1960's was a 25% of HS grads went. Now it's more like 75% go. Going to college isn't the indicator it used to be.
I happen to have decent credit, but that has a lot more to do with watching my family memebers have poor credit, and poor money management. I sure didn't learn a thing about it in college.
Kirby
Right or wrong they might provide expertise to terrorists, or might engage in weapons of mass destruction related activity programs.
Jesus. My ID has it printed right on it. If you forgot your ID, you had to tell them your social to get lunch.
For goodness sake, anyone who's seen your driver's license -- say the bartender at whatever club or whatever -- can open a credit card under your name, and from that point on you're pretty much screwed. There is no reason that SSN should be legal proof-of-identity, because it's absurdly easy to steal.
I used to read Caltizzle. I was a lot cooler than you.
That would be "tyrants" and "patriots", not martyrs. (Though, I suppose a patriat who acts in a way that will result in his death for a noble effort, and recognotion thereof, is a martyr.)
You could've hired me.
if they can't or won't take care of it, there's nothing compelling you to do it for them.
Having my data on their servers seems compelling enough...
I actually went to a college that had email addresses in the form of stu_xxx-xx-xxxx@western.edu. And to make matters worse the school couldn't understand why I refused to use their email.
Restore America: Dr. Ron Paul for President!
Also in Fort Bend ISD (which is in suburban Houston, TX), the cash registers in the lunch room are a bunch of specialized serial terminals connected to a Linux box on the network at each school.
Each of these boxes has telnet open for administration of the system by the lunchroom manager or system administrator. You can get into the system with NO PASSWORD to mess with the system, change the prices of food, and probably even get access to the accounts of students who are on low-income assistance from the government.
Like I said, Fort Bend ISD is a pitiful joke. I have an acquaintence who informed FBISD about a comprimised IIS server. They refused to patch the publically facing box that said "Hacked by Chinese" because the box was too slow to run Norton Antivirus (I guess re-installing the OS was beyond them?). This remained for a year until that person posted here on Slashdot about the infected machine, which resulted in emails to the school superintendent which got the box fixed almost immediately. In retaliation, the IT staff tried to break into his home Linux box.
Funny stuff.
Why does a public high school even need your SSN? I can understand them needing the staff SSNs for payroll, but why do they need a kid's social security number?
Does anyone know? It's not like the students are paying any taxes towards social security through the high school
When it comes to data, I'm wondering what possession actually means. Specifically, say I have a list of SSN's as S, and I apply an encryption function encrypt(), they become encrypt(S). Given only encrypt(S), am I illegally possessing data? Taken one step further. Clearly, applying decrypt() to encrypt(S) gives me back S. Assume I have some data D. If I can arrive at a function decrypt() that can turn D into the original S, shouldn't D be as illegal as encrypt(S)?
As a realistic example, imagine I was able to write a function decrypt() such that it could turn a text file of one of the works of shakespeare into a list of social security numbers. Would then, all people who have a text version of said shakespearean work be in possession of illegal material?
Quite honestly, if you take this to a logical extreme, no matter what the input data, given the ability to write any function, the output data could be anything you could conceive. What if your function is simply the concatenation of "illegal" data to the output. Would then the "reverse engineering" of said "encryption" function be illegal according to the DMCA? It is a "security device" at this point, right?
This all boils down to the difference between data and functions on data. It is illegal to hold certain data. But what if we lable data as functions on data. In fact, security device functions on data. Could we then distribute the functions and make it illegal for people to reverse engineer the functions without permission?
mp3's are only for those with bad memories
The scary thing is until very recently (last semester) this information on every student included home phone numbers *and* Social Security numbers. Don't go to my school if you value your privacy. Our IT department is stuck in 1999.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
In a civilised country where personal data was actually protected and where personal responsibility existed, such an event would have generated very pointed questions of the people who failed to protect vital personal information for hundreds or thousand of students.
The focus on sound bites denouncing petty criminals makes a convenient smokescreen to avoid them though.
Nihil Illegitemi Carborvndvm
I'm not from the US and now I have to get this explained. I'm not trolling. I can't really understand how SSNs are supposed to work.
The SSN seems to be a number identifying a person. (We have that where I live too.) But somehow, this number is assumed to be secret, like a password. If yout can learn the number you can access anything about the person and you also seem to be able to hurt the person financially. Withdraw funds? The security seems to revolve around the fact that the number (the identity of the person) is secret! Because everyone here seems to be upset that these kids expose all those numbers!?!? This boggles my mind.
Are there no other attempts at authentication? IDs? If your SSN is your password, how do you change it? (I would like to have it changed several times a year, no matter what if there is no other security than secrecy.) Can someone explain?
)9TSS
From my experiences doing pro-bono work at four different high schools, I'd say that most of them barely have the capability to deal with the most rudimentary data management tasks. I'm not saying this to be dismissive of schools or the people who work there, but they are in many cases so short on human and technology resources that creating and managing unique IDs for each student isn't something that would even cross their minds.
The SSN is, as you mentioned, the knee-jerk instant universal ID number precisely because it requires no extra effort. This is not a good situation, but it has come about because there is no compelling reason (that many institutions can see) to devote extra time and effort to coming up with alternate ID schemes for schools.
Read the EFF's Fair Use FAQ
"Your house is not secure. I can prove it to you. All I need is a rock or baseball bat and I can show you that I can get inside." Yay! Now I won't get arrested! - just because it's tech doesn't mean that the laws don't apply
I sent this to District 86 in Chicago:
Dear Superintendent Miller,
I am sure you have been receiving a barrage of e-mails recently, so I'll make this short.
Recently I read about two of your students attending Hinsdale Central High School breaching network security and the stealing Social Security Numbers for students and staff. While I do not believe that stealing the SSNs was appropriate, I do not support the way your administration has handled the situation.
A communal perspective needs to be taken when looking at the actions of those two students. Often drastic measures, both vulgar and offensive to those in charge, has to be taken. At this moment the citizens of Arizona are spitting in the face of the government by protecting their on boarders. This is not very different from what these two students did at HCHS. While they did break the law by cracking though security, they were trying to protect the student body (including themselves) and the staff by alerting the school of its flaws. Lets say someone was to break into their bank and steal their safety deposit box, and then handed it back to the bank manager the next day. An conceited bank manager wouldn't be able to see the good in what this man had done and would call the cops. However, an intelligent bank manager would hire this man.
Also, I am well acquainted with system admins in school districts. A close friend of mine has been one of the head network admins for the Boston Public Schools for almost 15 years. While he works with gifted students to patch holes in security, many of the other admins disregard student warnings. They let their titles, status, and education get in the way of common sense.
Punishing these students is just another way that red tape and policy is destroying ingenuity in America. Strictly disciplining these students will only perpetuate the notion that students in America should strive for mediocrity and that being bold and initiating change should be shunned.
- Xxx Xxxxxxxxx-Xxxxxxx
"Man, I am so unbelievably stupid."
The truth is the lazy, idle and incompetent always prefer the cover up to the fix. Whether it is the Roman Catholic church and child abuse, torture at Guantanamo Bay, or security holes, the people in charge will conceal rather than cure. Two examples from my own career:
I was once asked to investigate the apparent failure of an automated component test system. Eventually a review of the hardware and software left the only option as being that the production personnel were deliberately falsifying results and passing rejected batches. Result: three senior managers demanding I be sacked. Fortunately at this point we acquired a new CEO who had several clues. One manager was fired, one left of his own accord and the other was downgraded. But customer confidence had been eroded and the plant eventually had to be shut down. The second example was less exciting: a production director who resisted for years the introduction of statistical process control because it would make clear where systems were failing.
I'm sure many of us have similar examples. It is not in fact important what the motivation of the whistle blower is, we need to change the culture to one in which the response is "Fix it", not "shoot the messenger". With hindsight, we may one day conclude that the tradition of open bug fixing is FOSS is its greatest social legacy.
Panurge has posted for the last time. Thanks for the positive moderations.
How many times have people broken into school databases only to be arrested!
Back when I was in school, we only broke into the school database to change our grades.
paintball
Focusing on the kids is a load of bullshit anyway. What was the personal data doing on a server accessible from a home computer? It sounds to me like the school administration is trying to create a smoke screen for their gross or willful negligence.
If the personal data was on a Microsoft server AND it was connected to the Internet, then the school system is in for a world of hurt in the courts: Willful negligence.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Although I graduated several years ago, I don't doubt such a thing happened. Would you believe that they actually used your initials and the last 4 digits of your social security # as a hard-coded unchangeable password for all staff, faculty, and administrative accounts, assumable some with access to this stolen information? For the students, at least when I was there, the last 4 digits were substituted with the last 4 digits of your student ID. As you an imagine, this also was about as secure as the last 4 digits of your credit card number. Rumor has it that many years ago someone hacked the system and changed the principal's paycheck to 86 cents in resemblance of the school district #. Figures.
If they had plan, and a means to carry out said plan, then they should have gone to the media first.
Seriously. If these kids had cornered a reporter, made an argument for his/her involvement and brought along said reporter with the promises of an exclusive, their ass would be automatically covered. The presence of the media would have proved they were whistle blowers and not some renegade "vigilantes" that got caught in the act. Nothing could prove different once the film and commentaries went to air.
The moral is....Once you decide to show some self centered egotistical bastard which way the wind blows....bring a weathervane.
Be Safe! Sleep with a Marine. Semper Fi!
As for someone here saying that they should report to the system admins first before testing the security, of course they should, but it is not always easy, and we should not expect these high school students to think that much. If you stumble into a page where you can enter arbitrary SQL, surely it looks very wrong, but there is still a possibility that the admin had simply revoked any privileges of that test account, instead of removing the test page, when the system went into production, therefore before you do a "SELECT * FROM students" and see something wrong, you cannot be sure that a security hole exists.
If I were the schoolmaster, I think I will explain to the students that, I understand the crackers' intentions are good, but what they are doing is still causing more harm than good, so they will receive neither praise nor punishment for this time, but they should swear that the SSN data are destroyed, and such action is strictly prohibited from now on. As for the website, if the school do lack the expertise to fix it, the system admins should publicly admit that the system has serious security problems, ask the students not to do such cracking again, and they should welcome any student who can and is willing to work with them to fix the problem.
This is the stem of all security problems.
If you DO blow the whistle, unless you have some SERIOUS clout behind you, chances are most people aren't going to listen to you. (See: Microsoft).
If you DON'T blow the whistle, do nothing and have a vested interest in the company/school then you risk having your money/time lost due to SOMEONE ELSE taking advantage of a flaw you knew about.
If you DO blow the whistle and try to gather attention to it by TAKING ADVANTAGE of the exploit, you SERIOUSLY risk being arrested yourself. (White hackers, black hackers, its all the same in the eyes of the uneducated masses!)
Etc, etc, etc. The list of what you can do and how ineffective it will ultimately be goes on. You can't go public or they slam you for trying to ruin their reputation. You can't go directly to the people cause they ignore you. You can't 'white hacker' them cause they slam you anyway. You can't ask for advice on Slashdot cause Slashdot is a wide, niche audience and is largely ineffective due to city/state/nation/international law differences. Its damned if you do, damned if you don't, damned if you ask for help and damned if you do nothing about it.
A lawsuit with no evidence is not going to get very far. How will you prove that information is not secured? You would have to test it by trying to break in, in order to prove your case. That is what the students should have done, then after they have the evidence, they should go to court.
Oh wait... that's what happened.
I'll probably be modded down for this...
Must have been a Catholic school... Nobody else masks acronyms.
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
No they really should never be used for anything other than social security. As in how the law that creates social security says that it may only be used for social security. All other uses are actually supposed to be illegal. Then Congress had to go and screw up and let the IRS use it in 1961. However, in 1974, they made it illegal for any government agency to require you to disclose your SSN unless specifically mandated by statute.
So really, no college, bank, or most anything else is allowed to make you give them your SSN. If you decided to actually sue that school, you might even win; then maybe places would stop trying to force you to use that damned number.
The reporter in this story clearly does not have the razor sharp awarness of what causes people to panic, like say a CNN headline writer does. But sooner or later someone will realize that these kids that got caught/came forward, are the ONLY ones in that school you DON'T have to worry about. It's the other 30 or 40 that already hacked the system or better yet, are trying it right now.
.. with less risk would be to send a formal letter to someone high up that you believe that the information held on that server to be insecure, and ask that it be secured or your information be promptly removed. Offer to demonstrate how the information is insecure, maybe, but point out that since you have informed them of the possibility of an intrusion you will consider sueing (?) if *your* information is stolen. That will get their attention!
*--BigMan--- Time flies like an arrow.. but personally I prefer a nice glass of wine!
Now your SSN is your life for the most part.
Yes, this is true--though only to a certain extent--but your following argument is quite overstated:
If somsone has your number, they dont even need to know anything else to screw you over. With the number they can do searches and find your name and current residance. With that info they can sign up for credit cards in your name and screw over your credit.
If this were true, nobody would ever bother to steal a "list of SSNs" from a database! They would just randomly choose any 9-digit number. The security (or lack thereof) is in the linkage between the SSN and a person.
They can basicly steal your identity just by knowing that one special number.
Again, this an oversimplification. They still need to know whom that SSN represents. A reverse-lookup, if it existed, would imply that lists of SSNs wouldn't need to be stolen in the first place. Of course the kids in TFA most likely obtained more than just a list of raw 9-digit numbers; they probably also got the linkages between the SSNs and their owners.
Haven't people learned, by now, that even if you have the best intentions at heart - doing this things will result in you getting in trouble. If you really want to test the security of an organization, get their upper management authorization (hell you could even make a profit).
If they were smart about it (and they have to be somewhat smart to do this) they could have spoken to their principal/advisor and gotten sanctions to do this - potentially earning some kind of HS credit or an award from the the school.
I mod down so you can mod up. Your welcome.
Since when did a high school become an employer of its students? I want someone to find out why the school had the kids' SSNs in the first place.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Why would a high school have their pupil's SSNs?
well it was still an illegal act. what if they had bought drugs on campus to demonstrate that it was possible and then turned around and gave the drugs to the police or administration? It's still illegal. They say they destroyed the SSNs/gave back all the weed, but who really knows. What if they sell the HD the numbers were stolen from and someone recovers them?
They could have done a little to cover their butts, like notifing a teacher ( anonymously ) about the intended act so there was foreknowledge they meant nothing about it, or even going to the principle and telling him the system was insecure and that they'd like to prove it.
"Not knowing when the dawn will come, I open every door." - Emily Dickinson