Slashdot Mirror

← Back to Stories (view on slashdot.org)

HS Students Steal SSNs to Prove They Can

Posted by Zonk on from the i-would-have-just-played-quake dept.

thatshortkid writes "Local news in Chicago is reporting about two Hinsdale Central High School students who breached their school's computer system and retrieved all of their peers' (plus staff's) Social Security Numbers. They claim they have destroyed the information and haven't given it out, but the SSA and FTC have been alerted for good measure. While they claim their motive was to prove that the breach could take place and no malice was involved, they face possible school disciplinary action and criminal charges."

21 of 701 comments (clear)

  1. ridiculous by faldore · · Score: 5, Insightful

    They should be paying them not punishing them.

    1. Re:ridiculous by zerbot · · Score: 5, Informative

      From the article, it appears they didn't reveal the security flaws, they got caught. Besides, breaking into systems without permission just to show they are insecure isn't necessary. I've never had anybody who I reported a security problem to just pooh-pooh it, not even when I was a teenager.

    2. Re:ridiculous by DustyShadow · · Score: 5, Insightful

      Breaking the law just to "prove you can" doesn't really fly. They would have been much smarter to just tell the school about the problem and then helped them to fix it. If the school ignored them, they could have easily made the issue public. High schools aren't very big so it's pretty easy to get the word about things. I don't agree that whistle blowers should be punished but these guys went past that point. These guys should be punished, and they most likely will.

    3. Re:ridiculous by iamacat · · Score: 5, Interesting

      Besides, breaking into systems without permission just to show they are insecure isn't necessary.

      Oh, sure it is. Back in university, I read a newsgroup post by a system administrator that insisted that Sun's Yellow Pages were a secure way to manage passwords. I sent him a copy of his password file and his ypserv went down in a blink. If instead I gave a long technical explanation, he would likely just ignore it.

      And today companies like Microsoft and Apple ignore critical security flaws until someone provides an obvious exploit on a public web page. What is not necessary is causing damage or using any information obtained for personal gain.

    4. Re:ridiculous by networkBoy · · Score: 5, Insightful

      Then you are the exception.

      I spend time in the back of a squad car for stating there were security problems at my school (back in 93, I was a Jr.) The Principal did not believe me, and I was asked by the "computer teacher" to demonstrate, which I did. Upon completing the demo, a change of my grade (downward, ironicaly) I was detained in the office pending arrival of the authorities.

      I now have a job where I get paid for those same skills, and the thread starter is correct about paying the students. The problem is that HS staff does not like being shown that their charge (the students) have more power than them, which this demonstrates.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    5. Re:ridiculous by zerbot · · Score: 5, Informative

      What you do then is offer to make a bet. Offer him something nice and juicy, and get it in writing. Never do security testing without written permission.

      I would think that people would have learned from the example of Randall Schwartz. You especially don't want to do it with someone who would be publically embarrassed by it because you're at high risk that they will file charges.

    6. Re:ridiculous by zerbot · · Score: 5, Insightful

      You don't need to break into Microsoft or Apple's corporate computers. You can demonstrate on your own computer or someone else's with their permission. I'm not saying that publicizing security weaknesses is a bad thing, but going the route of breaking into someone else's property to expose a security flaw is stupid and unnecessary, and should be prosecuted. I've had to notify many, many people that their systems were either vulnerable or already compromised, and I have never "had" to resort to illegal acts to convince them of that fact, even when I was nobody to them.

    7. Re:ridiculous by sydsavage · · Score: 5, Insightful
      Its not like you can use a number without any other proof of ID is it?

      You'd think that would be the case. Unfortunately, the answer is no.

      From this article:

      The SSN and Identity Theft

      The widespread use of the SSN as an identifier and authenticator has lead to an increase in identity theft. According to the Privacy Rights Clearinghouse, identity theft now affects between 500,000 and 700,000 people annually. Victims often do not discover the crime until many months after its occurrence. Victims spend hundreds of hours and substantial amounts of money attempting to fix ruined credit or expunge a criminal record that another committed in their name.

      Identity theft litigation also shows that the SSN is central to committing fraud. In fact, the SSN plays such a central role in identification that there are numerous cases where impostors were able to obtain credit with their own name but a victim's SSN, and as a result, only the victim's credit was affected. In June 2004, the Salt Lake Tribune reported: "Making purchases on credit using your own name and someone else's Social Security number may sound difficult -- even impossible -- given the level of sophistication of the nation's financial services industry...But investigators say it is happening with alarming frequency because businesses granting credit do little to ensure names and Social Security numbers match and credit bureaus allow perpetrators to establish credit files using other people's Social Security numbers." The same article reports that Ron Ingleby, resident agent in charge of Utah, Montana and Wyoming for the Social Security Administration's Office of Inspector General, as stating that SSN-only fraud makes up the majority of cases of identity theft.

      What I find interesting that no one seems to be questioning why a high school needs to have the students SSN in the first place. Personally, I think that the administrator that made the decision to put SSN's into a (now proven) vulnerable database should get at least the same punishment as the students who cracked it. And if they are using products that are known to have weak security, they should get double. Why was this database even connected to the net, anyhow? Honestly, the real crime here is the lackadaisical handling of such sensitive information, when there is no good reason for them to have students SSN's in the first place.

    8. Re:ridiculous by TheStupidOne · · Score: 5, Interesting

      The Principal did not believe me, and I was asked by the "computer teacher" to demonstrate, which I did. Upon completing the demo, a change of my grade (downward, ironicaly) I was detained in the office pending arrival of the authorities.

      Which is exactly what happened to me. I was a library computer tech at my school and I demonstrated to the district tech staff the many holes they had in their network. It was so bad I could easily escalade my user rights on the servers and gain admin access, allowing me to view everyone's network shares, including the staffs.

      I also show them how kids were installing games and IM clients on their machines, getting by the security lockdowns imposed by Fortres, and demonstrated some setting they could change to improve security.

      I was promply removed from the library tech staff for "AUP violations involving hacking and changing settings". I have also been blacklisted from all computers in my school. Not only do I no longer have a domain login, I cannot use any school computers, nor can my laptop be on school grounds.

      Just goes to show you what happens when students show up paid "professionals"

      --
      unable to resolve function slashdot.sig(), aborting...
  2. Dumbasses..... by Palal · · Score: 5, Insightful

    Unfortunately, people do not learn from others' mistakes. How many times have people broken into school databases only to be arrested! It does prove that you can break into a DB, but so what? Once again it goes to show you "no good deed goes unpunished!"

    --
    -Palal
    1. Re:Dumbasses..... by greyhoundpoe · · Score: 5, Funny

      That's not all! I've been able to get the home addresses, telephone numbers, and email addresses of a large number of my friends as well!

  3. tough way to prove point by Bananatree3 · · Score: 5, Insightful

    While it may be an obvious way to get the schools attention on the matter, it is, as the article said, a good way to get yourself expelled, etc. Maybe if they took the issue with the IT staff, and showed them one-on-one how it could be done, they would not be in any harms way.

  4. Over react much? by r_glen · · Score: 5, Interesting

    Okay, I understand that what these kids did was stupid, and serious, but is it really necessary to include quotes like this...?

    "When we grow up and get our jobs, that's our life right there. They can access anything about us. It just screws us up for the rest of our lives," said Julianne Junus, student.

    1. Re:Over react much? by Anonymous Coward · · Score: 5, Insightful

      It shouldn't be, but since the SSNs are used for everything a person does for the rest of their lives, it should be included. As a reason not to use SSNs at Schools and the like.

  5. yes,let the kids decide about your privacy by Daffy+Duck · · Score: 5, Insightful

    Honestly, what a bunch of fuck ups. If you're trying to do a service by penetration testing, you at the very least notify the sysadmins of the vulnerability you plan to explore.

    To go all the way through to stealing *everyone's* information, and then afterwards claim you only did it to help is bad judgment at best. In some states it's criminal.

  6. Not the Real Problem by Dr.+Mu · · Score: 5, Insightful
    The real problem is not that SSNs are so easy to get but that possesion of another person's SSN gives one so much power to do ill. I think it's time that agencies and institutions quit relying on such a dubious means of identification as a key to perform transactions. Heck, some of them only require the last four digits!

    I'm certainly not suggesting something as draconian as RealID. But it should not be necessary to keep one's SSN any more secret than the account and routing numbers printed on personal checks.

  7. Re:They kind of deserve the punishment by ZorbaTHut · · Score: 5, Insightful

    On the other hand . . .

    . . . imagine you're legally required to keep your electronics and jewelry in someone else's house. And not only that, but several hundred of your friends are too. And imagine that you know the security in this house is bad, and you've tried telling the owner of the house that your possessions are in danger, but he doesn't care. And you've tried telling the government that your possessions are in danger, but they don't care either. Your friends care though, and they're really frustrated knowing that all their possessions are in danger, just like yours, and that nobody seems to be able to do anything about it.

    Maybe then you'd break in, to demonstrate it's possible, and get the owner of the house to tighten up security for the sake of you and your friends?

    --
    Breaking Into the Industry - A development log about starting a game studio.
  8. Ask yourself: why is a high school using SSNs? by brg · · Score: 5, Insightful
    What I think this incident really underscores is that high schools, where security is (unfortunately) likely to be lax, should not be using or storing students' Social Security numbers. High schools are perfectly capable of assigning unique ID numbers of their own to students wherever they are necessary; if and when their security is breached, the numbers are not useful for anything beyond the school's own internal databases.

    Keeping SSNs around obviously can't be avoided for the school's employees (for tax and other reasons), but employee databases should be separate from student records, and there are far fewer employees than students anyway.

    Basically, SSNs seem to have become the knee-jerk instant universal ID number for American firms and institutions of all sorts, which is a pity. It's best if we (as IT professionals) try to encourage the keepers of old databases to transition away from using them, and to strongly recommend that new databases not use them at all, wherever possible.

  9. it's all about trust folks by circletimessquare · · Score: 5, Insightful

    there will be a lot of teeth gnashing from slashdotters about this "injustice". usually because the average slashdotter trusts some anarchist high school students more than they probably trust their own police department. they will point out that a security system untested is never sound, and that this move will strengthen security. that better these high school students than someone with truly dark intent break in.

    the problem has to do with what the word "trust" means. society at large doesn't trust an intelligent well-intentioned hacker (these students are hackers as in the old school sense if there ever was one, as opposed to the new school "hacker=terrorist" sense). but they DO trust a bumbling idiotic underpaid school administrator.

    why?

    it's about how the average slashdotter views "trust" and how society at large views "trust". the average slashdotter trusts intelligence, cleverness, technical literacy. but the average joe simply trusts accountability.

    the school administrator's job is to keep security, he is trusted by society, paid by society to do this. he is accountable. the school administrator will be reprimanded by this breach, and the breach will be repaired. this is society at work. meanwhile, there is no social contract with the high school student. there is no trust. there is no accountability.

    yes, security will be better because of what they did. yes, their intent is perfectly sound. but there is no trust, there is no accountability as far as the average joe sees it.

    the lesson therein is for the average slashdotter then:

    accountability is more important than cleverness.

    to put it another way, the average joe doesn't care how technologically sophisticated the security is on their SSNs. the average joe just cares if THERE IS SOME ACCOUNTABILITY. so the SSNs could be on a text file on webserver, they don't care. the question si: is someone's job on the line for the theft? the average joe understands this concept: someone will suffer if my identity is stolen. there fore, someone out there is motivated to protect me.

    meanwhile, these students have no social contract, no accountability. what is their intent? what is their motivation to do good by me? all i have to trust is their word, and i don't know them from adam. therefore, all that they have done for the average joe goes unheeded, unrecognized. the students helped the average joe, but the average joe sees them as criminals.

    folks: gnash your teeth all you want, i'm just trying to give you all a heads up about the difference in thinking between the average joe and the average slashdotter. if you don't like what i am saying, don't be mad at me, don't shoot the messenger.

    be angry that trust does not mean same thing to you and the average guy on the street.

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  10. Cover up by panurge · · Score: 5, Insightful
    Trying to get into places they shouldn't, whether it is safes or knickers, is something that adolescent boys are programmed to do. Anybody responsible for school systems has an obligation to understand this and deal with it. This is nothing to do with social relativism, as the more fascist /.ers seem to think: it's elementary precaution. Regardless of the motivation of the hackers, the people responsible for the system should be required to be trained in security (and perhaps be downgraded till they had passed their exam) because they failed to take account of something widely known in education. If the zoo keeper leaves the doors unlocked on the lion cages, the lions may escape and end up having to be shot, but what about the zoo keeper?

    The truth is the lazy, idle and incompetent always prefer the cover up to the fix. Whether it is the Roman Catholic church and child abuse, torture at Guantanamo Bay, or security holes, the people in charge will conceal rather than cure. Two examples from my own career:

    I was once asked to investigate the apparent failure of an automated component test system. Eventually a review of the hardware and software left the only option as being that the production personnel were deliberately falsifying results and passing rejected batches. Result: three senior managers demanding I be sacked. Fortunately at this point we acquired a new CEO who had several clues. One manager was fired, one left of his own accord and the other was downgraded. But customer confidence had been eroded and the plant eventually had to be shut down. The second example was less exciting: a production director who resisted for years the introduction of statistical process control because it would make clear where systems were failing.

    I'm sure many of us have similar examples. It is not in fact important what the motivation of the whistle blower is, we need to change the culture to one in which the response is "Fix it", not "shoot the messenger". With hindsight, we may one day conclude that the tradition of open bug fixing is FOSS is its greatest social legacy.

    --
    Panurge has posted for the last time. Thanks for the positive moderations.
  11. What are kids coming to these days? by raehl · · Score: 5, Funny

    How many times have people broken into school databases only to be arrested!

    Back when I was in school, we only broke into the school database to change our grades.

    --
    paintball