Slashdot Mirror
Kutztown Students get Felony Charges
gone6713 writes "The 13 students from Pennsylvania who were accused of hacking the iBooks provided to them by the school (Slashdot had a previous story on them back in June) have offically been charged. It seems that the admin passwords were taped to the back of the iBooks!"
If your going to charge the kids with felonies, then you should charge the IT administrators with aiding and abetting for leaving the password there.
Isn't it? To make example of certain people to buy the compliance of the rest of us (sheep)?
Especially in highschools. Or maybe just PA (I live 20 minutes from Kutztown). I remember a girl getting treated like a drug dealer because she a)bought aspirin to the school and didn't hand it over to the school nurse (so that she could subsequently go back to the school nurse when it's time to take them - talk about being treated like a 5 year old) and b)giving one to her friends that had a headache.
IIRC, she was kicked out of the district.
Variations of this heavy-handedness happens so often everywhere that I'm surprised it makes the news anymore. I think Columbine made it worse because now the administrators are going apeshit over every little thing - turning the schools into a sort of police state.
What would be news would be the punishment fitting the crime. But then the school administrators would have to admit that they are mostly at fault in this case (really: taping the passwords to the back of the computers?!)
I went to this high school and grew up in this town. Let me tell you this...The system administrators never had a firm grip on the students, I assure you...and they had been outdone several times before this. Suffice to say, the school tends to overreact about things that they don't understand...and Computers is one of those topics. I work in IT now and now that I understand security and such, I realized how much my high school sucked about security...they never really thought about it. Anyways...its kind of amusing to find my hometown on Slashdot...its little more then a farming town with a college in it. My graduating class was 140 people.
L8tr all.
Only the sensationalist news media has called the teens "hackers". Believe it or not, most judges understand the difference, and their defense lawyers will at least argue the point enough to inform any jury that gaining access is not the same as hacking.
Regardless
The law is not about hacking, it is about Unauthorized Entry. You don't have to pick the lock to be somewhere you shouldn't, and you don't have to cut through any fences to be prosecuted.
Rex is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Having attended and later worked in an American high school where the mentality was definitely one of suspicion and enforcement (ala prison) rather than education, I'd suspect that these passwords were taped there on purpose to try to catch and then be able to endict nonconforming students, who, the thread of thought would go, are the same ones likely to create disciplinary problems through the introduction of unrest and disobedience.
STOP . AMERICA . NOW
It's shit like this that makes me want to leave the country.
I sympathize to some extent actually. Read the district press release:
"Unfortunately, after repeated warnings and disciplinary actions, a few students continued to misuse the school-issued laptops to varying degrees. The disciplinary actions included detentions, in-school suspensions, loss of Internet access, and loss of computer privileges. After each disciplinary action, parents received either written notification or telephone calls. Some parents felt that the disciplinary actions were ridiculous and even expressed the feeling that their son/daughter should be able to do non-school activities and use the laptop without restrictions. Some students acknowledged that they used their school-issued laptop inappropriately at home rather than their home computer for fear their parent would catch them."
There is a simple way to fix this problem. If you don't want them to use the laptop at home, don't let them take it home.
My concern about the trend towards computerization in our schools is that students will not have the oportunity to opt-out of restrictions (say, by providing their own laptops). This is not that different from a world where everybody would be unable to opt-out of a trusted computing world, or even a Microsoft Windows world.
A second thought (IANAL) is that such heavy-handed punishment as a felony charge in this case might very well seem like cruel and unusual punishment and it might be possible to challenge the constitutionality of the law as applied to this case. Charging minors with felonies for using passwords taped to the back of the computers they were issued seems both cruel and unusual to me. However, where exactly one draws this line in this case might be fairly difficult to answer.
Finally, students have some privacy rights even regarding school lockers. It seems to me that constant monitoring might infringe upon those legitimate rights. IANAL, again though....
LedgerSMB: Open source Accounting/ERP
I can tape the key to my house on to the front door of my house, and while that is extreme stupidity on my part, that does not give you permission to unlock the door and come inside.
However, your insurance company won't pay out.
And that's why I agree they should face consequences for their actions. Let's say someone goes to downtown Miami at 2 AM in the morning with their brand new BMW. They park it, walk away leaving the doors unlocked, and the car gets stolen 10 minutes later. Who actually did the stealing? The theives, of course. Should they be punished? Absolutly. But the person who owned the car easily enabled that to happen when he should have known that 1) He was in Miami, one of the highest crimerate cities in the nation, 2) at 2 AM in the morning, 3) With a $30k+ vehicle. His stupidity opened the door for the car to be stolen. Serves him right, in my opinion. Does that make the these kids guilty, though? Absolutly.
The Computations of AdamR
http://www.adamreyher.com
Leaving the ignition in the keys of your car does not justify someone stealing it (and its still illegal).
No, but if you leave the keys to your car in the ignition and it gets stolen. Its no longer Grand Theft Auto. Its just Theft. Amazingly the legal system is smart enough to realise that you are partly at fault for your car being stolen since you left the keys in it. What a conecpt. Accountability.
This is the same thing as writing the admin password on the bottom of the laptop.
The school officials should be charged for not properly securing public property.
Could you imagine if some highschool principal put the key to every door in a highschool under the door matt in front of each door. Once the school got robbed the general public would go ballistic when they learned the keys were everywhere. The principal would probably be brought up on charges for loosing thousands of dollars worth of school equipment.
But yet the same incident happens on a computer and nothing happens. Bizarre.
My sig can beat up your sig.
Or you could just call and complain:
l
:D
http://www.cutusabreak.org/Pages/policeletter.htm
Hmmmm can just see the police switchboard getting slashdotted now!
-={ Security does not exist - give up }=-
That's true ... but I won't get charged with breaking and entering! These kids are being charged with hacking as a criminal offense, not for "violating the schools terms and conditions". That's despicable.
last resort? how about take their laptops away. voila, no more problem.
just because I don't care doesn't mean I don't understand!
I didn't mean to suggest that the whole thing, bottom to top, was a scheme. I mean to suggest that the laptops were going to go to students anyway, and when the IT contractor asked the administrator, "Where do you want me to file the passwords away?" the administrator responded with, "Put them on the backs of the machines and we'll see who..."
Something nearly the same happened when I was contracting for high schools. The DOS machines they used (this was a few years ago) could have been configured to start students into a menu system that was uninterruptable (i.e. turn machine on, get menu of available applications, no alternatives, no way to break out of the menu structure).
Instead, they wanted me to use the AUTOEXEC.BAT batch file to launch the menu system rather than a menuing application started directly on bootup. Why? So that they could watch and see who hit CTRL-C at boot to exit the batch file. Those students were then expelled for "hacking" (even though these machines weren't on a network at all, this was ca. 1992) and they lost their computer priveleges at the high school for the rest of their high school career.
Why? That's a question that was never satisfactorily answered to me. I can tell you that the answer was something along the lines of what I mentioned in my previous post: such students were basically believed to be "too big for their own britches" and it was thus basically one more way to find a few more kids with "no respect for authority" and push them out of the system.
While I was still contracting there, I saw two kids expelled for hitting CTRL-C to dump to DOS and explore the C: drive. Both ended up enrolling at a local private high school, to my knowledge.
STOP . AMERICA . NOW
Agreed. However, if you read their account on the website, some of the students that had been charged attempted to turn their laptops in, but the school gave it back and told them they had to use the laptops -- they even told the administration that the laptops were a temptation to misbehave, and asked that the administration take the laptops. Requiring the children to have a laptop, which the children admitted posed a temptation is tantamount to encouraging the progression of a problem. In any other element of society, if you attempt to surrender something because it posses a danger to you or to someone else, the organization will take it. If I go to the DMV or the Sherifs office and state that I feel that my driving is a danger, they will gladly take my license away. Or if I go to the doctor and tell him that a medicane I am taking I am gettting adicted to, then he will change it. The main thing that I see is that the students are being punished after attempting to give up the temptation, when the administration forced them to have the temptation. The way I see this is that some of the students were responsable enough to admit the problem, seek help, but were turned away -- that, in my mind, is an endorsement of failure. The students parents might be able to make a claim of criminal neglegence. If the students had said that they were going to commit another criminal activity, and did, then the school would hold liability for failing to take preventative steps if the school indeed failed to take such steps.
Do the student's bear some of the responsability. Yes. It would assinine to say that they didn't. However, the school system should have taken the computer's security more seriously, and should have used stronger passwords, and should not have put them on the computers. When the problem was discovered, the school should have taken steps to provide new passwords, which are stronger and not publicly known. For students that had been disciplined for misbehaving on the computers, a more proactive steps should have been taken to make sure that future violations would be adverted.
The other question that I have, is what education about the use of computers was implemented? Was there an AUP? And did the students understand what the implications of using the computers in that manner would mean. Second question, did the student's parents know that they were being interrogated under the threat of prosecution? If the parents of the children were not present or given the opportunity to be present and if the children were not given their rights, then any evidence collected would be inadmissable in court. The third question, is what point would prosecuting these children accomplish?
The views expressed are mine own and do not express the views of my employer.
Forgive me for a moment, this post may seem slightly off topic but I think that what we are seeing is the symptom of a larger problem and that is what I want to address in this post. So, flame away if you want.
Kids, by their very nature are curious and, a bit rebelious. That hasn't changed in generations, kids have always been tempted by things that they know they should not do and kids have always been known to defy authority. I know I did, and I'll bet you did too!
I was very fortunate to have had several teachers who were actually able to harness my curiosity and my desire to "push the boundaries." To this day, I think they were the best teachers I had.
I also had the other kind of teacher; I remember specifically one English teacher who told us to read a specfic chapter. I got in trouble for reading beyond the chapter! I loved reading and simply got caught up in the story. Why he got upset is still beyond me.
Many teachers no longer teach kids, they teach cirruclium. They expect kids to march in lock-step to their plans. Kids going though this feel like they are prisoners and that their teachers are little more than glorified babysitters! They get bored, they don't understand why they are being limited and, they naturally fight this by defying the silly rules established by the people in authority. In short, the kids will be kids (just like they always have been).
Yeah, the kids hacked the computers and used them for things that maybe they shouldn't have. I have to say that the administrators of the school should have expected this.
It seems to me there were probably a number of other things that could have been done - including a policy of "if you hack this, we will take it away from you and you will fail the class". The way that it has happend smells like the administration has chosen, intentionally, to make examples out of these kids. I suspect that this was done to send a message to future students "Don't mess with us" - but this kind of thing against kids seldom works and can easily backfire (especially if nothing comes of the charges).
I feel for the kids, I really do. Not because they hacked the computers but because the administration and staff of the school have obviously made some poor choices along the way. This problem is a symptom of something wrong much deeper in the system. The teachers should realize they are teaching kids who are naturally curious, naturally push the limits, and naturally defy authority. If these kids were challenged, rather than restricted, they would learn a hell of a lot more.
Teachers, please go back to teaching kids, not cirriculum!
The taping of the password to the backs of the machines is what I call an "Attractive Nuisance", in my not so humble opinion. Here's a sample definition:
e -doctrine.htm
attractive nuisance doctrine
There is normally no particular care required of property owners to safeguard trespassers from harm, but an attractive nuisance is an exception. An attractive nuisance is any inherently hazardous object or condition of property that can be expected to attract children to investigate or play (for example, construction sites and discarded large appliances). The doctrine imposes upon the property owner either the duty to take precautions that are reasonable in light of the normal behavior of young children--a much higher degree of care than required toward adults--or the same care as that owed to "invitees"--a higher standard than required toward uninvited, casual visitors (licensees).
http://insurance.cch.com/rupps/attractive-nuisanc
By taping the passwords to the backs of the machines, the school system had created an attractive nuisance, especially considering the "behaviour of normal children". This was like installing a pool, placing a sign saying "Don't Swim", REFUSING to put up a fence, and then disclaiming all responsibility when someone drowns (violates policy).
The school administration in this case is a fucking waste of oxygen.
--
BMO
Then stop making me change my account passwords every 30 days! That is the most irritating, counter productive thing IT groups do with password management. Sure, make me type in garbage with no repeating characters. Sure, make the password 12 or more characters with at least 3 numbers. This I can accept. But once I type in a conforming password, don't ask me to change it!
Our IT department just implemented this 30 day policy on all of the IT services. Unfortunately they don't have a shared password system so each of the 10 applications I need to do my job have different passwords. And of course these passwords all expire at different times.
I never used to have to write down my passwords. I had one that worked for all my work-related services. But now I'm writing them all down. If someone happens to find it, it's not my problem.
Foist this stupid scheme on people and of course they're going to write them down. Better that than forgetting a password and have yourself locked out of the system you need to do your job. Next you waste 20 minutes of the day waiting for the arrogant IT guy to reset it all the while listening to him complain about all the password resets they've done that day.
So frustrating. What's the point when a little social engineering can get a password without too much trouble?
Things like that make it just as hard for someone to crack, but easier (for me at least) to remember
"In a time of universal deceit - telling the truth is a revolutionary act." - George Orwell
with kids.
You will lose. Any sane parent knows this. The educators, with their specialized training totally should know this. As a father I know this.
The policy should reflect the reality of computing today; namely, that any access control methods can and will be circumvented by those willing to do so. Period, end of story. There is very little the school could do to prevent this kind of thing, so why bother?
Either the kids play ball, or they don't get their own computer. Have a lab room setup for those not willing to agree to the terms of use and those that think they are willing, but end up on the wrong side of the rules.
Charging these kids with a felony crime is just wrong. It's going to affect their future far more than it helps the school keep control. I've a feeling this school is one of these zero tolerance, power tripping schools that does more actual harm than good.
So, they could have just taken the computers, booted the kids, put them on an alternative learning track, etc.... But, continuing to escalate the issue the way they did invited trouble, was counter productive, and could easily be considered rather draconian. --> "Lets make examples of a few of them to keep the others in line". Yeah, like I want my teen going to a school like that.
In the schools defense, the law has taken away a lot of their power these days. The school staff is sharply limited in what they can actually do without going to the courts. (Which makes a keen understanding of the whole power struggle thing all the more important!) When I went to HS, in the 80's, principles could still actually make kids *do* things. Breaking up fights, for example, often meant the principle stepping in there, grabbing some kids, and sorting things out. He was never in the office, walked around the school and kept order.
Things are far different today where even touching kids can get educators in trouble.
There is a fine line being crossed with the whole kids rights thing. In terms of things like expression, we should be yielding to the kids. However, in terms of behavior, we should let the schools do a bit more than they currently are, if we are to avoid the courts for teen struggles.
Also, where the fuck are the parents in this whole thing? If this were my kid, I would quite honestly start working that school and legal system over until the problem was corrected. I'm all for kids towing the line, but it's a two way street. If the school creates an environment for failure, (which they clearly have), the punishment for that failure needs to serve some greater end. (Which it clearly doesn't.)
This whole mess is a crock. Anyone, who has parented teens, who possesses just a bit of common sense would have been able to defuse this issue and move on. My gut says this whole small town is fucked up.
Blogging because I can...
GPG 0x1B479C78
If software requires that the admin knows the user's password to do basic administration, then you need to consider alternative technologies.
I can see both sides of this issue.
The reason Windows doesn't allow superusers to su to other accounts without their password is for accountability. It's a lot harder to notice a rogue admin reading and modifying files of execs when he/she can do it without knowing their password.
There are ways around the restriction in terms of necessary administration. If someone is fired or leaves the company, an administrator can transfer ownership of their files to another user, giving them access. If an admin really needs to log in as someone else without their consent (maybe for legal investigative reasons?) they can change the password on the user's account.
Now, where this breaks down is something like Exchange. My admin account at work is a member of the Exchange administrators' group, meaning I can read anyone's email in the company without knowing their password. That's frequently the information that should be the *hardest* to get to.
OTOH, logically I believe that *ix has it right when it lets the superuser do *anything*. Dear Microsoft: I'm not really an administrator if there are processes I can't kill, and files I can't delete.
The ownership stuff I mention above is an illusion anyway, since as an administrator I could install a keylogger on someone's workstation to get their password.
Anyway, that was kind of a ramble, but my point is that it's a philosophical difference. Windows is designed in most ways to be Nerfed so that you don't shoot your eye out, and most of your admins don't know how to access restricted information without leaving a trail.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
Rather than charging students with crimes for this type of activity, I'd be for the immediate termination of anyone on the high-school's "I.T. staff" who actually thought this was a good or even "workable" policy!
If there really is a "hidden agenda" of fishing for "troublemakers", that's a very poor way to accomplish anything. I mean, hey, why not issue knives to every incoming student too and just sit back and wait to see who starts stabbing people?
And anyway, historically speaking, the tinkerers/experimenters of the world are the ones who accomplished and contributed the most to society as a whole. "Respect for authority" be dammed.... Computers are all about exploring and experimentation. If you can't even create a "virtual sandbox" of sorts out of the system configuration you're issuing your students, so they have "boundaries" to what they can do on said machines, that just illustrates that the students are smarter than the faculty. The tools *are* and *have been* available to restrict usage of computers to only specific applications. If you opt not to use them, then I think you're making a de-facto vote for allowing students to do as they will with the laptops.
You know which ones are most likely to go off and install programs like iChat AV or take full advantage of "remote control" software they figure out how to use? That's right -- the smartest ones and the ones who actually *enjoy* using a computer! But no, we have to punish them and encourage the mediocrity instead. Teach students that computers are ONLY there for specific tasks we set up for them in advance. Don't "have fun" with it or you're a "hacker". Drum all the curiousity out of them. It's EVIL!
Why do people write down the real password?
Because no one ever suggested otherwise!
Seriously, the biggest part of "having a sane password police" is to TEACH THE USERS BEST PRACTICES.
Everywhere I've worked, and I've worked at a lot of places since I've been contracting since the early days of the internet bubble, there has been zero user education about passwords.
Typically the IT department comes up with some rules and they think their responsibility stops there. Since they never bother to teach their users the best way to follow the password rules, it is no surprise that the users come up with all kinds of cockamamie schemes.
These people aren't computer security experts, they are just regular schmoes who want to get their work done wit h the last amount of hassle. They've never had to think deeply about password security, so of course most of them never will on their own. They will take the path of least resistance to getting their work done and writing their password down in an easy to find place is very low resistance.
Teaching them smart and effective password techniques is one of the surest ways to improve security that there is.
When information is power, privacy is freedom.
This reminds me of a time in High School when I was called to the office and told my network folder had been cleared and my login disabled for downloading MP3s. What were these MP3's that I downloaded? JFK's speeches for a final project in one of my classes.
....Because it does not work when you have 10 or 20 different systems...
Computers are much better at remembering stuff like passwords than most of us. Let the computer remember all your passwords in an encrypted password file. Then all you have to remember the ONE very good password that unlocks that file. Macs come with a nifty thing called keychain, where all password are stored. Many Internet sites and other servers get the password from the keychain automatically if it is already unlocked. The default is to unlock your keychain with the same password when you log in to the Mac. However, that may be changed by the user. A separate password can be used for the keychain. I am sure there must be similar schemes available for Windows. Of course, this doesn't help anyone who must log in from many different computers in various places. Here is an opportunity for someone to come up with a cheap, calculator type gadget that stores passwords securely. It can then display the login data on a screen or feed it directly to a computer via a USB plug or bluetooth wireless. Such a function could easily be added to a cell phone.
All theory is gray