Slashdot Mirror
Kutztown Students get Felony Charges
gone6713 writes "The 13 students from Pennsylvania who were accused of hacking the iBooks provided to them by the school (Slashdot had a previous story on them back in June) have offically been charged. It seems that the admin passwords were taped to the back of the iBooks!"
If your going to charge the kids with felonies, then you should charge the IT administrators with aiding and abetting for leaving the password there.
Isn't it? To make example of certain people to buy the compliance of the rest of us (sheep)?
Especially in highschools. Or maybe just PA (I live 20 minutes from Kutztown). I remember a girl getting treated like a drug dealer because she a)bought aspirin to the school and didn't hand it over to the school nurse (so that she could subsequently go back to the school nurse when it's time to take them - talk about being treated like a 5 year old) and b)giving one to her friends that had a headache.
IIRC, she was kicked out of the district.
Variations of this heavy-handedness happens so often everywhere that I'm surprised it makes the news anymore. I think Columbine made it worse because now the administrators are going apeshit over every little thing - turning the schools into a sort of police state.
What would be news would be the punishment fitting the crime. But then the school administrators would have to admit that they are mostly at fault in this case (really: taping the passwords to the back of the computers?!)
I went to this high school and grew up in this town. Let me tell you this...The system administrators never had a firm grip on the students, I assure you...and they had been outdone several times before this. Suffice to say, the school tends to overreact about things that they don't understand...and Computers is one of those topics. I work in IT now and now that I understand security and such, I realized how much my high school sucked about security...they never really thought about it. Anyways...its kind of amusing to find my hometown on Slashdot...its little more then a farming town with a college in it. My graduating class was 140 people.
L8tr all.
Having attended and later worked in an American high school where the mentality was definitely one of suspicion and enforcement (ala prison) rather than education, I'd suspect that these passwords were taped there on purpose to try to catch and then be able to endict nonconforming students, who, the thread of thought would go, are the same ones likely to create disciplinary problems through the introduction of unrest and disobedience.
STOP . AMERICA . NOW
It's shit like this that makes me want to leave the country.
I sympathize to some extent actually. Read the district press release:
"Unfortunately, after repeated warnings and disciplinary actions, a few students continued to misuse the school-issued laptops to varying degrees. The disciplinary actions included detentions, in-school suspensions, loss of Internet access, and loss of computer privileges. After each disciplinary action, parents received either written notification or telephone calls. Some parents felt that the disciplinary actions were ridiculous and even expressed the feeling that their son/daughter should be able to do non-school activities and use the laptop without restrictions. Some students acknowledged that they used their school-issued laptop inappropriately at home rather than their home computer for fear their parent would catch them."
There is a simple way to fix this problem. If you don't want them to use the laptop at home, don't let them take it home.
My concern about the trend towards computerization in our schools is that students will not have the oportunity to opt-out of restrictions (say, by providing their own laptops). This is not that different from a world where everybody would be unable to opt-out of a trusted computing world, or even a Microsoft Windows world.
A second thought (IANAL) is that such heavy-handed punishment as a felony charge in this case might very well seem like cruel and unusual punishment and it might be possible to challenge the constitutionality of the law as applied to this case. Charging minors with felonies for using passwords taped to the back of the computers they were issued seems both cruel and unusual to me. However, where exactly one draws this line in this case might be fairly difficult to answer.
Finally, students have some privacy rights even regarding school lockers. It seems to me that constant monitoring might infringe upon those legitimate rights. IANAL, again though....
LedgerSMB: Open source Accounting/ERP
And that's why I agree they should face consequences for their actions. Let's say someone goes to downtown Miami at 2 AM in the morning with their brand new BMW. They park it, walk away leaving the doors unlocked, and the car gets stolen 10 minutes later. Who actually did the stealing? The theives, of course. Should they be punished? Absolutly. But the person who owned the car easily enabled that to happen when he should have known that 1) He was in Miami, one of the highest crimerate cities in the nation, 2) at 2 AM in the morning, 3) With a $30k+ vehicle. His stupidity opened the door for the car to be stolen. Serves him right, in my opinion. Does that make the these kids guilty, though? Absolutly.
The Computations of AdamR
http://www.adamreyher.com
Or you could just call and complain:
l
:D
http://www.cutusabreak.org/Pages/policeletter.htm
Hmmmm can just see the police switchboard getting slashdotted now!
-={ Security does not exist - give up }=-
I didn't mean to suggest that the whole thing, bottom to top, was a scheme. I mean to suggest that the laptops were going to go to students anyway, and when the IT contractor asked the administrator, "Where do you want me to file the passwords away?" the administrator responded with, "Put them on the backs of the machines and we'll see who..."
Something nearly the same happened when I was contracting for high schools. The DOS machines they used (this was a few years ago) could have been configured to start students into a menu system that was uninterruptable (i.e. turn machine on, get menu of available applications, no alternatives, no way to break out of the menu structure).
Instead, they wanted me to use the AUTOEXEC.BAT batch file to launch the menu system rather than a menuing application started directly on bootup. Why? So that they could watch and see who hit CTRL-C at boot to exit the batch file. Those students were then expelled for "hacking" (even though these machines weren't on a network at all, this was ca. 1992) and they lost their computer priveleges at the high school for the rest of their high school career.
Why? That's a question that was never satisfactorily answered to me. I can tell you that the answer was something along the lines of what I mentioned in my previous post: such students were basically believed to be "too big for their own britches" and it was thus basically one more way to find a few more kids with "no respect for authority" and push them out of the system.
While I was still contracting there, I saw two kids expelled for hitting CTRL-C to dump to DOS and explore the C: drive. Both ended up enrolling at a local private high school, to my knowledge.
STOP . AMERICA . NOW
Agreed. However, if you read their account on the website, some of the students that had been charged attempted to turn their laptops in, but the school gave it back and told them they had to use the laptops -- they even told the administration that the laptops were a temptation to misbehave, and asked that the administration take the laptops. Requiring the children to have a laptop, which the children admitted posed a temptation is tantamount to encouraging the progression of a problem. In any other element of society, if you attempt to surrender something because it posses a danger to you or to someone else, the organization will take it. If I go to the DMV or the Sherifs office and state that I feel that my driving is a danger, they will gladly take my license away. Or if I go to the doctor and tell him that a medicane I am taking I am gettting adicted to, then he will change it. The main thing that I see is that the students are being punished after attempting to give up the temptation, when the administration forced them to have the temptation. The way I see this is that some of the students were responsable enough to admit the problem, seek help, but were turned away -- that, in my mind, is an endorsement of failure. The students parents might be able to make a claim of criminal neglegence. If the students had said that they were going to commit another criminal activity, and did, then the school would hold liability for failing to take preventative steps if the school indeed failed to take such steps.
Do the student's bear some of the responsability. Yes. It would assinine to say that they didn't. However, the school system should have taken the computer's security more seriously, and should have used stronger passwords, and should not have put them on the computers. When the problem was discovered, the school should have taken steps to provide new passwords, which are stronger and not publicly known. For students that had been disciplined for misbehaving on the computers, a more proactive steps should have been taken to make sure that future violations would be adverted.
The other question that I have, is what education about the use of computers was implemented? Was there an AUP? And did the students understand what the implications of using the computers in that manner would mean. Second question, did the student's parents know that they were being interrogated under the threat of prosecution? If the parents of the children were not present or given the opportunity to be present and if the children were not given their rights, then any evidence collected would be inadmissable in court. The third question, is what point would prosecuting these children accomplish?
The views expressed are mine own and do not express the views of my employer.
The taping of the password to the backs of the machines is what I call an "Attractive Nuisance", in my not so humble opinion. Here's a sample definition:
e -doctrine.htm
attractive nuisance doctrine
There is normally no particular care required of property owners to safeguard trespassers from harm, but an attractive nuisance is an exception. An attractive nuisance is any inherently hazardous object or condition of property that can be expected to attract children to investigate or play (for example, construction sites and discarded large appliances). The doctrine imposes upon the property owner either the duty to take precautions that are reasonable in light of the normal behavior of young children--a much higher degree of care than required toward adults--or the same care as that owed to "invitees"--a higher standard than required toward uninvited, casual visitors (licensees).
http://insurance.cch.com/rupps/attractive-nuisanc
By taping the passwords to the backs of the machines, the school system had created an attractive nuisance, especially considering the "behaviour of normal children". This was like installing a pool, placing a sign saying "Don't Swim", REFUSING to put up a fence, and then disclaiming all responsibility when someone drowns (violates policy).
The school administration in this case is a fucking waste of oxygen.
--
BMO
Then stop making me change my account passwords every 30 days! That is the most irritating, counter productive thing IT groups do with password management. Sure, make me type in garbage with no repeating characters. Sure, make the password 12 or more characters with at least 3 numbers. This I can accept. But once I type in a conforming password, don't ask me to change it!
Our IT department just implemented this 30 day policy on all of the IT services. Unfortunately they don't have a shared password system so each of the 10 applications I need to do my job have different passwords. And of course these passwords all expire at different times.
I never used to have to write down my passwords. I had one that worked for all my work-related services. But now I'm writing them all down. If someone happens to find it, it's not my problem.
Foist this stupid scheme on people and of course they're going to write them down. Better that than forgetting a password and have yourself locked out of the system you need to do your job. Next you waste 20 minutes of the day waiting for the arrogant IT guy to reset it all the while listening to him complain about all the password resets they've done that day.
So frustrating. What's the point when a little social engineering can get a password without too much trouble?
Why do people write down the real password?
Because no one ever suggested otherwise!
Seriously, the biggest part of "having a sane password police" is to TEACH THE USERS BEST PRACTICES.
Everywhere I've worked, and I've worked at a lot of places since I've been contracting since the early days of the internet bubble, there has been zero user education about passwords.
Typically the IT department comes up with some rules and they think their responsibility stops there. Since they never bother to teach their users the best way to follow the password rules, it is no surprise that the users come up with all kinds of cockamamie schemes.
These people aren't computer security experts, they are just regular schmoes who want to get their work done wit h the last amount of hassle. They've never had to think deeply about password security, so of course most of them never will on their own. They will take the path of least resistance to getting their work done and writing their password down in an easy to find place is very low resistance.
Teaching them smart and effective password techniques is one of the surest ways to improve security that there is.
When information is power, privacy is freedom.