Student Charged With Three Felonies For Finding Security Flaw — and Report
Well, yet another teenage hacker who "did the right thing" by reporting a security flaw is being punished for his actions. Although it definitely sounds like the whole story may not be in the clear yet, a 15-year-old New York high school student has been charged with three felonies on the claim that he accessed a file containing social security numbers, driver's license numbers, and home addresses of past and present employees ... and then sent an anonymous email to the principal alerting him to the security flaw. "All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks."
Was there any bit of responsible disclosure? Because it sounds a bit like "killing the messenger". While there may be discipline in order, this seems to be overkill if he was really intending to do the right thing.
The person who reports the crime is often the first suspect or person of interest.
Or simply, "Who ever smelt it, dealt it."
Forget that this kid was doing a service to report the flaw, they are more concerned with why the kid was trying to access the site in the first place.
Reporting a security hole is not noble, it's stupid.
damn... refresh-to-post time / etc was far too late... damn New Zealand / US internet relations :(
If the email was anonymous how did they find him?
After accessing the information, he sent an email alerting the principal to the breach and signed it "A student." With the help of the district's IT department, the principal identified the boy as the culprit.
Ah, looks like it wasn't anonymous at all.
If you read the whole article, it sounds a bit like he might have been trying to blackmail the school with the details of the hack. As The Register notes, the email contents aren't available, and the quote "He ... was looking to profit from his criminal act." also suggests that he may have been blackmailing the school.
I'd like to hope so, at least, because otherwise the school is going WAY overboard...
As in, being hit with the law book.
I RTFA but see no sign of this. At best there is this bit from a followup link in TFA:
But for fuck's sake, three felonies at 15? For a fucking non-violent, non-destructive "offense"?
Poor kid is screwed for life.
"Although it definitely sounds like the whole story may not be in the clear yet" ...we will still report our take on the story and present it as fact.
Replace the file with hello.jpg
It's just the screwed up legal system. They could just about get Computer trespass to stick, although probably wouldn't get a particularly harsh sentence passed. What they can do though is threaten the kid with these charges, mention that he could potentially serve 20 years and get him to plea bargain to a lesser crime.
If he maintained his innocence and demanded a jury trial he'd have a good chance of being found innocent and if not the penalty would probably be minor. His behaviour just isn't that of a criminal. The whole system is broken. It's a game of bluff, but the stakes are the liberty of innocent people.
sounds like the whole story may not be in the clear yet
Something being "in the clear" means to be out of danger. You mean "sounds like the whole story may not be clear yet".
stupid people fear smart people
The Admin and the Engineer
I'm just curious to know what charge the IT manager is going to face for aiding and abetting this 15 year old by failing to properly secure the IT systems.
In middle school, I confessed to being able to read quite a few teachers' emails. Most of their passwords were the same as their username, or in the two cases where it wasn't, I guessed... One was as easy as 'jesus' ... I had to write a 2 page paper on cyber ethics. From then on I never confessed to anything again... I'm a senior in high school, but from time to time I still see if I can get into their accounts, and there is one that hasn't changed after all this time. :P
He did the equivalent of finding a hole in someone's fence, breaking through the fence into the person's property, and then having a look around before telling the owner "hey, your fence has a hole in it". The kid was foolish here, assuming he had the best of intentions.
But hey, at least the kid learned a valuable (and sad) lesson in life:
No good deed goes unpunished.
Damn it people! This just upsets me to no end! Do you have any idea how many systems are just wide open? Even I don't know how many systems I have "broken" into and done NOTHING but just let it be. If I tell someone I get arrested. If I do something with the data I am a thief. If I don't do anything at all I am a saint.
Sigh!
This means this person, capable of not only using the internet but as a (clearly) (semi-) advanced user, is now no longer able to vote...because of something they did before they were legally eligible in the first place? And something they admitted to? Yet someone who doesn't know their left hand from a donkey's a-hole and votes based entirely on which guy they'd rather drink a beer with and/or whichever has a photo-op with someone who looks more like them is free to do the same AND drive drunk AND steal potentially thousands (but not over 10 thousand or so, depending on the state) AND even rape in some cases and still vote.
"Simon Grybgersczywy" no idea who he is but he was obviously at the back of the queue when the vowels were handed out.
This is like Boston freaking out over Lite-Brites. I hope the kid not only calls their bluff and asks for a jury trial, but finds some way to counter-sue.
THE major contributors to our political campaigns are the Prison Guard Unions. No, really, I wish it wasn't true. It's why half of all black men will have a felony conviction and spend time in prison. We have more prisoners than South Africa or Russia ever did.
And our schools let an 18 year old finish with a 12 year old's education. Not good for much else in an internet world, guard or prisoner.
Jail the planet baby, it creates good paying jobs. Notice President Obama doesn't mention this in his campaigning, it's only going to get worse.
That's what's wrong with us.
And one who breaks security is like the one who alerts the king about wearing no clothes. You WILL get punished. You WILL be dealt with.
I saw this all the time at schools, jobs and the like. People don't like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.
If you are smart about security, keep your mouth shut. There's not much you can do, except make yourself a target.
This kid just received a lesson in life: he should have used this information to perform criminal deeds and he'd probably never have been caught.
This is why I send all my blackmail from my neighbor's WEP-enabled wireless.
This happened to me in winter of 2000. I found an open FTP site on the LAN of my public school that contained sensitive information about the municipality's elderly care. I reported it to the Swedish Data Inspection Board. I later found out that the municipality had filed a police report to find the alleged 'hacker' who was able to break the 10-digit code (read: IP address).
My only comfort was that I had reported the findings anonymously.
And yes - the municipality was charged. The period for prosecution for my 'crime' has expired.
This is bullshit - I am really tired of hearing these scenarios where ignorant fascist assholes are doing serious damage to the reputation and future of kids who are doing the right thing.
The message being sent is that rather than being an honest, helpful and productive member of networked society, we're teaching kids that it's better to be deceptive and not expose dangerous security flaws. ...and FELONIES? What the fuck?!
I feel that there is a message that both the powers that be (and irresponsible sysadmins who have been professionally shamed by these revelations) want to send. The sysadmins don't want to be embarrassed by kids. The feds or police either don't understand and are hearing sysadmins tell them that "these meddling kids broke into our system, it's certainly not MY fault for not securing it", or people who should know better think that it's better to send the message that killing the messenger is the appropriate way to handle security, e.g. what people don't know won't hurt them and what we don't see we won't have to deal with.
I believe that this should be explained to those who aren't very computer/network literate with the following analogy: Let's say you live in one of those multifloor apartment buildings where there is an area in the lobby with many mailboxes which all lock. Each resident gets a key for their own box. This kid either accidentally (or just to see if his and other mailboxes are secure) plugs the key into the wrong box or a box that isn't his and finds that his key (and by logic every other resident's key) opens every mailbox in the building. The mailbox he tests the key on contains an envelope with a ton of cash sticking out of it. He goes to the landlord and says "hey, these keys provide no security because any key can open all mailboxes, and by the way, this mailbox had a ton of cash in it - here's the cash, I didn't want it to get stolen" and he is then arrested and charged with breaking and entering, grand larceny, and other such offenses.
I hope that if any high profile tech people get a chance to comment on this in the press or end up assisting the defense (if it was to go to trial) that they can send a message that criminalizing someone who is doing the right thing is just wrong...
From my own personal experience as a student that used to do these sort of things (report network security flaws to the relevant department), the unfortunate truth is that it's much better to keep your mouth shut.
Kids like this should be praised. He decided to report something he could easily do a lot of mischief with.
... here here including the kid's name. The article notes this isn't the first time he's been in trouble for hacking, so it may explain the apparently over-zealous charges.
If I had found something like this, I would have reported it (anonymously of course) to as many local investigative reporters that I could contact. That way, even if the school's administration wanted to find out who did it, hopefully the media wouldn't give me up as a source.
While white hat hackers get vilified and attacked for reporting their findings with the presumption of guilt until proven innocent, black hat hackers get hired by the top levels of government to do whatever the government wants without morals getting in the way.
This makes me sick to the stomach, not really because of what happened here, but because it's another example where someone with a good moral standard is portrayed as evil while the people without morals (US Govt, US Christians, ...) run the nation.
Has the kid sold the film rights yet? I've got this great idea for using his story: basically a 'hacker' kid gets blamed for a crime bigger than just breaking into a computer system. It could involve a bunch of his hacker friends pissing off "the man" responsible for the kid's arrest, like signing him up to online dating services and changing medical records to show he's dead. Maybe we could get an A-lister in the cast like Angelina Jolie & some other well-knowns like Jonny Lee Miller & Matthew Lillard.
Oh, wait, too late...
To do something right, you often have to roll up your sleeves and get busy.
... once more that people making and executing the laws are braindead idiots.
The only reason why the world still works despite gaping security holes in each and every operating system and application we use on a daily basis, is that 90% of all hackers are actually benevolent.
Go on pissing them off long enough till you finally get a giant baseball bat up your fucking asses like you deserve it =.=
If it ain't your problem don't try to fix it.
http://www.youtube.com/watch?v=O_lwGWfO_Mk
10 year old canada
http://www.youtube.com/watch?v=xakaLeLecvo&feature=related
10 year old florida
http://www.nydailynews.com/news/ny_crime/2008/08/07/2008-08-07_cop_cuffed_me_on_bus_kid_says_in_suit.html
10 year old girl NY
http://www.examiner.com/a-619947~Busted__7_year_old_cuffed__fingerprinted.html
7-- in baltimore
every day http://en.wikipedia.org/wiki/Special:Random
This is an article from the local newspaper here; this is what we have been told about this, and local comments regarding it. http://www.schny.info/cgi-bin/forum/Blah.pl?m-1224924704/ Being my first time here, I hope this is only a reply and not a new thread I just created; if so, sorry.
Just remember kids, the correct course of action is to try and sell the information to highest bidder. Crims pay good money for this information - "honest" people will lock you up for it. If you're going to do the time, hell, might as well do the crime.
I'm not actually endorsing the behaviour I describe above, but this use of the legal system is sending this exact message.
It doesn't matter that the server was misconfigured, or used a default password. What matters is what he did.
He didn't accidentally find this something. He went looking for security hole, found one, used it to look around where he was not supposed to have access, then reported it anonymously. Then, an investigation followed and they found him.
That is the equivalent of him walking down a street and trying each door and window to see if it was open, finding one, going in to the house and looking around, then anonymously reporting what he had done to the police. In the real world it is breaking and entering (look up the law before you say "no breaking occurred").
Uhh, wrong. Here are a couple of links to help your pathetically bad psych 101 research. While the witness number may have been sensationalized (it was more like 11 or 12 confirmed witnesses), it's hard to say for sure who saw and didn't come forward.
Of course I don't expect you to pay any attention to evidence any more than the holocaust deniers, but at least the facts remain this time.
I wonder if any of those 'whistleblower' protection statutes would apply in this case.
In this case the kid used a master key, got into the house, stole, and then tells the owner that he should put in a 1000 USD lock because this 100 USD lock sucks!! Is it still not breaking in? Agreed, public offices should have very, very good locks, but does that weak lock (wrong) make the kid's theft right?
From the law's perspective: the kid should get punishment for breaking in, and the owner too should get punished for keeping confidential records under weak security.
Forget that this kid was doing a service to report the flaw, they are more concerned with why the kid was trying to access the site in the first place.
OK, I know Slashdot is collectively in holier-than-thou rage over this poor, "innocent" kid, but why was the kid trying to access the site in the first place?
It seems to me that he's not being punished for reporting something, he'd being dealt with because he probably broke the law.
Of course, the officials responsible for the shoddy security and data protection should also be dealt with under whatever laws apply in that jurisdiction. But that doesn't excuse a kid who actively went on a fishing expedition. The end cannot be allowed to justify the means in cases like this, or you undermine the basic principle of the laws: you give carte blanche to crackers to have a go at whatever they like, since if they get in, they can just report it and pretend they were doing the world a favour.
Back when I was in high school, a friend of my brother and me was in a similar situation. (RIP Justin)
Our high school had just started a laptop program and their class was piloting it. I was a year ahead so wasn't in it. The school was very 1984 with their networking policies and, being the geeks we were, we tried to get around it using proxies etc. Well, my friend had an account with someone he knew online on a server in Canada. Unbeknownst to our friend, it wasn't a legitimate account his friend gave him. With all the traffic from our school going through this server, the owner contacted the IT people and our friend got in trouble. There was talk of charges being pressed by the Canadian company.
Now, all of that seems a bit overboard, though you can't prove he was or wasn't accessing this server by illegitimate means. To him, it was a valid account. Afterwards, our friend Justin was trying to access his school file account from home and was unable to get in. Using his own username/password, he kept being denied. He was trying to get some homework to work on at home. The school never told him that they had cut off his network access. Later, they saw he was trying to get into the network and said he was hacking their server.... using his own username to access his own files. Anyway, the school board suspended him for a year and pressed charges. Luckily he wasn't found guilty, but the suspension stuck.
Schools are way too overprotective and blow the smallest things out of proportion. I wish someone would take a suit like this to trial and get some precedent set for whistleblowers. Letting someone know that your security is crap should be appreciated. Now, what this young man actually wanted to do is ambiguous from the facts in TFA. But, in my limited experience, officials will exaggerate to get the unknowing population on their side, as they did with my friend. The police officer who is saying that he wanted to profit from the data is probably making things up. They did the same with my friend. They want sympathy as well as to blame someone else for their incompetence. It happens every time something like this happens, especially when it involves a school.
This isn't exactly a matter of the kid finding the loophole and notifying the principal. It sounds like the student may have actually emailed the principal and said "look what I have" ... I think there's more going on here than the Slashdot crowd thinks there is.
shouldn't that be "At School!"?
What virus scanner is it? Maybe it also does automated checks to see if it can log in using common usernames or passwords via widely available methods, i.e. telnet, ftp, ssh, etc. Was it trying any particular usernames?
You are the administrator of a system that an alleged "Good Samaritan" has been trying to hack.
The successful hack would, of course, substantially increase your employer's legal and financial exposure.
But - as a fellow geek, and the trusting soul you are - you believe his motives were as pure as the driven snow.
You believe him when he says "no harm, no foul."
You see no reason for an audit - much less a re-build from scratch.
You have a new career opportunity opening up soon as a greeter at Wal-Mart.
1. The kid did them a favor; however, he should have reported that the credentials were in the wild without actually doing his self-initiated penetration test. That's where he crossed the line.
2. The school district needs to immediately mail notices to all people whose personal data may have been compromised (by the kid or anyone else who logged in), and be prepared for the civil suits should any of that data be used inappropriately.
3. I am not a fan of firing people for one-time incidents (assuming it was one), but a top-down review of server configuration procedures and/or additional training for those involved is highly in order.
In Soviet Russia it is better to report such matters.
Wait, that does not work.
Now that's the State Troopers words, and may not be true
short: If it's a cop describing a case, it's a lie.
long: When the cops describe a case for the press and public, they state as true any assumptions they make, and as assumptions any speculations they can come up with. They are not looking to present the case in a fair and unbiased manner, rather they are attempting to prove guilt by tainting the jury pool as early as possible in order to find the suspect guilty in order to justify the arrest.
If he was able to get in, you need to do an audit, anyway, whether he reported the problem to you or not.
If he was able to get in, then hundreds of others are also able to get in.
If others are able to get in, then a significant security problem exists. Therefore, an audit is needed.
Whether you realized it or not before you were made aware of the situation is irrelevant.
Was his personal information in that file? Did he have reason to believe that the school district was not properly protecting his personal information?
If so, was he testing to make sure nobody else could steal his identity?
If there's not an exception for stuff like that in computer crime laws, there should be.
I've somehow got my name in a database of a realty company that I've never used here in the city, and I know for a fact that they have a WEP encrypted network, because I've warned them about it before.
They have no interest in fixing it. If I were to break in and erase my contact info from their database, am I breaking into a computer, or am I protecting myself?
You keep using that phrase, "copied the files to his computer". I don't think it means what you think it means.
In discussions like this, it might merely mean that the kid accessed a protected area by accident, and his web browser "copied the file to his computer". Law Enforcement sometimes misuses the mere presence of data on the suspect's computer as the standard for proof of guilt, which is sometimes only the browser cache or even the cache for a filesharing program, when the user may not even know what the heck was in it.
The file name undoubtedly was not "click here to get 3 felony charges file against you and seriously fuck up the rest of your life" . The kid appears to have been doing the right thing. Now, if he tried to sell any of the data that he saw, sure, charges might be appropriate. Based on what little public information is available, this appears to be a case of shooting the messenger.
We need better whistle blower laws that don't force you to use your own name. Just look at the guy who uncovered voter fraud and got hit with a few felonies.
Or to requote the above, Don't give a shit about anyone else, let them go hang.. Why do we bother with laws or any of that other shit. Every man for himself.
Trust (and laws, civic pride, and other social niceties) reduces the cost of everyday living; do you check under your car for IEDs every morning?
"Giving a shit" and "doing the right thing" is what holds society together. It means education for everyone (that means fewer morons doing work that you rely on; where does the water that comes out of my tap come from?), security for all (just broken your leg? walk to hospital yourself!).
To sum up in the words of John Donne, "no man is an island ... ask not for who the bell tolls". Or in the words of a true Socialist, "Do unto others as you would have them do unto you."
I don't think we know enough about what he did to speculate very much on what his original intentions were.
It's not exactly as if every file that contains personal data will have a big sign on the outside saying "PRIVATE DATA INSIDE" - often the only way that you'd even suspect that would be to open up and actually look at it, which will usually involve some form of copying; therefore your argument that his primary offense was copying is bogus. The crucial thing is what he was doing there in the first place and what he had to do in order to get there.
If all he was doing was looking around in apparently "public" areas for a couple of racy pictures or some interesting games or other programs and stumbled on this file, then the administration is clearly overreacting. On the other hand, if he was deliberately trying to log in with different usernames and found one that didn't have a password on it (or something similar), that's very different - the administration should be grateful for having been alerted to the security problem but he shouldn't have been doing that in the first place. Or if he was trying lots of username and password combinations and found one that worked because the password was trivial, that's yet another thing. Or if he was trying to exploit one of any number of published security flaws and found that the school computers had not been secured against one of them, that's yet another. Clearly each of these examples represent an escalating level of culpability on his part, but we just don't know which (if any) of them correspond with what he did.
I do not think we can trust the police trooper's characterization of his actions - most law enforcement officials are clueless about computer security issues. The bottom line is that none of us have enough information to make an informed comment on the specifics of his case. And the sad part is, I suspect that the police don't either.
Was it 'pencil'?
If I were to break in and erase my contact info from their database, am I breaking into a computer, or am I protecting myself?
I think you're breaking in. Unauthorized access is just that, regardless of intent.
Was his personal information in that file? Did he have reason to believe that the school district was not properly protecting his personal information?
If he has legitimate reason to believe that, then he should be approaching the relevant authorities with his concerns. But "I tried to crack your network and succeeded" isn't exactly legitimate grounds.
If so, was he testing to make sure nobody else could steal his identity?
I don't know. Neither do you, I suspect, and neither would the court hearing his case.
Does it matter anyway? What was he going to do if he really was testing for this purpose and discovered that his information was vulnerable, shout and stamp his foot? If you couldn't trust the relevant authorities enough to act on reasonable suspicions as above, why would you expect to get any better result just because you cracked their network?
If there's not an exception for stuff like that in computer crime laws, there should be.
Why? What possible practical benefit could it bring?
There are useful things the law can do in cases like this, but I submit that penalising those who are insufficiently careful with data should be the priority.
I've somehow got my name in a database of a realty company that I've never used here in the city, and I know for a fact that they have a WEP encrypted network, because I've warned them about it before.
It's intriguing that you know the networking protocols and database contents of a local company you've never dealt with. Would you like to explain to the rest of us how you came to know those things through some legitimate mechanism?
I had the same thing happen to me when I was 15. I explained the security flaw, but they didn't understand a word I was saying. I ended up being suspended for three days and they deleted my login. Naturally, being 15, I wasn't too happy and used an Apple computer to create an admin account. I spent the rest of my last year at the jr. high (freshmen are at the jr. high at the school I went to) making the IT guy's (just some old guy who didn't know much about modern security) life a living hell.
The article says this kid and a "peer" accessed the info. How come there are no charges against this "peer"? Does this indicate the basis of the charges relates more towards the "intent to profit"? It would seem that this case may be more complicated than the facts on the table suggest.
And apparently the correct punishment is hanging by the neck until dead?
In the RTFA department: nowhere does it say that he guessed a password or used a stolen password. It says at this page, "All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks."
I read that as meaning ANY authenticated user had access. Sure, the kid had a stupid way of telling them, but what do you expect from a 15 year old who has caught the authorities in the act of stupidity?
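The comment above describes the actual exposure: a file of SSNs that any authenticated district user could open. The check an administrator would want is an audit that finds files readable by everyone on the system and flags the ones that hold SSN-like data, before a student does it for them. The script below is an added example, not code from the thread or from the district; it audits a directory tree for broadly readable files (POSIX group/other read bits, standing in for "any district password works") containing US-SSN-shaped strings. The sample files, names and contents are constructed for the demo and are not from the article.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed pattern: US SSNs written as NNN-NN-NNNN. Any other PII
# pattern (driver's licence formats, etc.) would be added here.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def is_broadly_readable(path: Path) -> bool:
    """True if the POSIX mode grants read to group or others, i.e. the file
    is not restricted to its owner (assumption: a POSIX filesystem)."""
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def find_exposed_pii(root: Path, max_bytes: int = 1 << 20) -> list[dict]:
    """Walk `root`; report broadly readable files that contain SSN-like data.
    Only the first `max_bytes` of each file are scanned."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or not is_broadly_readable(path):
            continue
        try:
            text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
        except OSError:
            continue  # unreadable by us; still worth a manual look, but skip here
        hits = SSN_RE.findall(text)
        if hits:
            findings.append({
                "path": str(path),
                "ssn_like": len(hits),
                "mode": oct(path.stat().st_mode & 0o777),
            })
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for the demo (not from the article):
    one exposed HR file, one owner-only file, one harmless file."""
    (root / "hr").mkdir(parents=True, exist_ok=True)
    exposed = root / "hr" / "employees.csv"
    exposed.write_text("name,ssn\nA. Employee,123-45-6789\nB. Employee,987-65-4321\n")
    exposed.chmod(0o644)  # readable by every authenticated user
    locked = root / "hr" / "payroll.csv"
    locked.write_text("name,ssn\nC. Employee,111-22-3333\n")
    locked.chmod(0o600)  # owner only: not reported
    harmless = root / "newsletter.txt"
    harmless.write_text("Spring concert on 2008-05-12.\n")
    harmless.chmod(0o644)  # world-readable but no SSN-shaped data


def demo_findings() -> list[dict]:
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return find_exposed_pii(root)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

Run against a real share root instead of the temp directory, the output is the list of files to lock down first; note that it checks the mode bits, not whether the current account can actually read the file, so run it as an ordinary user as well to catch ACL-level exposure the mode bits do not show.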
I suggest emailing the school district and expressing an interest in their method of educating their students.
The contact list: http://www.shenet.org/district/fingertip%20_facts/FFaddressbook.htm
Email addresses are in the format: first four letters of the last name, first four of the first name @shenet.org
i.e. John Smith would be smitjohn@shenet.org
What, exactly, do they mean by that? Remember, we're talking about governmental entities that have a long history of not understanding much about computer security. For example:
$ ftp ftp.myschool.edu
Connected to ftp.myschool.edu
User (none): guest
331 Enter email address for anonymous login password
Password: myusername@yahoo.com
230 User guest logged in.
FTP>
Law Enforcement: "Clearly he was trying to impersonate Mr. Guest!"
You: !@#@#$
You think that's too silly? It's no worse than any number of other things I've heard about from such people. Or consider this:
You: "Let's see if that cute girl Angela in my English class has put up a home page on the school computer system. Let's see, use Firefox to browse to www.myschool.edu/~angela/ ... That's odd, doesn't look like what she'd have on her home page. What's this file?"
Cops: "Clearly he was trying to break into the Assistant Principal Angela H's computer work area!"
I don't think these examples are unrepresentative of the typical computer security understanding of law enforcement, unfortunately.
Who modded this insightful?
Assuming he is convicted, in New York he will be disenfranchised ONLY while IN prison or ON parole. After that he will be able to vote again.
The student might have been wiser to openly identify himself and his intentions before conducting his security analysis and then to identify himself fully in the e-mail disclosing what he found. See discussion of white hat hacking--Ben
Benjamin Wright, Dallas, Texas, benjaminwright.us
"We have many levels of security, including internal and external protection. This information was not accessible outside of the school district," she said.
This quote comes from the Daily Gazette, and I must say that if the levels of internal and external security are easily broken with a simple password that is known by many of the faculty and students, then you have no security. This is simply a case of the Administration's pride getting hurt, and the only course of action to take is to beat down someone (in this case, the messenger).
Now, admittedly one of the two teens involved (most likely the one arrested) has had some history of misuse of the computers:
One of the students has been disciplined in the past for breaking the school's code of conduct with computers
Although this could be anything from installing pirated software to setting the background to a penguin or even turning off the monitor (high schools are paranoid about students expressing individuality). I just hope that this witch trial isn't as bad as the last.
>>>You have a new career opportunity opening up soon as a greeter at Wal-Mart.
Any employer who would fire a safemaker because an expert thief cracked the safe open is NOT an employer I would want to work for. As I'm walking-out-the-door, I'd be dialing a gaggle of lawyers to sue the ____ out of the employer for unjustified dismissal.
No safe and no security is 100% foolproof. Ever. An employer should not have the unrealistic demand that his admin create a 100% hackerproof system.
FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
I opened my laptop in the building this business is in, while there for some other purpose. I scanned for wireless networks, and one popped up with the name of this realty company, stating that the encryption was WEP. Not that difficult. Anybody with any knowledge of wireless at all would be able to do this.
As to how I know I'm in their database?
A couple of months ago they started sending me newsletters.
As to your other comment:
If he has legitimate reason to believe that, then he should be approaching the relevant authorities with his concerns.
I have approached this company with my concerns, as I stated in my previous post. Their response was:
"We use Company X for our computer support, and I'm sure they're competent, because they're a big company, so you must be wrong."
This was months ago, possibly as much as a year, and it's still not fixed.
That's frequently the result of "approaching the relevant authorities."
"City hall" in German is "Rathaus" Kinda explains a few things......
I also did the exact same thing when I was in high school. I found a few files with addresses and SSNs of faculty and students. I reported it to the administration and they didn't do a thing for months. I had to personally show them the files at a workstation before they would do anything. The only thing I had going for me was that I was cleaning up the messes that sysadmins left. Years before this I was accused of bringing down a computer lab.
I don't think this kid should have been charged for anything.
At least a couple of the articles say that the password he used (whatever that means, see my other comments on the subject) belonged to "another student." Oh, really?! Why did that other student have access to the data?! And why isn't he being charged?!
Clearly what we have been told about this incident is highly misleading. Either
(1) The file was in a location that could be accessed by ANYONE on the school network, or
(2) it had already been hacked by another student, who for some reason is not being charged, or
(3) He hacked into an administrative area, where the file may have been inadequately secured. Comments by the administration and law enforcement to the effect that the password he used belonged to another student are either incorrect or misleading.
Something is clearly rotten about this story, unfortunately it is difficult to tell if he did anything wrong or not, or whether he is a criminal or a scapegoat. Not only do we have to get information filtered through the administration and law enforcement (for whom computer security is usually at best an arcane art that they understand only poorly if at all), but all the primary sources are articles written by local news journalists rather than technical journalists, who are generally not much better at understanding the technical details.
It would appear however that unless he needed to hack into a reasonably well protected account in order to obtain the data, the school is clearly facing a serious HIPAA breach. That alone could be making them overreact, by trying to find some way - any way - to pin the blame on someone else.
...if he can't blow the whistle without getting caught.
who?
Your IT people are idiots. Even if antivirus software can do that, which I've never seen before, it wouldn't be random workstations that were trying it.
Escalate the problem.
If corporations are people, aren't stockholders guilty of slavery?
WTF is "unjustified dismissal"?
I live in an at-will employment state. An employer can fire you for any reason, or no reason at all. That's the way I want it to be, because one day, I will be the employer, and I don't want asshats like you taking me to court!
Yes, but I've personally been in situations where I was looking around on a network for a file (which I was supposed to try to find) and ended up wandering into a supposedly heavily restricted server (which I almost got fired for).
It sounds like a similar situation here. The kid is curious, so he's looking around the network. He shouldn't have used someone else's password, and I think that's the only thing he did wrong here. It's possible that his own account would have even worked.
And while it is true that you need to be cautious with people wandering through networks, it isn't that difficult to secure a network against people wandering, at least at such a basic level. That can all be controlled by aliases. Feh, I could start wandering into philosophy and analyze the differences between Consequentialist and Deontological ethics, but I don't think anyone wants to read another term paper.
The long and short of it is that you can't know anything more about why he was poking around than what he tells you.
> If so, was he testing to make sure nobody else could steal his identity?
> If there's not an exception for stuff like that in computer crime laws, there should be.
And if you just *happen* to stumble across someone else's identity while you're in there? Are we supposed to just trust that everyone who pokes around to make sure their info is secure isn't going to access anyone else's?
You put in an exception like this, and you'll get folks creating accounts pretty much everywhere so that they can claim they're "making sure their account is secure" while swiping everything they can find.
Honestly, regardless of the illegality of what he did by trespassing onto a computer and gaining access to confidential data, he did the right thing. And by punishing him for doing the right thing, the legal system is sending a message that basically says, "If you find something broken don't tell anyone or we will get ya". This kind of behavior promotes the "f the system" hacker mentality and in reality damages us all by allowing those holes to remain and be hacked by someone up to no good.
Assuming that the student didn't do anything destructive, relay the password(s) to others, and so on, a first offense should be an infraction, not a criminal offense.
Meanwhile, when a public employee or official fails to adequately secure sensitive data, that should be a misdemeanor or felony, and civil awards should be doubled or tripled by statute.
I'm getting sick and tired of people who are obligated to protect sensitive information from misuse shifting blame to others for their own fundamental failure. I'm also sick of the lack of legislative response to this problem. If you leave a folder of classified information lying in the open, that's a crime. If you are someone entrusted with the security of a building, you leave it unlocked, and an intruder kills someone inside, you have both civil and criminal liability (you could easily be charged with involuntary manslaughter). If you leave private data that is protected by statute in the clear online or otherwise improperly protected, that should be a serious crime.
I've no idea how to get anyone to read this on a semiold thread, but...mods, help me out?
I think I found a security flaw at Denver International Airport this weekend. I wasn't looking to, I literally stumbled into it...but I didn't know how to tell someone without getting in trouble for it. (I've read too many horror stories like this one.) The trouble is, if I'm right about what happened, it might be a problem that exists in the way some specific hardware is implemented.
Does anyone know how to report this without retribution?
++
Youth: Umm, excuse me sir, but your fly is open.
Elder: How dare you look at my underwear! You could see my privates if you look hard enough! You should be registered as a Sex Offender!
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
This quote from the news article is especially telling:
All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks.
"A district password" in this quote sounds a lot like "a student or faculty account" to me. Doesn't sound like any hacking occurred at all.
20/20 hindsight says that the proper disclosure procedure would have been to use 4 proxies to post a message to /b/.
Oh well, he'll know what to do next time...when he gets out of prison...in 10 to 20 years...
People treat it like that because if the authorities actually had anything, they would be trumpeting it to whoever will listen. Details are sparse, so that usually means tail covering. ie kid is being hung out to dry.
If you are going to send an "anonymous" email then do it from your laptop in a public place, preferably a busy one that caters to lots of travelers who are there one day and gone the next so that new faces are nothing out of the ordinary, with open WiFi and for an added measure of security use TOR on top of that all combined with a throw away e-mail account (of course).
Actually they should make him a student intern and give him the break he needs in today's work world... real life experience.
Was his personal information in that file? Did he have reason to believe that the school district was not properly protecting his personal information?
If he has legitimate reason to believe that, then he should be approaching the relevant authorities with his concerns. But "I tried to crack your network and succeeded" isn't exactly legitimate grounds.
Just what have you been smoking? Perhaps you could tell me who "the relevant authorities" are for all the sites which have my information that I'm sure have some security lapses. And then for bonus points explain to me what exactly "the authorities" would do with that complaint to solve the issue.
I'm 100% certain that if you were to go to the FBI and complain that CitiBank or someone had lax network security (but only on your suspicion, not any hard data) not only would they not even tell me they would "look into it" it's possible they would laugh in your face at such an absurd complaint.
Does it matter anyway? What was he going to do if he really was testing for this purpose and discovered that his information was vulnerable, shout and stamp his foot? If you couldn't trust the relevant authorities enough to act on reasonable suspicions as above, why would you expect to get any better result just because you cracked their network?
Because it has been shown time and time again that companies respond to actual, publicized breaches and most of the time ignore "potential" holes even if they are being actively exploited.
It's intriguing that you know the networking protocols and database contents of a local company you've never dealt with. Would you like to explain to the rest of us how you came to know those things through some legitimate mechanism?
Are you just interested or are you attempting to somehow impugn the character of the poster by accusing him of illegal activities? And what does whatever he did have to do with the discussion of the topic? I didn't think character assassination was a reputable debating technique.
As an aside, if you have a wireless device, generally you can tell the protocols of broadcasting base stations if you are in range. Most computers are even good enough to tell you without a fuss. Also, something as simple as a mailing can let you know they have your data. Not that it makes any difference.
The kid had access to the network. There were obviously places on it that he WAS allowed to access, because his network login let him in. How can you be convicted of trespassing if there's no "No Trespassing" sign, and no indication until you're there that you shouldn't be there?
Back in High School, I found out that with the newfangled computer network you could see the files of any student or teacher at any school in the district. I told the Librarian, who said I should tell the IT whore about that and what happened? My school computer privileges were stripped for the rest of the year and I was suspended for a week.
In my mind, "unauthorized access" should require a material deception. That is, but for the deception, he would not have been able to access the material.
Otherwise, people set up open access where you can (but shouldn't) do all kinds of things and that laziness is used as an excuse to scapegoat anyone who does something to embarrass them. If people aren't authorized, they shouldn't have access. (But note that people might still have a duty of confidentiality, not to spread information they're authorized to access.)
Alas, the law doesn't make much sense in several regards. And this guy WAS smart enough to send the note anonymously. Just not anonymously enough, I guess. God knows, when I reported a security flaw to my university long ago, I made sure to take better precautions...
...when we need to explain to registered members how this kid is not guilty of a crime.
People just don't get it.. Once you set your eyes on those social security numbers, you're done, kaput! I don't care if you are a white, grey or black hat hacker! Are you telling me that this student was concerned about security and that's why he ventured out hacking into the system? These guys are simply out to get noticed, plain and simple!
Wonder what outcome they were hoping for. "Hey look at me, I'm an incompetent admin and a teenager can prove it to you in a matter of minutes."
This exact same thing happened to me in my Grade 12 year. The server ran Debian Etch, and the sysop barely had enough knowledge to use ssh, and had zero experience with Linux, even though he had "years of university level education". (To be fair, the previous sysop was smart and well educated. He was the one I used to send flaws I found to, as he could use Linux.)
When I discovered that users could run php scripts, I also noticed they could run arbitrary commands. More so, the combination of AFS in our school system meant shadow passwords were not usable, and instead of migrating to something sane, they just left it.
A script in any user's public_html directory would print a list of 2500+ hashed passwords, and most hashes were *identical*.
I sent an email to the sysop about it and got no response. Two months later after I was into my IT course, they removed me from school and permanently banned me from ever connecting to our school district's networks (including websites).
The "Incident Report" detailed a "malicious student" that "without a doubt" was the cause of every minute of IT downtime for two years in retrospect across our entire province and was the "perpetrator" of (scheduled) downtime of the province-wide mainframe.
Moral of the story: Never, ever, ever, do the right thing. You will ALWAYS lose if you tell someone, especially when they ARE inferior.
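The failure described in the post above (an account database readable by every user, carrying the password hashes themselves, most of them identical) is easy to audit for. This is an added example, not the poster's code or the school's system; it parses a constructed, pre-shadow passwd-format sample and reports accounts whose hash is exposed in field 2, accounts with no password at all, and groups of accounts sharing one hash.

```python
"""Audit a legacy (pre-shadow) passwd file for exposed and duplicated hashes.

Added example, not the poster's code. It models the failure described above:
a world-readable account list whose second field holds the password hash, with
most hashes identical (same default password and same salt). The sample below
is constructed for illustration.
"""
from collections import defaultdict

# Constructed sample. An "x" in field 2 means the hash lives in /etc/shadow
# (good); "*", "!" or "!!" means the account is locked; an empty field means
# no password at all; anything else is the hash itself, visible to every user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sysop:x:1000:1000:System Operator:/home/sysop:/bin/bash
stu1001:ab7Yq2kLm9PzE:1001:100:Student:/home/stu1001:/bin/bash
stu1002:ab7Yq2kLm9PzE:1002:100:Student:/home/stu1002:/bin/bash
stu1003:ab7Yq2kLm9PzE:1003:100:Student:/home/stu1003:/bin/bash
stu1004:$1$Qz8s$9s0YhGqvwE4k3M7cLw2BH.:1004:100:Student:/home/stu1004:/bin/bash
lab::1005:100:Lab kiosk:/home/lab:/bin/sh
guest:!:1006:100:Locked guest:/home/guest:/bin/false
"""

LOCKED_MARKERS = ("x", "*", "!", "!!")


def parse_passwd(text):
    """Return (user, field2) pairs from passwd-format text.

    Blank lines and comments are skipped; lines with fewer than seven
    colon-separated fields are malformed and ignored rather than guessed at.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        entries.append((fields[0], fields[1]))
    return entries


def is_exposed_hash(field):
    """True when field 2 carries a real hash instead of a shadow/lock marker."""
    return field != "" and field not in LOCKED_MARKERS


def audit(text):
    """Summarise what a world-readable copy of this file would give away."""
    entries = parse_passwd(text)
    exposed = [user for user, f in entries if is_exposed_hash(f)]
    no_password = [user for user, f in entries if f == ""]

    # Group accounts by hash string. Identical strings mean identical password
    # AND identical salt, i.e. one guess covers the whole group.
    by_hash = defaultdict(list)
    for user, f in entries:
        if is_exposed_hash(f):
            by_hash[f].append(user)
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}

    return {
        "total": len(entries),
        "exposed": exposed,
        "no_password": no_password,
        "shared": shared,
    }


def main():
    report = audit(SAMPLE_PASSWD)
    print(f"{report['total']} accounts parsed")
    print(f"{len(report['exposed'])} accounts expose their hash in field 2")
    for user in report["no_password"]:
        print(f"  {user}: empty password field (logs in with no password)")
    for h, users in report["shared"].items():
        print(f"  {len(users)} accounts share one hash: {', '.join(users)}")
    if report["exposed"]:
        print("Remediation: move hashes to /etc/shadow (mode 0640) and force "
              "distinct, user-chosen passwords on first login.")


if __name__ == "__main__":
    main()
```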
That isn't the problem.
The problem is the geek playing cowboy - and thinking that the ten gallon hat absolves him of all responsibility,
Say nothing.
Human nature is to "shoot the messenger." So don't tell.
Once upon a time in university I noted a file in the temporary directory on one of computer science's machines with read access to all on the entire student name/id list. This was a byproduct of registration, and the ids were used as the passwords for first log in. But student ids were used for much more, and this list was also bigger than computer science... I complained to the comp sci sys admins; who said "gee thanks, we'll change that." But the file kept appearing. So I contacted the computing services admins; who said "gee thanks, we'll talk to the comp sci guys." The result of which was "this doesn't happen any more". So I sent a current directory list. No response. Then I posted the file (two months after it was supposedly fixed) to the internal security newsgroup. [I lost my access privs and was almost expelled.]
The moral of the story... don't tell people they f*cked up and sure as heck don't show them, because you just make them look bad, and there is a fine line between ethical behavior and questionable judgement.
and can probably get this expunged from his record, I can't help but think this kid *could* become disenchanted and decided to learn all he can so he can go back someday and anonymously screw over the bastards charging him instead of CULTIVATING him.
WHAT is running through the minds of these low level dysfunctional functionaries to slam-dunk the kid rather than guide and develop his talent?
Depends on how paranoid you are. For maximum protection I'd use a live CD like Ubuntu or something, and a secondhand PCMCIA wireless card (I have several laying around from who-knows-where, as do many people). Connect to a public AP at a coffee shop or something, and then use Tor or at the very least a web proxy to send email to the proper authorities from one of these services, making sure to verify your reported IP at ipchicken.com or similar beforehand. With all of this you would essentially be impossible to track down. Provide only the details about the flaw you think you found, and add nothing else, including how you found it or when (don't give them a chance to narrow it down and check security camera footage or anything).
The lesson here is to get better at sending "anonymous" e-mail to report this stuff.
The article does say that he used someone else's credentials to access the system.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
"If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target." - by Creepy Crawler (680178) on Tuesday October 28, @06:42AM (#25539061)
Small wonder you were "modded up" as insightful... because my man? You are totally right (unfortunately though)...
So, "Agreed, 110%" here, because - it has happened to me, & cost me a job!
Just for doing the RIGHT thing (& I didn't hack a damned thing @ all, I merely pointed out their antivirus was setup wrong, & was 6 months out of date, + the fact that end-user desktops (& yes, servers too) weren't as secured as is possible).
First off, I was hired to help secure programs (showing ss#'s on outputs/reports, etc. & scrambling them, helping secure the databases + more, making sure data we sent to other vendors for processing went out via SECURED FTP transfers in our programs etc. et al was also implemented successfully as well)
Well... that doesn't help a hell of a lot, if the network isn't secured in the first place!
Thus - I pointed it out, got yelled @, & the network administrator (who was also the CIO, with no experience before this place, & a cert. only, you know the type) tried to say "he has a virus on his system, it's his fault"... not when the antivirus program is 6 months out of date it's not!
Funny part was, I was the one who discovered he set up TREND wrong, period, & that all the people were vulnerable (they quickly switched to AVG, funny that, eh?)... & when I approached him far prior to this attack on myself?
The guy tried to tell me "it would cost too much & take too much time to do"... WTF!?!?
It takes MINUTES of time to secure a rig with a few logon script .reg merge files for applying more secure settings &/or using Active Directory GROUP policies, & ACL's settings... a few minutes more to test a "TEST RIG" machine with all the companies' apps on it is all, to assure they all work correctly with new security settings! A few minutes, perhaps a 1/2 hr. MAX, per system (only need to do 1 prototype really, then mass deploy its settings OR even system image, en masse after it passes muster in tests)...
(I wonder how their shareholders &/or customers would feel if they knew he said that, right?)
I knew how I did!
I.E. -> I felt, right then, that I was working with an incompetent idiot & his cronies, who interpreted my suggestions as an attack... the usual case with dolts, unfortunately, is this.
I got fired, & the day I had delivered a program no less that was working & the users of it thanked me for, right in our a.m. departmental meeting no less they came in & said so... just for including THEM in the dev process!
(Other devs there literally called the users "stupid" & such, no less, & even though I pointed out that THEY are OUR lifeblood as devs, & know their jobs FAR better than we do)
It was funny, because that morning?
I was walking in, & said to myself while ready to deliver the program, "Yup - this is going to be a short-lived celebration in delivering a new proggie here, then it's off to work on the next one on my plate!" - (my 4th one @ that time for said company, an insurer)
Well, & all of a sudden? It did not work upon my trying it prior to deploying it & delivering it!
(Yes - I suspect they tried to "hijack/bushwhack" it, because someone had wiped a critical table's data (this just does not "just happen" spontaneously, & not on a secured db, & one that's not even in production yet no less)).
I got it from a backup, though, & delivered the code!
Then, I suddenly get asked to come speak to my boss (another boob who had never done the job in comp. sci. as well, admittedly on his part, & had his MBA etc. (again, you KNOW the type)), & they fired me.
I couldn't believe it.
APK
P.S.=> I am NOW with you, &
Why doesn't this bother you more? A great many of you even seem to think this is right. Why is punishing technical disobedience of the law to do the right thing so important?
Is it because he is a minor and attends the school, so is almost effectively helpless? Obedience to law must trump benefiting the public, nip it in the bud? Is it criminal and cocky to out smart people society has designated your superior?
Is there no principle, law or philosophy of what once made the USA a respected country that you will not tear down and piss on? Does it hurt to be reminded?
No, really. It's not funny anymore.
Why don't you guys freaking read the other two articles hyperlinked at the bottom of the main article. That article is biased!
I did the same thing when I was younger. In 1995, while spamming "who" on IRC, one response was quite interesting.
I ftp'd to the ISP's server and downloaded some files (hey, it let me so why not right?) One of the binaries had plain text values inside it of customer's addresses phone numbers; the usual account information data.
I notified the user and said that THEY should call their ISP and tell them about it. Scary to think that perhaps I would have been busted if I notified them directly.
His talent for breaking the law? Oh wait, you forgot that part, didn't you.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Did YOU forget about Kevin Mitnick, and a handful of others who now are consultants, and did FAR FAR more damage or probing than did the 15 y.o.?
Those guys could have been considered irredeemable, scourges, and refuse. This 15 y.o. kid is budding, and could be "steered", before he ends up with a "real" record. Strange, though, as I recall watching at least twice an episode of MI-5 in which Tom and others used, but promised a wayward, talented systems-busting kid a new life if he helped out MI-5. Yeh, it's just a BBC-leased TV show, but... Seems some prosecutors and cops and agents don't care to be inspired to redirect kids before fragging them in some cases-- or cases like these where you definitely COULD benefit from using these kids for public good rather than trouncing them to the point they seek revenge.
He accessed it because he was curious and doesn't have all that much common sense yet. What, were you never a teen or something?
was it running windows
The sad part of this story is, it isn't teaching people not to do things. It's teaching them that if they do bad things, to not tell anyone.
Reading the linked articles off of thereg quotes like these jump out at me:
The excitement they have about their ability to have caught him belies the fact that he got there in the first place. Much like other cases I've seen where the spokespeople go on and ON about the security features of locked doors etc after someone finds that the back wall is missing. Basically the kid embarrassed them and they are slapping him hard.
I think of this kind of like security with voting machines. You can point out it's there but the officials will refuse to believe it until someone is willing to commit a felony. Then they'll burn that person at the stake all while going on and on about how great it is that they were caught rather than addressing that they could have avoided it but chose not to.
The captcha for this one is "accuse" how appropriate.
OK, I know Slashdot is collectively in holier-than-thou rage over this poor, "innocent" kid, but why was the kid trying to access the site in the first place?
Couple possibilities:
We're obviously only getting the "crimebuster" version of the story here, but until they show that he actually *did* something with the data, all he's guilty of is making the school look bad (which is punishable by ruinage of life and job possibilities, apparently).
In high school one of the guidance counselors' logins was hacked and the password changed. I caught wind of it, changed it back, then proceeded to inform the in-duh-vidual in person (weak password on NetWare 4...) to change the current password to something more secure. Long story short, the school almost called the FBI Computer Crimes Division and I was almost arrested. The only reason why they weren't called was because there was an immediate parent-student-principal conference. Talk about shooting the messenger, Jesus Robert H. tapdancing Christ. I learned my lesson that day when it came to computer security. KEEP YOUR MOUTH SHUT!!!!!
I doubt HIPAA applies in this case. The school would fall under FERPA. HIPAA is only applicable to medical related institutions and records. This only protects patients in the case of HIPAA and students in the case of FERPA; I don't believe the employees of the institutions are covered unless they receive care or are educated by the institutions, and again only information in that specific context would be covered. The teacher's union would be those most likely to advocate for the teachers.
OK, I know Slashdot is collectively in holier-than-thou rage over this poor, "innocent" kid, but why was the kid trying to access the site in the first place?
Um, I dunno. Maybe he's just a 15 year old kid and they get into stuff they shouldn't sometimes. It's called "growing up". But I guess that you were probably the most upright ROTC guy in the church choir. Sorry about your missed childhood.
Just so you know--I did all sorts of hijinks when I was a kid--much worse than that too. I had so much fun it was ridiculous. Never got caught. Ok. I got caught--but I got out of it every time. Razor fine paperwork here, bro. So guess what: I had the fun and I get to enjoy the advantages of being a pillar of the community as an ADULT. My life has been good.
Just callin' it like I see it.
You show your age, grasshopper.
In my day you had to snatch the punchcards, you insensitive clod!
[cue the 'I had to solder the transistors, THEN write the code' posts! :-)]
Damn, I love the smell of a flamewar in the morning!
"This is just a fictional example. (with some humor to lighten the conversation)"
*disclosure* My only real experience with punchcards was as a child when Dad worked for NASA, and would bring them home so 'us kids' could use them for crafts/art projects-circa 1960-1965, or so.
yes, I'm in for the humour also!
Look back over the recent months and you'll notice immediately that the reaction of any government agency when faced with the public finding out they haven't secured something properly isn't that agency coming clean; it is that agency immediately calling in law enforcement against the whistle blower. Right now all we know, and all we'll ever know since they've probably locked down the system, is what the school and the politician who appointed those officials want you to hear. Notice that while they can't name the student because of his age, we also haven't seen any mention of who screwed up with security?
I was once a resident of the district mentioned and I'm betting that if, big if up there, the whole story comes out we find that the server was set up in such a way that when a student logged on for authorized information the "secure" file was sitting right amid that week's homework assignments.
Fact of the matter is, most of you aren't reading the whole story. I'll fix that. "accessed personnel records on his school's poorly configured computer network and then notified his principal" "gained access to a file containing the personal information of 250 workers because of a district-wide error in setting up a new server" "School officials have admitted that thousands of students, faculty and employees could have accessed the same file" They've stated that some students have access to these files. They've stated that the network was flawed. They've stated that the boy informed them of their mistakes. He's obviously a monster and should be executed in a most horrendous fashion and the poor school district should be consoled and comforted for being the victim of such a vicious and sinister child.
So he was hacking into some system but cannot send an anon email properly... For fudgesicles sake!!! The most likely set of events was him finding someones password and stumbling upon an Excel sheet. That or the retards left the Administrator password blank... In which case I would have thrown the file on BT ... HAHAHHAHA... From the article it sounds like he used someone's ID and passwd... So that's not really hacking, it's just getting into sh1t you're not supposed to be in. Now... if he found some server that was not patched properly and used a known exploit on said server to gain control/access, that is hacking. Next time just leave a note.. you know .. those funny 8.5x11" things called sheets of paper... they can be written on. If you're smart enough you'll even change your writing. Those 5" sticks that make marks are called pens... PS: Your fingers have a bad habit of leaving markings called fingerprints lol... so wear gloves... or just stfu and move on... leave the honeypot for the rest of us :)
Eye for an eye and half of the world will have just one eye!
GOOD !! another one prepped and ready to join the dark side ... keep 'em coming ...
seriously, next time this guy will think twice about warning someone even though it is very unlikely that you can opress the curiosity of a young man ...
beware he who denies you access to information for in his mind, he already deems himself to be your master (SMAC-ish)
apparently, the only thing to do to people that punish good intentions is this: next time someone finds a security problem, destroy all you can. if they don't learn, it's their problem...
Opening a closed but not locked door and entering a building without permission is still against the law. It is called breaking and entering.
Trespass. An unforced entry is not "breaking" unless there's some odd local law on B&E.
He is not being punished for "wanting to do" something, he has not been punished for anything yet. He has been charged with a crime for something he did, namely "computer trespass" for accessing a system without permission.
He used his student password to get in. The school gave him the password he used. And looking around a computer to which you have been given access is hardly hacking, finding documentation, schedules, and similar public administrative information is why they give students the password in the first place, I assume.
As a multi-time jurist, I think there's a boatload of reasonable doubt that he did anything wrong, much less illegal. I hope he has a real lawyer to keep him from doing a plea, at least based on the evidence currently in public.