Slashdot Mirror


Student Charged With Three Felonies For Finding Security Flaw — and Report

Well, yet another teenage hacker who "did the right thing" by reporting a security flaw is being punished for his actions. Although it definitely sounds like the whole story may not be in the clear yet, a 15-year-old New York high school student has been charged with three felonies claiming that he accessed a file containing social security numbers, driver's license numbers, and home addresses of past and present employees ... and then sent an anonymous email to the principal alerting him to the security flaw. "All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks."

18 of 547 comments

  1. Re:Once again kids: by MrMr · · Score: 4, Informative

    Where and when did society decide that a problem is only a problem if it is found?
    496 - 406 B.C.?

  2. Re:Once again kids: by Anonymous Coward · · Score: 3, Informative

    Watch this video, it's somewhat related to this:

    http://video.google.com/videoplay?docid=8167533318153586646

    It's probably the best video you will ever find if you're on the hot seat, worth 1,000,000 CSI episodes.

    This helps too:)
    http://www.youtube.com/watch?v=uj0mtxXEGE8

  3. Re:Once again kids: by jamesh · · Score: 4, Informative

    Where was there any note of blackmail?

    RTFA, not TFS...

    "He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act."

    Now that's the State Trooper's words, and may not be true, but it's right there in the article itself. I suppose you could infer that he wanted to use the information he obtained for something other than blackmail (e.g. fraud), but if he wanted to do that he wouldn't have emailed the principal giving the game away, so blackmail is the obvious conclusion.

  4. Re:Once again kids: by Homr Zodyssey · · Score: 4, Informative

    Actually, according to the school's own website, "Due to a configuration error, this file was not completely secured from student password access after being moved to a new server." This implies that the kid could have done it with his own account.

  5. Re:Anonymous by Farmer Tim · · Score: 2, Informative

    The article I linked to explains exactly how they found him: they looked at the originating IP, which led them back to their own computer lab, and from there it was trivial to determine who was logged on to that machine at that time. He could have created a new email account just for this, but it would still be traceable without an anonymous proxy.

    --
    Blank until /. makes another boneheaded UI decision.
  6. More info and name by RenderSeven · · Score: 2, Informative

    ... here here including the kid's name. Article notes this isn't the first time he's been in trouble for hacking, so it may explain the apparent overzealous charges.

  7. Re:Improper disclosure? by mysidia · · Score: 4, Informative

    Anybody who's ever administrated a school network should know that every kid is a potential "hacker," and you should be always keeping all the security up to date and patched regularly.

    Not only that, but there should be an air-gap between the network students have access to and the faculty network that contains sensitive information.

    And even faculty access to internal enterprise information should be fairly limited when logging into a student workstation.

    Student-accessible computer nodes and network ports should be treated about as secure as unencrypted WiFi.

    To access confidential materials from such a workstation, the teacher must connect to a VPN, preferably using 2-factor authentication with a token such as SecurID.

  8. Re:Improper disclosure? by DaveV1.0 · · Score: 4, Informative

    Opening a closed but not locked door and entering a building without permission is still against the law. It is called breaking and entering.

    He is not being punished for "wanting to do" something, he has not been punished for anything yet. He has been charged with a crime for something he did, namely "computer trespass" for accessing a system without permission.

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  9. Re:Improper disclosure? by SecurityGuy · · Score: 3, Informative

    Your analogy is flawed. Seeing that the elder's fly is open would be equivalent to somebody telling you the password. Logging in and poking around is like seeing the open fly and reaching in to see what you can find on the other side.

    Simple rules, kids. If it's not yours, stay out. Most people have enough common sense to know that if my door isn't locked, or is even open, that does not constitute an invitation to come in. If discovered, you may be yelled at, soundly beaten, or arrested. Computer systems are the same way. If you access one against the wishes of the owner, they're going to be pissed and will do mean things to you for a multitude of fairly good reasons.

  10. Re:Improper disclosure? by Kierthos · · Score: 2, Informative

    No, it's not. Breaking and entering actually requires you to either break in (forcing a door, picking a lock, breaking a window, etc.) or enter under false pretenses (lie about having permission to be allowed in, present false credentials, use a stolen ID card/entry card). Also, you must be shown to have had the intent to commit a felony, whether or not the felony actually occurred.

    Therefore, if you open an unlocked door, and enter a building without permission, you are not breaking and entering. Trespassing, sure. But not B & E.

    --
    Mr. Hu is not a ninja.
  11. Why wasn't the "peer" charged? by adsl · · Score: 2, Informative

    The article says this kid and a "peer" accessed the info. How come there are no charges against this "peer"? Does this indicate the basis of the charges relates more towards the "intent to profit"? It would seem that this case may be more complicated than the facts on the table suggest.

  12. Re:The RL equivalent is Breaking and Entering by DaveV1.0 · · Score: 2, Informative

    The lock does not have to be "a super huge complex lock", merely a locking mechanism. You do not have the right to open or circumvent a lock just because the lock is flawed or flimsy.

    If a piece of tape is placed over a door to keep it shut and you remove or break the tape, you are guilty of breaking and entering.

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  13. Re:Improper disclosure? by DaveV1.0 · · Score: 1, Informative

    breaking and entering
    n. 1) the criminal act of entering a residence or other enclosed property through the slightest amount of force (even pushing open a door), without authorization. If there is intent to commit a crime, this is burglary. If there is no such intent, the breaking and entering alone is probably at least illegal trespass, which is a misdemeanor crime. 2) the criminal charge for the above.
    You are both ignorant and wrong. How does it feel?

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  14. mod down by Anonymous Coward · · Score: 1, Informative

    Who modded this insightful?
    Assuming he is convicted, in New York he will be disenfranchised ONLY while IN prison or ON parole. After that he will be able to vote again.

    Know your rights.
    Know the law.
    Don't be a sheep.

  15. Re:Improper disclosure? by jahudabudy · · Score: 1, Informative

    Even if someone gives you a key, that does not constitute permission to enter any time you wish.

    Yes, it does. Now, if you enter and they ask you to leave, you are required to leave. But as long as you leave when asked, you have not committed any crime. Giving you the key gives implied consent that can only be countered by explicit declaration of non-consent.

    At least, that's what the cops said when my ex tried to press trespassing charges against me several years ago...

    --
    ...sometimes, in order to hurt someone very badly, you have to tell that person terrible lies. - PA
  16. Re:Improper disclosure? by DaveV1.0 · · Score: 2, Informative

    Your belief is irrelevant. What matters is what the law actually defines as breaking and entering.

    breaking and entering
    n. 1) the criminal act of entering a residence or other enclosed property through the slightest amount of force (even pushing open a door), without authorization. If there is intent to commit a crime, this is burglary. If there is no such intent, the breaking and entering alone is probably at least illegal trespass, which is a misdemeanor crime. 2) the criminal charge for the above.

    No. Having the ability to access does not provide one with the right or permission to access.

    Your analogy is false because it assumes he had permission to be in the school after-hours. It also puts the purse in an area where he might have permission to access. Move the purse to a teacher-only area and close the door and you have a true analogy.

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  17. Re:Password use by HeronBlademaster · · Score: 2, Informative

    This quote from the news article is especially telling:

    All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks.

    "A district password" in this quote sounds a lot like "a student or faculty account" to me. Doesn't sound like any hacking occurred at all.