Slashdot Mirror


Student Charged With Three Felonies For Finding Security Flaw — and Report

Well, yet another teenage hacker who "did the right thing" by reporting a security flaw is being punished for his actions. Although it definitely sounds like the whole story may not be in the clear yet, a 15-year-old New York high school student has been charged with three felonies claiming that he accessed a file containing social security numbers, driver's license numbers, and home addresses of past and present employees ... and then sent an anonymous email to the principal alerting him to the security flaw. "All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks."

8 of 547 comments

  1. Re:Once again kids: by MrMr · Score: 4, Informative

    Where and when did society decide that a problem is only a problem if it is found?
    496 - 406 B.C.?

  2. Re:Once again kids: by Anonymous Coward · Score: 3, Informative

    Watch this video, it's somewhat related to this:

    http://video.google.com/videoplay?docid=8167533318153586646

    It's probably the best video you will ever find if you're on the hot seat, worth 1,000,000 CSI episodes.

    This helps too :)
    http://www.youtube.com/watch?v=uj0mtxXEGE8

  3. Re:Once again kids: by jamesh · Score: 4, Informative

    Where was there any note of blackmail?

    RTFA, not TFS...

    "He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act."

    Now that's the State Trooper's words, and may not be true, but it's right there in the article itself. I suppose you could infer that he wanted to use the information he obtained for something other than blackmail (e.g. fraud), but if he wanted to do that he wouldn't have emailed the principal giving the game away, so blackmail is the obvious conclusion.

  4. Re:Once again kids: by Homr Zodyssey · Score: 4, Informative

    Actually, according to the school's own website, "Due to a configuration error, this file was not completely secured from student password access after being moved to a new server." This implies that the kid could have done it with his own account.

  5. Re:Improper disclosure? by mysidia · Score: 4, Informative

    Anybody who's ever administrated a school network should know that every kid is a potential "hacker," and you should be always keeping all the security up to date and patched regularly.

    Not only that, but there should be an air-gap between the network students have access to and the faculty network that contains sensitive information.

    And even faculty access to internal enterprise information should be fairly limited when logging into a student workstation.

    Student-accessible computer nodes and network ports should be treated about as secure as unencrypted WiFi.

    To access confidential materials from such a workstation, the teacher must connect to a VPN, preferably using 2-factor authentication with a token such as SecurID.

  6. Re:Improper disclosure? by DaveV1.0 · Score: 4, Informative

    Opening a closed but not locked door and entering a building without permission is still against the law. It is called breaking and entering.

    He is not being punished for "wanting to do" something, he has not been punished for anything yet. He has been charged with a crime for something he did, namely "computer trespass" for accessing a system without permission.

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.

  7. Re:Improper disclosure? by SecurityGuy · Score: 3, Informative

    Your analogy is flawed. Seeing that the elder's fly is open would be equivalent to somebody telling you the password. Logging in and poking around is like seeing the open fly and reaching in to see what you can find on the other side.

    Simple rules, kids. If it's not yours, stay out. Most people have enough common sense to know that if my door isn't locked, or is even open, that does not constitute an invitation to come in. If discovered, you may be yelled at, soundly beaten, or arrested. Computer systems are the same way. If you access one against the wishes of the owner, they're going to be pissed and will do mean things to you for a multitude of fairly good reasons.