Student Charged With Three Felonies For Finding Security Flaw — and Report

Well, yet another teenage hacker who "did the right thing" by reporting a security flaw is being punished for his actions. Although it definitely sounds like the whole story may not be in the clear yet, a 15-year-old New York high school student has been charged with three felonies claiming that he accessed a file containing social security numbers, driver's license numbers, and home addresses of past and present employees ... and then sent an anonymous email to the principal alerting him to the security flaw. "All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks."

Improper disclosure?

[sethstorm]

Was there any bit of responsible disclosure, because it sounds a bit like "killing the messenger". While there may be discipline in order, this seems to be overkill if he was really intending to do the right thing.

Re:Improper disclosure?

[SQLGuru]

I guess part of me wants to know how he found out. If he found out by accident, then yeah, this is a case of "No good deed goes unpunished"....but if he was looking around for something to hack and found more than he was expecting, then there should be some punishment (though probably not three felony charges).....

Layne

Re:Improper disclosure?

[eggled]

From TFA:

School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks

So, thousands of people have had access to this file, and the one person who tried to report it (and was tracked down) is being charged with felony counts of computer access and identity theft? And they're not checking to see if anybody else has tried to access this file, to indict them, as well? Definitely seems like a case of shoot the messenger. According to a state trooper interviewed in TFA,

He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act.

I didn't see anything about him trying to profit, though... He sent an email to the principal (contents unknown), from an anonymous email address, signed 'A Student'. Without more info, I'm inclined to speculate that he didn't really appear to be attempting to profit. (Wouldn't it be better to keep this a secret and profit from the information, if that was really his intent?)

Re:Improper disclosure?

[Spazztastic]

I didn't see anything about him trying to profit, though... He sent an email to the principal (contents unknown), from an anonymous email address, signed 'A Student'. Without more info, I'm inclined to speculate that he didn't really appear to be attempting to profit. (Wouldn't it be better to keep this a secret and profit from the information, if that was really his intent?)

All they're doing is making an example out of him. A company did the same thing a few years back with a white hat (Whos name I can't remember, and I can't find my copy of The Art of Deception/Intrustion to look up his name). He produced the error, sent them a paper on it, then they claimed that in the span of 6 months he used their service illegitimately for his own benefit.

I guarantee whoever designed their security infrastructure had their ego shattered by this and in a fit of nerd rage decided to strike back with everything he could.

Re:Improper disclosure?

[theaveng]

A sniper rifle aimed at the head of the principal and/or prosecutor also works: "Don't try to 'make examples' of good, decent people trying to do the right thing. Else YOU will be made an example of how Liberty-loving people deal with out-of-control Tyrants."

Okay, I joke.

But any politician hearing about this unfair prosecution ought to update the "Good Samaritan Law" so it not only protects people trying to save injured persons, but also protects people trying to help schools/companies by revealing security flaws in their system.

Re:Improper disclosure?

[Sancho]

But any politician hearing about this unfair prosecution ought to update the "Good Samaritan Law" so it not only protects people trying to save injured persons, but also protects people trying to help schools/companies by revealing security flaws in their system.

That's one of the best ideas I've heard all day. Unfortunately, because politicians are about as dumb as a bag of bricks when it comes to computers, all they'll see is what the media shows them i.e. "Bad hacker got caught!"

Re:Improper disclosure?

[diskofish]

That is exactly right. From the sound of the article, the files were in plain sight for anyone who had access to the network (though it is unclear). If they are going to charge the kid, then the network engineer should be hit with the same charges. There is definitely some minimum amount of security required, or else it's just pure negligence. Anyone who's ever administered a server knows they are probed ALL the time.

Re:Improper disclosure?

[Spazztastic]

Anyone who's ever administered a server knows they are probed ALL the time.

Anybody who's ever administrated a school network should know that every kid is a potential "hacker," and you should be always keeping all the security up to date and patched regularly.

Re:Improper disclosure?

[dhasenan]

Even if he was looking for something to hack, he didn't do any damage. Instead, he performed a public service. Punishing a person for something he maybe was wanting to do is just stupid.

On the other hand, if he didn't phrase his message carefully, it could have been taken as a threat. If he said something along the lines of "Please use a more secure password on $SERVER -- I guessed it easily", then it's hard to sympathize with the administration. If he said "I accessed your server and now have the social security numbers for every faculty member", then it's much more ambiguous, and I'd expect the student to be investigated. Just investigated, not arrested.

Re:Improper disclosure?

[sukotto]

Using your post as an example:
Let's see here... you could be charged with
- a criminal death threat
- possession with intent (if you own a rifle)
- conspiracy to commit murder (since you discussed with all of us and presumably none of us called the police)
- making a terrorist threat
- material support for terrorism (if you donate to a charity the DA doesn't like)
- and a whole bunch of "minor" crimes.

So... have fun in prison... we'll see you in 150 years or so.

This started out as a "+1 funny"... but now I just feel "-1 WTH is happening to your country?" :-(

Re:Improper disclosure?

[kingsteve612]

Exactly. The article doesn't tell us all the facts. How did he find it, how did he get the password, did he even have access rights to the directory the file is on, if not how did he get access rights or get around it, did he use any of the information he found in any way at all? All of these questions need to be answered before any kind of judgment should be made, here or otherwise. The fact of the matter is we don't know all of the facts, therefore we cannot judge.

Re:Improper disclosure?

[onecheapgeek]

He deceitfully used someone else's name and password so he would not get caught

Kinda sounds like unauthorized access to a computer system to me.

Re:Improper disclosure?

[j00r0m4nc3r]

He's in trouble because he copied the file(s) to his computer. It's not like he just said, "Hey this looks insecure", he actually copied the data and looked at it. That's a huge violation. Yeah I'm not riding the "HE'S BEING PERSECUTED!" train. He copied people's private info to his personal computer. Who knows where it could end up from there? It doesn't matter if the network was insecure, he should have just called the administration and said, "I think this might need looking at..."

Re:Improper disclosure?

[theaveng]

U.S. Law requires, when a citizen makes a request, that organizations must assign a NEW number separate from their Social security number.

I don't do that myself, but I think maybe I should start, since the SSN makes me vulnerable to identity theft. I would be wise to demand new account numbers that are NOT tied to my SSN from my bank, school, credit company, et cetera. A thief acquiring my SSN now has access to every single account I own. ----- It would be inconvenient, but I should have a different number on everything, so as to limit the potential damage.

Re:Improper disclosure?

[booyabazooka]

Even if he was looking for something to hack, he didn't do any damage.

Not true - Any unauthorized access is "damage" because it requires expending time (read: money) to assess the situation and determine whether any "real" damage was done.

Look at it from the admin's perspective. Someone broke into your system. He claims that he didn't do anything bad while he was there. You can't just take his word on that - it has to be investigated.

That said, it's a rather bureaucratic way of looking at things, and the overall result of the scenario (discovery of security problems) may be advantageous. But you have to realize that is how people see it.

Re:Improper disclosure?

[DigitAl56K]

He copied people's private info to his personal computer. Who knows where it could end up from there?

Yes, and who knows where it might end up being accessible to "thousands of students, faculty and employees" if nobody ever reported the problem?

Fair enough, the law is the law. If you use someone else's password you've accessed a system in an unauthorized manner whether you copy a file or not. In fact if there is any doubt that you *were* authorized to use that password then you could argue whoever made the file accessible inherently granted you authorization to access it. But let's have some common sense here: by shooting the messenger they're essentially making fear/obscurity their main security measure, and that's exactly what landed them in this situation in the first place.

Does anyone know if the school is facing charges or a suit for breaking data protection laws btw?

Re:Improper disclosure?

[cromar]

I hate this line of "reasoning." Entering a computer network is not the same as entering a house or other physical place. Since the beginning of the internet, systems have been presumed open. Only after more and more time has gone by, is this idea changing. Hell, most systems at the beginning didn't even have passwords. And they were considered open. Now all of a sudden, because manufacturers are lazy and most users/administrators are ignorant, do we hear people make analogies to physical spaces. Guess what? Networks and computer systems are not physical spaces! They have their own history and organic rule sets that have grown over the last 30+ years.

If anything, a better analogy is to compare systems to stores. Both provide public services and are accessible through public thoroughfares. So, if I leave my store open and unattended, that does not mean you should not come in unless I specifically leave a sign saying "the door is unlocked but don't come in." That's ridiculous. Instead, if you went in, while certainly raising suspicion and probably causing the owner to become irate and the police to investigate you, you haven't done anything wrong or illegal. Same if you have a key to said store and the owner has not asked you to not come in after hours. You haven't done anything illegal. Now, if you're in there looking at unsecured credit card numbers (left out in a file cabinet), you still haven't done anything illegal. You might tell your friend the owner that he might want to be more careful with where he puts others' private information. Still nothing illegal. Only until you take those CC#'s and/or use them fraudulently have you committed a crime.

Re:Improper disclosure?

[theun4gven]

He did nothing of the sort. He in no way entered "a residence or other enclosed property through the slightest amount of force." He accessed data on a network he had password access to.

There was no physical space involved. The best this could relate to your analogy is that he knocked on the door and told the guy inside the password, asked for a listing of what was inside, asked for a specific item from the list and was handed the item without ever entering the premises.

This is in no way breaking and entering.

Therefore, your post is irrelevant.

Re:Improper disclosure?

[cecille]

That's all fine and good, but analogies can really only take you so far. The fact remains that physical space and a network are not the same thing. We can argue for days about the laws surrounding pushing open doors, but they don't necessarily apply. Look, I'm not a lawyer, and I don't know anything really about B&E vs. tresspass or how that relates to a computer. But common sense-wise...this seems like a dangerous precedent. Personally, I'm not in the habit of going about pushing open or trying my key in unlocked doors. But, I am in the habit of opening folders on shares, (especially if I can't remember where something is). If it requests a password, I'll try the one I have, with the idea that if my password works, I have permission to open the folder. It seems like something totally different. I'd hate to go to jail because I can't remember where the damn install guide is and my password opens some folder that was meant to be private but that my password opens.

Re:Improper disclosure?

[jp10558]

Wow. No, I don't think it's ok to do something because you *can* do something. I do think that it's not wrong to explore a little however... I don't mean wandering into people's houses, but you sound like wandering around a University is stupid and wrong... Browsing the stacks at a library is stupid and wrong. Only go where someone explicitly leads you... What a great life that must be.

Do you never just click around the Internet at random? Check out random links on Wikipedia? I'm not specifically talking about this incident, but it sounds like you think that users should never use Network Neighboorhood. And that you've never worked somewhere with public network shares for collaboration.

Finally, it really does sound like you're totally against the good samaritan. Extending your statements and everyone is silent all the time, no one ever says "Hey - did you really mean to do X". Because you don't know, because you didn't ever look outside you own little area that someone led you to.

I do understand privacy, but on a computer network, it's not obvious where you "should be" and "shouldn't be" without some outside clues. Generally speaking, if a system prompts for a password and it accepts mine, that usually implies I'm allowed or even expected to use it. The places I've worked almost never actually tell you all at once where everything is...

Once again kids:

[yttrstein]

Reporting a security hole is not noble, it's stupid.

Re:Once again kids:

[GrumblyStuff]

How did it ever come to this anyway?

Seriously, what the fuck happened to common sense? Where and when did society decide that a problem is only a problem if it is found?

At this rate, I'll be surprised if people even call the cops or the fire department to report a crime/fire.

Re:Once again kids:

[Swizec]

If I wasn't implicatly involved I'd never go to the trouble of calling the coppers for anything. Let the victim call them, I don't want to be involved in any way, because most of the time it's just more trouble than it's worth.

Think about it, if I report a problem I'll be the main suspect for a while, I'll have to be interogated and I don't think they're ever nice about it, I'll potentionally have to appear at court and it's just overall too much of a mess. I have my own shit to deal with.

Re:Once again kids:

A man approaches a stranger and says, "Hey, I noticed your shed is unlocked." The stranger responds, "What were you doing in my backyard?"

It's not that the unlocked shed isn't a problem. It's that there is also the issue of what the person was doing there in the first place and is anything missing.

With a shed, it's not much of a problem. Check to make sure nothing is missing. Charge them with trespassing if you are so inclined.

With a computer, especially a government or business computer, it's more complicated. You can't just take a peek and make sure nothing happened. Insurance issues alone probably require that they press charges to the full extent the law allows. Doing so also keeps the ball squarely in the court of the alleged victim.

If the person had a legitimate reason for being where he was, no charges are going to stick. If he didn't, he might be in some trouble.

In ANY case, the GP is right. Just don't do it.

While we're on the subject, don't talk to cops without a lawyer, either.

Re:Once again kids:

[cheater512]

I found plenty of holes.

The sys admins were smart enough to realize that I could be a asset to them.
I meant no harm so they gave me free reign basically.
All I needed to do was report back to them any flaws.

Mind you this was in Australia, not the US so less knee jerk and more common sense.

Re:Once again kids:

[Sancho]

And this fiber right here is exactly why it doesn't make sense to jump to conclusions. What sparse information we have is conflicting. Where does the profit motive come into play? Where's the profit in alerting the authorities when you find a hole like this? What do they mean by "used someone else's username and password?"

We don't know if the kid's being hung out to dry, or if this is an appropriate response to the actions taken. Yet all throughout the comments, you see people immediately assuming that the kid is being martyred.

I'm not even saying that the kid isn't. I'm just saying that we don't have any clue based upon the presented facts, so taking one side or the other is a bit like American politics--pick a side and pretend you're at a football match.

Re:Once again kids:

You are storing my personal details along with many other peoples in a 'garden shed'. I should have a right to expect the 'shed' is locked with some form of basic security.
I should be able to test such security to my satisfaction.
The 'shed' is locked. Everyone has a key with a paper tag on it with their name.
Each access only sees by default their own data based on the paper tag, if once opening the shed if the user 'looks' around they have access to all the other 'secure' data.
don't 'not do it', DO IT!
or suffer and someone else does.
maybe not today maybe not tomorrow, but sometime and for the rest of your ... PROFIT!

Re:Once again kids:

There's a big difference, using your metaphor, between walking past a shed (let's assume you have permission to be on the property in general, as this student did) and you try the handle and it swings open. Is telling the groundskeeper that his shed is wide open and unlocked a bad thing, or even potentially illegal? No. It's not like this kid broke through serious encryption, he just used a (well) known password used by "thousands of" other people, and as far as we can tell, then reported it.

This crap happened to me and I'm sure a lot of others on /. as well when I was in HS. Security was never strict enough - on my school's novell network they left the admin program wide open on a network mounted drive. When I pointed it out to the netadmin, I had to explain it 4 times before he understood, and then they suspended me for 2 weeks.

-R

Re:Once again kids:

[tsm_sf]

Now that's the State Troopers words, and may not be true

I think the general rule of thumb is that you can only trust a cop if you're under the age of 10. Assuming that this trooper a) knows what he's talking about and b) isn't lying to make the arrest look significant is quite a stretch.

Re:Once again kids:

[xouumalperxe]

Reading the Register article, and both linked Daily Gazette articles, only two things are certain: The kid saw the information, and he communicated with the school principal regarding it. We don't know the tone of the communication, we don't know how he acquired the password, we don't know whether he kept a copy of the data, only that he saw it. The district representative saying the kid said "Look what I got" to the principal is hearsay at best, bravado at worst. The articles all read like trying to make the best case possible that the kid is the "villain", yet there is no statement that he did, or intended to do, anything malicious to the effect of blackmail. There is no information that he did anything illegal to acquire the login details themselves. I would think that, if there had been any attempt at foul play, they would've jumped at the opportunity to post them.

Personally, and because of the rather damning tone of the (sparse in details) articles, I'm going with "knee-jerk reaction" myself, as my optimistic approach. The other reasonable alternative is "vilify the kid so people won't notice we cocked up". The kid having actually done anything wrong (as opposed to, eventually, illegal) comes as a distant third.

Re:Once again kids:

[VeNoM0619]

Boy, aren't we civilized? If he was attempting to steal the car, he would probably shut the door/get in the seat. Not stand next to it (outside) looking for the switch for the lights, it would be reasonable to get your bat (or attack) WHEN he fully enters the car.

To the AC above, "anything in the view of the public is public domain" comes to mind. There's plenty of cases where cops search cars (at schools) without warrants, claiming this. Trespassing is never even brought up as a concern.

Although strangers in your "personal" spaces is a creepy idea. They are more likely people just like you and me. Clothing/neighborhood/attitude (sadly gender and race too...) can be taken into account if you see someone standing outside your car, and maybe you assume the worst case scenario. A man in rags in a bad neighborhood would be reasonable to call the cops. But a well dressed/attractive woman in a rural area you wouldn't think twice would you, or you at least wouldn't grab your bat?

Re:Once again kids:

to take the risk of being accused and do the right thing.

Oh, so you just assumed that the car was left on by mistake? What if that was my car, and due to an battery problem I left it running so I could make it to work on time? Would you still feel like you have done "right"?

How about this- don't worry about other people's shit, period. THAT is the right thing to do.
I don't creep into your house & slide a condom on your pecker before you shag the hooker you picked up last night, although it would be the morally 'right' thing to do.

The last thing we need is a bunch of "do-gooders" going around messing with other people's business just because they think they are somehow 'doing the right thing'. That's how people get shot.

Well, another victim of "the book"

[GrumblyStuff]

As in, being hit with the law book.

"He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act."

I RTFA but see no sign of this. At best is this bit from a followup link in TFA:

"He sent an e-mail to his principal saying, 'Look what I have,'" DeFeciani said.

But for fuck's sake, three felonies at 15? For a fucking non-violent, non-destructive "offense"?

Poor kid is screwed for life.

Re:Well, another victim of "the book"

[sortius_nod]

Where do you want someone to start with an answer to that?

Seriously though, this is what happens when you create a police state. This is no different to any other dictatorship where non-violent crimes (anti-government, anti-religion, etc) are punished with prolonged sentences or even death.

Seriously, wake up America, all this horseshit about peace, freedom, and democracy isn't even upheld in your own country. Do you really think the rest of the world are stupid enough to believe you can "bring freedom to the world"?

Re:Well, another victim of "the book"

[houghi]

Conjecture #2) He simply reported the problem and the typical knee-jerk reaction ensues.
        If this is the case, let him pay off his transgression by working with the people on the IT Team so he can be mentored and more easily monitored. Mentoring is the key element to his natural progression toward becoming a productive citizen.

Why should he be mentored? Let the people at IT be mentored. Let the kneejerkers be mentored.

He does not need to be monitored or mentored if this is the case. He needs to receive a medal and be an example for everybody to do the right thing.

news flash

[catmistake]

stupid people fear smart people

Re:news flash

[SmokeyTheBalrog]

And smart people fear stupid people even more.

Re:news flash

[characterZer0]

And they vote.

Re:news flash

Reminds me of a funny, but also deeply insightful saying:

Your superior intellect is no match for our puny weapons.

To be sure, this is a perfect way to describe the relationship between the thinking individual who demands his liberty, and the collective power who demands his oppression.

Re:news flash

[evilviper]

And smart people fear stupid people even more.

Only when they get together in large groups. Then they've got numbers on their side.], and become dangerous.

Re:Foolish, but a lesson learned

[Yvanhoe]

Well, if we are to play analogies war : yes it is a bit like that, except it is impossible to say that the fence has a hole in it without trying to go through.
Also, it may look like you have accessed the first fence of several concentric fence. Before reporting this hole as a problem, it sounds reasonable to assess if anything is put at risk first. Once you see that there are many valuable things accessible, you go away and go knock on the door "Hey do you know that all these valuables of yours are easily accessible ?" and also "I gave you some stuff of mine to keep safe, I hope you didn't put it in this easily accessible area ?"

Or you don't use fence metaphor...

Assuming he is convicted...

[kitsunewarlock]

This means this person, capable of not only using the internet but as a (clearly) (semi-) advanced user, is now no longer able to vote...because of something they did before they were legally eligible in the first place? And something they admitted to? Yet someone who doesn't know their left hand from a donkey's a-hole and votes based entirely on which guy they'd rather drink a beer with and/or whichever has a photo-op with someone who looks more like them is free to do the same AND drive drunk AND steal potentially thousands (but not over 10 thousand or so, depending on the state) AND even rape in some cases and still vote.

where's the intent?

[Uberbah]

This is like Boston freaking out over Lite-Brites. I hope the kid not only calls their bluff and asks for a jury trial, but finds some way to counter-sue.

The felonous emperor has no clothes.

[Creepy+Crawler]

And one who breaks security is like the one who alerts the king about wearing no clothes. You WILL get punished. You WILL be dealt with.

I saw this all the time at schools, jobs and like. People dont like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.

If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target.

Re:Anonymous

[Farmer+Tim]

If you're baiting your honeypot with real data, you're doing it wrong.

wtf

[moxley]

This is bullshit - I am really tired of hearing these scenarios where ignorant fascist assholes are doing serious damage to the reputation and future of kids who are doing the right thing.

The message being sent is that rather than being honest, helpful and productive member of networked society we're teaching kids that it's better to be deceptive and not expose dangerous security flaws. ...and FELONIES? What the fuck?!

I feel that there is a message that both the powers that be (and irresponsible sys admins who have been professionally shamed by these revelations) want to send - the sysadmins don't want to be embarrassed by kids - the feds or police either don't understand and are hearing sys admins tell them that "these meddling kids broke into our system, it's certainly not MY fault for not securing it" or people who should know better thinking that it's better to send the message that killing the messenger is the appropriate way to handle security, EG what people don't know won't hurt them and what we don't see we wont have to deal with.

I believe that this should be explained to those who aren't very computer/network literate with the following analogy: Let's say you live in one of those multifloor apartment buildings where there is an area in the lobby with many mailboxes which all lock. Each resident gets a key for their own box. This kid either accidentally (or just to see if his and other mailboxes are secure) plugs the key into the wrong box or a box that isn't his and finds that his key (and by logic every other resident's key) opens every mailbox in the building. The mailbox he tests the key on contains an envelope with a ton of cash sticking out of it. He goes to the landlord and says "hey, these keys provide no security because any key can open all mailboxes, and by the way, this mailbox had a ton of cash in it - here's the cash, I didn't want it to get stolen" and he is then arrested and charged with breaking and entering, grand larceny, and other such offenses.

I hope that if any high profile tech people get a chance to comment on this in the press or end up assisting the defense (if it was to go to trial) that they can send a message that criminalizing someone who is doing the right thing is just wrong...

Re:wtf

[cbiltcliffe]

Someone wouldn't have been able to do this to me, because I don't leave sensitive files on the network in public folders.

Therefore, I would not have been furious.

And if somebody did find a security flaw and told me about it, yes, I'd be embarrassed, as I like to think I understand security significantly better than the next guy.

But I'd sure as hell fix it, rather than calling the cops. Which may be why I think I understand security better than the next guy.....

personal experience says to keep your mouth shut

From my own personal experience as a student that used to do these sort of things (report network security flaws to the relevant department), the unfortunate truth is that it's much better to keep your mouth shut.

what should be done

[Friendly+Pyro]

Kids like this should be praised. He decided to report something he could easily do a lot of mischief with.

The RL equivalent is Breaking and Entering

[DaveV1.0]

It doesn't matter that the server was misconfigured, or used a default password. What matters is what he did.

He didn't accidentally find this something. He went looking for security hole, found one, used it to look around where he was not supposed to have access, then reported it anonymously. Then, an investigation followed and they found him.

That is the equivalent of him walking down a street and trying each door and window to see if it was open, finding one, going in to the house and looking around, then anonymously reporting what he had done to the police. In the real world it is breaking and entering (look up the law before you say "no breaking occurred").

But being an eye witness is not an active choice

[Anonymous+Brave+Guy]

Forget that this kid was doing a service to report the flaw, they are more concerned with why the kid was trying to access the site in the first place.

OK, I know Slashdot is collectively in holier-than-thou rage over this poor, "innocent" kid, but why was the kid trying to access the site in the first place?

It seems to me that he's not being punished for reporting something, he'd being dealt with because he probably broke the law.

Of course, the officials responsible for the shoddy security and data protection should also be dealt with under whatever laws apply in that jurisdiction. But that doesn't excuse a kid who actively went on a fishing expedition. The end cannot be allowed to justify the means in cases like this, or you undermine the basic principle of the laws: you give carte blanche to crackers to have a go at whatever they like, since if they get in, they can just report it and pretend they were doing the world a favour.

"copied" the files...

[Gary+W.+Longsine]

You keep using that phrase, "copied the files to his computer". I don't think it means what you think it means.

In discussions like this, it might merely mean that the kid accessed a protected area by accident, and his web browser "copied the file to his computer". Law Enforcement sometimes misuses the mere presence of data on the suspect's computer as the standard for proof of guilt, which is sometimes only the browser cache or even the cache for a filesharing program, when the user may not even know what the heck was in it.

The file name undoubtedly was not "click here to get 3 felony charges file against you and seriously fuck up the rest of your life" . The kid appears to have been doing the right thing. Now, if he tried to sell any of the data that he saw, sure, charges might be appropriate. Based on what little public information is available, this appears to be a case of shooting the messenger.

Re:"Using someone else's password"

[bcwright]

What, exactly, do they mean by that? Remember, we're talking about governmental entities that have a long history of not understanding much about computer security. For example:

$ ftp ftp.myschool.edu
Connected to ftp.myschool.edu
User (none): guest
331 Enter email address for anonymous login password
Password: myusername@yahoo.com
230 User guest logged in.
FTP>

Law Enforcement: "Clearly he was trying to impersonate Mr. Guest!"
You: !@#@#$

You think that's too silly? It's no worse than any number of other things I've heard about from such people. Or consider this:

You: "Let's see if that cute girl Angela in my English class has put up a home page on the school computer system. Let's see, use Firefox to browse to www.myschool.edu/~angela/ ... That's odd, doesn't look like what she'd have on her home page. What's this file?"

Cops: "Clearly he was trying to break into the Assistant Principal Angela H's computer work area!"

I don't think these examples are unrepresentative of the typical computer security understanding of law enforcement, unfortunately.

Re:Password use

[bcwright]

At least a couple of the articles say that the password he used (whatever that means, see my other comments on the subject) belonged to "another student." Oh, really?! Why did that other student have access to the data?! And why isn't he being charged?!

Clearly what we have been told about this incident is highly misleading. Either
(1) The file was in a location that could be accessed by ANYONE on the school network, or
(2) it had already been hacked by another student, who for some reason is not being charged, or
(3) He hacked into an administrative area, where the file may have been inadequately secured. Comments by the administration and law enforcement to the effect that the password he used belonged to another student are either incorrect or misleading.

Something is clearly rotten about this story, unfortunately it is difficult to tell if he did anything wrong or not, or whether he is a criminal or a scapegoat. Not only do we have to get information filtered through the administration and law enforcement (for whom computer security is usually at best an arcane art that they understand only poorly if at all), but all the primary sources are articles written by local news journalists rather than technical journalists, who are generally not much better at understanding the technical details.

It would appear however that unless he needed to hack into a reasonably well protected account in order to obtain the data, the school is clearly facing a serious HIPAA breach. That alone could be making them overreact, by trying to find some way - any way - to pin the blame on someone else.

Re:But being an eye witness is not an active choic

Yes, but I've personally been in situations where I was looking around on a network for a file (which I was supposed to try to find) and ended up wandering into a supposedly heavily restricted server (which I almost got fired for).

It sounds like a similar situation here. The kid is curious, so he's looking around the network. He shouldn't have used someone else's password, and I think that's the only thing he did wrong here. Its possible that his own account would have even worked.

And while it is true that you need to be cautious with people wandering through networks, it isn't that difficult to secure a network against people wandering, at least as such a basic level. That can all be controlled by aliases. Feh, I could start wandering into philosophy and analyze the differences between Consequentialist and Deontological ethics, but I don't think anyone wants to read another term paper.

The long and short of it is that you can't know anything more about why he was poking around than what he tells you.

Re:BZZZZT RTFA

[walt-sjc]

And apparently the correct punishment is hanging by the neck until dead?

In the RTFA department: No where does it say that he guessed a password or used a stolen password.

And apparently you must not have comprehended what you read. No where does it say that he will be punished by hanging. In fact, he is charged with felonies, but has NOT been convicted or sentenced. So before you fly off the handle, let's see how things go, M'Kay? Chances are that he will get off with a $250 fine and community service. Probably not a bad thing with some kid with too much time on his hands that he goes hacking around in shit he shouldn't be.

The lesson here

[catdevnull]

The lesson here is to get better at sending "anonymous" e-mail to report this stuff.