Student Charged With Three Felonies For Finding Security Flaw

← Back to Stories (view on slashdot.org)

Student Charged With Three Felonies For Finding Security Flaw — and Report

Posted by ScuttleMonkey on Monday October 27, 2008 @09:35PM from the no-good-deed-goes-unpunished dept.

Well, yet another teenage hacker who "did the right thing" by reporting a security flaw is being punished for his actions. Although it definitely sounds like the whole story may not be in the clear yet, a 15-year-old New York high school student has been charged with three felonies claiming that he accessed a file containing social security numbers, driver's license numbers, and home addresses of past and present employees ... and then sent an anonymous email to the principal alerting him to the security flaw. "All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks."

11 of 547 comments (clear)

Min score:

Reason:

Sort:

Improper disclosure? by sethstorm · 2008-10-27 21:38 · Score: 5, Insightful

Was there any bit of responsible disclosure, because it sounds a bit like "killing the messenger". While there may be discipline in order, this seems to be overkill if he was really intending to do the right thing.

--
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
1. Re:Improper disclosure? by eggled · 2008-10-27 22:46 · Score: 5, Insightful
  
  From TFA:
  
  School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks
  So, thousands of people have had access to this file, and the one person who tried to report it (and was tracked down) is being charged with felony counts of computer access and identity theft? And they're not checking to see if anybody else has tried to access this file, to indict them, as well? Definitely seems like a case of shoot the messenger. According to a state trooper interviewed in TFA,
  
  He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act.
  I didn't see anything about him trying to profit, though... He sent an email to the principal (contents unknown), from an anonymous email address, signed 'A Student'. Without more info, I'm inclined to speculate that he didn't really appear to be attempting to profit. (Wouldn't it be better to keep this a secret and profit from the information, if that was really his intent?)
2. Re:Improper disclosure? by Spazztastic · 2008-10-27 23:16 · Score: 5, Insightful
  
  I didn't see anything about him trying to profit, though... He sent an email to the principal (contents unknown), from an anonymous email address, signed 'A Student'. Without more info, I'm inclined to speculate that he didn't really appear to be attempting to profit. (Wouldn't it be better to keep this a secret and profit from the information, if that was really his intent?)
  All they're doing is making an example out of him. A company did the same thing a few years back with a white hat (Whos name I can't remember, and I can't find my copy of The Art of Deception/Intrustion to look up his name). He produced the error, sent them a paper on it, then they claimed that in the span of 6 months he used their service illegitimately for his own benefit.
  
  I guarantee whoever designed their security infrastructure had their ego shattered by this and in a fit of nerd rage decided to strike back with everything he could.
  
  --
  Posts not to be taken literally. Almost everything is sarcasm.
3. Re:Improper disclosure? by theaveng · 2008-10-27 23:32 · Score: 5, Insightful
  
  A sniper rifle aimed at the head of the principal and/or prosecutor also works: "Don't try to 'make examples' of good, decent people trying to do the right thing. Else YOU will be made an example of how Liberty-loving people deal with out-of-control Tyrants."
  Okay, I joke.
  But any politician hearing about this unfair prosecution ought to update the "Good Samaritan Law" so it not only protects people trying to save injured persons, but also protects people trying to help schools/companies by revealing security flaws in their system.
  
  --
  FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
4. Re:Improper disclosure? by diskofish · 2008-10-27 23:46 · Score: 5, Insightful
  
  That is exactly right. From the sound of the article, the files were in plain sight for anyone who had access to the network (though it is unclear). If they are going to charge the kid, then the network engineer should be hit with the same charges. There is definitely some minimum amount of security required, or else it's just pure negligence. Anyone who's ever administered a server knows they are probed ALL the time.
5. Re:Improper disclosure? by Spazztastic · 2008-10-27 23:54 · Score: 5, Insightful
  
  Anyone who's ever administered a server knows they are probed ALL the time.
  Anybody who's ever administrated a school network should know that every kid is a potential "hacker," and you should be always keeping all the security up to date and patched regularly.
  
  --
  Posts not to be taken literally. Almost everything is sarcasm.
Well, another victim of "the book" by GrumblyStuff · 2008-10-27 21:44 · Score: 5, Insightful

As in, being hit with the law book.

"He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act."
I RTFA but see no sign of this. At best is this bit from a followup link in TFA:

"He sent an e-mail to his principal saying, 'Look what I have,'" DeFeciani said.
But for fuck's sake, three felonies at 15? For a fucking non-violent, non-destructive "offense"?
Poor kid is screwed for life.
Re:news flash by SmokeyTheBalrog · 2008-10-27 22:24 · Score: 5, Insightful

And smart people fear stupid people even more.
Re:Once again kids: by Anonymous Coward · 2008-10-27 22:35 · Score: 5, Insightful

A man approaches a stranger and says, "Hey, I noticed your shed is unlocked." The stranger responds, "What were you doing in my backyard?"
It's not that the unlocked shed isn't a problem. It's that there is also the issue of what the person was doing there in the first place and is anything missing.
With a shed, it's not much of a problem. Check to make sure nothing is missing. Charge them with trespassing if you are so inclined.
With a computer, especially a government or business computer, it's more complicated. You can't just take a peek and make sure nothing happened. Insurance issues alone probably require that they press charges to the full extent the law allows. Doing so also keeps the ball squarely in the court of the alleged victim.
If the person had a legitimate reason for being where he was, no charges are going to stick. If he didn't, he might be in some trouble.
In ANY case, the GP is right. Just don't do it.
While we're on the subject, don't talk to cops without a lawyer, either.
The felonous emperor has no clothes. by Creepy+Crawler · 2008-10-27 22:42 · Score: 5, Insightful

And one who breaks security is like the one who alerts the king about wearing no clothes. You WILL get punished. You WILL be dealt with.
I saw this all the time at schools, jobs and like. People dont like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.
If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target.
--
- Mod parent up! by Anonymous Coward (Score:1) Thurs, Nov 31, @13:37
Re:news flash by characterZer0 · 2008-10-28 00:53 · Score: 5, Insightful

And they vote.

--
Go green: turn off your refrigerator.