Slashdot Mirror


Student Charged With Three Felonies For Finding Security Flaw — and Report

Well, yet another teenage hacker who "did the right thing" by reporting a security flaw is being punished for his actions. Although it definitely sounds like the full story may not be out yet, a 15-year-old New York high school student has been charged with three felonies on the claim that he accessed a file containing social security numbers, driver's license numbers, and home addresses of past and present employees ... and then sent an anonymous email to the principal alerting him to the security flaw. "All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks."

12 of 547 comments

  1. kind of like being an eyewitness by Vandil+X · Score: 5, Interesting

    The person who reports the crime is often the first suspect or person of interest.

    Or simply, "Who ever smelt it, dealt it."

    Forget that this kid was doing a service to report the flaw, they are more concerned with why the kid was trying to access the site in the first place.

    --
    Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
    1. Re:kind of like being an eyewitness by houghi · Score: 3, Interesting

      The person who reports the crime is often the first suspect or person of interest.

      I was once questioned by police because I replied in an internet (anti)abuse usenet group because I was the first to reply about a site on kiddiporn and did not remove the URL.

      The police thought as you. The fact that I informed the provider, who was told not to take the site down even though the guilty person was already known, or the fact that I informed the police, who told me at the investigation that their mail did not work.
      Also the fact that they called the company and told them that I was wanted because of spreading child porn (luckily my employer understood when I showed him what I had done and that I was actually trying to take it offline).

      The police did not question any of my actions to prevent it. The only question they had was why I was in that newsgroup in the first place. Well, I am not anymore and I have never ever seen anything even remotely illegal. If it is online, it must be legal, otherwise the smart police people would take it away.

      This extends to life in the real world as well. I will not call the police for any reason any more.

      I personally do not care why he was there. He should not have access to that data. Not by accident and not on purpose and certainly not undetected. If I am not allowed to take a cookie, do not put the cookie jar open on the table.

      In many places leaving a car unlocked is forbidden by law and could be punished. The same should apply to easily accessible data.

      --
      Don't fight for your country, if your country does not fight for you.
  2. Blackmail by ChowRiit · Score: 4, Interesting

    If you read the whole article, it sounds a bit like he might have been trying to blackmail the school with the details of the hack. As theregister notes, the email contents aren't available, and the quote "He ... was looking to profit from his criminal act." also suggests that he may have been blackmailing the school.

    I'd like to hope so, at least, because otherwise the school is going WAY overboard...

    1. Re:Blackmail by CarbonShell · Score: 4, Interesting

      No!
      If anyone would have taken a minute to actually think about this, the claims do not make sense.

      If the kid was trying to blackmail the school, why sign as 'a student'?
      How will 'a student' profit from this?
      Fix the grades of 'a student' in the database?

      Blackmail is 'give me something or else'.
      As there is no *me* involved, it is not blackmail.

      Claiming that it is blackmail because the kids had revealed the security flaw and thus could repeat it is just wrong.

      This smells of BS all the way. The school comes up with false allegations to cover their asses and make the kids look like criminals.

      Sure, the kids were doing something they should not, but their actions after that should nullify the previous offense.

  3. He's not going to be tried for those crimes by 91degrees · Score: 5, Interesting

    It's just the screwed up legal system. They could just about get computer trespass to stick, although it probably wouldn't get a particularly harsh sentence passed. What they can do though is threaten the kid with these charges, mention that he could potentially serve 20 years and get him to plea bargain to a lesser crime.

    If he maintained his innocence and demanded a jury trial he'd have a good chance of being found innocent and if not the penalty would probably be minor. His behaviour just isn't that of a criminal. The whole system is broken. It's a game of bluff, but the stakes are the liberty of innocent people.

  4. Re:Once again kids: by WingedGlobe · Score: 5, Interesting

    While there are doubtlessly many clueless administrators in the world, there's also something to be said about being smart in protecting yourself. During high school, I poked around aimlessly on some network drives and found an unsecured, unencrypted text file of sensitive personal information on a lot of students. I didn't really have any business looking, but there was also nothing at all keeping me out. Instead of talking to the first administrator I could find or shooting off a "Hey look at this" email, I spoke to the instructor with whom I had the best relationship and could convince that I had no bad intentions, showed him the problem, and asked him to escalate it anonymously. He did so, the problem was fixed, case closed.

  5. Re:Well, another victim of "the book" by Like2Byte · Score: 3, Interesting

    There are a few possible scenarios suggested by this statement - all of them conjecture. At this time, the article is very light on detail.

    "He sent an e-mail to his principal saying, 'Look what I have,'" DeFeciani said.

    Conjecture #1) He was indeed using it for blackmail or other nefarious means.

        If this is the case, nail his behind to the wall.

    Conjecture #2) He simply reported the problem and the typical knee-jerk reaction ensues.

        If this is the case, let him pay off his transgression by working with the people on the IT team so he can be mentored and more easily monitored. Mentoring is the key element to his natural progression toward becoming a productive citizen.

    Conjecture #3) He was showing off his leet h4x0r 5k1llz by attempting to embarrass the admins at that facility.

        This is a tough one. I don't want to see some kid's life completely ruined because he didn't understand the ramifications of his actions. Certainly, he should be punished, but let's not lose our minds. Again, mentoring would probably go a long way in waking this kid up.

  6. Well by mach1980 · Score: 5, Interesting

    This happened to me in winter of 2000. I found an open FTP site on the LAN of my public school that contained sensitive information about the municipality's elderly care. I reported it to the Swedish Data Inspection Board. I later found out that the municipality had filed a police report to find the alleged 'hacker' who was able to break the 10-digit code (read: IP address).

    My only comfort was that I had reported the findings anonymously.

    And yes - the municipality were charged. The period for prosecution for my 'crime' has expired.

    --
    Break the sound barrier - bring the noise.
  7. Re:Once again kids: by jonaskoelker · Score: 3, Interesting

    Reporting a security hole is not noble, it's stupid.

    I can't help but wonder how much the slashdot perception of the stupidity of reporting security holes to your sysadmins is due to selective reporting.

    Ever noticed all the stories that say "User thanked for quietly reporting a subsequently fixed security problem"? Not exciting.

    But it happens. I've reported a security issue to root, with three user names (!= my own) that I'd found the password to and the method I used. They said it was okay and they'd changed them, and later enabled /etc/shadow.

    Trying-to-balance-out-the-selective-reporting'ly yours --Jonas K

  8. Re:Once again kids: by PopeRatzo · Score: 5, Interesting

    The stranger responds, "What were you doing in my backyard?"

    My dad made a point of teaching me that if I see a car with the headlights left on, and unlocked, and the owner's not around, to reach in and turn them off. If I see something that looks like a neighbor's made a mistake, to take the risk of being accused and do the right thing. To even take the risk of being wrong and do what I think is the right thing. The older I get, the smarter he seems.

    One of the benefits of getting older is the increased willingness to be counter to a trend.

    --
    You are welcome on my lawn.
  9. Re:Improper disclosure? by SanityInAnarchy · Score: 4, Interesting

    Opening a closed but not locked door and entering a building without permission is still against the law. It is called breaking and entering.

    IANAL, and I'm just guessing, but wouldn't that be trespassing? I mean, if you're breaking and entering, I would assume that requires the breaking of something, right?

    He has been charged with a crime for something he did, namely "computer trespass" for accessing a system without permission.

    There you go.

    I would also like to know more about the circumstances. I don't think curiosity should be a crime, and I do think there should be a much more rigid definition of what constitutes "unauthorized access" -- in particular, I think the burden should be to show that the access was, in fact, unauthorized, rather than requiring everyone to keep a clear record of authorization from every site we've ever accessed.

    Having read TFA, it looks very much like, by any technological definition, he was authorized. There would have to be pretty clear indications that he wasn't supposed to be there.

    And even if he was entirely at fault, this is also entirely the wrong way to go about it. The lesson to be learned here, from any other student who's paying attention, is simply to not tell anyone what you know.

    --
    Don't thank God, thank a doctor!
  10. Re:Improper disclosure? by jp10558 · Score: 3, Interesting

    Am I the only one who finds this crazy? Are we to go around scared of opening doors? Is there any implied consent (i.e. should I call up the gas station attendant to open their store door so I'm not B&E when I go in to pay the bill?)

    --
    Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3