Slashdot Mirror
Student Charged With Three Felonies For Finding Security Flaw — and Report
Well, yet another teenage hacker who "did the right thing" by reporting a security flaw is being punished for his actions. Although it definitely sounds like the whole story may not be in the clear yet, a 15-year-old New York high school student has been charged with three felonies claiming that he accessed a file containing social security numbers, driver's license numbers, and home addresses of past and present employees ... and then sent an anonymous email to the principal alerting him to the security flaw. "All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks."
Was there any bit of responsible disclosure, because it sounds a bit like "killing the messenger". While there may be discipline in order, this seems to be overkill if he was really intending to do the right thing.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
The person who reports the crime is often the first suspect or person of interest.
Or simply, "Who ever smelt it, dealt it."
Forget that this kid was doing a service to report the flaw, they are more concerned with why the kid was trying to access the site in the first place.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
Reporting a security hole is not noble, it's stupid.
If you read the whole article, it sounds a bit like he might have been trying to blackmail the school with the details of the hack. As theregister notes, the email contents aren't available, and the quote "He ... was looking to profit from his criminal act." also suggests that he may have been blackmailing the school.
I'd like to hope so, at least, because otherwise the school is going WAY overboard...
As in, being hit with the law book.
I RTFA but see no sign of this. At best is this bit from a followup link in TFA:
But for fuck's sake, three felonies at 15? For a fucking non-violent, non-destructive "offense"?
Poor kid is screwed for life.
It's just the screwed up legal system. They could just about get Computer trespass to stick, although probably wouldn't get a particularly harsh sentence passed. What they can do though is threaten the kid with these charges, mention that he could potentially serve 20 years and get him to plea bargain to a lesser crime.
If he maintained his innocence and demanded a jury trial he'd have a good chance of being found innocent and if not the penalty would probably be minor. His behaviour just isn't that of a criminal. The whole system is broken. It's a game of bluff, but the stakes are the liberty of innocent people.
stupid people fear smart people
The Admin and the Engineer
The astounding part is that the same IT department that left the security hole open succeeded in tracking the kid down. I don't think anyone would have seen that coming.
Blank until
He did the equivalent of finding a hole in someone's fence, breaking through the fence into the person's property, and then having a look around before telling the owner "hey, your fence has a hole in it". The kid was foolish here, assuming he had the best of intentions.
But hey, at least the kid learned a valuable (and sad) lesson in life:
No good deed goes unpunished.
This means this person, capable of not only using the internet but as a (clearly) (semi-) advanced user, is now no longer able to vote...because of something they did before they were legally eligible in the first place? And something they admitted to? Yet someone who doesn't know their left hand from a donkey's a-hole and votes based entirely on which guy they'd rather drink a beer with and/or whichever has a photo-op with someone who looks more like them is free to do the same AND drive drunk AND steal potentially thousands (but not over 10 thousand or so, depending on the state) AND even rape in some cases and still vote.
Ginga no Rekshiya Mata Each page.
This is like Boston freaking out over Lite-Brites. I hope the kid not only calls their bluff and asks for a jury trial, but finds some way to counter-sue.
And one who breaks security is like the one who alerts the king about wearing no clothes. You WILL get punished. You WILL be dealt with.
I saw this all the time at schools, jobs and like. People dont like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.
If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target.
If you're baiting your honeypot with real data, you're doing it wrong.
Blank until
This is why I send all my blackmail from my neighbor's WEP-enabled wireless.
The article I linked to explains exactly how they found him: they looked at the originating IP, which led them back to their own computer lab, and from there it was trivial to determine who was logged on to that machine at that time. He could have created a new email account just for this, but it would still be traceable without an anonymous proxy.
Blank until
This happened to me in winter of 2000. I found a open FTP-site on the LAN of my public school that contained sensitive information about the municipality elderly care. I reported it to the Swedish Data Inspection Board. I later found out that the municipality had filed a police report to find the alleged 'hacker' that were able to break the 10-digit code (read: IP-address).
My only comfort was that I had reported the findings anonymously.
And yes - they municipality were charged. The period for prosecution for my 'crime' has expired.
Break the sound barrier - bring the noise.
This is bullshit - I am really tired of hearing these scenarios where ignorant fascist assholes are doing serious damage to the reputation and future of kids who are doing the right thing.
The message being sent is that rather than being honest, helpful and productive member of networked society we're teaching kids that it's better to be deceptive and not expose dangerous security flaws. ...and FELONIES? What the fuck?!
I feel that there is a message that both the powers that be (and irresponsible sys admins who have been professionally shamed by these revelations) want to send - the sysadmins don't want to be embarrassed by kids - the feds or police either don't understand and are hearing sys admins tell them that "these meddling kids broke into our system, it's certainly not MY fault for not securing it" or people who should know better thinking that it's better to send the message that killing the messenger is the appropriate way to handle security, EG what people don't know won't hurt them and what we don't see we wont have to deal with.
I believe that this should be explained to those who aren't very computer/network literate with the following analogy: Let's say you live in one of those multifloor apartment buildings where there is an area in the lobby with many mailboxes which all lock. Each resident gets a key for their own box. This kid either accidentally (or just to see if his and other mailboxes are secure) plugs the key into the wrong box or a box that isn't his and finds that his key (and by logic every other resident's key) opens every mailbox in the building. The mailbox he tests the key on contains an envelope with a ton of cash sticking out of it. He goes to the landlord and says "hey, these keys provide no security because any key can open all mailboxes, and by the way, this mailbox had a ton of cash in it - here's the cash, I didn't want it to get stolen" and he is then arrested and charged with breaking and entering, grand larceny, and other such offenses.
I hope that if any high profile tech people get a chance to comment on this in the press or end up assisting the defense (if it was to go to trial) that they can send a message that criminalizing someone who is doing the right thing is just wrong...
Kids like this should be praised. He decided to report something he could easily do a lot of mischief with.
... here here including the kid's name. Article notes this isnt the first time he's been in trouble for hacking, so it may explain the apparent over zealous charges.
Has the kid sold the film rights yet? I've got this great idea for using his story, basically a 'hacker' kid gets blamed for a crime bigger than just breaking into a computer system, it could involve a bunch of his hacker friends pissing off "the man" responsible for the kid's arrest, like signing him up to online dating services and changing medical records to show he's dead. Maybe we could get an a-lister in the cast like Angelina Jolie & some other well knowns like Jonny Lee Miller & Matthew Lillard.
Oh, wait, too late...
To do something right, you often have to roll up your sleeves and get busy.
http://www.youtube.com/watch?v=O_lwGWfO_Mk
10 year old canada
http://www.youtube.com/watch?v=xakaLeLecvo&feature=related
10 year old florida
http://www.nydailynews.com/news/ny_crime/2008/08/07/2008-08-07_cop_cuffed_me_on_bus_kid_says_in_suit.html
10 year old girl NY
http://www.examiner.com/a-619947~Busted__7_year_old_cuffed__fingerprinted.html
7-- in baltimore
every day http://en.wikipedia.org/wiki/Special:Random
It doesn't matter that the server was misconfigured, or used a default password. What matters is what he did.
He didn't accidentally find this something. He went looking for security hole, found one, used it to look around where he was not supposed to have access, then reported it anonymously. Then, an investigation followed and they found him.
That is the equivalent of him walking down a street and trying each door and window to see if it was open, finding one, going in to the house and looking around, then anonymously reporting what he had done to the police. In the real world it is breaking and entering (look up the law before you say "no breaking occurred").
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
I wonder if any of those 'whistleblower' protection statutes would apply in this case.
Vintage computer games and RPG books available. Email me if you're interested.
In this case the kid used a master key and got into the house, stole and then tells the owner that he should put a 1000 usd lock and this 100 usd lock sucks!! Is it still not breaking into? Agreed, public offices should have very very good locks but does that weak lock(wrong) make the kid's theft right?
From law's prespective - Kid should get punishment for breaking into and the owner too should get punished for putting confidential records in weak security.
Forget that this kid was doing a service to report the flaw, they are more concerned with why the kid was trying to access the site in the first place.
OK, I know Slashdot is collectively in holier-than-thou rage over this poor, "innocent" kid, but why was the kid trying to access the site in the first place?
It seems to me that he's not being punished for reporting something, he'd being dealt with because he probably broke the law.
Of course, the officials responsible for the shoddy security and data protection should also be dealt with under whatever laws apply in that jurisdiction. But that doesn't excuse a kid who actively went on a fishing expedition. The end cannot be allowed to justify the means in cases like this, or you undermine the basic principle of the laws: you give carte blanche to crackers to have a go at whatever they like, since if they get in, they can just report it and pretend they were doing the world a favour.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
.
You are the administrator of a system that an alleged "Good Samaritan" has been trying to hack.
The successful hack would, of course, substantially increase your employer's legal and financial exposure.
But - as a fellow geek, and the trusting soul you are - you believe his motives were as pure as the driven snow.
You believe him when he says "no harm, no foul."
You see no reason for an audit - much less a re-build from scratch.
You have a new career opportunity opening up soon as a greeter at Wal-Mart.
You keep using that phrase, "copied the files to his computer". I don't think it means what you think it means.
In discussions like this, it might merely mean that the kid accessed a protected area by accident, and his web browser "copied the file to his computer". Law Enforcement sometimes misuses the mere presence of data on the suspect's computer as the standard for proof of guilt, which is sometimes only the browser cache or even the cache for a filesharing program, when the user may not even know what the heck was in it.
The file name undoubtedly was not "click here to get 3 felony charges file against you and seriously fuck up the rest of your life" . The kid appears to have been doing the right thing. Now, if he tried to sell any of the data that he saw, sure, charges might be appropriate. Based on what little public information is available, this appears to be a case of shooting the messenger.
If you mod me down, I shall become more powerful than you could possibly imagine.
We need better whistle blower laws that don't force you to use your own name. Just look at the guy who uncovered voter fraud and got hit with a few felonies.
The article says this kid and a "peer" accessed the info. How come there are no charges against this "peer"? Does this indicate the basis of the changes relate more towards the "intent to profit"? It would seem that this case may be more complicated than the facts on the table suggest.
Depends if that door is the only thing stopping them from walking off with a ton of private data other people have entrusted to you.
What, exactly, do they mean by that? Remember, we're talking about governmental entities that have a long history of not understanding much about computer security. For example:
$ ftp ftp.myschool.edu
Connected to ftp.myschool.edu
User (none): guest
331 Enter email address for anonymous login password
Password: myusername@yahoo.com
230 User guest logged in.
FTP>
Law Enforcement: "Clearly he was trying to impersonate Mr. Guest!"
You: !@#@#$
You think that's too silly? It's no worse than any number of other things I've heard about from such people. Or consider this:
You: "Let's see if that cute girl Angela in my English class has put up a home page on the school computer system. Let's see, use Firefox to browse to www.myschool.edu/~angela/ ... That's odd, doesn't look like what she'd have on her home page. What's this file?"
Cops: "Clearly he was trying to break into the Assistant Principal Angela H's computer work area!"
I don't think these examples are unrepresentative of the typical computer security understanding of law enforcement, unfortunately.
At least a couple of the articles say that the password he used (whatever that means, see my other comments on the subject) belonged to "another student." Oh, really?! Why did that other student have access to the data?! And why isn't he being charged?!
Clearly what we have been told about this incident is highly misleading. Either
(1) The file was in a location that could be accessed by ANYONE on the school network, or
(2) it had already been hacked by another student, who for some reason is not being charged, or
(3) He hacked into an administrative area, where the file may have been inadequately secured. Comments by the administration and law enforcement to the effect that the password he used belonged to another student are either incorrect or misleading.
Something is clearly rotten about this story, unfortunately it is difficult to tell if he did anything wrong or not, or whether he is a criminal or a scapegoat. Not only do we have to get information filtered through the administration and law enforcement (for whom computer security is usually at best an arcane art that they understand only poorly if at all), but all the primary sources are articles written by local news journalists rather than technical journalists, who are generally not much better at understanding the technical details.
It would appear however that unless he needed to hack into a reasonably well protected account in order to obtain the data, the school is clearly facing a serious HIPAA breach. That alone could be making them overreact, by trying to find some way - any way - to pin the blame on someone else.
This quote from the news article is especially telling:
All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks.
"A district password" in this quote sounds a lot like "a student or faculty account" to me. Doesn't sound like any hacking occurred at all.
And apparently the correct punishment is hanging by the neck until dead?
In the RTFA department: No where does it say that he guessed a password or used a stolen password.
And apparently you must not have comprehended what you read. No where does it say that he will be punished by hanging. In fact, he is charged with felonies, but has NOT been convicted or sentenced. So before you fly off the handle, let's see how things go, M'Kay? Chances are that he will get off with a $250 fine and community service. Probably not a bad thing with some kid with too much time on his hands that he goes hacking around in shit he shouldn't be.
A kid with too much time on his hands? Take it easy grandpa! Those damn kids. When i was a kid we had to walk 5 miles uphill in the snow each way to get time on our hands.
By hacking you mean logging into a system with the password they gave you?
Say nothing.
Human nature is to "shoot the messenger." So don't tell.
Once upon a time in university I noted a file in the temporary directory on one of computer science's machines with read access to all on the entire student name/id list. This was a byproduct of registration, and the ids were used as the passwords for first log in. But student ids were used for much more, and this list was also bigger than computer science... I complained to the comp sci sys admins; who said "gee thanks, we'll change that." But the file kept appearing. So I contacted the computing services admins; who said "gee thanks, we'll talk to the comp sci guys." The result of which was "this doesn't happen any more". So I sent a current directory list. No response. Then I posted the file (two months after it was supposedly fixed) to the internal security newsgroup. [I lost my access privs and was almost expelled.]
The moral of the story... don't tell people they f*cked up and sure as heck don't show them, because you just make them look bad, and there is a fine line between ethical behavior and questionable judgement.
/\/\icro/\/\uncher
The lesson here is to get better at sending "anonymous" e-mail to report this stuff.
I might know what I'm talkin' about, but then again, this is Slashdot...