Student Charged With Three Felonies For Finding Security Flaw

← Back to Stories (view on slashdot.org)

Student Charged With Three Felonies For Finding Security Flaw — and Report

Posted by ScuttleMonkey on Monday October 27, 2008 @09:35PM from the no-good-deed-goes-unpunished dept.

Well, yet another teenage hacker who "did the right thing" by reporting a security flaw is being punished for his actions. Although it definitely sounds like the whole story may not be in the clear yet, a 15-year-old New York high school student has been charged with three felonies claiming that he accessed a file containing social security numbers, driver's license numbers, and home addresses of past and present employees ... and then sent an anonymous email to the principal alerting him to the security flaw. "All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks."

41 of 547 comments (clear)

Improper disclosure? by sethstorm · 2008-10-27 21:38 · Score: 5, Insightful

Was there any bit of responsible disclosure, because it sounds a bit like "killing the messenger". While there may be discipline in order, this seems to be overkill if he was really intending to do the right thing.

--
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
1. Re:Improper disclosure? by SQLGuru · 2008-10-27 22:46 · Score: 4, Insightful
  
  I guess part of me wants to know how he found out. If he found out by accident, then yeah, this is a case of "No good deed goes unpunished"....but if he was looking around for something to hack and found more than he was expecting, then there should be some punishment (though probably not three felony charges).....
  Layne
2. Re:Improper disclosure? by eggled · 2008-10-27 22:46 · Score: 5, Insightful
  
  From TFA:
  
  School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks
  So, thousands of people have had access to this file, and the one person who tried to report it (and was tracked down) is being charged with felony counts of computer access and identity theft? And they're not checking to see if anybody else has tried to access this file, to indict them, as well? Definitely seems like a case of shoot the messenger. According to a state trooper interviewed in TFA,
  
  He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act.
  I didn't see anything about him trying to profit, though... He sent an email to the principal (contents unknown), from an anonymous email address, signed 'A Student'. Without more info, I'm inclined to speculate that he didn't really appear to be attempting to profit. (Wouldn't it be better to keep this a secret and profit from the information, if that was really his intent?)
3. Re:Improper disclosure? by Spazztastic · 2008-10-27 23:16 · Score: 5, Insightful
  
  I didn't see anything about him trying to profit, though... He sent an email to the principal (contents unknown), from an anonymous email address, signed 'A Student'. Without more info, I'm inclined to speculate that he didn't really appear to be attempting to profit. (Wouldn't it be better to keep this a secret and profit from the information, if that was really his intent?)
  All they're doing is making an example out of him. A company did the same thing a few years back with a white hat (Whos name I can't remember, and I can't find my copy of The Art of Deception/Intrustion to look up his name). He produced the error, sent them a paper on it, then they claimed that in the span of 6 months he used their service illegitimately for his own benefit.
  
  I guarantee whoever designed their security infrastructure had their ego shattered by this and in a fit of nerd rage decided to strike back with everything he could.
  
  --
  Posts not to be taken literally. Almost everything is sarcasm.
4. Re:Improper disclosure? by theaveng · 2008-10-27 23:32 · Score: 5, Insightful
  
  A sniper rifle aimed at the head of the principal and/or prosecutor also works: "Don't try to 'make examples' of good, decent people trying to do the right thing. Else YOU will be made an example of how Liberty-loving people deal with out-of-control Tyrants."
  Okay, I joke.
  But any politician hearing about this unfair prosecution ought to update the "Good Samaritan Law" so it not only protects people trying to save injured persons, but also protects people trying to help schools/companies by revealing security flaws in their system.
  
  --
  FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
5. Re:Improper disclosure? by Sancho · 2008-10-27 23:40 · Score: 4, Insightful
  
  But any politician hearing about this unfair prosecution ought to update the "Good Samaritan Law" so it not only protects people trying to save injured persons, but also protects people trying to help schools/companies by revealing security flaws in their system.
  That's one of the best ideas I've heard all day. Unfortunately, because politicians are about as dumb as a bag of bricks when it comes to computers, all they'll see is what the media shows them i.e. "Bad hacker got caught!"
6. Re:Improper disclosure? by diskofish · 2008-10-27 23:46 · Score: 5, Insightful
  
  That is exactly right. From the sound of the article, the files were in plain sight for anyone who had access to the network (though it is unclear). If they are going to charge the kid, then the network engineer should be hit with the same charges. There is definitely some minimum amount of security required, or else it's just pure negligence. Anyone who's ever administered a server knows they are probed ALL the time.
7. Re:Improper disclosure? by Spazztastic · 2008-10-27 23:54 · Score: 5, Insightful
  
  Anyone who's ever administered a server knows they are probed ALL the time.
  Anybody who's ever administrated a school network should know that every kid is a potential "hacker," and you should be always keeping all the security up to date and patched regularly.
  
  --
  Posts not to be taken literally. Almost everything is sarcasm.
8. Re:Improper disclosure? by dhasenan · 2008-10-28 00:32 · Score: 4, Insightful
  
  Even if he was looking for something to hack, he didn't do any damage. Instead, he performed a public service. Punishing a person for something he maybe was wanting to do is just stupid.
  On the other hand, if he didn't phrase his message carefully, it could have been taken as a threat. If he said something along the lines of "Please use a more secure password on $SERVER -- I guessed it easily", then it's hard to sympathize with the administration. If he said "I accessed your server and now have the social security numbers for every faculty member", then it's much more ambiguous, and I'd expect the student to be investigated. Just investigated, not arrested.
9. Re:Improper disclosure? by mysidia · 2008-10-28 00:43 · Score: 4, Informative
  
  Anybody who's ever administrated a school network should know that every kid is a potential "hacker," and you should be always keeping all the security up to date and patched regularly.
  Not only that, but there should be an air-gap between the network students have access to and the faculty network that contains sensitive information.
  And even faculty access to internal enterprise information fairly limited when logging into a student workstation.
  Student-accessible computer nodes and network ports should be treated about as secure as unencrypted WiFi.
  To access confidential materials from such a workstation, the teacher must connect to a VPN, preferably using 2-factor authentication with a token such as SecurID.
10. Re:Improper disclosure? by sukotto · 2008-10-28 00:44 · Score: 4, Insightful
  
  Using your post as an example:
  Let's see here... you could be charged with
  - a criminal death threat
  - possession with intent (if you own a rifle)
  - conspiracy to commit murder (since you discussed with all of us and presumably none of us called the police)
  - making a terrorist threat
  - material support for terrorism (if you donate to a charity the DA doesn't like)
  - and a whole bunch of "minor" crimes.
  So... have fun in prison... we'll see you in 150 years or so.
  This started out as a "+1 funny"... but now I just feel "-1 WTH is happening to your country?" :-(
  
  --
  Come play free flash games on Kongregate!
11. Re:Improper disclosure? by DaveV1.0 · 2008-10-28 01:33 · Score: 4, Informative
  
  Opening a closed but not locked door and entering a building without permission is still against the law. It is called breaking and entering.
  He is not being punished for "wanting to do" something, he has not been punished for anything yet. He has been charged with a crime for something he did, namely "computer trespass" for accessing a system without permission.
  
  --
  There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
12. Re:Improper disclosure? by j00r0m4nc3r · 2008-10-28 01:34 · Score: 4, Insightful
  
  He's in trouble because he copied the file(s) to his computer. It's not like he just said, "Hey this looks insecure", he actually copied the data and looked at it. That's a huge violation. Yeah I'm not riding the "HE'S BEING PERSECUTED!" train. He copied people's private info to his personal computer. Who knows where it could end up from there? It doesn't matter if the network was insecure, he should have just called the administration and said, "I think this might need looking at..."
13. Re:Improper disclosure? by SanityInAnarchy · 2008-10-28 01:53 · Score: 4, Interesting
  
  Opening a closed but not locked door and entering a building without permission is still against the law. It is called breaking and entering.
  IANAL, and I'm just guessing, but wouldn't that be tresspassing? I mean, if you're breaking and entering, I would assume that requires the breaking of something, right?
  
  He has been charged with a crime for something he did, namely "computer trespass" for accessing a system without permission.
  There you go.
  I would also like to know more about the circumstances. I don't think curiosity should be a crime, and I do think there should be a much more rigid definition of what constitutes "unauthorized access" -- in particular, I think the burden should be to show that the access was, in fact, unauthorized, rather than requiring everyone to keep a clear record of authorization from every site we've ever accessed.
  Having read TFA, it looks very much like, by any technological definition, he was authorized. There would have to be pretty clear indications that he wasn't supposed to be there.
  And even if he was entirely at fault, this is also entirely the wrong way to go about it. The lesson to be learned here, from any other student who's paying attention, is simply to not tell anyone what you know.
  
  --
  Don't thank God, thank a doctor!
14. Re:Improper disclosure? by DigitAl56K · 2008-10-28 02:34 · Score: 4, Insightful
  
  He copied people's private info to his personal computer. Who knows where it could end up from there?
  Yes, and who knows where it might end up being accessible to "thousands of students, faculty and employees" if nobody ever reported the problem?
  Fair enough, the law is the law. If you use someone else's password you've accessed a system in an unauthorized manner whether you copy a file or not. In fact if there is any doubt that you *were* authorized to use that password then you could argue whoever made the file accessible inherently granted you authorization to access it. But let's have some common sense here: by shooting the messenger they're essentially making fear/obscurity their main security measure, and that's exactly what landed them in this situation in the first place.
  Does anyone know if the school is facing charges or a suit for breaking data protection laws btw?
15. Re:Improper disclosure? by cromar · 2008-10-28 04:44 · Score: 4, Insightful
  
  I hate this line of "reasoning." Entering a computer network is not the same as entering a house or other physical place. Since the beginning of the internet, systems have been presumed open. Only after more and more time has gone by, is this idea changing. Hell, most systems at the beginning didn't even have passwords. And they were considered open. Now all of a sudden, because manufacturers are lazy and most users/administrators are ignorant, do we hear people make analogies to physical spaces. Guess what? Networks and computer systems are not physical spaces! They have their own history and organic rule sets that have grown over the last 30+ years.
  If anything, a better analogy is to compare systems to stores. Both provide public services and are accessible through public thoroughfares. So, if I leave my store open and unattended, that does not mean you should not come in unless I specifically leave a sign saying "the door is unlocked but don't come in." That's ridiculous. Instead, if you went in, while certainly raising suspicion and probably causing the owner to become irate and the police to investigate you, you haven't done anything wrong or illegal. Same if you have a key to said store and the owner has not asked you to not come in after hours. You haven't done anything illegal. Now, if you're in there looking at unsecured credit card numbers (left out in a file cabinet), you still haven't done anything illegal. You might tell your friend the owner that he might want to be more careful with where he puts others' private information. Still nothing illegal. Only until you take those CC#'s and/or use them fraudulently have you committed a crime.
kind of like being an eyewitness by Vandil+X · 2008-10-27 21:39 · Score: 5, Interesting

The person who reports the crime is often the first suspect or person of interest.

Or simply, "Who ever smelt it, dealt it."

Forget that this kid was doing a service to report the flaw, they are more concerned with why the kid was trying to access the site in the first place.

--
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
Once again kids: by yttrstein · 2008-10-27 21:40 · Score: 4, Insightful

Reporting a security hole is not noble, it's stupid.
1. Re:Once again kids: by GrumblyStuff · 2008-10-27 21:49 · Score: 4, Insightful
  
  How did it ever come to this anyway?
  Seriously, what the fuck happened to common sense? Where and when did society decide that a problem is only a problem if it is found?
  At this rate, I'll be surprised if people even call the cops or the fire department to report a crime/fire.
2. Re:Once again kids: by Swizec · 2008-10-27 22:05 · Score: 4, Insightful
  
  If I wasn't implicatly involved I'd never go to the trouble of calling the coppers for anything. Let the victim call them, I don't want to be involved in any way, because most of the time it's just more trouble than it's worth.
  
  Think about it, if I report a problem I'll be the main suspect for a while, I'll have to be interogated and I don't think they're ever nice about it, I'll potentionally have to appear at court and it's just overall too much of a mess. I have my own shit to deal with.
3. Re:Once again kids: by WingedGlobe · 2008-10-27 22:06 · Score: 5, Interesting
  
  While there are doubtlessly many clueless administrators in the world, there's also something to be said about being smart in protecting yourself. During high school, I poked around aimlessly on some network drives and found an unsecure, unencrypted text file of sensitive personal information on a lot of students. I didn't really have any business looking, but there was also nothing at all keeping me out. Instead of talking to the first administrator I could find or shooting off a "Hey look at this" email, I spoke to the instructor with whom I had the best relationship with and could convince that I had no bad intentions, showed him the problem, and asked him to escalate it anonymously. He did so, the problem was fixed, case closed.
4. Re:Once again kids: by MrMr · 2008-10-27 22:22 · Score: 4, Informative
  
  Where and when did society decide that a problem is only a problem if it is found?
  496 - 406 B.C.?
5. Re:Once again kids: by jamesh · 2008-10-27 22:32 · Score: 4, Informative
  
  Where was there any not of blackmail?
  RTFA, not TFS...
  "He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act."
  Now that's the State Troopers words, and may not be true, but it's right there in the article itself. I suppose you could infer that he wanted to use the information he obtained for something other than blackmail (eg fraud), but if he wanted to do that he wouldn't have emailed the principal giving the game away, so blackmail is the obvious conclusion.
6. Re:Once again kids: by Anonymous Coward · 2008-10-27 22:35 · Score: 5, Insightful
  
  A man approaches a stranger and says, "Hey, I noticed your shed is unlocked." The stranger responds, "What were you doing in my backyard?"
  It's not that the unlocked shed isn't a problem. It's that there is also the issue of what the person was doing there in the first place and is anything missing.
  With a shed, it's not much of a problem. Check to make sure nothing is missing. Charge them with trespassing if you are so inclined.
  With a computer, especially a government or business computer, it's more complicated. You can't just take a peek and make sure nothing happened. Insurance issues alone probably require that they press charges to the full extent the law allows. Doing so also keeps the ball squarely in the court of the alleged victim.
  If the person had a legitimate reason for being where he was, no charges are going to stick. If he didn't, he might be in some trouble.
  In ANY case, the GP is right. Just don't do it.
  While we're on the subject, don't talk to cops without a lawyer, either.
7. Re:Once again kids: by Homr+Zodyssey · 2008-10-27 23:07 · Score: 4, Informative
  
  Actually, according to the school's own website, "Due to a configuration error, this file was not completely secured from student password access after being moved to a new server." This implies that the kid could have done it with his own account.
8. Re:Once again kids: by PopeRatzo · 2008-10-27 23:49 · Score: 5, Interesting
  
  The stranger responds, "What were you doing in my backyard?"
  My dad made a point of teaching me that if I see a car with the headlights left on, and unlocked, and the owner's not around, to reach in and turn them off. If I see something that looks like a neighbor's made a mistake, to take the risk of being accused and do the right thing. To even take the risk of being wrong and do what I think is the right thing. The older I get, the smarter he seems.
  One of the benefits of getting older is the increased willingness to be counter to a trend.
  
  --
  You are welcome on my lawn.
9. Re:Once again kids: by Sancho · 2008-10-27 23:52 · Score: 4, Insightful
  
  And this fiber right here is exactly why it doesn't make sense to jump to conclusions. What sparse information we have is conflicting. Where does the profit motive come into play? Where's the profit in alerting the authorities when you find a hole like this? What do they mean by "used someone else's username and password?"
  We don't know if the kid's being hung out to dry, or if this is an appropriate response to the actions taken. Yet all throughout the comments, you see people immediately assuming that the kid is being martyred.
  I'm not even saying that the kid isn't. I'm just saying that we don't have any clue based upon the presented facts, so taking one side or the other is a bit like American politics--pick a side and pretend you're at a football match.
10. Re:Once again kids: by xouumalperxe · 2008-10-28 01:04 · Score: 4, Insightful
  
  Reading the Register article, and both linked Daily Gazette articles, only two things are certain: The kid saw the information, and he communicated with the school principal regarding it. We don't know the tone of the communication, we don't know how he acquired the password, we don't know whether he kept a copy of the data, only that he saw it. The district representative saying the kid said "Look what I got" to the principal is hearsay at best, bravado at worst. The articles all read like trying to make the best case possible that the kid is the "villain", yet there is no statement that he did, or intended to do, anything malicious to the effect of blackmail. There is no information that he did anything illegal to acquire the login details themselves. I would think that, if there had been any attempt at foul play, they would've jumped at the opportunity to post them.
  Personally, and because of the rather damning tone of the (sparse in details) articles, I'm going with "knee-jerk reaction" myself, as my optimistic approach. The other reasonable alternative is "vilify the kid so people won't notice we cocked up". The kid having actually done anything wrong (as opposed to, eventually, illegal) comes as a distant third.
Blackmail by ChowRiit · 2008-10-27 21:42 · Score: 4, Interesting

If you read the whole article, it sounds a bit like he might have been trying to blackmail the school with the details of the hack. As theregister notes, the email contents aren't available, and the quote "He ... was looking to profit from his criminal act." also suggests that he may have been blackmailing the school.
I'd like to hope so, at least, because otherwise the school is going WAY overboard...
1. Re:Blackmail by CarbonShell · 2008-10-27 22:28 · Score: 4, Interesting
  
  No!
  If anyone would have taken a minute to actually think about this, the claims do not make sense.
  If the kid was trying to blackmail the school, why sign as 'a student'?
  How will 'a student' profit from this?
  Fix the grades of 'a student' in the database?
  Blackmail is 'give me something or else'.
  As there is no *me* involved, it is not blackmail.
  Claiming that it is blackmail because the kids had reviled the security flaw and thus could repeat it is just wrong.
  This smells of BS all the way. The school comes up with false allegations to cover their asses and make the kids look like criminals.
  Sure, the kids were doing something they should not but their actions after that should null the previous offense.
Well, another victim of "the book" by GrumblyStuff · 2008-10-27 21:44 · Score: 5, Insightful

As in, being hit with the law book.

"He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act."
I RTFA but see no sign of this. At best is this bit from a followup link in TFA:

"He sent an e-mail to his principal saying, 'Look what I have,'" DeFeciani said.
But for fuck's sake, three felonies at 15? For a fucking non-violent, non-destructive "offense"?
Poor kid is screwed for life.
1. Re:Well, another victim of "the book" by sortius_nod · 2008-10-27 22:38 · Score: 4, Insightful
  
  Where do you want someone to start with an answer to that?
  Seriously though, this is what happens when you create a police state. This is no different to any other dictatorship where non-violent crimes (anti-government, anti-religion, etc) are punished with prolonged sentences or even death.
  Seriously, wake up America, all this horseshit about peace, freedom, and democracy isn't even upheld in your own country. Do you really think the rest of the world are stupid enough to believe you can "bring freedom to the world"?
He's not going to be tried for those crimes by 91degrees · 2008-10-27 21:50 · Score: 5, Interesting

It's just the screwed up legal system. They could just about get Computer trespass to stick, although probably wouldn't get a particularly harsh sentence passed. What they can do though is threaten the kid with these charges, mention that he could potentially serve 20 years and get him to plea bargain to a lesser crime.

If he maintained his innocence and demanded a jury trial he'd have a good chance of being found innocent and if not the penalty would probably be minor. His behaviour just isn't that of a criminal. The whole system is broken. It's a game of bluff, but the stakes are the liberty of innocent people.
news flash by catmistake · 2008-10-27 21:54 · Score: 4, Insightful

stupid people fear smart people

--
The Admin and the Engineer
1. Re:news flash by SmokeyTheBalrog · 2008-10-27 22:24 · Score: 5, Insightful
  
  And smart people fear stupid people even more.
2. Re:news flash by characterZer0 · 2008-10-28 00:53 · Score: 5, Insightful
  
  And they vote.
  
  --
  Go green: turn off your refrigerator.
Re:Anonymous by Farmer+Tim · 2008-10-27 21:57 · Score: 5, Funny

The astounding part is that the same IT department that left the security hole open succeeded in tracking the kid down. I don't think anyone would have seen that coming.

--
Blank until /. makes another boneheaded UI decision.
The felonous emperor has no clothes. by Creepy+Crawler · 2008-10-27 22:42 · Score: 5, Insightful

And one who breaks security is like the one who alerts the king about wearing no clothes. You WILL get punished. You WILL be dealt with.
I saw this all the time at schools, jobs and like. People dont like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.
If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target.
--
- Mod parent up! by Anonymous Coward (Score:1) Thurs, Nov 31, @13:37
Well by mach1980 · 2008-10-27 23:19 · Score: 5, Interesting

This happened to me in winter of 2000. I found a open FTP-site on the LAN of my public school that contained sensitive information about the municipality elderly care. I reported it to the Swedish Data Inspection Board. I later found out that the municipality had filed a police report to find the alleged 'hacker' that were able to break the 10-digit code (read: IP-address).

My only comfort was that I had reported the findings anonymously.

And yes - they municipality were charged. The period for prosecution for my 'crime' has expired.

--
Break the sound barrier - bring the noise.
"copied" the files... by Gary+W.+Longsine · 2008-10-28 02:14 · Score: 4, Insightful

You keep using that phrase, "copied the files to his computer". I don't think it means what you think it means.

In discussions like this, it might merely mean that the kid accessed a protected area by accident, and his web browser "copied the file to his computer". Law Enforcement sometimes misuses the mere presence of data on the suspect's computer as the standard for proof of guilt, which is sometimes only the browser cache or even the cache for a filesharing program, when the user may not even know what the heck was in it.

The file name undoubtedly was not "click here to get 3 felony charges file against you and seriously fuck up the rest of your life" . The kid appears to have been doing the right thing. Now, if he tried to sell any of the data that he saw, sure, charges might be appropriate. Based on what little public information is available, this appears to be a case of shooting the messenger.

--
If you mod me down, I shall become more powerful than you could possibly imagine.
Re:"Using someone else's password" by bcwright · 2008-10-28 03:36 · Score: 4, Insightful

What, exactly, do they mean by that? Remember, we're talking about governmental entities that have a long history of not understanding much about computer security. For example:
$ ftp ftp.myschool.edu
Connected to ftp.myschool.edu
User (none): guest
331 Enter email address for anonymous login password
Password: myusername@yahoo.com
230 User guest logged in.
FTP>
Law Enforcement: "Clearly he was trying to impersonate Mr. Guest!"
You: !@#@#$
You think that's too silly? It's no worse than any number of other things I've heard about from such people. Or consider this:
You: "Let's see if that cute girl Angela in my English class has put up a home page on the school computer system. Let's see, use Firefox to browse to www.myschool.edu/~angela/ ... That's odd, doesn't look like what she'd have on her home page. What's this file?"
Cops: "Clearly he was trying to break into the Assistant Principal Angela H's computer work area!"
I don't think these examples are unrepresentative of the typical computer security understanding of law enforcement, unfortunately.