Slashdot Mirror


Student Charged With Three Felonies For Finding Security Flaw — and Report

Well, yet another teenage hacker who "did the right thing" by reporting a security flaw is being punished for his actions. Although it definitely sounds like the whole story may not be in the clear yet, a 15-year-old New York high school student has been charged with three felonies claiming that he accessed a file containing social security numbers, driver's license numbers, and home addresses of past and present employees ... and then sent an anonymous email to the principal alerting him to the security flaw. "All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks."

17 of 547 comments

  1. Improper disclosure? by sethstorm · Score: 5, Insightful

    Was there any bit of responsible disclosure, because it sounds a bit like "killing the messenger". While there may be discipline in order, this seems to be overkill if he was really intending to do the right thing.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
    1. Re:Improper disclosure? by eggled · Score: 5, Insightful
      From TFA:

      School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks

      So, thousands of people have had access to this file, and the one person who tried to report it (and was tracked down) is being charged with felony counts of computer access and identity theft? And they're not checking to see if anybody else has tried to access this file, to indict them, as well? Definitely seems like a case of shoot the messenger. According to a state trooper interviewed in TFA,

      He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act.

      I didn't see anything about him trying to profit, though... He sent an email to the principal (contents unknown), from an anonymous email address, signed 'A Student'. Without more info, I'm inclined to speculate that he didn't really appear to be attempting to profit. (Wouldn't it be better to keep this a secret and profit from the information, if that was really his intent?)

    2. Re:Improper disclosure? by Spazztastic · Score: 5, Insightful

      I didn't see anything about him trying to profit, though... He sent an email to the principal (contents unknown), from an anonymous email address, signed 'A Student'. Without more info, I'm inclined to speculate that he didn't really appear to be attempting to profit. (Wouldn't it be better to keep this a secret and profit from the information, if that was really his intent?)

      All they're doing is making an example out of him. A company did the same thing a few years back with a white hat (whose name I can't remember, and I can't find my copy of The Art of Deception/Intrusion to look up his name). He produced the error, sent them a paper on it, then they claimed that in the span of 6 months he used their service illegitimately for his own benefit.

      I guarantee whoever designed their security infrastructure had their ego shattered by this and in a fit of nerd rage decided to strike back with everything he could.

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    3. Re:Improper disclosure? by theaveng · Score: 5, Insightful

      A sniper rifle aimed at the head of the principal and/or prosecutor also works: "Don't try to 'make examples' of good, decent people trying to do the right thing. Else YOU will be made an example of how Liberty-loving people deal with out-of-control Tyrants."

      Okay, I joke.

      But any politician hearing about this unfair prosecution ought to update the "Good Samaritan Law" so it not only protects people trying to save injured persons, but also protects people trying to help schools/companies by revealing security flaws in their system.

      --
      FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
    4. Re:Improper disclosure? by diskofish · Score: 5, Insightful

      That is exactly right. From the sound of the article, the files were in plain sight for anyone who had access to the network (though it is unclear). If they are going to charge the kid, then the network engineer should be hit with the same charges. There is definitely some minimum amount of security required, or else it's just pure negligence. Anyone who's ever administered a server knows they are probed ALL the time.

    5. Re:Improper disclosure? by Spazztastic · Score: 5, Insightful

      Anyone who's ever administered a server knows they are probed ALL the time.

      Anybody who's ever administered a school network should know that every kid is a potential "hacker," and you should always be keeping all the security up to date and patched regularly.

      --
      Posts not to be taken literally. Almost everything is sarcasm.
  2. kind of like being an eyewitness by Vandil X · Score: 5, Interesting

    The person who reports the crime is often the first suspect or person of interest.

    Or simply, "Whoever smelt it, dealt it."

    Forget that this kid was doing a service to report the flaw, they are more concerned with why the kid was trying to access the site in the first place.

    --
    Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
  3. Well, another victim of "the book" by GrumblyStuff · Score: 5, Insightful

    As in, being hit with the law book.

    "He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act."

    I RTFA but see no sign of this. At best is this bit from a followup link in TFA:

    "He sent an e-mail to his principal saying, 'Look what I have,'" DeFeciani said.

    But for fuck's sake, three felonies at 15? For a fucking non-violent, non-destructive "offense"?

    Poor kid is screwed for life.

  4. He's not going to be tried for those crimes by 91degrees · Score: 5, Interesting

    It's just the screwed up legal system. They could just about get computer trespass to stick, although they probably wouldn't get a particularly harsh sentence passed. What they can do, though, is threaten the kid with these charges, mention that he could potentially serve 20 years, and get him to plea bargain to a lesser crime.

    If he maintained his innocence and demanded a jury trial he'd have a good chance of being found innocent and if not the penalty would probably be minor. His behaviour just isn't that of a criminal. The whole system is broken. It's a game of bluff, but the stakes are the liberty of innocent people.

  5. Re:Anonymous by Farmer Tim · Score: 5, Funny

    The astounding part is that the same IT department that left the security hole open succeeded in tracking the kid down. I don't think anyone would have seen that coming.

    --
    Blank until /. makes another boneheaded UI decision.
  6. Re:Once again kids: by WingedGlobe · Score: 5, Interesting

    While there are doubtlessly many clueless administrators in the world, there's also something to be said for being smart in protecting yourself. During high school, I poked around aimlessly on some network drives and found an unsecured, unencrypted text file of sensitive personal information on a lot of students. I didn't really have any business looking, but there was also nothing at all keeping me out. Instead of talking to the first administrator I could find or shooting off a "Hey look at this" email, I spoke to the instructor with whom I had the best relationship and whom I could convince that I had no bad intentions, showed him the problem, and asked him to escalate it anonymously. He did so, the problem was fixed, case closed.

  7. Re:news flash by SmokeyTheBalrog · Score: 5, Insightful

    And smart people fear stupid people even more.

  8. Re:Once again kids: by Anonymous Coward · Score: 5, Insightful

    A man approaches a stranger and says, "Hey, I noticed your shed is unlocked." The stranger responds, "What were you doing in my backyard?"

    It's not that the unlocked shed isn't a problem. It's that there is also the issue of what the person was doing there in the first place and is anything missing.

    With a shed, it's not much of a problem. Check to make sure nothing is missing. Charge them with trespassing if you are so inclined.

    With a computer, especially a government or business computer, it's more complicated. You can't just take a peek and make sure nothing happened. Insurance issues alone probably require that they press charges to the full extent the law allows. Doing so also keeps the ball squarely in the court of the alleged victim.

    If the person had a legitimate reason for being where he was, no charges are going to stick. If he didn't, he might be in some trouble.

    In ANY case, the GP is right. Just don't do it.

    While we're on the subject, don't talk to cops without a lawyer, either.

  9. The felonous emperor has no clothes. by Creepy Crawler · Score: 5, Insightful

    And one who breaks security is like the one who alerts the king about wearing no clothes. You WILL get punished. You WILL be dealt with.

    I saw this all the time at schools, jobs and the like. People don't like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.

    If you are smart about security, keep your mouth shut. There's not much you can do, except make yourself a target.

  10. Well by mach1980 · Score: 5, Interesting

    This happened to me in winter of 2000. I found an open FTP site on the LAN of my public school that contained sensitive information about the municipality's elderly care. I reported it to the Swedish Data Inspection Board. I later found out that the municipality had filed a police report to find the alleged 'hacker' who was able to break the 10-digit code (read: IP address).

    My only comfort was that I had reported the findings anonymously.

    And yes - the municipality was charged. The period for prosecution for my 'crime' has expired.

    --
    Break the sound barrier - bring the noise.
  11. Re:Once again kids: by PopeRatzo · Score: 5, Interesting

    The stranger responds, "What were you doing in my backyard?"

    My dad made a point of teaching me that if I see a car with the headlights left on, and unlocked, and the owner's not around, to reach in and turn them off. If I see something that looks like a neighbor's made a mistake, to take the risk of being accused and do the right thing. To even take the risk of being wrong and do what I think is the right thing. The older I get, the smarter he seems.

    One of the benefits of getting older is the increased willingness to be counter to a trend.

    --
    You are welcome on my lawn.
  12. Re:news flash by characterZer0 · Score: 5, Insightful

    And they vote.

    --
    Go green: turn off your refrigerator.