Student charged after alerting principal to server hack
A 15-year-old high school student in New York State has been charged with three felonies after he allegedly accessed personnel records on his school's poorly configured computer network and then notified his principal of the security weakness. The unnamed student of Shenendehowa Central School was charged Thursday with computer …
Its just a normal response from a school with egg on its face. At least now the student is well aware that anything to do with security should never ever be mentioned to those charged with maintaining that security. (no thats not sarcasm thats really what you should avoid doing if you dont wanna end up like this poor kid)
I recall been excluded from the final week at my high school simply for casually mentioning to another tech friend while in a computer room how easy it would be to plant a virus of almost any kind up the schools system due their lack of any comprehensive A/V and the very lax security measures that would allow it to roam freely. Shame a teacher overheard me and thought I was planning on doing exactly that. Not even the protests of the IT staff (who all knew me and knew I wouldnt bother wasting my time doing that, theres no point or reward to it) could convince the school Admin I wasnt a nasty terrorist hacker. Oh well you live and learn, at least it was long enough ago that people didnt think about calling the police for everything thing.
Just another example of school systems neglecting students to cover their own asses.
Provided the child did nothing but get in and notify them of the vulnerability he should be praised for this... not charged with a felony.
Punishing someone for reporting a security fault is about the dumbest thing possible... unless of course they'd rather leak a couple hundred people's private information that admit they made a mistake. Oh wait, they probably would.
Even without any more information, it sounds like your utterly stereotypical kneejerk arse-covering by an incompetent management that was caught not only with its pants down around its ankles, but buggering the local goat.
Willing to be proven wrong though, but I've seen too much of this type of bullshit.
How many altruistic sociopaths need to commit petty larceny for us to take their "lessons by example" to heart??
Thank you, pimply hackerchild. By running your greasy fingers over the unclad private details of unsuspecting school workers you have shone the spotlight of truth on this failure of due care. Moreover, you have done it in a way that mere facts, gathered carefully, expressed coherently as words, written legibly on paper, enveloped and properly addressed, and delivered to the proper authorities by a certified postal carrier, could ever do...
Your sweaty frottage with the unprotected identities of strangers has not only taught us all the value of IT security - it has also emphasised the value of acne and social isolation as indicators of poor ethical judgment.
You are a hero - Kevin Zitnick in a white hat.
Fear not, the improvised cosh of karma. It wont be pummeling the bloodied carcass of your soul anytime soon.
Trust me.
Would they have tracked him down if he has just send a letter?
If he'd sent a letter, they'd probably have decoded the secret microdots created by his printer (assuming it wasn't hand written), and use that to find the owner of the printer via warranty registration information or other records of the purchase.
A friend of mine reported a security issue to the university network staff and they called the police. all he had done was rediscover the ypcat issues on the universities unix networks, but the passwords are synced between the unix and windows networks and the admins panicked.
For some reason, the result of honesty is pain.
(ypcat was an application that he had the right to execute, so the final argument was that it was not an unauthorised access. The purpose of the system is to allow learning, and when finding a command avaliable that he didn't know about, he set out to find out what it did. It won't be the last time I tell him to rtfm)
>and was looking to profit from his criminal act."
Before jumping to this lads defence it would be better, as the article says, to see in full the mail he sent in order to see what form of profit this is.
Ok, so he accessed the records, that was bad and wrong etc etc.
However he then alerted the school to the security flaw, so they could fix it.
Surely the alerting them to it outweights the accessing of the data? I mean come on. If a teenager can break through your so called security it's obvious it needs a lot of work. He did them a favour. He could have not mentioned it and caused havok, but he didn't.
Gone are the days when that sort of "find a way in, then tell those who own it how to fix it" mentality was acceptable, and even got you a job (Highschool and college, pointed it out, ended up working for the network teams there to increase the security).
When I was in the US Marine Corps I worked in a secure location and I did not have much access to the main frame, although I did have a top secret security clearance.
One day I blocked my system and called for tech support. These people did not have a top secret security clearance, so I had one log in as a superuser and then step away from the computer and give me the steps to resolve my problem. At the same time I gave myself the same rights as the mainframe administrator.
I finished, and let her log out. Then I created a second account for myself.
That evening when the secure facility was closed I drifted all through the mainframe and found a lot of classified information, which I removed (after printing the lead page for proof) I worked 14 hours non-stop.
9h00 the security officer comes to work and I asked for an appointment, he refused. So I went to his office and interrupted his meeting and handed him his own stack of classified info that locals had access to, as an admin. His meeting ended and ALL of my management was called in. Until they were all present I was yelled at. Once they were all present I gave the complete file to my boss to show what I had done.
From being yelled at and threats of posting in Afghanistan (when the Russians were still there) to an award and recommendation for promotion.
Security officer called the main frame admin folks and had them remove my privileges, to make me harmless again.
I went back to work as normal and then a month or 6 weeks later I went to our facility late Friday evening and didn't leave until Monday morning. They removed my privileges, but no one knew I made a second account, which I used to give myself my privileges back. This time I brought my boss to the Security Officer to hand over the classified information - yelling annoys me.
Same process of yelling and removing privileges.
Only after I did it the third time did someone think to ask how I kept getting access. Marines are taught to never lie to a superior officer, so I told them. Lost all access after that.
Long story, but the kid in question was doing what was right. Hacking to find a weakness is a profession these days.
Turns out the student may not have handled this in the best way if you read the dailygazette articles mentioned.
“He sent an e-mail to his principal saying, ‘look what I have,’ ” DeFeciani said. “That was at 1 [p.m.] Tuesday and within two hours we knew who he was.”
Obviously we can't be sure if that is the full email, or if there was some threatening intent behind it, but it appears to be some kids causing mischief and not just a simple security information release. Of course, if they wanted to pull pranks, probably best NOT to do it when such personal data is involved.
So will DNA, if he licked the stamp.
Why these muppets don't use Internet caffs beggars belief!
Paris, cos I'd lick her stamp any day. (well, 3 weeks out of 4)
Irrespective of motive the defendant deliberately mis-represented himself and gained access to resources which he had no right to do without the consent of the proper authorities, hence the criminal charges. What would we all be saying if he had stabbed and killed a police officer in order to "test the security of the stab proof vest the officer was wearing at the time"?
Hopefully he has now learned a lesson about covering his tracks better.
Whatever happened to discovering the vulnerability then notifying whomever can address it? If you feel the need to attach "evidence" of your discovery it would be wise to ensure such evidence is not illegal to transmit or would otherwise lead to criminal charges or disciplinary actions.
*sigh*
You wouldn't bomb your neighbor's house to prove it's vulnerable to bombings.... or would you?
All good stuff to add to his CV. Although not perhaps how the school intended.
This stuff only discourages reporting. Perhaps he should have 'notified' the school via a publicly accessible forum of wanna be script kiddies and given the info to the world at large, obviously not admitting anything.
Sounds to me like a case of a BOFH who wasn't up to the job (as happens alot of education IT due to the pitiful wages). Then decided to hit this kid in the only way he could to help his own bruised ego!
He notified his Principal, anonymously, of the security weakness, and yet he was attempting to profit from it???
He exposed them. Thats the worst thing you can do to people like that
1. Never (ever) expose those in charge of your school/job/life as foolish or incompetent, in public.
They don't like it. If you do so, the rules of CYA dictate that you must be destroyed.
2. If you want to expose those in charge of your school/job/life as foolish or incompetent (or just want to let them know that you are smarter than they are), don't tell them about it.
Tell the press instead. They will be happy for the story, and protect you in return.
Instead of "Local Punk Breaks Into School Network", Principal xx thwarted an attack on the public school network yesterday, and saved the city hundreds of millions of $. "We were able to contain the damage. I think the clean-up should only cost $3,000,000", said principal xx"... "I'm worried", said bus worker "I mean, my NAME is in that database"... local bad kid yy is being held in a faraday cage, on a $100,000 bail...
You could have had "Whistle Blower Arrested In BusGate Case", Local computer security expert yy was arrested yesterday over his alleged role in exposing the official incompetence that we first reported yesterday... "I don't know why principal xx is doing this", said yy "I was just trying to help"... When This Paper notified local bus driver xy of the insecure school computer systems, he said "I'm worried. My NAME is in that database"... "This sort of complete incompetence costs the taxpayer millions every day", says Dr Seuss. "If his parents sue, it may cost your city millions more"... This paper has tried to get a statement from principal xx, but an 8 PM call to his office went unanswered...
This is why I never told the teachers about all of the security holes I found in their systems when I was in high school.
This is exactly the opposite action from what they should have done and it really shows a lack of understanding of IT systems that is pervasive in our society. This kid is charged because he was the one to report the security problem when in fact hundreds of others could have accessed the files and doubtless someone else probably did and DID NOT report it.
In this case it truly is the squeaky wheel that gets blown off the cart with a shotgun blast.
He might uncover the conspiracy to hide the fact the county hires Martians and that a disused school building is really a UFO traffic control centre.
"Though shall not joke with a teacher" and "Though shall not point the teacher the error in his ways". It is part of the professional requirements - to be totally unable to accept that a student is right and to have the part of your humour gland dealing with students joking about teachers amputated prior to starting your teaching career. There are some exemptions, but they are very few.
I remember my dad explaining this to me after he got called to the headmaster on my first day in school and I am now having to explain it to junior.
The difference between then and now however, is that when I went to school the headmasters and teachers actually had the guts to handle nearly any situation themselves instead of abdicating all responsibility for children discipline and education, screaming ADHD at the first opportunity and calling the police straight away after that.
Of today's society...if he hadn't reported and had exploited it, nobody would have known and untold damage could have been done. But he is civically-minded enough to report it and that's not good citizen behaviour....our betters are just that and how dare we say otherwise!!!
This is stupidity to the extreme and they should be thanking this student, not punishing him!!
Maybe this is just part of how things are going...Nixon's days of "reds under the bed" may well be back and it's important that we all know where all the terrorists and pinkos among us are before it's too late and we still have some liberty left!!!
if some eager, talented, honest kid pointed out a weakness in my security. Just nail him to the wall. That'll teach him about moral values such as honesty and helpfulness. It will totally not motivate him to get medieval on my ass/system at any upcoming opportunity, which, given the poor state of my security, are plentiful.
He's learnt a valuable lesson, and one we should all heed, if you find a vulnrability, exploit it and sell what you get to the highest bidder.
I would go to the school and poing out to them that my records were left open to all and they can carry on if they want, but I will be taking my own action, or we can forget the whole thing right now.
Probably wouldent work, but worth a try.
In the 1970s, when I was an undergraduate, I made the mistake of correcting two facts for my history professor in a 101-level class. Six years later, having taken other courses from him and thinking he was generally a good guy, but not a great historian (we had one other tiny clash that I thought had ended amicably), I asked him to be a reference to get into a grad school and he more of less flamed me in his letter of reference, in spite of my 3.6 record, double major, etc etc. Needless to say, I lost the place.
A lesson in the cold long-term revenge teachers are capable of.
So the reaction to hammer the kid into the dirt is not really a surprise. Mine was a personal lesson and didn't, in the end, harm me (tried again with different referees and got into a different and better university), but this poor kid could have his whole life bent out of shape for this.
So how do you find a security breach without looking for it? How to you prove your system is secure without attempting to break in?
The school administration should be in the dock for incompetence.
You're an arsehole, Steve.
"Why these muppets don't use Internet caffs beggars belief!"
Internef caff?
Nah.
Wardriving.
> He notified his Principal, anonymously, of the security weakness, and yet he was attempting to profit from it???
Only the bleeding obvious. If you attempt to hold someone for ransom then you don't say who you are...
Classic response which ends in the School itself losing it's intregrity/trust to be approached and to be trusted to deal with pupils in a balanced manner.
Next time any security flaw is detected(Physical or electronic )you bet the school will be not be informed.
If anything the flaw will be left open for somone else to exploit it maliciously.
They caught him, didn't they?
Now, if he had just printed the letter on one of the schools printers and (covertly) dropped it off in the principals pigeonhole... (Assuming hid didn't call his file "l33t h4x0r" or something similar - just add an extra page to the latest essay.)
Of course there could still be ways to get him, but it starts to get really tricky - and thus expensive...
I still don't get why they didn't just fix the issue and keep it quite. Someone must have done something more with the data.
Er... intrusion testing a computer system cannot be equated to stabbing somone to see if it kills them or not.
The lad done good and if I were the school admin i'd be apologising and beggin them not to sack me. I would also be standing up for the kid.
I would like to see what evidence they provide that he intended to profit frmo this. I can only imagine that his full email contained a linie similar to...
"Let me pass my course or i'll post this secure info on the internet."
If so then he probably needs some lessons in social interactions...
However, he did tell them there was a flaw and also told them what was wrong - thus negating any chance of him being able to use the security flaw against them.
I say "let 'em crash..."
A similar thing happened to me at work.
Several years ago, I found myself looking at some files which I shouldn't have had access to, in the mistaken belief they were something I *was* looking for (they weren't particularly well-named). I straight away pointed out the gaping security hole, in confidence, to my boss.
She decided it was "too important" to maintain my confidence and reported me. My reward for this was demotion and a written warning, whilst those responsible (i.e. her) ran around hiding their ****-up.
The moral of the story is, just don't tell them. I don't any more.
I discover that my neighbour has left his front door unlocked and report it only to be subsequently charged with burglary.
I remember back in my school days spending quite some time re-writing a maths programme. At the time it was on BBC B's, so lots of disks with the relevant programme on. Some were re-coded to give the wrong results, some had altered start-up screens, some had hidden routines and so on.
My name lived on in infamy for years after i'd left - random students knew me in my home town, though i'd never been at school with them and had no idea who they were.
Still keep in touch with both the Computing teacher and the Maths teacher and they both still think it was funny.
The school is doing the right thing.
They want to make sure their system is secure.
If they shoot the messenger whenever a problem is reported, then nobody will report problems.
If no problems are reported, then that proves that there are no problems. So their system must be secure.
S othey can all relax and not worry about all that silly 'security' stuff.
People need to wake up and realise that "helping" is a point of view, not an absolute, you might be helping the people on the list, you might be helping to improve security, but you're stoning to death the administrator who now looks like a complete idiot and might have to fight for his job or be unemployed.
So what happens is people filter the information so that it looks good, if that administrator is doing the filtering, what do you think he will do? thats right kids! he'll filter it so that YOU HACKED THE SYSTEM and you're a terrorist!! you threatened him, he has the <clickety click> emails right here!!!!
I wrote a blog post about this, I think it's pretty much in the vein of the comments above, so I'll let you all read it.
http://chris-alex-thomas.com/blog/2008/10/28/remember-kids-never-do-the-right-thing/
Honesty always gets you in trouble and crime does pay (v.well in some circumstances).
i wish i could serve on that Jury... he'd mostly likely be not guilty in my eyes.
You are everything I've come to hate.
Coat/Hilton/Icon expanation are examples of memes horribly abused. They're only used now by those so devoid of imagination that they rely the "jokes" of others. Jokes that were barely funny at the time, let alone after 1-7 years of contant repitition. Jokes that in some cases, aren't fucking jokes.
You are the same people who, 20 years on, ape the same Monty Python scetches, using an unconvincing voice, all the while failing to see the irony of parrot (fuck you) like repetition of jokes where the charm and humour lie in their spontaneity and randomness. You know who you are.
Like Daily Mail readers, you base your opinions and actions on what other people are doing, not what you actually think. Think? You don't know HOW to think, like mindless automatons or ants in a nest you scurry about your business, never understanding or questioning.
Use your fucking brain and either say something that with enrich the converstaion, or shut the fuck up and resign yourself to obscurity. We don't fucking care. It isn't funny. It never was. I'm sick and fucking tired of it.
Mods: Censor this, edit it, whatever, just post it pls. I'm fed up to the back teeth and I know I'm not the only one.
It could be a lot worse than just a hacking charge. The Internet Watch Foundation want you to report images of child sexual abuse. http://news.bbc.co.uk/1/hi/technology/7689241.stm
"Hello police, I want to report that I've just looked at a picture which it is illegal for me to look at."
"Ah, thank you sir, we will now arrange to destroy your entire life."
Yes of course this is posted AC.
Heaps of outspoken opinions based on incomplete information - it's what the internet was made for!
C'mon people. The article itself here admits the full details aren't known. We don't know what this student did and we don't know what he said in his email. For all we know he may have committed fraud with the information obtained, then sent a taunting letter to the principal telling him how he did it.
Soon enough criminal records relating to "hacking" charges will be collected by all the cool kids, and be used as a badge of honour in the industry.... much like the ASBO is used in "respectable" communities up and down Britain today! :)
"It is dangerous to be right when those in power are wrong." No computers in the eighteenth century, but still just as valid.
Having a bit of a bad day, are we? Hope you are doing better tomorrow.
I've heard of reticulated and burmese, but not monty pythons....WTF?
Sad that this ends up like this for the kid and we really don't have enough information to know exactly what he did or said but it certainly appears that the admins are wankers who want to cover up their own incompetence.
"I've heard of reticulated and burmese, but not monty pythons....WTF?"
Return to your cave, there is nothing for you here.
http://en.wikipedia.org/wiki/Monty_Python
I'm a HS Network Admin in the US. I try to keep a good relationship with the kids, especially with the more computer saavy ones. As a result, I usually get good information about what is going on. I try to help them if they have computer questions and try to help them understand why I have do certain things (blocking websites). There is another school close by where the NetAdmin is a controlling jerk, I doubt the kids would do anything except be malicious, just because they hate him.
Unless I found a kid purposly attempting to be destructive or malicious, I don't care. Most of the time, if I do find something, I just go talk to them and say cut it out or else.
I am curious how our administration would handle something like this, I would hate to be caught in the middle.
Security? Private?
The kid could have just filed a Freedom of Information Act request.
Political parties in Michigan are using the FOIA to get info from school databases, to send political spam. From the Detroit Free Press http://www.freep.com/apps/pbcs.dll/article?AID=2008810270318
Sign up, sign up for The Register's weekly IT security newsletter - click here
