back to article Student charged after alerting principal to server hack

A 15-year-old high school student in New York State has been charged with three felonies after he allegedly accessed personnel records on his school's poorly configured computer network and then notified his principal of the security weakness. The unnamed student of Shenendehowa Central School was charged Thursday with …


This topic is closed for new posts.
  1. Dave

    Typical response really

    Its just a normal response from a school with egg on its face. At least now the student is well aware that anything to do with security should never ever be mentioned to those charged with maintaining that security. (no thats not sarcasm thats really what you should avoid doing if you dont wanna end up like this poor kid)

    I recall been excluded from the final week at my high school simply for casually mentioning to another tech friend while in a computer room how easy it would be to plant a virus of almost any kind up the schools system due their lack of any comprehensive A/V and the very lax security measures that would allow it to roam freely. Shame a teacher overheard me and thought I was planning on doing exactly that. Not even the protests of the IT staff (who all knew me and knew I wouldnt bother wasting my time doing that, theres no point or reward to it) could convince the school Admin I wasnt a nasty terrorist hacker. Oh well you live and learn, at least it was long enough ago that people didnt think about calling the police for everything thing.

  2. Travis

    This is insane.

    Just another example of school systems neglecting students to cover their own asses.

    Provided the child did nothing but get in and notify them of the vulnerability he should be praised for this... not charged with a felony.

  3. Paul
    Thumb Down

    #***ing Fail!

    Punishing someone for reporting a security fault is about the dumbest thing possible... unless of course they'd rather leak a couple hundred people's private information that admit they made a mistake. Oh wait, they probably would.

  4. yeah, right.

    even without info

    Even without any more information, it sounds like your utterly stereotypical kneejerk arse-covering by an incompetent management that was caught not only with its pants down around its ankles, but buggering the local goat.

    Willing to be proven wrong though, but I've seen too much of this type of bullshit.

  5. Anonymous Coward
    Thumb Up

    Darn it to heck!!

    How many altruistic sociopaths need to commit petty larceny for us to take their "lessons by example" to heart??

    Thank you, pimply hackerchild. By running your greasy fingers over the unclad private details of unsuspecting school workers you have shone the spotlight of truth on this failure of due care. Moreover, you have done it in a way that mere facts, gathered carefully, expressed coherently as words, written legibly on paper, enveloped and properly addressed, and delivered to the proper authorities by a certified postal carrier, could ever do...

    Your sweaty frottage with the unprotected identities of strangers has not only taught us all the value of IT security - it has also emphasised the value of acne and social isolation as indicators of poor ethical judgment.

    You are a hero - Kevin Zitnick in a white hat.

    Fear not, the improvised cosh of karma. It wont be pummeling the bloodied carcass of your soul anytime soon.

    Trust me.

  6. Moss Icely Spaceport

    Email will get you

    Would they have tracked him down if he has just send a letter?

  7. James Henstridge
    Black Helicopters

    Re: Email will get you

    If he'd sent a letter, they'd probably have decoded the secret microdots created by his printer (assuming it wasn't hand written), and use that to find the owner of the printer via warranty registration information or other records of the purchase.

  8. Anonymous Coward
    Black Helicopters

    A Tale from inside the M25 18 months ago

    A friend of mine reported a security issue to the university network staff and they called the police. all he had done was rediscover the ypcat issues on the universities unix networks, but the passwords are synced between the unix and windows networks and the admins panicked.

    For some reason, the result of honesty is pain.

    (ypcat was an application that he had the right to execute, so the final argument was that it was not an unauthorised access. The purpose of the system is to allow learning, and when finding a command avaliable that he didn't know about, he set out to find out what it did. It won't be the last time I tell him to rtfm)

  9. Anonymous Coward
    Anonymous Coward

    Re: All the typical kneejerk comments

    >and was looking to profit from his criminal act."

    Before jumping to this lads defence it would be better, as the article says, to see in full the mail he sent in order to see what form of profit this is.

  10. Anonymous Coward


    Ok, so he accessed the records, that was bad and wrong etc etc.

    However he then alerted the school to the security flaw, so they could fix it.

    Surely the alerting them to it outweights the accessing of the data? I mean come on. If a teenager can break through your so called security it's obvious it needs a lot of work. He did them a favour. He could have not mentioned it and caused havok, but he didn't.

    Gone are the days when that sort of "find a way in, then tell those who own it how to fix it" mentality was acceptable, and even got you a job (Highschool and college, pointed it out, ended up working for the network teams there to increase the security).

  11. richard

    What I Did

    When I was in the US Marine Corps I worked in a secure location and I did not have much access to the main frame, although I did have a top secret security clearance.

    One day I blocked my system and called for tech support. These people did not have a top secret security clearance, so I had one log in as a superuser and then step away from the computer and give me the steps to resolve my problem. At the same time I gave myself the same rights as the mainframe administrator.

    I finished, and let her log out. Then I created a second account for myself.

    That evening when the secure facility was closed I drifted all through the mainframe and found a lot of classified information, which I removed (after printing the lead page for proof) I worked 14 hours non-stop.

    9h00 the security officer comes to work and I asked for an appointment, he refused. So I went to his office and interrupted his meeting and handed him his own stack of classified info that locals had access to, as an admin. His meeting ended and ALL of my management was called in. Until they were all present I was yelled at. Once they were all present I gave the complete file to my boss to show what I had done.

    From being yelled at and threats of posting in Afghanistan (when the Russians were still there) to an award and recommendation for promotion.

    Security officer called the main frame admin folks and had them remove my privileges, to make me harmless again.

    I went back to work as normal and then a month or 6 weeks later I went to our facility late Friday evening and didn't leave until Monday morning. They removed my privileges, but no one knew I made a second account, which I used to give myself my privileges back. This time I brought my boss to the Security Officer to hand over the classified information - yelling annoys me.

    Same process of yelling and removing privileges.

    Only after I did it the third time did someone think to ask how I kept getting access. Marines are taught to never lie to a superior officer, so I told them. Lost all access after that.

    Long story, but the kid in question was doing what was right. Hacking to find a weakness is a profession these days.

  12. Anonymous Coward

    RE: even without info

    Turns out the student may not have handled this in the best way if you read the dailygazette articles mentioned.

    “He sent an e-mail to his principal saying, ‘look what I have,’ ” DeFeciani said. “That was at 1 [p.m.] Tuesday and within two hours we knew who he was.”

    Obviously we can't be sure if that is the full email, or if there was some threatening intent behind it, but it appears to be some kids causing mischief and not just a simple security information release. Of course, if they wanted to pull pranks, probably best NOT to do it when such personal data is involved.

  13. Andus McCoatover
    Paris Hilton

    Re: Email will get you

    So will DNA, if he licked the stamp.

    Why these muppets don't use Internet caffs beggars belief!

    Paris, cos I'd lick her stamp any day. (well, 3 weeks out of 4)

  14. Steve
    Black Helicopters

    One mans freedom fighter is anothers terrorist...

    Irrespective of motive the defendant deliberately mis-represented himself and gained access to resources which he had no right to do without the consent of the proper authorities, hence the criminal charges. What would we all be saying if he had stabbed and killed a police officer in order to "test the security of the stab proof vest the officer was wearing at the time"?

    Hopefully he has now learned a lesson about covering his tracks better.

  15. Rob

    Dear God

    Whatever happened to discovering the vulnerability then notifying whomever can address it? If you feel the need to attach "evidence" of your discovery it would be wise to ensure such evidence is not illegal to transmit or would otherwise lead to criminal charges or disciplinary actions.


    You wouldn't bomb your neighbor's house to prove it's vulnerable to bombings.... or would you?

  16. Anonymous Coward
    Anonymous Coward

    school backhandedly helped this kid

    All good stuff to add to his CV. Although not perhaps how the school intended.

    This stuff only discourages reporting. Perhaps he should have 'notified' the school via a publicly accessible forum of wanna be script kiddies and given the info to the world at large, obviously not admitting anything.

    Sounds to me like a case of a BOFH who wasn't up to the job (as happens alot of education IT due to the pitiful wages). Then decided to hit this kid in the only way he could to help his own bruised ego!

  17. Anthony Mark
    Paris Hilton

    Am I missing something?

    He notified his Principal, anonymously, of the security weakness, and yet he was attempting to profit from it???

  18. kain preacher

    What do you expect

    He exposed them. Thats the worst thing you can do to people like that

  19. Simpson
    Jobs Horns

    follow the rules

    1. Never (ever) expose those in charge of your school/job/life as foolish or incompetent, in public.

    They don't like it. If you do so, the rules of CYA dictate that you must be destroyed.

    2. If you want to expose those in charge of your school/job/life as foolish or incompetent (or just want to let them know that you are smarter than they are), don't tell them about it.

    Tell the press instead. They will be happy for the story, and protect you in return.

    Instead of "Local Punk Breaks Into School Network", Principal xx thwarted an attack on the public school network yesterday, and saved the city hundreds of millions of $. "We were able to contain the damage. I think the clean-up should only cost $3,000,000", said principal xx"... "I'm worried", said bus worker "I mean, my NAME is in that database"... local bad kid yy is being held in a faraday cage, on a $100,000 bail...

    You could have had "Whistle Blower Arrested In BusGate Case", Local computer security expert yy was arrested yesterday over his alleged role in exposing the official incompetence that we first reported yesterday... "I don't know why principal xx is doing this", said yy "I was just trying to help"... When This Paper notified local bus driver xy of the insecure school computer systems, he said "I'm worried. My NAME is in that database"... "This sort of complete incompetence costs the taxpayer millions every day", says Dr Seuss. "If his parents sue, it may cost your city millions more"... This paper has tried to get a statement from principal xx, but an 8 PM call to his office went unanswered...

  20. Jonathan
    Thumb Down


    This is why I never told the teachers about all of the security holes I found in their systems when I was in high school.

    This is exactly the opposite action from what they should have done and it really shows a lack of understanding of IT systems that is pervasive in our society. This kid is charged because he was the one to report the security problem when in fact hundreds of others could have accessed the files and doubtless someone else probably did and DID NOT report it.

    In this case it truly is the squeaky wheel that gets blown off the cart with a shotgun blast.

  21. Flocke Kroes Silver badge

    Silence him quick

    He might uncover the conspiracy to hide the fact the county hires Martians and that a disused school building is really a UFO traffic control centre.

  22. Anton Ivanov

    Educational system still the same

    "Though shall not joke with a teacher" and "Though shall not point the teacher the error in his ways". It is part of the professional requirements - to be totally unable to accept that a student is right and to have the part of your humour gland dealing with students joking about teachers amputated prior to starting your teaching career. There are some exemptions, but they are very few.

    I remember my dad explaining this to me after he got called to the headmaster on my first day in school and I am now having to explain it to junior.

    The difference between then and now however, is that when I went to school the headmasters and teachers actually had the guts to handle nearly any situation themselves instead of abdicating all responsibility for children discipline and education, screaming ADHD at the first opportunity and calling the police straight away after that.

  23. Alan Fisher

    Simply a symptom

    Of today's society...if he hadn't reported and had exploited it, nobody would have known and untold damage could have been done. But he is civically-minded enough to report it and that's not good citizen behaviour....our betters are just that and how dare we say otherwise!!!

    This is stupidity to the extreme and they should be thanking this student, not punishing him!!

    Maybe this is just part of how things are going...Nixon's days of "reds under the bed" may well be back and it's important that we all know where all the terrorists and pinkos among us are before it's too late and we still have some liberty left!!!

  24. Bad Beaver
    Thumb Up

    Well, that's just what I would do

    if some eager, talented, honest kid pointed out a weakness in my security. Just nail him to the wall. That'll teach him about moral values such as honesty and helpfulness. It will totally not motivate him to get medieval on my ass/system at any upcoming opportunity, which, given the poor state of my security, are plentiful.

  25. Anonymous Coward
    Anonymous Coward


    He's learnt a valuable lesson, and one we should all heed, if you find a vulnrability, exploit it and sell what you get to the highest bidder.

  26. Paul

    If I was him...

    I would go to the school and poing out to them that my records were left open to all and they can carry on if they want, but I will be taking my own action, or we can forget the whole thing right now.

    Probably wouldent work, but worth a try.

  27. Hollerith

    it's an old tradition

    In the 1970s, when I was an undergraduate, I made the mistake of correcting two facts for my history professor in a 101-level class. Six years later, having taken other courses from him and thinking he was generally a good guy, but not a great historian (we had one other tiny clash that I thought had ended amicably), I asked him to be a reference to get into a grad school and he more of less flamed me in his letter of reference, in spite of my 3.6 record, double major, etc etc. Needless to say, I lost the place.

    A lesson in the cold long-term revenge teachers are capable of.

    So the reaction to hammer the kid into the dirt is not really a surprise. Mine was a personal lesson and didn't, in the end, harm me (tried again with different referees and got into a different and better university), but this poor kid could have his whole life bent out of shape for this.

  28. Mark


    So how do you find a security breach without looking for it? How to you prove your system is secure without attempting to break in?

    The school administration should be in the dock for incompetence.

    You're an arsehole, Steve.

  29. Anonymous Coward
    Black Helicopters

    Re: Email will get you

    "Why these muppets don't use Internet caffs beggars belief!"

    Internef caff?



  30. Anonymous Coward
    Thumb Up

    Re: Am I missing something?

    > He notified his Principal, anonymously, of the security weakness, and yet he was attempting to profit from it???

    Only the bleeding obvious. If you attempt to hold someone for ransom then you don't say who you are...

  31. TimNevins
    Thumb Up

    Won the battle, lost the War

    Classic response which ends in the School itself losing it's intregrity/trust to be approached and to be trusted to deal with pupils in a balanced manner.

    Next time any security flaw is detected(Physical or electronic )you bet the school will be not be informed.

    If anything the flaw will be left open for somone else to exploit it maliciously.

  32. Thomas Vestergaard

    Obviously not a hacker

    They caught him, didn't they?

    Now, if he had just printed the letter on one of the schools printers and (covertly) dropped it off in the principals pigeonhole... (Assuming hid didn't call his file "l33t h4x0r" or something similar - just add an extra page to the latest essay.)

    Of course there could still be ways to get him, but it starts to get really tricky - and thus expensive...

    I still don't get why they didn't just fix the issue and keep it quite. Someone must have done something more with the data.

  33. Robert McGregor
    Thumb Up


    Er... intrusion testing a computer system cannot be equated to stabbing somone to see if it kills them or not.

    The lad done good and if I were the school admin i'd be apologising and beggin them not to sack me. I would also be standing up for the kid.

    I would like to see what evidence they provide that he intended to profit frmo this. I can only imagine that his full email contained a linie similar to...

    "Let me pass my course or i'll post this secure info on the internet."

    If so then he probably needs some lessons in social interactions...

    However, he did tell them there was a flaw and also told them what was wrong - thus negating any chance of him being able to use the security flaw against them.

    I say "let 'em crash..."

  34. Anonymous Coward

    I'm not surprised

    A similar thing happened to me at work.

    Several years ago, I found myself looking at some files which I shouldn't have had access to, in the mistaken belief they were something I *was* looking for (they weren't particularly well-named). I straight away pointed out the gaping security hole, in confidence, to my boss.

    She decided it was "too important" to maintain my confidence and reported me. My reward for this was demotion and a written warning, whilst those responsible (i.e. her) ran around hiding their ****-up.

    The moral of the story is, just don't tell them. I don't any more.

  35. Anonymous Coward
    Anonymous Coward


    I discover that my neighbour has left his front door unlocked and report it only to be subsequently charged with burglary.

  36. EvilGav

    How Times Change

    I remember back in my school days spending quite some time re-writing a maths programme. At the time it was on BBC B's, so lots of disks with the relevant programme on. Some were re-coded to give the wrong results, some had altered start-up screens, some had hidden routines and so on.

    My name lived on in infamy for years after i'd left - random students knew me in my home town, though i'd never been at school with them and had no idea who they were.

    Still keep in touch with both the Computing teacher and the Maths teacher and they both still think it was funny.

  37. Christoph

    Shoot the messenger

    The school is doing the right thing.

    They want to make sure their system is secure.

    If they shoot the messenger whenever a problem is reported, then nobody will report problems.

    If no problems are reported, then that proves that there are no problems. So their system must be secure.

    S othey can all relax and not worry about all that silly 'security' stuff.

  38. Chris Thomas

    Remember kids, dont help nobody

    People need to wake up and realise that "helping" is a point of view, not an absolute, you might be helping the people on the list, you might be helping to improve security, but you're stoning to death the administrator who now looks like a complete idiot and might have to fight for his job or be unemployed.

    So what happens is people filter the information so that it looks good, if that administrator is doing the filtering, what do you think he will do? thats right kids! he'll filter it so that YOU HACKED THE SYSTEM and you're a terrorist!! you threatened him, he has the <clickety click> emails right here!!!!

    I wrote a blog post about this, I think it's pretty much in the vein of the comments above, so I'll let you all read it.

  39. Winkypop Silver badge

    'puters are the devil's work!

    Leave well alone!

  40. Anonymous Coward

    2 Rules

    Honesty always gets you in trouble and crime does pay (v.well in some circumstances).

  41. Anonymous Coward

    Jury Duty

    i wish i could serve on that Jury... he'd mostly likely be not guilty in my eyes.

  42. EdwardP

    @Andus McCoatover: WHY??????????

    You are everything I've come to hate.

    Coat/Hilton/Icon expanation are examples of memes horribly abused. They're only used now by those so devoid of imagination that they rely the "jokes" of others. Jokes that were barely funny at the time, let alone after 1-7 years of contant repitition. Jokes that in some cases, aren't fucking jokes.

    You are the same people who, 20 years on, ape the same Monty Python scetches, using an unconvincing voice, all the while failing to see the irony of parrot (fuck you) like repetition of jokes where the charm and humour lie in their spontaneity and randomness. You know who you are.

    Like Daily Mail readers, you base your opinions and actions on what other people are doing, not what you actually think. Think? You don't know HOW to think, like mindless automatons or ants in a nest you scurry about your business, never understanding or questioning.

    Use your fucking brain and either say something that with enrich the converstaion, or shut the fuck up and resign yourself to obscurity. We don't fucking care. It isn't funny. It never was. I'm sick and fucking tired of it.

    Mods: Censor this, edit it, whatever, just post it pls. I'm fed up to the back teeth and I know I'm not the only one.

  43. Anonymous Coward

    It could be a lot worse

    It could be a lot worse than just a hacking charge. The Internet Watch Foundation want you to report images of child sexual abuse.

    "Hello police, I want to report that I've just looked at a picture which it is illegal for me to look at."

    "Ah, thank you sir, we will now arrange to destroy your entire life."

    Yes of course this is posted AC.

  44. Gav

    We don't know the full story.

    Heaps of outspoken opinions based on incomplete information - it's what the internet was made for!

    C'mon people. The article itself here admits the full details aren't known. We don't know what this student did and we don't know what he said in his email. For all we know he may have committed fraud with the information obtained, then sent a taunting letter to the principal telling him how he did it.

  45. Law
    IT Angle

    I wouldn't worry about the kid too much

    Soon enough criminal records relating to "hacking" charges will be collected by all the cool kids, and be used as a badge of honour in the industry.... much like the ASBO is used in "respectable" communities up and down Britain today! :)

  46. Phillip Bicknell


    "It is dangerous to be right when those in power are wrong." No computers in the eighteenth century, but still just as valid.

  47. Anonymous Coward


    Having a bit of a bad day, are we? Hope you are doing better tomorrow.

    I've heard of reticulated and burmese, but not monty pythons....WTF?

    Sad that this ends up like this for the kid and we really don't have enough information to know exactly what he did or said but it certainly appears that the admins are wankers who want to cover up their own incompetence.

  48. EdwardP

    Damnit El Reg Rule. Thx Moderatrix ;)

    "I've heard of reticulated and burmese, but not monty pythons....WTF?"

    Return to your cave, there is nothing for you here.

  49. Ben Lambert
    Black Helicopters

    Some Schools....

    I'm a HS Network Admin in the US. I try to keep a good relationship with the kids, especially with the more computer saavy ones. As a result, I usually get good information about what is going on. I try to help them if they have computer questions and try to help them understand why I have do certain things (blocking websites). There is another school close by where the NetAdmin is a controlling jerk, I doubt the kids would do anything except be malicious, just because they hate him.

    Unless I found a kid purposly attempting to be destructive or malicious, I don't care. Most of the time, if I do find something, I just go talk to them and say cut it out or else.

    I am curious how our administration would handle something like this, I would hate to be caught in the middle.

  50. Simpson


    Security? Private?

    The kid could have just filed a Freedom of Information Act request.

    Political parties in Michigan are using the FOIA to get info from school databases, to send political spam. From the Detroit Free Press

  51. Law

    @ EdwardP

    Unfortunately you are both right and wrong... people will always spout off crap in comments sections that don't relate to the article itself or convey an actual opinion, but at the same time as venting the venom that's built up inside you over those commentards, you have basically become the thing you hate, since you've done 2 posts on this article, yet not one gives us anything about the subject matter itself... just monty python and how you hate people? lol

    On the subject: I'm with the people who've said we don't know enough... my gut reaction was to think it was a witch hunt, but doesn't the article claim the police said the guy attempted to profit from the hack?? My guess it was an attempt at blackmail, but who knows... watch this space I guess. :)

    I've notice the effort in comments sections go down hill since we stopped having weekly Comments Roundup in the Letters section, usually by Robin Lettice and the gang.... what the hell Francine... when is it returning, it's been ages, last one was 9th June - if Robin doesn't want it anymore, pay Moderatrix more money and get her on the case... it was always a good read!!!

  52. EdwardP


    I never said stay on topic, I told people to "say something that with enrich the converstaion" or to button it.

    I don't give a toss what you say as long it doesn't look like it was generated by a fucking perl script. You want to rant? Then vent baby, vent. All I ask is you get those neurons firing and come up with SOMETHING to say, not fill the form with a variation of the same dreck you put in every day, presumably to get some sort of peverse feeling of acomplishment.

    Stupidity is doing the same thing over and over and expecting different results. Either these people derive some kind of depraved pleasure from making me go off like an incendiary bomb, or they are all but braindead, and these comments are the echos of their moribund intelects waning away as their few remaining synapses fire for the last time.

  53. Bounty

    wait a sec..

    "I discover that my neighbour has left his front door unlocked and report it only to be subsequently charged with burglary"

    Well how the hell would you know if your neighbor has his door unlocked? If you're going around your neighborhood turning door knobs, you should be arrested. Now, if you're walking down the street, and see the door open, that's different.

    It seems he needed a district password to do this. The question is, was it a password protected document in a shared area or what? If he was going through a set of shared files and opened the "office" folder looking for clipart, when it asked for a password, he typed in the schools' name, I don't see a problem. But, if he installed a keylogger on an unlocked PC to steal a username/password combo that's a problem. Especially if he then tried to use that info for some kind of extortion.

  54. Steve
    Black Helicopters

    Re: @Steve

    "So how do you find a security breach without looking for it? How to you prove your system is secure without attempting to break in?"

    I think you are missing the point - he wasn't authorised to do any instrusion testing - if he had been asked to test for flaws then that is another matter. Another analogy - a thief pops your door lock, has a nose around your house and copies some of your personal data - then leaves a note on your table to tell you that might get burgled!

    "The school administration should be in the dock for incompetence."

    Probably, but that doesn't excuse the what these kids did.

    "You're an <edited>, Steve."

    Hmmm maybe, but perhaps you ought to refine your vocabulary a bit - there's no need to get nasty just because my opinion doesn't match yours.

    "negating any chance of him being able to use the security flaw against them."

    Just beacuse he told them about the flaw doesn't mean he didn't intend to exploit the data he accessed for his own purposes - the data involved could easily have been used for identity fraud.

  55. Anonymous Coward
    Thumb Down

    Oooo ... scary police lady

    I bet it made state trooper Maureen Tuffey feel real big and tough to bust a 15 year old for doing something that anyone in the school could have done.

    And exactly *how* did the student intend to profit from it? If you're going to hold a network for ransom, you don't point out the vulnerability to the authoritiies - you send a note that says "all your data belong to me" and then make demands.

    Apparently, the police, DA, and school admins in that area have way too much free time - the latter should be using it to, you know, FIX THEIR CRAP.

    Kind of feel for the kid. So much for being a Good Samaritan.

  56. J

    @some raging bloke

    "Either these people derive some kind of depraved pleasure from making me go off like an incendiary bomb"

    Phew, it seems you finally got it. What took you so long?

  57. Law
    Paris Hilton

    RE: @Law

    "You want to rant? Then vent baby, vent." - might be the time of night, but that sentence made me chuckle! :)

    "Stupidity is doing the same thing over and over and expecting different results." - aka, General Elections.

    "... these people derive some kind of depraved pleasure from making me go off like an incendiary bomb" - wasn't that like the main arc for Heroes season one? ;)

    I agree that the commentards doing the same generic joke for multiple articles is extremely annoying - rage inducing even, but sometimes, just sometimes, they can hit gold - just like evolution, a small mutation of their usual crap becomes a site-wide phenomenon.

    Paris - because I've literally only ever spent one night in Paris.... true story

  58. Mark

    "What was he doing there?"

    You're presumed innocent until proven guilty here.

    Now, if he was there for nefarious purposes, why the HELL did he say what the security hole was?

    If you're just making shit up to ask a question, ask that one. Why did he say anything if he were intent on doing wrong?". Answer that one.

  59. Anonymous Coward
    Thumb Up

    Don't worry. What goes around...

    Not sure exactly what the kids said when he reported it, but somehow I can imagine that it was probably not sent in the most respectful way, combine that with teach being proved wrong and it's all going to go a bit Pete Tong!

    While he should be commended for his actions at the same time he needs warning not to mess about with stuff he shouldn't be in and some loss of privileges. The student learns that in the main it was useful, but next time there is a right way to do things. The teacher still knows he is technically right but needs to get on top of things, perhaps giving the student a menial punishment like cleaning out the dead ink dust from the printers.

    Been through it too. Crap paid job, used to put in hours of work just for the educational interest and dedication. Pointed out something was wrong after some consultant mate of the company loudmouth installed something dodgy. I shouldn't have been poking about, but did. Got hauled over the coals by the company loudmouth who had the CEOs ear. I was not allowed on premises outside 9-5 unless accompanied and stripped of all but limited system privs required. Lasted about 4 weeks, before I walked out and after 2 years drifting from job to job, finally found a company that did respect whistle-blowers contributions for the greater good. Later found out that original company X was having trouble finding anyone who would stay very long, due to the crap money and amount of work needed to maintain systems.

    As they say "What goes around...".

  60. I.M.Fantom

    Lesson learned: Do not report security breaches

    This is why I never mention security holes I have found.

    This is exactly the opposite action from what they should have done and it really shows a lack of understanding of IT systems that is pervasive in our society. This kid is charged because he was the one to report the security problem when in fact hundreds of others could have accessed the files and doubtless someone else probably did and DID NOT report it.

    The other kids now know to absolutely never report a security problem! It will just get you in trouble. Better to allow someone to really hack and slash the system than get it fixed.

  61. Steve Liddle

    nothing changes

    when was inn some low end contract job, got asked to copy some spreadsheet data, so selected all ctrl-c and then pasted ctrl-v

    it included everyone's salaries that were "hidden" by the boss who was not good with computers, by the time had realised, lots of people had the file and the sole girl in the office found she got £16k when everyone else doing the same job was on £22k or higher..

    Contract never got extended for some reason..

    Guess the lesson is to never tell anyone that they messed up :)

  62. Anonymous Coward
    Thumb Up


    The student is well on his way to learning one of life's most important lessons : do not tell anyone anything.

    Do not try to help. Do not be honest.

  63. Wayland Sothcott

    He did the right thing

    Getting punished for doing the right thing should not deter people. The way the world is at the moment if you are not getting punished then you are probably on the side of the baddies.

  64. Anonymous Coward
    Anonymous Coward

    Take help when it is offered

    I used to be the network manager in a school, and kids like this were a lifeline if properly managed. There is always going to someone smarter than you, or who has more time than you to look for the weaknesses - encourage them and make sure they are on the side of the angels - my ethos was to tell them they could go wherever they wanted so long as they broke nothing and told me where (and how) they had been. And then we locked down that vulnerability and the cycle begins again.

    You need to choose your people with care, but the ones who make themselves are mostly self selecting anyway.

    People should learn to not look a gift horse in the mouth.


  65. Aaron

    Yep, that sounds about right

    Just as with most the rest of the people on this thread, painful experience with this kind of thing is why I don't tell people about their security failures any more.

    Oh, also:

    "Getting punished for doing the right thing should not deter people."

    Maybe it shouldn't, but, strangely enough, it does. That's one feature of what we who live in it like to call "reality". You might want to give it a try; it's an interesting perspective to have.

  66. David Gillies

    No good deed goes unpunished

    Way back in the Middle Triassic Era (1985 or so) we discovered that the sysadmin password on the school's Econet fileserver could be obtained by hitting BREAK and peeking at a few bytes in low memory. We told the IT staff this: their response was to get very shirty and move the machine to a cupboard to which they supposedly had the only key (you could have picked the lock with your thumbnail). Needless to say this slowed us down for about five minutes until one enterprising lad wrote a nifty bit of 6502 assembler that switched the Econet card in a machine into promiscuous mode and sniffed the (unencrypted) username/password packets right off the wire. This we did not report.

  67. Anonymous Coward
    Anonymous Coward

    Heh. School security.

    <rant type="reminiscent">

    My HS used an online grading system, each student and each teacher had an account. When you logged into your account to view grades, your photo was displayed. Funny, not so surprising thing about that is, the photos were located in a public folder on the server, and named by student ID #. Another section of the School District's site allowed teachers to log in and look up any student's class schedule. There was one general username and password to access this part of the site, and this was used by all the faculty. Some teachers openly shared this information and encouraged students to use it to check their schedules.

    Conveniently, on that page, one could look up a student's schedule by ID # or name. On that schedule the student's name, ID#, and DOB were all listed.

    Any curious individual could obtain the photograph, DOB and schedule of any student with relative ease, my own included. When this was pointed out to the High School's IT staff, their response (two months later) was to change the password on the schedule log-in, and add a warning on the login page that it was meant only for staff use. Naturally, teachers continued to dole out the password information.

    That's bad enough, but it is nothing compared to our principal's utter lack of E-savvy. It was his habit to leave most of his vital passwords on sticky notes attached to the monitor in his office. Including, of course, that master password to the school's online grading system.

    In short, the information neccesary to build a basic stalker's dossier on any given student was handed out on a silver platter. Nothing was really done to protect student privacy. Although a number of years have passed since I left that place, it would not shock me if nothing had changed.

    </rant type="reminiscent">

  68. Tom

    Password Fun

    "That's bad enough, but it is nothing compared to our principal's utter lack of E-savvy. It was his habit to leave most of his vital passwords on sticky notes attached to the monitor in his office."

    We had someone like that in Sales. I used to pick up his pen and change the password. Turn an F into a P a 3 into an 8 an O into a Q and stuff like that. The next day he could not log on, so he would call me and swear that he didn't forget his password, and that no he would never write down his password.

This topic is closed for new posts.

Other stories you might like