Student charged after alerting principal to server hack

This is insane.

Just another example of school systems neglecting students to cover their own asses.

Provided the child did nothing but get in and notify them of the vulnerability he should be praised for this... not charged with a felony.

#***ing Fail!

Punishing someone for reporting a security fault is about the dumbest thing possible... unless of course they'd rather leak a couple hundred people's private information that admit they made a mistake. Oh wait, they probably would.

Darn it to heck!!

How many altruistic sociopaths need to commit petty larceny for us to take their "lessons by example" to heart??

Thank you, pimply hackerchild. By running your greasy fingers over the unclad private details of unsuspecting school workers you have shone the spotlight of truth on this failure of due care. Moreover, you have done it in a way that mere facts, gathered carefully, expressed coherently as words, written legibly on paper, enveloped and properly addressed, and delivered to the proper authorities by a certified postal carrier, could ever do...

Your sweaty frottage with the unprotected identities of strangers has not only taught us all the value of IT security - it has also emphasised the value of acne and social isolation as indicators of poor ethical judgment.

You are a hero - Kevin Zitnick in a white hat.

Fear not, the improvised cosh of karma. It wont be pummeling the bloodied carcass of your soul anytime soon.

Trust me.

Email will get you

Would they have tracked him down if he has just send a letter?

Re: Email will get you

If he'd sent a letter, they'd probably have decoded the secret microdots created by his printer (assuming it wasn't hand written), and use that to find the owner of the printer via warranty registration information or other records of the purchase.

A Tale from inside the M25 18 months ago

A friend of mine reported a security issue to the university network staff and they called the police. all he had done was rediscover the ypcat issues on the universities unix networks, but the passwords are synced between the unix and windows networks and the admins panicked.

For some reason, the result of honesty is pain.

(ypcat was an application that he had the right to execute, so the final argument was that it was not an unauthorised access. The purpose of the system is to allow learning, and when finding a command avaliable that he didn't know about, he set out to find out what it did. It won't be the last time I tell him to rtfm)

Shocking

Ok, so he accessed the records, that was bad and wrong etc etc.

However he then alerted the school to the security flaw, so they could fix it.

Surely the alerting them to it outweights the accessing of the data? I mean come on. If a teenager can break through your so called security it's obvious it needs a lot of work. He did them a favour. He could have not mentioned it and caused havok, but he didn't.

Gone are the days when that sort of "find a way in, then tell those who own it how to fix it" mentality was acceptable, and even got you a job (Highschool and college, pointed it out, ended up working for the network teams there to increase the security).

RE: even without info

Turns out the student may not have handled this in the best way if you read the dailygazette articles mentioned.

“He sent an e-mail to his principal saying, ‘look what I have,’ ” DeFeciani said. “That was at 1 [p.m.] Tuesday and within two hours we knew who he was.”

Obviously we can't be sure if that is the full email, or if there was some threatening intent behind it, but it appears to be some kids causing mischief and not just a simple security information release. Of course, if they wanted to pull pranks, probably best NOT to do it when such personal data is involved.

Re: Email will get you

So will DNA, if he licked the stamp.

Why these muppets don't use Internet caffs beggars belief!

Paris, cos I'd lick her stamp any day. (well, 3 weeks out of 4)

One mans freedom fighter is anothers terrorist...

Irrespective of motive the defendant deliberately mis-represented himself and gained access to resources which he had no right to do without the consent of the proper authorities, hence the criminal charges. What would we all be saying if he had stabbed and killed a police officer in order to "test the security of the stab proof vest the officer was wearing at the time"?

Hopefully he has now learned a lesson about covering his tracks better.

Dear God

Whatever happened to discovering the vulnerability then notifying whomever can address it? If you feel the need to attach "evidence" of your discovery it would be wise to ensure such evidence is not illegal to transmit or would otherwise lead to criminal charges or disciplinary actions.

*sigh*

You wouldn't bomb your neighbor's house to prove it's vulnerable to bombings.... or would you?

Am I missing something?

He notified his Principal, anonymously, of the security weakness, and yet he was attempting to profit from it???

follow the rules

1. Never (ever) expose those in charge of your school/job/life as foolish or incompetent, in public.

They don't like it. If you do so, the rules of CYA dictate that you must be destroyed.

2. If you want to expose those in charge of your school/job/life as foolish or incompetent (or just want to let them know that you are smarter than they are), don't tell them about it.

Tell the press instead. They will be happy for the story, and protect you in return.

Instead of "Local Punk Breaks Into School Network", Principal xx thwarted an attack on the public school network yesterday, and saved the city hundreds of millions of $. "We were able to contain the damage. I think the clean-up should only cost $3,000,000", said principal xx"... "I'm worried", said bus worker "I mean, my NAME is in that database"... local bad kid yy is being held in a faraday cage, on a $100,000 bail...

You could have had "Whistle Blower Arrested In BusGate Case", Local computer security expert yy was arrested yesterday over his alleged role in exposing the official incompetence that we first reported yesterday... "I don't know why principal xx is doing this", said yy "I was just trying to help"... When This Paper notified local bus driver xy of the insecure school computer systems, he said "I'm worried. My NAME is in that database"... "This sort of complete incompetence costs the taxpayer millions every day", says Dr Seuss. "If his parents sue, it may cost your city millions more"... This paper has tried to get a statement from principal xx, but an 8 PM call to his office went unanswered...

See

This is why I never told the teachers about all of the security holes I found in their systems when I was in high school.

This is exactly the opposite action from what they should have done and it really shows a lack of understanding of IT systems that is pervasive in our society. This kid is charged because he was the one to report the security problem when in fact hundreds of others could have accessed the files and doubtless someone else probably did and DID NOT report it.

In this case it truly is the squeaky wheel that gets blown off the cart with a shotgun blast.

Silence him quick

He might uncover the conspiracy to hide the fact the county hires Martians and that a disused school building is really a UFO traffic control centre.

Educational system still the same

"Though shall not joke with a teacher" and "Though shall not point the teacher the error in his ways". It is part of the professional requirements - to be totally unable to accept that a student is right and to have the part of your humour gland dealing with students joking about teachers amputated prior to starting your teaching career. There are some exemptions, but they are very few.

I remember my dad explaining this to me after he got called to the headmaster on my first day in school and I am now having to explain it to junior.

The difference between then and now however, is that when I went to school the headmasters and teachers actually had the guts to handle nearly any situation themselves instead of abdicating all responsibility for children discipline and education, screaming ADHD at the first opportunity and calling the police straight away after that.

Well, that's just what I would do

if some eager, talented, honest kid pointed out a weakness in my security. Just nail him to the wall. That'll teach him about moral values such as honesty and helpfulness. It will totally not motivate him to get medieval on my ass/system at any upcoming opportunity, which, given the poor state of my security, are plentiful.

Re: Email will get you

"Why these muppets don't use Internet caffs beggars belief!"

Internef caff?

Nah.

Wardriving.

Re: Am I missing something?

> He notified his Principal, anonymously, of the security weakness, and yet he was attempting to profit from it???

Only the bleeding obvious. If you attempt to hold someone for ransom then you don't say who you are...

Won the battle, lost the War

Classic response which ends in the School itself losing it's intregrity/trust to be approached and to be trusted to deal with pupils in a balanced manner.

Next time any security flaw is detected(Physical or electronic )you bet the school will be not be informed.

If anything the flaw will be left open for somone else to exploit it maliciously.

Obviously not a hacker

They caught him, didn't they?

Now, if he had just printed the letter on one of the schools printers and (covertly) dropped it off in the principals pigeonhole... (Assuming hid didn't call his file "l33t h4x0r" or something similar - just add an extra page to the latest essay.)

Of course there could still be ways to get him, but it starts to get really tricky - and thus expensive...

I still don't get why they didn't just fix the issue and keep it quite. Someone must have done something more with the data.

@Steve

Er... intrusion testing a computer system cannot be equated to stabbing somone to see if it kills them or not.

The lad done good and if I were the school admin i'd be apologising and beggin them not to sack me. I would also be standing up for the kid.

I would like to see what evidence they provide that he intended to profit frmo this. I can only imagine that his full email contained a linie similar to...

"Let me pass my course or i'll post this secure info on the internet."

If so then he probably needs some lessons in social interactions...

However, he did tell them there was a flaw and also told them what was wrong - thus negating any chance of him being able to use the security flaw against them.

I say "let 'em crash..."

I'm not surprised

A similar thing happened to me at work.

Several years ago, I found myself looking at some files which I shouldn't have had access to, in the mistaken belief they were something I *was* looking for (they weren't particularly well-named). I straight away pointed out the gaping security hole, in confidence, to my boss.

She decided it was "too important" to maintain my confidence and reported me. My reward for this was demotion and a written warning, whilst those responsible (i.e. her) ran around hiding their ****-up.

The moral of the story is, just don't tell them. I don't any more.

Remember kids, dont help nobody

People need to wake up and realise that "helping" is a point of view, not an absolute, you might be helping the people on the list, you might be helping to improve security, but you're stoning to death the administrator who now looks like a complete idiot and might have to fight for his job or be unemployed.

So what happens is people filter the information so that it looks good, if that administrator is doing the filtering, what do you think he will do? thats right kids! he'll filter it so that YOU HACKED THE SYSTEM and you're a terrorist!! you threatened him, he has the <clickety click> emails right here!!!!

I wrote a blog post about this, I think it's pretty much in the vein of the comments above, so I'll let you all read it.

http://chris-alex-thomas.com/blog/2008/10/28/remember-kids-never-do-the-right-thing/

'puters are the devil's work!

Leave well alone!

2 Rules

Honesty always gets you in trouble and crime does pay (v.well in some circumstances).

Jury Duty

i wish i could serve on that Jury... he'd mostly likely be not guilty in my eyes.

@Andus McCoatover: WHY??????????

You are everything I've come to hate.

Coat/Hilton/Icon expanation are examples of memes horribly abused. They're only used now by those so devoid of imagination that they rely the "jokes" of others. Jokes that were barely funny at the time, let alone after 1-7 years of contant repitition. Jokes that in some cases, aren't fucking jokes.

You are the same people who, 20 years on, ape the same Monty Python scetches, using an unconvincing voice, all the while failing to see the irony of parrot (fuck you) like repetition of jokes where the charm and humour lie in their spontaneity and randomness. You know who you are.

Like Daily Mail readers, you base your opinions and actions on what other people are doing, not what you actually think. Think? You don't know HOW to think, like mindless automatons or ants in a nest you scurry about your business, never understanding or questioning.

Use your fucking brain and either say something that with enrich the converstaion, or shut the fuck up and resign yourself to obscurity. We don't fucking care. It isn't funny. It never was. I'm sick and fucking tired of it.

Mods: Censor this, edit it, whatever, just post it pls. I'm fed up to the back teeth and I know I'm not the only one.

It could be a lot worse

It could be a lot worse than just a hacking charge. The Internet Watch Foundation want you to report images of child sexual abuse. http://news.bbc.co.uk/1/hi/technology/7689241.stm

"Hello police, I want to report that I've just looked at a picture which it is illegal for me to look at."

"Ah, thank you sir, we will now arrange to destroy your entire life."

Yes of course this is posted AC.

We don't know the full story.

Heaps of outspoken opinions based on incomplete information - it's what the internet was made for!

C'mon people. The article itself here admits the full details aren't known. We don't know what this student did and we don't know what he said in his email. For all we know he may have committed fraud with the information obtained, then sent a taunting letter to the principal telling him how he did it.

I wouldn't worry about the kid too much

Soon enough criminal records relating to "hacking" charges will be collected by all the cool kids, and be used as a badge of honour in the industry.... much like the ASBO is used in "respectable" communities up and down Britain today! :)

@EdwardP

Having a bit of a bad day, are we? Hope you are doing better tomorrow.

I've heard of reticulated and burmese, but not monty pythons....WTF?

Sad that this ends up like this for the kid and we really don't have enough information to know exactly what he did or said but it certainly appears that the admins are wankers who want to cover up their own incompetence.

Some Schools....

I'm a HS Network Admin in the US. I try to keep a good relationship with the kids, especially with the more computer saavy ones. As a result, I usually get good information about what is going on. I try to help them if they have computer questions and try to help them understand why I have do certain things (blocking websites). There is another school close by where the NetAdmin is a controlling jerk, I doubt the kids would do anything except be malicious, just because they hate him.

Unless I found a kid purposly attempting to be destructive or malicious, I don't care. Most of the time, if I do find something, I just go talk to them and say cut it out or else.

I am curious how our administration would handle something like this, I would hate to be caught in the middle.

@ EdwardP

Unfortunately you are both right and wrong... people will always spout off crap in comments sections that don't relate to the article itself or convey an actual opinion, but at the same time as venting the venom that's built up inside you over those commentards, you have basically become the thing you hate, since you've done 2 posts on this article, yet not one gives us anything about the subject matter itself... just monty python and how you hate people? lol

On the subject: I'm with the people who've said we don't know enough... my gut reaction was to think it was a witch hunt, but doesn't the article claim the police said the guy attempted to profit from the hack?? My guess it was an attempt at blackmail, but who knows... watch this space I guess. :)

I've notice the effort in comments sections go down hill since we stopped having weekly Comments Roundup in the Letters section, usually by Robin Lettice and the gang.... what the hell Francine... when is it returning, it's been ages, last one was 9th June - if Robin doesn't want it anymore, pay Moderatrix more money and get her on the case... it was always a good read!!!

@Law

I never said stay on topic, I told people to "say something that with enrich the converstaion" or to button it.

I don't give a toss what you say as long it doesn't look like it was generated by a fucking perl script. You want to rant? Then vent baby, vent. All I ask is you get those neurons firing and come up with SOMETHING to say, not fill the form with a variation of the same dreck you put in every day, presumably to get some sort of peverse feeling of acomplishment.

Stupidity is doing the same thing over and over and expecting different results. Either these people derive some kind of depraved pleasure from making me go off like an incendiary bomb, or they are all but braindead, and these comments are the echos of their moribund intelects waning away as their few remaining synapses fire for the last time.

Re: @Steve

"So how do you find a security breach without looking for it? How to you prove your system is secure without attempting to break in?"

I think you are missing the point - he wasn't authorised to do any instrusion testing - if he had been asked to test for flaws then that is another matter. Another analogy - a thief pops your door lock, has a nose around your house and copies some of your personal data - then leaves a note on your table to tell you that might get burgled!

"The school administration should be in the dock for incompetence."

Probably, but that doesn't excuse the what these kids did.

"You're an <edited>, Steve."

Hmmm maybe, but perhaps you ought to refine your vocabulary a bit - there's no need to get nasty just because my opinion doesn't match yours.

"negating any chance of him being able to use the security flaw against them."

Just beacuse he told them about the flaw doesn't mean he didn't intend to exploit the data he accessed for his own purposes - the data involved could easily have been used for identity fraud.

Oooo ... scary police lady

I bet it made state trooper Maureen Tuffey feel real big and tough to bust a 15 year old for doing something that anyone in the school could have done.

And exactly *how* did the student intend to profit from it? If you're going to hold a network for ransom, you don't point out the vulnerability to the authoritiies - you send a note that says "all your data belong to me" and then make demands.

Apparently, the police, DA, and school admins in that area have way too much free time - the latter should be using it to, you know, FIX THEIR CRAP.

Kind of feel for the kid. So much for being a Good Samaritan.

RE: @Law

"You want to rant? Then vent baby, vent." - might be the time of night, but that sentence made me chuckle! :)

"Stupidity is doing the same thing over and over and expecting different results." - aka, General Elections.

"... these people derive some kind of depraved pleasure from making me go off like an incendiary bomb" - wasn't that like the main arc for Heroes season one? ;)

I agree that the commentards doing the same generic joke for multiple articles is extremely annoying - rage inducing even, but sometimes, just sometimes, they can hit gold - just like evolution, a small mutation of their usual crap becomes a site-wide phenomenon.

Paris - because I've literally only ever spent one night in Paris.... true story

Don't worry. What goes around...

Not sure exactly what the kids said when he reported it, but somehow I can imagine that it was probably not sent in the most respectful way, combine that with teach being proved wrong and it's all going to go a bit Pete Tong!

While he should be commended for his actions at the same time he needs warning not to mess about with stuff he shouldn't be in and some loss of privileges. The student learns that in the main it was useful, but next time there is a right way to do things. The teacher still knows he is technically right but needs to get on top of things, perhaps giving the student a menial punishment like cleaning out the dead ink dust from the printers.

Been through it too. Crap paid job, used to put in hours of work just for the educational interest and dedication. Pointed out something was wrong after some consultant mate of the company loudmouth installed something dodgy. I shouldn't have been poking about, but did. Got hauled over the coals by the company loudmouth who had the CEOs ear. I was not allowed on premises outside 9-5 unless accompanied and stripped of all but limited system privs required. Lasted about 4 weeks, before I walked out and after 2 years drifting from job to job, finally found a company that did respect whistle-blowers contributions for the greater good. Later found out that original company X was having trouble finding anyone who would stay very long, due to the crap money and amount of work needed to maintain systems.

As they say "What goes around...".

nothing changes

when was inn some low end contract job, got asked to copy some spreadsheet data, so selected all ctrl-c and then pasted ctrl-v

it included everyone's salaries that were "hidden" by the boss who was not good with computers, by the time had realised, lots of people had the file and the sole girl in the office found she got £16k when everyone else doing the same job was on £22k or higher..

Contract never got extended for some reason..

Guess the lesson is to never tell anyone that they messed up :)

Great.

The student is well on his way to learning one of life's most important lessons : do not tell anyone anything.

Do not try to help. Do not be honest.

He did the right thing

Getting punished for doing the right thing should not deter people. The way the world is at the moment if you are not getting punished then you are probably on the side of the baddies.

No good deed goes unpunished

Way back in the Middle Triassic Era (1985 or so) we discovered that the sysadmin password on the school's Econet fileserver could be obtained by hitting BREAK and peeking at a few bytes in low memory. We told the IT staff this: their response was to get very shirty and move the machine to a cupboard to which they supposedly had the only key (you could have picked the lock with your thumbnail). Needless to say this slowed us down for about five minutes until one enterprising lad wrote a nifty bit of 6502 assembler that switched the Econet card in a machine into promiscuous mode and sniffed the (unencrypted) username/password packets right off the wire. This we did not report.