Student charged after alerting principal to server hack

A 15-year-old high school student in New York State has been charged with three felonies after he allegedly accessed personnel records on his school's poorly configured computer network and then notified his principal of the security weakness. The unnamed student of Shenendehowa Central School was charged Thursday with …

COMMENTS


  1. Dave
    Stop

    Typical response really

    It's just a normal response from a school with egg on its face. At least now the student is well aware that anything to do with security should never ever be mentioned to those charged with maintaining that security. (No, that's not sarcasm, that's really what you should avoid doing if you don't wanna end up like this poor kid.)

    I recall being excluded from the final week at my high school simply for casually mentioning to another tech friend while in a computer room how easy it would be to plant a virus of almost any kind up the school's system due to their lack of any comprehensive A/V and the very lax security measures that would allow it to roam freely. Shame a teacher overheard me and thought I was planning on doing exactly that. Not even the protests of the IT staff (who all knew me and knew I wouldn't bother wasting my time doing that, there's no point or reward to it) could convince the school Admin I wasn't a nasty terrorist hacker. Oh well, you live and learn, at least it was long enough ago that people didn't think about calling the police for every thing.

  2. Travis
    Stop

    This is insane.

    Just another example of school systems neglecting students to cover their own asses.

    Provided the child did nothing but get in and notify them of the vulnerability he should be praised for this... not charged with a felony.

  3. Paul
    Thumb Down

    #***ing Fail!

    Punishing someone for reporting a security fault is about the dumbest thing possible... unless of course they'd rather leak a couple hundred people's private information than admit they made a mistake. Oh wait, they probably would.

  4. yeah, right.

    even without info

    Even without any more information, it sounds like your utterly stereotypical kneejerk arse-covering by an incompetent management that was caught not only with its pants down around its ankles, but buggering the local goat.

    Willing to be proven wrong though, but I've seen too much of this type of bullshit.

  5. Anonymous Coward
    Thumb Up

    Darn it to heck!!

    How many altruistic sociopaths need to commit petty larceny for us to take their "lessons by example" to heart??

    Thank you, pimply hackerchild. By running your greasy fingers over the unclad private details of unsuspecting school workers you have shone the spotlight of truth on this failure of due care. Moreover, you have done it in a way that mere facts, gathered carefully, expressed coherently as words, written legibly on paper, enveloped and properly addressed, and delivered to the proper authorities by a certified postal carrier, could ever do...

    Your sweaty frottage with the unprotected identities of strangers has not only taught us all the value of IT security - it has also emphasised the value of acne and social isolation as indicators of poor ethical judgment.

    You are a hero - Kevin Zitnick in a white hat.

    Fear not, the improvised cosh of karma. It won't be pummeling the bloodied carcass of your soul anytime soon.

    Trust me.

  6. Moss Icely Spaceport
    Happy

    Email will get you

    Would they have tracked him down if he had just sent a letter?

  7. James Henstridge
    Black Helicopters

    Re: Email will get you

    If he'd sent a letter, they'd probably have decoded the secret microdots created by his printer (assuming it wasn't hand written), and used that to find the owner of the printer via warranty registration information or other records of the purchase.

  8. Anonymous Coward
    Black Helicopters

    A Tale from inside the M25 18 months ago

    A friend of mine reported a security issue to the university network staff and they called the police. All he had done was rediscover the ypcat issues on the university's unix networks, but the passwords are synced between the unix and windows networks and the admins panicked.

    For some reason, the result of honesty is pain.

    (ypcat was an application that he had the right to execute, so the final argument was that it was not an unauthorised access. The purpose of the system is to allow learning, and when finding a command available that he didn't know about, he set out to find out what it did. It won't be the last time I tell him to rtfm)

  9. Anonymous Coward
    Anonymous Coward

    Re: All the typical kneejerk comments

    >and was looking to profit from his criminal act."

    Before jumping to this lad's defence it would be better, as the article says, to see in full the mail he sent in order to see what form of profit this is.

  10. Anonymous Coward
    Flame

    Shocking

    Ok, so he accessed the records, that was bad and wrong etc etc.

    However he then alerted the school to the security flaw, so they could fix it.

    Surely the alerting them to it outweighs the accessing of the data? I mean come on. If a teenager can break through your so called security it's obvious it needs a lot of work. He did them a favour. He could have not mentioned it and caused havoc, but he didn't.

    Gone are the days when that sort of "find a way in, then tell those who own it how to fix it" mentality was acceptable, and even got you a job (Highschool and college, pointed it out, ended up working for the network teams there to increase the security).

  11. richard

    What I Did

    When I was in the US Marine Corps I worked in a secure location and I did not have much access to the main frame, although I did have a top secret security clearance.

    One day I blocked my system and called for tech support. These people did not have a top secret security clearance, so I had one log in as a superuser and then step away from the computer and give me the steps to resolve my problem. At the same time I gave myself the same rights as the mainframe administrator.

    I finished, and let her log out. Then I created a second account for myself.

    That evening when the secure facility was closed I drifted all through the mainframe and found a lot of classified information, which I removed (after printing the lead page for proof). I worked 14 hours non-stop.

    9h00 the security officer comes to work and I asked for an appointment, he refused. So I went to his office and interrupted his meeting and handed him his own stack of classified info that locals had access to, as an admin. His meeting ended and ALL of my management was called in. Until they were all present I was yelled at. Once they were all present I gave the complete file to my boss to show what I had done.

    From being yelled at and threats of posting in Afghanistan (when the Russians were still there) to an award and recommendation for promotion.

    Security officer called the main frame admin folks and had them remove my privileges, to make me harmless again.

    I went back to work as normal and then a month or 6 weeks later I went to our facility late Friday evening and didn't leave until Monday morning. They removed my privileges, but no one knew I made a second account, which I used to give myself my privileges back. This time I brought my boss to the Security Officer to hand over the classified information - yelling annoys me.

    Same process of yelling and removing privileges.

    Only after I did it the third time did someone think to ask how I kept getting access. Marines are taught to never lie to a superior officer, so I told them. Lost all access after that.

    Long story, but the kid in question was doing what was right. Hacking to find a weakness is a profession these days.

  12. Anonymous Coward
    Alert

    RE: even without info

    Turns out the student may not have handled this in the best way if you read the dailygazette articles mentioned.

    “He sent an e-mail to his principal saying, ‘look what I have,’ ” DeFeciani said. “That was at 1 [p.m.] Tuesday and within two hours we knew who he was.”

    Obviously we can't be sure if that is the full email, or if there was some threatening intent behind it, but it appears to be some kids causing mischief and not just a simple security information release. Of course, if they wanted to pull pranks, probably best NOT to do it when such personal data is involved.

  13. Andus McCoatover
    Paris Hilton

    Re: Email will get you

    So will DNA, if he licked the stamp.

    Why these muppets don't use Internet caffs beggars belief!

    Paris, cos I'd lick her stamp any day. (well, 3 weeks out of 4)

  14. Steve
    Black Helicopters

    One man's freedom fighter is another's terrorist...

    Irrespective of motive the defendant deliberately mis-represented himself and gained access to resources which he had no right to do without the consent of the proper authorities, hence the criminal charges. What would we all be saying if he had stabbed and killed a police officer in order to "test the security of the stab proof vest the officer was wearing at the time"?

    Hopefully he has now learned a lesson about covering his tracks better.

  15. Rob
    Stop

    Dear God

    Whatever happened to discovering the vulnerability then notifying whomever can address it? If you feel the need to attach "evidence" of your discovery it would be wise to ensure such evidence is not illegal to transmit or would otherwise lead to criminal charges or disciplinary actions.

    *sigh*

    You wouldn't bomb your neighbor's house to prove it's vulnerable to bombings.... or would you?

  16. Anonymous Coward
    Anonymous Coward

    school backhandedly helped this kid

    All good stuff to add to his CV. Although not perhaps how the school intended.

    This stuff only discourages reporting. Perhaps he should have 'notified' the school via a publicly accessible forum of wanna be script kiddies and given the info to the world at large, obviously not admitting anything.

    Sounds to me like a case of a BOFH who wasn't up to the job (as happens a lot of education IT due to the pitiful wages). Then decided to hit this kid in the only way he could to help his own bruised ego!

  17. Anthony Mark
    Paris Hilton

    Am I missing something?

    He notified his Principal, anonymously, of the security weakness, and yet he was attempting to profit from it???

  18. kain preacher

    What do you expect

    He exposed them. That's the worst thing you can do to people like that.

  19. Simpson
    Jobs Horns

    follow the rules

    1. Never (ever) expose those in charge of your school/job/life as foolish or incompetent, in public.

    They don't like it. If you do so, the rules of CYA dictate that you must be destroyed.

    2. If you want to expose those in charge of your school/job/life as foolish or incompetent (or just want to let them know that you are smarter than they are), don't tell them about it.

    Tell the press instead. They will be happy for the story, and protect you in return.

    Instead of "Local Punk Breaks Into School Network", Principal xx thwarted an attack on the public school network yesterday, and saved the city hundreds of millions of $. "We were able to contain the damage. I think the clean-up should only cost $3,000,000", said principal xx"... "I'm worried", said bus worker "I mean, my NAME is in that database"... local bad kid yy is being held in a faraday cage, on a $100,000 bail...

    You could have had "Whistle Blower Arrested In BusGate Case", Local computer security expert yy was arrested yesterday over his alleged role in exposing the official incompetence that we first reported yesterday... "I don't know why principal xx is doing this", said yy "I was just trying to help"... When This Paper notified local bus driver xy of the insecure school computer systems, he said "I'm worried. My NAME is in that database"... "This sort of complete incompetence costs the taxpayer millions every day", says Dr Seuss. "If his parents sue, it may cost your city millions more"... This paper has tried to get a statement from principal xx, but an 8 PM call to his office went unanswered...

  20. Jonathan
    Thumb Down

    See

    This is why I never told the teachers about all of the security holes I found in their systems when I was in high school.

    This is exactly the opposite action from what they should have done and it really shows a lack of understanding of IT systems that is pervasive in our society. This kid is charged because he was the one to report the security problem when in fact hundreds of others could have accessed the files and doubtless someone else probably did and DID NOT report it.

    In this case it truly is the squeaky wheel that gets blown off the cart with a shotgun blast.

  21. Flocke Kroes Silver badge
    Alien

    Silence him quick

    He might uncover the conspiracy to hide the fact the county hires Martians and that a disused school building is really a UFO traffic control centre.

  22. Anton Ivanov
    Coat

    Educational system still the same

    "Thou shall not joke with a teacher" and "Thou shall not point the teacher the error in his ways". It is part of the professional requirements - to be totally unable to accept that a student is right and to have the part of your humour gland dealing with students joking about teachers amputated prior to starting your teaching career. There are some exemptions, but they are very few.

    I remember my dad explaining this to me after he got called to the headmaster on my first day in school and I am now having to explain it to junior.

    The difference between then and now however, is that when I went to school the headmasters and teachers actually had the guts to handle nearly any situation themselves instead of abdicating all responsibility for children discipline and education, screaming ADHD at the first opportunity and calling the police straight away after that.

  23. Alan Fisher

    Simply a symptom

    Of today's society...if he hadn't reported and had exploited it, nobody would have known and untold damage could have been done. But he is civically-minded enough to report it and that's not good citizen behaviour....our betters are just that and how dare we say otherwise!!!

    This is stupidity to the extreme and they should be thanking this student, not punishing him!!

    Maybe this is just part of how things are going...Nixon's days of "reds under the bed" may well be back and it's important that we all know where all the terrorists and pinkos among us are before it's too late and we still have some liberty left!!!

  24. Bad Beaver
    Thumb Up

    Well, that's just what I would do

    if some eager, talented, honest kid pointed out a weakness in my security. Just nail him to the wall. That'll teach him about moral values such as honesty and helpfulness. It will totally not motivate him to get medieval on my ass/system at any upcoming opportunity, which, given the poor state of my security, are plentiful.

  25. Anonymous Coward
    Anonymous Coward

    well

    He's learnt a valuable lesson, and one we should all heed, if you find a vulnerability, exploit it and sell what you get to the highest bidder.

  26. Paul

    If I was him...

    I would go to the school and point out to them that my records were left open to all and they can carry on if they want, but I will be taking my own action, or we can forget the whole thing right now.

    Probably wouldn't work, but worth a try.

  27. Hollerith

    it's an old tradition

    In the 1970s, when I was an undergraduate, I made the mistake of correcting two facts for my history professor in a 101-level class. Six years later, having taken other courses from him and thinking he was generally a good guy, but not a great historian (we had one other tiny clash that I thought had ended amicably), I asked him to be a reference to get into a grad school and he more or less flamed me in his letter of reference, in spite of my 3.6 record, double major, etc etc. Needless to say, I lost the place.

    A lesson in the cold long-term revenge teachers are capable of.

    So the reaction to hammer the kid into the dirt is not really a surprise. Mine was a personal lesson and didn't, in the end, harm me (tried again with different referees and got into a different and better university), but this poor kid could have his whole life bent out of shape for this.

  28. Mark

    @Steve

    So how do you find a security breach without looking for it? How do you prove your system is secure without attempting to break in?

    The school administration should be in the dock for incompetence.

    You're an arsehole, Steve.

  29. Anonymous Coward
    Black Helicopters

    Re: Email will get you

    "Why these muppets don't use Internet caffs beggars belief!"

    Internet caff?

    Nah.

    Wardriving.

  30. Anonymous Coward
    Thumb Up

    Re: Am I missing something?

    > He notified his Principal, anonymously, of the security weakness, and yet he was attempting to profit from it???

    Only the bleeding obvious. If you attempt to hold someone for ransom then you don't say who you are...

  31. TimNevins
    Thumb Up

    Won the battle, lost the War

    Classic response which ends in the School itself losing its integrity/trust to be approached and to be trusted to deal with pupils in a balanced manner.

    Next time any security flaw is detected (physical or electronic) you bet the school will not be informed.

    If anything the flaw will be left open for someone else to exploit it maliciously.

  32. Thomas Vestergaard
    Pirate

    Obviously not a hacker

    They caught him, didn't they?

    Now, if he had just printed the letter on one of the school's printers and (covertly) dropped it off in the principal's pigeonhole... (Assuming he didn't call his file "l33t h4x0r" or something similar - just add an extra page to the latest essay.)

    Of course there could still be ways to get him, but it starts to get really tricky - and thus expensive...

    I still don't get why they didn't just fix the issue and keep it quiet. Someone must have done something more with the data.

  33. Robert McGregor
    Thumb Up

    @Steve

    Er... intrusion testing a computer system cannot be equated to stabbing someone to see if it kills them or not.

    The lad done good and if I were the school admin I'd be apologising and begging them not to sack me. I would also be standing up for the kid.

    I would like to see what evidence they provide that he intended to profit from this. I can only imagine that his full email contained a line similar to...

    "Let me pass my course or I'll post this secure info on the internet."

    If so then he probably needs some lessons in social interactions...

    However, he did tell them there was a flaw and also told them what was wrong - thus negating any chance of him being able to use the security flaw against them.

    I say "let 'em crash..."

  34. Anonymous Coward
    Unhappy

    I'm not surprised

    A similar thing happened to me at work.

    Several years ago, I found myself looking at some files which I shouldn't have had access to, in the mistaken belief they were something I *was* looking for (they weren't particularly well-named). I straight away pointed out the gaping security hole, in confidence, to my boss.

    She decided it was "too important" to maintain my confidence and reported me. My reward for this was demotion and a written warning, whilst those responsible (i.e. her) ran around hiding their ****-up.

    The moral of the story is, just don't tell them. I don't any more.

  35. Anonymous Coward
    Anonymous Coward

    Analogy.

    I discover that my neighbour has left his front door unlocked and report it only to be subsequently charged with burglary.

  36. EvilGav

    How Times Change

    I remember back in my school days spending quite some time re-writing a maths programme. At the time it was on BBC B's, so lots of disks with the relevant programme on. Some were re-coded to give the wrong results, some had altered start-up screens, some had hidden routines and so on.

    My name lived on in infamy for years after I'd left - random students knew me in my home town, though I'd never been at school with them and had no idea who they were.

    Still keep in touch with both the Computing teacher and the Maths teacher and they both still think it was funny.

  37. Christoph

    Shoot the messenger

    The school is doing the right thing.

    They want to make sure their system is secure.

    If they shoot the messenger whenever a problem is reported, then nobody will report problems.

    If no problems are reported, then that proves that there are no problems. So their system must be secure.

    So they can all relax and not worry about all that silly 'security' stuff.

  38. Chris Thomas
    Coat

    Remember kids, don't help nobody

    People need to wake up and realise that "helping" is a point of view, not an absolute, you might be helping the people on the list, you might be helping to improve security, but you're stoning to death the administrator who now looks like a complete idiot and might have to fight for his job or be unemployed.

    So what happens is people filter the information so that it looks good, if that administrator is doing the filtering, what do you think he will do? That's right kids! He'll filter it so that YOU HACKED THE SYSTEM and you're a terrorist!! You threatened him, he has the <clickety click> emails right here!!!!

    I wrote a blog post about this, I think it's pretty much in the vein of the comments above, so I'll let you all read it.

    http://chris-alex-thomas.com/blog/2008/10/28/remember-kids-never-do-the-right-thing/

  39. Winkypop Silver badge
    Pirate

    'puters are the devil's work!

    Leave well alone!

  40. Anonymous Coward
    Go

    2 Rules

    Honesty always gets you in trouble and crime does pay (v.well in some circumstances).

  41. Anonymous Coward
    Flame

    Jury Duty

    I wish I could serve on that Jury... he'd most likely be not guilty in my eyes.

  42. EdwardP
    Flame

    @Andus McCoatover: WHY??????????

    You are everything I've come to hate.

    Coat/Hilton/Icon explanation are examples of memes horribly abused. They're only used now by those so devoid of imagination that they rely on the "jokes" of others. Jokes that were barely funny at the time, let alone after 1-7 years of constant repetition. Jokes that in some cases, aren't fucking jokes.

    You are the same people who, 20 years on, ape the same Monty Python sketches, using an unconvincing voice, all the while failing to see the irony of parrot (fuck you) like repetition of jokes where the charm and humour lie in their spontaneity and randomness. You know who you are.

    Like Daily Mail readers, you base your opinions and actions on what other people are doing, not what you actually think. Think? You don't know HOW to think, like mindless automatons or ants in a nest you scurry about your business, never understanding or questioning.

    Use your fucking brain and either say something that will enrich the conversation, or shut the fuck up and resign yourself to obscurity. We don't fucking care. It isn't funny. It never was. I'm sick and fucking tired of it.

    Mods: Censor this, edit it, whatever, just post it pls. I'm fed up to the back teeth and I know I'm not the only one.

  43. Anonymous Coward
    Alert

    It could be a lot worse

    It could be a lot worse than just a hacking charge. The Internet Watch Foundation want you to report images of child sexual abuse. http://news.bbc.co.uk/1/hi/technology/7689241.stm

    "Hello police, I want to report that I've just looked at a picture which it is illegal for me to look at."

    "Ah, thank you sir, we will now arrange to destroy your entire life."

    Yes of course this is posted AC.

  44. Gav
    Alert

    We don't know the full story.

    Heaps of outspoken opinions based on incomplete information - it's what the internet was made for!

    C'mon people. The article itself here admits the full details aren't known. We don't know what this student did and we don't know what he said in his email. For all we know he may have committed fraud with the information obtained, then sent a taunting letter to the principal telling him how he did it.

  45. Law
    IT Angle

    I wouldn't worry about the kid too much

    Soon enough criminal records relating to "hacking" charges will be collected by all the cool kids, and be used as a badge of honour in the industry.... much like the ASBO is used in "respectable" communities up and down Britain today! :)

  46. Phillip Bicknell

    Voltaire

    "It is dangerous to be right when those in power are wrong." No computers in the eighteenth century, but still just as valid.

  47. Anonymous Coward
    Happy

    @EdwardP

    Having a bit of a bad day, are we? Hope you are doing better tomorrow.

    I've heard of reticulated and burmese, but not monty pythons....WTF?

    Sad that this ends up like this for the kid and we really don't have enough information to know exactly what he did or said but it certainly appears that the admins are wankers who want to cover up their own incompetence.

  48. EdwardP

    Damnit El Reg Rule. Thx Moderatrix ;)

    "I've heard of reticulated and burmese, but not monty pythons....WTF?"

    Return to your cave, there is nothing for you here.

    http://en.wikipedia.org/wiki/Monty_Python

  49. Ben Lambert
    Black Helicopters

    Some Schools....

    I'm a HS Network Admin in the US. I try to keep a good relationship with the kids, especially with the more computer savvy ones. As a result, I usually get good information about what is going on. I try to help them if they have computer questions and try to help them understand why I have to do certain things (blocking websites). There is another school close by where the NetAdmin is a controlling jerk, I doubt the kids would do anything except be malicious, just because they hate him.

    Unless I found a kid purposely attempting to be destructive or malicious, I don't care. Most of the time, if I do find something, I just go talk to them and say cut it out or else.

    I am curious how our administration would handle something like this, I would hate to be caught in the middle.

  50. Simpson

    FOIA

    Security? Private?

    The kid could have just filed a Freedom of Information Act request.

    Political parties in Michigan are using the FOIA to get info from school databases, to send political spam. From the Detroit Free Press http://www.freep.com/apps/pbcs.dll/article?AID=2008810270318
