HS Students Steal SSNs to Prove They Can
thatshortkid writes "Local news in Chicago is reporting about two Hinsdale Central High School students who breached their school's computer system and retrieved all of their peers' (plus staff's) Social Security Numbers. They claim they have destroyed the information and haven't given it out, but the SSA and FTC have been alerted for good measure. While they claim their motive was to prove that the breach could take place and no malice was involved, they face possible school disciplinary action and criminal charges."
ridiculous (Score:5, Insightful)
G I T M O (Score:4, Funny)
Re:ridiculous (Score:3, Insightful)
Re:ridiculous (Score:5, Insightful)
Crime is not synonymous with bad, wrong, or evil.
Re:ridiculous (Score:5, Informative)
Re:ridiculous (Score:5, Interesting)
Oh, sure it is. Back in university, I read a newsgroup post by a system administrator that insisted that Sun's Yellow Pages were a secure way to manage passwords. I sent him a copy of his password file and his ypserv went down in a blink. If instead I gave a long technical explanation, he would likely just ignore it.
And today companies like Microsoft and Apple ignore critical security flaws until someone provides an obvious exploit on a public web page. What is not necessary is causing damage or using any information obtained for personal gain.
Re:ridiculous (Score:5, Informative)
I would think that people would have learned from the example of Randall Schwartz. You especially don't want to do it with someone who would be publicly embarrassed by it because you're at high risk that they will file charges.
Re:ridiculous (Score:4, Interesting)
Re:ridiculous (Score:3, Insightful)
And I know it's fashionable to hate on business, but there are a lot of security flaws that get patched without an exploit being published or used.
Re:ridiculous (Score:4, Insightful)
As for businesses, what about all the exploits they don't fix or check for because their software is "good enough"?
Re:ridiculous (Score:3, Insightful)
Approach the business saying you provide a service. If they say thanks but no thanks move along and take salacious glee in the fact that they may get comeuppance one day.
Re:ridiculous (Score:3, Interesting)
Either you:
1) Inform the admin of a possible security risk, and hope they're nice enough to take notice of you. Chances are you won't even get a single second of their thought. End Result: Security risk stays there and the admin thinks they have another 'I'm a teenage smartass' on their hands.
2) You hack their system to prove there is a security risk there. End Result: You could face criminal charges, get kicked out of college, and have one hell of a hard time getting back into one.
Eithe
Re:ridiculous (Score:4, Insightful)
Which means that you should take option three: Do nothing and let it blow up in the admin's face. After all, if you warn them, and they do nothing, and it blows up in their faces, they have a scapegoat to blame for their incompetence: you.
Why risk anything for your school / workplace / country ? You don't owe them anything, and they certainly won't hesitate for a second if screwing you over ever becomes profitable for them.
If you absolutely have to warn them, do so in such a way that your identity can't be confirmed. If they ignore anonymous warnings, it's their problem, not yours.
Re:ridiculous (Score:5, Insightful)
Re:ridiculous (Score:5, Insightful)
I spent time in the back of a squad car for stating there were security problems at my school (back in 93, I was a Jr.). The Principal did not believe me, and I was asked by the "computer teacher" to demonstrate, which I did. Upon completing the demo, a change of my grade (downward, ironically), I was detained in the office pending arrival of the authorities.
I now have a job where I get paid for those same skills, and the thread starter is correct about paying the students. The problem is that HS staff does not like being shown that their charge (the students) have more power than them, which this demonstrates.
-nB
Re:ridiculous (Score:3, Insightful)
The better thing to do [both then and now] would be to have someone from the media with the informer. If the "powers that be" choose not to "go along with it" while it's on the record, then that still leaves the door open for the story to explain what's possible, what's been offered, and what's been refused...and by whom. You cannot win 1 vs. the world. Adding the media to the equation, particularly one who knows what they are doing,
Re:ridiculous (Score:5, Insightful)
Come on, it's not about power. The school system certainly doesn't like it being known that the information they keep about their students and staff is vulnerable to theft and manipulation - it doesn't matter who can do it. Students would presumably be the ones with most to gain by hacking their records, but identity theft is arguably a bigger threat when it comes to employment records and other data on the faculty.
But it's much more likely that a student will be bored enough, have enough time, and be allowed to physically have access to a machine on (or plug a machine into) the local network - so of course that's where the friction is going to be. And, since so many students imagine themselves to be in an adversarial relationship with the teachers, the staff has to be prepared to react accordingly. It's not about not liking a student having more "power," it's about not liking a student screwing around with sensitive data. High school students are notoriously lacking in almost any sort of judgement, and routinely fail to think through the consequences of their actions. This is often more true of the geek set, pleased as they are with their high IQ and skills, and distracted as they are from the daily tribulations of "normal" people (like teachers trying to maintain a career, health insurance, and a credit rating on next to no income).
And, of course, the odds that the staff of a particular high school have themselves chosen the network infrastructure, software, security model, and so on, upon which their daily system-based activities depend - pretty slim. But they've got to live with it, and when they catch a student deliberately breaking in, of course they're defensive. Hell, a student could also very easily break out a window of a science classroom to show that a determined thief could easily steal a microscope, what with the staff's ridiculous choice of obviously inferior mere glass as a deterrent. That doesn't make the staff power-obsessed when they bust on a student for putting that brick through the window.
Re:ridiculous (Score:5, Interesting)
The Principal did not believe me, and I was asked by the "computer teacher" to demonstrate, which I did. Upon completing the demo, a change of my grade (downward, ironically), I was detained in the office pending arrival of the authorities.
Which is exactly what happened to me. I was a library computer tech at my school and I demonstrated to the district tech staff the many holes they had in their network. It was so bad I could easily escalate my user rights on the servers and gain admin access, allowing me to view everyone's network shares, including the staff's.
I also showed them how kids were installing games and IM clients on their machines, getting by the security lockdowns imposed by Fortres, and demonstrated some settings they could change to improve security.
I was promptly removed from the library tech staff for "AUP violations involving hacking and changing settings". I have also been blacklisted from all computers in my school. Not only do I no longer have a domain login, I cannot use any school computers, nor can my laptop be on school grounds.
Just goes to show you what happens when students show up paid "professionals".
Re:ridiculous (Score:5, Interesting)
Just goes to show you what happens when students show up paid "professionals".
To be fair, it's not an issue of students vs professionals. The response you saw is typical in many organizations at many levels -- they want security, don't know how to achieve it or aren't willing to spend the time/money required to achieve it, and simply prefer to believe that the system is secure.
Demonstrating to them that the system is not secure doesn't work, because they don't want to believe the problem is with the system -- which implies that the administrators are the problem. They prefer, instead, to think that the person who can break in is somehow unique and that if they can only keep that individual away, they'll be fine. In other words, they focus on the hacker as the problem, in order to avoid admitting that they themselves are the problem.
A good example is one I used in another post in this thread; Richard Feynman's experience with trying to get the military brass to get more secure locks to protect their files on nuclear weapons during the Manhattan project. He demonstrated the locks were insecure by picking one. They responded by issuing a memo ordering everyone to change their combination whenever Feynman visited them -- effectively ordering them to keep Feynman away from their offices and their locks.
Re:ridiculous (Score:5, Insightful)
You'd think that would be the case. Unfortunately, the answer is no.
From this article [epic.org]:
What I find interesting is that no one seems to be questioning why a high school needs to have the students' SSNs in the first place. Personally, I think that the administrator that made the decision to put SSNs into a (now proven) vulnerable database should get at least the same punishment as the students who cracked it. And if they are using products that are known to have weak security, they should get double. Why was this database even connected to the net, anyhow? Honestly, the real crime here is the lackadaisical handling of such sensitive information, when there is no good reason for them to have students' SSNs in the first place.
Re:ridiculous (Score:5, Insightful)
Re:ridiculous (Score:3, Insightful)
If it's made public, then people can compromise the data maliciously before it's fixed.
If they go in on their own, then they'll be punished for it. And they have to be - you can't let people mess around with the system as long as they don't do any damage, because people will mess around with systems and do damage even though they didn't mean to.
The correct thing to do is probably to inform the school, hopefully get them to let you demonstrate the flaw under supervis
Keyword : Hope (Score:3, Insightful)
This is the stem of all security problems.
If you DO blow the whistle, unless you have some SERIOUS clout behind you, chances are most people aren't going to listen to you. (See: Microsoft).
If you DON'T blow the whistle, do nothing and have a vested interest in the company/school then you risk ha
Re:ridiculous (Score:3, Interesting)
And if they had done this they would be
The only way to demonstrate that you can download social security numbers is by downloading social security numbers. I should point out explicitly that I
Re:ridiculous (Score:3, Informative)
And the proper way to show this is with a teacher or network person next to you, after telling the school of the possible problem and your desire to show them how it may be exploited (in writing). I am not sure what type of exploit this was; however, it may very well have been possible to show that one can take the SSNs without taking everyone's (take your friends' or whatever).
Re:ridiculous (Score:3, Insightful)
lol that was great... you mean CRIMINALS
How about those folks who rob a convenience store to show their security holes... should we just let them off simply because they figured out how to do it and were caught? Yet they say oh, well we were going to return the money so it is ok and nobody was hurt.
Talk about flawed logic with your whole "We really need sane laws that do not allow some one to be prosecuted if t
Re:ridiculous (Score:4, Insightful)
How about an analogy that doesn't involve a gun to the face?
Re:ridiculous (Score:3, Insightful)
How about an analogy that doesn't involve a gun to the face?
You sneak into your neighbor's fenced and gated backyard and, through a window only visible from the backyard, watch her undress without her knowledge or consent.
Re:ridiculous (Score:3, Insightful)
Re:ridiculous (Score:3, Insightful)
One of my daughter's friends keeps pressuring her to give out her passwords on various sites. I've suggested my daughter tell her friend, "You can have my passwo
Re:ridiculous (Score:3, Funny)
Re:ridiculous (Score:3, Insightful)
Bullshit. If they can't properly secure their students' sensitive information (such as SSNs) then they shouldn't be storing it. Or they should store it on paper only, in a vault. I never fully understood why my high school needed my SSN anyway, and now that I s
Re:ridiculous (Score:5, Insightful)
Otherwise, please give me your full name and SSN. I promise I won't do anything with it.
Gross or willful negligence by school admin (Score:3, Informative)
Sorry, but their privacy was deprived the moment some idiot decided to put that information on an accessible server. More has to be known about what efforts the kids made to alert the school administration and get them to fix a problem.
Focusing on the kids is a load of bullshit anyway. What was the personal data doing on a server accessible from a home computer? It sounds to me like the school administration is trying to create a smoke screen for their gross or w
Re:ridiculous (Score:3, Insightful)
[/quote]
Yes it is. Try putting cameras up in a bathroom or changing room or pointing into someone's windows. Try tapping someone's phone line.
[quote]My SSN is all over the fucking place. In the hands of my mortgage company, my bank, hell, the university where I attended school used it as our Student IDs, so they were all over professor's roll sheets which I
[/quot
Re:ridiculous (Score:3, Interesting)
google://FERPA
check it out. If the database was leaking SSNs, I'm sure pretty much everything else was falling out too.
Re:ridiculous (Score:3, Interesting)
If you copy some SSNs, you are depriving no one of anything.
So put up or shut up, in support of your argument; post your real name and your SSN.
Stealing an SSN is depriving someone of peace of mind. What's the value of that?
Dumbasses..... (Score:5, Insightful)
More about saving face (was:Dumbasses.....) (Score:3, Insightful)
Re:More about saving face (was:Dumbasses.....) (Score:3, Interesting)
Students who demonstrate intelligence beyond their years or insight into problems which the teacher cannot comprehend are VERY threatening to the teacher.
I was identified as "gifted" between grades 2 and 3. People didn't have to tell me that; I was understanding concepts beyond the level of my peers. It worked out luckily that I had SEVERAL peers who were approaching the "gifted" level, and one who was also "gifted".
I would note that due to the inherent difficulties with IQ/aptitude testing
My School (Score:5, Interesting)
The scary thing is until very recently (last semester) this information on every student included home phone numbers *and* Social Security numbers. Don't go to my school if you value your privacy. Our IT department is stuck in 1999.
What are kids coming to these days? (Score:5, Funny)
Back when I was in school, we only broke into the school database to change our grades.
Re:Dumbasses..... (Score:5, Funny)
tough way to prove point (Score:5, Insightful)
Re:tough way to prove point (Score:4, Insightful)
hahahahahaha...
They would have probably gotten the kids in trouble for thinking about "hacking" into the computers. Those hacker kids are nothing but trouble you know. School IT staffs are a JOKE in 90% of schools, and don't give a damn or don't know a damn thing.
Re:tough way to prove point (Score:5, Insightful)
Besides, as people already commented, it is stupid to commit a crime just to show that a crime of this sort can be committed.
Anonymous snail mail to IT admins... (Score:3, Insightful)
Over react much? (Score:5, Interesting)
"When we grow up and get our jobs, that's our life right there. They can access anything about us. It just screws us up for the rest of our lives," said Julianne Junus, student.
Re:Over react much? (Score:5, Insightful)
Re:Over react much? (Score:3, Insightful)
Legalities of SSN use (Score:3, Interesting)
So really, no college, bank, or most anything else is allowed to make
They kind of deserve the punishment (Score:5, Insightful)
Re:They kind of deserve the punishment (Score:5, Insightful)
Being busted or not is not the issue. If they had been busted while trying to get in then they would have had no excuses. They broke in and that is bad.
The way I look at it (Score:5, Insightful)
Just a thought.
Re:The way I look at it (Score:5, Insightful)
Every time this argument comes up, someone tries using that line of logic. The fact is, though, that even though your actions were stupid, the burglar broke the law.
They still deserve no punishment! (Score:3, Interesting)
Re:They kind of deserve the punishment (Score:5, Insightful)
. . . imagine you're legally required to keep your electronics and jewelry in someone else's house. And not only that, but several hundred of your friends are too. And imagine that you know the security in this house is bad, and you've tried telling the owner of the house that your possessions are in danger, but he doesn't care. And you've tried telling the government that your possessions are in danger, but they don't care either. Your friends care though, and they're really frustrated knowing that all their possessions are in danger, just like yours, and that nobody seems to be able to do anything about it.
Maybe then you'd break in, to demonstrate it's possible, and get the owner of the house to tighten up security for the sake of you and your friends?
Re:They kind of deserve the punishment (Score:5, Insightful)
No; I would have filed a civil lawsuit against the school. There are very good chances that the problem would be fixed in a matter of hours - and I would get a useful experience in defending my rights in a completely legal way.
(I recall an old movie with Hulk Hogan where a scenario of this sort was presented.)
Evidence? (Score:3, Interesting)
Oh wait... that's what happened.
Common Sense (Score:3, Insightful)
I know people will come on here and say "OH but the administrators probably wouldn't listen so they had to do this to prove how serious it was". I'm sure if they followed good procedure and presented a good presentation to the Board/etc. they would have gotten a better reception than what they did.
Re:Common Sense (Score:5, Insightful)
In that way, even if they were completely ignored, they'd at least have something to back them up when they make the futile claim that they tried all the normal means to make the school aware of the issue.
Sure, they'd still get in trouble with the school, but at least they'd have some credibility in the public's eye as doing this for a good reason rather than simply because they could.
Re:Notation? (Score:5, Insightful)
Having my data on their servers seems compelling enough...
Yup. (Score:5, Insightful)
yes,let the kids decide about your privacy (Score:5, Insightful)
To go all the way through to stealing *everyone's* information, and then afterwards claim you only did it to help is bad judgment at best. In some states it's criminal.
Well, is hacking... (Score:5, Interesting)
Well, for one, it is public knowledge that the SSN X's (in my representation) are, in fact, state codes. I have some reason to believe that the Y might be county or some sort of district code, but I can't be so sure unless I'd gather enough SSNs and location of birth
Yes, the mail center in which you were born is what the state code is attributed to, not the actual locale you live in. Say your parents lived in Phoenix, Arizona but went on a trip to New York City. The baby's SSN would start with 050 to 134, NOT the Arizona 526 prefix.
Well, hope this sparks up some replies (and mod points! yay mod points!)
Re:Well, is hacking... (Score:5, Informative)
In many cases (especially recently), SSNs are applied for semi-automatically through the hospital someone is born in, so in that case the hospital location would determine the prefix.
Personally, I didn't have a SSN until I was 23 (and only then because I couldn't avoid it anymore without causing myself hassles with otherwise-decent employers that I didn't feel like hassling with), so my prefix is the same as the office I applied through when I got mine at age 23, nothing to do with my birth location.
Re:Well, is hacking... (Score:3, Informative)
I should have clarified myself. The SSN state code is based off of the location of the mail collection where you requested it. So, if you lived in the sticks near a border of a state, an
Re:Well, is hacking... (Score:3, Informative)
There are even some 10 digit SSNs out there. It has to do with the 1950 military personnel or something (I'm still unclear about this one) and their distinctions thereof.
Most systems that have SSN coding do not account for this, nor do they account for a few 8 digit SSNs used during the thirties (when SS was enacted). Most of the 8 digit ones were renewed to the now 9 standard, but it was not a requirement to have the 9 vs the 8.
would you? (Score:4, Insightful)
This just shows that most companies and governments cannot do so.
High School Systems Insecure? You don't say! (Score:5, Interesting)
The first time was a simple brute force attack on an AppleShare server, because the main admin refused to put a limit on the number of password attempts because it was too inconvenient to have them simply go up to an admin and reset their password, despite that being more or less exactly what would have to happen if someone forgot their password anyway. I found out that year who had done it, but congratulated the person.
The second time it was because the rather ancient admin password leaked out and they were able to use that to not only get into the teacher's file server but also the SASI server with all the grade data! Why did we use this password? Well, because it was tradition! I found out only a couple months ago who did this, he didn't
There's so much incompetence at so many High Schools it wouldn't surprise me if it was something as simple as a server that hadn't been patched in ages. Aren't you glad to know that these are the people with all your insensitive data? As it stands at my college they use SS#s for *everything* even though they probably shouldn't.
Re:High School Systems Insecure? You don't say! (Score:3, Interesting)
Imagine how much incompetence there is at universities.
During my senior year, my school's network was being brought to its knees on a regular basis by Napster. It wasn't students downloading that was the problem, it's that they'd go home for the weekends, leave their connections running, and everyone uploading god-knows-what from all over campus would ju
Not the Real Problem (Score:5, Insightful)
I'm certainly not suggesting something as draconian as RealID. But it should not be necessary to keep one's SSN any more secret than the account and routing numbers printed on personal checks.
MOD !^$# PARENT UP! (Score:4, Interesting)
Re:MOD !^$# PARENT UP! (Score:3, Insightful)
I can't honestly say I check it frequently, but looking at the license number provides a good quick check that the card isn't a blatant fake ID.
If part of your license is covered over, I'd be really suspicious of what you
Re:Not the Real Problem (Score:3, Informative)
We don't need RealID or any other stupid thing, we just need to enforce the existing laws. Just like almost everything else Congress passes new laws about.
Punish who? (Score:5, Interesting)
Most databases and file servers have permissions systems in place that can authenticate by host and IP range. Most administrators assign different IP ranges for different purposes - staff should be different from student-accessible. Also, multiple passwords are required in most systems to access sensitive information: computer login, network login, database login. Passwords are also supposed to change often. Why were these precautions not taken, and why did the admin not notice anything suspicious until it was too late?
Never underestimate 15 year olds. Why? First, they have WAY more free time than any of us working folk. Come on. They get home at 3, and have maybe an hour or two of homework to do sometimes, then they stay up until 1-2 AM. Second, there are a lot of them for every administrator at any school. Third, they are hormonally imbalanced and do irrational stuff to prove irrational points. They can exploit all of those points to their advantage at almost no notice. I did, you did, most everyone did.
Someone needs to be made an example to prevent this sort of thing elsewhere. I think the administrator is the best choice, personally.
Ask yourself: why is a high school using SSNs? (Score:5, Insightful)
Keeping SSNs around obviously can't be avoided for the school's employees (for tax and other reasons), but employee databases should be separate from student records, and there are far fewer employees than students anyway.
Basically, SSNs seem to have become the knee-jerk instant universal ID number for American firms and institutions of all sorts, which is a pity. It's best if we (as IT professionals) try to encourage the keepers of old databases to transition away from using them, and to strongly recommend that new databases not use them at all, wherever possible.
Re:Ask yourself: why is a high school using SSNs? (Score:3, Funny)
high schools are resource-constrained (Score:4, Insightful)
From my experiences doing pro-bono work at four different high schools, I'd say that most of them barely have the capability to deal with the most rudimentary data management tasks. I'm not saying this to be dismissive of schools or the people who work there, but they are in many cases so short on human and technology resources that creating and managing unique IDs for each student isn't something that would even cross their minds.
The SSN is, as you mentioned, the knee-jerk instant universal ID number precisely because it requires no extra effort. This is not a good situation, but it has come about because there is no compelling reason (that many institutions can see) to devote extra time and effort to coming up with alternate ID schemes for schools.
it's all about trust folks (Score:5, Insightful)
the problem has to do with what the word "trust" means. society at large doesn't trust an intelligent well-intentioned hacker (these students are hackers as in the old school sense if there ever was one, as opposed to the new school "hacker=terrorist" sense). but they DO trust a bumbling idiotic underpaid school administrator.
why?
it's about how the average slashdotter views "trust" and how society at large views "trust". the average slashdotter trusts intelligence, cleverness, technical literacy. but the average joe simply trusts accountability.
the school administrator's job is to keep security, he is trusted by society, paid by society to do this. he is accountable. the school administrator will be reprimanded by this breach, and the breach will be repaired. this is society at work. meanwhile, there is no social contract with the high school student. there is no trust. there is no accountability.
yes, security will be better because of what they did. yes, their intent is perfectly sound. but there is no trust, there is no accountability as far as the average joe sees it.
the lesson therein is for the average slashdotter then:
accountability is more important than cleverness.
to put it another way, the average joe doesn't care how technologically sophisticated the security is on their SSNs. the average joe just cares if THERE IS SOME ACCOUNTABILITY. so the SSNs could be on a text file on a webserver, they don't care. the question is: is someone's job on the line for the theft? the average joe understands this concept: someone will suffer if my identity is stolen. therefore, someone out there is motivated to protect me.
meanwhile, these students have no social contract, no accountability. what is their intent? what is their motivation to do good by me? all i have to trust is their word, and i don't know them from adam. therefore, all that they have done for the average joe goes unheeded, unrecognized. the students helped the average joe, but the average joe sees them as criminals.
folks: gnash your teeth all you want, i'm just trying to give you all a heads up about the difference in thinking between the average joe and the average slashdotter. if you don't like what i am saying, don't be mad at me, don't shoot the messenger.
be angry that trust does not mean same thing to you and the average guy on the street.
Re:it's all about trust folks (Score:3, Insightful)
That said, someone getting yelled at by the boss seems very likely here...
Re:it's all about trust folks (Score:5, Insightful)
The difference for the students is the one between numbers and people.
For the school board (or however you're organized over there), there is a case of '500 SSN's got leaked, oh well.. the bad publicity will cost us less than hiring competent people'.
For the students it's, 'holy shit, they're practically giving away our SSN's, I don't want my bank-account suddenly emptied'
The victims have an inherent motivation in not becoming fucked over. The overseer's main motivation is not being yelled at.
Re:it's all about trust folks (Score:3, Insightful)
to put it another way, the average joe doesn't care how technologically sophisticated the security is on their SSNs. the average joe just cares if THERE IS SOME ACCOUNTABILITY. so the SSNs could be on a text file on a webserver, they don't care. the question is: is someone's job on the line for the theft? the average joe understands this concept: someone will suffer if my identity is stolen. therefore, someone out there is motivated to protect me.
I guess I have to disagree with this. The average joe onl
Not hard at my alumnus... (Score:3, Interesting)
That's pretty high security... (Score:5, Interesting)
Why do schools need your SSN? (Score:3, Insightful)
Does anyone know? It's not like the students are paying any taxes towards social security through the high school
Thought Experiment (Score:3, Interesting)
As a realistic example, imagine I was able to write a function decrypt() such that it could turn a text file of one of the works of shakespeare into a list of social security numbers. Would then, all people who have a text version of said shakespearean work be in possession of illegal material?
Quite honestly, if you take this to a logical extreme, no matter what the input data, given the ability to write any function, the output data could be anything you could conceive. What if your function is simply the concatenation of "illegal" data to the output. Would then the "reverse engineering" of said "encryption" function be illegal according to the DMCA? It is a "security device" at this point, right?
This all boils down to the difference between data and functions on data. It is illegal to hold certain data. But what if we label data as functions on data? In fact, security device functions on data. Could we then distribute the functions and make it illegal for people to reverse engineer the functions without permission?
How do SSNs work? (Score:3, Interesting)
The SSN seems to be a number identifying a person. (We have that where I live too.) But somehow, this number is assumed to be secret, like a password. If you can learn the number you can access anything about the person and you also seem to be able to hurt the person financially. Withdraw funds? The security seems to revolve around the fact that the number (the identity of the person) is secret! Because everyone here seems to be upset that these kids exposed all those numbers!?!? This boggles my mind.
Are there no other attempts at authentication? IDs? If your SSN is your password, how do you change it? (I would like to have it changed several times a year, no matter what if there is no other security than secrecy.) Can someone explain?
Re:How do SSNs work? (Score:5, Interesting)
The SSN was only intended to be the number you would use to identify yourself to the social security department where they could look up your info and validate that you are ready to receive your money when you retire.
Now your SSN is your life for the most part. If someone has your number, they don't even need to know anything else to screw you over. With the number they can do searches and find your name and current residence. With that info they can sign up for credit cards in your name and screw over your credit. They can basically steal your identity just by knowing that one special number. If someone with bad intentions has your SSN, you are basically fscked unless you have a lot of money to pay lawyers to fix everything.
It's basically a fairly fscked up system.
letter (Score:3, Interesting)
Dear Superintendent Miller,
I am sure you have been receiving a barrage of e-mails recently, so I'll make this short.
Recently I read about two of your students attending Hinsdale Central High School breaching network security and stealing the Social Security Numbers of students and staff. While I do not believe that stealing the SSNs was appropriate, I do not support the way your administration has handled the situation.
A communal perspective needs to be taken when looking at the actions of those two students. Often drastic measures, both vulgar and offensive to those in charge, have to be taken. At this moment the citizens of Arizona are spitting in the face of the government by protecting their own borders. This is not very different from what these two students did at HCHS. While they did break the law by cracking through security, they were trying to protect the student body (including themselves) and the staff by alerting the school of its flaws. Let's say someone was to break into their bank and steal their safety deposit box, and then handed it back to the bank manager the next day. A conceited bank manager wouldn't be able to see the good in what this man had done and would call the cops. However, an intelligent bank manager would hire this man.
Also, I am well acquainted with system admins in school districts. A close friend of mine has been one of the head network admins for the Boston Public Schools for almost 15 years. While he works with gifted students to patch holes in security, many of the other admins disregard student warnings. They let their titles, status, and education get in the way of common sense.
Punishing these students is just another way that red tape and policy are destroying ingenuity in America. Strictly disciplining these students will only perpetuate the notion that students in America should strive for mediocrity and that being bold and initiating change should be shunned.
- Xxx Xxxxxxxxx-Xxxxxxx
Cover up (Score:5, Insightful)
The truth is the lazy, idle and incompetent always prefer the cover up to the fix. Whether it is the Roman Catholic church and child abuse, torture at Guantanamo Bay, or security holes, the people in charge will conceal rather than cure. Two examples from my own career:
I was once asked to investigate the apparent failure of an automated component test system. Eventually a review of the hardware and software left the only option as being that the production personnel were deliberately falsifying results and passing rejected batches. Result: three senior managers demanding I be sacked. Fortunately at this point we acquired a new CEO who had several clues. One manager was fired, one left of his own accord and the other was downgraded. But customer confidence had been eroded and the plant eventually had to be shut down. The second example was less exciting: a production director who resisted for years the introduction of statistical process control because it would make clear where systems were failing.
I'm sure many of us have similar examples. It is not in fact important what the motivation of the whistle blower is, we need to change the culture to one in which the response is "Fix it", not "shoot the messenger". With hindsight, we may one day conclude that the tradition of open bug fixing in FOSS is its greatest social legacy.
I went to school here -- I can believe this. (Score:3, Interesting)
Brilliant, but stupid. (Score:4, Interesting)
Seriously. If these kids had cornered a reporter, made an argument for his/her involvement and brought along said reporter with the promises of an exclusive, their ass would be automatically covered. The presence of the media would have proved they were whistle blowers and not some renegade "vigilantes" that got caught in the act. Nothing could prove different once the film and commentaries went to air.
The moral is....Once you decide to show some self centered egotistical bastard which way the wind blows....bring a weathervane.
An alternative approach... (Score:3, Informative)
Comment removed (Score:5, Interesting)
Re:faulty logic. (Score:3, Interesting)
If there were faults YOU knew about that bus, and let others ride on it knowing that injury might result, you would be at fault morally, and perhaps legally and criminally.
How is this different than the shock-journalists on the local news finding "naughty no-no subjects" and then prodding them until they're fixed? Our local (Indiana) problem is the channel 8 news WISH was going over the VX gas stockpiles and how the military was letting the barrels corrode and stuf
Re:College SSNs may bring rewards (Score:3, Interesting)
Where did you go to school? They actually teach college students about money management and how to improve your credit score. Don't post where it is, Discover will go there, and dump credit cards until they ruin a good thing.
In my experience, most college students do more harm to their credit scores in college than t
Re:Civil Disobedience has its price. (Score:3, Informative)
That would be "tyrants" and "patriots", not martyrs. (Though, I suppose a patriot who acts in a way that will result in his death for a noble effort, and recognition thereof, is a martyr.)
Re:Hardly Uncommon (Score:3, Interesting)
Each of these boxes has telnet open for administration of the system by the lunchroom manager or system administrator. You can get into the system with NO PASSWORD to mess with the system, change the prices of food, and probably even get access to the accounts of students who are on low-income assistance from the go
Re:When I was in HS... (Score:3, Funny)
Must have been a Catholic school... Nobody else masks acronyms.