Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Education Government The Courts News

Student Charged With Three Felonies For Finding Security Flaw — and Report 547

Well, yet another teenage hacker who "did the right thing" by reporting a security flaw is being punished for his actions. Although it definitely sounds like the whole story may not be in the clear yet, a 15-year-old New York high school student has been charged with three felonies claiming that he accessed a file containing social security numbers, driver's license numbers, and home addresses of past and present employees ... and then sent an anonymous email to the principal alerting him to the security flaw. "All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks."
This discussion has been archived. No new comments can be posted.

Student Charged With Three Felonies For Finding Security Flaw — and Reporting it

Comments Filter:
  • by sethstorm ( 512897 ) * on Tuesday October 28, 2008 @05:38AM (#25538735) Homepage

    Was there any bit of responsible disclosure, because it sounds a bit like "killing the messenger". While there may be discipline in order, this seems to be overkill if he was really intending to do the right thing.

    • by SQLGuru ( 980662 ) on Tuesday October 28, 2008 @06:46AM (#25539075) Homepage Journal

      I guess part of me wants to know how he found out. If he found out by accident, then yeah, this is a case of "No good deed goes unpunished"....but if he was looking around for something to hack and found more than he was expecting, then there should be some punishment (though probably not three felony charges).....

      Layne

      • by dhasenan ( 758719 ) on Tuesday October 28, 2008 @08:32AM (#25539709)

        Even if he was looking for something to hack, he didn't do any damage. Instead, he performed a public service. Punishing a person for something he maybe was wanting to do is just stupid.

        On the other hand, if he didn't phrase his message carefully, it could have been taken as a threat. If he said something along the lines of "Please use a more secure password on $SERVER -- I guessed it easily", then it's hard to sympathize with the administration. If he said "I accessed your server and now have the social security numbers for every faculty member", then it's much more ambiguous, and I'd expect the student to be investigated. Just investigated, not arrested.

        • by DaveV1.0 ( 203135 ) on Tuesday October 28, 2008 @09:33AM (#25540311) Journal

          Opening a closed but not locked door and entering a building without permission is still against the law. It is called breaking and entering.

          He is not being punished for "wanting to do" something, he has not been punished for anything yet. He has been charged with a crime for something he did, namely "computer trespass" for accessing a system without permission.

          • by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Tuesday October 28, 2008 @09:53AM (#25540553) Journal

            Opening a closed but not locked door and entering a building without permission is still against the law. It is called breaking and entering.

            IANAL, and I'm just guessing, but wouldn't that be tresspassing? I mean, if you're breaking and entering, I would assume that requires the breaking of something, right?

            He has been charged with a crime for something he did, namely "computer trespass" for accessing a system without permission.

            There you go.

            I would also like to know more about the circumstances. I don't think curiosity should be a crime, and I do think there should be a much more rigid definition of what constitutes "unauthorized access" -- in particular, I think the burden should be to show that the access was, in fact, unauthorized, rather than requiring everyone to keep a clear record of authorization from every site we've ever accessed.

            Having read TFA, it looks very much like, by any technological definition, he was authorized. There would have to be pretty clear indications that he wasn't supposed to be there.

            And even if he was entirely at fault, this is also entirely the wrong way to go about it. The lesson to be learned here, from any other student who's paying attention, is simply to not tell anyone what you know.

        • by j00r0m4nc3r ( 959816 ) on Tuesday October 28, 2008 @09:34AM (#25540333)
          He's in trouble because he copied the file(s) to his computer. It's not like he just said, "Hey this looks insecure", he actually copied the data and looked at it. That's a huge violation. Yeah I'm not riding the "HE'S BEING PERSECUTED!" train. He copied people's private info to his personal computer. Who knows where it could end up from there? It doesn't matter if the network was insecure, he should have just called the administration and said, "I think this might need looking at..."
          • by Gary W. Longsine ( 124661 ) on Tuesday October 28, 2008 @10:14AM (#25540815) Homepage Journal
            You keep using that phrase, "copied the files to his computer". I don't think it means what you think it means.

            In discussions like this, it might merely mean that the kid accessed a protected area by accident, and his web browser "copied the file to his computer". Law Enforcement sometimes misuses the mere presence of data on the suspect's computer as the standard for proof of guilt, which is sometimes only the browser cache or even the cache for a filesharing program, when the user may not even know what the heck was in it.

            The file name undoubtedly was not "click here to get 3 felony charges file against you and seriously fuck up the rest of your life" . The kid appears to have been doing the right thing. Now, if he tried to sell any of the data that he saw, sure, charges might be appropriate. Based on what little public information is available, this appears to be a case of shooting the messenger.
          • by DigitAl56K ( 805623 ) * on Tuesday October 28, 2008 @10:34AM (#25541051)

            He copied people's private info to his personal computer. Who knows where it could end up from there?

            Yes, and who knows where it might end up being accessible to "thousands of students, faculty and employees" if nobody ever reported the problem?

            Fair enough, the law is the law. If you use someone else's password you've accessed a system in an unauthorized manner whether you copy a file or not. In fact if there is any doubt that you *were* authorized to use that password then you could argue whoever made the file accessible inherently granted you authorization to access it. But let's have some common sense here: by shooting the messenger they're essentially making fear/obscurity their main security measure, and that's exactly what landed them in this situation in the first place.

            Does anyone know if the school is facing charges or a suit for breaking data protection laws btw?

            • by bcwright ( 871193 ) on Tuesday October 28, 2008 @11:36AM (#25541903)

              What, exactly, do they mean by that? Remember, we're talking about governmental entities that have a long history of not understanding much about computer security. For example:

              $ ftp ftp.myschool.edu
              Connected to ftp.myschool.edu
              User (none): guest
              331 Enter email address for anonymous login password
              Password: myusername@yahoo.com
              230 User guest logged in.
              FTP>

              Law Enforcement: "Clearly he was trying to impersonate Mr. Guest!"
              You: !@#@#$

              You think that's too silly? It's no worse than any number of other things I've heard about from such people. Or consider this:

              You: "Let's see if that cute girl Angela in my English class has put up a home page on the school computer system. Let's see, use Firefox to browse to www.myschool.edu/~angela/ ... That's odd, doesn't look like what she'd have on her home page. What's this file?"

              Cops: "Clearly he was trying to break into the Assistant Principal Angela H's computer work area!"

              I don't think these examples are unrepresentative of the typical computer security understanding of law enforcement, unfortunately.

            • Re:Password use (Score:4, Insightful)

              by bcwright ( 871193 ) on Tuesday October 28, 2008 @12:06PM (#25542381)

              At least a couple of the articles say that the password he used (whatever that means, see my other comments on the subject) belonged to "another student." Oh, really?! Why did that other student have access to the data?! And why isn't he being charged?!

              Clearly what we have been told about this incident is highly misleading. Either
              (1) The file was in a location that could be accessed by ANYONE on the school network, or
              (2) it had already been hacked by another student, who for some reason is not being charged, or
              (3) He hacked into an administrative area, where the file may have been inadequately secured. Comments by the administration and law enforcement to the effect that the password he used belonged to another student are either incorrect or misleading.

              Something is clearly rotten about this story, unfortunately it is difficult to tell if he did anything wrong or not, or whether he is a criminal or a scapegoat. Not only do we have to get information filtered through the administration and law enforcement (for whom computer security is usually at best an arcane art that they understand only poorly if at all), but all the primary sources are articles written by local news journalists rather than technical journalists, who are generally not much better at understanding the technical details.

              It would appear however that unless he needed to hack into a reasonably well protected account in order to obtain the data, the school is clearly facing a serious HIPAA breach. That alone could be making them overreact, by trying to find some way - any way - to pin the blame on someone else.

              • Re: (Score:3, Informative)

                This quote from the news article is especially telling:

                All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks.

                "A district password" in this quote sounds a lot like "a student or faculty account" to me. Doesn't sound like any hacking occurred at all.

          • Re: (Score:3, Interesting)

            Depending on the system you're accessing and the facilities available to that type of connection and system, it may not be possible to determine the contents of a file without obtaining a copy.

            If I've compromised a password and access a remote system using SSH, I have full control of the facilities available on that system. I can view the contents of files without transferring the files to my own system.

            On the other hand, if I'm accessing a remote system via Windows networking, I have few options. I can m

    • by eggled ( 1135799 ) on Tuesday October 28, 2008 @06:46AM (#25539079)
      From TFA:

      School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks

      So, thousands of people have had access to this file, and the one person who tried to report it (and was tracked down) is being charged with felony counts of computer access and identity theft? And they're not checking to see if anybody else has tried to access this file, to indict them, as well? Definitely seems like a case of shoot the messenger. According to a state trooper interviewed in TFA,

      He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act.

      I didn't see anything about him trying to profit, though... He sent an email to the principal (contents unknown), from an anonymous email address, signed 'A Student'. Without more info, I'm inclined to speculate that he didn't really appear to be attempting to profit. (Wouldn't it be better to keep this a secret and profit from the information, if that was really his intent?)

      • by Spazztastic ( 814296 ) <spazztasticNO@SPAMgmail.com> on Tuesday October 28, 2008 @07:16AM (#25539213)

        I didn't see anything about him trying to profit, though... He sent an email to the principal (contents unknown), from an anonymous email address, signed 'A Student'. Without more info, I'm inclined to speculate that he didn't really appear to be attempting to profit. (Wouldn't it be better to keep this a secret and profit from the information, if that was really his intent?)

        All they're doing is making an example out of him. A company did the same thing a few years back with a white hat (Whos name I can't remember, and I can't find my copy of The Art of Deception/Intrustion to look up his name). He produced the error, sent them a paper on it, then they claimed that in the span of 6 months he used their service illegitimately for his own benefit.

        I guarantee whoever designed their security infrastructure had their ego shattered by this and in a fit of nerd rage decided to strike back with everything he could.

        • by theaveng ( 1243528 ) on Tuesday October 28, 2008 @07:32AM (#25539273)

          A sniper rifle aimed at the head of the principal and/or prosecutor also works: "Don't try to 'make examples' of good, decent people trying to do the right thing. Else YOU will be made an example of how Liberty-loving people deal with out-of-control Tyrants."

          Okay, I joke.

          But any politician hearing about this unfair prosecution ought to update the "Good Samaritan Law" so it not only protects people trying to save injured persons, but also protects people trying to help schools/companies by revealing security flaws in their system.

          • by Sancho ( 17056 ) * on Tuesday October 28, 2008 @07:40AM (#25539339) Homepage

            But any politician hearing about this unfair prosecution ought to update the "Good Samaritan Law" so it not only protects people trying to save injured persons, but also protects people trying to help schools/companies by revealing security flaws in their system.

            That's one of the best ideas I've heard all day. Unfortunately, because politicians are about as dumb as a bag of bricks when it comes to computers, all they'll see is what the media shows them i.e. "Bad hacker got caught!"

          • by sukotto ( 122876 ) on Tuesday October 28, 2008 @08:44AM (#25539809)

            Using your post as an example:
            Let's see here... you could be charged with
            - a criminal death threat
            - possession with intent (if you own a rifle)
            - conspiracy to commit murder (since you discussed with all of us and presumably none of us called the police)
            - making a terrorist threat
            - material support for terrorism (if you donate to a charity the DA doesn't like)
            - and a whole bunch of "minor" crimes.

            So... have fun in prison... we'll see you in 150 years or so.

            This started out as a "+1 funny"... but now I just feel "-1 WTH is happening to your country?" :-(

          • But any politician hearing about this unfair prosecution ought to update the "Good Samaritan Law" so it not only protects people trying to save injured persons, but also protects people trying to help schools/companies by revealing security flaws in their system.

            .

            You are the administrator of a system that an alleged "Good Samaritan" has been trying to hack.

            The successful hack would, of course, substantially increase your employer's legal and financial exposure.

            But - as a fellow geek, and the trusting soul

          • We need better whistle blower laws that don't force you to use your own name. Just look at the guy who uncovered voter fraud and got hit with a few felonies.

        • by diskofish ( 1037768 ) on Tuesday October 28, 2008 @07:46AM (#25539383)
          That is exactly right. From the sound of the article, the files were in plain sight for anyone who had access to the network (though it is unclear). If they are going to charge the kid, then the network engineer should be hit with the same charges. There is definitely some minimum amount of security required, or else it's just pure negligence. Anyone who's ever administered a server knows they are probed ALL the time.
          • by Spazztastic ( 814296 ) <spazztasticNO@SPAMgmail.com> on Tuesday October 28, 2008 @07:54AM (#25539445)

            Anyone who's ever administered a server knows they are probed ALL the time.

            Anybody who's ever administrated a school network should know that every kid is a potential "hacker," and you should be always keeping all the security up to date and patched regularly.

            • by mysidia ( 191772 ) on Tuesday October 28, 2008 @08:43AM (#25539805)

              Anybody who's ever administrated a school network should know that every kid is a potential "hacker," and you should be always keeping all the security up to date and patched regularly.

              Not only that, but there should be an air-gap between the network students have access to and the faculty network that contains sensitive information.

              And even faculty access to internal enterprise information fairly limited when logging into a student workstation.

              Student-accessible computer nodes and network ports should be treated about as secure as unencrypted WiFi.

              To access confidential materials from such a workstation, the teacher must connect to a VPN, preferably using 2-factor authentication with a token such as SecurID.

      • Re: (Score:3, Insightful)

        He deceitfully used someone else's name and password so he would not get caught

        Kinda sounds like unauthorized access to a computer system to me.

  • by Vandil X ( 636030 ) on Tuesday October 28, 2008 @05:39AM (#25538743)
    The person who reports the crime is often the first suspect or person of interest.

    Or simply, "Who ever smelt it, dealt it."

    Forget that this kid was doing a service to report the flaw, they are more concerned with why the kid was trying to access the site in the first place.
    • The person who reports the crime is often the first suspect or person of interest.

      Which is why you do it anonymously, with cutouts from magazine headlines [oh noes, teh police can identify your cut-and-paste gluing style]. If you want to send email, use tor and a one-time account.

      There, done. Next problem... Or not?

      --Jonas K

    • by Anonymous Brave Guy ( 457657 ) on Tuesday October 28, 2008 @09:24AM (#25540169)

      Forget that this kid was doing a service to report the flaw, they are more concerned with why the kid was trying to access the site in the first place.

      OK, I know Slashdot is collectively in holier-than-thou rage over this poor, "innocent" kid, but why was the kid trying to access the site in the first place?

      It seems to me that he's not being punished for reporting something, he'd being dealt with because he probably broke the law.

      Of course, the officials responsible for the shoddy security and data protection should also be dealt with under whatever laws apply in that jurisdiction. But that doesn't excuse a kid who actively went on a fishing expedition. The end cannot be allowed to justify the means in cases like this, or you undermine the basic principle of the laws: you give carte blanche to crackers to have a go at whatever they like, since if they get in, they can just report it and pretend they were doing the world a favour.

    • Comment removed (Score:4, Interesting)

      by account_deleted ( 4530225 ) on Tuesday October 28, 2008 @10:12AM (#25540799)
      Comment removed based on user account deletion
  • Once again kids: (Score:5, Insightful)

    by yttrstein ( 891553 ) on Tuesday October 28, 2008 @05:40AM (#25538745) Homepage
    Reporting a security hole is not noble, it's stupid.
    • by Kokuyo ( 549451 )

      As sad as it is, the smart thing to do is pump your fist in the air for a job well done and move along.

      There should be a law against stupid people.

    • by GrumblyStuff ( 870046 ) on Tuesday October 28, 2008 @05:49AM (#25538821)

      How did it ever come to this anyway?

      Seriously, what the fuck happened to common sense? Where and when did society decide that a problem is only a problem if it is found?

      At this rate, I'll be surprised if people even call the cops or the fire department to report a crime/fire.

      • by Swizec ( 978239 ) on Tuesday October 28, 2008 @06:05AM (#25538881) Homepage
        If I wasn't implicatly involved I'd never go to the trouble of calling the coppers for anything. Let the victim call them, I don't want to be involved in any way, because most of the time it's just more trouble than it's worth.

        Think about it, if I report a problem I'll be the main suspect for a while, I'll have to be interogated and I don't think they're ever nice about it, I'll potentionally have to appear at court and it's just overall too much of a mess. I have my own shit to deal with.
      • Re:Once again kids: (Score:5, Informative)

        by MrMr ( 219533 ) on Tuesday October 28, 2008 @06:22AM (#25538953)
        Where and when did society decide that a problem is only a problem if it is found?
        496 - 406 B.C. [bartleby.com]?
      • by Anonymous Coward on Tuesday October 28, 2008 @06:35AM (#25539017)

        A man approaches a stranger and says, "Hey, I noticed your shed is unlocked." The stranger responds, "What were you doing in my backyard?"

        It's not that the unlocked shed isn't a problem. It's that there is also the issue of what the person was doing there in the first place and is anything missing.

        With a shed, it's not much of a problem. Check to make sure nothing is missing. Charge them with trespassing if you are so inclined.

        With a computer, especially a government or business computer, it's more complicated. You can't just take a peek and make sure nothing happened. Insurance issues alone probably require that they press charges to the full extent the law allows. Doing so also keeps the ball squarely in the court of the alleged victim.

        If the person had a legitimate reason for being where he was, no charges are going to stick. If he didn't, he might be in some trouble.

        In ANY case, the GP is right. Just don't do it.

        While we're on the subject, don't talk to cops without a lawyer, either.

        • Re:Once again kids: (Score:5, Interesting)

          by PopeRatzo ( 965947 ) * on Tuesday October 28, 2008 @07:49AM (#25539407) Journal

          The stranger responds, "What were you doing in my backyard?"

          My dad made a point of teaching me that if I see a car with the headlights left on, and unlocked, and the owner's not around, to reach in and turn them off. If I see something that looks like a neighbor's made a mistake, to take the risk of being accused and do the right thing. To even take the risk of being wrong and do what I think is the right thing. The older I get, the smarter he seems.

          One of the benefits of getting older is the increased willingness to be counter to a trend.

    • Re:Once again kids: (Score:5, Interesting)

      by WingedGlobe ( 1394653 ) on Tuesday October 28, 2008 @06:06AM (#25538891)
      While there are doubtlessly many clueless administrators in the world, there's also something to be said about being smart in protecting yourself. During high school, I poked around aimlessly on some network drives and found an unsecure, unencrypted text file of sensitive personal information on a lot of students. I didn't really have any business looking, but there was also nothing at all keeping me out. Instead of talking to the first administrator I could find or shooting off a "Hey look at this" email, I spoke to the instructor with whom I had the best relationship with and could convince that I had no bad intentions, showed him the problem, and asked him to escalate it anonymously. He did so, the problem was fixed, case closed.
      • Re: (Score:3, Interesting)

        A rather nastier way:

        Get the file and take it home. Load it in a VM and do your stuff in there. Cut to all the juicy parts (like all the rich people's kids and such). Now, print about 50 of these, using yellow-dot hackers to obfuscate your printer.

        Now take these papers and litter them around at a PTO meeting. Heads Will Roll. Just make sure to make yourself scarce so yours wont.

      • Re: (Score:3, Insightful)

        by cheater512 ( 783349 )

        I found plenty of holes.

        The sys admins were smart enough to realize that I could be a asset to them.
        I meant no harm so they gave me free reign basically.
        All I needed to do was report back to them any flaws.

        Mind you this was in Australia, not the US so less knee jerk and more common sense.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Watch this video, it's somewhat related to this:

      http://video.google.com/videoplay?docid=8167533318153586646 [google.com]

      It's probably the best video you will ever find if you're on the hot seat, worth 1,000,000 CSI episodes.

      This helps too:)
      http://www.youtube.com/watch?v=uj0mtxXEGE8 [youtube.com]

    • Re:Once again kids: (Score:4, Interesting)

      by jonaskoelker ( 922170 ) <jonaskoelker@yahooBLUE.com minus berry> on Tuesday October 28, 2008 @07:25AM (#25539255)

      Reporting a security hole is not noble, it's stupid.

      I can't help but wonder how much the slashdot perception of the stupidity of reporting security holes to your sysadmins is due to selective reporting.

      Ever noticed all the stories that say "User thanked for quietly reporting a subsequently fixed security problem"? Not exciting.

      But it happens. I've reported a security issue to root, with three user names (!= my own) that I'd found the password to and the method I used. They said it was okay and they'd changed them, and later enabled /etc/shadow.

      Trying-to-balance-out-the-selective-reporting'ly yours --Jonas K

  • Blackmail (Score:5, Interesting)

    by ChowRiit ( 939581 ) on Tuesday October 28, 2008 @05:42AM (#25538759)

    If you read the whole article, it sounds a bit like he might have been trying to blackmail the school with the details of the hack. As theregister notes, the email contents aren't available, and the quote "He ... was looking to profit from his criminal act." also suggests that he may have been blackmailing the school.

    I'd like to hope so, at least, because otherwise the school is going WAY overboard...

    • Re:Blackmail (Score:4, Interesting)

      by CarbonShell ( 1313583 ) on Tuesday October 28, 2008 @06:28AM (#25538987)

      No!
      If anyone would have taken a minute to actually think about this, the claims do not make sense.

      If the kid was trying to blackmail the school, why sign as 'a student'?
      How will 'a student' profit from this?
      Fix the grades of 'a student' in the database?

      Blackmail is 'give me something or else'.
      As there is no *me* involved, it is not blackmail.

      Claiming that it is blackmail because the kids had reviled the security flaw and thus could repeat it is just wrong.

      This smells of BS all the way. The school comes up with false allegations to cover their asses and make the kids look like criminals.

      Sure, the kids were doing something they should not but their actions after that should null the previous offense.

  • by GrumblyStuff ( 870046 ) on Tuesday October 28, 2008 @05:44AM (#25538771)

    As in, being hit with the law book.

    "He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act."

    I RTFA but see no sign of this. At best is this bit from a followup link in TFA:

    "He sent an e-mail to his principal saying, 'Look what I have,'" DeFeciani said.

    But for fuck's sake, three felonies at 15? For a fucking non-violent, non-destructive "offense"?

    Poor kid is screwed for life.

    • That is what he is being charged with. Not sentenced to. I'm sure that will change as long as he has a decent lawyer. A felony is a felony. Write your elected official and request to have the laws changed.

    • by Like2Byte ( 542992 ) <<Like2Byte> <at> <yahoo.com>> on Tuesday October 28, 2008 @06:37AM (#25539029) Homepage

      There are a few possible scenarios by this statement - all of them conjecture. At this time, the article is very light on detail.

      "He sent an e-mail to his principal saying, 'Look what I have,'" DeFeciani said.

      Conjecture #1) He was indeed using it for blackmail or other nefarious means.
            If this is the case, nail his behind to the wall.

      Conjecture #2) He simply reported the problem and the typical knee-jerk reaction ensues.

          If this is the case, let him pay off his transgression by working with the people on the IT Team so he can be mentored and more easily monitored. Mentoring is the key element to his natural progression toward becoming a productive citizen.

      Conjecture #3) He was showing off his leet h4x0r 5k1llz by attempting to embarrass the admins at that facility.

          This is a tough one. I don't want to see some kids life completely ruined because he didn't understand the ramifications of his actions. Certainly, he should be punished but lets not lose our minds. Again, mentoring would probably go a long way in waking this kid up.

  • by 91degrees ( 207121 ) on Tuesday October 28, 2008 @05:50AM (#25538825) Journal
    It's just the screwed up legal system. They could just about get Computer trespass to stick, although probably wouldn't get a particularly harsh sentence passed. What they can do though is threaten the kid with these charges, mention that he could potentially serve 20 years and get him to plea bargain to a lesser crime.

    If he maintained his innocence and demanded a jury trial he'd have a good chance of being found innocent and if not the penalty would probably be minor. His behaviour just isn't that of a criminal. The whole system is broken. It's a game of bluff, but the stakes are the liberty of innocent people.
    • by Uberbah ( 647458 )

      This is like Boston freaking out over Lite-Brites. I hope the kid not only calls their bluff and asks for a jury trial, but finds some way to counter-sue.

  • news flash (Score:5, Insightful)

    by catmistake ( 814204 ) on Tuesday October 28, 2008 @05:54AM (#25538837) Journal

    stupid people fear smart people

  • He did the equivalent of finding a hole in someone's fence, breaking through the fence into the person's property, and then having a look around before telling the owner "hey, your fence has a hole in it". The kid was foolish here, assuming he had the best of intentions.

    But hey, at least the kid learned a valuable (and sad) lesson in life:

    No good deed goes unpunished.

    • Re: (Score:3, Insightful)

      by Yvanhoe ( 564877 )
      Well, if we are to play analogies war : yes it is a bit like that, except it is impossible to say that the fence has a hole in it without trying to go through.
      Also, it may look like you have accessed the first fence of several concentric fence. Before reporting this hole as a problem, it sounds reasonable to assess if anything is put at risk first. Once you see that there are many valuable things accessible, you go away and go knock on the door "Hey do you know that all these valuables of yours are easily
      • Ok, I'll bite. Lets say I want to test the schools security without actually breaking in. I'd have a look and see what kind of set up they have (from an external view) and go mimic it on my own machine. Then I can poke around legally. Ok, I find that a service they're running has a security issue, I tell them so and viola! No prosecution for me!

        Sure, I can't see any internal problems but why should I? Unless I break in (illegal) and poke around (illegal) it shouldn't worry me anyway since the outside fence

  • by kitsunewarlock ( 971818 ) on Tuesday October 28, 2008 @06:36AM (#25539025) Journal
    This means this person, capable of not only using the internet but as a (clearly) (semi-) advanced user, is now no longer able to vote...because of something they did before they were legally eligible in the first place? And something they admitted to? Yet someone who doesn't know their left hand from a donkey's a-hole and votes based entirely on which guy they'd rather drink a beer with and/or whichever has a photo-op with someone who looks more like them is free to do the same AND drive drunk AND steal potentially thousands (but not over 10 thousand or so, depending on the state) AND even rape in some cases and still vote.
  • by Creepy Crawler ( 680178 ) on Tuesday October 28, 2008 @06:42AM (#25539061)

    And one who breaks security is like the one who alerts the king about wearing no clothes. You WILL get punished. You WILL be dealt with.

    I saw this all the time at schools, jobs and like. People dont like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.

    If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target.

  • by VocationalZero ( 1306233 ) on Tuesday October 28, 2008 @07:14AM (#25539199) Journal
    This is why I send all my blackmail from my neighbor's WEP-enabled wireless.
  • Well (Score:5, Interesting)

    by mach1980 ( 1114097 ) on Tuesday October 28, 2008 @07:19AM (#25539227)
    This happened to me in winter of 2000. I found a open FTP-site on the LAN of my public school that contained sensitive information about the municipality elderly care. I reported it to the Swedish Data Inspection Board. I later found out that the municipality had filed a police report to find the alleged 'hacker' that were able to break the 10-digit code (read: IP-address).

    My only comfort was that I had reported the findings anonymously.

    And yes - they municipality were charged. The period for prosecution for my 'crime' has expired.
  • wtf (Score:3, Insightful)

    by moxley ( 895517 ) on Tuesday October 28, 2008 @07:28AM (#25539263)

    This is bullshit - I am really tired of hearing these scenarios where ignorant fascist assholes are doing serious damage to the reputation and future of kids who are doing the right thing.

    The message being sent is that rather than being honest, helpful and productive member of networked society we're teaching kids that it's better to be deceptive and not expose dangerous security flaws. ...and FELONIES? What the fuck?!

    I feel that there is a message that both the powers that be (and irresponsible sys admins who have been professionally shamed by these revelations) want to send - the sysadmins don't want to be embarrassed by kids - the feds or police either don't understand and are hearing sys admins tell them that "these meddling kids broke into our system, it's certainly not MY fault for not securing it" or people who should know better thinking that it's better to send the message that killing the messenger is the appropriate way to handle security, EG what people don't know won't hurt them and what we don't see we wont have to deal with.

    I believe that this should be explained to those who aren't very computer/network literate with the following analogy: Let's say you live in one of those multifloor apartment buildings where there is an area in the lobby with many mailboxes which all lock. Each resident gets a key for their own box. This kid either accidentally (or just to see if his and other mailboxes are secure) plugs the key into the wrong box or a box that isn't his and finds that his key (and by logic every other resident's key) opens every mailbox in the building. The mailbox he tests the key on contains an envelope with a ton of cash sticking out of it. He goes to the landlord and says "hey, these keys provide no security because any key can open all mailboxes, and by the way, this mailbox had a ton of cash in it - here's the cash, I didn't want it to get stolen" and he is then arrested and charged with breaking and entering, grand larceny, and other such offenses.

    I hope that if any high profile tech people get a chance to comment on this in the press or end up assisting the defense (if it was to go to trial) that they can send a message that criminalizing someone who is doing the right thing is just wrong...

  • More info and name (Score:3, Informative)

    by RenderSeven ( 938535 ) on Tuesday October 28, 2008 @07:58AM (#25539467)
    ... here here [thetechherald.com] including the kid's name. Article notes this isnt the first time he's been in trouble for hacking, so it may explain the apparent over zealous charges.
  • by hack slash ( 1064002 ) on Tuesday October 28, 2008 @08:08AM (#25539541)
    Has the kid sold the film rights yet? I've got this great idea for using his story, basically a 'hacker' kid gets blamed for a crime bigger than just breaking into a computer system, it could involve a bunch of his hacker friends pissing off "the man" responsible for the kid's arrest, like signing him up to online dating services and changing medical records to show he's dead. Maybe we could get an a-lister in the cast like Angelina Jolie & some other well knowns like Jonny Lee Miller & Matthew Lillard.

    Oh, wait, too late... [imdb.com]
  • by DaveV1.0 ( 203135 ) on Tuesday October 28, 2008 @09:12AM (#25540053) Journal

    It doesn't matter that the server was misconfigured, or used a default password. What matters is what he did.

    He didn't accidentally find this something. He went looking for security hole, found one, used it to look around where he was not supposed to have access, then reported it anonymously. Then, an investigation followed and they found him.

    That is the equivalent of him walking down a street and trying each door and window to see if it was open, finding one, going in to the house and looking around, then anonymously reporting what he had done to the police. In the real world it is breaking and entering (look up the law before you say "no breaking occurred").

  • I wonder.... (Score:3, Interesting)

    by SuiteSisterMary ( 123932 ) <slebrun@gAAAmail.com minus threevowels> on Tuesday October 28, 2008 @09:15AM (#25540079) Journal

    I wonder if any of those 'whistleblower' protection statutes would apply in this case.

  • by adsl ( 595429 ) on Tuesday October 28, 2008 @11:18AM (#25541603)
    The article says this kid and a "peer" accessed the info. How come there are no charges against this "peer"? Does this indicate the basis of the changes relate more towards the "intent to profit"? It would seem that this case may be more complicated than the facts on the table suggest.
  • by micromuncher ( 171881 ) on Tuesday October 28, 2008 @04:43PM (#25547001) Homepage

    Say nothing.

    Human nature is to "shoot the messenger." So don't tell.

    Once upon a time in university I noted a file in the temporary directory on one of computer science's machines with read access to all on the entire student name/id list. This was a byproduct of registration, and the ids were used as the passwords for first log in. But student ids were used for much more, and this list was also bigger than computer science... I complained to the comp sci sys admins; who said "gee thanks, we'll change that." But the file kept appearing. So I contacted the computing services admins; who said "gee thanks, we'll talk to the comp sci guys." The result of which was "this doesn't happen any more". So I sent a current directory list. No response. Then I posted the file (two months after it was supposedly fixed) to the internal security newsgroup. [I lost my access privs and was almost expelled.]

    The moral of the story... don't tell people they f*cked up and sure as heck don't show them, because you just make them look bad, and there is a fine line between ethical behavior and questionable judgement.

  • The lesson here (Score:4, Insightful)

    by catdevnull ( 531283 ) on Tuesday October 28, 2008 @05:56PM (#25548013)

    The lesson here is to get better at sending "anonymous" e-mail to report this stuff.

The means-and-ends moralists, or non-doers, always end up on their ends without any means. -- Saul Alinsky

Working...