HS Students Steal SSNs to Prove They Can

thatshortkid writes "Local news in Chicago is reporting about two Hinsdale Central High School students who breached their school's computer system and retrieved all of their peers' (plus staff's) Social Security Numbers. They claim they have destroyed the information and haven't given it out, but the SSA and FTC have been alerted for good measure. While they claim their motive was to prove that the breach could take place and no malice was involved, they face possible school disciplinary action and criminal charges."

ridiculous

[faldore]

They should be paying them not punishing them.

Dumbasses.....

[Palal]

Unfortunately, people do not learn from others' mistakes. How many times have people broken into school databases only to be arrested! It does prove that you can break into a DB, but so what? Once again it goes to show you "no good deed goes unpunished!"

tough way to prove point

[Bananatree3]

While it may be an obvious way to get the schools attention on the matter, it is, as the article said, a good way to get yourself expelled, etc. Maybe if they took the issue with the IT staff, and showed them one-on-one how it could be done, they would not be in any harms way.

They kind of deserve the punishment

[Zakabog]

I guess it kind of sucks that they're gonna get punished for this, but they deserve it. You can't legally break into someone's house just to show you can, they should have told the school (or some news stations) that they were planning to show how easy it would be to get into the system. Then under a controlled environment (with some type of supervisors there) they can show how easy it would be. That way everyone knows the attack is going on and the school knows what was done by the students rather than relying on their word.

Demonstrate the Crime

[Azadre]

How can the exploit be fixed if the administartion will not admit it exists. These individuals should not receive punishments. If anything, they should receive jobs at their school. It's sad, but it seems High School computers are being ran more by pointy-haired bosses than actual IT individual. I just hope the trend can curb and go back to where data can be secured again in academic institutions.

Common Sense

[OverlordQ]

Just because you can doesn't mean you should.

I know people will come on here and say "OH but the administrators probably wouldn't listen so they had to do this to prove how serious it was". I'm sure if they followed good procedure and presented a good presentation to the Board/etc they would of gotten a better reception then what they did.

Yup.

[beavis88]

Nothing will bring pain to you quite like making someone (or some organization) look foolish. Even if you probably are at least somewhat in the right.

Re:tough way to prove point

[Palal]

Even then, the IT staff would probably want to sweep this under the rug rather than deal with it. I've seen it happen too many times before :(.

Re:ridiculous

[Anonymous Coward]

Mods, I don't think that's funny at all. Parent is correct, punishing for revealing horrible security holes? "Hsshh... Let's be quiet, noone will notice our security sucks."

That's more like insightful.

yes,let the kids decide about your privacy

[Daffy Duck]

Honestly, what a bunch of fuck ups. If you're trying to do a service by penetration testing, you at the very least notify the sysadmins of the vulnerability you plan to explore.

To go all the way through to stealing *everyone's* information, and then afterwards claim you only did it to help is bad judgment at best. In some states it's criminal.

Good, throw them in jail!

[NitsujTPU]

Good, throw them in jail.

Those miscreants are a danger to society, and consider the cash value of all of the damage that they have done, not to mention the bruised egos!

They are terrorists, and should be executed!

</sarcasm>

Re:Over react much?

[Anonymous Coward]

It shouldn't be, but since the SSNs are used for everything a person does for the rest of their lives, it should be included. As a reason not to use SSNs at Schools and the like.

Civil Disobediance has its price.

[FatSean]

These two men broke the law to prove a point they held dear. I feel they did the right thing, but the law does exist and they may be punished. I hope that the judge presiding over a potential criminal case still has discrection to choose the punishment should they be found guilty of a crime. If they should be found guilty and sentenced, we should do our best to provide what support we can.

What did Jefferson say about the tree of liberty and the blood of martyrs? Perhaps a bit over the top, but I feel the sentiment is appropriate.

Re:They kind of deserve the punishment

[EmbeddedJanitor]

Exactly so. 90% of the badness of being burgled is not that stuff was taken or tampered with, but that your private space was violated. This violation happens regardless of the violators intentions.

Being bust or not is not the issue. If they had been bust while trying to get in then they would have had no excuses. The broke in and that is bad.

Re:tough way to prove point

[Anonymous Coward]

"Maybe if they took the issue with the IT staff"

hahahahahaha... .. whew. oh... you were serious?
They would have probably gotten the kids in trouble for thinking about "hacking" into the computers. Those hacker kids are nothing but trouble you know. School IT staffs are a JOKE in 90% of schools, and don't give a damn or don't know a damn thing.

would you?

[zappepcs]

Personally, this makes me wonder why I would ever give anyone my SSN, unless they can prove they will live up to their federally mandated responsibilities.

This just shows that most companies and governments cannot do so.

Not the Real Problem

[Dr. Mu]

The real problem is not that SSNs are so easy to get but that possesion of another person's SSN gives one so much power to do ill. I think it's time that agencies and institutions quit relying on such a dubious means of identification as a key to perform transactions. Heck, some of them only require the last four digits!

I'm certainly not suggesting something as draconian as RealID. But it should not be necessary to keep one's SSN any more secret than the account and routing numbers printed on personal checks.

Re:They kind of deserve the punishment

[ZorbaTHut]

On the other hand . . .

. . . imagine you're legally required to keep your electronics and jewelry in someone else's house. And not only that, but several hundred of your friends are too. And imagine that you know the security in this house is bad, and you've tried telling the owner of the house that your possessions are in danger, but he doesn't care. And you've tried telling the government that your possessions are in danger, but they don't care either. Your friends care though, and they're really frustrated knowing that all their possessions are in danger, just like yours, and that nobody seems to be able to do anything about it.

Maybe then you'd break in, to demonstrate it's possible, and get the owner of the house to tighten up security for the sake of you and your friends?

Anonymous snail mail to IT admins...

[rmdyer]

To prevent being expelled just send the SSNs to the IT administration through anonymous snail mail. Explain how you broke in, and hopefully they will fix the problem.

Re:Common Sense

[SimplyCosmic]

At the least, they should have made a very real effort to alert the school administration that this was a problem.

In that way, even if they were completely ignored, they'd at least have something to back them up when they make the futile claim that they tried all the normal means to make the school aware of the issue.

Sure, they'd still get in trouble with the school, but at least they'd have some credibility in the public's eye as doing this for a good reason rather than simply because they could.

Ask yourself: why is a high school using SSNs?

[brg]

What I think this incident really underscores is that high schools, where security is (unfortunately) likely to be lax, should not be using or storing students' Social Security numbers. High schools are perfectly capable of assigning unique ID numbers of their own to students wherever they are necessary; if and when their security is breached, the numbers are not useful for anything beyond the school's own internal databases.

Keeping SSNs around obviously can't be avoided for the school's employees (for tax and other reasons), but employee databases should be separate from student records, and there are far fewer employees than students anyway.

Basically, SSNs seem to have become the knee-jerk instant universal ID number for American firms and institutions of all sorts, which is a pity. It's best if we (as IT professionals) try to encourage the keepers of old databases to transition away from using them, and to strongly recommend that new databases not use them at all, wherever possible.

it's all about trust folks

[circletimessquare]

there will be a lot of teeth gnashing from slashdotters about this "injustice". usually because the average slashdotter trusts some anarchist high school students more than they probably trust their own police department. they will point out that a security system untested is never sound, and that this move will strengthen security. that better these high school students than someone with truly dark intent break in.

the problem has to do with what the word "trust" means. society at large doesn't trust an intelligent well-intentioned hacker (these students are hackers as in the old school sense if there ever was one, as opposed to the new school "hacker=terrorist" sense). but they DO trust a bumbling idiotic underpaid school administrator.

why?

it's about how the average slashdotter views "trust" and how society at large views "trust". the average slashdotter trusts intelligence, cleverness, technical literacy. but the average joe simply trusts accountability.

the school administrator's job is to keep security, he is trusted by society, paid by society to do this. he is accountable. the school administrator will be reprimanded by this breach, and the breach will be repaired. this is society at work. meanwhile, there is no social contract with the high school student. there is no trust. there is no accountability.

yes, security will be better because of what they did. yes, their intent is perfectly sound. but there is no trust, there is no accountability as far as the average joe sees it.

the lesson therein is for the average slashdotter then:

accountability is more important than cleverness.

to put it another way, the average joe doesn't care how technologically sophisticated the security is on their SSNs. the average joe just cares if THERE IS SOME ACCOUNTABILITY. so the SSNs could be on a text file on webserver, they don't care. the question si: is someone's job on the line for the theft? the average joe understands this concept: someone will suffer if my identity is stolen. there fore, someone out there is motivated to protect me.

meanwhile, these students have no social contract, no accountability. what is their intent? what is their motivation to do good by me? all i have to trust is their word, and i don't know them from adam. therefore, all that they have done for the average joe goes unheeded, unrecognized. the students helped the average joe, but the average joe sees them as criminals.

folks: gnash your teeth all you want, i'm just trying to give you all a heads up about the difference in thinking between the average joe and the average slashdotter. if you don't like what i am saying, don't be mad at me, don't shoot the messenger.

be angry that trust does not mean same thing to you and the average guy on the street.

Re:ridiculous

[DustyShadow]

Breaking the law just to "prove you can" doesn't really fly. They would have been much smarter to just tell the school about the problem and then helped them to fix it. If the school ignored them, they could have easily made the issue public. High schools aren't very big so it's pretty easy to get the word about things. I don't agree that whistle blowers should be punished but these guys went past that point. These guys should be punished, and they most likely will.

The way I look at it

[mcc]

If I ever found myself in such a situation, the way I would look at it is that my private space was violated by the people who put my personal information where it could be indirectly but publicly accessed, not the people who chose to take advantage of that.

Just a thought.

More about saving face (was:Dumbasses.....)

[Lead Butthead]

They are being punished more for making the "adults" looked foolish than the severity of their mischief.

Re:tough way to prove point

[tftp]

If the IT people don't care, why then the students should? Their "good intentions" can be better spent elsewhere, like putting together old computers for charities.

Besides, as people already commented, it is stupid to commit a crime just to show that a crime of this sort can be committed.

Re:ridiculous

[davidesh]

This really shows the negative feelings that society holds for those who can "hack" systems.

lol that was great... you mean CRIMINALS
How about those folks who rob a convenience store to show their security holes... should we just let them off simply because they figured out how to do it and were caught? Yet they say oh, well we were going to return the money so it is ok and nobody was hurt.
Talk about flawed logic with your whole "We really need sane laws that do not allow some one to be prosecuted if there's no harm done". What a load of shit

Re:ridiculous

[maniac/dev/null]

Theres a big difference between whistle-blowing and breaking the law. Would you go into someone's house and steal their TV just to prove how ineffective their door lock is? HSs are rather small, if they spread word around, maybe at a PTA meeting, they might have gotten the same results without going to jail for computer crimes. Crime, even for a good reason, is still crime, and if we don't enforce the law all the time, we might as well not inforce it at all.

Re:Notation?

[lachlan76]

if they can't or won't take care of it, there's nothing compelling you to do it for them.

Having my data on their servers seems compelling enough...

Re:ridiculous

[zerbot]

I disagree. Breaking into a system is not much different than breaking into my house. There is a ton of extremely sensitive data on a lot of systems. If I came home and found someone who had picked the lock on my house sitting on the couch watching TV, you'd better believe I'd call the police and press any charges possible. No harm/intent foo!

One of my daughter's friends keeps pressuring her to give out her passwords on various sites. I've suggested my daughter tell her friend, "You can have my password when I can have the key to your house."

Re:ridiculous

[networkBoy]

Then you are the exception.

I spend time in the back of a squad car for stating there were security problems at my school (back in 93, I was a Jr.) The Principal did not believe me, and I was asked by the "computer teacher" to demonstrate, which I did. Upon completing the demo, a change of my grade (downward, ironicaly) I was detained in the office pending arrival of the authorities.

I now have a job where I get paid for those same skills, and the thread starter is correct about paying the students. The problem is that HS staff does not like being shown that their charge (the students) have more power than them, which this demonstrates.
-nB

Re:ridiculous

[Anonymous Coward]

whatever

these kids were not heros. with all the social security numbers and personal information being stolen, did they think they would be considered heros for "stealing" the information.

yes, theft is a crime, and they think they're immune to such punishment because they didn't do anything with the information. so i guess if i steal $1,000,000, and just keep it under my mattress, it'll be OK.

my school (i graduated 2001) had all kinds of vulnerabilities, but you know what. it's a school. they're understaffed as is, and they don't need to have expensive consultants coming in and auditing their network all the time to stop these kids.

a school should be about education, and these kids learned a valuable lesson, because most school districts have a policy where if you are accused of committing a felony, you cannot join your regular classes. you have to go to an in-school suspension until they have a hearing to see if you're a threat to the school, or not. if not, you're returned to classes, however if you're deemed a threat, you have to attend alternative education, normally that portable at the back parking lot, or another school.

lesson learned, but a hard one.

Re:ridiculous

[SeventyBang]

I hope the English teacher(s) got a shot at you as well: "I spend time".

The better thing to do [both then and now] would be to have someone from the media with the informer. If the "powers that be" choose not to "go along with it" while it's on the record, then that still leaves the door open for the story to explain what's possible, what's been offered, and what's been refused...and by whom. You cannot win 1 vs. the world. Adding the media to equation, particularly one who knows what they are doing, can even the stakes a bit.

The question begs: do you have to report these problems or is it a case of bragging rights - even if you are the only one who knows - so you will have cool stories on slashdot, blog entries, or magazine articles in the future?

As always, you have to pick your battles. But when you are forced into a battle, you have to decide which weapons to use and how. That's where the media is inserted into the equation.

Re:They kind of deserve the punishment

[tftp]

Maybe then you'd break in, to demonstrate it's possible, and get the owner of the house to tighten up security for the sake of you and your friends?

No; I would have filed a civil lawsuit against the school. There are very good chances that the problem would be fixed in matter of hours - and I would get a useful experience in defending my rights in a completely legal way.

(I recall an old movie with Hulk Hogan where scenario of this sort was presented.)

Re:ridiculous

[raehl]

Well, they're kinda screwed either way.

If it's made public, then people can compramise the data maliciously before it's fixed.

If they go in on their own, then they'll be punished for it. And they ahve to be - you can't let people mess around with the system as long as they don't do any damage, because people will messaround with systems and do damage even though they didn't mean to.

The correct thing to do is probably to inform the school, hopefully get them to let you demonstrate the flaw under supervision from theirr network people, and if they still don't do anything abotu it... move on. If you make it public, the data WILL get compramised, if you don't, at least there's a chacne no one will notice, AND you dodge any repercussions to yourself.

Re:ridiculous

[shaitand]

If they spread word around, maybe at a Parliment meeting, they might have gotten the same results without starting a revolution. Treason, even for a good reason, is still treason.

Crime is not synonymous with bad, wrong, or evil.

Why do schools need your SSN?

[rogueuk]

Why does a public high school even need your SSN? I can understand them needing the staff SSNs for payroll, but why do they need a kid's social security number?

Does anyone know? It's not like the students are paying any taxes towards social security through the high school

Re:MOD !^$# PARENT UP!

[suwain_2]

I can't speak for other places, but in New Hampshire, license 'numbers' follow a predicatable form -- if I know your first name, the first letter of your first name, and your DOB, I can tell you your license number. (In 99.9% of cases; the last digit gets incremented if it's a duplicate.)

I can't honestly say I check it frequently, but looking at the license number provides a good quick check that the card isn't a blatant fake ID.

If part of your license is covered over, I'd be really suspicious of what you were up to.

In a civilised country.

[the packrat]

In a civilised country where personal data was actually protected and where personal responsibility existed, such an event would have generated very pointed questions of the people who failed to protect vital personal information for hundreds or thousand of students.

The focus on sound bites denouncing petty criminals makes a convenient smokescreen to avoid them though.

Re:Over react much?

[anagama]

It's just time to quit using SSNs as personal secret passcodes. In some ways, it's good. At what percentage point of compromised SSNs will it stop being used for its present purposes? A few hundred is just a drop in the bucket, but it happens every day. Eventually, SSNs will be meaningless. Like a phone number, at which a slightly better system will (hopefully) be devised.

Re:ridiculous

[MoneyT]

There's a difference between publishing an exploit and breaking into a system you don't have rights to.

And I know it's fashionable to hate on business, but there are a lot of security flaws that get patched without an exploit being published or used.

Re:The way I look at it

[TheFlyingGoat]

So if you forget to lock your windows when you leave one day and end up getting robbed, you won't blame the people that broke in? You'd blame yourself or the police department for not doing a good enough job with security?

Every time this argument comes up, someone tries using that line of logic. The fact is, though, that even though your actions were stupid, the burglar broke the law.

Re:ridiculous

[zerbot]

You don't need to break into Microsoft or Apple's corporate computers. You can demonstrate on your own computer or someone else's with their permission. I'm not saying that publicizing security weaknesses is a bad thing, but going the route of breaking into someone else's property to expose a security flaw is stupid and unnecessary, and should be prosecuted. I've had to notify many, many people that their systems were either vulnerable or already compromised, and I have never "had" to resort to illegal acts to convince them of that fact, even when I was nobody to them.

Re:ridiculous

[MoneyT]

You deprive them of their privacy. Now their SSN is in the hands of someone whom they did not authorize to have such information. It doesn't matter if you do anything with it, but that you have it in the first place.

Otherwise, please give me your full name and ssn. I promise I wont do anything with it.

high schools are resource-constrained

[Infonaut]

High schools are perfectly capable of assigning unique ID numbers of their own to students wherever they are necessary

From my experiences doing pro-bono work at four different high schools, I'd say that most of them barely have the capability to deal with the most rudimentary data management tasks. I'm not saying this to be dismissive of schools or the people who work there, but they are in many cases so short on human and technology resources that creating and managing unique IDs for each student isn't something that would even cross their minds.

The SSN is, as you mentioned, the knee-jerk instant universal ID number precisely because it requires no extra effort. This is not a good situation, but it has come about because there is no compelling reason (that many institutions can see) to devote extra time and effort to coming up with alternate ID schemes for schools.

Re:ridiculous

[BackInIraq]

my school (i graduated 2001) had all kinds of vulnerabilities, but you know what. it's a school. they're understaffed as is, and they don't need to have expensive consultants coming in and auditing their network all the time to stop these kids.

Bullshit. If they can't properly secure their student's sensitive information (such as SSN's) then they shouldn't be storing it. Or they should store it on paper only, in a vault. I never fully understood why my high school needed my SSN anyway, and now that I see things like this happening I'm tempted to go back and make sure they don't still have it lying around.

It's one thing to be nonchalant with your employees information (though I'm not a fan of that either)...employees generally have a viable option (work somewhere else). Students generally have no choice as to what school they attend...they're going where their parents send them. Maybe they can drop out at 16, but by then their SSN could be stolen. There's a great way to start life...a high-school dropout AND identity theft victim to boot!

Re:ridiculous

[izomiac]

Well, most school network admins that I've encountered are rather arrogant about their security. If you explained how something *could* be done then they're just as likely to either ignore it or say the next software update will fix it. Exploiting it is a sure way of making them fix it, although ideally you probably wouldn't want to get caught.

As for businesses, what about all the exploits they don't fix or check for because their software is "good enough"?

Re:ridiculous

[NanoGator]

"How about those folks who rob a convenience store to show their security holes.."

How about an analogy that doesn't involve a gun to the face?

Re:Anonymous snail mail to IT admins...

[sharpestmarble]

Trouble with that is, they(the administration) isn't concerned with the security, they're concerned with catching whoever got the numbers. "They did it on their home computer through their server, they said. They got a court order and went and checked it and they found it,"

Twisted logic:

[pumpknhd]

"Your house is not secure. I can prove it to you. All I need is a rock or baseball bat and I can show you that I can get inside." Yay! Now I won't get arrested! - just because it's tech doesn't mean that the laws don't apply

Re:ridiculous

[Vacant Mind]

yea go ahead and try to get the administrators to listen to you. sometimes they don't even give you "permission" to go to the bathroom.

Re:ridiculous

[vegaspctech]

How about an analogy that doesn't involve a gun to the face?

You sneak into your neighbor's fenced and gated backyard and, through a window only visible from the backyard, watch her undress without her knowledge or consent.

Cover up

[panurge]

Trying to get into places they shouldn't, whether it is safes or knickers, is something that adolescent boys are programmed to do. Anybody responsible for school systems has an obligation to understand this and deal with it. This is nothing to do with social relativism, as the more fascist /.ers seem to think: it's elementary precaution. Regardless of the motivation of the hackers, the people responsible for the system should be required to be trained in security (and perhaps be downgraded till they had passed their exam) because they failed to take account of something widely known in education. If the zoo keeper leaves the doors unlocked on the lion cages, the lions may escape and end up having to be shot, but what about the zoo keeper?

The truth is the lazy, idle and incompetent always prefer the cover up to the fix. Whether it is the Roman Catholic church and child abuse, torture at Guantanamo Bay, or security holes, the people in charge will conceal rather than cure. Two examples from my own career:

I was once asked to investigate the apparent failure of an automated component test system. Eventually a review of the hardware and software left the only option as being that the production personnel were deliberately falsifying results and passing rejected batches. Result: three senior managers demanding I be sacked. Fortunately at this point we acquired a new CEO who had several clues. One manager was fired, one left of his own accord and the other was downgraded. But customer confidence had been eroded and the plant eventually had to be shut down. The second example was less exciting: a production director who resisted for years the introduction of statistical process control because it would make clear where systems were failing.

I'm sure many of us have similar examples. It is not in fact important what the motivation of the whistle blower is, we need to change the culture to one in which the response is "Fix it", not "shoot the messenger". With hindsight, we may one day conclude that the tradition of open bug fixing is FOSS is its greatest social legacy.

Re:it's all about trust folks

[evanbd]

It's an interesting point, and I think you're at least mostly right. However, there is an inconsistency in that no administrator appears to be losing their job over failing to protect these SSNs from the students. By your logic, if no one's job is on the line, where is the accountability?

That said, someone getting yelled at by the boss seems very likely here...

Re:it's all about trust folks

[hyfe]

meanwhile, these students have no social contract, no accountability. what is their intent? what is their motivation to do good by me? all i have to trust is their word, and i don't know them from adam. therefore, all that they have done for the average joe goes unheeded, unrecognized. the students helped the average joe, but the average joe sees them as criminals.

The difference for the students is the one between numbers and people.
For the school board (or however you're organized over there), there is a case of '500 SSN's got leaked, oh well.. the bad publicity will cost us less than hiring competent people'.
For the students it's, 'holy shit, they're practically giving away our SSN's, I don't want my bank-account suddenly emptied'

The victims have an inherit motivation in not becoming fucked over. The overseer's main motivation is not being yelled at.

Re:ridiculous

[MoneyT]

[quote]Depriving people of privacy is a crime? Wow. Didn't know that one.
[/quote]

yes it is. Try putting cameras up in a bathroom or changing room or pointing into someone's windows. try tapping someone's phone line.

[quote]My SSN is all over the fucking place. In the hands of my mortgage company, my bank, hell, the university where I attended school used it as our Student IDs, so they were all over professor's roll sheets which I /saw/ Profs toss in the trash. For a secret number, it's not so secret.
[/quote]

You realize that:

1) That number was given voluntarily by you every time

2) That had you requested it, by law they must provide you with an ID number to use in lieu of an SSN

Keyword : Hope

[MMaestro]

The correct thing to do is probably to inform the school, hopefully get them to let you demonstrate the flaw under supervision from theirr network people, and if they still don't do anything abotu it... move on.

This is the stem of all security problems.

If you DO blow the whistle, unless you have some SERIOUS clout behind you, chances are most people aren't going to listen to you. (See: Microsoft).
If you DON'T blow the whistle, do nothing and have a vested interest in the company/school then you risk having your money/time lost due to SOMEONE ELSE taking advantage of a flaw you knew about.
If you DO blow the whistle and try to gather attention to it by TAKING ADVANTAGE of the exploit, you SERIOUSLY risk being arrested yourself. (White hackers, black hackers, its all the same in the eyes of the uneducated masses!)

Etc, etc, etc. The list of what you can do and how ineffective it will ultimately be goes on. You can't go public or they slam you for trying to ruin their reputation. You can't go directly to the people cause they ignore you. You can't 'white hacker' them cause they slam you anyway. You can't ask for advice on Slashdot cause Slashdot is a wide, niche audience and is largely ineffective due to city/state/nation/international law differences. Its damned if you do, damned if you don't, damned if you ask for help and damned if you do nothing about it.

Re:ridiculous

[rikkards]

As for businesses, what about all the exploits they don't fix or check for because their software is "good enough"?

Approach the business saying you provide a service. If they say thanks but no thanks move along and take salacious glee in the fact that they may get comeuppance one day.

Re:Dumbasses.....

[Koiu Lpoi]

And besides, Social Engineering is still the best way to obtain passwords and sensitive material. Here's a great (and true) example.

I was sitting in class one day (I am a High School Senior) and talking with a bunch of my friends. I don't remember the exact context, but I mentioned something about Social Security Numbers (the context possibly being college). I was mostly shocked to find the conversation switching to my group of friends telling each other the numbers and comparing them for similarity and silliness. If I had wanted to, I would have had 5-7 SSNs for which to use as I saw fit. What's especially scary is how easy it would have been.

Re:ridiculous

[sydsavage]

Its not like you can use a number without any other proof of ID is it?

You'd think that would be the case. Unfortunately, the answer is no.

From this article [epic.org]:

The SSN and Identity Theft

The widespread use of the SSN as an identifier and authenticator has lead to an increase in identity theft. According to the Privacy Rights Clearinghouse, identity theft now affects between 500,000 and 700,000 people annually. Victims often do not discover the crime until many months after its occurrence. Victims spend hundreds of hours and substantial amounts of money attempting to fix ruined credit or expunge a criminal record that another committed in their name.

Identity theft litigation also shows that the SSN is central to committing fraud. In fact, the SSN plays such a central role in identification that there are numerous cases where impostors were able to obtain credit with their own name but a victim's SSN, and as a result, only the victim's credit was affected. In June 2004, the Salt Lake Tribune reported: "Making purchases on credit using your own name and someone else's Social Security number may sound difficult -- even impossible -- given the level of sophistication of the nation's financial services industry...But investigators say it is happening with alarming frequency because businesses granting credit do little to ensure names and Social Security numbers match and credit bureaus allow perpetrators to establish credit files using other people's Social Security numbers." The same article reports that Ron Ingleby, resident agent in charge of Utah, Montana and Wyoming for the Social Security Administration's Office of Inspector General, as stating that SSN-only fraud makes up the majority of cases of identity theft.

What I find interesting that no one seems to be questioning why a high school needs to have the students SSN in the first place. Personally, I think that the administrator that made the decision to put SSN's into a (now proven) vulnerable database should get at least the same punishment as the students who cracked it. And if they are using products that are known to have weak security, they should get double. Why was this database even connected to the net, anyhow? Honestly, the real crime here is the lackadaisical handling of such sensitive information, when there is no good reason for them to have students SSN's in the first place.

Re:it's all about trust folks

[Vellmont]

to put it another way, the average joe doesn't care how technologically sophisticated the security is on their SSNs. the average joe just cares if THERE IS SOME ACCOUNTABILITY. so the SSNs could be on a text file on webserver, they don't care. the question si: is someone's job on the line for the theft? the average joe understands this concept: someone will suffer if my identity is stolen. there fore, someone out there is motivated to protect me.


I guess I have to disagree with this. The average joe only cares about feeling that his data is safe. Accountability is bullshit. I guarantee you if the insecurity (and consequences of that insecurity) was easily understandable by the average joe, he'd be up in arms that the gaurdians of his information are incompetent fools.

The thing is that the technological nature of the insecurity is what masks it. If the average joe can't really understand why it's insecure, the feeling of insecurity never really registers very deeply.

I'll give an example. Let's say Average Joe's bank didn't lock the doors at night because they didn't think it was necessary. Well.. heads will fly if Average Joe finds out about this. It's blatantly obvious that not locking doors at night as a bank is bleedingly stupid. It's also obvious to Average Joe that his money not being robbed from the bank is important. The news that someone will get in trouble for "not being accountable" isn't really very comforting to Average Joe.

Let's say in the same bank scenario two bank customers realize the dumb practice of the bank and want to "teach them a lesson". They go into the bank, take the money and bury it in an empy lot somewhere. They then leave the bank a note saying where the money is. Have the bank customers commited a crime? Certainly. Have they also done some kind of service for other bank customers by showing how insecure their money is? Probbably. What's the balance between the two? Very difficult to say. It seems the same way in this case. The difference between Average Joe and Average Slashdotter in this case is only that Average Slashdotter understands that this is like leaving a door open.

I think there are people who do care about accountability. Mostly these people are the ones setting up procedures within large organizations. That's fine, accountability is a decent way to attempt to get actual security. But let's not forget that the real goal is the actual security, not having someone to blame at the end of the day.

The media is slow...

[tankd0g]

The reporter in this story clearly does not have the razor sharp awarness of what causes people to panic, like say a CNN headline writer does. But sooner or later someone will realize that these kids that got caught/came forward, are the ONLY ones in that school you DON'T have to worry about. It's the other 30 or 40 that already hacked the system or better yet, are trying it right now.

Re:ridiculous

[ScentCone]

The problem is that HS staff does not like being shown that their charge (the students) have more power than them, which this demonstrates.

Come on, it's not about power. The school system certainly doesn't like it being known that the information they keep about their students and staff is vulnerable to theft and manipulation - it doesn't matter who can do it. Students would presumably be the ones with most to gain by hacking their records, but identity theft is arguably a bigger threat when it comes to employment records and other data on the faculty.

But it's much more likely that a student will be bored enough, have enough time, and be allowed to physically have access to a machine on (or plug a machine into) the local network - so of course that's where the friction is going to be. And, since so many students imagine themselves to be in an adversarial relationship with the teachers, the staff has to be prepared to react accordingly. It's not about not liking a student having more "power," it's about not liking a student screwing around with sensitive data. High school students are notoriously lacking in almost any sort of judgement, and routinely fail to think through the consequences of their actions. This is often more true of the geek set, pleased as they are with their high IQ and skills, and distracted as they are from the daily tribulations of "normal" people (like teachers trying to maintain a career, health insurance, and a credit rating on next to no income).

And, of course, the odds that the staff of a particular high school have themselves chosen the network infrastructure, software, security model, and so on, upon which their daily system-based activities depend - pretty slim. But they've got to live with it, and when they catch a student deliberately breaking in, of course they're defensive. Hell, a student could also very easily break out a window of a science classroom to show that a determined thief could easily steal a microscope, what with the staff's ridiculous choice of obviously inferior mere glass as a deterrent. That doesn't make the staff power-obsessed when they bust on a student for putting that brick through the window.

Re:ridiculous

[Decameron81]

Like stealing someone's wallet without him noticing it? Then you can give it back to him to show him you were able to do it and I bet he will thank you with his fist in your nose.

Re:More about saving face (was:Dumbasses.....)

[Anonymous Coward]

I entered the gifted program in 4th grade. I was one of the top people in the gifted program. I went to college a year early. I graduated at the top of my ME class by a fair margin.

My teachers liked me. I learned what they were teaching and looked like I would go on to be a useful member of society. Maybe I didn't need them like the other students did, but I never held it against them in any way. I showed up and paid attention.

It has little to do with intelligence, and a ton to do with attitude. If you are a dick, it doesn't matter how smart you are. I don't know you, and therefore I won't try to evaluate your personality, but I have to question why you went to this school if it wasn't going to challenge you. Did you 6-day that class just to prove you could, or to show that the class was pointless, or to show that you were smarter, or because you weren't interested in it and figured that was the easiest way out? For classes that interested you, did you show up and study, or did you skip those too, because you could pass without doing anything? Arrogance is unbecoming.

Re:ridiculous

[ultranova]

Which means that you should take option three: Do nothing and let it blow up on the admins face. After all, if you warn them, and they do nothing, and it blows up on their faces, they have a scapegoat to blame for their incompetence: you.

Why risk anything for your school / workplace / country ? You don't owe them anything, and they certainly won't hesitate for a second if screwing you over ever becomes profitable for them.

If you absolutely have to warn them, do so in such a way that your identity can't be confirmed. If they ignore anonymous warnings, it's their problem, not yours.

Re:More about saving face (was:Dumbasses.....)

[Anonymous Coward]

This is off-topic solely to the parent of this post:

It is truely funny how age sometimes diminishes this attitude.

Growing up, I always knew I was 'smarter' than others, and even when I was tested I knew +3SD meant that I was smarter that 99% of the rest of the kids (atually only ~.3% are smarter than you at this point, +2 only give you advantage over 95%).

I got into a lot of physical fights with my 'peers' (the quotes are as envisioning the past) and I had a lot of verbal fights with my instructors. I thought both were idiots and I didn't feel the need to hide my contempt.

But guess what? I had no clue about the real world. I could figure out facts and statistics, but I had no clue how this related to anything at hand. I'd blame the others around me for being jealous or threatened. Some of the students felt threatened because I was a big guy, I am now 6"3 before I put on my redwings...and while I didn't like to fight, I didn't back down and I didn't stop til the other guy was on the floor. Teachers? I made sure I learned everything I needed to prove that I was smarter so that I could correct their laymans explanations in class. Sure, we are studying at grade school education, but fucking shit, I expected the instructor to explain it to us as if we were postdoctoral students, even though I was probably the only one that had knowledge of this subject.

Like you, I can make 85% in courses without trying. After a dozen other failed degrees (I'd get bored...eventually settled for gen ed degree as I had the credit hours), I am working on a degree in psychology and its amazing that my peers study like motherfuckers and yet with only picking up the book midsemmester for an hour, I came off just under 2 points from a friend that is working on his masters as well -- everytime I call him to see if he and his girlfriend wants to go for drinks on the weekend, its generally just me and her because he is too busy studying.

The one thing I am learning in my jaunt in psychology is that very few understand the 'gifted'. The population just can't support it. We are on our own.

What would I have done differently? I would have not assumed I knew the answers, even if I did, but would have learned to ask less pointed, better questions. I would have learned to understand others takes on the world. I would have learned that the facts do not always make up the truth and vice versa. I would have learned individual experience is far more important than the end.

Who wants to teach someone who already thinks they know the answers? That should be your end statement. It sounds as though you haven't come to the conclusion that you aren't the shiniest apple in your basket yet? You might have in the past, but there will always be someone better and a bushel where you are only average. I place myself into situations like this all the time. I don't want to be the smartest because I will never learn. I surround myself by folks much smarter and I challenge myself even though I don't get what they are saying half the time -- and once I do, I find another peer group.

No one killed your inner spirt but yourself. Stop blaming others and get on with life. If you aren't challenged, that is your fault. Stop being the picked on geek because a lot of us have been there and we got over it. Some of us never get over it...don't be one of those people because they you will have proven that the others were right and you were wrong.

By the by, the one area I was never great in was grammar or spelling as noted by this post.

Re:More about saving face (was:Dumbasses.....)

[Anonymous Coward]

"nessisary"

Obviously didn't major in English.

As a teaching assistant at university for two years and as a part time trainer and "mentor" every since, I can tell you I much prefer to have students who get what I'm saying.

I got over 85% for courses that I did little study for and just scraped passes in courses I spent a lot of time working on. Some of the courses that most people I knew found easy I found difficult, some of the courses most people found difficult I found easy.

Your ability to get a good grade in one course does not make you particularly intelligent. Your apparent inability to realise you sound like a fool boasting about getting one good grade makes me think that you perhaps don't have a well rounded intelligence anyway.

I got a few stunningly good grades and a few stunningly bad grades. I beat a friend of mine in an exam once and she went on to get the highest GPA of anyone graduating from the entire university that year. Do I think I'm more intelligent than her? Of course not.

"The government does not do enought to help "gifted" students. By grade 4, i had learned to shut up and stay put. They killed my inner spirit."

Poor baby. I'm not normally a fascist like this but you need to get over it and realise that you aren't as smart as you think you are.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Lessons NOT learned

[AviLazar]

Haven't people learned, by now, that even if you have the best intentions at heart - doing this things will result in you getting in trouble. If you really want to test the security of an organization, get their upper management authorization (hell you could even make a profit).

If they were smart about it (and they have to be somewhat smart to do this) they could have spoken to their principal/advisor and gotten sanctions to do this - potentially earning some kind of HS credit or an award from the the school.

Re:More about saving face (was:Dumbasses.....)

[Lodragandraoidh]

Having the ability to run a root kit does not make one 'gifted'.

Still Illegal

[Flamesplash]

well it was still an illegal act. what if they had bought drugs on campus to demonstrate that it was possible and then turned around and gave the drugs to the police or administration? It's still illegal. They say they destroyed the SSNs/gave back all the weed, but who really knows. What if they sell the HD the numbers were stolen from and someone recovers them?

They could have done a little to cover their butts, like notifing a teacher ( anonymously ) about the intended act so there was foreknowledge they meant nothing about it, or even going to the principle and telling him the system was insecure and that they'd like to prove it.

Re:ridiculous

[ScentCone]

No, my analogy is spot on. Pretending that cracking into a system is just a benign way to demonstrate the vulnerability of that system - out of the sweetness of the students' innocent little hearts - is BS. Nothing would have come of this if they hadn't been caught. The man hours than have to be spent evaluating whether any data was corrupted or exposed to the wrong people (and the enduring risk that it was, even it can't be detected) is every bit as damaging as the man hours that will have to be spent repairing the broken window. In both cases, the students set off a damaging/costly chain of events. The difference is that once they replace the window, there isn't really any dangling question of whether or not even more future damage will occur from the original event. With stolen SSNs, the damage could be very costly, career/finances-ruining, and so on.

We're not talking about infringing on someone's copyrights here... we're talking about unlawful access to and use of a system, which is treated just like trespass and theft for a reason. Having a legal copy of media, and doing something illegal with it (such as giving it to 1000 people) is infringing. And even though that's every bit as bad a stealing something physically if the assigner of the copyright doesn't want you to do it, it's handled differently than theft. But when the person has their hands on something (like faculty social security numbers and private information) that they had no permission to access, they're in completely different territory.

Those are separate points though: my analogy was intended to illustrate the absurdity of claiming a get-out-of-jail-free-card just because (after getting caught) the crackers said they were exposing a vulnerability. You could make the same argument about picking the lock on a teachers car door, or (by any means) gaining access to something or someplace you're not supposed to be. And that makes the argument BS. It's even more BS when you take something (which, Gee!, they claim to have later deleted) to somehow prove your point. Except, they weren't planning on making a point - because they weren't planning on getting caught.

Breaking through the security on the school's IT system, or breaking through a lock on the office's doors, are the same thing. Getting caught should result in the same thing. When a student notices an unlocked door to an A/V storage room... are they doing the right thing when they tell a school official, or are they doing the right thing when they grab a laptop and a video projector and stay quiet, claiming later, when someone discovers the loss (and their fingerprints) that they were being good citizens and helping the school see a vulnerability? If you go to a lot of trouble to split hairs over the granularity of this analogy, rather than simply seeing the basic ethical truth of it... then you're just exercising that part of your brain that makes you feel better about pirating music. That's my guess, anyway, Mr. Anonymous Coward.

Re:ridiculous

[swillden]

If you do not receive permission do nothing.

And leave the problems intact until they screw others and perhaps you as well.

With a CYA attitude like yours, you really should work for the government.

Granted, that's the way to stay out of trouble, but sometimes getting things done requires risking some trouble. I'm speaking in the abstract here, not necessarily referring to these kids.