Student Charged With Three Felonies For Finding Security Flaw — and Report 547
Well, yet another teenage hacker who "did the right thing" by reporting a security flaw is being punished for his actions. Although it definitely sounds like the whole story may not be in the clear yet, a 15-year-old New York high school student has been charged with three felonies claiming that he accessed a file containing social security numbers, driver's license numbers, and home addresses of past and present employees ... and then sent an anonymous email to the principal alerting him to the security flaw. "All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks."
Re:Once again kids: (Score:5, Informative)
496 - 406 B.C. [bartleby.com]?
Re:Once again kids: (Score:3, Informative)
Watch this video, it's somewhat related to this:
http://video.google.com/videoplay?docid=8167533318153586646 [google.com]
It's probably the best video you will ever find if you're on the hot seat, worth 1,000,000 CSI episodes.
This helps too:)
http://www.youtube.com/watch?v=uj0mtxXEGE8 [youtube.com]
Re:Once again kids: (Score:5, Informative)
RTFA, not TFS...
"He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act."
Now that's the State Troopers words, and may not be true, but it's right there in the article itself. I suppose you could infer that he wanted to use the information he obtained for something other than blackmail (eg fraud), but if he wanted to do that he wouldn't have emailed the principal giving the game away, so blackmail is the obvious conclusion.
Re:Once again kids: (Score:5, Informative)
Re:Anonymous (Score:3, Informative)
The article I linked to explains exactly how they found him: they looked at the originating IP, which led them back to their own computer lab, and from there it was trivial to determine who was logged on to that machine at that time. He could have created a new email account just for this, but it would still be traceable without an anonymous proxy.
More info and name (Score:3, Informative)
Re:Improper disclosure? (Score:4, Informative)
Anybody who's ever administrated a school network should know that every kid is a potential "hacker," and you should be always keeping all the security up to date and patched regularly.
Not only that, but there should be an air-gap between the network students have access to and the faculty network that contains sensitive information.
And even faculty access to internal enterprise information fairly limited when logging into a student workstation.
Student-accessible computer nodes and network ports should be treated about as secure as unencrypted WiFi.
To access confidential materials from such a workstation, the teacher must connect to a VPN, preferably using 2-factor authentication with a token such as SecurID.
read more (Score:4, Informative)
http://www.youtube.com/watch?v=O_lwGWfO_Mk [youtube.com]
10 year old canada
http://www.youtube.com/watch?v=xakaLeLecvo&feature=related [youtube.com]
10 year old florida
http://www.nydailynews.com/news/ny_crime/2008/08/07/2008-08-07_cop_cuffed_me_on_bus_kid_says_in_suit.html [nydailynews.com]
10 year old girl NY
http://www.examiner.com/a-619947~Busted__7_year_old_cuffed__fingerprinted.html [examiner.com]
7-- in baltimore
Re:Improper disclosure? (Score:5, Informative)
Opening a closed but not locked door and entering a building without permission is still against the law. It is called breaking and entering.
He is not being punished for "wanting to do" something, he has not been punished for anything yet. He has been charged with a crime for something he did, namely "computer trespass" for accessing a system without permission.
Re:Improper disclosure? (Score:4, Informative)
Your analogy is flawed. Seeing that the elder's fly is open would be equivalent to somebody telling you the password. Logging in and poking around is like seeing the open fly and reaching in to see what you can find on the other side.
Simple rules, kids. If it's not yours, stay out. Most people have enough common sense to know that if my door isn't locked, or is even open, that does not constitute an invitation to come in. If discovered, you may be yelled at, soundly beaten, or arrested. Computer systems are the same way. If you access one against the wishes of the owner, they're going to be pissed and will do mean things to you for a multitude of fairly good reasons.
Re:Improper disclosure? (Score:2, Informative)
No, it's not. Breaking and entering actually requires you to either break in (forcing a door, picking a lock, breaking a window, etc.) or enter under false pretenses (lie about having permission to be allowed it, present false credentials, use a stolen ID card/entry card). Also, you must be shown to have had the intent to commit a felony, whether or not the felony actually occurred.
Therefore, if you open an unlocked door, and enter a building without permission, you are not breaking and entering. Trespassing, sure. But not B & E.
Why wasn't the "peer" charged? (Score:3, Informative)
Re:The RL equivalent is Breaking and Entering (Score:3, Informative)
The lock does not have to be "a super huge complex lock", merely a locking mechanism. You do not have the right to open or circumvent a lock just because the lock is flawed or flimsy.
If a piece of tape is placed over a door to keep it shut and you remove or break the tape, you are guilty of breaking and entering. [law.com]
Re:Improper disclosure? (Score:1, Informative)
breaking and entering [law.com]
n. 1) the criminal act of entering a residence or other enclosed property through the slightest amount of force (even pushing open a door), without authorization. If there is intent to commit a crime, this is burglary. If there is no such intent, the breaking and entering alone is probably at least illegal trespass, which is a misdemeanor crime. 2) the criminal charge for the above.
You are both ignorant and wrong. How does it feel?
mod down (Score:1, Informative)
Who modded this insightful?
Assuming he is convicted, in New York he will be disenfranchised ONLY while IN prison or ON parole. After that he will be able to vote again.
Know your rights.
Know the law.
Don't be a sheep.
Re:Improper disclosure? (Score:1, Informative)
Yes, it does. Now, if you enter and they ask you to leave, you are required to leave. But as long as you leave when asked, you have not committed any crime. Giving you the key gives implied consent that can only be countered by explicit declaration of non-consent.
At least, that's what the cops said when my ex tried to press trespassing charges against me several years ago...
Re:Improper disclosure? (Score:3, Informative)
Your belief is irrelevant. What matters is what the law actually defines as breaking and entering.
breaking and entering [law.com]
n. 1) the criminal act of entering a residence or other enclosed property through the slightest amount of force (even pushing open a door), without authorization. If there is intent to commit a crime, this is burglary. If there is no such intent, the breaking and entering alone is probably at least illegal trespass, which is a misdemeanor crime. 2) the criminal charge for the above.
No. Having the ability to access does not provide one with the right or permission to access.
Your analogy is false because it assumes he had permission to be in the school after-hours. It also puts the purse in an area where he might have permission to access. Move to purse to a teacher-only area and close the door and you have a true analogy.
Re:Password use (Score:3, Informative)
This quote from the news article is especially telling:
All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks.
"A district password" in this quote sounds a lot like "a student or faculty account" to me. Doesn't sound like any hacking occurred at all.