Student Charged With Three Felonies For Finding Security Flaw
Well, yet another teenage hacker who "did the right thing" by reporting a security flaw is being punished for his actions. Although it definitely sounds like the whole story may not be in the clear yet, a 15-year-old New York high school student has been charged with three felonies claiming that he accessed a file containing social security numbers, driver's license numbers, and home addresses of past and present employees ... and then sent an anonymous email to the principal alerting him to the security flaw. "All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks."
kind of like being an eyewitness (Score:5, Interesting)
Or simply, "Who ever smelt it, dealt it."
Forget that this kid was doing a service to report the flaw, they are more concerned with why the kid was trying to access the site in the first place.
Blackmail (Score:5, Interesting)
If you read the whole article, it sounds a bit like he might have been trying to blackmail the school with the details of the hack. As theregister notes, the email contents aren't available, and the quote "He ... was looking to profit from his criminal act." also suggests that he may have been blackmailing the school.
I'd like to hope so, at least, because otherwise the school is going WAY overboard...
Re:Once again kids: (Score:1, Interesting)
From reading between the lines in those articles, it's more of a case of, "Using a security hole to attempt to blackmail your principal is not just stupid, it's utterly moronic".
I don't think nobility even crossed the kid's mind.
Difficult to tell until there's more information though
He's not going to be tried for those crimes (Score:5, Interesting)
If he maintained his innocence and demanded a jury trial he'd have a good chance of being found innocent and if not the penalty would probably be minor. His behaviour just isn't that of a criminal. The whole system is broken. It's a game of bluff, but the stakes are the liberty of innocent people.
Re:Once again kids: (Score:5, Interesting)
Not asked? Don't tell! (Score:1, Interesting)
In middle school, I confessed to being able to read quite a few teachers' emails. Most of their passwords were the same as their username or, in the two cases it wasn't, I guessed... One was as easy as 'jesus' ... I had to write a 2 page paper on cyber ethics. From then on I never confessed to anything again... I'm a senior in high school, but from time to time I still see if I can get in their accounts and there is one that hasn't changed after all this time. :P
Re:Well, another victim of "the book" (Score:1, Interesting)
I don't understand the US.
In all Euro countries a kid would be sentenced according to juvenile law (with much, much lower sentences) and it would be highly unlikely that he could get any prison sentence for stuff like that.
Heck even the German guy who wrote the Blaster worm (?) just got some fine and social work to do.
Furthermore, all records are officially deleted after a relatively short time (2 years ?), so a kid would never be screwed for the rest of his life.
What's wrong with the US ?
Foolish, but a lesson learned (Score:2, Interesting)
He did the equivalent of finding a hole in someone's fence, breaking through the fence into the person's property, and then having a look around before telling the owner "hey, your fence has a hole in it". The kid was foolish here, assuming he had the best of intentions.
But hey, at least the kid learned a valuable (and sad) lesson in life:
No good deed goes unpunished.
Re:Blackmail (Score:4, Interesting)
No!
If anyone would have taken a minute to actually think about this, the claims do not make sense.
If the kid was trying to blackmail the school, why sign as 'a student'?
How will 'a student' profit from this?
Fix the grades of 'a student' in the database?
Blackmail is 'give me something or else'.
As there is no *me* involved, it is not blackmail.
Claiming that it is blackmail because the kids had revealed the security flaw and thus could repeat it is just wrong.
This smells of BS all the way. The school comes up with false allegations to cover their asses and make the kids look like criminals.
Sure, the kids were doing something they should not but their actions after that should null the previous offense.
Re:Well, another victim of "the book" (Score:4, Interesting)
There are a few possible scenarios by this statement - all of them conjecture. At this time, the article is very light on detail.
Conjecture #1) He was indeed using it for blackmail or other nefarious means.
If this is the case, nail his behind to the wall.
Conjecture #2) He simply reported the problem and the typical knee-jerk reaction ensues.
If this is the case, let him pay off his transgression by working with the people on the IT Team so he can be mentored and more easily monitored. Mentoring is the key element to his natural progression toward becoming a productive citizen.
Conjecture #3) He was showing off his leet h4x0r 5k1llz by attempting to embarrass the admins at that facility.
This is a tough one. I don't want to see some kid's life completely ruined because he didn't understand the ramifications of his actions. Certainly, he should be punished but let's not lose our minds. Again, mentoring would probably go a long way in waking this kid up.
Re:Once again kids: (Score:3, Interesting)
A rather nastier way:
Get the file and take it home. Load it in a VM and do your stuff in there. Cut to all the juicy parts (like all the rich people's kids and such). Now, print about 50 of these, using yellow-dot hackers to obfuscate your printer.
Now take these papers and litter them around at a PTO meeting. Heads Will Roll. Just make sure to make yourself scarce so yours won't.
Well (Score:5, Interesting)
My only comfort was that I had reported the findings anonymously.
And yes - the municipality was charged. The period for prosecution for my 'crime' has expired.
Re:Once again kids: (Score:4, Interesting)
Reporting a security hole is not noble, it's stupid.
I can't help but wonder how much the slashdot perception of the stupidity of reporting security holes to your sysadmins is due to selective reporting.
Ever noticed all the stories that say "User thanked for quietly reporting a subsequently fixed security problem"? Not exciting.
But it happens. I've reported a security issue to root, with three user names (!= my own) that I'd found the password to and the method I used. They said it was okay and they'd changed them, and later enabled /etc/shadow.
Trying-to-balance-out-the-selective-reporting'ly yours --Jonas K
Re:Once again kids: (Score:1, Interesting)
Re:Once again kids: (Score:5, Interesting)
My dad made a point of teaching me that if I see a car with the headlights left on, and unlocked, and the owner's not around, to reach in and turn them off. If I see something that looks like a neighbor's made a mistake, to take the risk of being accused and do the right thing. To even take the risk of being wrong and do what I think is the right thing. The older I get, the smarter he seems.
One of the benefits of getting older is the increased willingness to be counter to a trend.
Re:Improper disclosure? (Score:2, Interesting)
Or trying to help people who have to give up their SSNs to organizations that are grossly incompetent...
Hrm.. since the student's own SSN was in the file, he should have a right to perform a reasonable amount of testing (if he wishes), to ensure that unauthorized persons cannot gain access to his SSN.
Provided the student doesn't commit other crimes like breaking into an office and stealing a faculty member's sticky note with the district password on it.
Re:kind of like being an eyewitness (Score:2, Interesting)
I'm in your backyard getting my cat -- your house is on fire -- sure don't want to call the Fire Dept - I might get accused of trespassing.
Change your story a little. You saw a lot of smoke rising, and you were concerned about your neighbors, or about a possible safety hazard, so that's why you climbed the fence to go over and investigate...
The "trespassing" wasn't a crime, since there were exceeding circumstances that demanded your attention :-)
You have the right to defend your life and property against certain hazards (like an out of control fire), even if they are on an adjacent neighbor's property.
I wonder.... (Score:3, Interesting)
I wonder if any of those 'whistleblower' protection statutes would apply in this case.
If I use a cheap lock is it ok to steal? (Score:2, Interesting)
In this case the kid used a master key and got into the house, stole and then tells the owner that he should put in a 1000 USD lock and this 100 USD lock sucks!! Is it still not breaking in? Agreed, public offices should have very very good locks but does that weak lock (wrong) make the kid's theft right?
From the law's perspective - the kid should get punishment for breaking in and the owner too should get punished for putting confidential records under weak security.
When the shoe is on the other foot (Score:3, Interesting)
You are the administrator of a system that an alleged "Good Samaritan" has been trying to hack.
The successful hack would, of course, substantially increase your employer's legal and financial exposure.
But - as a fellow geek, and the trusting soul you are - you believe his motives were as pure as the driven snow.
You believe him when he says "no harm, no foul."
You see no reason for an audit - much less a re-build from scratch.
You have a new career opportunity opening up soon as a greeter at Wal-Mart.
Re:Improper disclosure? (Score:5, Interesting)
Opening a closed but not locked door and entering a building without permission is still against the law. It is called breaking and entering.
IANAL, and I'm just guessing, but wouldn't that be trespassing? I mean, if you're breaking and entering, I would assume that requires the breaking of something, right?
He has been charged with a crime for something he did, namely "computer trespass" for accessing a system without permission.
There you go.
I would also like to know more about the circumstances. I don't think curiosity should be a crime, and I do think there should be a much more rigid definition of what constitutes "unauthorized access" -- in particular, I think the burden should be to show that the access was, in fact, unauthorized, rather than requiring everyone to keep a clear record of authorization from every site we've ever accessed.
Having read TFA, it looks very much like, by any technological definition, he was authorized. There would have to be pretty clear indications that he wasn't supposed to be there.
And even if he was entirely at fault, this is also entirely the wrong way to go about it. The lesson to be learned here, from any other student who's paying attention, is simply to not tell anyone what you know.
Re:Improper disclosure? (Score:2, Interesting)
Agreed, Dhasenan. How he came across the information is irrelevant. He didn't abuse the security breach and he reported it to the relevant authorities.
For years our society had the nasty habit of punishing women who reported rape, and where did that get us as a society? Let's not repeat this mistake with computer security issues.
We need better whistleblower laws that don't force (Score:3, Interesting)
We need better whistleblower laws that don't force you to use your own name. Just look at the guy who uncovered voter fraud and got hit with a few felonies.
Re:Improper disclosure? (Score:3, Interesting)
Depending on the system you're accessing and the facilities available to that type of connection and system, it may not be possible to determine the contents of a file without obtaining a copy.
If I've compromised a password and access a remote system using SSH, I have full control of the facilities available on that system. I can view the contents of files without transferring the files to my own system.
On the other hand, if I'm accessing a remote system via Windows networking, I have few options. I can move, copy or delete the file limited by permissions set on the remote system.
The police should be more interested in HOW he obtained the password. It's likely that he didn't guess it, but that someone told him what it was. He decided to do the right thing and notify the school administration. The police should attempt to work with the boy to determine how many other people have obtained copies of that file and were not noble enough to do the right thing.
Re:Is the boy the only guilty one? (Score:2, Interesting)
Depends if that door is the only thing stopping them from walking off with a ton of private data other people have entrusted to you.
Re:Once again kids: (Score:1, Interesting)
I'm the systems administrator for a medium-sized public school district in the US and I would do exactly what your Australian sysadmin did. No need to paint everyone in the US with the same brush.
If a student here got access to a secured folder on a server through their own account, that's my fault, not theirs. I'll thank the student for telling me, ask them to keep me informed of future problems, close the security hole, and let my bosses know what happened.
Now, if the student was in ANY WAY doing anything dodgy to gain access to those secure areas then I would immediately ban them from using our computer systems then tell my bosses and let them deal with the student. That includes using any other user's account for ANY reason, which is strictly prohibited, good intentions or not.
Re:Improper disclosure? (Score:3, Interesting)
The poster above (below?) me with the law.com link is correct. And in case you think it's legalese or unenforced:
I opened an unlocked door once and entered a room I shouldn't have. I got arrested for, and was never acquitted of, breaking and entering.
I was also facing felony trespass because they thought I was intending to commit a crime (I clearly wasn't). When pressed, they said the crime was trespassing. So, trespassing with intent to trespass. Thankfully, my lawyer was competent and the charge was dropped. But anywho, B&E does occur by simply pushing a door open.
Re:BZZZZT RTFA (Score:3, Interesting)
A kid with too much time on his hands? Take it easy grandpa! Those damn kids. When I was a kid we had to walk 5 miles uphill in the snow each way to get time on our hands.
By hacking you mean logging into a system with the password they gave you?
Re:Improper disclosure? (Score:4, Interesting)
Am I the only one who finds this crazy? Are we to go around scared of opening doors? Is there any implied consent (i.e. should I call up the gas station attendant to open their store door so I'm not B&E when I go in to pay the bill?)
do the right thing... (Score:3, Interesting)
Say nothing.
Human nature is to "shoot the messenger." So don't tell.
Once upon a time in university I noted a file in the temporary directory on one of computer science's machines with read access to all on the entire student name/id list. This was a byproduct of registration, and the ids were used as the passwords for first log in. But student ids were used for much more, and this list was also bigger than computer science... I complained to the comp sci sys admins; who said "gee thanks, we'll change that." But the file kept appearing. So I contacted the computing services admins; who said "gee thanks, we'll talk to the comp sci guys." The result of which was "this doesn't happen any more". So I sent a current directory list. No response. Then I posted the file (two months after it was supposedly fixed) to the internal security newsgroup. [I lost my access privs and was almost expelled.]
The moral of the story... don't tell people they f*cked up and sure as heck don't show them, because you just make them look bad, and there is a fine line between ethical behavior and questionable judgement.
Re:Improper disclosure? (Score:3, Interesting)
The statement still stands that he has been punished
Yes, and hopefully this will teach him a valuable lesson: When you find things like this, you shouldn't be so stupid as to report them to the people who might be able to fix the problem. You should keep the information to yourself, until you find someone who is willing to pay you for the information. Then, instead of giving your knowledge away for free like a fool, you are acting like a true entrepreneur and looking for ways to profit from your hard-earned knowledge. Such profit-making enterprise is the sort of thing that this world honors and praises, not helping people by volunteering your time and knowledge.
Maybe next time he'll know better.