
Student Charged With Three Felonies For Finding Security Flaw — and Report

ScuttleMonkey posted more than 5 years ago | from the no-good-deed-goes-unpunished dept.

Security 547

Well, yet another teenage hacker who "did the right thing" by reporting a security flaw is being punished for his actions. Although it definitely sounds like the whole story may not be in the clear yet, a 15-year-old New York high school student has been charged with three felonies claiming that he accessed a file containing social security numbers, driver's license numbers, and home addresses of past and present employees ... and then sent an anonymous email to the principal alerting him to the security flaw. "All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks."


Improper disclosure? (5, Insightful)

sethstorm (512897) | more than 5 years ago | (#25538735)

Was there any bit of responsible disclosure, because it sounds a bit like "killing the messenger". While there may be discipline in order, this seems to be overkill if he was really intending to do the right thing.

Re:Improper disclosure? (4, Insightful)

SQLGuru (980662) | more than 5 years ago | (#25539075)

I guess part of me wants to know how he found out. If he found out by accident, then yeah, this is a case of "No good deed goes unpunished"....but if he was looking around for something to hack and found more than he was expecting, then there should be some punishment (though probably not three felony charges).....

Layne

Re:Improper disclosure? (5, Insightful)

eggled (1135799) | more than 5 years ago | (#25539079)

From TFA:

School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks

So, thousands of people have had access to this file, and the one person who tried to report it (and was tracked down) is being charged with felony counts of computer access and identity theft? And they're not checking to see if anybody else has tried to access this file, to indict them, as well? Definitely seems like a case of shoot the messenger. According to a state trooper interviewed in TFA,

He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act.

I didn't see anything about him trying to profit, though... He sent an email to the principal (contents unknown), from an anonymous email address, signed 'A Student'. Without more info, I'm inclined to speculate that he didn't really appear to be attempting to profit. (Wouldn't it be better to keep this a secret and profit from the information, if that was really his intent?)

Re:Improper disclosure? (5, Insightful)

Spazztastic (814296) | more than 5 years ago | (#25539213)

I didn't see anything about him trying to profit, though... He sent an email to the principal (contents unknown), from an anonymous email address, signed 'A Student'. Without more info, I'm inclined to speculate that he didn't really appear to be attempting to profit. (Wouldn't it be better to keep this a secret and profit from the information, if that was really his intent?)

All they're doing is making an example out of him. A company did the same thing a few years back with a white hat (whose name I can't remember, and I can't find my copy of The Art of Deception/Intrusion to look up his name). He produced the error, sent them a paper on it, then they claimed that in the span of 6 months he used their service illegitimately for his own benefit.

I guarantee whoever designed their security infrastructure had their ego shattered by this and in a fit of nerd rage decided to strike back with everything he could.

Re:Improper disclosure? (5, Insightful)

theaveng (1243528) | more than 5 years ago | (#25539273)

A sniper rifle aimed at the head of the principal and/or prosecutor also works: "Don't try to 'make examples' of good, decent people trying to do the right thing. Else YOU will be made an example of how Liberty-loving people deal with out-of-control Tyrants."

Okay, I joke.

But any politician hearing about this unfair prosecution ought to update the "Good Samaritan Law" so it not only protects people trying to save injured persons, but also protects people trying to help schools/companies by revealing security flaws in their system.

Re:Improper disclosure? (4, Insightful)

Sancho (17056) | more than 5 years ago | (#25539339)

But any politician hearing about this unfair prosecution ought to update the "Good Samaritan Law" so it not only protects people trying to save injured persons, but also protects people trying to help schools/companies by revealing security flaws in their system.

That's one of the best ideas I've heard all day. Unfortunately, because politicians are about as dumb as a bag of bricks when it comes to computers, all they'll see is what the media shows them i.e. "Bad hacker got caught!"

Re:Improper disclosure? (5, Insightful)

diskofish (1037768) | more than 5 years ago | (#25539383)

That is exactly right. From the sound of the article, the files were in plain sight for anyone who had access to the network (though it is unclear). If they are going to charge the kid, then the network engineer should be hit with the same charges. There is definitely some minimum amount of security required, or else it's just pure negligence. Anyone who's ever administered a server knows they are probed ALL the time.

Re:Improper disclosure? (5, Insightful)

Spazztastic (814296) | more than 5 years ago | (#25539445)

Anyone who's ever administered a server knows they are probed ALL the time.

Anybody who's ever administrated a school network should know that every kid is a potential "hacker," and you should be always keeping all the security up to date and patched regularly.

Re:Improper disclosure? (1)

rholtzjr (928771) | more than 5 years ago | (#25539335)

Disclosure has nothing to do with this, this is a 15 year old telling an adult he is full of s#!! and proving it in the process. My suggestion is to get a REAL network administrator!

That will show them. (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25538739)

How will our Nation produce more geniuses like George Bush or Simon Grybgersczywy if free computing is punished by the authorities who eat cake and pies with impunity? We will be overtaken by Italians! This calls for

Re:That will show them. (0)

Anonymous Coward | more than 5 years ago | (#25538995)

"will be overtaken by the Italians" ???? The mafia is run by whom, in your opinion?

Re:That will show them. (1, Funny)

Anonymous Coward | more than 5 years ago | (#25539027)

"Simon Grybgersczywy" no idea who he is but he was obviously at the back of the queue when the vowels were handed out.

F1RST P0ST (-1, Redundant)

master5o1 (1068594) | more than 5 years ago | (#25538741)

Oh yeah I've been waiting to do this for ages... hope it lasts. Anyway... This is ridiculous. He should be awarded for not using them numbers for selfish personal gain rather than this.

Re:F1RST P0ST (1)

master5o1 (1068594) | more than 5 years ago | (#25538747)

damn... refresh-to-post time / etc was far too late... damn New Zealand / US internet relations :(

Re:F1RST P0ST (0)

Anonymous Coward | more than 5 years ago | (#25538777)

too bad you weren't f

Re:F1RST P0ST (0)

Anonymous Coward | more than 5 years ago | (#25538857)

irst.

kind of like being an eyewitness (5, Interesting)

Vandil X (636030) | more than 5 years ago | (#25538743)

The person who reports the crime is often the first suspect or person of interest.

Or simply, "Who ever smelt it, dealt it."

Forget that this kid was doing a service to report the flaw, they are more concerned with why the kid was trying to access the site in the first place.

Re:kind of like being an eyewitness (1)

jonaskoelker (922170) | more than 5 years ago | (#25539189)

The person who reports the crime is often the first suspect or person of interest.

Which is why you do it anonymously, with cutouts from magazine headlines [oh noes, teh police can identify your cut-and-paste gluing style]. If you want to send email, use tor and a one-time account.

There, done. Next problem... Or not?

--Jonas K

Once again kids: (4, Insightful)

yttrstein (891553) | more than 5 years ago | (#25538745)

Reporting a security hole is not noble, it's stupid.

Re:Once again kids: (1)

Kokuyo (549451) | more than 5 years ago | (#25538779)

As sad as it is, the smart thing to do is pump your fist in the air for a job well done and move along.

There should be a law against stupid people.

Re:Once again kids: (1, Interesting)

mabinogi (74033) | more than 5 years ago | (#25538787)

From reading between the lines in those articles, it's more of a case of, "Using a security hole to attempt to blackmail your principal is not just stupid, it's utterly moronic".

I don't think nobility even crossed the kid's mind.
Difficult to tell until there's more information though

Re:Once again kids: (1)

Zencyde (850968) | more than 5 years ago | (#25538883)

How exactly did you gain that from the article? There's always the chance that he was just curious about accessing it. Where was there any note of blackmail? You must remember that this sort of thing happens all the time.

Re:Once again kids: (4, Informative)

jamesh (87723) | more than 5 years ago | (#25539001)

Where was there any note of blackmail?

RTFA, not TFS...

"He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act."

Now that's the State Trooper's words, and may not be true, but it's right there in the article itself. I suppose you could infer that he wanted to use the information he obtained for something other than blackmail (e.g. fraud), but if he wanted to do that he wouldn't have emailed the principal giving the game away, so blackmail is the obvious conclusion.

Re:Once again kids: (1)

Zencyde (850968) | more than 5 years ago | (#25539039)

Would the kid really have a username and password to the server? Of COURSE he used someone else's username and password. Assuming it was a brute force (details on the hack?), he would have had to use it anyway. Also, it's smarter to cover your tracks by using another username and login.

Re:Once again kids: (4, Informative)

Homr Zodyssey (905161) | more than 5 years ago | (#25539161)

Actually, according to the school's own website [shenet.org], "Due to a configuration error, this file was not completely secured from student password access after being moved to a new server." This implies that the kid could have done it with his own account.

Re:Once again kids: (1)

Zencyde (850968) | more than 5 years ago | (#25539243)

Interesting. Well, the report also noted that he had a friend helping him. Could it be possible that he used his friend's account?

Re:Once again kids: (4, Insightful)

Sancho (17056) | more than 5 years ago | (#25539425)

And this fiber right here is exactly why it doesn't make sense to jump to conclusions. What sparse information we have is conflicting. Where does the profit motive come into play? Where's the profit in alerting the authorities when you find a hole like this? What do they mean by "used someone else's username and password?"

We don't know if the kid's being hung out to dry, or if this is an appropriate response to the actions taken. Yet all throughout the comments, you see people immediately assuming that the kid is being martyred.

I'm not even saying that the kid isn't. I'm just saying that we don't have any clue based upon the presented facts, so taking one side or the other is a bit like American politics--pick a side and pretend you're at a football match.

Re:Once again kids: (1)

Uberbah (647458) | more than 5 years ago | (#25539081)

Now that's the State Trooper's words, and may not be true, but it's right there in the article itself.

Sure, sure, just like how people who sit at home, smoke pot and order a pizza are a threat to society. Not buying it.

Re:Once again kids: (0)

Anonymous Coward | more than 5 years ago | (#25539537)

No, that he was giving them the information to fix the problem, without any other indication of malice (why would he report it if he wanted to make money from it) that is the obvious conclusion. Oh, and don't believe anything a cop says, they only want to get their suspect in jail, the attorneys should do the defending so in their mind that excludes them from any obligation to the actual truth.

Re:Once again kids: (4, Insightful)

GrumblyStuff (870046) | more than 5 years ago | (#25538821)

How did it ever come to this anyway?

Seriously, what the fuck happened to common sense? Where and when did society decide that a problem is only a problem if it is found?

At this rate, I'll be surprised if people even call the cops or the fire department to report a crime/fire.

Re:Once again kids: (4, Insightful)

Swizec (978239) | more than 5 years ago | (#25538881)

If I wasn't implicitly involved I'd never go to the trouble of calling the coppers for anything. Let the victim call them, I don't want to be involved in any way, because most of the time it's just more trouble than it's worth.

Think about it, if I report a problem I'll be the main suspect for a while, I'll have to be interrogated and I don't think they're ever nice about it, I'll potentially have to appear at court and it's just overall too much of a mess. I have my own shit to deal with.

Re:Once again kids: (2, Interesting)

LordAlced (1279598) | more than 5 years ago | (#25539287)

Two words (or one name, if you will): Kitty Genovese. The bystander syndrome is maladaptive.

Re:Once again kids: (1)

PopeRatzo (965947) | more than 5 years ago | (#25539357)

The bystander syndrome is maladaptive.

Then thank god there are so many of us who are maladapted.

Re:Once again kids: (4, Informative)

MrMr (219533) | more than 5 years ago | (#25538953)

Where and when did society decide that a problem is only a problem if it is found?
496 - 406 B.C. [bartleby.com] ?

Re:Once again kids: (5, Insightful)

Anonymous Coward | more than 5 years ago | (#25539017)

A man approaches a stranger and says, "Hey, I noticed your shed is unlocked." The stranger responds, "What were you doing in my backyard?"

It's not that the unlocked shed isn't a problem. It's that there is also the issue of what the person was doing there in the first place and is anything missing.

With a shed, it's not much of a problem. Check to make sure nothing is missing. Charge them with trespassing if you are so inclined.

With a computer, especially a government or business computer, it's more complicated. You can't just take a peek and make sure nothing happened. Insurance issues alone probably require that they press charges to the full extent the law allows. Doing so also keeps the ball squarely in the court of the alleged victim.

If the person had a legitimate reason for being where he was, no charges are going to stick. If he didn't, he might be in some trouble.

In ANY case, the GP is right. Just don't do it.

While we're on the subject, don't talk to cops without a lawyer, either.

Re:Once again kids: (0, Flamebait)

Jane_Dozey (759010) | more than 5 years ago | (#25539043)

Bah, posting to undo bad moderation (sorry)

Re:Once again kids: (5, Interesting)

PopeRatzo (965947) | more than 5 years ago | (#25539407)

The stranger responds, "What were you doing in my backyard?"

My dad made a point of teaching me that if I see a car with the headlights left on, and unlocked, and the owner's not around, to reach in and turn them off. If I see something that looks like a neighbor's made a mistake, to take the risk of being accused and do the right thing. To even take the risk of being wrong and do what I think is the right thing. The older I get, the smarter he seems.

One of the benefits of getting older is the increased willingness to be counter to a trend.

Re:Once again kids: (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25539469)

You are storing my personal details along with many other people's in a 'garden shed'. I should have a right to expect the 'shed' is locked with some form of basic security.
I should be able to test such security to my satisfaction.
The 'shed' is locked. Everyone has a key with a paper tag on it with their name.
Each access only sees by default their own data based on the paper tag, if once opening the shed if the user 'looks' around they have access to all the other 'secure' data.
don't 'not do it', DO IT!
or suffer and someone else does.
maybe not today maybe not tomorrow, but sometime and for the rest of your ... PROFIT!

Re:Once again kids: (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25539535)

There's a big difference, using your metaphor, between walking past a shed (let's assume you have permission to be on the property in general, as this student did) and you try the handle and it swings open. Is telling the groundskeeper that his shed is wide open and unlocked a bad thing, or even potentially illegal? No. It's not like this kid broke through serious encryption, he just used a (well) known password used by "thousands of" other people, and as far as we can tell, then reported it.

This crap happened to me and I'm sure a lot of others on /. as well when I was in HS. Security was never strict enough - on my school's Novell network they left the admin program wide open on a network mounted drive. When I pointed it out to the netadmin, I had to explain it 4 times before he understood, and then they suspended me for 2 weeks.

-R

Re:Once again kids: (5, Interesting)

WingedGlobe (1394653) | more than 5 years ago | (#25538891)

While there are doubtlessly many clueless administrators in the world, there's also something to be said about being smart in protecting yourself. During high school, I poked around aimlessly on some network drives and found an unsecure, unencrypted text file of sensitive personal information on a lot of students. I didn't really have any business looking, but there was also nothing at all keeping me out. Instead of talking to the first administrator I could find or shooting off a "Hey look at this" email, I spoke to the instructor with whom I had the best relationship and could convince that I had no bad intentions, showed him the problem, and asked him to escalate it anonymously. He did so, the problem was fixed, case closed.

Re:Once again kids: (2, Interesting)

Creepy Crawler (680178) | more than 5 years ago | (#25539083)

A rather nastier way:

Get the file and take it home. Load it in a VM and do your stuff in there. Cut to all the juicy parts (like all the rich people's kids and such). Now, print about 50 of these, using yellow-dot hackers to obfuscate your printer.

Now take these papers and litter them around at a PTO meeting. Heads Will Roll. Just make sure to make yourself scarce so yours won't.

Re:Once again kids: (2, Insightful)

cheater512 (783349) | more than 5 years ago | (#25539327)

I found plenty of holes.

The sys admins were smart enough to realize that I could be an asset to them.
I meant no harm so they gave me free rein basically.
All I needed to do was report back to them any flaws.

Mind you this was in Australia, not the US so less knee jerk and more common sense.

Re:Once again kids: (0)

Anonymous Coward | more than 5 years ago | (#25538909)

My favorite line from "Love Actually": Hiya kids. Here is an important message from your Uncle Bill. Don't buy drugs. Become a pop star, and they give you them for free.

Don't report security problems to people whom you'll embarrass with your report. Report them to people who could exploit the bug and you'll even get some money for your information.

Re:Once again kids: (3, Informative)

Anonymous Coward | more than 5 years ago | (#25538981)

Watch this video, it's somewhat related to this:

http://video.google.com/videoplay?docid=8167533318153586646 [google.com]

It's probably the best video you will ever find if you're on the hot seat, worth 1,000,000 CSI episodes.

This helps too:)
http://www.youtube.com/watch?v=uj0mtxXEGE8 [youtube.com]

Re:Once again kids: (0)

Anonymous Coward | more than 5 years ago | (#25539055)

something similar happened in my uni, but in really small scale, so they just got angry and nothing else...

i did find some sec. holes, and i'm gonna report them
...

by printing a nice "howto: get everyone's password!" and taping it in our lab door :)

hey, i tried to tell them....

ac for obvious reasons

Re:Once again kids: (3, Interesting)

jonaskoelker (922170) | more than 5 years ago | (#25539255)

Reporting a security hole is not noble, it's stupid.

I can't help but wonder how much the slashdot perception of the stupidity of reporting security holes to your sysadmins is due to selective reporting.

Ever noticed all the stories that say "User thanked for quietly reporting a subsequently fixed security problem"? Not exciting.

But it happens. I've reported a security issue to root, with three user names (!= my own) that I'd found the password to and the method I used. They said it was okay and they'd changed them, and later enabled /etc/shadow.

Trying-to-balance-out-the-selective-reporting'ly yours --Jonas K

Re:Once again kids: (1)

n3tcat (664243) | more than 5 years ago | (#25539527)

And I skipped your post just as quickly as I skipped TFA too.

Anonymous (1)

Heather D (1279828) | more than 5 years ago | (#25538749)

If the email was anonymous how did they find him?

After accessing the information, he sent an email alerting the principal to the breach and signed it "A student." With the help of the district's IT department, the principal identified the boy as the culprit.

Ah, looks like it wasn't anonymous at all.

Re:Anonymous (0)

Anonymous Coward | more than 5 years ago | (#25538817)

He should have just posted as AnonymousCoward. Or signed his email that way.

-Anonymous Coward

Re:Anonymous (5, Funny)

Farmer Tim (530755) | more than 5 years ago | (#25538859)

The astounding part is that the same IT department that left the security hole open succeeded in tracking the kid down. I don't think anyone would have seen that coming.

Re:Anonymous (1)

Swizec (978239) | more than 5 years ago | (#25538887)

Something tells me the kid just wasn't smart enough to create a new e-mail address for this.

Re:Anonymous (1)

Farmer Tim (530755) | more than 5 years ago | (#25539071)

Ah, but then it wouldn't have been anonymous. Besides, from this article [dailygazette.com] :

"He sent an e-mail to his principal saying, 'Look what I have,'" DeFeciani said. "That was at 1 [p.m.] Tuesday, and within two hours we knew who he was."

As bad with computers as teachers are (in my experience, anyway), looking at the "From" field would have taken about two seconds. Then again, it's plausible that it really did take the IT people nearly two hours to find it...

Re:Anonymous (1)

Swizec (978239) | more than 5 years ago | (#25539115)

My bet is they looked at the "from" field, then had to somehow look-up the email and find out whose it was. People don't always put their full name in an e-mail address, but rather a nickname and then you have to look up the nickname and trace it to the name via the tubes.

Re:Anonymous (2, Informative)

Farmer Tim (530755) | more than 5 years ago | (#25539209)

The article I linked to explains exactly how they found him: they looked at the originating IP, which led them back to their own computer lab, and from there it was trivial to determine who was logged on to that machine at that time. He could have created a new email account just for this, but it would still be traceable without an anonymous proxy.
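
The lookup described in the comment above (originating IP, then who was logged on to that lab machine at that time), as an added example that is not part of the thread or the linked article. The header layout, logon-log format, addresses and account names are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: headers of the message as stored by the receiving server.
RAW_MESSAGE = """\
Received: from webmail.example.net (webmail.example.net [203.0.113.25])
\tby mx.district.example with ESMTP id 4F2A1
\tfor <principal@district.example>; Tue, 21 Oct 2008 13:02:11 -0400
Received: from [198.51.100.17] by webmail.example.net with HTTP;
\tTue, 21 Oct 2008 13:02:09 -0400
From: a.student@example.net
To: principal@district.example
Subject: security problem

(body omitted)
"""

# Constructed sample: lab logon records as "timestamp event workstation-ip account".
LOGON_LOG = """\
2008-10-21T12:48:30-04:00 LOGON  198.51.100.17 jdoe
2008-10-21T13:20:05-04:00 LOGOFF 198.51.100.17 jdoe
2008-10-21T12:55:00-04:00 LOGON  198.51.100.18 asmith
2008-10-21T13:30:00-04:00 LOGOFF 198.51.100.18 asmith
2008-10-21T13:21:00-04:00 LOGON  198.51.100.17 bnguyen
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def first_hop(raw_message):
    """Return (client_ip, timestamp) from the earliest Received header.

    Each relay prepends its own header, so the last one in the list is the
    first hop. It is only as reliable as the server that wrote it.
    """
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        raise ValueError("no Received headers")
    earliest = received[-1]
    match = IP_IN_BRACKETS.search(earliest)
    if match is None or ";" not in earliest:
        raise ValueError("earliest hop lacks a client address or timestamp")
    stamp = earliest.rsplit(";", 1)[1].strip()
    return match.group(1), parsedate_to_datetime(stamp)


def parse_sessions(log_text):
    """Pair LOGON/LOGOFF records into (ip, account, start, end) tuples.

    A logon with no matching logoff is kept with end=None (still open).
    """
    open_sessions, sessions = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, event, ip, account = line.split()
        when = datetime.fromisoformat(stamp)
        if event == "LOGON":
            open_sessions[(ip, account)] = when
        elif event == "LOGOFF" and (ip, account) in open_sessions:
            sessions.append((ip, account, open_sessions.pop((ip, account)), when))
    sessions.extend((ip, acct, start, None)
                    for (ip, acct), start in open_sessions.items())
    return sessions


def candidate_accounts(ip, when, sessions, skew=timedelta(minutes=2)):
    """Accounts logged on at `ip` around `when`, allowing for clock skew.

    More than one result means the evidence is ambiguous. A single result
    names an account, not a person: a borrowed password looks identical.
    """
    hits = set()
    for s_ip, account, start, end in sessions:
        if s_ip != ip:
            continue
        if start - skew <= when and (end is None or when <= end + skew):
            hits.add(account)
    return sorted(hits)


def attribute(raw_message, log_text):
    """Full lookup: first-hop address, then accounts active on that machine."""
    ip, when = first_hop(raw_message)
    return ip, candidate_accounts(ip, when, parse_sessions(log_text))


if __name__ == "__main__":
    print(attribute(RAW_MESSAGE, LOGON_LOG))
```
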

Re:Anonymous (1)

BiggerIsBetter (682164) | more than 5 years ago | (#25539049)

Honeypot.

Re:Anonymous (3, Insightful)

Farmer Tim (530755) | more than 5 years ago | (#25539103)

If you're baiting your honeypot with real data, you're doing it wrong.

Re:Anonymous (1)

TapeCutter (624760) | more than 5 years ago | (#25539351)

Pffft, New Zealanders aren't that easy to fool are they Richard...

Blackmail (4, Interesting)

ChowRiit (939581) | more than 5 years ago | (#25538759)

If you read the whole article, it sounds a bit like he might have been trying to blackmail the school with the details of the hack. As theregister notes, the email contents aren't available, and the quote "He ... was looking to profit from his criminal act." also suggests that he may have been blackmailing the school.

I'd like to hope so, at least, because otherwise the school is going WAY overboard...

Re:Blackmail (4, Interesting)

CarbonShell (1313583) | more than 5 years ago | (#25538987)

No!
If anyone would have taken a minute to actually think about this, the claims do not make sense.

If the kid was trying to blackmail the school, why sign as 'a student'?
How will 'a student' profit from this?
Fix the grades of 'a student' in the database?

Blackmail is 'give me something or else'.
As there is no *me* involved, it is not blackmail.

Claiming that it is blackmail because the kids had revealed the security flaw and thus could repeat it is just wrong.

This smells of BS all the way. The school comes up with false allegations to cover their asses and make the kids look like criminals.

Sure, the kids were doing something they should not but their actions after that should null the previous offense.

Re:Blackmail (1)

liquidpele (663430) | more than 5 years ago | (#25539309)

You serious?

1) Give all of 10th grade a pizza party every friday
2) Give the school 1 hour lunches
3) Leave money in a place I can pick it up later

There are a lot of ways you can try to be anonymous and still get things. I mean, he may have been setting it up for blackmail and wasn't even sure what exactly he wanted yet.

Anyway, the story sounds a little suspicious though, and I doubt the charges will actually stick unless he specifically stated some type of blackmail terms.

Re:Blackmail (1)

CarbonShell (1313583) | more than 5 years ago | (#25539495)

Then why did they not mention his 'demands'?

Let's be honest, people will pull off a lot of stuff to save face.

But anyway...

Say you gained access to my computer and sent me an email 'yo bro, look, I was able to read your files, you should close your firewall', how should I take this?

If I *wanted* to I could add in a mental 'or else' and call it blackmail, but that would be my doing and not your actual words.

Remember we are talking about 15 year olds who probably just want that 'pwnd' moment.

Let's just refresh one point again. These were two 15 year olds. Kids.
Not terrorists or criminals.

@Last line:
Exactly what I am trying to say. The school just might want to conceal the fact that some 10th grader got into their system.

The reaction to this by the admins pretty much reflects my point.
Someone (or multiple someones) is going to get in a *lot* of trouble, and why lose your job (and possibly face a fine/jail) when you can ruin a kid's life?

Reminds me of all the incidents we hear about cops creating phony reasons to arrest people just to remove them from somewhere and/or demonize them to the public.

Re:Blackmail (1)

Sancho (17056) | more than 5 years ago | (#25539471)

What, it couldn't have been, "Let us all out of school early for the next week, or I'll post the contents of the file to Myspace?" You can profit anonymously in many, many ways. Terrorists try this tactic all the time.

Well, another victim of "the book" (5, Insightful)

GrumblyStuff (870046) | more than 5 years ago | (#25538771)

As in, being hit with the law book.

"He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act."

I RTFA but see no sign of this. At best is this bit from a followup link in TFA:

"He sent an e-mail to his principal saying, 'Look what I have,'" DeFeciani said.

But for fuck's sake, three felonies at 15? For a fucking non-violent, non-destructive "offense"?

Poor kid is screwed for life.

Re:Well, another victim of "the book" (1)

Capt James McCarthy (860294) | more than 5 years ago | (#25538925)

That is what he is being charged with. Not sentenced to. I'm sure that will change as long as he has a decent lawyer. A felony is a felony. Write your elected official and request to have the laws changed.

Re:Well, another victim of "the book" (1, Interesting)

Anonymous Coward | more than 5 years ago | (#25538961)

I don't understand the US.
In all Euro countries a kid would be sentenced according to juvenile law (with much, much lower sentences) and it would be highly unlikely that he could get any prison sentence for stuff like that.
Heck even the German guy who wrote the Blaster worm (?) just got some fine and social work to do.
Furthermore, all records are officially deleted after a relatively short time (2 years ?), so a kid would never be screwed for the rest of his life.

What's wrong with the US ?

Re:Well, another victim of "the book" (4, Insightful)

sortius_nod (1080919) | more than 5 years ago | (#25539035)

Where do you want someone to start with an answer to that?

Seriously though, this is what happens when you create a police state. This is no different to any other dictatorship where non-violent crimes (anti-government, anti-religion, etc) are punished with prolonged sentences or even death.

Seriously, wake up America, all this horseshit about peace, freedom, and democracy isn't even upheld in your own country. Do you really think the rest of the world are stupid enough to believe you can "bring freedom to the world"?

Re:Well, another victim of "the book" (1)

Uberbah (647458) | more than 5 years ago | (#25539067)

It's because being tough in America is more important than being effective. See crime & punishment, military spending, Iraq invasion, etc.

what's wrong with US (0)

Anonymous Coward | more than 5 years ago | (#25539051)

THE major contributors to our political campaigns are the Prison Guard Unions. No, really, I wish it wasn't true. It's why half of all black men will have a felony conviction and spend time in prison. We have more prisoners than South Africa or Russia ever did.

And our schools let an 18 year old finish with a 12 year old's education. Not good for much else in an internet world, guard or prisoner.

Jail the planet baby, it creates good paying jobs. Notice President Obama doesn't mention this in his campaigning, it's only going to get worse.

That's what's wrong with us.

Re:Well, another victim of "the book" (0)

Anonymous Coward | more than 5 years ago | (#25539063)

they need to keep a reserve of low class people to maintain the rich lifestyle of the upper class (nobody could be rich, and those who are sought to maintain richness)

hence the life sentence of being a janitor for life, just for anything that has to be repaid starting with a day or two of prison.

Re:Well, another victim of "the book" (3, Interesting)

Like2Byte (542992) | more than 5 years ago | (#25539029)

There are a few possible scenarios by this statement - all of them conjecture. At this time, the article is very light on detail.

"He sent an e-mail to his principal saying, 'Look what I have,'" DeFeciani said.

Conjecture #1) He was indeed using it for blackmail or other nefarious means.
      If this is the case, nail his behind to the wall.

Conjecture #2) He simply reported the problem and the typical knee-jerk reaction ensues.

    If this is the case, let him pay off his transgression by working with the people on the IT Team so he can be mentored and more easily monitored. Mentoring is the key element to his natural progression toward becoming a productive citizen.

Conjecture #3) He was showing off his leet h4x0r 5k1llz by attempting to embarrass the admins at that facility.

    This is a tough one. I don't want to see some kid's life completely ruined because he didn't understand the ramifications of his actions. Certainly, he should be punished but let's not lose our minds. Again, mentoring would probably go a long way in waking this kid up.

Yep (0)

Anonymous Coward | more than 5 years ago | (#25538799)

"Although it definitely sounds like the whole story may not be in the clear yet" ...we will still report our take on the story and present it as fact.

Simple fix (0)

Anonymous Coward | more than 5 years ago | (#25538803)

Replace the file with hello.jpg

Bizarre Anti Virus behaviour (-1, Offtopic)

MichaelSmith (789609) | more than 5 years ago | (#25538807)

Sorry for the offtopic post but I wonder if anybody has seen this behaviour:

On several linux workstations at work we noticed several other nodes on our LAN had been trying to get in via rsh, telnet and ssh. Typically the remote node tried several protocols over a second or so, too fast for a user to be doing it.

I called our IT people. They identified the windows boxes which generated the connections, pretty much as expected so far.

Then the weird bit. They claim that their virus scanner was the application trying to log on to the linux boxes. All very strange. Has anybody else seen anything similar?

He's not going to be tried for those crimes (5, Interesting)

91degrees (207121) | more than 5 years ago | (#25538825)

It's just the screwed up legal system. They could just about get Computer trespass to stick, although probably wouldn't get a particularly harsh sentence passed. What they can do though is threaten the kid with these charges, mention that he could potentially serve 20 years and get him to plea bargain to a lesser crime.

If he maintained his innocence and demanded a jury trial he'd have a good chance of being found innocent and if not the penalty would probably be minor. His behaviour just isn't that of a criminal. The whole system is broken. It's a game of bluff, but the stakes are the liberty of innocent people.

where's the intent? (3, Insightful)

Uberbah (647458) | more than 5 years ago | (#25539037)

This is like Boston freaking out over Lite-Brites. I hope the kid not only calls their bluff and asks for a jury trial, but finds some way to counter-sue.

Re:He's not going to be tried for those crimes (0)

Anonymous Coward | more than 5 years ago | (#25539511)

I was charged with Computer Trespass II years ago... Turns out the employee passwords on Radio Shack's POS terminals are stored in plain text. I searched for my password, opened up the file that contained it, and through the process of elimination I eventually figured out the password my boss used - giving me access to the inventory, and quite a few other things.

I used it to fix a few errors that my boss was too greedy and incompetent to take care of himself (things that were screwing myself and other workers out of commissions, etc.). When word got to him that I was doing it, I got busted. Went to court, drunk and with a handful of klonopin in my system, and still walked away with nothing more than a strongly worded warning. If there's any justice, this kid will walk away with the same.

"In the clear" (0)

Anonymous Coward | more than 5 years ago | (#25538831)

sounds like the whole story may not be in the clear yet

Something being "in the clear" means to be out of danger. You mean "sounds like the whole story may not be clear yet".

news flash (4, Insightful)

catmistake (814204) | more than 5 years ago | (#25538837)

stupid people fear smart people

Re:news flash (5, Insightful)

SmokeyTheBalrog (996551) | more than 5 years ago | (#25538977)

And smart people fear stupid people even more.

The Justice System... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25538879)

At work!

Is the boy the only guilty one? (0)

Anonymous Coward | more than 5 years ago | (#25538889)

I'm just curious to know what charge the IT manager is going to face for aiding and abetting this 15 year old by failing to properly secure the IT systems.

Not asked? Don't tell! (1, Interesting)

Anonymous Coward | more than 5 years ago | (#25538955)

In middle school, I confessed to being able to read quite a few teachers' emails. Most of their passwords were the same as their username or in the two cases it wasn't, I guessed... One was as easy as 'jesus' ... I had to write a 2 page paper on cyber ethics. From then on I never confessed to anything again... I'm a senior in high school, but from time to time I still see if I can get in their accounts and there is one that hasn't changed after all this time. :P

Foolish, but a lesson learned (2, Interesting)

GFree678 (1363845) | more than 5 years ago | (#25538967)

He did the equivalent of finding a hole in someone's fence, breaking through the fence into the person's property, and then having a look around before telling the owner "hey, your fence has a hole in it". The kid was foolish here, assuming he had the best of intentions.

But hey, at least the kid learned a valuable (and sad) lesson in life:

No good deed goes unpunished.

Re:Foolish, but a lesson learned (2, Insightful)

Yvanhoe (564877) | more than 5 years ago | (#25539019)

Well, if we are to play analogies war: yes it is a bit like that, except it is impossible to say that the fence has a hole in it without trying to go through.
Also, it may look like you have accessed the first fence of several concentric fences. Before reporting this hole as a problem, it sounds reasonable to assess if anything is put at risk first. Once you see that there are many valuable things accessible, you go away and go knock on the door "Hey do you know that all these valuables of yours are easily accessible?" and also "I gave you some stuff of mine to keep safe, I hope you didn't put it in this easily accessible area?"

Or you don't use fence metaphor...

Re:Foolish, but a lesson learned (1)

Jane_Dozey (759010) | more than 5 years ago | (#25539123)

Ok, I'll bite. Let's say I want to test the school's security without actually breaking in. I'd have a look and see what kind of set up they have (from an external view) and go mimic it on my own machine. Then I can poke around legally. Ok, I find that a service they're running has a security issue, I tell them so and voilà! No prosecution for me!

Sure, I can't see any internal problems but why should I? Unless I break in (illegal) and poke around (illegal) it shouldn't worry me anyway since the outside fence is OK.

The fence example, why is it impossible to see a great big bloody whole without going in? Are you blind? Can you not feel a whole there? Taking it to computer speak, why can't you go get a copy of Fence 1.0 and check it out like that? It'll be the same sort of fence with the same whole.

The kid in this case broke into the network. The security was weak but it was there and he broke it. He could have done things a different way and alerted the IT dept to a potential problem but he chose to break in, poke around and then tell someone.

That said I hope he just gets a slap on the wrist for being stupid rather than a criminal record.

Re:Foolish, but a lesson learned (1)

fedos (150319) | more than 5 years ago | (#25539509)

The problem wasn't just poorly implemented security, it was a password that was publicly available.

Imagine that you're in a building with many locked doors. You have a key that was given to you by the owners of the building. You notice that the key opens most of the doors. One of the doors is labeled indicating that it contains objects of value, and you know that your own valuables would be contained within. You therefore try the key on the lock to see if it opens the door. If you succeed then the door opens and you reveal the insecurity; however you have entered a room that you shouldn't have.

Even if we did use your fence analogy, just getting your own fence would not be good enough: you have no idea if the other person installed it correctly.
---
If the kid did try to blackmail the school department, then he should be charged. But there are laws against blackmail, why didn't they charge him for it?

One more thing: Whole = "the entire thing"; Hole = "an opening in something". Please get these two words straight.

Remember (-1, Redundant)

TheSpatulaOfLove (966301) | more than 5 years ago | (#25539007)

Remember kids, no good deed goes unpunished.

Not all hackers are criminals! (1)

UncleMantis (933076) | more than 5 years ago | (#25539023)

Damn it people! This just upsets me to no end! Do you have any idea how many systems are just wide open? Even I don't know how many systems I have "broken" into and done NOTHING but just let it be. If I tell someone I get arrested. If I do something with the data I am a thief. If I don't do anything at all I am a saint.

Sigh!

Assuming he is convicted... (2, Insightful)

kitsunewarlock (971818) | more than 5 years ago | (#25539025)

This means this person, capable of not only using the internet but as a (clearly) (semi-) advanced user, is now no longer able to vote...because of something they did before they were legally eligible in the first place? And something they admitted to? Yet someone who doesn't know their left hand from a donkey's a-hole and votes based entirely on which guy they'd rather drink a beer with and/or whichever has a photo-op with someone who looks more like them is free to do the same AND drive drunk AND steal potentially thousands (but not over 10 thousand or so, depending on the state) AND even rape in some cases and still vote.

Re:Assuming he is convicted... (1)

Farmer Tim (530755) | more than 5 years ago | (#25539259)

I can see the bumper sticker now: "I'm a drunken, thieving rapist, and I vote!"

The felonious emperor has no clothes. (5, Insightful)

Creepy Crawler (680178) | more than 5 years ago | (#25539061)

And one who breaks security is like the one who alerts the king about wearing no clothes. You WILL get punished. You WILL be dealt with.

I saw this all the time at schools, jobs and the like. People don't like smart people. People who intentionally find broken ideas and mechanisms will be dealt with, not glorified and congratulated. Highlighting a security problem means they have to put in the effort to fix what you brought to their attention, or threaten you to STFU.

If you are smart about security, keep your mouth shut. There's not much you can do, except yourself be a target.

terminator (0)

Anonymous Coward | more than 5 years ago | (#25539085)

This kid just received a lesson of life that he should have used this information performing criminal deeds and he'd probably never be caught.

Next time try wardriving (3, Funny)

VocationalZero (1306233) | more than 5 years ago | (#25539199)

This is why I send all my blackmail from my neighbor's WEP-enabled wireless.

Well (5, Interesting)

mach1980 (1114097) | more than 5 years ago | (#25539227)

This happened to me in winter of 2000. I found an open FTP site on the LAN of my public school that contained sensitive information about the municipality elderly care. I reported it to the Swedish Data Inspection Board. I later found out that the municipality had filed a police report to find the alleged 'hacker' that was able to break the 10-digit code (read: IP-address).

My only comfort was that I had reported the findings anonymously.

And yes - the municipality was charged. The period for prosecution for my 'crime' has expired.

wtf (2, Insightful)

moxley (895517) | more than 5 years ago | (#25539263)

This is bullshit - I am really tired of hearing these scenarios where ignorant fascist assholes are doing serious damage to the reputation and future of kids who are doing the right thing.

The message being sent is that rather than being honest, helpful and productive members of networked society we're teaching kids that it's better to be deceptive and not expose dangerous security flaws. ...and FELONIES? What the fuck?!

I feel that there is a message that both the powers that be (and irresponsible sys admins who have been professionally shamed by these revelations) want to send - the sysadmins don't want to be embarrassed by kids - the feds or police either don't understand and are hearing sys admins tell them that "these meddling kids broke into our system, it's certainly not MY fault for not securing it" or people who should know better thinking that it's better to send the message that killing the messenger is the appropriate way to handle security, EG what people don't know won't hurt them and what we don't see we won't have to deal with.

I believe that this should be explained to those who aren't very computer/network literate with the following analogy: Let's say you live in one of those multifloor apartment buildings where there is an area in the lobby with many mailboxes which all lock. Each resident gets a key for their own box. This kid either accidentally (or just to see if his and other mailboxes are secure) plugs the key into the wrong box or a box that isn't his and finds that his key (and by logic every other resident's key) opens every mailbox in the building. The mailbox he tests the key on contains an envelope with a ton of cash sticking out of it. He goes to the landlord and says "hey, these keys provide no security because any key can open all mailboxes, and by the way, this mailbox had a ton of cash in it - here's the cash, I didn't want it to get stolen" and he is then arrested and charged with breaking and entering, grand larceny, and other such offenses.

I hope that if any high profile tech people get a chance to comment on this in the press or end up assisting the defense (if it was to go to trial) that they can send a message that criminalizing someone who is doing the right thing is just wrong...

personal experience says to keep your mouth shut (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25539325)

From my own personal experience as a student that used to do these sort of things (report network security flaws to the relevant department), the unfortunate truth is that it's much better to keep your mouth shut.

what should be done (2, Insightful)

Friendly Pyro (1360639) | more than 5 years ago | (#25539373)

Kids like this should be praised. He decided to report something he could easily do a lot of mischief with.

More info and name (2, Informative)

RenderSeven (938535) | more than 5 years ago | (#25539467)

... here [thetechherald.com] including the kid's name. Article notes this isn't the first time he's been in trouble for hacking, so it may explain the apparent overzealous charges.

Report it to the local media (1)

Isaac-Lew (623) | more than 5 years ago | (#25539493)

If I had found something like this, I would have reported it (anonymously of course) to as many local investigative reporters as I could contact. That way, even if the school's administration wanted to find out who did it, hopefully the media wouldn't give me up as a source.

JanSchotsmans (0)

Anonymous Coward | more than 5 years ago | (#25539513)

While white hat hackers get vilified and attacked for reporting their findings with the presumption of guilt until proven innocent, black hat hackers get hired by the top levels of government to do whatever the government wants without morals getting in the way.

This makes me sick to the stomach, not really because of what happened here, but because it's another example where someone with a good moral standard is portrayed as evil while the people without morals (US Govt, US Christians, ...) run the nation.
