Dear school administrators,
What’s the best way to ensure that your computer network remains riddled with security vulnerabilities that leave you, your personnel and [someone think of the] schoolchildren in danger? Why, to demonize the student who discovered the vulnerability and alerted you to it, of course. Have him charged with a felony while you’re at it.
A student in a Saratoga County (New York) school alerted his principal to a computer security vulnerability that could expose the names, social security numbers and addresses of school employees. While the student tried to do it anonymously, he was eventually tracked down. Then the school threw the book at him.
The student is now being charged with three felonies for his unauthorized use of the computer network. The best is this quote from a state trooper:
The kid committed an intentional criminal act. He deceitfully used someone else’s name and password so he would not get caught and was looking to profit from his criminal act.
The only thing we can take away from this is that, even if you discover a security vulnerability, it’s completely in your best interest to keep it to yourself; otherwise you’ll be branded a criminal terrorist when you were merely trying to do a good deed. Or, if you insist on doing the right thing, use Wikileaks.

Based on the details it sounds like we’re missing the entire story…I’d like to see the email he sent to the principal.
sOUNDS LIKE HE WAS USING A RANSOM TO COLLECT MONEY?
oops caps =(
Just to put things into perspective, what if, instead of network security, a kid was trying to show a business owner his store locks and alarms were shoddy, by picking the lock, entering the store and opening the cash register?
If he alerted the owner of the store to what he did, would those defending him in this school story be as understanding in this example?
This kid just had to type some buttons on his keyboard. They eventually left the store’s door wide open. I suppose you think receiving a video of a copyrighted movie is like walking into a store, grabbing a DVD and leaving without paying (although the unit cost is NIL).
“This kid just had to type some buttons on his keyboard”
Which is analogous to picking a cheap lock. He used someone’s name and password to enter a system he knew he had no business entering. They did not leave the store’s door wide open. They just used a crappy lock. If a store owner uses a crappy lock, it does not make it acceptable for someone to pick it and enter.
“I suppose you think receiving a video of a copyrighted movie is like walking into a store, grabbing a DVD and leaving without paying”
Please stick to the topic and refrain from strawman arguments.
Correction: They *essentially* left the store’s door wide open.
“Correction: They *essentially* left the store’s door wide open.”
*essentially* being the operative word. If you went out to the store and only locked your screen door, but left the main door open, found someone sitting on your couch when you arrived back home and said to you:
“Hi I’m Bill Jones and I just happened to notice that your home was locked poorly and just wanted to warn you to be more careful. You got lucky that I wasn’t dangerous”
Would you thank him for his warning or would you call the cops? I hope to God that you would choose the latter.
Just because the school had lousy security, does not make it acceptable to exploit that lousy security to make a point. The kid could just have easily alerted an administrator to the weakness and asked permission to prove his point.
Just to clarify, what the kid did was wrong and he deserves school disciplinary action, the felony charges are a bit much as another article said that even the police believed that he did not intend harm with the information he gathered. My main issue was in articles making the kid appear that he was doing a public service by committing a crime. BTW, he has also been in trouble in the past for computer mischief.
http://www.thetechherald.com/article.php/200844/2329/Student-charged-with-three-felonies-after-alerting-school-of-poor-security-policies
All of your arguments are pretty sound. I know something needs to be done. Some kinds of legal precedents need to be set. So you certainly have your points. The issue I have is with making bytes or computer networks equivalent to physical objects/money or physical locations. I am just not convinced they are the same. I’m not making a straw man here, since I know you didn’t say that those things are equivalent. But I think the legal precedent being set here makes them legally equivalent, and I just haven’t been able to wrap my brain around that.
He should have alerted someone before he acted upon it. Like saying this could potentially happen so to speak. That way he would be in the clear as far as criminal charges. However I don’t think the punishment is justified. A little too harsh if you ask me.
Lol, no one saw the last Die Hard? This was the plot…
“hope to god you call the cops.”
yeah. good one.