Student charged after alerting principal to server hack

The Register reported yesterday about a teenage high school student being suspended from school and being charged after finding a security weakness in his schools network.

A 15-year-old high school student in New York State has been charged with three felonies after he allegedly accessed personnel information on his school’s poorly configured computer network and then notified his principal of the security weakness.

The unnamed student of Shenendehowa Central School was charged Thursday with computer trespass, unlawful possession of a personal identification information and identity theft, according to news reports. He has been suspended from school and ordered to stand charges in family court in Saratoga County.

He and a peer allegedly gained access to file containing the personal information of 250 workers because of a district-wide error in setting up a new server. After accessing the information, he sent an email alerting the principal to the breach and signed it “A student.” With the help of the district’s IT department, the principal identified the boy as the culprit.

How stupid do you have to be? Surely you should applaud a student who shows enough initiative and responsibility to come forward to the school principal and alert them that such information is easily available?

The article then continues:

“The kid committed an intentional criminal act,” state trooper Maureen Tuffey told The Times Union. “He deceitfully used someone else’s name and password so he would not get caught and was looking to profit from his criminal act.”

Seriously? The kids 15! Give him a reward for coming forward instead of posting the information on the Internet and letting 250 workers identities be stolen properly.

All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks. The file contained the social security numbers, driver’s license numbers and home addresses of past and present employees, most of whom were bus drivers.

So thousands of people could have easily stolen the information and sold it, something that is apparently more and more common these days. Yet when one person comes forward, instead of being grateful we screw them over? Awesome. Why not encourage them to do the right thing, maybe even ask them to have a look around for any more exploits they can find? Maybe they know of a few more and now they’re pissed off enough to use them against you. Don’t we need more white hats instead of black hats these days? Or are we promoting a secret underground community that will eventually screw the governments of the world over and cripple everything as we know it.

Speaking from personal experience, things shouldn’t be handled this way. It should be the last scenario to charge someone, especially a 15 year old student. Co-operation goes a long way. Sure, we could all provide a better opinion if we knew what the student said in the email, but HES 15 YEARS OLD!

Lets try promoting a better community next time guys.

Because the world needs less of this:
http://www.darknet.org.uk/2008/07/san-fransisco-officials-locked-out-of-their-own-network/