374 Comments
- rpi22, on 10/26/2008, -5/+627 "If you give a damn about how ridiculous this is, feel free to shoot the reporter an e-mail at dyusko@timesunion.com encouraging him to get a viewpoint from someone who uses their computer for more than Solitaire. >:o" - R. Adrián Lamo
Also, feel free to contact the school and EDUCATE them about why they should never shoot the messenger that's trying to warn them of a gaping hole in their security due to their own ineptitude, ignorance, and downright laziness.
Superintendent: Dr. L. Oliver Robinson
5 Chelsea Place, Clifton Park, NY 12065 • 518-881-0600
After-hours emergency number, 371-4004
Principal: Donald Flynt
970 Rte 146, Clifton Park, NY 12065
East Building 518-881-0310 • West Building 518-881-0330
- CVL4317, on 10/26/2008, -6/+447 next time... just steal it, don't bother to alert... after all the result is the same.
- Junior612, on 10/26/2008, -4/+365 Delete all the information and leave a text document explaining in vague terms something about accidentally the whole database.
- rcguy69, on 10/26/2008, -1/+338 Years ago someone did me a great favor. They hacked into our business server and changed the name of a root folder to "your security sucks" or something like that. After getting over my anger, I realized my security did suck. I went on to become literate in security. That kid deserves a pat on the back.
- ThatGeek, on 10/26/2008, -1/+335 this is ridiculous.
If someone finds something that should be confidential on an open network, and that person tells you, you shouldn't punish him for being honest.
- emberjohn, on 10/26/2008, -2/+233 Honesty is the best policy..they proved it WRONG ..!!!
- kcapxis, on 10/26/2008, -2/+201 Texas Tech University has a similar problem. I've been telling them for years that by entering a simple URL into a browser one could view and alter student grades, add or withdraw students from classes, and see plain-text passwords right next to student email addresses. No passwords to get in, no logs or traces, and no limits. If you know how to read source code it should take you about 5 minutes to get in and have about 60% of the passwords and student information for Texas Tech University students from 2002 or 2003 to present. It's the same system the teachers use (yes, TTU teachers can see their students' passwords in plain text whenever they like).
Don't bother informing Texas Tech University about it though. If you do they'll just call you a "terrorist" and start drumming up accusations of plagiarism.
- jimbod, on 10/26/2008, -1/+182 The results would not have been the same. If he had taken the information and not alerted the principal he would most likely not have been caught, and thus would not be in jail. The outcome would have been better for him if he were to have taken the information and sold it online. A fine lesson we are teaching our youth today.
- depro9, on 10/26/2008, -7/+155 ***** sue the school & this ***** will be fired for his retardation.
- syda, on 10/26/2008, -0/+126 hey principal, i need your help, i accidentally 93MB of your database... what should i do... is this dangerous?!!?
- whiteknives, on 10/26/2008, -2/+123 No good deed goes unpunished.
- keithloughnane, on 10/26/2008, -0/+103 In Germany the cops war drive to see if any business etc. have unsecured personal records, if they do they get a fine. Apparently doctors' offices are particularly bad.
- Osiris19, on 10/26/2008, -2/+100 Damn. My friends and I used to do this too, just minus the whole telling a school official part. Public School IT = Fail pretty much everywhere in my experience.
- inactive, on 10/26/2008, -0/+96 Agreed, and it's pretty cool that you've gone through the trouble to provide information to try to help the kid out....
- azurepalm, on 10/26/2008, -0/+85 no good deed goes unpunished
- Punkazz189, on 10/26/2008, -0/+76 I went to the high school and the people in charge of the network are nearly retarded. When I was a junior the password for the administrator account was "Password"
- johndavidjack, on 10/26/2008, -1/+73 They should've made you play Russian Roulette with your hard disks, or answer a few riddles or risk losing your data.
Hackers, they're just not creative enough...
- phroztbyt3, on 10/26/2008, -0/+67 wow... that is not even a breach of privacy. The student used his given password to seek out these files. Because they are on his account, these are technically his just as anyone else's. If anyone should be given a fine it's the system administrator for not doing his goddamn job.
Now, in a business situation, an employee would be greatly honored by a higher-up for telling them this warning. WHAT THE HELL IS THE DIFFERENCE... nothing. This kid should be thanked, not assumed guilty of helping.
- Renton, on 10/26/2008, -1/+63 "The student charged has a history of computer mischief but likely was not interested in stealing personal information, DeFeciani said, citing what investigators told her.
'It was more like 'Look at what I can do,'' she said."
Really? It seemed more like a case of "Hey guys, anybody with a password can see these files, you should probably secure them before somebody steals your identity." But hey, let's keep the general public in fear and ignorance of computers and play this guy off as some 15 year old super hacker.
- Yookji, on 10/26/2008, -0/+61 You can get paid to war drive?
- AikoMiko, on 10/26/2008, -0/+54 The problem to me is that the reporter didn't get the kid's point of view. He relied on others to speak to the boy's intent when doing what he did. Depending on his frame of mind when copying the db and notifying the owners he could very easily be a hero, a white hat riding in and showing them where they are vulnerable to others who would exploit the weakness for less altruistic reasons.
I am for once, writing the reporter.
- striker1211, on 10/26/2008, -4/+57 This is why you don't put databases in public shares... hmm \database-ts\students\sdsxplan.mdb yeah that takes computer savvy to find.
- inactive, on 10/26/2008, -0/+53 Am I the only one who misread timesunion.com for theonion.com ?
- kakwakas, on 10/26/2008, -0/+48 Ours was "cheese." :D
- AdrianLamo, on 10/26/2008, -0/+47 Thanks for saving me the trouble of re-typing all that, rpi22 :)
Keep heat on the media involved in this case. Public perspective is this kid's best chance of coming out of this OK.
And lastly - YES, he did nothing wrong. Security by fiat is no security at all. You give someone access to a resource, you can't later say that they hacked their way in.
Adrian Lamo
- juliohm, on 10/26/2008, -1/+43 Congratulations, Mr. Robinson.
You just raised the odds of losing your entire database by 1000%.
- GradStudent4eva, on 10/26/2008, -0/+41 "Known for computer mischief". Probably pulled a couple of harmless pranks and was labeled a potential terrorist.
"Subject #7382 is behaving rather non-standard today. Lock him on the dark hole for a couple weeks."
- wunksta, on 10/26/2008, -0/+41 where did you read he stole it? the article said he accessed it and then sent an email, never said anything about duplicating it or anything
- johndavidjack, on 10/26/2008, -1/+41 Come on, what would that do? An IT team as good as this one probably has hot/cold backups of Oracle, dozens of redo log files, and archiving enabled...
/sarcasm
- brotherfranciz, on 10/27/2008, -0/+37 The superintendent sounds like a dumbass:
"His genius was used in the wrong way."
LOL. Am I the only one who found this hilarious?
- m0tbaillie, on 10/26/2008, -0/+35 No, renaming a root folder is just a trivial kick in the ass. Deleting the entire directory hierarchy would have been 'being a prick'.
- casey3353, on 10/27/2008, -0/+35 Knowing this, could you enroll yourself, and fake your grades to give yourself a degree without even sitting in 1 class?
You'd still be screwed though, as you could talk the talk, but not walk the walk.
- Mononuclear, on 10/26/2008, -4/+39 Before Digg goes all commando and email bombs the school you should find out the whole story. I remember when digg posted the article about the teacher suspending a kid for using firefox. People on digg started sending emails to the teacher and school. Many of the emails were filled with insults and bad language.
Then it turns out a couple days later that the whole thing was made up and never actually happened. The kid made a fake suspension report in photoshop and posted it on the internet. The whole story was a lie and people felt stupid because they told the teacher to go kill herself when she didn't even do anything wrong.
Moral of the story is, Don't believe everything you read on the internet and don't go sending letters and emails to people when you don't even know the story.
- TheShad0w, on 10/26/2008, -0/+35 So. Let me get this straight. Because that school district hired an idiot to do their IT infrastructure and any person with any amount of technical knowledge on how network shares work (genius my ass) could access these files they are using a 15 year old child as a scapegoat. What-The-*****?! Sure the kid was wandering around on the network but any competent Sys Admin knows how to set up permissions for network shares. Hell Windows & Active Directory has a robust set of group and user permissions. Linux even more so! Idiots like this should be fired. They hired idiots to do a professional's job. It's like leaving the back door unlocked then throwing a good Samaritan in jail for walking in and telling you so.
- inactive, on 10/26/2008, -0/+34 Gee I leave the gate open and the cows got out, some kid brings them back and I charge him with rustling my cows. Hang him Dan-O!
- anaesthetica, on 10/27/2008, -0/+34 The best thing for him to do would be to contact a lawyer and file a lawsuit against his school for violating his right to privacy by leaving his personal information accessible to unsecured access on the internet.
Now that he simply told the principal, he's on the defensive. If he had filed suit, not only would he be on the offensive, he might even walk away with a profit.
- roebeet, on 10/26/2008, -10/+43 I'll reserve judgment until someone reports on just what that email said. "You have a security hole that I accidentally stumbled upon, please be aware of this" would evoke a different response than say.... "I have a copy of your database, what will you pay to get it back and keep me quiet?"
- danielsamuels, on 10/26/2008, -0/+33 It's a punishment - you are forced to play The Sims all day, with every expansion pack installed.
- syda, on 10/26/2008, -0/+30 I remember when "hackers" (and this kid is no hacker) used to get offers for jobs to secure the network/servers, some of which if old enough, became CTOs of whatever company they breached.
Datek Online, now TDAmeritrade, had that exact situation. That CTO then left to start Vonage... And later was jailed... But not for hacking.
- Ghostalker, on 10/26/2008, -0/+29 I went to Mohon just south of Shen, and sadly even our ***** school had a better ITS department. Shen spends something like 4x more per student than any other school in the region, so nobody better say "The school doesn't have the money LOL". The people running the ITS department should all be fired. This is basic networking 101 - Data Permission.
- redwallhp, on 10/26/2008, -0/+29 He didn't steal the data. He was able to pull it up, but he didn't make a copy of it.
- Hindu_Wardrobe, on 10/26/2008, -2/+29 Similar things have happened to me many times. Never went as far as me getting arrested, but I've gotten in loads of trouble for letting the administration know about security flaws.
This year, they finally realized that if I don't tell them, someone else will discover the flaws and they WON'T tell the administration.
So now I'm teamed up with our IT guy. :)
- akako, on 10/26/2008, -1/+26 Agreed.
- Krissam, on 10/26/2008, -0/+25 ours were xcv (right next to each other)
not to mention any user had access to edit the script that was run when a user logged in (damn, i got a few outwar clicks that way ^^)
- JOJOFACE, on 10/27/2008, -0/+24 If you left your door unlocked and your neighbor came by and was like, "Hey, your door is unlocked. Someone could come in and steal everything!" whose fault is it?
- Punkazz189, on 10/26/2008, -0/+23 This story originates in my hometown and I just graduated from that high school. My friend who still lives in town told me about this right before I saw this article. In this case, the story is true and the school should get a few emails. That's just my opinion on the case. The school's administration is known for making poor decisions towards students and faculty, and the Super Attendant is just there for the press coverage. His administration has just brought a lot of headache to the residents in the school district and the faculty.
- Retsam06, on 10/26/2008, -1/+23 That is true. I'd like to see what the email said, as well. I'm not sure if anybody smart enough to go snooping around the computers would be stupid enough to try to extort money like that.
Yes, it was in public shares, but, at least at my school, most people don't have the time to go around the different files to see what is where. If you're on a school computer, it's usually only for a short time or during your lunch break, etc.
Kinda ridiculous, though. Stupid/lazy IT departments screw over the students.
At my school last year, a proxy was passed around through email (that would have been blocked had they kept WebSense updated) so people could get around the firewall. The administration finally found out about it, and gave everyone that had been emailed it 3 days of in-school suspension (about 400 kids, total). One of my friends didn't get caught by changing the extension to .jpeg, so the IT department didn't find it when they went searching for it. Of course, the use of proxies wasn't covered anywhere in the rules, and many students were using it, but nobody did anything about it.
- gh0st3000, on 10/27/2008, -0/+22 More likely is that they've got a box of 6 year old dusty floppies