Jump to content

Student Hacks Into School System


farmteam
 Share

Recommended Posts

What do you guys think of this? Personally, I think criminal charges are excessive -- suspension was enough.

 

A New Trier Township High School senior was charged Wednesday with one count of misdemeanor computer tampering for allegedly breaking into the school's electronic student records in February, and some parents and students are coming to his defense.

 

Jonah Greenthal, 18, of Glencoe turned himself in to police and could face up to a year in jail and a $1,000 fine if convicted.

 

The arrest has prompted an outcry in the New Trier community by some who said that while Greenthal was in the wrong, the school already has punished him and involving police is overkill.

 

"They're carrying it too far," said parent Nancy Nazari of Wilmette, who is the mother of a freshman and a recent graduate. Nazari, who does not know the Greenthals, came to the police station Wednesday because she feels the school is overreacting: "New Trier could have just taken care of this themselves. No one was hurt by this."

 

 

Before charges were filed, parent Harveen Mann urged school officials in a letter to "weigh the 'criminality' of Jonah's act—an indiscretion of youth, more than any real criminal intent or act—against the very real and dangerous crimes in our society in general and to stop any further legal actions against the student."

 

In February, school officials alerted parents that a student, apparently trying to find out his class rank and the ranks of other students, had broken into the computer system and accessed files with ACT scores and semester grades more than once.

 

In a memo to parents in February, New Trier Township High School District 203 Supt. Linda Yonke said she did not believe the information was shared with other students and said "strong disciplinary and legal action" was in the works. Yonke could not be reached for comment Wednesday.

 

Winnetka Police Deputy Chief Patrick Kreis said New Trier staff contacted his office on Feb. 22, and the school requested the investigation.

 

One day, staff noticed the hacker was in the system as they were watching, and the hacker was working from a computer on school grounds, Kreis said. The staffers walked around the school looking at students' computer screens and caught Greenthal, who was using a personal laptop, looking at the information, Kreis said.

 

A woman who answered the door at the Greenthals' home Wednesday declined to comment.

 

New Trier student body president Mark Chou said Greenthal's punishment has been excessive. Chou said Greenthal has been out of school for three months on a suspension, and is not allowed to attend the school's prom next week or walk at graduation in June.

 

"We understand he wasn't supposed to do this. But his intent was never to hurt anyone, and he's really remorseful," Chou said.

 

Chou said students have been making T-shirts and wristbands to show their support for Greenthal. On his Facebook page Tuesday, Greenthal wrote he "just wants to disappear."

 

According to the Facebook page, Greenthal will attend the University of Illinois at Urbana-Champaign this fall to study electrical engineering and computer science.

 

He was released Wednesday on $1,000 bail and is scheduled to appear in court June 5 in Skokie.

 

eachenbaum@tribune.com

 

http://www.chicagotribune.com/news/local/c...0,2033130.story

 

Link to comment
Share on other sites

QUOTE (farmteam @ May 9, 2008 -> 12:32 AM)
What do you guys think of this? Personally, I think criminal charges are excessive -- suspension was enough.

 

 

 

http://www.chicagotribune.com/news/local/c...0,2033130.story

 

This is not an example of a brilliant child showing off his talents and how the computer system's security is lax. This is a petty competitive child who decided to see where he ranked, and then decided to download other students personal information to his computer ( transcripts, personal info, medical info ). Now think about this in our social networking context. The parents who they have interviewed who think he is some sort of brilliant kid who is just misunderstood would have a completely different tone if he was blasting their kids personal information on MySpace because he got access to it.

 

He is very lucky and this was a good lesson for the future. If he was a few years older and he was working at a company, he would be talking federal prison time and pretty much can kiss his career path dead.

 

And he is going to Urbana, good luck trying your cute little scams there. The only place worse in the midwest for a pseduo-hacker to go to is probably Purdue with the Cerias program. If he tries that there, there will be men in suits kicking in his door taking him away.

 

 

Edited by southsideirish71
Link to comment
Share on other sites

This is funny to me for multiple reasons.

 

First and foremost, because now that 'computer hacking' is somewhat of a pop-culture phenomenon, and in the public spotlight, they make a big deal out of next to nothing. Also, it seems that modern "hackers" don't recognize nor realize the added security and auditing that can be done that once didn't exist, so they don't take their time to cover their tracks or seriously screw up their tracks. Things like intrusion detection system and detailed logging was something that just didn't exist back in the day.

 

I'm 32 years old now, but not only did I hack my high-schools network (which was on of the very first networked schools in the city of Chicago), but I hacked UIC's and DeVry's, too.

 

1. Bogan High. I never got caught for this one. They had a multi room token ring lan based on an early version of Novell Netware. Owned. I had access to all student/teacher profiles (although the data was scant as they were JUST starting to implement), and all personal directories. Again, scant pickings since I was one of the few people in the school that knew anything about networking. We mostly used it to chat with an early non-graphical based method of text messaging across the network, so friends in different computer classes were able to talk throughout class, while constantly typing, so the teachers thought we were hard at work. :)

 

2. UIC. I *did* get caught on this one, and nearly expelled. Had to meet the dean face to face and explain myself to him and their network staff, how I did it, etc. I had full access to everything on this one, including student records, student directories, etc. It was VAX based with a live internet connection, so more or less a wierd system that most didn't understand. Keep in mind this was the early 90's, and most people had never heard of an "internet" at this time. One of the help files on the VAX system had extensive notes on how to use said system, and one of their many login examples was a superuser, which is their own fault. Instead of using their example to login as myself, I logged in as the example, and found infinite system control at my hands. :D They let me off for this one, and never made it public since it would have been an embarrassment since they published this account in an open forum, however, it just goes to show you...this was a major unversities network and not a thing was said/done. I do this same thing 10 years later and I guarantee my university days are over.

 

3. DeVry. Also Novell based in an era where Windows 95/NT was coming into it's own. This one was also easy as the holes in Novells software were gaping huge and you could exploit a malconfigured system quite easily. I used a simple brute force crack on their admin account and within minutes had access to everything. Never got caught for this one, either, but it aided my vast laziness throughout college. Rather than writing my own programs for whatever given class, I'd simply steal them from another students home directory, rewrite them and hand them in as my own. It's not suprising I didn't stay in programming, since I hardly knew how after a while. I did, however, go into network security before people thought about security, which now seems fitting. :D

 

If you don't want your network hacked, secure it, patch it and actively watch over it.

 

The only thing that should happen here, are the people in charge of this network should be fired for doing a terrible job. Maybe they should hire this kid to show them how stupid they are while their at it.

 

A little more on my history. At the age of 12 the men in suits arrived at my house, charged me a 750$ fine for "phreaking" credit and calling cards. They figured out I was war dialing because my "randomized" sequences were too tight. Still, I didn't have to pay for much in the way of computer equipment or skateboards for a good few years there. Thank God at the time such things were harder to trace than now, or I would have probably been charged upward of 7,000$. Wardialing, for those not in the know, is a name ripped from the movie Wargames, which uses randomized sequential blocks of numbers to test for validity. Such as 555-0001, 555-0002, 555-0003, etc...there are certain tones the companies once used to verify a valid card, if the computer dectected that tone, it would keep note of it. Ordering equipment via credit card was easy, as there was almost no security back in the day, so they'd just send the equipment right on over while charging to said card. Getting the name/exp date off the card was also easy as all you had to do was call the credit card company and ask, they'd give it right up without a fuss at the time. Then you have the stuff sent UPS to the neighbors while they're at work, slap a note on the door to "leave the stuff", and when they leave it, go grab it. The neighbor has no recollection of this since they weren't around...but, you get the point. :D

Edited by Y2HH
Link to comment
Share on other sites

QUOTE (Steve9347 @ May 9, 2008 -> 08:08 AM)
Y2HH. You are/were a bastard!

 

Yea, but it's funny how these things happen. For quite a few years since those days I've been doing network based security work, such as firewalls, intrusion detection/prevention, training, etc...

 

If I had been born 10 years later, I'd probably be in jail, instead.

Link to comment
Share on other sites

QUOTE (Y2HH @ May 9, 2008 -> 08:48 AM)
This is funny to me for multiple reasons.

 

First and foremost, because now that 'computer hacking' is somewhat of a pop-culture phenomenon, and in the public spotlight, they make a big deal out of next to nothing. Also, it seems that modern "hackers" don't recognize nor realize the added security and auditing that can be done that once didn't exist, so they don't take their time to cover their tracks or seriously screw up their tracks. Things like intrusion detection system and detailed logging was something that just didn't exist back in the day.

 

I'm 32 years old now, but not only did I hack my high-schools network (which was on of the very first networked schools in the city of Chicago), but I hacked UIC's and DeVry's, too.

 

1. Bogan High. I never got caught for this one. They had a multi room token ring lan based on an early version of Novell Netware. Owned. I had access to all student/teacher profiles (although the data was scant as they were JUST starting to implement), and all personal directories. Again, scant pickings since I was one of the few people in the school that knew anything about networking. We mostly used it to chat with an early non-graphical based method of text messaging across the network, so friends in different computer classes were able to talk throughout class, while constantly typing, so the teachers thought we were hard at work. :)

 

2. UIC. I *did* get caught on this one, and nearly expelled. Had to meet the dean face to face and explain myself to him and their network staff, how I did it, etc. I had full access to everything on this one, including student records, student directories, etc. It was VAX based with a live internet connection, so more or less a wierd system that most didn't understand. Keep in mind this was the early 90's, and most people had never heard of an "internet" at this time. One of the help files on the VAX system had extensive notes on how to use said system, and one of their many login examples was a superuser, which is their own fault. Instead of using their example to login as myself, I logged in as the example, and found infinite system control at my hands. :D They let me off for this one, and never made it public since it would have been an embarrassment since they published this account in an open forum, however, it just goes to show you...this was a major unversities network and not a thing was said/done. I do this same thing 10 years later and I guarantee my university days are over.

 

3. DeVry. Also Novell based in an era where Windows 95/NT was coming into it's own. This one was also easy as the holes in Novells software were gaping huge and you could exploit a malconfigured system quite easily. I used a simple brute force crack on their admin account and within minutes had access to everything. Never got caught for this one, either, but it aided my vast laziness throughout college. Rather than writing my own programs for whatever given class, I'd simply steal them from another students home directory, rewrite them and hand them in as my own. It's not suprising I didn't stay in programming, since I hardly knew how after a while. I did, however, go into network security before people thought about security, which now seems fitting. :D

 

If you don't want your network hacked, secure it, patch it and actively watch over it.

 

The only thing that should happen here, are the people in charge of this network should be fired for doing a terrible job. Maybe they should hire this kid to show them how stupid they are while their at it.

 

A little more on my history. At the age of 12 the men in suits arrived at my house, charged me a 750$ fine for "phreaking" credit and calling cards. They figured out I was war dialing because my "randomized" sequences were too tight. Still, I didn't have to pay for much in the way of computer equipment or skateboards for a good few years there. Thank God at the time such things were harder to trace than now, or I would have probably been charged upward of 7,000$. Wardialing, for those not in the know, is a name ripped from the movie Wargames, which uses randomized sequential blocks of numbers to test for validity. Such as 555-0001, 555-0002, 555-0003, etc...there are certain tones the companies once used to verify a valid card, if the computer dectected that tone, it would keep note of it. Ordering equipment via credit card was easy, as there was almost no security back in the day, so they'd just send the equipment right on over while charging to said card. Getting the name/exp date off the card was also easy as all you had to do was call the credit card company and ask, they'd give it right up without a fuss at the time. Then you have the stuff sent UPS to the neighbors while they're at work, slap a note on the door to "leave the stuff", and when they leave it, go grab it. The neighbor has no recollection of this since they weren't around...but, you get the point. :D

 

They don't have a network security guy at this high school, its probably some dolt who has been there for years that hired a consulting company to come in and put up a firewall. I bet they haven't had a security audit and wouldnt know what happened. And from what I heard this kid didn't "hack" into the system. He got his hands on a password ( much like Wargames) and got in. Today we dont have hackers, we have jackass kids who run tools they downloaded and have no clue what they do, then you have bots as well. The real hackers are the ones dropping malware on your system sending that data back to China.

 

I also had the men in suits come to the house. That could of ruined my life.

 

 

 

 

Link to comment
Share on other sites

I expected to be in the minority on this one. Once I saw where he was going and what he was majoring in, I guessed it wasn't some kid looking over a teacher's shoulder and snagging a password.

Link to comment
Share on other sites

I disagree with the majority too. Where was the malicious intent? Where was the broad dissemination? I think things like not being allowed to walk at graduation, not going to prom, and being out of school for almost an entire semester are sufficient.

Link to comment
Share on other sites

QUOTE (farmteam @ May 9, 2008 -> 04:36 PM)
I disagree with the majority too. Where was the malicious intent? Where was the broad dissemination? I think things like not being allowed to walk at graduation, not going to prom, and being out of school for almost an entire semester are sufficient.

 

The line was crossed when he decided to download other students info. People hacking for fun or to prove a point usually break into the system and take a trophy. The trophy is usually something that earmarks that you were on the system. The common way I would trophy a system was to place a file on the system, or to pull down the password file. Pulling down other students information is not a trophy, its more malicious.

 

According to police, Greenthal downloaded ID photos, names, transcripts and test scores of "dozens" of students. The information was saved to his personal laptop computer.

 

Looks like the bozo's at New Trier got jacked by using a wireless network tied into their production network. Someone realized that an unauthorized user was in the DB, and they walked around and caught him red handed with the data on his screen.

Edited by southsideirish71
Link to comment
Share on other sites

QUOTE (southsideirish71 @ May 9, 2008 -> 07:58 PM)
The line was crossed when he decided to download other students info. People hacking for fun or to prove a point usually break into the system and take a trophy. The trophy is usually something that earmarks that you were on the system. The common way I would trophy a system was to place a file on the :gosox1:system, or to pull down the password file. Pulling down other students information is not a trophy, its more malicious.

 

I don't see how that's malicious. To me, malicious would have been more than simply accessing the information -- it would have been disseminating that information or using it to harm someone.

 

I usually say to pay heed to the intent more than the action itself. But when the action is this blatant in it's breaking of the law, I must say I hope the kid enjoys the clink.

 

I disagree with the second sentence in that I'm not sure how this is more or less blatant that instances where your first sentence would apply.

 

Edited by farmteam
Link to comment
Share on other sites

QUOTE (farmteam @ May 10, 2008 -> 01:13 PM)
I don't see how that's malicious. To me, malicious would have been more than simply accessing the information -- it would have been disseminating that information or using it to harm someone.

 

 

 

I disagree with the second sentence in that I'm not sure how this is more or less blatant that instances where your first sentence would apply.

 

I hope you are so understanding if someone gets your personal information. I mean if you are so forgiving on this, you should just post your social security number, your bank account number, and maybe your medical records for review. I mean we just want to look, we are not going to doing anything malicious.

 

When you get a breach like this, and you find a person downloading someone elses personal files then we have gone beyond the story he gave on why he was there in the first place. What was the purpose of him downloading someone elses medical records.

 

Once data has been extracted from its secured location, you cannot verify that it is secure. It could be on a thumb drive, on an X drive, or sent via IM to a friend. That personal information is unlocked. Hence why in these situations the victims usual sue the school because of their failing in their security protocols. Now they were wrong for their lack of security. But this is why companies spend large amounts of money on security infrastructure and the people who run them.

 

I have been on both sides of this argument as a 15 year old kid, and as an adult. I see the investment, the fines, the law suits that happen over the breach of someones personal data.

 

 

Edited by southsideirish71
Link to comment
Share on other sites

QUOTE (southsideirish71 @ May 9, 2008 -> 09:46 AM)
They don't have a network security guy at this high school, its probably some dolt who has been there for years that hired a consulting company to come in and put up a firewall. I bet they haven't had a security audit and wouldnt know what happened. And from what I heard this kid didn't "hack" into the system. He got his hands on a password ( much like Wargames) and got in. Today we dont have hackers, we have jackass kids who run tools they downloaded and have no clue what they do, then you have bots as well. The real hackers are the ones dropping malware on your system sending that data back to China.

 

I also had the men in suits come to the house. That could of ruined my life.

 

What happened?

Link to comment
Share on other sites

Don't do the crime, if you can't do the time.

 

He knew, he did, he lost.

 

The law he broke does not make any allowances for intent, for maliciousness, etc. Apply the law to the crime. He'll have a second chance at prom. If he can't find a partner use a wooden chair

Link to comment
Share on other sites

QUOTE (southsideirish71 @ May 10, 2008 -> 05:11 PM)
I hope you are so understanding if someone gets your personal information. I mean if you are so forgiving on this, you should just post your social security number, your bank account number, and maybe your medical records for review. I mean we just want to look, we are not going to doing anything malicious.

 

Actually, that's exactly what happened, isn't it? The information the student gathered was used in no ill way whatsoever, even after it was apparently downloaded to his personal computer.

 

And actually intent and maliciousness do factor in somewhat, though not much at this point; however, I think they should have played a large role in determining whether or not to press charges.

 

Also, southsideirish, you mentioned people suing the school over them not protecting the records well enough, and I agree with that -- I was actually wondering why it wasn't brought up sooner.

Link to comment
Share on other sites

QUOTE (knightni @ May 10, 2008 -> 05:50 PM)
I've heard that...

 

96aaa9a0.jpg

Actually, upon further review by the replay official, that should be changed to

 

Don't do the crime unless you are in California, a celebrity, and can afford top tier legal help. ;)

Link to comment
Share on other sites

QUOTE (farmteam @ May 11, 2008 -> 02:18 AM)
Actually, that's exactly what happened, isn't it? The information the student gathered was used in no ill way whatsoever, even after it was apparently downloaded to his personal computer.

 

And actually intent and maliciousness do factor in somewhat, though not much at this point; however, I think they should have played a large role in determining whether or not to press charges.

 

Also, southsideirish, you mentioned people suing the school over them not protecting the records well enough, and I agree with that -- I was actually wondering why it wasn't brought up sooner.

 

Because the civil penalties are secondary to the inital crime. If he pulled this stunt at a company, he would be gone. He found a mickey mouse security setup at a school that is run by the PTA. You know the same motivated parents who think that because their kids commit crimes and they have money, that they shouldnt be held accountable. Much like in Hinsdale where the parents dont want the police to arrest people for underage drinking, the New Trier parents can frown on a crime like this as cute thing. Well when their children enter the corporate world, they will no longer be up against the computer science teacher who is also their security admin. And corporations file charges.

 

On the lawsuit angle. I would sue the school over their lack of protections, and then would sue the student as well for the max on his parents homeowners insurance over violations of my civil liberties. Its great that he wanted to see my SAT Scores, as well as as my medical records. I can only hope that the bags of money will make me feel better. I wonder how many of the kids and parents congratulating him right now would become equally outraged if some megabucks can drop into their kids laps.

 

Link to comment
Share on other sites

QUOTE (southsideirish71 @ May 11, 2008 -> 05:02 PM)
Because the civil penalties are secondary to the inital crime. If he pulled this stunt at a company, he would be gone. He found a mickey mouse security setup at a school that is run by the PTA. You know the same motivated parents who think that because their kids commit crimes and they have money, that they shouldnt be held accountable. Much like in Hinsdale where the parents dont want the police to arrest people for underage drinking, the New Trier parents can frown on a crime like this as cute thing. Well when their children enter the corporate world, they will no longer be up against the computer science teacher who is also their security admin. And corporations file charges.

 

On the lawsuit angle. I would sue the school over their lack of protections, and then would sue the student as well for the max on his parents homeowners insurance over violations of my civil liberties. Its great that he wanted to see my SAT Scores, as well as as my medical records. I can only hope that the bags of money will make me feel better. I wonder how many of the kids and parents congratulating him right now would become equally outraged if some megabucks can drop into their kids laps.

 

I understand your second paragraph is mostly in jest, but you honestly need to see the other side of the coin in regards to your consistent comments regarding lawsuits. Things really aren't like how you enjoy trying to portray them.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...