
Student Hacks Into School System


farmteam

QUOTE (iamshack @ May 11, 2008 -> 06:26 PM)
I understand your second paragraph is mostly in jest, but you honestly need to see the other side of the coin in regards to your consistent comments regarding lawsuits. Things really aren't like how you enjoy trying to portray them.

 

Well, really, how far am I off on this? The medical reports that this kid snagged are covered under HIPAA protections. All they need to prove is that they did not provide adequate levels of security.

 

 


I'm surprised people are torn over this one. I completely agree with SSI. There is a fine line when it comes to the intentions people who do this kind of stuff have and accessing people's personal info is over it. Like he said, if it was for show there would be some sort of trophy or a way to document you've been there. Hacking into people's personal files is a much different issue than someone wanting to show off their hacking abilities.


QUOTE (DrunkBomber @ May 11, 2008 -> 10:09 PM)
I'm surprised people are torn over this one. I completely agree with SSI. There is a fine line when it comes to the intentions people who do this kind of stuff have and accessing people's personal info is over it. Like he said, if it was for show there would be some sort of trophy or a way to document you've been there. Hacking into people's personal files is a much different issue than someone wanting to show off their hacking abilities.

 

Of course there was an intent -- to find out the class rank of him and his friends.


QUOTE (farmteam @ May 11, 2008 -> 09:37 PM)
Of course there was an intent -- to find out the class rank of him and his friends.

That's the kind of intent that warrants a more serious punishment than someone who did it just to say they did it.


QUOTE (southsideirish71 @ May 11, 2008 -> 06:13 PM)
Well, really, how far am I off on this? The medical reports that this kid snagged are covered under HIPAA protections. All they need to prove is that they did not provide adequate levels of security.

 

I haven't looked into the law on this particular issue, but cashing in on your civil liberties being violated is usually quite a difficult task.


QUOTE (farmteam @ May 11, 2008 -> 08:55 PM)
Why? It's no more (if not less) malicious than the other.

It's something that would be very hard to prove and I'm not even quite sure how to explain my thought process. I guess the way I look at it is the school or whoever would be enforcing the rules more than likely have boundaries set and I'm sure they might overlook some minor things (like just getting into the system) and more serious problems (looking at other students' personal records). Since the student was indeed looking at other kids' stuff he made it clear that his intentions were to do more than simply show off to his friends. Now, even if he wasn't, that's what it looks like and it should be sufficient in proving his guilt.


QUOTE (farmteam @ May 11, 2008 -> 08:55 PM)
Why? It's no more (if not less) malicious than the other.

 

It's about intent.

 

What is more malicious: the hacker who breaks into a front end system, and puts a hidden file and sends a message to the admin saying I hacked your system, or the hacker who breaks into the system and pulls down all the medical records for the employees of that company? Both of these happen to companies, one of these gets the company in hot water with possible fines and litigation. The action of downloading a record is an action initiated by the hacker. He didn't stumble across it, he didn't accidentally view it. He looked for it, found it and downloaded it.

 

 

 


QUOTE (iamshack @ May 11, 2008 -> 08:55 PM)
I haven't looked into the law on this particular issue, but cashing in on your civil liberties being violated is usually quite a difficult task.

 

Maybe civil liberties was the wrong choice of words.

 

Personal information such as medical records, and your social security are protected by several state laws. There are plenty of examples where people have sued over the accidental disclosure of personal information.

Here are some HIPAA examples.

 

 


QUOTE (southsideirish71 @ May 11, 2008 -> 10:16 PM)
Maybe civil liberties was the wrong choice of words.

 

Personal information such as medical records, and your social security are protected by several state laws. There are plenty of examples where people have sued over the accidental disclosure of personal information.

Here are some HIPAA examples.

 

Was the information in any of those examples discovered because of a computer hacker? It seems like in those examples the information was either inadvertently disclosed because of accident, or because of employees or the companies seeking to use the information in some other way.

 

In this example, the information was obtained by someone with absolutely no access to the system breaching the system. Seems like apples and oranges to me.

 

SSI, I understand you are in the business of network security. What does the law say the liability is for companies who have their databases breached by hackers? I would assume standard negligence principles would apply, but perhaps there is some legal test that the majority of states use to determine what is negligence regarding network security and what isn't?


QUOTE (iamshack @ May 11, 2008 -> 09:26 PM)
Was the information in any of those examples discovered because of a computer hacker? It seems like in those examples the information was either inadvertently disclosed because of accident, or because of employees or the companies seeking to use the information in some other way.

 

In this example, the information was obtained by someone with absolutely no access to the system breaching the system. Seems like apples and oranges to me.

 

SSI, I understand you are in the business of network security. What does the law say the liability is for companies who have their databases breached by hackers? I would assume standard negligence principles would apply, but perhaps there is some legal test that the majority of states use to determine what is negligence regarding network security and what isn't?

 

 

Here is the case of a company that didn't secure the data on their laptops.

 

 

TriWest Healthcare Alliance has been hit with a class-action lawsuit for negligence by customers whose identity information was stolen last month in a heist of computer data from the Phoenix-based defense contractor. The lawsuit was filed in the U.S. District Court for Arizona by Tucson attorneys David Karnas and Gary Bellovin on behalf of Lt. Col. Michael Stollenwerk and Andrea DeGatica, both of Virginia. They seek unspecified monetary damages for alleged negligence, breach of contract and violations of the federal Privacy Act. TriWest officials declined to comment on the civil complaint Wednesday, saying they had not had an opportunity to review the allegations. The company's offices were invaded Dec. 14 by thieves who made off with laptop computers containing files on 562,000 military personnel, retirees and family members who have health care through the company. The data included Social Security numbers, birth dates, duty stations, medical records and other information that could be used by identity thieves. The robbers targeted computer data and left more valuable items behind. Despite a $100,000 reward offer by TriWest, and intense investigations by the Defense Department, FBI and Phoenix police, no suspects have been identified. Neither the company nor criminal investigators have been willing to say whether the burgled office at Thunderbird Road and Interstate 17 had an alarm system, guards, video cameras or other security measures in place. The stolen computers contained data on active military personnel who could be called to fight in a war against Iraq. Some members of the armed forces have fretted that enemies or terrorists might obtain information and use it against American troops or their families. TriWest continues to emphasize that, to date, no stolen data has been used for criminal purposes. But authorities have divulged little about the theft, and even less about their investigation. 
Steven Anthony, a spokesman for the Defense Department's Office of the Inspector General, said investigators could not discuss the case. Robert Ellis Smith, publisher of the Rhode Island-based newsletter Privacy Journal, said litigation to protect privacy continues to accelerate, with large awards when plaintiffs prevail. (The Arizona Republic, Jan. 30, 2003)

 

This latest class-action lawsuit alleges "the Davidson Companies failed to comply with the industry standards designed to protect such confidential personal and financial information from theft" and that the company did not provide "adequate safeguards in its storage and handling of its clients’ confidential personal and financial information." The lawsuit, which doesn't specify a monetary demand, was filed even though the plaintiffs aren't aware of any identity theft resulting from the breach. Attorneys for Davidson Companies said they haven't seen the paperwork and declined comment. Source: Dark Reading

 

 

Liable for poor security

 

Lawsuits may define future of Information Security

 

 

Edited by southsideirish71

QUOTE (Y2HH @ May 9, 2008 -> 01:48 PM)
This is funny to me for multiple reasons.

 

First and foremost, because now that 'computer hacking' is somewhat of a pop-culture phenomenon, and in the public spotlight, they make a big deal out of next to nothing. Also, it seems that modern "hackers" don't recognize nor realize the added security and auditing that can be done that once didn't exist, so they don't take their time to cover their tracks or seriously screw up their tracks. Things like intrusion detection systems and detailed logging were something that just didn't exist back in the day.

 

I'm 32 years old now, but not only did I hack my high school's network (which was one of the very first networked schools in the city of Chicago), but I hacked UIC's and DeVry's, too.

 

1. Bogan High. I never got caught for this one. They had a multi room token ring lan based on an early version of Novell Netware. Owned. I had access to all student/teacher profiles (although the data was scant as they were JUST starting to implement), and all personal directories. Again, scant pickings since I was one of the few people in the school that knew anything about networking. We mostly used it to chat with an early non-graphical based method of text messaging across the network, so friends in different computer classes were able to talk throughout class, while constantly typing, so the teachers thought we were hard at work. :)

 

2. UIC. I *did* get caught on this one, and nearly expelled. Had to meet the dean face to face and explain myself to him and their network staff, how I did it, etc. I had full access to everything on this one, including student records, student directories, etc. It was VAX based with a live internet connection, so more or less a weird system that most didn't understand. Keep in mind this was the early 90's, and most people had never heard of an "internet" at this time. One of the help files on the VAX system had extensive notes on how to use said system, and one of their many login examples was a superuser, which is their own fault. Instead of using their example to login as myself, I logged in as the example, and found infinite system control at my hands. :D They let me off for this one, and never made it public since it would have been an embarrassment since they published this account in an open forum, however, it just goes to show you...this was a major university's network and not a thing was said/done. I do this same thing 10 years later and I guarantee my university days are over.

 

3. DeVry. Also Novell based in an era where Windows 95/NT was coming into its own. This one was also easy as the holes in Novell's software were gaping huge and you could exploit a malconfigured system quite easily. I used a simple brute force crack on their admin account and within minutes had access to everything. Never got caught for this one, either, but it aided my vast laziness throughout college. Rather than writing my own programs for whatever given class, I'd simply steal them from another student's home directory, rewrite them and hand them in as my own. It's not surprising I didn't stay in programming, since I hardly knew how after a while. I did, however, go into network security before people thought about security, which now seems fitting. :D

 

If you don't want your network hacked, secure it, patch it and actively watch over it.

 

The only thing that should happen here, are the people in charge of this network should be fired for doing a terrible job. Maybe they should hire this kid to show them how stupid they are while they're at it.

 

A little more on my history. At the age of 12 the men in suits arrived at my house, charged me a 750$ fine for "phreaking" credit and calling cards. They figured out I was war dialing because my "randomized" sequences were too tight. Still, I didn't have to pay for much in the way of computer equipment or skateboards for a good few years there. Thank God at the time such things were harder to trace than now, or I would have probably been charged upward of 7,000$. Wardialing, for those not in the know, is a name ripped from the movie Wargames, which uses randomized sequential blocks of numbers to test for validity. Such as 555-0001, 555-0002, 555-0003, etc...there are certain tones the companies once used to verify a valid card, if the computer detected that tone, it would keep note of it. Ordering equipment via credit card was easy, as there was almost no security back in the day, so they'd just send the equipment right on over while charging to said card. Getting the name/exp date off the card was also easy as all you had to do was call the credit card company and ask, they'd give it right up without a fuss at the time. Then you have the stuff sent UPS to the neighbors while they're at work, slap a note on the door to "leave the stuff", and when they leave it, go grab it. The neighbor has no recollection of this since they weren't around...but, you get the point. :D

 

Wow, you know this guy's a virgin. :D


QUOTE (southsideirish71 @ May 11, 2008 -> 11:12 PM)
It's about intent.

 

What is more malicious: the hacker who breaks into a front end system, and puts a hidden file and sends a message to the admin saying I hacked your system, or the hacker who breaks into the system and pulls down all the medical records for the employees of that company? Both of these happen to companies, one of these gets the company in hot water with possible fines and litigation. The action of downloading a record is an action initiated by the hacker. He didn't stumble across it, he didn't accidentally view it. He looked for it, found it and downloaded it.

 

The hacker who breaks in just for fun is simply doing it to piss people off -- he has no actual reason for doing what he's doing, he is, essentially, being a jerk just to be a jerk. On the other hand, someone who goes in, finds grades for him and his friends, has an actual reason. He didn't hack the system because he could or to prove a point, but because it was the means to an end. To me, that is less malicious.

 

Am I condoning what happened? Not at all. I just think punishments already handed out by the school were sufficient, and legal action was not necessary.


By the way, if anyone ever wanted to know what it's like to go to New Trier, look no further than this article. The level of competitiveness is ridiculous, and class rank is coveted like you wouldn't believe. Not surprising that some kid just had to try to find out. And I wouldn't be surprised if his parents encouraged him to do so. The pressure cooker of NT is obscene, and it's just not like any other public high school.

 

No way I want my kids going there. The opportunities are great, but I think it's just too hypercompetitive to be healthy. There are other suburban districts almost as good (or by some measures, as good or better), with a lot less pressure, and much lower taxes to boot.

 


QUOTE (NorthSideSox72 @ May 12, 2008 -> 09:03 AM)
By the way, if anyone ever wanted to know what it's like to go to New Trier, look no further than this article. The level of competitiveness is ridiculous, and class rank is coveted like you wouldn't believe. Not surprising that some kid just had to try to find out. And I wouldn't be surprised if his parents encouraged him to do so. The pressure cooker of NT is obscene, and it's just not like any other public high school.

 

No way I want my kids going there. The opportunities are great, but I think it's just too hypercompetitive to be healthy. There are other suburban districts almost as good (or by some measures, as good or better), with a lot less pressure, and much lower taxes to boot.

 

The funny thing is that in 4 years, their class rank means s*** as far as a resume is concerned. Their GPA and their SAT/ACT scores + extra curricular will get them into the school of their choice. I can't remember the last time I had someone say, I see you have a CCIE, but what was your ranking in high school. Unless you are the valedictorian, it doesn't matter.


QUOTE (southsideirish71 @ May 12, 2008 -> 09:33 AM)
The funny thing is that in 4 years, their class rank means s*** as far as a resume is concerned. Their GPA and their SAT/ACT scores + extra curricular will get them into the school of their choice. I can't remember the last time I had someone say, I see you have a CCIE, but what was your ranking in high school. Unless you are the valedictorian, it doesn't matter.

I agree. I'm just saying, at New Trier, in order to get into the high end schools, you have a different competitive structure than at other schools. You have a lot more kids vying for those ivy league and other super-tough schools, so they get very competitive. For lots of those students, while they are there, it means everything at that time.

 

By the way, since I didn't say so earlier, I agree with your stance on this particular kid. He committed a crime, and he should be prosecuted for it.

 


QUOTE (farmteam @ May 12, 2008 -> 02:48 AM)
The hacker who breaks in just for fun is simply doing it to piss people off -- he has no actual reason for doing what he's doing, he is, essentially, being a jerk just to be a jerk. On the other hand, someone who goes in, finds grades for him and his friends, has an actual reason. He didn't hack the system because he could or to prove a point, but because it was the means to an end. To me, that is less malicious.

 

Am I condoning what happened? Not at all. I just think punishments already handed out by the school were sufficient, and legal action was not necessary.

 

So knowingly targeting private information makes it better? If he was just trying to see if he could get in, that's bad. Seeing if he could get in ~and~ find out private information about people is not as bad?

 

I would think if he broke in and did ~not~ look at anything that would be better.


To a graduating Senior, class rank is huge. My daughter is trying to get into Northwestern. She is attending an International Baccalaureate program, and basically if your class rank is not in the top 2% it gets much harder to be accepted at Northwestern. So in a graduating class of 400, she needs to be 1-8. And of course have the necessary extracurricular resume. Texas - Austin automatically accepts any Texas student in the top 5% of their class. Again, lots of kids calculating that. What hurts are the kids dropping out that shrink that percentage number. I watched as my son passed 25 students between his Sophomore and Junior year and fell out of the top 10% because of all the drops.

 

And you are correct, in four years it will not matter. But that Northwestern degree will matter.

 

I think she is crazy, but she treats academics with the same competitiveness I treated athletics.


QUOTE (Texsox @ May 13, 2008 -> 08:41 AM)
So knowingly targeting private information makes it better? If he was just trying to see if he could get in, that's bad. Seeing if he could get in ~and~ find out private information about people is not as bad?

 

I would think if he broke in and did ~not~ look at anything that would be better.

 

Yeah, I see where that can get confusing.

 

I guess for people outside the culture, it's hard to understand. I'm not saying it's right or wrong, but I guess I can understand where he's coming from, and that's why I'm in the minority in this one.


QUOTE (farmteam @ May 13, 2008 -> 05:15 PM)
Yeah, I see where that can get confusing.

 

I guess for people outside the culture, it's hard to understand. I'm not saying it's right or wrong, but I guess I can understand where he's coming from, and that's why I'm in the minority in this one.

I happened to be thinking about this as I was walking tonight, and it is surprising you posted. While I think you missed the mark, you actually were close to a very good point, or perhaps this is more what you were thinking. He didn't hack in to see what info he could steal and use for financial gain, he had a specific bit of information he was looking for, and he probably was not going to gain financially from it.

 

But just like the thief who breaks a window and enters a business. It just doesn't matter if he broke in to polish the silver or to steal it, the first crime is breaking and entering.

