Times Union – October 25, 2008:

A Shenendehowa (New York) student who alerted his principal that he could steal private employee information now is facing felony charges.

The 15-year-old sophomore allegedly breached the district’s system while in computer simulation class and gained access to 250 names of past and present Shen transportation employees. He used his student password to view their Social Security numbers, driver’s license numbers and more, Shenendehowa officials said.

Then he allegedly sent an e-mail at 1 p.m. Tuesday to High School Principal Donald Flynt, saying he had the database.

Flynt contacted police, who arrested the young man Thursday and charged him with computer trespass, unlawful possession of personal identification information and identity theft, all felonies. He will appear before Saratoga County Family Court at a later date, State Police said Friday.

I love this part. The Superintendent, L. Oliver Robinson, is obviously clueless about computers.

Officials said anyone with a district password, thousands of people including students, faculty and other employees, could have gotten access to the faulty file. But, Robinson said, getting to it would have required exploration and some computer savvy.

“His genius was used in the wrong way,” Robinson said.

To put it another way, anyone with a district password can access personal information if they actually know how to use a computer. It’s a good thing hackers and personal identity thieves don’t know how to use computers. But wait, they do!

You can access the school’s website here with all the contact information you’ll need.

  1. gquaglia says:

    Just because you are an educator doesn’t mean you are smart. This is a prime example.

  2. JulioHM says:

    wow.. pure jealousy

  3. doug says:

    another youngun learns a valuable life-lesson: the people in charge are not your friends and do not have your best interests in mind.

  4. Mac Guy says:

    I’ve actually seen this before firsthand in a school district, and what the media is reporting is not always exactly how it happened. I’m very skeptical of this article.

  5. Jägermeister says:

    I’ve had managers reacting the same way…

  6. Joe says:

    Look, we live in a sue-happy society. I bet you those bus drivers are right now finding attorneys to sue the kid, the school district, and the city for millions of dollars for possible identity theft and invasion of privacy. Arresting him is the city’s way of saying we didn’t support or condone these actions so please don’t sue our pants off.

  7. eggman9713 says:

    Well, let’s see what kind of example has been set for the upcoming geeks… If you find a security hole that is exploitable, you don’t tell the owner because you will get thrown in the pokey. Now if you exploit the hole and don’t tell anyone it exists, you MIGHT get thrown in the pokey. I like the odds on the latter. Looks like this idiotic principal just contributed to the delinquency of the upcoming geek community and the cyber anarchy that will occur in the very near future. Very well done.

  8. ECA says:

    Is it time to SPAM the principal??
    Is it time to insert a BOMB in the computer??
    We could insert a small file that directs Everyone’s email to EVERYONE, not just the person it’s sent to.

    I would like to know, WHO was in charge of the computer? Who was supposed to set up the security?

  9. Jägermeister says:

    #8 – ECA – …WHO was in charge of the computer?

    Holy smoke, ECA… you might be onto something… it’s the evil UN after all…

  10. FRAGaLOT says:

    This reminds me of one time I was at a local privately owned PC shop. This was in the late 90s when everyone was running Windows9x. I asked one of the employees to enter in the screensaver password so I could check out one of the machines on display. HE didn’t want to.

    So I just rebooted the machine and just started messing around with it. Then the guy noticed what we did and he said that they didn’t like hackers at their store and asked us to leave.

    I explained to him what I did but he still considered it “hacking” when all I did was hit the reset button that’s on the front of the PC, which HE probably installed. He went on talking about how I “hacked” the PC to get around his pointless screensaver password so I could use the computer. Which was just a DISPLAY model anyway. Not like the store payroll and sales records were on this PC or anything important. Jezzz…

  11. Improbus says:

    Moral of the story? No good deed goes unpunished. Welcome to the criminal “justice” system kid.

  12. pychosang says:

    I think similar events like this will eventually build up and cause large consequences for the authorities and the hacker community.

  13. ECA says:

    True… AND the best part is they AREN’T hackers.
    But the laws and regulations will be MADE for the semi-smart person..

    You leave your car unlocked, and a person gets INTO the car, and DOES NOTHING…you call the cops, and he is arrested.

  14. Li says:

    Yet another example of the criminalization of basic competency. Before long we’ll be wearing noise machines in our ears to keep us from thinking straight, lest our scheming minds work against us.

  15. getitwrite says:

    These stories are always a bit skewed here.

    The “wacko principal” is not law enforcement. He can’t charge the kid with felonies.

    Also in the full story, it sounds like the kid did this kind of thing before.

    Did he “discreetly expose” a flaw or e-mail “Ha ha, I have part of the data-base!” In these situations how you present yourself makes a huge difference on how others respond.

  16. ECA says:

    It’s STILL a basic security issue.

  17. Jess Hurchist says:

    “anyone with a district password, thousands of people including students, faculty and other employees, could have gotten access to the faulty file.”

    Sounds like the kid had a password and it gave him access. Hard to see the felony in that.

  18. waldo says:

    I went to this school, and can’t begin to tell you how messed up those in control of it are (the teachers were mostly great). When I was there I was witness to the principal diverting money from classes to the football team. After I found this out, fellow students were able to learn that this had been going on for some time.

  19. Mr. Fusion says:

    The School gave the kid the password and access to the computer. The School Board left confidential information open and unprotected. The student, upon discovering the open information reports it to the Principal.

    Where is the crime? I know, it is early in the morning and my brain is still a little fuzzy, but come on, all crimes require intent.

  20. dawn says:

    So, I sent the school this email:

    “Administrators like this are an embarrassment to New Yorkers who actually know how to operate a computer. This sort of thing only exposes how ill-informed and tech-ignorant most administrators are.

    The kid did you a favor by telling you that any moron who knows how to enter a password can access your databases. And you respond by ARRESTING him? Are you nuts? Talk about shooting the messenger! Instead, you should HIRE the kid to work for you and tell you about all the security holes in your systems.”

    and here’s the BOE reply:
    “We appreciate your feedback. Please understand that because this is a pending criminal matter, we were not able to provide all of the details of what happened. It is much more involved than what you read in the newspaper. I can say however, that the student’s motive was not to “do us a favor,” the file was not “stumbled upon,” and this was not a first offense by this student of the district’s acceptable use policy for computers and related technology.
    Another point that needs to be corrected is that we do not have the authority to “file criminal charges” as a school district. The New York State Police have worked cooperatively with the district and they have the authority to press charges based on the evidence that a crime was committed.”

    Granted, we don’t know the details behind this story, but I still suspect CYA as a main motivator here.

  21. qsabe says:

    What the school district does insist on providing to Bush on every child over 2 years old. Isn’t this the same thing Hitler used for his youth corps?

  22. mouring says:

    Depending on if this is all the information or not. I can state something like this happened to me while in high school in the early 90s.

    Some kids were having problems in the Mac lab and the teacher was busy helping others. They came to me (since they knew I did a lot of *UNPAID WORK* for the head of the IT department), and so I resolved it by moving files to where they belonged and making note of a machine that lost its copy of MS Office.

    Then I reported it to the teacher.

    She reported me for “malice destruction of school property.” I was banned from the computer labs on her word alone, and I had no recourse. The only thing I was able to ensure it didn’t affect was my work on the yearbook (they had their own Mac lab).

    Had it been my 2nd or 3rd year in school I would have raised hell. Or had it been the start of the year I would have raised hell, but with three months left of my Sr year I pretty much didn’t care about the idiots that ran the school.

    – Ben

  23. brendal says:

    Just another case for home schooling…

  24. Freyar says:

    It’s odd. My Senior High School’s network admin was very cool. I worked with him “unofficially” a lot over the course of my three years uncovering flaws, and things like that.

    I found a CSV containing a database of all the students and teachers along with their classes, grades, SSNs, logins, and passwords.

    I copied the file, took it to the admin, and we had a talk about the network and some stuff while he did his work about closing each loophole I presented. I didn’t have to send an e-mail or something, I just said, “Oi, found these holes here. Got some SSNs, passwords, and stuff left out in the open. Might want to take care of that.”

    I don’t know, guess I was lucky. I went looking for these kinds of loopholes. Even more interesting is that I was never charged or anything.

  25. KarmaBaby says:

    Seems like looking for security holes is illegal, or at least likely to get you in hot water. Apparently it’s like walking through your neighborhood trying all the doors to see which ones are unlocked. Then leaving a note for the residents with your name and address informing them of their “vulnerability”. It probably won’t be well received. It would probably get you a visit from the police.

  26. I will not porn storm the principal any more.
    I will not porn storm the principal any more.
    I will not porn storm the principal any more.
    I will not porn storm the principal any more.
    I will not porn storm the principal any more.
    And etc.

  27. sportsboy2434 says:

    What the article neglects to explain is that the student planned on selling the personal information that he found. The principal was right in reporting to the police so as to protect this personal information. The student never should have come across the information in the first place, had he not been attempting to find it in some way. It’s not exactly something that just shows up on his screen. Therefore, he is a “computer hacker” and it does violate a law that would classify it as computer trespassing. The school is completely right and fair in this case and the student deserves what he got.

