Student charged with three felonies after alerting school of poor security policies
by Steve Ragan - Oct 27 2008, 18:07In a prime example of shooting the messenger, a 15-year-old Clifton Park, NY, student is now under arrest for computer trespass, unlawful possession of personal identification information and identity theft.
The charges were brought after the student, a 10th-grader at Shenendehowa Central School, alerted his principal to the discovery of a database with 250 names of past and present transportation employees.
The school’s Web site explains the start of the story.
“About 1:00 p.m. on Tuesday an e-mail was received by our high school principal informing him that the sender had access to a file that had demographic data about bus drivers. It was signed “A student.” The N.Y.S. Police were immediately called and began their investigation into who sent the e-mail.”
“In the meantime, the district's Information Services Department (IMS) began to investigate and discovered that two high school students had accessed the file from an internal computer using their student password. Due to a configuration error, this file was not completely secured from student password access after being moved to a new server.”
After admitting the school improperly secured the employee data, instead of making heads roll within the Information Services Department, the school instead went after the student. The student, according to local news reports, has been in trouble in the past on unrelated computer mischief.
“This was a district computer at the high school," said Kelly DeFeciani, a school district spokesperson. “We have roaming profiles which show where the users have been when they are using the school computers. Everyone leaves footprints.”
According to school officials, anyone with a district password -- which includes staff and students -- could have accessed the employee data.
Superintendent L. Oliver Robinson, referring to the student charged, said: “His genius was used in the wrong way.”
State Police arrested the teen, charging him with computer trespass, unlawful possession of personal identification information and identity theft.
Yet, even investigators are positive the teen wasn’t after the information for criminal purposes. It was an instance of “Look what I can do,” explained Therese Assalian, spokeswoman for the Clifton Park Civil Service Employee Union, citing what investigators had told her.
State Trooper Maureen Tuffey revealed the student has now been suspended from school, and could face more school-related punishments pending a superintendent hearing. However, the boy's juvenile status would likely prevent him from serving time in jail if convicted, Tuffey added.
The question remains as to why he was charged to begin with? While the suspension fits the crime, and perhaps a lesson in IT ethics is in order (along with a ruler across his knuckles), it appears the teen is suffering extra punishment for past computer mischiefs.
In this case, the student discovered a mistake made by the school system and, roaming profiles or not, he reported it responsibly.
Again, the ethics lesson would include how to alert someone to an issue without saying: “Look what I have, you’ve been p0wn3d!” or something similar, but charging him with three felonies, that’s just plain silly.
Comment on this Story