A Chicken Little approach to computer insecurity
Posted on June 28, 2005
This morning I woke up to read that thirteen students in Kutztown, Pennsylvania will be charged with the third-degree felony offence of “Computer Trespass” for learning and then exploiting the administration password for the iBook laptops their school gave them to use: 13 teens face felonies
According to parent testimony and confirmed by an otherwise vaguely-worded letter from the Kutztown Police Department, students got hold of the system’s secret administrative password and reconfigured their computers to achieve greater Internet and network access.
…
Shrawder said the secret password “50Trexler,” was widely-known among the student body and distributed early in the school year. It allowed between 80 and 100 students to reconfigure their laptops, he said.
Using this diabolical new-found power they apparently wreaked havoc and mayhem by embarking upon a wave of online crime, ultimately culminating in using their illicit powers to “download music and inappropriate images from the Internet”. In other words: they went pr0n-surfin’.
It seems to me that there is an epidemic raging in the States right now around so-called Computer Crime, but it is not being perpetrated by these criminals; it is being perpetrated by over-reactive administrative bodies who believe that computer trespass is somehow criminally on par with bank robbery, carjacking, and murder. It has quite literally become: learn a password, go to jail.
A few definitions of a felony:
A crime of a graver nature than a misdemeanor. Generally, an offense punishable by death or imprisonment in excess of one year. [source]
A serious crime, generally punishable by a term of incarceration in a state prison. [source]
A crime considered to be of a graver nature than a misdemeanor. Examples of felonies include murder, kidnapping, manslaughter, burglary, robbery, and certain types of sexual abuse. [source]
… and changing the admin password on your laptop so you can surf porn and listen to music.
The article itself is suitably vague on the specific details; however, I see at least two points of culpability in this - negligence if you will - by the school board:
- The use of a single master password “50Trexler” across all the laptops shows gross incompetence on the part of the administrator. In a program in which any modification to the laptop could result in jail time for the students, his failure to secure each laptop uniquely and to the fullest extent of his ability is criminal. Had each laptop had a unique master password, as is standard practice in computer security, this damage would have been greatly mitigated by requiring each and every student to figure out their own password, rather than allowing one to spread like wildfire.
- A quick Google search of “Kutztown area high school” shows that “50Trexler” is in fact the address of the school. This too speaks to gross negligence on the part of the administrator. It is basic security procedure not to make an administrative password something susceptible to random guesses, dictionary attacks, or Googling. This is not an administrative password, this is a joke.
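The two failures listed above, as an added Python example that is not part of the original post: an audit that flags admin passwords shared across devices or assembled purely from publicly known facts about the organisation, plus per-device random provisioning. The function names, laptop serials and fleet data are hypothetical and constructed; the public strings come from what the post states.

```python
import re
import secrets
import string
from collections import Counter

# Constructed sample data (not from the school's real systems).
PUBLIC_FACTS = ["Kutztown Area High School", "50 Trexler"]  # strings anyone can Google
ALPHABET = string.ascii_letters + string.digits


def public_tokens(facts):
    """Lower-cased alphanumeric words taken from public strings about the organisation."""
    return {t for fact in facts for t in re.findall(r"[a-z0-9]+", fact.lower())}


def built_from_public_facts(password, facts):
    """True if the password is nothing but public tokens glued together."""
    tokens = public_tokens(facts)
    text = re.sub(r"[^a-z0-9]", "", password.lower())
    # Word-break DP: reachable[i] means text[:i] splits cleanly into public tokens.
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(
            reachable[start] and text[start:end] in tokens for start in range(end)
        )
    return bool(text) and reachable[-1]


def audit_fleet(passwords_by_serial, facts):
    """Return (serials sharing a password, serials whose password is guessable)."""
    counts = Counter(passwords_by_serial.values())
    shared = sorted(s for s, p in passwords_by_serial.items() if counts[p] > 1)
    guessable = sorted(s for s, p in passwords_by_serial.items()
                       if built_from_public_facts(p, facts))
    return shared, guessable


def provision(serials, length=20):
    """Assign each device its own random admin password from a CSPRNG."""
    return {serial: "".join(secrets.choice(ALPHABET) for _ in range(length))
            for serial in serials}


if __name__ == "__main__":
    before = {f"IBOOK-{n:03d}": "50Trexler" for n in range(1, 4)}  # constructed fleet
    print(audit_fleet(before, PUBLIC_FACTS))             # every laptop flagged twice
    print(audit_fleet(provision(before), PUBLIC_FACTS))  # nothing flagged
```

In a real deployment the audit would run at provisioning time, before the passwords are escrowed, rather than over a stored plaintext list.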
If I were these students I’d be arguing contributory negligence up the wazoo.
Kids are kids. Personally, give a bunch of kids computers and I would be very disappointed if they didn’t figure out how to make them do lots of things you never expected them to be used for. Reprimand? Sure. Felony record? That’s absolutely absurd.
Comments
2 Responses to “A Chicken Little approach to computer insecurity”
Personally I think the school is overacting. These students will no longer be able to receive Pell Grants on GSL because of a Felony conviction. They have obviously committed Criminal Computer Mischief but that is all.
Additionally, that school is so moronic for its total lack of computer security it is almost criminal. However, you can not blame the school for this, the students still took advantage of the hole.
Actually I do blame the school for this in part in that their security policy and their security implementation are negligent. The school is quite obviously negligent in their role and attempting to solve that through legal means.
I don’t argue the kids aren’t culpable to some degree, I’m arguing that it should be a misdemeanor. In effect the kids are being punished so harshly due to the school’s negligence.