“Reid Ellison is a 15-year-old high school hacker who, for a time, had complete control over his school’s computer system. A hack attack from a smart kid is just about any school’s worst nightmare. But Ellison got a pat on the back for his exploits, rather than a slap on the wrist. This is actually a good news story about a kid who used his hacking talents for good rather than evil.” Read the full story at ABC News.
There are a lot of cases like this, I cannot find the article of the guy who told his state government that their wireless network was not secure. He showed them and was arrested.
As for Ashcroft, he wants to label them terrorists
This is kind of an old article.
http://online.securityfocus.com/news/257
I think if Reid was not some nice WASP kid that was a citizen. he would probably be arrested. INS wouldn’t say anything and he would have a private trial and be deported.
IMHO, if your computer system gets rooted by some 15yo kid who tells you how he did it afterwards and doesn’t destroy anything, you should probably be thanking him instead of trying to lock him up.
But on the other hand, if you were to successfully break into a bank in the middle of the night and didn’t steal anything, and then told the owner how you did it, what kind of punishment would you get?
On another hand, if you work for a company who’s system is insecure and you know it, it might be kind of hard to proove if you don’t demonstrate it, but then you run the risk of befire fired or arrested. So what to do ?
it is so inflexible in terms of configuration ….
there is always a place for a scapegoat and
knowledge kills
just a matter of finding the real bios irq address with some
info i’ve got from bboards. Those were the times of real hacking! not some kid that reads securityfocus or bugtraq!
Unfortunatedly I didnt get a pat in the back or a slip in the wrist. I’ve got a kick in the ass
Actually, if this is the same article that was on Wired, he used the Macs at the schools.
The security system at public schools are truly weak. You don’t need to be able to code or anything advanced. Public schools run windows OS which does not get updated. They often choose poor security systems which are EASILY cracked. And ofcource the most common one is human error. I was able to see which students were absent from school on certain days just by snooping around different folders.
You think that’s bad?
@ our school everybody used to log in as a domain admin because they forgot the other accounts. We’re talking about 150 pcs here. The grading system was accessible, the absence list, your PERSONAL RECORDS, MEDICAL FILES, etc.
I mentioned it to the teacher and he said (mind you, he was our “IT” teacher) “We run an open network so students can learn, but you really cant do any harm”. So i mounted some administrative shares, and renamed some winnt folders, including the pdc. Easy to fix, but they wont boot anymore.
Believe me, i didnt get a pat on the back, i got a foot up my ass.
Take Care
Kevin
The security system at public schools are truly weak.
Our school managed to deal with most of the hacking attempts by naming staff folders on the network with some ascii characters which Windows caren’t recognise. This works well, till a student tries either DOS (If they no how to network it) Or if they load some Unix (Not been done, but would work)
Interesting though… They will be slowly switching to Linux over the next few years, I will be helping. Hopefully that will be secure enough in it’s own right, without needing special ideas (Simple permissions and groups should do the trick, but we’ll see)
would anyone who is a sysadmin care to comment on how you could trust an individual like this? they say they didn’t do any damage, but they broke through your security and you didn’t know it. how do you know they didn’t install some backdoor and only tell you about part of their exploit?
the example of the bank is not quite the same as the bank counts the money and knows when and how much money is missing.
if someone cracked your system would you have the needed logging system (ie tripwire) if you couldn’t be bothered to otherwise secure the box?
i can understand this school’s trust system if the admin is making a genuine attempt to secure the box, but otherwise it seems self-defeating.
wasn’t this posted on cnn.com like 2 weeks ago?
p13as3:
Isn’t it illegal to have information like that “publically” available. I would have seriously considered to file a complaint at the local authority if they didn’t take it seriously.
-Rasmus
From: Chris Capoccia
would anyone who is a sysadmin care to comment on how you could trust an individual like this? they say they didn’t do any damage, but they broke through your security and you didn’t know it. how do you know they didn’t install some backdoor and only tell you about part of their exploit?
You don’t. I agree, that’s a valid concern. And one that a system administrator wouldn’t have nearly enough time to properly check the systems.
But, as the principal of the school pointed out, its’ better to reinforce honesty and doing the right thing by reporting security problems, than it is to reinforce paranoia that a student might have caused some malicious damage. This student was, according to the article, honest and complete about the security issues, and the school has no basis to implicitly distrust him.
Further, it would be hypocritical of the school to crack down on him; if he could get in easily, who’s to say that no-one else has? For all anyone knows, one or more other students, staff, or even members of the public have been getting inside the system for ages. Yes, it’s unlikely, but is that assumption really that much more unrealistic than what you mentioned above?
Slightly OT ObRant: The sort of legislation we’re moving towards is one where you are required to report security vulnerabilities if you find them, and can then be prosecuted or not entirely at the pleasure of the institution involved (where in reality it should be THEM being prosecuted for failing to properly secure their systems). This will lead to people being imprisoned through no real fault of their own, which is both unethical and immoral. Its’ high time that people reporting vulnerabilities get the thanks they deserve.
“I think if Reid was not some nice WASP kid that was a citizen. he would probably be arrested. INS wouldn’t say anything and he would have a private trial and be deported.”
Either that or he got WRITTEN PERMISSION to root around before he started.
this is funny because i once DoS’ed the entire class… 16 bluescreens at the same time… and i was 14…
the school server? hacked that… two hard drives wiped… they never traced it back to me… oh come on – you cant use redhat 6.2 and expect not to be hacked…
well they dont know it was me… but i once showed them how to exploit a cgi hole in the school server, ever since then, they’ve been bugging me to do linux support, fix computers, write php for the homepage etc…
the moral of the story is simple: do NOT hack – you’ll end up with more work than you could expect…
a lot of principals or IT teachers will see this and say “i must switch to linux/macosX/solaris immediately or it could be me”
which will only make things _less_ secure, as they don’t know how to administer or secure these unfamiliar OSses.
what they should do (imho) is get a capable and bright kid and gently give him some responsibility. maybe have a team of them, getting a few perks, working to make sure the system is up to date, secure and there havent been any break-ins.
the really sad thing is… it will never happen.
exactly, the day i see a school (which was run like mine) let a kid do stuff like that… Instead of letting us, who individually we knew more than any of the admins (when you have problems reseting a passwd in NT…), and together we knew quite a bit, they decided to run their system as it was. “Its an unhackable system” they said, well, we proved them wrong, within a few weeks we had the servers, we never did any damage though. Then when something went wrong (their fault) they went after us like you wouldnt believe.
School sysadmins have too much pride to let a kid help, even if the kid knows more.
… is a losing proposition.
I was the lone tech guy for a school of 2400. I supported an assortment of Mac, DOS, 3.1, and Win 9X machines in the classrooms. I ran the mail server, worked on the web page and did training for teachers. I managed 4 servers (2xNT4, Novell 4.11, and RH 6.1). I had a support guy that came out from the county 1 day a week to help keep the 488 desktops working.
In my spare time I reimaged machines that the 31337 h4X0rs managed to screw up. For every one kid like Reid, I claim there are 1000 who just want to set up a proxy so they can access pr0n in the back of the business classroom.
Folks can claim they know so much more than the poor overworked guys running these networks, but mostly they seemed to break things that we had to fix. It was tough job.
I am back in the classroom these days working as a part-time tech resource for a department and managing two RH servers on the intranet. I still do faculty training but let someone else deal with the Reids and their wannabe buddies.
What I don’t understand is why High Schools
don’t just install the system that they want,
input whatever programs that they’ll need and
then Image the system with whatever tool is of
personal prefference, then at a specified time
simply have them restored to their original
state each day. That’d probably eliminate most
problems with backdoors, viruses, ect.
Today I was talking to our schools IT guy, he has implemented a similar system. It restores the start menu, quick launch, desktop and particular parts of the registry, while the computers booting.
This process takes about 13 seconds, and most students won’t notice. “Oh, they’re just slow computers”.
As most of the “1337 h4><><Z0R5” aren’t really that elite all they really usually do is delete some entries from the start menu, cover the desktop in icons, rename things etc. In one instance, some one renamed a shortcut to “klik & play” to “klik & gay”. How clever, how elite, how hack-zor-ish. Anyway, this system basically restores these to their original state, very clever, and works well, till someone can break through.
I was hired as an intern, to do 2nd level support. I mean this company was big! Over 5000 in staff, and 1000’s of customers passing through each day. Well one day one the kisoks broke down, and I had to fix it, whilst testing it to make sure things were okay, I found some serious problems they had a security test over a period of time to see if anyone could hack in, i managed to penertrate the system within 20mins. Now the scary thing is not so much that I broke in, but when I told my superiors about this, I was expecting a pat on the back, maybe promotion who knows, instead what I was told was that only a few people were to know of this , infact they knew there was a problem with the system, just that they weren’t too fussed as they didn’t think it posed much of a threat. This was from the bureaucrates who in love with Micro$oft!!!
When I had a word with the Unix experts, they showed me how to scan for credit card details!!
I’m just surprised how, ignorant people are with security isn’t it obvious that Microsoft evovled for the single user in mind compared to unix for the network. Why do IT Managers still refuse to even look at the alternative. We keep slagging Micro$oft but if it weren’t for these stupid IT Managers we wouldn’t be so, ummm, insecure.
Peace everybody.
… if it had a network *grin*
If you break in the bank with the owner’s permission to test out the bank’s security system, it is completely legal. In fact many banks does this, they hire ex-bank robbers to test every part of the bank’s security system.
The same case for the company’s network, you can ask permission to prove it to them.
This teen (I didn’t read te article, but watched it on TechLinux on TechTV two days ago, so I guess it is the same) ask for permission to do what he did, and the school was impressed by his efforts.