Brickbats

Brickbat: Shall We Play a Game?

|

Password
Ginasanders / Dreamstime.com

It started in seventh grade, when Jeremy Currier and Seth Stephens found a sticky note with log-in information on a computer in the school library. Using that information, they were able to access files created by staff. A couple of years later, in high school, they found another sticky note with log-in information on the laptop of a school security guard. They used that to take control of the school's security cameras. Eventually, they hacked all of their Michigan school district's computer systems. Even though, according to Education Week, there's no evidence they "cheated or changed grades, disrupted classes or sold answers to tests, zeroed out lunch balances or broke into anyone's locker, installed malware or deleted files, harassed people online or stole anyone's identity" the two were expelled when their exploits were finally discovered, and they are now the subjects of a criminal investigation.

NEXT: Reporters Become Participants in Tribal Political Warfare

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. The boys were even using district servers to mine for cryptocurrency.
    Come on Reason, open up your servers so I can do a little mining.

    1. How did Bessie54 hack into the system?

      1. Probably another password on a Post-it.

  2. Now, the case is raising a number of big questions. Chief among them: How can schools better develop the potential of children with advanced computing skills and a penchant for probing boundaries?before things go bad?

    That’s a square peg. We don’t have any holes for that.

  3. Seventh grade was also the year the boys noticed a sticky note attached to one of the public computers in the middle school library. It had a username and password on it, they said, in case students or staff wanted to look up books but had forgotten their own credentials.

    What. The. Hell.

    Either the district’s contracted IT services are inadequate or the staff and leadership have willfully ignored good practices. Someone should be fired, not expelled.

    1. Shouldn’t this be like attorney-client privilege, where, if you expose your secret login information to a third party in a stupid way, your privilege goes away?

  4. But letters sent to the Stephens and Currier families as part of the disciplinary proceedings against their sons spell out the district’s perspective.

    While the boys “did not directly threaten the safety of staff or students,” Rochester officials wrote, their breach of the district’s network was “pre-mediated [sic], deliberate, and ongoing.”

    [sic] burn! This “blue ribbon” school district is failing on so many levels. The kids are better off out of its control.

  5. Even though, according to Education Week, there’s no evidence they “cheated or changed grades, disrupted classes or sold answers to tests, zeroed out lunch balances or broke into anyone’s locker, installed malware or deleted files, harassed people online or stole anyone’s identity” the two were expelled when their exploits were finally discovered,

    The boys also installed crypto-mining software on the district’s servers.

    Ah, I see. They didn’t do anything wrong – except for the thing they did wrong.

    I mean, if you found my password and installed cryptomining software on my gear without my permission, wouldn’t you consider that to be a crime?

    1. Hey. If you leave your door unlocked there is nothing wrong with people raiding your kitchen and watching some pay-per-view.

      1. This is more like they hung the master keys on the wall in case any teacher or student left theirs at home that morning.

        The crypto currency mining software, yeah that’s wrong and they must have known it. But the rest was school policy.

        1. Even if I leave my house keys hanging on the break room wall, that isn’t an invitation for you to rifle through my medicine cabinet.

    2. What if it wasn’t your gear but the gear taxpayers purchased for you to use to educate the children you’re accusing and for which taxpayers employ you to in part to manage with some level of fiduciary responsibility?

      The school district is failing these and likely all students on multiple levels but the only ones I see being punished are the children who exposed that fact. This is a brickbat.

      1. What is a brickbat supposed to be? I never know what. I just figured it was whatever the poor Dexied-up new meat found at 4AM to make him say, “Yeah, that’s fucked up, yeah, yeah!” while the oldsters sleep off their Beltway cocktail-party hangovers.

        1. The fact that no one knows what a brickbat is is itself a brickbat!

          1. brick?bat
            /?brik?bat/Submit
            noun
            a piece of brick, typically when used as a weapon.
            a remark or comment which is highly critical and typically insulting.
            “the plaudits were beginning to outnumber the brickbats”

  6. This is a weird case.

    On the one hand, you seem to have some familiar elements to make your blood boil. You have a supposedly elite, “blue-ribbon” suburban school district that is completely failing two nerdy boys with high aptitudes and earning potentials with its supposed “college prep” focused curriculum. Is that what their high-income blue collar parents moved to the district for? I know what it’s like to dread going to your shitty school every morning, because school means you have to stop learning and go to “school.” And that wasn’t even the Internet age; it was just piles of books from the library. I can only imagine the agony and frustration their parents feel.

    You also have kids who look like the very stereotypical picture of young bored people who could be won over to the profession of white hat hacking. They got their little rocks off on the thrill of the breach, but had enough of a moral compass that they did not do a single further unethical thing while they were in. (Though frankly I doubt these idiots would know if they had.)

    On the other hand…this “hacking” was more like social engineering where the victim does all the engineering. Some DNC-caliber idiot left the password around on a Post-It; and the system was engineered so that its exposure–the entire district’s–to such an attack was infinite. These boys might have indeed be computer whizzes, but they literally might well have been retarded kids.

    1. Addendum: “Single further unethical thing” is a horrible way to put it when you’re talking about someone who has broken into your property. Pretty much anything you do except leave immediately is unethical. I misspoke badly. I should have said they did nothing that indicated any further criminal proclivities beyond that of the “thrill burglar.” They didn’t do anything that might help them cheat or anything, for instance, and I think they did not spend their time snooping around either. Basically my point is, this is an almost stereotypical textbook case of why juvenile justice is different from adult–of kids who show an odd, characteristically juvenile mixture of serious moral flaws and moral strengths, who could easily be put on a path that is very helpful to society if they are shown the right guidance and their crimes–serious though they are, and should be treated in adults–are treated with some subtlety, and they are allowed to not have their youthful mistakes impede their future in legitimate society.

      1. this is an almost stereotypical textbook case of why juvenile justice is different from adult–of kids who show an odd, characteristically juvenile mixture of serious moral flaws and moral strengths, who could easily be put on a path that is very helpful to society if they are shown the right guidance

        This. There needs to be a lesson learned about how this is like someone leaving the keys to their house out, and that does not invite you to use them. But kids =/= adults, and unless the crime is so heinous as to show total depravity and so grave as to be unable to be overlooked, it’s hard to think they should face the same justice that adults do. Whatever punishment they face should be constructed as a corrective action.

  7. Username and password are they key to a computer. Someone leaving their username and password out is like someone leaving their keys out. You can’t say “It was OK for me to enter his house without permission! He left his keys in the door!” Well, you can, but it won’t get you anywhere. Same idea here. Staff leaving their computer keys in the door is dumb, but it doesn’t justify using them.

    1. Is anyone attempting to “justify” these actions though? I think it’s more an interest piece about a “blue ribbon” district that is failing its students, and perhaps a discipline system that is not showing the proper subtlety.

      One problem with this piece of journalism is that it does not live up to its ambitions by knowing what it wants to be–as for instance I just laid out. They should have interviewed private sector security employers and managers, both on and off the record, to determine more comprehensively whether an expulsion for this sort of offense would preclude employment in the field. And they should have gotten an official answer (it is likely cut and dry) about whether an expulsion is disqualifying for security clearance. These records are supposed to be sealed for precisely this sort of purpose, so that serious juvenile mistakes do not marginalize young adults from legitimate society, which would often suit no one.

    2. What about if you leaves your door unlocked and a tired/drunk/stupid cop who lives one floor down mistakes your apartment for hers and comes in and shoots you for being in “her” apartment?

      1. Prove your manliness by taking the bullet, and then beating her like you would your wife if she got violent with you?

        Bonus points if you do it Teddy Roosevelt style, and just plug the hole in your chest with a thumb and say “I’ll go to the hospital when I’m done!”

    3. Staff leaving their computer keys in the door is dumb, but it doesn’t justify using them.

      Seventh grade was also the year the boys noticed a sticky note attached to one of the public computers in the middle school library. It had a username and password on it, they said, in case students or staff wanted to look up books but had forgotten their own credentials.

      Except apparently these keys were left in the door with the explicit purpose of being used by passerby.

      1. A couple of years later, in high school, they found another sticky note with log-in information on the laptop of a school security guard.

    4. I disagree with this analogy. The children didn’t find someone’s username and password. These were credentials apparently posted so that teachers and students without their own could use the computer network. And considering how staggeringly insufficient the district’s IT security was, I’m guessing no one articulated to the students the limits of what should be done in the sandbox they provided.

      1. A couple of years later, in high school, they found another sticky note with log-in information on the laptop of a school security guard.

  8. Am I the only one getting 500 errors?

    1. Probably. Highly unlikely for a brickbat. Even a Chapman piece normally only makes something in the low two hundreds.

      1. I suppose that is my fault for using jargon.

        I meant I’m getting this

        This page isn’t working reason.com is currently unable to handle this request.
        HTTP ERROR 500

        when trying to view many pages on this site.

        1. No, you were perfectly clear. I was making a juvenile little joke. On a serious note, I haven’t been having any problems except accessing the FOIA article. First time in days everything is working right, matter of fact.

  9. You really need to read the whole article, so much fucked-up shit in such a small package. But here’s the problem in a nutshell.

    Their long-term employment prospects should have been bright. In the coming decade, for example, the federal government will be looking for thousands of skilled cybersecurity workers. The growing demand has only been underscored by a steady drumbeat of news stories about hacks, cyberattacks, and digital espionage.

    But the boys are unlikely to be eligible for many of those public-sector positions, said Davina Pruitt-Mentle, who helps head cybersecurity-education efforts at the U.S. Department of Commerce in Washington.

    “Will they be able to pass a background check and get a security clearance?” she said, noting that the process includes a review of candidates’ moral character, not just criminal background. “I’m not a lawyer, but my money would probably be on ‘No.'”

    Depending on how the possible criminal investigation unfolds, private-sector employers may be more accommodating.

    Amazing how the private sector provides incentives to find the most productive use of somebody’s skills and the public sector fails at creative thinking, isn’t it?

    1. Know what’s really fucked up? You don’t even need to be charged or convicted of something to be denied a security clearance. I was denied because of allegations in my high school days.

      1. Which is weird, because I still scored one despite having done basically the same thing as these kids back in 8th grade. (Well, no cryptocurrency mining, because that was like, 1990.)

    2. Well, if a man can become a woman because he feels like a woman to himself, these two should be able to become fine upstanding citizens later because they feel rehabilitated. Some judge somewhere can probably be conned into purging their record because the kids ‘feel’ honest now.
      Before the snark starts, check this one out;
      http://thefederalist.com/2018/11/13/ using-transgender-arguments-dutch-man-demands- birth-certificate-say-hes-20-years-younger/

      1. There was a saying “reality is a crutch”.
        I now begin to understand.

        1. google “anchor tag”

          1. He could just google “Sevo.”

      2. I feel old. I want a birth certificate that makes me eligible for senior discounts.

  10. Obviously what we need is common-sense sticky-note control.

    1. Does anyone actually need sticky notes? They are a luxury.

    2. Especially high-capacity sticky notes.

  11. I don’t think it’s hacking if you found the password lying around.

  12. Ah I miss the days where nobody got upset about computer shenanigans. I did the same thing as these kids, though had access to much less on the networks of the late 90s. Got a hold of the librarians password… three lowercase letters… and not only found myself with admin access locally, but could connect with read/write to the entire district. Back then all the teachers thought it was hilarious.
    Guess it’s like this article now. Can’t even imagine my crusade against the porn filters… They blocked domain names, I installed an IP lookup because going to the IP evaded it. They fixed that, I found entering the IP as a long evaded (go to http://918239451 and you’ll see the same as if you entered Reason’s IP, back then IPs generally led to the actual site). They fixed that, I started installing proxy software. They blocked execution of unauthorized programs, I found that MS Office was an authorized program, and had VBA, and the ShellExecuteEx API could launch any program). This made me quite popular and the school IT guys loved the battle as much as me.

  13. “Plenty Of Blame To Go Around” for $200 please, Alex.

  14. They made the school district look stupid. That’s the most serious offense.

  15. Did I miss the part where the librarian and security guard got fired for security violations?

Please to post comments

Comments are closed.