Is this hacking a “we set everyone’s login to their name and their password to ‘password’ and asked them to submit a quote for their yearbook photo” or is it a “he used some black hat infiltration method to get into an admin console that allowed him to set quotes for all students.” The article doesn’t really go into detail of what he did, and while both are inexcusable, if it was “the school set easily guessable default passwords for everyone” then that’s something the school needs to not do in the future.
There’s a long history of using the Computer Fraud and Abuse Act as a treasure trove of charging opportunities since some of the statutes are worded vaguely enough that doing something with a computer that a prosecutor doesn’t like can be charged.
The article doesn’t go into detail, but he’s not charged with “hacking” so it might not be relevant. He’s charged with “third degree computer crimes” which is broadly:
“theft of computer services, interruption of computer services, misuse of computer system information, or destruction of computer equipment” — “third degree” is for damage over $1,000 or conduct that puts someone else at risk.
This fool wandered into “light felony” territory with this one. He’s lucky he’s not being charged with a hate crime.
Not just that. The CFAA was written pre-internet so IIRC it allows for charging as a felony accessing a computer system across state lines: something so commonplace now it happens more often than not.
I do worry about the severity of the charges. The kid, and I stress kid, did something appalling. He also committed a crime that amounts to defacement, and possibly hate speech, but this is also not a mature human, and punting the possible repercussions up into the area where 10, 25 years in prison is on the table, is pretty extreme.
Really? It is not like they were running a bank or missile launch installation. It was a way to collect quotes for a high school yearbook, have some perspective.
Default passwords aren’t any good in any arena in 2021.
Aside from that, in the realm of: 'my threat model is not your threat model", I find it humorous you instantly jump to missiles and banking as the things worth needing a level of security above “default passwords”, but to cut it short, @LurksNoMore was making an entirely speculative statement about what might constitute “hacking” in this case. (They also said they had no idea that was the way in.)
I’ll say that high schools don’t have the resources to have competent IT / security in a lot of cases, but the idea that default passwords aren’t a problem is ridiculous.
Then there are the legal ramifications mentioned above, which I honestly think are more interesting questions to talk out in the general public, as the law is supposed to represent our consensus of what is allowed, and what the repercussions are for not following it.
Before the 'net things like this were run with a place where people could drop or post a simple xeroxed form. No ID checks, no controls, no nothing. This same “prank” could then have been executed much easier without any hacking.
Nobody then would argue for a password or ID check before throwing something in the box, right?
Agreed. I just don’t feel too cool with throwing criminal charges at someone at that age, that would literally land them somewhere where their only future would be crime.
For me, it depends on the charge, the punishment and the context. It does actually sound like he committed a computer crime, AKA a crime with a computer, but that covers an extremely wide gamut.
I’m no fan of the school-to-prison pipeline, but I’m also aware that his peers whom he targeted are routinely afforded far less leeway when they do far less harmful things.
I sincerely hope he gets some correction in the form of proportional consequences and hopefully the adult attention and perhaps counseling that all children deserve but few disprivileged are afforded.
I’m not convinced the charges are that severe. But IANAL.
US computer crime law is only now starting to soften, but as @CarlMud said above, the CFAA has been overly extensively applied in the past, and does have harsh penalties. (10, 25, to life.) I don’t expect this kid to get life. If I were to speculate, I imagine he will not even be convicted, due to race, gender, etc. (Which is also a problem, of course.)
Having seen the way the laws work when it becomes “computer crime” in the US though, I worry. Fixing the laws to match the crimes is really the goal, is it not? Scare the kid a bit. Make him realize what he did wrong, and hopefully rehabilitate.
When a non-lawyer hears “computer crime”, it’s of course going to make sense that it was a “crime with a computer”, but lawyers are very concerned about precedence, and definitions, and the definitions rapidly narrow.
Think of all of the people yelling out “Treason” after what happened on 1/6 in the US. There is a very strict definition of what treason is. partially because. we allow people to be executed for it, so you kind of want a high bar.
The Computer Fraud and Abuse act was written with a low bar, because the government was in a panic at the moment about “what do we do now?” and didn’t understand the playing field. It also can car
ry some extreme penalties.
The other thing I really wonder though is why the educators in this case, aren’t handling the problem and have escalated it to a “law enforcement” issue. I would wonder the same thing in the case of a black student that faced criminal charges for something they said in class.
There are structural issues from top to bottom, but the solution is certainly not to push everything into a crime and law enforcement arena.
I feel like part of the problem is that it’s way too easy for me to understand why this might have happened. I mean, the kid did this as a sort of last act before graduating, so they are pretty much out of the school’s reach now. I don’t know how big the school is or how much they charge for yearbooks, but defacing everyone’s yearbooks could easily be a crime doing $5,000 in damage or more (in the way people count damages from crimes). Parents of kids at the school may have been outraged and brought a lot of pressure to do something.
The logic that you should call the police is all there. The fact that I think Americans need to universally think twice before calling the police is really messed up.
I have a computer in my pocket at all times. If I use it to call or text my partner in whatever crime we are up to, am I also committing a crime with a computer? Or does the call or text have to be of a criminal nature, itself?
Whatever. The point is we ALL use computers for a huge number of things all the time. So the chances are if we commit a crime it may be a computer crime. The law needs tightening. (Which is not to excuse this jerk.)
It’s a permanent record – something genealogists use quite extensively, for example – and MASSIVELY expensive to reprint (with no guarantee everyone will return/destroy the original version). Also, a white 18yo who has been through the excellent, well-funded public school system in CT cannot pretend he didn’t know he was doing wrong. My guess is that he’s never seen any of his peers ever get in real trouble for anything they’ve done, and thus assumed even if he got caught, it would be NBD.
And of course, had he been even significantly younger but Black, this would almost certainly have had a very different trajectory.