A 14-year-old Florida boy has been charged with trespassing on his school’s computer system after he shoulder-surfed a teacher typing in his password, used it without permission to trespass in the network, and tried to embarrass a teacher he doesn’t like by swapping his desktop wallpaper with an image of two men kissing.
The Tampa Bay Times reports that the eighth-grader was arrested on Wednesday for “an offense against a computer system and unauthorized access”, which is a felony.
Sheriff Chris Nocco said that the teen logged onto the network of a Pasco County School District school on 31 March using an administrative-level password without permission.
Many who read the news have expressed outrage at the idea of overreach by the school and law enforcement.
But it turns out that there’s less overreach here than meets the eye.
In fact, it sounds like the boy has been treated as befits a kid doing dumb things.
It’s not like he was flung into jail, though initial news accounts mistakenly reported that the boy was brought to a nearby juvenile detention center.
In fact, a spokesman for the Pasco County Sheriff’s Office told Network World that the student was not detained. Rather, he was questioned at the school before being released to his mother.
His sentence remains to be seen, but at this point, it’s looking like the boy isn’t going to suffer much more than a 10-day school suspension and what sheriff’s detective Anthony Bossone says is likely to be “pretrial intervention” by a judge with regards to the felony charge, the Tampa Bay Times reports.
When the newspaper interviewed the student at home, he said that he’s not the only one who uses that password. Other students commonly log into the administrative account to screen-share with their friends, he said.
It’s a well-known trick, the student said, since the password was a snap to remember: it’s just the teacher’s last name, which the boy says he learned by watching the teacher type it in.
The sheriff says that the student didn’t just access the teacher’s computer to pull his wallpaper prank.
He also reportedly accessed a computer with sensitive data – the state’s standardized tests – while logged in as an administrator.
Those are files he well could have viewed or tampered with, though he denies having done so.
Nocco says that’s the reason why this can’t be dismissed as being just a bit of fun:
Even though some might say this is just a teenage prank, who knows what this teenager might have done.
The boy says he was on the computer with standardized tests because he didn’t realize it lacked a camera, so he hopped onto another computer:
I logged out of that computer and logged into a different one and I logged into a teacher's computer who I didn't like and tried putting inappropriate pictures onto his computer to annoy him.
He told the newspaper:
If they'd have notified me it was illegal, I wouldn't have done it in the first place. But all they said was 'You shouldn't be doing that.'
But here’s the thing: this is actually the second time he’s been caught.
Last year, the boy was one of multiple students who got in trouble for inappropriately accessing the school’s system. He was suspended for three days.
Should the school be taken to task for being lax on security?
Well, yes.
A commenter on Ars Technica’s writeup of the story who identifies themself as a school’s systems administrator – “friblo” – said that there’s nothing surprising here, given tech understaffing:
Schools are generally extremely understaffed technically which makes it difficult to put fires out, much less enforce good password policies. Most schools in my area (rural, decently well funded) have 1 tech for every 750-1000 computers.
It’s not fair to blame schools for a lack of technical savvy when tech troops are so thin on the ground.
But picking a secure password isn’t all that hard, and it doesn’t require calling in IT ninjas.
In fact, it doesn’t cost schools one measly nickel of their already strained budgets to watch this short, jargon-free video on how to pick a proper password.
Yes, the school’s staff are obviously guilty of using feeble passwords. But that doesn’t excuse this student for repeated naughtiness.
Knowingly using a prohibited system for his own kicks is unacceptable, just as it’s wrong to pick up a colleague’s phone and send a bogus message, or to “borrow” a friend’s credit card number to buy something that will look embarrassing on his or her statement.
Accessing a prohibited system is illegal for good reasons.
It can lead to the theft of security or trade secrets, software piracy, economic espionage, financial institution fraud, or to knocking essential systems offline, which can jeopardize public safety and/or cause millions in damages.
School is where kids should be learning not only that accessing off-limit data is illegal, but why.
They should be learning both what ethical computer behaviour looks like, and what happens to those who choose to act unethically, whether it’s by changing their grades to straight As, or writing taunting messages on a rival school’s calendar – both which resulted in felony charges, in spite of sounding like mere schoolboy pranks.
Image of school computers courtesy of Shutterstock.
TonyG
If what is reported is true, I wouldn’t be surprised if the teacher uses the same password for their online banking. When are people going to wake up to security? The Adobe breach a few years ago reminded me that in the early days (mid 90s) I reused a password or variations thereof, and so I then spent 3 days going through all the accounts I knew of (300+) checking which were active and setting up unique passwords. Painful, but necessary to avoid possible future misuse.
What we need is a simple electronic “key” that we could use to logon – a USB dongle – so you could keep it on a chain and ensure you take it with you.
Unfortunately school staff need to be aware that passwords are only too easy to be copied and misused. For anyone who has to use admin access level in front of students, I would seriously think of creating a second admin account, so that it can have the password changed much more frequently, and if practical, actually restrict the rights of that second “roaming admin” to the minimum necessary.
Of course, there is the other side – kids are not responsible and will push at boundaries – this is pretty much human nature. So it seems to me that although what the kid did was wrong, and we don’t know how malicious the intent was, that is, as we say “six of one and half a dozen of the other” – security was clearly too lax to enable it to happen.
Paul Ducklin
I always, regardless of if I think anyone is looking, or even if I trust every around (never know where those cameras are!) cover up the keyboard if a mobile device, or unashamedly ask people to look away when I enter a password.
Many years ago, I realised I was going to stick with my bank when I noticed that looking away was an ingrained discipline in all staff when sensitive info was to be entered…they made it obvious that they were doing it, so you didn’t need to ask (but might think of asking those people who didn’t bother).
Jim
I work tech support, so it’s common for someone to have to type their PW in my presence. But, I don’t even want to know it, so I always back up so I can’t see it. (This is easy for me, since I’m almost always wearing computer-distance glasses, so anything beyond 2 feet (60 cm) is just a blur.)
But, because I’m also aware that KNOWING about security is important, I try to always tell the person that I’m stepping out of my visual range specifically so that I can’t see them type it. Almost universally, their response is “oh, I don’t care”. To which I respond, “but I DO care”. Plus a short speech saying they should, too.
RBucci
I remember getting caught AFTER I deleted my name from the school’s database because I didn’t want to attend classes anymore. Instead of reprimanding me, they took me into the gifted-children program which allowed me to further explore the boundaries of my IQ. I was 7 years old back then and the school was North Beach Elementary, Miami, Florida.
Instead of making such a fuzz about a kid doing something like that, why not encourage him to help make a more secure computer environment?
Things have changed a lot since the US Government started that “cyber-security” nonsense.
Paul Ducklin
This chap’s a bit older than 7. And it’s his second offence. And he was trying to humiliate someone he didn’t like, apparently.
Seems he’s done the exploring and might be moving into the exploiting phase, perhaps?
Anonymous
wow
BlueKrait
First of all…YOU MADE YOUR STORY UP! It does not add up, except for the fact that you wanted to use a story to lead into your ideas. Your type of “encouragement” leads to lawlessness and irresponsibility! If you don’t TEACH that, our youth will be doomed…and so will our future!!!
Daniel
Felony though? He’s 14. Of course the 3 days of no school didn’t help – it’s not really a punishment to them at that age. A misdemeanor would be enough… if it came back for a round 3 then maybe a felony.
“Schools are generally extremely understaffed technically which makes it difficult to put fires out, much less enforce good password policies. Most schools in my area (rural, decently well funded) have 1 tech for every 750-1000 computers.”
Does the school not have any system admins? It’s literally as easy as setting the complexity requirements. Lastname1 is still better than lastname. There needs to be more fault placed on the school system as a whole, as “lack of IT staff” is not a good excuse for not securing the networks that maintain a lot of important information.
Jim
I have one question: Why is a teacher using an administrative-level account?
Rick
It would be a scary thought if he doubled as the sysadmin given the ‘strength’ of his password.
Anonymous
same
JR
Charging a child with a potentially life-altering and rights-restricting felony isn’t the correct course of action for a prank.
Anon
As Duck pointed out – this isn’t the kids first offense. Burn me once, shame on you. Burn me twice, shame on me. Lemme guess, you’d rather be your kids friend then a parent.
JR
Nope. But no prank should should be treated as a felony. I can understand academic sanctions, but not criminal charges. This activity, from what I understood, never crossed from prank to malicious, destructive, or nefarious. Let ME guess, you are a big fan of an all-obtrusive police state controlling the masses.
4caster
My son succeeded in deleting the entire records of the school he attended in 1988, in his last week of school. Never mind six of one and half a dozen of the other; in 1958 we’d have received six of the best for such a prank, but I don’t recommend it.
Charles
It isn’t as if 10 days suspension is nothing, it will probably result in his being held back a year, which could easily result in a huge loss financially, especially if it causes him to hate school enough not to attend college.
Mr Meme
I like the “Even though some might say this is just a teenage prank, who knows what this teenager might have done.”
That’s as ridiculous as me getting a parking ticket & the officer saying “well I know he only parked his car for 10mins longer then he should have, but he did something illegal in his car, he could have used it to rob a bank or ran over group of little old ladies crossing the road”.
Fact is he didn’t do anything more then a simple, harmless & (for the teacher & school) embarrassing prank. He could have done more .
Second time he’s done it? big whoops. who didn’t do silly pranks at school as a kid. Maybe reward his & his mates intellectual curiosity by involving them in tightening IT security at the school. It seems they know more about it then their IT admins.
.
pea-are
I’m assuming that this is a Windows environment. Windows 2008 doesn’t allow passwords to be any part of a user’s full name or account name. Which means that the school must be using 2003 and/or XP. It sounds like IT isn’t a top priority at the school at all.
Lance ==)------------------
As I began reading, I thought that here was an example of a school where measured response could be found, and further reading bears this out. (Yes, I *am* one of those parents that despises “zero tolerance” rules; I remember all too well how I “thought” at his age.)
However, this being his second offense and him claiming that he still didn’t know that what he’d done was illegal (not that it was likely to have stopped me), the school should include mandatory training in what may be regarded as CF&A and its potential consequences so that he doesn’t have this excuse.
As noted in comments above, the teacher who used such an obvious password and allowed it to be shoulder-surfed clearly has no appreciation for the sensitivity of the network to which he had access. He deserves some sanctions & training, as well.
Finally, school administrators who lack a computer security policy, have a policy that does not restrict admin access to the I.T. crew, or don’t enforce the policy also bear some blame. Workers respond to that which is measured, thinly stretched workers even more so; monthly or quarterly reports should include some measure of intrusions, both failed and successful. Even my eleven-year-old knows that I don’t spend much time in the admin account of our home network and why.
Lance ==)————-
-=[ Atypical by nature; paranoid by design ]=-