WTSP has provided a follow-up to a report noted earlier involving a 14-year old student at Paul R. Smith Middle School who is facing two felony charges for allegedly hacking into the Pasco County School District‘s network. Their new report addresses some of the questions I raised in my previous post about the incident.
In their update, the student, who is now named, claims:
“If they would have notified me it was illegal I wouldn’t have done it in the first place but all they said was you shouldn’t be doing that,” said Domanik Green.
Green had reportedly done something similar last year and was suspended for three days.
The district’s Responsible Electronic Use Guidelines for Students can be found here, and the Student Code of Conduct can be found here, if you’d like to see how much (or little) they describe computer offenses like hacking and the consequences. Is Green right? Did the district ever tell him that unauthorized access is hacking and that it’s a felony – and that if it happened again, he might be arrested? How did they follow-up on last year’s incident?
But here’s one of the stunning revelations in Casey Cumley’s report:
The sheriff’s office says Green got the password information 2 years ago from a teacher and several students might have had the ability to hack the system.
Why is a password from two years ago still working? And if he did something similar last year, are we to understand that even after that, they still didn’t change the password – or didn’t last year’s incident involve the same password? If it did involve the same password, this is just incredibly negligent on the district’s part, as it would appear they didn’t take what would be obvious, minimal, and reasonable steps to prevent a recurrence of the problem. Even if the password wasn’t involved in last year’s incident, their failure to regularly change passwords may have contributed to the current incident.
And if they’re correct that Green got the password from a teacher two years ago, how did that happen? Was it actually given to him or did he shoulder-surf it? A statement by a district administrator suggests that a teacher may have knowingly provided the password:
“Our department of employee relations are going to investigate why students were allowed to have the password,” said Cobbe.
Amazing, if true. But put down your preferred beverage before you read the next statement from a press conference about the case:
“You have somebody that clearly doesn’t learn their lesson.”
The sheriff was referring to the student. I think his statement is more applicable to the district.
The school district said it is still investigating employees and there will be disciplinary actions taken for anyone who might have shared password information.
Shouldn’t that investigation and any action have occurred last year after they first discovered the student had improperly accessed the network?
And this, children, may be a useful example of why school districts should never be allowed to collect and store sensitive student information and why we can’t have pretty things.
Read the full report on WTSP.