Did Travis Kiger Misuse His Access to FSD’s Network?

Fullerton Planning Commissioner Travis Kiger, who blogs for Friends for Fulleton’s Future which cross-posts on the Orange Juice Blog, put up an interesting post called “Access Denied.”  The gist of the post is that users of the Fullerton School District – district managers, teachers and employees – cannot access the Friends for Fullerton’s Future blog while they can access just about every other political and news blog in Orange County.  The amount of profanity displayed in FFFF posts and comments would be a likely culprit for blocking the site, but Travis is on a mission to expose censorship against FFFF which just about any other blog in OC experiences from city to city.

A barnburner of a post, except for one teeny detail.

We’ve learned Kiger got the password in order for FFFF to stream FSD’s meetings, but once in the network, Kiger used his access for what some could consider unauthorized use of FSD’s wireless network.  It could certainly be argued that Kiger’s post is an admission that his web surfing in search of censorship was unauthorized access to the FSD Network; Kiger, in effect, used social engineering – techniques used by hackers – to gain access to a closed network for purposes that were different than what he told the district he needed the password for.  Unauthorized access to a closed computer network is a felony under California law.

From the post:  “The other day I used a super secret password to utilize the Fullerton School District’s wireless network, for no particular reason. While connected, I tried to access some of my favorite and least favorite local blogs and news sites….It appears that Friends for Fullerton’s Future has been singularly snuffed from teacher and staff access at the Fullerton School District. Now why wouldn’t the administration want anyone to read our blog?”

Kiger, a Fullerton planing commissioner, was given access to the FSD network to stream the FSD board meeting only.  Hackers use a variety of ways to extract password data from individuals, and once in a network, hackers can run wild.  FSD’s IT administrators could also use “One Time Passwords,” fine-grained access control and security information/event management (SIEM) technology and  to limit the access folks like Kiger can have or track where he goes within FSD’s network. 

What Kiger did is akin to having someone knock on your door to use the bathroom, and you discover after they’ve used the bathroom, you find them at your kitchen table eating a sandwich from the fridge.  So it’s not just Kiger’s wandering around Fullerton School District’s network , but a lack of policy discipline on the part of people who run FSD’s technology infrastructure. They didn’t protect the network well.

Did Kiger commit a felony under California law?   “Unauthorized access” entails approaching, trespassing within, communicating with, storing data in, retrieving data from, or otherwise intercepting and changing computer resources without consent. These laws relate to either or both, or any other actions that interfere with computers, systems, programs or networks.

Kiger didn’t change computer resources or intercept data, nor did he interfere with the network, programs or files.  But what he did is the same thing as someone you discover in your house going through the drawers in your jewelry box but they haven’t stolen anything.  He abused his access to the network.  And FSD should actually thank Kiger for exposing a glaring weakness in their network operations — the human practice of giving out a password to a closed network.

FSD’s decision to block FFFF isn’t unique; try accessing this site from city run institutions in Santa Ana.  The City of Irvine used to block access to TheLiberalOC years ago, but I believe that policy has changed.  I’m told Santa Ana Unified has blocked access to the Orange Juice blog.  The County of Orange has also blocked sites from various blogs in the past. Censorship?  Probably.  Unauthorized access? Probably.  Poor management of acces to FUSD’s network.  Probably.  Do three wrongs make a right? No.

Section 502 of the California Penal code provides more detail on unauthorized access.  It’s provided below. 

502.  (a) It is the intent of the Legislature in enacting this
section to expand the degree of protection afforded to individuals,
businesses, and governmental agencies from tampering, interference,
damage, and unauthorized access to lawfully created computer data and
computer systems. The Legislature finds and declares that the
proliferation of computer technology has resulted in a concomitant
proliferation of computer crime and other forms of unauthorized
access to computers, computer systems, and computer data.
   The Legislature further finds and declares that protection of the
integrity of all types and forms of lawfully created computers,
computer systems, and computer data is vital to the protection of the
privacy of individuals as well as to the well-being of financial
institutions, business concerns, governmental agencies, and others
within this state that lawfully utilize those computers, computer
systems, and data.
   (b) For the purposes of this section, the following terms have the
following meanings:
   (1) “Access” means to gain entry to, instruct, or communicate with
the logical, arithmetical, or memory function resources of a
computer, computer system, or computer network.
   (2) “Computer network” means any system that provides
communications between one or more computer systems and input/output
devices including, but not limited to, display terminals and printers
connected by telecommunication facilities.
   (3) “Computer program or software” means a set of instructions or
statements, and related data, that when executed in actual or
modified form, cause a computer, computer system, or computer network
to perform specified functions.
   (4) “Computer services” includes, but is not limited to, computer
time, data processing, or storage functions, or other uses of a
computer, computer system, or computer network.
   (5) “Computer system” means a device or collection of devices,
including support devices and excluding calculators that are not
programmable and capable of being used in conjunction with external
files, one or more of which contain computer programs, electronic
instructions, input data, and output data, that performs functions
including, but not limited to, logic, arithmetic, data storage and
retrieval, communication, and control.
   (6) “Data” means a representation of information, knowledge,
facts, concepts, computer software, computer programs or
instructions. Data may be in any form, in storage media, or as stored
in the memory of the computer or in transit or presented on a
display device.
   (7) “Supporting documentation” includes, but is not limited to,
all information, in any form, pertaining to the design, construction,
classification, implementation, use, or modification of a computer,
computer system, computer network, computer program, or computer
software, which information is not generally available to the public
and is necessary for the operation of a computer, computer system,
computer network, computer program, or computer software.
   (8) “Injury” means any alteration, deletion, damage, or
destruction of a computer system, computer network, computer program,
or data caused by the access, or the denial of access to legitimate
users of a computer system, network, or program.
   (9) “Victim expenditure” means any expenditure reasonably and
necessarily incurred by the owner or lessee to verify that a computer
system, computer network, computer program, or data was or was not
altered, deleted, damaged, or destroyed by the access.
   (10) “Computer contaminant” means any set of computer instructions
that are designed to modify, damage, destroy, record, or transmit
information within a computer, computer system, or computer network
without the intent or permission of the owner of the information.
They include, but are not limited to, a group of computer
instructions commonly called viruses or worms, that are
self-replicating or self-propagating and are designed to contaminate
other computer programs or computer data, consume computer resources,
modify, destroy, record, or transmit data, or in some other fashion
usurp the normal operation of the computer, computer system, or
computer network.
   (11) “Internet domain name” means a globally unique, hierarchical
reference to an Internet host or service, assigned through
centralized Internet naming authorities, comprising a series of
character strings separated by periods, with the rightmost character
string specifying the top of the hierarchy.
   (c) Except as provided in subdivision (h), any person who commits
any of the following acts is guilty of a public offense:
   (1) Knowingly accesses and without permission alters, damages,
deletes, destroys, or otherwise uses any data, computer, computer
system, or computer network in order to either (A) devise or execute
any scheme or artifice to defraud, deceive, or extort, or (B)
wrongfully control or obtain money, property, or data.
   (2) Knowingly accesses and without permission takes, copies, or
makes use of any data from a computer, computer system, or computer
network, or takes or copies any supporting documentation, whether
existing or residing internal or external to a computer, computer
system, or computer network.
   (3) Knowingly and without permission uses or causes to be used
computer services.
   (4) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software, or
computer programs which reside or exist internal or external to a
computer, computer system, or computer network.
   (5) Knowingly and without permission disrupts or causes the
disruption of computer services or denies or causes the denial of
computer services to an authorized user of a computer, computer
system, or computer network.
   (6) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system, or
computer network in violation of this section.
   (7) Knowingly and without permission accesses or causes to be
accessed any computer, computer system, or computer network.
   (8) Knowingly introduces any computer contaminant into any
computer, computer system, or computer network.
   (9) Knowingly and without permission uses the Internet domain name
of another individual, corporation, or entity in connection with the
sending of one or more electronic mail messages, and thereby damages
or causes damage to a computer, computer system, or computer
network.
   (d) (1) Any person who violates any of the provisions of paragraph
(1), (2), (4), or (5) of subdivision (c) is punishable by a fine not
exceeding ten thousand dollars ($10,000), or by imprisonment in the
state prison for 16 months, or two or three years, or by both that
fine and imprisonment, or by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not exceeding
one year, or by both that fine and imprisonment.
   (2) Any person who violates paragraph (3) of subdivision (c) is
punishable as follows:
   (A) For the first violation that does not result in injury, and
where the value of the computer services used does not exceed nine
hundred fifty dollars ($950), by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not exceeding
one year, or by both that fine and imprisonment.
   (B) For any violation that results in a victim expenditure in an
amount greater than five thousand dollars ($5,000) or in an injury,
or if the value of the computer services used exceeds nine hundred
fifty dollars ($950), or for any second or subsequent violation, by a
fine not exceeding ten thousand dollars ($10,000), or by
imprisonment in the state prison for 16 months, or two or three
years, or by both that fine and imprisonment, or by a fine not
exceeding five thousand dollars ($5,000), or by imprisonment in a
county jail not exceeding one year, or by both that fine and
imprisonment.
   (3) Any person who violates paragraph (6) or (7) of subdivision
(c) is punishable as follows:
   (A) For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding one thousand dollars
($1,000).
   (B) For any violation that results in a victim expenditure in an
amount not greater than five thousand dollars ($5,000), or for a
second or subsequent violation, by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not exceeding
one year, or by both that fine and imprisonment.
   (C) For any violation that results in a victim expenditure in an
amount greater than five thousand dollars ($5,000), by a fine not
exceeding ten thousand dollars ($10,000), or by imprisonment in the
state prison for 16 months, or two or three years, or by both that
fine and imprisonment, or by a fine not exceeding five thousand
dollars ($5,000), or by imprisonment in a county jail not exceeding
one year, or by both that fine and imprisonment.
   (4) Any person who violates paragraph (8) of subdivision (c) is
punishable as follows:
   (A) For a first violation that does not result in injury, a
misdemeanor punishable by a fine not exceeding five thousand dollars
($5,000), or by imprisonment in a county jail not exceeding one year,
or by both that fine and imprisonment.
   (B) For any violation that results in injury, or for a second or
subsequent violation, by a fine not exceeding ten thousand dollars
($10,000), or by imprisonment in a county jail not exceeding one
year, or in the state prison, or by both that fine and imprisonment.
   (5) Any person who violates paragraph (9) of subdivision (c) is
punishable as follows:
   (A) For a first violation that does not result in injury, an
infraction punishable by a fine not one thousand dollars.
   (B) For any violation that results in injury, or for a second or
subsequent violation, by a fine not exceeding five thousand dollars
($5,000), or by imprisonment in a county jail not exceeding one year,
or by both that fine and imprisonment.
   (e) (1) In addition to any other civil remedy available, the owner
or lessee of the computer, computer system, computer network,
computer program, or data who suffers damage or loss by reason of a
violation of any of the provisions of subdivision (c) may bring a
civil action against the violator for compensatory damages and
injunctive relief or other equitable relief. Compensatory damages
shall include any expenditure reasonably and necessarily incurred by
the owner or lessee to verify that a computer system, computer
network, computer program, or data was or was not altered, damaged,
or deleted by the access. For the purposes of actions authorized by
this subdivision, the conduct of an unemancipated minor shall be
imputed to the parent or legal guardian having control or custody of
the minor, pursuant to the provisions of Section 1714.1 of the Civil
Code.
   (2) In any action brought pursuant to this subdivision the court
may award reasonable attorney’s fees.
   (3) A community college, state university, or academic institution
accredited in this state is required to include computer-related
crimes as a specific violation of college or university student
conduct policies and regulations that may subject a student to
disciplinary sanctions up to and including dismissal from the
academic institution. This paragraph shall not apply to the
University of California unless the Board of Regents adopts a
resolution to that effect.
   (4) In any action brought pursuant to this subdivision for a
willful violation of the provisions of subdivision (c), where it is
proved by clear and convincing evidence that a defendant has been
guilty of oppression, fraud, or malice as defined in subdivision (c)
of Section 3294 of the Civil Code, the court may additionally award
punitive or exemplary damages.
   (5) No action may be brought pursuant to this subdivision unless
it is initiated within three years of the date of the act complained
of, or the date of the discovery of the damage, whichever is later.
   (f) This section shall not be construed to preclude the
applicability of any other provision of the criminal law of this
state which applies or may apply to any transaction, nor shall it
make illegal any employee labor relations activities that are within
the scope and protection of state or federal labor laws.
   (g) Any computer, computer system, computer network, or any
software or data, owned by the defendant, that is used during the
commission of any public offense described in subdivision (c) or any
computer, owned by the defendant, which is used as a repository for
the storage of software or data illegally obtained in violation of
subdivision (c) shall be subject to forfeiture, as specified in
Section 502.01.
   (h) (1) Subdivision (c) does not apply to punish any acts which
are committed by a person within the scope of his or her lawful
employment. For purposes of this section, a person acts within the
scope of his or her employment when he or she performs acts which are
reasonably necessary to the performance of his or her work
assignment.
   (2) Paragraph (3) of subdivision (c) does not apply to penalize
any acts committed by a person acting outside of his or her lawful
employment, provided that the employee’s activities do not cause an
injury, as defined in paragraph (8) of subdivision (b), to the
employer or another, or provided that the value of supplies or
computer services, as defined in paragraph (4) of subdivision (b),
which are used does not exceed an accumulated total of two hundred
fifty dollars ($250).
   (i) No activity exempted from prosecution under paragraph (2) of
subdivision (h) which incidentally violates paragraph (2), (4), or
(7) of subdivision (c) shall be prosecuted under those paragraphs.
   (j) For purposes of bringing a civil or a criminal action under
this section, a person who causes, by any means, the access of a
computer, computer system, or computer network in one jurisdiction
from another jurisdiction is deemed to have personally accessed the
computer, computer system, or computer network in each jurisdiction.
   (k) In determining the terms and conditions applicable to a person
convicted of a violation of this section the court shall consider
the following:
   (1) The court shall consider prohibitions on access to and use of
computers.
   (2) Except as otherwise required by law, the court shall consider
alternate sentencing, including community service, if the defendant
shows remorse and recognition of the wrongdoing, and an inclination
not to repeat the offense.

  8 comments for “Did Travis Kiger Misuse His Access to FSD’s Network?

  1. No Honor Among Thieves
    February 18, 2011 at 3:05 pm

    “The other day I used a super secret password to utilize the Fullerton School District’s wireless network, for no particular reason.

    “For no particular reason”? Hahahaha! What a liar! As Dan has pointed out, Travis Kiger was abusing, probably illegally, access to the FUSD wireless system. This is the same a– clown who called himself “honest” on his planning commissioner application.

    Travis is director of web services at a benefits company called Precept. Someone ought to notify them that their web guy also likes to hack into computer systems.

    Oh, and still waiting for Travis or Bushala to say anything about their friend Chris Thompson having his snout all the way in the taxpayer trough, sucking down full-time benefits for a position that hardly qualifies as part-time. Hypocrites, the lot of them!

  2. Dan Chmielewski is An A$$ Clown
    February 21, 2011 at 9:45 am

    Come on… you’ve got to be kidding me. A school board member gave Travis the password. Travis had free run on the network and he did a little fact checking. You would have done the same thing. You’re just pissed he is a better writer than you and more people read his blog! Go hang out with Keller and Sidhu and leave the rest of us in Fullerton alone! we don’t need your pettiness and false allegations.

  3. February 21, 2011 at 10:11 am

    Last time I checked FFFF’s Quantcast stats, their traffic didn’t even register. As far as Travis being a “better” writer than me, that is in the eye of the reader. As far as having free run on the network and the suggestion I would do the same thing is false. I was at a security conference in SF last week, and an unsecured wifi hot spot called “FBI Surveillance Van #7″ popped up as an option on my screen; now imagine all the fun one could have with that IP address? But, the FBI will find you..it’s only a matter of time. So I connected through my hotel and got my email. It’s a matter of knowing the law and exercising some self-restraint.

    So which School Board member gave out the password? That’s probably a violation of the district’s IT policy right there.

  4. Dan Chmielewski is An A$$ Clown
    February 21, 2011 at 12:58 pm

    I’m willing to bet it was the entire schoolboard that gave him the password. You’re still an AssClown and FFFF has a higher readership based on that one site than this site ever had. Just face it the fact that you are only going after Travis because it is the only way you can try and scrap up a tiny bit of traffic.

    It could be that you’re a racist going after a good german christian because you’re a polack. Why not gave after your union buddies for bankrupting the state out of simply greediness.

  5. February 21, 2011 at 1:05 pm

    I love how someone you writes as well as you do is so critical of my writing. Please demonstrate how what I’ve written is racist in any way; and please let me know, is the “polack” term you throw out evidence of your own racism or bigotry? I don’t understand “why not gave after…” And the word “Christian,” is capitalized in the context by whcih you’ve written it.

  6. February 21, 2011 at 1:10 pm

    Paul Lucas…is that you?

  7. Liberal 'Cause it's Right
    February 24, 2011 at 7:08 pm

    2+2= corrupt

    Curious that two FFFF people have gotten passwords to a school network that has a new board member who is also a FFFF contributor… ethical issue?

  8. February 25, 2011 at 8:00 am

    Well, I believe Kiger got the password from someone at the district for the purpose of streaming video; that doens’t entitle him to share it. Bushala may have gotten the password in the same way. There is no evidence that they got the password from Chris Thompson but there is significant evidence in the form of Kiger’s post and Bushala’s YouTube that they misused their access. I have an email into Mr. Lai at FUSD to ask about their security protocol. Security technology is only as strong as the weakest link and usually that link comes down to human beings. FFFF is correct to point out the censorship of their site by a government entity; but at the same time, they clearly violated “authorized access” of a network and exposed flaws in the network’s security. And for guys who scream that Harry Sidhu committed a felony when he didn’t, these guys are much closer to committing felonies than Harry ever was.

Comments are closed.