Harvard Biz Rejects Applicants Who Hacked Into Admissions Info

<p><a href="http://story.news.yahoo.com/news?tmpl=story&cid=564&ncid=564&e=7&u=/nm/20050308/ts_nm/life_harvard_dc%5B/url%5D"&gt;http://story.news.yahoo.com/news?tmpl=story&cid=564&ncid=564&e=7&u=/nm/20050308/ts_nm/life_harvard_dc&lt;/a&gt;&lt;/p>

<p>Yeah I saw that somewhere else, but how stupid could you be to actually do this? It's obvious that they would find out somehow.</p>

<p><a href="http://aolsvc.news.aol.com/news/article.adp?id=20050308103709990002%5B/url%5D"&gt;http://aolsvc.news.aol.com/news/article.adp?id=20050308103709990002&lt;/a&gt;&lt;/p>

<p>Looks like MIT, CMU, and other B-schools were also vulnerable to this hack. Some are rejecting applicants, others seem undecided.</p>

<p>The ethical questions here are interesting. Whether serious sanctions are warranted depends on how you view the intrusion. In the physical world, few people would blame the applicants if, say, the admissions director left the list of decisions on a table in the cafeteria and those present took a peek; conversely, if applicants picked the lock on the admissions office door to look around, few would argue with stringent penalties.</p>

<p>This particular intrusion seems to fall somewhere in between those two extremes. While the data was inadvertently exposed on the web, reading it wasn't as simple as just going to a web page and viewing it; reading the data required a couple of steps to decode it, making it quite clear that it wasn't public.</p>

<p>On the face of it, these decisions seem fairly harsh for the following reasons:</p>

<p>1) The security breach is ultimately the responsibility of the institute in question
2) Just because a certain applicant's files were browsed, can anyone automatically assume that it was the applicant in question that did the breaching? (i.e. if I were being extremely Machiavellian and I knew of someone applying who had a similar profile but was also an "enemy" - I'd browse his/her application in the hopes that this breach would result in a rejection)
3) Given that there is no way to confirm who has done these breachings, I find it extremely harsh that the default decision would be to reject all of these applicants</p>

<br>


<br>

<p>That's a good point, although IP addresses and other forensic data might provide fairly conclusive evidence of the identity of some of the snoopers.</p>

<p>If the schools enforce the rejections, I'm sure litigation will result.</p>

<p>
[quote]
That's a good point, although IP addresses and other forensic data might provide fairly conclusive evidence of the identity of some of the snoopers.

[/quote]
</p>

<p>Yeah, if anyone is stupid enough to do this snooping from home you deserve to get rejected.</p>

<p>But let's be real, if you are savvy enough, whats to stop someone from doing this snooping from an anonymous / public computer?</p>

<p>That's not hacking.</p>

<p>Using your own ID numbers on a known, public web page to get your admission decision is hardly unethical.</p>

<p>The second article is right. These schools are just ethically grandstanding.</p>

<p>I'm going to be a moderate-troll here and say that it IS hacking. What it is not, however, is cracking (which is what the students are actually being accused of). As someone who nearly got into very deep hot water for probing the security of my school's student database, I find the distinction very important.</p>

<p>I agree with Nom - It shows poor character (not to mention judgement) in what I also consider to be hacking. Let's face it if students are being rejected at colleges for cheating in high school why would we consider this less important. I would however want proof that the person's files where indeed hacked by the person & not someone else doing this as a prank etc.</p>

<p>"Stanford hasn't made a decision and urged applicants to explain their decision to follow the hacker's instructions."</p>

<p>That's why I like Stanford. They are a lot more rational and give you a chance to explain your actions in case there were any extrenuating circumstances.</p>

<p>Explain their decision??? What else would their decision be? To see if they are admitted or not! Maybe they thought the world was going to end tomorrow and they wanted to see their decision before they died. Hm? what else?</p>

<p>Let me clarify: I do NOT think that this "hack" is punishable. That's all that it was. A hack. Here is a bad analogy:</p>

<p>There is a door with a covered peephole. You want to see what's on the other side of the door. So, you think to look under the cover, find the peephole, and proceed to look through it. No damage was done to the door or the hole. You found a cheap shortcut, a loophole, a messy but effective way of doing something. This is hacking. [Some might not agree with this analogy, since this isn't really a shortcut . . . I know this was a bad analogy, though.]</p>

<p>Cracking a computer system is akin to taking out a wine-bottle opener on the peephole. You (usually maliciously) compromise the functionality of the peephole and actually reach the other side of the door. You're no longer just looking through.</p>

<p>I'm not sure how to best explain this. Obviously. ; )</p>

<p>The student who reported the loophole should be commended. The rest should be ignored.</p>

<hr>

<p>In response to Ivy_Grad's comment:
"Just because a certain applicant's files were browsed, can anyone automatically assume that it was the applicant in question that did the breaching?"</p>

<p>Yes. Absolutely. The applicants could only view their own decision because their account password was required to log in to the system in the first place. After logging in, they only were able to view their own ID# (or whatever it was that they used in the decision status login) in the HTML code. Unless a student shares their password, it is certain that they carried out the hack, not an enemy/parent/prankster.</p>

<p>Nom - After posting I realized what I said (I know that you don't want them punished). I do agree with you that they hacked into the program - they didn't crack into the system and hurt anything (but themselves). However, these students KNEW what they were doing was wrong. What they did was still akin to cheating and cheating is wrong. What I can't understand is why they did it? They had to realize that they might get caught & it sure wasn't worth the risk IMO! What if the colleges share who these people were with other colleges? They may not get into any college. It really scares me that people feel that this is not wrong.</p>

<p>I don't disagree that these applicants knew what they were doing was improper. I think there's a difference between cheating (altering your grade by copying, using answer lists, etc.) and what these people did (to continue the analogy, sneaking a peek at your test grade when the teacher left the room).</p>

<p>I'm sure that many didn't think they COULD get caught - even MBA applicants may not know about server logs, IP addresses, etc.</p>

<p>I don't even really think it was that unethical. Like the above analogy:</p>

<p>A teacher says that he isn't giving a test grade back until Monday because he hasn't finished grading them all. You walk by his desk and notice that yours is done and on the top of the stack (say you wrote in green ink or something and you could recognize your paper from a slight distance). Would it be unethical to walk close to his desk on the way out and sneak a peak?</p>

<p>The real idiots here are the people who put credentials for a website they werent supposed to be able to access yet in the source html code (& I think the url, as well). I check source code for websites all the time - dating back to when I took an advanced web design course at a local CC when I was in HS. Everytime I see something interesting or new I often look to see how they did it. If I was in their shoes I would have done the exact same thing without even thinking of it as wrong.</p>

<p>Think about it: there were two seperate areas of the system that had to be logged in to. One to see if all your credentials (recs ect) were in and the other to see your decision. To access your decision it asked for a student # or some other type of unique ID string that you need but don't have yet.</p>

<p>You're all saying that if, once you logged onto the part to check to make sure your app was complete and the url showed something like:</p>

<p><a href="http://xxxxxxxx.edu/admissions/appcheck/cgi-bin/completionchecker.php&studentnumber=35434534"&gt;http://xxxxxxxx.edu/admissions/appcheck/cgi-bin/completionchecker.php&studentnumber=35434534&lt;/a&gt;&lt;/p>

<p>you wouldn't enter 35434534 in the other section to see if that was the ID # it wanted? </p>

<p>Thats all these kids did. They weren't doing anything illegal or unethical. Also, I doubt that all 500+ kids who got caught doing this got their info from an obscure message board. This was probably right out in the open and obvious to anyone who had their eyes open.</p>

<p>"Yes. Absolutely. The applicants could only view their own decision because their account password was required to log in to the system in the first place. After logging in, they only were able to view their own ID# (or whatever it was that they used in the decision status login) in the HTML code. Unless a student shares their password, it is certain that they carried out the hack, not an enemy/parent/prankster"</p>

<p>but technically couldnt a bored hacker just type random numbers in and see if they could find out which were real?yeah, i know this doesnt seem likely that they would actually stumble on a real ID. but it sounds fairly possible to me.</p>

<p>"but technically couldnt a bored hacker just type random numbers in and see if they could find out which were real?"</p>

<p>No. They cannot. As I said before, one needs to use their OWN password. It's not as if you only log in to get your ID number. Also, these kids aren't even hackers. They're not even script kiddies. They needed only a rudimentary understanding of computers to do what they did. In fact, I doubt most of them even knew the implications of exploit exisiting at all. I wonder if the college administrators understand it either. This could be a phobic knee-jerk response based on the premise of security through obscurity. A bad, bad, bad idea.</p>

<p>[Edit: Sure, somebody can enter random characters for the ID and then random characters for the password, too. They could even try to crack somebody's password. The server admins would pick up on it pretty easily, though. Besides, it could take several days to crack a "strong" password. This IS illegal, anyway.]</p>

<p>"That's a good point, although IP addresses and other forensic data might provide fairly conclusive evidence of the identity of some of the snoopers."</p>

<p>True Roger, in some cases. However, plenty of these people may have wireless networks which change IP addresses upon each new connection. So many times the IP tracking is useless.</p>

<p>Dynamic IP addresses are irrelevant.</p>

<p>They probably needed their ID, SS#, PW, Birthdate, ect to get into the first part.</p>

<p>Nobody could get in without being very close to the person or trying to "brute-force" the server (something that would, if done at a rate that would get results in a few days, bring it their universities server to a crawl, take considerable resources - think 100's of cpus and an internet pipe bigger than your fist - and would be painfully obvious to the web admins after about 1/10th of a second looking at the server logs.</p>

<p>Once someone said they did an IP on me to see if it worked and it said I lived in Georgia. Which was across the country from California, where I lived at the time.</p>