High-minded Harvard slams door on hackers

March 10, 2005

Times
From Elaine Monaghan in Washington



MORE than 100 applicants for Harvard have been barred from entering the business school after hacking into an online admissions site.

Harvard accused 119 would-be students of an unethical act that amounted to a “serious breach of trust that cannot be countered by rationalisation”.

Other institutions, including Carnegie Mellon, the university in Pittsburgh, and the Massachusetts Institute of Technology in Cambridge, which rejected 32 applicants, took a similarly harsh stance.

The applicants learnt of the security flaw in the website when a hacker posted instructions on an online message board hosted by Business Week last week. The instructions told people to log on to their admissions web page and find their identification numbers in source material that was available on the site. On plugging those numbers into another web page address, they were directed to a page where their admissions decision could be found.

http://www.timesonline.co.uk/newspaper/0,,173-1518535,00.html

Now, they need to check their security.

But really: first lesson in business ethics for the future managerial class: don't be a schmuck your whole life!

It was URL munging, no hacking involved. It can be argued that they were wrong to snoop in places were they weren't invited, but the info Harvard wanted kept secret wasn't exactly protected with barriers to access either.

I think calling it hacking is going overboard, and I think the schools are over-reacting out of embarrassment.

IMO, they should have had their data secure, plain and simple.

It's absurd to punish students for an appalling lack of basic security in the construction of their web site.

If this information is not meant to be publically available, then it should have been displayed in a way that a simple URL change did not reveal the material. Simple log in validation should automatically redirect any unauthorized browsers away from the page.

Any web page viewable from a browser, without any hacking of code or illegal entry into the server, implies public display of the material.

better judgement and higher standards than "average" these are the people, like it or not, who will be running everything 30 years from now.

A folder filled with top secret documents is prominently labeled "Secret Government Military Installations" and then placed on an open shelf in the reading room of the local public library.

Curious library patrons take a peek inside the manilla folder and are promptly arrested by the FBI crying "You have no integrity!"

The charge may be technically valid, and perhaps the people really should have known better, but the context in which the documents were kept contradicts the claim for secrecy. The setting implies public domain access, despite the prominent labeling.

For internet-savvy computer users, a manual URL entry with attendant query string text is simply a navigational shortcut. The source article is registration protected, so I couldn't tell whether the students were clearly aware that this information was supposed to be kept secret despite the distressingly easy way to access it.

then they want it secret until then, I think that's a little obvious.

>>um, if Harvard says: we'll tell you on April 1 <<

Since I don't have access to the article, I didn't have any information on how clear Harvard had been about the terms of getting this information.

Not being privy to Ivy League traditions, I also don't have any sense for why this was viewed as such a serious breach of conduct. Not saying it wasn't a breach, mind you, just not one that has much meaning for me without some context.

Of course, when I went to school, there was no internet access to this information -- public or secret -- so I just opened my letter like all the other students without giving it much thought.

Now, as a computer programmer, my first thought is that Harvard needs a sharp rap on the knuckels for creating such gratuitous security holes in the first place. They're supposedly to be a seat of learning, not computer illiterates.

if someone breaks into your house? sure, but it's also the fault of the person who broke in.

Standard admissions procedure is to have a date on which the school sends out letters to applicants informing them of the decision. There was no advantage to getting the info earlier, beyond impatience. Every student who applies to HBS has come out of a school with an admissions process. They all know the rules, or they reasonably should.

by the way, Harvard wasn't hurt by having this information out, the letter were probably going out in the next ten days anyway. So I wouldn't put it past someone to use this as an ethics test.

...only if you equate a private residence with a public web site.

At the risk of being tediously pedantic, a more apt analogy would be a public park with an Employees Only area that has a swinging gate but no lock and relies on public awareness of propriety to keep them out of that area. Inevitably you'll get serious mischief makers and simply the idly curious intruding on the restricted area.

I'm still not entirely persuaded that this action by admittedly curious students is such a serious breach of ethics that demands barring them from attending Harvard. After all, breaking the rules can be considered a misdemeanor or a felony. Why is this a felony?

you are interviewing for a job. While you are in the HR director's office, she gets up to go get some coffee. You see a file on her desk with your name on it. do you rifle through it to see what it says about you? That's the equivalent. Free access, no real chance (in your mind) of getting caught, and the information is about you, not someone else, so it's not really stealing. Now imagine if you are that HR director, and you come back from getting coffee and you see the applicant, who you were about to hire, reading a file from your desk. Still offer him the job?

HBS accepts 13% of the applicants. Every year they turn down hundreds of very well qualified people for seemingly meaningless reasons. How do you compare two people with identical undergraduate records and test scores, equivalent work experience and glowing reccomendations? You can only take one of them. Somehow you pick, you have to. And then the one you picked makes a mistake. All of a sudden the other guy is more qualified. Isn't it unfair to him to the ones who didn't commit ethical violations to allow those who did to skate? Believe me, HBS will fill those spots, with equally talented people, most of whom will never know they were going to be rejected. It's easy for HBS to make this stand, they lose nothing.

http://www.timesonline.co.uk/printFriendly/0,,1-3564-1518535-3564,00.html

because it is rumoured that non-UK IP addresses are allowed to access the 'print friendly' version of Times articles.

Of course, some may consider this hacking ...

permission.

Admission files are not for casual perusal. The fact that someone was able to compromise the security on them is one thing, the wholesale peeking at them by third parties who were involved and had signed the agreement not to disclose any such information, and WHO WANT ADMISSION to to the top business school in America should know better.

If they don't, they don't deserve the spots. If they did know better and looked anyway, they definately don't deserve the spot.

Ethics is one of the things that school does teach. What graduates do with such information afterward is up to them.

>> the wholesale peeking at them by third parties who were involved and had signed the agreement not to disclose any such information,<<

Thank you, you're the first poster to provide specific support for the contention that the students knew this was not appropriate behavior. If they signed a letter of agreement to that effect, then YES, I agree, they were in serious violoation of ethics.

else they never would have admitted a Yale (barely) grad by the name of George W. Bush**, whose entire life is a "serious breach of trust that cannot be countered by rationalisation".