Forgot your password?
typodupeerror
Security Education The Internet

Stanford Rejects Business School Hackers 406

Posted by Zonk
from the don't-count-your-chickens dept.
robbarrett writes "The Stanford Report offers the next chapter in a continuing story about business school applicants manipulating URLs on the ApplyYourself system to determine their personal admission status. Harvard immediately rejected the 'hacker' applicants, but Stanford gave 'offenders' the opportunity to defend their actions. However, none of the competitive applicants 'was able to explain his/her actions to our satisfaction,' according to Stanford's dean, so all were rejected. The story mentions the decisions reached by other schools involved in the mess."
This discussion has been archived. No new comments can be posted.

Stanford Rejects Business School Hackers

Comments Filter:
  • They should have been immediately accepted!

    But in this case you get what you deserve. Whats the difference of finding out now or later that you didnt get accepted to Stanford?
    • by Anonymous Coward
      "Whats the difference of finding out now or later that you didnt get accepted to Stanford?"

      Knowing where, or where not to put your energy in perhaps ?
    • But in this case you get what you deserve.

      These kids didn't even know they were hacking. All they knew was that they received an url via MSN from their friends where they could look up their status...

      Sure, they should've know it wasn't supposed to go this way, but should they really be punished like this ?

      Personally, I don't think they should be the ones punished, but rather the person in charge of the security of the website...

      • Come On!

        It seems pretty obvious these folks knew what they were doing. Its requires pouring through a sites source code to extract sensitive info and writing down ids to basically get into a system they obviously didnt have official access to.
        As analogy lets assume during the day at a bank the vault is unlocked with access to those who are permitted but with no guard watching the entrace. OK, yes we should assume the bank is very stupid for not guarding it, but if someone walks in and takes off with a
      • by pedantic bore (740196) on Sunday May 29, 2005 @07:27AM (#12669133)
        These kids didn't even know they were hacking.

        What do you think that they thought they were doing? They didn't get a message from Stanford saying "here's how you check your admission status"; they got a message from their friends saying "here's how you craft a URL that let's you sneak in to the web site and check your admission status before the official date."

        Imagine if the email from their friends had said "Your admission status is kept in the filing cabinet in room 306 of the admissions office, and the guy who works in that office leaves the door unlocked when he eats lunch at noon every day."

        Walking into an unlocked office and looking in the filing cabinet versus cobbling together a URL that obviously circumvents the system. Tell me the difference.

        • WTF....

          The question I got on this goes beyond your lame example. Why was sensitive data in a web accessable area to begin with? Sure, the students shouldn't have done it but they aren't the real guilty party here are they? The real guilty party is the damned administrator. Did they punish the administrator as severely as the student by NOT PAYING HIS DUMB ASS?

          B.
        • by TheoMurpse (729043) on Sunday May 29, 2005 @08:24AM (#12669273) Homepage
          Imagine if the email from their friends had said "Your admission status is kept in the filing cabinet in room 306 of the admissions office, and the guy who works in that office leaves the door unlocked when he eats lunch at noon every day."

          No, the correct analogy is
          Imagine if the email from their friends had said "Your admission status is posted in the hall of the Natural Sciences building, indexed by SSN".
      • These kids didn't even know they were hacking.


        They were hacking as much as I'm hacking when I'm "guessing" an URL when the idiot webdesigner's used some IE-only javascript, making the whole site useless whenever I'm not using WinIE (which I never use)... or when I get an URL to a file not directly linked to anywhere on the web...
      • These people are deliberately trying to get MBAs. I'd say they deserve everything that happens to them, up to and including being boiled in oil. Fuck 'em.
      • These kids didn't even know they were hacking.

        Maybe not, but the situation was at least dubious. If they don't have the wits to check that out, God help any company they ever wind up running.

        Personally, I don't think they should be the ones punished, but rather the person in charge of the security of the website...

        The latter is certainly true; if the educational establishments in question are trying to make a point about how the real world works, then firing someone for gross incompetence is a

        • It's sad for the unlucky ones that this happened, but the harsh reality is that smaller mistakes are enough to let your competitors wipe you out in real business. Perhaps they'll learn something valuable from business school after all.

          You're treating them a lot like numbers there... sure, there is plenty replacement for them in this case, but a certain number of the ``hacking'' students were accepted, for valid reasons... those reasons are now being completely ignored, solely because they did something

    • by L.Bob.Rife (844620) on Sunday May 29, 2005 @06:56AM (#12669038)
      What they deserve? They applied to the school, and then somebody told them they could find out if they were admitted by typing in a url.

      How many students were even aware that it was a big secret whether they were admitted, and they werent allowed to actually know. Why was it even a big secret in the first place? Shouldn't they be telling the students as soon as its reasonably possible, and not dangle it over their heads making them waste time if they werent accepted.

      So, Stanford wants to make claims that these students are morally corrupt by typing a couple letters into their browser, when the school itself is keeping secrets about the students futures hidden for no reason at all and punishing them for being curious. Who is morally corrupt in this scenario i ask...
      • by mosel-saar-ruwer (732341) on Sunday May 29, 2005 @07:59AM (#12669224)

        Who is morally corrupt in this scenario i ask...

        Your modern-day University autocrat has about as much use for morality as a fish has for a bicycle.

        This is all about the elites that govern these institutions - they were embarrassed* by the applicants, and now it's payback time.

        ----------

        *Although, for the life of me, I don't see how this** sort of thing would embarrass a normal person, but that just goes to show you how introverted, self-obsessed, narcissistic, and arrogant these monomaniacal little twits really are.

        ----------

        ** i.e. typing a URL into a browser with the hope of finding out information ABOUT YOURSELF - information that, in theory, BELONGS TO YOU. Reminds me of hospital administrators who try to ban patients from reading THEIR OWN CHARTS, as if the medical records belonged to the hospital, rather than to THE PATIENTS THEMSELVES.

        Just thinking about these kinds of people makes my skin crawl.

        • "** i.e. typing a URL into a browser with the hope of finding out information ABOUT YOURSELF - information that, in theory, BELONGS TO YOU. Reminds me of hospital administrators who try to ban patients from reading THEIR OWN CHARTS, as if the medical records belonged to the hospital, rather than to THE PATIENTS THEMSELVES."

          Here's the thing: not all information about you belongs to you. Think abouut it like this: suppose I know you, and I form an opinion about you. Does my opinion about you belong to yo
      • It's because the later you hold off telling students they've been accepted, the less chance a student has of saying "See, I've been accepted to Colleges A, B, and C. Here are the increased aid packages B and C offered me when they heard you accepted me. What can you do to convince me to stay? And what if I get even better offers from the other schools?" I know someone who managed to swing a $40K full scholarship that way.

        Time and knowledge can always be used to advantage. Not only might a school end up ble
    • What, they should be accepted into Comp Sci because they can type in an URL?

      I know Comp Sci isnt as popular as it used to be, but isnt that setting the standards a bit low...?

      If you are not denied access when you're trying to access data then you can reasonably assume you're allowed to access that data. It's not like they were presented with a big 'permission denied' or 'access strictly prohibited' which they then tried to crack.
  • Heh (Score:2, Funny)

    by cloudkj (685320)
    However, none of the competitive applicants 'was able to explain...

    None of the posters of this article were accepted into Stanfurd [1] either.
    ---
    [1] The misspelling of the university is intentional.
    • Re:Heh (Score:3, Informative)

      by Anonymous Coward
      Subject verb agreement. The subject is none, not applicants.

      "None" is a special case of the singular. It should have a singular verb applied to it.
    • Re:Heh (Score:5, Informative)

      by Guido del Confuso (80037) on Sunday May 29, 2005 @07:04AM (#12669071)
      "None" is short for "not one" and so it uses the singular verb form. The subject of the sentence is "none", not "applicants", so the usage is correct.

      http://dictionary.reference.com/search?q=none [reference.com]
      • Re:Heh (Score:3, Insightful)

        by jwdb (526327)
        Are you sure? "Not one was accepted" I can see, but "None was accepted" just doesn't sound right.

        None may very well be singular (and even that is disputed - see your own link), but it refers to a group - can you therefore not use it in conjunction with a plural verb? I'd put it in the class of words like 'they', which aren't singular or plural themselves but get their number from the concept they embody.
        It may be the contraction of 'not one', where singular is definitely used, but none is a fully independe
        • by bersl2 (689221)
          The indefinite pronouns (http://englishplus.com/grammar/00000027.htm [englishplus.com]):

          Singular: another, anybody, anyone, anything, each, either, everybody, everyone, everything, little, much, neither, nobody, no one, nothing, one, other, somebody, someone, something

          Plural: both, few, many, others, several

          Singular or Plural: all, any, more, most, none, some

          For indefinite pronouns that can be singular or plural, it depends on what the indefinite pronoun refers to.

          Correct: All of the people clapped

        • by Tim C (15259)
          Does none refer to a group, or to each individual member of the group?

          In either case, I think you'll find that "none of the applicants was" and "none of the applicants were" are both acceptable, but the former is definitely correct, even if the latter is.
          • by jwdb (526327)
            I'd tend to disagree that the 'was' usage is correct.

            If you look at the links provided by other posters, it's claimed that 'none' is an indefinite pronoun, both singular and plural. The exact number therefore relies on with which word it is used.
            Now, look at the complete subject of the sentence you gave - "none of the applicants". None is used to define a subset of applicants (an empty set, but a set nontheless) and is therefore clearly plural in this case. This is a side effect of the construction "___ of
        • Re:Heh (Score:2, Insightful)

          None may very well be singular (and even that is disputed - see your own link), but it refers to a group - can you therefore not use it in conjunction with a plural verb?

          You can if you want--it's an accepted usage as well. I normally wouldn't though. "None was" sounds perfectly fine to me. A lot of things that are correct may not sound right at first--"the data are" for example.

          By the way, it's not disputed that "none" is singular. If you read the link carefully, you'll see that both the singular and
          • by jwdb (526327)
            Good point about the original poster, and you're correct about the accepted usage, but for me anything that is supposedly correct but just sounds wrong sets off alarm bells.

            I just posted another comment to this thread about how I believe that 'none' cannot be used in a singular manner and thus the was usage is an irregularity in the language left over from 'not one'.
            http://slashdot.org/comments.pl?sid=151031&cid=12 6 69287 [slashdot.org]

            As for 'data are', isn't that a special case where the singular and plural are
            • The datum is - the data are. It's Latin for "what is given".
    • Re:Heh (Score:2, Informative)

      by nacturation (646836)
      In addition to the other posts, it is worthwhile to note that the subject of the sentence is never located within a prepositional phrase. "of the ... applicants" is a prepositional phrase, where a preposition is "of", "on", "in", etc. So this should read "None ... was able to explain", which still sounds rather odd even though it's correct.
      • Wrong. "None" is a special case either way pronoun. None of the cake was eaten, and none of the students were eaten. "All" is the same way. Nobody is singular always (As with everybody).
  • CUNTinuing (Score:2, Insightful)

    by Anonymous Coward
    Yet more of this mindless usage of the word "hacker." Don't people understand that they can use these analytical type people, the ones who actually want to pursue information, to their advantage?

    ahh, in some ways i guess this is good...
  • by Anonymous Coward on Sunday May 29, 2005 @06:56AM (#12669039)
    Episode VI

    RETURN OF THE H@X0R

    Applicant-1337 has returned to
    his home planet of ParentsBasement in
    an attempt to rescue his
    friend University Education from the
    clutches of the vile gangster
    The Big Guy.

    Much does Hax0r know that the
    HARVARD EMPIRE has controversially
    begun construction on a new
    armored hax0r-rejection policy even
    more powerful than the first
    dreaded competitive admission system.

    When completed, this ultimate
    weapon will spell certain doom
    for the small band of hax0rs
    struggling to restore freedom
    to the interweb....
  • by Dancin_Santa (265275) <DancinSanta@gmail.com> on Sunday May 29, 2005 @06:56AM (#12669042) Journal
    They hardly ought to be called "hackers". It's like calling arsonists "pyrotechnicians". Sure, the tools may be the same, but the level of expertise is very different.
    • by ultranova (717540) on Sunday May 29, 2005 @07:16AM (#12669096)

      They hardly ought to be called "hackers". It's like calling arsonists "pyrotechnicians". Sure, the tools may be the same, but the level of expertise is very different.

      No, it's like calling the guy who lights candles to read by their light a "pyrotechnician with arsonistic tendencies". The word "hacker" implies skill with computers, and when used in place of the word "cracker", a certain amount of malicious intent. Since this incident implied neither, the word "hacker" is unapprooriate - and drawing any parallels with these people and arsonists is completely absurd.

    • by nacturation (646836) <nacturation@@@gmail...com> on Sunday May 29, 2005 @07:35AM (#12669160) Journal
      But they're not script kiddies either. What if you phoned up the admissions office and sweet talked someone there into letting you know whether or not you got accepted already. Would that be cause for a rejection letter? In effect, they knew what question to ask the webserver in order to get the answer.
      • No, it's not the same thing at all. The reason is simple: fully conscious and autonomous human agents are intervening causes, ethically speaking.

        These students used non-cognitive systems (the URL parsing system) to illegally acquire information. Your [hypothetical] student used a cognitive system (the person) to illegally acquire information. The difference is that in the former, the student is the only moral agent acting, while in the latter there are two.

        What this means is that the second one is
        • by MichaelPenne (605299) on Sunday May 29, 2005 @12:03PM (#12670205) Homepage
          at fault?

          If a human admissions officer put the info. on their door, and then hung a sheet of paper over it to 'secure it', would the students be 'hackers' if they lifted the paper up? Now in this case, perhaps the admissions folks really thought the paper was a form of security, it seems like an 'emperor wears no clothes' kind of thing: is the tailor at fault for telling the emperor he was wearing a suit? Is the emperor for not checking it out? In this case we are blaming the people who looked at the emperor and saw him naked!

          Anything that is accessble by an unsecured url is publicly published (it's a 'uniform resource LOCATOR', after all). There was a cognitive choice made at some point to call this system 'secure', --or someone didn't read the manual--and that person is the one who published the information at a public URL.

          The applicants just found the place it had been publically published before they were told to look there, which hardly seems a 'crime', really it seems more like initiative than anything else.
          • Your sheet-of-paper-as-security example is the best analogy I've seen yet, except that if it ever happened, I doubt it would be an accident, it would be a test. Any applicant who peeked would deserve to be rejected out of sheer stupidity.

            My speculation is that the security-by-not-so-obscure-URL was actually a mistake, not by the universities, but by the "experts" they hired. If the university administrators thought they needed to hire experts, they can't be blamed for selecting this method of security,
  • They didn't mention the speed at which they typed the new url? I'm *still* asked my WPM on silly web-based forms.
  • TFM... (Score:5, Insightful)

    by Viceice (462967) on Sunday May 29, 2005 @06:58AM (#12669054)
    "Joss noted that while Stanford was dismayed by the actions of the candidates who tried to gain unauthorized access, it "did not rush to judgment given the limited information available to us initially. By carefully reviewing the file of each applicant involved in these incidents, we upheld the business school's values while treating each applicant fairly. As an educational institution, we hope that the applicants involved in this incident might learn from their experience.""

    Sounds more like an attempt by the PR departments to cover their collective legal asses after their PHBs jumped the gun and block rejected applicants on the grounds that they committed a crime that technically isn't. IMHO, their position on the matter is weak.

    The students didn't steal passwords, spread a virus or trojan. All they did was akin to manually typing in an abiet complicated URL and accessed data on unprotected public servers.

    • "All they did was akin to walking up to an unlocked filing cabinet and rifling through it."

      If you can't trust staff to not go rifling through the filing cabinets, you don't have much trust around the office...
      • A better analogy would be if the filing cabinets were left out in the parking lot.

        If I spray paint my salary on my front door, I can't complain when my neighbors know how much money I make. Even if I do something like "I make $100^2" instead of $10000.

        Was it unethical? I'd have to say yes, but who hasn't hacked URL's if for no other reason than to navigate a poorly designed site.

        I found an online vendor who put the price in the URL, I was able to put items in by shopping basket for any price I wanted.
    • Re:TFM... (Score:5, Insightful)

      by nharmon (97591) on Sunday May 29, 2005 @09:48AM (#12669591) Homepage
      Bad analogy...here is a better one: Lets say the University had a toll-free telephone number that allowed applicants to find out whether or not they were accepted. The only steps the University takes to protect this information is to simply not publish the phone number. But, its the same phone number that was used last year.

      Now, why would a student, who was told last year what the correct URL format is to ask for their application status, now be considered an unethical computer hacker because this URL format returned information before the administration wanted it to be released.

      Perhaps we should stop considering URLs to be security devices, and compare them more to telephone numbers.
  • Unfair treatment (Score:5, Insightful)

    by omega_cubed (219519) <wongwwy.member@ams@org> on Sunday May 29, 2005 @07:02AM (#12669068) Journal
    Quote:

    Joss noted that while Stanford was dismayed by the
    actions of the candidates who tried to gain
    unauthorized access, it "did not rush to judgment
    given the limited information available to us
    initially. By carefully reviewing the file of each
    applicant involved in these incidents, we upheld
    the business school's values while treating each
    applicant fairly...

    That's quite a "holier than thou" sneer at Harvard and MIT.

    What I am truly surprised is that none of the schools took actions against ApplyYourSelf as far as I know: rather, the focus has all been on whether the schools took action against the students. I think this plays heavily on the public's fear of "hacking". Just because the applicants peeked using a computer, it suddenly made it such a grave matter.

    First, I think ApplyYourSelf should bear some responsibility for not properly securing their web-app in a way that such an action is possible. For many people (and I'd even venture to say that in public opinion), anything that is accessible by typing a URL into a browser window might as well be published. I don't really think the school has the right to penalize the applicants for accessing information that has been made available to them.

    Secondly, this whole business has been blown out of proportion: the students were only able to look at their admission status, and that even hinges on the fact that the schools have already published those information to the website. It is not as if the students were actually "hacking" in the sense of escalating their privilege and modifying their admission status. I just don't think this incident is an acurate enough illustration of their moral fibers to warrant such decisions (though I generally have no sympathy for business school applicants).

    Thirdly, I think the whole finding out the admission status thing is more akin to being impatient and calling up the admission office with the knowledge that the drunk receptionist would accidentally let the admission status slip out. So why the applicants were treated so harshly and why the ApplyYourself service was not is really troubling me.

    W
    • maybe those students should've hired you to write their essay. or maybe the school was looking for students who were willing to take the blame and accept the responsibility of their act they committed. which route would you have taken?
    • Re:Unfair treatment (Score:3, Interesting)

      by smchris (464899)
      That's quite a "holier than thou" sneer at Harvard and MIT.

      Exactly. And you'll gotta love Stanford for the playfulness.

      Reminds me of a philosophy professor of mine who would put "extra credit" at the bottom of his tests like, "'If one swallow does not a summer make', how many do?"

    • I suspect that they did this to give the appearance of due process. They may have already pre-rejected them but did this formality in the hopes of not looking rash in their judgement. I wonder if these schools could prove a particular person did the act, rather than an overeager parent in the same household or what not, assuming they compared IPs.
  • by KingSkippus (799657) on Sunday May 29, 2005 @07:03AM (#12669069) Homepage Journal

    Good grief. I'm guilty of doing this sort of thing all the time.

    I'd never really read about what exactly the applicants did before. If the article is right, all they did was poke around the system with URL munged from information they already had. It's not like they exploited buffer overflows to gain control of the system or anything.

    Like I said, I do this type of thing all the time. If I'm on a Web site with content I like and I see a series of URLs named something1.htm, something2.htm, something4.htm, etc., you'd better believe I'm going to type something3.htm in and see what happens. On my own dinky Web sites I have, if I don't want people browsing around the system, I take steps to prevent it, such as making sure the server doesn't allow one to list directories, always having an index.htm file in every directory in case I forget, naming files randomly instead of in series, etc.

    And, on top of all of that, as the post above states, all these candidates did was find out information that was going to be disclosed to them soon anyway.

    So I gotta ask, what the hell is the big deal here? Why is Stanford being such a hard ass about this? If anyone is to blame here for any significant wrongdoing, it has got to be the company that designed software that so easily gives up unauthorized information. I wonder what Stanford did to seek redress against them. (Probably nothing.)

    • by MichaelSmith (789609) on Sunday May 29, 2005 @07:18AM (#12669106) Homepage Journal
      If the article is right, all they did was poke around the system with URL munged from information they already had.

      About five years ago the Federal Government here in Australia introduced a new goods and services tax. Businesses had to register to use the new system and the ATO (tax office) provided a nifty web interface for them to query their account.

      One enterprising person changed the account number in the URL and accessed the details of other account holders.

      IIRC he called up the ATO and told them he had found a security hole, and exactly how he found it.

      Of course, he was charged with hacking the system.

      So the Stanford experience is not exactly isolated. For me it is a bit like going to a public office, and trying an unmarked door. It is not your fault if the door is not locked and they can't really charge you with breaking and entering as long as you didn't use the opportunity to commit a crime.

  • by jesdynf (42915) on Sunday May 29, 2005 @07:05AM (#12669072) Homepage

    I pledge, the next time I hear of such a possible exploit, to rip as much information from the system as the website gives me permission to retrieve. Every bit of it -- I shall construct scripts, pore over forums, and create a list of possible students whose data I will then attempt to extract.

    Additionally, with these links in hand, I shall paste them to random places on the internet, and specific places such as the most likely forums to find such students. I will also disguise their nature and essence, so that users will not know what they click on until it's too late.

    So the next time Stanford comes calling, you go ahead and /blame me/. I could've been the one to do it, after all. You don't know I didn't. They don't know I didn't.

    Or they could just accept that their own goddamn marketing department creates an illusion of prestige, and that people with a limited amount of time to waste on non-responsive colleges /sitting on/ important information like that are going to want to know who to stop wasting time on, and that if they don't like it they can /fix their fucking permissions/. Do they not know any decent webapp programmers? Who've they been graduating?

  • by Registered Coward v2 (447531) on Sunday May 29, 2005 @07:14AM (#12669090)
    They showed they lack good judgment and a sense of ethics.

    I don't want to work with somebody that cuts corners and refuses to play by the rules - what happens when it's a big contract and they decide to "see if we won?" or decide to see if "x is really going to buy Y?"

    If I can't trust you to do what is right, I don't want to work with you.

    Yes, waiting for B-school admission is a high stress period - but stressful situations is when people's character shows. I can understand HBS and Stanford's stance - they, and their alumni, don't want to be associated with the type of people that will create another Enron.

    Overall, they were probably to dumb to get in - from what I saw, the "hack" was a no-brainier - append some code to the end of the URL to hit a page rather than some smart piece of coding; more importantly - didn't they think that there would be alums of schools on the boards that would see th "hack" and let their schools now? And that these alums would be know who to talk to so that the school could investigate and take whatever action is deemed appropriate? If one of the "hackers" had been smart, they'd email the Dean of Admissions and ask - "Someone posted this as a way to check admissions status - is it OK if I use it?"

    • by ultranova (717540) on Sunday May 29, 2005 @07:31AM (#12669146)

      They showed they lack good judgment and a sense of ethics.

      Lack of good judgement maybe; but how is it unethical to try to get information concerning yourself ? Or are you trying to imply that Stanford is some sort of ethical authority ?

      I don't want to work with somebody that cuts corners and refuses to play by the rules - what happens when it's a big contract and they decide to "see if we won?" or decide to see if "x is really going to buy Y?"

      I'd imagine that they would become successfull and capable businessmen. After all, the ability to get good information is the cornerstone of making good decisions.

      If I can't trust you to do what is right, I don't want to work with you.

      Are you sure you aren't confusing moral right with your own expectations of human behiviour ? Because, to the best of my knowledge, there's absolutely nothing unethical in reading information concerning myself, even if someone else is trying to keep it a secret.

      Yes, waiting for B-school admission is a high stress period - but stressful situations is when people's character shows. I can understand HBS and Stanford's stance - they, and their alumni, don't want to be associated with the type of people that will create another Enron.

      Kindly explain what finding out whether you were admitted to a school has to do with forging accounts ?

      Overall, they were probably to dumb to get in - from what I saw, the "hack" was a no-brainier - append some code to the end of the URL to hit a page rather than some smart piece of coding; more importantly - didn't they think that there would be alums of schools on the boards that would see th "hack" and let their schools now? And that these alums would be know who to talk to so that the school could investigate and take whatever action is deemed appropriate?

      Maybe they made the mistake of assuming that the school would take appropriate action, as opposed to the action it actually took ?

      If one of the "hackers" had been smart, they'd email the Dean of Admissions and ask - "Someone posted this as a way to check admissions status - is it OK if I use it?"

      How would this have been smart ? These people had no obligations towards the Dean; why would they ask his permission to view information concerning them ?



      • They showed they lack good judgment and a sense of ethics.

        Lack of good judgement maybe; but how is it unethical to try to get information concerning yourself ? Or are you trying to imply that Stanford is some sort of ethical authority ?


        What matters is how they got the information - they could have calle dthe school and asked for, for example.

        I don't want to work with somebody that cuts corners and refuses to play by the rules - what happens when it's a big contract and they decide to "see
        • What matters is how they got the information - they could have calle dthe school and asked for, for example.

          They got the information from a public web server, by typing an URL into the URL bar of their browser. I fail to see any immorality in this.

          Besides, if they had called the school, it's always possible that whoever answered the phone had not been told that the information was supposed to be secret (why was it secret, BTW ?) and would have answered their question. That was exactly what happened,

        • You've been working as a consultant too long. The sort of people who think like you do fit in perfectly in the giant beuracracy that is the modern corporation because they follow all of the stupid rules and don't rock the boat. (Incedentally, because Harvard and Stanford target this mega-corporations with their graduates, it is likely that this is the reason for the rejections.)

          The kind of person who thinks out of the box and does rock the boat is the type of person you want running or working at your com

    • If I can't trust you to do what is right, I don't want to work with you.

      That's assuming that what they did was wrong. I fail to see how it was-the information was there, Stanford had it posted on public pages (granted, the URLs werent listed, but the fact that they were there at all without any encryption or password required shows that they were available to anyone).
      • That's assuming that what they did was wrong. I fail to see how it was-the information was there, Stanford had it posted on public pages (granted, the URLs werent listed, but the fact that they were there at all without any encryption or password required shows that they were available to anyone).

        That's like saying beacuse you're connected to the internet, and your security isn't 100%, it's OK to take a look at what's on your machine.

        The schools told the applicants when they would be informed of their de
        • That's like saying beacuse you're connected to the internet, and your security isn't 100%, it's OK to take a look at what's on your machine.

          No. It's like saying that because I'm connected to the Internet and running a publically available webserver, it's OK to take a look at what's available through that webserver. Replace the webserver with a P2P app, newsserver or whatever, and the point still stands.

          If I publish data, and accidentally publish something I didn't want to be known, that's my fault,

    • I don't want to work with somebody that cuts corners and refuses to play by the rules - what happens when it's a big contract and they decide to "see if we won?" or decide to see if "x is really going to buy Y?"
      Sorry, no, you have the wrong idea here. This would be akin to checking to see if the deposit from a contract had come through yet so that it could be used to do more work. This isn't like they were trying to obtain information they weren't entitled to know. It was them just seeing if they had
      • I don't want to work with somebody that cuts corners and refuses to play by the rules - what happens when it's a big contract and they decide to "see if we won?" or decide to see if "x is really going to buy Y?"

        Sorry, no, you have the wrong idea here. This would be akin to checking to see if the deposit from a contract had come through yet so that it could be used to do more work. This isn't like they were trying to obtain information they weren't entitled to know. It was them just seeing if they had be
      • I have really bad news for you, MOST engineers end up in management. Many of the guys applying to business school are engineers who either couldn't hack it and wanted out, or who were tough stuff and wanted to be able to get promoted. The trick is figuring out who is who....
    • by Znork (31774) on Sunday May 29, 2005 @08:21AM (#12669266)
      "They showed they lack good judgment and a sense of ethics."

      Um, no, they showed curiosity and a certain resourcefulness in finding data. Traits I can certainly appreciate in colleagues.

      Now, HBS and Stanford on the other hand showed a lack of good judgement and a sense of ethics. Their only concern appears to be to save face because they invested in a crap product that apparently doesnt even have proper access control. To blame some applicants to cover up their own incompetence is pretty low.

      "they'd email the Dean of Admissions and ask"

      Where do I send my mail asking if it is ok to access www.harvard.edu? Some guy said you could access their webpage if you typed that into your web browser, but I'm not sure I'm allowed to?

      If you can access it you can assume you're allowed to access it. It is not customary to be required to ask permission for looking at things in plain view.
  • Don't Harvard and Stanford have Business Ethics classes? Presumably, you teach a class to educate people on a subject. But apparantly, for these students, the test was administered before the lessons were given. Hurray for Higher Education.
  • by Anonymous Coward on Sunday May 29, 2005 @07:18AM (#12669103)
    the applicants, for the most part, are still 'just kids' and even as a woefully too well aged adult, I can still relate to the idea that taking a peek at 'hidde' information on a web site is not evil

    the proble is not the kids. i's this culture of zero tolerance which the otherwise liberal educational community has latched onto with a fervor one would normally expect from religous fanatics.

    back when i was attending college the attitudes were different. administration had a 'boys will be boys' attitude and was more concerned with helping us understand why certain activites were not acceptable, rather than striking us down like Zeus on the maountain.

    Based on the information I've encountered regarding this mess, there seems to be an extreme level of self righteous bigotry on the part of the 'adults'.

    Or perhaps they are just too lazy to do their job of education.
  • by Anonymous Coward
    Reuters were accused of hacking when they guessed the URL of an upcoming interim report from Swedish IT consulting firm Intentia. There's a Wired article about the incident [wired.com].
  • by donscarletti (569232) on Sunday May 29, 2005 @07:24AM (#12669123)
    It is sad that most decision makers don't understand what "hacking" actually is. A security breech that allows information to be extracted is simply a process of asking for information in the right way. Whether they like it or not, their own computer told these applicants what they wanted to know because of a simple trick of asking the right question. Their computers were not told to protect the information and so it blabbed to these students as soon as it was cued. This particular hack is analogous to walking to a front desk and asking the receptionist the hypothetical question: "imagine for a second that today was the Sunday two weeks from now, now in that situation, what would you tell me about my Stanford acceptance?" and getting a reply. In that situation the result would be the receptionist that was fired, not the questioner getting punished, I don't see why it should be any different for its electronic analogue.

    Of cause no institution should be forced to accept students it doesn't want to, but morally speaking, these students have done nothing wrong. There are many immoral things one can do on a computer: sabotaging other people's systems, destroying other people's data among others. But finding out personal information by asking a gullible computer the right question is perfectly understandable. If Stanford want this data safe, they should fix their computers so it protects the data. Computers are remote controlled and pretty much do what their asked to do. One wouldn't leave a priceless Monet strapped to a remote control truck that every kid with a toy car can control, so why do people complain about their loose lipped computer squealing numbers to some kid who knows how to use a URL bar? The sooner people see computers for what they are: devices that are told what to do by more people than they should and forget about the whole trespass on private land metaphors, the sooner people might take some responsibility about dumb machines being given too much information. They probably will end up a lot safer in the long term. It really makes me mad when people blame others for exploiting their own gullibility.

    • They understand your notion of ethics -- they're simply saying that they don't want students who hold that notion.

      I've been somewhat sympathetic to the students, who didn't do anything that was that blatantly inappropriate. But seeing the reasoning people deploy in their defense is making it clear why the universities decided that they offenders were facing a test and failed it.

      For example, let's say (and this happens constantly) a vendor mistakenly faxes sensitive information to us instead of to the corre

    • Actually, if they had got the same information from the secretary, I would expect them to be punished. It's reasonably obvious they shouldn't have the information, and getting it through trickery is wrong. If they'd simply asked the secretary "Have I been accepted?", and they'd mistakenly told them, that would be different, of course.

      I hate this idea of "It wasn't protected enough, so it's okay". Yes, the website screwed up, but that doesn't mean it's right for the students to have accessed a page they we
  • by Sam Nitzberg (242911) on Sunday May 29, 2005 @08:15AM (#12669256)
    Although the prospective students have been penalized by Stanford, there is something that I don't quite understand.

    It seems that Stanford made this information (acceptance status) available by entering a (guessable) address.

    Until this information was issued formally to the student, Stanford apparently considered this information confidential.

    By not utilizing an effective password / security system, Stanford then effectively made this information publicly available.

    One could argue that any student would have a right / entitlement to know what information on himself / herself was being made publicly available - especially if the information were supposed to have been confidential.

    It is arguable that Stanford effectively violated the privacy of the students, but is prepared to punish the (prospective) students for obtaining the information it made publiclay available.
  • So only the 'best' hackers are allowed into Stanford, ones who werent caught?
  • The issue is that Stanford regards this as the equivalent of being asked to wait at an office while someone is away and quickly taking a peek at the list of results lying on their desk. They clearly expected reasonable privacy and you knowingly violated that privacy, now imagine if that list was turned over face-down, or if it it was in a folder or a draw, the violation would be even clearer. Translating this to the Internet is hard and debatable: the user was 'logged in' (aka invited into the admissions of
  • Look (Score:2, Insightful)

    I know cheating is something of a sport these days, often performed almost competitively and without second thought to ethics. But when all the highest rated replies to this story are people defending the actions of those students who gained unauthorized access to that information, that's too much.

    What these (prospective) students did was wrong. Period. They willingly and knowingly gained unauthorized access to information that was not theirs to access. I generally hate analogies but here goes: if these st
    • What if the exam results were mistakenly posted on a public bulletin board. Would it be "cheating" to look at them?

      If you get drunk, and brag about killing your spouse, is it immoral for a bystander to pass that information on to the police?

    • "if these students found a key to their professor's room and snuck in to check on their exam results, do you think there'd be a furor as to whether they are guilty of cheatin or not?"

      Probably not. If they had snuck into a locked room to look at the answer key before the test, there probably would be. From what I understand, their knowledge of their admission status had no impact on that status until the colleges decided to bar all of the students involved from admission. It's kind of ironic, really.
    • Re:Look (Score:3, Insightful)

      by AK Marc (707885)
      I know cheating is something of a sport these days, often performed almost competitively and without second thought to ethics. But when all the highest rated replies to this story are people defending the actions of those students who gained unauthorized access to that information, that's too much.

      What is "cheating?" You equate "unauthorized access" (which is quite funny because to get to their page, they had to enter their username and password, no other username/password from a student or anonymous acc
  • As an educational institution, we hope that the applicants involved in this incident might learn from their experience.

    I hope the educational institution might have learned something too. Like have a secure system.

    Sure temptation is there and control should have been exercised. However it is really stupid just to brush everyone or any of them aside. It's just like the rules now days where the punishment is the punishment because you don't have to think.

    No one gains a thing out of it. Well except Ber
  • The applicants were evidently viewing publicly accessible pages, protected only because the applicants didn't actually have a link to them yet. Furthermore, the URL wasn't something obscure, it was a plain-text reference using the same applicant ID as all the other pages, just a different page.

    If viewing those kinds of pages violates anybody's rules, then that's a bad precedent. The intent of the applicants may have been bad, but punishing them for this sort of innocuous URL manipulation sets a bad prece
    • Re:bad precedent (Score:3, Insightful)

      by fbjon (692006)
      I don't think it sets a precedent to anything. Anyone's free to type in any URL they want, but that doesn't mean you should. Just because it's easy to do wrong doesn't justify it. Lack of moral integrity is lack of moral integrity.
  • by l00sr (266426)
    If you wish to register your disgust with Stanford's actions here, you might want to hit them where it hurts. Write other alums, perhaps circulate a petition, and threaten to withhold donations (or maybe just earmark donations specifically NOT to be used for the business school) until it changes its stance. Better yet, tell them you'll give them an opportunity to explain their actions, and that you might reconsider based on how satisfactory their explanation is :).
  • by blair1q (305137) on Sunday May 29, 2005 @09:35AM (#12669538) Journal
    "We're shocked - SHOCKED! to find that b-school applicants have no integrity."
    --American Business
  • by yagu (721525) <yayagu.gmail@com> on Sunday May 29, 2005 @11:04AM (#12669887) Journal

    Poor security doesn't justify the means. From a referenced slashdot article:

    The Graduate School of Business has rejected all 41 applicants who tried to gain unauthorized access to their application files after an unidentified hacker posted instructions on BusinessWeek's website March 2 about how to access the confidential information..

    This, in my opinion, is really the heart of the issue. I jumped into this discussion a little late, so I haven't had time to read all 150 posts, but what I've read so far I find a little disturbing. There seems to be a common theme that The school had bad security and the hackers were merely (in the words of one comment) asking the right question. I disagree.

    I don't think poorly obfuscated information intended to be kept confidential justifies hackers taking or accessing it, much less publicizing for others how to do the same. It seems unethical to me. And, I know I'm risking big time going down the chute of flamebait and troll modding hell for saying so, but I just think the pervasive "justification" of this hacking many of "us" perpetuates the stereotype of "in your face" behavior just because we know the technology and you (rhetorical) don't.

    The school blew it only in the sense they didn't have much of a mechanism to prevent access, but would we still be saying it was okay if the school had some huge encryption in place to hide data and someone had hacked that? It really isn't that much different. The fact that the school "hid" the information sets the bar high enough to define the standard as to what the hackers did as inappropriate hacking. Just my $.02

  • I didn't peak (Score:3, Interesting)

    by Besjon (781468) on Sunday May 29, 2005 @12:02PM (#12670200)
    I'm a geek and after many years of making fun of those MBA-types had a change of fate and applied to several business schools. I was waiting for my acceptance notification when the news about the "hack" broke.

    Due to the staggered and overlapping notification dates, it would have been extremely helpful to know results in advance. Imagine the scenario of being accepted to one school with your deposit deadline due before being notified if you got into your preferred, but more difficult to get into school. Do you pass on sure thing behind door #1 or skip it for a chance at door #2? When you're facing relocation and close to $100,000 of expenses (with no income) over the next two years you want to make as informed a choice as possible. So I understand the desire to get the extra information.

    HOWEVER, these are business schools. They all have a huge emphasis on ethics and take it very seriously (especially over the past several years due to high profile scandals). As soon as I saw the news I knew it would end badly for peakers. No matter if you believe it was acceptable or not to peak - as a business school candidate you should have realized peaking could get you into trouble.

    I found it amusing that the b-school(s) gave the accused an opportunity to defend their actions. It almost implies the ethics violation would have been tolerated had the candidate been persuasive enough to talk their way out of it.
  • by Thomas A. Anderson (114614) on Sunday May 29, 2005 @03:17PM (#12671299) Homepage
    Let me see if I have this straight....

    1) No hacking or cracking was involved - the information was available to anybody who had a login/password by adding freely available information (again, if one has a login/password) to the url.

    2) No one is claiming that someone viewed admission status for anyone but themselves (except for the sister but that's another story).

    3) No information on the server was changed by the students, simply viewed (ie, admission status was not changed not could it be via this process).

    4) Some posters are claiming that the students were told they shouldn't do this, but I have yet to read anything supporting this.

    5) In some cases, this act was the sole basis for a denial from the school.

    Simply put, the schools will and should get sued by the students who had their admissions taken away. No law was broken, and no attempt at cheating was made.

    If you put information on the web, it will be viewed. Period. You can bitch and moan all you want about it, but if the information is not protected, it's your own damn fault. Blaming the students is a sad attempt at diverting the focus from the real issue - security by obscurity does not work.

It is impossible to travel faster than light, and certainly not desirable, as one's hat keeps blowing off. -- Woody Allen

Working...