Security Education The Internet

Stanford Rejects Business School Hackers

robbarrett writes "The Stanford Report offers the next chapter in a continuing story about business school applicants manipulating URLs on the ApplyYourself system to determine their personal admission status. Harvard immediately rejected the 'hacker' applicants, but Stanford gave 'offenders' the opportunity to defend their actions. However, none of the competitive applicants 'was able to explain his/her actions to our satisfaction,' according to Stanford's dean, so all were rejected. The story mentions the decisions reached by other schools involved in the mess."

  • by phobos13013 ( 813040 ) on Sunday May 29, 2005 @06:48AM (#12669015)
    They should have been immediately accepted!

    But in this case you get what you deserve. What's the difference of finding out now or later that you didn't get accepted to Stanford?
  • CUNTinuing (Score:2, Insightful)

    by Anonymous Coward on Sunday May 29, 2005 @06:52AM (#12669027)
    Yet more of this mindless usage of the word "hacker." Don't people understand that they can use these analytical type people, the ones who actually want to pursue information, to their advantage?

    Ahh, in some ways I guess this is good...
  • But in this case you get what you deserve.

    These kids didn't even know they were hacking. All they knew was that they received an url via MSN from their friends where they could look up their status...

    Sure, they should've known it wasn't supposed to go this way, but should they really be punished like this?

    Personally, I don't think they should be the ones punished, but rather the person in charge of the security of the website...

  • by L.Bob.Rife ( 844620 ) on Sunday May 29, 2005 @06:56AM (#12669038)
    What they deserve? They applied to the school, and then somebody told them they could find out if they were admitted by typing in a url.

    How many students were even aware that it was a big secret whether they were admitted, and they weren't allowed to actually know? Why was it even a big secret in the first place? Shouldn't they be telling the students as soon as it's reasonably possible, and not dangle it over their heads making them waste time if they weren't accepted?

    So, Stanford wants to make claims that these students are morally corrupt by typing a couple letters into their browser, when the school itself is keeping secrets about the students' futures hidden for no reason at all and punishing them for being curious. Who is morally corrupt in this scenario, I ask...
  • by Dancin_Santa ( 265275 ) <DancinSanta@gmail.com> on Sunday May 29, 2005 @06:56AM (#12669042) Journal
    They hardly ought to be called "hackers". It's like calling arsonists "pyrotechnicians". Sure, the tools may be the same, but the level of expertise is very different.
  • TFM... (Score:5, Insightful)

    by Viceice ( 462967 ) on Sunday May 29, 2005 @06:58AM (#12669054)
    "Joss noted that while Stanford was dismayed by the actions of the candidates who tried to gain unauthorized access, it "did not rush to judgment given the limited information available to us initially. By carefully reviewing the file of each applicant involved in these incidents, we upheld the business school's values while treating each applicant fairly. As an educational institution, we hope that the applicants involved in this incident might learn from their experience.""

    Sounds more like an attempt by the PR departments to cover their collective legal asses after their PHBs jumped the gun and block rejected applicants on the grounds that they committed a crime that technically isn't. IMHO, their position on the matter is weak.

    The students didn't steal passwords, spread a virus or trojan. All they did was akin to manually typing in an albeit complicated URL and accessed data on unprotected public servers.

  • Unfair treatment (Score:5, Insightful)

    by omega_cubed ( 219519 ) <wongwwy@@@member...ams...org> on Sunday May 29, 2005 @07:02AM (#12669068) Journal
    Quote:

    Joss noted that while Stanford was dismayed by the
    actions of the candidates who tried to gain
    unauthorized access, it "did not rush to judgment
    given the limited information available to us
    initially. By carefully reviewing the file of each
    applicant involved in these incidents, we upheld
    the business school's values while treating each
    applicant fairly...

    That's quite a "holier than thou" sneer at Harvard and MIT.

    What I am truly surprised by is that none of the schools took actions against ApplyYourSelf as far as I know: rather, the focus has all been on whether the schools took action against the students. I think this plays heavily on the public's fear of "hacking". Just because the applicants peeked using a computer, it suddenly made it such a grave matter.

    First, I think ApplyYourSelf should bear some responsibility for not properly securing their web-app in a way that such an action is possible. For many people (and I'd even venture to say that in public opinion), anything that is accessible by typing a URL into a browser window might as well be published. I don't really think the school has the right to penalize the applicants for accessing information that has been made available to them.

    Secondly, this whole business has been blown out of proportion: the students were only able to look at their admission status, and that even hinges on the fact that the schools have already published that information to the website. It is not as if the students were actually "hacking" in the sense of escalating their privilege and modifying their admission status. I just don't think this incident is an accurate enough illustration of their moral fibers to warrant such decisions (though I generally have no sympathy for business school applicants).

    Thirdly, I think the whole finding out the admission status thing is more akin to being impatient and calling up the admission office with the knowledge that the drunk receptionist would accidentally let the admission status slip out. So why the applicants were treated so harshly and why the ApplyYourself service was not is really troubling me.

    W
  • by KingSkippus ( 799657 ) on Sunday May 29, 2005 @07:03AM (#12669069) Homepage Journal

    Good grief. I'm guilty of doing this sort of thing all the time.

    I'd never really read about what exactly the applicants did before. If the article is right, all they did was poke around the system with URL munged from information they already had. It's not like they exploited buffer overflows to gain control of the system or anything.

    Like I said, I do this type of thing all the time. If I'm on a Web site with content I like and I see a series of URLs named something1.htm, something2.htm, something4.htm, etc., you'd better believe I'm going to type something3.htm in and see what happens. On my own dinky Web sites I have, if I don't want people browsing around the system, I take steps to prevent it, such as making sure the server doesn't allow one to list directories, always having an index.htm file in every directory in case I forget, naming files randomly instead of in series, etc.

    And, on top of all of that, as the post above states, all these candidates did was find out information that was going to be disclosed to them soon anyway.

    So I gotta ask, what the hell is the big deal here? Why is Stanford being such a hard ass about this? If anyone is to blame here for any significant wrongdoing, it has got to be the company that designed software that so easily gives up unauthorized information. I wonder what Stanford did to seek redress against them. (Probably nothing.)

  • by Registered Coward v2 ( 447531 ) on Sunday May 29, 2005 @07:14AM (#12669090)
    They showed they lack good judgment and a sense of ethics.

    I don't want to work with somebody that cuts corners and refuses to play by the rules - what happens when it's a big contract and they decide to "see if we won?" or decide to see if "x is really going to buy Y?"

    If I can't trust you to do what is right, I don't want to work with you.

    Yes, waiting for B-school admission is a high stress period - but stressful situations are when people's character shows. I can understand HBS and Stanford's stance - they, and their alumni, don't want to be associated with the type of people that will create another Enron.

    Overall, they were probably too dumb to get in - from what I saw, the "hack" was a no-brainer - append some code to the end of the URL to hit a page rather than some smart piece of coding; more importantly - didn't they think that there would be alums of schools on the boards that would see the "hack" and let their schools know? And that these alums would know who to talk to so that the school could investigate and take whatever action is deemed appropriate? If one of the "hackers" had been smart, they'd email the Dean of Admissions and ask - "Someone posted this as a way to check admissions status - is it OK if I use it?"

  • by Anonymous Coward on Sunday May 29, 2005 @07:14AM (#12669092)
    Fortunately for us, we have the warm embrace of our parents' basements to return to.

    You may have said that tongue in cheek, but look at it seriously.

    I, for one, would rather have a family that loved me than all the riches in the world.
  • by ultranova ( 717540 ) on Sunday May 29, 2005 @07:16AM (#12669096)

    They hardly ought to be called "hackers". It's like calling arsonists "pyrotechnicians". Sure, the tools may be the same, but the level of expertise is very different.

    No, it's like calling the guy who lights candles to read by their light a "pyrotechnician with arsonistic tendencies". The word "hacker" implies skill with computers, and when used in place of the word "cracker", a certain amount of malicious intent. Since this incident implied neither, the word "hacker" is inappropriate - and drawing any parallels with these people and arsonists is completely absurd.

  • by Anonymous Coward on Sunday May 29, 2005 @07:18AM (#12669103)
    The applicants, for the most part, are still 'just kids' and even as a woefully too well aged adult, I can still relate to the idea that taking a peek at 'hidden' information on a web site is not evil.

    The problem is not the kids. It's this culture of zero tolerance which the otherwise liberal educational community has latched onto with a fervor one would normally expect from religious fanatics.

    Back when I was attending college the attitudes were different. Administration had a 'boys will be boys' attitude and was more concerned with helping us understand why certain activities were not acceptable, rather than striking us down like Zeus on the mountain.

    Based on the information I've encountered regarding this mess, there seems to be an extreme level of self righteous bigotry on the part of the 'adults'.

    Or perhaps they are just too lazy to do their job of education.
  • by donscarletti ( 569232 ) on Sunday May 29, 2005 @07:24AM (#12669123)
    It is sad that most decision makers don't understand what "hacking" actually is. A security breach that allows information to be extracted is simply a process of asking for information in the right way. Whether they like it or not, their own computer told these applicants what they wanted to know because of a simple trick of asking the right question. Their computers were not told to protect the information and so it blabbed to these students as soon as it was cued. This particular hack is analogous to walking to a front desk and asking the receptionist the hypothetical question: "imagine for a second that today was the Sunday two weeks from now, now in that situation, what would you tell me about my Stanford acceptance?" and getting a reply. In that situation the result would be the receptionist that was fired, not the questioner getting punished, I don't see why it should be any different for its electronic analogue.

    Of course no institution should be forced to accept students it doesn't want to, but morally speaking, these students have done nothing wrong. There are many immoral things one can do on a computer: sabotaging other people's systems, destroying other people's data among others. But finding out personal information by asking a gullible computer the right question is perfectly understandable. If Stanford want this data safe, they should fix their computers so it protects the data. Computers are remote controlled and pretty much do what they're asked to do. One wouldn't leave a priceless Monet strapped to a remote control truck that every kid with a toy car can control, so why do people complain about their loose lipped computer squealing numbers to some kid who knows how to use a URL bar? The sooner people see computers for what they are: devices that are told what to do by more people than they should and forget about the whole trespass on private land metaphors, the sooner people might take some responsibility about dumb machines being given too much information. They probably will end up a lot safer in the long term. It really makes me mad when people blame others for exploiting their own gullibility.

  • by pedantic bore ( 740196 ) on Sunday May 29, 2005 @07:27AM (#12669133)
    These kids didn't even know they were hacking.

    What do you think that they thought they were doing? They didn't get a message from Stanford saying "here's how you check your admission status"; they got a message from their friends saying "here's how you craft a URL that lets you sneak in to the web site and check your admission status before the official date."

    Imagine if the email from their friends had said "Your admission status is kept in the filing cabinet in room 306 of the admissions office, and the guy who works in that office leaves the door unlocked when he eats lunch at noon every day."

    Walking into an unlocked office and looking in the filing cabinet versus cobbling together a URL that obviously circumvents the system. Tell me the difference.

  • by ultranova ( 717540 ) on Sunday May 29, 2005 @07:31AM (#12669146)

    They showed they lack good judgment and a sense of ethics.

    Lack of good judgement maybe; but how is it unethical to try to get information concerning yourself? Or are you trying to imply that Stanford is some sort of ethical authority?

    I don't want to work with somebody that cuts corners and refuses to play by the rules - what happens when it's a big contract and they decide to "see if we won?" or decide to see if "x is really going to buy Y?"

    I'd imagine that they would become successful and capable businessmen. After all, the ability to get good information is the cornerstone of making good decisions.

    If I can't trust you to do what is right, I don't want to work with you.

    Are you sure you aren't confusing moral right with your own expectations of human behaviour? Because, to the best of my knowledge, there's absolutely nothing unethical in reading information concerning myself, even if someone else is trying to keep it a secret.

    Yes, waiting for B-school admission is a high stress period - but stressful situations are when people's character shows. I can understand HBS and Stanford's stance - they, and their alumni, don't want to be associated with the type of people that will create another Enron.

    Kindly explain what finding out whether you were admitted to a school has to do with forging accounts?

    Overall, they were probably too dumb to get in - from what I saw, the "hack" was a no-brainer - append some code to the end of the URL to hit a page rather than some smart piece of coding; more importantly - didn't they think that there would be alums of schools on the boards that would see the "hack" and let their schools know? And that these alums would know who to talk to so that the school could investigate and take whatever action is deemed appropriate?

    Maybe they made the mistake of assuming that the school would take appropriate action, as opposed to the action it actually took?

    If one of the "hackers" had been smart, they'd email the Dean of Admissions and ask - "Someone posted this as a way to check admissions status - is it OK if I use it?"

    How would this have been smart? These people had no obligations towards the Dean; why would they ask his permission to view information concerning them?

  • But they're not script kiddies either. What if you phoned up the admissions office and sweet talked someone there into letting you know whether or not you got accepted already? Would that be cause for a rejection letter? In effect, they knew what question to ask the webserver in order to get the answer.
  • Re:Heh (Score:3, Insightful)

    by jwdb ( 526327 ) on Sunday May 29, 2005 @07:41AM (#12669179)
    Are you sure? "Not one was accepted" I can see, but "None was accepted" just doesn't sound right.

    None may very well be singular (and even that is disputed - see your own link), but it refers to a group - can you therefore not use it in conjunction with a plural verb? I'd put it in the class of words like 'they', which aren't singular or plural themselves but get their number from the concept they embody.
    It may be the contraction of 'not one', where singular is definitely used, but none is a fully independent word nowadays and, in my opinion, should be viewed separately from its origins.

    On the other hand, the 'was' is part of a quote, a situation where normal grammar rules can become warped.

    Jw
  • by mosel-saar-ruwer ( 732341 ) on Sunday May 29, 2005 @07:59AM (#12669224)

    Who is morally corrupt in this scenario i ask...

    Your modern-day University autocrat has about as much use for morality as a fish has for a bicycle.

    This is all about the elites that govern these institutions - they were embarrassed* by the applicants, and now it's payback time.

    ----------

    *Although, for the life of me, I don't see how this** sort of thing would embarrass a normal person, but that just goes to show you how introverted, self-obsessed, narcissistic, and arrogant these monomaniacal little twits really are.

    ----------

    ** i.e. typing a URL into a browser with the hope of finding out information ABOUT YOURSELF - information that, in theory, BELONGS TO YOU. Reminds me of hospital administrators who try to ban patients from reading THEIR OWN CHARTS, as if the medical records belonged to the hospital, rather than to THE PATIENTS THEMSELVES.

    Just thinking about these kinds of people makes my skin crawl.

  • by Sam Nitzberg ( 242911 ) on Sunday May 29, 2005 @08:15AM (#12669256)
    Although the prospective students have been penalized by Stanford, there is something that I don't quite understand.

    It seems that Stanford made this information (acceptance status) available by entering a (guessable) address.

    Until this information was issued formally to the student, Stanford apparently considered this information confidential.

    By not utilizing an effective password / security system, Stanford then effectively made this information publicly available.

    One could argue that any student would have a right / entitlement to know what information on himself / herself was being made publicly available - especially if the information were supposed to have been confidential.

    It is arguable that Stanford effectively violated the privacy of the students, but is prepared to punish the (prospective) students for obtaining the information it made publicly available.
  • Re:Heh (Score:2, Insightful)

    by Guido del Confuso ( 80037 ) on Sunday May 29, 2005 @08:16AM (#12669259)
    None may very well be singular (and even that is disputed - see your own link), but it refers to a group - can you therefore not use it in conjunction with a plural verb?

    You can if you want--it's an accepted usage as well. I normally wouldn't though. "None was" sounds perfectly fine to me. A lot of things that are correct may not sound right at first--"the data are" for example.

    By the way, it's not disputed that "none" is singular. If you read the link carefully, you'll see that both the singular and the plural are accepted usages. My point was that the original poster was trying to nitpick a grammar point that was actually the correct (and, in fact, is generally considered the "more correct") usage.
  • by Znork ( 31774 ) on Sunday May 29, 2005 @08:21AM (#12669266)
    "They showed they lack good judgment and a sense of ethics."

    Um, no, they showed curiosity and a certain resourcefulness in finding data. Traits I can certainly appreciate in colleagues.

    Now, HBS and Stanford on the other hand showed a lack of good judgement and a sense of ethics. Their only concern appears to be to save face because they invested in a crap product that apparently doesn't even have proper access control. To blame some applicants to cover up their own incompetence is pretty low.

    "they'd email the Dean of Admissions and ask"

    Where do I send my mail asking if it is ok to access www.harvard.edu? Some guy said you could access their webpage if you typed that into your web browser, but I'm not sure I'm allowed to?

    If you can access it you can assume you're allowed to access it. It is not customary to be required to ask permission for looking at things in plain view.
  • by TheoMurpse ( 729043 ) on Sunday May 29, 2005 @08:24AM (#12669273) Homepage
    Imagine if the email from their friends had said "Your admission status is kept in the filing cabinet in room 306 of the admissions office, and the guy who works in that office leaves the door unlocked when he eats lunch at noon every day."

    No, the correct analogy is
    Imagine if the email from their friends had said "Your admission status is posted in the hall of the Natural Sciences building, indexed by SSN".
  • by djdavetrouble ( 442175 ) on Sunday May 29, 2005 @08:42AM (#12669330) Homepage
    That's trespassing, which people have been killed for.
    Now get off of my property. /wield shotgun

  • by ConceptJunkie ( 24823 ) on Sunday May 29, 2005 @08:47AM (#12669345) Homepage Journal
    A better analogy would be if the filing cabinets were left out in the parking lot.

    If I spray paint my salary on my front door, I can't complain when my neighbors know how much money I make. Even if I do something like "I make $100^2" instead of $10000.

    Was it unethical? I'd have to say yes, but who hasn't hacked URLs if for no other reason than to navigate a poorly designed site?

    I found an online vendor who put the price in the URL. I was able to put items in my shopping basket for any price I wanted. I didn't try to buy them like that, and I notified both the vendor and the maker of the web commerce package.

    Ironically, the vendor did not seem concerned. They figured if someone tried that they would notice.

  • by Xugumad ( 39311 ) on Sunday May 29, 2005 @08:48AM (#12669348)
    Actually, if they had got the same information from the secretary, I would expect them to be punished. It's reasonably obvious they shouldn't have the information, and getting it through trickery is wrong. If they'd simply asked the secretary "Have I been accepted?", and they'd mistakenly told them, that would be different, of course.

    I hate this idea of "It wasn't protected enough, so it's okay". Yes, the website screwed up, but that doesn't mean it's right for the students to have accessed a page they were not meant to.

    Having said that, Stanford really need to make sure the people managing the website realise what went wrong, and why, and never make the same mistake again. There are too many coders out there who don't get simple ideas like verifying user input (let alone the input of hidden fields), and that needs to change.
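
Added example (not part of any comment in this thread, and not ApplyYourself's code): the server-side checks the discussion keeps pointing at, with a decision page gated by session ownership and release time instead of by knowledge of a URL, shown beside the weak pattern. The URL layout, the `applicant` parameter, the session tokens and the records are all assumptions constructed for illustration.

```python
"""Added example: server-side gating of an admission-decision page."""
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Decision:
    status: str
    release_at: datetime  # earliest moment the applicant may see the status


# Constructed sample data: IDs, tokens and dates are made up for this example.
RELEASE = datetime(2005, 3, 30, 12, 0, tzinfo=timezone.utc)
DECISIONS = {
    "1001": Decision("admitted", RELEASE),
    "1002": Decision("denied", RELEASE),
}
SESSIONS = {"tok-alice": "1001", "tok-bob": "1002"}  # session token -> applicant


def _requested_id(url):
    """Extract the hypothetical ?applicant=<id> parameter from the URL."""
    values = parse_qs(urlsplit(url).query).get("applicant", [])
    return values[0] if len(values) == 1 else None


def status_page_weak(url):
    """Weak pattern: the record is returned to anyone who supplies the URL.

    There is no session check and no release-date check, so the only thing
    keeping the decision private is that nobody has been told the URL yet.
    """
    decision = DECISIONS.get(_requested_id(url))
    if decision is None:
        return 404, "not found"
    return 200, decision.status


def status_page_hardened(url, session_token, now):
    """Hardened pattern: every request is authorized on the server."""
    # 1. Authentication: the caller must hold a valid session.
    applicant = SESSIONS.get(session_token)
    if applicant is None:
        return 401, "login required"

    # 2. Ownership: the identifier in the URL is untrusted input. It must
    #    match the session's applicant; a mismatch gets the same 404 as a
    #    missing record, so the response does not confirm which IDs exist.
    requested = _requested_id(url)
    if requested != applicant or requested not in DECISIONS:
        return 404, "not found"

    # 3. Release gate: enforced here, at read time, so a decision stored
    #    early is still not served early.
    decision = DECISIONS[applicant]
    if now < decision.release_at:
        return 403, "decision not yet released"
    return 200, decision.status


if __name__ == "__main__":
    url = "https://apply.example/status?applicant=1001"  # constructed URL
    early = datetime(2005, 3, 2, 9, 0, tzinfo=timezone.utc)
    print("weak, no login, early:      ", status_page_weak(url))
    print("hardened, no login:         ", status_page_hardened(url, None, early))
    print("hardened, other applicant:  ", status_page_hardened(url, "tok-bob", RELEASE))
    print("hardened, owner, early:     ", status_page_hardened(url, "tok-alice", early))
    print("hardened, owner, on release:", status_page_hardened(url, "tok-alice", RELEASE))
```
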
  • Look (Score:2, Insightful)

    by MotorMachineMercenar ( 124135 ) on Sunday May 29, 2005 @08:49AM (#12669352)
    I know cheating is something of a sport these days, often performed almost competitively and without second thought to ethics. But when all the highest rated replies to this story are people defending the actions of those students who gained unauthorized access to that information, that's too much.

    What these (prospective) students did was wrong. Period. They willingly and knowingly gained unauthorized access to information that was not theirs to access. I generally hate analogies but here goes: if these students found a key to their professor's room and snuck in to check on their exam results, do you think there'd be a furor as to whether they are guilty of cheating or not?

    Now, whether that access gives them an unfair edge like cheating in exams does is irrelevant. Also, whether these students knew they were "hacking" or not is irrelevant. I am positive every single one of them knew of how the status of their application was to be informed to them, and I'm positive that didn't include manipulating the URL or getting instant messages from friends about how to do it. Just the act of getting access to these records is the offense.

    The conclusion is that these students deserved the punishment they got. I am also very happy to learn that there are other schools than my alma mater which take honor of their students (and faculty) seriously.

    I'm afraid the reaction to this story on /. is a reflection of the corrupted morals of western nations (and increasingly elsewhere). For many of you cheating through life is an easy way out and a deliberate choice, but I know I will be a better man if I go through my life honorably.
  • Re:Ridiculous (Score:3, Insightful)

    by fbjon ( 692006 ) on Sunday May 29, 2005 @09:06AM (#12669418) Homepage Journal
    Stop right there.

    Ask yourself, did the students do the Right Thing (tm)? Whether or not the admin, the company or whoever did a bad job of securing the information is a separate matter, which should be dealt with separately. The fact is that the students did the Wrong Thing ®, and the university don't want people like that. They don't want people who don't seem to have any moral spine, even though they might be good and intelligent students otherwise.

    A lot of people here seem to have this idea: "If it isn't encrypted, I'm allowed to read it. If it isn't secured, locked down, and guarded by the army, I'm allowed to break in." Or that it's the admin's fault for "letting me break in".

    Wrong, wrong, wrong. The admin may be at fault for not doing his job fully, but that has nothing whatsoever to do with the fact that the hacker has hacked. There are two faults involved, not one.

    Conclusion: if you hack into a system, you have hacked into a system. Don't make irrelevant excuses.

  • by Anonymous Coward on Sunday May 29, 2005 @09:12AM (#12669436)

    Again, there is a right way and a wrong way to get information - people don't expect nor allow others to walk into their office and read whatever they want, even if the door is unlocked.


    The information wasn't in your fucking office - it was published on a publically accessible website. It's exactly the same as posting the results on the side of the building, but not telling all the people standing out the front where to go.
  • by l00sr ( 266426 ) on Sunday May 29, 2005 @09:14AM (#12669447)
    If you wish to register your disgust with Stanford's actions here, you might want to hit them where it hurts. Write other alums, perhaps circulate a petition, and threaten to withhold donations (or maybe just earmark donations specifically NOT to be used for the business school) until it changes its stance. Better yet, tell them you'll give them an opportunity to explain their actions, and that you might reconsider based on how satisfactory their explanation is :).
  • Re:bad precedent (Score:3, Insightful)

    by fbjon ( 692006 ) on Sunday May 29, 2005 @09:17AM (#12669461) Homepage Journal
    I don't think it sets a precedent to anything. Anyone's free to type in any URL they want, but that doesn't mean you should. Just because it's easy to do wrong doesn't justify it. Lack of moral integrity is lack of moral integrity.
  • by ultranova ( 717540 ) on Sunday May 29, 2005 @09:30AM (#12669513)

    What matters is how they got the information - they could have called the school and asked for, for example.

    They got the information from a public web server, by typing an URL into the URL bar of their browser. I fail to see any immorality in this.

    Besides, if they had called the school, it's always possible that whoever answered the phone had not been told that the information was supposed to be secret (why was it secret, BTW?) and would have answered their question. That was exactly what happened, in fact - only the uninformed party was a web server instead of a human being.

    So you can't call and ask, either, without risking immorality ;(.

    Again, there is a right way and a wrong way to get information - people don't expect nor allow others to walk into their office and read whatever they want, even if the door is unlocked.

    Maybe not, but the information was not in your office. It was in a public webserver. If you post your secret documents into the company webserver, don't be surprised if they get read.

    Again, it depends on how you get the information - if someone tells me that you have a file on me in your house, I don't have the right to break in and read it.

    Since no such thing or anything like it happened, what is your point?

    You keep on making the assumption that these people broke into a private machine. They did not. They read a publically available document in a publically available webserver. Absolutely no foul play was involved.

    Stanford fucked up, and is now trying to cover it up by shifting the blame to innocent people. Then again, I suppose that is a good way of teaching today's business practices to them.

  • Re:TFM... (Score:5, Insightful)

    by nharmon ( 97591 ) on Sunday May 29, 2005 @09:48AM (#12669591)
    Bad analogy...here is a better one: Let's say the University had a toll-free telephone number that allowed applicants to find out whether or not they were accepted. The only steps the University takes to protect this information is to simply not publish the phone number. But, it's the same phone number that was used last year.

    Now, why would a student, who was told last year what the correct URL format is to ask for their application status, now be considered an unethical computer hacker because this URL format returned information before the administration wanted it to be released?

    Perhaps we should stop considering URLs to be security devices, and compare them more to telephone numbers.
  • by ultranova ( 717540 ) on Sunday May 29, 2005 @09:51AM (#12669611)

    That's like saying beacuse you're connected to the internet, and your security isn't 100%, it's OK to take a look at what's on your machine.

    No. It's like saying that because I'm connected to the Internet and running a publically available webserver, it's OK to take a look at what's available through that webserver. Replace the webserver with a P2P app, newsserver or whatever, and the point still stands.

    If I publish data, and accidentally publish something I didn't want to be known, that's my fault, not the fault of whoever reads it.

    The schools told the applicants when they would be informed of their decision, and expected them to abide by the timeline;

    You know, just because someone expects someone else to abide by their decision, doesn't in any way oblige that other one to actually do so.

    applying for admission, IMHO, was agreeing to follow the school's timeline and so they should have realized what they did was unethical

    This does seem to come down to opinions, doesn't it?

    You keep on claiming that the information was in a private place, equivalent to home or office, and others keep on claiming that a publicly available document in a publicly available web server is not private by any definition.

    You also keep on claiming that the students had an obligation to follow the school's timeline, and I keep on claiming that no such obligation exists.

    What they did is morally no different than walking through an unlocked door to the admission office, walking unchallenged to a file cabinet and pulling and reading your app.

    One can reasonably expect that a filing cabinet in an office is not meant for public use (although, if I can just walk to it and read the contents unchallenged, there is probably grounds for a lawsuit about breaking privacy laws - is that the real reason for the school's behaviour? Try to label innocent people criminals to destroy their credibility, if they ever decide to go that route?). However, one can just as reasonably expect that a publicly available document in a publicly available web server is meant to be public. If one can't, using the Internet is going to become mighty inconvenient, since one must always ask for permission before using any resource.

    Just because you can do it doesn't make it right.

    But if you go out of your way (run a webserver and post the document there) to make it possible for me, it is reasonable to expect that you meant it for my use.

  • It's sad for the unlucky ones that this happened, but the harsh reality is that smaller mistakes are enough to let your competitors wipe you out in real business. Perhaps they'll learn something valuable from business school after all.

    You're treating them a lot like numbers there... sure, there is plenty replacement for them in this case, but a certain number of the ``hacking'' students were accepted, for valid reasons... those reasons are now being completely ignored, solely because they did something which is not more offending than walking into your teacher's room and checking out what score you have for your test in advance... sure, it isn't nice, and sure, in certain ways it can be seen as a privacy infringement, but is it enough to completely ignore the reasons you initially accepted them?

    Sounds to me the school doesn't know how to handle this situation, and basically are doing this to scare off other potential hacking-attempts, while in fact they should be getting their security straight...

  • Re:Ridiculous (Score:4, Insightful)

    by ebuck ( 585470 ) on Sunday May 29, 2005 @10:04AM (#12669672)
    Funny, some would indicate that if you place your information on a server DESIGNED to publish it through the internet, you have already published that information.

    Hence, even if you fail to adequately advertise that the information is available till a later date, the information is published and available to anyone who does enough diligence in the researching of it.

    By the same reasoning as Stanford would like you to believe, you cannot "find" a book and start reading it, you must first be given the book by its publisher. Basically Stanford is indicating that if there's not a URL on their web page pointing to another web page their server is offering, then the server isn't really offering the unreferenced web page. It's a non sequitur, and Stanford will likely get sued over it, which is why it is so important to demonize the students and mold public opinion before they have a few hundred lawsuits on their hands.

    And if you don't think it won't go to court, consider this. Stanford ACCEPTED these students, which is part of a contract that indicates should the students decide to pay Stanford and perform well in classes, Stanford will provide them with an education at their facilities. Now Stanford is claiming that viewing certain web pages they publish violates this contract. And instead of a person making this blunder on Stanford's part privately (where it is unlikely to cause big problems) he made the statement in the media.

    Stanford is in for some hard education, but I hope that there's not too much Alma Mater out there in the legal field to prevent it from being properly spanked on this one.

    You read this article, did you "Do the right thing?" How do you know that it isn't meant to be public knowledge? Read your argument more carefully, if you concede that "I'm allowed to read it.", then you're allowed. Period. End of story. It's not breaking in if you're allowed. If someone made the mistake of allowing it, they can't call you a criminal afterwards for doing what you were allowed to do.
  • by Anonymous Coward on Sunday May 29, 2005 @10:04AM (#12669673)
    Stanford has absolutely no obligation to accept anybody to their B-school. It is a privilege, not a right. The school has absolutely no reason to accept these applicants who, by their actions, called their own integrity into question when (especially in the case of Stanford) there are hundreds of other extremely qualified applicants.
  • by The Only Druid ( 587299 ) on Sunday May 29, 2005 @10:22AM (#12669743)
    "** i.e. typing a URL into a browser with the hope of finding out information ABOUT YOURSELF - information that, in theory, BELONGS TO YOU. Reminds me of hospital administrators who try to ban patients from reading THEIR OWN CHARTS, as if the medical records belonged to the hospital, rather than to THE PATIENTS THEMSELVES."

    Here's the thing: not all information about you belongs to you. Think about it like this: suppose I know you, and I form an opinion about you. Does my opinion about you belong to you? Do you have some right to demand that I inform you of my opinion? Of course not. These decisions by admissions committees are the same thing: they are opinions about the applicant formed by a private group of individuals. While you certainly have the right to be informed of that opinion within the schedule of the application process, you have no right to demand access to the opinion prior to the contracted release date. What these people did was break into a system to extract private information about them that didn't belong to them.

    The analogy to the medical records is specious at best, and arguably a straw-man (since the analogy fails so much that it may be viewed as an intentional effort on your part to deflect proper attention).
  • by The Only Druid ( 587299 ) on Sunday May 29, 2005 @10:31AM (#12669767)
    No, it's not the same thing at all. The reason is simple: fully conscious and autonomous human agents are intervening causes, ethically speaking.

    These students used non-cognitive systems (the URL parsing system) to illegally acquire information. Your [hypothetical] student used a cognitive system (the person) to illegally acquire information. The difference is that in the former, the student is the only moral agent acting, while in the latter there are two.

    What this means is that the second one is notably less morally culpable. Solicitation of another to commit a morally wrong action cannot possibly be as wrong as the actual commission of that wrong, since to suggest otherwise would mean that one who encourages a wrong action is at least as culpable (which seems counterintuitive).

    In other words, the presence of an intervening cause in the form of an intermediary moral agent must reduce the moral wrongness of whatever the student did.
  • by yagu ( 721525 ) <yayagu@[ ]il.com ['gma' in gap]> on Sunday May 29, 2005 @11:04AM (#12669887) Journal

    Poor security doesn't justify the means. From a referenced slashdot article:

    The Graduate School of Business has rejected all 41 applicants who tried to gain unauthorized access to their application files after an unidentified hacker posted instructions on BusinessWeek's website March 2 about how to access the confidential information.

    This, in my opinion, is really the heart of the issue. I jumped into this discussion a little late, so I haven't had time to read all 150 posts, but what I've read so far I find a little disturbing. There seems to be a common theme that The school had bad security and the hackers were merely (in the words of one comment) asking the right question. I disagree.

    I don't think poorly obfuscated information intended to be kept confidential justifies hackers taking or accessing it, much less publicizing for others how to do the same. It seems unethical to me. And, I know I'm risking big time going down the chute of flamebait and troll modding hell for saying so, but I just think the pervasive "justification" of this hacking many of "us" perpetuates the stereotype of "in your face" behavior just because we know the technology and you (rhetorical) don't.

    The school blew it only in the sense they didn't have much of a mechanism to prevent access, but would we still be saying it was okay if the school had some huge encryption in place to hide data and someone had hacked that? It really isn't that much different. The fact that the school "hid" the information sets the bar high enough to define the standard as to what the hackers did as inappropriate hacking. Just my $.02

  • by fbjon ( 692006 ) on Sunday May 29, 2005 @11:16AM (#12669963) Homepage Journal
    This required more than a mistype...

    You're right though, accessing this url isn't the same as waltzing into the bank vault. That's why they weren't arrested, just merely unwanted.

  • by MichaelPenne ( 605299 ) on Sunday May 29, 2005 @12:03PM (#12670205) Homepage
    at fault?

    If a human admissions officer put the info. on their door, and then hung a sheet of paper over it to 'secure it', would the students be 'hackers' if they lifted the paper up? Now in this case, perhaps the admissions folks really thought the paper was a form of security, it seems like an 'emperor wears no clothes' kind of thing: is the tailor at fault for telling the emperor he was wearing a suit? Is the emperor for not checking it out? In this case we are blaming the people who looked at the emperor and saw him naked!

    Anything that is accessible by an unsecured url is publicly published (it's a 'uniform resource LOCATOR', after all). There was a cognitive choice made at some point to call this system 'secure', --or someone didn't read the manual--and that person is the one who published the information at a public URL.

    The applicants just found the place it had been publicly published before they were told to look there, which hardly seems a 'crime', really it seems more like initiative than anything else.
  • Re:Look (Score:3, Insightful)

    by AK Marc ( 707885 ) on Sunday May 29, 2005 @01:11PM (#12670584)
    I know cheating is something of a sport these days, often performed almost competitively and without second thought to ethics. But when all the highest rated replies to this story are people defending the actions of those students who gained unauthorized access to that information, that's too much.

    What is "cheating?" You equate "unauthorized access" (which is quite funny because to get to their page, they had to enter their username and password, no other username/password from a student or anonymous access was allowed, so they were explicitly "authorized" to see that page) with "cheating." Cheating is manipulating your grade or outcome. If you steal the test before given to gain knowledge of the questions, that is cheating. If you take in notes to aid you while taking the test, that is cheating. If you alter your grade after the test, that is cheating.

    What isn't cheating is seeing your test on the professor's desk, then taking a peek at your test to see what you got before it is handed back.

    They willingly and knowingly gained unauthorized access to information that was not theirs to access.

    It was information that only they (and presumably administrators) could access. They had to be authenticated. The information was information put up on the web site explicitly for them to view. So, I'm curious how it was "unauthorized access" and not information they were supposed to know?

    The best analogy I can come up with out of all this is if a professor left the results of a test out where everyone looking through his window could see them. The first person walking past noticed that he could see his grade, so he let others know that their grades were done and available and you didn't have to wait until they were posted to see them.

    Is it cheating to see your grade on the desk before it is posted? Is it wrong to know something they presented in the final form for your consumption, just that they were careless and left it where everyone could check their own grade early?

    I'm afraid the reaction to this story on /. is a reflection of the corrupted morals of western nations (and increasingly elsewhere). For many of you cheating through life is an easy way out and a deliberate choice, but I know I will be a better man if I go through my life honorably.

    So I guess it was "cheating" when I asked my boss what was going to be in my performance review before HR officially gave it to me. I guess it was "cheating" when I extrapolated this week's movie times to next week to plan activities. After all, learning something that people want you to know is obviously "cheating" if you don't learn of it in some specific arbitrary manner. The real tragedy is the outpouring of moral absolutism. Well, that and the gross misuse of the word "cheating." But that is standard on Slashdot, to misuse a word in order to conjure up more negative images than what really happened. It seems that the schools are overreacting to cover up the fact that they used a service that failed to deliver what they promised. The service used posted the information before it was intended to be viewed. If that is what the schools are upset about, then they need to drop their service, not punish the people that accessed the published information they were supposed to see.

    Just to make it clear:
    They were given access to a site.
    They authenticate to the site.
    They access information that was posted with the intention of them seeing it.
    They are banned because of the timing of seeing the information that was posted for them to see.
  • by siriuskase ( 679431 ) on Sunday May 29, 2005 @02:46PM (#12671113) Homepage Journal
    Your sheet-of-paper-as-security example is the best analogy I've seen yet, except that if it ever happened, I doubt it would be an accident, it would be a test. Any applicant who peeked would deserve to be rejected out of sheer stupidity.

    My speculation is that the security-by-not-so-obscure-URL was actually a mistake, not by the universities, but by the "experts" they hired. If the university administrators thought they needed to hire experts, they can't be blamed for selecting this method of security, they can only be blamed for picking stupid experts, and they can't turn back time and undo someone's mistake. But, they can choose to turn this into an ethics test. I hope that they have also taken recourse against the worthless experts they hired. It wouldn't be fair to the rejected applicants if anyone was allowed to get away with this.
  • by Thomas A. Anderson ( 114614 ) on Sunday May 29, 2005 @03:17PM (#12671299) Homepage
    Let me see if I have this straight....

    1) No hacking or cracking was involved - the information was available to anybody who had a login/password by adding freely available information (again, if one has a login/password) to the url.

    2) No one is claiming that someone viewed admission status for anyone but themselves (except for the sister but that's another story).

    3) No information on the server was changed by the students, simply viewed (ie, admission status was not changed nor could it be via this process).

    4) Some posters are claiming that the students were told they shouldn't do this, but I have yet to read anything supporting this.

    5) In some cases, this act was the sole basis for a denial from the school.

    Simply put, the schools will and should get sued by the students who had their admissions taken away. No law was broken, and no attempt at cheating was made.

    If you put information on the web, it will be viewed. Period. You can bitch and moan all you want about it, but if the information is not protected, it's your own damn fault. Blaming the students is a sad attempt at diverting the focus from the real issue - security by obscurity does not work.
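The distinction this thread keeps circling, between a decision page that is merely unlinked and one the server refuses to serve before its release date, shown as an added example; it is not part of any comment here and is not ApplyYourself's code. All names, ids and dates below are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Decision:
    status: str
    release_at: datetime  # earliest moment the applicant may see the status


# Constructed sample data (hypothetical ids and dates, not from the thread).
RELEASE = datetime(2005, 3, 30, tzinfo=timezone.utc)
DECISIONS = {
    "applicant-1001": Decision("admit", RELEASE),
    "applicant-1002": Decision("deny", RELEASE),
}
AUDIT_LOG = []  # (time, session user, requested id, outcome) for later review


class AccessDenied(Exception):
    """One refusal type, so every denial looks the same to the client."""


def unlinked_url_view(session_user: Optional[str], requested_id: str) -> str:
    """Weak: checks login and ownership only. The status is 'hidden' merely
    because no page links to this URL before the release date."""
    if session_user is None or session_user != requested_id:
        raise AccessDenied("not available")
    return DECISIONS[requested_id].status


def release_gated_view(session_user: Optional[str], requested_id: str,
                       now: datetime) -> str:
    """Hardened: the server itself refuses until release_at has passed."""
    outcome = "denied"
    try:
        if session_user is None or session_user != requested_id:
            raise AccessDenied("not available")
        decision = DECISIONS.get(requested_id)
        if decision is None or now < decision.release_at:
            raise AccessDenied("not available")
        outcome = "served"
        return decision.status
    finally:
        # Record every request, so early lookups are visible to operators.
        AUDIT_LOG.append((now, session_user, requested_id, outcome))
```

With the gate on the server, the timeline is enforced by the system rather than by what applicants happen to know about the URL format.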
  • by Anonymous Coward on Sunday May 29, 2005 @04:37PM (#12671803)
    Agreed. Also try this analogy:

    Flunkee: "Dude, you know that key they gave you to unlock your locker on the 4th floor of the natural sciences building? Well yesterday I accidentally got off on the fifth floor, but I didn't even notice because everything looked the same."

    A-student: "Does this story have a point?"

    F: "Yeah, well ok so I walked down to what I thought was my locker on the 4th floor and I tried my university-issued key. Guess what? It worked!"

    A: "Woah! That's cool. Whose locker was it then?"

    F: "That's the weird part: it's apparently a faculty locker for storing exams after they're graded but before the mandatory 30 day waiting period has expired."

    A: "So you got to see your test score? Sweeeeeet! How did you do?"

    F: "I got another F, so I think I'm going to drop out of school now instead of waiting 30 days."

    A: "That's too bad, man. Hmm. You said 5th floor, right? I need to go see if I kept my perfect 4.0. My parents will kill me if I got a B, so I could use the time to make up a good excuse."


    p.s. I've noticed a sudden deterioration in the CAPTCHA font legibility. If it gets any worse, I'm not going to be able to pass as a human. :(
