Stanford Rejects Business School Hackers 406
robbarrett writes "The Stanford Report offers the next chapter in a continuing story about business school applicants manipulating URLs on the ApplyYourself system to determine their personal admission status. Harvard immediately rejected the 'hacker' applicants, but Stanford gave 'offenders' the opportunity to defend their actions. However, none of the competitive applicants 'was able to explain his/her actions to our satisfaction,' according to Stanford's dean, so all were rejected. The story mentions the decisions reached by other schools involved in the mess."
Only one reply is possible. (Score:5, Interesting)
I pledge, the next time I hear of such a possible exploit, to rip as much information from the system as the website gives me permission to retrieve. Every bit of it -- I shall construct scripts, pore over forums, and create a list of possible students whose data I will then attempt to extract.
Additionally, with these links in hand, I shall paste them to random places on the internet, and specific places such as the most likely forums to find such students. I will also disguise their nature and essence, so that users will not know what they click on until it's too late.
So the next time Stanford comes calling, you go ahead and /blame me/. I could've been the one to do it, after all. You don't know I didn't. They don't know I didn't.
Or they could just accept that their own goddamn marketing department creates an illusion of prestige, and that people with a limited amount of time to waste on non-responsive colleges /sitting on/ important information like that are going to want to know who to stop wasting time on, and that if they don't like it they can /fix their fucking permissions/. Do they not know any decent webapp programmers? Who've they been graduating?
Re:If they had been Comp Sci students.... (Score:2, Interesting)
It seems pretty obvious these folks knew what they were doing. Its requires pouring through a sites source code to extract sensitive info and writing down ids to basically get into a system they obviously didnt have official access to.
As analogy lets assume during the day at a bank the vault is unlocked with access to those who are permitted but with no guard watching the entrace. OK, yes we should assume the bank is very stupid for not guarding it, but if someone walks in and takes off with a bunch of cash are they innocent?
Dont think so. Instead of stealing cash, these would-be students steal information. They got what they deserved.
URL "hacking" court case (Score:2, Interesting)
White/Grey/Black Hats..... (Score:1, Interesting)
Not only does this sound idiotic, but this gives the potential "good guys" more reasons to be "bad guys" (AKA Black Hats.)
The best course of action would be to accept these students, train them in the ways of ethical hacking, then give them a degree and place them in a field where they would be useful (There are many subdivisions of White Hats/Grey Hats/Black Hats, depends on the subject matter/programming language.)
By not accepting these bright minds, and giving them the education/tools they need for a decent and "acceptable" life, not only are they throwing away the security of the next generation, but IMHO, they're encouraging the proliferation of a more negative generation of problems. While, to some point, this may be economically sound (Can't have good hackers without bad hackers, right?) I fail to see how in the short term (our current generation's economy) where this will be beneficial. These people will to some degree inherently cause problems for us if they don't have the ethical presence of mind to know what's "Good" hacking and "Bad" hacking.
Again, I cannot stress how much Stephen Levy's "Hackers" should be a guiding book for these pupils. They'll learn exactly the original and "true" reasons for hacking. Information must remain public, asides that which is detrimental to any or many members of our society. Were this book a piece of core curriculum for college students, we'd have less problems as it is now, notwithstanding other unethical hackers from the USSR or China, or the Phillippines.... (No, I'm not just listing those out of spite, they're the proven most common occurances of unethical hacking recorded as far as countries go.)
Re:If they had been Comp Sci students.... (Score:3, Interesting)
Time and knowledge can always be used to advantage. Not only might a school end up bleeding out a little more just to keep enrollment up to par, but the students who peeked might be more able to scrounge up the leverage to get a bigger piece of the pie.
Re:Unfair treatment (Score:3, Interesting)
Exactly. And you'll gotta love Stanford for the playfulness.
Reminds me of a philosophy professor of mine who would put "extra credit" at the bottom of his tests like, "'If one swallow does not a summer make', how many do?"
Re:Heh (Score:3, Interesting)
Of course, common usage isn't everything, but it is what eventually defines a language.
Jw
Re:If they had been Comp Sci students.... (Score:2, Interesting)
As a more apt analogy, how about this. The same bank vault has a guard positioned at the front, who checks your identification (ie, you enter your login and password). You enter, and open your safety deposit box (ie, access your account). You then read a paper which someone placed in your box, and thus implicitly giving you access to it. This paper is an internal bank memo which they placed in everyone's deposit boxes for whatever reason, and then they still would expect you not to read it. After reading this memo the bank informs you that because of this illicit reading your application for a mortgage has been declined. Now granted, you could get a mortgage from another company, but it might be at a higher interest rate or require you to put down more of a deposit(ie, you end up going to a crappier or more expensive school). Now doesn't that seem a little extreme just for reading a document someone put in your box?
Re:If they had been Comp Sci students.... (Score:3, Interesting)
Yes, dear god yes it is. This is a serious ethical issue: these people felt there was nothing wrong with knowingly violating security measures.
And to what extend did they indeed know they were violating security measures ?
It could easily be mistaken for something very innocent, like guessing each other's hotmail passwords and such... i know a lot of kids who do that, is that unethical enough to deny them from a school application too ?
Think about it this way: if they'd been arrested for a drug bust, they'd have been excluded also, despite their previously valid acceptances. The difference is only the specific misdeed; there's no question that some misdeeds nullify the entire application.
Comparing an url modification with getting busted for drug posession really removed a lot of credibility from your post, I'm sorry...
Slashdot doesn't know the definition of hacking? (Score:1, Interesting)
Acording to dictionary.com, hacking is "To gain access to (a computer file or network) illegally or without authorization: "
Just type "What is hacking" in google, and you get all kinds of definitions
"Unauthorized access to or use of data"
"Unauthorized use, or attempts to circumvent or bypass the security mechanisms of an information system or network"
"The unauthorized access to a computer system."
Doesn't take a rocket scientist to figure what what it means to hack into a computer. From everything I can tell, they got access to this data and knew it wasn't unauthorized. Yea Stanford was being a dick by kicking them out for something that "we" in the computer biz would blaim the site for, and yea lost of "us" look much lighter upon "hacking" than "cracking", but there is no question in my mind the students accessed data that stanford had not authorized them to access.
Just because it's easy to do doesn't make it ok.
I didn't peak (Score:3, Interesting)
Due to the staggered and overlapping notification dates, it would have been extremely helpful to know results in advance. Imagine the scenario of being accepted to one school with your deposit deadline due before being notified if you got into your preferred, but more difficult to get into school. Do you pass on sure thing behind door #1 or skip it for a chance at door #2? When you're facing relocation and close to $100,000 of expenses (with no income) over the next two years you want to make as informed a choice as possible. So I understand the desire to get the extra information.
HOWEVER, these are business schools. They all have a huge emphasis on ethics and take it very seriously (especially over the past several years due to high profile scandals). As soon as I saw the news I knew it would end badly for peakers. No matter if you believe it was acceptable or not to peak - as a business school candidate you should have realized peaking could get you into trouble.
I found it amusing that the b-school(s) gave the accused an opportunity to defend their actions. It almost implies the ethics violation would have been tolerated had the candidate been persuasive enough to talk their way out of it.
Students should seek legal action (Score:1, Interesting)
from the ApplyYourSelf legal notice [applyyourself.com].
"If you do choose to provide us personally identifiable information, you can be assured that its sole purpose will be to support your customer and/or potential employee relationship(s) with ApplyYourself."