Princeton Hacks Yale, Harvard Not Surprised

Semji Rkim writes: "Yale Daily News is running a story of several occasions in which Princeton officials entered the Yale Online website and viewed admissions decisions. Princeton officials claim they were simply researching security for their own website. Reportedly the website, on initial log-in, would show applicants either a congratulatory fireworks display or a rejection notice. Princeton officials informally mentioned that they had accessed students' records on Yale's admissions site at an Ivy League deans' conference. The Yale website apparently used names, birth dates, and social security information as unique identifiers to allow access to the site. They are considering adding a PIN in the future."
  • by CaseyG ( 97275 )
    Zero comments, server overloaded. Did someone beat /. to the punch?

    Any mirrors out there?

    -c.
    • I saw this article on fark earlier today, maybe they're partly responsible. Here's a link to the msnbc article: http://www.msnbc.com/news/785677.asp?0si=-
    • Re:Wham! (Score:1, Informative)

      by Anonymous Coward
      Zero comments, server overloaded. Did someone beat /. to the punch?

      As of 7:00 EDT, Drudge Report [drudgereport.com] has a link to it. That's probably what "slashdotted" it.

    • ARTICLE HERE (Score:1, Redundant)

      Princeton officials broke into Yale online admissions decisions
      Yale to inform law enforcement officials of alleged network, privacy breach
      BY ELISE JORDAN AND ARIELLE LEVIN BECKER
      Staff Reporters

      Princeton admissions officers gained repeated, unauthorized access to the admissions decisions of 11 Yale applicants in early April by exploiting Yale's new online admission notification system, Yale and Princeton officials said Wednesday.

      A security report drafted by Yale's Information Technology Services showed that Princeton officials viewed Yale admissions decisions -- in several cases before applicants learned whether they had been accepted -- by inputting the applicants' birth dates and social security numbers to bypass Yale's security measures.

      Yale General Counsel Dorothy Robinson said the University considers Princeton's actions an abuse of the private information students provided on their applications, a violation of Yale's computer network, and possibly a breach of several criminal statutes. Robinson said the University will consult law enforcement officials Thursday and notify all the affected applicants of Princeton's actions.

      "We do believe there was a very serious violation of the privacy of the individuals," Robinson said. "It is a matter which we believe law enforcement should be informed about."

      Stephen LeMenager, a dean of admissions at Princeton, characterized Princeton's use of Yale's Web site as an innocent way to check whether the site was secure by using a random sampling of students whose social security numbers were listed on their applications to Princeton. He said he did not know why certain records were accessed several times.

      Yale officials said they learned of the security breach in June, after Princeton officials informally mentioned that they had accessed students' records on Yale's admissions Web site at an Ivy League deans' conference.

      Yale then commissioned an investigation, which found records of 18 separate log-ins to the site from Princeton computers, accessing the information of 11 applicants. Fourteen of the log-ins were traced to four different computers at the admissions office.

      In four cases, applicants did not view their sites -- or admissions decisions -- until after they had been accessed by computers at Princeton.

      Alexander Clark '04, who developed the admissions Web site and prepared the security report for Yale officials on June 20, said he double- and triple-checked data in his report. Clark said members of Yale's Information Security office also reviewed and signed off on his findings.

      The Web site, which was launched by the admissions office in December, was designed to allow applicants to access their admissions decisions online using their names, birth dates and social security number as passwords.

      Upon the first log-in, accepted students were greeted with a display of virtual fireworks. Rejected students also received notification. After the first log-in, the decision screen no longer appeared, making it unclear to a student whether they had been admitted or denied admission.

      Students were able to provide information about themselves, including extracurricular interests and a personal profile. By logging in, Princeton officials had access to those students' records and profiles.

      Princeton could face legal action as well as a loss of funding if the allegations are proven.

      The university could potentially lose its limited amount of federal funding if it is found to have violated the Family Educational Rights Privacy Act -- commonly known as the Buckley Amendment. The Buckley Amendment was designed to safeguard student information, and experts said the use of student social security numbers and access of protected information for Yale applicants may constitute a legal infraction.

      Jennifer Granick, the litigation director for the Stanford Law School Center for Internet and Society, said Princeton could also be sued for accessing Yale's Web site accounts without authorization.

      Granick said that requiring a name, birth date and social security number to access the Web site could legally be construed as meaning anyone with those three pieces of information could log in. But she added that the presence of a disclaimer screen, which warned users of the site that it was only intended for the personal use of the applicant, made Princeton officials' use of the site vulnerable to a lawsuit or even criminal charges.

      Granick said the standard for criminal charges included proof of criminal intent, and to be charged criminally in the federal system, someone would have to have caused $5,000 worth of damage. LeMenager said he and his colleagues meant no harm in accessing the information, and instead were attempting to assuage their own concerns about Web site security.

      "It was really an innocent way for us to check out the security," LeMenager said. "That was our main concern of having an online notification system, that it would be susceptible to people who had that information - parents, guidance counselors, and admissions officers at other schools."

      Harvard's director of admissions, Marlyn McGrath Lewis, said she was not surprised there had been unauthorized access to Yale's Web site.

      "Any system that could be cracked, I think will be," McGrath Lewis said.

      Clark, the designer of Yale's system, defended the security of the admissions site, and said security is only as good as the password. He said the passwords were chosen because of their "personally identifiable nature."

      He added that he expects Yale will use a similar notification system for the Class of 2007, but will require personal identification numbers to access the information. Robinson said Yale's Web site was secure, and that no other breaches of security had been recorded.

      "We did take a broader view and a broader look at the security of the system and we did not find evidence of any similar break-ins or wrongdoing," Robinson said. "So in other words, the activity that happened from Princeton was unique."
    • The index page (which isn't slashdotted) has the article. http://www.yaledailynews.com/ [yaledailynews.com]
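The audit described in the article (18 log-ins from one institution's computers touching 11 applicants, some before the applicant's own first view) can be reproduced from an access log. The following is an added example, not code from Yale's report or from any commenter; the log format, field names, thresholds and sample records are constructed, and the IP addresses are documentation ranges.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, source IP, applicant account, result.
SAMPLE_LOG = """\
2002-04-03T09:12:00 198.51.100.14 applicant-0007 OK
2002-04-03T09:15:00 198.51.100.14 applicant-0012 OK
2002-04-03T18:40:00 203.0.113.80 applicant-0012 OK
2002-04-04T10:02:00 198.51.100.22 applicant-0031 OK
2002-04-04T10:05:00 198.51.100.22 applicant-0007 OK
2002-04-04T20:11:00 192.0.2.5 applicant-0044 OK
2002-04-05T08:30:00 203.0.113.9 applicant-0050 OK
2002-04-05T11:47:00 198.51.100.14 applicant-0050 OK
2002-04-05T11:49:00 198.51.100.14 applicant-0099 FAIL
2002-04-06T07:20:00 192.0.2.77 applicant-0031 OK
"""


def parse(log_text):
    """Return events as (time, ip, account, succeeded), oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, status = line.split()
        events.append((datetime.fromisoformat(ts),
                       ipaddress.ip_address(ip), account, status == "OK"))
    return sorted(events, key=lambda e: e[0])


def source_network(ip, prefix=24):
    """Collapse a host address to its network so that several machines
    in one office are counted as a single source."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_multi_account_sources(events, min_accounts=3, prefix=24):
    """Networks whose successful log-ins span many distinct applicants.
    A genuine applicant's home network should only ever open one or two."""
    accounts = defaultdict(set)
    logins = defaultdict(int)
    for _, ip, account, ok in events:
        if ok:
            net = source_network(ip, prefix)
            accounts[net].add(account)
            logins[net] += 1
    return {str(net): {"accounts": sorted(seen), "logins": logins[net]}
            for net, seen in accounts.items() if len(seen) >= min_accounts}


def first_viewed_by_flagged(events, flagged, prefix=24):
    """Accounts whose very first successful log-in came from a flagged
    network, i.e. the decision was seen there before the applicant saw it
    (assuming the applicant's own log-ins come from elsewhere)."""
    first_source = {}
    for _, ip, account, ok in events:  # events are already time-ordered
        if ok and account not in first_source:
            first_source[account] = str(source_network(ip, prefix))
    return sorted(a for a, net in first_source.items() if net in flagged)


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    flagged = find_multi_account_sources(events)
    for net, info in flagged.items():
        print(net, info["logins"], "log-ins,", len(info["accounts"]), "accounts")
    print("first viewed from flagged network:",
          first_viewed_by_flagged(events, flagged))
```

Shared networks such as a school computer lab will also aggregate several applicants, so a hit is a lead for review rather than proof of misuse.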
  • All Info (Score:2, Interesting)

    by TheDick ( 453572 )
    The other school someone had applied to would have access too.

    Fucking shady.

    And then, the people Harvard Rejected, Princeton could offer enrollment to, without fear of losing to the rival......

    Makes your numbers look good to have everyone you accept enroll....
  • by Anonymous Coward on Thursday July 25, 2002 @07:14PM (#3954939)
    Just because you can do something with technology doesn't mean you should.
    • But if you're going to do it, do it right.

      I'd like to point out that if it's done right, making acceptance/rejection notification available online is a perfectly worthwhile and beneficial use of technology. Applying for college is very stressful and people want to know as soon as possible when a decision has been made. In fact, they often need to know in order to make future plans.

  • by tg_schlacht ( 570380 ) on Thursday July 25, 2002 @07:15PM (#3954946)

    Yaledailynews has met its doom. Slashdotted that is.

    The Yale website apparently used names, birth dates, and social security information as unique identifiers to allow access to the site. They are considering adding a PIN in the future.

    Maybe they could use a credit card number as a PIN. Then it could be a one-stop shop for the lazy identity-thief.

  • Well, that's what you get when you put a bunch of clever people together - sneaky but interesting solutions to problems such as this.

    If anything, it shows that the guys at Princeton can 'think outside the box' more than those at Yale.

    I'm impressed.
  • by unicron ( 20286 ) <unicronNO@SPAMthcnet.net> on Thursday July 25, 2002 @07:16PM (#3954957) Homepage
    Sideshow Bob: Are you still angry about being kicked out of clown college?

    Cecil: I'll thank you not to refer to Princeton that way.
    • Wrong....

      the _correct_ quote is:

      Sideshow Bob: "You wanted to be Krusty's sidekick since you were five! What about the buffoon lessons, the four years at clown college."
      Cecil: "I'll thank you not to refer to Princeton that way."

      - "Brother From Another Series", The Simpsons Episode 4F14

      Thanks to Springfield Nuclear Power Planet [snpp.com]

      • which is pretty funny considering the "harvard is not surprised" cracks above. and considering how many Simpsons writers went to Harvard (ever wondered why Burns is a Yalie?)

        one of my favorite simpsons quotes

        one of the most pathetic attempts at security of information online ever. in many states, you could find out someone's admission status simply by looking at their driver's license (the number in some states is their SSN by default). pathetic.

  • by Anonymous Coward on Thursday July 25, 2002 @07:17PM (#3954963)
    Here's the original article:

    HTTP/1.1 Server Too Busy

  • Nice (Score:5, Funny)

    Reportedly the website, on initial log-in, would show applicants either a congratulatory fireworks display or a rejection notice.

    Fireworks? What's their rejection notice, then? Top rejection notice graphics:

    -- Picture of Nelson saying "HA! HA!"
    -- Picture of McDonald's and link to "Hamburger University"
    -- Picture of funeral with the casket labelled "your future" slowly being lowered into ground
    -- The Dell guy saying, "Dude, you're goin' to Community College!"

  • working link! (Score:3, Informative)

    by joedoe ( 12577 ) on Thursday July 25, 2002 @07:21PM (#3954986)
    you might want to link to this [yaledailynews.com]--the "high traffic" version of the article, since it actually works.
  • MSNBC.com story (Score:3, Informative)

    by SoCalChris ( 573049 ) on Thursday July 25, 2002 @07:21PM (#3954991) Journal
    Here is the story on MSNBC.com.

    http://www.msnbc.com/news/785677.asp [msnbc.com]
  • Princeton: "Ha! We'll show those lousy Yale folks! Let's hack into their admissions website and accept the people they reject! That'll teach 'em!"

    Yale: "Those no-good ruffians at Princeton! That's it, we'll publish a scientific paper criticizing Princeton's actions as philosophical proof of their inferiority! That'll teach 'em!"

    Meanwhile, at, say, UT-

    UT: "OU beat us in football! Let's steal their president and shave him bald! That'll teach 'em!"

    OU: "That's it! Let's burn down their stadium! That'll teach 'em!"
    • by Anonymous Coward
      OU: "That's it! Let's burn down their stadium! That'll teach 'em!"

      Good thing UT didn't tangle with Texas A&M. You could have crispy Aggies all over the UT quad.
  • Security? (Score:3, Insightful)

    by hoowee ( 581244 ) on Thursday July 25, 2002 @07:22PM (#3954997)
    Names, birth dates, and social security numbers? So they're saying they didn't use any sort of security on the site, then. Hmmf.
  • by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Thursday July 25, 2002 @07:25PM (#3955009) Journal
    Just think... if they had notified the Attorney General's office it would have been legal. Well. In a few months.
  • by anthony_dipierro ( 543308 ) on Thursday July 25, 2002 @07:25PM (#3955010) Journal
    This way stupid schools won't be tempted to use them as security codes.
    • What makes you think that'd stop them?
    • Preach on, brother. We were partially successful at convincing the admissions folks that I work with not to use SSN's like this.

      I think the people who work with student records, of all people, should realize how insecure SSNs really are. To their credit my co-workers did consider the issues and adjust the policy, but I don't think they'd have thought of it if we hadn't been persistent. (Even more scary, the company that created the software assumed that SSNs would be used and was puzzled when we decided against it.)

      Schools have to be especially careful where privacy is concerned. FERPA, the Family Educational Rights & Privacy Act (aka the Buckley Amendment) limits the release of many kinds of academic information.
    • It's a good idea. It's now so easy for malicious types to get your SSN that companies, the government, banks, etc. shouldn't be using it as an ID (wasn't that supposed to be illegal anyway?). If SSNs were published publicly, they'd have to move to something a little more secure.
  • "hack" (Score:5, Interesting)

    by jd142 ( 129673 ) on Thursday July 25, 2002 @07:28PM (#3955034) Homepage
    How many times have people here wailed at the non-tech press for using the word "hack" to describe what most would technically term a "crack"? Well if you ever actually read the article, you'd see that Princeton didn't hack or crack. They used the ssn and birthdate supplied to them by their own applicants to access Yale's pages. In other words, they had the users' login and passwords and used them. Not a hack, not a crack. Thoroughly evil of course, but "merely" a lie.
    • How many times have people here wailed at the non-tech press for using the word "hack" to describe what most would technically term a "crack"?

      Sorry, but the press is right and all of you are wrong. From the Jargon File [tuxedo.org], sense 8:

      [deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence `password hacker', `network hacker'. The correct term for this sense is cracker.

      The problem with this is that the use of "hacker" as someone who breaks into computer systems WAS one of the original uses of the word. I don't recognize ESR's authority to "deprecate" the meaning of the word for his or anyone else's little ego reasons.

      That's one of the word's original computer uses. Get over it.

      • Re:"hack" (Score:4, Informative)

        by theLOUDroom ( 556455 ) on Thursday July 25, 2002 @07:43PM (#3955127)
        Actually the term hacker originally had nothing to do with unauthorized use of computer systems. It's a very old term (>20yrs). Read about it.
        You don't know what you're talking about. Get over it.
        • Fine, give me a reference that shows that the usage of hacker was NEVER breaking into computer systems back in the 70s. I gave you a reference that shows that it was (which is why it's in the Jargon File).

          And by the way, I've used it in that meaning since the early 1980s. Hey, maybe it was invented right then! Maybe I invented it!

          But if you have something other than a unilateral declaration, go for it.

          • I didn't want to get into the jargon file and what is the "correct" usage of hack/hacker when I made the original comment. I was trying to point out the double standard. Slashdot can use "Hack" in a headline but if cnn or foxnews said that a hacker was arrested for stealing credit card numbers, people would be all over them for misuse.

        • But for the past 20-25 years it's been primarily used to refer to unauthorized use of computer systems. Only in the past 5 or so years have some people been trying to resurrect the original (long since obsolete) usage, which is about as likely to be successful as convincing people that "gay" merely means "happy" and has nothing to do with homosexuality.
      • Re:"hack" (Score:5, Insightful)

        by jd142 ( 129673 ) on Thursday July 25, 2002 @08:32PM (#3955373) Homepage

        ESR's authority to "deprecate" the meaning of the word for his or anyone else's little ego reasons.

        The correct term is amelioration - the changing of the definition of a word to a better connotation. Happens all the time in the world. ESR doesn't have the authority, but users of the language do. The opposite is pejoration. Examples of amelioration are praise (originally a synonym for appraise), knight (originally a servant), and earl (originally just a man). More examples of amelioration and pejoration are left as an exercise for the student.

    • Guess I got to agree with you here. When I saw the title, I thought "Cool, two colleges playing pranks on each other."
    • How many times have people here wailed at the non-tech press for using the word "hack" to describe what most would technically term a "crack"?

      Exactly! Here I thought Princeton was "[exploring] the basements, roof ledges, and steam tunnels of a large, institutional building, to the dismay of Physical Plant workers and (since this is usually performed at educational institutions) the Campus Police!"

    • It's hardly a secret that these universities collude to set admissions standards, numbers of seats available and, of course, prices. What's interesting, and more than likely fictional, is that they had to go to any real trouble to get the information.
  • I thought students sent information to Yale, and then Yale responded by accepting or rejecting them. There's no opportunity in that transaction for Yale to give the students a PIN.

    If there's a Yale form they have to fill out, then Yale could print a random PIN on every form (and require students to remember it). Hum, but what if the students forgot to copy down their PIN? Perhaps that would be an extra screening, Yale would only accept students who could keep track of your PIN?
    • They could do it that way, or they could have the student select a PIN on their admission form, just add an extra box that says "Enter PIN for online acceptance checking here." Keep in mind that this isn't *required* to find out whether or not you get in, so if someone forgot their PIN, it wouldn't be the end of the world...they'd just have to wait the extra week to get it in the mail. The online version is just for impatient students.
    • Rutgers University asks the applicant to pick a PIN in the application. The prospective student can then check their application's status on the web site using their social security number and PIN to log in.
  • Yale: I say ol' chap it appears you have been poking around in our computers. We can't have you hacking away at our students while they are playing tennis now can we?

    Princeton: Good show on that discovery my dear friend. We just simply couldn't resist seeing how similar our credit card transactions were, I dare say we are quite alike in many respects.

    Yale: Alright then, as long as it's in good fun. I must be getting back to my weekly spa. Ta ta!
  • I wonder if the Princeton Officials will be arrested for cracking in to the site. After all, they did gain unauthorized access to the Yale site. I believe that is against the law now. Hmmm.

    This could be interesting.

  • I would think that using someone's SSN to access something meant for them alone would be an illegal invasion of privacy. I could also see this as a gag some dumb office employees started when they realized that many people apply to the same universities. Or maybe the application form just asks for other schools they apply to.

    -Sean
  • MIT (Score:5, Interesting)

    by inburito ( 89603 ) on Thursday July 25, 2002 @08:04PM (#3955238)
    Fortunately MIT does this a little differently and slightly more hacker proof. They don't rely on any publicly (to any admissions office) available information but assign you with a unique 9-digit id number from the beginning of the application process and all of your online information is tied to this id.

    I should point out that you can only view your status (summary of received documents and final decision, nothing else) if you have this id and a last name but to actually update and change information on their information system you require a kerberos identity, the passphrases for which are sent (regular mail) after you're confirmed and accepted admission. I recall that the initial id-number is sent to you via regular mail with a confirmation that they received your application and assigned an interviewer etc.

    Basically as long as you're not a complete moron (I think it is safe to assume this if you have been admitted to MIT) you're probably not going to give out your ssl-certificates or give out your id/uname/pw-combo plaintext over internet (and if you do you're totally responsible for all the misuse - they're not going to clear your name).

    So I suppose MIT beat all the other ivy-league schools with respect to not getting hacked but then again what should you expect from the home of "hacks". [mit.edu]
    • Re:MIT (Score:3, Interesting)

      Fortunately MIT does this a little differently and slightly more hacker proof. They don't rely on any publicly (to any admissions office) available information but assign you with a unique 9-digit id number from the beginning of the application process and all of your online information is tied to this id.


      This is what all schools should be doing. If an institution receives public funding, they are required to abide by FERPA, Family Education Rights and Privacy Act. This Act prohibits disclosure of personally identifiable information without written consent. So anytime your local university distributes a class roster with SSN's, any time they print an SSN on your University ID, or any time they use your SSN as an identifier for you in a campus wide database system, that is a violation of FERPA. For some reason, most universities ignore this. http://www.privacyrights.org/fs/fs10-ssn.htm
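A sketch of the alternative discussed in this thread: an institution-issued random identifier plus a PIN, neither derived from the SSN or birth date. This is an added example, not MIT's, Yale's or any vendor's code; the class name, the 8-digit PIN length, the PBKDF2 round count and the five-failure lockout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000   # assumed work factor for this example
MAX_FAILURES = 5          # assumed lockout threshold


def _hash_pin(pin, salt):
    """Slow, salted hash so a leaked table is not a list of PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class DecisionPortal:
    """Hypothetical admissions-decision store keyed by issued credentials."""

    def __init__(self):
        self._records = {}

    def enroll(self, decision):
        """Issue a random 9-digit ID and 8-digit PIN for one applicant.
        Both are returned once (to be mailed to the applicant); only the
        salted hash of the PIN is kept."""
        while True:
            applicant_id = f"{secrets.randbelow(10**9):09d}"
            if applicant_id not in self._records:
                break
        pin = f"{secrets.randbelow(10**8):08d}"
        salt = secrets.token_bytes(16)
        self._records[applicant_id] = {
            "salt": salt,
            "pin_hash": _hash_pin(pin, salt),
            "failures": 0,
            "decision": decision,
        }
        return applicant_id, pin

    def view_decision(self, applicant_id, pin):
        """Return the decision, or None on any failure. The caller cannot
        tell an unknown ID from a wrong PIN or a locked account."""
        rec = self._records.get(applicant_id)
        if rec is None:
            _hash_pin(pin, b"\x00" * 16)  # spend the same effort as a real check
            return None
        if rec["failures"] >= MAX_FAILURES:
            # Locked: a short numeric PIN is only safe if guesses are limited.
            # Unlocking needs an out-of-band reset, not modelled here.
            return None
        if hmac.compare_digest(_hash_pin(pin, rec["salt"]), rec["pin_hash"]):
            rec["failures"] = 0
            return rec["decision"]
        rec["failures"] += 1
        return None


if __name__ == "__main__":
    portal = DecisionPortal()
    applicant_id, pin = portal.enroll("admitted")
    print("issued:", applicant_id, pin)
    print("with issued PIN:", portal.view_decision(applicant_id, pin))
    print("with a birth date:", portal.view_decision(applicant_id, "19840101"))
```

Another admissions office holding the applicant's name, birth date and SSN learns nothing usable here, because none of those values is an input to the log-in.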
  • Yale seems to be acting like Princeton 'hacked' into their computer but in fact they set up a system that was 'secured' by information that just about anybody would have, particularly any other university that the student had also applied to. And who would think that students would apply to both Yale and Princeton? The ones who should REALLY be embarrassed is the school that set up their admissions approvals so that just about anybody could see them and then reply only that they are 'considering' adding a PIN number. Sorry, but if you put your data on a billboard it is not 'hacking' if other people see it.
  • by Valen Faerlwynd ( 452091 ) on Thursday July 25, 2002 @08:17PM (#3955317)
    I'm starting college in the fall, at Southern Polytechnic University. Going through the registration process (which they had us do entirely online [from the campus computer lab]), I noticed a few things that left me, well, disquieted to say the least, paranoid to say the most. To login required a username and PIN. The username was of course your student ID number. Unfortunately, your student ID number is *pause for dramatic effect* your social security number. And the PIN's not much better. A six digit number initially consisting of...guess. Yup, the student's birthdate. Needless to say, first thing I did was change my PIN. Just wish we didn't have to toss our SSN around so much. If you think I'm overly paranoid, well, you have a knack for discerning the obvious.

    Love and Peace,
    Valen
    • Blockquoth the poster:
      Unfortunately, your student ID number is *pause for dramatic effect* your social security number.
      I am no lawyer but I believe you have the right (Buckley amendment?) to force your school to issue you a new, non-SSN number.
    • I've been a student at two state schools (OSU and Kent), and both do exactly the same thing: your student ID is your social security number, and password is your birthday. Alternately, your username is first initial + last name, and your password is your social security number.

      Maybe if the schools treated your ssn as something even remotely private, it wouldn't be so unnerving. However, your ssn is your sid, and your sid is _everything_. "I'm not a man, I'm a number!" They might as well tattoo it to our foreheads. It's printed on our school id/debit cards, which we casually hand to local stores/restaurants. Any of them could be discreetly copying them down for their own nefarious purposes.

      I once even received a letter from the school (financial aid info, I think) that had my social security number printed right on the envelope's address label - in plain sight for all to see! At least it wasn't identified as such, but that's not a huge comfort.

      Point is, schools really need to stop using our ssn's as a personal identifier. How hard is it to generate a new random number for each student?
    • Blame SCT [sctcorp.com], the people who make the student records system (Banner) that SP uses. While the decision to use SSN or whatever else for ID (an oracle VARCHAR2(9) field), the system forces you to use a 6 digit numeric pin.

      Why?

      Because they also have a voice response system (you know - press 1 for this) that you can remotely access your info, and this is why they have such a weak password.

      When they added the web product after the VR product, they should have added another field for a stronger password instead of just using the same table for all third party access.

      Now...on a different note, SCT's product is true open-source. Any of the database procedures, C/COBOL programs, forms, etc... all come as source and you have to build them on your system. Any school using this could modify the login to use anything (some have to use LDAP and other schemes).

      The only problem that keeps most places from doing this is that when you get upgrades/patches (and there are a lot) you have to make sure it doesn't wipeout/replace your customizations. Kind of a pain, but for some things like this it's worth it.

      But here is a great way for open source to work - it's a ridiculously expensive package (and a huge one) but you have all the source and can fix things without having to wait for a vendor patch.

      This has helped form a community of users who freely share info, mods, etc... and the company regularly looks at what has been done and accepts patches/fixes, etc...

      Imagine that being done with other popular programs - I'd feel a lot safer using Outlook Express - how hard could it be to add a menu item saying "ignore all html and scripts"
  • by patrick146 ( 246559 ) on Thursday July 25, 2002 @08:28PM (#3955353)
    I work for UC Santa Barbara [ucsb.edu], and I've seen a lot of this before. We force users to select usernames and passwords, and until recently, did not encrypt the users' passwords in our database. Just out of curiosity, I tried using the applicants' username/password on the e-mail accounts they entered.

    Sure enough, I was able to access many of the e-mail accounts. I quickly stopped, realizing that some of these people probably also used the same username/password combinations for their bank accounts, etc.

    Now, when users log in, an MD5 hash is compared against the hashed password in the database.

    Many of the people were Hotmail users. Just think when your .NET Passport is also your bank and credit card authentication, or your NationalID card authentication, or...
  • Here's a summary of the article for those who couldn't get to it before it was /.ed.

    YALE: We have an insecure website, which allows anyone with a student's birth date and SSN to look at a student's personal details.

    PRINCETON: We took advantage of this and looked at the details of 11 students. We also got to find out whether or not they were accepted or rejected, so we could poach 'em. W00t!

    YALE: No fair! You're not supposed to get into our website like that! See you in court!

    PRINCETON: No fair! We were just checking out the security! Hell, it was an insecure system, anyway!

    YALE: STFU, WHINER!

  • CNN Article (Score:2, Informative)

    by ZeldorBlat ( 107799 )
  • I was a graduate student at Princeton. Each year at admissions time, the student newspaper would trumpet that once again Princeton was the 'most exclusive' university in the country. The justification for this was that they had accepted a smaller percentage of their applicants than any other university. This always struck me as a bizarre measure of merit, as it is only loosely correlated to the quality of students.

    I can offer Princeton some advice on how to increase their exclusivity:

    1) Slash the application fee. Someone with a 1 in 1000 chance of being accepted will be more inclined to apply if it costs $10 than if it costs $50.

    2) With many more applications at a much lower fee, there will be problems with budget blow-out on evaluating them. No problem - save costs by heavy handed use of randomness in the selection process. This has the additional benefit of increasing the chances for borderline applicants to be accepted, which will even further increase applications.

    The ultimate extension of this is that you raffle off admissions places, and count everyone who bought a ticket as an applicant. This could push your exclusivity from about 1 in 6 to 1 in 10,000.
    • Well I think you seem to have made an error in your assessment of what "Princeton" wants. The arrogant kid who writes those articles is even less representative of the admissions office as they are of the rest of the student body. I don't give a fuck if Princeton rejects ten thousand more students, I'm more interested in having bright interesting people as classmates and I'd bet 9 out of 10 people here would agree with me. Likewise the admissions office's job is to create an intelligent well rounded student body, not to pump up numbers. Of course they have some numbers that they are pressured to follow, such as percent of alumni kids accepted and athletic admissions, but their goal isn't to make Princeton seem selective. In fact there are studies which show that the selectiveness of Ivy League schools deters minority students from even applying. That is quite obviously not something that Princeton wants.

      So thanks for your analysis and we all know it's fun to misrepresent Princeton students because everyone's already so biased that you can say whatever you want and they'll believe you. But next time I'd rather you didn't take a few articles you've read by some idiotic Prince staff writer and present them as my point of view.
  • I need to see certain university deans doing prison time for this. Randal L. Schwartz, anyone?
    • (Mod parent up please?)

      Fishbowl is right. This is pretty similar to what Randal did several years ago--a trivial hack resulting in unauthorized access, no hard or money damage done, institution embarrassed, no attempt to obfuscate source of hack, yadda yadda.

      The main difference is that Randal could have reasonably argued (and ISTR he did) that the machines he broke into were at least somewhat close to his sysadmin responsibilities, giving him some expectation that running crack on them wouldn't be considered a hostile attack. I doubt the Princeton admissions officers have such an exculpatory excuse. They were after information that they had no right to, in order to use it competitively. (For example, they could have offered less financial aid to the students in question, knowing their other options were limited.)

      On the other hand, Randal was prosecuted under an Oregon law, which obviously doesn't apply between New Jersey and Connecticut.

      (Good grief, was that five years ago [lightlink.com] already? I feel old.)

  • Columbia University could not be reached for comment.
  • by karlm ( 158591 ) on Thursday July 25, 2002 @09:24PM (#3955577) Homepage
    Supposedly MIT and Harvard talk about who got admitted where. If you would have been admitted both places for engineering, they'll often only admit you at MIT and the other way around for humanities and some of the pure sciences. And of course, if it seems you can't live without "highest honors", they flag you for Brown. (Boo, hiss, yeah, I know. I really wanted to poke at Harvard, but Brown is so much worse in that respect.)

    There was some fuss a few years ago about all of the Ivy League schools talking about what they were going to offer for financial aid, and then offering identical packages to the same student. They claimed it was so that only the student's opinion of the school made the difference; some students felt it was illegal anticompetitive behavior.

    In any case, schools always have gambles with who to let in. Admitting a student means you have to find space for her/him. Empty beds cost you money. The University of Michigan Ann Arbor is notorious for wait-listing students they think will go elsewhere. They wait-listed me and I got into MIT with no wait. The same thing happened to several of my friends at MIT.

    High acceptance percentages also help prestige, which give you better students and more proud alums. More proud alums are better donators and better students make for more rich alums.

    • I go to UM Ann Arbor...

      They are notorious for waitlisting people... but they don't do it based on where they think the person will go. They have a very numeric "scorecard" that takes into account test scores, racial profile, sex, socio-economic profile, high school grades, difficulty of high school, quality of essay, etc.

      In the end, they take the top chunk, accept them, and waitlist the middle chunk. People from the middle chunk they accept based upon how many non-acceptance notifications they had from the accepted group.

      One thing you can do, though, is call up UM and ask to talk to the person that is reviewing your application. This person can have *serious pull* in getting you accepted if you are on the waitlist. They can add something like 20% to your numeric score... my roommate freshman year was one of the waitlisted people, and he did this... he got in with no problem.

      • There are some things about Michigan residents getting priority and they don't look at the whole applicant pool due to "rolling admissions", so if you send in your application on the deadline (like I did), there may have already been too many people that met the automatic admit criteria.

        I don't mean to sound arrogant, but I started taking mathematics at the University of Minnesota in 8th grade. My sr. year of high school, I was a full time student at the University of MN. I had 3 years of honors mathematics at the U, and straight A's save a B or B+ in World Politics. I got perfect scores on several sections of the SAT I and SAT II, and scored above the 95th percentile on my worst sections. That doesn't make me a better person or a good person or anything. The U of MI Ann Arbor is one of the best engineering schools. I definitely don't mean to disrespect it. I'm just saying it seems strange that there were many people that were 4.0+ (my U of MN GPA was above 4.0 from the honors math) college students instead of going to their Sr. year of H.S. Maybe they got weirded out that I wasn't applying as a transfer student, but that's the way one of their people told me to apply.

        Anyway, I know several people that got waitlisted at the U of MI Ann Arbor and got into MIT without having to wait on any list. On the other hand, the U of MI didn't require an interview, if I remember correctly. Interviews change things so much. Someone who is "fast on their feet" can get a lot of help from an interview, so that skews things. I'm pretty sure MIT puts a fair amount of weight in the interview as long as everything else is high enough. Talking with some kid that wants to go to MIT for a few minutes can tell you a lot. If s/he thinks s/he is going to be hot shit at MIT just 'caus they're the hottest shit their H.S. has ever seen, you can tell if they're going to be hot shit at MIT or if they're going to get their world shattered. You can also tell if having their world shattered would do them good or if they would be better off somewhere else. I'm surprised UM Ann Arbor doesn't have a live interview.

  • I was an undergrad at MIT in the early 90's when the DoJ decided to sue 22 universities for violating the Sherman Anti-Trust act. It was called the "Overlap Case" [mit.edu]. The really funny thing about it all was that apparently, when proposing the Sherman Anti-Trust Act, Sherman himself stated that it should not be applied to schools. Anyway, I digress. Basically, the Ivies got on their knees and begged for mercy and only MIT was left fighting the DoJ. Eventually, MIT and the DoJ set up rules under which schools were allowed to pool admissions info (I think only financial aid info, but I'm not sure), and the DoJ dropped the charges.

    I wonder if this recent act violates those rules?

  • Let the bullshit grandstanding begin...

    "[accessing the site] could have provided informational advantage to Princeton beyond just whether a student was accepted or rejected," The editor in chief of The Yale Daily News, Chris Michel said. "As a student, it's especially disturbing to find that a university would exploit information like this. We put a lot of trust in universities."

    I can't say that I'm unbiased but this looks a lot like a stupid but completely unmalicious decision which the Yale Daily is using to get some press.

    The facts support the assertion that Princeton did gain access to the site only to test the security of the web page, I mean 18 attempts 11 student accounts accessed? This isn't exactly a massive example of data mining to give Princeton a competitive advantage. It makes more sense to me that someone was probably like hmm I wonder how secure Yale's site is, and after a cursory glance realized that he could access the pages with information on file.

    Also from a personal standpoint the people involved really aren't the types to try and cheat, lie or steal for anything, let alone to gain a slight advantage over a small handful of students. Take that with a grain of salt if you want, like I said I'm not unbiased.
  • I have Karma To Burn.... Let me tell you something. This is the result of the political machinations of Alexander Clark, a Yale Microsoft drone. Clark has been working for M$ for a long ass time. Essentially, he made a website (yalestation.com^h^h^h.org when he realized people were on to him) in order to be powerful/whatever. He bamboozled our administration into thinking this was a "good thing" (tm). The real "nerds" (read: not M$ junkies) at our school were up in arms over this insanity. There's a whole dramatic background story (that's about 4 pages typed) if you'd like to know.... This "hack" is the result of one boy's ego trip. More info? Reply to post and I'll email you the whole story.
  • by SMN ( 33356 ) on Thursday July 25, 2002 @11:54PM (#3956129)
    There's plenty of evidence to back Princeton's excuse that they were just "testing" the system. Princeton doesn't have any system up to inform students of their admissions decisions online; Yale does. Princeton IS evaluating ways to do this, and it would appear that they were actually testing how well Yale's system works. In doing so, they found that Yale's system did NOT work so well.

    And what did they do? Like the responsible hackers who merely hack to test for security holes and whose stories are sometimes linked here on Slashdot, they tried to tell the Yale people that their system was insecure. How does Yale respond? Do they thank Princeton for the warning? No, they report them to the police! If this were any "normal" hacker warning of security holes they found, everyone here would be up in arms!

    OK, so what Princeton did was obviously stupid, immoral, and probably illegal, and certainly deserving of punishment. But while the Yale Daily Herald does mention Princeton's explanation/excuse, they do so in very dismissive terms, and several friends of mine who read the article entirely missed the excuse and thought that this hacking was purely malicious. It was NOT, and it would be nice if that were noted. Then again, this is Slashdot, which isn't exactly famous for its impartiality =)

    (Disclaimer: I was one of the students who got into Princeton this year, so I'm biased. Any other current students or incoming freshmen here?)

    • Uninformed Princetonian. Online admissions is being driven by a Microsoft drone. That is why.
    • Hi, I'm a Yalie.

      They told them the site was insecure long after accessing all that info, and they barely waited to check it after it came online. That's stupid and criminal. To be fair, I'd say criminal sanctions are unrealistic and unfair, but some people should get sacked.

      Needless to say, there's a lot of blame to go around here. . . we're not all as clueless as our admissions office, though.
    • The Slashdot article is a short note with a link elsewhere. The Slashdot "editors" cannot reasonably be held responsible for what others write, and this clearly is news that is interesting to nerds.

      And most of the talkbacks that I've read are about how irresponsible it is to put up a web site with such weak security.

      So I don't see why the sideswipe at Slashdot (this time).

  • by John Murdoch ( 102085 ) on Friday July 26, 2002 @12:29AM (#3956262) Homepage Journal

    I just linked to the Daily Yalie site, and in their comments on the article there's a note from a former columnist in the Yale Herald: back in 2000 he wrote a column [yaleherald.com] pointing out Yale's predilection for using the SSN for a password, and how anybody with half a brain could use that to hack all sorts of Yale systems. Definitely worth a look--and it will lead you to the conclusion that Yale's admissions people are, well, stupid.

    John Murdoch
    Penn '80

  • by Artifex ( 18308 ) on Friday July 26, 2002 @02:13AM (#3956534) Journal
    At almost every credit card company, bank, and stock broker I have ever belonged to, I have found them using a very simple set of data to identify callers as "legitimate":
    • Name (of course)
    • SSN (even though they are not supposed to, and variously the full number or just the last 4, which can vary between calls to the same company)
    • Mother's maiden name
    • address
    • zip code
    • phone number
    Only my last broker has taken the additional step of asking me what my major current holdings were...

    The problem, of course, is that everyone in my immediate family knows all of this information about me, including my SSN. So do all of my doctors/dentists, etc. In fact, a number of genealogical sites can find out almost all of that, too. Also, anyone intercepting my paper mail can find out from brokerage mailings what my holdings are. However, getting these people to add another form of ID to the accounts is always either impossible or very difficult.

    Anyone else notice this problem, and have other suggestions or comments? I feel like lying on my mother's maiden name line from now on, and putting a password in it.
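
The weakness these comments describe (a login keyed on name, birth date and SSN, which relatives, doctors and other institutions also hold) set beside a check on a separately issued secret. This is an added example, not code from the thread or from any system it mentions; the sample record, function names, PBKDF2 iteration count and lockout threshold are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; every value is made up for illustration.
APPLICANT = {"name": "Jane Doe", "dob": "1984-03-09", "ssn": "000-00-0000"}
MAX_FAILURES = 5      # assumed lockout threshold
ITERATIONS = 200_000  # assumed PBKDF2 work factor


def weak_verify(record, name, dob, ssn):
    """Identifier-only check: succeeds for anyone who knows these facts."""
    return (name, dob, ssn) == (record["name"], record["dob"], record["ssn"])


def derive(secret, salt):
    """Slow salted hash so a leaked record does not reveal the secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def enroll(record):
    """Issue a random secret and store only a salted hash of it."""
    secret = secrets.token_urlsafe(9)  # sent to the applicant out of band
    record["salt"] = secrets.token_bytes(16)
    record["hash"] = derive(secret, record["salt"])
    record["failures"] = 0
    return secret


def strong_verify(record, name, dob, ssn, secret):
    """Identifiers only locate the record; the issued secret authenticates."""
    if record["failures"] >= MAX_FAILURES:
        return False  # locked until reset through a separate channel
    known = weak_verify(record, name, dob, ssn)
    match = hmac.compare_digest(derive(secret, record["salt"]), record["hash"])
    ok = known and match
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok
```

Knowing all three identifiers passes `weak_verify` but fails `strong_verify` without the issued secret, and repeated failures lock the record instead of allowing unlimited guesses.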
