Princeton Hacks Yale, Harvard Not Surprised
Semji Rkim writes: "Yale Daily News is running a story of several occasions in which Princeton officials entered the Yale Online website and viewed admissions decisions. Princeton officials claim they were simply researching security for their own website. Reportedly the website, on initial log-in, would show applicants either a congratulatory fireworks display or a rejection notice. Princeton officials informally mentioned that they had accessed students' records on Yale's admissions site at an Ivy League deans' conference. The Yale website apparently used names, birth dates, and social security information as unique identifiers to allow access to the site. They are considering adding a PIN in the future."
Zero comments, server overloaded. Did someone beat /. to the punch?
Any mirrors out there?
-c.
Casey
More scratches on the cave wall, thanks be to anonymity.
The other school someone had applied to would have access too.
Fucking shady.
And then, the people Harvard Rejected, Princeton could offer enrollment to, without fear of losing to the rival......
Makes your numbers look good to have everyone you accept enroll....
John Nash had something to do with it. Or maybe we're all made up in his mind and he had to do it because that Dick Tracy looking guy told him to.
WWJD.... for a Klondike bar?
Just because you can do something with technology doesn't mean you should.
Yaledailynews has met its doom. Slashdotted that is.
The Yale website apparently used names, birth dates, and social security information as unique identifiers to allow access to the site. They are considering adding a PIN in the future.
Maybe they could use a credit card number as a PIN. Then it could be a one-stop shop for the lazy identity-thief.
Well, that's what you get when you put a bunch of clever people together - sneaky but interesting solutions to problems such as this.
If anything, it shows that the guys at Princeton can 'think outside the box' more than those at Yale.
I'm impressed.
Just get posted on /. and *nobody* will be able to get in for a while.
So, how long before we get some form of legal action . . . .
Sideshow Bob: Are you still angry about being kicked out of clown college?
Cecil: I'll thank you not to refer to Princeton that way.
Finally, math books without any of that base 6 crap in them.
HTTP/1.1 Server Too Busy
Yale accuses Princeton of hacking
Princeton officials broke into Yale online admissions decisions
Yale to inform law enforcement officials of alleged network, privacy breach
BY ELISE JORDAN AND ARIELLE LEVIN BECKER
Staff Reporters
Princeton admissions officers gained repeated, unauthorized access to the admissions decisions of 11 Yale applicants in early April by exploiting Yale's new online admission notification system, Yale and Princeton officials said Wednesday.
A security report drafted by Yale's Information Technology Services showed that Princeton officials viewed Yale admissions decisions -- in several cases before applicants learned whether they had been accepted -- by inputting the applicants' birth dates and social security numbers to bypass Yale's security measures.
Yale General Counsel Dorothy Robinson said the University considers Princeton's actions an abuse of the private information students provided on their applications, a violation of Yale's computer network, and possibly a breach of several criminal statutes. Robinson said the University will consult law enforcement officials Thursday and notify all the affected applicants of Princeton's actions.
"We do believe there was a very serious violation of the privacy of the individuals," Robinson said. "It is a matter which we believe law enforcement should be informed about."
Stephen LeMenager, a dean of admissions at Princeton, characterized Princeton's use of Yale's Web site as an innocent way to check whether the site was secure by using a random sampling of students whose social security numbers were listed on their applications to Princeton. He said he did not know why certain records were accessed several times.
Yale officials said they learned of the security breach in June, after Princeton officials informally mentioned that they had accessed students' records on Yale's admissions Web site at an Ivy League deans' conference.
Yale then commissioned an investigation, which found records of 18 separate log-ins to the site from Princeton computers, accessing the information of 11 applicants. Fourteen of the log-ins were traced to four different computers at the admissions office.
In four cases, applicants did not view their sites -- or admissions decisions -- until after they had been accessed by computers at Princeton.
Alexander Clark '04, who developed the admissions Web site and prepared the security report for Yale officials on June 20, said he double- and triple-checked data in his report. Clark said members of Yale's Information Security office also reviewed and signed off on his findings.
The Web site, which was launched by the admissions office in December, was designed to allow applicants to access their admissions decisions online using their names, birth dates and social security number as passwords.
Upon the first log-in, accepted students were greeted with a display of virtual fireworks. Rejected students also received notification. After the first log-in, the decision screen no longer appeared, making it unclear to a student whether they had been admitted or denied admission.
Students were able to provide information about themselves, including extracurricular interests and a personal profile. By logging in, Princeton officials had access to those students' records and profiles.
Princeton could face legal action as well as a loss of funding if the allegations are proven.
The university could potentially lose its limited amount of federal funding if it is found to have violated the Family Educational Rights Privacy Act -- commonly known as the Buckley Amendment. The Buckley Amendment was designed to safeguard student information, and experts said the use of student social security numbers and access of protected information for Yale applicants may constitute a legal infraction.
Jennifer Granick, the litigation director for the Stanford Law School Center for Internet and Society, said Princeton could also be sued for accessing Yale's Web site accounts without authorization.
Granick said that requiring a name, birth date and social security number to access the Web site could legally be construed as meaning anyone with those three pieces of information could log in. But she added that the presence of a disclaimer screen, which warned users of the site that it was only intended for the personal use of the applicant, made Princeton officials' use of the site vulnerable to a lawsuit or even criminal charges.
Granick said the standard for criminal charges included proof of criminal intent, and to be charged criminally in the federal system, someone would have to have caused $5,000 worth of damage. LeMenager said he and his colleagues meant no harm in accessing the information, and instead were attempting to assuage their own concerns about Web site security.
"It was really an innocent way for us to check out the security," LeMenager said. "That was our main concern of having an online notification system, that it would be susceptible to people who had that information - parents, guidance counselors, and admissions officers at other schools."
Harvard's director of admissions, Marlyn McGrath Lewis, said she was not surprised there had been unauthorized access to Yale's Web site.
"Any system that could be cracked, I think will be," McGrath Lewis said.
Clark, the designer of Yale's system, defended the security of the admissions site, and said security is only as good as the password. He said the passwords were chosen because of their "personally identifiable nature."
He added that he expects Yale will use a similar notification system for the Class of 2007, but will require personal identification numbers to access the information. Robinson said Yale's Web site was secure, and that no other breaches of security had been recorded.
"We did take a broader view and a broader look at the security of the system and we did not find evidence of any similar break-ins or wrongdoing," Robinson said. "So in other words, the activity that happened from Princeton was unique."
Reportedly the website, on initial log-in, would show applicants either a congratulatory fireworks display or a rejection notice.
Fireworks? What's their rejection notice, then? Top rejection notice graphics:
-- Picture of Nelson saying "HA! HA!"
-- Picture of MacDonald's and link to "Hamburger University"
-- Picture of funeral with the casket labelled "your future" slowly being lowered into ground
-- The Dell guy saying, "Dude, you're goin' to Community College!"
Sometimes it's best to just let stupid people be stupid.
The same thing happened in York, Pennsylvania when the York community college hacked into the Southern Pennsylvania Business College's website last month. I'd provide a link but nobody really gave a shit.
you might want to link to this--the "high traffic" version of the article, since it actually works.
Here is the story on MSNBC.com.
http://www.msnbc.com/news/785677.asp
Princeton: "Ha! We'll show those lousy Yale folks! Let's hack into their admissions website and accept the people they reject! That'll teach 'em!" Yale: "Those no-good ruffians at Princeton! That's it, we'll publish a scientific paper criticizing Princeton's actions as philosophical proof of their inferiority! That'll teach 'em!" Meanwhile, at, say, UT- UT: "OU beat us in football! Let's steal their president and shave him bald! That'll teach 'em!" OU: "That's it! Let's burn down their stadium! That'll teach 'em!"
Names, birth dates, and social security numbers? So they're saying they didn't use any sort of security on the site, then. Hmmf.
Comic Book Guy: "There is no Groening in my store."
The index page (which isn't slashdotted) has the article. http://www.yaledailynews.com/
...uses Macs...
Just think... if they had notified the Attorney General's office it would have been legal. Well. In a few months.
There are no trails. There are no trees out here.
This way stupid schools won't be tempted to use them as security codes.
How many times have people here wailed at the non-tech press for using the word "hack" to describe what most would technically term a "crack"? Well if you ever actually read the article, you'd see that Princeton didn't hack or crack. They used the ssn and birthdate supplied to them by their own applicants to access Yale's pages. In other words, they had the users' login and passwords and used them. Not a hack, not a crack. Thoroughly evil of course, but "merely" a lie.
I thought students sent information to Yale, and then Yale responded by accepting or rejecting them. There's no opportunity in that transaction for Yale to give the students a PIN.
If there's a Yale form they have to fill out, then Yale could print a random PIN on every form (and require students to remember it). Hum, but what if the students forgot to copy down their PIN? Perhaps that would be an extra screening, Yale would only accept students who could keep track of your PIN?
Guess big schools and business will be free to hack away, while the little guys get sent off to jail...
The thing is, these schools have some incentive to share this sort of info with one another -- with the right knowledge, they could easily bump their matriculation rates up.
Only it's against the rules. If they did share, however, by allowing access through bad security -- but not _granting_ it at all -- they could collude with plausible deniability...
Yale: I say o'l chap it appears you have been poking around in our computers. We can't have you hacking away at our students while they are playing tennis now can we?
Princeton: Good show on that discovery my dear friend. We just simply couldn't resist seeing how similar our credit card transactions were, I dare say we are quite alike in many respects.
Yale: Alright then, as long as it's in good fun. I must be getting back to my weekly spa. Ta ta!
http://www.yaledailynews.com/
Test your net with Netalyzr
I wonder if the Princeton Officials will be arrested for cracking in to the site. After all, they did gain unauthorized access to the Yale site. I believe that is against the law now. Hmmm.
This could be interesting.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
...Slashdot hacks Yale Daily News to death. :-p
"It take 9 months to bear a child, no matter how many women you assign to the job."
Go figure.
So is this a violation of the DMCA? Just figured with all the attention it is getting lately...
The article is now on their homepage here.
Looks like the IIS server still can't handle the load (try hitting any of the .asp pages), but this page is static.
It's nice to see an educational institution set an example for their students. Though, in future, I think another kind of example is in order, perhaps one that is a tad less illegal.
In unrelated news, the Big Five auditing firm Arthur Andersen today announced that they have decided to increase the number of job placement interviews at Princeton University in the upcoming year. A spokesperson for Arthur Andersen said that the academic and social environment at Princeton helps to produce the type of high quality people that they desired for their firm.
I would think that using someone's SSN to access something meant for them alone would be an illegal invasion of privacy. I could also see this as a gag some dumb office employees started when they realized that many people apply to the same universities. Or maybe the application form just asks for other schools they apply to.
-Sean
Fortunately MIT does this a little differently and slightly more hacker proof. They don't rely on any publicly (to any admissions office) available information but assign you with a unique 9-digit id number from the beginning of the application process and all of your online information is tied to this id.
I should point out that you can only view your status (summary of received documents and final decision, nothing else) if you have this id and a last name but to actually update and change information on their information system you require a kerberos identity, the passphrases for which are sent (regular mail) after you're confirmed and accepted admission. I recall that the initial id-number is sent to you via regular mail with a confirmation that they received your application and assigned an interviewer etc.
Basically as long as you're not a complete moron (I think it is safe to assume this if you have been admitted to MIT) you're probably not going to give out your ssl-certificates or give out your id/uname/pw-combo plaintext over internet (and if you do you're totally responsible for all the misuse - they're not going to clear your name).
So I suppose MIT beat all the other ivy-league schools with respect to not getting hacked but then again what should you expect from the home of "hacks".
"The Yale website apparently used names, birth dates, and social security information as unique identifiers to allow access to the site."
That has been standard at all three of the colleges I have attended. Usually the 'pin' if they have one is the birthdate in the form of mm/dd/yy or the last four digits of the social security number.
Yale seems to be acting like Princeton 'hacked' into their computer but in fact they set up a system that was 'secured' by information that just about anybody would have, particularly any other university that the student had also applied to. And who would think that students would apply to both Yale and Princeton? The ones who should REALLY be embarrassed is the school that set up their admissions approvals so that just about anybody could see them and then reply only that they are 'considering' adding a PIN number. Sorry, but if you put your data on a billboard it is not 'hacking' if other people see it.
I'm starting college in the fall, at Southern Polytechnic University. Going through the registration process (which they had us do entirely online [from the campus computer lab]), I noticed a few things that left me, well, disquieted to say the least, paranoid to say the most. To login required a username and PIN. The username was of course your student ID number. Unfortunately, your student ID number is *pause for dramatic effect* your social security number. And the PIN's not much better. A six digit number initially consisting of...guess. Yup, the student's birthdate. Needless to say, first thing I did was change my PIN. Just wish we didn't have to toss our SSN around so much. If you think I'm overly paranoid, well, you have a knack for discerning the obvious.
Love and Peace,
Valen
"The best compliment a girl ever gave me was 'Your hair smells nice.' I hate being the platonic friend." -Valen
This is what happens when low-tech "traditional" solutions are given undeserved prestige in the face of superior alternatives.
When society finds it commonplace to take the net to school, then businesses will not have such a difficult time conserving fuel and time, too.
I work for UC Santa Barbara, and I've seen a lot of this before. We force users to select usernames and passwords, and until recently, did not encrypt the users' passwords in our database. Just out of curiosity, I tried using the applicants' username/password on the e-mail accounts they entered.
Sure enough, I was able to access many of the e-mail accounts. I quickly stopped, realizing that some of these people probably also used the same username/password combinations for their bank accounts, etc.
Many of the people were Hotmail users. Just think when your .NET Passport is also your bank and credit card authentication, or your NationalID card authentication, or...
Now, when users log in, an MD5 hash is compared against the hashed password in the database.
This kind of competitive, stupid abuses are what happens when low-tech "traditional" solutions are given undeserved prestige in the face of superior alternatives.
When society finds it commonplace to take the net to school, then businesses will not have such a difficult time conserving fuel and time, too.
Carnegie-Mellon sends out a PIN in the letter that confirms they have received your application.
Shouldn't this article have the "It's Funny. Laugh." foot rather than the padlock?
This sig no verb.
They are considering adding a PIN in the future.
It's obvious that they should, but the question is now 'How?' I wonder how they can do this while, at the same time, keep load down at the school. Just imagine the number of people that apply to Yale. You'd have to hire someone full-time just to give out PIN numbers to people (considering you wanted to give out PINs at someone's request.) However, Yale could mail the applicant a PIN when their application is received. Maybe Yale could add another small fee to the cost of applying to outweigh such cost?
Anyone else thought of any ideas that may work?
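The PIN-by-mail idea raised in this thread (a random secret issued when the application is received, as commenters describe for MIT and Carnegie Mellon) and the stored-hash point from the UC Santa Barbara comment, sketched as an added example that is not part of the original discussion or any school's code. All names, the 8-digit PIN length, the lockout threshold, the choice of PBKDF2 and the applicant record are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

PIN_DIGITS = 8            # assumed length; not from the thread
MAX_FAILURES = 5          # assumed lockout threshold
KDF_ITERATIONS = 100_000  # assumed work factor

# Constructed applicant file: every school the student applied to holds a copy.
APPLICATION_FILE = {
    "name": "Pat Example",
    "birth_date": "1984-03-15",
    "ssn": "000-00-0000",  # placeholder, not a real SSN
}


def weak_login(site_record, name, birth_date, ssn):
    """The scheme described in the story: the 'credentials' are facts copied
    from the application form, so anyone holding the form authenticates."""
    return (name, birth_date, ssn) == (
        site_record["name"], site_record["birth_date"], site_record["ssn"])


def _derive(pin, salt):
    # Salted, iterated hash: the stored value cannot be replayed elsewhere and
    # offline guessing is slowed. An 8-digit space is still small, so the
    # online lockout below is the main control.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)


class PinPortal:
    """Issues a random PIN at application receipt and checks it at login."""

    def __init__(self):
        self._records = {}  # application_id -> {"salt", "hash", "failures"}
        self._dummy_salt = secrets.token_bytes(16)

    def register(self, application_id):
        """Create the PIN. The return value goes into the mailed receipt
        letter; only the salted hash is kept server-side."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        salt = secrets.token_bytes(16)
        self._records[application_id] = {
            "salt": salt, "hash": _derive(pin, salt), "failures": 0}
        return pin

    def login(self, application_id, pin):
        rec = self._records.get(application_id)
        if rec is None:
            _derive(pin, self._dummy_salt)  # same work for unknown IDs
            return False
        if rec["failures"] >= MAX_FAILURES:
            return False  # locked: requires an out-of-band reset
        ok = hmac.compare_digest(_derive(pin, rec["salt"]), rec["hash"])
        rec["failures"] = 0 if ok else rec["failures"] + 1
        return ok

    def is_locked(self, application_id):
        rec = self._records.get(application_id)
        return rec is not None and rec["failures"] >= MAX_FAILURES


def demo():
    """Compare what a holder of the application file can do under each scheme."""
    portal = PinPortal()
    pin = portal.register("APP-0001")
    f = APPLICATION_FILE
    return {
        "file_holder_passes_weak_scheme":
            weak_login(f, f["name"], f["birth_date"], f["ssn"]),
        "file_holder_passes_pin_scheme": portal.login("APP-0001", f["ssn"]),
        "applicant_passes_pin_scheme": portal.login("APP-0001", pin),
    }


if __name__ == "__main__":
    print(demo())
```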
Yale's "security" here is pretty laughable. They should be as embarrassed as Princeton.
YALE: We have an insecure website, which allows anyone with a student's birth date and SSN to look at a student's personal details.
PRINCETON: We took advantage of this and looked at the details of 11 students. We also got to find out whether or not they were accepted or rejected, so we could poach 'em. W00t!
YALE: No fair! You're not supposed to get into our website like that! See you in court!
PRINCETON: No fair! We were just checking out the security! Hell, it was an insecure system, anyway!
YALE: STFU, WHINER!
Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".
Here is the scoop from CNN:
http://www.cnn.com/2002/US/07/25/yale.princeton.ap/index.html
I was a graduate student at Princeton. Each year at admissions time, the student newspaper would trumpet that once again Princeton was the 'most exclusive' university in the country. The justification for this was that they had accepted a smaller percentage of their applicants than any other university. This always struck me as a bizarre measure of merit, as it is only loosely correlated to the quality of students.
I can offer Princeton some advice on how to increase their exclusivity:
1) Slash the application fee. Someone with a 1 in 1000 chance of being accepted will be more inclined to apply if it costs $10 than if it costs $50.
2) With many more applications at a much lower fee, there will be problems with budget blow-out on evaluating them. No problem - save costs by heavy handed use of randomness in the selection process. This has the additional benefit of increasing the chances for borderline applicants to be accepted, which will even further increase applications.
The ultimate extension of this is that you raffle off admissions places, and count everyone who bought a ticket as an applicant. This could push your exclusivity from about 1 in 6 to 1 in 10,000.
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
I need to see certain university deans doing prison time for this. Randal L. Schwartz, anyone?
-fb Everything not expressly forbidden is now mandatory.
So I suppose MIT beat all the other ivy-league schools with respect to not getting hacked
MIT is a good school. It's a great school, in fact. It is NOT, however, an ivy league school. The ivy league schools are:
Brown (my school), Harvard, Yale, Princeton, Cornell, Dartmouth, UPenn, and Columbia.
I think they downloaded the information for Penn, and Penn offered to throw the basketball games this winter....
Columbia University could not be reached for comment.
The previous has been a secret message to my comrades.
Of course being an ivy league school means nothing other than bragging rights and grade inflation. So which of these two benefits do you take advantage of?
There was some fuss a few years ago about all of the Ivy League schools talking about what they were going to offer for financial aid, and then offering identical packages to the same student. They claimed it was so that only the student's opinion of the school made the difference, some students felt it was illegal anticompetitive behavior.
In any case, schools always have gambles with who to let in. Admitting a student means you have to find space for her/him. Empty beds cost you money. The University of Michigan Ann Arbor is notorious for wait-listing students they think will go elsewhere. They wait-listed me and I got into MIT with no wait. The same thing happened to several of my friends at MIT.
High acceptance percentages also help prestige, which give you better students and more proud alums. More proud alums are better donators and better students make for more rich alums.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
"Columbia University could not be reached for comment."
Ahh, so Princeton is DDOS'ing them?
They're probably just "ensuring the capacity of Columbia's server is adequate to meet tomorrow's demand."
-- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
We've heard that line many times.
Almost every time a kid would get caught playing on somebody else's system, actually.
It's pretty funny to see a big ol' institution giving the same lame excuse.
Still, it's cuter than dumping the 4 or so employees that were messing around on the computers.
They might regret they didn't do it if this story gets bigger.
What, you wanna step outside? We can settle this right now!
(In other news, my dean can beat up your dean.)
-Justin
That's enough posting for now lads, there're trolls afoot.
Here's the original article:
Document contains no data.
Cal Poly (my school), Brown (deprecated), Harvard, Yale, Princeton, Cornell (deprecated), Dartmouth, UPenn, and Columbia (deprecated).
If ESR can fiddle with definitions, I can too!
IN TEH FUCHAR, LITERSY WLIL EB OPSHANAL!!!!!111
But for the past 20-25 years it's been primarily used to refer to unauthorized use of computer systems. Only in the past 5 or so years have some people been trying to resurrect the original (long since obsolete) usage, which is about as likely to be successful as convincing people that "gay" merely means "happy" and has nothing to do with homosexuality.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
1. Why would Princeton want Yale rejects?
2. How crap is Yale for allowing something stupid like this?
3. How stupid are Yale for getting caught?
The Final Word
Rumors have been flying about Rensselaer joining the ivy league; however, I've heard a really lame excuse as to why not. The "ivy league" declared we would have to drop Polytechnic Institute from our name and go by strictly Rensselaer, not RPI. This would anger alumni, so we said no.
Who runs the "ivy league"? Is there a board made up of members of each school?
I'm guessing you mean CPSLO, 'cause all the Pomona dweebs have to say Cal Poly Pomona since no one knows they exist.
Normally, something along the lines of "Go Mustangs!" would be appropriate, but then our athletic teams kinda suck.
Yale is dumb.
Princeton is unethical.
Harvard is laughing its ass off.
Yay Alma Mater!
Let's get drunk and delete production data!
"We do believe there was a very serious violation of the privacy of the individuals," Robinson said. "It is a matter which we believe law enforcement should be informed about."
No shit sherlock. Even using a social security number as an identifier for students is a violation of FERPA, Family Education Rights and Privacy Act. http://www.privacyrights.org/fs/fs10-ssn.htm
I read stuff on Princeton/Yale/other 'big arse well known' schools when I was looking.
..I think they were actually telling the truth in regards to that. ;)
One of the fun things they used to stress is how many 'leaders' as in ceos/etc. come from the ivy league schools.
I wonder if this recent act violates those rules?
The original meaning was in use during the past 20-25 years. 10 & 20 years ago people were still using it and were bitching about its usage in describing any computer crime. Even if you like one of the usages more, you should be able to admit that.
Life is too short to proofread.
The Carnegie Mellon admissions site last year had a glaring validation error on its page that would allow the users to view anybody's info (test scores, etc) if you entered an invalid birthdate in the login. You would enter in an ID number to choose the person, which was somewhat based on zipcode, so I was able to check out the competition around my neighborhood. This was really disappointing coming from a "top" computer science school.
I'm not going to claim it wasn't used at all in the original usage, but during the 1980s I primarily heard it used to describe unauthorized access to computer systems. This wasn't just by the media (which didn't use it at all until the mid-to-late 1980s when it became a major issue), but by the majority of people who frequented BBSs and local computer clubs.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Let the bullshit grandstanding begin...
"[accessing the site] could have provided informational advantage to Princeton beyond just whether a student was accepted or rejected," The editor in chief of The Yale Daily News, Chris Michel said. "As a student, it's especially disturbing to find that a university would exploit information like this. We put a lot of trust in universities."
I can't say that I'm unbiased but this looks a lot like a stupid but completely unmalicious decision which the Yale Daily is using to get some press.
The facts support the assertion that Princeton did gain access to the site only to test the security of the web page, I mean 18 attempts, 11 student accounts accessed? This isn't exactly a massive example of data mining to give Princeton a competitive advantage. It makes more sense to me that someone was probably like hmm I wonder how secure Yale's site is, and after a cursory glance realized that he could access the pages with information on file.
Also from a personal standpoint the people involved really aren't the types to try and cheat, lie or steal for anything, let alone to gain a slight advantage over a small handful of students. Take that with a grain of salt if you want, like I said I'm not unbiased.
--aiee
You're an idiot. A social security number is a unique identifier. That's its sole purpose.
In the 80's I was between 0 & 10 years old. I don't think I began to understand the original meaning of hacking until I went to college. I have a feeling, if I'd been born 10 years earlier I would also have learned the original usage around the time I went to college. I think knowing that meaning of hacking has more to do with being around technical people, but I have not the firsthand knowledge across 50 years to know for sure.
Life is too short to proofread.
dude all those ivy league "additions" rumors are basically urban legends... sorry buddy
I have Karma To Burn.... Let me tell you something. This is the result of the political machinations of Alexander Clark, a Yale Microsoft drone. Clark has been working for M$ for a long ass time. Essentially, he made a website (yalestation.com^h^h^h.org when he realized people were on to him) in order to be powerful/whatever. He bamboozled our administration into thinking this was a "good thing" (tm). The real "nerds" (read: not M$ junkies) at our school were up in arms over this insanity. There's a whole dramatic background story (that's about 4 pages typed) if you'd like to know.... This "hack" is the result of one boy's ego trip. More info? Reply to post and I'll email you the whole story.
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
It's hardly a secret that these universities collude to set admissions standards, numbers of seats available and, of course, prices. What's interesting, and more than likely fictional, is that they had to go to any real trouble to get the information.
Friends don't help friends install M$ junk.
And what did they do? Like the responsible hackers who merely hack to test for security holes and whose stories are sometimes linked here on Slashdot, they tried to tell the Yale people that their system was insecure. How does Yale respond? Do they thank Princeton for the warning? No, they report them to the police! If this were any "normal" hacker warning of security holes they found, everyone here would be up in arms!
OK, so what Princeton did was obviously stupid, immoral, and probably illegal, and certainly deserving of punishment. But while the Yale Daily Herald does mention Princeton's explanation/excuse, they do so in very dismissive terms, and several friends of mine who read the article entirely missed the excuse and thought that this hacking was purely malicious. It was NOT, and it would be nice if that were noted. Then again, this is Slashdot, which isn't exactly famous for its impartiality =)
(Disclaimer: I was one of the students who got into Princeton this year, so I'm biased. Any other current students or incoming freshmen here?)
-- Imagine how much more advanced our technology would be if we had eight fingers per hand.
They think princeton did it..hehehe ::evil grin::
Running a Windows server, it's no wonder Princeton could hack them.
[insert witty comment here]
The ivy league is an athletic league like the PAC 10, or Big 10. It's just that the Ivy league is all Division III athletic teams in roughly the same geographical region.
arrogant redneck assholes
An arrogant redneck asshole who lives better than you ever will.
Bacon? Why the devil don't they call it Frycon?
Since when has Cow Poly been recognized as a university by people outside of California?
I just linked to the Daily Yalie site, and in their comments on the article there's a note from a former columnist in the Yale Herald: back in 2000 he wrote a column pointing out Yale's predilection for using the SSN for a password, and how anybody with half a brain could use that to hack all sorts of Yale systems. Definitely worth a look--and it will lead you to the conclusion that Yale's admissions people are, well, stupid.
John Murdoch
Penn '80
My real problem with this is that Princeton was using private, confidential information to access the Yale site, to access an applicant's personal account. Princeton was bound to use this personal information (birthdate, SSN) for no other purpose than their own direct admissions process, and they violated this legally binding trust. Everyone must submit this information (along with their check) in order to be considered, so everyone must trust the system and the law. There was no hack. There was no crack. There was no 'testing of security'. I'd bet that no one at Princeton tried to run a program or even guess at possible login info - they probably just opened a file folder, read through a piece of paper, keyed in private information, and entered the site. It would be on par with your bank using your personal information, given to them in legal confidence, to check on an account at another bank, without your permission. Did Princeton want to test security? Did they want to check up on some borderline students that they were thinking about wait listing? Was someone just playing around to see what a fellow Ivy had just made? Who knows - hopefully, though, schools will now be more stringent about how they use personal information, and about how they protect that information. As stated elsewhere in this thread, universities are usually quite friendly with each other. I wonder what would have happened if Princeton would have just called up Yale and said "Hey, you mind if I check out your new site?" Looking at the actual events, no one appears to have been truly hurt; no lasting harm was done. But think of all the hype/press that this has generated, the grant money that (the article suggests) could be lost by Princeton... Moral: protect your information as though it was your life, treat confidentiality agreements as though they were a pact with the Creator, and collaborate with your peers instead of competing with them. Oh yeah, and public schools rock ;)
I am gonna access slashdot with my ki5oshin email
Ivy league schools are Division I. MIT is Division III.
- Name (of course)
- SSN (even though they are not supposed to, and variously the full number or just the last 4, which can vary between calls to the same company)
- Mother's maiden name
- address
- zip code
- phone number
Only my last broker has taken the additional step of asking me what my major current holdings were... The problem, of course, is that everyone in my immediate family knows all of this information about me, including my SSN. So do all of my doctors/dentists, etc. In fact, a number of genealogical sites can find out almost all of that, too. Also, anyone intercepting my paper mail can find out from brokerage mailings what my holdings are. However, getting these people to add another form of ID to the accounts is always either impossible or very difficult.
Anyone else notice this problem, and have other suggestions or comments? I feel like lying on my mother's maiden name line from now on, and putting a password in it.
Get off my launchpad!
The term stems from the 1930's, when Stanford, MIT, and the other now-excellent schools were off the map. See http://etc.princeton.edu/CampusWWW/Companion/ivy_league.html
If you come from an Ivy League school, you tend to know what the 8 schools are. If not, then any good school must be an Ivy League school.
An arrogant redneck asshole who lives better than you ever will.
In between jobs, you're on your way to an interview when you have a heart attack in your SUV* during rush-hour traffic on the interstate. Sadly, you are turned away from the nearest hospital because your HMO doesn't work with them. En route to a hospital that does, you croak. But that's OK, because your HMO's CEO shouldn't have to wear the same pair of socks twice. Portraits of George W. Bush and Dale Earnhardt, Jr. are laser etched on your $50,000 cubic zirconium tombstone. You are buried with copies of None Dare Call it Treason, Atlas Shrugged, and a coloring book. However, crayons are not covered under the terms of your burial insurance. You spend eternity reading moronic fiction and really wishing you had some crayons, only it's so hot where you are they'd melt anyway.
God, I envy you.
*=Saudi Underwriting Vehicle
--
Freeper Logic
It's ridiculous to think that Yale is unique in using SSNs. Sure, SSNs aren't the most secure form of identifiers, but Yale's not alone here.
They're using the same model in place at financial institutions, medical offices, etc. If Yale should have anticipated the problem, then this should be an alarm to practically every financial institution in the nation.
The reality is that Princeton abused confidential information. Plain and simple-- if they had used their information as the law requires that they do, an SSN would have been just fine.
Time to stop trying to be insightful or funny, looks like! Let the trolls lead the way!
All they've done is to take data they legitimately obtained and do a query on Yale's systems...
I get when I go to yaledailynews.com, "WARNING!, YOUR COMPUTER DATA IS AT RISK" Yeah no shit.
nytimes said princeton is gearing up to dump one, maybe more
Thank God we have real Universities over here in England.
Giving Princeton the benefit of the doubt, the New York Times reports that Mr. LeMenager did this because he was curious about its security. Is this really such a stretch? I mean, how many /. readers have hacked into a system just to check its security?
The college I went to a few years ago started out using SSN as our main identifier. I remember when I first got accepted and before and even after I got my student ID card we ended up plastering our SSN number on tons of documents. Once the scanner didn't work at the lunch line so we had to record our name and SSN on sheets of paper in plain view of everyone.
Finally the retards caught on and gave us pin numbers instead. We were required to use that and a password to log into the student system for our grade information, etc.
Of course they sent out grade/class info over a non-encrypted (not even password info) unsecure line from over a hundred miles distance from a known centralized server.
A friend of mine ran a Linux box and using a sniffer could read basically everything. With a little filtering he could have done a ton of damage to a lot of people.
Now my old campus is trying to move to wireless *sigh*
-- Scientist: You aren't going to leave me here, are you? Boagh! Thump...
You're absolutely correct and I should've definitely worded my last paragraph differently but it was late and blahblah..
I believe that one of the biggest reasons why MIT is not an ivy-league school is that they do not offer any athletic scholarships. And they'll be stuck with their current category until they do so. It is interesting to note that as a matter of fact MIT does not offer any scholarships as such!
All they have is need based financial assistance. Nothing to do with academics, sports, etc. If you got in and can't afford the 40K/year they'll cover up to 100% depending on your need (you do have to prove yourself pretty good) and as one of the few schools in country they do this for international students too.
I believe that one of the biggest reasons why MIT is not an ivy-league school is that they do not offer any athletic scholarships. And they'll be stuck with their current category until they do so. It is interesting to note that as a matter of fact MIT does not offer any scholarships as such!
Wrong! Yale does not do this either. They only offer need-based assistance, though various third parties may have Yale-related scholarships. As far as I know, we've never had athletic scholarships, and opinion is pretty strong against introducing them. The Ivy League also does not have football games after Thanksgiving, based on the premise that students are here to work, not play games.
I don't know if this applies to the other Ivies as well, but I suspect it does to most of them. Stanford, on the other hand, does have athletic scholarships, which as far as I'm concerned is the only thing keeping them from being in the same class as the Ivies. (their academics and research, of course, being about equal.)
The Yale network guys are always blaming the lack of security on everyone else. If any of you have ever been on the Yale network you would know. Yale's Information Security Office is a joke. When Nimda hit they blamed everyone but themselves. Any time a security breach of any kind happens it is "blame someone else, they didn't follow the guidelines we set up AFTER we found a problem." I was shocked that Yale even found out about the website breach but then I read a little further. Ahhh yes. "Yale then COMMISSIONED an investigation."
gnat = nat e?
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
In fact, it does apply to all of the other Ivies. I believe that it's a requirement of the ivies to NOT give athletic scholarships. I don't know if this applies to other non-need-based scholarships or not. Harvard, for one, gives only need-based scholarships - they don't even give National Merit Scholarships because they're not need-based.
Wowee, state-of-the-art 14-bit security!
Put this story on the pile of reasons why we need a real, pervasive PKI.
Jennifer Granick accurately cites Federal law limitations for prosecution (which Princeton probably didn't violate), but there may be state or local statutes/ordinances that involve penalties for simple trespass of computer systems. If I was a Yale official, I'd be looking seriously into that.
Vic (the anonymous coward too lazy to establish an account)
princeton university gives only need-based gifts, although they do allow third parties to give non-need-based scholarships.
of course, all this talk of "need-based" and non-"need-based" scholarships gets pretty flexible with athletics. sometimes alumni give money for need-based scholarships applying to "an outstanding lacrosse player from Connecticut with size 10 feet whose last name is Duffy-Cockthorpe."
jon
-- http://www.cerastes.org
Hang on a sec.. so Columbia doesn't count as Ivy League and Cornell does? Columbia is somewhat older...
Heheh.. good thing to get my facts straight before starting school so at least I don't make a fool out of myself over there.. =)
The Slashdot article is a short note with a link elsewhere. The Slashdot "editors" cannot reasonably be held responsible for what others write, and this clearly is news that is interesting to nerds.
And most of the talkbacks that I've read are about how irresponsible it is to put up a web site with such weak security.
So I don't see why the sideswipe at Slashdot (this time).
I think we've pushed this "anyone can grow up to be president" thing too far.
An Ivy League institution is not allowed to give merit-based aid or an athletic scholarship.
Brown got caught a few years ago giving scholarships to the football players and they were stripped of the title and also weren't allowed to win the title for a few years.
It's ANN Arbor Dipshit. Hope you enjoyed MITE.
Sadly, you are turned away from the nearest hospital because your HMO doesn't work with them.
You know, people like you are so ignorant I think you actually believe that. Just for the record, HMO's don't stop you from going anywhere you want in an emergency.
On the one hand, boy I wish I lived in one of the socialist paradises. Hey, you only have to wait 6 months for "elective" surgery, but at least it's free*! On the other hand, my elective surgery is done immediately with far better standard of care, but I have to pay a $10 copay. God our system sucks.
*Well, it actually ends up costing you more in taxes, but since you don't see it, that must be OK! Well, no one ever said Socialists were good at math. As long as you "feel" better and superior, all is right with the world.
I'd imagine that the acceptance/rejection letters had standard copyright footers embedded within. Doesn't this mean that Princeton circumvented a security mechanism to obtain copyrighted information?
Yale, Princeton, Harvard, and every other university out there get hacked all the time. Probably by students of other schools too.
We're joking, bitch.