Slashdot Mirror


Princeton Hacks Yale, Harvard Not Surprised

Semji Rkim writes: "Yale Daily News is running a story of several occasions in which Princeton officials entered the Yale Online website and viewed admissions decisions. Princeton officials claim they were simply researching security for their own website. Reportedly the website, on initial log-in, would show applicants either a congratulatory fireworks display or a rejection notice. Princeton officials informally mentioned that they had accessed students' records on Yale's admissions site at an Ivy League deans' conference. The Yale website apparently used names, birth dates, and social security information as unique identifiers to allow access to the site. They are considering adding a PIN in the future."

10 of 304 comments

  1. Re:Wham! by Anonymous Coward · · Score: 1, Informative
    Zero comments, server overloaded. Did someone beat /. to the punch?

    As of 7:00 EDT, Drudge Report has a link to it. That's probably what "slashdotted" it.

  2. Re:Wham! by SpatchMonkey · · Score: 2, Informative

    Just go straight to http://www.yaledailynews.com, it has it on the front page which I would assume is static, and therefore less liable to give an HTTP 500 error.

  3. working link! by joedoe · · Score: 3, Informative

    You might want to link to this--the "high traffic" version of the article, since it actually works.

  4. MSNBC.com story by SoCalChris · · Score: 3, Informative

    Here is the story on MSNBC.com.

    http://www.msnbc.com/news/785677.asp

  5. Re:"hack" by theLOUDroom · · Score: 4, Informative

    Actually the term hacker originally had nothing to do with unauthorized use of computer systems. It's a very old term (>20yrs). Read about it.
    You don't know what you're talking about. Get over it.

    --
    Life is too short to proofread.
  6. Re:Obligatory Simpson's Quote by amabbi · · Score: 2, Informative
    Wrong....

    the _correct_ quote is:

    Sideshow Bob: "You wanted to be Krusty's sidekick since you were five! What about the buffoon lessons, the four years at clown college."
    Cecil: "I'll thank you not to refer to Princeton that way."

    - "Brother From Another Series", The Simpsons Episode 4F14

    Thanks to Springfield Nuclear Power Planet

  7. CNN Article by ZeldorBlat · · Score: 2, Informative
  8. Re:SSN for Login is a bad idea by Sabalon · · Score: 3, Informative

    Blame SCT, the people who make the student records system (Banner) that SP uses. While the decision to use SSN or whatever else for ID (an Oracle VARCHAR2(9) field), the system forces you to use a 6-digit numeric PIN.

    Why?

    Because they also have a voice response system (you know - press 1 for this) that you can remotely access your info, and this is why they have such a weak password.

    When they added the web product after the VR product, they should have added another field for a stronger password instead of just using the same table for all third party access.

    Now...on a different note, SCT's product is true open-source. Any of the database procedures, C/COBOL programs, forms, etc... all come as source and you have to build them on your system. Any school using this could modify the login to use anything (some have to use LDAP and other schemes).

    The only problem that keeps most places from doing this is that when you get upgrades/patches (and there are a lot) you have to make sure it doesn't wipe out/replace your customizations. Kind of a pain, but for some things like this it's worth it.

    But here is a great way for open source to work - it's a ridiculously expensive package (and a huge one) but you have all the source and can fix things without having to wait for a vendor patch.

    This has helped form a community of users who freely share info, mods, etc... and the company regularly looks at what has been done and accepts patches/fixes, etc...

    Imagine that being done with other popular programs - I'd feel a lot safer using Outlook Express - how hard could it be to add a menu item saying "ignore all html and scripts"?

  9. points out a major security flaw some systems have by Artifex · · Score: 3, Informative
    At almost every credit card company, bank, and stock broker I have ever belonged to, I have found them using a very simple set of data to identify callers as "legitimate":
    • Name (of course)
    • SSN (even though they are not supposed to, and variously the full number or just the last 4, which can vary between calls to the same company)
    • Mother's maiden name
    • address
    • zip code
    • phone number
    Only my last broker has taken the additional step of asking me what my major current holdings were...

    The problem, of course, is that everyone in my immediate family knows all of this information about me, including my SSN. So do all of my doctors/dentists, etc. In fact, a number of genealogical sites can find out almost all of that, too. Also, anyone intercepting my paper mail can find out from brokerage mailings what my holdings are. However, getting these people to add another form of ID to the accounts is always either impossible or very difficult.

    Anyone else notice this problem, and have other suggestions or comments? I feel like lying on my mother's maiden name line from now on, and putting a password in it.
    --
    Get off my launchpad!
  10. Ivy League schools by DebianGeek · · Score: 3, Informative
    Sorry folks, you're all wrong. There are actually only 8 schools in the Ivy League: Brown, Cornell, Columbia, Dartmouth, Harvard, Pennsylvania, Princeton, and Yale.

    The term stems from the 1930's, when Stanford, MIT, and the other now-excellent schools were off the map. See http://etc.princeton.edu/CampusWWW/Companion/ivy_league.html

    If you come from an Ivy League school, you tend to know what the 8 schools are. If not, then any good school must be an Ivy League school.