Princeton Hacks Yale, Harvard Not Surprised
Semji Rkim writes: "Yale Daily News is running a story of several occasions in which Princeton officials entered the Yale Online website and viewed admissions decisions. Princeton officials claim they were simply researching security for their own website. Reportedly the website, on initial log-in, would show applicants either a congratulatory fireworks display or a rejection notice. Princeton officials informally mentioned that they had accessed students' records on Yale's admissions site at an Ivy League deans' conference. The Yale website apparently used names, birth dates, and social security information as unique identifiers to allow access to the site. They are considering adding a PIN in the future."
Just because you can do something with technology doesn't mean you should.
Names, birth dates, and social security numbers? So they're saying they didn't use any sort of security on the site, then. Hmmf.
Comic Book Guy: "There is no Groening in my store."
What makes you think that'd stop them?
"The Yale website apparently used names, birth dates, and social security information as unique identifiers to allow access to the site."
That has been standard at all three of the colleges I have attended. Usually the 'pin' if they have one is the birthdate in the form of mm/dd/yy or the last four digits of the social security number.
Yale seems to be acting like Princeton 'hacked' into their computer but in fact they set up a system that was 'secured' by information that just about anybody would have, particularly any other university that the student had also applied to. And who would think that students would apply to both Yale and Princeton? The ones who should REALLY be embarrassed is the school that set up their admissions approvals so that just about anybody could see them and then reply only that they are 'considering' adding a PIN number. Sorry, but if you put your data on a billboard it is not 'hacking' if other people see it.
I'm starting college in the fall, at Southern Polytechnic University. Going through the registration process (which they had us do entirely online [from the campus computer lab]), I noticed a few things that left me, well, disquieted to say the least, paranoid to say the most. To login required a username and PIN. The username was of course your student ID number. Unfortunately, your student ID number is *pause for dramatic effect* your social security number. And the PIN's not much better. A six digit number initially consisting of...guess. Yup, the student's birthdate. Needless to say, first thing I did was change my PIN. Just wish we didn't have to toss our SSN around so much. If you think I'm overly paranoid, well, you have a knack for discerning the obvious.
Love and Peace,
Valen
"The best compliment a girl ever gave me was 'Your hair smells nice.' I hate being the platonic friend." -Valen
I work for UC Santa Barbara, and I've seen a lot of this before. We force users to select usernames and passwords, and until recently, did not encrypt the users' passwords in our database. Just out of curiosity, I tried using the applicants' username/password on the e-mail accounts they entered.
Sure enough, I was able to access many of the e-mail accounts. I quickly stopped, realizing that some of these people probably also used the same username/password combinations for their bank accounts, etc.
Now, when users log in, an MD5 hash is compared against the hashed password in the database.
Many of the people were Hotmail users. Just think when your .NET Passport is also your bank and credit card authentication, or your NationalID card authentication, or...
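An added example, not part of the comment above or any system it describes: it stores the same constructed accounts with unsalted MD5 (the scheme the comment mentions) and with a per-user salted PBKDF2, then checks which stored values collide when two users reuse a password. The account names, passwords, and iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumed cost parameter for this example; tune to your own hardware budget.
PBKDF2_ITERATIONS = 600_000

# Constructed sample accounts: two users happen to reuse the same password.
SAMPLE_ACCOUNTS = {
    "alice": "fireworks2002",
    "bob": "fireworks2002",
    "carol": "a-different-passphrase",
}

def md5_record(password):
    """Unsalted MD5 digest: equal passwords always give equal records."""
    return hashlib.md5(password.encode()).hexdigest()

def kdf_record(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 record with a fresh random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "hash": digest}

def kdf_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])

def duplicate_groups(stored):
    """Return sorted groups of usernames whose stored value is identical."""
    by_value = defaultdict(list)
    for user, value in stored.items():
        by_value[value].append(user)
    return sorted(sorted(g) for g in by_value.values() if len(g) > 1)

if __name__ == "__main__":
    md5_table = {u: md5_record(p) for u, p in SAMPLE_ACCOUNTS.items()}
    kdf_table = {u: kdf_record(p) for u, p in SAMPLE_ACCOUNTS.items()}
    print("MD5 collisions:", duplicate_groups(md5_table))
    print("PBKDF2 collisions:",
          duplicate_groups({u: r["hash"] for u, r in kdf_table.items()}))
```

With unsalted MD5, anyone who reads the table can tell which accounts share a password; with a per-user salt the stored values differ even for identical passwords.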
ESR's authority to "deprecate" the meaning of the word for his or anyone else's little ego reasons.
The correct term is amelioration - the changing of the definition of a word to a better connotation. Happens all the time in the world. ESR doesn't have the authority, but users of the language do. The opposite is pejoration. Examples of amelioration are praise (originally a synonym for appraise), knight (originally a servant), and earl (originally just a man). More examples of amelioration and pejoration are left as an exercise for the student.
Happens all the time in the world. ESR doesn't have the authority, but users of the language do.
Exactly the point. A dictionary should reflect the language usage, not attempt to mold it. That's why I find ESR's attempt to change the meaning so offensive. He's corrupting the very purpose of a dictionary.
Sometimes it's best to just let stupid people be stupid.
Well, what's lame about it is that the rivalry exists solely on the Princeton side. Yale and Harvard focus their mutual dislike on each other, with Princeton carrying on their one-sided grudge from New Jersey and MIT periodically playing geekish pranks on Harvard. (Pasadena being too far away for routine hacks.)
What I'm listening to now on Pandora...
And what did they do? Like the responsible hackers who merely hack to test for security holes and whose stories are sometimes linked here on Slashdot, they tried to tell the Yale people that their system was insecure. How does Yale respond? Do they thank Princeton for the warning? No, they report them to the police! If this were any "normal" hacker warning of security holes they found, everyone here would be up in arms!
OK, so what Princeton did was obviously stupid, immoral, and probably illegal, and certainly deserving of punishment. But while the Yale Daily Herald does mention Princeton's explanation/excuse, they do so in very dismissive terms, and several friends of mine who read the article entirely missed the excuse and thought that this hacking was purely malicious. It was NOT, and it would be nice if that were noted. Then again, this is Slashdot, which isn't exactly famous for its impartiality =)
(Disclaimer: I was one of the students who got into Princeton this year, so I'm biased. Any other current students or incoming freshmen here?)
-- Imagine how much more advanced our technology would be if we had eight fingers per hand.
I just (barely) graduated from Yale, so I'll bite...
1. Why would Princeton want Yale rejects?
Because Yale (like many other schools of its type) gets so many good applicants that the admissions office claims you could get just as good a freshman class from the rejects each year. Since admissions is pretty much just dumb luck anyway, some quality people get rejected. And, of course, there's quite a bit of competition for applicants. Hell, some people get rejected from Yale and accepted at Harvard.
2. How crap is Yale for allowing something stupid like this?
Without going into too much detail, pretty dumb, yes. Most things here are given more careful thought.
3. How stupid are Yale for getting caught?
That's "Princeton" you meant. I think that's probably dumber. But it's hilarious all around. You just can't make this shit up...
The "Ivy League" is a hundred + year old football league.
No school will _EVER_ be asked to join the ivy league.
Get over yourselves.
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)