Princeton Hacks Yale, Harvard Not Surprised

Semji Rkim writes: "Yale Daily News is running a story of several occassions in which Princeton officials entered the Yale Online website and viewed admissions decisions. Princeton officials claim they were simply researching security for their own website. Reportedly the website, on initial log-in, would show applicants either a congratulatory fireworks display or a rejection notice. Princeton officials informally mentioned that they had accessed students' records on Yale's admissions site at an Ivy League deans' conference. The Yale website apparently used names, birth dates, and social security information as unique identifiers to allow access to the site. They are considering adding a PIN in the future."

All Info

[TheDick]

The other school someone had applied to would have access too.

Fucking shady.

And then, the people Harvard Rejected, Princeton could offer enrollment to, without fear of losing to the rival......

Makes your numbers look good to have everyone you accept enroll....

SSNs should be published in the phone book

[anthony_dipierro]

This way stupid schools won't be tempted to use them as security codes.

"hack"

[jd142]

How many times have people here wailed at the non-tech press for using the word "hack" to describe what most would technically term a "crack"? Well if you ever actually read the article, you'd see that Princeton didn't hack or crack. They used the ssn and birthdate supplied to them by their own applicants to access Yale's pages. In other words, they had the users' login and passwords and used them. Not a hack, not a crack. Thoroughly evil of course, but "merely" a lie.

MIT

[inburito]

Fortunately MIT does this a little differently and slightly more hacker proof. They don't rely on any publicly (to any admissions office) available information but assign you with a unique 9-digit id number from the beginning of the application process and all of your online information is tied to this id.

I should point out that you can only view your status (summary of received documents and final decision, nothing else) if you have this id and a last name but to actually update and change information on their information system you require a kerberos identity, the passphrases for which are sent (regular mail) after you're confirmed and accepted admission. I recall that the initial id-number is sent to you via regular mail with a confirmation that they received your application and assigned an interviewer etc.

Basically as long as you're not a complete moron (I think it is safe to assume this if you have been admitted to MIT) you're probably not going to give out your ssl-certificates or give out your id/uname/pw-combo plaintext over internet (and if you do you're totally responsible for all the misuse - they're not going to clear your name).

So I suppose MIT beat all the other ivy-league schools with respect to not getting hacked but then again what should you expect from the home of "hacks".

Re:MIT

[Darth_Burrito]

Fortunately MIT does this a little differently and slightly more hacker proof. They don't rely on any publicly (to any admissions office) available information but assign you with a unique 9-digit id number from the beginning of the application process and all of your online information is tied to this id.


This is what all schools should be doing. If an institution receives public funding, they are required to abide by FERPA, Family Education Rights and Privacy Act. This Act prohibits disclosure of personally identifiable information without written consent. So anytime your local university distributes a class roster with SSN's, any time they print an SSN on your University ID, or any time they use your SSN as an identifier for you in a campus wide database system, that is a violation of FERPA. For some reason, most universities ignore this. http://www.privacyrights.org/fs/fs10-ssn.htm

Exclusive schools do all kinds of sneaky things

[karlm]

Supposedly MIT and Harvard talk about who got admitted where. If you would have been admitted both places for engineering, they'll often only admit you at MIT and the other way arround for humanities and some of the pure sciences. And of course, if it seems you cn't live without "highest honors", they flag you for Brown. (Boo, hiss, yeah, I know. I really wanted to poke at Harvard, but Brown is so much worse in that respect.)

There was some fuss a few years ago about all of the Ivy League schools talking about what they were going to offer for financial aid, and then offering identical packages to the same student. They claimed it was so that only the studen't opninion of the school made the difference, some students felt it was illegal anticompetitive behavior.

In any case, schools always have gambles with who to let in. Admitting a student means you have to find space for her/him. Empty beds cost you money. The University of Michigan Anne Arbor is notorious for wait-listing students they think will go elsewhere. They wait-listed me and I got into MIT with no wait. The same thing happened to several of my friends at MIT.

High acceptance percentages also help pestige, which give you better students and more proud alums. More proud alums are better donators and better students make for more rich alums.

Re:Exclusive schools do all kinds of sneaky things

[feldkamp]

I go to UM Ann Arbor...

They are notorious for waitlisting people... but they don't do it based on where they think the person will go. They have a very numeric "scorecard" that takes into account test scores, racial profile, sex, socio-economic profile, high school grades, difficulty of high school, quality of essay, etc.

In the end, they take the top chuck, accept them, and waitlist the middle chunk. People from the middle chuck they accept based upon how many non-acceptance notifications they had from the accepted group.

One thing you can do, though, is call up UM and ask to talk to the person that is reviewing your application. This person can have *serious pull* in getting you accepted if you are on the waitlist. They can add something like 20% to your numeric score... my roomate freshman year was one of the waitlisted people, and he did this... he got in with no problem.

Ever hear of the "Overlap Case"?

[jat2]

I was an undergrad at MIT in the early 90's when the DoJ decided to sue 22 universities for violating the Sherman Anti-Trust act. It was called the "Overlap Case". The really funny thing about it all was that apparently, when proposing the Sherman Anti-Trust Act, Sherman himself stated that it should not be applied to schools. Anyway, I digress. Basically, the Ivies got on their knees and begged for mercy and only MIT was left fighting the DoJ. Eventually, MIT and the DoJ set up rules under which schools were allowed to pool admissions info (I think only financial aid info, but I'm not sure), and the DoJ dropped the charges.

I wonder if this recent act violates those rules?

Yale Knew They Had a Problem--Or Should Have

[John+Murdoch]

I just linked to the Daily Yalie site, and in their comments on the article there's a note from a former columnist in the Yale Herald: back in 2000 he wrote a column pointing out Yale's prediliction for using the SSN for a password, and how anybody with half a brain could use that to hack all sorts of Yale systems. Definitely worth a look--and it will lead you to the conclusion that Yale's admissions people are, well, stupid.

John Murdoch
Penn '80