Slashdot Mirror
Princeton Hacks Yale, Harvard Not Surprised
Semji Rkim writes: "Yale Daily News is running a story of several occassions in which Princeton officials entered the Yale Online website and viewed admissions decisions. Princeton officials claim they were simply researching security for their own website. Reportedly the website, on initial log-in, would show applicants either a congratulatory fireworks display or a rejection notice. Princeton officials informally mentioned that they had accessed students' records on Yale's admissions site at an Ivy League deans' conference. The Yale website apparently used names, birth dates, and social security information as unique identifiers to allow access to the site. They are considering adding a PIN in the future."
The other school someone had applied to would have access too.
Fucking shady.
And then, the people Harvard Rejected, Princeton could offer enrollment to, without fear of losing to the rival......
Makes your numbers look good to have everyone you accept enroll....
Just because you can do something with technology doesn't mean you should.
Yaledailynews has met it's doom. Slashdotted that is.
The Yale website apparently used names, birth dates, and social security information as unique identifiers to allow access to the site. They are considering adding a PIN in the future.
Maybe they could use a credit card number as a PIN. Then it could be a one-stop shop for the lazy identity-thief.
Sideshow Bob: Are you still angry about being kicked out of clown college?
Cecil: I'll thank you not to refer to Princeton that way.
Finally, math books without any of that base 6 crap in them.
I saw this article on fark earlier today, maybe they're partly responsible. Here's a link to the msnbc article: http://www.msnbc.com/news/785677.asp?0si=-
WWJD.... for a Klondike bar?
HTTP/1.1 Server Too Busy
Unfortunately, they wandered into someone else's box.
-c.
Casey
More scratches on the cave wall, thanks be to anonymity.
Reportedly the website, on initial log-in, would show applicants either a congratulatory fireworks display or a rejection notice.
Fireworks? What's their rejection notice, then? Top rejection notice graphics:
-- Picture of Nelson saying "HA! HA!"
-- Picture of MacDonald's and link to "Hamburger University"
-- Picture of funeral with the casket labelled "your future" slowly being lowered into ground
-- The Dell guy saying, "Dude, you're goin' to Community College!"
Sometimes it's best to just let stupid people be stupid.
Just go straight to http://www.yaledailynews.com, it has it on the front page which I would assume is static, and therefore less liable to give a HTTP 500 error.
you might want to link to this--the "high traffic" version of the article, since it actually works.
Here is the story on MSNBC.com.
http://www.msnbc.com/news/785677.asp
Princeton: "Ha! We'll show those lousy Yale folks! Let's hack into their admissions website and accept the people they reject! That'll teach 'em!" Yale: "Those no-good ruffians at Princeton! That's it, we'll publish a scientific paper criticizing Princeton's actions as philosophical proof of their inferiority! That'll teach 'em!" Meanwhile, at, say, UT- UT: "OU beat us in football! Let's steal their president and shave him bald! That'll teach 'em!" OU: "That's it! Let's burn down their stadium! That'll teach 'em!"
Names, birth dates, and social security numbers? So they're saying they didn't use any sort of security on the site, then. Hmmf.
Comic Book Guy: "There is no Groening in my store."
Just think... if they had notified the Attorney General's office it would have been legal. Well. In a few months.
There are no trails. There are no trees out here.
This way stupid schools won't be tempted to use them as security codes.
How many times have people here wailed at the non-tech press for using the word "hack" to describe what most would technically term a "crack"? Well if you ever actually read the article, you'd see that Princeton didn't hack or crack. They used the ssn and birthdate supplied to them by their own applicants to access Yale's pages. In other words, they had the users' login and passwords and used them. Not a hack, not a crack. Thoroughly evil of course, but "merely" a lie.
I thought students sent information to Yale, and then Yale responded by accepting or rejecting them. There's no opportunity in that transaction for Yale to give the students a PIN.
If there's a Yale form they have to fill out, then Yale could print a random PIN on every form (and require students to remember it). Hum, but what if the students forgot to copy down their PIN? Perhaps that would be an extra screening, Yale would only accept students who could keep track of your PIN?
Yale: I say o'l chap it appears you have been poking around in our computers. We can't have you hacking away at our students while they are playing tennis now can we?
Princeton: Good show on that discovery my dear friend. We just simply couldn't resist seeing how similar are credit card transactions were, I dare say we are quite a like in many respects.
Yale: Alright then, as long as its in good fun. I must be getting back to my weekly spa. Ta ta!
http://www.yaledailynews.com/"
Test your net with Netalyzr
Go figure.
I would think that using someones SSN to access something meant for them alone would be an illegal invasion of privacy. I could also see this as a gag some dumb office employees started when the realized that many people apply to the same universities. Or maybe the application form just asks for other schools they apply to.
-Sean
Fortunately MIT does this a little differently and slightly more hacker proof. They don't rely on any publicly (to any admissions office) available information but assign you with a unique 9-digit id number from the beginning of the application process and all of your online information is tied to this id.
I should point out that you can only view your status (summary of received documents and final decision, nothing else) if you have this id and a last name but to actually update and change information on their information system you require a kerberos identity, the passphrases for which are sent (regular mail) after you're confirmed and accepted admission. I recall that the initial id-number is sent to you via regular mail with a confirmation that they received your application and assigned an interviewer etc.
Basically as long as you're not a complete moron (I think it is safe to assume this if you have been admitted to MIT) you're probably not going to give out your ssl-certificates or give out your id/uname/pw-combo plaintext over internet (and if you do you're totally responsible for all the misuse - they're not going to clear your name).
So I suppose MIT beat all the other ivy-league schools with respect to not getting hacked but then again what should you expect from the home of "hacks".
Yale seems to be acting like Princeton 'hacked' into their computer but in fact they set up a system that was 'secured' by information that just about anybody would have, particularly any other university that they student had also applied to. And who would think that students would apply to both Yale and Princeton? The ones who should REALLY be embarrased is the school that set up their admissions approvals so that just about anybody could see them and then reply only that they are 'considering' adding a PIN number. Sorry, but if you put your data on a billboard it is not 'hacking' if other people see it.
No really officer, I was just testing to see if these keys that I came by were enough to get in, or if there was also a security system. And I did it 18 times because I wanted to be really sure. Yes, I did see that "NO TRESSPASSING" sign, but its not like I stole anything.
Don't moderate flamebait as Troll. Know the difference or you will be Meta-moderated.
I'm starting college in the fall, at Southern Polytechnic University. Going through the registration process (which they had us do entirely online [from the campus computer lab]), I noticed a few things that left me, well, disquited to say the least, paranoid to say the most. To login required a username and PIN. The username was of course you're student ID number. Unfortunately, your student ID number is *pause for dramatic effect* your social security number. And the PIN's not much better. A six digit number initially consisting of...guess. Yup, the student's birthdate. Needless to say, first thing I did was change my PIN. Just wish we didn't have to toss our SSN around so much. If you think I'm overly paranoid, well, you have a knack for discerning the obvious.
Love and Peace,
Valen
"The best compliment a girl ever gave me was 'Your hair smells nice.' I hate being the platonic friend." -Valen
I work for UC Santa Barbara, and I've seen a lot of this before. We force users to select usernames and passwords, and until recently, did not encrypt the users passwords in our database. Just out of curiosity, I tried using the applicants username/password on the e-mail accounts they entered.
.NET Passport is also your bank and credit card authentication, or your NationalID card authentication, or...
Sure enough, I was able to access many of the e-mail accounts. I quickly stopped, realizing that some of these people probably also used the same username/password combinations for their bank accounts, etc.
Now, when users log in, an MD5 hash is compared against the hashed password in the database.
Many of the people were Hotmail users. Just think when your
YALE: We have an insecure website, which allows anyone with a student's birth date and SSN to look at a student's personal details.
PRINCETON: We took advantage of this and looked at the details of 11 students. We also got to find out whether or not they were accepted or rejected, so we could poach 'em. W00t!
YALE: No fair! You're not supposed to get into our website like that! See you in court!
PRINCETON: No fair! We were just checking out the security! Hell, it was an insecure system, anyway!
YALE: STFU, WHINER!
Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".
Here is the scoop from CNN:
p /index.html
http://www.cnn.com/2002/US/07/25/yale.princeton.a
I was a graduate student at Princeton. Each year at admissions time, the student newspaper would trumpet that once again Princeton was the 'most exclusive' university in the country. The justification for this was that they had accepted a smaller percentage of their applicants than any other university. This always struck me as a bizare measure of merit, as it is only loosely correlated to the quality of students.
I can offer Princeton some advice on how to increase their exclusivity:
1) Slash the application fee. Someone with a 1 in 1000 chance of being accepted will be more inclined to apply if it costs $10 than if it costs $50.
2) With many more applications at a much lower fee, there will be problems with budget blow-out on evaluating them. No problem - save costs by heavy handed use of randomness in the selection process. This has the additional benefit if increasing the chances for borderline applicants to be accepted, which will even further increase applications.
The ultimate extension of this is that you raffle off admissions places, and count everyone who bought a ticket as an applicant. This could push your exclusivity from about 1 in 6 to 1 in 10,000.
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
I need to see certain university deans doing prison time for this. Randal L. Schwartz, anyone?
-fb Everything not expressly forbidden is now mandatory.
Columbia University could not be reached for comment.
The previous has been a secret message to my comrades.
There was some fuss a few years ago about all of the Ivy League schools talking about what they were going to offer for financial aid, and then offering identical packages to the same student. They claimed it was so that only the studen't opninion of the school made the difference, some students felt it was illegal anticompetitive behavior.
In any case, schools always have gambles with who to let in. Admitting a student means you have to find space for her/him. Empty beds cost you money. The University of Michigan Anne Arbor is notorious for wait-listing students they think will go elsewhere. They wait-listed me and I got into MIT with no wait. The same thing happened to several of my friends at MIT.
High acceptance percentages also help pestige, which give you better students and more proud alums. More proud alums are better donators and better students make for more rich alums.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
"Columbia University could not be reached for comment."
Ahh, so Princeton is DDOS'ing them?
They're probably just "ensuring the capacity of Columbia's server is adequate to meet tomorrow's demand."
-- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
But for the past 20-25 years it's been primarily used to refer to unauthorized use of computer systems. Only in the past 5 or so years have some people been trying to resurrect the original (long since obsolete) usage, which is about as likely to be successful as convincing people that "gay" merely means "happy" and has nothing to do with homosexuality.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
I wonder if this recent act violates those rules?
I'm not going to claim it wasn't used at all in the original usage, but during the 1980s I primarily heard it used to describe unauthorized access to computer systems. This wasn't just by the media (which didn't use it all at until the mid-to-late 1980s when it became a major issue), but by the majority of people who frequented BBSs and local computer clubs.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Let the bullshit grandstanding begin...
"[accessing the site] could have provided informational advantage to Princeton beyond just whether a student was accepted or rejected," The editor in chief of The Yale Daily News, Chris Michel said. "As a student, it's especially disturbing to find that a university would exploit information like this. We put a lot of trust in universities."
I cant say that im unbiased but this looks alot like a stupid but completely unmolitious decision which the yale daily is using to get some press.
The facts support the asertion that princeton did gain access to the site only to test the security of hte web page, i mean 18 attempts 11 student accounts accessed? this isnt exactly a massive example of data mining to give princeton a competetive advantage. It makes more sense to me that someone was probably like hmm i wonder how secure yales site is, and after a cursory glance realized that he could access the pages with information on file.
Also from a personal standpoint the people involved really arent the types to try and cheat lie or steal for anything, let alone to gain a slight advantage over a small handful of students. Take that with a grain of salt if you want, like i said im not unbiased.
--aiee
I have Karma To Burn.... Let me tell you something. This is the result of the political machinations of Alexander Clark A yale microsoft drone. Clark has been working for M$ for a long ass time. Essentially, he made a website (yalestation.com^h^h^h.org when he realized people were on to him) in order to be powerful/whatever. He bamboozled our administration into thinking this was a "good thing" (tm) The real "nerd" (read: not m$ junkies) at our school were up in arms over this insanity. There's a whole dramatic background story (thats about 4 pages typed) if you'd like to know.... This "hack" is the result of one boy's ego trip. More info? reply to post and i'll email you the whole story.
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
It's hardly a secret that these universities collude to set admisions standards, numbers of seats available and, of course, prices. What's interesting, and more than likely fictional, is that they had to go to any real trouble to get the information.
Friends don't help friends install M$ junk.
And what did they do? Like the responsible hackers who merely hack to test for security holes and whose stories are sometimes linked here on Slashdot, they tried to tell the Yale people that their system was insecure. How does Yale respond? Do they thank Princeton for the warning? No, they report them to the police! If this were any "normal" hacker warning of security holes they found, everyone here would be up in arms!
OK, so what Princeton did was obviously stupid, immoral, and probably illegal, and certainly deserving of punishment. But while the Yale Daily Herald does mention Princeton's explanation/excuse, they do so in very dismissive terms, and several friends of mine who read the article entirely missed the excuse and thought that this hacking was purely malicious. It was NOT, and it would be nice if that were noted. Then again, this is Slashdot, which isn't exactly famous for its impartiality =)
(Disclaimer: I was one of the students who got into Princeton this year, so I'm biased. Any other current students or incoming freshmen here?)
-- Imagine how much more advanced our technology would be if we had eight fingers per hand.
A microshaft drone has enthralled our administration with his whiz-bang fancy flowery bs. Trust me...our nerd community is already up in arms over this and probably will do something bout it. ;)
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
I just linked to the Daily Yalie site, and in their comments on the article there's a note from a former columnist in the Yale Herald: back in 2000 he wrote a column pointing out Yale's prediliction for using the SSN for a password, and how anybody with half a brain could use that to hack all sorts of Yale systems. Definitely worth a look--and it will lead you to the conclusion that Yale's admissions people are, well, stupid.
John Murdoch
Penn '80
- Name (of course)
- SSN (even though they are not supposed to, and variously the full number or just the last 4, which can vary between calls to the same company)
- Mother's maiden name
- address
- zip code
- phone number
Only my last broker has taken the additional step of asking me what my major current holdings were...The problem, of course, is that everyone in my immediate family knows all of this information about me, including my SSN. So do all of my doctors/dentists, etc. In fact, a number of genealogical sites can find out almost all of that, too. Also, anyone intercepting my paper mail can find out from brokerage mailings what my holdings are. However, getting these people to add another form of ID to the accounts is always either impossible or very difficult.
Anyone else notice this problem, and have other suggestions or comments? I feel like lying on my mother's maiden name line from now on, and putting a password in it.
Get off my launchpad!
The term stems from the 1930's, when Stanford, MIT, and the other now-excellent schools were off the map. See http://etc.princeton.edu/CampusWWW/Companion/ivy_l eague.html
If you come from an Ivy League school, you tend to know what the 8 schools are. If not, then any good school must be an Ivy League school.
I just (barely) graduated from Yale, so I'll bite...
1. Why would Princeton want Yale rejects?
Because Yale (like many other schools of its type) gets so many good applicants that the admissions office claims you could get just as good a freshman class from the rejects each year. Since admissions is pretty much just dumb luck anyway, some quality people get rejected. And, of course, there's quite a bit of competition for applicants. Hell, some people get rejected from Yale and accepted at Harvard.
2. How crap is Yale for allowing something stupid like this?
Without going into too much detail, pretty dumb, yes. Most things here are given more careful thought.
3. How stupid are Yale for getting caught?
That's "Princeton" you meant. I think that's probably dumber. But it's hilarious all around. You just can't make this shit up...
Comment removed based on user account deletion
You're absolutely correct and I should've definetly worded my last paragraph differently but it was late and blahblah..
I believe that one of the biggest reasons why MIT is not an ivy-league school is that they do not offer any athletic scholarships. And they'll be stuck with their current category until they do so. It is interesting to note that as a matter of fact MIT does not offer any scholarships as such!
All they have is need based financial assistance. Nothing to do with academics, sports, etc. If you got in and can't afford the 40K/year they'll cover up to 100% depending on your need (you do have to prove yourself pretty good) and as one of the few schools in country they do this for international students too.
I believe that one of the biggest reasons why MIT is not an ivy-league school is that they do not offer any athletic scholarships. And they'll be stuck with their current category until they do so. It is interesting to note that as a matter of fact MIT does not offer any scholarships as such!
Wrong! Yale does not do this either. They only offer need-based assistance, though various third parties may have Yale-related scholarships. As far as I know, we've never had athletic scholarships, and opinion is pretty strong against introducing them. The Ivy League also does not have football games after Thanksgiving, based on the premise that students are here to work, not play games.
I don't know if this applies to the other Ivies as well, but I suspect it does to most of them. Stanford, on the other hand, does have athletic scholarships, which as far as I'm concerned is the only thing keeping them from being in the same class as the Ivies. (their academics and research, of course, being about equal.)
gnat = nat e?
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
princeton university gives only need-based gifts, although they do allow third parties to give non-need-based scholarships.
of course, all this talk of "need-based" and non-"need-based" scholarships gets pretty flexible with athletics. sometimes alumni give money for need-based scholarships applying to "an outstanding lacrosse player from Connecticut with size 10 feet whose last name is Duffy-Cockthorpe."
jon
-- http://www.cerastes.org
The Slashdot article is a short note with a link elsewhere. The Slashdot "editors" cannot reasonably be held responsible for what others write, and this clearly is news that is interesting to nerds.
And most of the talkbacks that I've read are about how irresponsible it is to put up a web site with such weak security.
So I don't see why the sideswipe a Slashdot (this time).
I think we've pushed this "anyone can grow up to be president" thing too far.