Princeton Hacks Yale, Harvard Not Surprised

Semji Rkim writes: "Yale Daily News is running a story of several occassions in which Princeton officials entered the Yale Online website and viewed admissions decisions. Princeton officials claim they were simply researching security for their own website. Reportedly the website, on initial log-in, would show applicants either a congratulatory fireworks display or a rejection notice. Princeton officials informally mentioned that they had accessed students' records on Yale's admissions site at an Ivy League deans' conference. The Yale website apparently used names, birth dates, and social security information as unique identifiers to allow access to the site. They are considering adding a PIN in the future."

Acceptance letters?

Just because you can do something with technology doesn't mean you should.

Bing, bang, boom.

[tg_schlacht]

Yaledailynews has met it's doom. Slashdotted that is.

The Yale website apparently used names, birth dates, and social security information as unique identifiers to allow access to the site. They are considering adding a PIN in the future.

Maybe they could use a credit card number as a PIN. Then it could be a one-stop shop for the lazy identity-thief.

Obligatory Simpson's Quote

[unicron]

Sideshow Bob: Are you still angry about being kicked out of clown college?

Cecil: I'll thank you not to refer to Princeton that way.

In case of slashdotting

Here's the original article:

HTTP/1.1 Server Too Busy

Re:Sneaky

[CaseyG]

If anything, it shows that the guys at Princeton can 'think outside the box' more than those at Yale.

Unfortunately, they wandered into someone else's box.

-c.

Nice

[Reality+Master+101]

Reportedly the website, on initial log-in, would show applicants either a congratulatory fireworks display or a rejection notice.

Fireworks? What's their rejection notice, then? Top rejection notice graphics:

-- Picture of Nelson saying "HA! HA!"
-- Picture of MacDonald's and link to "Hamburger University"
-- Picture of funeral with the casket labelled "your future" slowly being lowered into ground
-- The Dell guy saying, "Dude, you're goin' to Community College!"

Re:Nice

[Reality+Master+101]

By the way, just in case anyone thought I was kidding, there really is a Hamburger University. :)

working link!

[joedoe]

you might want to link to this--the "high traffic" version of the article, since it actually works.

MSNBC.com story

[SoCalChris]

Here is the story on MSNBC.com.

http://www.msnbc.com/news/785677.asp

Security?

[hoowee]

Names, birth dates, and social security numbers? So they're saying they didn't use any sort of security on the site, then. Hmmf.

They weren't hacking.

[Elwood+P+Dowd]

Just think... if they had notified the Attorney General's office it would have been legal. Well. In a few months.

SSNs should be published in the phone book

[anthony_dipierro]

This way stupid schools won't be tempted to use them as security codes.

Re:SSNs should be published in the phone book

[ceejayoz]

What makes you think that'd stop them?

"hack"

[jd142]

How many times have people here wailed at the non-tech press for using the word "hack" to describe what most would technically term a "crack"? Well if you ever actually read the article, you'd see that Princeton didn't hack or crack. They used the ssn and birthdate supplied to them by their own applicants to access Yale's pages. In other words, they had the users' login and passwords and used them. Not a hack, not a crack. Thoroughly evil of course, but "merely" a lie.

Re:"hack"

[Reality+Master+101]

How many times have people here wailed at the non-tech press for using the word "hack" to describe what most would technically term a "crack"?

Sorry, but the press is right and all of you are wrong. From the Jargon File, sense 8:

[deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence `password hacker', `network hacker'. The correct term for this sense is cracker.

The problem with this is that the user of "hacker" as someone who breaks into computer systems WAS one of the original uses of the word. I don't recognize ESR's authority to "deprecate" the meaning of the word for his or anyone else's little ego reasons.

That's one of the word's original computer uses. Get over it.

Re:"hack"

[theLOUDroom]

Actually the term hacker originally had nothing to do with unauthorized use of computer systems. Its a very old term (>20yrs). Read about it.
You don't know what you talking about. Get over it.

Re:"hack"

[jd142]

ESR's authority to "deprecate" the meaning of the word for his or anyone else's little ego reasons.

The correct term is amelioration - the changing of the definition of a word to a better connotation. Happens all the time in the world. ESR doesn't have the authority, but users of the language do. The opposite is pejoration. Examples of amelioration are praise (originally a synonym for appraise), knight (originally a servant), and earl(originally just a man). More examples of amelioration and pejoration are left as an exercise for the student.

Re:"hack"

[Reality+Master+101]

Happens all the time in the world. ESR doesn't have the authority, but users of the language do.

Exactly the point. A dictionary should reflect the language usage, not attempt to mold it. That's why I find ESR's attempt to change the meaning so offensive. He's corrupting the very purpose of a dictionary.

Re:How would students get their PIN?

[mberman]

They could do it that way, or they could have the student select a PIN on their admission form, just add an extra box that says "Enter PIN for online acceptance checking here." Keep in mind that this isn't *required* to find out whether or not you get in, so if someone forgot their PIN, it wouldn't be the end of the world...they'd just have to wait the extra week to get it in the mail. The online version is just for impatient students.

MIT

[inburito]

Fortunately MIT does this a little differently and slightly more hacker proof. They don't rely on any publicly (to any admissions office) available information but assign you with a unique 9-digit id number from the beginning of the application process and all of your online information is tied to this id.

I should point out that you can only view your status (summary of received documents and final decision, nothing else) if you have this id and a last name but to actually update and change information on their information system you require a kerberos identity, the passphrases for which are sent (regular mail) after you're confirmed and accepted admission. I recall that the initial id-number is sent to you via regular mail with a confirmation that they received your application and assigned an interviewer etc.

Basically as long as you're not a complete moron (I think it is safe to assume this if you have been admitted to MIT) you're probably not going to give out your ssl-certificates or give out your id/uname/pw-combo plaintext over internet (and if you do you're totally responsible for all the misuse - they're not going to clear your name).

So I suppose MIT beat all the other ivy-league schools with respect to not getting hacked but then again what should you expect from the home of "hacks".

Re:MIT

[Darth_Burrito]

Fortunately MIT does this a little differently and slightly more hacker proof. They don't rely on any publicly (to any admissions office) available information but assign you with a unique 9-digit id number from the beginning of the application process and all of your online information is tied to this id.


This is what all schools should be doing. If an institution receives public funding, they are required to abide by FERPA, Family Education Rights and Privacy Act. This Act prohibits disclosure of personally identifiable information without written consent. So anytime your local university distributes a class roster with SSN's, any time they print an SSN on your University ID, or any time they use your SSN as an identifier for you in a campus wide database system, that is a violation of FERPA. For some reason, most universities ignore this. http://www.privacyrights.org/fs/fs10-ssn.htm

SSN for Login is a bad idea

[Valen+Faerlwynd]

I'm starting college in the fall, at Southern Polytechnic University. Going through the registration process (which they had us do entirely online [from the campus computer lab]), I noticed a few things that left me, well, disquited to say the least, paranoid to say the most. To login required a username and PIN. The username was of course you're student ID number. Unfortunately, your student ID number is *pause for dramatic effect* your social security number. And the PIN's not much better. A six digit number initially consisting of...guess. Yup, the student's birthdate. Needless to say, first thing I did was change my PIN. Just wish we didn't have to toss our SSN around so much. If you think I'm overly paranoid, well, you have a knack for discerning the obvious.

Love and Peace,
Valen

Re:SSN for Login is a bad idea

[Sabalon]

Blame SCT, the people who make the student records system (Banner) that SP uses. While the decision to use SSN or whatever else for ID (an oracle VARCHAR2(9) field), the system forces you to use a 6 digit numeric pin.

Why?

Because they also have a voice response system (you know - press 1 for this) that you can remotly access your info, and this is why they have such a weak password.

When they added the web product after the VR product, they should have added another field for a stronger password instead of just using the same table for all third party access.

Now...on a different note, SCT's product is true open-source. Any of the database procedures, C/COBOL programs, forms, etc... all come as source and you have to build them on your system. Any school using this could modify the login to use anything (some have to use LDAP and other schemes).

The only problem that keeps most places from doing this is that when you get upgrades/patches (and there are a lot) you have to make sure it doesn't wipeout/replace your customizations. Kind of a pain, but for somethings like this it's worth it.

But here is a great way for open source to work - it's a ridiculously expensive package (and a huge one) but you have all the source and can fix things without having to wait for a vendor patch.

This has helped form a community of users who freely share info, mods, etc... and the company regularly looks at what has been done and accepts patches/fixes, etc...

Imagine that being done with other popular programs - I'd feel a lot safer using Outlook Express - how hard could it be to add a menu item saying "ignore all html and scripts"

This happens all the time

[patrick146]

I work for UC Santa Barbara, and I've seen a lot of this before. We force users to select usernames and passwords, and until recently, did not encrypt the users passwords in our database. Just out of curiosity, I tried using the applicants username/password on the e-mail accounts they entered.

Sure enough, I was able to access many of the e-mail accounts. I quickly stopped, realizing that some of these people probably also used the same username/password combinations for their bank accounts, etc.

Now, when users log in, an MD5 hash is compared against the hashed password in the database.

Many of the people were Hotmail users. Just think when your .NET Passport is also your bank and credit card authentication, or your NationalID card authentication, or...

Exclusive schools do all kinds of sneaky things

[karlm]

Supposedly MIT and Harvard talk about who got admitted where. If you would have been admitted both places for engineering, they'll often only admit you at MIT and the other way arround for humanities and some of the pure sciences. And of course, if it seems you cn't live without "highest honors", they flag you for Brown. (Boo, hiss, yeah, I know. I really wanted to poke at Harvard, but Brown is so much worse in that respect.)

There was some fuss a few years ago about all of the Ivy League schools talking about what they were going to offer for financial aid, and then offering identical packages to the same student. They claimed it was so that only the studen't opninion of the school made the difference, some students felt it was illegal anticompetitive behavior.

In any case, schools always have gambles with who to let in. Admitting a student means you have to find space for her/him. Empty beds cost you money. The University of Michigan Anne Arbor is notorious for wait-listing students they think will go elsewhere. They wait-listed me and I got into MIT with no wait. The same thing happened to several of my friends at MIT.

High acceptance percentages also help pestige, which give you better students and more proud alums. More proud alums are better donators and better students make for more rich alums.

Re:Ah, a true nerd's war

[Otter]

My sister graduated from princeton and they teach you to hate hate hate yale and harvard. At their triangle shows (a really funny play that the theater group puts on), if they say Yale at any time during their show, everyone in the theater must immediately say SUCKS. There is something similar for harvard, but I haven't been to a show in so long so I forgot). From the outside it seems lame, but it sure is funny.

Well, what's lame about it is that the rivalry exists solely on the Princeton side. Yale and Harvard focus their mutual dislike on each other, with Princeton carrying on their one-sided grudge from New Jersey and MIT periodically playing geekish pranks on Harvard. (Pasadena being too far away for routine hacks.)

March, march on down the field, fighting for Eli,
Break through that crimson line, their strength to defy...

In Defense of Princeton

[SMN]

There's plenty of evidence to back Princeton's excuse that they were just "testing" the system. Princeton doesn't have any system up to inform students of their admissions decisions online; Yale does. Princeton IS evaluating ways to do this, and it would appear that they were actually testing how well Yale's system works. In doing so, they found that Yale's system did NOT work so well.

And what did they do? Like the responsible hackers who merely hack to test for security holes and whose stories are sometimes linked here on Slashdot, they tried to tell the Yale people that their system was insecure. How does Yale respond? Do they thank Princeton for the warning? No, they report them to the police! If this were any "normal" hacker warning of security holes they found, everyone here would be up in arms!

OK, so what Princeton did was obviously stupid, immoral, and probably illegal, and certainly deserving of punishment. But while the Yale Daily Herald does mention Princeton's explanation/excuse, they do so in very dismissive terms, and several friends of mine who read the article entirely missed the excuse and thought that this hacking was purely malicious. It was NOT, and it would be nice if that were noted. Then again, this is Slashdot, which isn't exactly famous for its impartiality =)

(Disclaimer: I was one of the students who got into Princeton this year, so I'm biased. Any other current students or incoming freshmen here?)

Yale Knew They Had a Problem--Or Should Have

[John+Murdoch]

I just linked to the Daily Yalie site, and in their comments on the article there's a note from a former columnist in the Yale Herald: back in 2000 he wrote a column pointing out Yale's prediliction for using the SSN for a password, and how anybody with half a brain could use that to hack all sorts of Yale systems. Definitely worth a look--and it will lead you to the conclusion that Yale's admissions people are, well, stupid.

John Murdoch
Penn '80

points out a major security flaw some systems have

[Artifex]

At almost every credit card company, bank, and stock broker I have ever belonged, I have found them using a very simple set of data to identify callers as "legitimate":

• Name (of course)
• SSN (even though they are not supposed to, and variously the full number or just the last 4, which can vary between calls to the same company)
• Mother's maiden name
• address
• zip code
• phone number

Only my last broker has taken the additional step of asking me what my major current holdings were...

The problem, of course, is that everyone in my immediate family knows all of this information about me, including my SSN. So do all of my doctors/dentists, etc. In fact, a number of genealogical sites can find out almost all of that, too. Also, anyone intercepting my paper mail can find out from brokerage mailings what my holdings are. However, getting these people to add another form of ID to the accounts is always either impossible or very difficult.

Anyone else notice this problem, and have other suggestions or comments? I feel like lying on my mother's maiden name line from now on, and putting a password in it.

Ivy League schools

[DebianGeek]

Sorry folks, you're all wrong. There are actually only 8 schools in the Ivy League: Brown, Cornell, Columbia, Dartmouth, Harvard, Pennsylvania, Princeton, and Yale.

The term stems from the 1930's, when Stanford, MIT, and the other now-excellent schools were off the map. See http://etc.princeton.edu/CampusWWW/Companion/ivy_l eague.html

If you come from an Ivy League school, you tend to know what the 8 schools are. If not, then any good school must be an Ivy League school.

Re:Ivy League schools

[Vengie]

The "Ivy League" is a hundred + year old football league.
No school will _EVER_ be asked to join the ivy league.
Get over yourselves.

Re:I might just be an Oxbridge dummy but...

[the+gnat]

I just (barely) graduated from Yale, so I'll bite...

1. Why would Princeton want Yale rejects?

Because Yale (like many other schools of its type) gets so many good applicants that the admissions office claims you could get just as good a freshman class from the rejects each year. Since admissions is pretty much just dumb luck anyway, some quality people get rejected. And, of course, there's quite a bit of competition for applicants. Hell, some people get rejected from Yale and accepted at Harvard.

2. How crap is Yale for allowing something stupid like this?

Without going into too much detail, pretty dumb, yes. Most things here are given more careful thought.

3. How stupid are Yale for getting caught?

That's "Princeton" you meant. I think that's probably dumber. But it's hilarious all around. You just can't make this shit up...