Harvard Business School: You Peek, You Lose
mosel-saar-ruwer writes "Seems Harvard Business school was using the ApplyYourself web service to process applications. Sometime in the last few days, an anonymous hacker, known as 'brookbond', was able to crack the system, and discovered that Harvard had already posted acceptance letters to the website fully a month before they were to be mailed to their recipients. He posted instructions on how applicants could view their letters at the BusinessWeek forums, and approximately 119 applicants followed his advice. Today, the dean of the Harvard Business School, one Kim Clark, announced that none of the 119 would be admitted: 'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'"
Wow. So even though only one person actually did the hard work of figuring out how to hack into the site, 119 other individuals figured they too should follow the directions to hack in and learn the results. Harvard (rightly so) decided to not admit any of the 119 even though some of them possibly were initially accepted. Is this a response to some of the unethical and deceptive practices that have been rampant in the business world (i.e. Worldcom, Enron, pick your fav.) of late? Perhaps, but this is especially important in that much of business school (especially in Ivy League schools) is about establishing relationships and connections. Do we want a bunch of ethically challenged folks getting to know one another in Harvard Business School? I think not. In light of many of the current scandals in the business world, I would like to believe that schools do pay attention to these issues and perform some filtering at the front end rather than filtering or correcting during the educational process. After all, there are some things that cannot be taught. By the time one applies to business school, patterns of behavior are fairly well entrenched and behavioral correction of things we were supposed to learn in kindergarten is not the business school's responsibility.
It would be interesting to find out what their stories are. Why did they do it and what were they possibly thinking? Do they believe they should be blacklisted?
It should also be noted that Harvard was not the only school affected by this hack. Other business schools (MIT, Stanford, Carnegie Mellon and Duke) were also compromised and I would encourage those schools to adopt the same actions as Harvard in this case.
Visit Jonesblog and say hello.
ApplyYourself web service isn't actually a web service (not SOAP, not REST). An *anonymous* hacker *known* as "brookbond." Their letters weren't *at* BusinessWeek Forums. Unethical behavior discouraged by a business school (pot meet kettle).
...Ahem...fp
See any serious problems with this story?
A programmer is a machine for converting coffee into code.
That's gotta hurt.
God knows that this sort of unethical behavior and borderline illegal practice is totally out of place in our business community. Obviously, these punks are only getting what they deserve.
Aside from that, hopefully those involved will learn a valuable life lesson from this: If you can't play by the rules, you'd better be able to run fast and catch, throw or hit a ball really well.
PS: I wonder if any prospective students were smart enough to just look at the admission status of the *other* students... Now that would be showing the sort of sense you'd need to get to the top of corporate America.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
So if I got instructions on how to read another person's acceptance letter, I could get them refused entry into Harvard?
Right on, I've always wanted to stick it to one of those yuppy bastards.
Feed the need: Digitaladdiction.net
and now I will get into Harvard Business School myself!
* evil laugh *
oh wait, business school. shit.
It's take-charge, independent thinkers that the school needs in its student body. They better not revoke my admission or I'll send a teenage grrl enforcer over to smack 'em upside their heads!
A feeling of having made the same mistake before: Deja Foobar
If they are going to break into the school's computer (it doesn't matter that someone else showed them how), they shouldn't be accepted.
But weren't even applying to go to Harvard?
My little site.
Re-arranging paths in a URL is not hacking but they all got what they deserved. The other schools will probably follow suit.
Does anyone know how complicated the instructions were? Is there any way the people could have thought they were just accessing the site, putting in a URL with their name or whatever at the end of it, and not 'hacking' it to get information they were not allowed to have?
How do they want to prove that the person that looked at the "papers" was the "accepted one"... (if they didn't post it all over blogs ;-))
They are already ahead of the game, what with all the liars, cheaters and general scumbags the ivy leagues spit out year after year.
I'm not sure that the remaining acceptees are really so holy and ethical. If all of the applicants had noticed this, maybe everyone would have peeked. The 119 caught were probably the only 119 out of the applicant pool who actually caught the story...curiosity got the better of them, and I'm sure that it probably would've the rest of the acceptees if they had only known...
That'd be interesting, too...if there suddenly was only a few people in the class of '09...but they'd probably fill the spots up with waitlisters...
Err... says no one could see anything but their own. Still don't quite trust this answer though. Looks like a setup to me after a second look.
My little site.
They would be reading those letters at any time later anyway, no?
The real culprit is the cracker who found the way in.
I think Harvard's reaction against the 119 who followed the indicated route is pitifully excessive.
But the 119 now have an early lesson in how certain business managers cynically deflect blame in order to save face.
It appears to be beyond Harvard's ability to track down the cracker, so they hit out at whoever is within reach.
-wb-
More like Harvard Business School is delusional.
Come on, they were just curious. This is too much. And Harvard should have been more careful.
One concern was classmates or relatives checking out the applicant. That would be unfair to the applicant. However, the article in the Harvard Crimson seems to indicate that at some point you had to log in with a password. So only the applicant or spouse would have done it then.
The webserver probably could have recorded an IP address with each access, and many of those can be geographically verified. However, this would still have the problem of someone other than the applicant checking.
Before everybody accuses these "hackers" of unethical behaviour, you should look at what the "hack" was. As far as I can tell, you just had to log in, and then edit the URL. BusinessWeek is aggressively removing any posts with the process in it, but there are some references to the basic idea still.
The information was there, the server gave them permission to see it, I don't see what is so unethical. Posting how to do that in a public forum could be considered unethical. But just following the instructions?
-- Colin Cross
Don't worry. For the ethically challenged, Harvard Law School is a good alternative.
what happens if you POKE?
=P
e.
Build Your Own PVR/HTPC news, reviews, &
What if the actual peekers were imposters? In that case, Harvard is unethical!! This shows what most people suspect in general about "business types" / suits: do some knee-jerk tomfoolery to look like you are in control. Let's see if they can show with any degree of certainty that the applicants themselves actually peeked at their supposed acceptance letters. ~ram http://distrowars.textdriven.com
If ethics was so important, how come it wasn't tested for in the actual application process?
Stanford Business School said it had 42 illegal accesses. However, Stanford's initial position is to ask the applicants who accessed to identify themselves. I wonder if they are making forgiveness for honesty, because like Harvard, they know exactly where the accesses occurred.
'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'"
What I'm sure was meant was that the so-called breach of trust was indefensible, but the first time I read this, it sounded to me like what they were saying was, "We don't know how to defend our reasoning for calling this a breach of trust."
Really odd. Harvard uses an insecure method of posting ahead of time news of who gets in and who doesn't. Anybody in the world can go view those documents, and they don't get in trouble. Meanwhile, the actual applicants go and view them, and they're locked out of Harvard. And it's not even like they can go fake letters of acceptance or anything through the process.
Looks like Harvard's adapting "Security by Legislation", that growing corporate policy of punishing whoever they can because they've been made out to look like idiots, through nobody else's fault but their own.
I love the department for this article.
:)
You can be accepted, or you can know you'll be accepted, but never both.
Steven R. Nelson, executive director of HBS's Master of Business Administration (MBA) program, said the letters were taken off the site early yesterday.
"These were just internal administrative devices," Nelson said.
Don't post internal-only information to a webserver. Ever. Whoever put them on the site should get a remedial course on security.
As for the applicants, they just saved mom and dad a couple hundred grand. Hopefully, they'll learn some sort of lesson from this, though I doubt it.
Give a man fire, and you warm him for the night. Set a man on fire, and you warm him for the rest of his life.
So they spent their whole friggin lives working to get into Harvard, and because out of burning curiosity and passion they wanted to know whether they had gotten in or not, they got un-accepted? BULLFECES!!
I hate Halo and GTA. Sue me.
No, they will not.
What prevents me from going in there and viewing a handful of people's applicants? Will they get kicked out? I wonder how many of those 119 weren't the real person -- or do they require some sort of user-auth?
...to spite their face. Harvard just rejected 119 of the most qualified business school bound students in the country. They will go to other, arguably equal, business schools, while Harvard will take on 119 lesser qualified applicants to fill its vacancies. What schmucks...
Begorrah! The ones who knew enough to find the "swag" on a relevant website are the ones who should be first in the queue to be admitted. After all they're the ones with the acumen.
:)
Ho hum... Just goes to show that if you play by the rules you'll get by by the rules (and if you play them well enough you'll "shine"). But you'll never discover anything truly new.
Mind you having said that... if you do discover something truly new, once you try to tell somebody, the rest of society will think you're mad and burn you at the stake. "This heretic says the Earth revolves around the sun... burn the witch..."
Sky subscribers are morons. They pay to be advertised at !
Would he have said "you're fired" or "you're hired" for this display of ingenuity?
Prospective business students rebuked for unethical behaviour? It simply defies human logic. They're studying how to be businessmen, are they not?
HAD
If your family is rich, they can pull strings. You can do almost anything and still get accepted. However people like that don't really need to take a peek to see if they were accepted, they know without even having to open the envelope.
Thanks to GW Bush, it's become common knowledge that Harvard Business will accept any mediocre student for the right price.
What unfair advantage would anyone gain by reading their admission letter early? If Harvard had their letter written and their minds made up, why didn't they just tell the admittees, instead of making them wait and sweat? I remember well that that's not pleasant anticipation.
On a related note, were those supposed to be on a web server at all? Would you want your admission letter on the web for the world to see? With the schools' ridiculous concern for student privacy, it seems strange that they're putting these on a web server at all.
Finally, I wonder how long it will be before someone tries to wriggle out of being unadmitted by claiming that someone else looked at his admission letter?
See what I've been reading.
1. Attend an interview session
2. Record the names of your competition
3. Hack the school's computer in their name
4. Get into Harvard
5. Profit!!!
Why is a university holding back acceptance letters for a whole month after they've already finalised the list :/
The results were there and it's probably not as scary and complex as TFA says it was to see the results. Maybe something as simple as modifying the URL. So when it's possible (probably very easily), who can resist from seeing it? Even if it's a bit complex to see, it's not like they had to be security experts or something. Just follow a few steps and you can see your results. This is just too much on Harvard's part.
OH THAT IS Commmedddddyyyyy!!!
I love it!
Yes, [I was] just following the instructions. is always a great defense!
This issue is a bit more complicated than you think.
If these had been computer science applicants, I think the Slashdot responses would be much different. Shouldn't ApplyYourself and Harvard be to blame for posting information on the internet that they didn't want viewed? A sophisticated hack wasn't required, just simply knowing what to put in the URL. How can one of our leading business educating institutions show such a blatant disregard for information security? I'll bet ChoicePoint executives were educated at Harvard!
More than 100 applicants to top US business schools, including Harvard and Stanford, sought to end months of nail-biting over whether they would be admitted by hacking into MBA admissions sites. But even the ones who got good news may be in for an unwanted surprise. Harvard said it was reconsidering the status of the hackers who had initially been approved for admission.
--as posted on virtualkarma---
fuvoo: watch something
George Bush applied and was graduated from Harvard Business School. Would he have peeked if he applied today?
Probably not, since he claims not to read books or magazines (in a Dateline interview) he probably would not have learned of the hack. Plus his father or grandfather would have pulled strings.
How many people equate "business" with unethical behavior? Wow! That's a lot of hands!
I think that's kinda the point here. The school where business is taught is exactly the training ground where ethics should be taught and ethical behavior observed.
The world is unethical... who knows... it could change maybe? But I wonder if they turned out of people that could lead to some serious problems in this Dean's future... it's no secret that some pretty powerful people try to get their kids into those schools whether they deserve it or not.
If people who bent the rules like this were allowed into a prestigious business school, they could possibly tarnish the outstanding reputation of America's CEOs in the future.
And then where would we be?
This is the same school that teaches it is ok to fire workers who have worked at a company for 10-20 years so the execs can make 5% more on their stocks by moving factories overseas. They also fail to teach what the words 'long term outlook' mean to all these future CEOs.
HBS needs to face the fact that when you train people who have no morals that you will attract people with no morals.
Given that they accepted the likes of George W. Bush, would you want to be accepted?
sulli
RTFJ.
and now their dreams of business school at harvard.
-----BEGIN PGP SIGNATURE-----
12345
-----END PGP SIGNATURE-----
What about the ethics of storing personal information in such an insecure system that 119 people were able to break into it? Nobody is responsible for that?
you little son of a bitch, Santa is coming TONIGHT and he's gonna take ALL your presents back, and he's not gonna give YOU anything except a cup of DIRT! but your BROTHER -- who didn't peek -- he'll get ALL his presents while you sit there with NOTHING!
and YOU'LL LIKE IT!
I'm having trouble finding any information that isn't mainstream media filtered or registration required. Anyone here use "partners.nytimes.com" to get news stories that the Times didn't want you to see before registering? I'm sure some reporters would still say you "cracked the system".
Unless whatever contract the person signed when they applied for the university prohibited this behavior, isn't this just good business sense? All businesses twist the laws and contracts to wring every bit of usefulness out of them. In that sense, wouldn't finding out information ahead of time be a wise business tactic? Or would it be a better business tactic for the 119 applicants to get together and hire a lawyer to sue Harvard for this?
as to have set these potential students up for this? Sort of an extra "admissions test?" With the rampant ethics violations recently, they may have found this to be a good idea. Weed the baddies out early, not with a tough 101 class, but with a slick ethics test.
Yeah, I know it sounds like a goofy Oliver Stone conspiracy theory, but the Ivy League has been dirty before.
Course, maybe Brown has their admissions department on the line with these cats as we speak (er, as I write and as you type).
Ignore the rantings above. Poster is an idiot.
Seems like the school bears some responsibility for outsourcing the acceptance letters to an easy-to-hack site. The cynic in me tells me that half the reason they are coming down so hard on the students is to divert attention from their own security failure.
Given that they really have no way to prove who checked what record, I don't think they should refuse entry to the students whose record has been visited.
Most likely, all cheaters visited their own record, but not all records visited belong to cheaters...
Harvard chose to take the risk of refusing entry to someone who did nothing wrong but had his record checked by a friend...
The school messes up and has crap security, then punishes applicants for being curious if they were accepted or not, something potentially life altering for many people? Doesn't sound like a place I would ever want to go anyway.
Someone hacked into our server and posted the details of how to replicate it to the rest of the world. We're now embarrassed, who can we lash out against?
Ah! the people who we can actually hurt without going to court or having to get law enforcement involved, the 119 18 years olds who were on tenterhooks to know if they'd been accepted and really couldn't contain themselves to wait another entire month when we'd already made the decisions.
In fact, if I understand from my rather hazy sources US law enforcement won't get involved unless the crime has cost $5000 (I could be way off here though, I didn't get this from an authoritative site), so, since they're out the only other option to lash out and save face would be to sue, which is expensive when you can just ruin 119 kids' futures. Of course, doubtless it will end them up in court...
The ethics point isn't particularly strong, these are 18 year olds who want to know if their chosen college has accepted them and they find out that the decisions have been made and the letters written a month before they'll get them otherwise. The fact that they followed some instructions posted online to find some 'hidden' files reflects little on their ethics in the future - I spent hours in school trying to get into every nook & cranny of the systems (which the admin had tried to lock down) using as many non-invasive/aggressive methods as I could find. Does that make me unethical? no. I did it entirely as an academic exercise to see how well locked down the systems were, would it have been unethical to find out information about me that the school held but didn't want to tell me? no, not in my opinion.
This seems to be the university lashing out against someone to save face. That 'someone' being the people who have least blood on their hands (out of the people actually involved) and who the university feels that it can get away with stomping on the easiest.
119 applicants? Or acceptees? With HBS's acceptance rates, there's a good chance that none (and it's almost certain that most) of these people were rejected anyways, so Harvard isn't actually changing any of its decisions, merely confirming what they already knew (albeit a month early).
Actually this is part of the entry class of low level physics titled: you can't observe stuff without affecting it.
By looking inside the box, they changed the content!
And with regard to exclusion, they could have at least given them a second chance, maybe with some punishment (like a work camp or something, and select only the 30 first). I thought that this was the land of the second chance.
School is about education. What did they learn? That they got screwed up after doing something that affected no one else?
Am I the only one to think like that?
Sneak teach kids Algebra using a game
Schools need to make better efforts to plug these holes.
I attend the University of Waterloo, and am in its co-op program. Their job application system, JobMine inadvertently informs students about the status of jobs they have been interviewed for. Students are not supposed to be informed of whether they have been offered or ranked for jobs prior to a certain date, however, the job disappears from the 'active applications' section as soon as the employer has made their decision not to offer or rank you. I initially thought this was something random, but every job that disappeared I had been rejected for, and every job that remained I had either been ranked or offered. Of course, I didn't have to do any special 'hacking' to find the results - it was linked directly (ok so I have to go through about five links to get there - really poorly designed for usability, but still) Any student could get this information through legitimate use of the system, without any special skill or instruction.
It's sometimes hard to believe that a school that prides itself in its specialty in computer science, co-op, and engineering has such bugs in its co-op site. Especially if employers are exposed to such systems - what will they think of its students?
--Mike Boos
I am betting that these are republican kids with similar ethics.
As a current Harvard MBA student and long-time /. reader, it's worth pointing out that these applicants didn't "hack" anything. They got instructions (now deleted from the BW forums) that if you took your login hash, appended it to a URL at the ApplyYourself, you could see the decision letter on your file, if it had already been posted. My guess is that someone asked a first round applicant (who had already heard) for the URL to the decision and tried it as an in-process second round applicant.
This isn't hacking. Nobody logged in as the Admissions Director or socially engineered their way into info by calling admissions and pretending to be a staffer out on the road. The only people at fault here are the coders at ApplyYourself (the 3rd party application site). Having used it last year, I can tell you that it is technically inferior to most products that other schools build themselves.
There's already some ideas above that with the Enron and Worldcom scandals, business schools need to have ethics at the highest standards, but this misses the point. The 119 people that just got rejected weren't the 119 least ethical applicants. They were the 119 of the (probably) 130 applicants who saw the instructions before they were deleted. The top tier b-school application process is very stressful and the idea of seeing your results early is hardly scandalous.
Furthermore, our new post-scandal "Leadership and Corporate Accountability" course spends a great deal of time discussing the ethical trade-offs inherent in business, such as weighing employee concerns vs. shareholder concerns vs. customer concerns. These decisions are rarely black and white and we spend a lot of time discussing relative merits of each stakeholder. The notion that we would portray ourselves as knowing an absolute ethical standard goes against much of what we teach and learn here.
Despite the small number of true criminals to have walked these halls, Harvard Business School is a great institution and most /.'ers would be surprised to meet all the ethical people here that will be future leaders (if past performance is predictive of future performance).
Allow me to take the (oddly not yet taken) anti-Harvard point-of-view. I may be speaking from naivety, though, so here we go.
Does it not strike anyone as odd that they knew who was in at least a month before the letters were due to be sent? Is there some reason why they don't send an acceptance/rejection letter as soon as someone is accepted/rejected?
Sure, I guess what the 119 students did was wrong, but is there nothing wrong about withholding this information?
OMG! Wau!
Remember when we laugh at SCO for complaining that IBM used a blank password for cracking their FTP server? This is no different.
So far most of the comments seem to be of the sort of "they got what they deserved!"
I simply cannot see how this is unethical. Harvard Business School was artificially forcing the students to wait to find out if they had been accepted, even though they had already made their decisions (why else would the letters be posted?).
I feel that the party that acted unethically in this case is the business school, not the students. It seems it is a similar sort of unethical behaviour to creating artificial scarcity in a marketplace.
I'm actually applying this year and had to use the ApplyYourself website. I spent an hour filling out the basic details (name, address, resume, etc) on one app only to come back later to find it blank. ApplyYourself requires a school # and an applicant # to log into each school. It turns out that I had typed in one school #, but used the applicant # for a different school (browser cache), and it STILL LET ME IN! I even tried the mismatched combination again, and it brought me back to the 'lost' app. If that's how strong their security is, you could just run random numbers and find everyone's apps....
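An added example, not part of the original thread and not ApplyYourself's code: a sketch of the two server-side checks whose absence commenters report here, namely binding the applicant number to the school number at lookup and withholding a decision letter until its release date. All names, record values and the release date are constructed for illustration; credential verification is assumed to have happened before a `Session` exists.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Application:
    school_id: int
    applicant_id: int
    decision_letter: Optional[str]   # None until the school uploads one
    release_at: Optional[datetime]   # None until a release date is set


@dataclass(frozen=True)
class Session:
    # Identity established at login (hypothetical; login itself not shown).
    school_id: int
    applicant_id: int


class AccessDenied(Exception):
    """Raised by the hardened functions; callers should log these events."""


# Constructed sample records, not real data.
RELEASE = datetime(2005, 4, 1, tzinfo=timezone.utc)
RECORDS = [
    Application(10, 5001, "Decision letter A", RELEASE),
    Application(20, 7002, "Decision letter B", RELEASE),
    Application(20, 7003, None, None),
]
BY_PAIR = {(r.school_id, r.applicant_id): r for r in RECORDS}
BY_APPLICANT = {r.applicant_id: r for r in RECORDS}


def find_application_weak(school_id, applicant_id):
    """Weak lookup: the school number is accepted but never checked,
    so a mismatched school/applicant pair still opens a record."""
    return BY_APPLICANT.get(applicant_id)


def find_application(school_id, applicant_id):
    """Hardened lookup: the pair must match one stored record."""
    rec = BY_PAIR.get((school_id, applicant_id))
    if rec is None:
        raise AccessDenied("unknown school/applicant pair")
    return rec


def decision_letter_weak(session, school_id, applicant_id):
    """Weak handler: any logged-in user who supplies the right URL
    parameters gets the letter as soon as it exists in the database."""
    rec = BY_APPLICANT.get(applicant_id)
    return rec.decision_letter if rec else None


def decision_letter(session, school_id, applicant_id, now):
    """Hardened handler: the requested record must be the session's own,
    and the letter is served only once its release date has passed."""
    if (school_id, applicant_id) != (session.school_id, session.applicant_id):
        raise AccessDenied("record does not belong to this session")
    rec = find_application(school_id, applicant_id)
    if rec.decision_letter is None or rec.release_at is None:
        raise AccessDenied("no decision available")
    if now < rec.release_at:
        raise AccessDenied("decision not yet released")
    return rec.decision_letter


if __name__ == "__main__":
    me = Session(20, 7002)
    early = datetime(2005, 3, 2, tzinfo=timezone.utc)
    print("weak, early:", decision_letter_weak(me, 20, 7002))
    try:
        decision_letter(me, 20, 7002, early)
    except AccessDenied as exc:
        print("hardened, early: denied:", exc)
```

The release check lives in the request handler, not in whether a link to the letter is shown, so knowing the URL is not enough to read a letter early.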
... the practice of accepting money in exchange for your name on a building or the rampant nepotism and admission of high-donation family members seems strangely ethical to the administration. Go figure.
*AppleTRON*
Deciding who is at fault and who deserves what is a favorite online pastime, but we don't even know what it took to "hack" into the site to view the letters. Did the applicants do anything that would actually be illegal if they did it in the business world (where "ethical" seems to be synonymous with "legal" )? Or did they merely do something unexpected and embarrassing?
If the business school is run by the same types who seem to run every other part of the school system, their automatic, totally predictable reaction would be to slam down hard on somebody and focus attention away from any possible mistake or oversight they themselves may have made. I'm not saying that's what happened here either, but we really don't know who the bad guys are.
Of course, they've probably closed the security hole by now....
I'm speechless. Completely speechless.
File under 'M' for 'Manic ranting'
Who needs Harvard then? I mean, seriously, in the voyeur community which I am sort of into, our motto is: You Peek, You Win!
This is absolutely stupid: Harvard (again!) and ApplyYourself can't keep their webservers safe, and 119 people get their future-plans set back? Man...
I wonder how carefully Harvard checked on who actually read each letter.
If the guy figured out how to break in, did he also figure out how to break in to each account?
This guy may truly be Harvard material.
Is this thinking outside the box or what?
Every year, Harvard is accepting 119 people that they shouldn't have. Maybe it's time to consider a new way to screen applicants?
Cyber Security program... ... and show off their MaD Ski11z.
This is more Adrian Lamo-style secret knock stuff. The 119 accused persons merely asked the web server for information that was publicly available--you just had to know how to ask for it.
And it was not as if they changed their acceptance status. Or accessed someone else's acceptance status. They just viewed their own information, which I reiterate, was publicly available on a public web server.
If it was not to be viewed, then why was it present in a production database queryable from a production website?
"We got hosed Timmy, we got hosed."
And if, indeed, 119 people read their own letters, what exactly is so dishonest or "trust breaching" about it?
Actually, I'd say, the school was not honest, if it delayed informing the applicants for over a month.
In Soviet Washington the swamp drains you.
If you don't want your information to be hacked, don't put it on an internet connected machine. It's as simple as that. We think we have a decade of web and internet wisdom to guide us but the fact is that all of this technology is still in its infancy. Was the hack ethical? No, but ethics aside, only an idiot would subject their important and confidential information to exposure on the web and then complain when it was hacked. Sorry, flamebait me if you must but the reports of vulnerabilities come fast and furious, regardless of platform, and nobody seems to care.
Don't want your data exposed? Don't put it on the web.
Somebody hired by HBS screws up and makes information that should have been kept private accessible on a public web server.
Instead of firing the people who made the boo-boo, the powers that be at HBS decide to punish anyone they can find who looked at their own admission letter.
First of all, it is not at all clear to me that it is ethically wrong to look at your own admission letter when it is posted on a public web site where *many* other people can already see it. For example, if I had heard about something like this I would probably try it just to see if it was really true. I would trust that HBS was not so bone-headed as to allow such a thing to happen.
Second, even if it were established that it was ethically wrong or questionable to peek, that is one heck of a temptation to put in front of someone since so much of their future plans depend upon what is in that letter.
Finally, I don't see that any harm is done by someone just peeking at the letter. If they act upon that information then that is another matter, for example by starting apartment hunting a month early. But just looking doesn't hurt anyone. According to my own ethics, if I am not hurting someone then I am not doing something bad.
I hope some of those people who got rejected band together and sue the pants off of HBS.
We don't see the world as it is, we see it as we are.
-- Anais Nin
Possibly, but I wouldn't worry too much about such a threat from an anonymous coward.
Harvard's inability to keep private information private is *NOT* the fault of those who look. If I had found out about this, I would have gone looking just to see what sort of personal information was exposed by the incompetents running their admissions program.
the other 4881 applicants are suing Harvard for posting personal, confidential information on the internet for all to see.
Dan East
Better known as 318230.
Denying them admission is pretty harsh. I think a lot of otherwise ethical people would be tempted to take this opportunity if it presented itself. It's not like they were out to steal, defraud, or otherwise hurt anyone.
BURN!!!
A form submit hack to an open document is not illegal nor, in my opinion, unethical. You are simply choosing a different way than intended to view open information. Kind of like reading the last chapter of a book first. Suppose that someone posted links containing the get statements to a web page and called it something along the lines of "Get your Harvard Info Here." This page could appear to be totally legit while totally screwing the people clicking the links. I think that this is a total overreaction on the part of Harvard.
I assume some of the accepted applicants were well connected and not wet-behind-the-ear freshmen. It's just a matter of time before someone finds grounds to sue or otherwise pull some strings and when they do there will be some very quiet backpedaling...
What should we expect from a school who said girls were naturally bad at math?
What should we expect from a poster who misquotes and takes something out of context and posts off topic because it's politically correct to do so? For some reason it's okay to jump on the hate/intolerance bandwagon if public perception is that the other side is intolerant or bigoted, even if that's not the case. Remember this? Enough PC witch-hunting. It's oppressive.
All the man was talking about was looking at the situation objectively. He explains some of that in his letter and even apologizes for stuff he had no control over, specifically, other peoples' misinterpretations and feelings.
http://www.president.harvard.edu/speeches/2005/wo
Hey, it's like quantum mechanics: the simple act of observation changes the outcome!
Someone please give this man some mod loving'.
If I were AL, how can I get a list of these 119 students? I think they have a case against Harvard. Can Harvard prove that each accessed file was accessed by the student whose record appeared in it? Let's see how much of a retainer from each of 119 future wealthy executives....?
If, on the other hand, it took some convoluted hacking that was clearly beyond the pale -- and, say, included things like cracking passwords, then I'd be more likely to say that they needed to get bitchslapped.
That having been said, it's not a career ending move -- unless Harvard puts them on a blacklist, anybody who could get accepted there probably has a choice of a few other good universities to go to.
On the other hand, these are also likely to be 'disposable' applicants -- not the children of alumni who probably had a separate, private, application process. In other words, the school could probably afford to hang them from the yardarm without having to pay for their high moral stance.
Free Software: Like love, it grows best when given away.
It sounds like you're saying the only person you could harm is yourself.
How could I possibly blame Harvard for not accepting me when I looked at something that was not ready to be sent out yet?
And no, this is not equivalent to . In the movie theater case, there is a fixed number of registers, so everyone has to wait their turn. In the acceptance letter case, all the letters are sent out at once - or at least not in any particular order. Someone else's results are not a blocking condition on your results.
I still fail to see the moral harm here.
+++ATH0
If you're going to do something unethical/unprofessional, make sure you don't/won't get caught! Otherwise, you lose. =)
That's a good, free lesson from Harvard for all Business students. =)
If any kind of proper security measures had been used this would not have been possible. Namely, not doing confirmation for admittance to one of the most prestigious schools via the internet. I'm sure it's within their funding to allot 4-10 hours of someone's time to print out a pile of generic acceptance letters, and then hand sign them and mail them out as opposed to doing it electronically where some sneaky cracker can find it and reveal to the world about who got accepted.
If this really is about ethics, then it's a complete hypocrisy, ethics and business go together about as well as ethics and war.
If you consider yourself ethical, you lose more. More money, more men, more whatever. There is no place for ethics in a capitalist business world, and by disallowing some future capitalist crooks, Harvard has just made them more angry and in the long run they will be perfectly molded into the business world as a typical crook and common thief, deserving of no respect.
Why is it Harvard's fault?
They teach that ethics is important when in reality, it is money that matters in business and not much else more. If you think otherwise, you're kidding yourself.
They should have allowed the kids and given them a special class, for those that understand that ethics and business have no place together. Unless we were communist and everyone was treated the same whereas there's no motivation to succeed perhaps ethics could be a cornerstone of an economy like that. But in a cutthroat world of who's got the most money and who can take it from you, ethics is a small hurdle in a long marathon.
[cx]
Is it ok to read your sister's secret diary because she didn't lock it up in a big enough safe?
So, what about the n-119 applicants who didn't find out about the so-called "hack" before it was exposed? I hardly think none of them would have done the same.
IWARS.
People, in general, disappoint me. Politicians even more so.
I was not an Ivy League student, and I get no satisfaction from this.
Many of these kids were probably under enormous pressure to get in. I don't blame them, and it doesn't seem like any harm was done. I think a written reprimand would have been fine.
+++ATH0
Idiot.
"If they can't wait a month to find out if they got in or not, how well do you think they'll stand up to the ethical quandary involved in an opportunity for insider trading?"
I fail to see how this statement follows logically.
What does insider trading have to do with sweaty-palmed fear about not getting into an Ivy League school? In the first circumstance, other people are harmed. In the second, they are not.
+++ATH0
IANAL, however, this seems like something that Harvard should get sued over. You read something on a bulletin board, telling you a URL and telling you to type in your user name and password, and see whether you were accepted, and because of that, you get rejected? No Fucking Way!
But, even though I think they should get sued, likely no one will, because all these applicants are likely top of the line, with admissions to other top B schools, and this lawsuit could mess up their careers....
eat shiat and bark at the moon
You have to be logged in. Not ANYBODY IN THE WORLD.
Fucking moron.
Interesting And Funny! Schools As Usual Overreact To What They Consider A Potential Threat To Their Dominance. Sure I Understand Blacklisting The 119 People For Viewing Their Acceptance Letters, Nevertheless, 1 Person Exploits The Security Hole And All Take The Punishment. This Is Stupidity At Its Finest! Not Only Does It Not Solve The Problem Of Finding The Person Responsible It Just Pushes The Problem Forward. If The Security Team Had Done Their Job We Would Not Be Having This Problem. Unethical? I Think Not. People Naturally Fear What They Do Not Understand. So The Natural Response To A Security Breach Is To Blacklist 118 Innocent People? If Anyone Is In Need Of An Ethics Checkup, It's The Schools Who Blacklisted The Students. Find The Person Responsible And Let Him Be Responsible For His Own Actions! Punishing All Just Because It's Convenient Is Unjust. - Not Surprised At The Stupidity Of People BTT-KLLER
Too bad he can't even spell Heisenberg. Pathetic.
Back in my junior year of high school, which is six years ago, I took my SATs. Everyone in my grade knew when the day would be that our scores became available from the College Board's for-pay dial up number. Yet, one of my friends decided to call up a couple days early and got his score. He then proceeded to tell everyone his score which prompted the rest of us to call up and find our scores. Because of this I found out my SAT scores a couple days early.
I feel that I did very well on my SATs and that my score was one of the major factors that helped me get into the school of my choice (the school famous for hacking into Yale's admissions web site). Yet, according to HBS's logic, my scores shouldn't be valid and I don't deserve such a good SAT score because I was impatient and dishonest by calling for my score early, essentially exploiting a loophole in the system.
Thank god I went to Princeton and not to Harvard because now that I have admitted this who knows if Harvard would call me up and ask for my diploma back...
A) It's not the school's computer.
B) They used a login hack to view their own data. Who was harmed here?
+++ATH0
Hey dumb fuck, it wasn't Harvard's "inability" to protect data, it was another company -- RTFA.
When was the last time high schools taught ethics courses, especially in regards to computers?
I could see the student suing not Harvard, but the application processing company for making their application data insecure.
And you know what? They'd have a case.
+++ATH0
ask him to give you 3 sarcasm pills, and post again in the morning ...
- sigs are for wimps.
"Perhaps the hack allowed you to see letters of provisional acceptance? Perhaps those letters were intended to be on a wait list? You do not really know what the intention was until you receive your letter from the school. Otherwise expectations would be unmet and you could not use that in a court of law to press your case. So imagine that you did read that you were accepted, but in reality your letter of acceptance was predicated upon somebody else ahead of you not accepting? You would start making decisions for an entire month to move, make preparations and get ready for business school at Harvard before receiving your letter of rejection because the person ahead of you chose to attend. This structure is in place in many places where people are placed on provisional acceptance lists."
The key portion of this scenario is "you would start making decisions." No one other than "you" has been harmed here. On the other hand, Harvard cannot be responsible for the consequences of your actions based on data that you were not intended to have at the time.
You still have yet to prove that anyone other than the applicant who views his own data is harmed here.
+++ATH0
"Come on, they were just curious."
Boys will be boys.
"This is too much."
Where do you draw the ethical line consistently through the ages?* Too much? Too little? Ethics is now a quantity. Not a line to cross.
"And Harvard should have been more careful."
It's everyone else's responsibility to "just say no" for you.
*Did you know that most major criminals started out with something small? If these 119 later bankrupt a company (Worldcom). Fleece the public (Enron). Will you later say; well why didn't you all notice the early signs, and act on them?
It really doesn't matter if it 'really' is hacking or HBS left the letters open on the bus. If they say you are not entitled to the information then you are not in fact entitled to that information. It seems like a cold cruel world out there that won't allow you to profit from your own ethical lapses but that's kind of the point of having ethics, isn't it?
umm... no. the SAT score was reported to you via you calling up and getting the score from the SAT folks. that is the right way.
these people used a HACK to get into the system in an UNAUTHORIZED MANOR.
perhaps you should not have gotten into the college of your choice because you are incapable of reason.
I am the Alpha and the Omega-3
Congratulations on your A, you now have just enough knowledge of business ethics to make an ass of yourself.
Speaking of rationalizations:
'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'
Those Harvard snobs are just punishing the cheeky lads who've successfully pulled down the Head Master's pants.
If this lack of humility and sense of humor doesn't convince you that Harvard is a stuffy, overhyped institution that charges a premium for an average education with a gold-plated rubber stamp, nothing will.
Nonetheless, the young poodles who've successfully learned that doggie treats are given to those who obey and jump through the hoops will continue to go there, befriend other students' influential dads on the golf course, become young execs who hire and fire /. geeks and will continue to promote and propagate the mythical Harvard mystique for yet another retarded generation.
Hmmph.
"What does insider trading have to do with sweaty-palmed fear about not getting into an Ivy League school? In the first circumstance, other people are harmed. In the second, they are not."
Considering how ethics is being presented in the world today, your misunderstanding is quite understandable.
A part of ethics is self-control. The resisting of temptation. The ability to recognize a line, and not cross it. Harm to others is only a small part of it.*
*That and humanity has a poor track record discerning harmful, from harmless, especially over a long period of time.
"UNAUTHORIZED MANOR" Gee, I for one can't imagine anybody building a big house like that without permission, let alone host a server in it... perhaps you meant to say "unauthorized manner"?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
When I applied for MBA a few years back, application results were still sent by snail mail. Sometimes schools would ask a second year student to phone you with the "yes, you were accepted" news. But there was no guarantee -- if you wanted to be sure you were rejected you had to wait, wait, wait for the mailman to come. Most stressful time of my life. It defined the meaning of anxiety to me.
Like many, I tried calling the admissions office a couple of days after the results were mailed, to ask about my acceptance status. (living outside the US those snail mailings could take forever). They just wouldn't tell me anything on the phone... even when the answer was YES (as I found out later).
BUT... and now comes my point -- was it unethical of me to call them before the snail mail letter reached me ? Would it be unethical if they had told me ? Should my "ACCEPTED" result be turned into a "DING! REJECTED" result because I called ?
Whoever buys a costly paca will pay dearly for the paca.
totally classic behaviour you'd expect from an unethical corporation who wants to cover their ass and deflect blame of a major fuckup that's their own fault.
if you ever wondered about the ethical standards of harvard, here's a perfect example. instead of accepting responsibility for their fuckup, they take it out on others, in order to cover up their embarrassment.
"Shit, if I try to change the URL to see if I can view my pay statement one day early at work, should I be fired for that too?"
You assume your boss needs a reason to fire you.
All but 6 ex CS grads were rejected from Harvard. When asked why 99% of the applicants were rejected it was for hacking. The 6 that were allowed in said they looked to complement their understanding of computers and security systems.
What they were doing was cruising a site/chatroom dedicated to cheating, and followed some links they found there. It's not like they came up with a real hack...these are wanna-be ivy league weasels, and they deserve to be banned, if indeed the schools can ID them.
"Furthermore, our new post-scandal "Leadership and Corporate Accountability" course spends a great deal of time discussing the ethical trade-offs inherent in business, such as weighing employee concerns vs. shareholder concerns vs. customer concerns. These decisions are rarely black and white and we spend a lot of time discussing relative merits of each stakeholder. The notion that we would portray ourselves as knowing an absolute ethical standard goes against much of what we teach and learn here."
A Business Tale: A Story of Ethics, Choices, Success and a Very Large Rabbit by Marianne M. Jennings
Read Page 78.
Almost the exact same thing just happened at the CMU business school; this was in the paper today. When I saw the slashdot article, I just assumed it was about the folks that broke into the CMU admissions website (and were also banned by the school as a consequence)
I have this "friend" who is actually my rival and I looked to see if he got accepted; he did. Now he is getting rejected for checking on his acceptance, something he didn't do; it was me.
--
WHO ATE MY BREAKFAST PANTS?
When you call a month early, you know that a) it's earlier than you are supposed to receive notification, and b) that they have a chance to refuse you.
In this case, they knew it was earlier than they were supposed to know, but they ALSO knew that they were guaranteed to see the results, whether or not Harvard wanted them to. In fact I'd say that they knew that Harvard did NOT want them to know at that time (because they knew that a) this was not a standard way of accessing information on a web site (plus it was posted as a hack), and b) it was significantly earlier than the notification day).
They knew they were subverting the rules of the application process as set out by Harvard. If they didn't know that, they're too stupid to go to Harvard anyway.
A gentleman of my acquaintance is a phenomenally successful retired CEO of a Fortune 500 company. He's now a visiting professor at a very prestigious B-school, a household name (although I won't name it). It's not too much to say that he was shocked at the lack of ethical sense among today's B-school students. It's probably no shock to slashdotters that PHBs-in-training are only in it for the money, but then we shouldn't be surprised when garbage like this happens either.
we need more ethical mba types. ...maybe those that got rejected should consider pursuing a masters in ethics instead. They have a real good case study to write about now.
Dear Applicant. As you may be aware from news reports, recently a security issue has come to light regarding our use of the ApplyYourself service for application processing. Some sensitive student and applicant information may have been inadvertently exposed to the public. We take this violation of your privacy very seriously. Though the site was not built by Harvard itself, we of course take full responsibility for our decision to outsource the work, and feel we should have done more to audit the work afterward. We are currently reviewing our procedures to prevent this sort of thing from happening in the future. In your particular case, an initial investigation has shown that your account was indeed accessed, and your private information exposed to the public. We sincerely hope it was only you checking to see if this was indeed the case. In any case, we will keep in contact and forward you any information as soon as we get it, concerning possible identity theft or other misuse. Again, you have our sincere apologies. Harvard Business School.
http://blogs.law.harvard.edu/philg/2005/03/08
"If a school posts admission decisions by social security number in some obscure location and a student tells other students that it's there and they go look up their status before official notifications, have they committed an ethical violation? The school didn't tell them the information was there, but it was available to them for the getting if somebody else told them where to look for it."
Ethics isn't just about others telling you "don't do that", but about you telling yourself "I will not do that". The first line of defense all societies have against eventual dissolution is the individual. If you can't depend on that, then society has to substitute its will for the missing one. Lather, rinse, repeat, and you have today's social ills, and a socio/legal structure that's as obese as its citizens.
What would that have done if everyone peeked? Cancel the whole year?
now we need to go OSS in diesel cars
Burn the Admin Building!
or at least send a horse head to the Dean!
All they were doing was being ProActive students and
now they cannot attend....Harvard sux Go Miskatonic University!!!! High Flipper to the Deep Ones!
Personally, I'd have capitalised "unethical" rather than "illegal" as I consider it to be the more serious issue.
I recently wrote an IRC bot. That is currently illegal in the USA (read up on the ActiveBuddy patent) and will, as a result, probably be illegal in short order in the EU (where I live). However, I'm not bothered.
If I'd done something that I considered immoral, I would be worried. But my opinion is that allowing governments to define your morality is lazy at best and idiotic at worst. This applies particularly strongly in this situation where, as far as I can tell, people are being kicked out for receiving their letters before they were due to be sent.
I can't see any good reason why this should be a major offence, certainly not why people's lives should be messed up on this basis. Especially if they are able to produce a detailed argument as to why they considered their behaviour ethical.
Please, please get your priorities straight.
For the love of God, please learn to spell "ridiculous"!!!
My take is this. URL altering is not hacking. This is akin to giving the online applicants each a key to their own room and then punishing them after someone told them that they could find their admissions letter in the closet and 119 of them decided to look.
Harvard and Applyweb messed up by not securing their site. They are embarrassed and have successfully put their PR departments out to spin the story and libel these applicants by accusing them of "hacking" which in today's media implies a criminal intrusion. IANAL but this intentional disparagement which Harvard knows is untrue, along with leaving their personal educational records out there, insecure, sounds like a lawsuit to me.
Harvard's decision to not accept or unaccept those 119 candidates has nothing to do with what they actually did. It has a lot to do with the view by admissions offices in every university that their admissions criteria and decision making process is secret and that we should submit every thing we have ever done in our lives for them to examine and judge in any way they choose without even so much as an explanation of the admissions decision in exchange for our $65 non-refundable fee.
Harvard is unadmitting these students because they found out some information about themselves, in their own file, that they had perfectly legal access to, that Harvard wanted to keep secret and its service provider accidentally put out on the web.
As for ethics, not one University, especially the private ones, has a leg to stand on. They mail out advertisements to students urging them to apply and implying they are 'what the school is looking for.' for no other reason than to increase the number of applicants and the included application fees. The private universities almost invariably reject the majority of transfer credits in order to charge exorbitant prices on repeated basic courses taught by unpaid/underpaid TA's. That is just the tip of the iceberg.
...after all we can't have bigotry at harvard
http://www.washingtonpost.com/wp-dyn/articles/A
Since when did Business start having anything to do with Ethics? MBA = How to make money. End of Story.
Pop Culture Theme Quizzes posted onto my blog. Have fun.
If I were an applicant, my impression is that I would construe the information as saying that "the university for some reason doesn't send you the URL right away, but if you have an admissions letter it may already be at $BASE_URL + "?" + "foo"." I would have logged in and typed the URL without hesitation.
Based on your strong statements, I begin to see that the admissions committees would consider this cheating. I still have seen no explanation as to why this is the case, still less why the applicants would necessarily think this.
Unless any instruction to the contrary was very prominently stated in the login screen or terms of use, I see no reason for the applicant to have any presumption that typing in such a URL would be construed as even slightly inappropriate, much less rising to the level of obviously unethical.
For what it's worth I consider myself a highly ethical person. I am a person who has on several occasions acted significantly against my own interests on ethical grounds. Nevertheless, based on the information I've seen so far, I don't believe I would have even hesitated to type in the purportedly secret URL variable. I would not have had a moment's concern about being "caught" because I would have no expectation that what I was doing was even remotely inappropriate. I would also have been perfectly aware that my action would be unambiguously recorded in the server log.
I think it's very different to accuse someone of behaving contrary to *your own* ethics than to accuse them of behaving contrary to *generally accepted* ethics. It's simply not at all clear that the applicant would even have considered the matter to be ethically problematic, as is evidenced by the fact that they were logged into the system at the time!
Even if "ignorance of the law is no excuse" this seems like a prohibition promulgated retroactively.
Unless you can explain to me why the applicant should have known that the behavior was a violation of either an explicit agreement or an implicit trust, I conclude that it is the behavior of the university that is unethical. It is unconscionably unfair and arbitrary.
mt
"The fact is, these people were probably just curious about their application status. And the reason only those 119 probably checked theirs out was because they were the only ones that knew about it."
So what would the ethical action have been for these students upon finding out they could view privileged information?
How about not viewing the information, and telling the school that they had a hole in their security instead of taking advantage of the situation?
"I bet more crooked business majors have come out of the Harvard Business School."
If everyone jumps off a bridge...?
Ethics is about what YOU do. Not about what others do.
*I find the title of this thread ironic, especially in keeping with slashdot's position on lawyers, and the legal system. Guess you all like what you hate as long as there's something in it for you.
This gives Harvard the leverage to do this "bold" move. Otherwise they would be in a tough legal spot, and they wouldn't risk that.
I know that if I could have seen the outcome of my university replies early I would have done.
In this case why shouldn't they have checked their applications. I mean if I was accepted, I was accepted on the grounds that I was a good enough candidate. I am still the same candidate regardless of whether I checked the application status early. Why should I be excluded now?
Your sig is correct, but it misses something important. If marginal cost goes below average cost, a company cannot charge the marginal cost and still make money. These situations are normally referred to as a "natural monopoly". Something has to give - either the company has to operate in an inefficient manner, or someone has to subsidize the company's initial costs some other way.
"
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."
Parents or eligible students have the right to inspect and review the student's education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies.
"
also...
TITLE 18 > PART I > CHAPTER 121 > 2701
(the good bits)
2701. Unlawful access to stored communications
(a) Offense.-- Except as provided in subsection (c) of this section whoever--
(2) intentionally exceeds an authorization to access that facility;
(2) in any other case--
(A) a fine under this title or imprisonment for not more than 1 year or both, in the case of a first offense under this paragraph; and
(HOWEVER...)
(c) Exceptions.-- Subsection (a) of this section does not apply with respect to conduct authorized--
(2) by a user of that service with respect to a communication of or intended for that user; or
It seems the law I was thinking of applies only to government agencies. So it would depend on if the school received funds from particular government programs. But, what they did probably wasn't illegal, or at least I doubt they would be convicted.
"Ditto. The difference is between trying to elicit a desired response by breaking the server (like in a buffer overflow or bypassing security with a password cracker), and utilizing a well-known protocol in a normal way. HTTP is just a way of asking for information, and if you simply ask a server for something it's the server's duty to make sure it wants to honor the request."
So basically you feel it's the responsibility of A MACHINE to be your ethics? Technology, past, present, or future isn't where ethics comes from. Ethics SOLELY lies in your hands, and is your responsibility. NOT A MACHINE'S.
In light of many of the current scandals in the business world, I would like to believe that . . . .
So, Boeing fired its CEO this week because he had an affair. To recap: (1) she's not complaining about the affair, (2) he's not complaining about the affair, (3) her coworkers aren't complaining about favoritism, (4) the bean-counters aren't complaining about his expense account, (5) his wife has yet to publicly complain, (6) the shareholders weren't hurt, and (7) his government customers weren't coerced into buying anything. But, Boeing fired him anyway.
D'ya think maybe we've gone a little too far, too fast?
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
IMHO the Harvard administration should have gone to the faculty that teach business ethics and asked THEM for THEIR opinion of the ethics of peeking before frying the applicants.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
"knew that it was wrong to do so, since any business leader knows that there are strict laws prohibiting insider-trading"
This is not why insider-trading is unethical. Why is there such a culture of "law makes right" on Slashdot?
Insider-trading is wrong because when everyone can't do it, it destabilizes the stock market and hurts everyone. (I have a theory about how you could allow insider trading without harming other traders, but I am not an economist and my theory probably has holes in it I am not aware of - but that's neither here nor there.)
+++ATH0
... but ultimately, it signifies nothing.
Here is my arbitrary line. IF YOU CROSS IT, YOU ARE A BAD PERSON!
C'mon. Harm is the arbiter of ethics. It is what every ethical code (note that I distinguish between ethics and morality) boils down to.
+++ATH0
If this were a cheesy college-spoof movie, the 119 "cheaters" would be recruited to the goofball school for their display of initiative.
Kobayashi Maru indeed.
-- Gary Goldberg KA3ZYW 301/249-6501 AIM:OgGreeb Digital Marketing Inc., Bowie, MD
Harvard's failure to secure their server is not the fault of the applicants who checked their records.
Bullshit. This isn't fair to those who saw a message on a bulletin board, checked it out to see if it was true, and are now out of a very exclusive and potentially lucrative education at one of the nation's top business schools.
Harvard may not like that the cat is out of the bag, but this is their fault - not that of the applicants who checked their status.
For every applicant who peeked, there are 100 others who would have peeked but just didn't know about it. I think that if Harvard wants to filter applicants for ethical consideration that is great, but it should be built into the application process so that all applicants are tested for ethics, not just the few who happen across a website.
Oh baby, major lawsuit on this one. Harvard is making a big mistake. The 119 person class action lawsuit will be easily won.
How is this evil?
Actually, I suspect that this hacker found out that the ivy league is violating the FERPA, a federal academic privacy law.
I have learned to post anonymously on discussions about ethics because most people do not understand ethics and flame me or mod me down when they confuse rules with ethics. Also many have a loose or bizarre definition of "hack" that includes using the system in the normal way (such as changing URLs).
Which is irrelevant to a deontological analysis (the only analysis where intention is relevant). The only intent relevant to a deontological analysis is the intent of the person taking the action being analysed.
Again, irrelevant.
I see a lot of analogies on /. like "this is like you gave somebody a key" or "this is like the school laid out some papers in a room" or whatever. Analogies both "pro" and "con".
This is like NONE of those things. We're talking about software on a digital computer. You can enumerate all the possible inputs, and all the possible outputs. You can make it so the applicants can only see what they should see, and nothing else.
As Greenspun points out, it appears that Harvard hired some idiot and/or amateur programmers to write this software. This company made an error in the program. Harvard is responsible for hiring them. Harvard is responsible for the error.
If you don't want somebody to see some piece of information on a computer, and they don't even have physical access to the computer, then don't allow the information to get out. Otherwise you must *assume* the information will be viewed.
This action by Harvard just reinforces the same problem. Punish the actions of the software end-users, not the mistakes of the *programmers*. Were the programmers punished at all? I doubt it.
If you ever pause to reflect on just how crappy software is today, and how these inexperienced programmers can even get jobs, you just got another example of the mechanisms at work.
I don't know that it's a question of not differentiating between ethics and rules. In this particular case, it seems that there's an ethical violation, although I'd consider it fairly small. The physical analogue for me is: one person jimmies a window at the admissions office, sneaks in, and grabs a look at his file. Along the way, he shows a few hundred people how to jimmy the window. Then a lot of them do, either out of curiosity to see if they got in, or curiosity to see if the window will open that easily, or any other reason. Is it unethical? Yeah. Is it unethical on a scale that means you should no longer be accepted to the school? Probably not. A stern talking to, maybe a fine.
That being said, colleges, as a general rule, don't teach ethics. There's a lot of dissemination of political views in the classrooms, for good and evil. Oh, they generally punish you if you plagiarize and they catch you, either by suspending or expelling you. But ethics? Personal values? For the most part, these are things you have before you go, or you'll never pick them up at school. And for the degree that they're refined, that's mostly something that's done as a function of your peer group, rather than your institution.
Although this is moot in this case, because of Harvard's actions, anyone aspiring to do something similar for another school ought to be given a word of warning. Just because your name is next to the word "accept" in a database somewhere doesn't mean you're getting in. A lot of the time, admissions offices (including the one I work in) will establish an initial list of accepts but then pare it down if the class is too big. So just don't announce anything to your friends and family and make plans to move - you may yet be up for the axe. You won't know you're in until that thick envelope arrives.
Not to defend what the applicants did -- unethical, sure, although not horribly so, and easy to understand.
Still, the real story here is that Harvard screwed the pooch big time, but is going to try to deflect any blame from themselves by pointing out loudly how naughty the applicants were. This, they hope, will generate enough smoke so that nobody will notice their goof.
-Rob
Essentially what Harvard did here was to apply a filter that discriminates against people with Internet technical skills. A pretty weak filter, granted, but you have to have a little something on the ball to find and paste together significant fields from multiple URLs.
We have enough trouble with lack of Internet savvy in American business management as it is.
To a Lisp hacker, XML is S-expressions in drag.
It's hard to evaluate unless you see the context in which this 'unethical' behavior happened.
Reminds me of when I was at school. Something got stolen. The cops were called and everyone was taken out of class. They said: "We know who stole the [whatever]. We're giving you a chance to own up and be a man about it." Of course they didn't know, nobody owned up and nobody got bust....
Engineering is the art of compromise.
I've given up on it years and years ago, but I do see it archived in at least one place file dated 13-Dec-2000 (that version is at least 4 years older, but evidently when it was placed there).
Wouldn't this qualify as prior art? IRC private messages are definitely the first form of "Instant Messaging" widely available on the Internet.
If anyone is serious about pursuing this, I hereby release the code to the public domain as an act to shit on the heads of the IP Bastards.
This comment does not necessarily represent the views and opinions of the author.
However, a guy I know found a workaround -- if you went to SIO, logged in, and after getting the "SIO is offline until December XX" message, appended "grades.html" to the URL, you could view your grades anyway (provided your professors had already submitted them, anyway). This workaround quickly spread to most of the students in department.
Now, was what we were doing unethical? I would argue it wasn't, though it may have been "against the rules" in a strict sense. What Harvard is doing sounds like if my school had told us that everyone who "hacked into the system" by appending an obvious string to the URL would be failing all their classes for the semester. That seems disproportionate to the offense, unless this policy was spelled out in advance. I know that none of us who added "grades.html" to the end of the URL considered ourselves to be breaking into the university's system, and I'd wager the same is true of the people who appended their login hash to the Harvard system's URL, so it shouldn't be trivially covered by some policy about "hacking into systems" (which obviously would be unethical). Why such a drastic response?
I am the man with no sig!
Some people are beyond explanation. It'd be too nice to just say they're full of themselves. They've made the decision to deny admission based on only one factor, the desire to obtain knowledge. They'd rather have business students who'd wait for important information to come to them rather than seek it out with a passion.
please, I'd like to see how "bad" it really is
I'm a professor, former Director of Graduate Studies, and former Chairman of a major department. Just because a letter is in print -- but not in the hands of the student -- doesn't really mean that the applicant is accepted by the school -- sometimes there are questions about the funding for the student (and maybe the student might have received funding a bit later, but for the peek), sometimes it's about the "fit" with the department (lots of departments "conditionally admit" students, depending on an interview with the faculty), sometimes it's because the Dean of Graduate Studies needs to review all the provisional acceptances. Probably some other things I haven't thought of, too. And wouldn't looking at the admit list affect other choices by the schools? (Guess what: it really is the school that chooses, not the student, too. Sorry, geek readers.)
I'm sorry for the students who were too anxious. Every single year we have a list of students that our department has considered for admission. And every single year we're really supposed to keep our mouths shut, as much as we would like to tell our friends and future colleagues. I suppose it should not have been their burden, but if the putz who put the access codes and instructions out there made a cent from this, Dante has a new anteroom in Hell just for him. HBS over-reacted, but it is fully understandable as purely conventional policy.
I think HBS's response is way overboard.
In fact, a few years back I applied for business school and one of the schools on my list was MIT's Sloan. As I recall, there was some 'hack' (hack lite) one could use to determine whether one had been admitted and it consisted of this: you would basically ping the mail server and figure out if a UID had been created for you. If it had, then you were in; if it hadn't, then either you weren't in or your UID hadn't been created yet.
Near as I can tell this is exactly identical to what went on here; using some 'covert' mechanism to ascertain admission status.
I consider myself ethical to a ridiculous fault but I am sure I too would have checked and not thought much about it before hand (as being unethical). If you leave your pants down, you shouldn't be too surprised when people take a gander at what's there.
Invest $100k in a smart fund with part in other currencies giving you 10% return = 259k
Now invest 200k of that over another 10 years while living off 59k and getting some average job.
Compare 20year result to a degree that you're still paying off 10 years after grad and working your guts off for measly 50k beginner jobs.
No wonder builders/plumbers are driving BMWs
Liberty freedom are no1, not dicks in suits.
I don't recall.
And anyone I'm doing an MSCS which I greatly prefer; never could quite sell myself on taking B-school classes; with the CS I really feel like I'm learning something hard, which I love.
For the record his email is kclark@hbs.edu, if anyone is mad just let him know I am sure he will love it.
Seems like the girl bears some responsibility for getting drunk and wearing revealing clothes. The cynic in me tells me that half the reason she is crying so loudly is to divert attention from her own safety failure.
"Ask not what your country can do for you." --John F. Kennedy
OK, it's already been pointed out that HBS is perhaps trying to deflect attention from its own mistake via harshly punishing those involved.
Is it also possible that a motivation for punishing *all* students and not just the student who posted the hack is that in order to punish the poster, they'd have to get BusinessWeek to give them the real name of the login of the poster who told folks about the hack? Seems possible to me though as I recall, BusinessWeek was pretty cozy with admissions folks and probably would have given up the name of the poster without thinking twice.
Uh, isn't your sig:
"Feed the need: Digitaladdiction.net"
A straight link to a "domain discover" advert?
Is that what you meant, or is it time for a new sig?
1) If the "hack" is really just editing a URL, I think that is stupid that some would get rejected for looking at their own information (we have something like that at my college, a computer on campus accessed information from school computers (unrestricted) and posted the information from many computers in one place, access was restricted to on campus only!!! But the school still got pissed). 2) How would you even know that someone looked at your information and got you rejected, assuming the school does not change its stance on this? Will HBS send out rejection letters saying that since you looked at your own personal information you will therefore be rejected, thank you and have a nice day?
Considering that the information being seen would become their property once the physical document arrived, and since they probably would have to wait another month before responding to another school or business opportunity, and that a large amount of debt or income might be swung by that timely knowledge, it can be argued that the acts were not only ethical, they also were reasonable and in the spirit of whatever Harvard is supposed to be teaching them. Of course they were alerting Harvard to their access apparently by id hash so they weren't all that smart, but the temptation to get news that is personally relevant only to your own future is so great that it is difficult to imagine people staying away from it.
Note that Harvard Business School uses a neat web-based intranet through which you get all the important information. Which I played with once as a family member went there. Maybe they have similar vulnerabilities in that system too? Also note that unless you win the lottery it is quite possible apparently that you will not get the ethernet in your dorm room that makes it so useful but hey..
The key to this issue is how will those out of the 119 who viewed positive acceptance letters (maybe 20?) contact each other to launch a class action suit in true HBS style to demand not only admission but also damages for Harvard's own unethical behavior in not only posting private information on public servers, but also then publicly punishing prospective applicants.
Finally let me say that I thank my stars that instead of going to Harvard for undergrad in 1985 I went to Cornell instead. I had a Nobel Prize Winner as my freshman chemistry teacher, unlike the grad students they foist on you at Harvard (or did then). The good things about HBS is they teach you how to eat lobster correctly (I don't know how), and they teach you how to go for the kill, and there is a lot of money connected to it. However Harvard has never even once struck me as a particularly ethical institution, and this (and the recent flap about female scientists from its president) just continues to add data points to the graph that says the world needs Harvard less than it needs the world. The days are past when people would freak out if you said you went there.
This is not about upholding some higher ethical standard. Harvard is simply protecting its primary asset - its reputation - and all of the money that follows.
There was a time, only a generation ago, when Dean Clark would have rejected you if you were a homosexual or a draft dodger or had received a less than Honorable discharge from the military or if you'd had an abortion or if you were convicted of sodomy. But today all those things are considered to be NOT immoral and not unethical by about half of Americans.
Dean Clark was stupid enough to think ''Obscurity is Security''. He got busted being careless and now he's going to punish a hundred people just to protect his ego.
So if you're going to throw away 119 accepted students (for showing bad judgement) then you should also throw out Dean Clark for showing bad judgement.
Typing in a URL to peek at a hidden file on a public server does not seem like a crime to me.
If you don't want people to see it then don't put it on a fucking public server.
More like you read on a public bulletin board how to check what your direct deposit check will be on the day before you get it.
There was no robbing going on here. Just people with valid user names and passwords logging in and looking at an unlinked page. The permissions of the system said it was OK. I don't see a crime here.
Coding Blog
I consider myself to be an extremely ethical person. I've never cheated on anything, stolen anything, pirated anything, and rarely even lie.
If, though, I stumbled across this little hack, what I would have done is not obvious! If the message had said something along the lines of, "Click here to hack into your application! See if you've been admitted!" then I surely would have ignored it. However, if it had said, "I found this link that lets you see your application status!" then I could have clicked, without even realizing that it was unethical at all. Perhaps that makes me stupid, but would that really be a reason to revoke my admission? Because I'm a little bit ditzy at times? Come on.
I'm sick of scrolling through comments, reading things like "Yeah, screw those twerps!", "Those assholes totally deserve it!" and "Thank heavens they were able to rid the business world of thus scum!" If I were one of those students, I might very well have had my admission revoked. Not to be self-promoting, but I am quite confident that I am a more ethical person than many of you, and many other Harvard admits.
I can be sure that at least one of those 119 is going through what I'd be going through, and I feel really bad for that student/those students.
Stop scapegoating, blaming all the world's troubles on these "scum," and realize that some of these students might have stronger moral fiber than any of you.
"Give me a lever long enough and a fulcrum on which to place it, and I shall move the world." -Archimedes
Email the Admissions Office and cc the school newspaper if you think these folks are getting a raw deal! (Just click the link and hit send).
If I read that my confidential information was publicly available on a website without my consent, I'd be angry and would check it out to see if it were true. If so, I'd ask the company hosting the website to remove my information. Is that unethical? I THINK NOT! Denying those 119 applicants admission to the business school on those grounds is wrong on so many levels!
Geez it is 10:50 Vancouver time and the friggin' applyyourself server is still /.ed into oblivion!
While I understand a high caliber school can demand the best of breed which includes morals, did Harvard ever say that no student should ever check to see if they had been admitted before they receive official notification?
I mean, all schools have ULAs that tell you what they expect of you - not to cheat, not to fight, whatever...
But did Harvard tell anyone not to find out even if they could? I mean, you decide you are going to save a bundle and streamline your admissions process and end up making a poor "business" decision and go with a company that obviously could not meet stringent security. But let's destroy over 100 prospective students' academic career aspirations because we are embarrassed.
The students did not "cheat". They did not "steal". They found out information before you thought they would. They didn't have to pay to get it otherwise. They didn't have to take a test to receive their acceptance letter.
Harvard should be ashamed of themselves, for not wiping the pie off their face with grace. Frankly, maybe the 100+ students who were active, caring and astute enough to find out what Harvard posted but wasn't ready to share yet can be better served by a school who will appreciate their moxie by teaching them instead of judging them for something they did with no knowledge that Harvard would really care about.
Next time my 3 year old does something bad that I never taught him was wrong, I shall spank him doubly! Thanks Harvard for teaching me that lesson!
The trick was you had to type in the following URL.
https://app.applyyourself.com/AyApplicantMain/ApplicantDecision.asp?AYID=89CFE0A-424C-4240-Z8D0-9CR52623F70&mode=decision&id=1234567
The AYID=89CFE0A-424C-4240-Z8D0-9CR52623F70 was in the URL bar when you logged into the site. You could figure out the id=1234567 from hitting view source once you were logged in and searching for ID.
I look at that and I think, maybe they didn't make the URL clickable because of a bug in the system. These students basically just found a bug fix.
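Added example (not part of the thread and not ApplyYourself's code): the server-side check several comments above argue for, written in Python and assuming the decision page returned a stored letter to any logged-in request that named it. STORE, Session, AUDIT, the SCHOOL-A identifiers, the dates and the function names are constructed for illustration, and the ownership check goes beyond the case the comments describe.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Decision:
    letter: str
    release_at: datetime  # when the school intends the applicant to see it


@dataclass
class Session:
    school_id: str     # bound server-side at login (the AYID in the thread)
    applicant_id: str  # bound server-side at login (the id in the thread)


# Constructed sample records keyed by (AYID, id); all values are made up.
STORE = {
    ("SCHOOL-A", "1234567"): Decision(
        "letter for 1234567", datetime(2005, 3, 30, tzinfo=timezone.utc)),
    ("SCHOOL-A", "7654321"): Decision(
        "letter for 7654321", datetime(2005, 3, 30, tzinfo=timezone.utc)),
}

AUDIT = []  # server-side record of refused requests, for later review

# One reply for "no record", "not yours" and "not released yet", so the
# response itself does not reveal whether a decision exists.
GENERIC = (404, "no decision available")


def decision_unlinked_only(session, params):
    """Weak form: the only protection is that no page links here."""
    if session is None:
        return (401, "login required")
    rec = STORE.get((params.get("AYID"), params.get("id")))
    if rec is None:
        return GENERIC
    return (200, rec.letter)  # served whether or not it has been released


def decision_checked(session, params, now):
    """Hardened form: identity comes from the session, release time is enforced."""
    if session is None:
        return (401, "login required")
    requested = (params.get("AYID"), params.get("id"))
    own = (session.school_id, session.applicant_id)
    if requested != own:
        AUDIT.append(("not_owner", own, requested))
        return GENERIC
    rec = STORE.get(own)
    if rec is None:
        return GENERIC
    if now < rec.release_at:
        AUDIT.append(("not_released", own, requested))
        return GENERIC
    return (200, rec.letter)


if __name__ == "__main__":
    s = Session("SCHOOL-A", "1234567")
    q = {"AYID": "SCHOOL-A", "id": "1234567", "mode": "decision"}
    early = datetime(2005, 3, 2, tzinfo=timezone.utc)
    print(decision_unlinked_only(s, q))
    print(decision_checked(s, q, early))
    print(AUDIT)
```
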
The hacker himself managed to get in, or did you miss that part?
Who wants to go to that shatty school anyway? The person that hacked it should be workin for the FBI and rest of those yuppies got what they deserved cheaters
And Boeing hopes to do big work for the gubbmint and being blackmailable is not considered a strength in the gov't bidding process.
As a middle-class, public-school attendee who was never "prepped" or tutored but is nonetheless attending an Ivy-league institution, I beg to differ. Sure, there are students at the top schools with rich parents, private-schooling, and a bevy of people to help them when necessary, but most of us got here the old-fashioned way: hard work, intelligence, good parenting, and a bit of luck.
You have to wonder if there is more to the story than is out in public so far. Like, how did 119 people happen to see the instructions? Do that many HBS applicants search the BusinessWeek forums? I bet those people used the same "elite school application consultant" and it was that person that tipped them off. Those pseudo-consultants are the snake oil salesmen of higher education. I guess that Harvard knows who the consultant was and is punishing him. I do not really feel sorry for the applicants. No doubt the consultant gives the applicants the idea that he has some kind of inside track. People who believe it don't deserve to get into Harvard.
And rightly so. After all, this is Harvard, not MIT.
These people understand how to submit form data. They might be geeks trying to sneak their way in to the Pointy-Haired Boss's club. These are the future corporate leaders of America, after all
Can you imagine a CEO who can use a mouse? and navigate the "interweb"? Someone like that might even be able to learn what his company does. It could upset the entire system of American capitalism as we know it.
Some here on Slashdot are so focused on "permissive" HTTP ("it's just a URL"), versus "exploitative" buffer overflow. The only difference between the two is the approach.
The problem in this situation (Harvard) is akin to an unlocked door that says "Management Only". In a website, that is accomplished by *not providing a link*. Opening the door is not breaking in (ie: buffer overflow), but it *is* circumventing the host's explicit desire to *not have you there*.
If you go poking around in places that you have not been given permission to enter, then you are violating the "sanctuary" (can't think of a better word) of that individual's server. Would it be just as permissive to look for abc.com/secret, or abc.com/financialhistory? They're both just URLs. But of course it's not all right.
Some people here need to realize that rules exist for a reason. If it weren't for rules (for example, physics), we wouldn't be able to build such wonderful machines as computers. It's because of rules that we have as much industry, economy, and technology that we do.
"Don't get caught."
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Your comment brings some good insight. I fail to see a few things that some of the Harvard supporters seem to assume.
1: Harvard has a legitimate reason to withhold information considering admission from their students?
2: Accessing a site with information pertaining to yourself is of course unethical considering you had help from a 1337 d00d.
What possible explanation does Harvard have for storing the status of their students on the same database as they serve their website on? What reason does Harvard have to withhold this information from prospective students? Applications require planning ahead on the part of students, these students don't have a chance to apply to more schools after they've been turned down by one, etc.
Second, This information was about the prospective student who accessed it. There is no rule of ethics that says you can't discover something about yourself.
Finally, what did Harvard have to lose? This was not a teacher's gradebook situation where you could assume someone was snooping in hopes of "fixing" a grade. The information is purely read-only, and it's not information that would not be disclosed, it's information that would be disclosed later. Why?
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Uhh...in this case, that would mean not applying to Harvard, since it was the university that put the data on the web, not the individuals involved.
That's also the case in a lot of other personal data leaks - it's info you need to provide an organization to get a loan, get a job, etc.
Saying 'just don't do it' is naive, and deflects the conversation from the real issue, which is how do we get organizations to be accountable and responsible for the information that we provide?
Maybe after Harvard's School of Trolling, you'll learn.
We all know that Harvard has to say that they won't admit the students that checked their applications early but last time I recall knowledge wasn't illegal. Great thing this is coming from a college. I just happen to think that Harvard might not even take any action against those who did it, liberals (like John Kerry) and liberal colleges do happen to be very good liars according to Mr. Bush.
What a horrible waste of time it is to announce that you refuse to accept students who want to go to your school. Why else would they check their status if not out of desperation to know.
Truly there is a void here between understanding and what really occurred. Good thing they posted the information at the safest place possible, The Internet. Not only that but a month early. Wow.
Wow.
Somewhat depressing because even if you graduate from Harvard with a Cosmetics degree (had they had such a thing) you could go work for Donald Trump right away because you got out of an Ivy.
For anyone else applying to Harvard let this be a lesson to you! Don't use the internet if you wish to know things!
In fact you might as well castrate yourself right now and save them the trouble for when you accidentally try and pay your application fee online and seem to stumble into $8million dollars of unmarked, nonconsecutive bills.
C'mon.
Why do these two seem incompatible?
Perhaps it is the prevailing attitude that anything that makes money is OK today!
Nice to see that someone thinks differently.
Sorry, I didn't mean crime as in the usual sense of something that is against the law, just something more along the lines of, say, definition 3 or 4 here as something that is just a wrong.
Harm? Is anything that feels good okay? Cheating is only wrong if you get caught? Because if you don't get caught, no one suffers any harm, right?
It's important to get people who understand there are no short cuts. You're supposed to work hard to succeed. And sometimes, you have to wait too.
All in all, Harvard doesn't have to accept anyone. No one has a right to be there.
I not only don't look forward to the involvement of lawyers in this, but I certainly hope we don't see another group of people barging in where they aren't wanted just because they can find a high-priced lawyer to browbeat others.
You've got to be kidding: have you met many Ivy-leaguers recently? Let's take my school Stanford, it's not technically in the Ivy [athletic] league, but it will do. I'll grant you that there are plenty of rich kids (doctor rich, not $50m+ rich). There are also plenty of not so rich people. I know nobody who's taken SAT courses - I certainly haven't - and the vast majority of the people here went to public schools. Not a whole lot of legacy kids either.
It seems that Harvard set up the whole thing as part of a program they're calling "ethic cleansing..."
Your brain is not a computer.
In light of these events, I strongly believe those who were NOT going to be accepted should have received a similar punishment.
I propose that those who illegally checked status of their application and who were originally refused, be now ACCEPTED to the school and hence financially punished to the full extent of applicable tuition and other fees.
We know that 119 applicants hacked into the system -- and we know their names [...]
Any applicant found to have done so will not be admitted to this school
To me, the only logical reasoning to make such a decision is that none of these 119 was initially admitted.
- Harvard most probably decides the final list of accepted people at the end only. They want to make sure no better candidate would show up before the end. Since the letters were ready 1 month ahead, it looks much more like a list of rejected people.
- if all people were initially rejected, it is not difficult to make such a decision, and to pretend to be harsh against non ethical people at a time it is a popular topic for business schools.
- if some people were initially accepted, that would hurt Harvard to let good candidates go to Stanford or elsewhere.
- finally, based on the Reuters news article, it is not said that the 119 were not accepted because of entering the system.
Kim Clark's reasoning is most probably business based, pragmatic, and not ethical or computer technology based. All the 119 were initially rejected, that's the only business explanation I can see.
1. use proxies 2. crack all 5000 account passwords 3. check *everyone's* application status 4. ??? 5. go to Harvard!
hacking 101: you always RM the log files!
Dude, it's not like this is like you're stealing from anyone. You're just looking ahead on whether you got accepted or not.
Jeebus, it's not like ROBBING A BANK!!!
As you mentioned these students probably have admissions at other schools. I can only hope that Harvard publicly publish their names so that they can be blacklisted throughout the nation.
If Harvard were to do that, they would be guilty of the same sort of "unethical behavior" they're accusing the students of. Honestly, I think the response to automatically blacklist those students in the first place is childish and is trying to cover up for their own inadequate security and process. Furthermore, whatever happened to the original cracker dude? If looking at your score is unethical, I'd say it's not exactly good behavior to be posting exploits (even if it doesn't hurt anyone).
Make sure everyone's vote counts: Verified Voting
Well, it's clear that Harvard is just stupid or plain incompetent. Point 1: They fail to adequately secure their information. Point 2: They don't believe they are responsible. Point 3: They don't believe the hacker is responsible. Point 4: They keep admissions letters hidden that by all rights should have been mailed out to prospective students a month ago anyway. Point 5: They punish applicants for finding out the status of their application (to which they're entitled).
Frankly, the only blame here belongs to Harvard.
Let me get this right, it's a business school harping on ethics?
Next they'll have morals. And a common conscience to support it.
...tells me about it, and then I go into your house using those instructions, the only one at fault is that first guy? I'm off the hook? I will be, according to your logic.
Think about this. Have you been invited to a friends house for a get together? Do you knock before entering? Or do you just walk in. You have been invited after all. They are expecting you, thus it should be ok just to enter.
Now if you find the door locked, would you feel unwelcome since they did not have their door unlocked for arrivals?
Would you think your friend had a problem if he found your entering his home without knocking inappropriate?
No crime is committed. But ruffled feathers nonetheless.
It's called courtesy.
I'm not versed in the rules for Harvard, but wouldn't this be like a coworker somehow taking a look at their yearly evaluation after sneaking in the manager's office. If they get caught they could get fired. How different is a university in the States to a company? Does a university have the right to kick someone out if they don't perform to expectations? Or steal? Or harm self or property? If these cases are the same I don't see why Harvard should admit these students. Besides patience is a virtue.
Early in the morning on March 2nd, someone calling himself "brookbond" on the BusinessWeek MBA Forums saw the results of his HBS application using a modified version of the link he'd use to see his results at another school also using the Apply Yourself system.
He saw a "ding" letter, meaning that he saw a form letter with the standard "We're sorry, we can't admit you to the class of 2007. Blah blah blah. Best of luck in your future endeavors." He then posts the technique he used to view the letter to the BW forums. This information is visible for roughly six to eight hours. After the beginning of the business day on the East Coast, all hell breaks loose. People are discussing the posting on the BW forums, with people wondering if the link works or not. People report seeing one of two things:
NO ONE SAW AN ADMIT LETTER.
Period, point blank. Anyone who says they did, is lying. At some time between 8:00AM and 9:00AM EST, the BW forum moderators realize what's being discussed, either because of the activity level on threads related to HBS, or because they were contacted by HBS directly. BW begins deleting every single thread related to HBS, regardless of whether or not it contains information about the "hack" or not.
At this point, a blogger named PowerYogi posts the technique to his blog. A rather humorous thread insinuating HBS is sending snipers after PowerYogi starts up, then peters out after a while.
Eventually, Apply Yourself wakes up and patches the system to show "Your Decision is not yet available" messages instead of the dings and blank screens. This occurs between 10:00AM and noon EST.
Nearly 20 hours after the "hack" is first posted, HBS sends this letter to applicants:
Unfortunately, things don't stop there. Eventually, BW gives up trying to delete all the HBS postings, and people begin discussing the item. An article appears in the Harvard Crimson detailing the incident on March 3rd, and the article is used as source material for articles by the Boston Globe and the Associated Press. The AP article makes the front page of MSNBC.
By March 4th, other schools using Apply Yourself realize that their decision information may also have been available. In an amazing display of leadership, the Tepper School at Carnegie Mellon announces that they will reject anyone who tried to access their decision information early. Elsewhere, it is learned that a grand total of TWO people attempted to learn their fate at Tepper early, making it easy for CMU to grandstand.
With a precedent set, schools begin to announce their decisions on the fate of the "hackers". According to
Blogging Weight Loss, Distance Education, and more at verlin.com
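As an added illustration of the server-side check the timeline above points to (this is not code from ApplyYourself or from the post), the example below contrasts a lookup that serves whatever is stored for the identifiers in the URL with one that checks ownership and the release time first. The record layout, names, dates and letters are constructed assumptions; only the "not yet available" message comes from the post.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Message the post says the patched system showed.
NOT_YET = "Your Decision is not yet available"


@dataclass(frozen=True)
class Decision:
    letter: str           # stored on the server ahead of the release date
    release_at: datetime  # when the applicant is allowed to see it


@dataclass(frozen=True)
class Session:
    applicant_id: str     # set at login, never taken from the URL


UTC = timezone.utc
# Constructed sample data: (school, applicant_id) -> decision.
DECISIONS = {
    ("school-a", "1001"): Decision("Letter A/1001", datetime(2005, 3, 1, tzinfo=UTC)),
    ("school-b", "1001"): Decision("Letter B/1001", datetime(2005, 3, 30, tzinfo=UTC)),
    ("school-b", "1002"): Decision("Letter B/1002", datetime(2005, 3, 30, tzinfo=UTC)),
}


def lookup_weak(school: str, applicant_id: str) -> str:
    """Weak form: trusts the URL parameters and ignores the release date.

    A stored letter is returned as soon as it exists, and a missing one
    yields a blank page, so the response itself leaks the record's state.
    """
    decision = DECISIONS.get((school, applicant_id))
    return decision.letter if decision else ""


def lookup_hardened(session: Session, school: str, applicant_id: str,
                    now: datetime) -> str:
    """Hardened form: ownership first, then release time, on every request."""
    # The applicant id must match the authenticated session, not just the URL.
    if session.applicant_id != applicant_id:
        raise PermissionError("record does not belong to this session")
    decision = DECISIONS.get((school, applicant_id))
    # Same answer for "no record yet" and "record exists but is embargoed",
    # so an early request cannot tell the two apart.
    if decision is None or now < decision.release_at:
        return NOT_YET
    return decision.letter


if __name__ == "__main__":
    early = datetime(2005, 3, 2, tzinfo=UTC)
    me = Session("1001")
    print(repr(lookup_weak("school-b", "1001")))                # letter leaks early
    print(repr(lookup_hardened(me, "school-b", "1001", early)))  # embargoed
    print(repr(lookup_hardened(me, "school-a", "1001", early)))  # already released
```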
Clearly, if you read the bio of Kim Clark, "By birth, Kim Clark is a westerner, having grown up in Washington and Utah. ... They are the parents of seven children and six grandchildren. Professor Clark is an avid golfer."
Damn, seven children? Utah? Oh, I think this guy went overboard on the "ethics", Mr. Flanders!
The third time was when they overreacted.
I see no unethical action by students here. Who was injured by this action? So someone found out that they were not accepted or were accepted a few weeks early. Big deal! The school was not injured. Other applicants were not injured (other spots are still available and unknown, unless this hack was really a list of all accepted individuals which according to officials was not the case). The applicants however are being injured, by the school. The company was embarrassed, but rightly so. Actually they should be ashamed of doing their job poorly. It is their job to make sure "hacks" do not happen. But what do they care. As long as the 200 dollar application fees are paid by 5000 applicants, they are all set. I bet there were no screw ups in the billing aspect of the site. The school is acting unethically in this situation, not the applicants. There was no injury to the school, yet they injure applicants who for some reason wish to better themselves in the presence of Harvard. Why Harvard? Who knows?
You obviously forget about something called money. Ivy league? Come on man, think about it....
Do they really want applicants who do not know how to use a browser? Modifying a URL isn't hacking, it's navigating. Just because Harvard didn't want people to look at their scores doesn't mean that it was unethical for people to look at their scores. Harvard should be ashamed for being so careless with its data. If it's out there with a URL, it's fair game.
actually...this time...it was hacking!
it's funny to see slashdotters arguing over the definition of the incorrect definition of the word.
char *mySig;
After reviewing a few of my pro-Harvard posts and seeing how they got modded down, and comparing them with the crap anti-Harvard posts that almost uniformly got modded 5-insightful, I have to presume that Harvard is one of those other institutions along with MS and big business in general that /. is all against. I should have saved my Karma points.
Assuming Harvard comes to their senses and accepts those who "peeked," I suggest those applicants sue and matriculate elsewhere. Teach Harvard a lesson.
Ethics? Are you fscking kidding me? Man, some people have their balloon-knots puckered a little tight.
Harvard--;
Please stop copy-and-pasting your pyramid scheme into your messages. Those of us who have disabled signatures have done so for a reason: We do not want to see your stupid advertisements. So please stop lest I find it necessary to shit on your head.
And perhaps you were trying to spell, "meant". I love it when the spelling police screw up.
(a) Harvard can't secure its systems properly, so it's partly their fault.
(b) No decisions were changed as a result of the access and no-one altered any data.
(c) Harvard has lost some bright students who passed their (presumably rigorous) selection process.
So is this a stupid decision, or what?
When I am king, you will be first against the wall.
... except that nobody found out.
I was admitted to the University of Helsinki law school (see fancy up-to-date web site in Finnish or the really crappy obsolete site in English) in 2001. The entrance exam is highly competitive and people pay insane amounts of money to attend preparatory courses to increase their chances of being admitted. I, for one, spent three months holed up in my apartment, studying non-stop to make sure I would get in. A lot of people would do anything to find out in advance whether they have been admitted or not.
The list of persons admitted to the law school was supposed to be posted on the web on July 20th, 2001 on the admissions 2001 home page (which was, at the time, part of a buggy frameset). If you were "clever" enough to strip the last part of the URL away (like I was), you ended up with a directory listing. This could be used to access the file that included the list of students admitted to the law school - two days before the results were made public, on July 18th, 2001. (The direct URL to the file was more or less un-guessable until the results were released.) Two days may not sound like much, but when you're talking about the display of insanity that is the Helsinki law school exam, it's a lot. More than a few people would undoubtedly have paid serious cash to know their results in advance.
About one year later, the list was "removed" from the web for privacy reasons. However, they simply changed the file extension to ".old", and the list of students admitted to the law school in 2001 is still accessible through the directory listing URL!
Of course, they never found out that the list could be accessed in advance. The lack of computer savviness among the law school faculty and staff never ceases to amaze me. At one point, they had a web page with the latest updates to the law school program for Fall 2004 - without doubt the most popular page on their web site. The file included about 20kB of text, but for some unfathomable reason, the HTML file was about 2,3MB! It's been fixed now, but the problem persisted for several months. (When I looked at the HTML, they had one million extra CR+LFs at the beginning of the file, adding over 2MB of 'bloat'.)
Idiots.
After all, it was their incompetence that created the problem in the first place.
Think of this as being like the yelping being done at the moment by the Italian government. They give terrorists over $10 million to free hostages, which the terrorists can use to kill more innocent Iraqi women and children, but whine because one of their agents, apparently a rather stupid one, approached a US checkpoint so fast he looked like a terrorist himself.
The greater the incompetence, the louder they yell. That's as true of Harvard as it is of Italy.
--Mike Perry, Inkling Books, Seattle
I don't get it. I thought in the USA every citizen was entitled to see any files kept on them simply by making a request (Freedom of Information Act). Typing in a URL in your web browser to view information about yourself doesn't seem illegal or unethical. It would seem to me that typing in a URL should be considered making a request and viewing the resulting information about yourself is well within your legal right. All I can figure is that there must have been some terms of service associated with the login process that I am unaware of, but even that seems illegal. I'm not a lawyer but maybe someone who understands this stuff could explain it for us normal folk so we don't get into trouble reading things about ourselves we aren't entitled to.
and they failed.
Best Slashdot Co
The applicants to Harvard's BS, Carnegie Mellon's Tepper, and any other top MBA programs are almost never going to be younger than 21. Not only do you need to earn a bachelor's degree first, the best MBA programs also "strongly recommend" that you have at least 2 years of work experience post-undergraduate graduation.
You'll find the average age of students admitted at the leading MBA programs to be in the late 20s.
Regards,
Spock_NPA
Why doesn't Harvard just do what everyone else does and replace the link with an undesirable image?
A modest proposal: Let's brute force each and every one of their applicants. After everyone has been revealed as being "unethical", let's see if Harvard sings the same tune. That, my friends, would be the true test of "ethical".
What a load of shit. I agree with the folks who say this is crap. If they can't secure their servers, they are at fault.
it's Yale for me!
In a way an exploit is like a slip that is showing.
- You could tell the lady discreetly, which is commendable.
- You could point it out to your friend, snicker and say nothing which is low.
- You could notice it yourself and do nothing, which is not really bad, but not good either.
- You could have it pointed out to you and look, that is only human, but then you can tell the lady her slip is showing or do nothing.
If you do nothing when you know others are looking and snickering, you are exposing her to ridicule, and you are less than a gentleman/lady.
"You read in a public bulletin board detailed instructions for robbing a bank by typing in an unpublished keycode into an ATM machine and you get arrested??? No F'n WAY!!!!"
Oh, I can play too:
You read in a public bulletin board a way to check your own account balance at a bank and get arrested? Yea! That'll teach those hackers!
"I for one applaud Harvard's decision to stand up and demand a certain moral fiber from the applicant's to it's instituions."
I'd rather they teach kids how to use a spell checker. And yes, you are one. Congratulations for having the courage to speak out in favor of... something. I'll bet you get upset when I loan my CD's to my friends to copy too. Whoohoo! Call the Eff Bee Eye on me!
Looking at your own information is neither unethical nor illegal.
...oh, and Johnny, here's an ID and Password"
This is a case of Harvard covering their ass.
If I tell you
"Johnny, access this URL to apply:
http://apply-here.com/Johnny=apply
and then you type in
"http://apply-here.com/Johnny=checkstatus"
That's not illegal or immoral or unethical or anything. It's just stupidity from Harvard.
Of course, Harvard was never particularly known for the quality of their IT. At least MIT has the good grace to shut their trap over an obvious security breach.
But please, stop trying to pretend there is *any* moral issue here.
P.S. Nice hair. What size bowl do you use?
"I trust Harvard"
Why? What trustworthy things have they done as an institution?
Oh right. Their president just said that girls are not as good as boys in math. Wow. Welcome to nineteen-fuckin-fifty. Where does that stand with you? Where is that trust?
"a world renowned institution and teacher of ethics"
Yeah. As long as the girls stay in the kitchen, barefoot and pregnant. Heaven forbid they do some math.
"So cheating on your wife is ethical, so long as she never gets hurt?"
You're saying looking at your own information is the same as cheating on your wife?
I say it's closer to the president of a prestigious university saying that girls aren't as good as boys at math.
Why would you make up an analogy that has no bearing on the matter? Seems unethical to me.
Giving someone enough rope to hang themselves isn't entrapment, even if it's not particularly nice.
Dewey, what part of this looks like authorities should be involved?
...unless you're on Google, in which case it becomes a Google Hack.
Mr. T pitied this fool on 27 July 1992.
Everything I'm reading in this story indicates that the decisions on the applicants were already made, yes? So what exactly is unethical about looking at a decision that has been finalized, but not disseminated? I can't see any way that this information could be used to anyone's advantage other than perhaps to adjust one's collegiate outlook. I think it would certainly be unethical if a person were able to use this information to their advantage in the process of getting admitted to the school, but the fact is that this information is (supposedly) telling people they are in or out. Why isn't anyone questioning the ethics of Harvard in this case? Why would a school delay informing its applicants of their fate when it is obvious that the decisions have already been made?
:::: the insomniac's digest
No, it's more like:
"Am I allowed to look at my own diary".
The answer is yes.
The other answer is Harvard is covering their own asses for incompetence.
"However, there was benefit by accessing information not made available to them by Harvard. "
What are those benefits, exactly?
I find it funny that security minded people on /. are saying editing a url is not hacking. Have you forgotten the "phf" bug that exposed passwd files? Have we forgotten the urls for IIS servers that could be used to hack them or cause them to DoS someone else... there are many cases where 'hacking' is as easy as typing in a URL...
It's one thing to access something that is public, it's another to exploit a hole in an application to produce an unintended result.
Every day, there are urban myths circulated. Here comes an anonymous poster who says HBS applications are not secure. I can see an applicant might be (1) curious whether this is true or not, and (2) concerned that his confidential information is visible. There is more than one reason why an applicant might check out this guy's "hack". And because this is not a black-and-white ethical issue (as few things in the real world ever are), the way Harvard (and MIT) handled the situation reflects more on their faults than the dinged applicants whose motives I can't blindly determine.
Stanford made the right choice. Hear what the applicants have to say. Some of them might have sent warning e-mails to admins.
What about the ethics of having decided who gets into HBS but just waiting around for a month before letting them know?
How is this justified by Harvard? Sitting on this information for a month is a month that unsuccessful applicants don't have to apply at other schools. Alternately one month is a lot of extra time to tidy up your life if you are going to Business School.
The fact that the University had all this information sorted but chose to NOT distribute it to the people it directly affects (in a real material sense unlike this little hack) is unethical in my view.
A Universal Resource Location is a public address, just looking at it using your own ID number hardly constitutes any kind of serious infraction.
Certainly not half as bad as holding back on telling people about such a significant decision at the time it's been made.
It is strange that the Harvard Community is not really speaking out. Where is the Law School on this? Or the Medical School? The people at Harvard who have been developing digital rights management and copyright ideas to make sharing information legal and easier?
The problem is that one is considering the intent here. With ENRON the intent was to make money. It was calculated and planned over a long period of time. You cannot compare a person who would allow the city of Los Angeles to have rolling-black-outs to someone who wanted to know if a URL trick might work.
These people didn't even know if it would work; it was curiosity. How many people would even believe what they were seeing? Until I get a formal letter of acceptance or rejection I would not accept anything I saw on a website. What if the rejection letter is the default format until someone is accepted?
AND this was not a HACK as many have stated. It was not premeditated or done out of malice. I think that it is reasonable for a person to look at their own information. Now I agree that the students could have made an effort to alert the school to the problem, but the fact is their intent was not malicious.
Finally, making a sweeping no-tolerance decision is never a good idea. The Harvard Community is full of people leading the way in LAW, ETHICS, and Copyright standards. I think the community should have a say and not just a small group of administrators who are obviously angry at the incompetence of the software and services they have bought.
I basically do nothing.
HBS had a 2003 acceptance rate of 11.6%, only Stanford's 9.2% acceptance rate was lower. The math says of the 119 people who peeked, only 14 were accepted. But the autocrat bitch who runs the place had to puff the numbers and try to spite them. Pathetic.
Ethical or not there is a technical problem. Recall, if you will, the problem of the Betazoids. They can read anyone's mind so they don't even bother to hide their thoughts.
Word of advice: allow someone the chance to change his/her mind. If someone says their decision is not in effect until such time, what you see on the Internet may not really make sense until the particular threshold time has passed. Who knows what the information on the Internet really means? It may be just test data or intermediate data that is inadvertently visible.
Where there's smoke, there's fire. If you interact with a computer and you get a clue how the computer will respond, even if you don't have 100% confidence in your prediction, you still should be able to tweak your input to the computer to gain the most favorable response. The ethics as I see it:
- We are humans and are masters of computers.
- Life isn't a chess game where each side takes turns. We're allowed to probe and experiment. Clicking Submit does not mean one is submissive. Even on the grounds that one has made a simple mistake one may re-submit with something different.
- Speaking of trust, we don't trust computers that much when our future is at stake. Would you be operated on by a robot? Would you let a robot drive your car? Eventually, but not all at once.
BTW, what is Harvard about? See Legally Blonde!
Know your pads. One time pad: good for cryptography. Two timing pad: where to take your mistress.