Slashdot Mirror
Harvard Business School: You Peek, You Lose
mosel-saar-ruwer writes "Seems Harvard Business school was using the ApplyYourself web service to process applications. Sometime in the last few days, an anonymous hacker, known as 'brookbond', was able to crack the system, and discovered that Harvard had already posted acceptance letters to the website fully a month before they were to be mailed to their recipients. He posted instructions on how applicants could view their letters at the BusinessWeek forums, and approximately 119 applicants followed his advice. Today, the dean of the Harvard Business School, one Kim Clark, announced that none of the 119 would be admitted: 'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'"
Wow. So even though only one person actually did the hard work of figuring out how to hack into the site, 119 other individuals figured they too should follow the directions to hack in and learn the results. Harvard (rightly so) decided to not admit any of the 119 even though some of them possibly were initially accepted. Is this a response to some of the unethical and deceptive practices that have been rampant in the business world (i.e. Worldcom, Enron, pick your fav.) of late? Perhaps, but this is especially important in that much of business school (especially in ivy league schools) is about establishing relationships and connections. Do we want a bunch of ethically challenged folks getting to know one another in Harvard business school? I think not. In light of many of the current scandals in the business world, I would like to believe that schools do pay attention to these issues and perform some filtering at the front end rather than filtering or correcting during the educational process. After all, there are some things that cannot be taught. By the time one applies to business school, patterns of behavior are fairly well entrenched and behavioral correction of things we were supposed to learn in kindergarten is not the business schools responsibility.
It would be interesting to find out what their stories are. Why did they do it and what were they possibly thinking? Do they believe they should be blacklisted?
It should also be noted that Harvard was not the only school affected by this hack. Other business schools (MIT, Stanford, Carnegie Mellon and Duke) were also compromised and I would encourage those schools to adopt the same actions as Harvard in this case.
Visit Jonesblog and say hello.
So if I got instructions on how to read another persons acceptance letter, I could get them refused entry into Harvard?
Right on, I've always wanted to stick it to one of those yuppy bastards.
Feed the need: Digitaladdiction.net
It's take charge, independent thinkers that the school needs in it's student body. they better not revoke my admission or i'll send a teenage grrl enforcer over to smack 'em upside their heads!
A feeling of having made the same mistake before: Deja Foobar
Does anyone know how complicated the instructions were? Is there any way the people could have thought they were just accessing the site, putting in a URL with their name or whatever at the end of it, and not 'hacking' it to get information they were not allowed to have?
How they want to prove that the person that looked at the "papers" was the "accepted one"... (if they didn't posted it all over blogs ;-))
The real culprit is the cracker who found the way in.
I think Harvard's reaction against the 119 who followed the indicated route is pitifully excessive.
But the 119 now have an early lesson in how certain business managers cynically deflect blame in order to save face.
It appears to be beyond Harvard's ability to track down the cracker, so they hit out at whoever is within reach.
-wb-
Come on, they were just curious. This is too much. And Harvard should have been more careful.
If ethics was so important, how come it wasn't tested for in the actual application process?
...to spite their face. Harvard just regected 119 of the most qualified bussiness school bound students in the country. They will go to other, arguably equal, bussiness schools, while Harvard will take on 119 lesser qualified applicants to fill its vacancies. What schmucks...
Begorrah ! The ones who knew enough to find the "swag" on a relevant website are the ones who should be first in the queue to be admiited. After all they're the ones with the acumen.
:)
Ho hum... Just goes to show that if you play by the rules you'll get by by the rules (and if you play them well enough you'll "shine") But you'll never discover anything truly new
Mind you having said that... if you do discover something truly new, once you try to tell somebody, the rest of society will think you're mad and burn you at the stake. "This heretic says the Earth revolves around the sun... burn the witch..."
Sky subscribers are morons. They pay to be advertised at !
Seems like the school bears some responsibility for outsourcing the acceptance letters to an easy-to-hack site. The cynic in me tells me that half the reason they are coming down so hard on the students is to divert attention from their own security failure.
Someone hacked into our server and posted the details of how to replicate it to the rest of the world. We're now embarassed, who can we lash out against?
Ah! the people who we can actually hurt without going to court or having to get law enforcement involved, the 119 18 years olds who were on tenterhooks to know if they'd been accepted and really couldn't contain themselves to wait another entire month when we'd already made the decisions.
Infact, if I understand from my rather hazy sources US law enforcement won't get involved unless the crime has cost $5000 (I could be way off here though, I didn't get this from an authoratitize site), so, since they're out the only other option to lash out and save face would be to sure, which is expensiv when you can just ruin 119 kids futures. Of course, doubtless it will end them up in court...
The ethics point isn't particularly strong, these are 18 year olds who want to know if their chosen college has accepted them and they find out that the decisions have been made and the letters written a month before they'll get them otherwise. The fact that they followed some instructions posted online to find some 'hidden' files reflects little on their ethics in the future - I spent hours in school trying to get into every nook & cranny of the systems (which the admin had tried to lock down) using as many non-invasive/agressive methods as I could find. Does that make me unethical? no. I did it entirely as an academic exercise to see how well locked down the systems were, would it have been unethical to find out information about me that the school held but didn't want to tell me? no, not in my opinion.
This seems to be the university lashing out against someone to save face. That 'someone' being the people who have least blood on their hands (out of the people actually involved) and who the university feels that it can get away with stomping on the easiest.
FGD 135
As a current Harvard MBA student and long-time /. reader, it's worth pointing out that these applicants didn't "hack" anything. They got instructions (now deleted from the BW forums) that if you took your login hash, appended it to a URL at the ApplyYourself, you could see the decision letter on your file, if it had already been posted. My guess is that someone asked a first round applicant (who had already heard) for the URL to the decision and tried it as an in-process second round applicant.
This isn't hacking. Nobody logged in as the Admissions Director or socially engineered their way into info by calling admissions and pretending to be a staffer out on the road. The only people at fault here are the coders at ApplyYourself (the 3rd party application site). Having used it last year, I can tell you that it is technically inferior to most products that other schools build themselves.
There's already some ideas above that with the Enron and Worldcom scandals, business schools need to have ethics at the highest standards, but this misses the point. The 119 people that just got rejected weren't the 119 least ethical applicants. They were the 119 of the (probably) 130 applicants who saw the instructions before they were deleted. The top tier b-school application process is very stressful and the idea of seeing your results early is hardly scandalous.
Furthermore, our new post-scandal "Leadership and Corporate Accountability" course spends a great deal of time discussing the ethical trade-offs inherent in business, such as weighing employee concerns vs. shareholder concerns vs. customer concerns. These decisions are rarely black and white and we spend a lot of time discussing relative merits of each stakeholder. The notion that we would portray ourselves as knowing an absolute ethical standard goes against much of what we teach and learn here.
Despite the small number of true criminals to have walked these halls, Harvard Business School is a great institution and most /.'ers would be surprised to meet all the ethical people here that will be future leaders (if past performance is predictive of future performance).
Seriously, I think this is overboard. If I was applying and just happen to run across a link that let me look at the standing of my application, I would have done it. And I consider myself to be an ethical person. If I see someone drop a $5 bill out of their pocket walking down the street, I'll pick it up and give it back to them. If a guy left his iPod in a classroom, I would pick it up and find him to return it. If a business deal came by where I could make $10 million by duping an old lady out of her $100k house, I wouldn't take it. Hell, I even help old ladies across the street on occasion.
The fact is, these people were probably just curious about their application status. And the reason only those 119 probably checked theirs out was because they were the only ones that knew about it. I don't know what their application numbers are, but if 5000 applied and all of them knew about the hack, probably at least 4000 of them would have checked out their applications. As well, the hack was only open for what ? 9 hours total? Does everyone who applies to Harvard check every 8 hours to see if a hack is available that will let them view their application status? Gimme a break. Maybe they could use this as a final decision maker, but to totally nix these hapless few is ridiculous. I bet more crooked business majors have come out of the Harvard Business School.
totally classic behaviour you'd expect from an unethical corporation who wants to cover their ass and deflect blame of a major fuckup that's their own fault.
if you ever wondered about the ethical standards of harvard, here's a perfect example. instead of accepting responsibility for their fuckup, they take it out on others, in order to cover up their embarassment.
Many of these kids were probably under enormous pressure to get in.
Interesting (to me at least) riff from a recent Economist article...
One factor contributing to the stratification of US society is precisely that enormous pressure. There is extreme pressure in competition for entrance to top schools (and then to get good jobs at top employers and then to advance up the ranks at said employers). But, this competition is primarily localized to members of the upper and upper-middle classes.
Meanwhile, American society is measurably breaking into the haves and the have-nots with a shrinking middle-class. A similar bifurcation occurred in the early 1900s, but was checked by the very people at the top who recognized that American society needs to be dynamic in order to be robust. Thus came the creation of measures of merit like the SATs.
The difference between now and then is that in the early 1900s, the upper classes easily perceived the stratification making it relatively easy to motivate people to address the problem. With the extremes of the current merit system, all the upper-classes perceive is extreme competition - but only among themselves. From their perpsective it is still a merit based system. But when it takes a $90K prep-school and a $10K SAT-prep course plus a "legacy" contribution to gain entrance to a top-school, we are very close to where we were at the start of the 20th century -- excluding huge swathes of society from the opportunity to advance themselves.
Personally, I'd have capitalised "unethical" rather than "illegal" as I consider it to be the more serious issue.
I recently wrote an IRC bot. That is currently illegal in the USA (read up on the ActiveBuddy patent) and will, as a result, probably be illegal in short order in the EU (where I live). However, I'm not bothered.
If I'd done something that I considered immoral, I would be worried. But my opinion is that allowing governments to define your morality is lazy at best and idiotic at worst. This applies particularly strongly in this situation where, as far as I can tell, people are being kicked out for receiving their letters before they were due to be sent.
I can't see any good reason why this should be a major offence, certainly not why people's lives should be messed up on this basis. Especially if they are able to produce a detailed argument as to why they considered their behaviour ethical.
Please, please get your priorities straight.
For the love of God, please learn to spell "ridiculous"!!!
How can you compare robbing a bank to what occured here. I'm not saying the prospective students should not be punished, but robbing a bank is clearly against the law, while its possible that these students did not think or know that accessing this "hidden" url was against the rules. (or maybe they did but its not explicitly clear).
-kaplanfx
Visualize Whirled Peas
I couldn't have said it better myself. I've been applying to grad schools and am currently waiting for some decisions still. If I had been told I coul d find out my decision by changing the URL to page=decision or whatever it was, I would have absolutely done it.
You know, I have mixed feelings about this. I think that it is good that they are being taught a lesson, but I think the punishment may be too severe to fit the crime here. Your analogy to the bank robbery is totally absurd, since you would be taking money from the bank, whereas here you're just seeing if you'll be admitted earlier. (It's like the argument that is used sometimes with respect to file sharing, except here Harvard isn't even losing potential revenue.)
Publishing their names and getting them banned from other colleges would definitely be over the line into pure vindictiveness though. Screwing someone significantly, possibly for life if they truely are compeletly blacklisted, for one very small mistake is ludicrous.
Question is, as someone pointed out, did they know they shouldn't have?
If the "hack" was typing in an URL when logged in as mentioned, my guess is that many would type it in without even giving it any thought. Most of these 119 individuals probably wouldn't have gone through with this if it involved some serious hacking. People are curiuos by nature.
The problem here isn't curious youngsters, it is a world class business school practicing security by obscurity.
Ceterum censeo Microsoftem esse delendam
Your comment brings some good insight. I fail to see a few things that some of the Harvard supporters seem to assume.
1: Harvard has a legitimate reason to withhold information considering admission from their students?
2: Accessing a site with information pertaining to yourself is of course unethical considering you had help from a 1337 d00d.
What possible explanation does Harvard have for storing the status of their students on the same database as they serve their website on? What reason does Harvard have to with-hold this information from perspective students? Applications require planning ahead on the part of students, these students dont have a chance to apply to more schools after they've been turned down by one, etc.
Second, This information was about the perspective student who accessed it. There is no rule of ethics that says you can't discover something about yourself.
Finally, what did Harvard have to loose? This was not a teachers gradebook situation where you could assume someone was snooping in hopes of "fixing" a grade. The information is purely read-only, and it's not information that would not be disclosed, it's information that would be disclosed later. Why?
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Most modern schools of ethics are based on the harm principle. In this case, no individual person would be harmed as a result of you looking into records early; there isn't even a physical crime taking place. The results had been predetermined, your viewing the data would not change the result (Heisenberg notwithstanding).
This is another example of Harvard trying to take the morale high ground and protect its reputation after the fact. Maybe the president would like to filter out the female applicants since business classes are so mathematically heavy? Or maybe he'd like to ensure only the best future CEOs of Worldcom, Enron, Nortel, and Haliburton are produced by his business school.
John Maynard Keynes: "When the facts change, I change my mind. What do you do?"
A certain moral fiber? This required a username and password. To access your personal information. Information they were going to send you in a few days anyway. This would be like finding out the ATM at the corner where the bank was moving into was already working, and going and making a withdrawl from your account.
Harvard got caught with a truly poorly secured computing environment, and is taking it out on their applicants. F*&k Harvard. Go with a vendor who knows that a "go live date" doesn't mean you post your site a month in advance and hope nobody finds it.
The longer I live here, the more I respect MIT and the less I respect Harvard.
The ______ Agenda
I see no unethical action by students here. Who was injured by this action? So someone found out that they were not accepted or were accepted a few weeks early. Big deal! The school was not injured. Other applicants were not injured.(other spots are still available and unknown, unless this hack was really a list of all accepted individuals which according to officials was not the case) The applicants however are being injured, by the school. The company was embarassed, but rightly so. Actually they should be ashamed of doing their job poorly. It is their job to make sure "hacks" do not happen. But what do they care. As long as the 200 dollar application fees are paid by 5000 applicants, they are all set. I bet there were no screw ups in the billing aspect of the site. The school is acting unethically in this situation, not the applicants. There was no injury to the school, yet they injure applicants who for some reason wish to better themselves in the presence of Harvard. Why harvard? who knows?
Yeah, this is a total crock of shit. It was a publicly accessible URL -- no "hacking" involved, just pressing backspace. I can't believe the ill will being directed at these poor applicants.
I think it's much more like accidentally putting up a bulletin board with everyone's admit status (actually, people could only view their own data), or my acceptance/rejection envelope arriving a few days early. They're the ones who screwed up. Okay, I realize that these analogies aren't perfect. But they're much closer than most of the ridiculous comparisons and discussions and hate-mongering going on here. It's not like any admin accounts were compromised or people were altering their admit/deny status.
It's sad that Harvard crucifies its applicants instead of sacking up to the fact that they (or ApplyYourself) didn't manage their data properly.
-fren
"Where are we going, and why am I in this handbasket?"
(a) Harvard can't secure its systems properly, so it's partly their fault.
(b) No decisions were changed as a result of the access and no-one altered any data.
(c) Harvard has lost some bright students who passed their (presumably rigorous) selection process.
So is this a stupid decision, or what?
When I am king, you will be first against the wall.
You've got to be kidding me. How on earth is this some ethical conundrum? Information was available, unsecured, from the public Internet, to him, regarding his personal status. I could see ethics coming into the issue if the post detailed a method to view other applicants' data, but this was about him and didn't involve breaching any security. While I'm not familiar with the system (my college application, um, pre-dates this system by a bit), the delay in being notified that the data is posted could just as easily be ascribed to technical delays.
The broader issue that you seem to be missing is that faux-ethical dilemma feelgood moments like this distract from genuine ethics problems. It's a shame Harvard can't train its awesome ethical standards (like admitting C-average future presidents) on more challenging targets.
If you know someone in admissions and ask them if they've heard about your status, is that equally unethical? (And before you go all black-and-white again and provide some remarkably obvious platitude from a first-year philosophy course -- yes, the individual in admissions would most likely be bound ethically not to divulge this information. And if you attempted to induce them to divulge the information after learning that they were so bound, yes, that would be unethical.)
This just isn't as neatly wrapped a package as you're saying. If the primary basis for your conclusion is a breach of trust, then it follows that the substance of that trust must be clearly communicated and agreed upon in advance. HBS saying "we'll get ahold of you on XX/XX" does not meet that standard in my opinion. Neither does a click-through EULA. A simple, plainly written agreement is closer to the mark. I don't really know enough about this service and the terms established to make a judgment here, but taking a peek is not a de facto ethical violation.
That's just my opinion. I'm willing to accept the fact that you may disagree.