Slashdot Mirror


Harvard Business School: You Peek, You Lose

mosel-saar-ruwer writes "Seems Harvard Business School was using the ApplyYourself web service to process applications. Sometime in the last few days, an anonymous hacker, known as 'brookbond', was able to crack the system, and discovered that Harvard had already posted acceptance letters to the website fully a month before they were to be mailed to their recipients. He posted instructions on how applicants could view their letters at the BusinessWeek forums, and approximately 119 applicants followed his advice. Today, the dean of the Harvard Business School, one Kim Clark, announced that none of the 119 would be admitted: 'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'"

41 of 802 comments

  1. What about those who just went in and looked... by MrAnnoyanceToYou · · Score: 5, Interesting

    But weren't even applying to go to Harvard?

  2. Re:Disaster Averted, US Business Community Saved by DustyShadow · · Score: 2, Interesting

    Whoa calm down, all they did was find out if they got accepted or denied. It's not like they cheated their way in... I'm not condoning what they did as right but it seems a little harsh to compare this to crimes like stock market fraud.

  3. how did they verify it? by peter303 · · Score: 2, Interesting

    One concern was classmates or relatives checking out the applicant. That would be unfair to the applicant. However, the article in the Harvard Crimson seems to indicate that at some point you had to log in with a password. So only the applicant or spouse would have done it then.

    The webserver probably could have recorded an IP address with each access, and many of those can be geographically verified. However, this would still have the problem of someone other than the applicant checking.

  4. Not really a hack, definitely not a crack by Hyperion+X · · Score: 2, Interesting

    Before everybody accuses these "hackers" of unethical behaviour, you should look at what the "hack" was. As far as I can tell, you just had to log in, and then edit the URL. BusinessWeek is aggressively removing any posts with the process in it, but there are some references to the basic idea still.

    The information was there, the server gave them permission to see it, I don't see what is so unethical. Posting how to do that in a public forum could be considered unethical. But just following the instructions?

    --
    -- Colin Cross
  5. Re:Instructions? by geoffb91 · · Score: 3, Interesting

    The instructions were basically to log in to the system and then change the URL in a couple places to get it to cough up a screen they were not supposed to have access to. Not something they could do by accident. Not anonymous. No way to look at data for anyone else but themselves. Not exactly hacking but really stupid!

    --
    Praise "Bob"
  6. Re:Deserved by Surt · · Score: 5, Interesting

    And did any clever students log on and check their competitor's applications in the hope of getting them blacklisted and their own applications accepted?

    --
    "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
  7. Some will still get into Harvard. by Anonymous Coward · · Score: 2, Interesting

    If your family is rich, they can pull strings. You can do almost anything and still get accepted. However people like that don't really need to take a peek to see if they were accepted, they know without even having to open the envelope.

    Thanks to GW Bush, it's become common knowledge that Harvard Business will accept any mediocre student for the right price.

  8. Who gives a monkies about the 118... by NoMercy · · Score: 2, Interesting

    Why is a university holding back acceptance letters for a whole month after they've already finalised the list :/

  9. This is the same school that... by DAldredge · · Score: 4, Interesting

    This is the same school that teaches it is ok to fire workers who have worked at a company for 10-20 years so the execs can make 5% more on their stocks by moving factories overseas. They also fail to teach what the words 'long term outlook' mean to all these future CEOs.

    HBS needs to face the fact that when you train people who have no morals that you will attract people with no morals.

    1. Re:This is the same school that... by oopy_-_ · · Score: 2, Interesting

      I'll presume you haven't been here to HBS as a student. That's surely not what is taught here, nor is it the type of people you find on campus.

      You imply that employees' interests should trump shareholders' interests, a notion that would quickly destroy our economy. Employees' interests are important, and were you to meet the students here, you would have a very different view of HBS-trained executives.

    2. Re:This is the same school that... by DAldredge · · Score: 4, Interesting

      You mean like these HBS grads:

      Jeffrey Skilling, former CEO of Enron

      Robert S. McNamara, US Secretary of Defense, 1961 - 1968, 4th President of the World Bank 1968 - 1981

      H. John Heinz III, US Senator

      Donald J. Carty, former chairman and CEO of AMR, the parent company of American Airlines

      George W. Bush, 43rd President of the United States

      Donald W. Riegle, Jr.

      --00--00--

      Now that is a bunch of winners, most of whom ran the orgs they were responsible for into the ground. There has to be a balance between shareholder value and workers, but the line has been pushed way over to the executive side. Sometimes it seems like those in the F500 forget that those they fire so they can buy a 10,000 US shower curtain also can vote.

  10. Re:Deserved by puck01 · · Score: 5, Interesting

    Harvard (rightly so) decided to not admit any of the 119 even though some of them possibly were initially accepted.

    I agree with you in principle. My problem with this decision is that it probably assumes that if an individual acceptance letter was looked up, that person was guilty. What if it was my sister that had applied and I happened to read about the hack. I may have decided to follow through with it to look her up without even mentioning it to her prior to doing so. I doubt this is the case for most, but I would bet something like this did happen to several of these people. I think it would be unfair to potentially punish innocent bystanders.

  11. Would the Ivy League be so low . . . by Attackman · · Score: 2, Interesting

    as to have set these potential students up for this? Sort of an extra "admissions test?" With the rampant ethics violations recently, they may have found this to be a good idea. Weed the baddies out early, not with a tough 101 class, but with a slick ethics test.
    Yeah, I know it sounds like a goofy Oliver Stone conspiracy theory, but the Ivy League has been dirty before.
    Course, maybe Brown has their admissions department on the line with these cats as we speak (er, as I write and as you type).

    --
    Ignore the rantings above. Poster is an idiot.
  12. Re:Deserved by myheroBobHope · · Score: 4, Interesting

    I've waited in pain for letters of acceptance/denial from school, and I know how these people felt. I understand these people's actions, and empathize with them. However, let's look at this from a moral/ethical standpoint: First, let's define Unethical as causing (potential) harm to others. This is fairly broad, and covers a large scope of actions. Now, let's look at their actions: They viewed their OWN status, and were informed, possibly, if they had been accepted or denied a month ahead of time. Now, where is the harm? They knew ahead of other people. Great, this means they can plan on going or not going to Harvard and plan accordingly, thus clearing up or closing out spaces on waiting lists for other business schools. This in turn helps other people on waiting lists, because they know their status on the waiting list sooner. Or they do nothing with the information and wait for it in the mail. I don't really see any harm or ethical violations. The people simply found out information ahead of time that harmed no one.

    --
    http://www.pterrys.com
  13. Maybe it's just me... by Khakionion · · Score: 3, Interesting

    Allow me to take the (oddly not yet taken) anti-Harvard point-of-view. I may be speaking from naivety, though, so here we go.

    Does it not strike anyone as odd that they knew who was in at least a month before the letters were due to be sent? Is there some reason why they don't send an acceptance/rejection letter as soon as someone is accepted/rejected?

    Sure, I guess what the 119 students did was wrong, but is there nothing wrong about withholding this information?

    --
    OMG! Wau!
  14. Re:Curious by jgalun · · Score: 5, Interesting

    I agree. And I think it's interesting to see how many Slashdotters, who normally rise to the defense of hackers, particularly when the hack is a really obvious hole that causes no harm to anyone, like this one, are sitting back and laughing at the people who got rejected because of this. Jesus, all the applicants did was change a URL, it's not like they used some root kit to break into Harvard's servers.

    Shit, if I try to change the URL to see if I can view my pay statement one day early at work, should I be fired for that too?

  15. Pretty crappy website by Anonymous Coward · · Score: 1, Interesting

    I'm actually applying this year and had to use the ApplyYourself website. I spent an hour filling out the basic details (name, address, resume, etc) on one app only to come back later to find it blank. ApplyYourself requires a school # and an applicant # to log into each school. It turns out that I had typed in one school #, but used the applicant # for a different school (browser cache), and it STILL LET ME IN! I even tried the mismatched combination again, and it brought me back to the 'lost' app. If that's how strong their security is, you could just run random numbers and find everyone's apps....

  16. This is insane by DrJimbo · · Score: 5, Interesting

    Somebody hired by HBS screws up and makes information that should have been kept private accessible on a public web server.

    Instead of firing the people who made the boo-boo, the powers that be at HBS decide to punish anyone they can find who looked at their own admission letter.

    First of all, it is not at all clear to me that it is ethically wrong to look at your own admission letter when it is posted on a public web site where *many* other people can already see it. For example, if I had heard about something like this I would probably try it just to see if it was really true. I would trust that HBS was not so bone-headed as to allow such a thing to happen.

    Second, even if it were established that it was ethically wrong or questionable to peek, that is one heck of a temptation to put in front of someone since so much of their future plans depend upon what is in that letter.

    Finally, I don't see that any harm is done by someone just peeking at the letter. If they act upon that information then that is another matter, for example by starting apartment hunting a month early. But just looking doesn't hurt anyone. According to my own ethics, if I am not hurting someone then I am not doing something bad.

    I hope some of those people who got rejected band together and sue the pants off of HBS.

    --
    We don't see the world as it is, we see it as we are.
    -- Anais Nin
  17. Re:The articles miss the point by Fnkmaster · · Score: 4, Interesting

    Furthermore, I would argue that an applicant couldn't really know that their acceptance status was considered confidential *from themselves* if the decision had already been made and posted to their account. The fact that the official notifications hadn't been sent out doesn't really reaffirm the confidentiality of the information.

    Now, if somebody had used this technique to access somebody else's admissions status, I would say it is pretty clear cut that they committed an unethical act.

    If a school posts admission decisions by social security number in some obscure location and a student tells other students that it's there and they go look up their status before official notifications, have they committed an ethical violation? The school didn't tell them the information was there, but it was available to them for the getting if somebody else told them where to look for it.

    I can see that the school is upset, but it seems that their wrath is inappropriately directed. They should be pissed at the ApplyYourself folks and at their own admissions staff for botching things so badly.

  18. IANAL but If I were.... by srobert · · Score: 2, Interesting

    If I were AL, how can I get a list of these 119 students? I think they have a case against Harvard. Can Harvard prove that each accessed file was accessed by the student whose record appeared in it? Let's see how much of a retainer from each of 119 future wealthy executives....?

  19. This cries out for a lawsuit against Harvard! by Cryofan · · Score: 5, Interesting

    IANAL, however, this seems like something that Harvard should get sued over. You read something on a bulletin board, telling you a URL and telling you to type in your user name and password, and see whether you were accepted, and because of that, you get rejected? No Fucking Way!

    But, even though I think they should get sued, likely no one will, because all these applicants are likely top of the line, with admissions to other top B schools, and this lawsuit could mess up their careers....

    --
    eat shiat and bark at the moon
    1. Re:This cries out for a lawsuit against Harvard! by jfern · · Score: 2, Interesting

      Harvard didn't give two shits about ethics back when the future inside trader named George W. Bush graduated.

  20. Re:Deserved by Anonymous Coward · · Score: 1, Interesting

    generally you have to login with your own credentials and unless you know other students' information, you can't really log in and check theirs.

    Part of my current job is tracking down information on people that most would consider fairly confidential. It's one hell of a lot less difficult than most would think, or hope.

  21. Re:I see... by Dirtside · · Score: 2, Interesting

    I was under the impression that business school applicants already have bachelor's degrees, and sometimes other advanced degrees. I don't think any of the people involved were 18 years old. Harvard Business School's admission requirements page lists "Self-reported transcripts from all undergraduate and graduate academic institutions attended (full- or part-time)". The implication of this and other statements is that you're expected to have prior degrees or work experience, or both. I doubt anyone is going to HBS right out of high school.

    Just a clarification.

    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  22. A hacker's take by rawshark · · Score: 3, Interesting

    http://blogs.law.harvard.edu/philg/2005/03/08

  23. My take by Facekhan · · Score: 4, Interesting

    My take is this. URL altering is not hacking. This is akin to giving the online applicants each a key to their own room and then punishing them after someone told them that they could find their admissions letter in the closet and 119 of them decided to look.

    Harvard and Applyweb messed up by not securing their site. They are embarrassed and have successfully put their PR departments out to spin the story and libel these applicants by accusing them of "hacking" which in today's media implies a criminal intrusion. IANAL but this intentional disparagement which Harvard knows is untrue, along with leaving their personal educational records out there, insecure, sounds like a lawsuit to me.

    Harvard's decision to not accept or unaccept those 119 candidates has nothing to do with what they actually did. It has a lot to do with the view by admissions offices in every university that their admissions criteria and decision making process is secret and that we should submit every thing we have ever done in our lives for them to examine and judge in any way they choose without even so much as an explanation of the admissions decision in exchange for our $65 non-refundable fee.

    Harvard is unadmitting these students because they found out some information about themselves, in their own file, that they had perfectly legal access to, that Harvard wanted to keep secret and its service provider accidentally put out on the web.

    As for ethics, not one University, especially the private ones have a leg to stand on. They mail out advertisements to students urging them to apply and implying they are 'what the school is looking for.' for no other reason than to increase the number of applicants and the included application fees. The private universities almost invariably reject the majority of transfer credits in order to charge exorbitant prices on repeated basic courses taught by unpaid/underpaid TA's. That is just the tip of the iceberg.

  24. Did I miss a meeting or something? by crazymandias · · Score: 1, Interesting

    Since when did Business start having anything to do with Ethics? MBA = How to make money. End of Story.

    --
    Pop Culture Theme Quizzes posted onto my blog. Have fun.
  25. In addition by commodoresloat · · Score: 4, Interesting

    For every applicant who peeked, there are 100 others who would have peeked but just didn't know about it. I think that if Harvard wants to filter applicants for ethical consideration that is great, but it should be built into the application process so that all applicants are tested for ethics, not just the few who happen across a website.

  26. It's actually worse than that... by alispguru · · Score: 2, Interesting

    Essentially what Harvard did here was to apply a filter that discriminates against people with Internet technical skills. A pretty weak filter, granted, but you have to have a little something on the ball to find and paste together significant fields from multiple URLs.

    We have enough trouble with lack of Internet savvy in American business management as it is.

    --

    To a Lisp hacker, XML is S-expressions in drag.
  27. Way overboard; projection anyone by 3l1za · · Score: 2, Interesting

    I think HBS's response is way overboard.

    In fact, a few years back I applied for business school and one of the schools on my list was MIT's Sloan. As I recall, there was some 'hack' (hack lite) one could use to determine whether one had been admitted and it consisted of this: you would basically ping the mail server and figure out if a UID had been created for you. If it had, then you were in; if it hadn't, then either you weren't in or your UID hadn't been created yet.

    Near as I can tell this is exactly identical to what went on here; using some 'covert' mechanism to ascertain admission status.

    I consider myself ethical to a ridiculous fault but I am sure I too would have checked and not thought much about it before hand (as being unethical). If you leave your pants down, you shouldn't be too surprised when people take a gander at what's there.

  28. Re:Deserved by iminplaya · · Score: 3, Interesting

    Honeypot? Hope so. Maybe it was the final phase of admission. Very good way to check on the moral well being of your applicants. It might save us all trouble if we can keep these types out of the boardroom. Start by keeping them out of the classroom. We don't want them to contaminate the rest of the class. Please don't vote for any of them if they happen to run for political office. They sound like perfect candidates.

    --
    What?
  29. Re:Deserved by Anonymous Coward · · Score: 2, Interesting

    They're law school students. And Harvard at that. This not only automatically guarantees that 99% of their admissions are not only sincere assholes, but that the remaining 1% is not only an asshole, and he would likely sell his grandma out to a tribe of cannibals if it meant he got whatever he wanted.

    This is the place where far too many politicians come from... And by politicians I mean people whose only motivation is to obtain power, whatever the means. Scum of the Earth that never create anything, and never contribute to humanity, and all of that.

    They collectively deserve to be tied to a 1970 Buick and drug till there was nothing left.

  30. Between the lines. by Anonymous Coward · · Score: 1, Interesting

    You have to wonder if there is more to the story than is out in public so far. Like, how did 119 people happen to see the instructions? Do that many HBS applicants search the BusinessWeek forums? I bet those people used the same "elite school application consultant" and it was that person that tipped them off. Those pseudo-consultants are the snake oil salesmen of higher education. I guess that Harvard knows who the consultant was and is punishing him. I do not really feel sorry for the applicants. No doubt the consultant gives the applicants the idea that he has some kind of inside track. People who believe it don't deserve to get into Harvard.

  31. Re:Deserved by Porter+Doran · · Score: 2, Interesting

    Too much of academe seems to have a twisted, inbred sense of what is right and wrong. Without delving into the many perverse ethical ideas in obscurer philosophy &c. I'll note that this Harvard case is just one practical example. It reminds me of the time I was browsing some .edu site where a prof had posted a scan of an antique book's pages, or something, and I edited the URL from ".../images/ximage" to ".../images", looking for more. Up popped a page with "What you are doing is very naughty and is being logged" on it. Huh? This sort of thing is the product of minds too isolated and with too much time on their hands.

  32. Re:Ethics... by Dever · · Score: 2, Interesting

    i'm assuming it was something as simple as changing a URL for my example here, and i think it was probably something as trivial for so many to pull off.

    what you speak of, is breaking and entering. i wouldn't even consider it that.

    i think it's more like, "Hey everyone, our admissions coverpages that are posted in the admissions building hall on the corkboard, our acceptance/rejection letters are on the back!"

    if everyone walked over and flipped their coverpage over, i wouldn't say it's unethical.
    when something doesn't have pains taken to make it hard to do, and it's not obviously unethical (like breaking and entering) i assume that i can do B since i can already do A.

    mau mau

    --
    - I'd prefer not to.
  33. Re:Deserved by PopCulture · · Score: 5, Interesting

    from my understanding (based on other posts), the compromised information was served up via url manipulation.

    sorry, if I can crawl a site obeying robots.txt and using MY OWN ACCOUNT to get that info, it's not a crime.

    Amazing for some reason, rather than tarnish Harvard's reputation (imagine if this were a banking institution!!!), they turn it around and crucify the applicants (not saying they don't deserve it, but still...)

    Where exactly is the accountability? And why does Harvard get a free pass? If this were the University of Phoenix we'd all be laughing... I sense some degree of hypocrisy here...

    --

    Here's to finally giving Bush his exit strategy in November
  34. Since I'm one of the 119... by Fortunato_NC · · Score: 5, Interesting

    Since I'm one of the 119, I figure I'll let you guys know how it really went down.

    Early in the morning on March 2nd, someone calling himself "brookbond" on the BusinessWeek MBA Forums saw the results of his HBS application using a modified version of the link he'd use to see his results at another school also using the Apply Yourself system.

    He saw a "ding" letter, meaning that he saw a form letter with the standard "We're sorry, we can't admit you to the class of 2007. Blah blah blah. Best of luck in your future endeavors." He then posts the technique he used to view the letter to the BW forums. This information is visible for roughly six to eight hours. After the beginning of the business day on the East Coast, all hell breaks loose. People are discussing the posting on the BW forums, with people wondering if the link works or not. People report seeing one of two things:

    1. A ding letter, like the one brookbond saw. (Which is what I saw.)
    2. A blank screen.

    NO ONE SAW AN ADMIT LETTER.

    Period, point blank. Anyone who says they did, is lying. At some time between 8:00AM and 9:00AM EST, the BW forum moderators realize what's being discussed, either because of the activity level on threads related to HBS, or because they were contacted by HBS directly. BW begins deleting every single thread related to HBS, regardless of whether or not it contains information about the "hack" or not.

    At this point, a blogger named PowerYogi posts the technique to his blog. A rather humorous thread insinuating HBS is sending snipers after PowerYogi starts up, then peters out after a while.

    Eventually, Apply Yourself wakes up and patches the system to show "Your Decision is not yet available" messages instead of the dings and blank screens. This occurs between 10:00AM and noon EST.

    Nearly 20 hours after the "hack" is first posted, HBS sends this letter to applicants:

    We understand that some users of ApplyYourself, the on-line application and decision notification system we employ, have inappropriately attempted to access decision information about their own applications before the specified notification date. We take this abuse of the ApplyYourself system very seriously. Such behavior is unethical and inconsistent with the behavior we expect from high-potential leaders we seek to admit to our program. We want to assure all applicants, however, that:

    • HBS decision information housed within ApplyYourself is neither complete nor final until our application notification dates
    • The application information that all applicants and recommenders submitted to us has been, and continues to be, secure

    We appreciate your interest in Harvard Business School, and we want to underscore to all our applicants our commitment to make and communicate our admissions decisions in the most rigorous, fair, and secure fashion.

    Sincerely,
    Brit K. Dewey, Managing Director of MBA Admissions & Financial Aid
    Harvard Business School
    Soldiers Field Road
    Dillon House
    Boston, MA 02163

    Unfortunately, things don't stop there. Eventually, BW gives up trying to delete all the HBS postings, and people begin discussing the item. An article appears in the Harvard Crimson detailing the incident on March 3rd, and the article is used as source material for articles by the Boston Globe and the Associated Press. The AP article makes the front page of MSNBC.

    By March 4th, other schools using Apply Yourself realize that their decision information may also have been available. In an amazing display of leadership, the Tepper School at Carnegie Mellon announces that they will reject anyone who tried to access their decision information early. Elsewhere, it is learned that a grand total of TWO people attempted to learn their fate at Tepper early, making it easy for CMU to grandstand.

    With a precedent set, schools begin to announce their decisions on the fate of the "hackers". According to

    --
    Blogging Weight Loss, Distance Education, and more at verlin.com
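
The check that URL editing of this kind has to run into on the server, as an added example (not ApplyYourself's code and not part of any comment above): the decision page trusts only the school/applicant pair stored at login, refuses URL values that differ from it (the mismatch described in comment 15), and returns the same "not yet available" text until the decision is final and the release date has passed. `Session`, `Decision`, `decision_page`, the ids and the dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Wording of the post-patch response quoted in the thread.
NOT_YET = "Your Decision is not yet available"


@dataclass(frozen=True)
class Session:
    """Identity the server stored at login; never rebuilt from URL values."""
    school_id: int
    applicant_id: int


@dataclass(frozen=True)
class Decision:
    letter: str
    final: bool            # admissions office has signed off
    release_at: datetime   # official notification date


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample records keyed by (school_id, applicant_id).
DECISIONS = {
    (101, 7001): Decision("Letter for applicant 7001 at school 101", True, utc(2005, 3, 30)),
    (101, 7002): Decision("", False, utc(2005, 3, 30)),
    (202, 8001): Decision("Letter for applicant 8001 at school 202", True, utc(2005, 2, 15)),
}


def decision_page(session: Optional[Session], url_school_id: int,
                  url_applicant_id: int, now: datetime) -> Tuple[int, str]:
    """Return (HTTP status, body) for a request to the decision page."""
    if session is None:
        return 401, "Login required"

    # 1. Identifiers in the URL are untrusted input. A logged-in user who
    #    edits them must not reach a record the login did not cover.
    if (url_school_id, url_applicant_id) != (session.school_id, session.applicant_id):
        return 403, "Forbidden"

    # 2. Look the record up with the session's identity, not the URL's.
    record = DECISIONS.get((session.school_id, session.applicant_id))

    # 3. Release gate. One identical response for "no record", "not final"
    #    and "too early", so the response does not vary with stored state.
    if record is None or not record.final or now < record.release_at:
        return 200, NOT_YET

    return 200, record.letter


if __name__ == "__main__":
    early = utc(2005, 3, 2)
    me = Session(101, 7001)
    print(decision_page(me, 101, 7001, early))                    # gated
    print(decision_page(Session(202, 8001), 101, 7001, early))    # refused
    print(decision_page(me, 101, 7001, utc(2005, 3, 30)))         # released
```
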
  35. What kind of applicant does Harvard want? by HMBBruce · · Score: 2, Interesting

    Do they really want applicants who do not know how to use a browser? Modifying a URL isn't hacking, it's navigating. Just because Harvard didn't want people to look at their scores doesn't mean that it was unethical for people to look at their scores. Harvard should be ashamed for being so careless with its data. If it's out there with a URL, it's fair game.

  36. Sorta similar thing happened in Helsinki... by Glossaattori · · Score: 3, Interesting

    ... except that nobody found out.

    I was admitted to the University of Helsinki law school (see fancy up-to-date web site in Finnish or the really crappy obsolete site in English) in 2001. The entrance exam is highly competitive and people pay insane amounts of money to attend preparatory courses to increase their chances of being admitted. I, for one, spent three months holed up in my apartment, studying non-stop to make sure I would get in. A lot of people would do anything to find out in advance whether they have been admitted or not.

    The list of persons admitted to the law school was supposed to be posted on the web on July 20th, 2001 on the admissions 2001 home page (which was, at the time, part of a buggy frameset). If you were "clever" enough to strip the last part of the URL away (like I was), you ended up with a directory listing. This could be used to access the file that included the list of students admitted to the law school - two days before the results were made public, on July 18th, 2001. (The direct URL to the file was more or less un-guessable until the results were released.) Two days may not sound like much, but when you're talking about the display of insanity that is the Helsinki law school exam, it's a lot. More than a few people would undoubtedly have paid serious cash to know their results in advance.

    About one year later, the list was "removed" from the web for privacy reasons. However, they simply changed the file extension to ".old", and the list of students admitted to the law school in 2001 is still accessible through the directory listing URL!

    Of course, they never found out that the list could be accessed in advance. The lack of computer savviness among the law school faculty and staff never ceases to amaze me. At one point, they had a web page with the latest updates to the law school program for Fall 2004 - without doubt the most popular page on their web site. The file included about 20kB of text, but for some unfathomable reason, the HTML file was about 2,3MB! It's been fixed now, but the problem persisted for several months. (When I looked at the HTML, they had one million extra CR+LFs at the beginning of the file, adding over 2MB of 'bloat'.)

    Idiots.
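
An audit of a web document root for the three conditions the Helsinki comment describes, as an added example that is not code from the university or the poster: directories with no index page (which a server with auto-indexing enabled would list), renamed copies such as `.old` that are still served, and files published before any page links to them. The file names, suffix list and sample tree are constructed.

```python
import os
import re
import tempfile
from typing import List, Tuple

INDEX_NAMES = {"index.html", "index.htm"}
STALE_SUFFIXES = (".old", ".bak", ".orig", "~")   # assumed list; extend per site
LINK_RE = re.compile(r'(?:href|src)\s*=\s*["\']([^"\'#?]+)', re.IGNORECASE)


def audit_docroot(root: str) -> List[Tuple[str, str]]:
    """Return sorted (finding, path relative to root) pairs."""
    findings, files, linked = [], [], set()

    def rel(path: str) -> str:
        return os.path.relpath(path, root).replace(os.sep, "/")

    for dirpath, _dirs, names in os.walk(root):
        lowered = {n.lower() for n in names}
        # Without an index page the URL of the directory itself falls
        # through to the server's auto-index, if that is switched on.
        if not INDEX_NAMES & lowered:
            findings.append(("no-index", rel(dirpath)))
        for name in names:
            path = os.path.join(dirpath, name)
            files.append(path)
            if name.lower().endswith(STALE_SUFFIXES):
                # "Removed" by renaming, but still inside the served tree.
                findings.append(("stale-copy", rel(path)))
            if name.lower().endswith((".html", ".htm")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for target in LINK_RE.findall(fh.read()):
                        if "://" in target or target.startswith(("//", "mailto:")):
                            continue  # external link, not a local file
                        base = root if target.startswith("/") else dirpath
                        resolved = os.path.normpath(
                            os.path.join(base, target.lstrip("/")))
                        linked.add(rel(resolved))

    for path in files:
        name = os.path.basename(path).lower()
        if name in INDEX_NAMES or name.endswith(STALE_SUFFIXES):
            continue
        # Served but not linked from any page: protected only by the
        # URL being hard to guess.
        if rel(path) not in linked:
            findings.append(("unlinked", rel(path)))
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Constructed sample site: one linked page, one early upload, one .old."""
    adm = os.path.join(root, "admissions")
    os.makedirs(adm)
    pages = {
        os.path.join(root, "index.html"): '<a href="admissions/info.html">Info</a>',
        os.path.join(adm, "info.html"): "<p>Results will be posted here.</p>",
        os.path.join(adm, "admitted.html"): "<ul><li>constructed name</li></ul>",
        os.path.join(adm, "admitted2000.html.old"): "<ul><li>old list</li></ul>",
    }
    for path, body in pages.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, path in audit_docroot(tmp):
            print(f"{kind:10s} {path}")
```
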

  37. Bla by NanotechLobster · · Score: 2, Interesting

    Why doesn't Harvard just do what everyone else does and replace the link with an undesirable image?

  38. Re:Deserved by SilverspurG · · Score: 2, Interesting

    There are plenty of legal and ethical reasons to track down information that may be considered to be confidential. Maybe he does background checks for employment, or is in law enforcement, or a private investigator to name a few

    Let's put it this way: if someone I don't know engages in business (ie. for profit) to dig up confidential information about me without my knowledge, their industry is unethical. They should be put down like a rabid dog.

    I don't go digging around on others.

    Law enforcement and employment are, arguably, not running background checks for profit. Private investigators, however, sit right next to lawyers.

    --
    fast as fast can be. you'll never catch me.