Slashdot Mirror


Harvard Business School: You Peek, You Lose

mosel-saar-ruwer writes "Seems Harvard Business School was using the ApplyYourself web service to process applications. Sometime in the last few days, an anonymous hacker, known as 'brookbond', was able to crack the system, and discovered that Harvard had already posted acceptance letters to the website fully a month before they were to be mailed to their recipients. He posted instructions on how applicants could view their letters at the BusinessWeek forums, and approximately 119 applicants followed his advice. Today, the dean of the Harvard Business School, one Kim Clark, announced that none of the 119 would be admitted: 'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'"

19 of 802 comments

  1. What about those who just went in and looked... by MrAnnoyanceToYou · · Score: 5, Interesting

    But weren't even applying to go to Harvard?

  2. Re:Instructions? by geoffb91 · · Score: 3, Interesting

    The instructions were basically to log in to the system and then change the URL in a couple places to get it to cough up a screen they were not supposed to have access to. Not something they could do by accident. Not anonymous. No way to look at data for anyone else but themselves. Not exactly hacking but really stupid!

    --
    Praise "Bob"
  3. Re:Deserved by Surt · · Score: 5, Interesting

    And did any clever students log on and check their competitors' applications in the hope of getting them blacklisted and their own applications accepted?

    --
    "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
  4. This is the same school that... by DAldredge · · Score: 4, Interesting

    This is the same school that teaches it is OK to fire workers who have worked at a company for 10-20 years so the execs can make 5% more on their stocks by moving factories overseas. They also fail to teach what the words 'long term outlook' mean to all these future CEOs.

    HBS needs to face the fact that when you train people who have no morals that you will attract people with no morals.

    1. Re:This is the same school that... by DAldredge · · Score: 4, Interesting

      You mean like these HBS grads:

      Jeffrey Skilling, former CEO of Enron

      Robert S. McNamara, US Secretary of Defense, 1961 - 1968, 4th President of the World Bank 1968 - 1981

      H. John Heinz III, US Senator

      Donald J. Carty, former chairman and CEO of AMR, the parent company of American Airlines

      George W. Bush, 43rd President of the United States

      Donald W. Riegle, Jr.

      --00--00--

      Now that is a bunch of winners, most of whom ran the orgs they were responsible for into the ground. There has to be a balance between shareholder value and workers, but the line has been pushed way over to the executive side. Sometimes it seems like those in the F500 forget that those they fire so they can buy a 10,000 US shower curtain also can vote.

  5. Re:Deserved by puck01 · · Score: 5, Interesting

    Harvard (rightly so) decided to not admit any of the 119 even though some of them possibly were initially accepted.

    I agree with you in principle. My problem with this decision is that it probably assumes that if an individual acceptance letter was looked up, that person was guilty. What if it was my sister that had applied and I happened to read about the hack? I may have decided to follow through with it to look her up without even mentioning it to her prior to doing so. I doubt this is the case for most, but I would bet something like this did happen to several of these people. I think it would be unfair to potentially punish innocent bystanders.

  6. Re:Deserved by myheroBobHope · · Score: 4, Interesting

    I've waited in pain for letters of acceptance/denial from school, and I know how these people felt. I understand these people's actions, and empathize with them. However, let's look at this from a moral/ethical standpoint: First, let's define Unethical as causing (potential) harm to others. This is fairly broad, and covers a large scope of actions. Now, let's look at their actions: They viewed their OWN status, and were informed, possibly, if they had been accepted or denied a month ahead of time. Now, where is the harm? They knew ahead of other people. Great, this means they can plan on going or not going to Harvard and plan accordingly, thus clearing up or closing out spaces on waiting lists for other business schools. This in turn helps other people on waiting lists, because they know their status on the waiting list sooner. Or they do nothing with the information and wait for it in the mail. I don't really see any harm or ethical violations. The people simply found out information ahead of time that harmed no one.

    --
    http://www.pterrys.com
  7. Maybe it's just me... by Khakionion · · Score: 3, Interesting

    Allow me to take the (oddly not yet taken) anti-Harvard point-of-view. I may be speaking from naivety, though, so here we go.

    Does it not strike anyone as odd that they knew who was in at least a month before the letters were due to be sent? Is there some reason why they don't send an acceptance/rejection letter as soon as someone is accepted/rejected?

    Sure, I guess what the 119 students did was wrong, but is there nothing wrong about withholding this information?

    --
    OMG! Wau!
  8. Re:Curious by jgalun · · Score: 5, Interesting

    I agree. And I think it's interesting to see how many Slashdotters, who normally rise to the defense of hackers, particularly when the hack is a really obvious hole that causes no harm to anyone, like this one, are sitting back and laughing at the people who got rejected because of this. Jesus, all the applicants did was change a URL, it's not like they used some root kit to break into Harvard's servers.

    Shit, if I try to change the URL to see if I can view my pay statement one day early at work, should I be fired for that too?

  9. This is insane by DrJimbo · · Score: 5, Interesting

    Somebody hired by HBS screws up and makes information that should have been kept private accessible on a public web server.

    Instead of firing the people who made the boo-boo, the powers that be at HBS decide to punish anyone they can find who looked at their own admission letter.

    First of all, it is not at all clear to me that it is ethically wrong to look at your own admission letter when it is posted on a public web site where *many* other people can already see it. For example, if I had heard about something like this I would probably try it just to see if it was really true. I would trust that HBS was not so bone-headed as to allow such a thing to happen.

    Second, even if it were established that it was ethically wrong or questionable to peek, that is one heck of a temptation to put in front of someone since so much of their future plans depend upon what is in that letter.

    Finally, I don't see that any harm is done by someone just peeking at the letter. If they act upon that information then that is another matter, for example by starting apartment hunting a month early. But just looking doesn't hurt anyone. According to my own ethics, if I am not hurting someone then I am not doing something bad.

    I hope some of those people who got rejected band together and sue the pants off of HBS.

    --
    We don't see the world as it is, we see it as we are.
    -- Anais Nin
  10. Re:The articles miss the point by Fnkmaster · · Score: 4, Interesting

    Furthermore, I would argue that an applicant couldn't really know that their acceptance status was considered confidential *from themselves* if the decision had already been made and posted to their account. The fact that the official notifications hadn't been sent out doesn't really reaffirm the confidentiality of the information.

    Now, if somebody had used this technique to access somebody else's admissions status, I would say it is pretty clear cut that they committed an unethical act.

    If a school posts admission decisions by social security number in some obscure location and a student tells other students that it's there and they go look up their status before official notifications, have they committed an ethical violation? The school didn't tell them the information was there, but it was available to them for the getting if somebody else told them where to look for it.

    I can see that the school is upset, but it seems that their wrath is inappropriately directed. They should be pissed at the ApplyYourself folks and at their own admissions staff for botching things so badly.

  11. This cries out for a lawsuit against Harvard! by Cryofan · · Score: 5, Interesting

    IANAL, however, this seems like something that Harvard should get sued over. You read something on a bulletin board, telling you a URL and telling you to type in your user name and password, and see whether you were accepted, and because of that, you get rejected? No Fucking Way!

    But, even though I think they should get sued, likely no one will, because all these applicants are likely top of the line, with admissions to other top B schools, and this lawsuit could mess up their careers....

    --
    eat shiat and bark at the moon
  12. A hacker's take by rawshark · · Score: 3, Interesting

    http://blogs.law.harvard.edu/philg/2005/03/08

  13. My take by Facekhan · · Score: 4, Interesting

    My take is this. URL altering is not hacking. This is akin to giving the online applicants each a key to their own room and then punishing them after someone told them that they could find their admissions letter in the closet and 119 of them decided to look.

    Harvard and Applyweb messed up by not securing their site. They are embarrassed and have successfully put their PR departments out to spin the story and libel these applicants by accusing them of "hacking" which in today's media implies a criminal intrusion. IANAL but this intentional disparagement which Harvard knows is untrue, along with leaving their personal educational records out there, insecure, sounds like a lawsuit to me.

    Harvard's decision to not accept or unaccept those 119 candidates has nothing to do with what they actually did. It has a lot to do with the view by admissions offices in every university that their admissions criteria and decision making process is secret and that we should submit every thing we have ever done in our lives for them to examine and judge in any way they choose without even so much as an explanation of the admissions decision in exchange for our $65 non-refundable fee.

    Harvard is unadmitting these students because they found out some information about themselves, in their own file, that they had perfectly legal access to, that Harvard wanted to keep secret and its service provider accidentally put out on the web.

    As for ethics, not one University, especially the private ones, has a leg to stand on. They mail out advertisements to students urging them to apply and implying they are 'what the school is looking for.' for no other reason than to increase the number of applicants and the included application fees. The private universities almost invariably reject the majority of transfer credits in order to charge exorbitant prices on repeated basic courses taught by unpaid/underpaid TA's. That is just the tip of the iceberg.

  14. In addition by commodoresloat · · Score: 4, Interesting

    For every applicant who peeked, there are 100 others who would have peeked but just didn't know about it. I think that if Harvard wants to filter applicants for ethical consideration that is great, but it should be built into the application process so that all applicants are tested for ethics, not just the few who happen across a website.

  15. Re:Deserved by iminplaya · · Score: 3, Interesting

    Honeypot? Hope so. Maybe it was the final phase of admission. Very good way to check on the moral well being of your applicants. It might save us all trouble if we can keep these types out of the boardroom. Start by keeping them out of the classroom. We don't want them to contaminate the rest of the class. Please don't vote for any of them if they happen to run for political office. They sound like perfect candidates.

    --
    What?
  16. Re:Deserved by PopCulture · · Score: 5, Interesting

    from my understanding (based on other posts), the compromised information was served up via url manipulation.

    sorry, if I can crawl a site obeying robots.txt and using MY OWN ACCOUNT to get that info, it's not a crime.

    Amazing for some reason, rather than tarnish Harvard's reputation (imagine if this were a banking institution!!!), they turn it around and crucify the applicants (not saying they don't deserve it, but still...)

    Where exactly is the accountability? And why does Harvard get a free pass? If this were the University of Phoenix we'd all be laughing... I sense some degree of hypocrisy here...

    --

    Here's to finally giving Bush his exit strategy in November
  17. Since I'm one of the 119... by Fortunato_NC · · Score: 5, Interesting

    Since I'm one of the 119, I figure I'll let you guys know how it really went down.

    Early in the morning on March 2nd, someone calling himself "brookbond" on the BusinessWeek MBA Forums saw the results of his HBS application using a modified version of the link he'd use to see his results at another school also using the Apply Yourself system.

    He saw a "ding" letter, meaning that he saw a form letter with the standard "We're sorry, we can't admit you to the class of 2007. Blah blah blah. Best of luck in your future endeavors." He then posts the technique he used to view the letter to the BW forums. This information is visible for roughly six to eight hours. After the beginning of the business day on the East Coast, all hell breaks loose. People are discussing the posting on the BW forums, with people wondering if the link works or not. People report seeing one of two things:

    1. A ding letter, like the one brookbond saw. (Which is what I saw.)
    2. A blank screen.

    NO ONE SAW AN ADMIT LETTER.

    Period, point blank. Anyone who says they did, is lying. At some time between 8:00AM and 9:00AM EST, the BW forum moderators realize what's being discussed, either because of the activity level on threads related to HBS, or because they were contacted by HBS directly. BW begins deleting every single thread related to HBS, regardless of whether or not it contains information about the "hack" or not.

    At this point, a blogger named PowerYogi posts the technique to his blog. A rather humorous thread insinuating HBS is sending snipers after PowerYogi starts up, then peters out after a while.

    Eventually, Apply Yourself wakes up and patches the system to show "Your Decision is not yet available" messages instead of the dings and blank screens. This occurs between 10:00AM and noon EST.

    Nearly 20 hours after the "hack" is first posted, HBS sends this letter to applicants:

    We understand that some users of ApplyYourself, the on-line application and decision notification system we employ, have inappropriately attempted to access decision information about their own applications before the specified notification date. We take this abuse of the ApplyYourself system very seriously. Such behavior is unethical and inconsistent with the behavior we expect from high-potential leaders we seek to admit to our program. We want to assure all applicants, however, that:

    • HBS decision information housed within ApplyYourself is neither complete nor final until our application notification dates
    • The application information that all applicants and recommenders submitted to us has been, and continues to be, secure

    We appreciate your interest in Harvard Business School, and we want to underscore to all our applicants our commitment to make and communicate our admissions decisions in the most rigorous, fair, and secure fashion.

    Sincerely,
    Brit K. Dewey, Managing Director of MBA Admissions & Financial Aid
    Harvard Business School
    Soldiers Field Road
    Dillon House
    Boston, MA 02163

    Unfortunately, things don't stop there. Eventually, BW gives up trying to delete all the HBS postings, and people begin discussing the item. An article appears in the Harvard Crimson detailing the incident on March 3rd, and the article is used as source material for articles by the Boston Globe and the Associated Press. The AP article makes the front page of MSNBC.

    By March 4th, other schools using Apply Yourself realize that their decision information may also have been available. In an amazing display of leadership, the Tepper School at Carnegie Mellon announces that they will reject anyone who tried to access their decision information early. Elsewhere, it is learned that a grand total of TWO people attempted to learn their fate at Tepper early, making it easy for CMU to grandstand.

    With a precedent set, schools begin to announce their decisions on the fate of the "hackers". According to

    --
    Blogging Weight Loss, Distance Education, and more at verlin.com
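
Added example, not part of the thread and not ApplyYourself's code: the comments above describe logged-in applicants reaching an unreleased decision screen by editing the URL, and a later fix that answers "Your Decision is not yet available". One way to enforce that gate on the server in Python, with hypothetical names (`Decision`, `view_decision`, `STORE`) and constructed sample records:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Message quoted in the comment above; returned for every pre-release request.
NOT_YET = "Your Decision is not yet available"


@dataclass(frozen=True)
class Decision:
    applicant_id: str
    letter: Optional[str]   # None while no decision has been recorded
    release_at: datetime    # official notification time, UTC


# Constructed sample data; ids, text and dates are illustrative only.
RELEASE = datetime(2030, 1, 15, tzinfo=timezone.utc)
STORE = {
    "app-1001": Decision("app-1001", "We're sorry, we can't admit you.", RELEASE),
    "app-1002": Decision("app-1002", None, RELEASE),
}


def view_decision(session_applicant_id, requested_id, now, store=STORE):
    """Return (status, body) for a decision-page request.

    The id in the URL (requested_id) is untrusted input. Access is decided
    from the authenticated session and the record's release time, never
    from whether the client happened to know or guess the URL.
    """
    if session_applicant_id is None:
        return 401, "Login required"

    # Ownership check: an applicant may only request their own record.
    if requested_id != session_applicant_id:
        return 403, "Forbidden"

    record = store.get(requested_id)

    # Release gate: before release_at the response is identical whether a
    # letter exists, is still empty, or the record is missing. A letter for
    # some applicants and a blank screen for others would itself leak state.
    if record is None or record.letter is None or now < record.release_at:
        return 200, NOT_YET

    return 200, record.letter
```

The release check lives in the handler that serves the letter, so hiding or showing the link in the page has no effect on what the server returns.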
  18. Sorta similar thing happened in Helsinki... by Glossaattori · · Score: 3, Interesting

    ... except that nobody found out.

    I was admitted to the University of Helsinki law school (see fancy up-to-date web site in Finnish or the really crappy obsolete site in English) in 2001. The entrance exam is highly competitive and people pay insane amounts of money to attend preparatory courses to increase their chances of being admitted. I, for one, spent three months holed up in my apartment, studying non-stop to make sure I would get in. A lot of people would do anything to find out in advance whether they have been admitted or not.

    The list of persons admitted to the law school was supposed to be posted on the web on July 20th, 2001 on the admissions 2001 home page (which was, at the time, part of a buggy frameset). If you were "clever" enough to strip the last part of the URL away (like I was), you ended up with a directory listing. This could be used to access the file that included the list of students admitted to the law school - two days before the results were made public, on July 18th, 2001. (The direct URL to the file was more or less un-guessable until the results were released.) Two days may not sound like much, but when you're talking about the display of insanity that is the Helsinki law school exam, it's a lot. More than a few people would undoubtedly have paid serious cash to know their results in advance.

    About one year later, the list was "removed" from the web for privacy reasons. However, they simply changed the file extension to ".old", and the list of students admitted to the law school in 2001 is still accessible through the directory listing URL!

    Of course, they never found out that the list could be accessed in advance. The lack of computer savviness among the law school faculty and staff never ceases to amaze me. At one point, they had a web page with the latest updates to the law school program for Fall 2004 - without doubt the most popular page on their web site. The file included about 20kB of text, but for some unfathomable reason, the HTML file was about 2,3MB! It's been fixed now, but the problem persisted for several months. (When I looked at the HTML, they had one million extra CR+LFs at the beginning of the file, adding over 2MB of 'bloat'.)

    Idiots.