Harvard Business School: You Peek, You Lose
mosel-saar-ruwer writes "Seems Harvard Business School was using the ApplyYourself web service to process applications. Sometime in the last few days, an anonymous hacker, known as 'brookbond', was able to crack the system, and discovered that Harvard had already posted acceptance letters to the website fully a month before they were to be mailed to their recipients. He posted instructions on how applicants could view their letters at the BusinessWeek forums, and approximately 119 applicants followed his advice. Today, the dean of the Harvard Business School, one Kim Clark, announced that none of the 119 would be admitted: 'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'"
But weren't even applying to go to Harvard?
My little site.
And did any clever students log on and check their competitors' applications in the hope of getting them blacklisted and their own applications accepted?
"Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
This is the same school that teaches it is OK to fire workers who have worked at a company for 10-20 years so the execs can make 5% more on their stocks by moving factories overseas. They also fail to teach what the words 'long term outlook' mean to all these future CEOs.
HBS needs to face the fact that when you train people who have no morals that you will attract people with no morals.
Harvard (rightly so) decided to not admit any of the 119 even though some of them possibly were initially accepted.
I agree with you in principle. My problem with this decision is that it probably assumes that if an individual acceptance letter was looked up, that person was guilty. What if it was my sister that had applied and I happened to read about the hack? I may have decided to follow through with it to look her up without even mentioning it to her prior to doing so. I doubt this is the case for most, but I would bet something like this did happen to several of these people. I think it would be unfair to potentially punish innocent bystanders.
I've waited in pain for letters of acceptance/denial from school, and I know how these people felt. I understand these people's actions, and empathize with them. However, let's look at this from a moral/ethical standpoint: First, let's define Unethical as causing (potential) harm to others. This is fairly broad, and covers a large scope of actions. Now, let's look at their actions: They viewed their OWN status, and were informed, possibly, if they had been accepted or denied a month ahead of time. Now, where is the harm? They knew ahead of other people. Great, this means they can plan on going or not going to Harvard and plan accordingly, thus clearing up or closing out spaces on waiting lists for other business schools. This in turn helps other people on waiting lists, because they know their status on the waiting list sooner. Or they do nothing with the information and wait for it in the mail. I don't really see any harm or ethical violations. The people simply found out information ahead of time that harmed no one.
http://www.pterrys.com
I agree. And I think it's interesting to see how many Slashdotters, who normally rise to the defense of hackers, particularly when the hack is a really obvious hole that causes no harm to anyone, like this one, are sitting back and laughing at the people who got rejected because of this. Jesus, all the applicants did was change a URL, it's not like they used some root kit to break into Harvard's servers.
Shit, if I try to change the URL to see if I can view my pay statement one day early at work, should I be fired for that too?
Somebody hired by HBS screws up and makes information that should have been kept private accessible on a public web server.
Instead of firing the people who made the boo-boo, the powers that be at HBS decide to punish anyone they can find who looked at their own admission letter.
First of all, it is not at all clear to me that it is ethically wrong to look at your own admission letter when it is posted on a public web site where *many* other people can already see it. For example, if I had heard about something like this I would probably try it just to see if it was really true. I would trust that HBS was not so bone-headed as to allow such a thing to happen.
Second, even if it were established that it was ethically wrong or questionable to peek, that is one heck of a temptation to put in front of someone since so much of their future plans depend upon what is in that letter.
Finally, I don't see that any harm is done by someone just peeking at the letter. If they act upon that information then that is another matter, for example by starting apartment hunting a month early. But just looking doesn't hurt anyone. According to my own ethics, if I am not hurting someone then I am not doing something bad.
I hope some of those people who got rejected band together and sue the pants off of HBS.
We don't see the world as it is, we see it as we are.
-- Anais Nin
Furthermore, I would argue that an applicant couldn't really know that their acceptance status was considered confidential *from themselves* if the decision had already been made and posted to their account. The fact that the official notifications hadn't been sent out doesn't really reaffirm the confidentiality of the information.
Now, if somebody had used this technique to access somebody else's admissions status, I would say it is pretty clear cut that they committed an unethical act.
If a school posts admission decisions by social security number in some obscure location and a student tells other students that it's there and they go look up their status before official notifications, have they committed an ethical violation? The school didn't tell them the information was there, but it was available to them for the getting if somebody else told them where to look for it.
I can see that the school is upset, but it seems that their wrath is inappropriately directed. They should be pissed at the ApplyYourself folks and at their own admissions staff for botching things so badly.
IANAL, however, this seems like something that Harvard should get sued over. You read something on a bulletin board, telling you a URL and telling you to type in your user name and password, and see whether you were accepted, and because of that, you get rejected? No Fucking Way!
But, even though I think they should get sued, likely no one will, because all these applicants are likely top of the line, with admissions to other top B schools, and this lawsuit could mess up their careers....
eat shiat and bark at the moon
My take is this. URL altering is not hacking. This is akin to giving the online applicants each a key to their own room and then punishing them after someone told them that they could find their admissions letter in the closet and 119 of them decided to look.
Harvard and Applyweb messed up by not securing their site. They are embarrassed and have successfully put their PR departments out to spin the story and libel these applicants by accusing them of "hacking" which in today's media implies a criminal intrusion. IANAL but this intentional disparagement which Harvard knows is untrue, along with leaving their personal educational records out there, insecure, sounds like a lawsuit to me.
Harvard's decision to not accept or unaccept those 119 candidates has nothing to do with what they actually did. It has a lot to do with the view by admissions offices in every university that their admissions criteria and decision making process is secret and that we should submit everything we have ever done in our lives for them to examine and judge in any way they choose without even so much as an explanation of the admissions decision in exchange for our $65 non-refundable fee.
Harvard is unadmitting these students because they found out some information about themselves, in their own file, that they had perfectly legal access to, that Harvard wanted to keep secret and its service provider accidentally put out on the web.
As for ethics, not one University, especially the private ones, has a leg to stand on. They mail out advertisements to students urging them to apply and implying they are 'what the school is looking for' for no other reason than to increase the number of applicants and the included application fees. The private universities almost invariably reject the majority of transfer credits in order to charge exorbitant prices on repeated basic courses taught by unpaid/underpaid TAs. That is just the tip of the iceberg.
For every applicant who peeked, there are 100 others who would have peeked but just didn't know about it. I think that if Harvard wants to filter applicants for ethical consideration that is great, but it should be built into the application process so that all applicants are tested for ethics, not just the few who happen across a website.
from my understanding (based on other posts), the compromised information was served up via URL manipulation.
sorry, if I can crawl a site obeying robots.txt and using MY OWN ACCOUNT to get that info, it's not a crime.
Amazing for some reason, rather than tarnish Harvard's reputation (imagine if this were a banking institution!!!), they turn it around and crucify the applicants (not saying they don't deserve it, but still...)
Where exactly is the accountability? And why does Harvard get a free pass? If this were the University of Phoenix we'd all be laughing... I sense some degree of hypocrisy here...
Here's to finally giving Bush his exit strategy in November
Early in the morning on March 2nd, someone calling himself "brookbond" on the BusinessWeek MBA Forums saw the results of his HBS application using a modified version of the link he'd use to see his results at another school also using the Apply Yourself system.
He saw a "ding" letter, meaning that he saw a form letter with the standard "We're sorry, we can't admit you to the class of 2007. Blah blah blah. Best of luck in your future endeavors." He then posts the technique he used to view the letter to the BW forums. This information is visible for roughly six to eight hours. After the beginning of the business day on the East Coast, all hell breaks loose. People are discussing the posting on the BW forums, with people wondering if the link works or not. People report seeing one of two things:
NO ONE SAW AN ADMIT LETTER.
Period, point blank. Anyone who says they did is lying. At some time between 8:00AM and 9:00AM EST, the BW forum moderators realize what's being discussed, either because of the activity level on threads related to HBS, or because they were contacted by HBS directly. BW begins deleting every single thread related to HBS, regardless of whether or not it contains information about the "hack" or not.
At this point, a blogger named PowerYogi posts the technique to his blog. A rather humorous thread insinuating HBS is sending snipers after PowerYogi starts up, then peters out after a while.
Eventually, Apply Yourself wakes up and patches the system to show "Your Decision is not yet available" messages instead of the dings and blank screens. This occurs between 10:00AM and noon EST.
Nearly 20 hours after the "hack" is first posted, HBS sends this letter to applicants:
Unfortunately, things don't stop there. Eventually, BW gives up trying to delete all the HBS postings, and people begin discussing the item. An article appears in the Harvard Crimson detailing the incident on March 3rd, and the article is used as source material for articles by the Boston Globe and the Associated Press. The AP article makes the front page of MSNBC.
By March 4th, other schools using Apply Yourself realize that their decision information may also have been available. In an amazing display of leadership, the Tepper School at Carnegie Mellon announces that they will reject anyone who tried to access their decision information early. Elsewhere, it is learned that a grand total of TWO people attempted to learn their fate at Tepper early, making it easy for CMU to grandstand.
With a precedent set, schools begin to announce their decisions on the fate of the "hackers". According to
Blogging Weight Loss, Distance Education, and more at verlin.com
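
An added illustration, not part of any post above and not ApplyYourself's code: the kind of server-side check implied by the "Your Decision is not yet available" patch mentioned in the thread, where the decision page authorizes against the logged-in account and the stored release time rather than against whatever the URL asks for. All names, records and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

NOT_YET = "Your Decision is not yet available"

@dataclass(frozen=True)
class Application:
    owner: str                # account that submitted the application
    school: str
    letter: Optional[str]     # None until a decision has been entered
    release_at: datetime      # when this school publishes decisions

# Constructed sample records (hypothetical ids, schools and dates).
APPS = {
    "A100": Application("alice", "school-a", "We are sorry ...",
                        datetime(2005, 3, 30, tzinfo=timezone.utc)),
    "B200": Application("alice", "school-b", "Congratulations ...",
                        datetime(2005, 3, 1, tzinfo=timezone.utc)),
    "A300": Application("bob", "school-a", None,
                        datetime(2005, 3, 30, tzinfo=timezone.utc)),
}

def view_decision(session_user: str, app_id: str, now: datetime) -> Tuple[int, str]:
    """Handle a decision-page request; app_id is the only value taken from the URL."""
    app = APPS.get(app_id)
    # Unknown id and someone else's id get the same answer, so ids cannot be probed.
    if app is None or app.owner != session_user:
        return 404, "Not found"
    # Release state comes from the stored record for this application's own school,
    # never from a parameter or page path the client chose.
    if app.letter is None or now < app.release_at:
        return 200, NOT_YET
    return 200, app.letter

if __name__ == "__main__":
    march_2 = datetime(2005, 3, 2, 12, 0, tzinfo=timezone.utc)
    for user, app_id in [("alice", "B200"), ("alice", "A100"),
                         ("bob", "A300"), ("bob", "A100"), ("bob", "ZZZ")]:
        print(user, app_id, view_decision(user, app_id, march_2))
```

The same account gets a released letter for one school and the holding message for another, because the gate is evaluated per application record on the server.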