Slashdot Mirror
Harvard Business School: You Peek, You Lose
mosel-saar-ruwer writes "Seems Harvard Business school was using the ApplyYourself web service to process applications. Sometime in the last few days, an anonymous hacker, known as 'brookbond', was able to crack the system, and discovered that Harvard had already posted acceptance letters to the website fully a month before they were to be mailed to their recipients. He posted instructions on how applicants could view their letters at the BusinessWeek forums, and approximately 119 applicants followed his advice. Today, the dean of the Harvard Business School, one Kim Clark, announced that none of the 119 would be admitted: 'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'"
Wow. So even though only one person actually did the hard work of figuring out how to hack into the site, 119 other individuals figured they too should follow the directions to hack in and learn the results. Harvard (rightly so) decided to not admit any of the 119 even though some of them possibly were initially accepted. Is this a response to some of the unethical and deceptive practices that have been rampant in the business world (i.e. Worldcom, Enron, pick your fav.) of late? Perhaps, but this is especially important in that much of business school (especially in ivy league schools) is about establishing relationships and connections. Do we want a bunch of ethically challenged folks getting to know one another in Harvard business school? I think not. In light of many of the current scandals in the business world, I would like to believe that schools do pay attention to these issues and perform some filtering at the front end rather than filtering or correcting during the educational process. After all, there are some things that cannot be taught. By the time one applies to business school, patterns of behavior are fairly well entrenched and behavioral correction of things we were supposed to learn in kindergarten is not the business schools responsibility.
It would be interesting to find out what their stories are. Why did they do it and what were they possibly thinking? Do they believe they should be blacklisted?
It should also be noted that Harvard was not the only school affected by this hack. Other business schools (MIT, Stanford, Carnegie Mellon and Duke) were also compromised and I would encourage those schools to adopt the same actions as Harvard in this case.
Visit Jonesblog and say hello.
ApplyYourself web service isn't actually a web service (not SOAP, not REST). An *anonymous* hacker *known* as "brookbond." Their letters weren't *at* BusinessWeek Forums. Unethical behavior discouraged by a business school (pot meet kettle).
...Ahem...fp
See any serious problems with this story?
A programmer is a machine for converting coffee into code.
God knows that this sort of unethical behavior and borderline illegal practice is totally out of place in our business community. Obviously, these punks are only getting what they deserve.
Aside from that, hopefully those involved will learn a valuable life lesson from this: If you can't play by the rules, you'd better be able to run fast and catch, throw or hit a ball really well.
PS: I wonder if any prospective students were smart enough to just look at the admission status of the *other* students... Now that would be showing the sort of sense you'd need to get to the top of corporate America.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
So if I got instructions on how to read another persons acceptance letter, I could get them refused entry into Harvard?
Right on, I've always wanted to stick it to one of those yuppy bastards.
Feed the need: Digitaladdiction.net
and now I will get into Harvard Business School myself!
* evil laugh *
oh wait, business school. shit.
It's take charge, independent thinkers that the school needs in it's student body. they better not revoke my admission or i'll send a teenage grrl enforcer over to smack 'em upside their heads!
A feeling of having made the same mistake before: Deja Foobar
But weren't even applying to go to Harvard?
My little site.
Test Prep Classes: $10,000
Donations to School by Parents: $5,000
Blowing your future because you can't wait a month: Priceless.
There are some levels of satisfaction that money can't buy, like watching 100+ snot-nosed future pointy hairs take it up the pooper from Harvard.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
Does anyone know how complicated the instructions were? Is there any way the people could have thought they were just accessing the site, putting in a URL with their name or whatever at the end of it, and not 'hacking' it to get information they were not allowed to have?
How they want to prove that the person that looked at the "papers" was the "accepted one"... (if they didn't posted it all over blogs ;-))
I'm not sure that the remaining acceptees are really so holy and ethical. If all of the applicants had noticed this, maybe everyone would have peaked. The 119 caught were probably the only 119 out of the applicant pool who actually caught the story...curiousity got the better of them, and I'm sure that it probably would've the rest of the acceptees if they had only known...
That'd be interesting, too...if there suddenly was only a few people in the class of '09...but they'd probably fill the spots up with waitlisters...
The real culprit is the cracker who found the way in.
I think Harvard's reaction against the 119 who followed the indicated route is pitifully excessive.
But the 119 now have an early lesson in how certain business managers cynically deflect blame in order to save face.
It appears to be beyond Harvard's ability to track down the cracker, so they hit out at whoever is within reach.
-wb-
Come on, they were just curious. This is too much. And Harvard should have been more careful.
One concern was classmates or relatives of the checking out the applicant. That would be unfair to the applicant. However, the article in Harvard Crimson seem to indicate that at some point you had login with a password. So only the applicant or spouse would have done it then.
The webserver probably could have recorded an IP address with each access, and many of those can be geographically verified. However, this would still have the problem of some one else than the applicant checking.
Before everybody accuses these "hackers" of unethical behaviour, you should look at what the "hack" was. As far as I can tell, you just had to log in, and then edit the URL. BusinessWeek is agressively removing any posts with the process in it, but there are some references to the basic idea still.
The information was there, the server gave them permission to see it, I don't see what is so unethical. Posting how to do that in a public forum could be considered unethical. But just following the instructions?
-- Colin Cross
Hardly...they'll be accepted at Columbia, or UPenn or any of the top tier bussiness schools, and all will be well...
If ethics was so important, how come it wasn't tested for in the actual application process?
''Once we learned about it, within literally 2½ hours, we had made appropriate adjustments to the system. . . . We still remain confident that it's a secure system."
Gotta love that ass-covering quote, too, from ApplyYourself. A secure system? Well, maybe marginally more secure, but how?
We moved the files from HBS to the NotReallyTheHBS directory, noone will ever figure that out!
A feeling of having made the same mistake before: Deja Foobar
Stanford Business School said it had 42 illegal accesses. However, Stanford's initial position is to ask the applicants who accessed to identify themselves. I wonder if they are making forgiveness for honesty, because like Harvard, they know exactly where the accesses occurred.
'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'"
What I'm sure was meant was that the so-called breach of trust was indefensible, but the first time I read this, it sounded to me like what they were saying was, "We don't know how to defend our reasoning for calling this a breach of trust."
Really odd. Harvard uses an insecure method of posting ahead of time news of who gets in and who doesn't. Anybody in the world can go view those documents, and they don't get in trouble. Meanwhile, the actual applicants go and view them, and they're locked out of Harvard. And it's not even like they can go fake letters of acceptance or anything through the process.
Looks like Harvard's adapting "Security by Legislation", that growing corporate policy of punishing whoever they can because they've been made out to look like idiots, through nobody else's fault but their own.
What prevents me from going in there and viewing a handful of people's applicants? Will they get kicked out? I wonder how many of those 119 weren't the real person -- or do they require some sort of user-auth?
...to spite their face. Harvard just regected 119 of the most qualified bussiness school bound students in the country. They will go to other, arguably equal, bussiness schools, while Harvard will take on 119 lesser qualified applicants to fill its vacancies. What schmucks...
Begorrah ! The ones who knew enough to find the "swag" on a relevant website are the ones who should be first in the queue to be admiited. After all they're the ones with the acumen.
:)
Ho hum... Just goes to show that if you play by the rules you'll get by by the rules (and if you play them well enough you'll "shine") But you'll never discover anything truly new
Mind you having said that... if you do discover something truly new, once you try to tell somebody, the rest of society will think you're mad and burn you at the stake. "This heretic says the Earth revolves around the sun... burn the witch..."
Sky subscribers are morons. They pay to be advertised at !
Would he have said "your fired" or "your hired" for this display of ingenuity?
Prospect business students rebuked for unethical behaviour? It simply defies human logic. They're studying how to be business men, are they not?
HAD
If your family is rich, they can pull strings. You can do almost anything and still get accepted. However people like that dont really need to take a peek to see if they were accepted, they know without even having to open the envelope.
Thanks to GW Bush, its become common knowledge that Harvard Business will accept any mediocre student for the right price.
Why is a university holding back acceptance letters for a whole month after theve already finalised the list :/
This is the same school that teaches it is ok to fire workers who have worked at a company for 10-20 years so the execs can make 5% more on their stocks by moving factories overseas. They also fail to teach what the words 'long term outlook' means to all these future ceo's.
HBS need to face the fact that when you train people who have no morals that you will attract people with no morals.
as to have set these potential students up for this? Sort of an extra "admissions test?" With the rampant ethics violations recently, they may have found this to be a good idea. Weed the baddies out early, not with a tough 101 class, but with a slick ethics test.
Yeah, I know it sounds like a goofy Oliver Stone conspiracy theory, but the Ivy League has been dirty before.
Course, maybe Brown has their admissions department on the line with these cats as we speak (er, as I write and as you type).
Ignore the rantings above. Poster is an idiot.
Seems like the school bears some responsibility for outsourcing the acceptance letters to an easy-to-hack site. The cynic in me tells me that half the reason they are coming down so hard on the students is to divert attention from their own security failure.
Someone hacked into our server and posted the details of how to replicate it to the rest of the world. We're now embarassed, who can we lash out against?
Ah! the people who we can actually hurt without going to court or having to get law enforcement involved, the 119 18 years olds who were on tenterhooks to know if they'd been accepted and really couldn't contain themselves to wait another entire month when we'd already made the decisions.
Infact, if I understand from my rather hazy sources US law enforcement won't get involved unless the crime has cost $5000 (I could be way off here though, I didn't get this from an authoratitize site), so, since they're out the only other option to lash out and save face would be to sure, which is expensiv when you can just ruin 119 kids futures. Of course, doubtless it will end them up in court...
The ethics point isn't particularly strong, these are 18 year olds who want to know if their chosen college has accepted them and they find out that the decisions have been made and the letters written a month before they'll get them otherwise. The fact that they followed some instructions posted online to find some 'hidden' files reflects little on their ethics in the future - I spent hours in school trying to get into every nook & cranny of the systems (which the admin had tried to lock down) using as many non-invasive/agressive methods as I could find. Does that make me unethical? no. I did it entirely as an academic exercise to see how well locked down the systems were, would it have been unethical to find out information about me that the school held but didn't want to tell me? no, not in my opinion.
This seems to be the university lashing out against someone to save face. That 'someone' being the people who have least blood on their hands (out of the people actually involved) and who the university feels that it can get away with stomping on the easiest.
FGD 135
Actually this is part of the entry class of low level physics titled: you can't observe stuff without affecting it.
By looking inside the box, they changed the content!
And with regard to exclusion, they could have at least given them a second chance, maybe with some punishment (like a work camp or something, and select only the 30 first). I thought that this was the land of the second chance.
School is about education. What did they learn? That they got screwed up after doing something that affected noone else?
Am I the only one to think like that?
Sneak teach kids Algebra using a game
As a current Harvard MBA student and long-time /. reader, it's worth pointing out that these applicants didn't "hack" anything. They got instructions (now deleted from the BW forums) that if you took your login hash, appended it to a URL at the ApplyYourself, you could see the decision letter on your file, if it had already been posted. My guess is that someone asked a first round applicant (who had already heard) for the URL to the decision and tried it as an in-process second round applicant.
This isn't hacking. Nobody logged in as the Admissions Director or socially engineered their way into info by calling admissions and pretending to be a staffer out on the road. The only people at fault here are the coders at ApplyYourself (the 3rd party application site). Having used it last year, I can tell you that it is technically inferior to most products that other schools build themselves.
There's already some ideas above that with the Enron and Worldcom scandals, business schools need to have ethics at the highest standards, but this misses the point. The 119 people that just got rejected weren't the 119 least ethical applicants. They were the 119 of the (probably) 130 applicants who saw the instructions before they were deleted. The top tier b-school application process is very stressful and the idea of seeing your results early is hardly scandalous.
Furthermore, our new post-scandal "Leadership and Corporate Accountability" course spends a great deal of time discussing the ethical trade-offs inherent in business, such as weighing employee concerns vs. shareholder concerns vs. customer concerns. These decisions are rarely black and white and we spend a lot of time discussing relative merits of each stakeholder. The notion that we would portray ourselves as knowing an absolute ethical standard goes against much of what we teach and learn here.
Despite the small number of true criminals to have walked these halls, Harvard Business School is a great institution and most /.'ers would be surprised to meet all the ethical people here that will be future leaders (if past performance is predictive of future performance).
Allow me to take the (oddly not yet taken) anti-Harvard point-of-view. I may be speaking from naivety, though, so here we go.
Does it not strike anyone as odd that they knew who was in at least a month before the letters were due to be sent? Is there some reason why they don't send an acceptance/rejection letter as soon as someone is accepted/rejected?
Sure, I guess what the 119 students did was wrong, but is there nothing wrong about withholding this information?
OMG! Wau!
Deciding who is at fault and who deserves what is a favorite online pastime, but we don't even know what it took to "hack" into the site to view the letters. Did the applicants do anything that would actually be illegal if they did it in the business world (where "ethical" seems to be synonymous with "legal" )? Or did they merely do something unexpected and embarassing?
If the business school is run by the same types who seem to run every other part of the school system, their automatic, totally predictable reaction would be to slam down hard on somebody and focus attention away from any possible mistake or oversight they themselves may have made. I'm not saying that's what happened here either, but we really don't know who the bad guys are.
If you don't want your information to be hacked, don't put in on an internet connected machine. It's as simple as that. We think we have a decade of web and internet wisdom to guide us but the fact is that all of this technology is still in its infancy. Was the hack ethical? No, but ethics aside, only an idiot would subject their important and confidential information to exposure on the web and then complain when it was hacked. Sorry, flamebait me if you must but the reports of vulnerabilities come fast and furious, regardless of platform, and nobody seems to care.
Don't want your data exposed? Don't put in on the web.
Somebody hired by HBS screws up and makes information that should have been kept private accessible on a public web server.
Instead of firing the people who made the boo-boo, the powers that be at HBS decide to punish anyone they can find who looked at their own admission letter.
First of all, it is not at all clear to me that it is ethically wrong to look at your own admission letter when it is posted on a public web site where *many* other people can already see it. For example, if I had heard about something like this I would probably try it just to see if it was really true. I would trust that HBS was not so bone-headed as to allow such a thing to happen.
Second, even if it were established that it was ethically wrong or questionable to peek, that is one heck of a temptation to put in front of someone since so much of their future plans depend upon what is in that letter.
Finally, I don't see that any harm is done by someone just peeking at the letter. If they act upon that information then that is another matter, for example by starting apartment hunting a month early. But just looking doesn't hurt anyone. According to my own ethics, if I am not hurting someone then I am not doing something bad.
I hope some of those people who got rejected band together and sue the pants off of HBS.
We don't see the world as it is, we see it as we are.
-- Anais Nin
the other 4881 applicants are suing Harvard for posting personal, confidential information on the internet for all to see.
Dan East
Better known as 318230.
A form submit hack to an open document is not illegal nor in my opinion, unethical. You are simply choosing a different way than intended to view open information. Kind of like reading the last chapter of a book first. Suppose that someone posted links containing the get statements to a web page and called it something along the lines of "Get your Harvard Info Here." This page could appear to be totally legit while totally screwing the people clicking the links. I think that this is a total over reaction on the part of Harvard.
If I were AL, how can I get a list of these 119 students. I think they have a case against Harvard. Can Harvard prove that each accessed file was accessed by the student whose record appeared in it. Let's see how much of a retainer from each of 119 future wealthy executives....?
IANAL, however, this seems like something that Harvard should get sued over. You read something on a bulletin board, telling you a URL and telling you to type in your user name and password, and see whether you were accepted, and because of that, you get rejected? No Fucking Way!
But, even though I think they should get sued, likely no one will, because all these applicants are likely top of the line, with admissions to other top B schools, and this lawsuit could mess up their careers....
eat shiat and bark at the moon
totally classic behaviour you'd expect from an unethical corporation who wants to cover their ass and deflect blame of a major fuckup that's their own fault.
if you ever wondered about the ethical standards of harvard, here's a perfect example. instead of accepting responsibility for their fuckup, they take it out on others, in order to cover up their embarassment.
Almost the exact same thing just happened at the CMU business school; this was in the paper today. When I saw the slashdot article, I just assumed it was about the folks that broke into the CMU admissions website (and were also banned by the school as a consequence)
Many of these kids were probably under enormous pressure to get in.
Interesting (to me at least) riff from a recent Economist article...
One factor contributing to the stratification of US society is precisely that enormous pressure. There is extreme pressure in competition for entrance to top schools (and then to get good jobs at top employers and then to advance up the ranks at said employers). But, this competition is primarily localized to members of the upper and upper-middle classes.
Meanwhile, American society is measurably breaking into the haves and the have-nots with a shrinking middle-class. A similar bifurcation occurred in the early 1900s, but was checked by the very people at the top who recognized that American society needs to be dynamic in order to be robust. Thus came the creation of measures of merit like the SATs.
The difference between now and then is that in the early 1900s, the upper classes easily perceived the stratification making it relatively easy to motivate people to address the problem. With the extremes of the current merit system, all the upper-classes perceive is extreme competition - but only among themselves. From their perpsective it is still a merit based system. But when it takes a $90K prep-school and a $10K SAT-prep course plus a "legacy" contribution to gain entrance to a top-school, we are very close to where we were at the start of the 20th century -- excluding huge swathes of society from the opportunity to advance themselves.
http://blogs.law.harvard.edu/philg/2005/03/08
Personally, I'd have capitalised "unethical" rather than "illegal" as I consider it to be the more serious issue.
I recently wrote an IRC bot. That is currently illegal in the USA (read up on the ActiveBuddy patent) and will, as a result, probably be illegal in short order in the EU (where I live). However, I'm not bothered.
If I'd done something that I considered immoral, I would be worried. But my opinion is that allowing governments to define your morality is lazy at best and idiotic at worst. This applies particularly strongly in this situation where, as far as I can tell, people are being kicked out for receiving their letters before they were due to be sent.
I can't see any good reason why this should be a major offence, certainly not why people's lives should be messed up on this basis. Especially if they are able to produce a detailed argument as to why they considered their behaviour ethical.
Please, please get your priorities straight.
For the love of God, please learn to spell "ridiculous"!!!
My take is this. URL alterting is not hacking. This is akin to giving the online applicants each a key to their own room and then punishing them after someone told them that they could find their admissions letter in the closet and 119 of them decided to look.
Harvard and Applyweb messed up by not securing their site. They are embarrassed and have successfully put their PR departments out to spin the story and libel these applicants by accusing them of "hacking" which in todays media implies a criminal intrusion. IANAL but this intentional disparagement which Harvard knows is untrue, along with leaving their personal educational records out there, insecure, sounds like a lawsuit to me.
Harvard's decision to not accept or unaccept those 119 candidates has nothing to do with what they actually did. It has a lot to do with the view by admissions offices in every university that their admissions criteria and decision making process is secret and that we should submit every thing we have ever done in our lives for them to examine and judge in any way they choose without even so much as an explanation of the admissions decision in exchange for our $65 non-refundable fee.
Harvard is unadmitting these students because they found out some information about themselves, in their own file, that they had perfectly legal access to, that Harvard wanted to keep secret and it's service provider accidentally put out on the web.
As for ethics, not one University, especially the private ones have a leg to stand on. They mail out advertisements to students urging them to apply and implying they are 'what the school is looking for.' for no other reason than to increase the number of applicants and the included application fees. The private universities almost invariably reject the majority of transfer credits in order to charge exorbitant prices on repeated basic courses taught by unpaid/underpaid TA's. That is just the tip of the iceburg.
If I were an applicant, my impression is that I would constrye the information as saying that "the university for some reason doesn't send you the URL right away, but if you have an admissions letter it may already be at $BASE_URL + "?" + "foo". I would have logged in and typed the URL without hesitation.
Based on your strong statements, I begin to see that the admissions committees would consider this cheating. I still have seen no explanation as to why this is the case, still less why the applicants would necessarily think this.
Unless any instruction to the contrary was very prominently stated in the login screen or terms of use, I see no reason for the applicant to have any presumption that typing in such a URL would be construed as even slightly inappropriate, much less rising to the level of obviously unethical.
For what it's worth I consider myself a highly ethical person. I am a person who has on several occasions acted significantly against my own interests on ethical grounds. Nevertheless, based on the information I've seen so far, I don't believe I would have even hesitated to type in the purportedly secret URL variable. I would not have had a moment's concern about being "caught" because I would have no expectation that what I was doing was even remotely inappropriate. I would also have been perfectly aware that my action would be unambiguously recorded in the server log.
I think it's very different to accuse someone of behaving contrary to *your own* ethics than to accuse them of behaving contrary to *generally accepted* ethics. It's simply not at all clear that the applicant would even have considered the matter to be ethically problematic, as is evidenced by the fact that they were logged into the system at the time!
Even if "ignorance of the law is no excuse" this seems like a prohibition promulgated retroactively.
Unless you can explain to me why the applicant should have known that the behavior was a violation of either an explicit agreement or an implicit trust, I conclude that it is the behavior of the university that is unethical. It is unconscionably unfair and arbitrary.
mt
While I laughed at your comment, I found: There are some levels of satisfaction that money can't buy, like watching 100+ snot-nosed future pointy hairs take it up the pooper from Harvard. and other similar comments on this post a bit insulting and actually stupid.
Stereotyping Ivy league students as being rich, snotty, heartless people is stupid and really not nice, especially since you probably don't know that many of them. Some of my friends attend an Ivy league school and they're some of the nicest and most intelligent people I've met. Yes, many rich people tend to be snotty and since they can afford these schools there are more of them there than at another typical school - but it's not nice just bashing these 100+ students because of a stereotype.
Out of these 100+, some might be rich and snotty, however I'm sure many are very intelligent and probably just acted on their curiosity.
Weather you consider their actions unethical or not, I'm sure that most of us have made mistakes, and therefore I think it's improper for us to laugh at them - especially those that originally got accepted - who now suffer a pretty big loss.
If this were a cheesy college-spoof movie, the 119 "cheaters" would be recruited to the goofball school for their display of initiative.
Kobayashi Maru indeed.
-- Gary Goldberg KA3ZYW 301/249-6501 AIM:OgGreeb Digital Marketing Inc., Bowie, MD
For every applicant who peeked, there are 100 others who would have peeked but just didn't know about it. I think that if Harvard wants to filter applicants for ethical consideration that is great, but it should be built into the application process so that all applicants are tested for ethics, not just the few who happen across a website.
I don't know that it's a question of not differentiating between ethics and rules. In this particular case, it seems that there's an ethical violation, although I'd consider it fairly small. The physical analogue for me is: one person jimmies a window at the admissions office, sneaks in, and grabs a look at his file. Along the way, he shows a few hundred people how to jimmy the window. Then a lot of them do, either out of curiosity to see if they got in, or curiosity to see if the window will open that easily, or any other reason. Is it unethical? Yeah. Is it unethical on a scale that means you should no longer be accepted to the school? Probably not. A stern talking to, maybe a fine.
That being said, colleges, as a general rule, don't teach ethics. There's a lot of dissemination of political views in the classrooms, for good and evil. Oh, they generally punish you if you plagiarize and they catch you, either by suspending or expelling you. But ethics? Personal values? For the most part, these are things you have before you go, or you'll never pick them up at school. And for the degree that they're refined, that's mostly something that's done as a function of your peer group, rather than your institution.
Essentially what Harvard did here was to apply a filter that discriminates against people with Internet technical skills. A pretty weak filter, granted, but you have to have a little something on the ball to find and paste together significant fields from multiple URLs.
We have enough trouble with lack of Internet savvy in American business management as it is.
To a Lisp hacker, XML is S-expressions in drag.
Reminds me of when I was at school. Something got stolen. The cops were called and everyone was taken out of class. They said: "We know who stole the [whatever]. We're giving you a chance to own up and be a man about it." Of course they didn't know, nobody owned up and nobody got bust....
Engineering is the art of compromise.
I think HBS's response is way overboard.
In fact, a few years back I applied for business school and one of the schools on my list was MIT's Sloan. As I recall, there was some 'hack' (hack lite) one could use to determine whether one had been admitted and it consisted of this: you would basically ping the mail server and figure out if a UID had been created for you. If it had, then you were in; if it hadn't, then either you weren't in or your UID hadn't been created yet.
Near as I can tell this is exactly identical to what went on here; using some 'covert' mechanism to ascertain admission status.
I consider myself ethical to a ridiculous fault but I am sure I too would have checked and not thought much about it before hand (as being unethical). If you leave your pants down, you shouldn't be too surprised when people take a gander at what's there.
The trick was you had to type in the following URL.
p pl icantDecision.asp?AYID=89CFE0A-424C-4240-Z8D0-9CR5 2623F70&mode=decision&id=1234567
https://app.applyyourself.com/AyApplicantMain/A
The AYID=89CFE0A-424C-4240-Z8D0-9CR52623F70 was in the URL bar when you logged into the site. You could figure out the id=1234567 from hitting view source once you were logged in and searching for ID.
I look at that and I think, maybe they didn't make the URL clickable because of a bug in the system. These students basically just found a bug fix.
As a middle-class, public-school attendee who was never "prepped" or tutored but is nonetheless attending an Ivy-league institution, I beg to differ. Sure, there are students at the top schools with rich parents, private-schooling, and a bevy of people to help them when necessary, but most of us got here the old-fashioned way: hard work, intelligence, good parenting, and a bit of luck.
"Don't get caught."
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
You've got to be kidding!
First of all: You're equating "hacking" with rape. That's just disgusting.
Second: Apparently, said "hacking" was typing in an URL into the location bar. Hardly hacking.
Third: The fact that the applicants were able to see their acceptance letters is obviously a security failure and a fault of ApplyYourself. If they are not supposed to see them, make sure they can't. It's really that simple.
Free Manning, jail Obama.
Your comment brings some good insight. I fail to see a few things that some of the Harvard supporters seem to assume.
1: Harvard has a legitimate reason to withhold information considering admission from their students?
2: Accessing a site with information pertaining to yourself is of course unethical considering you had help from a 1337 d00d.
What possible explanation does Harvard have for storing the status of their students on the same database as they serve their website on? What reason does Harvard have to with-hold this information from perspective students? Applications require planning ahead on the part of students, these students dont have a chance to apply to more schools after they've been turned down by one, etc.
Second, This information was about the perspective student who accessed it. There is no rule of ethics that says you can't discover something about yourself.
Finally, what did Harvard have to loose? This was not a teachers gradebook situation where you could assume someone was snooping in hopes of "fixing" a grade. The information is purely read-only, and it's not information that would not be disclosed, it's information that would be disclosed later. Why?
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Early in the morning on March 2nd, someone calling himself "brookbond" on the BusinessWeek MBA Forums saw the results of his HBS application using a modified version of the link he'd use to see his results at another school also using the Apply Yourself system.
He saw a "ding" letter, meaning that he saw a form letter with the standard "We're sorry, we can't admit you to the class of 2007. Blah blah blah. Best of luck in your future endeavors." He then posts the technique he used to view the letter to the BW forums. This information is visible for roughly six to eight hours. After the beginning of the business day on the easy coast, all hell breaks loose. People are discussing the posting on the BW forums, with people wondering if the link works or not. People report seeing one of two things:
NO ONE SAW AN ADMIT LETTER.
Period, point blank. Anyone who says they did, is lying. At sometime between 8:00AM and 9:00AM EST, the BW forum moderators realize what's being discussed, either because of the activity level on threads related to HBS, or because they were contacted by HBS directly. BW begins deleting every single thread related to HBS, regardless of whether or not it contains information about the "hack" or not.
At this point, a blogger named PowerYogi posts the technique to his blog. A rather humorous thread insinuating HBS is sending snipers after PowerYogi starts up, then peters out after a while.
Eventually, Apply Yourself wakes up and patches the system to show "Your Decision is not yet available" messages instead of the dings and blank screens. This occurs between 10:00AM and noon EST.
Nearly 20 hours after the "hack" is first posted, HBS sends this letter to applicants:
Unfortunately, things don't stop there. Eventually, BW gives up trying to delete all the HBS postings, and people begin discussing the item. An article appears in the Harvard Crimson detailing the incident on March 3rd, and the article is used as source material for articles by the Boston Globe and the Associated Press. The AP article makes the front page of MSNBC.
By March 4th, other schools using Apply Yourself realize that their decision information may also have been available. In an amazing display of leadership, the Tepper School at Carnegie Mellon announces that they will reject anyone who tried to access their decision information early. Elsewhere, it is learned that a grand total of TWO people attempted to learn their fate at Tepper early, making it easy for CMU to grandstand.
With a precedent set, schools begin to announce their decisions on the fate of the "hackers". According to
Blogging Weight Loss, Distance Education, and more at verlin.com
I see no unethical action by students here. Who was injured by this action? So someone found out that they were not accepted or were accepted a few weeks early. Big deal! The school was not injured. Other applicants were not injured.(other spots are still available and unknown, unless this hack was really a list of all accepted individuals which according to officials was not the case) The applicants however are being injured, by the school. The company was embarassed, but rightly so. Actually they should be ashamed of doing their job poorly. It is their job to make sure "hacks" do not happen. But what do they care. As long as the 200 dollar application fees are paid by 5000 applicants, they are all set. I bet there were no screw ups in the billing aspect of the site. The school is acting unethically in this situation, not the applicants. There was no injury to the school, yet they injure applicants who for some reason wish to better themselves in the presence of Harvard. Why harvard? who knows?
Do they really want applicants who do not know how to use a browser? Modifying a URL isn't hacking, it's navigating. Just because Harvard didn't want people to look at their scores doesn't mean that it was unethical for people to look at their scores. Harvard should be ashamed for being so careless with its data. If it's out there with a URL, it's fair game.
(a) Harvard can't secure its systems properly, so it's partly their fault.
(b) No decisions were changed as a result of the access and no-one altered any data.
(c) Harvard has lost some bright students who passed their (presumably rigorous) selection process.
So is this a stupid decision, or what?
When I am king, you will be first against the wall.
... except that nobody found out.
I was admitted to the University of Helsinki law school (see fancy up-to-date web site in Finnish or the really crappy obsolete site in English) in 2001. The entrance exam is highly competitive and people pay insane amounts of money to attend preparatory courses to increase their chances of being admitted. I, for one, spent three months holed up in my apartment, studying non-stop to make sure I would get in. A lot of people would do anything to find out in advance whether they have been admitted or not.
The list of persons admitted to the law school was supposed to be posted on the web on July 20th, 2001 on the admissions 2001 home page (which was, at the time, part of a buggy frameset). If you were "clever" enough to strip the last part of the URL away (like I was), you ended up with a directory listing. This could be used to access the file that included the list of students admitted to the law school - two days before the results were made public, on July 18th, 2001. (The direct URL to the file was more or less un-guessable until the results were released.) Two days may not sound like much, but when you're talking about the display of insanity that is the Helsinki law school exam, it's a lot. More than a few people would undoubtedly have paid serious cash to know their results in advance.
About one year later, the list was "removed" from the web for privacy reasons. However, they simply changed the file extension to ".old", and the list of students admitted to the law school in 2001 is still accessible through the directory listing URL!
Of course, they never found out that the list could be accessed in advance. The lack of computer savviness among the law school faculty and staff never ceases to amaze me. At one point, they had a web page with the latest updates to the law school program for Fall 2004 - without doubt the most popular page on their web site. The file included about 20kB of text, but for some unfathomable reason, the HTML file was about 2,3MB! It's been fixed now, but the problem persisted for several months. (When I looked at the HTML, they had one million extra CR+LFs at the beginning of the file, adding over 2MB of 'bloat'.)
Idiots.
I don't get it. I thought in the USA every citizen was entitled to see any files kept on them simply by making a request (Freedom of Information Act). Typing in a URL in your web browser to view information about yourself doesn't seem illegal or unethical. It would seem to me that typing in a URL should be considered making a request and viewing the resulting information about yourself is well within your legal right. All I can figure is that there must have been some terms of service associated with the login process that I am unaware of, but even that seems illegal. I'm not a lawyer but maybe someone who understands this stuff could explain it for us normal folk so we don't get into trouble reading things about ourselves we aren't entitled to.
Why doesn't Harvard just do what everyone else does and replace the link with an undesireable image?