Slashdot Mirror
Harvard Business School: You Peek, You Lose
mosel-saar-ruwer writes "Seems Harvard Business school was using the ApplyYourself web service to process applications. Sometime in the last few days, an anonymous hacker, known as 'brookbond', was able to crack the system, and discovered that Harvard had already posted acceptance letters to the website fully a month before they were to be mailed to their recipients. He posted instructions on how applicants could view their letters at the BusinessWeek forums, and approximately 119 applicants followed his advice. Today, the dean of the Harvard Business School, one Kim Clark, announced that none of the 119 would be admitted: 'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'"
Wow. So even though only one person actually did the hard work of figuring out how to hack into the site, 119 other individuals figured they too should follow the directions to hack in and learn the results. Harvard (rightly so) decided to not admit any of the 119 even though some of them possibly were initially accepted. Is this a response to some of the unethical and deceptive practices that have been rampant in the business world (i.e. Worldcom, Enron, pick your fav.) of late? Perhaps, but this is especially important in that much of business school (especially in ivy league schools) is about establishing relationships and connections. Do we want a bunch of ethically challenged folks getting to know one another in Harvard business school? I think not. In light of many of the current scandals in the business world, I would like to believe that schools do pay attention to these issues and perform some filtering at the front end rather than filtering or correcting during the educational process. After all, there are some things that cannot be taught. By the time one applies to business school, patterns of behavior are fairly well entrenched and behavioral correction of things we were supposed to learn in kindergarten is not the business schools responsibility.
It would be interesting to find out what their stories are. Why did they do it and what were they possibly thinking? Do they believe they should be blacklisted?
It should also be noted that Harvard was not the only school affected by this hack. Other business schools (MIT, Stanford, Carnegie Mellon and Duke) were also compromised and I would encourage those schools to adopt the same actions as Harvard in this case.
Visit Jonesblog and say hello.
God knows that this sort of unethical behavior and borderline illegal practice is totally out of place in our business community. Obviously, these punks are only getting what they deserve.
Aside from that, hopefully those involved will learn a valuable life lesson from this: If you can't play by the rules, you'd better be able to run fast and catch, throw or hit a ball really well.
PS: I wonder if any prospective students were smart enough to just look at the admission status of the *other* students... Now that would be showing the sort of sense you'd need to get to the top of corporate America.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
and now I will get into Harvard Business School myself!
* evil laugh *
oh wait, business school. shit.
But weren't even applying to go to Harvard?
My little site.
Test Prep Classes: $10,000
Donations to School by Parents: $5,000
Blowing your future because you can't wait a month: Priceless.
There are some levels of satisfaction that money can't buy, like watching 100+ snot-nosed future pointy hairs take it up the pooper from Harvard.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
Does anyone know how complicated the instructions were? Is there any way the people could have thought they were just accessing the site, putting in a URL with their name or whatever at the end of it, and not 'hacking' it to get information they were not allowed to have?
If ethics was so important, how come it wasn't tested for in the actual application process?
Seems like the school bears some responsibility for outsourcing the acceptance letters to an easy-to-hack site. The cynic in me tells me that half the reason they are coming down so hard on the students is to divert attention from their own security failure.
Someone hacked into our server and posted the details of how to replicate it to the rest of the world. We're now embarassed, who can we lash out against?
Ah! the people who we can actually hurt without going to court or having to get law enforcement involved, the 119 18 years olds who were on tenterhooks to know if they'd been accepted and really couldn't contain themselves to wait another entire month when we'd already made the decisions.
Infact, if I understand from my rather hazy sources US law enforcement won't get involved unless the crime has cost $5000 (I could be way off here though, I didn't get this from an authoratitize site), so, since they're out the only other option to lash out and save face would be to sure, which is expensiv when you can just ruin 119 kids futures. Of course, doubtless it will end them up in court...
The ethics point isn't particularly strong, these are 18 year olds who want to know if their chosen college has accepted them and they find out that the decisions have been made and the letters written a month before they'll get them otherwise. The fact that they followed some instructions posted online to find some 'hidden' files reflects little on their ethics in the future - I spent hours in school trying to get into every nook & cranny of the systems (which the admin had tried to lock down) using as many non-invasive/agressive methods as I could find. Does that make me unethical? no. I did it entirely as an academic exercise to see how well locked down the systems were, would it have been unethical to find out information about me that the school held but didn't want to tell me? no, not in my opinion.
This seems to be the university lashing out against someone to save face. That 'someone' being the people who have least blood on their hands (out of the people actually involved) and who the university feels that it can get away with stomping on the easiest.
FGD 135
As a current Harvard MBA student and long-time /. reader, it's worth pointing out that these applicants didn't "hack" anything. They got instructions (now deleted from the BW forums) that if you took your login hash, appended it to a URL at the ApplyYourself, you could see the decision letter on your file, if it had already been posted. My guess is that someone asked a first round applicant (who had already heard) for the URL to the decision and tried it as an in-process second round applicant.
This isn't hacking. Nobody logged in as the Admissions Director or socially engineered their way into info by calling admissions and pretending to be a staffer out on the road. The only people at fault here are the coders at ApplyYourself (the 3rd party application site). Having used it last year, I can tell you that it is technically inferior to most products that other schools build themselves.
There's already some ideas above that with the Enron and Worldcom scandals, business schools need to have ethics at the highest standards, but this misses the point. The 119 people that just got rejected weren't the 119 least ethical applicants. They were the 119 of the (probably) 130 applicants who saw the instructions before they were deleted. The top tier b-school application process is very stressful and the idea of seeing your results early is hardly scandalous.
Furthermore, our new post-scandal "Leadership and Corporate Accountability" course spends a great deal of time discussing the ethical trade-offs inherent in business, such as weighing employee concerns vs. shareholder concerns vs. customer concerns. These decisions are rarely black and white and we spend a lot of time discussing relative merits of each stakeholder. The notion that we would portray ourselves as knowing an absolute ethical standard goes against much of what we teach and learn here.
Despite the small number of true criminals to have walked these halls, Harvard Business School is a great institution and most /.'ers would be surprised to meet all the ethical people here that will be future leaders (if past performance is predictive of future performance).
I agree. And I think it's interesting to see how many Slashdotters, who normally rise to the defense of hackers, particularly when the hack is a really obvious hole that causes no harm to anyone, like this one, are sitting back and laughing at the people who got rejected because of this. Jesus, all the applicants did was change a URL, it's not like they used some root kit to break into Harvard's servers.
Shit, if I try to change the URL to see if I can view my pay statement one day early at work, should I be fired for that too?
Somebody hired by HBS screws up and makes information that should have been kept private accessible on a public web server.
Instead of firing the people who made the boo-boo, the powers that be at HBS decide to punish anyone they can find who looked at their own admission letter.
First of all, it is not at all clear to me that it is ethically wrong to look at your own admission letter when it is posted on a public web site where *many* other people can already see it. For example, if I had heard about something like this I would probably try it just to see if it was really true. I would trust that HBS was not so bone-headed as to allow such a thing to happen.
Second, even if it were established that it was ethically wrong or questionable to peek, that is one heck of a temptation to put in front of someone since so much of their future plans depend upon what is in that letter.
Finally, I don't see that any harm is done by someone just peeking at the letter. If they act upon that information then that is another matter, for example by starting apartment hunting a month early. But just looking doesn't hurt anyone. According to my own ethics, if I am not hurting someone then I am not doing something bad.
I hope some of those people who got rejected band together and sue the pants off of HBS.
We don't see the world as it is, we see it as we are.
-- Anais Nin
IANAL, however, this seems like something that Harvard should get sued over. You read something on a bulletin board, telling you a URL and telling you to type in your user name and password, and see whether you were accepted, and because of that, you get rejected? No Fucking Way!
But, even though I think they should get sued, likely no one will, because all these applicants are likely top of the line, with admissions to other top B schools, and this lawsuit could mess up their careers....
eat shiat and bark at the moon
totally classic behaviour you'd expect from an unethical corporation who wants to cover their ass and deflect blame of a major fuckup that's their own fault.
if you ever wondered about the ethical standards of harvard, here's a perfect example. instead of accepting responsibility for their fuckup, they take it out on others, in order to cover up their embarassment.
Many of these kids were probably under enormous pressure to get in.
Interesting (to me at least) riff from a recent Economist article...
One factor contributing to the stratification of US society is precisely that enormous pressure. There is extreme pressure in competition for entrance to top schools (and then to get good jobs at top employers and then to advance up the ranks at said employers). But, this competition is primarily localized to members of the upper and upper-middle classes.
Meanwhile, American society is measurably breaking into the haves and the have-nots with a shrinking middle-class. A similar bifurcation occurred in the early 1900s, but was checked by the very people at the top who recognized that American society needs to be dynamic in order to be robust. Thus came the creation of measures of merit like the SATs.
The difference between now and then is that in the early 1900s, the upper classes easily perceived the stratification making it relatively easy to motivate people to address the problem. With the extremes of the current merit system, all the upper-classes perceive is extreme competition - but only among themselves. From their perpsective it is still a merit based system. But when it takes a $90K prep-school and a $10K SAT-prep course plus a "legacy" contribution to gain entrance to a top-school, we are very close to where we were at the start of the 20th century -- excluding huge swathes of society from the opportunity to advance themselves.
Personally, I'd have capitalised "unethical" rather than "illegal" as I consider it to be the more serious issue.
I recently wrote an IRC bot. That is currently illegal in the USA (read up on the ActiveBuddy patent) and will, as a result, probably be illegal in short order in the EU (where I live). However, I'm not bothered.
If I'd done something that I considered immoral, I would be worried. But my opinion is that allowing governments to define your morality is lazy at best and idiotic at worst. This applies particularly strongly in this situation where, as far as I can tell, people are being kicked out for receiving their letters before they were due to be sent.
I can't see any good reason why this should be a major offence, certainly not why people's lives should be messed up on this basis. Especially if they are able to produce a detailed argument as to why they considered their behaviour ethical.
Please, please get your priorities straight.
For the love of God, please learn to spell "ridiculous"!!!
Early in the morning on March 2nd, someone calling himself "brookbond" on the BusinessWeek MBA Forums saw the results of his HBS application using a modified version of the link he'd use to see his results at another school also using the Apply Yourself system.
He saw a "ding" letter, meaning that he saw a form letter with the standard "We're sorry, we can't admit you to the class of 2007. Blah blah blah. Best of luck in your future endeavors." He then posts the technique he used to view the letter to the BW forums. This information is visible for roughly six to eight hours. After the beginning of the business day on the easy coast, all hell breaks loose. People are discussing the posting on the BW forums, with people wondering if the link works or not. People report seeing one of two things:
NO ONE SAW AN ADMIT LETTER.
Period, point blank. Anyone who says they did, is lying. At sometime between 8:00AM and 9:00AM EST, the BW forum moderators realize what's being discussed, either because of the activity level on threads related to HBS, or because they were contacted by HBS directly. BW begins deleting every single thread related to HBS, regardless of whether or not it contains information about the "hack" or not.
At this point, a blogger named PowerYogi posts the technique to his blog. A rather humorous thread insinuating HBS is sending snipers after PowerYogi starts up, then peters out after a while.
Eventually, Apply Yourself wakes up and patches the system to show "Your Decision is not yet available" messages instead of the dings and blank screens. This occurs between 10:00AM and noon EST.
Nearly 20 hours after the "hack" is first posted, HBS sends this letter to applicants:
Unfortunately, things don't stop there. Eventually, BW gives up trying to delete all the HBS postings, and people begin discussing the item. An article appears in the Harvard Crimson detailing the incident on March 3rd, and the article is used as source material for articles by the Boston Globe and the Associated Press. The AP article makes the front page of MSNBC.
By March 4th, other schools using Apply Yourself realize that their decision information may also have been available. In an amazing display of leadership, the Tepper School at Carnegie Mellon announces that they will reject anyone who tried to access their decision information early. Elsewhere, it is learned that a grand total of TWO people attempted to learn their fate at Tepper early, making it easy for CMU to grandstand.
With a precedent set, schools begin to announce their decisions on the fate of the "hackers". According to
Blogging Weight Loss, Distance Education, and more at verlin.com