Slashdot Mirror


Stanford Rejects Business School Hackers

robbarrett writes "The Stanford Report offers the next chapter in a continuing story about business school applicants manipulating URLs on the ApplyYourself system to determine their personal admission status. Harvard immediately rejected the 'hacker' applicants, but Stanford gave 'offenders' the opportunity to defend their actions. However, none of the competitive applicants 'was able to explain his/her actions to our satisfaction,' according to Stanford's dean, so all were rejected. The story mentions the decisions reached by other schools involved in the mess."

16 of 406 comments

  1. Re:If they had been Comp Sci students.... by leonmergen · · Score: 5, Insightful

    But in this case you get what you deserve.

    These kids didn't even know they were hacking. All they knew was that they received a URL via MSN from their friends where they could look up their status...

    Sure, they should've known it wasn't supposed to go this way, but should they really be punished like this?

    Personally, I don't think they should be the ones punished, but rather the person in charge of the security of the website...

    --
    - Leon Mergen
    http://www.solatis.com
  2. Re:If they had been Comp Sci students.... by L.Bob.Rife · · Score: 5, Insightful

    What they deserve? They applied to the school, and then somebody told them they could find out if they were admitted by typing in a url.

    How many students were even aware that it was a big secret whether they were admitted, and they weren't allowed to actually know? Why was it even a big secret in the first place? Shouldn't they be telling the students as soon as it's reasonably possible, and not dangle it over their heads making them waste time if they weren't accepted?

    So, Stanford wants to make claims that these students are morally corrupt by typing a couple letters into their browser, when the school itself is keeping secrets about the students' futures hidden for no reason at all and punishing them for being curious. Who is morally corrupt in this scenario I ask...

  3. Return of the H@x0r by Anonymous Coward · · Score: 4, Funny

    Episode VI

    RETURN OF THE H@X0R

    Applicant-1337 has returned to
    his home planet of ParentsBasement in
    an attempt to rescue his
    friend University Education from the
    clutches of the vile gangster
    The Big Guy.

    Much does Hax0r know that the
    HARVARD EMPIRE has controversially
    begun construction on a new
    armored hax0r-rejection policy even
    more powerful than the first
    dreaded competitive admission system.

    When completed, this ultimate
    weapon will spell certain doom
    for the small band of hax0rs
    struggling to restore freedom
    to the interweb....

  4. Hackers is a strong word for them by Dancin_Santa · · Score: 5, Insightful

    They hardly ought to be called "hackers". It's like calling arsonists "pyrotechnicians". Sure, the tools may be the same, but the level of expertise is very different.

  5. TFM... by Viceice · · Score: 5, Insightful

    "Joss noted that while Stanford was dismayed by the actions of the candidates who tried to gain unauthorized access, it "did not rush to judgment given the limited information available to us initially. By carefully reviewing the file of each applicant involved in these incidents, we upheld the business school's values while treating each applicant fairly. As an educational institution, we hope that the applicants involved in this incident might learn from their experience.""

    Sounds more like an attempt by the PR departments to cover their collective legal asses after their PHBs jumped the gun and block rejected applicants on the grounds that they committed a crime that technically isn't. IMHO, their position on the matter is weak.

    The students didn't steal passwords, spread a virus or trojan. All they did was akin to manually typing in an albeit complicated URL and accessing data on unprotected public servers.

    --
    Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
    1. Re:TFM... by nharmon · · Score: 4, Insightful

      Bad analogy...here is a better one: Let's say the University had a toll-free telephone number that allowed applicants to find out whether or not they were accepted. The only steps the University takes to protect this information is to simply not publish the phone number. But, it's the same phone number that was used last year.

      Now, why would a student, who was told last year what the correct URL format is to ask for their application status, now be considered an unethical computer hacker because this URL format returned information before the administration wanted it to be released?

      Perhaps we should stop considering URLs to be security devices, and compare them more to telephone numbers.

  6. Unfair treatment by omega_cubed · · Score: 5, Insightful

    Quote:

    Joss noted that while Stanford was dismayed by the
    actions of the candidates who tried to gain
    unauthorized access, it "did not rush to judgment
    given the limited information available to us
    initially. By carefully reviewing the file of each
    applicant involved in these incidents, we upheld
    the business school's values while treating each
    applicant fairly...

    That's quite a "holier than thou" sneer at Harvard and MIT.

    What I am truly surprised by is that none of the schools took actions against ApplyYourSelf as far as I know: rather, the focus has all been on whether the schools took action against the students. I think this plays heavily on the public's fear of "hacking". Just because the applicants peeked using a computer, it suddenly made it such a grave matter.

    First, I think ApplyYourSelf should bear some responsibility for not properly securing their web-app in a way that such an action is possible. For many people (and I'd even venture to say that in public opinion), anything that is accessible by typing a URL into a browser window might as well be published. I don't really think the school has the right to penalize the applicants for accessing information that has been made available to them.

    Secondly, this whole business has been blown out of proportion: the students were only able to look at their admission status, and that even hinges on the fact that the schools have already published that information to the website. It is not as if the students were actually "hacking" in the sense of escalating their privilege and modifying their admission status. I just don't think this incident is an accurate enough illustration of their moral fibers to warrant such decisions (though I generally have no sympathy for business school applicants).

    Thirdly, I think the whole finding out the admission status thing is more akin to being impatient and calling up the admission office with the knowledge that the drunk receptionist would accidentally let the admission status slip out. So why the applicants were treated so harshly and why the ApplyYourself service was not is really troubling me.

    W

    --
    Engineers also speak PDE, only in a different dialect.
  7. Getting to the goodies... by KingSkippus · · Score: 5, Insightful

    Good grief. I'm guilty of doing this sort of thing all the time.

    I'd never really read about what exactly the applicants did before. If the article is right, all they did was poke around the system with URLs munged from information they already had. It's not like they exploited buffer overflows to gain control of the system or anything.

    Like I said, I do this type of thing all the time. If I'm on a Web site with content I like and I see a series of URLs named something1.htm, something2.htm, something4.htm, etc., you'd better believe I'm going to type something3.htm in and see what happens. On my own dinky Web sites I have, if I don't want people browsing around the system, I take steps to prevent it, such as making sure the server doesn't allow one to list directories, always having an index.htm file in every directory in case I forget, naming files randomly instead of in series, etc.

    And, on top of all of that, as the post above states, all these candidates did was find out information that was going to be disclosed to them soon anyway.

    So I gotta ask, what the hell is the big deal here? Why is Stanford being such a hard ass about this? If anyone is to blame here for any significant wrongdoing, it has got to be the company that designed software that so easily gives up unauthorized information. I wonder what Stanford did to seek redress against them. (Probably nothing.)

  8. Re:Heh by Guido+del+Confuso · · Score: 4, Informative

    "None" is short for "not one" and so it uses the singular verb form. The subject of the sentence is "none", not "applicants", so the usage is correct.

    http://dictionary.reference.com/search?q=none

  9. Only one reply is possible. by jesdynf · · Score: 5, Interesting

    I pledge, the next time I hear of such a possible exploit, to rip as much information from the system as the website gives me permission to retrieve. Every bit of it -- I shall construct scripts, pore over forums, and create a list of possible students whose data I will then attempt to extract.

    Additionally, with these links in hand, I shall paste them to random places on the internet, and specific places such as the most likely forums to find such students. I will also disguise their nature and essence, so that users will not know what they click on until it's too late.

    So the next time Stanford comes calling, you go ahead and /blame me/. I could've been the one to do it, after all. You don't know I didn't. They don't know I didn't.

    Or they could just accept that their own goddamn marketing department creates an illusion of prestige, and that people with a limited amount of time to waste on non-responsive colleges /sitting on/ important information like that are going to want to know who to stop wasting time on, and that if they don't like it they can /fix their fucking permissions/. Do they not know any decent webapp programmers? Who've they been graduating?

    --
    Yahoo! Pipes are awesome. How awesome? http://pipes.yahoo.com/jesdynf/slashdot
  10. culture of zero tolerance by Anonymous Coward · · Score: 5, Insightful

    the applicants, for the most part, are still 'just kids' and even as a woefully too well aged adult, I can still relate to the idea that taking a peek at 'hidden' information on a web site is not evil

    the problem is not the kids. it's this culture of zero tolerance which the otherwise liberal educational community has latched onto with a fervor one would normally expect from religious fanatics.

    back when i was attending college the attitudes were different. administration had a 'boys will be boys' attitude and was more concerned with helping us understand why certain activities were not acceptable, rather than striking us down like Zeus on the mountain.

    Based on the information I've encountered regarding this mess, there seems to be an extreme level of self righteous bigotry on the part of the 'adults'.

    Or perhaps they are just too lazy to do their job of education.

  11. Come on, this is Stanford's own fault by donscarletti · · Score: 4, Insightful

    It is sad that most decision makers don't understand what "hacking" actually is. A security breach that allows information to be extracted is simply a process of asking for information in the right way. Whether they like it or not, their own computer told these applicants what they wanted to know because of a simple trick of asking the right question. Their computers were not told to protect the information and so it blabbed to these students as soon as it was cued. This particular hack is analogous to walking to a front desk and asking the receptionist the hypothetical question: "imagine for a second that today was the Sunday two weeks from now, now in that situation, what would you tell me about my Stanford acceptance?" and getting a reply. In that situation the result would be the receptionist that was fired, not the questioner getting punished, I don't see why it should be any different for its electronic analogue.

    Of course no institution should be forced to accept students it doesn't want to, but morally speaking, these students have done nothing wrong. There are many immoral things one can do on a computer: sabotaging other people's systems, destroying other people's data among others. But finding out personal information by asking a gullible computer the right question is perfectly understandable. If Stanford want this data safe, they should fix their computers so it protects the data. Computers are remote controlled and pretty much do what they're asked to do. One wouldn't leave a priceless Monet strapped to a remote control truck that every kid with a toy car can control, so why do people complain about their loose lipped computer squealing numbers to some kid who knows how to use a URL bar? The sooner people see computers for what they are: devices that are told what to do by more people than they should and forget about the whole trespass on private land metaphors, the sooner people might take some responsibility about dumb machines being given too much information. They probably will end up a lot safer in the long term. It really makes me mad when people blame others for exploiting their own gullibility.

    --
    When Argumentum ad Hominem falls short, try Argumentum ad Matrem
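
Added example (not part of the Slashdot thread and not ApplyYourself's code): the access-control point the comments above argue about, sketched in Python. The record ids, applicant names, release date and function names are constructed assumptions; the first lookup returns whatever the URL names, the second decides on the server using the session, record ownership and the release time.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class Decision:
    applicant_id: str      # who the record belongs to
    outcome: str           # stored before the school wants it visible
    release_at: datetime   # when the applicant is allowed to see it


# Constructed sample data: decisions already loaded, release still in the future.
RELEASE = datetime(2005, 4, 1, tzinfo=timezone.utc)
DECISIONS = {
    "1001": Decision("alice", "admit", RELEASE),
    "1002": Decision("bob", "deny", RELEASE),
}


def lookup_by_url_only(record_id: str) -> Tuple[int, Optional[str]]:
    """Weak pattern: the only 'protection' is that the URL is unpublished."""
    rec = DECISIONS.get(record_id)
    return (200, rec.outcome) if rec else (404, None)


def lookup_checked(session_user: Optional[str], record_id: str,
                   now: datetime) -> Tuple[int, Optional[str]]:
    """Server-side checks: authenticated, owner of the record, and released."""
    if session_user is None:
        return (401, None)
    rec = DECISIONS.get(record_id)
    # Same answer for "no such record" and "not yours", so ids cannot be probed.
    if rec is None or rec.applicant_id != session_user:
        return (404, None)
    # The check missing in the incident discussed here: the data existed on
    # the server, but nothing compared the request time to a release time.
    if now < rec.release_at:
        return (403, None)
    return (200, rec.outcome)


if __name__ == "__main__":
    early = datetime(2005, 3, 1, tzinfo=timezone.utc)
    print(lookup_by_url_only("1001"))             # decision leaks early
    print(lookup_checked("alice", "1001", early))  # refused until release
```
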
  12. Re:They got what they deserve by ultranova · · Score: 5, Insightful

    They showed they lack good judgment and a sense of ethics.

    Lack of good judgement maybe; but how is it unethical to try to get information concerning yourself? Or are you trying to imply that Stanford is some sort of ethical authority?

    I don't want to work with somebody that cuts corners and refuses to play by the rules - what happens when it's a big contract and they decide to "see if we won?" or decide to see if "x is really going to buy Y?"

    I'd imagine that they would become successful and capable businessmen. After all, the ability to get good information is the cornerstone of making good decisions.

    If I can't trust you to do what is right, I don't want to work with you.

    Are you sure you aren't confusing moral right with your own expectations of human behaviour? Because, to the best of my knowledge, there's absolutely nothing unethical in reading information concerning myself, even if someone else is trying to keep it a secret.

    Yes, waiting for B-school admission is a high stress period - but stressful situations is when people's character shows. I can understand HBS and Stanford's stance - they, and their alumni, don't want to be associated with the type of people that will create another Enron.

    Kindly explain what finding out whether you were admitted to a school has to do with forging accounts?

    Overall, they were probably too dumb to get in - from what I saw, the "hack" was a no-brainer - append some code to the end of the URL to hit a page rather than some smart piece of coding; more importantly - didn't they think that there would be alums of schools on the boards that would see the "hack" and let their schools know? And that these alums would know who to talk to so that the school could investigate and take whatever action is deemed appropriate?

    Maybe they made the mistake of assuming that the school would take appropriate action, as opposed to the action it actually took?

    If one of the "hackers" had been smart, they'd email the Dean of Admissions and ask - "Someone posted this as a way to check admissions status - is it OK if I use it?"

    How would this have been smart? These people had no obligations towards the Dean; why would they ask his permission to view information concerning them?

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  13. "Morality" and the great academic monolith... by mosel-saar-ruwer · · Score: 4, Insightful

    Who is morally corrupt in this scenario I ask...

    Your modern-day University autocrat has about as much use for morality as a fish has for a bicycle.

    This is all about the elites that govern these institutions - they were embarrassed* by the applicants, and now it's payback time.

    ----------

    *Although, for the life of me, I don't see how this** sort of thing would embarrass a normal person, but that just goes to show you how introverted, self-obsessed, narcissistic, and arrogant these monomaniacal little twits really are.

    ----------

    ** i.e. typing a URL into a browser with the hope of finding out information ABOUT YOURSELF - information that, in theory, BELONGS TO YOU. Reminds me of hospital administrators who try to ban patients from reading THEIR OWN CHARTS, as if the medical records belonged to the hospital, rather than to THE PATIENTS THEMSELVES.

    Just thinking about these kinds of people makes my skin crawl.

  14. Re:They got what they deserve by Znork · · Score: 5, Insightful

    "They showed they lack good judgment and a sense of ethics."

    Um, no, they showed curiosity and a certain resourcefulness in finding data. Traits I can certainly appreciate in colleagues.

    Now, HBS and Stanford on the other hand showed a lack of good judgement and a sense of ethics. Their only concern appears to be to save face because they invested in a crap product that apparently doesn't even have proper access control. To blame some applicants to cover up their own incompetence is pretty low.

    "they'd email the Dean of Admissions and ask"

    Where do I send my mail asking if it is ok to access www.harvard.edu? Some guy said you could access their webpage if you typed that into your web browser, but I'm not sure I'm allowed to?

    If you can access it you can assume you're allowed to access it. It is not customary to be required to ask permission for looking at things in plain view.

  15. Re:If they had been Comp Sci students.... by TheoMurpse · · Score: 4, Insightful

    Imagine if the email from their friends had said "Your admission status is kept in the filing cabinet in room 306 of the admissions office, and the guy who works in that office leaves the door unlocked when he eats lunch at noon every day."

    No, the correct analogy is
    Imagine if the email from their friends had said "Your admission status is posted in the hall of the Natural Sciences building, indexed by SSN".