Interesting People mailing list archives

IP: Princeton Admissions office hacks into Yale Admissions list


From: Dave Farber <dave () farber net>
Date: Mon, 29 Jul 2002 18:48:14 -0400



-----Original Message-----
From: "Rich Wiggins"<wiggins () msu edu>
Sent: 7/29/02 10:36:20 AM
To: "Dave Farber"<dave () farber net>
Subject: Princeton Admissions office hacks into Yale Admissions list


Dave,

Last week a story broke about the Admissions office at Princeton
breaking into the database that shows prospective Yale students
whether they were admitted or not.  This was trivial because
the Yale signon only required the applicant's Social Security Number
and date of birth for authentication.  Since Princeton required
the same information, they could check on any applicant they
surmised had applied both places.

The Princeton director claimed that he did this only to check out
security on the Yale site.  But a Washington Post article says that
the same applicant was checked on multiple times, and that it appears
that President Bush's niece as well as the grandson of Notre Dame
coach Ara Parseghian were checked.

http://www.washingtonpost.com/wp-dyn/articles/A7815-2002Jul26.html

Of course this story makes Princeton look bad, though they are coming down
hard, having placed the director on leave and issued a strong statement.
But it also makes everyone look bad:

-- Yale's database used weak authentication.  They should've assigned an
ID/PW or a random PIN to each new applicant.  Web merchants have had
the protocol right for years now.  They opened themselves up to this
sort of attack -- and not only from other universities, but any
unscrupulous staff member at a credit card provider, bank, hospital, etc.

-- Yale's database notified students of admission in a rather childish
way, it seems.  The first time you logged in, if you were admitted,
you saw fireworks.  If you logged in again later, you didn't see
the fireworks.  Thus if Princeton looked you up you didn't get the
happy treatment.

Yale has turned this over to the FBI.  Whether or not there's a
prosecution, the important point here is not what Princeton did
to Yale, but rather what Princeton did to the privacy of prospective
students.  The Admissions staff could've used the same information
to change an applicant's address and apply for a credit card --
"to test security".

/rich
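The weak scheme described in the post (SSN plus date of birth as the whole credential) next to the per-applicant random PIN Rich suggests, as an added example that is not code from the post or from either university; the applicant ids, SSNs and the in-memory store are constructed for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000

# Constructed in-memory applicant store for this example.
# SSN and date of birth are kept as profile fields only, not as secrets.
APPLICANTS: dict[str, dict] = {}


def enroll(applicant_id: str, ssn: str, dob: str) -> str:
    """Register an applicant and return a freshly generated random PIN.

    The PIN is delivered to the applicant out of band; the store keeps only
    a salted PBKDF2 hash, so a leaked database does not yield usable PINs.
    """
    pin = secrets.token_urlsafe(12)  # ~96 bits; not derivable from any record
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    APPLICANTS[applicant_id] = {"ssn": ssn, "dob": dob, "salt": salt, "digest": digest}
    return pin


def weak_login(ssn: str, dob: str) -> bool:
    """The scheme the post describes: whoever holds the applicant's SSN and
    date of birth (another school, a bank, a hospital) is treated as the applicant."""
    return any(r["ssn"] == ssn and r["dob"] == dob for r in APPLICANTS.values())


def strong_login(applicant_id: str, pin: str) -> bool:
    """Hardened scheme: an identity claim plus the issued secret.

    SSN and date of birth are never consulted, so knowing them gains nothing.
    Unknown ids are hashed against a dummy salt so response time does not
    reveal which ids exist, and the comparison is constant-time.
    """
    rec = APPLICANTS.get(applicant_id)
    salt = rec["salt"] if rec else b"\x00" * 16
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return rec is not None and hmac.compare_digest(digest, rec["digest"])
```

With the same record, `weak_login` succeeds for any party that already holds the applicant's SSN and birth date, while `strong_login` succeeds only with the PIN issued at enrollment.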


For archives see:
http://www.interesting-people.org/archives/interesting-people/
