Interesting People mailing list archives
A Sense of Proportion
From: David Farber <dave () farber net>
Date: Sat, 12 Mar 2005 11:04:18 -0500
------ Forwarded Message
From: John Adams <jadams01 () sprynet com>
Date: Fri, 11 Mar 2005 23:22:29 -0600
To: <dave () farber net>
Subject: For IP: A Sense of Proportion

Hi, Dave,

The "hacking" story has certainly brought out some strong opinions--here's what I wrote earlier today, responding to brian d foy's piece:
http://www.oreillynet.com/pub/wlg/6631

There's better formatting in my original post:
http://www.oreillynet.com/pub/wlg/6648

A Sense of Proportion

That's what's missing in the brouhaha about college applicants who took advantage of poor security to peek at confidential information.

In one corner, we have overwrought commentary, like this gem from Patricia Keefe, editor of Information Week:

"Hacking isn't just wrong, it's a crime. As noted by MIT dean Richard Schmalensee, the students who peeked made a conscious decision to do so and invested the necessary time. Their self-interest trumped their personal ethics. And that's what this incident really turns on. The last thing we need in this country is more unethical people coming out of business schools. Haven't we learned anything from the last two years of corporate debauchery and scandal?...

"If these schools don't take a stand now, to what standard will they later hold these students? If these schools really believe ethics is a serious matter, then they need to reject the students who hacked."

If what those students unwisely did was criminal, then the universities should be prosecuting them. They aren't.

It's even a stretch to call what the students did hacking, but that's to be expected from a business publication. Most corporations are actively distrustful of, if not hostile toward, their IT departments. It's a not entirely rational idea which, for instance, drives much of the fervor for outsourcing. The business computing press, which should know better, expresses this point of corporate ideology by confusing cracking with hacking.
Post-dot-com-boom, management believes that hackers in the original sense of the word are bad, so why not conflate them with crackers? They're bad, too.

The off-with-their-heads brigade is balanced, if that's the word, by the unlocked-doors-are-an-invitation-to-enter crowd. Here's brian d foy, writing here in his weblog:

"...They weren't being sneaky or trying to get information on anyone else other than themselves.

"The information each student needed to get to the application status was gladly given to them by the web pages they were already allowed to view. I don't see any "hacking" here.

"Harvard Business School calls this "unethical". Most businesses would call it "resourceful", but that's just another way schools and reality diverge..."

How can you say someone isn't being sneaky who is trying to get information before it's been officially released? Who is using a hack (not much of one, granted) to peek at information they aren't supposed to have? The anthropomorphism of "gladly given to them by the web pages" (web pages aren't glad--that's human) hides the underlying issue that the people in charge of admissions information--which is information about both the student and the university, so the students were not just looking for information about themselves--intended for the students not to have that information at that time. The university personnel involved weren't a bit glad.

As for businesses calling this "resourceful", I'm thinking about what would happen at, say, a telecom company where a "resourceful" employee took deliberately separated data and reporting about, say, local service and long distance service, and then aggregated them to get sales leads. That would be resourceful as long as no one knew about it, but once the FCC realized that information which, by law, is not supposed to be aggregated had been, the consequences could be substantial. We're talking millions of dollars in penalties here.

So, back to that sense of proportion.
What these applicants did was wrong. It's just not so wrong as to be a disqualification. What they did wasn't that different from what I do when I get a malformed URL to a news site--if I feel it's justified, I poke around by altering the URL and seeing whether I can find what I'm looking for. What's accessible on a public server is probably intended for public viewing, and trying to find that isn't unreasonable--I'd even call it resourceful. In this case, though, the applicants who peeked were consciously trying to find out information they knew (or should have known) was intended not to be public.

What would be proportionate? Well, what are the universities doing internally to the people responsible for the information leak? Are they firing directors of admission? Are they terminating contracts with ApplyYourself, or suing them for exposing private information? If so, then perhaps rejecting otherwise qualified applicants is fair. Are they doing so? If they are, I haven't heard about it.

Are there "lessons learned" sessions for university employees who contributed to this screwup? There should be--and perhaps the applicants who peeked should be a part of those sessions. Maybe they should have to show up for school a few days early and spend some time living in the real world (ha!) of meetings and get their head cheese processed. That's more reasonable, more fair than outright rejection.

The admissions departments might learn something about proportion from this process, as well. At prestigious schools, the admissions process has been turned into a circus. (Again, this comes down to corporate ideology, this time intruding itself into academia.) The process of admissions is deliberately and unnecessarily mystified, and some brave university that hasn't yet been stampeded into Fudd-like "Kill the wabbit hacker student!" reaction should take this as a wake-up call to make admissions more transparent.
If Empire State decides in January that it might be best not to admit both Reed Richards and Victor von Doom, and that, as von Doom is a legacy student, Richards needs to make do with MIT, then what is the point of making Richards wait until April to hear about it? Mystique, hoopla, and branding--that's all. There's no educational purpose served by stretching things out--it's inter-university corporate gamesmanship, the educational equivalent of what I saw succinctly described on Slashdot as "marketecture".

Universities should also examine whether the corporate ideology that drives much outsourcing in business is affecting their decisions about outsourcing, say, parts of the admissions process. Is it really necessary to have a company handle your admissions for you? Is it an appropriate way to deal with sensitive information? Mightn't that be better handled in-house? Or through a cooperative effort among universities? Perhaps an open-source system for handling admissions, peer-reviewed with security and privacy in mind, might be in the interest of both the universities and the applicants.

What the applicants who peeked did was wrong--no security model doesn't mean no obligation to act ethically--but the greater wrong was committed and the greater harm done by those who allowed confidential information to be exposed, and there's where the primary obligation to act, to repent, to reform lies.

------ End of Forwarded Message