Interesting People mailing list archives
IP: Princeton Admissions office hacks into Yale Admissions list
From: Dave Farber <dave () farber net>
Date: Mon, 29 Jul 2002 18:48:14 -0400
-----Original Message-----
From: "Rich Wiggins" <wiggins () msu edu>
Sent: 7/29/02 10:36:20 AM
To: "Dave Farber" <dave () farber net>
Subject: Princeton Admissions office hacks into Yale Admissions list

Dave,

Last week a story broke about the Admissions office at Princeton breaking into the database that shows prospective Yale students whether they were admitted or not. This was trivial because the Yale signon only required the applicant's Social Security Number and date of birth for authentication. Since Princeton required the same information, they could check on any applicant they surmised had applied both places.

The Princeton director claimed that he did this only to check out security on the Yale site. But a Washington Post article says that the same applicant was checked on multiple times, and that it appears that President Bush's niece as well as the grandson of Notre Dame coach Ara Parseghian were checked.

http://www.washingtonpost.com/wp-dyn/articles/A7815-2002Jul26.html

Of course this story makes Princeton look bad, though they are coming down hard, having placed the director on leave and issued a strong statement. But it also makes everyone look bad:

-- Yale's database used weak authentication. They should've assigned an ID/PW or a random PIN to each new applicant. Web merchants have had the protocol right for years now. They opened themselves up to this sort of attack -- and not only from other universities, but any unscrupulous staff member at a credit card provider, bank, hospital, etc.

-- Yale's database notified students of admission in a rather childish way, it seems. The first time you logged in, if you were admitted, you saw fireworks. If you logged in again later, you didn't see the fireworks. Thus if Princeton looked you up you didn't get the happy treatment.

Yale has turned this over to the FBI.

Whether or not there's a prosecution, the important point here is not what Princeton did to Yale, but rather what Princeton did to the privacy of prospective students. The Admissions staff could've used the same information to change an applicant's address and apply for a credit card -- "to test security".

/rich

For archives see: http://www.interesting-people.org/archives/interesting-people/
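The message's point about SSN plus date of birth versus an assigned random PIN, as an added example that is not part of the original message or of either university's system. The applicant ID, the sample record, the `weak_login` and `PinStore` names, the PBKDF2 iteration count and the lockout threshold are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; the SSN uses the never-issued 000 area number.
APPLICANTS = {"A1001": {"ssn": "000-12-3456", "dob": "1984-03-14"}}


def weak_login(ssn, dob):
    """Scheme described in the message: identity data doubles as the password,
    so any party that already holds the same data authenticates as the applicant."""
    for app_id, rec in APPLICANTS.items():
        if rec["ssn"] == ssn and rec["dob"] == dob:
            return app_id
    return None


class PinStore:
    """Per-applicant random secret, kept only as a salted, slow hash."""

    MAX_FAILURES = 5  # illustrative lockout threshold

    def __init__(self):
        self._rows = {}  # app_id -> [salt, digest, consecutive failures]

    @staticmethod
    def _hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

    def issue(self, app_id):
        # 12 random bytes (96 bits); delivered to the applicant and nobody else.
        pin = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self._rows[app_id] = [salt, self._hash(pin, salt), 0]
        return pin

    def login(self, app_id, pin):
        row = self._rows.get(app_id)
        if row is None or row[2] >= self.MAX_FAILURES:
            return False  # unknown applicant or locked out
        ok = hmac.compare_digest(self._hash(pin, row[0]), row[1])
        row[2] = 0 if ok else row[2] + 1
        return ok
```

The secret in `PinStore` is unrelated to anything on the application form, so a second institution holding the same SSN and birth date gains nothing from it.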