Business-School Applicants, Under Cover of Anonymity, Dispute'Hacker' Label

[David Farber <dave () farber net>]

> From 




Dave,

We have an article today about the business-school 'hackers' that I
thought might interest your readers. I'm attaching below.

-Jeff Youngjeff.young () chronicle com


Friday, March 11,
2005

Business-School Applicants, Under Cover of Anonymity, Dispute
'Hacker' Label
By DAN CARNEVALE

Business-school applicants who tried to sneak early peaks at their
admissions status online are sniping anonymously at Harvard University
and two other institutions, saying administrators have overreacted by
labeling the applicants hackers and denying admission to all of them.
Their claims are winning them some support, although not from
business-school officials.
By Thursday the applicants had achieved an unusual kind of
notoriety, as bloggers, professors of ethics, and other members of the
professionally opinionated classes debated whether breaking into the
business schools' online admissions systems was really wrong -- and if
so, how wrong. 
The applicants in question include more than 200 individuals who had
applied online to six business schools and then tried last week to
skirt the admissions systems' security after someone posted
instructions on a forum on Business Week's Web site explaining
how to do it (The Chronicle,
March 4). 
Carnegie Mellon University, Harvard University, and the
Massachusetts Institute of Technology said that they knew which of
their applicants had tried to break into their computer systems, and
that none of those applicants would be admitted. Carnegie Mellon had
two applicants attempt to sneak into the system; Harvard, 119; and MIT,
32. 
The other three institutions -- Dartmouth College, Duke University,
and Stanford University -- are still debating what action to take
against the applicants they caught trying to preview their admissions
status. All six of the institutions were using the same commercial
online-application software, licensed by ApplyYourself Inc. Programmers
at the software company patched the security flaw about nine hours
after the hacker posted the instructions to the online forum.
One of the Harvard applicants, who asked to remain anonymous, said
in an interview on Thursday that although he now sees that what he did
was wrong, he wasn't thinking about that at the time -- he just
followed the hacker's posted instructions out of curiosity. And, he
said, he doesn't consider what he did to be "hacking," because even
somebody with his novice computer skills could easily follow the posted
instructions. 
"I'm not an IT person by any sense of the imagination," he said.
"I'm not even a great typist."
After he found out that Harvard was looking into the situation, he
wrote the university a letter to apologize. "I admitted that I got
curious and had a lapse in judgment," he said. "I pointed out that I
wasn't trying to harm anyone and wasn't trying to get an advantage over
anyone." 
Although he will be denied admission to Harvard Business School, he
said he had been accepted by another top school.
According to the posted instructions, obtained by The Chronicle,
an applicant had to log into the admissions system using his or her
name and password and then view the source code of the Web page to find
a unique identification number. The applicant then had to add that ID
number to a URL provided by the hacker. Whatever information was in the
applicant's file then appeared.
Len Metheny, chief executive officer and president of ApplyYourself,
said the applicants should have known, simply by how complicated the
procedure was, that they were gaining access to something they were not
supposed to see. 
"These students used this procedure that was posted by a
self-identified hacker himself to get unauthorized access to an
otherwise restricted page," Mr. Metheny said in an interview on
Thursday. "That is wrong."
But Richard M. Smith, an Internet security and privacy consultant
based in Boston, said what the applicants did hardly qualified as a
"hack." He said it is not uncommon for people who are familiar with the
Internet to check a Web site's source code to see what is available.
"Since I go through source code a lot, you're probably asking the wrong
guy," he said. "I wouldn't characterize what they were doing as hacking
into the Web site."
The applicants should have known better, he said, but he thought the
applicants hadn't done anything seriously wrong, especially since they
couldn't change anything in their files or view anybody else's
information. 
"I don't think the applicants are blameless here," Mr. Smith said.
"I think they did cross the line, but I think the punishment is a
little harsh." 
Harvard officials referred to a previously released written
statement by Kim B. Clark, dean of the Harvard Business School. Any
applicant who tried to look up his or her information, the statement
said, "will not be admitted to this school."
It continued: "Our mission is to educate principled leaders who make
a difference in the world. To achieve that, a person must have many
skills and qualities, including the highest standards of integrity,
sound judgment, and a strong moral compass -- an intuitive sense of
what is right and wrong. Those who have hacked into this Web site have
failed to pass that test."
Another Harvard applicant, who also wished to remain anonymous, said
he knew he had made a poor judgement call. But he said he was offended
by having his ethics called into question.
"I had no idea that they would have considered this a big deal," he
said. "The attacks that Harvard has been putting out are ludicrous."
One poster on the Business Week forum who identified himself
as "GaelicPrice" said he had applied to Harvard's business school and
had given his wife access to his admissions Web account. According to
his post, his wife found the instructions and tried to check whether
her husband was accepted -- and didn't tell him until the next day.
"I'm really distraught over this," the post said. "My wife is
tearing her hair out. Honestly HBS has dropped several notches in my
eyes."

Copyright © 2005 by The
Chronicle of Higher Education


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/