more on good piece on MIT says it won't admit hackers

[David Farber <dave () farber net>]

------ Forwarded Message
From: Mary Shaw <mary.shaw () gmail com>
Reply-To: Mary Shaw <mary.shaw () gmail com>
Date: Fri, 11 Mar 2005 13:12:28 -0500
To: <dave () farber net>
Subject: Re: [IP] MIT says it won't admit hackers

Dave,

Four things are being confounded here:
1. Was it hacking?
2. Was it unethical?
3. If it was unethical, what should the B-schools do about it?
4. Should the B-schools and ApplyYourself have had better security?


With respect to hacking, it is conceivable that the original discovery
of the loophole was a hack, but saying that someone else who followed
the instructions was hacking dilutes the meaning of "hacking" beyond
all reason.  Incidentally, the defense "they were doing <who?> a favor
by revealing the vulnerability" holds absolutely no water for the
applicants who exercised the loophole and only holds a very tiny
amount of water for the discoverer, who should have told ApplyYourself
instead of the applicants

With respect to ethics, I haven't seen enough information to say.  Was
there, for example, a clear statement that decisions are embargoed
until some date? Was there something in the user agreement or terms of
service of ApplyYourself or of each school's application that
restricted applicants from messing around on the site?  Following
convoluted instructions to construct a URL that provides information
before a clearly announced release date seems to me to be over the
edge, but I don't have all the information. The analogies to offices
that are only casually secured are on point.  So, based on what I know
at the moment, maybe.

With respect to whether B-schools should consider ethical misbehavior
in evaluating applications, I think the answer is clearly "yes". Do we
really want students who think it's OK to try to get the national
economic data in advance of its release date? who think it's OK to
hunt around corporate web sites for insider information? who think
it's OK to hunt around university web sites for early access to copies
of exams? The argument that they gained no advantage from peeking is
neither convincing (some said they were positioning themselves in
their current jobs based on the information) nor compelling (is
prurient interest more noble than personal advantage?).

So, if innocent browsing could get you to the information, the
B-schools are over-reacting.  On the other hand, if the process was
advertised by a known hacker, was sufficiently convoluted to be
unreasonable, and clearly circumvented published policies (let alone
user agreements), then the B-schools are doing the right thing. This
being the Real World, the situation probably isn't quite that clear.

The argument that rejecting unethical applicants will reduce the pool
of smart students seems to be based on the assumption that sheer
smartness or cleverness should be the only criterion for selecting
students.  The suggestion that B-schools should only reject unethical
applicants if they revoke degrees for transgressions after graduation
assumes a symmetry that simply doesn't exist: Admissions decisions are
trying to select the best raw material for the program so that the
program can produce the best graduates -- and the degree is a
certification at a point in time, not a guarantee of future behavior
(in other words, schools should try to select their inputs but the
only control they have over the outputs is through what they instilled
during the program).

With respect to whether the B-schools and ApplyYourself should have
had better security, of course they should. I haven't seen clear
indications of whether this was a design error or an operational error
(some bit accidentally got unset).  Much of the criticism has assumed
it was a design error. But B-school admissions are seeking candidates
who can be expected to become responsible professionals, and it's no
more reasonable to blame ApplyYourself for not being absolutely secure
than it would be reasonable to post armed guards at the door to the
office where the admissions paperwork is stored.

Mary

------ End of Forwarded Message

-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/