Interesting People mailing list archives

A Sense of Proportion


From: David Farber <dave () farber net>
Date: Sat, 12 Mar 2005 11:04:18 -0500


------ Forwarded Message
From: John Adams <jadams01 () sprynet com>
Date: Fri, 11 Mar 2005 23:22:29 -0600
To: <dave () farber net>
Subject: For IP: A Sense of Proportion

Hi, Dave,

 The "hacking" story has certainly brought out some strong
opinions--here's what I wrote earlier today, responding to brian d
foy's piece: http://www.oreillynet.com/pub/wlg/6631 There's better
formatting in my original post: http://www.oreillynet.com/pub/wlg/6648

A Sense of Proportion

That's what's missing in the brouhaha about college applicants who took
advantage of poor security to peek at confidential information.

In one corner, we have overwrought commentary, like this gem from
Patricia Keefe, editor of Information Week:

     "Hacking isn't just wrong, it's a crime. As noted by MIT dean
Richard Schmalensee, the students who peeked made a conscious decision
to do so and invested the necessary time. Their self-interest trumped
their personal ethics. And that's what this incident really turns on.
The last thing we need in this country is more unethical people coming
out of business schools. Haven't we learned anything from the last two
years of corporate debauchery and scandal?...

     "If these schools don't take a stand now, to what standard will
they later hold these students? If these schools really believe ethics
is a serious matter, then they need to reject the students who hacked."


If what those students unwisely did was criminal, then the universities
should be prosecuting them. They aren't.

It's even a stretch to call what the students did hacking, but that's
to be expected from a business publication. Most corporations are
actively distrustful of, if not hostile toward, their IT departments.
It's a not entirely rational idea which, for instance, drives much of
the fervor for outsourcing. The business computing press, which should
know better, expresses this point of corporate ideology by confusing
cracking with hacking. Post-dot-com-boom, management believes that
hackers in the original sense of the word are bad, so why not conflate
them with crackers? They're bad, too.

The off-with-their-heads brigade is balanced, if that's the word, by
the unlocked-doors-are-an-invitation-to-enter crowd. Here's brian d
foy, writing here in his weblog:

     "...They weren't being sneaky or trying to get information on
anyone else other than themselves.

     "The information each student needed to get to the application
status was gladly given to them by the web pages they were already
allowed to view. I don't see any "hacking" here.

     "Harvard Business School calls this "unethical". Most businesses
would call it "resourceful", but that's just another way schools and
reality diverge..."


How can you say someone isn't being sneaky who is trying to get
information before it's been officially released? Who is using a hack
(not much of one, granted) to peek at information they aren't supposed
to have?

The anthropomorphism of "gladly given to them by the web pages" (web
pages aren't glad--that's human) hides the underlying issue that the
people in charge of admissions information--which is information about
both the student and the university, so the students were not just
looking for information about themselves--intended for the students not
to have that information at that time. The university personnel
involved weren't a bit glad.

As for businesses calling this "resourceful", I'm thinking about what
would happen at, say, a telecom company where a "resourceful" employee
took deliberately separated data and reporting about, say, local
service and long distance service, and then aggregated them to get
sales leads. That would be resourceful as long as no one knew about it,
but once the FCC realized that information which, by law, is not
supposed to be aggregated had been, the consequences could be
substantial. We're talking millions of dollars in penalties here.

So, back to that sense of proportion. What these applicants did was
wrong. It's just not so wrong as to be a disqualification.

What they did wasn't that different from what I do when I get a
malformed URL to a news site--if I feel it's justified, I poke around
by altering the URL and seeing whether I can find what I'm looking for.
What's accessible on a public server is probably intended for public
viewing, and trying to find that isn't unreasonable--I'd even call it
resourceful. In this case, though, the applicants who peeked were
consciously trying to find out information they knew (or should have
known) was intended not to be public.

What would be proportionate?

Well, what are the universities doing internally to the people
responsible for the information leak? Are they firing directors of
admission? Are they terminating contracts with ApplyYourself, or suing
them for exposing private information? If so, then perhaps rejecting
otherwise qualified applicants is fair. Are they doing so? If they are,
I haven't heard about it.

Are there "lessons learned" sessions for university employees who
contributed to this screwup? There should be--and perhaps the
applicants who peeked should be a part of those sessions. Maybe they
should have to show up for school a few days early and spend some time
living in the real world (ha!) of meetings and get their head cheese
processed. That's more reasonable, more fair than outright rejection.

The admissions departments might learn something about proportion from
this process, as well. At prestigious schools, the admissions process
has been turned into a circus. (Again, this comes down to corporate
ideology, this time intruding itself into academia.) The process of
admissions is deliberately and unnecessarily mystified, and some brave
university that hasn't yet been stampeded into Fudd-like "Kill the
wabbit hacker student!" reaction should take this as a wake-up call to
make admissions more transparent.

If Empire State decides in January that it might be best not to admit
both Reed Richards and Victor von Doom, and that, as von Doom is a
legacy student, Richards needs to make do with MIT, then what is the
point of making Richards wait until April to hear about it? Mystique,
hoopla, and branding--that's all. There's no educational purpose served
by stretching things out--it's inter-university corporate gamesmanship,
the educational equivalent of what I saw succinctly described on
Slashdot as "marketecture".

Universities should also examine whether the corporate ideology that
drives much outsourcing in business is affecting their decisions about
outsourcing, say, parts of the admissions process. Is it really
necessary to have a company handle your admissions for you? Is it an
appropriate way to deal with sensitive information? Mightn't that be
better handled in-house? Or through a cooperative effort among
universities? Perhaps an open-source system for handling admissions,
peer-reviewed with security and privacy in mind, might be in the
interest of both the universities and the applicants.

What the applicants who peeked did was wrong--no security model doesn't
mean no obligation to act ethically--but the greater wrong was
committed and the greater harm done by those who allowed confidential
information to be exposed, and there's where the primary obligation to
act, to repent, to reform lies.

------ End of Forwarded Message

