Politech mailing list archives

FC: Princeton admissions officers "hack" into Yale computers


From: Declan McCullagh <declan () well com>
Date: Fri, 26 Jul 2002 01:58:59 -0400

Bonus question: Did this unauthorized access violate the Computer Fraud and Abuse Act? (http://www4.law.cornell.edu/uscode/18/1030.html)

---

To: declan () well com
Subject: Security of student admissions decisions
Date: Thu, 25 Jul 2002 12:11:01 -0400 (EDT)
From: Tony Engel <tengel at pobox dot com>

Hi Declan,

Here is an interesting article that you might want to share on Politech about
Princeton admissions officers (illicitly) accessing student admission decisions
on Yale computer systems.

Essentially the Princeton employees "impersonated" the students in question by
using their SSN and birthdate information to log on as them in the Yale system.
Clearly not a very good way to secure sensitive information, but one also
wonders what the Princeton employees thought they were doing...

http://www.yaledailynews.com/article.asp?AID=19454

Thanks!
Tony Engel

P.S. Please mask my email address (tengel at pobox dot com is fine) if you
choose to share this story.

---

From: "Richard M. Smith" <rms () computerbytesman com>
To: <declan () well com>, "'Richard M. Smith'" <rms () computerbytesman com>
Subject: Princeton accused of Ivy League hacking
Date: Thu, 25 Jul 2002 22:54:05 -0400

Hi Declan,

I guess that everyone is into "hacking" these days.  The security
problem talked about in the CNN article is something that is possible
all over the Internet.  If I create an account at Web site "A" with a
username and password, an employee at this Web site can check Web sites
"B", "C", and "D" to see if I've used the same username/password
combination at these other sites.

In this case, Princeton had people's names, birthdates, and SSNs from
Princeton applications and probably tried them at the Yale Web
site.  If the story is true, it would be interesting to know what
Princeton did with the data.  If Yale accepted someone, then would
Princeton also accept them or would they reject them?

Richard M. Smith
http://www.ComputerBytesMan.com


Princeton accused of Ivy League hacking
http://www.cnn.com/2002/US/07/25/yale.princeton/index.html

NEW HAVEN, Connecticut (CNN) -- Princeton University admissions
officials gained unauthorized access to a Web site at rival Yale
University containing personal information about applicants to the Ivy
League school, according to officials at both institutions.

Information on 11 applicants was accessed during 18 unauthorized log-ins
to the site by Princeton officials, a Yale official told CNN. The
log-ins were traced to computers in Princeton's admissions office.

...

The Web site, launched in December, allowed prospective Yale students to
find out whether they had been accepted to the school. They could access
the site with their names, birth dates and Social Security numbers.



-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------

