Security Education

Harvard Business School: You Peek, You Lose

mosel-saar-ruwer writes "Seems Harvard Business school was using the ApplyYourself web service to process applications. Sometime in the last few days, an anonymous hacker, known as 'brookbond', was able to crack the system, and discovered that Harvard had already posted acceptance letters to the website fully a month before they were to be mailed to their recipients. He posted instructions on how applicants could view their letters at the BusinessWeek forums, and approximately 119 applicants followed his advice. Today, the dean of the Harvard Business School, one Kim Clark, announced that none of the 119 would be admitted: 'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'"

  • Deserved (Score:5, Insightful)

    by BWJones ( 18351 ) * on Tuesday March 08, 2005 @08:05PM (#11883156) Homepage Journal

    Wow. So even though only one person actually did the hard work of figuring out how to hack into the site, 119 other individuals figured they too should follow the directions to hack in and learn the results. Harvard (rightly so) decided to not admit any of the 119 even though some of them possibly were initially accepted. Is this a response to some of the unethical and deceptive practices that have been rampant in the business world (i.e. Worldcom, Enron, pick your fav.) of late? Perhaps, but this is especially important in that much of business school (especially in ivy league schools) is about establishing relationships and connections. Do we want a bunch of ethically challenged folks getting to know one another in Harvard business school? I think not. In light of many of the current scandals in the business world, I would like to believe that schools do pay attention to these issues and perform some filtering at the front end rather than filtering or correcting during the educational process. After all, there are some things that cannot be taught. By the time one applies to business school, patterns of behavior are fairly well entrenched and behavioral correction of things we were supposed to learn in kindergarten is not the business school's responsibility.

    It would be interesting to find out what their stories are. Why did they do it and what were they possibly thinking? Do they believe they should be blacklisted?

    It should also be noted that Harvard was not the only school affected by this hack. Other business schools (MIT, Stanford, Carnegie Mellon and Duke) were also compromised and I would encourage those schools to adopt the same actions as Harvard in this case.

    • Re:Deserved (Score:5, Interesting)

      by Surt ( 22457 ) on Tuesday March 08, 2005 @08:16PM (#11883279) Homepage Journal
      And did any clever students log on and check their competitor's applications in the hope of getting them blacklisted and their own applications accepted?
      • Re:Deserved (Score:5, Informative)

        by Pastis ( 145655 ) on Tuesday March 08, 2005 @08:22PM (#11883353)
        From the article:

        Metheny also noted that individuals could only access their own personal admissions responses--not those of other applicants.
        • Re:Deserved (Score:5, Insightful)

          by anon* ( 637224 ) <slashdot@b[ ]karma.com ['aud' in gap]> on Tuesday March 08, 2005 @08:37PM (#11883506) Journal
          And of course, they can't access their own personal response before... oh wait, they can.

          Last week, Metheny would have told you that his company's site was totally secure. This week, he's telling you that yeah, it got hacked, but individuals could only access their own stuff. And of course, he's totally sure about this.

          Check back next week, though.

          • Re:Deserved (Score:3, Interesting)

            by iminplaya ( 723125 )
            Honeypot? Hope so. Maybe it was the final phase of admission. Very good way to check on the moral well being of your applicants. It might save us all trouble if we can keep these types out of the boardroom. Start by keeping them out of the classroom. We don't want them to contaminate the rest of the class. Please don't vote for any of them if they happen to run for political office. They sound like perfect candidates.
            • Re:Deserved (Score:5, Interesting)

              by PopCulture ( 536272 ) <PopCulture.hotmail@com> on Wednesday March 09, 2005 @01:11AM (#11885447)
              from my understanding (based on other posts), the compromised information was served up via url manipulation.

              sorry, if I can crawl a site obeying robots.txt and using MY OWN ACCOUNT to get that info, it's not a crime.

              Amazing for some reason, rather than tarnish Harvard's reputation (imagine if this were a banking institution!!!), they turn it around and crucify the applicants (not saying they don't deserve it, but still...)

              Where exactly is the accountability? And why does Harvard get a free pass? If this were the University of Phoenix we'd all be laughing... I sense some degree of hypocrisy here...
        • This sounds like a nice way to make people shut up and not brag about the fact that they got the info.

          Reminds me of when I was at school. Something got stolen. The cops were called and everyone was taken out of class. They said: "We know who stole the [whatever]. We're giving you a chance to own up and be a man about it." Of course they didn't know, nobody owned up and nobody got bust....

    • Re:Deserved (Score:5, Interesting)

      by puck01 ( 207782 ) * on Tuesday March 08, 2005 @08:23PM (#11883362)
      Harvard (rightly so) decided to not admit any of the 119 even though some of them possibly were initially accepted.

      I agree with you in principle. My problem with this decision is that it probably assumes that if an individual acceptance letter was looked up, that person was guilty. What if it was my sister that had applied and I happened to read about the hack. I may have decided to follow through with it to look her up without even mentioning it to her prior to doing so. I doubt this is the case for most, but I would bet something like this did happen to several of these people. I think it would be unfair to potentially punish innocent bystanders.
    • Re:Deserved (Score:5, Insightful)

      by Anonymous Coward on Tuesday March 08, 2005 @08:26PM (#11883392)
      Maybe I'm ethically challenged and should have failed that class, rather than get an A, but please tell me why seeing your own acceptance letter before it is mailed is unethical.

      From a Utilitarian point of view it may improve everyone's quality of life (immeasurably small though) by preventing you from needlessly wasting resources applying to other schools. But looking at your own acceptance letter harms no one. From a deontological point of view, it does not cause others to not be able to see their own results (although Harvard's overreaction to it may).

      One might try to argue that it is counter to rule utilitarianism, but since the prohibition to see your own enrollment status is not based on utilitarian principles, it is not.

      I think the lack of ethics in the business world has a lot to do with the schools themselves not knowing the difference between ethics and rules. Just because something is against the rules does not mean that it is unethical; just because something is within the rules (or won't be caught) does not make it ethical.
    • Re:Deserved (Score:4, Interesting)

      by myheroBobHope ( 842869 ) on Tuesday March 08, 2005 @08:27PM (#11883413) Homepage Journal
      I've waited in pain for letters of acceptance/denial from school, and I know how these people felt. I understand these people's actions, and empathize with them. However, let's look at this from a moral/ethical standpoint: First, let's define Unethical as causing (potential) harm to others. This is fairly broad, and covers a large scope of actions. Now, let's look at their actions: They viewed their OWN status, and were informed, possibly, if they had been accepted or denied a month ahead of time. Now, where is the harm? They knew ahead of other people. Great, this means they can plan on going or not going to Harvard and plan accordingly, thus clearing up or closing out spaces on waiting lists for other business schools. This in turn helps other people on waiting lists, because they know their status on the waiting list sooner. Or they do nothing with the information and wait for it in the mail. I don't really see any harm or ethical violations. The people simply found out information ahead of time that harmed no one.
      • Re:Deserved (Score:3, Insightful)

        by temojen ( 678985 )
        But you see, in business school you're supposed to know that anything within the rules or that you won't be caught doing is ethical, and that anything that's outside the rules and that you'll be caught for is unethical. Business ethics has nothing to do with any concept of Harm, Benefit, or intention.
      • Re:Deserved (Score:3, Insightful)

        by mbrother ( 739193 )
        Let's go one further. Harvard fucked up twice here. They apparently made their decisions a month early and didn't share them in a timely manner. Perhaps there are good reasons for that, perhaps not. But they also used an insecure system. I mean, if they left a list posted in a closet somewhere, and people found out about it, who is to blame? The people who look, or the person who put the list in the closet? I think Harvard is going on the offensive here to cover up their own error, and I think it kin
      • Re:Deserved (Score:3, Insightful)

        by Fortran IV ( 737299 )
        I don't really see any harm or ethical violations. The people simply found out information ahead of time that harmed no one.

        So cheating on your wife is ethical, so long as she never gets hurt? You can sleep around all you want, as long as your wife never finds out and you never bring any diseases home and your girlfriends never go Fatal Attraction?

        Ethics isn't about who gets hurt. Ethics is about doing the right thing the right way--

        even when you don't have to.

        I've lied, I've cheated, I've st

      • Re:Deserved (Score:3, Insightful)

        by GPFCharlie ( 98543 )
        The core assumption in all of the arguments saying "no harm was done" is that the status of the letters was final. Until the letter was signed, stamped, and dropped in the mail - there was no legal requirement for Harvard to accept those students, and they could change their mind for any reason.

        The same thing occurs in the business world all the time. Let's say I have a person working for me, and I put them in for a promotion. Their promotion letter goes onto a (supposedly) restricted server until approved b

    • So Quick to Judge (Score:3, Insightful)

      by serutan ( 259622 )
      Deciding who is at fault and who deserves what is a favorite online pastime, but we don't even know what it took to "hack" into the site to view the letters. Did the applicants do anything that would actually be illegal if they did it in the business world (where "ethical" seems to be synonymous with "legal")? Or did they merely do something unexpected and embarrassing?

      If the business school is run by the same types who seem to run every other part of the school system, their automatic, totally predictable
    • Re:Deserved (Score:5, Insightful)

      by zapadoo ( 807744 ) on Tuesday March 08, 2005 @08:52PM (#11883636)

      The only "ethically challenged" group we can assert and assume with any certainty is the company providing the Apply Yourself services.

      It's ethically criminal to provide a confidential service on the internet with virtually no security.

      From (almost) the horse's mouth: Noted web application developer and MIT professor Philip Greenspun [harvard.edu] notes on his Harvard weblog:

      • The ApplyYourself code had a bug such that editing the URL in the "Address" or "Location" field of a Web browser window would result in an applicant being able to find out his admissions status several weeks before the official notification date. This would be equivalent to a 7-year-old being offered a URL of the form http://philip.greenspun.com/images/20030817-utah-air-to-air/ [greenspun.com] and editing it down to http://philip.greenspun.com/images/ [greenspun.com] to see what else of interest might be on the server.
      • Someone figured this out and posted the URL editing idea on the BusinessWeek discussion forum, where all B-school hopefuls hang out and a bunch of curious applicants tried it out.

      Liable and culpable? Apply Yourself and the B-Schools who outsourced to a cheesy service provider without, apparently, commissioning even a basic security audit.

      It's of no consequence - no doubt there is at least one bright former-B-school student wannabe now contracting the services of a lawyer to sue Haavard - not for denying them access, but for allowing confidential information to be exposed to the internet. Seems to me such a suit is likely to return more than the cost of tuition to any other school in the world...

    • Re:Deserved (Score:5, Insightful)

      by AK Marc ( 707885 ) on Tuesday March 08, 2005 @09:00PM (#11883740)
      Harvard (rightly so) decided to not admit any of the 119

      Why is it "rightly so?" How is this any different from, say, calling the admissions department after the letters were sent, but before they were received to see if you were admitted? The information was published on the web site. The login given to the students was capable of opening up the page that contained their information. Just because they didn't have a link to it so you had to type it in yourself doesn't make it "hacking." They typed in a valid URL to a page they were intended to be able to view. If Harvard didn't want them looking there, they should have left the pages off or secured them until they were intended to be accessed.

      This is as stupid as turning off directory browsing and assuming that all pages not explicitly linked to elsewhere are "secure." If they want to exclude these 119 students, they should have dropped $100 bills in front of all the students and refused those that didn't return them. It seems pretty close to entrapment to me, other than Harvard did it out of stupidity, rather than malice. They accessed information they were intended to see, harming no one in the process, and were punished for it.
    • Re:Deserved (Score:3, Funny)

      by FatAlb3rt ( 533682 )
      yeah, i can't believe these students would have the audacity to do such a thing. they got what they deserved indeed.

      [meanwhile, downloading another gig of mp3s...]

    • Re:Deserved (Score:3, Insightful)

      by jangobongo ( 812593 )
      As to the blacklisting, according to this interesting article in the Boston Globe [boston.com]:
      • Clark [dean of Harvard Business School] said that rejected applicants won't be barred from reapplying in future years, but he said admissions officials would weigh the hacking incident in considering such applications. Only students expelled from the school are prohibited from reapplying, he said.

        As to the possibility of applicants sending apologies, something discussed on message boards over the weekend, Clark said: ''Whethe
  • by Skyshadow ( 508 ) * on Tuesday March 08, 2005 @08:05PM (#11883164) Homepage
    I think I speak for everyone in the business community when I say: Thank God they caught and punished these twerps.

    God knows that this sort of unethical behavior [motherjones.com] and borderline illegal practice [cnn.com] is totally out of place in our business community. Obviously, these punks are only getting what they deserve [marthastewart.com].

    Aside from that, hopefully those involved will learn a valuable life lesson from this: If you can't play by the rules, you'd better be able to run fast and catch, throw or hit a ball really well.

    PS: I wonder if any prospective students were smart enough to just look at the admission status of the *other* students... Now that would be showing the sort of sense you'd need to get to the top of corporate America.

  • Cool (Score:4, Insightful)

    by Jailbrekr ( 73837 ) <jailbrekr@digitaladdiction.net> on Tuesday March 08, 2005 @08:06PM (#11883166) Homepage
    So if I got instructions on how to read another person's acceptance letter, I could get them refused entry into Harvard?

    Right on, I've always wanted to stick it to one of those yuppy bastards.

  • by Anonymous Coward on Tuesday March 08, 2005 @08:06PM (#11883169)
    and now I will get into Harvard Business School myself!

    * evil laugh *

    oh wait, business school. shit.
  • by ackthpt ( 218170 ) * on Tuesday March 08, 2005 @08:06PM (#11883170) Homepage Journal
    'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'"

    It's take charge, independent thinkers [thecrimson.com] that the school needs in its student body. they better not revoke my admission or i'll send a teenage grrl enforcer [slashdot.org] over to smack 'em upside their heads!

  • But weren't even applying to go to Harvard?
  • Instructions? (Score:5, Insightful)

    by LurkerXXX ( 667952 ) on Tuesday March 08, 2005 @08:09PM (#11883196)
    Does anyone know how complicated the instructions were? Is there any way the people could have thought they were just accessing the site, putting in a URL with their name or whatever at the end of it, and not 'hacking' it to get information they were not allowed to have?
    • Re:Instructions? (Score:3, Interesting)

      by geoffb91 ( 448693 )
      The instructions were basically to login to the system and then change the URL in a couple places to get it to cough up a screen they were not supposed to have access to. Not something they could do by accident. Not anonymous. No way to look at data for anyone else but themselves. Not exactly hacking but really stupid!
    • Re:Instructions? (Score:5, Insightful)

      by mattOzan ( 165392 ) < vispuslo@matt3.14ozan.net minus pi> on Tuesday March 08, 2005 @08:30PM (#11883437) Homepage Journal
      According to this [blogspot.com] it was a simple form submit hack.

      And as this author also brings up, if someone tells you that personal and confidential information about your grad school application is unprotected on a public web server, would you be negligent not to check it out?

    • Re:Instructions? (Score:4, Informative)

      by TCQuad ( 537187 ) on Wednesday March 09, 2005 @12:19AM (#11885147)
      O'Reilly has an article (appropriately titled "Not linking is not security" [oreillynet.com]) which includes a link to the detailed instructions [blogspot.com] for this "hack".

      Basically, you scan the source of the page after login for your ID number and the security hash. Then you append that to your URL. The process is a whole seven steps and in the realm of nefarious hacks it's... neither.
  • How to prove... (Score:4, Insightful)

    by Libor Vanek ( 248963 ) <libor.vanek @ g m ail.com> on Tuesday March 08, 2005 @08:09PM (#11883198) Homepage
    How they want to prove that the person that looked at the "papers" was the "accepted one"... (if they didn't post it all over blogs ;-))
  • by waterbear ( 190559 ) on Tuesday March 08, 2005 @08:10PM (#11883208)
    The real culprit is the cracker who found the way in.

    I think Harvard's reaction against the 119 who followed the indicated route is pitifully excessive.

    But the 119 now have an early lesson in how certain business managers cynically deflect blame in order to save face.

    It appears to be beyond Harvard's ability to track down the cracker, so they hit out at whoever is within reach.

  • Curious (Score:5, Insightful)

    by northcat ( 827059 ) on Tuesday March 08, 2005 @08:11PM (#11883215) Journal
    Come on, they were just curious. This is too much. And Harvard should have been more careful.
    • Re:Curious (Score:5, Interesting)

      by jgalun ( 8930 ) on Tuesday March 08, 2005 @08:33PM (#11883465) Homepage
      I agree. And I think it's interesting to see how many Slashdotters, who normally rise to the defense of hackers, particularly when the hack is a really obvious hole that causes no harm to anyone, like this one, are sitting back and laughing at the people who got rejected because of this. Jesus, all the applicants did was change a URL, it's not like they used some root kit to break into Harvard's servers.

      Shit, if I try to change the URL to see if I can view my pay statement one day early at work, should I be fired for that too?
      • Re:Curious (Score:5, Informative)

        by thelen ( 208445 ) on Tuesday March 08, 2005 @09:45PM (#11884127) Homepage

        Ditto. The difference is between trying to elicit a desired response by breaking the server (like in a buffer overflow or bypassing security with a password cracker), and utilizing a well-known protocol in a normal way. HTTP is just a way of asking for information, and if you simply ask a server for something it's the server's duty to make sure it wants to honor the request.

        Beyond that, I can easily imagine someone leaping at the chance to figure out if they're going to get into their dream school. This is a major overreaction on the part of HBS.
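
Added example, not part of the thread and not ApplyYourself's code: a sketch of the server-side check the comments above describe as missing, where a decision page is gated by the handler's own ownership and release-time checks rather than by whether a link is shown. The record layout, function names, IDs and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Decision:
    applicant_id: str
    letter: str
    release_at: datetime  # official notification time


@dataclass(frozen=True)
class Session:
    applicant_id: str  # bound server-side at login, never taken from the URL


# Constructed sample records: IDs, letter text and dates are made up.
RELEASE = datetime(2005, 3, 30, tzinfo=timezone.utc)
DECISIONS = {
    "A100": Decision("A100", "decision letter for A100", RELEASE),
    "A200": Decision("A200", "decision letter for A200", RELEASE),
}

# Denied requests are recorded so early or cross-account probing is visible.
AUDIT: List[Tuple[str, str, str]] = []

Response = Tuple[int, str]


def visible_links(session: Session, now: datetime) -> List[str]:
    """Presentation layer: the decision link appears only after release.
    Hiding the link changes what is shown, not what the server will serve."""
    links = ["/application"]
    if now >= DECISIONS[session.applicant_id].release_at:
        links.append("/decision?id=" + session.applicant_id)
    return links


def get_decision_link_hidden_only(session: Optional[Session],
                                  requested_id: str,
                                  now: datetime) -> Response:
    """Weak handler: checks login and ownership, but treats the missing
    link as the embargo. A hand-typed URL is answered before release."""
    if session is None:
        return (401, "")
    decision = DECISIONS.get(requested_id)
    if decision is None or decision.applicant_id != session.applicant_id:
        return (404, "")
    return (200, decision.letter)  # release_at is never consulted


def get_decision_enforced(session: Optional[Session],
                          requested_id: str,
                          now: datetime) -> Response:
    """Hardened handler: every request is authorized on its own merits,
    however the client arrived at the URL."""
    if session is None:
        return (401, "")
    decision = DECISIONS.get(requested_id)
    # Same answer for unknown IDs and other people's records, so the
    # response does not confirm which IDs exist.
    if decision is None or decision.applicant_id != session.applicant_id:
        AUDIT.append((session.applicant_id, requested_id,
                      "not_owner_or_missing"))
        return (404, "")
    # The embargo is enforced here, in the handler, not in the page markup.
    if now < decision.release_at:
        AUDIT.append((session.applicant_id, requested_id, "before_release"))
        return (403, "")
    return (200, decision.letter)


if __name__ == "__main__":
    early = datetime(2005, 3, 8, tzinfo=timezone.utc)  # constructed date
    me = Session("A100")
    print("links shown:", visible_links(me, early))
    print("weak handler:", get_decision_link_hidden_only(me, "A100", early))
    print("enforced handler:", get_decision_enforced(me, "A100", early))
    print("audit:", AUDIT)
```
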

  • by peter303 ( 12292 ) on Tuesday March 08, 2005 @08:11PM (#11883217)
    One concern was classmates or relatives checking out the applicant. That would be unfair to the applicant. However, the article in Harvard Crimson seems to indicate that at some point you had to log in with a password. So only the applicant or spouse would have done it then.

    The webserver probably could have recorded an IP address with each access, and many of those can be geographically verified. However, this would still have the problem of someone other than the applicant checking.
  • Makes you wonder. (Score:5, Insightful)

    by Telastyn ( 206146 ) on Tuesday March 08, 2005 @08:13PM (#11883242)
    If ethics was so important, how come it wasn't tested for in the actual application process?
  • by peter303 ( 12292 ) on Tuesday March 08, 2005 @08:14PM (#11883249)
    Stanford Business School said it had 42 illegal accesses. However, Stanford's initial position is to ask the applicants who accessed to identify themselves. I wonder if they are making forgiveness for honesty, because like Harvard, they know exactly where the accesses occurred.
  • by sailforsingapore ( 833339 ) <sailforsingapore@gmail.com> on Tuesday March 08, 2005 @08:16PM (#11883273) Homepage
    ...to spite their face. Harvard just rejected 119 of the most qualified business school bound students in the country. They will go to other, arguably equal, business schools, while Harvard will take on 119 lesser qualified applicants to fill its vacancies. What schmucks...
    • Essentially what Harvard did here was to apply a filter that discriminates against people with Internet technical skills. A pretty weak filter, granted, but you have to have a little something on the ball to find and paste together significant fields from multiple URLs.

      We have enough trouble with lack of Internet savvy in American business management as it is.
  • by TractorBarry ( 788340 ) on Tuesday March 08, 2005 @08:16PM (#11883276) Homepage
    Begorrah ! The ones who knew enough to find the "swag" on a relevant website are the ones who should be first in the queue to be admitted. After all they're the ones with the acumen.

    Ho hum... Just goes to show that if you play by the rules you'll get by by the rules (and if you play them well enough you'll "shine") But you'll never discover anything truly new :)

    Mind you having said that... if you do discover something truly new, once you try to tell somebody, the rest of society will think you're mad and burn you at the stake. "This heretic says the Earth revolves around the sun... burn the witch..."
  • by peter303 ( 12292 ) on Tuesday March 08, 2005 @08:16PM (#11883278)
    Would he have said "you're fired" or "you're hired" for this display of ingenuity?
  • by NoMercy ( 105420 ) on Tuesday March 08, 2005 @08:18PM (#11883300)
    Why is a university holding back acceptance letters for a whole month after they've already finalised the list :/
  • by DAldredge ( 2353 ) <SlashdotEmail@GMail.Com> on Tuesday March 08, 2005 @08:21PM (#11883348) Journal
    This is the same school that teaches it is ok to fire workers who have worked at a company for 10-20 years so the execs can make 5% more on their stocks by moving factories overseas. They also fail to teach what the words 'long term outlook' means to all these future ceo's.

    HBS need to face the fact that when you train people who have no morals that you will attract people with no morals.
  • by fred fleenblat ( 463628 ) on Tuesday March 08, 2005 @08:27PM (#11883402) Homepage
    Seems like the school bears some responsibility for outsourcing the acceptance letters to an easy-to-hack site. The cynic in me tells me that half the reason they are coming down so hard on the students is to divert attention from their own security failure.
  • I see... (Score:5, Insightful)

    by Anonymous Cowpat ( 788193 ) on Tuesday March 08, 2005 @08:27PM (#11883406) Journal
    Someone hacked into our server and posted the details of how to replicate it to the rest of the world. We're now embarrassed, who can we lash out against?
    Ah! the people who we can actually hurt without going to court or having to get law enforcement involved, the 119 18-year-olds who were on tenterhooks to know if they'd been accepted and really couldn't contain themselves to wait another entire month when we'd already made the decisions.
    In fact, if I understand from my rather hazy sources US law enforcement won't get involved unless the crime has cost $5000 (I could be way off here though, I didn't get this from an authoritative site), so, since they're out the only other option to lash out and save face would be to sue, which is expensive when you can just ruin 119 kids' futures. Of course, doubtless it will end them up in court...
    The ethics point isn't particularly strong, these are 18 year olds who want to know if their chosen college has accepted them and they find out that the decisions have been made and the letters written a month before they'll get them otherwise. The fact that they followed some instructions posted online to find some 'hidden' files reflects little on their ethics in the future - I spent hours in school trying to get into every nook & cranny of the systems (which the admin had tried to lock down) using as many non-invasive/aggressive methods as I could find. Does that make me unethical? no. I did it entirely as an academic exercise to see how well locked down the systems were, would it have been unethical to find out information about me that the school held but didn't want to tell me? no, not in my opinion.

    This seems to be the university lashing out against someone to save face. That 'someone' being the people who have least blood on their hands (out of the people actually involved) and who the university feels that it can get away with stomping on the easiest.
    • Re:I see... (Score:3, Interesting)

      by Dirtside ( 91468 )
      I was under the impression that business school applicants already have bachelor's degrees, and sometimes other advanced degrees. I don't think any of the people involved were 18 years old. Harvard Business School's admission requirements [hbs.edu] page lists "Self-reported transcripts from all undergraduate and graduate academic institutions attended (full- or part-time)". The implication of this and other statements is that you're expected to have prior degrees or work experience, or both. I doubt anyone is goi
  • by Pastis ( 145655 ) on Tuesday March 08, 2005 @08:29PM (#11883427)
    Actually this is part of the entry class of low level physics titled: you can't observe stuff without affecting it.

    By looking inside the box, they changed the content!

    And with regard to exclusion, they could have at least given them a second chance, maybe with some punishment (like a work camp or something, and select only the 30 first). I thought that this was the land of the second chance.

    School is about education. What did they learn? That they got screwed up after doing something that affected no one else?

    Am I the only one to think like that?
  • by oopy_-_ ( 32174 ) on Tuesday March 08, 2005 @08:31PM (#11883447)

    As a current Harvard MBA student and long-time /. reader, it's worth pointing out that these applicants didn't "hack" anything. They got instructions (now deleted from the BW forums) that if you took your login hash, appended it to a URL at the ApplyYourself, you could see the decision letter on your file, if it had already been posted. My guess is that someone asked a first round applicant (who had already heard) for the URL to the decision and tried it as an in-process second round applicant.

    This isn't hacking. Nobody logged in as the Admissions Director or socially engineered their way into info by calling admissions and pretending to be a staffer out on the road. The only people at fault here are the coders at ApplyYourself (the 3rd party application site). Having used it last year, I can tell you that it is technically inferior to most products that other schools build themselves.

    There's already some ideas above that with the Enron and Worldcom scandals, business schools need to have ethics at the highest standards, but this misses the point. The 119 people that just got rejected weren't the 119 least ethical applicants. They were the 119 of the (probably) 130 applicants who saw the instructions before they were deleted. The top tier b-school application process is very stressful and the idea of seeing your results early is hardly scandalous.

    Furthermore, our new post-scandal "Leadership and Corporate Accountability" course spends a great deal of time discussing the ethical trade-offs inherent in business, such as weighing employee concerns vs. shareholder concerns vs. customer concerns. These decisions are rarely black and white and we spend a lot of time discussing relative merits of each stakeholder. The notion that we would portray ourselves as knowing an absolute ethical standard goes against much of what we teach and learn here.

    Despite the small number of true criminals to have walked these halls, Harvard Business School is a great institution and most /.'ers would be surprised to meet all the ethical people here that will be future leaders (if past performance is predictive of future performance).

    • by Fnkmaster ( 89084 ) on Tuesday March 08, 2005 @08:52PM (#11883642)
      Furthermore, I would argue that an applicant couldn't really know that their acceptance status was considered confidential *from themselves* if the decision had already been made and posted to their account. The fact that the official notifications hadn't been sent out doesn't really reaffirm the confidentiality of the information.

      Now, if somebody had used this technique to access somebody else's admissions status, I would say it is pretty clear cut that they committed an unethical act.

      If a school posts admission decisions by social security number in some obscure location and a student tells other students that it's there and they go look up their status before official notifications, have they committed an ethical violation? The school didn't tell them the information was there, but it was available to them for the getting if somebody else told them where to look for it.

      I can see that the school is upset, but it seems that their wrath is inappropriately directed. They should be pissed at the ApplyYourself folks and at their own admissions staff for botching things so badly.
  • by Khakionion ( 544166 ) on Tuesday March 08, 2005 @08:31PM (#11883449)
    Allow me to take the (oddly not yet taken) anti-Harvard point-of-view. I may be speaking from naivety, though, so here we go.

    Does it not strike anyone as odd that they knew who was in at least a month before the letters were due to be sent? Is there some reason why they don't send an acceptance/rejection letter as soon as someone is accepted/rejected?

    Sure, I guess what the 119 students did was wrong, but is there nothing wrong about withholding this information?
  • by PingXao ( 153057 ) on Tuesday March 08, 2005 @08:43PM (#11883558)
    If you don't want your information to be hacked, don't put it on an internet connected machine. It's as simple as that. We think we have a decade of web and internet wisdom to guide us but the fact is that all of this technology is still in its infancy. Was the hack ethical? No, but ethics aside, only an idiot would subject their important and confidential information to exposure on the web and then complain when it was hacked. Sorry, flamebait me if you must but the reports of vulnerabilities come fast and furious, regardless of platform, and nobody seems to care.

    Don't want your data exposed? Don't put it on the web.
  • This is insane (Score:5, Interesting)

    by DrJimbo ( 594231 ) on Tuesday March 08, 2005 @08:44PM (#11883564)
    Somebody hired by HBS screws up and makes information that should have been kept private accessible on a public web server.

    Instead of firing the people who made the boo-boo, the powers that be at HBS decide to punish anyone they can find who looked at their own admission letter.

    First of all, it is not at all clear to me that it is ethically wrong to look at your own admission letter when it is posted on a public web site where *many* other people can already see it. For example, if I had heard about something like this I would probably try it just to see if it was really true. I would trust that HBS was not so bone-headed as to allow such a thing to happen.

    Second, even if it were established that it was ethically wrong or questionable to peek, that is one heck of a temptation to put in front of someone since so much of their future plans depend upon what is in that letter.

    Finally, I don't see that any harm is done by someone just peeking at the letter. If they act upon that information then that is another matter, for example by starting apartment hunting a month early. But just looking doesn't hurt anyone. According to my own ethics, if I am not hurting someone then I am not doing something bad.

    I hope some of those people who got rejected band together and sue the pants off of HBS.
  • by Dan East ( 318230 ) on Tuesday March 08, 2005 @08:46PM (#11883577) Journal
    the other 4881 applicants are suing Harvard for posting personal, confidential information on the internet for all to see.

    Dan East
  • by bani ( 467531 ) on Tuesday March 08, 2005 @09:21PM (#11883940)
    totally classic behaviour you'd expect from an unethical corporation who wants to cover their ass and deflect blame of a major fuckup that's their own fault.

    if you ever wondered about the ethical standards of harvard, here's a perfect example. instead of accepting responsibility for their fuckup, they take it out on others, in order to cover up their embarrassment.
  • Weird... (Score:4, Informative)

    by CrazyTalk ( 662055 ) on Tuesday March 08, 2005 @09:32PM (#11884014)
    Almost the exact same thing just happened at the CMU business school; this [postgazette.com] was in the paper today. When I saw the slashdot article, I just assumed it was about the folks that broke into the CMU admissions website (and were also banned by the school as a consequence)
  • A hacker's take (Score:4, Interesting)

    by rawshark ( 603493 ) on Tuesday March 08, 2005 @09:42PM (#11884100)
  • My take (Score:5, Interesting)

    by Facekhan ( 445017 ) on Tuesday March 08, 2005 @09:50PM (#11884177)
    My take is this. URL altering is not hacking. This is akin to giving the online applicants each a key to their own room and then punishing them after someone told them that they could find their admissions letter in the closet and 119 of them decided to look.

    Harvard and Applyweb messed up by not securing their site. They are embarrassed and have successfully put their PR departments out to spin the story and libel these applicants by accusing them of "hacking" which in today's media implies a criminal intrusion. IANAL but this intentional disparagement which Harvard knows is untrue, along with leaving their personal educational records out there, insecure, sounds like a lawsuit to me.

    Harvard's decision to not accept or unaccept those 119 candidates has nothing to do with what they actually did. It has a lot to do with the view by admissions offices in every university that their admissions criteria and decision making process is secret and that we should submit every thing we have ever done in our lives for them to examine and judge in any way they choose without even so much as an explanation of the admissions decision in exchange for our $65 non-refundable fee.

    Harvard is unadmitting these students because they found out some information about themselves, in their own file, that they had perfectly legal access to, that Harvard wanted to keep secret and its service provider accidentally put out on the web.

    As for ethics, not one University, especially the private ones have a leg to stand on. They mail out advertisements to students urging them to apply and implying they are 'what the school is looking for.' for no other reason than to increase the number of applicants and the included application fees. The private universities almost invariably reject the majority of transfer credits in order to charge exorbitant prices on repeated basic courses taught by unpaid/underpaid TA's. That is just the tip of the iceberg.

  • by OgGreeb ( 35588 ) <og@digimark.net> on Tuesday March 08, 2005 @10:19PM (#11884370) Homepage

    If this were a cheesy college-spoof movie, the 119 "cheaters" would be recruited to the goofball school for their display of initiative.

    Kobayashi Maru indeed.

  • by 3l1za ( 770108 ) on Tuesday March 08, 2005 @10:46PM (#11884561)
    I think HBS's response is way overboard.

    In fact, a few years back I applied for business school and one of the schools on my list was MIT's Sloan. As I recall, there was some 'hack' (hack lite) one could use to determine whether one had been admitted and it consisted of this: you would basically ping the mail server and figure out if a UID had been created for you. If it had, then you were in; if it hadn't, then either you weren't in or your UID hadn't been created yet.

    Near as I can tell this is exactly identical to what went on here; using some 'covert' mechanism to ascertain admission status.

    I consider myself ethical to a ridiculous fault but I am sure I too would have checked and not thought much about it beforehand (as being unethical). If you leave your pants down, you shouldn't be too surprised when people take a gander at what's there.
  • by Error27 ( 100234 ) <error27 @ g m ail.com> on Tuesday March 08, 2005 @11:49PM (#11884944) Homepage Journal
    The trick was you had to type in the following URL.

    https://app.applyyourself.com/AyApplicantMain/ApplicantDecision.asp?AYID=89CFE0A-424C-4240-Z8D0-9CR52623F70&mode=decision&id=1234567

    The AYID=89CFE0A-424C-4240-Z8D0-9CR52623F70 was in the URL bar when you logged into the site. You could figure out the id=1234567 from hitting view source once you were logged in and searching for ID.

    I look at that and I think, maybe they didn't make the URL clickable because of a bug in the system. These students basically just found a bug fix.
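
The comment above describes a decision page that was reachable by typing its URL before any link to it was shown. As an added example (not part of the thread and not ApplyYourself's code), here is that "hidden link only" pattern next to a handler that enforces ownership and release state on the server. The session tokens, applicant ids, release date and function names are constructed, and the page does not say which checks the real service performed.

```python
from datetime import datetime, timezone

# Constructed sample data: session tokens, ids and the release date are placeholders.
SESSIONS = {"session-a": 1001, "session-b": 1002}  # session token -> applicant id
RELEASE = datetime(2005, 3, 30, tzinfo=timezone.utc)
DECISIONS = {
    1001: {"letter": "decision letter for 1001", "release_at": RELEASE},
    1002: {"letter": "decision letter for 1002", "release_at": RELEASE},
}

def decision_page_hidden_link_only(session, applicant_id, now):
    """Hypothetical weak handler: login is required, but the only thing keeping
    the page from applicants is that the UI does not link to it yet.
    `now` is accepted and ignored, which is the defect."""
    if session not in SESSIONS:
        return 401, None
    record = DECISIONS.get(applicant_id)
    if record is None:
        return 404, None
    return 200, record["letter"]

def decision_page_checked(session, applicant_id, now):
    """Same page with the checks made on every request, whatever the UI links to."""
    owner = SESSIONS.get(session)
    if owner is None:
        return 401, None
    # Ownership: the id in the query string is client-supplied, so it must
    # match the applicant bound to the session.
    if owner != applicant_id:
        return 403, None
    record = DECISIONS.get(applicant_id)
    # Release gate: an unreleased decision gets the same answer as a missing
    # one, so the response does not reveal that a decision already exists.
    if record is None or now < record["release_at"]:
        return 404, None
    return 200, record["letter"]
```
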
  • Fit of pique (Score:4, Insightful)

    by Zog The Undeniable ( 632031 ) on Wednesday March 09, 2005 @04:56AM (#11886440)
    Let's see...

    (a) Harvard can't secure its systems properly, so it's partly their fault.

    (b) No decisions were changed as a result of the access and no-one altered any data.

    (c) Harvard has lost some bright students who passed their (presumably rigorous) selection process.

    So is this a stupid decision, or what?
