Harvard Business School: You Peek, You Lose
mosel-saar-ruwer writes "Seems Harvard Business school was using the ApplyYourself web service to process applications. Sometime in the last few days, an anonymous hacker, known as 'brookbond', was able to crack the system, and discovered that Harvard had already posted acceptance letters to the website fully a month before they were to be mailed to their recipients. He posted instructions on how applicants could view their letters at the BusinessWeek forums, and approximately 119 applicants followed his advice. Today, the dean of the Harvard Business School, one Kim Clark, announced that none of the 119 would be admitted: 'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'"
Deserved (Score:5, Insightful)
Wow. So even though only one person actually did the hard work of figuring out how to hack into the site, 119 other individuals figured they too should follow the directions to hack in and learn the results. Harvard (rightly so) decided to not admit any of the 119 even though some of them possibly were initially accepted. Is this a response to some of the unethical and deceptive practices that have been rampant in the business world (i.e. Worldcom, Enron, pick your fav.) of late? Perhaps, but this is especially important in that much of business school (especially in Ivy League schools) is about establishing relationships and connections. Do we want a bunch of ethically challenged folks getting to know one another in Harvard Business School? I think not. In light of many of the current scandals in the business world, I would like to believe that schools do pay attention to these issues and perform some filtering at the front end rather than filtering or correcting during the educational process. After all, there are some things that cannot be taught. By the time one applies to business school, patterns of behavior are fairly well entrenched and behavioral correction of things we were supposed to learn in kindergarten is not the business school's responsibility.
It would be interesting to find out what their stories are. Why did they do it and what were they possibly thinking? Do they believe they should be blacklisted?
It should also be noted that Harvard was not the only school affected by this hack. Other business schools (MIT, Stanford, Carnegie Mellon and Duke) were also compromised and I would encourage those schools to adopt the same actions as Harvard in this case.
Re:Deserved (Score:5, Interesting)
Re:Deserved (Score:5, Informative)
Metheny also noted that individuals could only access their own personal admissions responses--not those of other applicants.
Re:Deserved (Score:5, Insightful)
Last week, Metheny would have told you that his company's site was totally secure. This week, he's telling you that yeah, it got hacked, but individuals could only access their own stuff. And of course, he's totally sure about this.
Check back next week, though.
Re:Deserved (Score:3, Interesting)
Re:Deserved (Score:5, Interesting)
Sorry, if I can crawl a site obeying robots.txt and using MY OWN ACCOUNT to get that info, it's not a crime.
Amazing for some reason, rather than tarnish Harvard's reputation (imagine if this were a banking institution!!!), they turn it around and crucify the applicants (not saying they don't deserve it, but still...)
Where exactly is the accountability? And why does Harvard get a free pass? If this were the University of Phoenix we'd all be laughing... I sense some degree of hypocrisy here...
Smells like bullshit (Score:3, Insightful)
Reminds me of when I was at school. Something got stolen. The cops were called and everyone was taken out of class. They said: "We know who stole the [whatever]. We're giving you a chance to own up and be a man about it." Of course they didn't know, nobody owned up and nobody got bust....
Re:Deserved (Score:5, Interesting)
I agree with you in principle. My problem with this decision is that it probably assumes that if an individual acceptance letter was looked up, that person was guilty. What if it was my sister that had applied and I happened to read about the hack. I may have decided to follow through with it to look her up without even mentioning it to her prior to doing so. I doubt this is the case for most, but I would bet something like this did happen to several of these people. I think it would be unfair to potentially punish innocent bystanders.
Re:Deserved (Score:3, Insightful)
Re:Deserved (Score:4, Informative)
So they can be pretty sure that if person X's letter was viewed, it was viewed by person X or someone who knows the password of person X.
This cries out for a lawsuit against Harvard! (Score:5, Interesting)
But, even though I think they should get sued, likely no one will, because all these applicants are likely top of the line, with admissions to other top B schools, and this lawsuit could mess up their careers....
Re:This cries out for a lawsuit against Harvard! (Score:5, Insightful)
The fact is, these people were probably just curious about their application status. And the reason only those 119 probably checked theirs out was because they were the only ones that knew about it. I don't know what their application numbers are, but if 5000 applied and all of them knew about the hack, probably at least 4000 of them would have checked out their applications. As well, the hack was only open for what ? 9 hours total? Does everyone who applies to Harvard check every 8 hours to see if a hack is available that will let them view their application status? Gimme a break. Maybe they could use this as a final decision maker, but to totally nix these hapless few is ridiculous. I bet more crooked business majors have come out of the Harvard Business School.
Re:This cries out for a lawsuit against Harvard! (Score:4, Insightful)
In addition (Score:5, Interesting)
Re:This cries out for a lawsuit against Harvard! (Score:4, Insightful)
This is another example of Harvard trying to take the moral high ground and protect its reputation after the fact. Maybe the president would like to filter out the female applicants since business classes are so mathematically heavy? Or maybe he'd like to ensure only the best future CEOs of Worldcom, Enron, Nortel, and Halliburton are produced by his business school.
Re:This cries out for a lawsuit against Harvard! (Score:3, Insightful)
What a great world Americans live in...
Maybe spitting on the sidewalk will have the same legal penalties as murder next?
I seriously doubt they can confirm that every person who followed the instructions was in fact the same as the application they checked.
N.
Re:This cries out for a lawsuit against Harvard! (Score:4, Insightful)
-kaplanfx
Re:This cries out for a lawsuit against Harvard! (Score:5, Insightful)
Publishing their names and getting them banned from other colleges would definitely be over the line into pure vindictiveness though. Screwing someone significantly, possibly for life if they truly are completely blacklisted, for one very small mistake is ludicrous.
Yeah, what crime? (Score:5, Insightful)
1: Harvard has a legitimate reason to withhold information considering admission from their students?
2: Accessing a site with information pertaining to yourself is of course unethical considering you had help from a 1337 d00d.
What possible explanation does Harvard have for storing the status of their students on the same database as they serve their website on? What reason does Harvard have to withhold this information from prospective students? Applications require planning ahead on the part of students, these students don't have a chance to apply to more schools after they've been turned down by one, etc.
Second, this information was about the prospective student who accessed it. There is no rule of ethics that says you can't discover something about yourself.
Finally, what did Harvard have to lose? This was not a teacher's gradebook situation where you could assume someone was snooping in hopes of "fixing" a grade. The information is purely read-only, and it's not information that would not be disclosed, it's information that would be disclosed later. Why?
Re:Yeah, what crime? (Score:4, Insightful)
I have several clear problems with the ethics of Harvard itself though:
1. In the UK we have a law called the "Data Protection Act 1974 - amended 1990" which gives any adult the absolute right to see _any_ personal information stored about them on computer systems. If Harvard had done this in the UK then every student had the right to see that data anyway. I can't imagine anything more personal than someone's acceptance or rejection by a prestigious University.
2. Which cretin at Harvard decided to put sensitive data on a system available for public access? Is the real reason for the heavy-handed approach that Harvard academics are worried by inquisitive students? If this data was available to candidates - what assurance can Harvard credibly offer that they took proper precautions with the applicants' personal information?
3. How can Harvard expect to enforce such a decision? If every candidate whose details were exposed is declined then this is clearly unethical as there is no evidence of the involvement of the excluded candidate in any wrongdoing. If they rely on admission of guilt then this is clearly unreasonable as they would exclude exactly those students whose sound ethical principles prevent them from denying their own involvement!
The only sensible course of action for Harvard would have been to warn the candidates that the data that was accessed could not be assumed a final decision and that all applications were under review up until letters are sent. Only this course of action would minimise damage, which (in my opinion) is primarily due to incompetence on the part of Harvard administrators and not due to the expected inquisitive behaviour of anxious applicants.
Re:This cries out for a lawsuit against Harvard! (Score:5, Insightful)
Harvard got caught with a truly poorly secured computing environment, and is taking it out on their applicants. F*&k Harvard. Go with a vendor who knows that a "go live date" doesn't mean you post your site a month in advance and hope nobody finds it.
The longer I live here, the more I respect MIT and the less I respect Harvard.
Re:This cries out for a lawsuit against Harvard! (Score:5, Insightful)
If the "hack" was typing in a URL when logged in as mentioned, my guess is that many would type it in without even giving it any thought. Most of these 119 individuals probably wouldn't have gone through with this if it involved some serious hacking. People are curious by nature.
The problem here isn't curious youngsters, it is a world class business school practicing security by obscurity.
Re:Deserved (Score:5, Insightful)
From a Utilitarian point of view it may improve everyone's quality of life (immeasurably small though) by preventing you from needlessly wasting resources applying to other schools. But looking at your own acceptance letter harms no one. From a deontological point of view, it does not cause others to not be able to see their own results (although Harvard's overreaction to it may).
One might try to argue that it is counter to rule utilitarianism, but since the prohibition to see your own enrollment status is not based on utilitarian principles, it is not.
I think the lack of ethics in the business world has a lot to do with the schools themselves not knowing the difference between ethics and rules. Just because something is against the rules does not mean that it is unethical; just because something is within the rules (or won't be caught) does not make it ethical.
Re:Deserved (Score:3, Insightful)
Ok, I'll post in the clear: I don't think what they did was particularly bad. Illegal, probably, but I just can't see where anyone was harmed here, and even in your hypothetical scenario the only harm is to the student himself.
Interesting priorities (Score:5, Insightful)
I recently wrote an IRC bot. That is currently illegal in the USA (read up on the ActiveBuddy patent) and will, as a result, probably be illegal in short order in the EU (where I live). However, I'm not bothered.
If I'd done something that I considered immoral, I would be worried. But my opinion is that allowing governments to define your morality is lazy at best and idiotic at worst. This applies particularly strongly in this situation where, as far as I can tell, people are being kicked out for receiving their letters before they were due to be sent.
I can't see any good reason why this should be a major offence, certainly not why people's lives should be messed up on this basis. Especially if they are able to produce a detailed argument as to why they considered their behaviour ethical.
Please, please get your priorities straight.
Re:Deserved (Score:5, Insightful)
Are you suggesting that it might be illegal to type in a URL without the express, written consent of the domain owner? From what I've read, that's all this "hack" entailed. The only people who should be punished are the admins who made the letters accessible to begin with.
Not to put words into your mouth, but I'm guessing from your tone that you would find this comparable to a thief going door to door at night, jiggling doorknobs to find an unlocked house. Some people might say the victims were asking for it by not locking their doors, but most would put the blame solely on the thief for his 'ethical lapse' in taking advantage of the situation.
The problem is that the Internet has created an ethical gray area in victimless, profitless "crimes" such as file trading (I'm stepping in a mine field there, I know), that are effortless enough to be committed almost as an afterthought. Society (okay... me and a bunch of other slashdotters) has a hard time condemning others for these acts.
Bottom line for me, there was no criminal intent. At worst, this was mischief on par with an 11 year old digging through the attic on December 23rd to find out what he's getting for Christmas. Now that the problem has been fixed and the Harvard applicants made an example of, I seriously doubt that MIT and the other affected schools will be so harsh.
Re:Deserved (Score:3, Insightful)
Nonsense. You're conflating two points of Harvard's position. Harvard claims what they did is unethical and some of us disagree with that claim. Now, Harvard's claim that there is no way to rationalize the behavior is merely a statement saying that no excuse will be enough to ge
Re:Deserved (Score:5, Insightful)
If I were one of those students, I'd be screaming entrapment at the top of my lungs to anyone who would listen. Maybe it's just me.
Re:Deserved (Score:5, Insightful)
I would not want to be one of Harvard's lawyers when it hits the fan.
Re:Deserved (Score:5, Insightful)
Re:Deserved (Score:4, Interesting)
Re:Deserved (Score:3, Insightful)
Re:Deserved (Score:3, Insightful)
Re:Deserved (Score:3, Insightful)
So cheating on your wife is ethical, so long as she never gets hurt? You can sleep around all you want, as long as your wife never finds out and you never bring any diseases home and your girlfriends never go Fatal Attraction?
Ethics isn't about who gets hurt. Ethics is about doing the right thing the right way--
I've lied, I've cheated, I've st
Re:Deserved (Score:3, Insightful)
The same thing occurs in the business world all the time. Let's say I have a person working for me, and I put them in for a promotion. Their promotion letter goes onto a (supposedly) restricted server until approved b
Who's being unethical here? Re:What? (Score:3, Insightful)
Based on your strong statements, I begin to see that the admissions committees would consider this cheating. I still have seen no explanation as to why this is the case, still less why the applicants would
So Quick to Judge (Score:3, Insightful)
If the business school is run by the same types who seem to run every other part of the school system, their automatic, totally predictable
Re:Deserved (Score:5, Insightful)
The only "ethically challenged" group we can assert and assume with any certainty is the company providing the Apply Yourself services.
It's ethically criminal to provide a confidential service on the internet with virtually no security.
From (almost) the horse's mouth: Noted web application developer and MIT professor Philip Greenspun [harvard.edu] notes on his Harvard weblog:
Liable and culpable? Apply Yourself and the B-Schools who outsourced to a cheesy service provider without, apparently, commissioning even a basic security audit.
It's of no consequence - no doubt there is at least one bright former-B-school student wannabe now contracting the services of a lawyer to sue Haavard - not for denying them access, but for allowing confidential information to be exposed to the internet. Seems to me such a suit is likely to return more than the cost of tuition to any other school in the world...
Re:Deserved (Score:5, Insightful)
Why is it "rightly so?" How is this any different from, say, calling the admissions department after the letters were sent, but before they were received to see if you were admitted? The information was published on the web site. The login given to the students was capable of opening up the page that contained their information. Just because they didn't have a link to it so you had to type it in yourself doesn't make it "hacking." They typed in a valid URL to a page they were intended to be able to view. If Harvard didn't want them looking there, they should have left the pages off or secured them until they were intended to be accessed.
This is as stupid as turning off directory browsing and assuming that all pages not explicitly linked to elsewhere are "secure." If they want to exclude these 119 students, they should have dropped $100 bills in front of all the students and refused those that didn't return them. It seems pretty close to entrapment to me, other than Harvard did it out of stupidity, rather than malice. They accessed information they were intended to see, harming no one in the process, and were punished for it.
Re:Deserved (Score:3, Funny)
[meanwhile, downloading another gig of mp3s...]
Re:Deserved (Score:3, Insightful)
As to the possibility of applicants sending apologies, something discussed on message boards over the weekend, Clark said: ''Whethe
Since I'm one of the 119... (Score:5, Interesting)
Early in the morning on March 2nd, someone calling himself "brookbond" on the BusinessWeek MBA Forums saw the results of his HBS application using a modified version of the link he'd use to see his results at another school also using the Apply Yourself system.
He saw a "ding" letter, meaning that he saw a form letter with the standard "We're sorry, we can't admit you to the class of 2007. Blah blah blah. Best of luck in your future endeavors." He then posts the technique he used to view the letter to the BW forums. This information is visible for roughly six to eight hours. After the beginning of the business day on the East Coast, all hell breaks loose. People are discussing the posting on the BW forums, with people wondering if the link works or not. People report seeing one of two things:
NO ONE SAW AN ADMIT LETTER.
Period, point blank. Anyone who says they did, is lying. At some time between 8:00AM and 9:00AM EST, the BW forum moderators realize what's being discussed, either because of the activity level on threads related to HBS, or because they were contacted by HBS directly. BW begins deleting every single thread related to HBS, regardless of whether or not it contains information about the "hack" or not.
At this point, a blogger named PowerYogi posts the technique to his blog. A rather humorous thread insinuating HBS is sending snipers after PowerYogi starts up, then peters out after a while.
Eventually, Apply Yourself wakes up and patches the system to show "Your Decision is not yet available" messages instead of the dings and blank screens. This occurs between 10:00AM and noon EST.
Nearly 20 hours after the "hack" is first posted, HBS sends this letter to applicants:
Unfortunately, things don't stop there. Eventually, BW gives up trying to delete all the HBS postings, and people begin discussing the item. An article appears in the Harvard Crimson detailing the incident on March 3rd, and the article is used as source material for articles by the Boston Globe and the Associated Press. The AP article makes the front page of MSNBC.
By March 4th, other schools using Apply Yourself realize that their decision information may also have been available. In an amazing display of leadership, the Tepper School at Carnegie Mellon announces that they will reject anyone who tried to access their decision information early. Elsewhere, it is learned that a grand total of TWO people attempted to learn their fate at Tepper early, making it easy for CMU to grandstand.
With a precedent set, schools begin to announce their decisions on the fate of the "hackers". According to
Re:Since I'm one of the 119... (Score:5, Insightful)
I think it's much more like accidentally putting up a bulletin board with everyone's admit status (actually, people could only view their own data), or my acceptance/rejection envelope arriving a few days early. They're the ones who screwed up. Okay, I realize that these analogies aren't perfect. But they're much closer than most of the ridiculous comparisons and discussions and hate-mongering going on here. It's not like any admin accounts were compromised or people were altering their admit/deny status.
It's sad that Harvard crucifies its applicants instead of sacking up to the fact that they (or ApplyYourself) didn't manage their data properly.
-fren
Re:Since I'm one of the 119... (Score:4, Informative)
Re:Since I'm one of the 119... (Score:5, Insightful)
You've got to be kidding me. How on earth is this some ethical conundrum? Information was available, unsecured, from the public Internet, to him, regarding his personal status. I could see ethics coming into the issue if the post detailed a method to view other applicants' data, but this was about him and didn't involve breaching any security. While I'm not familiar with the system (my college application, um, pre-dates this system by a bit), the delay in being notified that the data is posted could just as easily be ascribed to technical delays.
The broader issue that you seem to be missing is that faux-ethical dilemma feelgood moments like this distract from genuine ethics problems. It's a shame Harvard can't train its awesome ethical standards (like admitting C-average future presidents) on more challenging targets.
Re:Since I'm one of the 119... (Score:5, Insightful)
If you know someone in admissions and ask them if they've heard about your status, is that equally unethical? (And before you go all black-and-white again and provide some remarkably obvious platitude from a first-year philosophy course -- yes, the individual in admissions would most likely be bound ethically not to divulge this information. And if you attempted to induce them to divulge the information after learning that they were so bound, yes, that would be unethical.)
This just isn't as neatly wrapped a package as you're saying. If the primary basis for your conclusion is a breach of trust, then it follows that the substance of that trust must be clearly communicated and agreed upon in advance. HBS saying "we'll get ahold of you on XX/XX" does not meet that standard in my opinion. Neither does a click-through EULA. A simple, plainly written agreement is closer to the mark. I don't really know enough about this service and the terms established to make a judgment here, but taking a peek is not a de facto ethical violation.
That's just my opinion. I'm willing to accept the fact that you may disagree.
Disaster Averted, US Business Community Saved (Score:5, Funny)
God knows that this sort of unethical behavior [motherjones.com] and borderline illegal practice [cnn.com] is totally out of place in our business community. Obviously, these punks are only getting what they deserve [marthastewart.com].
Aside from that, hopefully those involved will learn a valuable life lesson from this: If you can't play by the rules, you'd better be able to run fast and catch, throw or hit a ball really well.
PS: I wonder if any prospective students were smart enough to just look at the admission status of the *other* students... Now that would be showing the sort of sense you'd need to get to the top of corporate America.
Re:Disaster Averted, US Business Community Saved (Score:3, Funny)
Re:Disaster Averted, US Business Community Saved (Score:5, Funny)
Re:Disaster Averted, US Business Community Saved (Score:3, Insightful)
You know, sometimes it makes sense to hold a privileged class responsible for its actions.
Re:Disaster Averted, US Business Community Saved (Score:3)
I wish I was bitter enough to believe in a "privileged class". It would make life so much easier to be able to blame someone else for all my problems.
Re:Disaster Averted, US Business Community Saved (Score:3, Insightful)
Even if it was a simple hack, it was presented as a hack (a means of circumventing the system), therefore they weren't just lemmings - they were black sheep.
Cool (Score:4, Insightful)
Right on, I've always wanted to stick it to one of those yuppy bastards.
Good, my plan worked, I've removed the competition (Score:5, Funny)
* evil laugh *
oh wait, business school. shit.
Harvard Loses More Lustre (Score:3, Insightful)
It's take charge, independent thinkers [thecrimson.com] that the school needs in its student body. They better not revoke my admission or I'll send a teenage grrl enforcer [slashdot.org] over to smack 'em upside their heads!
What about those who just went in and looked... (Score:5, Interesting)
Re:What about those who just went in and looked... (Score:5, Funny)
Re:What about those who just went in and looked... (Score:3, Funny)
Instructions? (Score:5, Insightful)
Re:Instructions? (Score:3, Interesting)
Re:Instructions? (Score:5, Insightful)
True enough. Just the other day I was clicking on a list of items on a web page and one link was broken. I noticed that the URL pattern was item1.html, item2.html, and so on and that the broken link read itme6.html (sic).
I manually edited the URL to read item6.html and voilà, I got the page. Is that hacking? I think not. If all the students did was editing the URL, I do not think they should be punished. IF on the other hand they had to enter someone else's password then I say: fry 'em!
Re:Instructions? (Score:4, Funny)
Re:Instructions? (Score:5, Insightful)
And as this author also brings up, if someone tells you that personal and confidential information about your grad school application is unprotected on a public web server, would you be negligent not to check it out?
Re:Instructions? (Score:4, Informative)
Basically, you scan the source of the page after login for your ID number and the security hash. Then you append that to your URL. The process is a whole seven steps and in the realm of nefarious hacks it's... neither.
How to prove... (Score:4, Insightful)
An early lesson in business mismanagement (Score:4, Insightful)
I think Harvard's reaction against the 119 who followed the indicated route is pitifully excessive.
But the 119 now have an early lesson in how certain business managers cynically deflect blame in order to save face.
It appears to be beyond Harvard's ability to track down the cracker, so they hit out at whoever is within reach.
-wb-
Re:An early lesson in business mismanagement (Score:3, Insightful)
I kinda want some candy now
Curious (Score:5, Insightful)
Re:Curious (Score:5, Interesting)
Shit, if I try to change the URL to see if I can view my pay statement one day early at work, should I be fired for that too?
Re:Curious (Score:5, Informative)
Ditto. The difference is between trying to elicit a desired response by breaking the server (like in a buffer overflow or bypassing security with a password cracker), and utilizing a well-known protocol in a normal way. HTTP is just a way of asking for information, and if you simply ask a server for something it's the server's duty to make sure it wants to honor the request.
Beyond that, I can easily imagine someone leaping at the chance to figure out if they're going to get into their dream school. This is a major overreaction on the part of HBS.
how did they verify it? (Score:3, Interesting)
The webserver probably could have recorded an IP address with each access, and many of those can be geographically verified. However, this would still have the problem of someone other than the applicant checking.
Makes you wonder. (Score:5, Insightful)
Stanford B-school position (Score:5, Informative)
Cutting off their nose... (Score:4, Insightful)
It's actually worse than that... (Score:3, Interesting)
We have enough trouble with lack of Internet savvy in American business management as it is.
They've got this the wrong way round ! (Score:4, Insightful)
Ho hum... Just goes to show that if you play by the rules you'll get by by the rules (and if you play them well enough you'll "shine") But you'll never discover anything truly new
Mind you having said that... if you do discover something truly new, once you try to tell somebody, the rest of society will think you're mad and burn you at the stake. "This heretic says the Earth revolves around the sun... burn the witch..."
What would Donald Trump have done? (Score:4, Funny)
Who gives a monkey's about the 118... (Score:3, Interesting)
This is the same school that... (Score:5, Interesting)
HBS need to face the fact that when you train people who have no morals that you will attract people with no morals.
Re:This is the same school that... (Score:5, Interesting)
Jeffrey Skilling, former CEO of Enron
Robert S. McNamara, US Secretary of Defense, 1961 - 1968, 4th President of the World Bank 1968 - 1981
H. John Heinz III, US Senator
Donald J. Carty, former chairman and CEO of AMR, the parent company of American Airlines
George W. Bush, 43rd President of the United States
Donald W. Riegle, Jr.
--00--00--
Now that is a bunch of winners, most of whom ran the orgs they were responsible for into the ground. There has to be a balance between shareholder value and workers, but the line has been pushed way over to the executive side. Sometimes it seems like those in the F500 forget that those they fire so they can buy a 10,000 US shower curtain also can vote.
diversionary tactic? (Score:5, Insightful)
I see... (Score:5, Insightful)
Ah! The people who we can actually hurt without going to court or having to get law enforcement involved, the 119 18-year-olds who were on tenterhooks to know if they'd been accepted and really couldn't contain themselves to wait another entire month when we'd already made the decisions.
In fact, if I understand from my rather hazy sources US law enforcement won't get involved unless the crime has cost $5000 (I could be way off here though, I didn't get this from an authoritative site), so, since they're out the only other option to lash out and save face would be to sue, which is expensive when you can just ruin 119 kids' futures. Of course, doubtless it will end them up in court...
The ethics point isn't particularly strong, these are 18-year-olds who want to know if their chosen college has accepted them and they find out that the decisions have been made and the letters written a month before they'll get them otherwise. The fact that they followed some instructions posted online to find some 'hidden' files reflects little on their ethics in the future - I spent hours in school trying to get into every nook & cranny of the systems (which the admin had tried to lock down) using as many non-invasive/aggressive methods as I could find. Does that make me unethical? No. I did it entirely as an academic exercise to see how well locked down the systems were, would it have been unethical to find out information about me that the school held but didn't want to tell me? No, not in my opinion.
This seems to be the university lashing out against someone to save face. That 'someone' being the people who have least blood on their hands (out of the people actually involved) and who the university feels that it can get away with stomping on the easiest.
Re:I see... (Score:3, Interesting)
Low level physics - course #1 (Score:3, Funny)
By looking inside the box, they changed the content!
And with regard to exclusion, they could have at least given them a second chance, maybe with some punishment (like a work camp or something, and select only the 30 first). I thought that this was the land of the second chance.
School is about education. What did they learn? That they got screwed up after doing something that affected no one else?
Am I the only one to think like that?
The articles miss the point (Score:5, Insightful)
As a current Harvard MBA student and long-time /. reader, it's worth pointing out that these applicants didn't "hack" anything. They got instructions (now deleted from the BW forums) that if you took your login hash, appended it to a URL at the ApplyYourself, you could see the decision letter on your file, if it had already been posted. My guess is that someone asked a first round applicant (who had already heard) for the URL to the decision and tried it as an in-process second round applicant.
This isn't hacking. Nobody logged in as the Admissions Director or socially engineered their way into info by calling admissions and pretending to be a staffer out on the road. The only people at fault here are the coders at ApplyYourself (the 3rd party application site). Having used it last year, I can tell you that it is technically inferior to most products that other schools build themselves.
There are already some ideas above that with the Enron and Worldcom scandals, business schools need to have ethics at the highest standards, but this misses the point. The 119 people that just got rejected weren't the 119 least ethical applicants. They were the 119 of the (probably) 130 applicants who saw the instructions before they were deleted. The top tier b-school application process is very stressful and the idea of seeing your results early is hardly scandalous.
Furthermore, our new post-scandal "Leadership and Corporate Accountability" course spends a great deal of time discussing the ethical trade-offs inherent in business, such as weighing employee concerns vs. shareholder concerns vs. customer concerns. These decisions are rarely black and white and we spend a lot of time discussing relative merits of each stakeholder. The notion that we would portray ourselves as knowing an absolute ethical standard goes against much of what we teach and learn here.
Despite the small number of true criminals to have walked these halls, Harvard Business School is a great institution and most /.'ers would be surprised to meet all the ethical people here that will be future leaders (if past performance is predictive of future performance).
Re:The articles miss the point (Score:5, Interesting)
Now, if somebody had used this technique to access somebody else's admissions status, I would say it is pretty clear cut that they committed an unethical act.
If a school posts admission decisions by social security number in some obscure location and a student tells other students that it's there and they go look up their status before official notifications, have they committed an ethical violation? The school didn't tell them the information was there, but it was available to them for the getting if somebody else told them where to look for it.
I can see that the school is upset, but it seems that their wrath is inappropriately directed. They should be pissed at the ApplyYourself folks and at their own admissions staff for botching things so badly.
Maybe it's just me... (Score:3, Interesting)
Does it not strike anyone as odd that they knew who was in at least a month before the letters were due to be sent? Is there some reason why they don't send an acceptance/rejection letter as soon as someone is accepted/rejected?
Sure, I guess what the 119 students did was wrong, but is there nothing wrong about withholding this information?
People Just Don't Get It (Score:3, Insightful)
Don't want your data exposed? Don't put it on the web.
This is insane (Score:5, Interesting)
Instead of firing the people who made the boo-boo, the powers that be at HBS decide to punish anyone they can find who looked at their own admission letter.
First of all, it is not at all clear to me that it is ethically wrong to look at your own admission letter when it is posted on a public web site where *many* other people can already see it. For example, if I had heard about something like this I would probably try it just to see if it was really true. I would trust that HBS was not so bone-headed as to allow such a thing to happen.
Second, even if it were established that it was ethically wrong or questionable to peek, that is one heck of a temptation to put in front of someone since so much of their future plans depend upon what is in that letter.
Finally, I don't see that any harm is done by someone just peeking at the letter. If they act upon that information then that is another matter, for example by starting apartment hunting a month early. But just looking doesn't hurt anyone. According to my own ethics, if I am not hurting someone then I am not doing something bad.
I hope some of those people who got rejected band together and sue the pants off of HBS.
In related news... (Score:5, Funny)
Dan East
this is classic CYA and deflect blame (Score:5, Insightful)
if you ever wondered about the ethical standards of harvard, here's a perfect example. instead of accepting responsibility for their fuckup, they take it out on others, in order to cover up their embarrassment.
Weird... (Score:4, Informative)
A hacker's take (Score:4, Interesting)
My take (Score:5, Interesting)
Harvard and Applyweb messed up by not securing their site. They are embarrassed and have successfully put their PR departments out to spin the story and libel these applicants by accusing them of "hacking" which in today's media implies a criminal intrusion. IANAL but this intentional disparagement which Harvard knows is untrue, along with leaving their personal educational records out there, insecure, sounds like a lawsuit to me.
Harvard's decision to not accept or unaccept those 119 candidates has nothing to do with what they actually did. It has a lot to do with the view by admissions offices in every university that their admissions criteria and decision making process is secret and that we should submit every thing we have ever done in our lives for them to examine and judge in any way they choose without even so much as an explanation of the admissions decision in exchange for our $65 non-refundable fee.
Harvard is unadmitting these students because they found out some information about themselves, in their own file, that they had perfectly legal access to, that Harvard wanted to keep secret and its service provider accidentally put out on the web.
As for ethics, not one University, especially the private ones have a leg to stand on. They mail out advertisements to students urging them to apply and implying they are 'what the school is looking for.' for no other reason than to increase the number of applicants and the included application fees. The private universities almost invariably reject the majority of transfer credits in order to charge exorbitant prices on repeated basic courses taught by unpaid/underpaid TA's. That is just the tip of the iceberg.
In an alternate reality. (Score:4, Funny)
If this were a cheesy college-spoof movie, the 119 "cheaters" would be recruited to the goofball school for their display of initiative.
Kobayashi Maru indeed.
Way overboard; projection anyone (Score:3, Interesting)
In fact, a few years back I applied for business school and one of the schools on my list was MIT's Sloan. As I recall, there was some 'hack' (hack lite) one could use to determine whether one had been admitted and it consisted of this: you would basically ping the mail server and figure out if a UID had been created for you. If it had, then you were in; if it hadn't, then either you weren't in or your UID hadn't been created yet.
Near as I can tell this is exactly identical to what went on here; using some 'covert' mechanism to ascertain admission status.
I consider myself ethical to a ridiculous fault but I am sure I too would have checked and not thought much about it beforehand (as being unethical). If you leave your pants down, you shouldn't be too surprised when people take a gander at what's there.
Not hacking. Bug fixing (Score:5, Informative)
https://app.applyyourself.com/AyApplicantMain/A
The AYID=89CFE0A-424C-4240-Z8D0-9CR52623F70 was in the URL bar when you logged into the site. You could figure out the id=1234567 from hitting view source once you were logged in and searching for ID.
I look at that and I think, maybe they didn't make the URL clickable because of a bug in the system. These students basically just found a bug fix.
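The weakness described in the comment above, seen from the server side, as an added example that is not part of the original thread and is not ApplyYourself's code: a handler that relies on the letter page being unlinked, next to one that checks ownership and release date on every request. All function names, ids, owners and dates are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data: owners, ids and dates are illustrative only.
RELEASE = datetime(2005, 3, 30, tzinfo=timezone.utc)
BEFORE_RELEASE = datetime(2005, 3, 1, tzinfo=timezone.utc)
AFTER_RELEASE = datetime(2005, 4, 1, tzinfo=timezone.utc)
LETTERS = {
    "1001": {"owner": "alice", "body": "letter for alice", "release_at": RELEASE},
    "1002": {"owner": "bob", "body": "letter for bob", "release_at": RELEASE},
}
DENIED_LOG = []  # (user, letter_id, reason) tuples kept for later review


class Denied(Exception):
    """Request failed an authorization check."""


def get_letter_unlinked_only(session_user, letter_id, now):
    """Weak pattern: the page is merely unlinked and trusts the id in the URL."""
    return LETTERS[letter_id]["body"]


def get_letter_checked(session_user, letter_id, now):
    """Hardened pattern: every request is authorized on the server."""
    letter = LETTERS.get(letter_id)
    if letter is None:
        reason = "unknown id"
    elif letter["owner"] != session_user:
        reason = "not owner"
    elif now < letter["release_at"]:
        reason = "before release"
    else:
        return letter["body"]
    # Record the real reason, but give the client one uniform answer so the
    # response does not reveal whether a letter exists or has been written.
    DENIED_LOG.append((session_user, letter_id, reason))
    raise Denied("not available")
```
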
Fit of pique (Score:4, Insightful)
(a) Harvard can't secure its systems properly, so it's partly their fault.
(b) No decisions were changed as a result of the access and no-one altered any data.
(c) Harvard has lost some bright students who passed their (presumably rigorous) selection process.
So is this a stupid decision, or what?
Re:Ouch (Score:5, Funny)
Test Prep Classes: $10,000
Donations to School by Parents: $5,000
Blowing your future because you can't wait a month: Priceless.
There are some levels of satisfaction that money can't buy, like watching 100+ snot-nosed future pointy hairs take it up the pooper from Harvard.
Re:Funny. (Score:5, Insightful)
Interesting (to me at least) riff from a recent Economist article...
One factor contributing to the stratification of US society is precisely that enormous pressure. There is extreme pressure in competition for entrance to top schools (and then to get good jobs at top employers and then to advance up the ranks at said employers). But, this competition is primarily localized to members of the upper and upper-middle classes.
Meanwhile, American society is measurably breaking into the haves and the have-nots with a shrinking middle-class. A similar bifurcation occurred in the early 1900s, but was checked by the very people at the top who recognized that American society needs to be dynamic in order to be robust. Thus came the creation of measures of merit like the SATs.
The difference between now and then is that in the early 1900s, the upper classes easily perceived the stratification making it relatively easy to motivate people to address the problem. With the extremes of the current merit system, all the upper-classes perceive is extreme competition - but only among themselves. From their perspective it is still a merit based system. But when it takes a $90K prep-school and a $10K SAT-prep course plus a "legacy" contribution to gain entrance to a top-school, we are very close to where we were at the start of the 20th century -- excluding huge swathes of society from the opportunity to advance themselves.