Hacking applicants turned down by Stanford

[exequor]

Stanford, CA, May. 31 (UPI) -- California's Stanford University has rejected 41 prospective students for following a computer hacker's advice to check admissions status.

The students had been seeking entrance into Stanford's Business School with the goal of a master's of business administration, but all have been denied admission, the San Francisco Chronicle reported Tuesday.

The applicants allegedly followed the advice of a person who hacked into computer system that stored application information for several colleges and universities. The applicants were able to see only their own information, some of which was incomplete when the hacking occurred in March, media reports at the time stated.

The schools involved said they considered the checking an ethics violation.

Dean of the Graduate School of Business Robert Joss said each of the applications was considered individually, however, none of the prospective students could offer a good explanation for taking the hacker's advise.

I still don't get the reason for turning down their applications, maybe if they did something to influence their admissions decision I would understand.

 

[Evo]

I still don't get the reason for turning down their applications, maybe if they did something to influence their admissions decision I would understand.

Because hacking into the school's computer system is unethical, at the very least. Not to mention dumb.

 

[Pengwuino]

Because hacking into the school's computer system is unethical, at the very least. Not to mention dumb.

exactly! And besides! The business world can't have its good name tarnished by introducing such unethical people into the bloodline ;)

 

[Evo]

exactly! And besides! The business world can't have its good name tarnished by introducing such unethical people into the bloodline ;)

These people got caught being unethical before even getting started, they'd never stand a chance in business.

 

[Pengwuino]

haha... who knows, maybe their action would have qualified for course credit if they hacked someone else :D

 

[dduardo]

I think it is the web developers fault for allowing this to happen. It would be completely irresponsible to not have some type of effective timestamp that prevents a page from generating before an acceptable time. This is basic security 101.

This happens all the time with corporate press releases. For example if a company has their press releases as such:

http://www.companyA.com/pr/release-2005-05-24.html

I don't consider it hacking or unethical if I try entering dates in the future such as:

http://www.companyA.com/pr/release-2005-06-24.html

 

[Pengwuino]

I think its the hackers fault for hacking in

 

[Hurkyl]

I think it is the web developers fault for allowing this to happen.

And it's the homeowner's fault for leaving his door open, allowing people to steal his stuff too, eh?

I don't consider it hacking or unethical if I try entering dates in the future such as:

Same analogy. (I'm feeling lazy!)

 

[Jameson]

Stanford looked bad and needed to do something to take away the attention. If they had allowed the students to attend their school it would be like inviting hackers from all over the globe to take a stab at Standford.

 

[exequor]

The applicants more or less took advice from a hacker (I know that is no excuse). I don't think what they did was right either but I'm sure if every one of you on this board come across some website one day that had information about the future, most of you would stop and read every single line.

Let's say that you came across some government website showing all the lucky people that won't be taxed, would you look? I'm dying to see who replies and says that they won't.

 

[Hurkyl]

Why would I?

 

[dduardo]

And it's the homeowner's fault for leaving his door open, allowing people to steal his stuff too, eh?

If you leave your Aston Martin in a bad neighborhood with the doors unlocked and the keys in the ignition, then your an idiot. All I'm trying to say is that there should be a level of accountability on the part of the company writing the software.

Also, what's so wrong about knowing if you got accepted or not? It's not like your changing your admission status.

 

[Huckleberry]

As a citizen the government is responsible to me. It is my right to view my public records. Stanford is a private university. Their records belong to them, not prospective students. The students cheated and got caught. Maybe their ethical violation was that they couldn't come up with a convincing lie. They'd never make it in the business world anyway.

Deny, deny, deny. "My mom must have done it because she was anxious for me." "The hacker did it." "What are you talking about? Did I get in?" "I'll sue unless you can prove I did it."

 

[Evo]

If you leave your Aston Martin in a bad neighborhood with the doors unlocked and the keys in the ignition, then your an idiot. All I'm trying to say is that there should be a level of accountability on the part of the company writing the software.

Yes, they should have better security, but that doesn't making hacking ethical. And why do we all need security? Because of unethical people. :grumpy:

Also, what's so wrong about knowing if you got accepted or not? It's not like your changing your admission status.

Ok, let's say that you've applied for a job at XYZ company and some hacker tells you how you can break into XYZ company's computer and see the status of your application. XYZ finds out what you've done and decides not to hire you. Can you guess why?

 

[Evo]

As a citizen the government is responsible to me. It is my right to view my public records.

Tried hacking into the IRS website to check your tax status lately?

 

[dduardo]

First its cracking, not hacking.

Second of all, they aren't breaking into any computers and trying to gain privilege escalation. They are simply manipulating the url string. For all I know some 3rd party javascript from a sketchy site changed the url.

Url modification is hardly cracking. Stanford just doesn't want to look bad in light of the current identity theft mess (LexisNexis, etc). They are just trying to cover their behind. You know there are people out there asking "If they can easily find out their admission status, what else can they find out?(SS Numbers, Addresses, etc of other people)"

It also doesn't help that the media is sentationalizing this story.

 

[Evo]

They accessed information which did not belong to them and had no authorization to view. They got what they deserved.

Let's change the scenario from computer to real life. I want to check on my application status so I go to the admissions office, the door is closed, but unlocked, (or closer to the computer scenario, the door is locked, but I found the key on the secretary's desk) I let myself in, no one is there, I start going through the filing cabinets looking for my application status, the administrator walks in and finds me. They decide that my behavior is unethical and dismiss my application.

The students didn't want to wait. Well who does? Sorry, I do not feel sorry for these students, they took a chance (for a really stupid reason) and got caught. There is just no way you can look at this and say they were within their rights to do it. They displayed immaturity and lack of restraint.

 

[Huckleberry]

Tried hacking into the IRS website to check your tax status lately?

I can barely operate a computer, nevermind try to hack or crack. But I still think I should have the right to view my own information. I think the government is wrong in this case.

 

[Evo]

I can barely operate a computer, nevermind try to hack or crack. But I still think I should have the right to view my own information. I think the government is wrong in this case.

Your tax information is available online, without hacking.

 

[Huckleberry]

Your tax information is available online, without hacking.

Ok, now your just playing with me.

 

[Evo]

Ok, now your just playing with me.

Well, except your information, that they're withholding.

 

[Huckleberry]

Not very sporting to go after small game. You really need more of a challenge. My 8 year old niece probably knows more about computers than I do. I'm such a luddite.

 

[dduardo]

"No material from these pages may be copied, reproduced, posted, transmitted, or distributed in any way, except that you may print or download on any single computer one copy of the materials for non-commercial use only, provided you keep intact all copyright and other proprietary notices."

If ApplyYourself.com is KNOWNINGLY putting information on their website, don't they expect people to view its content, especially if no password is required? Based on the legal notice people visiting the site have every right to download a copy of the material being hosted on the site for noncommericial purposes.

Let me ask you this: Is it unethical for a google bot to index and cache a page which was not specifically denied in robots.txt?

You can't compare url modification to breaking and entering just as you can't compare robbing a music store to downloading a copy of music off the web. In the real world you deal with physical property while on the net you deal with intellectual property. Two different beasts entirely.

 

[exequor]

I'm saying it again, I don't think what they did was right but think about it. Most universities allow students to check their admission status (thats what the applicants did). It's true, if Stanford wanted them to do that they would have put a link on the site, but I think the university has to take some of the responsibility because they should know that students may have other plans too.

And I think the story is exagerrated because this is not even hacking, think about this, I can do a WHOIS search for a particular IP address, you may not want me to look up your IP address, so what are you saying, I'm being unethical (this may be a bad analogy). Bottom line, they did not do anything to their advantage, they simply viewed information. If I saw the PS3 three months before E3 am I being unethical?

 

[Hurkyl]

If you leave your Aston Martin in a bad neighborhood with the doors unlocked and the keys in the ignition, then your an idiot.

Certainly. That doesn't mean it's not a crime when someone steals it.

All I'm trying to say is that there should be a level of accountability on the part of the company writing the software.

Whether you were trying or not, you also said the students were blameless.

 

[Minorail]

Is Stanford famou sin us, i never heard of it fame in asia. here we heard only of mit and berkely, and perhpas another is Usc. i tell truthfully.

 

[Minorail]

i only wonder why such an infamos school is having people applying for buz, some other like mit, berk isn't better better. graduate always easier then undergraduate.
and those graduates only concetrte on a special subject, some are even unable to clearly state reason why assembly is not used for making sofware. blive me.
If some professor from stanforx are here,please check this out with all of your graduate student to see if i am correct. , espeially those who specialise in software development. :tongue:

 

[Pengwuino]

@Minorail

Stanford is one of the top universities in the United States.

@Topic

Does anyone know if this was a hack or a simple url change?

If any security was bypassed, that's completely unethical. If they simply changed urls and had full intent of viewing their application, that's still unethical but a lawyer would be able to convince you differently.

 

[franznietzsche]

Yes, they should have better security, but that doesn't making hacking ethical. And why do we all need security? Because of unethical people. :grumpy:

Hacking is perfectly ethical. Cracking on the other hand... </being an ass>

 

[franznietzsche]

Is Stanford famou sin us, i never heard of it fame in asia. here we heard only of mit and berkely, and perhpas another is Usc. i tell truthfully.

The only difference between Stanford, MIT, and Berkely is that Stanford gives everyone a 4.0 (not really, but their grades are notorioualy inflated, medical schools ignore GPAs from Stanford altogether, or so I've been told (Of course, it was a Berkely alumn who told me this so...meh).

 

[franznietzsche]

First its cracking, not hacking.

And i thought i was going to be the first to point out the insulting mis-use of teminology.

Hackers build things. Crackers break them. There is a difference.

Second of all, they aren't breaking into any computers and trying to gain privilege escalation. They are simply manipulating the url string. For all I know some 3rd party javascript from a sketchy site changed the url.

Url modification is hardly cracking. Stanford just doesn't want to look bad in light of the current identity theft mess (LexisNexis, etc). They are just trying to cover their behind. You know there are people out there asking "If they can easily find out their admission status, what else can they find out?(SS Numbers, Addresses, etc of other people)"

Url modification is nothing. I don't think you can even call that unethical. It'd be akin to me trying to guess someone's password once or twice for the hell of it, to see if i could. I could never seriously expect it to work, and if it did, then whoever set the password was an idiot. Same with url modificaiton.

It also doesn't help that the media is sentationalizing this story.

When have they ever done anything useful?

 

[Anttech]

"No material from these pages may be copied, reproduced, posted, transmitted, or distributed in any way, except that you may print or download on any single computer one copy of the materials for non-commercial use only, provided you keep intact all copyright and other proprietary notices."

If ApplyYourself.com is KNOWNINGLY putting information on their website, don't they expect people to view its content, especially if no password is required? Based on the legal notice people visiting the site have every right to download a copy of the material being hosted on the site for noncommericial purposes.

Let me ask you this: Is it unethical for a google bot to index and cache a page which was not specifically denied in robots.txt?

You can't compare url modification to breaking and entering just as you can't compare robbing a music store to downloading a copy of music off the web. In the real world you deal with physical property while on the net you deal with intellectual property. Two different beasts entirely.

I aggree, changing a URL to view information that isn't protected but just isn't linked to isn't cracking.. Its a bad error on the sys admins half..

I would think/hope that if this went to court, it would be chucked out

 

[Evo]

You guys are missing the point, how they obtained the information is not the issue. It does NOT matter how they got into the computer. If the papers were laying on a pedestal in an empty room, it would still be unethical for them to read the results. It's the fact that they tried to obtain information by bypassing normal allowable procedures. It was unethical.

Dictinary definition of unethical

unethical - not conforming to approved standards of social or professional behavior

 

[dduardo]

Evo, you still have the wrong analogy. The Internet is like a library, a public place where anyone is allowed. A page on the site is like a book. ApplyYourself.com knowningly published the books in the library, therefore you would expect people to checkout the books.

I have to agree with Ed Felten, a respected Princeton Professor, that the punishment was too harish.

"I might feel differently if I knew that the applicants were aware that they were breaking the rules. But I’m not sure that an applicant, on being told that his letter was already on the web and could be accessed by constructing a particular URL, would necessarily conclude that accessing it was against the rules. And it’s hard to justify punishing somebody who caused no real harm and didn’t know that he was breaking the rules." - Ed Felten

 

[Evo]

Evo, you still have the wrong analogy. The Internet is like a library, a public place where anyone is allowed. A page on the site is like a book. ApplyYourself.com knowningly published the books in the library, therefore you would expect people to checkout the books.

No, the correct analogy is that the internet is a system of roads and along these roads there are homes and businesses. Each one can be reached by an address (URL, IP address). Some are public some are private. Even in public places there are rules. They broke the rules.

These people were applying to school for their masters. They knew what they were doing was wrong. Just because no damage was done doesn't mean they didn't act unethically, which is why they were denied.

Can I go into someone's house and rumage around as long as I don't steal or damage anything? No, it's called trespassing, illegal entry.