Hacking applicants turned down by Stanford

  • Thread starter: exequor
  • Tags: Hacking Stanford
SUMMARY

Stanford University rejected 41 applicants for unethical behavior after they followed a hacker's advice to check their admissions status through unauthorized access to the school's computer system. The applicants, seeking admission to the Graduate School of Business for an MBA, were found to have viewed incomplete personal information. Dean Robert Joss stated that each application was reviewed individually, but none provided a satisfactory explanation for their actions, leading to a unanimous decision to deny admission due to ethical violations.

PREREQUISITES
  • Understanding of ethical standards in academic admissions
  • Familiarity with computer security principles
  • Knowledge of URL manipulation techniques
  • Awareness of the implications of unauthorized access to information systems
NEXT STEPS
  • Research ethical guidelines for academic institutions
  • Learn about computer security best practices for protecting sensitive information
  • Study the legal ramifications of unauthorized access to computer systems
  • Explore case studies on admissions ethics and integrity in higher education
USEFUL FOR

Admissions officers, ethics committees, cybersecurity professionals, and anyone interested in the intersection of technology and academic integrity.

  • #31
dduardo said:
First, it's cracking, not hacking.

And I thought I was going to be the first to point out the insulting misuse of terminology.

Hackers build things. Crackers break them. There is a difference.

Second of all, they aren't breaking into any computers and trying to gain privilege escalation. They are simply manipulating the url string. For all I know some 3rd party javascript from a sketchy site changed the url.

Url modification is hardly cracking. Stanford just doesn't want to look bad in light of the current identity theft mess (LexisNexis, etc). They are just trying to cover their behind. You know there are people out there asking "If they can easily find out their admission status, what else can they find out? (SS Numbers, Addresses, etc of other people)"

Url modification is nothing. I don't think you can even call that unethical. It'd be akin to me trying to guess someone's password once or twice for the hell of it, to see if I could. I could never seriously expect it to work, and if it did, then whoever set the password was an idiot. Same with url modification.

It also doesn't help that the media is sensationalizing this story.

When have they ever done anything useful?
 
  • #32
dduardo said:
"No material from these pages may be copied, reproduced, posted, transmitted, or distributed in any way, except that you may print or download on any single computer one copy of the materials for non-commercial use only, provided you keep intact all copyright and other proprietary notices."

If ApplyYourself.com is KNOWINGLY putting information on their website, don't they expect people to view its content, especially if no password is required? Based on the legal notice people visiting the site have every right to download a copy of the material being hosted on the site for noncommercial purposes.

Let me ask you this: Is it unethical for a google bot to index and cache a page which was not specifically denied in robots.txt?

You can't compare url modification to breaking and entering just as you can't compare robbing a music store to downloading a copy of music off the web. In the real world you deal with physical property while on the net you deal with intellectual property. Two different beasts entirely.


I agree, changing a URL to view information that isn't protected but just isn't linked to isn't cracking. It's a bad error on the sys admin's half.

I would think/hope that if this went to court, it would be chucked out.
 
  • #33
You guys are missing the point, how they obtained the information is not the issue. It does NOT matter how they got into the computer. If the papers were lying on a pedestal in an empty room, it would still be unethical for them to read the results. It's the fact that they tried to obtain information by bypassing normal allowable procedures. It was unethical.

Dictionary definition of unethical

unethical - not conforming to approved standards of social or professional behavior
 
  • #34
Evo, you still have the wrong analogy. The Internet is like a library, a public place where anyone is allowed. A page on the site is like a book. ApplyYourself.com knowingly published the books in the library, therefore you would expect people to check out the books.

I have to agree with Ed Felten, a respected Princeton Professor, that the punishment was too harsh.

"I might feel differently if I knew that the applicants were aware that they were breaking the rules. But I’m not sure that an applicant, on being told that his letter was already on the web and could be accessed by constructing a particular URL, would necessarily conclude that accessing it was against the rules. And it’s hard to justify punishing somebody who caused no real harm and didn’t know that he was breaking the rules." - Ed Felten
 
  • #35
dduardo said:
Evo, you still have the wrong analogy. The Internet is like a library, a public place where anyone is allowed. A page on the site is like a book. ApplyYourself.com knowingly published the books in the library, therefore you would expect people to check out the books.
No, the correct analogy is that the internet is a system of roads and along these roads there are homes and businesses. Each one can be reached by an address (URL, IP address). Some are public some are private. Even in public places there are rules. They broke the rules.

These people were applying to school for their masters. They knew what they were doing was wrong. Just because no damage was done doesn't mean they didn't act unethically, which is why they were denied.

Can I go into someone's house and rummage around as long as I don't steal or damage anything? No, it's called trespassing, illegal entry.
 
  • #36
I don't understand something here. Are some of you privy to more information than the others? Some people are saying that they simply changed the URL or were told their applications were online and they could go retrieve it. Where are they getting this information? It's not in the article so I am assuming some people have a different source of information and I would like to see it too.
 
  • #37
Can I go into someone's house and rummage around as long as I don't steal or damage anything? No, it's called trespassing, illegal entry.

Of course not, but in this case that isn't what happened (imo)...

They had a huge billboard in their living room with secret info, but didn't close the curtains...So they just 'walked past' and had a peek through the window, they didn't trespass, they did what we are doing right now, looking at a public www site... ie looking through the window at publicly available info, if the info wasn't supposed to be public then don't put it up on the www site...

Anyway the person who was the most unethical was the person who told them, if you look at such and such url you will find info on your application!
 
  • #39
Oh well if that's how they did it, that's completely unethical. They were snooping around, plain and simple. I think the 'peek through your window' analogy would now have to be modified so that there was a curtain blocking the billboard and you walked through the door and opened the curtain to see the billboard...

which to me is unethical.
 
  • #40
I'd place the "blame", if there actually is any to place, 50/50 after reading the description ... being turned down because of sloppy software & admin seems like another act of PC PR. Ethics ought to be reserved for issues which actually matter.
 
  • #41
PerennialII said:
I'd place the "blame", if there actually is any to place, 50/50 after reading the description ... being turned down because of sloppy software & admin seems like another act of PC PR. Ethics ought to be reserved for issues which actually matter.
I agree with you, it is 50/50. I've seen lots of cases like this on Judge Judy and it ends up with the responsibility going 50/50.

unethical - not conforming to approved standards of social or professional behavior
Maybe ethics is the problem after all because what someone may perceive as unethical another person may not and that's how the world is. People always try to put limits on these things but I guess that's one of the pitfalls of "freedom". I heard of the story where a burglar broke into a house, got injured, and still sued the owner of the house. Now, is this ethical?

Oh I got the answer to the problem; Stanford should just let all prospective students view their admissions status. I can't believe the solution was that easy (sarcastically).
 
  • #42
But isn't Judge Judy just... stupid :D. I mean, aren't there normally 2 people who both did something rather unethical/illegal and not just 1 person (like in this case)
 
  • #43
Pengwuino said:
But isn't Judge Judy just... stupid :D. I mean, aren't there normally 2 people who both did something rather unethical/illegal and not just 1 person (like in this case)
True, because whenever it's only one person, the case only takes 5 minutes to solve.

It all falls back to ethics, it's the same reason why hacking is considered unethical. In the past social engineering was the main way for the hackers to get into a system and maybe it still is today, it's too bad guys like Kevin Mitnick had to go to jail for nothing (my opinion).
 
  • #44
Evo said:
No, the correct analogy is that the internet is a system of roads and along these roads there are homes and businesses. Each one can be reached by an address (URL, IP address). Some are public some are private. Even in public places there are rules. They broke the rules.

These people were applying to school for their masters. They knew what they were doing was wrong. Just because no damage was done doesn't mean they didn't act unethically, which is why they were denied.

Can I go into someone's house and rummage around as long as I don't steal or damage anything? No, it's called trespassing, illegal entry.


No, it's not. If I put up a file that has public read permissions on it on a website, that I don't want someone to see, that is my own damn fault. Granted, what these kids did was stupid and unethical, but it is not akin to trespassing or breaking and entering in any way.
 
  • #45
franznietzsche said:
No, it's not. If I put up a file that has public read permissions on it on a website, that I don't want someone to see, that is my own damn fault. Granted, what these kids did was stupid and unethical, but it is not akin to trespassing or breaking and entering in any way.
That's what I've been saying in every single one of my posts...it's unethical.

Trespassing and illegal entry had to do only with going in someone else's house.
 
  • #46
Evo said:
That's what I've been saying in every single one of my posts...it's unethical.

Trespassing and illegal entry had to do only with going in someone else's house.


I don't think it deserves a bold unethical. It was unethical only in the sense that they were abusing someone else's stupid mistake. In so far that they profited from it, or that the other suffered from it (other than humiliation), I don't see how you can make a case for that. So they saw their admissions status early. And? Again, they shouldn't have done it, and they knew they weren't supposed to, but a far bigger deal is being made out of it than should be.

After all, it's not like they were illegally stealing computer lab time from their university for personal profit *cough**cough*.

edit: Further, maybe you don't really realize how much this is the fault of the people running the website. All it takes to keep people from seeing a page who aren't supposed to is 'chmod 660 filename' (on a *nix platform, Windows I don't know, I don't use windows for any real purpose anymore). That's all it takes. One command, and voila, they can't see the page even if they try that trick with the url. And any competent webadmin should know not to have readable permissions for anyone other than the owner UNTIL you want the page seen. PERIOD.
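
The permission change named in the post above, shown as an added example that is not part of any post in this thread: it audits a docroot for pages that are meant to be withheld but still carry the world-read bit. All paths, file names and the manifest are constructed, and the check assumes static files served by a process that is neither the files' owner nor in their group (otherwise mode 660 still lets the server read them).

```shell
#!/bin/sh
# Added example. All paths and file names are constructed for illustration.

# Withhold a page: read/write for owner and group, nothing for "other".
withhold() { chmod 660 "$1"; }

# Release a page: owner read/write, everyone else read-only.
publish() { chmod 644 "$1"; }

# List files under docroot $1 that carry the "other" read bit (004).
list_world_readable() {
    ( cd "$1" && find . -type f -perm -004 | sort )
}

# Every path in manifest $2 (one per line, relative to docroot $1) must not
# be world-readable. Prints each offender; returns 1 if any were found.
audit_unreleased() {
    docroot=$1; manifest=$2; status=0
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ -n "$(find "$docroot/$rel" -type f -perm -004 2>/dev/null)" ]; then
            printf 'EXPOSED %s\n' "$rel"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# Build a constructed docroot: one linked page, two unlinked decision pages,
# one of which was left readable by mistake. Prints the docroot path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/decisions"
    echo "home" > "$root/index.html"
    echo "decision A" > "$root/decisions/a.html"
    echo "decision B" > "$root/decisions/b.html"
    publish "$root/index.html"
    publish "$root/decisions/a.html"    # unlinked, but still readable
    withhold "$root/decisions/b.html"
    printf 'decisions/a.html\ndecisions/b.html\n' > "$root/unreleased.txt"
    chmod 600 "$root/unreleased.txt"
    echo "$root"
}

# Run the audit over the fixture, clean up, and return the audit's status.
demo() {
    d=$(make_fixture)
    rc=0
    audit_unreleased "$d" "$d/unreleased.txt" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```

The audit flags `decisions/a.html`, the page nobody linked to but anyone could fetch; running `withhold` on it clears the finding.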
 
  • #47
franznietzsche said:
I don't think it deserves a bold unethical. It was unethical only in the sense that they were abusing someone else's stupid mistake. In so far that they profited from it, or that the other suffered from it (other than humiliation), I don't see how you can make a case for that. So they saw their admissions status early. And? Again, they shouldn't have done it, and they knew they weren't supposed to, but a far bigger deal is being made out of it than should be.

After all, it's not like they were illegally stealing computer lab time from their university for personal profit *cough**cough*.

edit: Further, maybe you don't really realize how much this is the fault of the people running the website. All it takes to keep people from seeing a page who aren't supposed to is 'chmod 660 filename' (on a *nix platform, Windows I don't know, I don't use windows for any real purpose anymore). That's all it takes. One command, and voila, they can't see the page even if they try that trick with the url. And any competent webadmin should know not to have readable permissions for anyone other than the owner UNTIL you want the page seen. PERIOD.
I know what you are saying, but I have been called in as an expert witness in a number of cases that went to court. The fault mainly lies on the perpetrator. Just because he finds a weakness does not give him authority to then enter the site and do as he pleases. It would be like a robber finding the home owner dropped their keys outside, he finds them, then lets himself inside to do whatever he wants. It is illegal entry and trespassing, even if there is no theft. That person has no right inside your home. We have a right to expect reasonable use on the internet. Anything that goes beyond that is not ok.

As with anything illegal, if it does not adhere to the rules you've been given, don't do it. I'm talking about the world of corporate business here. Stanford has a good reputation in business, which is why their MBA graduates are sought after. If it became known that a number of applicants had used questionable methods with which to obtain status and Stanford had not cracked down on them, Stanford would have lost a lot of respect in the business community. People want to get their MBA from Stanford because its reputation opens doors. That reason is because they are respected for high quality academics and ethics. If Stanford would have brushed this under the rug, they would have lost faith of many large corporations that look to them to produce applicants of high ethical character.

So if the actions by Stanford seemed steep, yes they were and for a reason. The very same reason these applicants wanted to go there, "the name" and the credibility. Stanford does not wish to lose either.

Hey there are shopping strip mall colleges that give out MBA's, they can always go to one of these, they probably won't mind if they check on status without permission...a match made in heaven. :-p
 
  • #48
Evo said:
I know what you are saying, but I have been called in as an expert witness in a number of cases that went to court. The fault mainly lies on the perpetrator. Just because he finds a weakness does not give him authority to then enter the site and do as he pleases.

I agree.

It would be like a robber finding the home owner dropped their keys outside, he finds them, then lets himself inside to do whatever he wants. It is illegal entry and trespassing, even if there is no theft. That person has no right inside your home. We have a right to expect reasonable use on the internet. Anything that goes beyond that is not ok.

I would think it's more akin to leaving your belongings on the front lawn, under a tarp, than leaving your house open.

I'm not saying what the kids did was permissible.

As with anything illegal

There is nothing illegal about what they did (AFAIK. They did not gain unauthorized access to the system (user access), did not do anything to the university's system, did not steal anything, aside from information about themselves).

, if it does not adhere to the rules you've been given, don't do it. I'm talking about the world of corporate business here. Stanford has a good reputation in business, which is why their MBA graduates are sought after. If it became known that a number of applicants had used questionable methods with which to obtain status and Stanford had not cracked down on them, Stanford would have lost a lot of respect in the business community. People want to get their MBA from Stanford because its reputation opens doors. That reason is because they are respected for high quality academics and ethics. If Stanford would have brushed this under the rug, they would have lost faith of many large corporations that look to them to produce applicants of high ethical character.

I'm not saying Stanford had any choice. Of course they had to reject the students as a result, doesn't mean the punishment fit the crime though. Stanford had to protect its reputation. Looking incompetent by admitting the mistake was their own (or whoever was maintaining the site, seems it was actually used by a number of universities) would have hurt them, as would letting the students in. They did what they had to do. I have no complaint with that, that's how reality works.

So if the actions by Stanford seemed steep, yes they were and for a reason. The very same reason these applicants wanted to go there, "the name" and the credibility. Stanford does not wish to lose either.

Indeed. If I had been forced to make the decision for Stanford in their best interests I would have done the same thing they did.

However vilifying these kids (who are actually all older than me, but that's beside the point) is unnecessary, and not warranted.
 
