When universities created business schools in the 20th Century traditional academics decried the collapse of standards. Instead of students studying Literature, Art, History, and Science they would be going through the motions of a scholar while occupying their minds with things that formerly had been learned at a desk as an apprentice in a dreary Victorian counting house. Now in the 21st century the B-schools are degrading the term “computer hacking”.
Here are the facts:
- Harvard and a bunch of other B-schools with a collective IT budget of maybe $50 million decided that writing Perl scripts was too hard so they outsourced Web-based applications to a company called ApplyYourself.
- You’d think that the main advantage of a centralized service such as ApplyYourself would be that a prospective student could fill out one application and the information be sent simultaneously to many schools. However, this is not how it works. Each school has a totally separate area with ApplyYourself.
- All the smart young Americans have gone to law, business, and medical school. Companies don’t like to hire old people (> 30 years) to write computer programs because it saddens them to see old folks doing something so degrading. Thus ApplyYourself hired whoever was rejected by professional schools to write up some Visual Basic scripts to process HBS and other B-school applications.
- The ApplyYourself code had a bug such that editing the URL in the “Address” or “Location” field of a Web browser window would result in an applicant being able to find out his admissions status several weeks before the official notification date. This would be equivalent to a 7-year-old being offered a URL of the form http://philip.greenspun.com/images/20030817-utah-air-to-air/ and editing it down to http://philip.greenspun.com/images/ to see what else of interest might be on the server.
- Someone figured this out and posted the URL editing idea on the BusinessWeek discussion forum, where all B-school hopefuls hang out and a bunch of curious applicants tried it out.
- Now all the curious applicants, having edited their URLs, are being denied admission to Harvard and, due to the fact that universities form cartels to fix tuition prices and other policies, presumably to the other B-schools as well.
One interesting data point is that I once supervised a couple of MIT students building an online system for submission of essays to be graded. MIT and a bunch of other schools have writing requirements. Students submit essays. These are held in confidence from other students. A subset of users are authorized to grade essays and they are handed essays to evaluate. One server with a single database is programmed to handle students and evaluators from many different schools and keep everything that should be separate separated. The students building this system had never programmed in SQL before. Nor had they ever written a Web script to glue their SQL code to an HTML template. Nor had they ever written HTML before. The entire project, which requires the same workflow and main features of the ApplyYourself service, took them three months at 20 hours per week. Those kids are probably just graduating from med school now and preparing for their careers in radiology…
In the 1960s the term “hacking” meant smart people developing useful and innovative computer software. In the 1990s the term meant smart evil people developing and running programs to break into computer systems and gain shell access to those systems. Thanks to Harvard Business school the term now means “people of average IQ poking around curiously by editing URLs on public servers and seeing what comes back in the form of directory listings, etc.”
[Update: People have been asking me whether I think the schools are justified in rejecting the applicants who mucked with ApplyYourself’s URLs. Had I been an MBA applicant and heard about this security hole I probably would have tested it out. Not so much out of curiosity as to whether I’d gotten in but mostly to see if a school with nearly $30 billion in assets really was so contemptuous of quality in IT and also to see just how far the Web development industry has slid from its apex (probably 1994, when 5 reformed Lisp hackers built Amazon.com out of C CGI scripts talking to Oracle). I did something similar when writing Philip and Alex’s Guide to Web Publishing. I needed examples of Microsoft Active Server Page source code. There was at one time a bug in IIS/ASP that enabled anyone to view the source code by appending “::$DATA” to any .asp URL. Months after Microsoft had released a patch for this bug, I surfed around and found scripts at lots of prominent public servers, some of which scripts contained database usernames and passwords. I published the results in http://philip.greenspun.com/panda/server-programming#ASP, which was turned into a hardcopy textbook by Harcourt. So it seems that my curiosity into just how incompetent an institution with $billions in assets could be would have led to me failing the ethics test, being convicted of hacking, and being denied admission to a top business school.
Where would I personally draw the line? A grad student at MIT figured out that Fandango, the movie ticketing service, was passing the price of the movie ticket as a hidden form variable in the HTML instead of doing the pricing on the server at the final page. He was able to edit the HTML form in Emacs and submit it to Fandango and buy tickets for any price that he felt was fair (being a grad student, his preferred price for tickets was $0.25). He invited me to try it out but it but I thought that either Fandango or a movie theater would end up having to make up the difference and it didn’t feel right to take their money. The HBS/ApplyYourself situation falls into the “poking around with a browser” category where you get to see stuff but the Web publisher hasn’t been injured because they still have the stuff on their server (one of the strange characteristics of the digital age). As progressively dumber programmers build progressively more complex systems we will see more of this kind of attempt to paper over coding mistakes with lawyers, sanctions, policies, and laws. Hollywood and the RIAA are usually the most successful at getting the government to do their bidding. Thus I predict that one day Disney will have a Web site where you can buy access to any of their movies. Because all of their profits are being used to pay executive salaries this will have to be built at extremely low cost. Deficiencies in the softwrae will enable vast numbers of Americans to download Bambi for free, their ISPs will be forced to rat them out, and they will all get to see Martha’s Stewart’s cell in West Virginia first hand…]
If changing a url is hacking, then almost everyone with as web browser is a hacker!
That’s like saying every woman with one too-many buttons loose on her blouse is a hooker or every man with a zipper not all the way up is a flasher.
Doesn’t HBS management have better things to do with their time?
Don
And how do they know who actually “hacked” the URL? What if I did that to your application? Would you be banned? Dumb.
UFB!!
Being blamed for doing what comes naturally – checking different URLs on a web site – is outrageous. Can you imagine… “Warning! If you manually dick around with the URL to OUR web site in YOUR browser then WE will punish YOU.”
The lack of accountability and responsibility from HBS is so laughably absurd.
Hopefully at least one bright light in that crowd will realize the folly of attending B-School and do something more productive. Politics? Or maybe start a web services company that produces shoddy work, such as Apply Yourself?
This company is a joke. Check it out: http://fluxt.org/wordpress/index.php?p=74 – they can’t even get their own homepage to render properly in Firefox! Harvard, you want to kick someone around, go after the people holding your thousands of your dollars, not the ones who want to give you thousands of theirs.
One question: How do they know which students looked at what? Did they trace the IP addresses? Were the students logged in at the time?
Hey, waitaminute. That was two questions, wasn’t it? My bad.
What did they check out? Their own application? If that’s the case, then one could actually use the reverse to improve one’s odds. Check every application but your own… That would get all the other people banned, ensuring easy entry into HBS for anyone who didn’t check the URL 🙂
I won’t argue that the students who looked at records were guilty of something really bad, or that Harvard should punish them. I’m not sure that becasue a hack is easy excuses what is clearly illicit behavior… it’s a hair-splitter either way. Just as a thought exercise, however, what if that bit of hackery had put them on an edit page which enabled them easily to *change* their records. Would you similarly absolve them if they had taken that opportunity?
Anyway, what was clearly and blamefully illicit was that the person who discovered the vulnerability made it public rather than informing the school. The very fact of posting it — rather than just keeping it to himself — shows that he clearly understood that this was something extraordinary, something of value to the applicants and of detriment to the school. Whatever way they can, Harvard should definitely go after him.
hey,
david lewis, i have an elevator pass you might be interested in. i also specialize in bridge sales.
Worse, Lisa: three!
Congratulations, you’re invited at HBS for the right business spirit!
What was the name of the university cartel (Ivy League and Stanford or MIT?) that was broken up for price-fixing?
It was called something like the Clearing Group or the Offset Group.
Thanks.
The way I see it, each of the people were informed that their personal, confidential application information was publicly viewable. It was their right to see if their information was affected by this vulnerability. HBS owes all their prospective students a major apology for being such a careless steward of their applicant data.
HBS is clearly trying to shift the question from “how could one of the nation’s top b-schools contract the management of applicant data to a firm who mishandled it so badly?” to “why did the students look at their files?”
HBS is an institution in decline in so many ways — this is just a symptom.
None of the bullet facts you posted about this deal surprise me in the least, though I’m surprised at the outrage you express, given that this is an extremely tame example considering what I witness every day in the corporate business world where hundreds of thousands of dollars are thrown at outfits like this to produce shoddy software goods that the company would have been better served by having a few bright folks hammer out a couple of scripts.
Today I spent nearly 4 hours in an offsite meeting where over a thousand “IT professionals” gathered to hear a CIO speak. I gazed around and I wager that there really is only a handful of folks who are capable of writing those Perl scripts that could serve the function described in your blog post. You see, there’s the Project Managers who have their diplomas from the “Project Management Institute”, the desktop jockeys who can reinstall Windows but not the needed business application suite required (including your certificates), the help desk workers who can’t even pass on tickets to the proper group, the business analysts who don’t know the systems or the business, the architects designing the systems who’ve never written a line of code, the system administrators who have never setup the web servers but are responsible for maintaining and troubleshooting, etc… …meanwhile, senior executives make numerous cracks about the “low-level”, replaceable coder grunts who toil for the Indian offshore vendors…
And of course, SAP & Oracle are touted as the “silver bullet” that will solve all the ills that prevent rapid development, quality software… …all the while, hundreds of thousands of dollars are thrown at web based systems like the one you described, with the preponderance of bugs, security holes, and poor performance.
I can remember back in the day when one would be ashamed and ridiculed to release systems where the response time was anything but sub-second. Now, a chain of ass-kissing email floats about, saying how great a given service desk application is, despite 5+ second response times and inability to search on relevant information, like you know, information updates in the ticket that could serve as a natural history repository of past systems behavoir… …but most of the offshore coders can’t access that stuff anyway, so WGAF…
…sorry, I’m way OT now…
If these are the same guys who created the software running this blog, they probably did all us dumb programmers a favor by moving into medicine. 🙂
[IT] Death becomes it.
Management makes a dumb decision that screws everything up, and rather than own up to its mistake, it responds by getting rid of underlings.
The irony of this situation is that the B-school students are getting a more realistic business education through this mishap than they will receive in a Harvard classroom.
Response from the opposing viewpoint to a couple of things in this thread:
First, Lisa, if you take a look at the instructions that you would have to follow (which I pointed to yesterday on my own blog), you’ll see that the first step is to log into the system so that you can grab a unique ID from the resulting URL. That unique ID is used to identify the student’s records by the web page that was vulnerable to being hacked. So you had to have a user ID and password as an applicant before you could perform the exploit–unless you were packet-sniffing and just happened to randomly grab the right unique ID value.
Second, I think that calling this the equivalent of going up one directory in a URL structure is a little misleading, Philip. I agree with your überpoint that calling this a “hack” trivializes the word hack. However, the students had to look up not only a session ID but also another hidden variable from the system before they inserted that information into a URL that was handed out.
That’s not just deleting everything after the last slash in a URL that you know about. A better analogy might be to a script kiddie who sees information on a BBS that you can exploit a remote server by running an executable.
I had reservations initially about whether HBS’s actions were justified, but I don’t now. There’s curiosity, but there are also consequences.
That said, if they don’t publicly get rid of ApplyYourself’s services, then heads really should roll.
Hard to tell precisely what happened with this BSchool flap.
We can speculate as to the technical specifics as much as we want & really not know exactly what happened.
My speculation is thus… sounds like the website left the keys in the door & (potentially to the applicants) a stack of $100 bills on the coffee table. When someone on the BusinessWeek blog/site announced the door was effectively open motivated applicants “simply” went & opened the door. Sounds like basic human nature to me.
From what little I can see of this flap, the BSchools (or their website/agent) are the ones that screwed up, not the applicants.
As a comment on the world of business ethics… when I was doing trade shows, I was instructed by my boss that when he’d worked at XYZ company it was considered a firing offense for someone to attend a trade show (at company expense) & NOT return with an attendees list.
By the way, walking up a URL is as easier as Command-clcking on title bar if you’re using Safari on Mac OS X.
If a company is getting paid big bucks to do a webdesign, wouldn’t they take a few additional minutes to include one line redirect index.html files within the directory structure to keep out the peeps?
<META HTTP-EQUIV=”Refresh” CONTENT=”0; URL=http://www. .com”>
Er, Tim, I think your analogy is WAY off base. Fiddling with the URL is like walking up to the admissions desk, asking to see your own file, and them handing it to you. In this case the website is playing the role of the admissions desk. It’s their fault that they had insufficient controls on the distribution of admissions files.
Just thought that since I am one of the ostracized, I should put my 2 cents in here.
What IF the link was not to a decisions page, but to the page with my credit card info on the ApplyYourself site? hmmm, would I be a hacker then? The fact that this was so easy that a 7 year-old could figure it out absolutely invites everyone to check it out for themselves, in my opinion.
There is absolutely no other place in the world with as much personal information about myself than my Harvard App… shall I describe:
– current phone, address, email addresses, credit card info, SS#
– parents name, addresses, phone numbers
– place of business over the last 8-9 years, including phone, adresses,etc.
– managers’ names, emails, phone numbers
– every school I attended since high school
– ever grade I received in college
ok, I could continue but you get the picture. The application is about 15 pages long. Hmmmm, does anyone see a problem with this? That’s a lot of info that HBS has about me. To have that data in there coupled with inexcusably poor security does not make me a bad person. But shall I also remind people where the ‘feces rolls’….downhill, ya? There’s no one lower than an MBA applicant in this instance. Hence, I take all blame.
I don’t mind getting the ding for poor judgment (which is still arguable, I believe), but to call me unethical is plain wrong. If HBS does not hesitate to declare to the world that I am unethical, I would at least appreciate an equally flattering statement that applyyourself is completely incompetent.
I added my comments to Tim’s blog- but I think some of the responses here are a bit over the top.
I’m not sure I’d call this hacking- in fact, I’d admit that technical curiosity would absolutely have gotten the best of me. Would everyone feel the same if applicants were left in a room with a filing cabinet marked “Admissions Decisions” and those that peeked were denied acceptance?
I think the punishment is a bit extreme given the simple nature of the hack. Still B-schools are under tremendous pressure to develop and implement ethics curriculums. It would be hypocritical of them not to consider this a violation of ethics. Every one of these applicants knew the decision date AND that they were viewing something that the general public wasn’t being allowed to view.
When I was applying to business school the “hack” was to figure out what your email address was and send it an email. If it bounced, the answer was unknown, if it didn’t, you were in. They fixed that “hack”. So sure people sent emails, but there was too much uncertainty to feel like you were crossing the line.
No doubt, ApplyYourself should be ashamed that they built such a terrible process for such personal data.
Where the heck did the web programming mantra of “don’t trust any user input” disappear to? This is even more important these days with SQL injection attacks, XSS attacks, etc.
something of this sort happened in India this yr. The results of the biggest management exam in India,CAT got “Leaked” because of a bug in the result section. One could access this years result by changing the year in last years URL.Many saw their result days before it was actually announced. This flaw was gracefully accepted by the Test makers and no action was taken against ppl who saw their results. This showed mature thinking by the Test makers unlike HBS who are passing their fault onto poor students
I wonder what decision-making process the drivers of the ApplyYourself decision used. I wonder how they evaluated the situation and how they selected the vendor.
I wonder who’d want a MBA degree from a university that doesn’t take their own good advice, which they presumably sell to you at a premium in their curriculum.
I wonder …
As an aside, what would have been funnier is if someone (not necessarily even an applicant) took copies of everyone’s admission information and reposted it anonymously somewhere. This would leave details in their access logs that everyone’s information was accessed (thus not being able to single out any individual student’s admission because “they peeked”) — which reminds me of this urban legend. Similar technique.
oh yeah….it’s all gone a little bit pear shaped. next on alarmistnews: IBM global services bankrupted by high school class of script kiddies
btw JWB your analogy is way off also. The files were not visible from the navigation of the site…it was not the intention to post them publicly. its more like, you walk up to the admissions desk, and see the whole folder of letters sitting on the reading table next to people f-in magazine and the clerk is not around…so you open up the folder and have a look.
theSlayer: Isn’t that considered “hidden in plain sight”? It’s not illegal for police officers in the US to seize stuff without a warrant if it’s in plain sight, so why is it unethical for students to access data that exists in a similar fashion?
Could HBS be sued for violating some confidentiality agreement here? Is this whole thing a distraction in order to avoid lawsuits from applicants? Hmm …
Actually, Dossy, I believe HBS’s decision not to release the names of the 119 is in order to avoid lawsuits from them in case other schools reject them. HBS can reject whomever they want, for whatever reason.
This situation is a disgrace and I’m glad some facts are getting out. Yet the mainstream media still seems clueless about the whole thing preferring to use “hacker” to describe normal web surfing. It’s disgusting.
Here is a post from the BW forum
“My two cents on HBS saga: I am a techie and a also affected by this.
Try a browse called opera or firefox. Click on tools>links. You would see all links from this page to anywhere else. One of those is status link. NO URL EDITING.
click it.
welcome yourself to HBS, MIT, and what not ding club. So much for ethics, and for doing things after listening to one side of rant. Is this right informed decision making, where consulting is not done with someone qualified enough to make a comment but only with one of the parties that has an interest in decision?”
Now may be HBS/MIT will ban all use of FF/Opera by applicants n students!
theSlayer, I’m still not with you. Suppose the documents are not linked anywhere on the site, and therefore can be considered nominally “secret”. A real-world analog would be, you walk into the document control department at HBS and politely ask the nice old ladies who work there “may I please see the secret document”, and they *give* it to you willingly. Most organizations have highly structured document control policies (ISO9000, anyone?) and these policies should apply to Internet document control, as well! But here’s HBS making a big blunder, and instead of realizing they have a document control error, they are blaming people for having asked for and gotten the Super Secret Thing. It’s dumb, and in my opinion not the fault of the applicants.
Moreover, these applicants did not misrepresent their identity to gain access. They were logged in under their own accounts. So imagine the guy in the analogy is wearing his own, legitimate security badge around his neck the whole time.
Ranting on your blog is one thing. Ranting in the Dean’s office is another.
“Thus I predict that one day Disney will have a Web site where you can buy access to any of their movies. Because all of their profits are being used to pay executive salaries this will have to be built at extremely low cost. Deficiencies in the softwrae will enable vast numbers of Americans to download Bambi for free, their ISPs will be forced to rat them out, and they will all get to see Martha’s Stewart’s cell in West Virginia first hand…]”
That is classic. One of the best things I’ve read all day.
I love it…
If this is the thinking of the faculty, maybe the world should question the qualifications of past and future graduates.
Through all these, there have been people who said curiosity has a cost (fine by me, though i seem to disagree on the cost of curiosity in this case).
As an IS Security expert, I am surprised that the Management of HBS acted in this way, (they have their reasons for applying the penaly, if they think what the students did was actually immoral, fine its up to them) But what happens to the Vendor which provided such a solution!!! 🙁
Is there any action taken on this team? I would love to hear some public information about the action taken on the vendor and the IT managers out there.!!!
Sarath.
Did the students login to the site? Did they knowingly go someplace they knew they were NOT suppose to be? Did the 119 students make some type of effort to “CHEAT” the system? Did they do it on their OWN accord? Answers are YES to all. These are people who want to be future business leaders!! If you play with fire and you get burned, you can’t blame the fire (unless you buy into the blamegame!) Doing something you know you shouldn’t should carry a penalty regardless if was easy or difficult. If you were accepted and now your not, then sit out a year and evaluate why you didn’t get through gate. Our nation’s youth have embraced how you can play the blamegame and say it wasn’t really there fault. Our country reaks of irresponsibility instilled at an early age. It wasn’t their fault because the software vendor had a bug? Give me a freakin’ break.
HBS and Applyyourself obviously have business to discuss but that’s a whole other issue.
The legal doctrine of “attractive nuisance” may be worth considering. HBS (through its agent Applyyourself) exposed something *very* attractive with only a very low fence (that a 7 year old could step over 🙂 protecting it.
Sure – checking one’s own results isn’t truly pure behavior, but, as with an attractive nuisance, the major blame should be on the business schools.
I could easily accept the schools saying “naughty! naughty!” to the applicants – and even using this as a “teachable moment”.
But rejecting them in a knee-jerk reaction seems to me to be a spasm of CYA.
As an MIT alum and security professional, this is a massive disgrace.
The real lessons being taught are “don’t offend those in power” and “don’t seek truth.” While very accurate for classic business school, it is -not- what ought to be taught in post-Enron B-school.
There are no “ethics” issues here besides “don’t embarrass the boss.”
If MIT doesn’t fix this soon, someone very high level should be fired. Like the Dean of Admissions.
Say I’m an admissions officer. You are an applicant in my office for an interview. On my desk is your application file, in which I am making notes. During our interview I am called out of the office. I say “excuse me,” place the file in my desk drawer, close the drawer without locking it, and leave the room. While I’m gone you open my drawer, remove the file, and look at the notes. The thrust of most of these comments is that if I’m upset that you’ve looked at your file it’s my own damn fault for not locking my drawer. This is true at the most simplistic level and misses the point by a mile. One who applies for a position at HBS, MIT, etc. should need to be told that it is wrong to look into someone else’s desk drawer, whether or not it is locked. These files could have been better secured. I would take steps to ensure it didn’t happen again. I also would reject the applicant who looked through my drawer. An adult who doesn’t know this behavior is wrong should not be placed on the fast track to business success. Bernie Ebbers didn’t think he didn’t anything wrong. He’s facing 85 years in prison.
You should realize that accessing any web page which you can get to by just typing a html address is not the same as looking at your papers on the desk of the officer. The web is open, anyone can look at anything unless it is password-protected, which obviously should have been the case. Think about it: you’ve applied, and a friend calls you and says that you can actually see the results of your application on the web. Then you do according to the instructions he/she gave, and bam, you’re banned from the school. This is just really, really ridiculous.
Well, I’ve come across even more absurd definitions of “hacking”. Friend of mine is was with a wireless broadband ISP (Uninetwork) here in South Africa. I think he had the 256Kbps package. He subscribed to Easynews and downloaded Gigs and gigs of movies (NB: it’s actually illegal to download movies if there is a copyright).
Anyways, the ISP soon realised he was smoking them, so they started port shaping, especially on port 119 (for newsgroups). *Luckily* Easynews’s servers support other ports too (which weren’t shaped). So he just changed his news reader to port 21 I think, and continued smoking them. A week later his internet was cut off (without any warning). Upon his query, they stated that in the Terms of Use they clearly stated that no hacking was permitted, and that using other ports than 119 to download from news groups was considered *hacking*. Ridiculous, in my opinion.
Ok, so he pleaded guilty, and started using Easynews’s HTTP interface! Not ideal, but nothing a download manager can’t make better. Same story… a week later, internet was off, and they claim that the HTTP interface for the news server is HACKING!
You can’t really argue with idiots like that.
And oh, turns out that he never even received the Terms of Use in the first place, and neither is it on Uninetwork.co.za’s website!
Happy New Year to Everyone!
WOW ! very informative …and i like those pics of ur nephew , so cute !! can see that u put a lot of effort in it so KEEP IT UP!
http://www.computer-addons.info
Hello. WSDLJB2 [url=http://www.tWSDLJB3.com] WSDLJB3 [/url] Thanks