Hacking applicants turned down by Stanford

[exequor]

Stanford, CA, May. 31 (UPI) -- California's Stanford University has rejected 41 prospective students for following a computer hacker's advice to check admissions status.

The students had been seeking entrance into Stanford's Business School with the goal of a master's of business administration, but all have been denied admission, the San Francisco Chronicle reported Tuesday.

The applicants allegedly followed the advice of a person who hacked into computer system that stored application information for several colleges and universities. The applicants were able to see only their own information, some of which was incomplete when the hacking occurred in March, media reports at the time stated.

The schools involved said they considered the checking an ethics violation.

Dean of the Graduate School of Business Robert Joss said each of the applications was considered individually, however, none of the prospective students could offer a good explanation for taking the hacker's advise.

I still don't get the reason for turning down their applications, maybe if they did something to influence their admissions decision I would understand.

 

[Evo]

I still don't get the reason for turning down their applications, maybe if they did something to influence their admissions decision I would understand.

Because hacking into the school's computer system is unethical, at the very least. Not to mention dumb.

 

[Pengwuino]

Because hacking into the school's computer system is unethical, at the very least. Not to mention dumb.

exactly! And besides! The business world can't have its good name tarnished by introducing such unethical people into the bloodline ;)

 

[Evo]

exactly! And besides! The business world can't have its good name tarnished by introducing such unethical people into the bloodline ;)

These people got caught being unethical before even getting started, they'd never stand a chance in business.

 

[Pengwuino]

haha... who knows, maybe their action would have qualified for course credit if they hacked someone else :D

 

[dduardo]

I think it is the web developers fault for allowing this to happen. It would be completely irresponsible to not have some type of effective timestamp that prevents a page from generating before an acceptable time. This is basic security 101.

This happens all the time with corporate press releases. For example if a company has their press releases as such:

http://www.companyA.com/pr/release-2005-05-24.html

I don't consider it hacking or unethical if I try entering dates in the future such as:

http://www.companyA.com/pr/release-2005-06-24.html

 

[Pengwuino]

I think its the hackers fault for hacking in

 

[Hurkyl]

I think it is the web developers fault for allowing this to happen.

And it's the homeowner's fault for leaving his door open, allowing people to steal his stuff too, eh?

I don't consider it hacking or unethical if I try entering dates in the future such as:

Same analogy. (I'm feeling lazy!)

 

[Jameson]

Stanford looked bad and needed to do something to take away the attention. If they had allowed the students to attend their school it would be like inviting hackers from all over the globe to take a stab at Standford.

 

[exequor]

The applicants more or less took advice from a hacker (I know that is no excuse). I don't think what they did was right either but I'm sure if every one of you on this board come across some website one day that had information about the future, most of you would stop and read every single line.

Let's say that you came across some government website showing all the lucky people that won't be taxed, would you look? I'm dying to see who replies and says that they won't.

 

[Hurkyl]

Why would I?

 

[dduardo]

And it's the homeowner's fault for leaving his door open, allowing people to steal his stuff too, eh?

If you leave your Aston Martin in a bad neighborhood with the doors unlocked and the keys in the ignition, then your an idiot. All I'm trying to say is that there should be a level of accountability on the part of the company writing the software.

Also, what's so wrong about knowing if you got accepted or not? It's not like your changing your admission status.

 

[Huckleberry]

As a citizen the government is responsible to me. It is my right to view my public records. Stanford is a private university. Their records belong to them, not prospective students. The students cheated and got caught. Maybe their ethical violation was that they couldn't come up with a convincing lie. They'd never make it in the business world anyway.

Deny, deny, deny. "My mom must have done it because she was anxious for me." "The hacker did it." "What are you talking about? Did I get in?" "I'll sue unless you can prove I did it."

 

[Evo]

If you leave your Aston Martin in a bad neighborhood with the doors unlocked and the keys in the ignition, then your an idiot. All I'm trying to say is that there should be a level of accountability on the part of the company writing the software.

Yes, they should have better security, but that doesn't making hacking ethical. And why do we all need security? Because of unethical people.

Also, what's so wrong about knowing if you got accepted or not? It's not like your changing your admission status.

Ok, let's say that you've applied for a job at XYZ company and some hacker tells you how you can break into XYZ company's computer and see the status of your application. XYZ finds out what you've done and decides not to hire you. Can you guess why?

 

[Evo]

As a citizen the government is responsible to me. It is my right to view my public records.

Tried hacking into the IRS website to check your tax status lately?

 

[dduardo]

First its cracking, not hacking.

Second of all, they aren't breaking into any computers and trying to gain privilege escalation. They are simply manipulating the url string. For all I know some 3rd party javascript from a sketchy site changed the url.

Url modification is hardly cracking. Stanford just doesn't want to look bad in light of the current identity theft mess (LexisNexis, etc). They are just trying to cover their behind. You know there are people out there asking "If they can easily find out their admission status, what else can they find out?(SS Numbers, Addresses, etc of other people)"

It also doesn't help that the media is sentationalizing this story.

 

[Evo]

They accessed information which did not belong to them and had no authorization to view. They got what they deserved.

Let's change the scenario from computer to real life. I want to check on my application status so I go to the admissions office, the door is closed, but unlocked, (or closer to the computer scenario, the door is locked, but I found the key on the secretary's desk) I let myself in, no one is there, I start going through the filing cabinets looking for my application status, the administrator walks in and finds me. They decide that my behavior is unethical and dismiss my application.

The students didn't want to wait. Well who does? Sorry, I do not feel sorry for these students, they took a chance (for a really stupid reason) and got caught. There is just no way you can look at this and say they were within their rights to do it. They displayed immaturity and lack of restraint.

 

[Huckleberry]

Tried hacking into the IRS website to check your tax status lately?

I can barely operate a computer, nevermind try to hack or crack. But I still think I should have the right to view my own information. I think the government is wrong in this case.

 

[Evo]

I can barely operate a computer, nevermind try to hack or crack. But I still think I should have the right to view my own information. I think the government is wrong in this case.

Your tax information is available online, without hacking.

 

[Huckleberry]

Your tax information is available online, without hacking.

Ok, now your just playing with me.

 

[Evo]

Ok, now your just playing with me.

Well, except your information, that they're withholding.

 

[Huckleberry]

Not very sporting to go after small game. You really need more of a challenge. My 8 year old niece probably knows more about computers than I do. I'm such a luddite.

 

[dduardo]

"No material from these pages may be copied, reproduced, posted, transmitted, or distributed in any way, except that you may print or download on any single computer one copy of the materials for non-commercial use only, provided you keep intact all copyright and other proprietary notices."

If ApplyYourself.com is KNOWNINGLY putting information on their website, don't they expect people to view its content, especially if no password is required? Based on the legal notice people visiting the site have every right to download a copy of the material being hosted on the site for noncommericial purposes.

Let me ask you this: Is it unethical for a google bot to index and cache a page which was not specifically denied in robots.txt?

You can't compare url modification to breaking and entering just as you can't compare robbing a music store to downloading a copy of music off the web. In the real world you deal with physical property while on the net you deal with intellectual property. Two different beasts entirely.

 

[exequor]

I'm saying it again, I don't think what they did was right but think about it. Most universities allow students to check their admission status (thats what the applicants did). It's true, if Stanford wanted them to do that they would have put a link on the site, but I think the university has to take some of the responsibility because they should know that students may have other plans too.

And I think the story is exagerrated because this is not even hacking, think about this, I can do a WHOIS search for a particular IP address, you may not want me to look up your IP address, so what are you saying, I'm being unethical (this may be a bad analogy). Bottom line, they did not do anything to their advantage, they simply viewed information. If I saw the PS3 three months before E3 am I being unethical?

 

[Hurkyl]

If you leave your Aston Martin in a bad neighborhood with the doors unlocked and the keys in the ignition, then your an idiot.

Certainly. That doesn't mean it's not a crime when someone steals it.

All I'm trying to say is that there should be a level of accountability on the part of the company writing the software.

Whether you were trying or not, you also said the students were blameless.

 

[Minorail]

Is Stanford famou sin us, i never heard of it fame in asia. here we heard only of mit and berkely, and perhpas another is Usc. i tell truthfully.

 

[Minorail]

i only wonder why such an infamos school is having people applying for buz, some other like mit, berk isn't better better. graduate always easier then undergraduate.
and those graduates only concetrte on a special subject, some are even unable to clearly state reason why assembly is not used for making sofware. blive me.
If some professor from stanforx are here,please check this out with all of your graduate student to see if i am correct. , espeially those who specialise in software development.

 

[Pengwuino]

@Minorail

Stanford is one of the top universities in the United States.

@Topic

Does anyone know if this was a hack or a simple url change?

If any security was bypassed, that's completely unethical. If they simply changed urls and had full intent of viewing their application, that's still unethical but a lawyer would be able to convince you differently.

 

[franznietzsche]

Yes, they should have better security, but that doesn't making hacking ethical. And why do we all need security? Because of unethical people.

Hacking is perfectly ethical. Cracking on the other hand... </being an ass>

 

[franznietzsche]

Is Stanford famou sin us, i never heard of it fame in asia. here we heard only of mit and berkely, and perhpas another is Usc. i tell truthfully.

The only difference between Stanford, MIT, and Berkely is that Stanford gives everyone a 4.0 (not really, but their grades are notorioualy inflated, medical schools ignore GPAs from Stanford altogether, or so I've been told (Of course, it was a Berkely alumn who told me this so...meh).

 

[franznietzsche]

First its cracking, not hacking.

And i thought i was going to be the first to point out the insulting mis-use of teminology.

Hackers build things. Crackers break them. There is a difference.

Second of all, they aren't breaking into any computers and trying to gain privilege escalation. They are simply manipulating the url string. For all I know some 3rd party javascript from a sketchy site changed the url.

Url modification is hardly cracking. Stanford just doesn't want to look bad in light of the current identity theft mess (LexisNexis, etc). They are just trying to cover their behind. You know there are people out there asking "If they can easily find out their admission status, what else can they find out?(SS Numbers, Addresses, etc of other people)"

Url modification is nothing. I don't think you can even call that unethical. It'd be akin to me trying to guess someone's password once or twice for the hell of it, to see if i could. I could never seriously expect it to work, and if it did, then whoever set the password was an idiot. Same with url modificaiton.

It also doesn't help that the media is sentationalizing this story.

When have they ever done anything useful?

 

[Anttech]

"No material from these pages may be copied, reproduced, posted, transmitted, or distributed in any way, except that you may print or download on any single computer one copy of the materials for non-commercial use only, provided you keep intact all copyright and other proprietary notices."

If ApplyYourself.com is KNOWNINGLY putting information on their website, don't they expect people to view its content, especially if no password is required? Based on the legal notice people visiting the site have every right to download a copy of the material being hosted on the site for noncommericial purposes.

Let me ask you this: Is it unethical for a google bot to index and cache a page which was not specifically denied in robots.txt?

You can't compare url modification to breaking and entering just as you can't compare robbing a music store to downloading a copy of music off the web. In the real world you deal with physical property while on the net you deal with intellectual property. Two different beasts entirely.

I aggree, changing a URL to view information that isn't protected but just isn't linked to isn't cracking.. Its a bad error on the sys admins half..

I would think/hope that if this went to court, it would be chucked out

 

[Evo]

You guys are missing the point, how they obtained the information is not the issue. It does NOT matter how they got into the computer. If the papers were laying on a pedestal in an empty room, it would still be unethical for them to read the results. It's the fact that they tried to obtain information by bypassing normal allowable procedures. It was unethical.

Dictinary definition of unethical

unethical - not conforming to approved standards of social or professional behavior

 

[dduardo]

Evo, you still have the wrong analogy. The Internet is like a library, a public place where anyone is allowed. A page on the site is like a book. ApplyYourself.com knowningly published the books in the library, therefore you would expect people to checkout the books.

I have to agree with Ed Felten, a respected Princeton Professor, that the punishment was too harish.

"I might feel differently if I knew that the applicants were aware that they were breaking the rules. But I’m not sure that an applicant, on being told that his letter was already on the web and could be accessed by constructing a particular URL, would necessarily conclude that accessing it was against the rules. And it’s hard to justify punishing somebody who caused no real harm and didn’t know that he was breaking the rules." - Ed Felten

 

[Evo]

Evo, you still have the wrong analogy. The Internet is like a library, a public place where anyone is allowed. A page on the site is like a book. ApplyYourself.com knowningly published the books in the library, therefore you would expect people to checkout the books.

No, the correct analogy is that the internet is a system of roads and along these roads there are homes and businesses. Each one can be reached by an address (URL, IP address). Some are public some are private. Even in public places there are rules. They broke the rules.

These people were applying to school for their masters. They knew what they were doing was wrong. Just because no damage was done doesn't mean they didn't act unethically, which is why they were denied.

Can I go into someone's house and rumage around as long as I don't steal or damage anything? No, it's called trespassing, illegal entry.

 

[Pengwuino]

I don't understand something here. Are some of you privy to more information then the others? Some people are saying that they simply changed the URL or were told there applications were online and they could go retrieve it. Where are they getting this information? Its not in the article so I am assuming some people have a different source of information and i would like to see it too.

 

[Anttech]

Can I go into someone's house and rumage around as long as I don't steal or damage anything? No, it's called trespassing, illegal entry.

Of course not, but in this case that isn't what happened (imo)...

They had a huge billboard in there living room with secret info, but didnt close the curtains...So they just 'walked past' and had a peek through the window, they didnt tresspass, they did what we are doing right now, looking at a public www site... ie looking through the window at publically available info, if the info wasnt supposed to be public then don't put it up on the www site...

Anyway the person who was the most unethical was the person who told them, if you look at such and such url you will find info on your application!

 

[dduardo]

Here is how they did it:

http://poweryogi.blogspot.com/2005/03/hbsapplyyourself-admit-status-snafu.html

 

[Pengwuino]

Oh well if that's how htey did it, that's completely unethical. They were snooping around, plain and simple. I think the 'peek through your window' analogy would now have to be modified so that there was a curtain blocking the billboard and you walked through the door and opened hte curtain to see the billboard...

which to me is unethical.

 

[PerennialII]

I'd place the "blame", if there actually is any to place, 50/50 after reading the description ... being turned down because of sloppy software & admin seems like another act of PC PR . Ethics ougth to be reserved for issues which actually matter.

 

[exequor]

I'd place the "blame", if there actually is any to place, 50/50 after reading the description ... being turned down because of sloppy software & admin seems like another act of PC PR . Ethics ougth to be reserved for issues which actually matter.

I agree with you, it is 50/50. I've seen lots of cases like this on Judge Judy and it ends up with the resposibility going 50/50.

unethical - not conforming to approved standards of social or professional behavior

Maybe ethics is the problem after all because what someone may perceive as unethical another person may not and that's how the world is. People always try to put limits on these things but I guess that's one of the pitfalls of "freedom". I heard of the story where a burglar broke into a house, got injured, and still sued the owner of the house. Now, is this ethical?

Oh I got the answer to the problem; Stanford should just let all prospective students view their admissions status. I can't believe the solution was that easy (sarcastically).

 

[Pengwuino]

But isn't judge judy just... stupid :D. I mean, arent there normally 2 people who both did something rather unethical/illegal and not just 1 person (like in this case)

 

[exequor]

But isn't judge judy just... stupid :D. I mean, arent there normally 2 people who both did something rather unethical/illegal and not just 1 person (like in this case)

True, because whenever its only one person, the case only takes 5 minutes to solve.

It all falls back to ethics, its the same reason why hacking is considered unethical. In the past social engineering was the main way for the hackers to get into a system and maybe it still is today, its too bad guys like Kevin Mitnick had to go to jail for nothing (my opinion).

 

[franznietzsche]

No, the correct analogy is that the internet is a system of roads and along these roads there are homes and businesses. Each one can be reached by an address (URL, IP address). Some are public some are private. Even in public places there are rules. They broke the rules.

These people were applying to school for their masters. They knew what they were doing was wrong. Just because no damage was done doesn't mean they didn't act unethically, which is why they were denied.

Can I go into someone's house and rumage around as long as I don't steal or damage anything? No, it's called trespassing, illegal entry.

No its not. If i put up a file that has public read permissions on it on a website, that i don't want someone to see, that is my own damn fault. Granted, what these kids did was stupid and unethical, but it is not akin to trespassing or breaking and entering in anyway.

 

[Evo]

No its not. If i put up a file that has public read permissions on it on a website, that i don't want someone to see, that is my own damn fault. Granted, what these kids did was stupid and unethical, but it is not akin to trespassing or breaking and entering in anyway.

That's what I've been saying in every single one of my posts...it's unethical.

Trespassing and illegal entry had to do only with going in someone else's house.

 

[franznietzsche]

That's what I've been saying in every single one of my posts...it's unethical.

Trespassing and illegal entry had to do only with going in someone else's house.

I don't think it deserves a bold unethical. It was unethical only in the sense that they were abusing someone else's stupid mistake. In so far that they profited from it, or that the other suffered from it (other than humiliation), I don't see how you can make a case for that. So they saw their admissions status early. And? Again, they shouldn't have done it, and they knew they weren't suppsoed to, but a far bigger deal is being made out of it than should be.

After all, its not like they were illegaly stealing computer lab time from their university for personal profit *cough**cough*.

edit: Further, maybe you don't really realize how much this is the fault of the people running the website. All it takes to keep people from seeing a page who aren't supposed to is 'chmod 660 filename' (on a *nix platform, Windows I don't know, I don't use windows for any real purpose anymore). Thats all it takes. One command, and voila, they can't see the page even if they try that trick with the url. And any competent webadmin should know not to have readable permissions for anyone other than the owner UNTIL you want the page seen. PERIOD.

 

[Evo]

I don't think it deserves a bold unethical. It was unethical only in the sense that they were abusing someone else's stupid mistake. In so far that they profited from it, or that the other suffered from it (other than humiliation), I don't see how you can make a case for that. So they saw their admissions status early. And? Again, they shouldn't have done it, and they knew they weren't suppsoed to, but a far bigger deal is being made out of it than should be.

After all, its not like they were illegaly stealing computer lab time from their university for personal profit *cough**cough*.

edit: Further, maybe you don't really realize how much this is the fault of the people running the website. All it takes to keep people from seeing a page who aren't supposed to is 'chmod 660 filename' (on a *nix platform, Windows I don't know, I don't use windows for any real purpose anymore). Thats all it takes. One command, and voila, they can't see the page even if they try that trick with the url. And any competent webadmin should know not to have readable permissions for anyone other than the owner UNTIL you want the page seen. PERIOD.

I know what you are saying, but I have been called in as an expert witness in a number of cases that went to court. The fault mainly lies on the perpetrator. Just because he finds a weakness does not give him authority to then enter the site and do as he pleases. It would be like a robber finding the home owner dropped their keys outside, he finds them, then let's himself inside to do whatever he wants. It is illegal entry and trespassing, even if there is no theft. That person has no right inside your home. We have a right to expect reasonable use on the internet. Anything that goes beyond that is not ok.

As with anything illegal, if it does not adhere to the rules you've been given, don't do it. I'm talking about the world of corporate business here. Stanford has a good reputation in business, which is why their MBA graduates are sought after. If it became known that a number of applicants had used questionable methods with which to obtain status and Stanford had not cracked down on them, Stanford would have lost a lot of respect in the business community. People want to get their MBA from Stanford because it's reputation opens doors. That reason is because they are respected for high quality academics and ethics. If Stanford would have brushed this under the rug, they would have lost faith of many large corporations that look to them to produce applicants of high ethical character.

So if the actions by Stanford seemed steep, yes they were and for a reason. The very same reason these applicants wanted to go there, "the name" and the credibility. Stanford does not wish to lose either.

Hey there are shopping strip mall colleges that give out MBA's, they can always go to one of these, they probably won't mind if they check on status without permission...a match made in heaven.

 

[franznietzsche]

I know what you are saying, but I have been called in as an expert witness in a number of cases that went to court. The fault mainly lies on the perpetrator. Just because he finds a weakness does not give him authority to then enter the site and do as he pleases.

I agree.

It would be like a robber finding the home owner dropped their keys outside, he finds them, then let's himself inside to do whatever he wants. It is illegal entry and trespassing, even if there is no theft. That person has no right inside your home. We have a right to expect reasonable use on the internet. Anything that goes beyond that is not ok.

I would think its more akin to leaving your belongings on the front lawn, under a tarp, than leaving your house open.

I'm not saying what the kids did was permissible.

As with anything illegal

There is nothing illegal about what they did (AFAIK. They did not gain unauthorized access to the system (user access), did not do anything to the university's system, did not steal anything, aside from information about themselves).

, if it does not adhere to the rules you've been given, don't do it. I'm talking about the world of corporate business here. Stanford has a good reputation in business, which is why their MBA graduates are sought after. If it became known that a number of applicants had used questionable methods with which to obtain status and Stanford had not cracked down on them, Stanford would have lost a lot of respect in the business community. People want to get their MBA from Stanford because it's reputation opens doors. That reason is because they are respected for high quality academics and ethics. If Stanford would have brushed this under the rug, they would have lost faith of many large corporations that look to them to produce applicants of high ethical character.

I'm not saying Stanford had any choice. Of course they had to reject the students as a result, doesn't mean the punishment fit the crime though. Stanford had to protect its reputation. Looking incompetent by admitting the mistake was their own (or whoever was maintaining the site, seems it was actually used by a number of universities) would have hurt them, as would letting the students in. They did what they had to do. I have no complaint with that, that's how reality works.

So if the actions by Stanford seemed steep, yes they were and for a reason. The very same reason these applicants wanted to go there, "the name" and the credibility. Stanford does not wish to lose either.

Indeed. If I had been forced to make the decision for Stanford in their best interests I would have done the same thing they did.

However vilifying these kids (who are actually all older than me, but that's beside the point) is unnecessary, and not warranted.