Rejected Harvard applicants say school’s reaction to Web page “hack” excessive
What happened here is something referred to in my industry as script kiddies. One “hacker” finds a loophole and creates instructions or a program that can replicate this vulnerability. He feeds it to others who are not as skilled and they can “hack” in at the push of a button. 119 script kiddies attacked the ApplyYourself web site trying to find out if they were admitted early. A rabid user of the Business Week forum posed what seemed to be a repeating, and totally untrue, meme.
“Its easy to speculate on the motives and thoughts of those who did from a safe position, but “not having a link” doesn’t make something confidential”
This is not correct. Yes, the page was available via the public-facing internet. So are the credit card numbers you enter into Amazon and other e-commerce web sites. One merely needs to know how to manipulate the database from within the web application. If you heard that you could access a list of credit card numbers by inputting a “special URL”, wouldn’t that be unethical? Actually, that would also qualify as illegal in most countries.
Another simple example would be a web server’s password file. A long time ago directory traversal was a common problem with web servers. This vulnerability would allow one to “traverse” backwards through directories by inputting “../” into the URL. On most UNIX-based servers the passwords to every user’s account were located in a file in the /etc directory. So if the server was affected by this bug then
http://www.vulnerablesite.com/../../../../../etc/passwd would display everyone’s username and encrypted password. Tools like John the Ripper would allow the newly purloined passwords to be cracked. So here is a case where one simply entered a URL to a file that “didn’t have a link”, yet I think it’s pretty widely held that this activity would be considered illegal and unethical.
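To make the traversal mechanism concrete from the defender’s side, here is an added Python example (not from the original post) that puts the naive request-to-file mapping beside a hardened one that normalises the path and checks it stays under the document root, then runs that check over a few constructed access-log lines; the web root and the log lines are assumptions made for the example.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Constructed document root for the example; a real server uses its configured DocumentRoot.
WEB_ROOT = "/var/www/html"

# Constructed access-log lines (common log format), not from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2005:09:12:01 -0500] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [10/Mar/2005:09:12:07 -0500] "GET /../../../../../etc/passwd HTTP/1.0" 200 1843',
    '10.0.0.9 - - [10/Mar/2005:09:12:09 -0500] "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 200 1843',
    '10.0.0.7 - - [10/Mar/2005:09:13:00 -0500] "GET /docs/../index.html HTTP/1.0" 200 512',
]

def request_to_relative_path(url: str) -> str:
    """Percent-decode the URL path and drop its leading slash."""
    # Decoding first means %2e%2e%2f is treated exactly like a literal "../".
    return unquote(urlsplit(url).path).lstrip("/")

def naive_map(url: str, web_root: str = WEB_ROOT) -> str:
    """The flawed mapping: append the request path to the web root and trust it.
    The ".." segments survive into the filesystem path, so when the OS opens
    the file they climb out of the document root."""
    return posixpath.join(web_root, request_to_relative_path(url))

def safe_map(url: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Hardened mapping: normalise first, then require the result to stay
    inside web_root. Returns None for any request that would escape it."""
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, request_to_relative_path(url)))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None

def traversal_attempts(access_log: List[str]) -> List[str]:
    """Return the log lines whose requested path would have escaped the web root."""
    hits = []
    for line in access_log:
        try:
            request = line.split('"')[1]   # e.g. GET /path HTTP/1.0
            path = request.split(" ")[1]
        except IndexError:
            continue                       # malformed line, skip it
        if safe_map("http://placeholder.invalid" + path) is None:
            hits.append(line)
    return hits
```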
I work as a consultant who is paid to find security holes in web applications (obviously I was never hired by AY), and most of the issues I find could be construed as public files. Not to belabor the point, but when Adrian Lamo, the “homeless hacker”, was arrested for breaking into the NY Times and using their Lexis Nexis account, he was accessing it via special URLs too.
There was a lot of chatter in the Business Week forum about a lawsuit against HBS. I find it unlikely that an attorney would bother taking up this cause. One poster asked,
“Does HBS have it anywhere in writing that figuring out to how access the site through changing links is grounds for immediate rejection and did any applicant sign that statement? Probably not. Thus, no contract was established that applicants agreed not to use obvious loopholes to access their own files earlier than the set date.”
An interesting argument. I would imagine that HBS has the authority to deny applicants on whatever grounds it sees fit so long as they don’t violate civil rights. This issue has nothing to do with race, color, sex, sexual orientation, religion, age, national or ethnic origin, political beliefs, veteran status, or handicap. It is based on what HBS believes to be an impaired judgment.
Let’s assume for a moment that one of these future leaders saw a post somewhere that claimed to allow “special access” to a potential client’s contract database. The database was housed in a law firm’s not-so-secure website but is not supposed to be viewed by anyone except the law firm and its clients. This future leader enters the web application to see whether or not he had won the bid and, upon seeing that he didn’t, calls in a lower price. Is this illegal? It’s questionable, but I would lean towards yes. Is this unethical? Absolutely.
“For all that to be trumped by a poor decision made in the middle of the night is incredibly unfair,”
This is a very fair statement for all concerned. It is unfair and unfortunate. From HBS’s perspective, though, this incident served as a quick litmus test for one of the biggest traits that I like to see in business leaders: ethics. From what I’ve read, about 900 students are admitted to each class. For those 900 slots THOUSANDS apply each year. I would imagine that more than 900 are qualified to attend, and this puts HBS in the unfortunate position of rejecting perfectly qualified candidates. These 119 students simply made the task easier.
I’ll leave with this thought. Of all the analogies I read the best one supposes that “200 students are waiting around in the admissions office when the person behind the desk runs out on an emergency. The filing cabinet behind the desk has a clear label stating ‘Admissions: Acceptance List’. A few students walk behind the desk and open the cabinet and peek inside. Little do they know the entire thing is captured on a video camera overhead. Upon seeing this the review board rejects all the students involved.”

The Rejected Harvard applicants say school’s reaction to Web page “hack” excessive by Zeroday 01100100011010010, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Share Alike 3.0 License.
Comments (2) to “Rejected Harvard applicants say school’s reaction to Web page “hack” excessive”
Anonymous wrote:
The question is interesting and subtle. I think some points count in favor of the applicants. First, as I understand the description of the so-called “hack,” applicants were able to access the file only after providing a username and password; this creates a presumption that they were allowed to look at the file. Second, the applicants could locate the file simply by listing the directory they were in and seeing what files were listed; this amounts to publishing the file’s location, even though the publication wasn’t intentional. If a file is in a directory which I’ve been given access to, and I’m able to list the directory, this doesn’t sound like a file which I’m not allowed to access.
The situation is different from others you describe in that the users didn’t have to navigate outside their own directory (I think), and in that they weren’t obtaining information on anyone except themselves. I don’t consider the situation comparable to the others you describe. Downloading a file of credit card numbers is wrong, for example, even if it’s done through a published URL. I compare the Apply Yourself situation not to opening up a cabinet to pick at a list, but to looking at a sheet that’s been left in plain sight on a table.
But I have to admit that what really ticks me off is that the Apply Yourself website didn’t — if the accounts are correct — pay the slightest attention to security issues, allowing access by the most elementary of means, and yet those who just typed a URL are called “hackers” and “script kiddies” as if they’d discovered some devious means to bypass security measures. Whether or not they deserve a black mark for their ethics, they certainly don’t deserve the compliment to their intelligence. This strikes me as a way to divert attention from how bad the security of the website was.
Posted on 11-Mar-05 at 10:05 am
zeroday wrote:
I had drafted an entire response to you and then rebooted before actually posting it. So this one may seem a bit rushed. I do empathize with those applicants who were caught but I don’t think it makes it any more ethical. They all knew when the official response date was and it wasn’t as if there was an active link in the interface that said “click here for your results”. Now I do agree that the word “hacker” is far too strong for these individuals. Just because I changed my windshield fluid doesn’t make me a car mechanic. And I’m not trying to denigrate them but “script kiddies” really does fit the situation. SK’s generally have no clue as to what they are doing. They simply download a tool or set of instructions from someone who does. In this case the original “hacker” (again this term may be a bit strong) seems to have found an unprotected virtual directory. Or from the sounds of it, according to your post, a directory that had directory listing turned on.
I don’t think that logging in completely exonerates them from any wrongdoing either. In my longer post I had constructed a scenario in a large corporation with an online HR website. In this scenario the “attacker” logs in and uses this same technique to find information regarding a raise or similar information. Since this is time-sensitive information and affects more than just myself (think of the others who were also hoping for promotion) I think the analogy may fit. That being said, I think your modification of my original analogy (where the acceptance list was in a cabinet) still works better if the list isn’t in the open. I say this because this information wasn’t in the open. It was hidden in a directory that, from the sound of it, wasn’t supposed to allow listing. If there was an accidental email sent or a link was provided in their main portal interface then I would readily agree.
Where I do agree with you is in regard to AY.com. Allowing a directory listing with confidential information is a pretty lame security flaw. There didn’t seem to be any notice on the official website acknowledging this flaw and how they fixed it. Or an apology to the schools for creating this awful situation. I can only hope that this incident will convince them to perform an independent third-party assessment of their site’s security. Or better yet, convince its clients such as HBS, Stanford, MIT, etc. to provide one for them. Chances are if a flaw of this magnitude was found there are others as well.
PS. Thanks for responding to my blog. You’re actually the first post!
Posted on 13-Mar-05 at 6:47 pm