Harvard Snubs Hackers....I'm lovin' it

Hahaha....awesome! It would be nice if there was a nice big dbase of all the hackers out there and they couldn't apply to any school at any time...haha
 
I am loving it also. Though, you know for a fact at least one will bring a lawsuit against Harvard.
 
From the reports I read, only one "hacker" found where the acceptance letters were being kept online. Then emailed the "look here" info to all the new students.

Those that looked got burned.

 
was it possible to look at others reports, or just your own ... if not ...

that could thicken the plot
 
sac_tagg said:
You think it will be a lesson to future hackers? Probably not, but here's hoping.
Of course it'll be a lesson. Next time, look at everyone's entry but your own. Be the last man standing.

I guess this is the point SYN_ACK is making, too.
 
Scheizekopf said:
Sucks if any of those 119 actually got accepted.

They all got accepted, and now cause they looked early. Harvard is saying no.
EDIT: Or not, I must have read the slashdot post a little too fast:
"Seems Harvard Business school was using the ApplyYourself web service to process applications. Sometime in the last few days, an anonymous hacker, known as 'brookbond', was able to crack the system, and discovered that Harvard had already posted acceptance letters to the website fully a month before they were to be mailed to their recipients. He posted instructions on how applicants could view their letters at the BusinessWeek forums, and approximately 119 applicants followed his advice. Today, the dean of the Harvard Business School, one Kim Clark, announced that none of the 119 would be admitted: 'This behavior is unethical at best -- a serious breach of trust that cannot be countered by rationalization... Any applicant found to have done so will not be admitted to this school.'"

 
You might find this interesting...posted from /. comment on this article.

Since I'm one of the 119, I figure I'll let you guys know how it really went down.

Early in the morning on March 2nd, someone calling himself "brookbond" on the BusinessWeek MBA Forums saw the results of his HBS application using a modified version of the link he'd use to see his results at another school also using the Apply Yourself system.

He saw a "ding" letter, meaning that he saw a form letter with the standard "We're sorry, we can't admit you to the class of 2007. Blah blah blah. Best of luck in your future endeavors." He then posts the technique he used to view the letter to the BW forums. This information is visible for roughly six to eight hours. After the beginning of the business day on the east coast, all hell breaks loose. People are discussing the posting on the BW forums, with people wondering if the link works or not. People report seeing one of two things:

1. A ding letter, like the one brookbond saw. (Which is what I saw.)
2. A blank screen.

NO ONE SAW AN ADMIT LETTER.

Period, point blank. Anyone who says they did, is lying. At some time between 8:00AM and 9:00AM EST, the BW forum moderators realize what's being discussed, either because of the activity level on threads related to HBS, or because they were contacted by HBS directly. BW begins deleting every single thread related to HBS, regardless of whether or not it contains information about the "hack" or not.

At this point, a blogger named PowerYogi posts the technique to his blog. A rather humorous thread insinuating HBS is sending snipers after PowerYogi starts up, then peters out after a while.

Eventually, Apply Yourself wakes up and patches the system to show "Your Decision is not yet available" messages instead of the dings and blank screens. This occurs between 10:00AM and noon EST.

Nearly 20 hours after the "hack" is first posted, HBS sends this letter to applicants:

We understand that some users of ApplyYourself, the on-line application and decision notification system we employ, have inappropriately attempted to access decision information about their own applications before the specified notification date. We take this abuse of the ApplyYourself system very seriously. Such behavior is unethical and inconsistent with the behavior we expect from high-potential leaders we seek to admit to our program. We want to assure all applicants, however, that:

* HBS decision information housed within ApplyYourself is neither complete nor final until our application notification dates
* The application information that all applicants and recommenders submitted to us has been, and continues to be, secure

We appreciate your interest in Harvard Business School, and we want to underscore to all our applicants our commitment to make and communicate our admissions decisions in the most rigorous, fair, and secure fashion.

Sincerely,
Brit K. Dewey, Managing Director of MBA Admissions & Financial Aid
Harvard Business School
Soldiers Field Road
Dillon House
Boston, MA 02163

Unfortunately, things don't stop there. Eventually, BW gives up trying to delete all the HBS postings, and people begin discussing the item. An article appears in the Harvard Crimson detailing the incident on March 3rd, and the article is used as source material for articles by the Boston Globe and the Associated Press. The AP article makes the front page of MSNBC.

By March 4th, other schools using Apply Yourself realize that their decision information may also have been available. In an amazing display of leadership, the Tepper School at Carnegie Mellon announces that they will reject anyone who tried to access their decision information early. Elsewhere, it is learned that a grand total of TWO people attempted to learn their fate at Tepper early, making it easy for CMU to grandstand.

With a precedent set, schools begin to announce their decisions on the fate of the "hackers". According to a BW poster, MIT actually sends ding letters to their "hackers" and updates their status - rejecting them all. (I don't have any independent confirmation of this)

Stanford University is one of the few schools where cooler heads prevail, announcing that they want "hackers" to come forward and explain themselves, but that they will not issue blanket rejections.

On March 8th, Slashdot finally notices the story.

Personally, I think the whole thing is a tempest in a teapot. HBS has to reject fully 90% of its applicants. It's easy to grandstand and reject people when you can simply fill the class with other, equally talented people. The "hackers", as long as they didn't make the mistake of checking their status at every school they applied to, will probably all get in somewhere else. By the numbers, only 10 to 15 or so would have made it in anyway.

Personally, I'm glad I checked my own status. Do I think I'm unethical? I'm willing to bet 90%+ of the people who actually saw the technique and applied to HBS in Round 2 (the round currently awaiting decisions) tried it. Seeing the ding got me off my duff and got me preparing another app to get another iron in the fire. Sitting until the 30th would have been too late. Am I upset that I'm not going to HBS? Of course. But at least I found out sooner, rather than later. Obviously, since I already had the ding letter, I'm not as crushed as someone who saw a blank screen and thus had hope. But they'll move on. HBS will continue to turn out people we can all admire, like Jeff Skilling, and the world will continue turning. No big deal, unless you're a reporter with a deadline and no story ideas.

I'm going to turn lemons into lemonade, though. I'll be selling t-shirts to commemorate the saga of the HBS 119. Buy one [cafepress.com], and put me through b-school.
 
Harvard may well say no but you can bet ya bottom dollar they'll get head-hunted into top security companies, large corporations require network security analysts, consultants etc...

Afraid it's the way forward... hackers merely exploit weak/poor coding... Not necessarily aiming to harm anyone or anything... depending on what they do once they've exploited them :)
 
ltickett said:
Harvard may well say no but you can bet ya bottom dollar they'll get head-hunted into top security companies, large corporations require network security analysts, consultants etc...

Afraid it's the way forward... hackers merely exploit weak/poor coding... Not necessarily aiming to harm anyone or anything... depending on what they do once they've exploited them :)

I don't think you were actually reading. There was only ONE hacker. All the other 119 people simply clicked on a link posted on a webforum. They themselves are not hackers, nor should they be considered as such.
 
cyr0n_k0r said:
I don't think you were actually reading. There was only ONE hacker. All the other 119 people simply clicked on a link posted on a webforum. They themselves are not hackers, nor should they be considered as such.
quoted for truth
 
A school like Harvard should have more secure systems running. It was already said before, they can't go to Harvard anymore but I wouldn't be surprised if a company like checkpoint hired them.
 
cyr0n_k0r said:
I don't think you were actually reading. There was only ONE hacker. All the other 119 people simply clicked on a link posted on a webforum. They themselves are not hackers, nor should they be considered as such.
for great justice

and Harvard wasn't even running the systems, they were 'outsourced' to another company
 
Early in the morning on March 2nd, someone calling himself "brookbond" on the BusinessWeek MBA Forums saw the results of his HBS application using a modified version of the link he'd use to see his results at another school also using the Apply Yourself system.

This is BS..... apparently, the Apply Yourself system was so poorly designed and maintained that it lacked sufficient authentication mechanisms to prevent such a thing. It's not right that someone could merely be rejected from a school by clicking on a link. Links can SAY they are anything, but not many people check the properties of it before they click to see where it goes. On top of that, if something is accessible on the internet, authorization to access such material is implied unless the visitor is challenged for a username/password, or some other authentication mechanism.

The reality is that this was not a hack. It was a pretty standard bug in a poorly designed system. To deny entrance to these people simply because of their application services' shortcomings is retarted.

These people are not "hackers". This is nothing more than Harvard trying to wipe the egg off its face by demonizing its "unethical" applicants.
 
Damn, I didn't know that all they did was mess with the URL. They probably learned it from scoring free porn pics from the preview section of pay sites :D
 
still did something they were not supposed to. So the action to no longer admit them is just in my eyes.
 
Tiny said:
still did something they were not supposed to. So the action to no longer admit them is just in my eyes.
Eh. How do you know "they" actually looked at "their" application? I could have a younger sibling that found the exploit and decided to try it out. Knowing that I applied, they could have used my name.

I agree with the intention of the ban, but not the reality of it, assuming the applicants knew they weren't supposed to see the results until they were officially posted.
 