Rejected Harvard applicants say school’s reaction to Web page “hack” excessive

What happened here is something referred to in my industry as script kiddies.  One “hacker” finds a loophole and writes up instructions or a program that exploits the vulnerability.  He feeds it to others who are not as skilled, and they can “hack” in at the push of a button.  119 script kiddies hit the ApplyYourself web site trying to find out whether they had been admitted early.  A rabid user of the Business Week forum posted what seemed to be a repeating, and totally untrue, meme.


“It’s easy to speculate on the motives and thoughts of those who did from a safe position, but “not having a link” doesn’t make something confidential.”


This is not correct.  Yes, the page was reachable from the public Internet.  So are the credit card numbers you enter into Amazon and other e-commerce web sites; one merely needs to know how to manipulate the database from within the web application.  If you heard that you could pull up a list of credit card numbers by entering a “special URL”, wouldn’t doing so be unethical?  It would, and in most countries it would also be illegal.

Another simple example is a web server’s password file.  A long time ago directory traversal was a common problem with web servers.  The vulnerability let one “traverse” backwards through directories by putting “../” into the URL, and the server would happily map the request onto a file outside its document root.  On most UNIX-based servers of that era the hashed (“encrypted”) password for every user account lived in /etc/passwd, which was world-readable (modern systems move the hashes to /etc/shadow, readable only by root).  So a server affected by this bug would display everyone’s username and password hash, and tools like John the Ripper would let the newly purloined hashes be cracked offline.  Here is a case where one simply entered a URL to a file that “didn’t have a link”, yet I think it’s pretty widely held that this activity would be considered illegal and unethical.
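To make the mechanism concrete, here is an added example (my own illustration, not part of the original post and not ApplyYourself’s or any real server’s code).  It builds a throwaway directory tree with a constructed /etc/passwd-style file one level above a web root, then replays the same requests against a naive file handler and a hardened one that refuses any request whose resolved path leaves the document root.  The handler names, the sample passwd line and the directory layout are all made up for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed sample: a pre-shadow /etc/passwd line with the hash in the second field.
SAMPLE_PASSWD = "alice:$1$saltsalt$notarealhash0000000000:1000:1000::/home/alice:/bin/sh\n"


class Forbidden(Exception):
    """Raised by the hardened handler when a request escapes the web root."""


def build_demo_tree() -> Path:
    """Create a throwaway tree: <base>/www is the web root, <base>/etc/passwd sits outside it."""
    base = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    (base / "www").mkdir()
    (base / "www" / "index.html").write_text("<h1>welcome</h1>\n")
    (base / "etc").mkdir()
    (base / "etc" / "passwd").write_text(SAMPLE_PASSWD)
    return base


def serve_vulnerable(webroot: Path, url_path: str) -> bytes:
    """The classic bug: percent-decode the request and glue it onto the document root.
    Nothing checks where the resulting path ends up, so '../' walks out of the root."""
    decoded = unquote(url_path).lstrip("/")
    fs_path = os.path.join(str(webroot), decoded)
    with open(fs_path, "rb") as fh:
        return fh.read()


def serve_hardened(webroot: Path, url_path: str) -> bytes:
    """Decode, resolve (collapsing '..' and following symlinks), then require that the
    real path is still beneath the real web root before touching the file."""
    root = webroot.resolve()
    candidate = (root / unquote(url_path).lstrip("/")).resolve()
    try:
        candidate.relative_to(root)  # ValueError if candidate is not under root
    except ValueError:
        raise Forbidden(url_path) from None
    if not candidate.is_file():
        raise FileNotFoundError(url_path)
    return candidate.read_bytes()


def outcome(handler, webroot: Path, url_path: str) -> str:
    """Summarise a handler's behaviour as 'served', 'served passwd', 'forbidden' or 'not found'."""
    try:
        body = handler(webroot, url_path)
    except Forbidden:
        return "forbidden"
    except FileNotFoundError:
        return "not found"
    return "served passwd" if body == SAMPLE_PASSWD.encode() else "served"


def run_demo() -> dict:
    """Replay three requests against both handlers; returns {request: (vulnerable, hardened)}."""
    base = build_demo_tree()
    webroot = base / "www"
    # One '../' is enough here because the decoy 'etc' sits one level above the web root.
    # Against a real server attackers stack many '../' since the filesystem root absorbs extras.
    requests = ["/index.html", "/../etc/passwd", "/%2e%2e/etc/passwd"]
    return {r: (outcome(serve_vulnerable, webroot, r), outcome(serve_hardened, webroot, r))
            for r in requests}


if __name__ == "__main__":
    for req, (vuln, hard) in run_demo().items():
        print(f"{req:22s} vulnerable: {vuln:14s} hardened: {hard}")
```

The hardened version deliberately resolves both the web root and the candidate before comparing them, so a symlink inside the root that points outside it is caught too; a plain string prefix check on the un-resolved path would not catch that case, and would also miss the percent-encoded form of the same request.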


I work as a consultant who is paid to find security holes in web applications (obviously I was never hired by AY), and most of the issues I find could be construed as “public files”.  Not to belabor the point, but when Adrian Lamo, the “homeless hacker”, was arrested for breaking into the New York Times and using their LexisNexis account, he too was getting in via special URLs.


There was a lot of chatter in the Business Week forum about a lawsuit against HBS.  I find it unlikely that an attorney would bother taking up this cause.  One poster asked,

“Does HBS have it anywhere in writing that figuring out how to access the site through changing links is grounds for immediate rejection, and did any applicant sign that statement?  Probably not.  Thus, no contract was established that applicants agreed not to use obvious loopholes to access their own files earlier than the set date.”

An interesting argument.  I would imagine that HBS has the authority to deny applicants on whatever grounds it sees fit so long as it doesn’t violate civil rights.  This issue has nothing to do with race, color, sex, sexual orientation, religion, age, national or ethnic origin, political beliefs, veteran status, or handicap.  It is based on what HBS believes to be impaired judgment.

Let’s assume for a moment that one of these future leaders saw a post somewhere that claimed to give “special access” to a potential client’s contract database.  The database is housed on a law firm’s not-so-secure website and is not supposed to be viewed by anyone except the law firm and its clients.  This future leader gets into the web application to see whether or not he has won the bid and, upon seeing that he hasn’t, calls in a lower price.  Is this illegal?  It’s questionable, but I would lean towards yes.  Is this unethical?  Absolutely.

“For all that to be trumped by a poor decision made in the middle of the night is incredibly unfair,”  

This is a very fair statement for all concerned.  It is unfair and unfortunate.  From HBS’s perspective, though, this incident served as a quick litmus test for one of the biggest traits I like to see in business leaders: ethics.  From what I’ve read, about 900 students are admitted to each class.  For those 900 slots, THOUSANDS apply each year.  I would imagine that more than 900 are qualified to attend, which puts HBS in the unfortunate position of rejecting perfectly qualified candidates.  These 119 applicants simply made the task easier.

I’ll leave you with this thought.  Of all the analogies I read, the best one supposes that “200 students are waiting around in the admissions office when the person behind the desk runs out on an emergency.  The filing cabinet behind the desk has a clear label stating ‘Admissions: Acceptance List’.  A few students walk behind the desk and open the cabinet and peek inside.  Little do they know the entire thing is captured on a video camera overhead.  Upon seeing this the review board rejects all the students involved.”
