Stanford rejects students based on extremely loose claim of "hacking"

This is absurd. The security on the Stanford's admissions site was so piss poor that you could do a view source, get your ID number, and then plug it into a query page to see if you were rejected or not. Rather than apologizing for exposing confidential data to the public, they denied all 41 students who applied.

If someone is stupid enough to put an ID number on a webpage, and then use that ID number to directly access private documents with no password verification, that person should lose his/her job and never work in IT ever again.

http://www.cnn.com/2005/EDUCATION/05/30/hackers.rejected.ap/index.html

Stanford rejects hacker applicants
Applicants tried to access school's admissions files
Monday, May 30, 2005 Posted: 8:40 PM EDT (0040 GMT)

STANFORD, California (AP) -- Stanford University's Graduate School of Business has rejected 41 applicants who tried to access an admissions Web site earlier this year in hopes of learning their fate ahead of schedule.

School officials said the applicants were given the opportunity to explain why they attempted to gain access to their admissions files before the date when the university was to tell them if they were admitted.

"At the end of the day, we didn't hear any stories that we thought were compelling enough to counterbalance the act," said Robert Joss, dean of the business school.

Admissions sites of at least six schools were accessed by applicants for about 10 hours in early March after a hacker posted instructions in a BusinessWeek Online forum.

The instructions told people to log onto their admissions Web page and find their identification numbers in source material that was available on the site. By plugging those numbers into another Web page address, they were directed to a page where their admissions decision would be found.

Some applicants saw blank pages and others viewed rejection letters before access was denied.

Within a week of the incident, Harvard University announced it would reject 119 applicants for following the hacker's instructions and visiting the school's admissions site. The Massachusetts Institute of Technology followed suit, rejecting 32 applicants.

Stanford decided not to take action until hearing the applicants' explanations, but in the end they, too, lost out. The 41 Stanford applicants did not find out their admissions status at the time, as the university had not posted its decisions yet, Joss said.

The school admits just 8 percent of those who apply to the business school each year, so "it's a low probability of getting in anyway," Joss said.

It's the School of Business. Ethics must be a top priority. I agree the decision is questionable, but I suspect it was a good way to ween down the number of applicants.

If it can be accomplished in the address window of a browser, it's not hacking. It may or may not be ethical, but it lacks the technical finesse that is the hallmark of a true hacker.

Personally, I'd say that if the information can be accessed that easily, there's no clear intent on the part of the programmer to secure it and it's fair game. But maybe that's just me.

I completely agree. If information is that easy to access and you don't need to set up packet sniffers or employ server flaws, it should be fair game. I think MIT should have accepted most of them, being a school that embraces these sorts of people anyways.

I think MIT should slink away with its tail between its legs. For that matter, so should Stanford and Harvard. I certainly hope those systems weren't designed by graduates of those fine upstanding institutions. That's a rookie error.

"Breach of ethics" in this context means "embarassing the hell out of the administration".

I think I read elsewhere this weekend that the application system was a third party provider, which is why all 3 school were vulnerable to the same url manipulation attack. Again I can't speak for the universities questionable decisions but I'm sure they were trying to send a clear messege. This "hack" may have been the Uni's fault, but at least there decisions discourage others from getting more creative with the admissions systems.

Reeeeal nice.

Ass.

So you mean all those people who's admissions I looked up just for curiosity are now being rejected? Whoops. Sorry to them all.

On one hand it shows determination on the part of the student to use all resources available. But on the other hand, if you were taking a test and the prof left the answer keys near your desk, using your available resources would get you in trouble, even if the school technically left it out in the open like this example.