BusinessWeak: The Power Issue.
I was thinking about it on my plane ride today and what struck me is that this is a case study on the powers people hold, and how they employ them. This is how I see it.
This is where the saga starts. A computer-literate applicant decided to play around with the online application system using HIS OWN ACCOUNT INFORMATION and discovered that the system had no semblance of security. All he had to do was use a different format of sending a request to the webserver, which by the way is what one does as the first exercise in a Web 101 class, and lo and behold, he got a response.
I think people need to take a pause here before judging his next steps. If he was really a 'hacker' who realized that the backend system was so childishly designed, don't you think he would have tried to muck with it? Maybe change the posted results. For starters. I was talking about this with a friend who deals with webservers and he said that every day they get many hits from users who try to make their well-protected systems run rogue scripts etc. If it was a 'hacker' with any sort of malicious intent, he could have tried to wreak havoc on the systems.
So, there was no real malicious intent. What were his options? Either publicize this vulnerability, or quietly go to the authorities concerned. Why not the latter is a very valid question to ask, since it seems that it could have been the ideal way to fix the issue without the ensuing brouhaha. Obviously, I cannot speak for him. But, I see a parallel to how corporate managements behave. If they do not create an environment where employees feel no fear of retribution for bringing up bad news, they will only hear about it when things get worse. I suspect this is the case here too. From observing the reaction of people on the boards, HBS seems to inspire fear rather than trust. Maybe the 'hacker' was scared that the consequence of letting them know would be that he would be shot down for 'hacking' in the first place. Which is what has ultimately been HBS' reaction.
Fellow 'hackers': Now, this is an interesting camp. Two, actually. By and large, those that didn't access the record, post HBS' warning, have suddenly become the upholders of all values ethical, and those that did check are being cast as sinners who will get their now-determined verdicts on March 30. This is my observation, so blame me for it.
Again, step back for a second. Jane Doe applied to HBS, and in the process provided them with intimate details of her life experiences, contact information, credit card number, resume etcetera, trusting that the systems used to store these are secure. All of a sudden, she finds out that there seems to be a way to get to information about results that one should NOT have been able to. Can she really be faulted for trying to see if this was indeed true? Is she not allowed to check for herself if the system is indeed broken? Is it not valid for her to worry that something else may be up for grabs?
HBS is making the case that she should not. But then, the system WAS broken. So, isn't HBS complicit for assuring applicants of running a secure shop when in reality they weren't?
ApplyYourself: These guys I feel for. There must be engineers and management spending sleepless nights trying to fix their systems as well as smooth relationships with schools. But, if anyone is to blame for the entire fiasco, it has to be them. As a software designer, I see two big issues with their application. One, intermediate results (I believe HBS on this one) were being uploaded to a production database? And two, there is no protection on accessing these results before the due date? Heck, there seems not to be even a simple check like (if date < march 30; don't give them out). I hope the powers-that-be are asking these guys for accountability.
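As an added illustration of the two checks the paragraph above says were missing, written for this post and not taken from ApplyYourself's or HBS' systems: a release-date gate on the read path, a check that the requester owns the record being asked for, and a staging area for intermediate results that the read path never serves. The weak read is shown beside the hardened one so the difference is visible. The class name, applicant ids and timestamps are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed timestamps for the illustration (the post's "March 30" release).
RELEASE_AT = datetime(2005, 3, 30, tzinfo=timezone.utc)
BEFORE_RELEASE = datetime(2005, 3, 2, tzinfo=timezone.utc)
AFTER_RELEASE = datetime(2005, 3, 30, 9, 0, tzinfo=timezone.utc)


@dataclass
class DecisionStore:
    """Hypothetical store that keeps staged (not yet releasable) results apart from published ones."""
    release_at: datetime
    _staged: Dict[str, str] = field(default_factory=dict)
    _published: Dict[str, str] = field(default_factory=dict)

    def stage(self, applicant_id: str, outcome: str) -> None:
        # Intermediate results land here; nothing in this view is ever served to applicants.
        self._staged[applicant_id] = outcome

    def publish(self, now: datetime) -> int:
        # The only path from staged to published, and it refuses before the release date.
        if now < self.release_at:
            return 0
        moved = len(self._staged)
        self._published.update(self._staged)
        self._staged.clear()
        return moved

    def get_weak(self, applicant_id: str) -> str:
        # The shape of the flaw the post describes: whoever asks, whenever they ask,
        # gets whatever has been uploaded, with no check on identity or date.
        return self._staged.get(applicant_id, self._published.get(applicant_id, "pending"))

    def get(self, requester_id: str, applicant_id: str, now: datetime) -> Tuple[str, Optional[str]]:
        # Hardened read: ownership first, then the embargo, then only the published view.
        if requester_id != applicant_id:
            return ("denied", "not the record owner")
        if now < self.release_at:
            return ("denied", "release date not reached")
        return ("ok", self._published.get(applicant_id, "pending"))


def demo() -> dict:
    """Walk both code paths on constructed data and return the observations."""
    store = DecisionStore(release_at=RELEASE_AT)
    store.stage("applicant-1", "admit")
    return {
        "weak_early_anyone": store.get_weak("applicant-1"),
        "hardened_early_owner": store.get("applicant-1", "applicant-1", BEFORE_RELEASE),
        "hardened_early_other": store.get("applicant-2", "applicant-1", BEFORE_RELEASE),
        "publish_early": store.publish(BEFORE_RELEASE),
        "publish_on_day": store.publish(AFTER_RELEASE),
        "hardened_late_owner": store.get("applicant-1", "applicant-1", AFTER_RELEASE),
        "hardened_late_other": store.get("applicant-2", "applicant-1", AFTER_RELEASE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the split store is that the date check is not just an `if` in front of the same table: before the release date the served view simply does not contain the result, so a handler that forgets the check has nothing to leak. The ownership check is what stops one applicant reading another's record by changing an id in the request.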
Now, according to media reports, HBS and other schools are poring through logs trying to find out. The hits were to AY's systems. The logs will be in their systems. So, I can only infer that they are doing everything in their power to give whatever they are asked for.
I hoped to see better decision making from the school that claims to write the book on these kind of things. HBS is fully aware of the awesome power it commands. Why not come out the minute they found out about this and release a statement on the lines of: We think someone did XYZ to find out results that he was not supposed to and we view this as a serious breach and will not take it lightly if someone else tries to do it. End of matter. Do you think any HBS applicant would have dared to check this out after such a pre-emptive message from the school? If someone did, the school can justify any further actions on a we-warned-you-so argument. Instead, they went into reactive mode and the ominous message sent AFTER things got out of control sounds almost vendetta-ish.
I stand accused by some of being a 'hacker' myself for posting the steps. I think that is a very misinformed accusation. I am a believer in free speech, or whatever is left of it these days. I also design software for a living. On linux. So, I come from the philosophy that problems are best solved when everyone knows what the problem is. Knowledge shared is real power. I believe these steps need to be preserved so that people know what exactly was done.
Man, what can I say. The Harvard Crimson was the first one with the story that said that 'hackers' had broken into impregnable Harvard systems. Related to my previous point, I invite them to send a computer literate correspondent to read the post and assess for themselves how much of a 'hack' it really was.
And, now MSNBC. These guys wield power given their enormous audience, but they are just mouthing the same PR spin that was handed out to them by the schools and ApplyYourself. If they did take a minute to make their OWN judgements, maybe relate this incident to comparable events that involved real hacking ...
Disappointing. Killing every thread that even says the words HBS was just plain lame. I, along with others, think they were doing it at the behest of the school. If not, were they trying to use this opportunity to suck up to them so that they might get back on the ratings bandwagon? Did they have to get this i-own-your-ass on the posters? The way I read it, the message really is quite simple. They care two hoots for the applicants who use their message boards. Sad.
I'm running out of battery, so I've got to end this rant.