Rather than writing their own code, Harvard and a bunch of other well-funded business schools outsourced the job of creating an online application system to a firm called ApplyYourself. The firm did such a craptastic job of coding even the most basic security into their application that students soon discovered they could learn the status of their application simply by sticking their name onto the end of the URL.
You’d think that would be bad for ApplyYourself, and it probably is. But guess who it’s worse for? Every student who got curious and tried the URL “hacking” trick is being denied admission. So: Strike one against Harvard for hiring a lame development firm. Strike two against Harvard for punishing students for its own security holes. Strike three goes to students who failed to learn from Curious George that curiosity can only lead to trouble. It’s not like the students broke into the system — they walked in through the side door. And without malicious intent or consequences.
Thanks Rob
You are missing the point entirely. Did the students know what they were doing was against proper procedure (i.e., were they trying to “cheat” the system)? The answer is yes. They got caught. It doesn’t matter whether it was easy or difficult. As adults and future business leaders (who hopefully will be teaching ethics and integrity in their future companies), they should know that what they did was against the rules. In a post-Enron world, business ethics must be paramount. 119 students learned a valuable lesson. I would be willing to bet that there were at least 119 other students who knew about the “opportunity” that didn’t cross the line and decided to play by the rules. I agree the students didn’t do anything malicious but they did do it without thinking about the consequences. I say welcome to the real world! I guarantee the next time there is an “open door” they know they are not supposed to enter, they will think long and hard about the consequences of entering.
Willie – I understand what you’re saying, but I think you’re overstating the “cheating” quotient of an action like this. Peeking at your own application may be improper procedure, but so is glancing down someone’s blouse, or looking into somebody’s open window as you walk by their house. There is no crime here. Nothing was stolen, and no harm was done. And I’d take your bet on there being 119 other students who knew they could look but didn’t – I’d imagine that almost no one would hesitate to look once they knew how.
Re: “Welcome to the real world!” That’s ironic considering that they’re trying to get into business school — high-finance business in America is about as far from ethical as any industry one cares to imagine — it’s not like they were trying to get into philosophy or journalism schools, where ethics actually matter.
I’ve got to side with Scot on this one. I heard the news story, but never heard the particulars of the “hack”. Normally deep links are a poor substitute for real security, but any design scheme which makes links so obvious falls less on the “secure” side, and more on the “poor UI” side. I, and I’m sure anyone who’s spent any amount of time on the web, have had to deduce broken links in this way, and I wouldn’t think twice about looking at an open page (if it’s supposed to be secure, I shouldn’t be able to get to it). I hope the kids push their case; their crime was so casual it’s almost entrapment.