Princeton Disciplining Staff for Yale Web Site Break-Ins (NY Times)
August 14, 2002 4:53 PM   Subscribe

Princeton Disciplining Staff for Yale Web Site Break-Ins (NY Times) What a great example to set for the students. Princeton officials in the admissions department hack into the Yale Admissions department system. No one gets fired and the university official who first performed the dastardly deed, Stephen E. LeMenager, "...would be moved to another job at Princeton." as punishment. Also, "...its longtime dean of admission and Mr. LeMenager's boss, to remain in place until next June, when he will retire as previously planned.
What is Yale's take on this? "Yale's president, Richard C. Levin, said in a statement yesterday that he was impressed by the thoroughness of Princeton's investigation,...".
This is the best, "...when Mr. LeMenager told a Yale admissions official of his ability to enter the Yale Web site at a meeting of Ivy League admissions officials in May, Dr. Tilghman said, the ensuing discussion at the meeting was about security issues, not about the impropriety of the action."
The president of Princetons final words on the situation, "We will learn from this and make changes," she said, "and move on as a better place."
And now who is surprised by what happened at WorldCom, ENRON, TYCO and on Wall Street ?
Shouldn't Princeton make an example of these clowns?
Shouldn't Yale demand more satisfaction?
I guess they don't call it the Ivy League for nothing.
Fire the bastards!
posted by flatlander (17 comments total)
 
This scandal may not be as black-and-white as you think.
posted by ptermit at 4:57 PM on August 14, 2002


Thanks for the link ptermit. Not exactly Enron-grade scandal material after all...
posted by chrisgrau at 5:07 PM on August 14, 2002


I'm not exactly sure if all the boldface and the length was necessary. After all, we could have clicked on the link ourselves...
posted by Kevin Sanders at 5:16 PM on August 14, 2002


This link is a little long, flatlander. Maybe the 2nd through 8th paragraphs should have been put here using [more inside].
posted by timeistight at 5:17 PM on August 14, 2002


I'm of mixed feelings on this. Really I never saw this story as a big deal Princeton didn't steal anything or get any inside dope, and the security was horrible. No real harm, no foul in my book
posted by bitdamaged at 5:38 PM on August 14, 2002


Imagine what kind of trouble a student would been in if they had innocently decided to check out Yale's security using university information. I hope students at Yale now feel free to access any of Princeton's computer systems without permission.

Look here (scroll down to section on trespass (#4)) for a list of cases that involved people simply accessing computers in unauthorized ways and were convicted. Kevin Mitnick sat in a jail for years without trial because he used confidential information in order to gain passwords and access to unauthorized systems. He never destroyed anything, and his biggest crime was copying information. Yet, no one here is even considering charges.

In addition to that:

LeMenager logged onto Yale's site, using the birth date and Social Security number of a Princeton applicant who he thought had also applied to Yale.

He was taking the information of people who had only applied to his school, and sending it to other web sites! He had no idea if these students had actually applied to Yale or not until he submitted their SSN. How do you feel knowing that it's apparently not a big deal for a university to take whatever personal information and try to gain access to a site only intended for you? Hey, what's the harm in using your financial aid information to try to access your bank's online banking if it's only to look around?
posted by betaray at 5:49 PM on August 14, 2002


I am a Princeton alum and this is one of the most shameful and stupid things I can remember anyone doing there. Either this guy is too stupid to realize what potential harm he has done using Princeton computers and much, much worse the social security numbers from confidential application files, or he just did not care. Either way, his punishment did not fit the crime. He should have been sacked, with no new Princeton job.

I have very lenient ideas when it comes to corporate slacker abuse, such as surfing porn, trashing your congressman from a work account [http://www.metafilter.com/mefi/19151] (just don't do it, it's not worth it) or the like. If these were my employees I would not do anything other than let them know how stupid the behavior was. But this moron,....
posted by caddis at 6:06 PM on August 14, 2002


I dont see the big deal. If they were hideing and got caught thats one thing but they came out and told Yale what they were doing. Entirely diffrent ballgame, people have made this a political issue.
posted by stbalbach at 6:16 PM on August 14, 2002


The big deal here is taking social security numbers from applications submitted with an expectation that such private information will not be abused. If all this turkey did was hack into Yale's computers having such lackluster security using a Princeton computer, I do not think he would, or should, lose his job. Once he took an SSN of someone's application and used it to enter Yale's system he crossed the line. Without the SSN: stupid act, don't fire him, perhaps just hold him back a grade. Use the SSN - launch the nukes.

Many are given trust of confidential information, perhaps including politically sensitive information such as social security numbers or health information from customers. Those who abuse this trust should not be surprised to pay a heinous penalty.

Would you hire this moron? If you did, would you give him access to confidential information?
posted by caddis at 6:33 PM on August 14, 2002


No Princeton decision was changed by Mr. LeMenager's actions. Those whose Yale decisions were viewed by the Princeton admission office have been notified (and Princeton has presumably apologized to them individually). Those at Princeton responsible for this have been disciplined. Why persist in highlighting a non-event?

Calling the continued complaints "much ado about nothing" would imply that they have some merit remaining at this point.
posted by oaf at 6:45 PM on August 14, 2002


I believe the "sealed envelope" quote was telling. I'm glad they're taking it seriously, even belatedly, and this may help set an example. (Probably this was causing poor intereducational relations at a high level, possibly leading to a trade embargo or missile exchange.) I would hope the eventual "white-hat" disclosures meant something, e.g. that they weren't fired outright. But it's pretty clear that Princeton was chiefly concerned about its reputation with its customer base.

And yes, Yale ought to be taking their part of the blame for such poor security in the first place. At this point, the orange and black is in the lead. The Slate story overlooks how Princeton's strong and swift reaction will bury this story.

Also, flatlander: italics or "just quotes" are sufficient for quoting, and you don't need to make every sentence its own paragraph. Really. We'll read it even if you don't yell at us.
posted by dhartung at 7:07 PM on August 14, 2002


Eh..

What!?

Sorry, dhartung, but my Foxy Grandma Ear Trumpet is full of wax

...or somethin'...
posted by y2karl at 8:34 PM on August 14, 2002


This problem here isn't some BS white hat hackers ethic, but of privacy and disclosure. When I give a college my SSN its for the purposes of application and identification. Its not for trolling the net and hacking sites. Its not for spying on me. Its not for marketers. Its not for the police. caddis also makes some good points regarding SSN in his post.


This should be a firable offense. I'm cynically certain that if a lower level emloyee did this he would have been fired in an ivy league heartbeat.
posted by skallas at 9:37 PM on August 14, 2002


k
posted by flatlander at 9:48 PM on August 14, 2002


I think people ought to be concerned that a relatively benign action, just because it involves a computer network, can be branded an offense worthy of dismissal and even prosecution.

Another example: At Harvard Law School back in 1999, a similar thing happened when a student found that, on the school's student homepage, he could gain access to all students' social security numbers simply by backing out the URL address. He then wrote an article in the school's paper about this, blaming HLS for not protecting students' privacy. The school read the article, then threatened to expel him for "hacking" the system. Do you all think you ought to be subject to prosecution for backing out the URL on someone's site?

If this was really an issue of privacy, then it would be up to the students injured to take action (and I'm not saying such a suit wouldn't have merit). I doubt Yale would have standing to sue under a privacy action. I think the students affected could also have a negligence suit against Yale, too. And so, as it's evolved, this case is a hacking issue. And the fact is, the current regime of "cyber" regulation is incredibly reactionary (and getting moreso) and protective of certain vested interests. The average person ought to be very alarmed.
posted by caramba! at 3:26 AM on August 15, 2002


This post is being discussed on MetaTalk.
posted by timeistight at 8:51 AM on August 15, 2002


flatlander gets big big points for the gratuitous William Gaddis/Jack Green reference. As someone currently affiliated with the Princeton campus (though I found out about the "scandal" when I was in London, where it occupied all of page 3 of the Guardian for no clear reason I could see), this seems pretty trivial, and the university has worse things to worry about right now: for example, the Robertson family, who supplied the funds for the Woodrow Wilson school, is suing for the return of a $600-million endowment (the article's in the most recent issue of The Chronicle of Higher Education, though I can't find an online link except for the one at the Chronicle's site, which requires a subscription).

Not that two wrongs make a right, but Princeton's snooping was made possible in part by Yale's shoddy security. Not much harm, and not much of a foul.
posted by Prospero at 8:50 PM on August 15, 2002


« Older Another smoking gun.   |   Screw you Newer »


This thread has been archived and is closed to new comments