

Harvard rejects
March 8, 2005 6:46 PM

"Hacker" discovers backdoor to Harvard Business School admissions decisions.
Harvard rejects all applicants who used the "hack."
posted by trharlan (68 comments total)

 
Well, get them now or in 40 years once they've become the leaders of tomorrow... (Enron)
posted by tiamat at 6:53 PM on March 8, 2005


What were these students thinking? Of course they would get caught as they could only get to their page. Anyone stupid enough to try this is too stupid for Harvard.
posted by caddis at 6:54 PM on March 8, 2005


More information on the backdoor.
posted by trharlan at 6:58 PM on March 8, 2005


Why is that wrong?
posted by MegoSteve at 7:12 PM on March 8, 2005


Yeah, what is the big deal. I entered my neighbor's house without permission. I didn't steal anything, I just went inside and looked around. I have never been in there before but it's cool because they invited me to come over and look around in a couple of weeks after they get it fixed-up. C'mon, man, they left the key under the mat, were they expecting I wouldn't look there? Why is this wrong.
posted by caddis at 7:28 PM on March 8, 2005


How does Harvard know that the person who saw the script and checked the data wasn't the mother or father of the person applying? Presumably, they'd have the password for the login. Alternatively, how will Harvard know that someone is lying if they offer this excuse?
posted by mediareport at 7:40 PM on March 8, 2005


Why would you presume that?
posted by caddis at 7:43 PM on March 8, 2005


It's wrong to gain access to a system to which you are not invited. Same thing with entering a house to which you are not invited. Key under the mat, window wasn't properly latched, wall was thin enough to drive through... Their lack of totally perfect precaution does not an invitation make.

When I'm at home I don't even keep the front door locked, but where I live people still know to ring the doorbell. I'm waiting to hear if I'm getting into a few law schools. I am NOT off on the web looking for ways to break into their computers, nor would I if I were to stumble across instructions on some magazine forum. Because to do so is unethical, even if it isn't always illegal.

(Yeah, I know, IHBT)
posted by tiamat at 7:44 PM on March 8, 2005


Boy, that's tough. I can see the issue is pretty black and white, really. Trying to circumvent the system isn't strictly above board. However, I'm fairly certain that if I had applied and heard about this, I might have tried it out. I mean, I have to admit that I wouldn't expect the school to react so harshly, even though I have to concede they have every right.
posted by PigAlien at 7:45 PM on March 8, 2005


they left the key under the mat

Oh come on, caddis; they left the key under the mat for *someone else,* not you. Pretending that there's not any kind of ethical issue at all here is absurd. Seems to me that what Harvard, Duke, et al have here is a practical problem. Stanford seems to understand that better than Harvard, since it's calling for the students to turn themselves in before announcing a decision about punishment:

"Business schools teach students to make decisions and to be accountable for those decisions," Derrick Bolton, the assistant dean and director of MBA admissions at Stanford, said in an e-mail statement. "We hope that the applicants who accessed their accounts might contact us to explain their behavior and to take ownership for their actions. We will take appropriate steps in the cases that warrant further scrutiny."

Yeah, if I was a Stanford applicant reading that, I'd rush right in to admit I was guilty.

Fer sure.
posted by mediareport at 7:45 PM on March 8, 2005


Thought experiment: You're in a Harvard interview for this program. The interviewer leaves but does not take their briefcase - would any rational person think it would be acceptable to look in the case to see their file/notes on the interview? I think not.

If the interviewer came back in and you were reading the file the excuse of "you didn't try hard enough to stop me" would be wasted breath.
posted by tiamat at 7:48 PM on March 8, 2005


mediareport, perhaps I should have read this MeTa thread before I posted.
posted by caddis at 7:50 PM on March 8, 2005


I consider myself an ethically upstanding person, but if I had the chance to get my admission decision a little early just by visiting a certain URL I would have jumped at the chance. Comparing it to invasion of property is like comparing downloading mp3s to stealing the CDs from your neighbor's car.
posted by rafter at 7:53 PM on March 8, 2005


Yeah, caddis, I got it after your second bad attempt.
posted by mediareport at 7:54 PM on March 8, 2005


Harvard Law prof Philip Greenspun weighs in with a blog post titled, Business schools redefine hacking to "stuff that a 7-year-old could do":

Here are the facts:

* Harvard and a bunch of other B-schools with a collective IT budget of maybe $50 million decided that writing Perl scripts was too hard so they outsourced Web-based applications to a company called ApplyYourself.

* You'd think that the main advantage of a centralized service such as ApplyYourself would be that a prospective student could fill out one application and the information be sent simultaneously to many schools. However, this is not how it works. Each school has a totally separate area with ApplyYourself...

* The ApplyYourself code had a bug such that editing the URL in the "Address" or "Location" field of a Web browser window would result in an applicant being able to find out his admissions status several weeks before the official notification date. This would be equivalent to a 7-year-old being offered a URL of the form http://philip.greenspun.com/images/20030817-utah-air-to-air/ and editing it down to http://philip.greenspun.com/images/ to see what else of interest might be on the server.

* Someone figured this out and posted the URL editing idea on the BusinessWeek discussion forum, where all B-school hopefuls hang out and a bunch of curious applicants tried it out.

* Now all the curious applicants, having edited their URLs, are being denied admission to Harvard and, due to the fact that universities form cartels to fix tuition prices and other policies, presumably to the other B-schools as well...

In the 1960s the term "hacking" meant smart people developing useful and innovative computer software. In the 1990s the term meant smart evil people developing and running programs to break into computer systems and gain shell access to those systems. Thanks to Harvard Business school the term now means "people of average IQ poking around curiously by editing URLs on public servers and seeing what comes back in the form of directory listings, etc."
[via the Slashdot thread]
posted by mediareport at 8:15 PM on March 8, 2005


Aargh, sorry. Greenspun teaches compsci at MIT.

*sits on hands while rethinking position*
posted by mediareport at 8:18 PM on March 8, 2005


I think to Harvard it seemed like a trespass, albeit an electronic one. The whole process of guarding the admission decisions until a particular day is a big deal to them. Having applicants circumvent that process hurts. Ethically it seems to you or me like such a small intrusion, just a hacked url, but I think they see it as being more. In any event, the chances of getting caught were just about 100%, hence my comment about their stupidity.

If I were a Stanford applicant who had used the bug, I would definitely rush to tell them, apologize profusely and beg their forgiveness. Too often it is the cover-up rather than the misdeed which sinks ya. Repent and you might get forgiveness. They know who did it anyway so what have you got to lose?
posted by caddis at 8:34 PM on March 8, 2005


I have a number of files on an HTTP server for which I don't make the URLs known to the general public, mostly because they are of interest to only a few people and there's no reason to.

That doesn't mean I expect that they're secure, or not publicly accessible, or that it would be unethical for someone to view them.

There was no hacking or intrusion. It's not like breaking into a mall - it's like walking through the open doors of a brightly lit mall and getting in trouble because the mall didn't advertise it was open. If they had accidentally mailed everyone the results early, would it be unethical to open the mail?
posted by TheOnlyCoolTim at 10:25 PM on March 8, 2005


It's not like breaking into your neighbor's house. Unless your neighbor's house is a major educational institution that happens to be in the process of deciding whether you're going to be accepted.

What, exactly, is the justification for keeping the admissions process a secret? Transparent government is good, transparent corporations are good. Why not transparent institutions of higher education?

I don't see how - morally speaking - Harvard has any right to keep any that information secret from the applicants for any length of time.
posted by Clay201 at 10:40 PM on March 8, 2005


It's wrong to gain access to a system to which you are not invited.

Please scan and post your invitation to read the ComputerWorld article, Tiamat.

And what TheOnlyCoolTim said. Cutting the ends off of URLs is not hacking in any way, shape, or form. Putting something upon a webserver such that it is publicly accessible is an invitation. As someone who, like TOCT, has files that are available on servers but not linked from anywhere, I am acutely aware of the security issues and would never make anything available that way that I wouldn't be comfortable having linked from the front page of MeFi. Anyone who configures their servers otherwise — especially a commercial operation which has the gall to charge people for the service of posting its clients' private information for all the world to see — deserves what it gets.
posted by IshmaelGraves at 11:18 PM on March 8, 2005


I've got to agree with IshmaelGraves here, chopping the end off the URL isn't hacking in any way, shape, or form. tiamat's briefcase analogy isn't quite right, this is like if the interviewer left the notes directly in front of you on the desk, albeit turned away from you. This is no more "hacking" than cocking your head so you could read them.
posted by TungstenChef at 12:00 AM on March 9, 2005


It's insane. And here I thought all the evil was restricted to Yale. Hrmph!
posted by Goofyy at 12:16 AM on March 9, 2005


Well, to be fair, it was a bit tougher than just backspacing the URL. According to trharlan's link above, you had to 'view source' and nose around to get an ID number, and then insert it with your own ID code into a (perhaps not very intuitive) URL to view the data. Not saying it alters the ethical status, just noting it's a bit more work than implied by some above.

Also, someone claiming to be one of the 119 folks summarily rejected from Harvard has just posted her/his version of the past week's events at Slashdot.
posted by mediareport at 12:20 AM on March 9, 2005


this is like if the interviewer left the notes directly in front of you on the desk, albeit turned away from you. This is no more "hacking" than cocking your head so you could read them.

Oddly enough, I agree. I assumed, before I had RTFA, that there must be something more to this story - alterations of records by applicants, something. But no, they were just spying on their application status ahead of time.

In a court of law, there is no way this could be construed as a crime. The files which were accessed were being served up publicly via HTTP, you just had to know the URL. There is zero right to privacy here. Blame the incompetent techies at ApplyYourself.
posted by mek at 12:52 AM on March 9, 2005


Updating previous analogies with new information:

The faculty lounge of a high school is next to the gym. One night, during a dance, someone notices that the door to the faculty lounge has been left unlocked and stacks of midterm grades have been left on the table. A few students say "cool" and wander into the lounge to check out their grades.

Should the students be expelled? I think not. Should the person who left the grades out and the door unlocked get a wrist-slap? Certainly.
posted by alms at 2:12 AM on March 9, 2005


Should the students be expelled?

In the case of Harvard, we aren't talking about expelling them, we're talking about not letting them in in the first place.

In the case of the high school students, they *should* expect to be punished for entering the faculty lounge without permission - they shouldn't even have known the midterm grades were there, because they shouldn't be in that room. (Although I doubt they'd be expelled, at least not from a Canadian high school.)

IshmaelGraves, that site requires neither login nor editing the URL to view. In the case of the applyyourself it wouldn't be possible for someone to generate a URL to click, you have to login, view the source to get the database ID and then edit the URL and paste in your applicant ID and database ID in the same session of the browser you were previously logged in on, in a way that would not be known to someone who hadn't previously used or read up on the software. When you or someone else has to do research on how to bypass the system, a flag should go up. It doesn't take an ethicist to figure out that ComputerWorld is a public website, a public space, the invitation is implied, legally speaking. In the same way, placing a key under your mat or leaving your window open does not constitute an invitation. Nor does having a less than perfect system.
posted by tiamat at 4:17 AM on March 9, 2005


I work for HBS and am unsurprised by this. The campus has been on a huge ethical kick since Enron and WorldCom (Crimson Greetings, the first required teambuilding exercise that HBS students undergo, wherein they make construction paper greeting cards ala second graders, even has a new ethical "toxic glitter" element to it).

The fact that the ethical stance helps cover for shoddy third party software (which covers campus like a plague of locusts) is just icing on the cake.

Part of the problem is that HBS goes about recruiting a slew of Type-A vicious would-be tycoons and always acts surprised when said Type-As act the part. In the library, it is not uncommon for students to hide and hoard shared resources from other groups.
posted by robocop is bleeding at 4:48 AM on March 9, 2005


"Business schools teach students to make decisions and to be accountable for those decisions,"

Not singling out MBAs here, but truthfully, if you haven't developed those qualities by the time you've reached grad school, it's unlikely/impossible that you ever will regardless of whatever "teaching" is administered upon you.
posted by psmealey at 4:53 AM on March 9, 2005


the real crime is the application of orwellian principles in the reporting of this non-story, but that is a crime which occurs many thousands of times per day and for the most part goes entirely unnoticed.
posted by quonsar at 5:26 AM on March 9, 2005


Maybe the students shouldn't be expelled, but they should be in some sort of trouble. They know that the faculty lounge is off-limits--whether or not the door is locked.

The idea some folks are suggesting seems to be that people will just do stuff, like water flowing from a river into a tributary, unless dams are set up to stop them, and HBS didn't set up any dams. By this logic it's Harvard's fault for not assuming that its applicants would want to get their results early and taking precautions to make it impossible.

... Whereas, from HBS's point of view, people should have at least some degree of self-control and be able to police themselves. HBS shouldn't have to erect super-strong barriers; there should be some integrity on the part of the applicants as well. In the same way the high school kids shouldn't just automatically rush into the teacher's lounge; there should be some kind of ethical sense that is itself a barrier to bad behavior, even when the door to it is left open. The admissions process should not be assumed to be a battle in which admissions staff have to hide the results from the applicants. The applicants should learn to wait.

I think HBS is perfectly fair in denying the applicants with, in this instance, no self-control and no autonomous ethical sense, admission.
posted by josh at 5:29 AM on March 9, 2005


It is slightly more complex than simply changing the URL, but I don't know where people are getting the idea that viewing, examining, analyzing and/or playing around with the "source" (of a web page you've accessed 100% legitimately!!!!) is unethical. It most certainly is not. If you don't understand that, then you don't understand how the internets works. Period.
posted by magullo at 6:00 AM on March 9, 2005


josh nailed it. These kids knew the rules--you wait for Harvard to tell you if you're in or not. They broke the rules. They suffer. End of bloody story.
posted by dirtynumbangelboy at 6:44 AM on March 9, 2005


Basic question is, does the implied social contract get modified by the medium? Should it? I can easily enter your house uninvited if the door's unlocked, or I can break in via the window. The first is the equivalent of entering a serviceable URL, the second is what the public thinks of as 'hacking'. Now, in this real world analogy, you have the right of owning property and within the confines of the law, can enforce access restrictions. If I violate those, you can send the arm of the law to pick me up. There's an implied social contract that I live in, or have to. I never went to the police station and announced that I agree to follow the law. It's expected*. On the web, we have HTTP servers, which take in input, and depending on certain conditions, return output. In terms of time and effort, it is much simpler to check whether there are unlocked "doors". But the key question is does the relative ease and lack of a distinct online enforcement modify the online social contract that I'm expected to obey? Should the applicants have been aware of the answer?

*Whether under threat of force, or your own moral sense. That's irrelevant, really.
posted by Gyan at 6:44 AM on March 9, 2005


They gained access to information they knew they were not supposed to. They cannot plead ignorance on this issue. Their only defense is that it was easy to get to. How that suddenly makes it right to access is totally beyond me. "Well, yeah, he had a combination lock on his briefcase, but the combination was 999... how could he consider that secure?"

Whether they did it by changing a URL, opening an unlocked door, having a co-conspirator read it over the telephone, or viewed it via telescope from a rooftop across campus, they knew what they were doing was wrong, and they were bypassing the agreed upon process.

I don't think very many people are claiming illegality, they are claiming unethical behavior, which it surely is.

Perhaps a tech-oriented clarification:

I am the systems administrator for all my company's servers. I can read other people's email by simply navigating from one folder to another. No "hacking" or even effort required beyond a mouse click.

Doing so certainly wouldn't be illegal. But would it be unethical?

In my opinion, yes. And for someone who can't see that, then they don't understand how the world works. Period.
posted by Ynoxas at 7:13 AM on March 9, 2005


Private homes and http servers = apples and oranges. Ditto for sysadmin and casual user of a public website.

Harvard has every right to reject these applicants since they have the right to reject *any* application for *no* reason in the first place. That doesn't change one bit the fact that they've made asses out of themselves by investing a shitload of money in creating a system that pukes its guts out to the first *legit* visitor that comes along.

In my opinion, this would be painfully obvious had this happened to an institution of lesser prestige. But since it's some of the top colleges in the world the ones that got duped, they have a good chance of getting away with it by taking the high road.
posted by magullo at 7:42 AM on March 9, 2005


It's not just Harvard that rejected them. Also MIT, Carnegie Mellon, and possibly Dartmouth and Stanford. See here.

Business schools are sensitive to ethical issues, even oversensitive. There have been big pushes at most of them to add more ethical training, etc. That this smacked of an ethics problem, even if it was defensible from some points of view, seemed like a good reason to reject the candidates. Yes, they did not really "hack," but they shouldn't have expected that it would be okay to subvert the notification process.
posted by blahblahblah at 7:55 AM on March 9, 2005


How great that all these business applicants end up with a strong ethics education! And how great to see MeFi deep in an ethical philosophical discussion. How I adore this!

And wish me luck, applying for masters in ethical philosophy for Fall 05. I'm not even gonna visit the website!

Josh has it right. These kids are wanting to be business leaders and can't distinguish between ethical and unethical behavior. I wouldn't want them in my institution and I'm not surprised HBS doesn't either. Heck, I don't want them in business!
posted by Dantien at 7:58 AM on March 9, 2005


Business ethics 101: in the event of a blatant IT failure, blame the user.

... or you'll end up looking like an ass.
posted by magullo at 8:34 AM on March 9, 2005


Magullo:

Suppose the site was password protected, and their password was to be mailed out at notification time.

Then suppose someone noticed that the password was "password"... and was for every account.

So, the users log in prematurely, even though they know they are supposed to wait for their password to arrive.

Do you still see no ethical lapse in what they did?

What I am getting from you is that this is a technical problem and ethics doesn't even enter into it.

Are you suggesting that ethical behavior has some sort of limit, that an unethical task has to have a minimum floor of difficulty to qualify?

Is there any point that the ethics would enter into it from your viewpoint?

Or more precisely, what would be the threshold that it would become unethical to you?
posted by Ynoxas at 8:42 AM on March 9, 2005


magullo: Private homes and http servers = apples and oranges.

Not in some aspects, like in this case. The IT failure's like leaving door unlocked. Pragmatically, that's a bad move, given the ease of someone snooping around. But we're discussing ethics, not pragmatism. The line's unclear since online ethics has fuzzily evolved via loose adaptive social consensus and precedents, whereas most real world ethics has history as grounding, giving it a sense of firmness. Doesn't obscure the fact that public hyperlinks are invitations to explore, access by poking around is not. Whether online ethics should change to not make a big deal of it, is an open question, with technology a key but not total input.
posted by Gyan at 8:44 AM on March 9, 2005


So, in theory, if I was playing with Metafilter URLs and found mathowie's secret development page for Metafilter 2.0, and posted instructions on how to check it out from Metatalk, you guys would support breaking and entering charges against everyone who followed my instructions?

Or at least, you would have the common sense to stay away, and would call for immediate bans against all those who looked, because it was a serious ethical breach?
posted by rafter at 8:48 AM on March 9, 2005


rafter, Matt would be within his right to permanently ban you and anyone else who decides to follow your instructions.

That's the long and short of it.

Feel free to do whatever you want, but know that if the person or institution wishes to keep it hidden, and you know it's supposed to be hidden, but you view it anyway, be prepared to pay the consequences.

Harvard is not punishing the user to cover their mistake in investing in ApplyYourself. Harvard is making a decision on how to treat a user that decides to do something that user KNOWS is not allowed.

Ethics, legality, whatever. No shoes, no service. Prematurely view a decision, get rejected.

Period.

Same goes for the "morality" of preventing the release of admission decisions -- you make your own rules for your house, Harvard will make its own rules for its house. Or would you like to shove your sense of morality up everyone's backside?
posted by linux at 9:29 AM on March 9, 2005


I agree with josh.

This has nothing to do with technology and everything to do with ethics. I'm really surprised at some of the responses here.

If I find a wallet on the street with cash in it, sure I can blame the guy who lost it for not taking the right measure to "secure" his wallet and I can argue that, whereas, it would be wrong to take the wallet out of his pocket, it's ok now because it's on a public street.

Sure, I could use all those rationalizations, but it's clear to me that the ethical thing to do is to return the wallet. Likewise, the failure of technology here doesn't alter ethical boundaries: It's still true that there is an implied social contract between you and other people, between you and your admissions officers and the application process. Once you walk outside those boundaries you've crossed the threshold into a potentially unethical situation, regardless of whether someone else made it easier for you or not.
posted by vacapinta at 9:57 AM on March 9, 2005


In the 1960s the term "hacking" meant smart people developing useful and innovative computer software. In the 1990s the term meant smart evil people developing and running programs to break into computer systems and gain shell access to those systems. Thanks to Harvard Business school the term now means "people of average IQ poking around curiously by editing URLs on public servers and seeing what comes back in the form of directory listings, etc."

Also, I don't know but Greenspun seems to have some axe to grind against HBS.

I mean, they weren't "poking around curiously", they were there for a specific reason. I know better than to poke around "curiously" at the website of my Bank. I also know better than to poke around "curiously" looking for illegal pornography or hacker sites.

I'll turn the argument around and say that it is the people making this "public servers" argument that don't understand the nature of the Internet.
posted by vacapinta at 10:22 AM on March 9, 2005


While I agree this is primarily an ethics issue, there is some technical culpability too. Web servers are much more public than houses, so the "unlocked door" analogy fails. To me it's more like there's a concert in the park and to listen you're obligated to pay $5 to get a seat. But you could also sit elsewhere in the park and hear the music. Are you ethically liable to pay? Sure, a little. But if the concert organizers really cared they wouldn't have put it in the park. Similarly if ApplyYourself really cared about the time-release nature of accept/rejection notification, they'd have done something about it. They either aren't very diligent web programmers or they weren't given good requirements by their clients.

And vacapinta: you really should poke around curiously on your bank's website. How do you know it's secure? If there turns out to be something as trivially exposed as the ApplyYourself form bug on your bank, I'd cancel my account before lunch.
posted by todbot at 10:52 AM on March 9, 2005


todbot: Web servers are much more public than houses, so the "unlocked door" analogy fails. To me it's more like there's a concert in the park and to listen you're obligated to pay $5 to get a seat. But you could also sit elsewhere in the park and hear the music.

I thought Mirabilis' "Server Push technology" hype died years ago :)
posted by Gyan at 10:59 AM on March 9, 2005


TheOnlyCoolTim: I have a number of files on an HTTP server for which I don't make the URLs known to the general public, mostly because they are of interest to only a few people and there's no reason to.

That doesn't mean I expect that they're secure, or not publicly accessible, or that it would be unethical for someone to view them.


This is the disconnect between people who pursue commercialization of the internet and those who see it as a big ol' shared playground. I've had to work hard to see the viewpoint (not necessarily agree with that viewpoint mind you) of those who put a "hidden" file on a web server and then get all outraged when someone "oh my god" downloads it. It's like those stores whose sales prices are just little pieces of paper covering the original price on the shelf who get outraged when you look under the sale price to see the non sale price.
posted by Mitheral at 11:18 AM on March 9, 2005


vacapinta: Sure, I could use all those rationalizations, but it's clear to me that the ethical thing to do is to return the wallet.

Agree totally. However do you think it would be unethical to inventory the contents of the wallet? How about look at the pictures of the guy's dog? His wife? His car?

Matt would be within his right to permanently ban you and anyone else who decides to follow your instructions.

Of course he would because he has absolute authority to control access to his shared space in any way he wants. But what if the ban wasn't enforced in any technical way? Say matt just asked in Meta "Anyone who viewed my super secret (but publicly accessible) MeFi 2.0 to please not view anything else at MeFi, ever". Would it then be unethical for the users who looked at the bottom secret new design to load the front page? Would it still be unethical if they viewed the page accidentally by following a link from a site that hides URLs (like FARK)?
posted by Mitheral at 11:31 AM on March 9, 2005


Here's my analogy:

You're told the scores are going to be posted on a board next week. The board is publicly accessible and you walk by it every day. Someone then tells you that all of the scores are already on the board, and all you have to do is lift up the McDonald's ad which is on top of them. You do.

That's unethical?
posted by callmejay at 11:45 AM on March 9, 2005


I really don't see the ethics of this case as clear-cut as some of you apparently do. All this talk about the teachers' lounge, wallets sitting on the street and keys under the front-door mats seems very very very far away from the world of computer technology and the training of business captains.

I am not so sure that curiosity (nosiness, if you will) and ambition, the two character traits that clearly drove this effort can be tossed overboard so quickly given the context. To me, a more interesting aspect is the spectacular technological failure (naivety, if you will) of a world leader in business tuition.

Suppose that you find that the bank has deposited some extra money in your account. And you call and report it. And they say: nope, that cash is yours. And you insist, and they insist back. Where does it end?

One has to wonder what exactly is the conceptual model of the internets that HBS works with. This is an elite institution caught raping a whore in the most ordinary of manners: teaching top-level competitive strategy and at the same time facilitating their strict enrollment procedures via a crappy website that, apart from leaking confidential info all over the place, is shared with the competition, who is similarly affected. And it doesn't end there.

I might be very conservative when it comes to business, but I tend to think that if you can't do it right, most of the time it's better not to do it at all, due to the very certain risk of ending up being taken for a ride.

A webserver sends code to your machine. Before you see anything popping on your screen, that code has been around the block several times. In fact, some people consider part of their responsibilities to analyze that code thoroughly via local tools before taking further action. Placing any information intended to be hidden to the user in a plain vanilla HTML page is a blatant irresponsibility; the first one in a chain that, in my opinion, tips the balance here. The server *provides you with the info* (mistake 1), the server then *accepts the code* (mistake 2), and thus a *simple trick* (mistake 3) *brings down a truckload of portals* (mistake 4) to world-class universities. That's four in a row; tell how many more do you need, because there are plenty.

Do I miss the fact that some human had to take that info and type it into their url bar and get on with it? No, but in real life, most of the time it's not about what to do if you find a wallet on the street, it's more about how much do you *need* that money. Many times a day all over the world, this is not motivated by greed, but by sheer necessity (hunger, medical needs, etc.)

We're talking about top business education here. Generally speaking, the higher you are, the more twisted your morals necessarily become (if only because you *know* more). So I'm not going to place the applicants in a test tube and forget about all the other folks running around that never got caught.

Or faced the music, for that matter.
posted by magullo at 12:10 PM on March 9, 2005
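
The chain described in the comment above (an identifier visible in page source, then accepted by the server with no further check) is closed on the server side rather than by hiding the URL. The sketch below is an added example, not code from the thread or from ApplyYourself; every name, record field, ID and date in it is a constructed assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Decision:
    applicant: str        # account that owns the record
    outcome: str
    release_at: datetime  # when the school intends to publish it

# Constructed sample records; IDs, users and dates are hypothetical.
RELEASE = datetime(2005, 3, 30, tzinfo=timezone.utc)
DECISIONS = {
    "1001": Decision("alice", "admit", RELEASE),
    "1002": Decision("bob", "deny", RELEASE),
}

def view_decision_weak(session_user, record_id, now):
    """Weak pattern (assumed): any logged-in user with a valid ID gets the
    record. Ownership and release date are never checked; `now` is ignored."""
    if session_user is None:
        return 401, None
    rec = DECISIONS.get(record_id)
    return (200, rec.outcome) if rec else (404, None)

def view_decision_checked(session_user, record_id, now):
    """Server decides: logged in, owns the record, and past the release date."""
    if session_user is None:
        return 401, None
    rec = DECISIONS.get(record_id)
    # Same 404 for "missing" and "not yours", so IDs cannot be probed.
    if rec is None or rec.applicant != session_user:
        return 404, None
    if now < rec.release_at:
        return 403, None  # the owner, but the decision is not published yet
    return 200, rec.outcome

def status_page_fields(session_user, now):
    """Values safe to render into the applicant's HTML: unreleased record
    IDs never reach the browser, so there is nothing to read from source."""
    released = sorted(rid for rid, rec in DECISIONS.items()
                      if rec.applicant == session_user and now >= rec.release_at)
    return {"user": session_user, "decision_ids": released}
```

With the checked handler, knowing or constructing the URL changes nothing: the release date and record ownership are enforced on every request.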


In order for a serious ethical transgression to occur, there should be some harm inflicted, some harm intended, or perhaps some gross negligence that a reasonable person could expect would lead to harm.

I can't see what the harm here is. Some students found out their admission status a little early. So what? Perhaps some found out they were rejected and decided to go on a trip to Spain to console themselves. Unless Harvard has a vested interest in keeping people out of Spain, no harm done.

The ethical lapse here is at the level of eavesdropping on an intimate conversation at a restaurant. Sure, the eavesdroppees might prefer to have their conversation treated as private, but they have no reason to expect that it is. And it might be more polite for the eavesdroppers to try to ignore it, but it's right there. Munging a URL is a little more work than just listening, but just a little.
posted by adamrice at 12:20 PM on March 9, 2005


adamrice: In order for a serious ethical transgression to occur, there should be some harm inflicted, some harm intended, or perhaps some gross negligence that a reasonable person could expect would lead to harm.

You can make this argument when the world switches to adaptive utilitarian ethics. Personally, I don't think this was a big deal, at all. But going by the ethics which, I believe, are observed today, this crossed the line.
posted by Gyan at 12:28 PM on March 9, 2005


As for the Metafilter/ApplyYourself analogy - wasn't there a user that created an account after registration was closed by google-cache accessing the signup page after the link to the signup page was wiped?

I recall he wrote Matt to ask if it was ok or not... apparently, it was allowed to slide.
posted by PurplePorpoise at 12:49 PM on March 9, 2005


Free The HBS 119! T-Shirts Now Available.

...from the enterprising Fortunato_NC who "peeked" online and saw that he was already rejected (dinged) by HBS.

"Seeing the ding got me off my duff and got me preparing another app to get another iron in the fire. Sitting until the 30th would have been too late. Am I upset that I'm not going to HBS? Of course. But at least I found out sooner, rather than later."
posted by ericb at 1:00 PM on March 9, 2005


So.... Harvard is like a drunk girl that passed out in my neighbor's house but left her login to Metafilter in the cushions of my couch? Oh god I'm so confused by all these analogies.
posted by Stan Chin at 1:47 PM on March 9, 2005


How about this one, Stan Chin: If a website only allows users to visit if they are using IE, is it unethical to hack your user-agent string to pretend you have IE and therefore access their content?
posted by Mitheral at 2:11 PM on March 9, 2005


Well I don't know, is this IE person attractive? Or am I drunk enough?
posted by Stan Chin at 2:23 PM on March 9, 2005


Well it is the internet, let's just go with the possibility it's your dog doing the surfing.
posted by Mitheral at 2:49 PM on March 9, 2005


Of course he would because he has absolute authority to control access to his shared space in any way he wants. But what if the ban wasn't enforced in any technical way? Say Matt just asked in Meta "Anyone who viewed my super secret (but publicly accessible) MeFi 2.0 to please not view anything else at MeFi, ever". Would it then be unethical for the users who looked at the bottom secret new design to load the front page? Would it still be unethical if they viewed the page accidentally by following a link from a site that hides URLs (like FARK)?

1. The application decision page is not publicly available.
2. It requires viewing and editing source code, so it's not just a hidden URL you accidentally click -- you need to work to gain access to that page.

So let's say your example is now this:

Matt has a Beta 2.0. He says he'll reveal it on a proposed date. The URL requires a login cookie and an obfuscated URL. Someone other than Matt publishes the URL against his wishes on a different site before the reveal date. Users log in to MetaFilter and paste the URL to access the beta site.

Ethics has nothing to do with it, as everyone has a different moral compass. The point is Matt can do whatever he wants, ethical or otherwise, to your account.

Same goes for Harvard.
posted by linux at 3:01 PM on March 9, 2005


Harvard - as does any private educational institution - has the right to reject applications based on the criteria for acceptance they set for themselves.

This current situation brings to mind the saga of Moorestown (NJ) High School student - Blair Hornstine.

She is memorable for filing suit against her high school for not naming her sole valedictorian, but naming her a co-valedictorian (previously discussed here, here and here).

"Her acceptance [to Harvard] came under scrutiny after her local newspaper, the Courier-Post, reported that Hornstine had 'misused sources' in five stories she wrote for the paper and had lifted extensive material directly from speeches and papers published on the Internet. The media attention followed her decision to sue the Moorestown, N.J. school system to ensure she graduate as sole valedictorian of her high school." [Harvard Crimson | July 11, 2003].

Harvard regarded her plagiarism as an ethical breach and reason enough to withdraw its earlier offer of acceptance. "Harvard admission is contingent on five conditions enumerated for students upon their acceptance—including one which stipulates admission will be revoked 'if you engage in behavior that brings into question your honesty, maturity, or moral character.'"
posted by ericb at 3:45 PM on March 9, 2005


The two situations are different - one involves "questionable" and unsanctioned behavior in pursuit of learning one's pending status for admission to the Graduate School of Business Administration; while the other involves the rescinding of any already granted acceptance to the undergraduate institution, Harvard College, as a result of previous instances of plagiarism. Both situations, however, center around issues of "standards" for acceptance, as set forth by the University (and its subsidiary institutions).
posted by ericb at 3:58 PM on March 9, 2005


"We seek candidates who have the highest ethical standards and respect for others..." [Admission Criteria - HBS MBA Program].
posted by ericb at 4:13 PM on March 9, 2005


The HBS community defines itself by and actively embraces three fundamental standards: (1) Respect for the rights, differences, and dignity of others, (2) Honesty and integrity in dealing with all members of the community, (3) Accountability for personal behavior. [Community Standards - HBS].
posted by ericb at 4:18 PM on March 9, 2005


So, a buddy figures this out and sends me an email which says:
Hey, HBS has their admissions results online. Click here to see your status.
clicking that link justifies denying me entry to a school? That's a bizarre position.
posted by NortonDC at 7:55 PM on March 9, 2005


Comments above make it clear that it wasn't a matter of clicking on a link. You had to go into your account, scan the raw html code, extract the relevant bits and pieces for your account and password, and then hand-construct the appropriate URL. Or something like that.
posted by ROU_Xenophobe at 10:26 PM on March 9, 2005


It was clear that someone had to be the first, but if it was impossible for someone to construct a link on someone else's behalf, then that's a fact that I missed. Is that explicitly stated somewhere?
posted by NortonDC at 9:43 AM on March 10, 2005


Lots of websites like to present videos (MPEGs, wmvs, whatever) in a little box on a webpage, and serve them as streaming video (mms).

To watch them, you have to have a Microsoft browser plug-in, which I suspect, but only suspect, may be insecure and thus allow malicious web sites to hack my computer.

And streaming video can s l o w   d o w n depending on network conditions.

For these two reasons, I'll often do a reveal codes, find the address of the mpg or wmv that's being streamed, and just download it rather than stream it.

Am I an unethical hacker?

Similarly, at least two public radio stations play their broadcasts over the internet; both provide the stream for free, but one requires a login to get the address of the stream, the other links to that address from a particular web page.

In both cases, going through the browser to get the stream address adds several manual clicks, but saving the actual stream address in winamp means I can play the radio station's stream with one click.

Am I an unethical hacker?

Several newspapers provide free web editions, but require logins. I use BugMeNot, which provides valid logins so that I don't have to create my own. BugMeNot only does this for sites that offer free registration.

Am I an unethical hacker for using BugMeNot?

In a few cases, I have created my own login at newspaper web sites, but sometimes I've given a fake, non-existent email address to avoid getting email from that newspaper. The email is guaranteed by RFC not to be anyone's real address.

Am I an unethical hacker for giving a fake email address in return for access to a web site?

When I do browse those sites, they like to serve up ads, many of which have animations, pop-ups, or other visually distracting and annoying features, so I use a software program to filter out those ads.

Am I an unethical hacker?

When an ad does get through, I use a Firefox extension, Nuke Anything, to set the ad's css display property to "none", effectively removing the ad from the page.

Am I an unethical hacker?
posted by orthogonality at 8:02 PM on March 10, 2005


*sigh*

You idiots need to stop these "breaking and entering" metaphors. Is it wrong to walk into the student lounge, is it wrong to enter someone's unlocked house? It doesn't matter whether it is or isn't with regards to this case. The only question is "Is it ethical to alter a URL and add a database ID". The answer, I think, is yes.
posted by delmoi at 6:31 PM on March 15, 2005

