I have to say that this is pretty embarrassing. What surprises me is that Yale didn't mention it earlier.
posted by oaf at 6:59 PM on July 25, 2002

Social security numbers are protected information under the Federal Family Educational Rights and Privacy Act. I have to wonder that supplying the SSN numbers of students (via the login procedure) to an off-campus web site would be a violation.
posted by fleener at 7:29 PM on July 25, 2002

Yay. It was Slashdotted earlier today, and now let's see if we can 'Metafilter' it :-)
posted by wackybrit at 7:45 PM on July 25, 2002

I'm just amazed that my alma mater spotted this break-in by those insufferable Princeton hacks. The computer network there, like any other huge, grandfathered academic system, had some pretty weak links, especially if you were UNIX proficient.

And what's with that "Oh, we were just testing their security" line? Since when did admissions officers at Princeton become IT security for Yale. Fishy, fishy, fishy.
posted by evanizer at 7:53 PM on July 25, 2002

I'm imaging it like this:

One person checks out the Yale admissions page, sees it only needs the SSN and birthdate, is somewhat amazed at how weak that is, tries a combination or two from Princeton's database, and word spreads... It was probably just idle curiousity.

Then the FBI called.

Too bad schools use the SSN for *everything*. It's like they're too lazy to have a computer generate a random ID or something...
posted by whatnotever at 7:57 PM on July 25, 2002

should always hire a pro.
and im shocked, the Yale lock has a sterling reputation and this scares me the most............."I'm just amazed that my alma mater spotted this break-in by those insufferable Princeton hacks"

:)

remember the red-handed axiom

-I just wanted to see if it was on/working/off/at rest/in transit/ etc.
posted by clavdivs at 8:13 PM on July 25, 2002

Freakin' Ivy Leaguers, danged menace is what they are, I've always said and this proves it.
posted by jonmc at 8:16 PM on July 25, 2002

This is the kind of thread where people try to off-handedly mention what "name" school they attended. =)
posted by donkeyschlong at 8:18 PM on July 25, 2002

I knew someone was going to snark me for that. I just knew it. "Oh, don't be silly, Evan, you're just stating a fact." I told myself. "Someone's gonna snark you..." said my MetaFilter conscience. "Oh shut up," I yelled at it, and batted it away, and hit post.

My Metafilter conscience is sitting on my shoulder, giggling right now.

Thanks, donkeyschlong! ;-)
posted by evanizer at 8:25 PM on July 25, 2002

Actually, I typed that in before I even read your post. =)
posted by donkeyschlong at 8:36 PM on July 25, 2002

Point the first: The YDN story indicates multiple instances that were only disclosed casually weeks later. This wasn't a security check; and no white-hat notification followed.

Point the second: security experts have railed for years against such simplistic security screens. It wasn't that long ago that the Social Security administration itself allowed people to "log in" with just their SSN; and alas far too many sites still use the SSN as a key or password.
posted by dhartung at 8:49 PM on July 25, 2002

Oh, so what they're telling me is that Princeton were just looking out for Yale's best interests. Oh, now I get it. Silly me, I thought they were rivals. Well, thanks for putting my mind at ease.
posted by Jubey at 9:17 PM on July 25, 2002

this kind of stuff is exactly why i turned down princeton's offers, even with their scholarship promises. why i never....
posted by lotsofno at 9:52 PM on July 25, 2002

Don't worry Evanizer. My Norwegian uncle was in Yale once. His name was Yimmy Yohnson. It's all good.
posted by KevinSkomsvold at 10:07 PM on July 25, 2002

Too bad schools use the SSN for *everything*. It's like they're too lazy to have a computer generate a random ID or something...

All too damn true, at least where I went. Fucking Baptists.

This is the kind of thread where people try to off-handedly mention what "name" school they attended

Maybe if I were that proud of it, donkey. But I swear, they call it the Ivy League school of the south! aw, dammit!
posted by Ufez Jones at 10:15 PM on July 25, 2002

I love the CNN headline, "Princeton accused of Ivy League hacking." In the Ivy League, I guess this is what passes for hacking.
posted by transona5 at 12:21 AM on July 26, 2002

How stupid it is for Yale to only require a birthday and SSN to log on to their admissions system? How come the kid that prepared the security report didn't scream at Yale officials to close a very obvious and gaping security hole?

Many *high schools* require students to use their SSN as their ID number, so it would be pretty easy for another student to check out whether a fellow classmate's been accepted.
posted by jennak at 2:06 AM on July 26, 2002

I swear, they call it the Ivy League school of the south!

You go here, too?

(I don't know why... felt I had to say it...)
posted by nath at 2:24 AM on July 26, 2002

My alma mater, also an Ivy (which shall remain nameless), used to have us write our SS#'s on business-reply postcards in certain instances of correspondence, no joke. Total bullshit from the best and the brightest.
posted by donkeyschlong at 2:26 AM on July 26, 2002

Who the fuck does Princeton think they are, the MPAA?
posted by NortonDC at 4:39 AM on July 26, 2002

One person checks out the Yale admissions page, sees it only needs the SSN and birthdate, is somewhat amazed at how weak that is, tries a combination or two from Princeton's database, and word spreads... It was probably just idle curiousity.

Probably in the beginning, but the admissions dean knew about it, condoned it, and defended it to the media. Looks like someone's going to get laid off on this particular pay day.

This is the kind of thread where people try to off-handedly mention what "name" school they attended. =)

Good point, donkey.
Yawn - stretch - time for breakfast. I'm thinking hash-BROWNs.
posted by PrinceValium at 6:40 AM on July 26, 2002

Killer, NortonDC, just killer.
posted by drywall at 7:14 AM on July 26, 2002

To get serious (and without namechecking the fine upper Manhattan university which taught me how to approach such matters) this really points to the need to stop allowing private entities to demand social security numbers as identifiers -- something that the back of every SS card says that the numbers aren't to be used for. Has anyone ever have any success in getting around using your Soc for something? The way I figure it, the only people who have a need for it are my employer (that's me) and the IRS (damn them) and maybe my bank so that they can report me to the IRS if they get itchy to. But I've been asked for my numbers everywhere from the public library to Costco, and have chosen not to patronise certain companies and organisations when they feel that their ned to file information on me supercedes my right to privacy.

Imagine if some nutjob at Princeton found a way to use these kids' numbers and dates of birth to access their health records somewhere, (I bet your doctor knows your soc!) and they decided not to offer admission to students who had overcome childhood cancer or had a surgical repair to a birth defect in their heart, or who had diabetes, figuring that such problems made it impractical to invest in such students' educations?
posted by Dreama at 7:45 AM on July 26, 2002

A true story:

How can I help you?
I'm returning this.
Do you have the receipt?
Yes, I do.
Why are you returning it.
It doesn't work.
Is it broken, or what?
It didn't do the job, that's all I can tell you about it.
Do you want to exchange it for another one or credit...
I want my money back.
Can I have your last name?
No.
I need it to get your money back.
No, you don't. It was a cash transaction and you have the receipt [and the item, instructions and packaging were all complete and reassembled]
(type type type)
It won't go without a name
Improvise. [employee #2 laughs]
hits same key three times
See, it won't go without your name.
Give it yours.
type type type. money and a new receipt appear.
Sign here.
"X"
[mumbling]thank you choosing Transistor Hut.
[cheery]Have a nice day!
posted by NortonDC at 8:49 AM on July 26, 2002

Maybe Princeton was just checking to make sure no terrorists had been admitted to Yale.
posted by espada at 12:27 PM on July 26, 2002

colleges here in WA (public at least, don't know about private) have been required this spring to switch to something other than SSN for student ID. [work self-link] and I think it's a damn good idea, even if it did throw everyone into a tizzy.

(I was once asked for my SSN to start a video rental account! how insane is that?!)
posted by epersonae at 3:49 PM on July 26, 2002