[FoRK] [IP] more on Rejected Harvard applicants say school's reaction to Web page "hack" excessive (fwd from dave@farber.net)

Owen Byrne owen at permafrost.net
Fri Mar 11 10:42:12 PST 2005


Eugen Leitl wrote:

>------ Forwarded Message
>From: Radu Cornea <ccradu at yahoo.com>
>Date: Thu, 10 Mar 2005 16:25:29 -0800 (PST)
>To: David Farber <dave at farber.net>
>Subject: Re: [IP] Rejected Harvard applicants say school's reaction to Web
>page "hack" excessive
>
>
>Philip Greenspun has a nice post on his weblog about this:
>
>http://blogs.law.harvard.edu/philg/2005/03/08#a7726
>
>
>Regards,
>
>--
>Radu
>Business schools redefine hacking to "stuff that a 7-year-old could do"
>
>When universities created business schools in the 20th Century traditional
>academics decried the collapse of standards.  Instead of students studying
>Literature, Art, History, and Science they would be going through the
>motions of a scholar while occupying their minds with things that formerly
>had been learned at a desk as an apprentice in a dreary Victorian counting
>house.  Now in the 21st century the B-schools are degrading the term
>"computer hacking".
>
>Here are the facts:
>    •     Harvard and a bunch of other B-schools with a collective IT budget
>of maybe $50 million decided that writing Perl scripts was too hard so they
>outsourced Web-based applications to a company called ApplyYourself.
>    •      You'd think that the main advantage of a centralized service such
>as ApplyYourself would be that a prospective student could fill out one
>application and the information be sent simultaneously to many schools. 
>However, this is not how it works.  Each school has a totally separate area
>with ApplyYourself.
>    •      All the smart young Americans have gone to law, business, and
>medical school.  Companies don't like to hire old people (> 30 years) to
>write computer programs because it saddens them to see old folks doing
>something so degrading.  Thus ApplyYourself hired whoever was rejected by
>professional schools to write up some Visual Basic scripts to process HBS
>and other B-school applications.
>    •      The ApplyYourself code had a bug such that editing the URL in the
>"Address" or "Location" field of a Web browser window would result in an
>applicant being able to find out his admissions status several weeks before
>the official notification date.  This would be equivalent to a 7-year-old
>being offered a URL of the form
>http://philip.greenspun.com/images/20030817-utah-air-to-air/ and editing it
>down to http://philip.greenspun.com/images/ to see what else of interest
>might be on the server.
>    •      Someone figured this out and posted the URL editing idea on the
>BusinessWeek discussion forum, where all B-school hopefuls hang out and a
>bunch of curious applicants tried it out.
>    •      Now all the curious applicants, having edited their URLs, are
>being denied admission to Harvard and, due to the fact that  universities
>form cartels to fix tuition prices and other policies, presumably to the
>other B-schools as well.
>
>One interesting data point is that I once supervised a couple of MIT
>students building an online system for submission of essays to be graded. 
>MIT and a bunch of other schools have writing requirements.  Students submit
>essays.  These are held in confidence from other students.  A subset of
>users are authorized to grade essays and they are handed essays to
>evaluate.  One server with a single database is programmed to handle
>students and evaluators from many different schools and keep everything that
>should be separate separated.  The students building this system had never
>programmed in SQL before.  Nor had they ever written a Web script to glue
>their SQL code to an HTML template.  Nor had they ever written HTML before. 
>The entire project, which requires the same workflow and main features of
>the ApplyYourself service, took them three months at 20 hours per week. 
>Those kids are probably just graduating from med school now and preparing
>for their careers in radiology...
>
>In the 1960s the term "hacking" meant smart people developing useful and
>innovative computer software.  In the 1990s the term meant smart evil people
>developing and running programs to break into computer systems and gain
>shell access to those systems.  Thanks to Harvard Business school the term
>now means "people of average IQ poking around curiously by editing URLs on
>public servers and seeing what comes back in the form of directory listings,
>etc."
>
>[Update:  People have been asking me whether I think the schools are
>justified in rejecting the applicants who mucked with ApplyYourself's
>URLs.  Had I been an MBA applicant and heard about this security hole I
>probably would have tested it out.  Not so much out of curiosity as to
>whether I'd gotten in but mostly to see if a school with nearly $30 billion
>in assets really was so contemptuous of quality in IT and also to see just
>how far the Web development industry has slid from its apex (probably 1994,
>when 5 reformed Lisp hackers built Amazon.com out of C CGI scripts talking
>to Oracle).  I did something similar when writing Philip and Alex's Guide to
>Web Publishing.  I needed examples of Microsoft Active Server Page source
>code.  There was at one time a bug in IIS/ASP that enabled anyone to view
>the source code by appending "::$DATA" to any .asp URL.  Months after
>Microsoft had released a patch for this bug, I surfed around and found
>scripts at lots of prominent public servers, some of which scripts contained
>database usernames and passwords.  I published the results in
>http://philip.greenspun.com/panda/server-programming#ASP, which was turned
>into a hardcopy textbook by Harcourt.  So it seems that my curiosity into
>just how incompetent an institution with $billions in assets could be would
>have led to me failing the ethics test, being convicted of hacking, and
>being denied admission to a top business school.
>
>Where would I personally draw the line?  A grad student at MIT figured out
>that Fandango, the movie ticketing service, was passing the price of the
>movie ticket as a hidden form variable in the HTML instead of doing the
>pricing on the server at the final page.  He was able to edit the HTML form
>in Emacs and submit it to Fandango and buy tickets for any price that he
>felt was fair (being a grad student, his preferred price for tickets was
>$0.25).  He invited me to try it out but I thought that either
>Fandango or a movie theater would end up having to make up the difference
>and it didn't feel right to take their money.  The HBS/ApplyYourself
>situation falls into the "poking around with a browser" category where you
>get to see stuff but the Web publisher hasn't been injured because they
>still have the stuff on their server (one of the strange characteristics of
>the digital age).  As progressively dumber programmers build progressively
>more complex systems we will see more of this kind of attempt to paper over
>coding mistakes with lawyers, sanctions, policies, and laws.  Hollywood and
>the RIAA are usually the most successful at getting the government to do
>their bidding.  Thus I predict that one day Disney will have a Web site
>where you can buy access to any of their movies.  Because all of their
>profits are being used to pay executive salaries this will have to be built
>at extremely low cost.  Deficiencies in the software will enable vast
>numbers of Americans to download Bambi for free, their ISPs will be forced
>to rat them out, and they will all get to see Martha Stewart's cell in
>West Virginia first hand...]
>
># Posted by Philip Greenspun on 3/8/05; 4:19:25 PM - Comments [32] Trackback
>[13] 
>
>
>
>----- End forwarded message -----
Me - I think it was a deliberate test. Can you control your curiosity 
enough to not remove the blinders that you will have to wear in order to 
have a successful career in middle management? Can you restrain yourself 
from rebellion no matter how great the cognitive dissonance?
If you modify the url you fail. If you don't - you're a Republican!

Owen
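The two client-trust bugs the thread describes (an admissions status reachable by editing an id in the URL, and a ticket price carried in a hidden form field) modelled as plain Python functions, each beside a hardened version. This is an added illustration, not code from ApplyYourself, Fandango or the original post; the record table, prices and dates are constructed.

```python
"""Added example: the two client-trust bugs discussed in the thread, each
beside the server-side check that closes it.  All data is constructed."""

# Constructed sample records: applicant id -> (owner account, decision, release date)
# Dates are ISO strings so they compare correctly as plain strings.
DECISIONS = {
    "1001": ("alice", "admit", "2005-03-30"),
    "1002": ("bob", "deny", "2005-03-30"),
}
# Constructed catalogue: the server's own price list, the only one that counts
TICKET_PRICES = {"bambi": 8.50}


def status_vulnerable(session_user, applicant_id):
    """Returns whatever id the URL names.  Neither ownership nor the release
    date is checked, so editing the URL exposes any decision, early."""
    return DECISIONS[applicant_id][1]


def status_hardened(session_user, applicant_id, today):
    """Resolve the record, then enforce the two checks the original skipped:
    the record must belong to the logged-in user and must be past embargo."""
    record = DECISIONS.get(applicant_id)
    if record is None or record[0] != session_user:
        return "forbidden"          # not this user's application (or no such id)
    _owner, decision, release = record
    if today < release:
        return "pending"            # decision exists but is still embargoed
    return decision


def checkout_vulnerable(form):
    """Trusts the 'price' hidden field exactly as the browser posted it."""
    return float(form["price"]) * int(form["qty"])


def checkout_hardened(form):
    """Ignores any client-supplied price; price is looked up server-side."""
    price = TICKET_PRICES.get(form["movie"])
    qty = int(form["qty"])
    if price is None or qty <= 0:
        raise ValueError("invalid order")
    return price * qty
```

The hardened status check also returns "forbidden" rather than "not found" for unknown ids, so a URL-editing probe cannot distinguish other people's records from nonexistent ones.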