Hack job

BY PAUL SERRITELLA

Today, I write in support of the most shameful, degraded, and undeserving members of our society. For years, I felt these people to be beneath contempt, and their motivations indefensible with either a clear conscience or straight face. And yet, today I stand in support of 119 individuals – all once cute, lovable babies – who willingly and unapologetically applied to Harvard Business School.

First, for those of you who spend morning classes in a non-wireless-enabled classroom, a news update: last week, an online forum run by Business Week featured a post by an anonymous ‘hacker’ that explained how applicants could access their B-School admission status online, several weeks before decisions would be finalized. Although the specifics are not available, it seems that the exploit had something to do with changing the arguments submitted to a web-accessible script that in turn accessed a back-end blah technobabble blah blah blah. Basically, you logged in, you changed one or two words in the ‘address’ bar of your browser, and the application retrieved your status. You couldn’t change your status, or look at other people’s information, and, before you got anywhere, you had to provide your own password.

One hundred and nineteen applicants to Harvard followed the instructions. Most, it seems, received no information at all, while a few found acceptances… but all tasted the glove slap of rejection a few days later when HBS Admissions decided that “any applicant found to have done so will not be admitted to this school.” “This behavior is unethical at best – a serious breach of trust that cannot be countered by rationalization,” said Dean Clark (no, the other one).

Now, seeking advance notice of one’s admission status is a nearly universal desire. And acting on that desire is so common that, if I recall correctly, the LSAT people can charge twenty bucks a phone call so we can see our scores a few weeks early. If 119 potential applicants had called the B-School office seeking information on their status, that activity might rise at worst to the level of “really friggin’ annoying.” And if an uninformed assistant had given them that information, I feel the error would lie with the Business School administration, not with the student.

So if the Dean’s “unethical at best” language has any meaning, it must apply to the use of computer systems to get this information. He wasn’t alone in this regard – most of the major news outlets that treated the story called the event a ‘hack,’ as in CNN’s “Business Schools’ Admissions Records Hacked.” And once an incident becomes about ‘hacking,’ the gloves come off (remember kids, whenever a hacker checks her admission status early, she’s helping the terrorists win). But, with all due respect, the “hacker” label gives these applicants too much credit. The server was configured to give them this information when asked, and the way to ask was clear enough to be guessed by at least one member of the applicant pool. Lastly, it’s hard to say their access was unauthorized when they needed, and used, valid usernames and passwords to look up their own information.

If anything, the blame should lie squarely with the software vendor – ApplyYourself – for writing shoddy code and passing it off to the B-School like the Emperor’s new clothes. A blog entry on Phil Greenspun’s blogs.law.harvard.edu page covers this point in vituperative depth, and I recommend it to you in its entirety. But I’m stealing his conclusion: namely, before we castigate the applicants, consider harm and intent first.

There is a line between people who actively seek to compromise systems for gain or to cause damage and those who browse the public information looking for data. When the data literally had their name on it, pointing the finger at the applicants for the vendor’s mistakes seems vindictive rather than ethical.

The bigger problem may be the applicants’ awful timing. Few have sympathy for business school applicants – even business school students, apparently. One current B-Schooler described the prevalent mood: “There was some discussion about it, but the general response was, ‘ah well.’ We’re a pretty apathetic lot, in the end.” (Although the Hugo Z. Schadenfreude Award has to go to ‘Skyshadow,’ who posted the following to the online forum Slashdot: “Expensive College Prep School: $90,000; Test Prep Classes: $10,000… Blowing your future because you can’t wait a month: Priceless. There are some levels of satisfaction that money can’t buy, like watching 100+ snot-nosed future pointy hairs take it up the pooper from Harvard.”). Admittedly, a few people have held that these applicants should be lionized for their initiative, but not many, and not loudly.

At the same time, this has been an uneven year for Harvard’s name in the media, and an even worse half-decade for business ethics. So perhaps when B-School Dean Clark saw an opportunity to hammer a few hundred anonymous applicants and, in so doing, dodge the ‘soft-on-hackers’ label that had tarred Larry Summers (wait, maybe that was about something else… never mind), he took it. But making an example of these kids doesn’t show that Harvard has backbone – it shows that the administration can’t tell the difference between knowing fraud and web surfing.

So, to those 119 former applicants, a brief word. People, you did break the rules, just not the rules you were accused of breaking. Rule One: never be an early technology adopter. Let someone else take the risk on a new process, and wait for him or her to screw up. Rule Two: never, ever, EVER make management look bad. And if I may close with a word of advice from a cryptographer friend of mine – next time, do things right. Get root access, delete the server logs, and cover your tracks. You’re going to wear the mantle of ‘hacker’ anyway, baby… earn it.

Paul Serritella is a 3L who did not hack into The Record’s computer system during the making of this column.
