Record Speaks with Auto Admit Hacker

BY ANDREA SAENZ

The Record has reported on, editorialized about, and made fun of the Autoadmit message board (www.autoadmit.com or www.xoxohth.com) a number of times over the past two years, most recently covering HLS’s panel on anonymous Internet speech (“Panel Debates Online Anonymity,” April 12, 2007) and running board administrator Jarret Cohen’s editorial about the same subject (“Free Expression on the Internet,” April 12, 2007).

This summer, the board was hit by what seemed to be a hacker who was collecting names and information about posters by getting them to click on “trap” links that sent information to an email address. Subsequent threads, which may or may not have been real, threatened to “out” anonymous posters and even contained names of alleged Harvard Law posters. Given the racial, sexual, and otherwise offensive nature of much of the board’s content, this caused serious concern. The situation seemed to die down by the time school started, but the person and motives behind the hacker, who went by “AutoAdmitWatch,” were never clear.

Last week, the person behind AutoAdmitWatch approached the Record, interested in sharing some of the information he had gathered. He claimed to have gotten involved in the board out of a concern over innocent people being defamed by “anonymous idiots” online, and had discovered a great deal about the nature of student posting on Autoadmit.

It is no secret that I have visited the board and written about it before (including the parody “AutoAdmit Lifts Veil of Anonymity,” April 5, 2007, which was premised on the joke that only six people were posting all of the content).

AutoAdmitWatch accurately stated that I had clicked on some of his links, leading me to think he was credible, and he seemed to be a sane person.

As editor-in-chief, I consulted with the Record board and decided that, as strange as it was to print an interview with an anonymous person whose statements are difficult to verify, AutoAdmitWatch seemed to be legitimate, was not interested in defaming or outing Harvard students, and had some very interesting things to say. His interview follows:

Record: Are you a law student? What’s your tie to the Autoadmit board and the issue of anonymous Internet defamation?

AAW: I was a law student when this whole process began, but I graduated in 2007.

For students who aren’t frequent visitors to the AutoAdmit message board, can you explain what it is you did on the board?

The whole process began when I noticed that I had the ability to force users to edit their posts if I got them to click on a link. This was nothing more than a simple cross-site-script attack (xss). I used this attack to edit some content that I found to have crossed the line, by getting logged-in users to click on links to various googlepages or geocities links. I then realized the same xss hack could be used to force users to post against their will. Through a well-known facebook exploit, I could get users who were logged into facebook and AutoAdmit to post a unique identifier at the same time they sent a facebook message to a dummy account with the same string. Thus, I was able to link facebook users to AutoAdmit accounts, when the conditions were right.

You told me you got involved because you felt people were being defamed by “anonymous idiots” online. So why hack the message board, as opposed to another course of action? Some people might think you’re adding to the Wild West atmosphere of anonymous posting.

This is an interesting question. It became clear around the time of the T14 contest, that neither Anthony Ciolli nor Jarret Cohen were competently administering the board. [Note: The “T14 contest” involved a poster making a website with pictures and real names of female law students for others to “rate,” which none of the women had consented to.] As a result, a small group of users realized they could get away with anything. The closest analogy might be to a wife-beater who realizes that the police won’t enforce a restraining order. Obviously things are going to get a lot worse once people realize that there will be no consequences for their actions.

As a long-time user of the board, I had written to Jarret pleading that he take more aggressive action, but he never responded (nor intervened). At first I had sought to minimize damage done to friends of mine. Then I realized that I could possibly get some of the extreme posters who were causing the damage. Then things just went from there.

There were several threads purporting to “out” lists of HLS students as posters – were those real?

Yes and no. The facebook exploit was closed in the spring. As a result, in order to link AutoAdmit usernames with real life people, we needed a new mechanism. I had learned that my own school’s webmail was vulnerable to a similar xss attack where I could force a logged-in user to send an email with a certain string to a dummy account. I started reaching out to friends of mine at other schools, including Harvard, to see if they could compromise their webmail in the same way. We were successful at a number of schools and were now linking users to email accounts.

Things took a weird turn at Harvard when my contact there decided to take matters into his own hands. He and a student from my own alma mater decided that it was time to start outing people and created a series of websites to this extent. This was never part of the plan, although it wasn’t really against anything we had in mind. Until this point, I had just been gathering data, unsure of what to do with it.

In my mind, the Harvard student crossed the line. There was some discussion and we parted ways, although he continued to try to out people through new means. Since the Harvard data was going to him, I have no way of knowing how accurate any of it was.

What did you find out about the scope of Harvard Law posting and lurking on the board?

Until the disagreement, I had seen the Harvard data. While the information is far from perfect, there were a significantly large number of lurkers when compared to very few posters, a trend that was very common. There were no more than 5 regular posters from this school, as compared to over 150+ readers.

The vast majority of posters who claim to be at Harvard were not. Amazingly, there were entire threads where various HLS posters turned out to really be just one guy talking to himself (who was not even in law school yet!) Most significantly, we started tracking which fake (trap) links students were clicking on. Only a small number of Harvard lurkers clicked on general interest links and the vast majority seemed more interested in HLS-only information. Also, it seems like you can put Dean Kagan into a subject and get everyone from Harvard to click on it.

So it would seem that the Record’s April Fool’s article about the board turned out to be surprisingly accurate! From what you found out, what kind of students are most likely to post on Autoadmit?

I think there was little surprise here. Of my own classmates, and from what I understand from my peers at other schools who worked with me, the average AutoAdmit poster was largely restrained, apolitical, and was not particularly interesting. It would have been a lot more interesting had they all been Federalist Society or American Constitutional Society members, but that was not the case.

Most of the time I looked at people and wasn’t really that surprised that they wrote such offensive posts. I guess the real shocker was the number of women who post, which is surprisingly high. This, of course, applies to your own organization, which was largely overrepresented as far as I can tell.

What’s your take on how administrator Jarret Cohen (and former administrator Anthony Ciolli) has handled criticism of the board over the last year or so?

I’m immensely disappointed with Cohen. Ciolli was not up to the job but I feel like he’s suffered enough for his mistakes. Cohen let the board go to hell. It would have only taken a tiny amount of attention and the most basic competency to keep the negative elements in line. I realize that I’ve definitely contributed to the downfall of the board, but I could never do half the damage that Cohen did. We talked a few times and he just doesn’t seem interested in doing the right thing.

There has been a lawsuit filed against Ciolli and some anonymous posters that hasn’t seemed to go anywhere. Do you support that effort, or think it’s likely to accomplish anything?

I think the lawsuit is stupid. Litigation is not going to fix this problem nor is it likely to be successful. Quite simply, we had a bizarre situation where a surprisingly influential community discovered that it was not subject to any consequences and would not be moderated in the slightest. It’s not surprising that the attacks started against the board’s own posters and ended up targeting those on the outside. The same laziness that led to this problem also allowed me to take some vigilante action. I feel that was a more appropriate solution and hopefully Cohen’s desire to protect the board will eventually extend to other areas (although I remain unconvinced he’s the man for the job).

Anything else you’d like to say about the board, what you did, and what you discovered?

The most shocking thing about this process is that the vast majority of content is created by an incredibly small number of people. I’m not looking to out anyone, but the belief that there are hundreds of regular posters is just a misnomer. Other than occasional one-time posters, AutoAdmit really is the playground of a handful of really obsessive people that is followed by an incredible number of watchers.

Someone pointed out to me that AutoAdmit is like the Iowa primary, where a really backwards group of people get way too much attention and have the ability to set a tenor for discussion. If anyone wants to contact me and learn more (but no names), feel free to email me at AutoAdmitWatcher@gmail.com.
