Not linking is not security

by brian d foy

Related link:

Earlier this month I heard about a fuss over information leak out of ApplyYourself, a company that helps manage the admissions process for schools. Apparently they didn't protect their information about admission status for students, and a particular URL would let students know how their application is doing. An entry in PowerYogi explains how it worked. Type the right URL into the browser and the you get the information.

Now, according to Reuters, Harvard Business School is rejecting applications from 119 students who took advantage of the ApplyYourself bug. Accepted Admissions Almanac posted a letter they sent to Business Week. They know which students looked at their application status since they used the session and user IDs that ApplyYourself gave to them. They weren't being sneaky or trying to get information on anyone else other than themselves.

The information each student needed to get to the application status was gladly given to them by the web pages they were already allowed to view. I don't see any "hacking" here.

Harvard Business School calls this "unethical". Most businesses would call it "resourceful", but that's just another way schools and reality diverge. If anyone is to blame, it's ApplyYourself and their inability to control the information or correctly authorize its viewing. They made it available, and people looked at it.

Simply not linking to information is not a security model.


2005-03-08 22:55:33
Not linking is not security
Reminds me of the people who use hidden fields to send sensitive information on a roundtrip through the client browser in web apps. After all, noone's going to View Source, right?
2005-03-09 16:22:05
ethics vs. web browsers
In a business ethics class, it was discussed whether it would be unethical to look at a document about salaries (for example) that was in an unlocked drawer. It was decided that, just because we knew where the document was and could get it without getting caught, it would be unethical to do that.

I imagine that Harvard is taking a similar stance, which is why they are discussing "ethics" while the engineers are discussing "security."

In business, a boss should be able to tell someone not to look at a document, and be assured that the document will remain unviewed. People who look at documents they shouldn't may be called "resourceful." They might also be called "fired."

My only real point here is that this article and Harvard are talking about two different things.

2005-03-10 00:01:22
The More Serious Ethical Violation
Harvard isn't mentioning the other and more serious ethical violation in this incident. The school didn't exercise sufficient care to protect the confidential records of applicants. This was perhaps the easiest break-in in Internet history. If applicants who had been accepted are to be cruelly rejected, then perhaps Harvard should discipline those who made this blunder.

Harvard's behavior is a bit like the Italian officials who are raising a fuss about US soldiers shooting one of their agents who was in a speeding car approaching a checkpoint. They're trying to distract attention from the fact that they've paid millions in ransom money to terrorists who'll use it to kill yet more Iraqi citizens.

Moral of both stories: The guiltier they are, the more loudly they try to blame others.

--Mike Perry, Inkling Books, Seattle
Author: Untangling Tolkien

2005-03-10 03:27:19
The More Serious Ethical Violation
not to mention that had the Italians not been active communists and one of them a reporter noone would have ever heard of it as it would have been understood by all sides that it was just one of those things that happen in a warzone...
2005-03-10 10:34:41
ethics vs. web browsers
In your business class, you would have to discuss whether it would be unethical for someone to apply for a job, then log into the site specified for them to view their offer. They would be told the offer would be sent by, say Monday. They log in, they don't see any results yet, but guess that the URL might be something like //yourjob/offerresults.html.

So they type it in to see if anything has been posted yet, in their account, for their own job. Low and behold, the offer has already been posted on that Sunday.

Where the heck is the ethical issue here? I'm sorry, if they didn't want that information distributed, they shouldn't distribute the information!!! Where did these applicants promise not to know their results prior to the deadline? Where did these applicants promise not to type in a URL within ApplyYourself's web site?

Where were they told they should avoid any potential source of information concerning their application prior to some date?

Yes, the article and Harvard are talking about two different things... The article is talking about reality, while Harvard's talking about a spin on reality. After all, someone has to take the blame, and who is a better target than these applicants?

2005-03-10 14:47:45
ethics vs. web browsers
Going through a desk to get information about other people is world's apart than looking at a website you used to apply to a school to get information about yourself.

The "ethics" concern is a knee-jerk reaction to people who don't even know what it means. Should Harvard also turn away students who call on the phone to ask the status of their applications? What if they call and an admissions officer mistakenly tells them?

Indeed, my article doesn't parrrot Harvard Business School: I think they have no one to blame but themselves, and that is unconscionable to them. To save their reputation, they blame the students.