HBS/ApplyYourself Application Fumble
The following HBS notice appeared on the BW Forums today:
The mission of Harvard Business School is to educate leaders who make a difference in the world. We aspire to achieve this mission in all our activities, and our admissions process reflects our commitment to the highest standards of integrity.
Earlier today, we sent the following e-mail to all applicants currently in the admissions process:
We understand that some users of ApplyYourself, the on-line application and decision notification system we employ, have inappropriately attempted to access decision information about their own applications before the specified notification date. We take this abuse of the ApplyYourself system very seriously. Such behavior is unethical and inconsistent with the behavior we expect from high-potential leaders we seek to admit to our program. We want to assure all applicants, however, that:
- HBS decision information housed within ApplyYourself is neither complete nor final until our application notification dates
- The application information that all applicants and recommenders submitted to us has been, and continues to be, secure
We appreciate your interest in Harvard Business School, and we want to underscore to all our applicants our commitment to make and communicate our admissions decisions in the most rigorous, fair, and secure fashion.
Sincerely,
Brit K. Dewey, Managing Director of MBA Admissions & Financial Aid
Harvard Business School
From what I can piece together from other forum posts, and forum posts are an admittedly dubious source of information, someone hacked into the HBS ApplyYourself site and figured out how to see decisions even though those decisions are not (supposed to be) public until the March 30 notification date. Furthermore this technical wizard, then posted the technique in the BW forum so that other Curious George's could also see their decisions.
While the forums are debating whether Harvard is acting foolishly or ApplyYourself is incompetent or the hacker is an idiot or BW is engaging in 1984-type censorship or the applicants violated various moral codes, I am going to leave those debates to others.
Hacking into a school's site because you can't wait four more weeks for the decision is immature and stupid! I am no techie, but I suspect that an analysis of log files will show Apply Yourself and HBS which of those pages were viewed. When that information is gathered, what do you think it will do for your admissions chances if your page is on the list?
"Not linking is not security" (your comments don't seem to allow HTML, so the URL is http://www.oreillynet.com/pub/wlg/6631) explains a bit more about this "hacking". Apparently ApplyYourself put the decision information for an applicant on a web page viewable by that applicant (and only that applicant) and now is angry at anyone who looked at that page. ApplyYourself allowed applicants to look at the page only if they were logged in, so obviously it was deliberately designed to allow applicants access, but they should have known they weren't supposed to look.
I guess the "unethical" thing was that there wasn't a specific link to the viewable page, so applicants were typing in a URL ApplyYourself didn't expect them to know when they looked at it. Because, you know, the location bar on your browser isn't actually meant to be used or anything, and it isn't like people ever actually type URLs into browsers.
If ApplyYourself didn't mean for the page to be accessible to applicants, I can't understand how they could blame anyone other than themselves for explicitly allowing access to it, but perhaps they don't have a very good grasp of how the web works or haven't ever really looked at any beginners guides on making secure web sites.
Posted by: Anonymous | March 08, 2005 at 04:25 PM