Harvard Hacked at URL Guessers

Ed Felten offers an interesting analysis of the legal and technical implications of the Harvard Business School URL-hacking incident.

More than 100 applicants to the school have been summarily rejected because they changed fields in a URL to see if they had been accepted, learning about the technique from weblogs or message boards.

Felten believes the school's punishment is extreme:

I might feel differently if I knew that the applicants were aware that they were breaking the rules. But I'm not sure that an applicant, on being told that his letter was already on the web and could be accessed by constructing a particular URL, would necessarily conclude that accessing it was against the rules.

Incidents like these make me wonder how anyone can argue that modifying a URL is inappropriate, much less compare it to breaking into a computer system.

If you make something available at a URL, you've invited the world to view it. Harvard should be dropping the hammer on ApplyYourself, the company whose poor programming revealed admission decisions prematurely, not on these hapless applicants.

Update: One of the peeking applicants said knowing early about his rejection helped him pursue another school before it was too late.
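To make the programming flaw concrete, here is an added example (not ApplyYourself's or Harvard's code) modelling a decision page keyed only by an applicant id in the URL, beside a hardened handler that ties the record to the logged-in session and to a release date. The applicant ids, usernames, outcomes and dates are constructed for the example.

```python
from datetime import date
from urllib.parse import urlparse, parse_qs

# Constructed sample data (not real applicants): id -> (owner username, outcome).
DECISIONS = {1001: ("alice", "admit"), 1002: ("bob", "deny")}
# Hypothetical date on which decisions are meant to become visible.
RELEASE_DATE = date(2005, 3, 30)
BEFORE_RELEASE = date(2005, 3, 2)   # constructed "too early" day
AFTER_RELEASE = date(2005, 4, 1)    # constructed day after release

def params(url):
    """Flatten the query string of a URL into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def decision_insecure(url):
    """Vulnerable pattern: the applicant id in the URL is the only key.
    Whoever edits it sees that record, today, regardless of release date."""
    app_id = int(params(url)["applicant_id"])
    _owner, outcome = DECISIONS[app_id]
    return 200, outcome

def decision_secure(url, session_user, today):
    """Hardened handler: the record must belong to the logged-in user and
    the release date must have passed; the URL id is never trusted alone."""
    try:
        app_id = int(params(url).get("applicant_id", ""))
    except ValueError:
        return 400, "bad request"
    record = DECISIONS.get(app_id)
    if record is None or record[0] != session_user:
        # Same response for "no such id" and "not yours": no enumeration oracle.
        return 404, "not found"
    if today < RELEASE_DATE:
        return 403, "decisions are not yet released"
    return 200, record[1]

if __name__ == "__main__":
    url = "/decision?applicant_id=1002"
    print(decision_insecure(url))                        # leaks bob's outcome to anyone
    print(decision_secure(url, "alice", BEFORE_RELEASE))  # alice cannot see bob's record
    print(decision_secure(url, "bob", BEFORE_RELEASE))    # bob, but too early
    print(decision_secure(url, "bob", AFTER_RELEASE))     # bob, after release
```

The server-side date check is what would have made the applicants' reasoning ("the server wouldn't provide it if it was too early") actually true.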


I agree. It makes no sense to punish people who know how to use the web openly.


Or drop the hammer on the IT guy that integrated ApplyYourself into the application process. If someone takes the fall, it shouldn't be potential students. It should be the administration that implemented the bad code. I have yet to see an apology by ApplyYourself for their shoddy coding, or Harvard for using a blatantly simple way of taking a sneak peek. That URL technique is often used for many different things.

Yes, I agree, who was the IT liaison inside of Harvard who was in charge of the project?

I wonder what you think about this imaginary case, Rogers.

Suppose I'm an educator doing an online course and I have a test students have to take and I've got the test at domainname/test.html.

Being a complete moron, I decide to put my key at domainname/test_answers.html

One of my more clever students decides to try test_answers.html and has the answers.

Clearly I'm a dumbass for doing this, but do you really want to say the student isn't doing anything unethical here?

How is this different than, say, I know my professor loves horses and so I correctly guess that her administrative password is horses?

I agree with you completely on the ApplyYourself issue, but I'm not so sure that guessing a publicly available URL is always ethical.

RE Brian's hypothetical, it would depend on whether they wanted to look at the answers to see how they did, or to look at the answers before they took the test. If they have already taken the test, then what is the harm in seeing how they did rather than waiting for you to grade it?

I happen to modify URLs on an almost constant basis. It is amazing how many web sites break themselves while updating but leave some of the old content live. I will come across it via google and then have to try out various related URLs to find page 2 etc.

I don't think passwords and URLs are a good comparison.

A person would never have a legitimate reason to guess someone else's password, but there often are reasons to guess URLs. I often do it because a site's navigation options are poor.

In the ApplyYourself case, if I'm an applicant, I'd be tempted to conclude that anything offered at a URL is fair game. I could see rationalizing the decision to try it on the grounds that the server wouldn't provide the information if it was too early to find out.

There have been some very productive discussions of this case over the past week, at Philip Greenspun's site, John Dvorak's site, and my site. In particular, look at this post on my site where I link to and describe the exact exploit, and then think about whether "anything offered by a URL is fair game," or should be to students whom we're asking not to be the next Bernie Ebbers.

It's hard to draw a bright clear line about what's right and wrong in this case, and that's what's so fascinating about it. However, I think it's pretty clear that ApplyYourself ought to be strung from the nearest yardarm.

Yes, Rogers, but what about the case I mention where I suspect my instructor has the answers to test.html stored unprotected in test_answers.html. Do you really think I'm acting ethically if I start checking to see if test_answers.html or test_key.html exist on the server as well?

I think you'd have to be stupid to put such a file on a public server, but I think that just because it might be there doesn't mean it's ethical to go looking for it, even though it is just a URL.

In fact there are other cases where this is the case. For example, if someone accidentally discloses non-public information about a company to me and I use that information to make an investment in that company's security, that could potentially be prosecutable, even though all I did was rely on information that was made available to me without any effort or initial desire for the information on my part.

I'll concede the point. Your hypothetical would demonstrate a case where guessing a URL is unethical, because I can't think of any reason someone would guess test_answers.html other than to see the test answers.

The situation reminds me of an infamous argument on MetaFilter where an Amazon error made $350 cameras available for $40. Users gleefully took advantage of the deal, prompting this exchange:

marknau: "I can't take a moral argument seriously from any of you who jumped at the opportunity to take advantage of an honest mistake. I don't want to hear ever again about greedy corporations or crooked politicians. You people just showed that you're willing to turn a blind eye when it is to your benefit. How does that make you any different from those you rail against?"

nortondc: "We have cameras."

"Being a complete moron"

Finally Brian Carnell admits it. :)

The punishment seems harsh to me. It's not like the applicants were cheating, stealing, causing any harm, or gaining an advantage. They were only getting their personal information early.

On the other hand, it'd be nice to see such strictness applied more frequently. I'm thinking of Tom DeLay, Cheney and other Republicans that think they can do anything they want.
