Ivy hacking caper exposes a big-league security flaw

August 01, 2002 | By MIKE HIMOWITZ

IT'S FUN TO watch the rich and famous air out the laundry in public. Especially when they're two fabulously wealthy institutions dedicated to the very highest academic and community ideals.

That's why there was more than a little chuckling and chortling behind the dignified outrage which greeted last week's news that Princeton University had hacked into a Yale University computer.

The kids on both sides have been doing this for years. What made this hack particularly delicious is that it was carried out by adults - who presumably should have known better.

Shirley Tilghman, Princeton's new president, apologized for the April incident, in which at least one Princeton admissions official "hacked" into a system operated by Yale counterparts to find out whether some students who had applied to both schools had been admitted to Yale.

I use the word "hack" advisedly here because what happened was no feat of computer legerdemain. It's more like Princeton played peeping Tom with a system that left applicants' confidential information wide open to anyone who knew the window shade would fly open if they knocked twice on the sash.

That doesn't excuse Princeton's voyeurism, but if I were Yale, I'd put the righteous indignation away and hope nobody noticed what amounted to a serious lapse in computer security. And having learned about this little episode, if I were applying to a college that wanted to keep in touch online - or had a child doing so - I'd ask some serious questions about how closely it guards this information.

First, my personal disclaimer: I have a son, brother-in-law, nephew and cousin by marriage who are Princeton alumni; I also count a number of Yale graduates among my friends and colleagues, at least one of whom has written occasionally for this section.

None of them, of course, had anything to do with what happened after Yale set up a Web site to allow applicants to find out whether they had been admitted without having to wait for the much-anticipated and much-dreaded decision letters to arrive by snail mail.

Yale's intentions were undoubtedly the best. April is a month of high anxiety for high school seniors everywhere, and for none more so than those aspiring to the upper stratosphere of the Ivy League, where 10 to 15 students - almost all of them qualified - compete for every place.

Before delivering the good or bad news, Yale's admissions Web site asked applicants for two pieces of information to confirm their identities: Social Security number and date of birth. This is information applicants and their families would be expected to know, but that relatively few others would have handy - even if they knew or cared about Yale's admissions Web site.

The problem was that everyone in the admissions office of every school to which those same students applied also had their birth dates and Social Security numbers - all they needed to "hack" Yale's Web site and find out if those students had been admitted to Yale.

Given the amount of mail that flows between applicants and the schools they apply to, it would have been easy enough for Yale to have its computer generate a random password for each applicant and send each out. Combined with a Social Security number and birth date, a password would have created a reasonably secure system. Some schools that allow students to track the status of their applications online do just that.
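
The fix described above, shown as an added example that is not from the original column or from either university's systems: a random code is generated per applicant, mailed out, and required alongside the Social Security number and birth date. The sample records, function names and code format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (000-prefixed SSNs are never issued).
APPLICANTS = [
    {"ssn": "000-00-0001", "dob": "1984-03-14"},
    {"ssn": "000-00-0002", "dob": "1984-11-02"},
]
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # no look-alike characters


def _hash(code: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked table does not reveal the mailed codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 200_000)


def enroll(applicants):
    """Return (table, letters): hashed codes to store, plain codes to mail."""
    table, letters = {}, {}
    for a in applicants:
        code = "".join(secrets.choice(ALPHABET) for _ in range(10))
        salt = secrets.token_bytes(16)
        table[a["ssn"]] = {"dob": a["dob"], "salt": salt, "hash": _hash(code, salt)}
        letters[a["ssn"]] = code
    return table, letters


def legacy_check(table, ssn, dob):
    """Two-field check as the column describes it: SSN and birth date only."""
    rec = table.get(ssn)
    return rec is not None and rec["dob"] == dob


def check_status(table, ssn, dob, code):
    """True only when SSN, birth date and the mailed code all match."""
    rec = table.get(ssn)
    if rec is None:
        _hash(code, b"\x00" * 16)  # do the same work for unknown SSNs
        return False
    ok_code = hmac.compare_digest(_hash(code, rec["salt"]), rec["hash"])
    ok_dob = hmac.compare_digest(dob.encode(), rec["dob"].encode())
    return ok_code and ok_dob
```

Anyone holding a copy of the application file passes `legacy_check`; only the person who received the letter passes `check_status`.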

But Yale didn't, and the temptation was apparently too much for some folks in the Princeton admissions office.

Although most stories about admission to Ivy League schools stress competition among students, the schools themselves are competing, too, for the cream of the cream of the crop - National Merit finalists, Intel Scholarship winners, top athletes, celebrity kids and the offspring of families with the means to donate the funds to construct large buildings.

The snoops at Princeton used the information from their files to check out Yale's decisions on a handful of the many students who had applied to both schools, including fashion model Lauren Bush, the president's niece (she got into both colleges and chose Princeton, according to her publicist).

When the Yale Daily News broke the scandal online (its editors took a break from summer vacation to put out a special Web edition), it provided a wonderful opportunity for public indignation and private merriment among those who enjoyed watching an Ivy League version of Celebrity Boxing.

A Princeton admissions officer told the Yale Daily News that his office was just testing the security of Yale's system (we've heard that one before). But there's no question that the people involved were dead wrong, and possibly in violation of federal computer security laws.

Yale called for an FBI investigation, and undoubtedly there's already a team of grim-faced agents working over the Princeton admissions staff in a sweaty interrogation room somewhere - a nice break from chasing cyberterrorists.
