[ISN] MIT says it won't admit hackers

InfoSec News isn at c4i.org
Wed Mar 9 07:03:06 EST 2005 

http://www.boston.com/business/articles/2005/03/09/mit_says_it_wont_admit_hackers/

By Robert Weisman
Globe Staff  
March 9, 2005

The dean of MIT's Sloan School of Management yesterday said Sloan will 
join Harvard Business School in rejecting applications from 
prospective students who hacked into a website last week to learn 
whether they had been admitted before they were formally notified.

Stanford's Graduate School of Business, meanwhile, asked its own 
applicant-hackers to come forward and explain their actions, in a sign 
that the California school soon may take tougher action as well.

Thirty-two applicants apparently sought an early peek at the 
confidential data in their admission files at Sloan, while 41 files 
were targeted at Stanford and 119 at Harvard. Harvard on Monday became 
the second victimized business school to say outright it would not 
admit proven hackers. The first was Carnegie Mellon's Tepper School of 
Business, where one admission file was violated.

Those schools, along with Dartmouth's Tuck School of Business and 
Duke's Fuqua School of Business, all use an independent website run by 
ApplyYourself Inc. of Fairfax, Va., to receive applications and, in 
some cases, manage communications with applicants.

After midnight last Wednesday, hundreds of business school admission 
files were targeted by computers around the globe when a hacker posted 
detailed instructions on a BusinessWeek Online forum. Most of the 
hackers saw only blank screens, though some who accessed admission 
files at Harvard viewed preliminary decision information.

''Students who hacked the ApplyYourself website will be denied 
admission to Sloan," the school's dean, Richard L. Schmalensee, said 
in an interview yesterday after a team from Sloan met with 
representatives of ApplyYourself to learn what happened. Sloan used 
the website only to receive applications, using a separate in-house 
server to handle the admissions process, he said.

Schmalensee said he made his decision to reject the 32 applicants 
after seeing the directions posted by the hacker. ''The instructions 
are reasonably elaborate," he said. ''You didn't need a degree in 
computer science, but this clearly involved effort. You couldn't do 
this casually without knowing you were doing something wrong. We've 
always taken ethics seriously, and this is a serious matter."

At the same time, Schmalensee said Sloan would allow rejected 
applicants to reapply in later years, though he said the hacking 
incident would continue to be a factor in the school's decision.

''We'll look at applicants next year," he said, ''but we'd want to see 
evidence that this was an aberration, that they have grown."

Schmalensee said Sloan would consider appeals this year only if there 
were clear-cut extenuating circumstances; one example he cited was an 
applicant serving in Afghanistan turning over his ApplyYourself 
password to an irresponsible brother-in-law.

As to why MIT's Sloan School waited nearly a week to take action, 
Schmalensee said school officials needed to confer with ApplyYourself 
representatives and understand the situation better. ''The fact that 
we took so long doesn't mean we don't take ethics seriously," he 
maintained. ''It means we take due process seriously as well."

In Palo Alto, Calif., Stanford issued a statment from Derrick Bolton, 
assistant dean and director of MBA admissions, demanding explanations 
from the applicants whose files were targeted.

''Business schools teach students to make decisions and to be 
accountable for those decisions," Bolton said. ''We hope that the 
applicants who accessed their accounts might contact us to explain 
their behavior and to take ownership for their actions. We will take 
appropriate steps in the cases that warrant further scrutiny."

ApplyYourself's software enables schools to know which files have been 
accessed but can't definitively identify the hacker. However, both 
Schmalensee and Kim B. Clark, the Harvard business dean, noted that 
applicants bear ultimate responsibility for their passwords even if 
they turned them over to third parties who did the hacking.

Paul Danos, dean of Dartmouth's Tuck School, released a statement 
saying school officials continue to investigate and will meet on 
Friday to discuss their options. And at Duke's Fuqua School, where one 
file was hacked, associate dean James A. Gray said the applicant would 
be notified of a decision on March 18, the regular decision date for 
the school's current round of applicants.

''It would not be smart of him to be buying a Duke sweatshirt and 
renting an apartment in Durham," Gray said. ''It's not likely that he 
will need either."

Robert Weisman can be reached at weisman @ globe.com.

More information about the ISN mailing list