Last Updated on April 15, 2017 by Dave Farquhar
I saw a story on the news tonight about more than 100 students who won’t be getting into MBA programs. Why? When they applied to a number of prestigious universities, a posting on a bulletin board claimed to let them view their records and see if they were admitted or not.
It didn’t work for all of them. But those who tried to peek are being punished.

My question is why this information is on the public Internet to begin with. This is precisely what intranets are for: You put sensitive information on a web server behind a firewall. Then you define one or more computers that can see it. The rest of the world can’t access it, because the rest of the world doesn’t know it exists. But those who are authorized to see it can see it, through the convenience of a web browser.
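The “define one or more computers that can see it” step, as an added illustration that is not part of the original post: a records server that answers only to clients whose actual peer address falls inside the campus’s private (RFC 1918) ranges, and fails closed for anything else. The ranges, the `serve_record` handler and the sample addresses are assumptions; the one point the code makes beyond the post is that the decision must use the socket’s remote address, never a client-supplied header.

```python
import ipaddress
from typing import Iterable

# Constructed allow-list: the RFC 1918 private ranges a campus intranet would
# typically use (assumption; the post only says "behind a firewall").
INTRANET_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_intranet_client(peer_ip: str, networks: Iterable = INTRANET_NETWORKS) -> bool:
    """True only if the TCP peer address lies inside an allowed network.

    peer_ip must be the socket's remote address, never a client-supplied
    header such as X-Forwarded-For, which anyone on the Internet can set.
    Unparseable input fails closed (returns False).
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # An IPv6 address is never "in" an IPv4 network, so it is denied here too.
    return any(addr in net for net in networks)


def serve_record(peer_ip: str, headers: dict, record_owner: str) -> tuple:
    """Minimal request handler returning (status, body) for a records page.

    `headers` is accepted but deliberately unused: the decision rests on
    peer_ip alone, so a public client cannot claim an internal address by
    sending a forged X-Forwarded-For header.
    """
    if not is_intranet_client(peer_ip):
        return (403, "Forbidden: records are served only on the campus intranet")
    return (200, f"Admission record for {record_owner}")


if __name__ == "__main__":
    # Constructed sample requests: a registrar workstation, then an applicant
    # at home who tries to look internal by forging a header.
    print(serve_record("10.20.30.40", {}, "applicant-0001"))
    print(serve_record("203.0.113.7", {"X-Forwarded-For": "10.0.0.5"}, "applicant-0001"))
```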
Leaving this kind of information on a web server that’s open to the public via the plain old Internet is akin to keeping student records, finals, and other sensitive information at the campus library. If it’s out where someone can see that it’s there–or might suspect it’s there–then someone’s going to look. It shouldn’t be there in the first place. I had professors who never kept tests in their office because some student at some point in time had broken in, hoping to get a preview of the final.
Punishing applicants for typing in a link that they figured wouldn’t work anyway accomplishes little or nothing, except to say that some of the nation’s finest universities have given no thought whatsoever to their computer security and network design.
I hope their graduates are smarter than the people who run the place. But that’s probably a given.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
2 thoughts on “Punishing the curious for something that should have never happened”
What is acceptable hacking?
Where on the continuum must our heroes stop?
Is a PC hosting a blog an acceptable target?
Can they penetrate Cheyenne Mountain for the purpose of playing a game?
Or is the penetration of all PCs unacceptable and illegal?
I liken a computer to a locked door. When I locked my keys inside my house a couple of years ago, I paid a professional locksmith to get me in. For all intents and purposes, I paid him to break into my house for me. Of course if I broke into my own house, that would be OK too. You’ll probably have to think for a while to come up with a reason for anyone other than a police officer, fire fighter or paramedic to enter my house without a key.
I once hacked a computer owned by my then-employer. It was a server that an erstwhile employee had set up and not told anyone about. It didn’t have the standard admin password on it. To this day I think he had been running either a warez site or a porn site on it. The computer belonged to the company, and he had left under questionable circumstances, so nobody can fault me for that. I’ve done other locksmith-type hacking during my career as well.
I’m uncomfortable with the I-didn’t-know-it-would-work defense–a guy who walks around in parking lots trying doors can use that defense. But this *is* borderline–it’s a notch above the chain-letter e-mail that says if you forward this message to enough people, Bill Gates will give you a large sum of money. One could also use the victimless crime defense. Do these administrators feel as strongly about underage drinking? I doubt it. Is that a victimless crime? Not necessarily.
But sensitive data absolutely should not be on a computer in the public Internet. If I were a student at any of the universities in question, I would be outraged that my records sit on a computer that has any idea that IP addresses can be anything other than 192.168.x.x. (Or a 10-net or a 172-net; you get the idea.)
It’s a two-way street. It reminds me of what my parents told me soon after I got a car. Yes, if I leave the keys in the car and leave it unlocked and someone steals the car, it’s illegal. But the insurance company isn’t going to give me a penny if it happens.
So, yeah, these students are in the wrong. I don’t usually talk degrees of wrong, but this is much closer to a parking ticket than it is to murder. However, the universities are partially at fault too, and I guarantee this isn’t the biggest of their issues. Trust me, I know what goes on on college campuses. Many a Friday and Saturday night I was the only one sober.
Get the sensitive data behind firewalls and take a long, hard look at alcohol abuse (especially underage abuse), frat hazing, and inappropriate sexual relationships between students and professors. I fell victim to the first two. I won’t say who, but someone very close to me fell victim to the third, and I know of others.