Bonus question: Did this unauthorized access violate the Computer Fraud and Abuse Act? (http://www4.law.cornell.edu/uscode/18/1030.html) --- To: declanat_private Subject: Security of student admissions decisions Date: Thu, 25 Jul 2002 12:11:01 -0400 (EDT) From: Tony Engel <tengel at pobox dot com> Hi Declan, Here is an interesting article that you might want to share on Politech about Princeton admissions officers (illicitly) accessing student admission decisions on Yale computer systems. Essentially the Princeton employees "impersonated" the students in question by using their SSN and birthdate information to log on as them in the Yale system. Clearly not a very good way to secure sensitive information, but one also wonders what the Princeton employees thought they were doing... http://www.yaledailynews.com/article.asp?AID=19454 Thanks! Tony Engel P.S. Please mask my email address (tengel at pobox dot com is fine) if you choose to share this story. --- From: "Richard M. Smith" <rmsat_private> To: <declanat_private>, "'Richard M. Smith'" <rmsat_private> Subject: Princeton accused of Ivy League hacking Date: Thu, 25 Jul 2002 22:54:05 -0400 Hi Declan, I guess that everyone is into "hacking" these days. The security problem talked about in the CNN article is something that is possible all over the Internet. If I create an account at Web site "A" with a username and password, an employee at this Web site can check Web sites "B", "C", and "D" to see if I've used the same username/password combination at these other sites. In this case, Princeton had people's names, birthdates, and SSNs from Princeton applications and probably tried them at them at the Yale Web site. If the story is true, it would be interesting to know what Princeton did with the data. If Yale accepted someone, then would Princeton also accept them or would they reject them? Richard M. Smith http://www.ComputerBytesMan.com Princeton accused of Ivy League hacking http://www.cnn.com/2002/US/07/25/yale.princeton/index.html NEW HAVEN, Connecticut (CNN) -- Princeton University admissions officials gained unauthorized access to a Web site at rival Yale University containing personal information about applicants to the Ivy League school, according to officials at both institutions. Information on 11 applicants was accessed during 18 unauthorized log-ins to the site by Princeton officials, a Yale official told CNN. The log-ins were traced to computers in Princeton's admissions office. ... The Web site, launched in December, allowed prospective Yale students to find out whether they had been accepted to the school. They could access the site with their names, birth dates and Social Security numbers. ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ Declan McCullagh's photographs are at http://www.mccullagh.org/ ------------------------------------------------------------------------- Like Politech? Make a donation here: http://www.politechbot.com/donate/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Jul 26 2002 - 01:12:25 PDT