FC: Princeton admissions officers "hack" into Yale computers

From: Declan McCullagh (declanat_private)
Date: Thu Jul 25 2002 - 22:58:59 PDT

  • Next message: Declan McCullagh: "FC: California red light cameras raise red flags, auditor says"

    Bonus question: Did this unauthorized access violate the Computer Fraud and 
    Abuse Act? (http://www4.law.cornell.edu/uscode/18/1030.html)
    
    ---
    
    To: declanat_private
    Subject: Security of student admissions decisions
    Date: Thu, 25 Jul 2002 12:11:01 -0400 (EDT)
    From: Tony Engel <tengel at pobox dot com>
    
    Hi Declan,
    
    Here is an interesting article that you might want to share on Politech about
    Princeton admissions officers (illicitly) accessing student admission decisions
    on Yale computer systems.
    
    Essentially the Princeton employees "impersonated" the students in question by
    using their SSN and birthdate information to log on as them in the Yale system.
    Clearly not a very good way to secure sensitive information, but one also
    wonders what the Princeton employees thought they were doing...
    
    http://www.yaledailynews.com/article.asp?AID=19454
    
    Thanks!
    Tony Engel
    
    P.S. Please mask my email address (tengel at pobox dot com is fine) if you
    choose to share this story.
    
    ---
    
    From: "Richard M. Smith" <rmsat_private>
    To: <declanat_private>, "'Richard M. Smith'" <rmsat_private>
    Subject: Princeton accused of Ivy League hacking
    Date: Thu, 25 Jul 2002 22:54:05 -0400
    
    Hi Declan,
    
    I guess that everyone is into "hacking" these days.  The security
    problem talked about in the CNN article is something that is possible
    all over the Internet.  If I create an account at Web site "A" with a
    username and password, an employee at this Web site can check Web sites
    "B", "C", and "D" to see if I've used the same username/password
    combination at these other sites.
    
    In this case, Princeton had people's names, birthdates, and SSNs from
    Princeton applications and probably tried them at them at the Yale Web
    site.  If the story is true, it would be interesting to know what
    Princeton did with the data.  If Yale accepted someone, then would
    Princeton also accept them or would they reject them?
    
    Richard M. Smith
    http://www.ComputerBytesMan.com
    
    
    Princeton accused of Ivy League hacking
    http://www.cnn.com/2002/US/07/25/yale.princeton/index.html
    
    NEW HAVEN, Connecticut (CNN) -- Princeton University admissions
    officials gained unauthorized access to a Web site at rival Yale
    University containing personal information about applicants to the Ivy
    League school, according to officials at both institutions.
    
    Information on 11 applicants was accessed during 18 unauthorized log-ins
    to the site by Princeton officials, a Yale official told CNN. The
    log-ins were traced to computers in Princeton's admissions office.
    
    ...
    
    The Web site, launched in December, allowed prospective Yale students to
    find out whether they had been accepted to the school. They could access
    the site with their names, birth dates and Social Security numbers. 
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    -------------------------------------------------------------------------
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Fri Jul 26 2002 - 01:12:25 PDT