View Full Version : Integrity


JMO
08-03-2007, 09:52 AM
I was planning to post this anyway, but a comment made by Sam the Eagle in another thread pushed me to do it now.

Kim B. Clark, former dean of Harvard Business School, was interviewed on this subject.*
"In March 2005, Harvard Business School discovered that 119 of its applicants had hacked into a third-party Web site to get an early peek at their acceptance status, which had not yet been released by the school. In the midst of pressure, both from within and without the institution, then-Dean Clark had to decide how HBS would react to such actions."
"Although many would later criticize the school for its 'pious grandstanding,' Dean Clark decided to reject the guilty applicants. . ."
"In an official statement, Dean Clark wrote:
'Our mission is to educate principled leaders who make a difference in the world. To achieve that, a person must have many skills and qualities, including the highest standards of integrity, sound judgment and a strong moral compass -- an intuitive sense of what is right and wrong. Those who have hacked into this Web site have failed to pass that test.'"







* Full disclosure. He is now president of BYU Idaho, and the interview appeared in a newsletter called Church News, a publication targeted specifically to members of the Church of Jesus Christ of Latter Day Saints. Quotes are taken from the July 28 issue of that newspaper.

PAK
08-03-2007, 10:13 AM
I was planning to post this anyway, but a comment made by Sam the Eagle in another thread pushed me to do it now.

Kim B. Clark, former dean of Harvard Business School, was interviewed on this subject.*
"In March 2005, Harvard Business School discovered that 119 of its applicants had hacked into a third-party Web site to get an early peek at their acceptance status, which had not yet been released by the school. In the midst of pressure, both from within and without the institution, then-Dean Clark had to decide how HBS would react to such actions."
"Although many would later criticize the school for its 'pious grandstanding,' Dean Clark decided to reject the guilty applicants. . ."
"In an official statement, Dean Clark wrote:
'Our mission is to educate principled leaders who make a difference in the world. To achieve that, a person must have many skills and qualities, including the highest standards of integrity, sound judgment and a strong moral compass -- an intuitive sense of what is right and wrong. Those who have hacked into this Web site have failed to pass that test.'"


* Full disclosure. He is now president of BYU Idaho, and the interview appeared in a newsletter called Church News, a publication targeted specifically to members of the Church of Jesus Christ of Latter Day Saints. Quotes are taken from the July 28 issue of that newspaper.

This is a very good example of Integrity! :judge:

Are you trying to use it to suggest something?

Bob the Nob
08-03-2007, 03:42 PM
I think she's just sayin'

tommie frazier
08-03-2007, 03:53 PM
did JMO pass out and her head clicked on submit before she got a chance to finish the thought? should we worry?

kazh
08-03-2007, 04:57 PM
I think it's self-explanatory. Just sayin' ;)

Westley
08-03-2007, 05:38 PM
I remember this - I am a little torn on this one. My recollection is that they didn't really "hack" so much as it was on an unsecured website? Could be wrong on that. Regardless, the flaw is not in changing any actual result, but simply trying to satisfy idle curiosity. Obviously, changing the result would be a huge moral gaffe, but looking to see? Not so sure.

tommie frazier
08-03-2007, 06:09 PM
the soa had pass marks loaded into the system before release date this year, and some candidates found out they passed bc the system would not let them sign up for the same exam in the fall. should the soa have followed IP addresses and failed these people?

if they hacked, then I see the issue. if they guessed the right url or found out about it through a backdoor (like the soa exam results), then it is a lot less severe.

JohnLocke
08-04-2007, 01:23 PM
it says "hacked" so i doubt they just passively found their results

bdschobel
08-04-2007, 05:20 PM
the soa had pass marks loaded into the system before release date this year, and some candidates found out they passed bc the system would not let them sign up for the same exam in the fall. should the soa have followed IP addresses and failed these people?

if they hacked, then I see the issue. if they guessed the right url or found out about it through a backdoor (like the soa exam results), then it is a lot less severe.

Actually, everybody I spoke with at the SOA was impressed with the candidates' ingenuity. Many people said things like, "These people are really clever!" And that's exactly right. This was not a matter of integrity at all.

Bruce

tommie frazier
08-04-2007, 09:26 PM
i agree bruce. they used existing web sites and urls to find it out. no problem to me at all.

Gandalf
08-04-2007, 09:58 PM
I agree completely about this spring. Ingenious, no possible integrity problem.

What about this: candidates guess what the URL will be, perhaps substituting "M07" for "F06" in a URL that worked in the fall; perhaps trying other variations that have never been used, like "May07" or "Spring07". (I haven't bothered looking at what has actually been used; interpret these questions to be "the obvious variation" and "other conceivable variations"). The SOA has never provided the updated link to the public. Would you consider that an integrity problem?

I'll accept those as "ingenious and OK", but suspect not all would agree.

If I recall correctly this was done for some SOA or CAS exam in the past, but I don't recall hearing it succeed recently.

Westley
08-05-2007, 12:40 AM
So my recollection was not accurate, I went back and looked at the actual story, looks like they didn't actually do the hacking in the sense that they did the actual hacking, but it's something substantially more than what's being discussed wrt the SOA exams. Specifically, somebody else hacked the site and then posted a message telling people that they could look if they wanted to and how to do it. Also, they could only see their own scores, if that matters. Seems a fair amount worse than the SOA story, but still not nearly so bad as the statement above that they actually did the hacking. Somehow, having somebody tell you how to break in doesn't seem nearly as bad to me as breaking in yourself.

jason.
08-05-2007, 07:12 AM
For those quibbling over the use of the word "hacking", that word has a meaning more complicated than merely illegally breaking into a computer system.

Hack has several meanings in the technology and computer science fields: a clever or quick fix to a computer program problem; a clumsy or inelegant solution to a problem; illegally breaking into a computer, generally over a network connection; or a modification of a program or device to give the user access to features that were otherwise unavailable to them.

cf. History [of "hacking"] in Computer Science (http://en.wikipedia.org/wiki/Hack_%28technology%29#History_in_Computer_Science)

Amy7
08-05-2007, 12:20 PM
So my recollection was not accurate, I went back and looked at the actual story, looks like they didn't actually do the hacking in the sense that they did the actual hacking, but it's something substantially more than what's being discussed wrt the SOA exams. Specifically, somebody else hacked the site and then posted a message telling people that they could look if they wanted to and how to do it. Also, they could only see their own scores, if that matters. Seems a fair amount worse than the SOA story, but still not nearly so bad as the statement above that they actually did the hacking. Somehow, having somebody tell you how to break in doesn't seem nearly as bad to me as breaking in yourself.

To me, it would matter whether the Harvard applicants knew that the message poster had done something illegal.

If someone had told me about the trick to check SOA exam scores, I probably would have tried it, not thinking it was unethical to use a function designed by the SOA on their own site, and come to conclusions based on what their site did. However, suppose that unknown to me, the student who posted the trick had hacked into the SOA site and changed the functionality - maybe the exam results were all in the system already, but were not supposed to be loaded into the signup utility until after results had been released, and she hacked the site and changed that. That changes things - then my checking whether I passed using her instructions would not be ethical - but if I did not know what she did and thought she was only telling me a clever way to find out what was already on the site, then I think my actions would have been misguided but not unethical.

JMO
08-06-2007, 07:48 AM
To expand on the meaning of "hack" in context, elsewhere in the article, Dean Clark made the analogy of breaking into a locked room.

For those who think it was OK for people to follow somebody's instructions:

Consider a different case. If the results had been in a locked room and somebody broke the lock, is it then OK for others to go in and look?

Also, if they saw that the lock was broken, what was their responsibility to report the problem to the authorities?

This discussion has been the sort of thing I was hoping to see. Carry on.

LifeAct
08-06-2007, 07:59 AM
How did the hacker break into the Harvard web site? Did they run a .exe file to extract information that was not easily accessible to the public? Or did they simply guess and check on the url until they hit the correct one? In my opinion, if somebody guesses the correct url address and gets into the website a day early, that is fair game.

Surfohio
08-06-2007, 08:06 AM
To expand on the meaning of "hack" in context, elsewhere in the article, Dean Clark made the analogy of breaking into a locked room.

For those who think it was OK for people to follow somebody's instructions:

Consider a different case. If the results had been in a locked room and somebody broke the lock, is it then OK for others to go in and look?

Also, if they saw that the lock was broken, what was their responsibility to report the problem to the authorities?

This discussion has been the sort of thing I was hoping to see. Carry on.

So the SOA incident is a locked room with a window where you can see your results without actually going in?

Ateh
08-06-2007, 08:32 AM
So the SOA incident is a locked room with a window where you can see your results without actually going in?

I would say the SOA incident was more analogous to someone accidentally leaving the scores on the printer next to a bulletin board where they were supposed to be posted.

yanz
08-06-2007, 09:50 AM
I think I've said this before, but I don't think the accepted students should have been punished [so severely]. What they did was very close to what most of us waiting for results do. In both situations, there's information out there somewhere on the institution's website that will be released within 24-48 hrs, so who does it hurt to try to get at it a bit early?

With the prelim exam "trick" this spring, someone discovered the key and posted on the board how others can get at their results as well. With the CSP results, some people came up with some of the result links at least 20 or 30 mins before they were posted on the SOA site. These ppl then posted the links on this board and those that were following the AO knew their results within a few minutes.

Same thing with the MBA students. One student discovered a back door to get at the admission info - that's all it was - a yes or no as to whether the student was admitted. He then lets everyone else in on the secret. Sure, the process was slightly more elaborate than manipulating a web link, but the root of the issue was the fact that the website was unsecure and allowed the "hacker" to do so in the first place.

How is all this unethical? Let's compare these actions to other actions one would consider to be unethical - eg. cheating, stealing, lying, etc. All the actions that our society deems unethical are those where a person essentially advances in a way that hurts others. Who did these MBA candidates hurt? So they got their admission results a day or 2 early. Why is this so terrible? Ok, you can say it's unfair that some people knew the trick (from reading the boards) while others didn't, so they got their results a bit early while everyone else had to wait. But you can't argue that those not informed of the back door were actually made worse off than those who knew (unlike, for example, the situation with the health CSP ASOP addition to the syllabus, where those that were not aware of the update were actually made worse off while those who knew benefitted).

My point is that given that no one was actually hurt or made worse off by the whole thing, why is it labeled as an unethical action? IMO, Harvard thought that they were the ones hurt (or, embarrassed, rather) since they were shown to have unsecure sites. Their defense was then "well, they shouldn't have tried to get in." So instead of commending the student's ingenuity, learning from their errors, and moving on, they made a big fuss over the 'ethics' of the students and shifted the focus of the embarrassment away from themselves. BTJMO.

ajstudies
08-06-2007, 09:54 AM
I guess I don't see why LOOKING at one's own scores would be unethical. Especially if it was through a method such as guessing the url. If it was truly "breaking into" a secured site or something, that is different. I also wonder how they know WHO looked at the scores and who didn't? If someone followed the instructions, but then did not post about it on the message board, would they be subject to the same consequences?

yanz
08-06-2007, 10:21 AM
I guess I don't see why LOOKING at one's own scores would be unethical. Especially if it was through a method such as guessing the url. If it was truly "breaking into" a secured site or something, that is different. I also wonder how they know WHO looked at the scores and who didn't? If someone followed the instructions, but then did not post about it on the message board, would they be subject to the same consequences?

I believe they either tracked IP addresses or could see who logged in to check their admission (since the directions were to log in to see your specific info).

campbell
08-06-2007, 10:41 AM
This isn't actuarial, exactly, but I wonder if this can be related.

A high school student I met at Mathcamp once competed in an engineering weekend competition for high school students. People competed in teams, and there were numerous events to compete in, and each team had to submit something for each event.

Well, prep time was almost up, and they didn't have enough time to do a good job on one event: a boat race. I don't remember how he delineated the rules of the event, but there were rules on what you could use to propel the boat and how to control it. I think the race course was an Olympic-size swimming pool.

They were going to propel their boat with compressed air, but their design was too heavy to really move with much speed. They didn't like their chances for winning.

Until they remembered - it doesn't matter how fast you're going as long as you're the first over the finish line. If your boat did something to disable all the other boats, as long as it made it to the finish line, it would win.

So they repurposed a few of the compressed air set-ups to become torpedo launchers. At race-time, they managed to take out a couple other boats before a judge had their boat physically removed.

I thought it was a really clever tactic, and it wasn't against the rules (the next year, the rules were changed to disallow attacking other boats). As the competition was being held at the Naval Academy in Annapolis, I would have thought they'd appreciate that kind of innovative thinking. (and we spent a few lunchtimes coming up with radio-controlled boat demolition derby ideas, and some ideas for destructive boats. My favorite was a boat that wiped out everything on the surface, including itself, but during the destruction launched a small boat out of its top, which would land on the water after the surface destruction was over.)



Anyway - was the team unethical? And was the judge removing the boat though no rules were broken unethical?

JMO
08-06-2007, 10:50 AM
:popcorn: There's always the unexpected, isn't there? Bridge on the River Kwai.
/:popcorn:
I don't think the team was unethical. But, since the destruction of other boats had not been contemplated, I think the judge properly used his discretion in removing the boat. The fact that the rules changed the next year was a way of affirming the judge's action.

Too bad the military can't take a joke, though. ;)

PS - Given the important role played by loophole finding in actuarial work, I think the story does relate to the profession, at least by analogy.

campbell
08-06-2007, 11:03 AM
This is why it comes down to principles. When you're dealing with really smart people, you can't simply set down rules and say "If you follow these rules, all is well." Smart people keep finding out ways to get around the rules, such that they're completely following the rules as written, but the results are not what the rule-makers were envisioning. Then the rule-makers try to play catch-up by layering on more rules. For simple stuff (like the boat race), that may work (though I can think of "nonviolent" ways to slow down other boats...), but for many complex business situations it won't work. You'd be playing whack-a-mole where your mallet comes down milliseconds after the mole has popped back in.

But then people don't like general principles, because how do you know when someone else may think you're breaking them? How can you tell you're keeping to them? People on both sides (excepting the consultants doing work for them) are unhappy because they don't see they can keep control on the issue.


(FWIW, the engineering team's reaction was more of "aw, man" than "We wuz robbed!". It made for a hilarious story, and as mentioned, sprouted a whole bunch more ideas of some really fun fantasy competitions. I think it would have been apt to remove the boat, and yet commend them for innovative thinking, but evidently the judges were very snippy about this innovation.)

the mole
08-06-2007, 11:08 AM
You'd be playing whack-a-mole where your mallet comes down milliseconds after the mole has popped back in.

This is an awful example in a thread about integrity, when I am more trusted than anyone else posting here. Best eyes, too.

JMO
08-06-2007, 11:12 AM
This is an awful example in a thread about integrity, when I am more trusted than anyone else posting here. Best eyes, too.

We commend you, mole, for your rapid response. "milliseconds" ;)

campbell
08-06-2007, 11:26 AM
...and my horrid mole-whacking reflexes fail me as I respond minutes later.

Man, I'm really losing my touch.

I apologize, the mole. I will whack at gophers from now on.

Laurelinda
08-08-2007, 03:07 PM
My old university had an inefficient network security system that caused the internet connection on all dorm computers to run super slowly. A smart computer science student reworked the system on his own computer in order to make it run faster while maintaining the functionality (which other CS students have told me shouldn't have been hard to do). He enabled his version and disabled the official version.

He was severely disciplined, lost all his scholarships, and was nearly expelled.

My thoughts on this are that the university should have said the following:
1.) We know you're intelligent and didn't intend to compromise network security.
2.) However, we can't screen every student for competence and ethical intent before allowing them to monkey with the security system, so on principle we can't let this happen.
3.) Please do not do this again. We will need to discipline you.
4.) Set some large penalty and make it public to the university.
5.) Waive the penalty based on special circumstances, and make that also public to the university.

What do any of you think of this situation?

kazh
08-08-2007, 03:19 PM
...and my horrid mole-whacking reflexes fail me as I respond minutes later.

Man, I'm really losing my touch.

I apologize, the mole. I will whack at gophers from now on.

Gophers deserve respect, too. They do all the little jobs nobody else wants. Some double as moles. ;)

Whack rats.

JMO
08-08-2007, 03:21 PM
rats is star spelled backwards. and drawback is backwards spelled backwards.

Whattaya mean this isn't the random thoughts thread?

yanz
08-08-2007, 04:21 PM
My old university had an inefficient network security system that caused the internet connection on all dorm computers to run super slowly. A smart computer science student reworked the system on his own computer in order to make it run faster while maintaining the functionality (which other CS students have told me shouldn't have been hard to do). He enabled his version and disabled the official version.

He was severely disciplined, lost all his scholarships, and was nearly expelled.

My thoughts on this are that the university should have said the following:
1.) We know you're intelligent and didn't intend to compromise network security.
2.) However, we can't screen every student for competence and ethical intent before allowing them to monkey with the security system, so on principle we can't let this happen.
3.) Please do not do this again. We will need to discipline you.
4.) Set some large penalty and make it public to the university.
5.) Waive the penalty based on special circumstances, and make that also public to the university.

What do any of you think of this situation?

I tend to agree with issues like this...obviously, the guy didn't mean to hurt anyone - he was just trying to help. He probably didn't realize that the security would be [potentially] compromised. Regardless, the point is that even if we all agree that what he did was ultimately a bad thing (even if accidental), I think arguing that it was "unethical" or of questionable integrity is preposterous. I don't know what the argument actually used against this guy was, so maybe ethics had nothing to do with it (in which case, I'm not sure why the anecdote is in this thread), but again, I see this as an example of the administration trying to disguise the situation by throwing blame [due to their own weaknesses] onto someone else.

ETA - since we've hijacked the thread a bit to talk about "unfair" punishments for actions that haven't really caused much harm (and definitely weren't meant to), here's another one (http://www-tech.mit.edu/V124/N18/18hacking.18n.html). Apparently, displaying a replica of the Wright brothers' plane (to celebrate the anniversary a few yrs ago) on the roof is very bad and requires fines and discipline from the same school administration that gets a lot of good publicity for such hacks.

twig93
08-08-2007, 05:04 PM
I think the student changing the university's network should have known better than to do what he did. If he thought his solution was really OK, why not simply present it to the administration and offer to give it to them for free, or ask for an independent study credit in exchange for his more reliable and faster system?

Any moran should be able to figure out that it clearly cannot be considered acceptable for a random person without authorization to change an entire network. So while his punishment seems a little harsh, and perhaps some of the punishment should have been suspended in his case, he was still clearly unethical in my mind.

As for the boat-race people: I think it depends on how clearly the purpose of the race was communicated. If it was clearly communicated that the goal was to build the fastest boat, then their actions were unethical because they were trying to sabotage better teams. If there was no clearly defined goal (spoken or written) and the rules simply stated that whoever crossed the finish line first would win, then they were not unethical IMO.

Agree with the others on the Harvard thing: it depends on exactly what the "hacker" did to get in to the system, and how aware the students were of how bad the "hacker's" actions were.

SoA students getting their scores early via attempting to register for the exam they just sat for: totally ethical. (I was not involved and didn't hear about it until a week or so later.)

twig93
08-08-2007, 05:05 PM
By the way, what if the student hadn't intended to compromise the network security, but in fact had created a loophole that hadn't been there in the past? Does that make a difference? (I think it doesn't)

Does it make a difference that the university did not have the opportunity to have one of their own programmers check the code before it went live? I think this makes an enormous difference to the ethics.

Laurelinda
08-08-2007, 05:59 PM
By the way, what if the student hadn't intended to compromise the network security, but in fact had created a loophole that hadn't been there in the past? Does that make a difference? (I think it doesn't)

Does it make a difference that the university did not have the opportunity to have one of their own programmers check the code before it went live? I think this makes an enormous difference to the ethics.

I totally agree that this can't be allowed to happen. Whether or not he intended to compromise security or even did compromise it, others could, so you can't set a precedent.

If he thought his solution was really OK, why not simply present it to the administration and offer to give it to them for free, or ask for an independent study credit in exchange for his more reliable and faster system?

The current system has been criticized to management many times with no effect.

I don't know what the argument actually used against this guy was...

The Patriot Act was invoked.