Security by obscurity fails again!
Harvard has rejected the applications of 119 students whom they accuse of “hacking” a web application to determine their application status. Apparently accessing a URL that wasn’t linked to yet but that was still available counts as hacking. Whatever. ApplyYourself, the company that Harvard uses to manage the admissions process, failed to prevent early access to a page called ApplicantDecision.asp. By accessing that page with their own ID before the announced admit date, applicants could tell whether they had been admitted to Harvard.
To my mind this hardly counts as hacking, but it is unethical. Harvard’s decision to reject those applicants is harsh; on the other hand, I can understand an unwillingness to churn out MBAs who engage in behavior that does not reflect the ethics Harvard expects of its students and graduates.
More interesting to me is ApplyYourself’s blunder: access to that page should be more tightly controlled. You cannot rely on security by obscurity. Or as brian d foy puts it, not linking is not security. I do hope that Harvard deals with the company as harshly as it is dealing with those applicants. I wonder, though, whether this was even identified as a security requirement. I’ve commented before that I have never worked on a project with clearly documented security requirements. That’s changing, but I hold little doubt that it’s still unusual for security to be considered early in many software projects. Unless the developers knew to restrict access to that page, why would their code do so? Of course, if there’s code that does not display a link to the page until a certain date, that should indicate the presence of a requirement. So despite my willingness to give them the benefit of the doubt, they’re not quite off the hook. I’m just not ready to write them off as dumbfucks.
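To make the point concrete, here is an added example (mine, not code from this post, from Harvard or from ApplyYourself) contrasting an "unlinked but unprotected" decision page with one that enforces the rule on the server: the applicant must be signed in, may only view their own record, and gets nothing before the release date, which is a constructed value here. Applicant IDs, decisions and the audit log are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed sample data: a hypothetical release date and two applicant records.
RELEASE_AT = datetime(2005, 3, 30, 12, 0, tzinfo=timezone.utc)
DECISIONS = {"A1001": "admit", "A1002": "deny"}
AUDIT_LOG = []  # early-access attempts worth reviewing, one tuple per event


@dataclass
class Request:
    user_id: Optional[str]  # authenticated applicant, None if not signed in
    applicant_id: str       # the id parameter supplied in the URL
    now: datetime           # server clock at the time of the request


def obscure_decision(req: Request) -> Optional[str]:
    """The 'not linking is not security' pattern: the page is simply not linked
    until release day, but it answers for any id whenever it is requested."""
    return DECISIONS.get(req.applicant_id)


def guarded_decision(req: Request) -> Tuple[int, Optional[str]]:
    """Hardened handler. Every rule that the missing link was supposed to imply
    is checked on the server, so the page behaves the same whether or not it
    is linked. Returns (http_status, decision_or_None)."""
    if req.user_id is None:
        return 401, None                      # must be signed in
    if req.user_id != req.applicant_id:
        return 403, None                      # may only view own record
    if req.now < RELEASE_AT:
        # Before release the page is indistinguishable from a missing one,
        # and the attempt is recorded so it can be detected and reviewed.
        AUDIT_LOG.append(("early_access", req.user_id, req.now.isoformat()))
        return 404, None
    decision = DECISIONS.get(req.applicant_id)
    if decision is None:
        return 404, None
    return 200, decision


if __name__ == "__main__":
    early = datetime(2005, 3, 2, tzinfo=timezone.utc)
    late = datetime(2005, 4, 1, tzinfo=timezone.utc)
    print(obscure_decision(Request(None, "A1001", early)))       # leaks 'admit'
    print(guarded_decision(Request("A1001", "A1001", early)))    # (404, None)
    print(guarded_decision(Request("A1001", "A1001", late)))     # (200, 'admit')
    print(AUDIT_LOG)
```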
Philip Greenspun has a few pithy comments on the matter. “As progressively dumber programmers build progressively more complex systems we will see more of this kind of attempt to paper over coding mistakes with lawyers, sanctions, policies, and laws.”
09 Mar 2005 Sam