HBS gets tough on ethics. Are they right?

Boston.com: Harvard rejects 119 accused of hacking. Following up on the revelation that the third-party company that manages online B-school applications got hacked, it looks like HBS (along with the Tepper School at Carnegie Mellon) is taking a hard line on admissions and blanket-rejecting the 119 people whose admission files were accessed, while other B-schools (including Sloan) are taking a wait-and-see approach.

Does this mean that the other schools are soft on ethics? Maybe not, if the opposing perspectives in the article are correct:

Theoretically, at least, a hacker might have been a spouse or parent who had access to the password and personal identification numbers given to a business school applicant…

…[Cambridge Essay Service admissions consultant Sanford] Kreisberg said some applicants may have inadvertently tried to access the files, without realizing they were looking for confidential information, after they were e-mailed directions from other students who had copied them from the BusinessWeek message board.

It’s hard to tell from the articles, which don’t discuss the nature of the exploit. So let’s take a look. On the PowerYogi blog, the exact procedure used to do the hack is disclosed. Briefly, it appears that the hack relied (past tense, the info is no longer accessible) on a known URL that displays a dynamic page containing admission decision information, if any has been entered into the system. The parameters required to get the decision information are the applicant’s unique ID, apparently known as the AYID (or ApplyYourself ID), and a second ID number. The AYID is disclosed to the applicant in the URL of other pages that the applicant would normally visit. The second ID number can be discovered by viewing source on publicly accessible pages. Though the decision page is served over HTTPS, once you know the AYID and the secondary ID, you don’t need any other authentication information to access the page: the server never checks that the person requesting the record is the applicant it belongs to.
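To make the flaw concrete, here is an added example (not ApplyYourself’s code; the record layout, the AYID values and the session shape are constructed) showing the access pattern described above beside a version that ties the lookup to the logged-in session and records cross-applicant attempts for detection:

```python
# Added example, not ApplyYourself's code. Models a "decision page" lookup.
from dataclasses import dataclass

@dataclass
class Decision:
    ayid: str          # applicant's ID, visible in URLs the applicant normally sees
    secondary_id: str  # second value, discoverable from public page source
    text: str

# Constructed sample records; the IDs are hypothetical.
DECISIONS = {
    "1001": Decision("1001", "77", "Admitted"),
    "1002": Decision("1002", "77", "Denied"),
}

# Audit trail of rejected cross-applicant requests: (session owner, requested AYID).
AUDIT: list[tuple[str, str]] = []

def decision_page_vulnerable(params: dict) -> tuple[str, str]:
    """The pattern described above: the page is served to whoever supplies two
    IDs that match a record. Possession of the IDs is the only 'authentication'."""
    rec = DECISIONS.get(params.get("ayid", ""))
    if rec is None or rec.secondary_id != params.get("sid"):
        return ("denied", "no such record")
    return ("ok", rec.text)

def decision_page_hardened(session: dict, params: dict) -> tuple[str, str]:
    """Hardened form: the record is selected by the identity established at login
    (server-side session), and a request for someone else's AYID is refused and
    logged. The client-supplied IDs never decide which record is returned."""
    owner = session.get("ayid")  # set by the login handler, never read from the URL
    if owner is None:
        return ("denied", "login required")
    requested = params.get("ayid", owner)
    if requested != owner:
        AUDIT.append((owner, requested))  # detection hook: review for enumeration
        return ("denied", "not your record")
    rec = DECISIONS.get(owner)
    if rec is None:
        return ("denied", "no decision entered yet")
    return ("ok", rec.text)

if __name__ == "__main__":
    # Anyone holding both IDs reads applicant 1002's decision in the first version;
    # the second version returns only the logged-in applicant's own record.
    print(decision_page_vulnerable({"ayid": "1002", "sid": "77"}))
    print(decision_page_hardened({"ayid": "1001"}, {"ayid": "1002"}), AUDIT)
```

The secrecy of the IDs is not a control: the hardened handler would stay correct even if every AYID were public.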

So the question is, could people have been tricked into looking at their records, as Kreisberg suggests? Answer: probably not. Following the directions to get the ID values should tip the applicant off that they’re going to see something they shouldn’t be seeing. And I don’t think it would be common for people to share their user IDs and PINs for their online applications, so the odds of someone else checking your application status without your knowledge are pretty slim.

Bottom line: I think Sloan and the other business schools involved should take a hard line with the applicants whose files were compromised as well.

And I think that all the schools involved should look at another vendor for online applications. ApplyYourself’s system doesn’t appear to meet even minimal standards for securing the sensitive information with which it is being entrusted. Hopefully Sloan CIO Al Essa is already looking closely at this situation.

In defense of plain ol’ SQL

Philip Greenspun Weblog: How long is the average Internet discussion forum posting? I’m less interested in Philip’s answer than I am in the methodology: simple SQL select statements that give you very important product design data.

People talk about “data mining” and “business intelligence” as though they’re complicated, new skill sets, but really all you need sometimes to make the right call is a simple SQL query. And the right data set, of course…

Managing aggregator overlap

Brent Simmons talks about the issues with feed items that are about the same thing showing up in an RSS aggregator. I’m reposting the comment I made on his post here because I think managing the relationships between items is an important feature for RSS aggregators:

The ability to group feed items together based on what they link to is the only feature I miss in NNW from Dare Obasanjo’s RSS Bandit. It’s important for three reasons:

  1. It saves time. Some of the other comments cover this point [specifically, by grouping items that are about the same thing, you can read them all at once or just mark them all as read. Otherwise, you keep finding posts about the same thing all the way down your list of items.]
  2. It helps me follow conversations. Think of it as a client side version of Technorati–limited, of course, to the feeds I subscribe to.
  3. It aids in triangulation. I want to be able to quickly scan all the opinions of a new announcement, or quickly see the full original post that an item linked to so I can form my own opinion.

Maybe it’s not grouping, but some sort of optional “related items” UI that could show you items that link to the same things that are linked from the item you’re reading.