Boston Globe: MIT says it won’t admit hackers. There have been a few developments since I wrote about this case yesterday, and this is the big one. There have also been some questions raised about a few points in the case. Philip Greenspun points out how ridiculous it is to call something this easy a “hack”—I agree. It’s more like an exploit. That doesn’t make it any more justifiable, of course. That’s maybe the hardest part of this case—where is the line?
As I wrote in response to a comment on yesterday’s entry, there is no hard-and-fast line on cases of unauthorized access like this, because I’m curious about how systems work too and have been known to tinker with URL strings. That’s why I looked at the “exploit” instructions before I made my judgment call. If it had been a simple matter of substituting a login ID and PIN into the URL string, I might have felt differently. The fact that a prospective user of this “exploit” would have to dig a hidden value out of the source of the form should have tipped off the prospect that “hey, maybe I shouldn’t do this.”
I want future Sloanies to be smart enough not only to apply an “exploit” like this, but to understand that there may be consequences if they do it.