A long overdue hack: the Caltech cannon goes to MIT


Ever feel nostalgic for the good old days of MIT hacks, where devoted, slightly nutty students pulled off feats of engineering brilliance while evading the watchful eye of campus security? Well, mourn no more, Bunky, ’cause the MIT hackers are back with a vengeance. I think moving a Spanish-American War era cannon across the country through an inspired bit of social engineering qualifies as pretty impressive on its own, but adding the machined aluminum, gold-plated Brass Rat (Brass Rat defined) to the cannon was absolutely inspired. Nice plaque too.

And as always the Slashdot commentary is helpful, for instance the note that the cannon belongs to a residential house at Caltech, not the university, and that “No one outside of Fleming House gives a rats ass about that cannon. (Actually, no one outside of Fleming House gives a rats ass about Fleming House),” is a masterpiece of humor, intracampus rivalry, and sour grapes all wrapped up in a brief comment.

And knowing that the cannon was previously stolen by Caltech neighbor Harvey Mudd, that this theft occurred on the 20th anniversary, and that the social engineering included a phony moving company called Howe & Ser (Howe Et Ser) Moving Company? Priceless.

How to pitch

Courtesy of Sloanblogger Cybersam, a little insight today into the MIT Enterprise Forum’s latest offering, discussions of how to make a great business pitch from a CEO perspective and a VC perspective. A lot of the advice from both sounds familiar from years gone by, but I didn’t (foolishly) blog it at the time. Very good stuff.

Sloan alum (re)gains the Mass CIO reins

The Massachusetts CIO controversy (short version: previous CIO shafted for trying to move Mass government away from Microsoft Office via a push for open document standards) appears to have resolved itself: Sloan (MBA 1990) grad Louis Gutierrez, currently chief technology strategist at the Commonwealth Medical division of the UMass med school, has been appointed the permanent CIO. The interesting thing is that he was the CIO of Massachusetts during the mid-90s, during the Weld and Cellucci administrations, prior to stints at Harvard Pilgrim and other healthcare-related organizations. In fact, he was the Commonwealth’s first CIO.

I predict that a lot of the noise around OpenDocument and the state will die down. With Gutierrez’s track record (the state, Harvard Pilgrim, the Federal Reserve, and UMass Medical School), I think he’ll be a little more seasoned in how he handles the issues.

Tech Trek hits the media

CNET News.com: MIT grads to size up Silicon Valley. Heh. Funny that this makes the news, with so little substance. There’s a lot to say about the Tech Trek (which is unnamed in this article), but this article doesn’t say it—just suggests that MIT finds the Valley interesting. Which it did back in January 2001, when I participated. But it’s good to see that the Sloan crew can still raise press attention.

Here’s hoping we’ll meet now and then

Howard Anderson at Technology Review: Good-Bye to Venture Capital. Howard, who was one of my professors at Sloan and who cofounded YankeeTek Ventures and Battery Ventures, says he’s getting out of the VC business because “technology supply is bloated” (i.e. there’s more technology available than people can buy); “the hype machine is broken” (i.e. executives are no longer spending money on tech like their hair was on fire); and “the financial markets for technology companies are no longer exuberantly irrational.” So Howard is getting out of the business and won’t be raising any more funds.

Part of this, I know, is Howard being Howard—controversial and blunt-spoken. But how much of his analysis is on? Is there really no way to make the big returns any more? Or, as an anonymous colleague of mine puts it, is he taking his marbles and going home because it didn’t work out for him?

(Update: the comments on this BusinessWeek article and from A VC and Brad Feld suggest that it might be the latter.)

Neverending story: the B-school admissions issue

Boston Globe: Divide grows on treatment of students in online breach. Pluses on the story: they bring most of the cogent points, including the “students have to take accountability” argument and the “that’s not really a hack, it’s editing a URL” argument. Plus they cite Philip, though they don’t link to his site or get into the comments thread. Minuses: no one asked how one could “accidentally” stumble across the URL in question; the story doesn’t make any new points that the extensive discussions online didn’t already cover, plus it’s about two weeks late. We’ve already talked about all of this.

Interesting points:

  • There were 32 students at Sloan who were affected, compared to 119 at Harvard. That’s disproportionately high; HBS has about double the enrollment of Sloan, but I don’t think it has four times the applicant base. This could be because (a) Sloanies are more honest, or (b) more HBS students were inclined to look because Harvard actually had data on the server.
  • Corporate ethicist Robert A. G. Monks of Portland, Maine, says, “I wonder if you want 20-year-old kids traumatized for life over this.” I wonder how many business schools he’s seen recently. Most top tier schools aren’t accepting applicants straight out of undergrad. They want students with a few years’ experience under their belts. I think the youngest person in my class at Sloan was about 24, with most of the class in their late 20s. Someone who’s that old, who’s seen the business world, should understand that actions might have consequences and shouldn’t need to be coddled.
  • Total numbers of intrusions: total pool is “at least 211 applicants,” which includes 119 HBS, 32 Sloan, 17 Tuck, 41 Stanford, 1 CMU, and 1 Duke accounted for. While it’s not clear that each of the 211 only violated one file, or how students who applied to both Sloan and HBS and tried to peek at both files are counted, if you make the naïve assumption that the 211 counts intrusions rather than students, that means all the intrusions are accounted for.

Last HBS follow up, I swear: John Dvorak

Tech columnist John Dvorak weighed in yesterday on the ongoing MBA admissions brouhaha in his unofficial blog. His original post came down on the side of the “hackers”; I followed up in his comments to point to my post, and today he wrote the following:

OK, after all my rants and various philosophical concepts, the actual instructions for the student URL re-direction in the Harvard scandal are revealed here on the PowerYogi site. Reader/blogger Tim Jarrett sent me the link. Jarrett also takes a hard-line approach to what I’d now call a script kiddy violation or simple curiosity. But, if indeed there was a complex and dubious procedure, then there may be some justification for complaint. In this case the indication is that the students should have known this was traceable. Making such an error shows bad judgement.

I still think the colleges should have shut up and not showboated and exposed the fact that they were using flawed software. And I’m still not convinced this can be considered “hacking” in any real sense. But I now retract my earlier comments and criticisms made today.

As Adam said in my comment threads, this whole thing has the makings of an excellent business school ethics case. There are so many dimensions, so much going on, that it’s impossible to take a hard line on it without looking at the facts.

I’m actually grateful to the folks who found the flaw and the lousy programmers at ApplyYourself, because I’ve had more honest and productive discussions about business and personal ethics and the Internet in the last four days than the last four years.

The B-school admissions case: Sloan drops another shoe

Boston Globe: MIT says it won’t admit hackers. There have been a few developments since I wrote about this case yesterday, and this is the big one. There have also been some questions raised about a few points in the case. Philip Greenspun points out how ridiculous it is to call something this easy a “hack”—I agree. It’s more like an exploit. That doesn’t make it any more justifiable, of course. That’s maybe the hardest part of this case—where is the line?

As I wrote in response to a comment on yesterday’s entry, there is no hard and fast line on cases of unauthorized access like this, because I’m curious about how systems work too and have been known to tinker with URL strings. That’s why I looked at the “exploit” instructions before I made my judgment call. If it had been a simple matter of substituting a login ID and PIN into the URL string, I might have felt differently. The fact that a prospective user of this “exploit” would have to dig a hidden value out of the source of the form should have tipped off the prospect that “hey, maybe I shouldn’t do this.”

I want future Sloanies to be smart enough not only to apply an “exploit” like this, but to understand that there may be consequences if they do it.

HBS gets tough on ethics. Are they right?

Boston.com: Harvard rejects 119 accused of hacking. Following up the revelation that the third party company that manages online B-school apps got hacked, it looks like HBS (along with the Tepper School at Carnegie Mellon) is taking a hard line on admissions and blanket rejecting the 119 people whose admission files were hacked, while other B-schools (including Sloan) are taking a wait and see approach.

Does this mean that the other schools are soft on ethics? Maybe not, if the opposing perspectives in the article are correct:

Theoretically, at least, a hacker might have been a spouse or parent who had access to the password and personal identification numbers given to a business school applicant…

…[Cambridge Essay Service admissions consultant Sanford] Kreisberg said some applicants may have inadvertently tried to access the files, without realizing they were looking for confidential information, after they were e-mailed directions from other students who had copied them from the BusinessWeek message board.

It’s hard to tell from the articles, which don’t discuss the nature of the exploit. So let’s take a look. On the PowerYogi blog, the exact procedure used to do the hack is disclosed. Briefly, it appears that the hack relied (past tense, the info is no longer accessible) on a known URL that displays a dynamic page containing admission decision information, if any has been entered into the system. The parameters required to get the decision information are the applicant’s unique ID, apparently known as the AYID (or ApplyYourself ID), and a second ID number. The AYID is disclosed to the applicant in the URL of other pages that the applicant would normally visit. The second ID number can be discovered by viewing the source of publicly accessible pages. Though the decision page is addressed via HTTPS, once you know the AYID and the secondary ID, you don’t need any other authentication information to access the page. In other words, knowing two identifiers that the site itself hands out was treated as proof of authorization; HTTPS only protects the connection, not who is allowed to see the record.
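To make the flaw concrete, here is an added illustration (not code from the original post or from ApplyYourself) that models the decision page described above as two small lookup functions: the flawed one releases a record to anyone holding a valid (AYID, secondary ID) pair, while the hardened one ties the record to the logged-in applicant and to the release date. The sample records, session object and identifier values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: (AYID, secondary id) -> decision text, or None if
# the application exists but no decision has been entered yet.
DECISIONS = {
    ("1001", "s-77"): "Admit",
    ("1002", "s-77"): None,
}
# Decisions have been entered but not yet officially released to applicants.
RELEASE_DATE_PASSED = False


@dataclass
class Session:
    # AYID of the logged-in applicant, or None for an anonymous visitor.
    user_ayid: Optional[str]


def decision_insecure(ayid: str, secondary_id: str) -> str:
    """Model of the flawed endpoint: a request carrying a known (AYID,
    secondary id) pair gets the decision text, regardless of who is asking.
    Both values are handed out by the site itself (URL and page source),
    so they identify a record but prove nothing about the requester."""
    if (ayid, secondary_id) not in DECISIONS:
        return "not found"
    return DECISIONS[(ayid, secondary_id)] or "pending"


def decision_secure(session: Session, ayid: str, secondary_id: str) -> str:
    """Hardened model: the record must belong to the authenticated applicant,
    and it is served only after the official release date. Unknown records and
    other people's records get the same answer, so a wrong id reveals nothing
    about whether a record or a decision exists."""
    if session.user_ayid is None or session.user_ayid != ayid:
        return "forbidden"
    if (ayid, secondary_id) not in DECISIONS:
        return "forbidden"
    if not RELEASE_DATE_PASSED:
        return "not yet released"
    return DECISIONS[(ayid, secondary_id)] or "pending"
```

The check that matters is the ownership comparison against the session, not the secrecy of the identifiers in the URL.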

So the question is, could people have been tricked into looking at their records, as Kreisberg suggests? Answer: probably not. Following the directions to get the ID values should tip the applicant off that they’re going to see something they shouldn’t be seeing. And I don’t think it would be common for people to share out their user IDs and PINs for their online applications, so the odds of someone else checking your application status without your knowledge are pretty slim.

Bottom line: I think Sloan and the other business schools involved should also take a hard line on those of their applicants whose files were compromised.

And I think that all the schools involved should look at another vendor for online applications. ApplyYourself’s system doesn’t appear to meet even minimal standards for securing the sensitive information with which it is being entrusted. Hopefully Sloan CIO Al Essa is already looking closely at this situation.

Another blogging Sloanie… er, Sloan CIO

Al Essa, the CIO of the Sloan School of Management at MIT, has not one but three public blogs: Tatler, described as “A personal perspective on intellectual history, aesthetics, political economy, and arts and letters”; The NOSE (Navigating Open Source Elearning); and Rude Mood, about running. I’m not sure that three completely independent, separately branded blogs aren’t overkill, but I guess it keeps things from getting confusing. A belated welcome to the blogosphere, Al.

Takes all the fun out of it

MIT: Tunnel map. It’s much more fun wandering around lost by dead reckoning and occasional, maddeningly imprecise signs. Sigh.

For the uninitiated, MIT, like many schools, has a network of tunnels beneath the buildings. Unlike many, access is not restricted and it’s perfectly reasonable to (say) hop into the tunnels from the loading docks at E25 and pop up only when you get to Lobby 7.

Of course there are less…um, pedestrian uses for the tunnels too. See this archive at Undercity.org for some starters…

Gambling on a different scale

I happened to be looking up an old Sloan instructor, Todd Dagres, who had been an assistant professor in my entrepreneurship curriculum, working alongside Howard Anderson. Dagres had led Battery Ventures’ investments in Akamai and Qtera back in 1999, but in 2001 was calling the tech IPO market a “nuclear winter.” Now that there are signs of life, however small, in the market, I wondered if Dagres had revised his assessment.

According to this Boston Globe article from last October, he’s revised it, all right. He’s left the business entirely—and started a film investment firm, BeGyle.

I guess film is another industry where big capital investments yield big returns—or big zeroes.

Biomedical networking

Shades of Gray: Biomedical networking. Sloanblogger Straz lands a product management job with a biomedical startup and posts two useful reminders to me as I continue with my own job hunt:

First, it’s a question of not what you know vs. who you know. It is first who you know (get in the door) and then what you know (get hired). Second, even under the best circumstances, 3 months is the bare minimum to complete a job hunt at the professional level.