July 29, 2002



Okay, I'll say right off no one's looking good here.

That said, here's a couple things you won't read elsewhere, maybe:

1) It wasn't "hacking." All the evidence is the Princeton admissions office took legitimately gathered information about students who'd applied to both colleges and put it into a login form on the internet. No l33t computer skillz required.

2) It's entirely believable that someone in the Princeton admissions office was interested in the issue of how Yale was keeping good security without assigning recently admitted or prospective students admissions numbers. I have spent more than a few days in meetings at U of T discussing exactly this similar issue. (Most universities are exploring how to get information out to incoming students faster... the problem is the security burden, which Yale got around apparently by ignoring it).

3) It's entirely unbelievable, on the other hand, that there was any intent to use the data gathered to give Princeton an edge in any admissions offers to choice students, or to get an edge on the competition. It just doesn't wash: none of the information garnered in this way would be so particularly valuable that subterfuge was necessary. What I do believe happened is once someone had first accessed the Princeton site, they then showed off Yale's foolishness to others in the office, as sort of an in-house joke on the Yalies. The alternative, that Princeton was obsessed with whether they would land the President's modelling niece, is silly.

4) The Yale admissions office web people are a bunch of tools. First off they put up what by all reports was a flagrantly insecure system, a massive disservice to all future and incoming students... that should be a crime in itself. But then, when Princeton gets around to informally notifying them about the obvious, massive, drive-a-truck-through-it problem with their web service, they called in the FBI on Princeton? If anything, the university that is being the most mindlessly competitive here is Yale, not Princeton, deflecting a story about their cavalier attitude towards student privacy by blaming Princeton for "hacking". Yes, if Princeton was playing good corporate citizen, they should have tested the security flaw once, smiled to themselves, then promptly reported it to Yale (that's surely what I'd have done... right? right?). But this hardly warrants the assignment of national investigative resources.

Posted by BruceR at 12:08 PM