Maybe they could call it Harvard Bonehead School
Philip deconstructs the alleged uber-hacking that let a bunch of anxious Harvard B-School applicants peek at the status of their applications:
... All the smart young Americans have gone to law, business, and medical school. Companies don't like to hire old people (> 30 years) to write computer programs because it saddens them to see old folks doing something so degrading. Thus ApplyYourself hired whoever was rejected by professional schools to write up some Visual Basic scripts to process HBS and other B-school applications. ... In the 1960s the term "hacking" meant smart people developing useful and innovative computer software. In the 1990s the term meant smart evil people developing and running programs to break into computer systems and gain shell access to those systems. Thanks to Harvard Business School the term now means "people of average IQ poking around curiously by editing URLs on public servers and seeing what comes back in the form of directory listings, etc."
For the technically minded, Tim points to a description of the hack. He adds:
... ApplyYourself's system doesn't appear to meet even minimal standards for securing the sensitive information with which it is being entrusted. ...

Comments
Oh geez...
The agency I currently work for has the same thing going on on their website. And we actually have what's considered an amazing computer setup for a human services agency. When I was applying for this job, I was poking around on the site and actually found a large "inside" directory that let me see the status of my application, other people applying for positions (the list included first and last names), and various other stuff. It was actually really neat to find the entire employee handbook when I was considering the job here, so that I knew exactly what sorts of rules, regs, perks, etc. I'd be getting myself into.
The thing is, though, with a bit of poking around and without any coding knowledge or anything, the public can find all of our phone/pager/cell numbers, our sick and vacation banks, trainings we've taken, internal awards we've been given, workshops and meetings we're scheduled to go to, etc. Basically everything that's considered public within the agency, but which I really don't want random people finding. I mean, some of the lists even come up in a Google search of my name. I've e-mailed them and told them about this, but nothing has changed.
It would be really easy to fix, too, since we do have a directory that requires us to use our login and which doesn't come up in a Google search (this is where info is stored that only I am allowed to see, like where I enter my timesheets and update my home address and tax info and stuff). They could just dump everything in there. But nooooo.