What is hacking?

In today's Boston Globe the editorial writers do a disservice to true hackers when they write about the rejected college applicants in The price of hacking:

"Oddly, while hacking is a clear ethical offense, some people are wondering what the big deal is. Some say there was no clear 'do not enter' sign warning students. And it could be argued that these students were being assertive, a skill that would serve them well in business. One rejected student has even printed up T-shirts bemoaning the fate of the 'HBS 119.'

"But there is no gray area. Hacking into a computer system is wrong, no matter how easy it is or how seemingly harmless."

Philip Greenspun, though, gets it right when he writes, Business schools redefine hacking to "stuff that a 7-year-old could do".

These kids didn't hack into a computer system. They were already logged into the system with valid username/passwords. This editorial gives hacking a bad name. Hacking is not a "clear ethical offense", it's "a clever solution to an interesting problem".

Comments

Yeppers

One can only hope that Harvard Business School's next step is to fire the company that built a system that allows somebody to see "secret" data by fooling around with URLs. Heck, I've even done that (no, not at HBS!); that's not hacking, that's just bad, stupid security.

I wrote a bit about this myse

I wrote a bit about this myself: http://www.vermiliondreams.net/archives/001072.php

I think it was wrong of them to do it. Just because the security was poor doesn't mean they didn't have to go around security to get there. It's still stealing.

Stealing What?

I, too, have done this. I'm only slightly torn here. I don't think these people should be locked out of business school just for looking to see the status of their applications. I mean, even the IRS has a webpage where you can go see the status of your return prior to them sending you off your check.

Nice spin by HBS - by focussing on the evil hacker students, people aren't asking loud enough why the hell their information was so easy to find.

===========================

From the brains behind http://www.bigdumptruck.com

Very true, Calla.

Wrong is wrong. Theft is theft!

Hmm...

I think it depends how much they had to change the URLs to get anywhere. If they had to type in some string of weird letters and numbers as part of the URL, that's kind of a sign that it wasn't meant to be public. Although, it's still bad security.

If they found this stuff just by taking the end off of a URL or adding "home" or "index" or something to it, I don't think that's so wrong. I mean, when I've applied for jobs and things and I find a job ad with links to, say, the benefits breakdown for the position, I've taken the end of the URL off to see if I get a company handbook or anything that might be of interest to me as a prospective employee. I'm not looking for anything I wouldn't be comfortable asking to see if I ended up applying, but I'm getting information about the place without wasting their time or money.

HTTP is not hacking

Hacking means using ssh, telnet, or rlogin to get a shell prompt and then doing something (evil or otherwise) once you've got it. It is not possible to "hack" a computer just by sending it an interesting URL via HTTP.

Well ...

Oh, sure you can hack into applications via URL, if the applications are set up particularly stupidly. With ColdFusion all things are possible :-). I think (apologize if I'm wrong), the recent Santy worm does something similar via PHP. Actually, there's a whole ton of applications that accept commands via URLs. At work, we can always tell when the script kiddies have been trying out our search engine - we get all these "error" messages about ridiculously long search strings (sent to try a buffer overflow attack).
