Trainwreckspotting, or: Corporations vs IT security as exemplified by the HBS
When I first heard about the recent incident at the Harvard Business School, I rolled my eyes and proceeded to ignore it. But the blogosphere (and the web at large) has subsequently reverberated with such amount of bizarre reactions to the event that I need to write something about it before I pull my hair out.
Apparently, a student figured out that by editing the URL of a page in an University web application for admissions management, they could find out their status at a time the administration did not yet wanted to announce it. He proceeded to post instructions on how to do this to a messageboard, and inside a 9 hour window before the post was pulled and the security hole closed, 150 students total followed these instructions. The administration then publically decried these 150 as criminals of the worst sort and announced that all of them were retrospectively rejected.
Hello?
If anything, Harvard Business School should be prosecuting for gross criminal negligence the incompetent dilettantes who charged a boatload of money for writing an application that lacks even the most basic security checks whatsoever. Apparently the amount of money paid and the careers at stake in this piece of software were not enough motivation for the contractors to avoid embarrassing themselves by bungling things that a rookie would learn first thing in any decent web programming 101 (“never trust the client” and so on).
The students who peeked by following the posted instructions should have no repercussions at all. Rather, the administration should announce all other decisions already taken, to level the playing field. Blake Ross opines that the number of students who helped themselves was probably bounded by how quickly word could get out, and there is little doubt in my mind that he is correct. He also suggests that many circumstantial factors encouraged this behaviour and this, I agree, is worth more than one long, hard look. Punishing the peeping toms won’t achieve anything worthwhile.
Whoever posted this trick publically should be dinged by whatever measure is deemed appropriate, not for peeking, but for disclosing this information without due notice to those responsible for the application’s security. Of course it’s wishful thinking to believe that the administration would have thanked him for the lead rather than shooting the messenger, so she or he didn’t have much incentive to handle this correctly anyway.
And therein lies my gripe. Very few people outside IT seem to understand IT security (or even security in general) such that they can take a meaningful stance to problems, rather than just dropping into shallow reactionism. That’s not to say that understanding of IT security is all peachy keen among those who find themselves in the field (otherwise compound fiascos like this incident wouldn’t happen). It’s just to say that the distribution of competence goes from depressing inside the field to terrifying outside it.