I think from all the replies you came the closest to blame. The "hacker" who posted this should have adhered to the unwritten rules of ethical disclosure of vulnerabilities. He should have made both the schools and the company handling the data aware of the flaw, then given them time to secure their site, or patch their code. As for him just blogging the flaw, that was iresponsable and foolish. For his disclosure how many applicants, who just couldn't stand to wait, viewed their status and now may have lost their chance to get in. Though I agree with the school that this is unethical, how many corporations play by an ethical set of rules *COUGH* Microsoft *COUGH*.

I think the person who found the flaw is as much to blame as the potential applicants.

Something I would like to know is how the school knows who checked their application? These people are supposed to be intelligent right. Even my computer illiterate wife knows webservers maintain logs of access. George Carlin said it best, "the kid that eats the marbles, doesn't live to have kids". I think the same holds true here, I don't want these people in a business where a shortcut is taken because of profit margin that has potentially lethal consequences. Still though I would like to know how the school is certain those applicants are the actual ones who checked their status, I mean what if I had applied and read of this vulnerability and used it to check on someone I had gone to school with and knew had applied as well and this person never used it to actually check thier status, but was implicated all the same?

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/309/31143#31143