News Stay informed about the latest enterprise technology news and product updates.

One casualty of weak security: Online embarrassment

Pity the poor IT guy who is the face of Harvard hacking.

I'd like to tell you something about graduate cultural anthropology courses at Harvard University, but I can't.

That's because staff at the Harvard Graduate School of Arts and Sciences (GSAS) haven't seen fit to fire up its website server again, what with it being the target of a rather embarrassing hacking last weekend due to weak security, according to the hacker.

In a move that likely lacked true technical brilliance, someone waltzed right in and basically stole the GSAS website. Sometime Saturday a 125 MB file titled "harvard's" made its way onto a Torrent site.

The compressed file apparently contains the entire directory structure from the website, as well as database files from the site, including a database of contacts and something labeled "some other minor thing" by whoever uploaded the torrent, according to a breakdown of the contents at

Oh, and there's another file labeled "password.txt." It's not as nefarious as it sounds. The file isn't going to help users unlock admissions and billing records or catch a preview of a work-in-progress thesis.

But it does contain this one tough-talk line: "Thomas gatton….stupid people, you don't use a secure password."

The .txt file also contains usernames and passwords for Gatton, a systems administrator, and another staffer. The complete compressed file also includes an .nfo file that reads in part: "Maybe you don't like it but this is to demonstrate that persons like tgatton(admin of the server) in they don't know how to secure a website."

Now imagine you're Thomas Gatton. And you get the call that the site you work on has been hacked and that the hacker is actually blaming you -- by name -- for making it so easy for him due to weak security.


Far be it from me to say if Gatton knows his security. Maybe he didn't have the resources. Maybe he thought it was secure enough. Not everyone needs to be wrapped up like the Department of Defense (wait, they get hacked, too). Maybe securing the GSAS site wasn't even Gatton's job. Maybe this isn't his fault.

There's not much justification for the spiteful manner of calling Gatton out by name. The whole "I'm just showing you how weak your security is" bit is hardly in league with the public service writer Andy Bowers performed in 2005 when he made his own terrorist airplane boarding pass. Whoever saw fit to go after Harvard students here clearly hasn't gotten over not making National Honor Society in high school (I have, I think). I know this taunting on my own part somewhat misses the point. I can empathize with and understand the anger embedded in the attack, as well as the joy in mischievous and anonymous fame the hacker must be feeling.

And being the poster child for a snooty, privileged Ivy League education certainly makes Harvard a tasty target. Others might claim moral victories for messing with Wal-Mart, The New York Times or Philip Morris.

But calling someone out by name while rendering yourself anonymous?

The running theory from Harvard Client Technology Advisor Noah Selsby, via student paper The Harvard Crimson, is that the hacker took advantage of a "computer that had been hijacked, in order to attack our server from [his own] computer." That covered the hacker's identity and allows "no way to get a definitive IP address," Selsby told the Crimson. He also blamed weak passwords as the cause of the break-in. John Palfrey Jr., executive director of Harvard's Berkman Center for Internet and Society told the Crimson that "harder password combinations are something that human beings as a race should pursue."

Gatton didn't return a call for comment here. I don't blame him. Selsby shuffled me off to Harvard public affairs, saying he speaks only with internal media, though I seriously doubt the Crimson staff considers itself in league with the university.

Then again, the daily paper does print that little two-digit graduation year after Selsby's name, which probably doesn't help with the whole image-of-entitlement thing that made stealing Harvard such a catch in the first place.

Zach Church is a news writer for Contact him at

Dig Deeper on Small-business IT strategy

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.