Student claims code flaw spotting got him expelled from college

A Canadian computer science student is claiming he was expelled after identifying a gaping security hole in administrative software his college was using. Ahmed Al-Khabaz, a 20 year-old student at Dawson College in Montreal, told the National Post that he and a friend had been developing a mobile app for students to access their …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

These computer laws need real exemptions for security researchers.

... and Colleges & Government Agencies need to be held legally accountable for continuing to use unsafe and insecure software.


Be Honest

He was a naughty boy, he got caught being a naughty boy and should have got his backside slapped for being a naughty boy. What he did was illegal, he could have asked if he could run his software to check, but he did not.

I think he was just a clever lad acting the prat overestimating his own importance.

However the punishment really does not fit the crime, being a prat is not a crime, it is just being stupid. Censure him yes, expel him no. A kick up the arse and some menial tasks for the next three months would have been quite sufficient.

Anonymous Coward

Re: These computer laws need real exemptions for security researchers.

Finding the flaw was not illegal, having a rummage around the second time was, so in essence he was not expelled for finding the flaw, he was expelled for having a rummage around.

This is not illegal in English Public Schools, but it is in Canadian Colleges.

Anonymous Coward

Re: Be Honest

"being a prat is not a crime ... " No but it should be. Third degree Asshole sounds about right.

Anonymous Coward

Re: Be Honest

The number of times one finds a flaw and decides "Maybe I'll take a gander and see if they've fixed that critical flaw" and they haven't bothered is far higher than the number of times you take a gander and they have.

The school board in question should have their servers shut down for illegally leaking private information to anyone who can be bothered to steal it and their administrators and people that told the administrators to keep the net links open should all be tried for gross misconduct.


Re: These computer laws need real exemptions for security researchers.

"Illegal" in Canadian Colleges? How can something a college declares illegal carry the weight of effectively banning him from colleges everywhere?

Somebody start a crowdfunding campaign for that student! No, make it two campaigns: one to fund him for self-education so he can later on audit his way out of that university, and a second campaign to fund his legal team.

Maybe a third fund to compel the school to stop acting the way it did. Once he found the hole, they should have plugged it, considering all the privacy info at risk. This is not some leisurely walk in the park to fix, but banking on security through obscurity, and letting the sci-fi named chummy vendor rest on its laurels is something ANY uni should be smacked and impaled for.

A worse thought came to mind: the hole was engineered to allow privileged other parties (legal or criminal in intent) to backdoor intrude on the students and possibly the rest of the people on the campus. Someone should do a background investigation on the vendor, their relations to the school, and why they carried not enough clout to keep the school off the student's back.

By poking the second time, I think he had every right, since as a member of the campus, his own privacy data and that of friends and possibly faculty, staff, professors, and deans for whom he cared were at risk, too. So, to my mind, he was exercising due diligence -- provided he was not instrumenting his own back doors or any booby traps. He seems to have wanted to be in a position to compel the school to fix the damned situation. All the money the deans and faculty and their alumni-oriented pet projects suck down, there could have been an emergency borrowing to plug the hole even if it meant using an outside auditor and repair team.

But, people LOVE to cover their own asses and those of their friends, lest those friends become frenemies.

Too bad most crowd funding sites don't seem to make it easy for mass actors to escrow a fund managed by a bank, so that angry people can support someone without having to directly manage the funds. Fire-and-forget funding campaigning should be possible, so long as the recipient is not a terrorist or paedophile or "banned" person who might be the vector of jailing of well-meaning actors.


Re: These computer laws need real exemptions for security researchers.

I think they overreacted, but I can see why they got upset.

It's one thing to notice a vulnerability during development of an application and report it to the university, for which he was rightfully praised.

It's another thing to fire up a vulnerability scanner and start hammering away at the system to see if it was fixed. This is a big no-no. As any pentester will tell you, you don't do crap to someone else's system without a signed contract.

I think expulsion is going too far, I would have limited it to some kind of official reprimand.


Someone is telling porkies

According to the board that expelled him, he already had a 'prior warning' and this is why he was expelled. Such a prior warning would have had to be given in writing and a record of it would exist, so either the board expelled him punitively for exposing their data-protection fail and are telling porkies, or the student isn't as innocent as he's making out.

Either way, (1) there would be a record of prior warning, therefore it should be fairly straightforward to establish who's right and (2) the article does not manage to delve in deep enough to find this out.

Therefore any comments on the article taking one side or the other are pretty spurious.


Re: These computer laws need real exemptions for security researchers.

"Finding the flaw was not illegal, having a rummage around the second time was, so in essence he was not expelled for finding the flaw, he was expelled for having a rummage around."

Depends if he was having a rummage or checking to make sure they secured the hole to keep his own data safe and kick up a fuss if not.

And if he had malicious intent, the lad sounds bright enough to cover his trail before getting in.

If the site owners were worried that an unauthorised program might crash their server, they need to fix that server against someone who wants to bring it down.

Anonymous Coward

Re: Be Honest

Nope the answer clearly here is don't. When I worked at a large telco a long time ago there were several back doors in the security systems. I knew quite clearly that pointing these out could only lead to trouble, or even recognition by management, as someone capable of circumventing security. I kept these things to myself and a close group of friends, and used them occasionally when required, always starting from a machine not normally used by me and from dead accounts. One person let into the know of one of the exploits, got caught and in a lot of trouble. He kept the scripts unencrypted on a unix account in his name. twat. I even had mine encrypted with a C program I specially wrote for the purpose, a C program I still use (but only now for my naughty pictures/vids of ex-gfs collection)...o0o... Never reveal what they fear, security exploits, it can only get you in trouble and potentially remove a resource you may need at some point in the future.o0o.

Anonymous Coward

Re: These computer laws need real exemptions for security researchers.

Several years ago, I accidentally (not doing anything I shouldn't) discovered a major security flaw in my company's systems. I told them about it.

Instead of thanking me they dismissed me on a false charge and buried it under the carpet.

I'd advise you, if you find such a thing, to keep quiet and let the company take a fall, rather than yourself.

Bastards.


Re: These computer laws need real exemptions for security researchers.

>It's another thing to fire up a vulnerability scanner and start hammering away at the system

He was a computer science student working on the college network, he is therefore entitled to treat everything on the college network as fair game for furthering his education - we did! If the college is stupid enough not to have locked their network and systems down to prevent students gaining unhindered access to key business systems then they deserve to have their network and such systems brought down.


Re: Be Honest OK. Let's be honest...

He was simply verifying that his personal data was now secured.

If you know there was a chance your personal data was vulnerable, you'd be a prat for not double-checking it was now secured.

What he did was expose a security threat, but did not steal any data. Haven't you ever double-checked to see that a door was closed/locked? That's what he was doing.

It would be a different story if he actually downloaded any data.

The school and company are the ones who were embarrassed and should feel guilty for not having secured all the students' personal data in the first place.

Anonymous Coward

Re: Someone is telling porkies

Having peripheral experience with a large university justice system (technically I was mugged for a pizza and it took over a year before they brought the culprits up on disciplinary charges), my money is on the University. They moved way too fast for this to not be a feeble attempt at a face saving PR move. With the predictable result that it will generate even more negative PR.

Anonymous Coward

Re: These computer laws need real exemptions for security researchers.

@AC 22nd 14:37

"Instead of thanking me they dismissed me on a false charge and buried it under the carpet."

Sounds like something was on there they didn't want you seeing and were worried about it getting out.

Maybe the best thing to do is dump the whole thing to your own removable storage, take it offsite, then tell them about the flaw. Then you still have access to whatever juicy blackmail material they are getting twitchy about.

Or maybe just tell them you have done so with your best poker face on.


Anonymous Coward

Re: I would imagine...

Erm, no! This is Canada in case you missed it.


Re: I would imagine...

Yeah, because what security firms really need are people who don't follow procedures and scan systems without permission or notification.

He's probably just a script kiddy anyway, seems to me an awful lot of self-styled "security researchers" are.

Anonymous Coward

Re: I would imagine...

I would imagine someone from one of the security firms will be calling him shortly to offer him a job, get him on a uni course and pay his fees.

Bet they don't.

I suspect his future will actually be a series of increasingly menial jobs which further undermine his employability in the field that interests him until the point at which he cracks and tries some criminal hacking, only to be caught because he is - at the heart - just a script kiddie. Short spell in prison to further ensure he struggles to get a real job and his life can continue to decline.

There are rarely any rewards for "doing the right thing" in this manner. (ignoring the argument about his secondary nessus scan)


Re: I would imagine...

I wish people would stop saying this.

I work in the information/computer security sector and this whole thing about talented black hats being offered legitimate paid work in grey/white hat security, especially joining ACME Ltd. to assist them after owning and humiliating ACME Ltd., is total nonsense. It's the stuff of movies, or possibly Mitnick-esque back in the 1980s when things were different.

These days, it's big business with a reputation to keep up. Would you hire a convicted bank robber as a bank cashier? Ethics is king and a leopard can't change its spots.


Re: I would imagine...Canadians don't sue?

Get real, we take lessons from the USA every day AND our privacy protections are way, way better than the UK.


Re: I would imagine...

No, but I would hire him to find weak-spots in my security

Anonymous Coward

Re: I would imagine...

I am reading the comments and just realised that as IT professionals we are all cracked.

I should have the right to scan any system that stores my info. In fact, since running a scan is so commonplace, we should all have the right to scan any system we intend to do business with before we commit ourselves to a transaction and put our financial well-being and security at risk.

If the chap could run a simple scan and find such severe vulnerabilities, the laws should be on his side not against him. Instead the law should so severely penalize the software company as to make it close shop.

We keep punishing the individuals who sometimes with little or no hacking or cracking skills "BREAK" into these insecure systems. We make big headlines calling them hackers and PERSECUTE them in the guise of protecting us the minions. Wouldn't it be more effective to have laws that penalize the companies whose careless coding and administration put their clients' info at risk instead?

Just saying that the laws are stupid. They should be focused on intent and on truly protecting consumers, not incompetent software companies.


Re: I would imagine...

Would you like to eat your words???

The Dawson College computer science student who was expelled after discovering a security breach in a system used by students across Quebec has been offered a scholarship by the company behind the software.

"We will offer him a scholarship so he can finish his diploma in the private sector," said Edouard Taza, the president of Skytech.

ww.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html


Re: I would imagine...

"Bet they dont"

Bet they did... the same company whose software vulnerability he exposed, Skytech, offered him a (private sector, meaning commercial vocational school) scholarship and a job.

Much to the dismay of all the authoritarian types in the peanut gallery, I would say his career just got a boost from this episode. Out of that silly provincial college, and into a real institute of technology program that will actually lead to a real job that he'll walk right into, right now.


Re: I would imagine...

Sounds to me like pity. He caught them off guard and found a hole which is embarrassing. Given a few weeks they still hadn't fixed what I imagine must be a fairly big problem and then their automated features got him expelled. They probably thought "Shit, we just got a kid expelled for doing the right thing, this is going to reflect bad on us QUICK GET HIM A JOB!"


Re: I would imagine...

The derogatorily used term script kiddie implies no security research. Mind you, he found the vulnerability on his own.


Re: I would imagine...

I should have the right to scan any system that stores my info. In fact, since running a scan is so commonplace, we should all have the right to scan any system we intend to do business with before we commit ourselves to a transaction and put our financial well-being and security at risk.

Hmmm.

By that analogy, I should try to steal something from a shop before I decide whether I should buy something from them. If I fail, or I'm caught, then fine - I should shop there in future. Presumably after I've served my sentence for theft.


Re: I would imagine...

No... by that logic you should be allowed to attempt to rob a bank before deciding whether or not to do business there.

Shops aren't storing your sensitive information. You could attempt to steal customers' credit card info from a shop prior to deciding on whether to shop there though, or just use cash.


Re: I would imagine...

And lucky for him that he is in Canada: the combination of US law and the ethnicity suggested by his name would be really bad. The prosecutor would be threatening him with a few decades in jail by now.


Re: I would imagine...

He'd better behave himself. If they catch him being "unprofessional", by their standards, I bet the job vanishes. It's a pretty good deal from their PoV, they have a talented candidate, and they can check him out before he gets near anything critical to them.

Anonymous Coward

Re: I would imagine...

Bet they did... the same company whose software vulnerability he exposed, Skytech, offered him a (private sector, meaning commercial vocational school) scholarship and a job.

Ah, the wonders of a bit of publicity change the balance. The lesson for all future "black hat-white hat wannabes" is now create as much of a public furore as possible. Excellent.

The reality is that for every instance like this, there are dozens and dozens of others whereby the person's life is ruined and the likelihood is still that this guy's career isn't going anywhere special.

This isn't about being authoritarian - it is simply how businesses work. Banks don't hire bank robbers etc.

The biggest problem about this feeding into the myth is that it stops "society" going back to the source of the problem and fixing the crazy ideas that led to this whole farce.


Re: I would imagine...

so now they have decided that, as the story's spiraling out of control and putting their company in bad light, they should make a strategic move ("how to turn a PR disaster into a success story for the Dummies") and use it to their advantage, by offering scholarship?

no-no-no, you got it all wrong, they meant it to reward him from the start, but of course, it's just those bad, bad, bad mass-media mis-presenting the company's viewpoint.

Whatever, smart move. Unless their stand was, in fact, mis-presented and they were, in effect, forced to reward this guy (who MIGHT not be as innocent as he claims), to avoid this pr hit...

Anonymous Coward

Re: I would imagine...

The Dawson College computer science student who was expelled after discovering a security breach in a system used by students across Quebec has been offered a scholarship by the company behind the software.

"We will offer him a scholarship so he can finish his diploma in the private sector," said Edouard Taza, the president of Skytech.

I'm impressed - that's actually an intelligent response. On the one side, they get control over the one person who has the facts of their vulnerability and is thorough enough to check up on it (but stupid enough to do this without formal permission - I hope he learned his lesson). Secondly, it flags to the college that they have gone WAY over the top (and that's even after assuming that that "we gave him a formal warning" statement agrees with the facts). Thirdly they stop the adverse publicity which the college doesn't seem to care about, but which would have been bad PR for the company. This approach makes it positive.

As I said, I'm impressed. That's an unusually intelligent response.


Re: I would imagine...

Errr, businesses have and do employ ex-cons and talented fraudsters to help secure their operations. You wouldn't hire a bank robber as a cashier, but you might hire one to consult on laying out a bank to make a robber's job harder and to help train the cashiers how to deal with robberies.

The most publicised example of a black hat going white would be Frank Abagnale consulting on secure documents and check fraud, but he led the FBI a merry dance for years and earned a reputation as a forger par excellence. He's not just a kid who managed to fire an SQL injection in some software whilst he was developing an app for it...


Re: I would imagine...

That is in fact exactly what happened.

He was offered a job by that software company yesterday, and his phone has been ringing off the hook from security companies wanting to hire him...

This story is a bit late on its news apparently.

Anonymous Coward

Re: I would imagine...

Don't worry, the Harper government is doing everything it can to equal any stupidity of American law in Canada.


Re: I would imagine...

I couldn't agree more. The idea that using these simple scanning tools, which are legal, must be regulated by law is preposterous. The college have a duty to protect data, part of that is making data available when needed. They appear to be saying that their network is so weak that running scans will take down the system. That means they don't have a legal system and need to get it fixed. They should also be punished for failing to protect users data in both senses.

Running a security scan can slow things down and potentially break systems, however if I was to test the doors of the cars on my street without any intention of opening the door I'm not sure I could be prosecuted.

In network security it appears that I could be prosecuted rather heavily with no malicious intent. Doesn't seem right.


Re: I would imagine...

@Mr. Nobby

I think it's more apt that you do a bit of due diligence and look around the bank before lending them your money. Are there doors and walls, is there some form of security, do the staff walk around in orange jail house suits? :)

Most of the time we rely on blind trust that there's not a wide open door at the back where anybody with a clipboard can walk in and out and access whatever they feel like.


...self-styled "security researchers"

This is the danger: the security research software tools are all out there, and available to people who have any minimal interest and maybe even less than minimal competence to operate them. Sure, pointing a penetration test suite at some network may produce interesting results, but that doesn't make you a "security researcher", any more than rushing around in camo firing an assault rifle would make you a "soldier". In both cases, there's professionalism involved. This young man was working his way towards that, seemingly, when he made an error of judgement. I don't see that his career should be terminated just because Dawson College itself no longer wishes to teach him.

Anonymous Coward

Re: I wish people would stop saying this.

Get real. I work with so-called real security types every day. A less ethical bunch you've never met. The APPEARANCE of ethics may be king, but the reality of it is far from it.

Anonymous Coward

Re: Banks dont hire bank robbers etc.

Maybe not directly, but consultancies work. And it depends on a variety of other things. I worked with a convicted con once. He decided to go straight before I worked for him. Still a bit of a temper on him, but you couldn't find a harder worker or someone more forthcoming about ratting out security problems. His juvey conviction was for boosting cars.

Oh and yes, we routinely configured teller stations for a number of banks.

Anonymous Coward

Betting serious cash that Anonymous will visit soon and help find all sorts of vulnerabilities for them.


Just what I was thinking about anonymous

Except that anonymous might reinforce the lesson with a bit of nasty leakage of some purloined information... How about the personal information of the network administrators, for example?

I'm really having trouble imagining the school's reasoning here. It was THEIR incompetence that created the vulnerability in the first place. He reported it, but since he already knew they were incompetent at protecting the information (which probably included his own personal information), I don't really blame him for checking on the degree of their incompetence. Given that he already had proof of their incompetence, why would ANYONE believe they had actually fixed the problem WITHOUT checking again?

The entire notion that law-respecting people get penalized for a bit of innovative or deviant thinking is really stupid. I hate to break the news to the morons who are running this so-called school, but you can count on the real criminals being quite innovative AND deviant AND NOT TELLING YOU ABOUT IT. They are NOT going to inform you about any little problems they notice, but just help themselves to whatever they can get.

I'm trying to imagine SOME set of circumstances that would justify the school's actions. So far the only one I've come up with is that he came back and tried to look at some information. That might seem pretty stupid after he had told the school exactly where the vulnerability was, but even that is a debatable scenario. How can you tell the hole is really there or fixed without looking through it--and there is some information on the other side of the hole, which is the whole problem.

Anonymous Coward

@Shannon Jacobs - Re: Just what I was thinking about anonymous

See how low you can get? Why the personal details of network admins? What is their implication in this matter? They were told to install that app chosen by upper management, so why should they be lynched because the app had a vulnerability, and by whom?

All your arguments fall as a house of cards because if that guy really wanted to check if the vulnerability was still there, he could simply have used the same test case that allowed him to discover the vulnerability, instead of thoroughly scanning the server without permission. Everywhere I've worked in my past there was a special clause in the contract regarding the scanning for vulnerabilities.


lucky escape

I reckon this young man had a lucky escape from "education" which provides no skills, and I can see a promising career in IT for him without a diploma.

Anonymous Coward

Re: lucky escape

Unless of course he wants to work for banks, insurance, government, health care, universities and so on. You don't seem to live in Canada, eh?


Re: lucky escape

One of the many reasons Silicon Valley is not in Canada

Anonymous Coward

Re: lucky escape

One of the many reasons Silicon Valley is not in Canada

Fortunately - for Canadians anyway.

Good old Silicon Valley does have some amazing startups and success stories of epic proportions - however, it also has a monumental failure rate and for each passable success there are dozens and dozens of corpses by the road side.

Unless this guy comes from a background which gives him a fair bit of spare cash to plough into a start up - or lots of friends wealthy enough for him to lean on - the chances of him doing well, even in Silicon Valley, are hovering around zero.


Re: lucky escape

Your posting shows how little you understand Silicon Valley - a place where failure is an option because out of it something else will arise. It's not for the timid or the risk averse, who are afraid to try because they are afraid to lose. No, it is probably not for the likes of you, nor for me anymore, but as far as I still know it still draws some of the brightest and most innovative people on earth. Silicon Valley is a harbour of refuge for young Canadian minds like the one found in this article.
