Re: lucky escape
Failure is not an option, it comes as standard.
A Canadian computer science student is claiming he was expelled after identifying a gaping security hole in administrative software his college was using. Ahmed Al-Khabaz, a 20-year-old student at Dawson College in Montreal, told the National Post that he and a friend had been developing a mobile app for students to access …
Your posting shows how little you understand Silicon Valley
And, ironically, your post shows you don't seem to have read mine.
a place where failure is an option because out of it something else will arise.
Great for the valley, sucks for the failure.
It's not for the timid or the risk averse, who are afraid to try because they are afraid to lose.
Which was my point. Silicon Valley is great for start-ups where there is a safety net. You can only have a high tolerance for risk when there is a high buffer. Failure is less painful, and less permanent, for those from rich families or with wealthy enough friends that when it goes off the rails they can still eat.
No, it is probably not for the likes of you
I am not sure what that is supposed to mean, or what idea you have about who I am, where I live or what I do.
, nor for me anymore, but as far as I still know it still draws some of the brightest and most innovative people on earth. Silicon Valley is a harbour of refuge for young Canadian minds like the one found in this article.
No one disagreed with that.
The chances of him being one of the success stories is still very close to zero. For every winner there are hundreds, if not thousands, of losers.
The sheer number of attempts means the big picture can - rightly - say Silicon Valley is the home to lots of success stories. That doesn't mean any individual has a good chance of success (unless they can survive lots, and lots, of failures).
"Unless of course he wants to work for banks, insurance, government, health care, universities and so on. You don't seem to live in Canada, eh?"
Given that he was previously 'acing' his courses (as reported in the article), he would appear to be a talented individual. Why would he want to work in sectors where IT professionals are traditionally poorly paid? I would imagine he would be far better off working in the private sector for a security consultancy.
The volte-face from the company concerned is almost comical. They have gone from a standpoint of 'you have to have permission to port-scan our software or we'll go after you' to 'well done, have a scholarship and a job'. The former attitude is laughable. The real black-hatters will have no qualms about running port scans and trying known methods of SQL injection to expose flaws in the software. They will do this in an untraceable manner, i.e. via botnets, or through a route such as TOR. The company is responsible for the flaw in their software - the attitude of demonising those who expose such flaws is just wrong-headed. For everyone who reports such an exploit to the appropriate people, you can be sure there are ten out there who would use it for nefarious purposes instead.
Allowing semi-public access to other people's private information for over a month is the real outrage of this story. Thinking that security by obscurity, by muzzling this kid, is the way to go is just horrible security practice. I hope Anonymous tears 'em a new one. And here I thought Canadians were a little less corporate and more tolerant and enlightened when it came to this stuff. Guess the fleas from the scalp have infested America's Hat as well.
@JDX: I'm not sure if this article is just stating one side. I see how you can explain it is, but do you feel it is? Your statement stands true by word though, undoubtedly.
The article might be a little one-sided, but do you not feel it gives enough of both sides to draw a personal conclusion from it, one that is probably correct? Mine is that a student found something, through interest, and then continued that interest through what the student found. I could be wrong, he could be more devious than let on, but it sounds very much like the college overreacted.
Also, I don't think you can draw lines of tolerance based on country of origin. The college's actions seem so quick and over the top, I think any country of the Western world would frown upon such actions taken within its education system. Again, personal opinion and could be wrong.
With an optimistic point of view, in regards to a minor situation such as this, I hope that most colleges would actually give some sort of counsel to the student to make the college's opinion more apparent before expulsion. Maybe this college did, but if they did, they apparently took counsel with the student half-assed. He surely wasn't told "Do it again, and you are expelled!"
If this resolution holds, as it is now, the student might want to think about moving to another country. I know that is bold, and maybe too witty of a statement, but one's education should never be taken lightly. You would think that the Canadian government would step in and say "Hold on college, is this really what is best?". Of course, that requires counsel, which apparently is pretty scarce in this case.
One of the main rules of university: don't rock the boat of those in charge. A troublesome student can easily "be got rid of".
It's amazing the correlation between showing the flaws in a situation and your coursework being low graded, exams unmarked and practical work assessments being forgotten about.
Oh please, not the old racism card again...
So the lad has a Middle-Eastern sounding name. That's completely irrelevant to his behaviour, good, bad or indifferent. I personally think he did the right thing by testing to make sure the hole was fixed, and ruining his entire career is indeed excessive punishment in my view.
But his race, creed, culture, religion, ancestry, sexuality, birthplace, you name it, has nothing to do with it, and this kind of over-the-top PC thinking that overuses accusations of racism, every goddamned time someone of non-European descent commits any kind of indiscretion and is punished for it, is doing more to undermine real fairness and tolerance than all the racist bigotry on every Stormfront-esque sinkhole on the Internet combined. It cheapens the concept until the cry of "racist" simply becomes meaningless noise.
So please, spare us the PC bellyaching and look at the issues from a race-neutral perspective: A student attempted, rightly or wrongly, to hack into his college computer system and was expelled for it - rightly or wrongly. No race or religion involved.
After a month of receiving no info the kid shouldn't have tested it; he should have just posted the vulnerability on BugTraq. He would not have then signed an NDA and it would be legal. Best of all, he would be helping to protect others' sensitive data, which the software company didn't seem to think was important.
That won't solve anything; they will just say "Yes, it is fixed" and it won't be, so it is completely pointless.
He is doing something to do with them. (Presumably the app was sanctioned; at least that is implied.)
His reputation could be tarnished by associating himself with something like this.
Society should not use the law to protect other people's ability to be inept.
(Schoolboys catching so-called professionals making schoolboy errors.)
The problem is the so-called professional, not the schoolboy.
Even schoolboys have to act professionally. There are laws here in Canada protecting the storage and handling of private information; just go ask Facebook for proof. However, the way this guy did it was totally inappropriate. You stumble upon a vulnerability? Report it properly to the software vendor and to the organization using the application. Wait for a month or more, contact them again and ask if the problem has been solved, and try to see if the vulnerability is still there, but don't scan the whole system; you are not an auditor. Just use the same test case that allowed you to prove the vulnerability. Then and only then can you go public, in case you feel the risk is still there. This is not the fastest way to correct the vulnerability, but surely it is the one that is safe for you.
Don't run any kind of scan against a production server/application without asking for permission. If you still do it, then you shall be prepared to bear the consequences. It is as simple as that. This guy should consider himself lucky because in the US, punishments would have been much harsher and his Arabic name would have deepened his trouble.
You should be able to do a rudimentary scan of any type of system that you are potentially adding your own information to. (Any respectable company would pass any off-the-shelf scan.)
The situation where it is illegal to make any checks as to the competence of a third party that you are trusting with your information is bad.
I don't do this due to the potential legal issues. But as far as I am concerned, the people doing these sorts of things no doubt call themselves professional etc. etc. whilst actually making schoolboy errors. (Ironically, errors that were not actually made by a real schoolboy capable of acting in a basic logical manner.)
I agree with you. However, the two issues are now separate. Suing the college will not prevent the college and the other third party pressing charges against him. He might get the college forced to reinstate him, but only after he serves the prison term for the other, unrelated offense. This is how law works.
I doubt such a lawsuit would work. After all, the server may be in the possession of the school, but they didn't develop nor maintain the software which was used on it. And if you can't prove that there have been any prior issues where data got leaked or stolen, you'll have a hard time proving identity theft.
Another point is that he also can't accuse the school of negligence. After all; the very moment he had reported the bug they started working on it right away and also checked their logs to see what happened and who and how the data got accessed. You can tell as much by their statements where they mentioned to have noticed him accessing that server section twice.
"Another point is that he also can't accuse the school of negligence. After all; the very moment he had reported the bug they started working on it right away and also checked their logs to see what happened and who and how the data got accessed. You can tell as much by their statements where they mentioned to have noticed him accessing that server section twice."
Well, you cannot tell that. What you can tell is them saying that. These are different things.
Also, a completely unrelated issue, but according to the article, he scanned the system and then within minutes got a call from the security company's president. Something wrong here? How did the guy get the kid's number? Did, perhaps, the college give it to Skytech, itself a breach (I presume) of Canadian law?
First of all, as others already pointed out, he didn't get expelled for identifying the flaw. He got expelled for "allegedly trying to exploit the flaw", where his story obviously is that he only wanted to check if the flaw had been fixed.
But seriously, no personal offence intended, but I think he acted pretty stupidly on several accounts. First the obvious part: after you have identified a bug, there are more ways to check if it was fixed. How about starting with using a little courtesy and asking the people involved? Then you could always jestingly ask: "So you wouldn't mind me trying it for myself?". Heck, if the whole story is true I bet they'd love him to check it out. It's simply the way he did it.
However, the biggest mistake was that he allowed himself to be bullied.
"If you don't sign this then we'll <insert legal threat here>".
The one and only right response at that moment is: "Ok, I will get my lawyer to look into that and we'll get back to you.". Because if you don't, as you can see here, you'll only tumble into the rabbit hole even deeper; and it doesn't even have to be the hole which the "bullies" dug for you.
Because right now he's also in violation of the agreement which he himself signed. Perhaps there's a way out of that mess, I dunno, but at this moment the only option he has left is to get a lawyer. And you can bet that it'll be a helluvalot more expensive than if he would have gotten a lawyer earlier on to look into the NDA and give some legal advice on that matter.
For a computer student I think he didn't play this very smart at all.
What, are IT students also expected to be savvy on contract law?
Interesting question; currently I am doing my MSc in IT and professional conduct is a required module. While the module won't turn us into lawyers, it is meant to give us enough knowledge to know when we need one.
Montreal and Quebec in general have seen an immigration of Muslims whose radicals want to impose their laws, religious laws, on the rest.
There is currently a vast resentment and tepid racism brewing and being from there, and having graduated from Dawson's Ineptitude, I would easily place my wager that things would have turned out different if his name was.
The uneducated in Montreal are usually racist. And it's spreading. Give that place a huge economic crash and a bullying loudmouth as leader and history may come back under a different guise.
I did a lot of silly things at uni, and got in trouble for some. My point is that uni is a place to learn things, and sometimes learning things involves making mistakes. I might have got expelled for doing similar things because I didn't think it was that big a deal, I didn't know it was illegal to run a port scanner, I wouldn't have had enough funds to lawyer up, and I know lecturers and admins would easily have intimidated me into signing an NDA.
As far as I can tell he was a bit silly and the other lot over-reacted, probably as a result of embarrassment; shame everybody couldn't learn from what happened.
To be fair it sounds as though curiosity got the better of him and he wanted a second go at the hole he'd uncovered, to see exactly what data he could pull through it. No doubt he envisioned a pat on the back, a wodge of social media likes on his blog and a bit of personal glory, and had no malicious intent at all.
The law however has to be pragmatic. There will always be imperfect, buggy and vulnerable software and often the world just has to live with it, and so the law needs to offer some protection from people who CAN cause damage with the exercise of their skills (although SQL injection is often laughably trivial). There are plenty of open source applications to poke holes in, so why not install one of those and have a go, instead of accessing a production system with real data on it?
"He told me that I could go to jail for six to twelve months for what I had just done and if I didn't agree to meet with him and sign a non-disclosure agreement he was going to call the Royal Canadian Mounted Police (RCMP) and have me arrested. So I signed the agreement."
I bet this useless database company - SKYTECH / OMNIVOX - wouldn't have the balls to sue him, especially in Quebec where the provincial Supreme Court has a bit of a relaxed idea of life.
He should have been advised to get ILA (independent legal advice) by the allegedly blackmailing SKYTECH / OMNIVOX. Still, he has the opportunity to tell the RCMP to whistle Dixie, as he is not required to answer any questions asked of him - unlike the freedom-hugging UK.
Let's hope ANONYMOUS does work the slime-buckets over well. Let's hope they also release the Social Insurance Numbers - which only have 5 lawful uses in Canada and cannot be used as a national identity number (even by the various governments of Canada).
Dawson College used to have a reputation for quality but now even their diplomas - churned out like a diploma mill - aren't printed on the best paper.
The company is the developer of the application; they might also be administering it for the college, which decided to outsource the application's administration. But in either case, the developer doesn't have access to the students' records! The college has no right to allow a third party to access the students' records without informing the students first.
If the outsourcing company suspected misconduct, they should have reported the misconduct to the college staff and/or the police; using their privilege over the data to access the student's record in order to call him at home is an invasion of privacy.