Student claims code flaw spotting got him expelled from college

A Canadian computer science student is claiming he was expelled after identifying a gaping security hole in administrative software his college was using. Ahmed Al-Khabaz, a 20 year-old student at Dawson College in Montreal, told the National Post that he and a friend had been developing a mobile app for students to access …

COMMENTS

This topic is closed for new posts.
            1. MachDiamond Silver badge

              Re: lucky escape

              Failure is not an option, it comes as standard.

            2. Anonymous Coward
              Anonymous Coward

              Re: lucky escape

              You meant young criminal Canadian minds. And if the US Homeland Sec Dept. will hear about his accomplishments then I suspect that on his way to Silicon Valley he might be detoured to some Middle-East country.

              1. Robert Helpmann??
                Childcatcher

                Re: lucky escape

                ...on his way to Silicon Valley he might be detoured to some Middle-East country.

                I was unaware that Cuba is located in the Middle East.

            3. Anonymous Coward
              Anonymous Coward

              Re: lucky escape

              Your posting shows how little you understand Silicon Valley

              And, ironically, your post shows you don't seem to have read mine.

              a place where failure is an option because out of it something else will arise.

              Great for the valley, sucks for the failure.

              It's not for the timid or the risk averse, who are afraid to try because they are afraid to lose.

              Which was my point. Silicon Valley is great for start ups where there is a safety net. You can only have a high tolerance for risk when there is a high buffer. Failure is less painful, and less permanent for those from rich families or with wealthy enough friends that when it goes off the rails they can still eat.

              No it is probably not for the likes of you

              I am not sure what that is supposed to mean, or what idea you have about who I am, where I live or what I do.

              ...nor for me anymore, but as far as I still know it still draws some of the brightest and most innovative people on earth. Silicon Valley is a harbour of refuge for young Canadian minds like the one found in this article.

              No one disagreed with that.

              The chances of him being one of the success stories are still very close to zero. For every winner there are hundreds, if not thousands, of losers.

              The sheer number of attempts means the big picture can - rightly - say Silicon Valley is the home to lots of success stories. That doesn't mean any individual has a good chance of success (unless they can survive lots, and lots, of failures).

      1. Loyal Commenter Silver badge

        Re: lucky escape

        "Unless of course he wants to work for banks, insurance, government, health care, universities and so on. You don't seem to live in Canada, eh?"

        Given that he was previously 'acing' his courses (as reported in the article), he would appear to be a talented individual. Why would he want to work in sectors where IT professionals are traditionally poorly paid? I would imagine he would be far better off working in the private sector for a security consultancy.

        The volte-face from the company concerned is almost comical. They have gone from a standpoint of 'you have to have permission to port-scan our software or we'll go after you' to 'well done, have a scholarship and job'. The former attitude is laughable. The real black-hatters will have no qualms about running port scans and trying known methods of SQL injection to expose flaws in the software. They will do this in an untraceable manner, i.e. via bot nets, or through a route such as TOR. The company is responsible for the flaw in their software - the attitude of demonising those who expose such flaws is just wrong-headed. For everyone who reports such an exploit to the appropriate people, you can be sure there are ten out there who would use it for nefarious purposes instead.

  1. Anonymous Coward
    Anonymous Coward

    So are we sure this isn't just a bad excuse, because he'd been caught?

    1. asdf

      hmm

      Allowing semi-public access to other people's private information for over a month is the real outrage of this story. Thinking security by obscurity by muzzling this kid is the way to go is just horrible security practice. I hope Anonymous tears 'em a new one. And here I thought Canadians were a little less corporate and more tolerant and enlightened when it came to this stuff. Guess the fleas from the scalp have infested America's Hat as well.

    2. JDX Gold badge

      Well we only really hear his side of the story. So quite possibly.

      1. Anonymous Coward
        Thumb Up

        Really just one side?

        @JDX: I'm not sure if this article is just stating one side. I see how you can explain it is, but do you feel it is? Your statement stands true by word though, undoubtedly.

        The article might be a little one sided, but do you not feel it gives enough of both sides to draw a personal conclusion from it, one that is probably correct? Mine is that a student found something, through interest, and then continued that interest through which the student found. I could be wrong, he could be more devious than let on, but it sounds very much like the college overreacted.

        Also, I don't think you can draw lines of tolerance based on country of origin. The college's actions seem so quick and over the top, I think any country of the Western world would frown upon such actions taken within its education system. Again, personal opinion and could be wrong.

        With an optimistic point of view, in regards to a minor situation as this, I hope that most colleges would actually give some sort of counsel to the student to make the college's opinion more apparent before expulsion. Maybe this college did, but if they did, they apparently took counsel with the student half-assed. He surely wasn't told "Do it again, and you are expelled!"

        If this resolution holds, as it is now, the student might want to think about moving to another country. I know that is bold, and maybe too witty of a statement, but one's education should never be taken lightly. You would think that the Canadian government would step in and say "Hold on college, is this really what is best?". Of course, that requires counsel, which apparently is pretty scarce in this case.

  2. Dr. G. Freeman
    Coat

    Doesn't surprise me

    One of the main rules of university: don't rock the boat of those in charge. A troublesome student can easily "be got rid of".

    It's amazing the correlation between showing the flaws in a situation and your courseworks being low graded, exams unmarked and practical work assessments being forgotten about.

    1. asdf

      Re: Doesn't surprise me

      Especially if the kid unfortunately has a name that sounds not so Canadian eh?

      1. Poor Coco
        Thumb Down

        Re: Doesn't surprise me

        This is MONTREAL, not Ontario, so cut out the fucking “eh”s.

        1. Anonymous Coward
          Anonymous Coward

          Re: Doesn't surprise me

          @Poor Coco,

          Oui.

      2. Steven Roper
        Facepalm

        @asdf

        Oh please, not the old racism card again...

        So the lad has a Middle-Eastern sounding name. That's completely irrelevant to his behaviour, good, bad or indifferent. I personally think he did the right thing by testing to make sure the hole was fixed, and ruining his entire career is indeed excessive punishment in my view.

        But his race, creed, culture, religion, ancestry, sexuality, birthplace, you name it, has nothing to do with it, and this kind of over-the-top PC thinking that overuses accusations of racism, every goddamned time someone of non-European descent commits any kind of indiscretion and is punished for it, is doing more to undermine real fairness and tolerance than all the racist bigotry on every Stormfront-esque sinkhole on the Internet combined. It cheapens the concept until the cry of "racist" simply becomes meaningless noise.

        So please, spare us the PC bellyaching and look at the issues from a race-neutral perspective: A student attempted, rightly or wrongly, to hack into his college computer system and was expelled for it - rightly or wrongly. No race or religion involved.

        1. Anonymous Coward
          Anonymous Coward

          @Steven Roper - Re: @asdf

          It's not at all about racism here. In case you didn't get it, it's just that some or all of the three letter US govt agencies are a little bit more picky when it comes about a certain race,

    2. JDX Gold badge

      Re: Doesn't surprise me

      It's hardly rocket science that if you piss people off they will be biased against you.

  3. Anonymous Coward
    Anonymous Coward

    Sorry but spotting a hole is one thing. But it is not his job to monitor progress on it being closed. If you want to know if it had been fixed you do it the correct way by talking to a person, not using an audit tool.

    1. asdf

      Yep

      After a month of receiving no info the kid shouldn't have tested it, he should have just posted the vulnerability on BugTraq. He would not have then signed an NDA and it would be legal. Best of all he would be helping to protect others' sensitive data, which the software company didn't seem to think was important.

    2. This post has been deleted by its author

    3. h3

      RE : AC 21:10

      That won't solve anything they will just say "Yes it is fixed" and it won't be so it is completely pointless.

      He is doing something to do with them. (Presumably the App was sanctioned, at least that is implied).

      His reputation could be tarnished by associating himself with something like this.

      Society should not use the law to protect other peoples ability to be inept.

      (Schoolboys catching so called professionals making schoolboy errors.)

      The problem is the so called professional not the schoolboy.

      1. Anonymous Coward
        Anonymous Coward

        @h3 - Re: RE : AC 21:10

        Even schoolboys have to act professionally. There are laws here in Canada protecting the storage and handling of private information, just go ask Facebook for a proof. However, the way this guy did it was totally inappropriate. You stumble upon a vulnerability? Report it properly to the software vendor and to the organization using the application. Wait for a month or more, contact them again and ask if the problem has been solved, and try to see if the vulnerability is still there but don't scan the whole system, you are not an auditor. Just use the same test case that allowed you to prove the vulnerability. Then and only then you can go public in case you feel the risk is still there. This is not the fastest way to correct the vulnerability but surely it is the one that is safe for you.

  4. Anonymous Coward
    Anonymous Coward

    This is a basic rule nobody should ignore.

    Don't run any kind of scanning of a production server/application without asking for permission. If you still do it then you shall be prepared to bear the consequences. It is as simple as that. This guy should consider himself lucky because in the US, punishments would have been much harsher and his Arabic name would have deepened his trouble.

  5. h3

    You should be able to do a rudimentary scan for any type of system that you are potentially adding your own information to. (Any respectable company would pass any off-the-shelf scan.)

    The situation where it is illegal to make any checks as to the competence of a 3rd party that you are trusting with your information is bad.

    I don't do this due to the potential legal issues. But as far as I am concerned the people doing these sort of things no doubt call themselves professional etc etc whilst actually making schoolboy errors. (Ironically, errors that were not actually made by a real schoolboy capable of acting in a basic logical manner).

    1. Anonymous Coward
      Anonymous Coward

      Great!

      Now go tell this to the US Department of Homeland Security. It's a place that might store your personal info and they will be delighted to sit down with you and have a talk. Oh, and before doing this, you had better cancel all your appointments for the next few weeks or maybe months.

    2. Oninoshiko
      Thumb Up

      I feel for the kid

      His information was on this server. He was making sure they were taking proper precautions to protect his information. Personally, I think he should file suit for them putting him (and the rest of the student body) at risk for identity theft.

      1. Anonymous Coward
        Anonymous Coward

        @Oninoshiko - Re: I feel for the kid

        I agree with you. However, the two issues are now separate. Suing the college will not prevent the college and the other third party pressing charges against him. He might get the college being forced to reinstate him but only after he serves the prison term for the other unrelated offense. This is how law works.

      2. Anonymous Coward
        Anonymous Coward

        @Oninoshiko

        I doubt such a lawsuit would work. After all; the server may be in the possession of the school, but they didn't develop nor maintain the software which was used on it. And if you can't prove that there have been any prior issues where data got leaked or stolen you'll have a hard time proving identity theft.

        Another point is that he also can't accuse the school of negligence. After all; the very moment he had reported the bug they started working on it right away and also checked their logs to see what happened and who and how the data got accessed. You can tell as much by their statements where they mentioned to have noticed him accessing that server section twice.

        1. DavCrav

          Re: @Oninoshiko

          "Another point is that he also can't accuse the school of negligence. After all; the very moment he had reported the bug they started working on it right away and also checked their logs to see what happened and who and how the data got accessed. You can tell as much by their statements where they mentioned to have noticed him accessing that server section twice."

          Well, you cannot tell that. What you can tell is them saying that. These are different things.

          Also, a completely unrelated issue, but according to the article, he scanned the system and then within minutes got a call from the security company's president. Something wrong here? How did the guy get the kid's number? Did, perhaps, the college give it to Skytech, itself a breach (I presume) of Canadian law?

  6. Anonymous Coward
    FAIL

    He played it pretty dumb...

    First of all, as others already pointed out, he didn't get expelled for identifying the flaw. He got expelled for "allegedly trying to exploit the flaw", where his story obviously is that he only wanted to check if the flaw had been fixed.

    But seriously, no personal offence intended, but I think he acted pretty stupid on several accounts. First the obvious part; after you identified a bug there are more ways to check if it was fixed. How about starting with using a little courtesy and asking the people involved? Then you could always jestingly ask: "So you wouldn't mind me trying it for myself?". Heck; if the whole story is true I bet they'd love him to check it out. It's simply the way he did it.

    However, the biggest mistake was that he allowed himself to be bullied.

    "If you don't sign this then we'll <insert legal threat here>".

    The one and only right response at that moment is: "Ok, I will get my lawyer to look into that and we'll get back to you.". Because if you don't, as you can see here, you'll only tumble into the rabbit hole even deeper; and it doesn't even have to be the hole which the "bullies" dug for you.

    Because right now he's also in violation of the agreement which he himself signed. Perhaps there's a way out of that mess, I dunno, but at this moment the only option he has left is to get a lawyer. And you can bet that it'll be a helluvalot more expensive than if he would have gotten a lawyer earlier on to look into the NDA and give some legal advice on that matter.

    For a computer student I think he didn't play this very smart at all.

    1. Thorne

      Re: He played it pretty dumb...

      "For a computer student I think he didn't play this very smart at all."

      Running scanning software traceable back to him wasn't smart. If you want to report security bugs, do it anonymously because no good deed goes unpunished...

    2. Poor Coco
      WTF?

      Re: He played it pretty dumb...

      “For a computer student I think he didn't play this very smart at all.”

      What, are IT students also expected to be savvy on contract law?

      How about this — he signed that stupid agreement under coercion, which invalidates his signature?

      1. Anonymous Coward
        Anonymous Coward

        Re: He played it pretty dumb... @ Poor Coco

        What, are IT students also expected to be savvy on contract law?

        Interesting question, currently I am doing my MSc in IT and professional conduct is a required module. While the module won't turn us into lawyers, it is meant to give us enough knowledge to know when we need one.

    3. dssf

      Re: He played it pretty dumb...

      It should NEVER be legal to coerce a victim to agree to a flawed NDA, and then further manipulate said party further downstream.

  7. bag o' spanners
    Meh

    Sniffer wars! Build a better mouse.

  8. Dragon Leaves
    Childcatcher

    Montreal or Berlin?

    Montreal and Quebec in general have seen an immigration of Muslims whose radicals want to impose their laws, religious laws, on the rest.

    There is currently a vast resentment and tepid racism brewing and being from there, and having graduated from Dawson's Ineptitude, I would easily place my wager that things would have turned out different if his name was.

    The uneducated in Montreal are usually racist. And it's spreading. Give that place a huge economic crash and a bullying loudmouth as leader and history may come back under a different guise.

    1. This post has been deleted by its author

  9. fnusnu

    Schoolboy?

    He's 20. Seventy years ago people that age were flying night-time bomber raids over Germany. They knew right from wrong...

    1. Aitor 1
      Mushroom

      Re: Schoolboy?

      Doing the right thing.. Dresden maybe?

      He is naive.. and should get punished, but not that way.

    2. Anonymous Coward
      Anonymous Coward

      Re: Schoolboy?

      "... They knew right from wrong..."

      Absolutely! —this young whippersnapper should be up there in a bomber, killing people in their thousands, not poking about in databases.

      The youth of today, eh?

  10. Richard 120

    I did a lot of silly things at uni, got in trouble for some. My point is that uni is a place to learn things, sometimes learning things involves making mistakes. I might have got expelled for doing similar things because I didn't think it was that big a deal, and I didn't know it was illegal to run a port scanner and I wouldn't have had enough funds to lawyer up and I know lecturers and admins would easily have intimidated me into signing an NDA.

    As far as I can tell he was a bit silly and the other lot over-reacted, probably as a result of embarrassment; shame everybody couldn't learn from what happened.

  11. Jeff 11

    To be fair it sounds as though curiosity got the better of him and he wanted a second go at the hole he'd uncovered, to see exactly what data he could pull through it. No doubt he envisioned a pat on the back, a wodge of social media likes on his blog and a bit of personal glory, and had no malicious intent at all.

    The law however has to be pragmatic. There will always be imperfect, buggy and vulnerable software and often the world just has to live with it, and so the law needs to offer some protection from people who CAN cause damage with the exercise of their skills (although SQL injection is often laughably trivial). There are plenty of open source applications to poke holes in, so why not install one of those and have a go, instead of accessing a production system with real data on it?

  12. JaitcH
    WTF?

    A coerced agreement has no validity

    "He told me that I could go to jail for six to twelve months for what I had just done and if I didn't agree to meet with him and sign a non-disclosure agreement he was going to call the Royal Canadian Mounted Police (RCMP) and have me arrested. So I signed the agreement."

    I bet this useless database company - SKYTECH / OMNIVOX - wouldn't have the balls to sue him, especially in Quebec where the provincial Supreme Court has a bit of a relaxed idea of life.

    He should have been advised to get ILA (independent legal advice) by the allegedly blackmailing SKYTECH / OMNIVOX. Still, he still has the opportunity to tell the RCMP to whistle Dixie as he is not required to answer any questions asked of him - unlike the freedom hugging UK.

    Let's hope ANONYMOUS does work the slime-buckets over well. Let's hope they also release the Social Insurance Numbers - which only have 5 lawful uses in Canada and cannot be used as a national identity number (even by the various governments of Canada).

    Dawson College used to have a reputation for quality but now even their diplomas - churned out like a diploma mill - aren't printed on the best paper.

    1. JaitcH
      FAIL

      Re: A coerced agreement has no validity - We have a problem Montreal

      403 - Forbidden: Access is denied is returned from Skytech - the sloppy software company.

      Has Anonymous been busy?

      1. JaitcH
        FAIL

        Re: A coerced agreement has no validity - We have a problem Montreal (2)

        The 403 Disease spreads.

        http://www.dawsoncollege.qc.ca/

        403 - Forbidden: Access is denied.

        You do not have permission to view this directory or page using the credentials that you supplied.

  13. Anonymous Coward
    WTF?

    Strike 2, you're out!

    He turned informant on his own the 1st time. The 2nd time makes him dishonorable? Seems a bit paranoid of the college to be so hasty. He should try and move south.

  14. Anonymous Coward
    Anonymous Coward

    Yada, yada, yada...

    Bad choices can land you in jail. He just got a real life learning experience. He could be in jail so he should count his blessings. If he doesn't know better than to "test" the system, he will be seeing a lot of vertical bars in his future.

  15. Anonymous Coward
    Anonymous Coward

    how did they get his phone number?

    The company is the developer of the application, they might also be administrating it for the college that decided to outsource the application's administration. But in either case, the developer doesn't have access to the students' records! The college has no right to allow a 3rd party to access the students' records without informing the students first.

    If the outsourcing company suspected misconduct, they should have reported the misconduct to the college staff and/or the police; using their privilege over the data to access the student's record in order to call him at home is an invasion of privacy.

    1. graeme leggett Silver badge

      Re: how did they get his phone number?

      Perhaps it had been supplied when he reported the flaw in the first instance.

      1. Tom Jasper
        Facepalm

        Re: how did they get his phone number?

        Perhaps they walked in through the front door of their database web interface and found it there ;)

        Good to see http://www.skytech.com/ is #403 as well - partial justice for their protectionist behaviour.

  16. mIRCat
    Headmaster

    I assume they have the signed and dated forms from his original 'warning'. Anything less than that and they look like prats.
