Student claims code flaw spotting got him expelled from college

A Canadian computer science student is claiming he was expelled after identifying a gaping security hole in administrative software his college was using. Ahmed Al-Khabaz, a 20 year-old student at Dawson College in Montreal, told the National Post that he and a friend had been developing a mobile app for students to access …

COMMENTS

  1. Anonymous Coward
    Anonymous Coward

    These computer laws need real exemptions for security researchers.

    ... and Colleges & Government Agencies need to be held legally accountable for continuing to use unsafe and insecure software.

    1. LarsG
      Meh

      Be Honest

      He was a naughty boy, he got caught being a naughty boy and should have got his backside slapped for being a naughty boy. What he did was illegal, he could have asked if he could run his software to check, but he did not.

      I think he was just a clever lad acting the prat overestimating his own importance.

      However the punishment really does not fit the crime, being a prat is not a crime, it is just being stupid. Censure him yes, expel him no. A kick up the arse and some menial tasks for the next three months would have been quite sufficient.

      1. Anonymous Coward
        Anonymous Coward

        Re: Be Honest

        "being a prat is not a crime ... " No but it should be. Third degree Asshole sounds about right.

        1. Anonymous Coward
          Anonymous Coward

          Re: Be Honest

          The number of times one finds a flaw and decides "Maybe I'll take a gander and see if they've fixed that critical flaw" and they haven't bothered is far higher than the number of times you take a gander and they have.

          The school board in question should have their servers shut down for illegally leaking private information to anyone who can be bothered to steal it and their administrators and people that told the administrators to keep the net links open should all be tried for gross misconduct.

      2. Anonymous Coward
        Anonymous Coward

        Re: Be Honest

        Nope the answer clearly here is don't. When I worked at a large telco a long time ago there were several back doors in the security systems. I knew quite clearly that pointing these out could only lead to trouble, or even recognition by management, as someone capable of circumventing security. I kept these things to myself and a close group of friends, and used them occasionally when required, always starting from a machine not normally used by me and from dead accounts. One person let into the know of one of the exploits, got caught and in a lot of trouble. He kept the scripts unencrypted on a unix account in his name. twat. I even had mine encrypted with a C program I specially wrote for the purpose, a C program I still use (but only now for my naughty pictures/vids of ex-gfs collection)...o0o... Never reveal what they fear, security exploits, it can only get you in trouble and potentially remove a resource you may need at some point in the future.o0o.

      3. GotThumbs
        Boffin

        Re: Be Honest OK. Let's be honest...

        He was simply verifying that his personal data was now secured.

        If you know there was a chance your personal data was vulnerable, you'd be a Prat for not double-checking it was now secured.

        What He did was expose a security threat, but did not steal any data. Haven't you ever double-checked to see that a door was closed/locked? That's what He was doing.

        It would be a different story if he actually downloaded any data.

        The School and Company are the ones who were embarrassed and should feel guilty for not having secured all the students personal data in the first place.

    2. Anonymous Coward
      Anonymous Coward

      Re: These computer laws need real exemptions for security researchers.

      Finding the flaw was not illegal, having a rummage around the second time was, so in essence he was not expelled for finding the flaw, he was expelled for having a rummage around.

      This is not illegal in English Public Schools, but it is in Canadian Colleges.

      1. dssf

        Re: These computer laws need real exemptions for security researchers.

        "Illegal" in Canadian Colleges? How can something a college declares illegal carry the weight of effectively banning him from colleges everywhere?

        Somebody start a crowdfunding campaign for that student! No, make it two campaigns: one to fund him for self-education so he can later on audit his way out of that university, and a second campaign to fund his legal team.

        Maybe a third fund to compel the school to stop acting the way it did. Once he found the hole, they should have plugged it, considering all the privacy info at risk. This is not some leisurely walk in the park to fix, but banking on security through obscurity, and letting the sci-fi named chummy vendor rest on its laurels is something ANY uni should be smacked and impaled for.

        A worse thought came to mind: the hole was engineered to allow privileged other parties (legal or criminal in intent) to backdoor intrude on the students and possibly the rest of the people on the campus. Someone should do a background investigation on the vendor, their relations to the school, and why they carried not enough clout to keep the school off the student's back.

        By poking the second time, I think he had every right, since as a member of the campus, his own privacy data and that of friends and possibly faculty, staff, professors, and deans for whom he cared were at risk, too. SO, to my mind, he was exercising due diligence -- provided he was not instrumenting his own back doors or any booby traps. He seems to have wanted to be in a position to compel the school to fix the damned situation. All the money the deans and faculty and their alumni-oriented pet projects suck down, there could have been an emergency borrowing to plug the hole even if it meant using an outside auditor and repair team.

        But, people LOVE to cover their own asses and those of their friends, lest those friends become frenemies.

        Too bad most crowd funding sites don't seem to make it easy for mass actors to escrow a fund managed by a bank, so that angry people can support someone without having to directly manage the funds. Fire-and-forget funding campaigning should be possible, so long as the recipient is not a terrorist or paedophile or "banned" person who might be the vector of jailing of well-meaning actors.

      2. Wize

        Re: These computer laws need real exemptions for security researchers.

        "Finding the flaw was not illegal, having a rummage around the second time was, so in essence he was not expelled for finding the flaw, he was expelled for having a rummage around."

        Depends if he was having a rummage or checking to make sure they secured the hole to keep his own data safe and kick up a fuss if not.

        And if he had malicious intent, the lad sounds bright enough to cover his trail before getting in.

        If the site owners were worried that an unauthorised program might crash their server, they need to fix that server against someone who wants to bring it down.

    3. Agarax
      Meh

      Re: These computer laws need real exemptions for security researchers.

      I think they overreacted, but I can see why they got upset.

      It's one thing to notice a vulnerability during development of an application and report it to the university, for which he was rightfully praised..

      It's another thing to fire up a vulnerability scanner and start hammering away at the system to see if it was fixed. This is a big no-no. As any pentester will tell you, you don't do crap to someone else's system without a signed contract.

      I think expulsion is going too far, I would have limited it to some kind of official reprimand.

      1. Roland6 Silver badge

        Re: These computer laws need real exemptions for security researchers.

        >It's another thing to fire up a vulnerability scanner and start hammering away at the system

        He was a computer science student working on the college network, he is therefore entitled to treat everything on the college network as fair game for furthering his education - we did! If the college is stupid enough not to have locked their network and systems down to prevent students gaining unhindered access to key business systems then they deserve to have their network and such systems to be brought down.

    4. James Micallef Silver badge

      Someone is telling porkies

      According to the board that expelled him, he already had a 'prior warning' and this is why he was expelled. Such a prior warning would have had to be given in writing and a record of it would exist, so either the board expelled him punitively for exposing their data-protection fail and are telling porkies, or the student isn't as innocent as he's making out.

      Either way, (1) there would be a record of prior warning, therefore it should be fairly straightforward to establish who's right and (2) the article does not manage to delve in deep enough to find this out.

      Therefore any comments on the article taking one side or the other are pretty spurious

      1. Anonymous Coward
        Anonymous Coward

        Re: Someone is telling porkies

        Having peripheral experience with a large university justice system (technically I was mugged for a pizza and it took over a year before they brought the culprits up on disciplinary charges), my money is on the University. They moved way too fast for this to not be a feeble attempt at a face saving PR move. With the predictable result that it will generate even more negative PR.

    5. Anonymous Coward
      Anonymous Coward

      Re: These computer laws need real exemptions for security researchers.

      Several years ago, I accidentally (not doing anything I shouldn't) discovered a major security flaw in my company's systems. I told them about it.

      Instead of thanking me they dismissed me on a false charge and buried it under the carpet.

      I'd advise you, if you find such a thing, to keep quiet and let the company take a fall, rather than yourself.

      Bastards.

      1. Anonymous Coward
        Anonymous Coward

        Re: These computer laws need real exemptions for security researchers.

        @AC 22nd 14:37

        "Instead of thanking me they dismissed me on a false charge and buried it under the carpet."

        Sounds like something was on there they didn't want you seeing and were worried about it getting out.

        Maybe the best thing to do is dump the whole thing to your own removable storage, take it offsite, then tell them about the flaw. Then you still have access to whatever juicy blackmail material they are getting twitchy about.

        Or maybe just tell them you have done so with your best poker face on.

  2. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Re: I would imagine...

      Erm, no! This is Canada in case you missed it.

      1. JaitcH
        WTF?

        Re: I would imagine...Canadians don't sue?

        Get real, we take lessons from the USA every day AND our privacy protections are way, way better than the UK.

      2. Dave Bell

        Re: I would imagine...

        And lucky for him that he is in Canada: the combination of US law and the ethnicity suggested by his name would be really bad. The prosecutor would be threatening him with a few decades in jail by now.

        1. Anonymous Coward
          Anonymous Coward

          Re: I would imagine...

          Don't worry, the Harper government is doing everything it can to equal any stupidity of American law in Canada.

    2. JimC

      Re: I would imagine...

      Yeah, because what security firms really need are people who don't follow procedures and scan systems without permission or notification.

      He's probably just a script kiddy anyway, seems to me an awful lot of self-styled "security researchers" are.

      1. Anonymous Coward
        Anonymous Coward

        Re: I would imagine...

        I am reading the comments and just realised that as IT professionals we are all cracked.

        I should have the right to scan any system that stores my info. In fact since running a scan is so commonplace, we should all have the right to scan any system we intend to do business with before we commit ourselves to a transaction and putting our financial well being and security at risk.

        If the chap could run a simple scan and find such severe vulnerabilities, the laws should be on his side not against him. Instead the law should so severely penalize the software company as to make it close shop.

        We keep punishing the individuals who sometimes with little or no hacking or cracking skills "BREAK" into these insecure systems. We make big headlines calling them hackers and PERSECUTE them in the guise of protecting us the minions. Wouldn't it be more effective to have laws that penalize the companies whose careless coding and administration put their clients' info at risk instead?

        Just saying that the laws are stupid. They should be focused on intent and on truly protecting consumers, not incompetent software companies.

        1. Martin
          Happy

          Re: I would imagine...

          I should have the right to scan any system that stores my info. In fact since running a scan is so commonplace, we should all have the right to scan any system we intend to do business with before we commit ourselves to a transaction and putting our financial well being and security at risk.

          Hmmm.

          By that analogy, I should try to steal something from a shop before I decide whether I should buy something from them. If I fail, or I'm caught, then fine - I should shop there in future. Presumably after I've served my sentence for theft.

          1. Mr. Nobby
            Pirate

            Re: I would imagine...

            No... by that logic you should be allowed to attempt to rob a bank before deciding whether or not to do business there.

            Shops aren't storing your sensitive information. You could attempt to steal customers credit card info from a shop prior to deciding on whether to shop there though, or just use cash.

            1. Nick Ryan Silver badge

              Re: I would imagine...

              @Mr. Nobby

              I think it's more apt that you do a bit of due diligence and look around the bank before lending them your money. Are there doors and walls, is there some form of security, do the staff walk around in orange jail house suits? :)

              Most of the time we rely on blind trust that there's not a wide open door at the back where anybody with a clipboard can walk in and out and access whatever they feel like.

        2. Cheapster
          Thumb Up

          Re: I would imagine...

          I couldn't agree more. The idea that using these simple scanning tools, which are legal, must be regulated by law is preposterous. The college have a duty to protect data, part of that is making data available when needed. They appear to be saying that their network is so weak that running scans will take down the system. That means they don't have a legal system and need to get it fixed. They should also be punished for failing to protect users data in both senses.

          Running a security scan can slow things down and potentially break systems, however if I was to test the doors of the cars on my street without any intention of opening the door I'm not sure I could be prosecuted.

          In network security it appears that I could be prosecuted rather heavily with no malicious intent. Doesn't seem right.

      2. Jonathan Richards 1

        ...self-styled "security researchers"

        This is the danger: the security research software tools are all out there, and available to people who have any minimal interest and maybe even less than minimal competence to operate them. Sure, pointing a penetration test suite at some network may produce interesting results, but that doesn't make you a "security researcher", any more than rushing around in camo firing an assault rifle would make you a "soldier". In both cases, there's professionalism involved. This young man was working his way towards that, seemingly, when he made an error of judgement. I don't see that his career should be terminated just because Dawson College itself no longer wishes to teach him.

    3. Anonymous Coward
      Anonymous Coward

      Re: I would imagine...

      I would imagine someone from one of the security firms will be calling him shortly to offer him a job, get him on a uni course and pay his fees.

      Bet they don't.

      I suspect his future will actually be a series of increasingly menial jobs which further undermine his employability in the field that interests him until the point at which he cracks and tries some criminal hacking, only to be caught because he is - at the heart - just a script kiddie. Short spell in prison to further ensure he struggles to get a real job and his life can continue to decline.

      There are rarely any rewards for "doing the right thing" in this manner. (ignoring the argument about his secondary nessus scan)

      1. James Loughner
        Holmes

        Re: I would imagine...

        Would you like to eat your words???

        The Dawson College computer science student who was expelled after discovering a security breach in a system used by students across Quebec has been offered a scholarship by the company behind the software.

        "We will offer him a scholarship so he can finish his diploma in the private sector," said Edouard Taza, the president of Skytech.

        ww.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html

        1. Anonymous Coward
          Anonymous Coward

          Re: I would imagine...

          so now they have decided that, as the story's spiraling out of control and putting their company in bad light, they should make a strategic move ("how to turn a PR disaster into a success story for the Dummies") and use it to their advantage, by offering scholarship?

          no-no-no, you got it all wrong, they meant it to reward him from the start, but of course, it's just those bad, bad, bad mass-media mis-presenting the company's viewpoint.

          Whatever, smart move. Unless their stand was, in fact, mis-presented and they were, in effect, forced to reward this guy (who MIGHT not be as innocent as he claims), to avoid this pr hit...

        2. Anonymous Coward
          Anonymous Coward

          Re: I would imagine...

          The Dawson College computer science student who was expelled after discovering a security breach in a system used by students across Quebec has been offered a scholarship by the company behind the software.

          "We will offer him a scholarship so he can finish his diploma in the private sector," said Edouard Taza, the president of Skytech.

          I'm impressed - that's actually an intelligent response. On the one side, they get control over the one person who has the facts of their vulnerability and is thorough enough to check up on it (but stupid enough to do this without formal permission - I hope he learned his lesson). Secondly, it flags to the college that they have gone WAY over the top (and that's even after assuming that that "we gave him a formal warning" statement agrees with the facts). Thirdly they stop the adverse publicity which the college doesn't seem to care about, but which would have been bad PR for the company. This approach makes it positive.

          As I said, I'm impressed. That's an unusually intelligent response.

      2. Grogan Silver badge

        Re: I would imagine...

        "Bet they don't"

        Bet they did... the same company whose software vulnerability he exposed, Skytech, offered him a (private sector, meaning commercial vocational school) scholarship and a job.

        Much to the dismay of all the authoritarian types in the peanut gallery, I would say his career just got a boost from this episode. Out of that silly provincial college, and into a real institute of technology program that will actually lead to a real job that he'll walk right into, right now.

        1. wowfood

          Re: I would imagine...

          Sounds to me like pity. He caught them off guard and found a hole which is embarrassing. Given a few weeks they still hadn't fixed what I imagine must be a fairly big problem and then their automated features got him expelled. They probably thought "Shit, we just got a kid expelled for doing the right thing, this is going to reflect bad on us QUICK GET HIM A JOB!"

        2. Dave Bell

          Re: I would imagine...

          He'd better behave himself. If they catch him being "unprofessional", by their standards, I bet the job vanishes. It's a pretty good deal from their PoV, they have a talented candidate, and they can check him out before he gets near anything critical to them.

        3. Anonymous Coward
          Anonymous Coward

          Re: I would imagine...

          Bet they did... the same company whose software vulnerability he exposed, Skytech, offered him a (private sector, meaning commercial vocational school) scholarship and a job.

          Ah, the wonders of a bit of publicity change the balance. The lesson for all future "black hat-white hat wannabes" is now create as much of a public furore as possible. Excellent.

          The reality is that for every instance like this, there are dozens and dozens of others whereby the person's life is ruined and the likelihood is still that this guy's career isn't going anywhere special.

          This isn't about being authoritarian - it is simply how businesses work. Banks don't hire bank robbers etc.

          The biggest problem about this feeding into the myth is that it stops "society" going back to the source of the problem and fixing the crazy ideas that led to this whole farce.

          1. Anonymous Coward
            Anonymous Coward

            Re: Banks don't hire bank robbers etc.

            Maybe not directly, but consultancies work. And it depends on a variety of other things. I worked with a convicted con once. He decided to go straight before I worked for him. Still a bit of a temper on him, but you couldn't find a harder worker or someone more forthcoming about ratting out security problems. His juvey conviction was for boosting cars.

            Oh and yes, we routinely configured teller stations for a number of banks.

      3. stanimir

        Re: I would imagine...

        The derogatory used term script kiddie implies no security research. Mind you he found the vulnerability on his own.

    4. Electric Panda
      Mushroom

      Re: I would imagine...

      I wish people would stop saying this.

      I work in the information/computer security sector and this whole thing about talented black hats being offered legitimate paid work in grey/white hat security, especially joining ACME Ltd. to assist them after owning and humiliating ACME Ltd., is total nonsense. It's the stuff of movies, or possibly Mitnick-esque back in the 1980s when things were different.

      These days, it's big business with a reputation to keep up. Would you hire a convicted bank robber as a bank cashier? Ethics is king and a leopard can't change its spots.

      1. Mad Chaz

        Re: I would imagine...

        No, but I would hire him to find weak-spots in my security

      2. rh587

        Re: I would imagine...

        Errr, businesses have and do employ ex-cons and talented fraudsters to help secure their operations. You wouldn't hire a bank robber as a cashier, but you might hire one to consult on laying out a bank to make a robber's job harder and to help train the cashiers how to deal with robberies.

        The most publicised example of a black hat going white would be Frank Abagnale consulting on secure documents and check fraud, but he led the FBI a merry dance for years and earned a reputation as a forger par excellence. He's not just a kid who managed to fire an SQL injection in some software whilst he was developing an app for it...

      3. Anonymous Coward
        Anonymous Coward

        Re: I wish people would stop saying this.

        Get real. I work with so-called real security types every day. A less ethical bunch you've never met. The APPEARANCE of ethics may be king, but the reality of it is far from it.

    5. Pat 4

      Re: I would imagine...

      That is in fact exactly what happened.

      He was offered a job by that software company yesterday, and his phone has been ringing off the hook from security companies wanting to hire him...

      This story is a bit late on its news apparently.

  3. Anonymous Coward
    Anonymous Coward

    Betting serious cash that Anonymous will visit soon and help find all sorts of vulnerabilities for them.

    1. Shannon Jacobs
      Holmes

      Just what I was thinking about anonymous

      Except that anonymous might reinforce the lesson with a bit of nasty leakage of some purloined information... How about the personal information of the network administrators, for example?

      I'm really having trouble imagining the school's reasoning here. It was THEIR incompetence that created the vulnerability in the first place. He reported it, but since he already knew they were incompetent at protecting the information (which probably included his own personal information), I don't really blame him for checking on the degree of their incompetence. Given that he already had proof of their incompetence, why would ANYONE believe they had actually fixed the problem WITHOUT checking again?

      The entire notion that law-respecting people get penalized for a bit of innovative or deviant thinking is really stupid. I hate to break the news to the morons who are running this so-called school, but you can count on the real criminals being quite innovative AND deviant AND NOT TELLING YOU ABOUT IT. They are NOT going to inform you about any little problems they notice, but just help themselves to whatever they can get.

      I'm trying to imagine SOME set of circumstances that would justify the school's actions. So far the only one I've come up with is that he came back and tried to look at some information. That might seem pretty stupid after he had told the school exactly where the vulnerability was, but even that is a debatable scenario. How can you tell the hole is really there or fixed without looking through it--and there is some information on the other side of the hole, which is the whole problem.

      1. Anonymous Coward
        Anonymous Coward

        @Shannon Jacobs - Re: Just what I was thinking about anonymous

        See how low you can get? Why personal details of network admins? What is their implication in this matter? They were told to install that app chosen by upper management, so why should they be lynched because the app had a vulnerability, and by whom?

        All your arguments fall as a house of cards because if that guy really wanted to check if the vulnerability was still there, he could simply have used the same test case that allowed him to discover the vulnerability, instead of thoroughly scanning the server without permission. Everywhere I've worked in my past there was a special clause in the contract regarding the scanning for vulnerabilities.

  4. Bronek Kozicki
    Thumb Up

    lucky escape

    I reckon this young man had a lucky escape from "education" which provides no skills, and I can see a promising career in IT for him without a diploma.

    1. Anonymous Coward
      Anonymous Coward

      Re: lucky escape

      Unless of course he wants to work for banks, insurance, government, health care, universities and so on. You don't seem to live in Canada, eh?

      1. LesboInMansBody

        Re: lucky escape

        One of the many reasons Silicon Valley is not in Canada

        1. Anonymous Coward
          Anonymous Coward

          Re: lucky escape

          One of the many reasons Silicon Valley is not in Canada

          Fortunately - for Canadians anyway.

          Good old Silicon Valley does have some amazing startups and success stories of epic proportions - however, it also has a monumental failure rate and for each passable success there are dozens and dozens of corpses by the road side.

          Unless this guy comes from a background which gives him a fair bit of spare cash to plough into a start up - or lots of friends wealthy enough for him to lean on - the chances of him doing well, even in Silicon Valley is hovering around zero.

          1. LesboInMansBody

            Re: lucky escape

            Your posting shows how little you understand Silicon Valley - a place where failure is an option because out of it something else will arise. It's not for the timid or the risk averse, who are afraid to try because they are afraid to lose. No, it is probably not for the likes of you, nor for me anymore, but as far as I still know it still draws some of the brightest and most innovative people on earth. Silicon Valley is a harbour of refuge for young Canadian minds like the one found in this article.

            1. MachDiamond Silver badge

              Re: lucky escape

              Failure is not an option, it comes as standard.

            2. Anonymous Coward
              Anonymous Coward

              Re: lucky escape

              You meant young criminal Canadian minds. And if the US Homeland Sec Dept. hears about his accomplishments then I suspect that on his way to Silicon Valley he might be detoured to some Middle-East country.

              1. Robert Helpmann??
                Childcatcher

                Re: lucky escape

                ...on his way to Silicon Valley he might be detoured to some Middle-East country.

                I was unaware that Cuba is located in the Middle East.

            3. Anonymous Coward
              Anonymous Coward

              Re: lucky escape

              Your posting shows how little you understand Silicon Valley

              And, ironically, your post shows you don't seem to have read mine.

              a place where failure is an option because out of it something else will arise.

              Great for the valley, sucks for the failure.

              It's not for the timid or the risk averse, who are afraid to try because they are afraid to lose.

              Which was my point. Silicon Valley is great for start ups where there is a safety net. You can only have a high tolerance for risk when there is a high buffer. Failure is less painful, and less permanent for those from rich families or with wealthy enough friends that when it goes off the rails they can still eat.

              No it is probably not for the likes of you

              I am not sure what that is supposed to mean, or what idea you have about who I am, where I live or what I do.

              , nor for me anymore, but as far as I still know it still draws some of the brightest and most innovative people on earth. Silicon Valley is a harbour of refuge for young Canadian minds like the one found in this article.

              No one disagreed with that.

              The chances of him being one of the success stories is still very close to zero. For every winner there are hundreds, if not thousands, of losers.

              The sheer number of attempts means the big picture can - rightly - say Silicon Valley is the home to lots of success stories. That doesn't mean any individual has a good chance of success (unless they can survive lots, and lots, of failures).

      2. Loyal Commenter Silver badge

        Re: lucky escape

        "Unless of course he wants to work for banks, insurance, government, health care, universities and so on. You don't seem to live in Canada, eh?"

        Given that he was previously 'acing' his courses (as reported in the article), he would appear to be a talented individual. Why would he want to work in sectors where IT professionals are traditionally poorly paid? I would imagine he would be far better off working in the private sector for a security consultancy.

        The volte-face from the company concerned is almost comical. They have gone from a standpoint of 'you have to have permission to port-scan our software or we'll go after you' to 'well done, have a scholarship and job'. The former attitude is laughable. The real black-hatters will have no qualms about running port scans and trying known methods of SQL injection to expose flaws in the software. They will do this in an untraceable manner, i.e. via botnets, or through a route such as TOR. The company is responsible for the flaw in their software - the attitude of demonising those who expose such flaws is just wrong-headed. For everyone who reports such an exploit to the appropriate people, you can be sure there are ten out there who would use it for nefarious purposes instead.

  5. Anonymous Coward
    Anonymous Coward

    So are we sure this isn't just a bad excuse, because he'd been caught?

    1. asdf

      hmm

      Allowing semi public access to other peoples private information for over a month is the real outrage of this story. Thinking security by obscurity by muzzling this kid is the way to go is just horrible security practice. I hope Anonymous tears em a new one. And here I thought Canadians were a little less corporate and more tolerant and enlightened when it came to this stuff. Guess the fleas from the scalp have infested America's Hat as well.

    2. JDX Gold badge

      Well we only really hear his side of the story. So quite possibly.

      1. Anonymous Coward
        Thumb Up

        Really just one side?

        @JDX: I'm not sure if this article is just stating one side. I see how you can explain it is, but do you feel it is? Your statement stands true by word though, undoubtedly.

        The article might be a little one sided, but do you not feel it gives enough of both sides to draw a personal conclusion from it, one that is probably correct? Mine is that a student found something, through interest, and then continued that interest through which the student found. I could be wrong, he could be more devious than let on, but it sounds very much like the college overreacted.

        Also, I don't think you can draw lines of tolerance based on country of origin. The college's actions seem so quick and over the top, I think any country of the Western world would frown upon such actions taken within its education system. Again, personal opinion and could be wrong.

        With an optimistic point of view, in regards to a minor situation as this, I hope that most colleges would actually give some sort of counsel to the student to make the college's opinion more apparent before expulsion. Maybe this college did, but if they did, they apparently took counsel with the student half-assed. He surely wasn't told "Do it again, and you are expelled!"

        If this resolution holds, as it is now, the student might want to think about moving to another country. I know that is bold, and maybe too witty of a statement, but one's education should never be taken lightly. You would think that the Canadian government would step in and say "Hold on college, is this really what is best?". Of course, that requires counsel, which apparently is pretty scarce in this case.

  6. Dr. G. Freeman
    Coat

    Doesn't surprise me

    One of the main rules of university - don't rock the boat of those in charge. A troublesome student can easily "be got rid of".

    It's amazing the correlation between showing the flaws in a situation and your courseworks being low graded, exams unmarked and practical work assessments being forgotten about.

    1. asdf

      Re: Doesn't surprise me

      Especially if the kid unfortunately has a name that sounds not so Canadian eh?

      1. Poor Coco
        Thumb Down

        Re: Doesn't surprise me

        This is MONTREAL, not Ontario, so cut out the fucking “eh”s.

        1. Anonymous Coward
          Anonymous Coward

          Re: Doesn't surprise me

          @Poor Coco,

          Oui.

      2. Steven Roper
        Facepalm

        @asdf

        Oh please, not the old racism card again...

        So the lad has a Middle-Eastern sounding name. That's completely irrelevant to his behaviour, good, bad or indifferent. I personally think he did the right thing by testing to make sure the hole was fixed, and ruining his entire career is indeed excessive punishment in my view.

        But his race, creed, culture, religion, ancestry, sexuality, birthplace, you name it, has nothing to do with it, and this kind of over-the-top PC thinking that overuses accusations of racism, every goddamned time someone of non-European descent commits any kind of indiscretion and is punished for it, is doing more to undermine real fairness and tolerance than all the racist bigotry on every Stormfront-esque sinkhole on the Internet combined. It cheapens the concept until the cry of "racist" simply becomes meaningless noise.

        So please, spare us the PC bellyaching and look at the issues from a race-neutral perspective: A student attempted, rightly or wrongly, to hack into his college computer system and was expelled for it - rightly or wrongly. No race or religion involved.

        1. Anonymous Coward
          Anonymous Coward

          @Steven Roper - Re: @asdf

          It's not at all about racism here. In case you didn't get it, it's just that some or all of the three letter US govt agencies are a little bit more picky when it comes about a certain race,

    2. JDX Gold badge

      Re: Doesn't surprise me

      It's hardly rocket science that if you piss people off they will be biased against you.

  7. Anonymous Coward
    Anonymous Coward

    Sorry but spotting a hole is one thing. But it is not his job to monitor progress on it being closed. If you want to know if it had been fixed you do it the correct way by talking to a person, not using an audit tool.

    1. asdf

      Yep

      After a month of receiving no info the kid shouldn't have tested it, he should have just posted the vulnerability on BugTraq. He would not have then signed an NDA and it would be legal. Best of all he would be helping to protect others' sensitive data, which the software company didn't seem to think was important.

    2. This post has been deleted by its author

    3. h3

      RE : AC 21:10

      That won't solve anything they will just say "Yes it is fixed" and it won't be so it is completely pointless.

      He is doing something to do with them. (Presumably the App was sanctioned, at least that is implied).

      His reputation could be tarnished by associating himself with something like this.

      Society should not use the law to protect other peoples ability to be inept.

      (Schoolboys catching so called professionals making schoolboy errors.)

      The problem is the so called professional not the schoolboy.

      1. Anonymous Coward
        Anonymous Coward

        @h3 - Re: RE : AC 21:10

        Even schoolboys have to act professionally. There are laws here in Canada protecting the storage and handling of private information, just go ask Facebook for a proof. However, the way this guy did it was totally inappropriate. You stumble upon a vulnerability? Report it properly to the software vendor and to the organization using the application. Wait for a month or more, contact them again and ask if the problem has been solved, and try to see if the vulnerability is still there but don't scan the whole system, you are not an auditor. Just use the same test case that allowed you to prove the vulnerability. Then and only then you can go public in case you feel the risk is still there. This is not the fastest way to correct the vulnerability but surely it is the one that is safe for you.

  8. Anonymous Coward
    Anonymous Coward

    This is a basic rule nobody should ignore.

    Don't run any kind of scanning of production server/application without asking for permission. If you still do it then you shall be prepared to bear the consequences. It is as simple as that. This guy should consider himself lucky because in the US, punishments would have been way much harsher and his Arabic name would have deepened his trouble.

  9. h3

    Should be able to do a rudimentary scan for any type of system that you are potentially adding your own information to. (Any respectable company would pass any off-the-shelf scan.)

    The situation where it is illegal to make any checks as to the competence of a 3rd party that you are trusting with your information is bad.

    I don't do this due to the potential legal issues. But as far as I am concerned the people doing these sort of things no doubt call themselves professional etc etc whilst actually making schoolboy errors. (Ironically, errors that were not actually made by a real schoolboy capable of acting in a basic logical manner).

    1. Anonymous Coward
      Anonymous Coward

      Great!

      Now go tell this to the US Department of Homeland Security. It's a place that might store your personal info and they will be delighted to sit down with you and have a talk. Oh, and before doing this, you'd better cancel all your appointments for the next few weeks or maybe months.

    2. Oninoshiko
      Thumb Up

      I feel for the kid

      His information was on this server. He was making sure they were taking proper precautions to protect his information. Personally, I think he should file suit for them putting him (and the rest of the student body) at risk for identity theft.

      1. Anonymous Coward
        Anonymous Coward

        @Oninoshiko - Re: I feel for the kid

        I agree with you. However, the two issues are now separate. Suing the college will not prevent the college and the other third party pressing charges against him. He might get the college being forced to reinstate him but only after he serves the prison term for the other unrelated offense. This is how law works.

      2. Anonymous Coward
        Anonymous Coward

        @Oninoshiko

        I doubt such a lawsuit would work. After all, the server may be in the possession of the school, but they didn't develop nor maintain the software which was used on it. And if you can't prove that there have been any prior issues where data got leaked or stolen you'll have a hard time proving identity theft.

        Another point is that he also can't accuse the school of negligence. After all; the very moment he had reported the bug they started working on it right away and also checked their logs to see what happened and who and how the data got accessed. You can tell as much by their statements where they mentioned to have noticed him accessing that server section twice.

        1. DavCrav

          Re: @Oninoshiko

          "Another point is that he also can't accuse the school of negligence. After all; the very moment he had reported the bug they started working on it right away and also checked their logs to see what happened and who and how the data got accessed. You can tell as much by their statements where they mentioned to have noticed him accessing that server section twice."

          Well, you cannot tell that. What you can tell is them saying that. These are different things.

          Also, a completely unrelated issue, but according to the article, he scanned the system and then within minutes got a call from the security company's president. Something wrong here? How did the guy get the kid's number? Did, perhaps, the college give it to Skytech, itself a breach (I presume) of Canadian law?

  10. Anonymous Coward
    FAIL

    He played it pretty dumb...

    First of all, as others already pointed out, he didn't get expelled for identifying the flaw. He got expelled for "allegedly trying to exploit the flaw", where his story obviously is that he only wanted to check if the flaw had been fixed.

    But seriously, no personal offence intended, but I think he acted pretty stupid on several accounts. First the obvious part: after you identified a bug there are more ways to check if it was fixed. How about starting with using a little courtesy and asking the people involved? Then you could always jestingly ask: "So you wouldn't mind me trying it for myself?". Heck, if the whole story is true I bet they'd love him to check it out. It's simply the way he did it.

    However, the biggest mistake was that he allowed himself to be bullied.

    "If you don't sign this then we'll <insert legal threat here>".

    The one and only right response at that moment is: "Ok, I will get my lawyer to look into that and we'll get back to you.". Because if you don't, as you can see here, you'll only tumble into the rabbit hole even deeper; and it doesn't even have to be the hole which the "bullies" dug for you.

    Because right now he's also in violation of the agreement which he himself signed. Perhaps there's a way out of that mess, I dunno, but at this moment the only option he has left is to get a lawyer. And you can bet that it'll be a helluvalot more expensive than if he would have gotten a lawyer earlier on to look into the NDA and give some legal advice on that matter.

    For a computer student I think he didn't play this very smart at all.

    1. Thorne

      Re: He played it pretty dumb...

      "For a computer student I think he didn't play this very smart at all."

      Running scanning software traceable back to him wasn't smart. If you want to report security bugs, do it anonymously because no good deed goes unpunished...

    2. Poor Coco
      WTF?

      Re: He played it pretty dumb...

      “For a computer student I think he didn't play this very smart at all.”

      What, are IT students also expected to be savvy on contract law?

      How about this — he signed that stupid agreement under coercion, which invalidates his signature?

      1. Anonymous Coward
        Anonymous Coward

        Re: He played it pretty dumb... @ Poor Coco

        What, are IT students also expected to be savvy on contract law?

        Interesting question, currently I am doing my MSc in IT and professional conduct is a required module. While the module won't turn us into lawyers, it is meant to give us enough knowledge to know when we need one.

    3. dssf

      Re: He played it pretty dumb...

      It should NEVER be legal to coerce a victim to agree to a flawed NDA, and then further manipulate said party further downstream.

  11. bag o' spanners
    Meh

    Sniffer wars! Build a better mouse.

  12. Dragon Leaves
    Childcatcher

    Montreal or Berlin?

    Montreal and Quebec in general have seen an immigration of Muslims whose radicals want to impose their laws, religious laws, on the rest.

    There is currently a vast resentment and tepid racism brewing and being from there, and having graduated from Dawson's Ineptitude, I would easily place my wager that things would have turned out different if his name was.

    The uneducated in Montreal are usually racist. And it's spreading. Give that place a huge economic crash and a bullying loudmouth as leader and history may come back under a different guise.

    1. This post has been deleted by its author

  13. fnusnu

    Schoolboy?

    He's 20. Seventy years ago people that age were flying night-time bomber raids over Germany. They knew right from wrong...

    1. Aitor 1
      Mushroom

      Re: Schoolboy?

      Doing the right thing.. Dresden maybe?

      He is naive.. and should get punished, but not that way.

    2. Anonymous Coward
      Anonymous Coward

      Re: Schoolboy?

      "... They knew right from wrong..."

      Absolutely! —this young whippersnapper should be up there in a bomber, killing people in their thousands, not poking about in databases.

      The youth of today, eh?

  14. Richard 120

    I did a lot of silly things at uni, got in trouble for some. My point is that uni is a place to learn things, sometimes learning things involves making mistakes. I might have got expelled for doing similar things because I didn't think it was that big a deal, and I didn't know it was illegal to run a port scanner and I wouldn't have had enough funds to lawyer up and I know lecturers and admins would easily have intimidated me into signing an NDA.

    As far as I can tell he was a bit silly and the other lot over-reacted, probably as a result of embarrassment. Shame everybody couldn't learn from what happened.

  15. Jeff 11

    To be fair it sounds as though curiosity got the better of him and he wanted a second go at the hole he'd uncovered, to see exactly what data he could pull through it. No doubt he envisioned a pat on the back, a wodge of social media likes on his blog and a bit of personal glory, and had no malicious intent at all.

    The law however has to be pragmatic. There will always be imperfect, buggy and vulnerable software and often the world just has to live with it, and so the law needs to offer some protection from people who CAN cause damage with the exercise of their skills (although SQL injection is often laughably trivial). There are plenty of open source applications to poke holes in, so why not install one of those and have a go, instead of accessing a production system with real data on it?
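
The two comments above (the port-scan/SQL-injection one and Jeff 11's "laughably trivial") refer to SQL injection in general; nothing on this page says the Omnivox hole was SQL injection, so the following is purely an illustration of the technique the commenters mention. It is an added example, not code from the article, from Skytech or from any commenter: the `students` table, its rows and the two payloads are constructed for the example, and the vulnerable and safe lookups are shown side by side so the difference is visible on real rows.

```python
import sqlite3

# Constructed sample data for this example only; not real student records.
SAMPLE_ROWS = [
    (1, "alice", "alice-pw-hash", "111-222-333"),
    (2, "bob", "bob-pw-hash", "444-555-666"),
    (3, "carol", "carol-pw-hash", "777-888-999"),
]

# Payloads, constructed for the example. The first is the classic tautology;
# the second pulls a column (pw_hash) the original query never exposes.
TAUTOLOGY = "nobody' OR '1'='1"
UNION_EXFIL = "x' UNION SELECT username, pw_hash FROM students --"


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER, username TEXT, pw_hash TEXT, sin TEXT)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Injectable: the user-supplied value is spliced into the SQL text, so a
    quote in the input ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT username, sin FROM students WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised: the value travels as a bound parameter and is never
    parsed as SQL, so the same payloads match nothing."""
    sql = "SELECT username, sin FROM students WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for label, payload in (("tautology", TAUTOLOGY), ("union", UNION_EXFIL)):
        print(label, "vulnerable ->", lookup_vulnerable(conn, payload))
        print(label, "safe       ->", lookup_safe(conn, payload))
```

Run stand-alone it prints three rows for each payload from the vulnerable lookup (the UNION one yielding password hashes instead of SINs) and an empty list from the safe one. The point for this thread is the asymmetry: the attacker needs one crafted string and no special tooling, which is why a company that exposes this cannot rely on scaring off the people who report it.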

  16. JaitcH
    WTF?

    A coerced agreement has no validity

    "He told me that I could go to jail for six to twelve months for what I had just done and if I didn't agree to meet with him and sign a non-disclosure agreement he was going to call the Royal Canadian Mounted Police (RCMP) and have me arrested. So I signed the agreement."

    I bet this useless database company - SKYTECH / OMNIVOX - wouldn't have the balls to sue him, especially in Quebec where the provincial Supreme Court has a bit of a relaxed idea of life.

    He should have been advised to get ILA (independent legal advice) by the allegedly blackmailing SKYTECH / OMNIVOX. Still, he still has the opportunity to tell the RCMP to whistle Dixie as he is not required to answer any questions asked of him - unlike the freedom hugging UK.

    Let's hope ANONYMOUS does work the slime-buckets over well. Let's hope they also release the Social Insurance Numbers - which only have 5 lawful uses in Canada and cannot be used as a national identity number (even by the various governments of Canada).

    Dawson College used to have a reputation for quality but now even their diplomas - churned out like a diploma mill - aren't printed on the best paper.

    1. JaitcH
      FAIL

      Re: A coerced agreement has no validity - We have a problem Montreal

      403 - Forbidden: Access is denied is returned from Skytech - the sloppy software company.

      Has Anonymous been busy?

      1. JaitcH
        FAIL

        Re: A coerced agreement has no validity - We have a problem Montreal (2)

        The 403 Disease spreads.

        http://www.dawsoncollege.qc.ca/

        403 - Forbidden: Access is denied.

        You do not have permission to view this directory or page using the credentials that you supplied.

  17. Anonymous Coward
    WTF?

    Strike 2, you're out!

    He turned informant on his own the 1st time. The 2nd time makes him dishonorable? Seems a bit paranoid of the college to be so hasty. He should try and move south.

  18. Anonymous Coward
    Anonymous Coward

    Yada, yada, yada...

    Bad choices can land you in jail. He just got a real life learning experience. He could be in jail so he should count his blessings. If he doesn't know better than to "test" the system, he will be seeing a lot of vertical bars in his future.

  19. Anonymous Coward
    Anonymous Coward

    how did they get his phone number?

    The company is the developer of the application, they might also be administrating it for the college that decided to outsource the application's administration. But in either case, the developer doesn't have access to the students' records! The college has no right to allow a 3rd party to access the students' records without informing the students first.

    If the outsourcing company suspected misconduct, they should have reported the misconduct to the college staff and/or the police; using their privilege over the data to access the student's record in order to call him at home is an invasion of privacy.

    1. graeme leggett Silver badge

      Re: how did they get his phone number?

      perhaps it had been supplied when he reported the flaw in the first instance.

      1. Tom Jasper
        Facepalm

        Re: how did they get his phone number?

        Perhaps they walked in through the front door of their database web interface and found it there ;)

        Good to see http://www.skytech.com/ is #403 as well - partial justice for their protectionist behaviour.

  20. mIRCat
    Headmaster

    I assume they have the signed and dated forms from his original 'warning'. Anything less than that and they look like prats.

  21. Keep Refrigerated
    Childcatcher

    I believe that children are the future...

    Any college that punishes curiosity, inventiveness and thinking outside the box in such a way is not a college I'd want to send my children to.

    It's also becoming clear we live in a world where the first things we have to teach our kids is how to read, how to write, how to share and how to respond to legal intimidation.

  22. Anonymous Coward
    Anonymous Coward

    Skytech and the college were extremely embarrassed by the affair.

    He should have known not to go anywhere near it once he'd reported it, and certainly not check that the hole had been sorted. That was not his responsibility.

    Still, expelling him is too severe and clearly demonstrates just how embarrassed Skytech and the college were. No one likes to have their weaknesses highlighted, especially by a student.

  23. This post has been deleted by its author

  24. MarkJ
    Windows

    Two mistakes here

    1) Getting caught

    &

    2) Using a pentester from his own IP address. Get off your arse and walk to a cafe with free wifi.

    Scriptkiddie sounds about right.

  25. Ian Johnston Silver badge
    Thumb Up

    Ahmed Al-Khabaz

    Or little Bobby Tables, as his friends call him.

  26. rcorrect
    Trollface

    If it wasn't for the fact that information of innocent students and faculty would be involved I'd love to see Anonymous show Dawson College why security should be taken seriously. But it wouldn't be cool to violate the privacy of many just to put a handful of idiots in their place.

  27. VaalDonkie

    Ahmed Al-Khabaz

    ... is a strange name. Is that French or something?

  28. Elmo Fudd
    Happy

    Apparently he has been offered a job by the software company involved - See newspaper article here:

    http://www.calgaryherald.com/Montreal+student+booted+college+hacking+computer+system+offered+firm/7853705/story.html

  29. Anonymous Coward
    Anonymous Coward

    One for the lawyers ..

    'But Al-Khabaz said the school did not understand he was only trying to help. "They don’t understand my intentions. They think I’m a threat, a criminal," '

    They understand perfectly, they're just covering their own collective arses for the security breach, by sacrificing your career. The Dawson College students should institute proceedings against the College for such reckless exposure of their records. I'd like to know who installed the software that left such gaping holes in security. And why they aren't liable for legal sanctions.

  30. Bill the Beast
    FAIL

    He did the right thing by reporting it. He did a very foolish thing by trying to penetrate it again. Surely he knew they'd be watching for subsequent attempted exploits.

  31. Anonymous Coward
    Anonymous Coward

    Code flaw spotting was not the issue

    Hacking after reporting the flaw, which is "illegal access to a computer", is what got him booted. He could still be charged for criminal access to a PC.

  32. Tom Jasper
    Thumb Up

    Mature response (!!!!)

    See http://www.skytech.com/en/blog-dse-case.sky

    "

    Are you offering him a job?

    Our priority is for him to finish his studies, and yes, we are offering him a job in cybersecurity where he can put his talents to good use, outside his study hours, in a closed circuit research and development environment, all this without any controversy.

    What was his reaction?

    We were pleased to learn, through an interview with CBC television, that he accepted our scholarship offer to pursue his studies in another college.

    "
