

Hamed Helped. Help Hamed. - thenicepostr
http://www.hamedhelped.com/

======
nowarninglabel
I have to wonder how much this will help. A colleague and I made a responsible
exposure to a vendor that provides the application software for the California
State University system. The vulnerability I chanced upon, and that my
colleague was able to verify to be fully open, made it possible to obtain the
private details of hundreds of thousands of applicants from their system. How
were we rewarded for quietly and responsibly disclosing this to the vendor?
The vendor threatened a lawsuit against the university, and the university
kowtowed and nearly fired my colleague, severely reprimanding him and me.
Little did I know this would become a theme of my stint in working for
academia, of the universities not caring at all about students and their
private data. I worked for multiple universities and it was the same at each
one. They seemed to think the problem was with people not with buggy,
overpriced, insecure software.

~~~
JohnHaugeland
They got so embarrassed that they challenged the school to change its mind,
and offered the kid a full scholarship to wherever he goes next.

[http://www.cbc.ca/news/canada/montreal/story/2013/01/21/mont...](http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html)

In the meantime, their student body is furious that the staff have been
knowingly leaving their private information public for months.

So I'd say "a lot."

~~~
nowarninglabel
Well, kind of. I read this was successful in targeting the company to react
positively towards Hamed, however, the university is still throwing the book
at him. I guess that's a better tactic, going publicly after the company,
rather than through university management.

------
eranation
I've read the claims from both sides, I think that although he might have
handled it more carefully, it was an overreach to expel him this way, I feel
we should stand behind him. I signed the petition. Anyone with counter
evidence, please step forward.

~~~
JohnHaugeland
Where did you find claims on the school's part?

The only one I've found so far is an audio interview with Mr. Filion;
everything else has had the school refusing to comment.

Please provide links.

------
benatkin
Wow. This is much worse than I thought. I'm glad there's no conceivable
scenario in which this could lead him to be extradited to the USA, like Marc
Emery was. <http://en.wikipedia.org/wiki/Marc_Emery>

~~~
JohnHaugeland
Stop trolling, please.

Marc Emery sold illegal goods internationally. The two situations have nothing
to do with one another.

------
ck2
If anywhere should be more tolerant of intellectual curiosity, it should be in
a college environment.

Unless they can prove he had intent to cause damage, which it sounds like they
could not do, they should just forgive and forget and stop trying to cover the
overpaid butts of the sysadmin who didn't fix the hole in the first place.

Hell, society forgave all the banks and Wall Street for their actual crimes.

------
unreal37
What's the truth here? What did Hamed "do"?

Exposing a security flaw doesn't get you expelled. He had to have taken it one
or more steps too far. I'd like to see the facts.

~~~
thefreeman
<http://news.ycombinator.com/item?id=5090007>

A few days after reporting the flaw, he got caught using
<http://www.acunetix.com/> (web vulnerability scanner) on their network. He
says he was checking to see if they fixed the flaw. I don't think he was
intentionally being malicious, but his explanation doesn't jibe with his
actions.

I still think it sucks that they expelled him. But I am unable to logically
see how he didn't break the rules.

~~~
iuguy
It sounds like he's being screwed over by the vendor, who forced him to sign
an NDA.

To be honest, anyone using Acunetix isn't looking to hack into anything. It's
an enterprise scanner that looks for general web app issues rather than
something that's typically used to conduct actual attacks. You'd expect an
actual attack to be conducted with a tool like Havij, Sqlmap, Burp or Zap
proxy.

~~~
danielharan
He did manage to slow the site down significantly, to the point of being
unusable. Not surprising given the code quality of an app where replacing the
student id in a url parameter gives you access to their file.

However the vendor offered him a job and a scholarship, so it seems like it's
the university's over-reaction.
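
The flaw described above (a student record served from whatever id appears in the URL parameter) is a classic missing authorization check. The following is an added illustration, not code from the thread or from the vendor's application; the portal URL, record store, principals and the `Session` shape are all constructed for the example:

```python
"""Added example: an id-in-the-URL lookup with no ownership check, beside the
same lookup with a per-record authorization check. All data is constructed."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Constructed sample data: the record store behind the student portal.
STUDENT_FILES = {
    "1001": {"name": "Student A", "ssn_last4": "1111"},
    "1002": {"name": "Student B", "ssn_last4": "2222"},
}
STAFF = {"registrar"}          # constructed: principals allowed to read any record
audit_log: list = []           # denied reads land here for detection/review

@dataclass
class Session:
    user_id: str                    # authenticated principal
    student_id: Optional[str]       # the student record this user owns, if any

def student_id_from_url(url: str) -> Optional[str]:
    """Extract ?student_id=... from a portal URL."""
    values = parse_qs(urlparse(url).query).get("student_id")
    return values[0] if values else None

def vulnerable_get_file(session: Session, url: str):
    """Before: trusts the id in the URL. Any logged-in user who edits the
    parameter receives another student's file, the flaw the comment describes."""
    return STUDENT_FILES.get(student_id_from_url(url))

def hardened_get_file(session: Session, url: str):
    """After: the URL still names a record, but the server verifies that the
    authenticated user may read that specific record before returning it."""
    sid = student_id_from_url(url)
    if sid is None or sid not in STUDENT_FILES:
        return None
    allowed = session.user_id in STAFF or session.student_id == sid
    if not allowed:
        # A denied cross-record read is exactly the signal a scanner or a manual
        # id-swap produces; log it explicitly rather than returning a blank page.
        audit_log.append(f"DENIED user={session.user_id} student_id={sid}")
        return None
    return STUDENT_FILES[sid]
```

Note that the fix is an authorization decision tied to the session, not input sanitisation: the parameter value can be perfectly well-formed and still belong to someone else.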

------
jasim
This goes on to show how out of touch with reality our educational systems
currently are. They are incentivized by the wrong things, which reflects in
the kind of people and policies that are put in place.

Before the web and the free dissemination of information it brought about, the
average academician was 'smarter' than the average student just by the fact
that the students hadn't yet had access to the sources of information their
teachers had.

However, we now live in times when you can expect anybody in the society to
grow to their full potential, thanks to the free web.

This changes the fundamental role educational institutions have to play. They
can't continue to be passive devices of information transmission. Yes, there
is an elite bunch of institutions that provide more value than that. But as
these events show, the educational sector around the world in general is
mediocre and pretty inefficient.

You now have smarter students and they don't need you to tell them what the
world is about. That is the changed reality of the market and it is going to
affect this sector for the better in the long run.

~~~
JohnHaugeland
No, universities internationally are furious and disgusted.

This is a trade school, not a college. It's like being angry at DeVry or
University of Phoenix. The stupid things that places like that do have nothing
to do with real universities.

------
JohnHaugeland
This wasn't the first time Ahmed (not hamed, ahmed) reported the problem. When
they ignored it, left the software running, and notified none of the students,
he used some free white-hat web security scanner to generate a report to make
it more clear for the business people what was wrong.

The business people have decided that the security scanner is "a hacking tool"
and that Ahmed needed permission from the school to see if the software that
was imposed on him which was leaving his private data exposed _after_ the
staff knew was still broken.

The way Richard Filion, who runs the school, tries to make excuses around this
is appalling.

<http://www.cbc.ca/homerun/2013/01/21/dawson/>

The software vendor gave the poor kid a scholarship and asked the school to
change its mind.

[http://www.cbc.ca/news/canada/montreal/story/2013/01/21/mont...](http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html)

The RCMP declined to be involved.

The running excuse they're giving is "it was against our code of conduct."
And, I mean, most schools don't even kick binge drinkers who got in an
accident and nearly killed people out for code of conduct.

So clearly this isn't an excuse.

The people responsible for the decision are the head of the Computer Science
department, Ken Fogel, and Dianne Gauvin, one of the deans. Predictably, they
do not respond when contacted.

This is a computer science department where a panel of 14 out of 15
"professors" actually chose to stand behind this - though nobody will release
their reasoning or names. So don't expect Ken Fogel to get it on grounds that
you imagine he's one of us.

The school ombudsman, whose job it is to stand up for Ahmed, has been
whitewashing its Facebook page of all criticism. The main school Facebook page
is just ignoring the criticism instead; they post in between literally hundreds
of people (including students and alums) to chat with people on posts from
before this started getting public.

And, a reminder? They did this in _November_. They've been sitting on this for
months. They aren't going to change their minds without a very good reason.

Not shockingly, other students have been posting reams of existing security
holes on their various servers, and evidence of compromises that are claimed
to be years old.

Staff is doing just as nothing about those as they did about this the first
time Ahmed reported it.

------
mappum
While Hamed was honorable and didn't try to abuse his exploits, I think it is
a stretch to say "Hamed helped". I doubt he tried to get into the data for the
purpose of helping make it more secure, it is more likely that he just had the
"hacker drive", where he just wanted the challenge of beating a system.

~~~
arcatek
If I'm not mistaken, he discovered the vulnerability while developing an app
for his university, then he sent it to the system administrators.

His troubles began when he checked later whether the security hole was still
open.

~~~
anonymouz
According to the expulsion letter (linked somewhere in his thread) he only
reported the issue after he was detected and his access was blocked. That
doesn't prove either side's version but shows why one should get authorization
before attempting such a thing. After getting caught anyone can say that they
were just trying to help.

~~~
noibl
The letter says no such thing. I don't know why you've taken the trouble to
post this falsehood twice in a short thread.

<http://news.ycombinator.com/item?id=5096170>

------
jiggy2011
Moral of the story: Sanitise your query params.

~~~
JanezStupar
I think the moral of the story is - whatever you do anonymize your tracks and
do not inform the authorities. There is substantial risk and no reward for
acting otherwise.

~~~
vertis
I think there can be reward in some cases. From what petition website says,
he's received several job offers.

~~~
JanezStupar
This is a great comment for ShitHnSays.

