
Youth expelled from Montreal college after finding security flaw - lasercat
http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+NP_Top_Stories+%28National+Post+-+Top+Stories%29
======
rwg
I've already posted my "almost got arrested for using zsh" story, so here's
another one:

I used to work at a large public university. One day, a grad student brought
me his laptop and asked if I would take a look at it because "the Internet
[was] really slow." It turned out that his computer was part of a botnet
controlled via IRC, and it was being used to attack hosts on the Intertubes.

After sniffing the IP address + port of the IRC server and the channel name
and password the botnet was using, I joined the channel with a regular IRC
client. "/who #channel" listed _thousands_ of compromised clients, including
hundreds with .edu hostnames. (One university had a dozen hosts from
.hr.[university].edu in the channel. Sleep tight knowing your direct deposit
information is in good hands.)

There was no way I could notify everyone, so I concentrated on e-mailing
abuse@ the .edu domains. In my e-mails, I explained who I was and where I
worked, that one of our computers had been compromised by hackers (yeah yeah
terminology), and that in the course of investigating, I found that computers
at their university had also been compromised by the same hackers. I also
included a list of the compromised hostnames at their university and the IRC
server's information so their networking people could look for other
compromised hosts connected to the IRC server if they wanted to. Relatively
basic IT stuff.

I didn't get replies from the majority of the universities I sent messages to,
including the .hr.[university].edu one. I got a few thank yous, but I got just
as many replies from IT Security Officers and CIOs (including at big name
universities) accusing me of hacking their computers and demanding that I stop
immediately or face legal action.

Those people _just didn't understand_, and they were in charge of (or
ultimately responsible for) their universities' IT security efforts... It was
completely mind-boggling to me at the time.

~~~
ivix
I would guess that being a CIO is 80% about management/people skills and 20%
about technology. Hopefully that goes some way to explaining why these people
did not understand your email.

~~~
ihsw
This is a C-level position at a publicly-funded institution, that ratio is
closer to 95% and 5%. I would even go so far as to say that these individuals
very likely have a background in law or simply have an MBA.

Engineers aren't in charge, anywhere, other than tech companies.

~~~
rayiner
30% of MBAs are engineers, and the most common degree for CEOs is
engineering. 1/3 of S&P 500 CEOs have an engineering degree, even though only
a small fraction of the S&P 500 is tech companies.

~~~
mustpax
A lot of people get engineering degrees as a signalling mechanism to prove
they can do hard work, not because they have any interest in becoming
engineers. Formal training in a subject combined with a lack of intrinsic
curiosity about the subject makes the worst engineering managers you will ever
meet.

~~~
donall
I think this is probably true.

Empirically speaking, a lot of the guys who graduated with their B.Sc. in
computer science with me saw their career paths as joining a big consulting
company, working on the front lines for a couple of years and then getting
into management and leaving the code behind for good.

In my PhD program, most guys in the lab saw the actual engineering side of
things as a stepping stone to higher-paid positions in academia.

Clearly a significant number of people with engineering degrees are engineers
only by title.

~~~
rayiner
The claim was that "engineers are never the one in charge." If your argument
is that engineers cease to be engineers once they get into management, then
it's tautological that "engineers are never in charge."

~~~
lindenr
The point as I read it was that people who aspire to management aren't really
engineers in the truest sense, but engineers "only by title".

That is, people working on actual engineering aren't really "engineers" if
they have their eyes set on something else, like a higher position in
academia.

------
jrockway
I found something like this at my school. The administration reacted
similarly. But fortunately, I was taking djb's Unix Security Holes at the
time, and a harshly-worded note from djb to the Computer Center folks ended up
getting me a thank you.

Next semester, though, I refused to sign the new AUP (which included a clause
allowing the computer center staff to seize any computer I was using, even at
my off-campus home), and they kicked me out of school. (Actually what happened
was they locked my course registration account, and wouldn't reinstate it
until I signed the policy in their presence. I refused.)

(Sadly, I can't find the full-disclosure thread for this bug. I guess I posted
it to my blog, which I deleted after being threatened by school
administrators. Oh well. That was 9 years ago!)

~~~
Ras_
These expulsion stories sound really weird. I mean you pay for all of your
studies and still could get axed on a whim? Whereas in my country I get paid
to study and have zero chance of being expelled for these kinds of events.

~~~
monsterix
Which country may I ask? Nordic?

~~~
Ras_
Yes, Finland.

Maybe it's because all of our schools are public? For example higher ed.
providers are funded based on enrollment and rate of graduation. If someone
does not graduate, a significant chunk (20-30%) of the money won't be paid at all.
This creates some incentive for the institution to actually guide and see that
people don't fall through all kinds of cracks. I guess it's necessary when
there is no ordinary paying customer relationship involved.

~~~
rohansingh
How do you prevent the schools from just lowering graduation requirements in
order to artificially boost the percent of graduates and get a better payout?

~~~
Ras_
Since they are either fully government funded or jointly funded with
municipalities, there are no incentives to seek short-term profits by
running diploma mills.

Ministry of Education controls the money and conducts yearly performance
target negotiations bilaterally with each higher education institution. You
actually need a permit from the ministry to run any kind of school. Even our
few "private" primary and secondary schools are publicly funded and regulated
accordingly.

Independent expert body FINHEEC audits universities' quality management schemes
regularly. Some European countries use accreditation-based evaluation (for
single degree programs) instead of system wide audits. At least one Finnish
university has also acquired ISO 9001 cert, but it was seen as more labor
intensive and not providing the same benefits (benchmarking, benchlearning) as
the required peer-based audits.

~~~
Ras_
Outline of FINHEEC audit process and outcomes:
[http://www.qaa.ac.uk/Partners/education/Documents/FINHEEC%20...](http://www.qaa.ac.uk/Partners/education/Documents/FINHEEC%20Audit%20Outcomes.pdf)

------
Xcelerate
This sort of thing scares me. One time I found a security vulnerability in a
popular forum I frequented. I emailed the site owner, and he thanked me and
fixed it. Later someone else discovered another weakness and used it to post
spam; the site owner emailed me asking about it. My initial thought was that
he suspected I was the one doing it, but it turned out he was just trying to
see if I could help him.

That scared the crap out of me though and I realized this was a VERY bad idea.
Something as harmless as trying to help someone make their website more secure
can get you more jail time than robbing a bank.

I also, completely accidentally, logged into another student's account at my
university (a big university too). The school gives you an ID number. Your
initial password is the same as this ID, and you're supposed to change it
later. I didn't remember my ID correctly, swapped two numbers in it, and ended
up in someone else's account. Home address, phone number -- all sorts of
information staring me in the face. Will I report this issue? Heck no!

It's weird how many of these I discover by accident. My school also had a
hackathon hosted by eBay and PayPal. In fact, one of the programmers from
PayPal was there. During the hackathon, I stumbled upon a way to get account
information without authentication (security tokens were being seriously
misused). The PayPal guy was shocked and asked me to send him all the
information on what I had found. Never did get any sort of reward out of
that... (and I lost the hackathon too).

~~~
slapshot
> more jail time than robbing a bank

This meme of "more jail time than robbing a bank" needs to end.

The federal penalty for possessing a firearm while robbing a bank is a
mandatory minimum of 5 years and a maximum of life in prison. The mandatory
minimum means that a judge could not sentence an armed bank robber for less
than 5 years for each bank robbed while holding a gun (you don't even need to
show it; just having it is enough). To make it worse, each 5-year gun sentence
must run _consecutive_ with each other sentence (i.e., be added on after you
serve the other sentences). [1] If you brandish the gun, it becomes a
mandatory minimum of 7 years, and if you fire it you get a mandatory minimum
of 10 years [1].

Contrast that to all of the hacking charges we've discussed recently where the
mandatory minimum is zero (a judge could sentence a convicted defendant to no
penalty, or to probation).

To go further, the US Sentencing Guidelines [2], which are all-but-mandatory
for federal judges (there's a constitutional out, but in effect most
defendants are sentenced according to the Guidelines) gives "wire fraud" a
base offense level of 7 (of 42+), which gives a sentencing range of either 0-6
months or 4-10 months, depending on how much economic harm is caused. Compare
that to robbing a bank, which is a base offense level of 22, brandishing a
firearm adds +5 for an offense level of 27, and if you actually make off with
any cash add another +2 for an offense level of 29 (of 42+). The sentencing
guidelines call for a sentence of 87-108 months (7-9 years) for a first-time
bank robber, per bank, assuming that nobody gets hurt---plus the mandatory
additional 5+ years for having a gun.

Realistically, bank robbers face a lot more time than even malicious computer
criminals.

[1] See section (c) of 18 USC 924
<http://www.law.cornell.edu/uscode/text/18/924>

[2] <http://www.ussc.gov/guidelines/index.cfm>

~~~
laumars
> "The federal penalty for possessing a firearm while robbing a bank is a
> mandatory minimum of 5 years and a maximum of life in prison. The mandatory
> minimum means that a judge could not sentence an armed bank robber for less
> than 5 years for each bank robbed while holding a gun (you don't even need
> to show it; just having it is enough).

What's more, you don't even have to have a gun for it to be classed as "armed
robbery". In the UK, just the threat of having a firearm is enough (you could
be brandishing a water pistol or even just making a gun gesture behind your
unzipped coat).

~~~
randomdata
This seems more like walking up to a teller and asking nicely in a clever way
if you could have all the money. Is it even a crime if the teller responds
positively to your request?

~~~
jlgreco
My suspicion is that yes, that would be a robbery if you ask in such a way
that the teller actually gives you money.

You could ask in such a way that it comes across as a joke ( _"Anything more I
can do for you today sir?"_ _"A million bucks and a winning lottery ticket
would be nice"_ ), but if it comes across as a joke then the teller isn't
going to give you any money.. because they think it is a joke.

~~~
randomdata
I think that is a reasonable interpretation, but sets a scary precedent. If
you are selling something and I, the buyer, say "I'd really like to get this
for free" and you respond, "okay, it's yours!" Can you come back and call on
me being a thief later?

> if it comes across as a joke then the teller isn't going to give you any
> money.. because they think it is a joke.

I'd also add that the _vast majority_ of malformed requests are denied. Only
computers that have a sense of humour, so to speak, comply with abnormal
requests. Computer security is much closer to this scenario than to carrying a
gun, I feel.

~~~
jlgreco
Yeah, in the real world there are a lot more factors to consider than just
the wording. How threatening the victim/potential victim feels the other party
is being is hugely important.

For example, there is a world of difference between a panhandler asking you
_"Hey, can I have a couple dollars"_ in a populated touristy area during the
day, and the same panhandler following you for several blocks at night before
asking you that in an alley. One is just panhandling, but the other is
effectively a mugging.

Computers don't really have those sort of cues, so it becomes difficult to
make reasonable comparisons between the two.

------
bstar77
I dealt with a situation at a college internship. The company was designing a
marketing campaign for Nokia, but we were having major problems with the
firewall software, which made for a very flaky Internet connection.

Long story short, my manager disabled the firewall and we were hacked that
night. I was let go the following day unceremoniously. I discovered soon after
that the company blamed me for the attack, saying I turned the firewall off
and hacked the servers myself.

The school immediately started expulsion proceedings without even contacting
me. Fortunately, my advisor personally addressed the issue and had everything
dropped. The drama only lasted a few days, but the school's brain-dead response
to the issue gave me zero confidence in their ability to review anything
objectively. I was so disgusted I refused to walk in the graduation ceremony,
much to my parents' disappointment.

------
puerto
Unauthorized security testing == Malicious attack

The actions of Mr. Al-Khabaz were unlawful and unethical. If he only
accidentally found the flaw and reported it to the responsible person, things
would be fine. But security testing without the permission of the system owner
is the same as unauthorized access attempt!

I have worked as a security professional for 7 years, and I recently did a
guest lecture at a college discussing an example like this. Most students were
not aware of where the problem is. Maybe it would help to imagine how a story
like this would look in the physical world: Let's suppose you come back home and
find someone picking at your door lock with a lock-picking tool. You ask him
"what are you doing?" and he says "I'm just checking whether your lock is safe.
I do it for your security." Would you believe him? Or would you call the police
immediately, without asking him anything? Let's add to this that security
testing tools can sometimes degrade the tested system's performance or
sometimes even crash it. In this case, it's not just an unauthorized access
attempt, but a successful denial-of-service attack!

Never, ever, do security testing of a system without the written
permission of the system owner. If you get the permission, you will probably
be asked to sign an NDA in return. You will also need to provide some
information, like the source IP address you're using and emergency contacts
that can be used to stop the testing in case of problems (like crashes, etc.).
This is the only lawful and ethical way to do these kinds of procedures on
someone else's system.

I'm not discussing if the penalty is OK in this case. It really doesn't matter
if most people here cannot tell what he did wrong in the first place.

~~~
stereo
It's his own data in the system, which makes this completely different. In
your lock picking example, it would be a landlord finding one of their tenants
picking their flat's locks.

~~~
chollida1
No it's more analogous to him trying to break into a bank vault because it has
his money.

~~~
marekmroz
If by breaking in you mean walking in through open, unsecured doors...

------
rdtsc
I've said this before -- don't bother being a "white hat".

The industry and the legal system don't have a pigeonhole for that. You'll
be labeled as a "hacker" (and not in the positive sense of it). Either disclose
the vulnerability immediately to get recognition, hoping it is public enough
that they'll be ashamed of going after you, or sell and profit from it. You are
already treated as a criminal by these large institutions, so if you go in
that direction you might as well make some money.

~~~
twentysix
It's certainly a grey area, and covering all your bases legally before embarking
on a penetration test would be a good idea. Even with all the legal formalities,
there needs to be a good level of trust between the client and the auditor for
things to go smoothly.

 _Two days later, Mr. Al-Khabaz decided to run a software program called
Acunetix, designed to test for vulnerabilities in websites, to ensure that the
issues he and Mija had identified had been corrected._

If you find a security flaw in a system and report it, receiving positive
feedback doesn't automatically imply that you have permission to conduct
further tests. A web application vulnerability scanner can cause damage to
production systems.

Almost anyone can just download a scanner and run a wild test using default
settings. But it's illegal to do it without prior authorization.

While his intentions were good, I think it was a bit naive of him to take upon
himself the responsibility to make sure the flaws were fixed and conduct a
test. Even when you have permission to conduct a test you stick to the scope
and limits of the agreement. You can't just keep leapfrogging networks as you
find holes.

Manually finding holes/bugs accidentally and reporting them is different from
running a vulnerability scanner.

I don't think he should have been expelled without being given a chance to
explain his story, and the way they did it was not ethical. The management
overreacted, especially considering there were no damages mentioned in this case.

[http://testlab.sit.fraunhofer.de/downloads/Publications/tuer...](http://testlab.sit.fraunhofer.de/downloads/Publications/tuerpe_eichler_Testing_production_systems_safely_-_Common_precautions_in_penetration_testing_TAIC_PART_2009.pdf)

<http://www.coresecurity.com/content/under-attack>

<https://en.wikipedia.org/wiki/Randal_L._Schwartz#Intel_case>

~~~
kibwen

> While his intentions were good, I think it was a bit
> naive of him to take upon himself the responsibility to
> make sure the flaws were fixed and conduct a test.

Given that his own personal information could have been exposed by this
exploit, it's just as likely that he was acting out of self-preservation
rather than merely due to feelings of personal responsibility. The only naive
bit here is that he obliterated his plausible deniability via 1) not allowing
more time between submitting the report and attempting the scan, and 2) not
masking his IP behind seven proxies.

------
sudhirj
Ahmed, if you're reading this, sorry about your college acting like idiots. If
finishing college is important to you, I'm sorry they've made it so difficult.

That said, please don't think this is going to end your career. There are a
lot of companies and startups that would love to have you for your kind of
initiative. Not having a degree that you don't seem to need anyway will not be
a sticking point with them. And the option of starting your own consultancy is
a possibility - you already have some publicity that can help with initial
gigs.

If you'd like to try your hand at a job, do check out ThoughtWorks
(www.thoughtworks.com). We don't usually stand on ceremony or make a fuss
about qualifications.

~~~
chm
He's technically still in Québec's equivalent of a US high-school 12th grade.
Since he's 20, he can wait a year and be accepted to a University.

~~~
aroberge
No, cegep has either 2 or 3 year programs. Year 1 is equivalent to US high-
school 12th grade. Year 2 of 2-year programs is equivalent to 1st year
university for B.A. or B.Sc. 3-year programs tend to be terminal degrees of a
more "technical" nature.

~~~
chm
I know. I thought he was in his first year of CEGEP.

------
eigenvector
Even aside from the fact that he was acting in good faith and did not cause
any damage to persons or property (as acknowledged by the software vendor),
the procedure used to expel him is woefully lacking. I sat on the highest
student discipline tribunal at my (Canadian) university and an expulsion for
non-academic reasons - which had to receive final approval from both the
President and the Governing Council - would only be recommended in cases
involving egregious and likely criminal misconduct and only after the courts
had found merit to the allegation.

Furthermore, any student faced with potential expulsion would have been
entitled to a series of quasi-judicial hearings and assistance in preparing
their defence. To expel someone for non-academic reasons from a publicly-
funded institution (which Dawson is) should not be taken lightly and surely
never in a fashion where the accused is not permitted to present their case.

~~~
gpcz
It was also a really crappy cover-up strategy on the school's part. By refusing
due process to Al-Khabaz and expelling him with zeroes for his last semester
grades, Al-Khabaz now had nothing to lose exposing both the security flaw and
the injustice to the press. If they didn't play all their cards at the same
time (like putting him on probation or something), he probably wouldn't have
gone public.

~~~
purephase
In all honesty, it is all of these reasons that make me believe that we're not
hearing the entire story.

------
bhickey
The CS faculty at Dawson (less one) should be embarrassed.

This happened to me twice in college, minus the expulsion part. In the less
interesting case the University sent around a form to be used in nominating
student speakers for commencement. It included a drop down that was keyed off
of student id. Student ids were regarded as private.

The school required everyone to either buy health insurance from them, or
provide proof of insurance. They had a webapp where you could report this
data. The login required your student id, name, and birth date (thanks
Facebook). If you visited the app after using it, the form auto-populated with
your health insurance information. I brought it to the attention of the
University and they took down their nomination app in a matter of minutes.

In the more exciting incident, someone at Sungard called my university and
asked them to have the campus police arrest me. (Edit: Quite boring, really
<http://seclists.org/bugtraq/2008/Jan/409>)

~~~
linuxhansl
"The CS faculty at Dawson (less one) should be embarrassed."

Now they are.

------
mathrawka
Back in 1999 when I was a freshman in university, my school had a server for
students to host their websites on and use Pine for email. The server did not
give shell access... but then there was a security hole in Pine that would
allow you to run chsh. So I did that, and got shell access. I think the worst
thing I did (other than running ls in a few directories) was use it to connect
to IRC.

Since I wasn't really trying to hide anything, one of the IT guys must have
seen me with shell access and reported me. My punishment was having my
ethernet turned off in my dorm room (even though the incident occurred in a
computer lab while the dorm's ethernet was not ready for use yet). I
appealed the decision and met with the Dean, and she said I was considered a
threat to the school so I should be happy that my punishment wasn't worse.

Anyways, the rest of the year in the dorm was spent playing a cat and mouse
game. I used my computer on my roommate's LAN port, so they ended up shutting
off his ethernet as well.. I felt bad about that, especially since they
refused to give him internet access for the rest of the year. So I ended up
making a 50 foot ethernet cable and running it through the bathroom into
another person's room (Two 2-person dorm rooms were connected by a common
bathroom). That got shut off, so I bought a new LAN card (to get a new MAC
address) and connected to another ethernet drop. I was able to get online for
the rest of the year, but that sure left a sour taste in my mouth for my
school.

Edit: I remember one close call... over a break (I was one of the few people
in the dorm), water came out of the shower drain and flooded our rooms. I came
back from spending the day out to see the Dean going into our room to inspect
the damage, and I quickly had to hide my 50 foot cable that went through the
bathroom.

~~~
eru
Was MAC spoofing not doable in 1999?

~~~
nivla
And sadly it won't be in the future. New Intel wifi cards have them
blocked[1], their new drivers even go out of the way to modify/intercept
Windows from doing it from the software side. Won't be long until other
manufacturers follow suit.

[1] <http://www.intel.com/support/wireless/wlan/sb/CS-031081.htm>

~~~
bentcorner
Sounds like we need a tor-like protocol for Ethernet.

------
herlifeinpixels
What's upsetting is the 14/15 professors who voted him to be expelled. Do
computer science professors not understand the concept of white-hat hacking?
Shame on them.

What message does this send to other students at Dawson? Don't be curious;
don't go out of your way to do a favour for the safety of your peers; keep
your mouth shut and we'll hand you your degree.

Someone give him a scholarship to a legit university!

~~~
droithomme
> Do computer science professors not understand the concept of white-hat
> hacking?

Unfortunately, if they were at all competent they wouldn't be teaching at a
place like that. CS programs at minor universities are notoriously poor and
staffed by whoever they could get, and it's not going to be anyone that can
make decent pay working on current technology.

~~~
doktrin
Perhaps CS is an exception, but I was under the impression that jobs in
academia (in general) were in woefully short supply.

While I'm sure they wouldn't get the cream of the crop, there's reportedly an
excess of under-employed & under-paid PhD's and post-docs in a number of STEM
fields (again, specifically in academia).

~~~
barry-cotter
CEGEPs are kind of a combination community college/last year of high
school/first year of university. They are teaching institutions, not research
ones. US community colleges can demand Master's degrees but not Ph.D.s to
teach. Mostly, people with Ph.D.s who can't get real academic jobs exit that
market rather than go to a CC.

Anyone who is actually teaching a CS course at a CC or a CEGEP and who is doing
it as a full time job is doing it for non-pecuniary reasons, inclusive of
being incompetent but having attained a qualification sufficient to teach.

------
kennywinker
There really needs to be legal protection for acts of white-hat hacking like
this. Both protection from prosecution, and protection from reprisal. This
kind of stuff isn't going to stop happening unless the act of finding and
reporting a security vulnerability becomes legally protected behaviour.

~~~
jahewson
The problem is that that would provide a legitimate cover story for black hats.
"Oh I was just doing a white hat scan".

~~~
freehunter
Here's the thing: black hats are _always_ scanning you. Where I work, a fairly
low-key place, we're currently being scanned on some of our ~100 Internet-
facing IP addresses with a frequency of 15 requests per second. This is
nothing uncommon. We get people on our guest network scanning us from the
"inside" as well (they think they're inside, at least. They have a 10.x.x.x
number, they're inside, right?)

Point being, if you can't hold up to a white hat scan, you're likely already
hacked. Security is how you enforce your policy. But it's only white hat until
data is compromised, and that's where the prosecution comes in.

------
dbbolton
The title is misleading. He wasn't actually expelled for finding the flaw; he
was expelled because, after reporting the flaw, he ran an exploit program on
the school's server without permission, allegedly to see if it had been fixed.
Had he only reported it, he would not have been subject to any disciplinary
action.

~~~
Gigablah
So the fact that the submission title is misleading makes the university's
heavy-handedness easier to swallow?

~~~
aquadrop
It just means that the whole article can contain more misleading statements and
be one-sided. Journalists... you know.

~~~
Zr40
The article could contain that regardless of whether the title is misleading.

------
just2n
_“All software companies, even Google or Microsoft, have bugs in their
software,” said Mr. Taza. “These two students discovered a very clever
security flaw, which could be exploited. We acted immediately to fix the
problem, and were able to do so before anyone could use it to access private
information.”_

Yes, even Google and Microsoft have bugs in their software. This isn't an
excuse to bully people who tell you about the bugs in yours. The difference
between you and Google is that Google pays people who find bugs in their
software, especially serious security flaws, even if they aren't employed by
Google, rather than threatening them with legal action.

------
biggeek
Most schools have an acceptable use policy for their students which covers
unauthorized vulnerability probing and port scanning.

I can understand Ahmed's youthful curiosity about whether the vulnerabilities
that he identified had been fixed...But he had handed off the info to the
Dawson College IT team and the ball was no longer in his court.

Running Acunetix against the college's/SkyTech's server(s) was a pretty dumb
move. But hell, when you are in your early 20s, that's when you are supposed
to make dumb mistakes.

I'm all for teaching moments, but this "One Strike And You Are Expelled" issue
irks me.

Ultimately, this is about Edward Taza of Skytech Communications being sleazy
and manipulative by threatening a scared, inexperienced 20 y/o college student
with expensive legal action and implying the possibility of jail time unless
he signed a non-disclosure agreement.

The EFF should probably take a look at this.

------
dmatthewson
Like most developers, I've stumbled into lots of security problems over the
years. The first few times I attempted responsible disclosure, but that
resulted in enough close calls that I simply don't report them anymore. I
document them. Sometimes I might mention them to others who have an interest.

I would now never report a security flaw without a iron clad set of laws in
place to protect the rights of white-hats, whether we are licensed and
approved security researchers or not.

~~~
codewright
I nearly got expelled from High School and pegged with a felony my Senior year
for noticing a vulnerability.

------
phaus
So why exactly did Taza (the incompetent president of the company responsible
for the security breach) mention "police" and "legal consequences" in his
conversation if he wasn't making a threat?

If you are going to be a lying asshole and deny something, do yourself a favor
and deny it outright. Don't try to imply that you were just having a friendly
conversation about "legal consequences" right before you solicit someone to
sign a non-disclosure agreement. No one in the world will believe you weren't
trying to intimidate this poor kid into compliance.

~~~
rtpg
Seeing how we don't have the actual logs of the conversation, who knows what
was actually said. This is the biggest problem with these stories: we only get
information through very partial observers.

~~~
phaus
That's why I only mentioned what the President admitted to saying.

------
tantalor
> The agreement prevented Mr. Al-Kabaz from discussing...

No, it didn't, because he was blackmailed into the NDA. It's completely
unenforceable. It was signed under duress and only benefited one party.

~~~
wpietri
You misunderstand the purpose of an agreement like that.

It's not like it magically binds your tongue. It just makes it easier to sue
you if you violate it. The fact that the student could win in a suit is
irrelevant. He couldn't afford the time and money to fight.

Before he signed the NDA, they would have had a harder time suing him. Perhaps
he could have spent merely $10k and gotten it quickly dismissed. After, the
company could make it arbitrarily expensive for him to fight it. If he could
have eventually proved coercion (which I'm honestly skeptical of) then he
would have been off the hook -- after years of stress and massive lawyer
bills.

~~~
tantalor
You're absolutely correct, I hadn't considered that.

------
plouvre
Who in their right mind would think it's a good idea to use a penetration tool
against their college?? The title is all wrong. He got expelled for using a
penetration tool, not for finding a flaw. He was congratulated for that! I heard
someone else from the team even got some kind of prize for it.

Sensationalist journalism is what it is. After a little bit of research, I
discovered it's written by someone who used to be in Dawson's Student Union,
so I guess he has a teeth against the administration.

"Ethan Cox is a 28-year-old political organizer and writer from Montreal. He
cut his political teeth accrediting the Dawson Student Union against ferocious
opposition from the college administration and has worked as a union organizer
for the Public Service Alliance of Canada."

~~~
hso9791
Maybe the right response would be to legally punish - by fine - both parties.

After all, there is private data insufficiently safeguarded. Some poor girl
could end up getting stalked if the right kind of sleaze came across this.

------
peripetylabs
I think the college administrators are bullying this student because they are
embarrassed.

The threats by the Skytech CEO Edouard Taza; the college not allowing the
professors to hear the student before voting; his transcripts vandalized with
zeroes so he cannot continue his studies elsewhere... What exactly is the
relationship between Skytech and this college?

I've signed the petition to reinstate Hamed:

<http://www.hamedhelped.com/petition/>

Hamed, stick to your guns. You did the right thing.

~~~
Khao
I used to work at Skytech. We already had a case of a student discovering a
flaw in our code while I was there and things went very smoothly. We contacted
the student, he told us what the flaw was, we corrected it. Edouard made him
sign a non-disclosure agreement and made him delete all the data he had gotten
from our servers and that was the end of it. This student was a brilliant
student with excellent grades just like Hamed.

Now why is this story different this time? I'm not too sure since I've left a
couple years ago, but my guess would be that the college administrators have
taken this decision. Knowing Edouard Taza, I doubt he would have pushed for
this student to be expelled, since he clearly has a great future in software
and could be one day employed at Skytech to fix even more security holes.

Edit: hadn't finished reading the article, it seems the professors decided to
kick the student out: "Following this meeting, the fifteen professors in the
computer science department were asked to vote on whether to expel Mr. Al-
Khabaz, and fourteen voted in favour." To me what this says is their computer
science department is full of idiots. Any good CS professor would have
understood that Hamed didn't have any malicious intent.

~~~
unreal37
No, what this tells me is that Mr Al-Khabaz continued trying to hack the
server even when told to stop. What's the difference between the reaction we
all expect (including your story) and this? The difference is Mr Al-Khabaz
continuing to try to break into the web servers.

He got kicked out of CEGEP. He'll survive unharmed. Sad that he thinks getting
publicity is worth it though.

------
d0m
So.. here's something that happened to me in my engineering software
university.

A friend of mine had just had a summer internship in a security firm and learned a
trick or two. And, looking at the HTML/JavaScript code of a page, there was an
obvious entry point that gave access to anyone else's account provided you had
their student number (i.e. skip the password step).

So my friend showed it to me and I suggested he tell the IT department.
Obviously, the next thing we know, he's accused of "hacking" and gets menaced
by the IT department.

A couple days later, we check back the website and realize that a trivial
_encryption_ is added.. I.e. you have to reverse the student number or
something like that. And, obviously, just on the client-side.

A little bit pissed, we decided to take our revenge for being menaced for just
being nice. So we created a web page that explains the story (that we found
an entry point, that we told IT, etc.) and then says "Try it!" [<enter
student number>], which directly logs you into their account.

We e-mailed that page to the main directors of the school, suggesting a quick
fix. And we made sure to CC the IT department.

The day after it was fixed and we received a real "thanks" from the authority.
I guess the trick is to contact a higher authority rather than directly
contacting the IT department.

------
AYBABTME
I'm going against the general idea here, but the college issued a statement:

<http://www.dawsoncollege.qc.ca/home>

Basically, they say Ahmed did more than just what is reported in the article,
and they can't publicly say what he did - because that's private info about
Ahmed that they're legally obliged to protect.

Now I'm not taking a position in favor of the college or in favor of Ahmed.
I'm just saying, it's not all black (or white). The National Post article is
biased and we're missing some info. We should remember about that before going
crazy on the witch hunt.

~~~
politician
Perspective: That bit about protecting his privacy is the same sort of excuse
Ortiz's office gave in their initial response to Aaron's death.

~~~
AYBABTME
Might be used as an excuse, but they're indeed not authorized to disclose a
student's mischiefs to the public, or any other info as it stands.

------
kirillzubovsky
I love the part of the story where the guy naively assumed that it would take
his school less than two days to fix the vulnerability. In reality, would
probably take them months.

How long did it take Sony to fix their issues? Oh, right, it took someone to
expose it publicly. Heh. It's unfortunate how broken some IT organizations
are and that they would rather kill the messenger than fix things.

~~~
chii
It's apathy. The people "responsible" for the service don't actually care, and
perhaps probably won't be punished for the failure of the service. Hence, the
vulnerability (and the publicity) only makes more work for them - therefore,
they shoot the messenger as a form of blame/revenge.

------
Karunamon
This headline is somewhat misleading. The student was expelled, not for
finding and disclosing a security flaw (he was actually congratulated and
thanked for this), but for later running a pentest software suite _without
permission_ to "verify" if the bug had been fixed.

That's not to say that the expulsion still doesn't reek of BS, but Ahmed's
hands are not completely clean here.

~~~
tomp
That is probably just their excuse. I think it's quite reasonable to check if
someone fixes a security flaw that puts your own information to the risk. It's
like trying to open (without the key) the safe at the bank that has your money
in it.

~~~
Karunamon
Try walking into the safe deposit box area at the bank absent escort or
previous notification and see how that works out for you.

Again, the school is on record as giving him kudos for reporting the error -
it's perfectly reasonable to assume that someone will not launch _offensive
penetration testing tools_ at your site, _without notice or permission_ , just
because they have reported the bug in the past.

He could have tested the bug without the pentest software, besides. Just
because someone points out a crack in your window doesn't give them carte
blanche to try breaking it after you said you fixed it.

~~~
Dylan16807
The webserver _did_ escort him into the room with the safe deposit boxes.

He has a key, they let him in, that's their job. The problem is that he could
open his box, or any other box, without actually _using_ the key.

~~~
Karunamon
We're laboring a physical analogy quite hard, here.

Again, the problem isn't that he found and disclosed a bug, the problem is
that he attempted to exploit that bug after the fact.

You _do not_ have the right to do that. Pure and simple.

Finding and disclosing a bug is one thing, utilizing it is something else
entirely.

~~~
Dylan16807
He was not 'exploiting' it. He was checking if it _could_ be exploited, just
performing a gentle tug.

------
hn-miw-i
Problem is he used an auditing/penetration testing tool POST disclosure, and
did it without authorization. The availability of these tools puts weapon
grade exploits in the hands of those with limited understanding of the
consequences. I don't have an issue with the availability -- best we lighten
our history with Full Disclosure and provide best of breed tools to simulate
attackers -- however, responsibility and individual accountability is at an
all time low. These tools will light up the alarms immediately and the user
will have limited understanding.

Let's assume it was not SQLi but an authorization application logic bug, i.e.
changing a parameter passed by the browser allowed access to the whole record set. He
did the right thing and told the vendor -- but after the fact he ran a tool
that probably simulated SQLi on every damn parameter! Like smashing a car
window after telling the owner he has left it unlocked.

Even a brain dead sysadmin would notice it in the logs, and likely whatever
SIEM would fire a high priority alert.

He did this without auth and the company did the right thing here. In this
post aaronsw world we can't just assume that every n00b clown whitehat hacker
is totally innocent of all crimes even if done with the best intentions.
People need to take responsibility for their actions. An ignorant click can be
just as criminally negligent as stabbing a dude in the face.
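
The authorization bug hn-miw-i sketches (a record id from the browser trusted without an ownership check) and the "anyone would notice it in the logs" point, as an added example that is not from this thread or from Skytech's Omnivox code. The record data, the handler names and the access-log format are all constructed for the illustration:

```python
"""Added example (not from the thread): an object-level authorization bug
of the kind described above, its fix, and a simple log check that flags
the enumeration pattern such a bug invites. All data is constructed."""
from collections import defaultdict

# Constructed sample data: student records keyed by the id the browser sends.
RECORDS = {
    1001: {"owner": "alice", "name": "Alice Example", "sin": "***-**1-001"},
    1002: {"owner": "bob",   "name": "Bob Example",   "sin": "***-**1-002"},
    1003: {"owner": "carol", "name": "Carol Example", "sin": "***-**1-003"},
}


class Forbidden(Exception):
    """Raised when the authenticated user does not own the requested record."""


def get_record_vulnerable(session_user, record_id):
    """Buggy handler: trusts the id from the request and never checks ownership,
    so any logged-in user can walk the whole record set by changing the id."""
    return RECORDS[record_id]


def get_record_fixed(session_user, record_id):
    """Fixed handler: the authenticated user may only read records they own.
    A missing record and a foreign record get the same answer, so the id
    space cannot be probed through the error message."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session_user:
        raise Forbidden(f"{session_user} may not read record {record_id}")
    return rec


def is_allowed(session_user, record_id):
    """Boolean wrapper around the fixed handler, convenient for tests."""
    try:
        get_record_fixed(session_user, record_id)
        return True
    except Forbidden:
        return False


# Constructed access-log lines (hypothetical format): user, record id, HTTP status.
SAMPLE_LOG = """\
alice 1001 200
bob 1002 200
bob 1001 200
bob 1003 200
bob 1004 404
bob 1005 404
carol 1003 200
"""


def find_enumeration(log_text, threshold=3):
    """Return users that touched at least `threshold` distinct record ids.
    A run of different ids from one session is the signature of someone
    walking the record set, whether the server answered 200 or 404."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        user, rid, _status = line.split()
        seen[user].add(int(rid))
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(get_record_vulnerable("bob", 1001)["name"])  # leaks Alice's record
    try:
        get_record_fixed("bob", 1001)
    except Forbidden as e:
        print("blocked:", e)
    print(find_enumeration(SAMPLE_LOG))  # ['bob']
```

The fix is the ownership check, not obscuring the id: the log check is there to show that even with the bug unfixed, the enumeration pattern is visible in ordinary access logs.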

~~~
Dylan16807
What is with all these analogies that equate testing with smashing things.

Stop it.

Stop. It.

------
eduardogonzalo
My name is Eduardo Gonzalo Agurto Catalan, I am an entrepreneur in the field
of IT security and a digital rights activist. I would like to have Ahmed Al-
Khabaz's e-mail or other contact information in order to contact him and
discuss how I and a few fellow experts could help him. We believe it is a
great injustice and that the business community cannot stay passive towards
this situation which we perceive as a kind of bullying. You can contact me:
eduardogonzalo@hotmail.fr

------
HelgeSeetzen
Ahmed, I am assuming that you are following this discussion.

Based on the article, your life probably doesn't feel so good right now. Sorry
to see a bright person in such a situation.

Give me a ring if you are looking for an internship, job or start-up
experience in Montreal. We are in town (walking distance from Dawson
actually). By the nature of our business, we also have good connections with
academia if that can help (www.tandemlaunch.com).

My login is my name so you can reach me at
[firstname].[lastname]@tandemlaunch.com

------
ck2
Maybe the answer is if you find a problem like that, don't keep it a secret
between you and the person in charge.

Just go to the school paper or town paper and let them report it.

He did great up to the point where he tried to pen-test after reporting it. I
understand the intellectual curiosity to see if people are doing their jobs
and it's too easy to armchair quarterback but if you bring attention to
yourself by reporting a problem you can be sure they will watch you and not
necessarily the problem.

------
sebcat
While I do not agree with the way this student was being treated, running
Acunetix on a system is quite invasive. Regardless of his intent, the
consequences might have been data loss and/or denial of service if the system
was built poorly enough. Doing extensive vulnerability assessments without
consent is really not a good idea.

------
mikeleeorg
I hope someone offers him an internship or job. It sounds like he may have a
lot of raw talent.

~~~
eru
Or at least attitude. Which transforms into talent anyway in the long run.

------
kamaal
This is a perfect example of 'No good deed goes unpunished'.

The best action to take while you find a security flaw is to do nothing. Let
some one evil abuse the flaw and make the guys miserable enough to realize the
importance of a responsible disclosure.

Without this the guy's ego is going to take this as 'How dare he point out a
problem in my/our work' and not 'Thanks for saving my life before somebody
could screw me'.

------
aaron695
Am I the only one that sees that the title/headline is pretty close to a lie
and that he ran a 'Web Vulnerability Scanner' on someone else's web site?

This is illegal! Most people seem to be missing this.

If you're going to break the law at your own University at least cover your
tracks.

Don't annoy the crap out of them (rightly or wrongly) then go on to black hat
them.

------
chris_wot
"This type of software should never be used without prior permission of the
system administrator, because it can cause a system to crash."

Remind me to never, ever use Omnivox, or any Skytech software, ever.

~~~
d0m
You probably won't have to, but as a student, you don't have the choice ;)
Your course information, schedule, homework, etc. is all on it.

~~~
chris_wot
In Australia, I'm happy to say all I need to do is report a data leak to the
privacy commissioner and they'll basically investigate what's happening and
force changes.

------
dutchbrit
Reminds me of when I was a kiddo, I almost got expelled because I found a
security issue in the school's network. I could access everyone's files. They
also didn't like it when I pointed out they were running cracked versions of
Macromedia Flash on all their PCs. Let's just say, I'm glad I didn't get
expelled. But I'm pretty sure they just saw me as an annoying fuck & that's
all. I don't think they really cared, but were 'forced' to put time and effort
into making their network more secure.

------
zobzu
Happened to me in 2000 in France. Same sort of stuff. Didn't kill my career.
Just went elsewhere. I guess the French education system at least had this
that it couldn't ban me nationwide :)

------
jbm
Clearly the negative reputation Dawson CEGEP has should be applied to the
administration, and not the students.

What a clusterfuck. Since when do CEGEPs expel students for running security
checks?

------
kyllo
Maybe consider punishing the negligence of the person who wrote the insecure
code instead? But I don't think most people, especially lawmakers, even
understand that security vulnerabilities are caused by flawed code, which is
caused by human error. So they tend to shoot the messenger instead.

------
realrocker
I was in a similar situation in college. Was asked to sign a Non-Disclosure
Agreement or get arrested. Told them to go to hell and file a lawsuit if they
want to. Nothing happened eventually. Thank God for the excruciatingly
painful justice system of India :P

------
munin
it seems like there's more to this story, and the more to this story is around
his actions two days after the report.

I've seen things like this happen before. You find a bug, you report it, they
tell you "oh we're getting on it immediately". Some time goes by and you
think, hey, did they fix it? You look, discover "nope", think "man I bet those
guys would fix it if I lit a fire under their ass" and try and use the bug to
deface the site, or something.

this is logic that makes sense to a 20 year old (speaking as a former 20 year
old..). I've seen that happen before. the article doesn't say this, but
perhaps reading between the lines the second attempt did not have a pure
motivation behind it...

------
Gilipe
A fellow student and I discovered a similar flaw in my college's system a few
years back, but not as serious as this (no social insurance numbers, but
emails, full names, phone numbers and addresses).

We brought it to the attention of the head of the IT Department by email.
Later that week, the head visited our morning class to discuss this with us.

He discussed the issue with the class and actually acknowledged his appreciation
for students like us for reacting promptly and responsibly over the issue.

------
olalonde
It doesn't come much as a surprise to me that Omnivox has at least a few
security flaws. I had to use it during my CEGEP years in Montreal and it's a
huge piece of garbage.

------
janisjanis
He's too good for college. He should just start his own IT security company.

------
denzil_correa
I believe Skytech should hire this bloke for a "and they lived happily ever
after" story. It's essentially a win-win for Skytech.

~~~
phaus
After the way this was handled, I'd live in a cardboard box before I worked
for this company. You can't have a healthy working environment without trust.

I'd give it a shot if they fired their president, but that's an unrealistic
expectation.

~~~
denzil_correa
Do you think there is a chance that the university overreacted without the
company in the loop?

~~~
phaus
The president of the company is the one who allegedly intimidated the student
into signing an NDA by threatening to call the police and have him arrested. If
that's how it happened, then it's irrelevant what the school did.

~~~
denzil_correa
> _The president of the company is the one who allegedly intimidated the
> student into signing a NDA_

Missed that part - now it makes me think back on my suggestion. Probably, he
should just look around on HN. :-)

------
mossplix
No good deed goes unpunished

------
kimmel
I would like to point out that open source projects love, absolutely LOVE when
you report security bugs to them. Many projects have procedures and special
mailing lists to get a hold of the correct people in a prompt manner.

To me this stinks of the "closed mind" problem.

------
malandrew
I'm wondering if that NDA included the clause that urges you to get advice
from a lawyer. The conditions under which he signed it sound very suspicious
(i.e. coercive language) and I wonder if it would be grounds to nullify the
NDA entirely.

~~~
illuminate
I'm curious, how often does this occur?

"included the clause that urges you to get advice from a lawyer"

I can't recall being offered a NDA with this language.

~~~
malandrew
All the contracts of some form or another in the jurisdiction of California
that I've reviewed recently include some language to that effect, usually at
the end among the warranties and disclaimers.

------
lilsunnybee
There should really be a Department of Computer Security run by most national
governments where people can anonymously report exploits, and that Department
takes care of contacting the company or organization. If that group also deals
with certain types of personal information that is threatened, they should
have 30-60 days to demonstrate that they addressed the vulnerability
appropriately, or face penalties.

It's really dumb that we're this far into the internet age already and
companies and organizations can still play it so fast and loose with security
and personal information. It's irresponsible and negligent.

~~~
GFischer
There are "Computer Emergency Readiness Teams" in most countries, the United
States one is

<http://www.us-cert.gov/>

The one in my country gets anonymous exploit reports for state-run software.
Not sure what they do with them though :)

------
rurounijones
The administration of Dawson College clearly saw things differently,
proceeding to expel Mr. Al-Khabaz for a “serious professional conduct issue.”

He is a _student_, how can he have a "professional conduct issue"?

------
cantos
I've only reported a security issue once and wouldn't do it again. In this
case a vendor and IT had agreed to allow several security settings to be
disabled temporarily, making all user passwords easily available in the
process, but then had apparently forgotten and left things vulnerable for 6
months. IT had to brief some senior people who then started freaking out about
hackers. I was lucky to just get off with a few people annoyed with me.

------
krspaul
Kids make mistakes sometimes, and it's unfortunate during this period of
transition to adulthood that they fall victim to the swift guillotine of
collegiate justice - which, unlike a court of law, you don't get representation,
you don't get a fair trial, you don't get allowed an intermediary who can
communicate 'language' between both sides. You don't even get protections like
freedom of speech these days.

It's all a flow chart if you make a mistake in school, no matter if it's tech
stuff like this, or anything really. We live in a world of corporations,
lawsuits and lawyers, insurance & liability - no room for grey area anywhere
in there. Where's the incentive for the school to care? They already got your
money.

The worst part for the students is - they can have all sorts of good feelings
built up towards their professors & classes. Then the administration comes in
and manages to sour all those feelings. Those same professors, who may think
the world of you, can't do a thing because at the end of the day it's c.y.a. -
and you're all alone.

College kids need to get educated about how college justice works if you screw
up - it's always too late when they do learn..... Let's spend money on athletic
complexes instead, right?

------
JimmaDaRustla
Apparently he refused to "cease and desist" his actions. So...he brought on
the expulsion!?

Dawson statement on the article: The reasons cited in the National Post
article for which the student was expelled are inaccurate. The process which
leads to expulsion includes a step in which a student is issued an advisory to
cease and desist the activities for which he or she is being sanctioned,
particularly in the area of professional code of conduct.

------
sopooneo
I think hackers need to realize that this type of reaction is the norm. If you
find an exploit then use your discretion in deciding to report it, but don't
be naive. There is no reason to risk martyring yourself for someone else's
interests. The risk to those (including yourself) whose information is
vulnerable should be taken into account, but countered by the risk that you
will be persecuted for bringing the problem to light.

------
readme
I don't agree that expulsion is the correct reaction, but when he ran the pen-
test software, what he was doing was wrong. It's one thing to stumble upon a
bug while you're developing an app, and report it. That's totally respectable.
Running pen-testing software without permission is akin to walking up to a
stranger's home and testing that all the windows are locked, with a crowbar.

~~~
randomdata
I can't help but feel a better analogy is finding a rip in the seat of a bus,
reporting it, and then poking at the rip a few days later to see if it has
been repaired. Going at someone's windows with a crowbar doesn't seem to fit
the situation at all, in my opinion.

~~~
unreal37
No, he didn't check if this one bug was fixed. I mean, he could have done that
without downloading pen test software - just by checking what he previously
checked to discover the bug in the first place.

What he did do was download pen test software to automatically check the
website for flaws AFTER BEING TOLD NOT TO. He went to every bus and checked
every seat, door, window, engine, tire, seat belt for dozens of different
flaws without permission.

And yes, pen test software can be destructive. It can put bad data in a
database, crash a server, overrun log files, and corrupt things. Penetration
testing is not a passive process.

------
lucastech
People are always afraid of what they don't understand, but to think that
prosecuting or punishing people for helping prevent malicious people from
finding these types of bugs is just ignorant. No ones code is perfect, and it
often takes dozens of eyes before issues like this are found.

The longer people are punished for helping, the worse our "cyber security"
will digress moving forward.

------
antsam
Found a bug like this at my school and reported it a few months ago. The guy
who responded to me said he'd fix it but it's still live :(

~~~
throwaway125
I've had similar encounters with privately disclosed vulnerabilities that are
still live years after the fact. What is the right course of action here? If
you just wait out and the vulnerability eventually gets exploited they could
blame whoever reported it "because he was the only one who knew". You can't
really anonymously disclose it after privately reporting it either, because
they'll quickly link it to who reported it before.

------
drucken
Two completely different issues:

1. Exploit discovery.

2. Automated service attack.

From the information given, it seems Al-Khabaz did exactly or better than what
was expected of him for the first.

But why, if he was simply checking for the existing vulnerability after informing
of the first, did he launch an automated attack?

I suspect Dawson College has sound reasons to treat him the way they did for
both instances.

------
RRRA
Go sign the petition here: <http://hamedhelped.com/petition/>

------
runarb
Looks like this news is starting to go global. Even the local IT newspaper here
in Norway has an article about it:
<http://www.digi.no/909958/utvist-etter-aa-ha-varslet-om-saarbarhet> (in Norwegian).

The Streisand effect has struck again :)

------
73ChargerFan
Company offers scholarship to Dawson student who exposed security flaws

<http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html>

------
georgespencer
Ahmed if you're reading this and looking to get into software engineering,
drop me a line (email in profile). I run a venture-funded startup and would be
happy to take care of relocating you if your technical abilities are up to
scratch.

------
jokeofweek
Just to let you know, Dawson wrote a response to the media which can be seen
at <http://www.dawsoncollege.qc.ca/>

------
WinnyDaPoo
He treaded on thin water and he fell in. He should have asked for explicit
permission to start pentesting instead of putting his academic career in a
volatile state.

~~~
GFischer
However, if the article framed things correctly, the college's response is
overkill.

I would have given him a second warning.

------
jiggy2011
There needs to be (if it does not already exist) some method of doing
completely anonymous and confidential disclosures that somehow get to the the
right person.

------
sergiotapia
There is a difference between finding an exploit accidentally and reporting it, and
running a penetration testing tool on a production server.

What did this kid expect?

------
awfkawekfjn
I know of a similar vulnerability in another large French school management
system, but this just gives me one more reason not to report it.

------
MarlonPro
What Mr. Al-Kabaz would have done is secure a lawyer before he signed the NDA.

------
vezycash
**Warning to hackers**

Hackers are the new Sicilians and blacks.

Don't snitch.

Snitches get punished both by:

    The person being snitched upon
    The person who is being snitched to.

This article and many other comments herein support this view.

------
GiraffeNecktie
As the saying goes "No good deed goes unpunished."

------
namank
Tweet this link to Anonymous. I just did.

<https://twitter.com/naman_k/status/293252007878328320>

~~~
namank
While I was expecting downvotes for this comment, I was also looking forward
to the discussion that should arguably accompany such downvotes.

But that, of course, is a privilege exercised by the downvoter and rarely ever
happens!

~~~
Dylan16807
If you know why you got downvoted then you don't need someone to explain it to
you.

There are less-irritating ways to start a conversation than trying to be 'loud
and wrong'.

~~~
namank
Perspectives matter. There isn't only one way of being wrong; or right for
that matter.

------
outside1234
the worst part about this whole article is that the professors voted to kick
him out -- not the pointy hairs.

------
securitywiz
shall we all assume it was an sql injection? does anyone know what the actual
vulnerability was?

~~~
tantalor
Almost certainly a query parameter, since he was reverse engineering their API
it would be obvious.

For it to be a SQL injection, he'd have to have been looking for
vulnerabilities.

~~~
nwh
While it's probable he found some issue with permissions in the queries,
stumbling on SQL injection is easier than you'd think. For a very short period
I used a completely random (any ASCII character) password generator for
websites, but I quickly realised that the ' and " characters were breaking the
vast majority of sites I logged in to. Plaintext passwords in a database
without escaping; about the worst password storage you can get.
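
What nwh describes (a password containing `'` or `"` breaking the login query of a site that stores plaintext passwords and builds its SQL by concatenation), as an added example that is not from this thread or from any site mentioned in it. It uses an in-memory SQLite database with constructed user accounts, and sets the broken login beside a parameterized, salted-hash version:

```python
"""Added example (not from the thread): why a quote character in a password
breaks a login that concatenates it into SQL, and the parameterized, hashed
alternative. In-memory SQLite, constructed accounts, no network."""
import hashlib
import hmac
import os
import sqlite3


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def setup_db():
    """Create both schemas and load two constructed users; bob's password
    contains both quote characters nwh mentions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (name TEXT, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (name TEXT, salt BLOB, hash BLOB)")
    for name, pw in [("alice", "correct horse"), ("bob", "it's a \"quote\"")]:
        # Even the plaintext table is loaded with a bound parameter, so the
        # quotes are stored faithfully; only the lookup below is broken.
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (name, pw))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
                     (name, salt, _hash(pw, salt)))
    return conn


def login_vulnerable(conn, name, password):
    """Plaintext password compared inside a concatenated query. A quote in
    the password (or the name) changes the statement, and SQLite raises
    OperationalError on the resulting syntax error."""
    sql = (f"SELECT 1 FROM users_plain WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, name, password):
    """Bound parameter for the lookup, salted hash for the comparison: the
    password never reaches the SQL parser and is never stored in the clear."""
    row = conn.execute("SELECT salt, hash FROM users_hashed WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_hash(password, salt), stored)


def vulnerable_login_outcome(conn, name, password):
    """Return 'ok', 'denied' or 'sql error' so the two paths can be compared."""
    try:
        return "ok" if login_vulnerable(conn, name, password) else "denied"
    except sqlite3.OperationalError:
        return "sql error"


if __name__ == "__main__":
    db = setup_db()
    for user, pw in [("alice", "correct horse"), ("bob", "it's a \"quote\"")]:
        print(user, "concatenated:", vulnerable_login_outcome(db, user, pw),
              "| parameterized:", login_safe(db, user, pw))
```

The visible symptom on nwh's sites (a login page erroring on a quote) is the same condition that makes the query injectable, which is why the fix is binding the value rather than filtering characters out of passwords.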

------
john_fushi
This story is somewhat complex, and lacks information on many aspects. I've
made a kind of TLDR of what happened and added my thoughts. I've also cross
compared the information given in the article with that available on
Dawson College's web page and Skytech's Omnivox.

[he was] working on a mobile app to allow students easier access to their
college account [.] -> Did he have authorisation? -> From who did he have
authorisation? -> Omnivox does not seem to have a public API.

“I saw a flaw which left the personal information of thousands of students,
including myself, vulnerable,” "I felt I had a moral duty to bring it to the
attention of the college and help to fix it, which I did. I could have easily
hidden my identity behind a proxy. I chose not to because I didn’t think I was
doing anything wrong.” -> Did he try to fix it, or only bring it to the
attention of the college? -> Did he inform the college he tried/would try to
fix the flaw? -> Did he try to fix the flaw after or before meeting with the
college?

"Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their
work and promised that he and Skytech, the makers of Omnivox, would fix the
problem immediately" -> Mr. Paradis is Dawson's Director of Information
Services and Technology -> I specify this only because it is not clear from the
article if he works at the college or at Skytech

"Mr. Al-Khabaz decided to run a software program called Acunetix" "to ensure
that the issues he and Mija had identified had been corrected" -> Did they use
Acunetix the first time? -> If yes, did the college know? Did Skytech notice?
-> Otherwise, why? They found the flaw without Acunetix

"Taza explained that he was quite pleased with the work the two students did
identifying problems, but the testing software Mr. Al-Khabaz ran to verify the
system was fixed crossed a line."

The administration of Dawson College clearly saw things differently,
proceeding to expel Mr. Al-Khabaz for a “serious professional conduct issue.

Following this meeting, the fifteen professors in the computer science
department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen
voted in favour. Mr. Al-Khabaz argues that the process was flawed because he
was never given a chance to explain his side of the story to the faculty ->
Were there other incidents that could have influenced the judgment? ->
Colleges rarely want to expel students who ace all their courses. Especially
in CS with the high rate of failure.

-> According to the college: The process which leads to expulsion includes a
step in which a student is issued an advisory to cease and desist the
activities for which he or she is being sanctioned

-> This, along with the "He said that this was the second time they had seen
me in their logs", tends to indicate he probably ran the test multiple times.
Or, the first time he found the flaw, Skytech took him for an attacker and the
college warned him to stop development on his application. This would
indicate that he had no authorisation to do so.

------
maeon3
When it comes to software and security flaws, finding them is like an exercise
in witchcraft.

Throw the person who found the software bug into the lake, if they float, then
they were a witch, and deserve to die.

And people wonder why security is so poor and Chinese hackers find it so easy
to hack into all our stuff. Because America Punishes people who focus on
bulletproof secure code.

I guess we'll need to hire some special interests to pay-off the news networks
cnn/fox/msnbc/etc to add the "Hackers are not witches" to their narratives. We
would probably need bribes on the order of billions.

------
contingencies
Shame on the faculty! Fire the faculty! I am sure this sort of thing wouldn't
fly in France. Looks like Quebec is letting down the Francophone team. Liberté,
Égalité, Fraternité!

~~~
rtkwe
Do you mean the dean who ran the judicial hearing? If anyone were to have
their heads roll so to speak for this it would be his. The faculty that voted
were simply acting on the best information which was presented to them.

~~~
contingencies
People who are supposed to be the shepherds of an environment that fosters
free-thinking openness, curiosity, creativity and learning should not lend
credence to witch-hunts. If they have a critical-thinking faculty to match
their titles, then they should very well have realised that the process they
rubber-stamped was one-sided and questionable.

