Student expelled from College for running a vulnerability scanner following his discovery of a secur
[quote="The National Post"]A student has been expelled from Montreal’s Dawson College after he discovered a flaw in the computer system used by most Quebec CEGEPs, one which compromised the security of over 250,000 students’ personal information.
Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”
“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,” said Mr. Al-Khabaz. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”
After an initial meeting with Director of Information Services and Technology François Paradis on Oct. 24, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”
The agreement prevented Mr. Al-Khabaz from discussing confidential or proprietary information he found on Skytech servers, or any information relating to Skytech, their servers or how he accessed them. The agreement also prevented Mr. Al-Khabaz from discussing the existence of the non-disclosure pact itself, and specified that if his actions became public he would face legal consequences.
When reached for comment Mr. Taza acknowledged mentioning police and legal consequences, but denied having made any threats, and suggested that Mr. Al-Khabaz had misunderstood his comments.
“All software companies, even Google or Microsoft, have bugs in their software,” said Mr. Taza. “These two students discovered a very clever security flaw, which could be exploited. We acted immediately to fix the problem, and were able to do so before anyone could use it to access private information.”
Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.
“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”
The administration of Dawson College clearly saw things differently, proceeding to expel Mr. Al-Khabaz for a “serious professional conduct issue.”
“I was called into a meeting with the co-ordinator of my program, Ken Fogel, and the dean, Dianne Gauvin,” says Mr. Al-Khabaz. “They asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem.”
Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour. Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty. He appealed his expulsion to the academic dean and even director-general Richard Filion. Both denied the appeal, leaving him in academic limbo.
“I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I won’t be able to get it. My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled.”
Morgan Crockett, director of internal affairs and advocacy for the Dawson Student Union, agrees.
“Dawson has betrayed a brilliant student to protect Skytech management,” said Ms. Crockett. “It’s a travesty that Ahmad’s academic future has been compromised just so that Dawson and Skytech could save face. If they had any sense of decency, they would reinstate Ahmad into [the] computer science [program], refund the financial aid debt he has incurred as a result of his expulsion and offer him a full public apology.”
Repeated calls to various members of the Dawson administration were not returned, with the college citing an inability to discuss an individual student’s case on legal and ethical grounds in a statement released by their communications department.[/quote]
[url]http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data/[/url]
[url]http://www.hamedhelped.com/[/url]
This guy was a former classmate of mine, and I'm ashamed of my school and my teachers for having removed him from the college in such a manner. While I agree that he definitely shouldn't have run the scanning software, the consequences are far too dire for his actions, especially considering his intentions were only to help.
There's a [url="http://www.hamedhelped.com/petition/"]petition[/url] on the site linked above if you'd like to help.
[editline]More info as the story develops[/editline]
[quote="CBC"]The Dawson College computer science student who was expelled after discovering a security breach in a system used by students across Quebec has been offered a scholarship by the company behind the software.
"We will offer him a scholarship so he can finish his diploma in the private sector," said Edouard Taza, the president of Skytech.
Taza said he also reached out to Hamed Al-Khabaz, 20, and offered him a part-time job in information technology security.
The student said he was surprised by the offer because he said Skytech had done nothing to help him since being expelled from Dawson College.
Dawson, however, said it stands by its decision to expel Al-Khabaz for breaking the school's code of conduct.[/quote]
Full article [url]http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html[/url]
Interview with Hamad [url]http://www.cbc.ca/player/Shows/ID/2327699115/[/url]
Interview with Director General of Dawson [url]http://www.cbc.ca/homerun/2013/01/21/dawson/[/url]
[editline]Jan 22[/editline]
Teacher from Computer Science faculty writes into the Gazette posing some questions, claiming the full story has not been revealed
Teacher's letter [url]http://www.montrealgazette.com/opinion/Letter+Dawson+computer+prof+backs+college+decision+Ahmed/7854144/story.html[/url]
Hamad Helped campaign's response [url]https://www.facebook.com/HamedHelped/posts/569901043039008[/url]
Timeline of the events by Hamad Helped campaign [url]https://www.facebook.com/HamedHelped/posts/275887802536695[/url]
-backpedal-
Dawson's faculty are elitist pricks.
[quote]“I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I won’t be able to get it. My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled.”
Despite Hamed’s insistence that he had no criminal intent, Dawson has rejected his appeal, awarded him zeroes in all his classes and tarred his transcript, essentially ruining his academic future. To make matters worse, he has been ordered by the Province of Québec to refund the bursaries he had received for the 2012-2013 Academic year. He has also been threatened with criminal charges and jailtime.[/quote]
Fucking ridiculous.
Stuff like this makes me sad. Seriously, some people will do anything to cover their arses, even if it means ruining a person's life to do it.
That's absolutely fucking atrocious. This kid's obviously pretty tech-savvy, and just because some fucking CEO threw a bitch-fit he's been failed in everything? How is this even legal?
[B]Edit:[/B] Nope, still can't believe this. How can a corporation have the power to ruin somebody's life? This kid was doing them a fucking favour, and they reward him by ensuring he will never ever get a job?
Hopefully this can be turned into a case of so much outrage that they backpedal straight off a cliff.
"Let's expel the guy who found a flaw when it comes to hiding the identity of all of our students, ruining his academic career, without understanding the problem and fixing it".
[QUOTE=Reds;39299453]Hopefully this can be turned into a case of so much outrage that they backpedal straight off a cliff.[/QUOTE]
Let at least three major Canadian media outlets catch wind of this and they'll backpedal alright.
Wow, what assholes
[QUOTE=MIPS;39299414]Now you see why the place got shot up a few years back.
Faculty are mindless pricks.[/QUOTE]
are you seriously justifying the school shooting because the faculty isn't up to some standards??
seriously, many of the people who were shot were students!
Signed and shared.
If this gets any bigger he may not need any academic success to land himself a job.
Unless he always wanted to get into academia.
[QUOTE=Panthereye;39299487]are you seriously justifying the school shooting because the faculty isn't up to some standards??
seriously, many of the people who were shot were students![/QUOTE]
I'll fix that.
If anything, I'd say he's being treated like this because of his name. That's fucking filthy and he should get his grades back up and an apology.
[QUOTE=Maximo13;39299511]If anything, I'd say he's being treated like this because of his name. That's fucking filthy and he should get his grades back up and an apology.[/QUOTE]
If anything, his name was bloody awesome.
[QUOTE=Tom32123;39299548]If anything, his name was bloody awesome.[/QUOTE]
But everyone refers to him differently. Article calls him Ahmed, he goes by Hamad on Facebook/the site refers to him as such, but according to the school he's Ahmad
I spent a year and a half in classes with him and I haven't got a clue which one it is :v:
The college should be ashamed of themselves, he did the right thing and got treated like a criminal for it.
that flaw almost sounds like a backdoor into the database
[QUOTE=Joazzz;39299878]that flaw almost sounds like a backdoor into the database[/QUOTE]
According to the description, it pretty much is.
Also as a follow-up, I'd like to point out that it's this kind of stuff that produces black-hats.
In some countries, this is a serious factor for "endowed" brains to consider leaving and working someplace else.
Their motivation is retarded indeed.
Sounds like SQL injection.
Am I alone in thinking that this doesn't pass the smell test?
Here we have a guy claiming he found a security hole, told them about it, and tested it - and because of this he has been suspended, had his loans cancelled, and threatened with jailtime. In the article he even suggests that the school attempted to cover it up.
We have either found ourselves the unluckiest college student ever, or we've found half of a story
[QUOTE=Zeke129;39300081]Am I alone in thinking that this doesn't pass the smell test?
Here we have a guy claiming he found a security hole, told them about it, and tested it - and because of this he has been suspended, had his loans cancelled, and threatened with jailtime. In the article he even suggests that the school attempted to cover it up.
We have either found ourselves the unluckiest college student ever, or we've found half of a story[/QUOTE]
Indeed, you are the [B][I][U]only individual in existence[/U][/I][/B] that could form some simple connections.
In all seriousness it isn't so much the College's fault, but the fourteen so called "professors" of the Computer Science faculty need to eat the biggest dick sandwich known to man and perhaps read a book on data security.
[QUOTE=BigBoom;39300214]Indeed, you are the [B][I][U]only individual in existence[/U][/I][/B] that could form some simple connections.[/QUOTE]
The only one so far in the thread who is taking the article at anything other than face value.
I find it hard to believe that 14/15 faculty members would vote to expel a student for only doing the things this student claims he did.
I'm getting something of a Sony vibe here, something almost like; "Someone found an exploit in our system? Sue them!"
Sadly I've seen this happen in other places, one of the schools I attended had a similar security issue that allowed any user to gain remote admin access on any other computer in the entire school. I got warned and had all my privileges removed after reporting it to the main IT guy.
[quote]Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected.[/quote]
Stupid mistake doing that without permission from the administrators.
I just HOPE the college suddenly collapses out of structural failure while corporatist scum idiots are inside, killing them all.
Hopefully once this gets the attention of multiple large media outlets a college will give him a place. This is a potential PR goldmine for whatever college does.
Why are there no reliable Canadian media outlets about this? There's only the National Post talking about this.