• Student expelled from College for running a vulnerability scanner following his discovery of a secur
[QUOTE=SgtCr4zyGunz;39305867]okay then fine give him a slap on the wrist so he gets the message. not ruin his entire fucking academic career and possibly his life when it was clear he has no malicious intent.[/QUOTE] Well, based on the above posts, it probably had some malicious intent, or he was a massive idiot.
[QUOTE=rrunyan;39305215][I]Ahmed Al-Khabaz[/I][/QUOTE] I almost touched on that, actually. If things truly did go down the way he said they did, I wouldn't be surprised if the faculty had already decided they wanted this guy gone for discriminatory reasons and ended up finding themselves the perfect excuse to do it. I assume the faculty's votes were confidential, but it would be interesting to see how the 1 dissenting voter differed from the rest.
Signed the petition, I hope it all goes well for him.
[QUOTE=SgtCr4zyGunz;39305867]okay then fine give him a slap on the wrist so he gets the message. not ruin his entire fucking academic career and possibly his life when it was clear he has no malicious intent.[/QUOTE] Exactly what I was going to say. What he did was clearly a mistake that could have caused damage to their systems, but in the end he didn't intend to do harm and was only working with fixing the exploit in mind. The chosen punishment is way, way too harsh. ...unless, as others have mentioned, he has a history of these kinds of things, which would change everything. But I doubt he would go forward and put his story into national news if that was the case.
The college has a reason to be strict and to enforce its computer usage policies how it sees fit. I think a lot of people aren't really even reading the article: he didn't walk up to the Director of IT and immediately get expelled after informing him about the exploit. He started doing additional scanning afterwards. He might have even been told to stop all additional pen testing. It's a shitty situation, but what is the college supposed to do? Hand out a slap on the wrist to anyone who wants to have a go at their systems? You can't have everyone that wants to be the big hero and save the day start trying to find exploits at any time of day using whatever software they want on your live databases. It wasn't his job or his place to be trying to find exploits in their system, and the school even states in its computer usage policy that what he was doing would be met with consequences. [url]http://dc11.dawsoncollege.qc.ca/dsweb/Get/Document-10133/IT%20Policy.pdf[/url] This isn't the same as telling someone their door is unlocked; it would be the equivalent of kicking in someone's door and informing them it wasn't strong enough.
[QUOTE=M2k3;39308518]This isn't the same as telling someone their door is unlocked, it would be the equivalent of kicking in someones door and informing them it wasn't strong enough.[/QUOTE] It's like telling them their door's unlocked, then going inside to steal shit and getting caught.
I've updated the OP with some more info on what's been happening; in short, Skytech has offered him a scholarship and a part-time job. I also linked to two interviews, one with Hamad and the other with the Director General of Dawson. Just figured I'd let you guys know in case you wanted to follow up on this story. Anywho, to address some of your concerns and theories that have been brought up: I don't believe it was related to discrimination. I only know of one teacher that is French for certain; the rest that I know are of various descents. The guy himself was a jokester of sorts, but he never disrupted class, and in regards to a potential history, there's nothing I've heard of in the same vein as this. Of course such things would be kept confidential, but our program is a very close-knit community, so we would very likely know, at least to some degree, regardless. There was one incident of note in our first semester of study, where his group jokingly used offensive terms and swears for variable names in an assignment and then forgot to change them before submitting. They did get in quite a bit of trouble for that, but it's not relevant to the issue at hand and is the only one I've heard of in regards to him.
[QUOTE=Bazkip;39311178]I've updated the OP with some more info on what's been happening, in short Skytech has offered him a scholarship and a part-time job.[/QUOTE] I figured something like this would happen, I bet some schools send him letters that they'll accept him and stuff, too. Probably will turn out to be a good thing for him in the long run.
Signed the petition, but couldn't he theoretically take legal action against them? Because what they did was totally fucking unacceptable.
[QUOTE=Ekalektik_1;39311276]Because what they did was totally fucking unacceptable.[/QUOTE] Expelling a student after he conducted a simulated attack on a company's webserver without permission? Voting almost unanimously, which strongly suggests that there's more to it than a bumbling student making an innocent mistake? This is the computer equivalent of shooting a rocket at someone's door to see if their locks are strong enough. You don't mess around with these tools.
[QUOTE=catbarf;39311624]This is the computer equivalent of shooting a rocket at someone's door to see if their locks are strong enough. You don't mess around with these tools.[/QUOTE] The equivalent of doing that, and then getting a job offer at an aerospace company.
[QUOTE=SCopE5000;39304128]Welp if that was the case Acunetix themselves wouldn't have a blog post telling you to use a simulated environment, as the chance of records being deleted are 'indeed very high' [url]http://www.acunetix.com/blog/docs/invasive-vs-non-invasive-web-application-security-scan/[/url] So yeah, why don't you stop tossing bullshit.[/QUOTE] Wow, you have no fucking clue what you're talking about. Have you even used Acunetix before? Acunetix does not actively attempt to drop databases, and that post doesn't mention anything about it; it could only damage the database as a result of a badly coded site (and by accessing sections of the site, which a normal user may have eventually accidentally done). That article was written as a CYA tool, because a lot of sites ARE badly coded. Please stop posting, you are dumb.
As far as I'm understanding this, Skytech actually liked it. However, the IT policy/code of conduct is very clear on what can and cannot be done: "Take no action which could compromise the integrity or normal operations of these resources." -- IT policy; "2.13 misuse College property or equipment;" -- code of conduct. Yeah, I've seen similar situations before, and even if they didn't consider it to be a big deal, the lawyers get all huffy and require them to leave.
Well, I guess that he got offered a scholarship is great news for him now.
[QUOTE=catbarf;39311624]This is the computer equivalent of shooting a rocket at someone's door to see if their locks are strong enough. You don't mess around with these tools.[/QUOTE] It's the equivalent of pushing their door to see if it's open.
Ya know, I doubt his job offer and scholarship are still valid after (completely) breaking his NDA.
[QUOTE=Soda;39311854] it could only damage the database as a result of a badly coded site[/QUOTE] Gee, a badly coded site? Kind of like one with such massive security vulnerabilities that would allow any script kiddie to access sensitive info? [QUOTE=-Flapadar;39314004]It's the equivalent of pushing their door to see if its open.[/QUOTE] Pushing someone's door open doesn't risk destroying their house. Like I said, this is not a tool you deploy on a server 'just to check'. It's an invasive, simulated attack meant to be every bit as nasty as a real intrusion, and even if it fails it is [i]designed[/i] to compromise security, potentially leaving the server open to other attacks. You wouldn't simulate a mugging by pulling a gun on someone to test if their self-defense skills are up to par, you wouldn't try to force open someone's car and then try to hotwire it to see if their vehicle security is good enough, and you wouldn't run a simulated attack on a company's server to see if they've patched a flaw. All of these are perfectly fine in controlled tests with the explicit knowledge of the subject, but are absolutely illegal and inappropriate to do because you feel like it without the knowledge or consent of the subject. Computer ethics is a big deal for anyone who wants to work in the tech industry. Such a flagrant disregard has consequences.
The mainstream media seems to have gotten hold of this; I saw him on TV like 10 minutes ago on LCN.
[QUOTE=catbarf;39316179]Pushing someone's door open doesn't risk destroying their house. Like I said, this is not a tool you deploy on a server 'just to check'. It's an invasive, simulated attack meant to be every bit as nasty as a real intrusion, and even if it fails it is [i]designed[/i] to compromise security, potentially leaving the server open to other attacks.[/QUOTE] The only risk of damage to the database is incorrect data which can be easily removed from the database (3NF)... I'm not saying it's legal: I'm just saying it's absolute bullshit that it could cause irreversible damage or a server to crash.
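The two posts above disagree about what a scan like this can actually do to a live database: only leave junk rows behind, or destroy records. The following is an added example (my own code, not from this thread, from Acunetix or from Skytech) that models the behaviour in question: a crawler-style scanner that follows every link it finds and, in "invasive" mode, submits every form once with its default values and then once per field with a fuzz payload. It is run against two constructed portals, one that deletes a record behind a plain GET link and one that deletes only on a POST carrying a CSRF token. Routes, records, payloads and the token are all made up for the example.

```python
"""Toy model of a crawler-based web scan against a live portal (added example)."""
import re
from collections import deque

# Constructed fuzz payloads of the kind a scanner sends into each form field.
FUZZ_PAYLOADS = ["' OR 1=1--", "<script>alert(1)</script>", "A" * 64]


class ToyPortal:
    """Three student records; ids 1-3 are the real data, anything above is scanner junk."""

    def __init__(self, delete_via_get):
        self.delete_via_get = delete_via_get
        self.db = {1: "alice", 2: "bob", 3: "carol"}
        self.csrf = "tok-8f3a"  # constructed per-session token
        self.next_id = 4

    def get(self, path):
        """Serve a GET; the badly coded variant also mutates state here."""
        if path == "/":
            links = "".join(f'<a href="/user?id={u}">{n}</a>' for u, n in sorted(self.db.items()))
            return links + '<a href="/add">add</a>'
        m = re.match(r"/user\?id=(\d+)$", path)
        if m:
            uid = int(m.group(1))
            if uid not in self.db:
                return "not found"
            if self.delete_via_get:
                # Badly coded: a destructive action behind an ordinary link.
                return f'{self.db[uid]} <a href="/delete?id={uid}">delete</a>'
            return (f'{self.db[uid]} <form method="post" action="/delete">'
                    f'<input type="hidden" name="id" value="{uid}">'
                    f'<input type="hidden" name="csrf" value="{self.csrf}"></form>')
        m = re.match(r"/delete\?id=(\d+)$", path)
        if m and self.delete_via_get:
            self.db.pop(int(m.group(1)), None)
            return "deleted"
        if path == "/add":
            return '<form method="post" action="/add"><input name="name"></form>'
        return "not found"

    def post(self, path, fields):
        """Serve a POST; the hardened variant only deletes with a valid token."""
        if path == "/add":
            name = fields.get("name", "")
            if not name:
                return "rejected"
            self.db[self.next_id] = name
            self.next_id += 1
            return "added"
        if path == "/delete" and not self.delete_via_get:
            if fields.get("csrf") != self.csrf:
                return "forbidden"
            uid = fields.get("id", "")
            if not uid.isdigit():
                return "bad id"
            self.db.pop(int(uid), None)
            return "deleted"
        return "not found"


def scan(app, submit_forms):
    """Naive crawler: GET every link once; optionally submit every form found. Returns request count."""
    seen, queue, requests = set(), deque(["/"]), 0
    while queue:
        path = queue.popleft()
        if path in seen:
            continue
        seen.add(path)
        body = app.get(path)
        requests += 1
        queue.extend(re.findall(r'href="([^"]+)"', body))
        if not submit_forms:
            continue
        for action, inner in re.findall(r'<form method="post" action="([^"]+)">(.*?)</form>', body):
            # Hidden fields (including the CSRF token) are replayed exactly as
            # found, which is what a scanner running with a valid session does.
            fields = dict(re.findall(r'name="([^"]+)"(?: value="([^"]*)")?', inner))
            app.post(action, dict(fields))  # baseline submission with default values
            requests += 1
            for name in fields:  # then one fuzz case per field
                for payload in FUZZ_PAYLOADS:
                    app.post(action, {**fields, name: payload})
                    requests += 1
    return requests


def run(delete_via_get, submit_forms):
    """Return (surviving original ids, junk ids) after one scan of a fresh portal."""
    app = ToyPortal(delete_via_get)
    scan(app, submit_forms)
    original = sorted(k for k in app.db if k <= 3)
    junk = sorted(k for k in app.db if k > 3)
    return original, junk


if __name__ == "__main__":
    for dvg in (True, False):
        for inv in (False, True):
            site = "GET-deletes" if dvg else "POST+CSRF  "
            mode = "invasive  " if inv else "crawl-only"
            print(site, mode, run(dvg, inv))
```

Running it shows all four combinations. A crawl-only pass wipes the three records on the site that deletes on GET and touches nothing on the POST+CSRF site, so "badly coded" really does decide whether a passive crawl is destructive. An invasive pass leaves three junk rows from the /add form on either site and, because it replays the discovered delete form with its hidden token, also wipes the records on the correctly coded site. That is why the Acunetix post linked earlier in the thread tells you to scan a copy: a scanner with a logged-in session will submit whatever forms it finds, and a CSRF token does not stop it.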
This is not the first time I've seen this from Skytech. My friend found a very serious security flaw on their /kadmin login page a few years back that opened a webapp to browse their FTP server without any authorization needed; just call the JavaScript function for it and you're in. That basically gave him a direct FTP connection to their server, and he managed to download a bunch of crap off them, including the entire Omnivox source code. He decided to call them to tell them about the flaw, and they threatened him with legal action. They even went to his house to secure the hard drive he downloaded the source code on (although they did give him a new one IIRC).
I go to a college in Quebec and use Omnivox on a near daily basis. If Omnivox were a car, it would be a rickety piece of shit held together with duct tape and licorice that couldn't go over 30 kph without breaking in half. Some of us in the Computer Science and Electronics courses have found security flaws, and though none were as severe as that, we never report them out of fear of this exact kind of bullshit. Skytech is known for being crazy overzealous, and the deans of the CEGEPs are so technologically inept that it isn't even funny, it's just sad.
remember, school is where people think the LEAST
Ignoring the fact that they expelled him (which is hard to ignore), did they seriously have to destroy his plans for the future like that? If he broke school policy, fine, punish him within the range of the school, but don't ensure that he can't get a similar education ever, let alone a career. Complete overkill.
[QUOTE=Agent766;39314856]Ya know, I doubt his job offer and scholarship are still valid after (completely) breaking his NDA.[/QUOTE] The job offer and scholarship were offered [i]after[/i] this went public; Skytech's trying to save face. Anywho, got to see Hamad today. Dawson held a press conference and then he held a small media scrum afterwards, outside, because the college wouldn't let him hold it inside. Our student union wanted to have students stand around him while he was speaking with reporters so that he wouldn't seem alone when giving his reaction to Dawson's statements. Decided to volunteer for that, and after waiting about an hour in the cold after Dawson's press conference was supposed to end, he finally emerged. I ended up being directly behind Hamad, so I kinda just awkwardly looked around and fidgeted with my hat the whole time; I bet I looked great lol. Talked with him a little bit afterwards, though didn't ask him any questions since I figured he's probably getting sick of that by now. Just told him it was a pleasure being in the same class as him, and wished him the best for his future endeavours. 'Cause I won't be seeing him again: he obviously has no intentions of returning to college; instead he'll take one of his many job offers and probably the scholarship as well to complete his studies. Speaking of job offers, he apparently even got one from Google. Lucky bastard, I should've gotten myself expelled. So that's about what's going on now with this. I'll look around to see if I can find the video (so you can all see me fidget awkwardly) or anything else of interest.
[editline]22nd January 2013[/editline] One of my program's teachers wrote in to the Gazette, basically trying to defend the faculty's position and make claims that the full story has not been shared. Here's the teacher's message: [url]http://www.montrealgazette.com/opinion/Letter+Dawson+computer+prof+backs+college+decision+Ahmed/7854144/story.html[/url] And here's the response: [url]https://www.facebook.com/HamedHelped/posts/569901043039008[/url] Provides a bit more insight into what really happened. Specifically this: [quote=Hamad Helped]On September 21st Hamed ran a scan to test for vulnerabilities on Dawson's student portal. He was asked to stop and not repeat the act. However, when he figured out the major flaw a month later he was thanked by the College and granted access to a test server to check for more bugs. He did not realise that by checking for more bugs he would be violating the original warning and risking expulsion. [/quote] [editline]22nd January 2013[/editline] They also just put out a timeline of the events: [url]https://www.facebook.com/HamedHelped/posts/275887802536695[/url] This in particular adds a little more clarification to the above quote, and outlines where exactly he screwed up: [quote="Hamad Helped"]Hamed and his colleagues meet with François Paradis to test their theory of data access. A test server is setup for them to run their findings. They sign a Protocol for Portal Vulnerability Test. Part of said protocol stipulates that testing must happen on College grounds under the supervision of Dawson College IT staff.[/quote]
can't do the time, don't do the crime.
[QUOTE=PvtCupcakes;39325031]can't do the time, don't do the crime.[/QUOTE] Shouldn't expect to do time when you're just trying to help
[QUOTE=Bazkip;39325290]Shouldn't expect to do time when you're just trying to help[/QUOTE] It's not helping when you're running software to exploit and open new security holes.
[QUOTE=OogalaBoogal;39325367]It's not helping when you're running software to exploit and open new security holes.[/QUOTE] It's not harmful when it's run on a test server, which it was
[QUOTE=Bazkip;39325290]Shouldn't expect to do time when you're just trying to help[/QUOTE] It's generally a good idea to ask first when your method of helping is easy to mistake for a genuine attack.
"On September 21st Hamed ran a scan to test for vulnerabilities on Dawson's student portal. He was asked to stop and not repeat the act. However, when he figured out the major flaw a month later he was thanked by the College and granted access to a test server to check for more bugs. He did not realise that by checking for more bugs he would be violating the original warning and risking expulsion." So he does have a history of doing stupid shit then? [editline]23rd January 2013[/editline] I mean, he was already warned not to be doing this. Why couldn't he have asked before prodding their shit?