Author Topic: College expels student for reporting security hole  (Read 432 times)

Offline menotu

College expels student for reporting security hole
« on: January 22, 2013, 07:38:15 AM »
heise Security

While developing an app to simplify remote access to the college portal, two Dawson College computer science students stumbled on a serious security vulnerability in the access portal which administered data for all students at their college. The vulnerability could be exploited to access personal data for all students on the system with very little effort. A total of 250,000 student records were reported to be affected.

The students, Hamed Al-Khabaz and Ovidiu Mija, reported the vulnerability to the head of the computer centre at Dawson College in Montreal, Canada. He congratulated them on their discovery and forwarded the report to the company behind the software. The students were assured that the vulnerability would be fixed immediately.

Two days later, Al-Khabaz was curious as to whether the company had kept its word. Shortly after accessing the company's web site using the web vulnerability discovery tool Acunetix, his phone rang. He found himself talking to Skytech president Edouard Taza. Taza told Al-Khabaz that the company considered his actions to be a malicious attack and threatened to call the police unless he signed a non-disclosure agreement, which Al-Khabaz duly did.  

Taza has denied threatening the student, telling Canadian newspaper National Post that he merely mentioned the police and legal consequences. According to Taza, checking whether the vulnerability was still open crossed a line – using Acunetix without obtaining the consent of Skytech system administrators could, he claims, have crashed the server.

The student's second intervention provoked a draconian response from Dawson College. The student was first interrogated by college management on whom he had told about the vulnerability.

Professors at the computer science department then voted to expel Hamed Al-Khabaz from the college, with only one of the 15 professors voting against. Al-Khabaz lodged two appeals against the decision, both of which were rejected.  The expulsion letter says that Al-Khabaz "injected SQL code" into the system.

Within just a few weeks, the model-student had become a pariah. His college record now states that he was expelled from Dawson College for unprofessional conduct.

http://www.h-online.com/security/news/item/College-expels-student-for-reporting-security-hole-1789138.html


heise

=========
from CBC

Company offers scholarship to Dawson student who exposed security flaws

The Dawson College computer science student who was expelled after discovering a security breach in a system used by students across Quebec has been offered a scholarship by the company behind the software.

"We will offer him a scholarship so he can finish his diploma in the private sector," said Edouard Taza, the president of Skytech.

but

Dawson stands by its decision

In an interview with CBC's Homerun, Dawson director general Richard Filion said the school expelled Al-Khabaz based on the school's professional code of conduct.

"We're not doing this blindly, we're not doing this with happiness, but we had to consider a serious breach in these values and principles," said Filion.

The Dawson Student Union is appealing for the school to reinstate Al-Khabaz.

"Hamed is a brilliant computer science student who simply wanted to help his school," said Morgan Crockett, the union’s director of internal affairs and advocacy.

"Dawson College should be thankful for his talent and foresight. They must immediately reinstate Hamed, refund the debt he has incurred as a result of his unjust expulsion and offer him a public apology."

CBC
« Last Edit: January 22, 2013, 07:41:19 AM by menotu »
PCLinuxOS 32bit KDE 4.10.1; kernel-3.4.11-pclos1.bfs & 64bit 3.2.18bfs; NVidia GeForce 8400GS 1GB 310.19 driver

Sony Vaio SVE1513A4ESI Laptop, Intel Core i5, 2.6GHz, 6GB RAM, 750GB, 15.6" Intel HD Graphics 4000

Online Just17

Re: College expels student for reporting security hole
« Reply #1 on: January 22, 2013, 07:58:01 AM »
Quote
His college record now states that he was expelled from Dawson College for unprofessional conduct

Interesting concept ......  I was not under the impression that college students were professionals ........

Other than that .....  I would suggest that the student was stupid in the extreme ......  having reported the vulnerability to the head of the computer centre, surely the obvious thing to do would be to approach the head and test - together - if the vulnerability had been fixed .......  after of course allowing some time (maybe a week to lapse).

But, no ....  two days later he accessed the system on his own .....  and notably NOT with the other student involved in the vulnerability discovery.

One would have to wonder why ....

Yet, I must add that the college also appears to have overreacted in a BIG way.
As the company involved were not pursuing him, or complaining apparently, and if this was the first incident of its type, then surely the student deserved a second chance.

Would make one wonder if there was some history we are not hearing about ......

MLUs rule the roost!

Linux XPS 3.2.18-pclos2.pae.bfs  32 bit
Intel Core2 Quad CPU Q9450 @ 2.66GHz
4 GB RAM
MCP51 High Def Audio
GeForce GTX 550 Ti
PHILIPS  ‎DVD+-RW DVD8701
‎Logitech ‎BT Mini-Receiver
Afatech DTT

Offline Reb

Re: College expels student for reporting security hole
« Reply #2 on: January 22, 2013, 01:28:32 PM »
Dawson College demonstrates most important lesson to the world.

How to turn a well meaning, good intentioned person of obvious aptitude, into a monster, yep that's how you do it.

Thank gawd, the company concerned has seen potential in the young man, I hope they nurture him well.

Main machine Amd Phenom II, 4gb ram, 500gb wd hard drive, radeonHD 4200
PCLinuxOS 2011.6 KDE
Jukeboxmachine, AMD singlecore 3.2ghz, 1gb ram, 160gb wd +80gb wd hard drives, PCLinuxOS 2011.6 KDE mini, hooked up to an old (1980's) JVC stereo amp and 1970's Kef Choral speakers, sounds good to me ;0)

Offline nitrogen_widget

Re: College expels student for reporting security hole
« Reply #3 on: January 22, 2013, 02:07:08 PM »
Interesting that the company that threatened him is now offering a scholarship.

Offline µT6

Re: College expels student for reporting security hole
« Reply #4 on: January 22, 2013, 02:23:41 PM »
I think it should apply the same rule as web browsers and similar stuff: after reporting the flaw you wait a reasonable amount of time for a fix or patch to be made; if that doesn't happen, then make it public by demonstrating all the information gathered and how to exploit it

maybe he was a bit naive, now he should sue everyone and earn some money, they asked for it, the university and the company both should pay him good cash for this abuse of power
"A question that sometimes drives me hazy: am I or are the others crazy?"

Albert Einstein

Offline AndrzejL

Re: College expels student for reporting security hole
« Reply #5 on: January 22, 2013, 03:39:09 PM »
Don't be naive... There was something more to the story...

“After he was interviewed by the dean of Dawson and his Computer Science program coordinator, the details were brought to a meeting of 15 professors in the school’s Computer Science department. By a 14-to-1 vote, they moved to expel him.”

14 bad professors had a grudge against innocent Ahmed... Please...

Regards.

Andrzej
« Last Edit: January 22, 2013, 03:53:04 PM by AndrzejL »

Offline AndrzejL

Re: College expels student for reporting security hole
« Reply #6 on: January 22, 2013, 03:42:41 PM »
Quote
Dawson College demonstrates most important lesson to the world.

How to turn a well meaning, good intentioned person of obvious aptitude, into a monster, yep that's how you do it.

Thank gawd, the company concerned has seen potential in the young man, I hope they nurture him well.

Pentesting of a network that does not belong to You / is not under Your administration IS illegal. If he wanted to pentest the school he should have asked the Dean for permission. He did it without asking anyone. If I go and start pentesting any site I choose I will soon have visitors on my doorstep. Visitors with handcuffs and NO I am not that kinky... Why should this fella get away with it? Just because he got the media to blow up this story does not mean he is any different from any other person who (while using their computer) committed acts of a malicious nature. Any other person trying to crack a website / server could say the same thing - "I was just pentesting them to check if they patched their security holes... I am a white hat... I don't break laws I was trying to help them keep their security tight..."... would it save him from going to jail? No. So why is this one special?

Regards.

Andrzej
« Last Edit: January 22, 2013, 04:00:20 PM by AndrzejL »

Offline AndrzejL

Re: College expels student for reporting security hole
« Reply #7 on: January 22, 2013, 03:45:08 PM »
Quote
His college record now states that he was expelled from Dawson College for unprofessional conduct

Interesting concept ......  I was not under the impression that college students were professionals ........

Other than that .....  I would suggest that the student was stupid in the extreme ......  having reported the vulnerability to the head of the computer centre, surely the obvious thing to do would be to approach the head and test - together - if the vulnerability had been fixed .......  after of course allowing some time (maybe a week to lapse).

But, no ....  two days later he accessed the system on his own .....  and notably NOT with the other student involved in the vulnerability discovery.

One would have to wonder why ....

I like where You're going with this... but unfortunately if the media will "Barbara Streisand" the story much more the "big bad school" might be forced to take him back in...

Regards.

Andrzej

Offline Crow

Re: College expels student for reporting security hole
« Reply #8 on: January 22, 2013, 06:50:01 PM »
I think that there is more to that story than we've been told; is the school retaining information to protect the student? Could happen. 14 of 15 teachers agreed and that must count for something; that little part "injected SQL code" seems interesting.

Did the school fail? Yes, they did. Students are in a formative process, it is expected that they will make errors; teachers are supposed to know what to do when students make mistakes. Expelling them is to confess they don't know what to do; they are abdicating their teaching position and abusing their power.

That means, even if he did it maliciously, he deserved a mentor to guide him not only in the technical aspects but also in the professional part of his future life.
I shall pass this way but once;
any good therefore that I can do,
or any kindness that I can show
let me not defer nor neglect it,
for I shall not pass this way again.

Linux User #330412

Offline AndrzejL

Re: College expels student for reporting security hole
« Reply #9 on: January 22, 2013, 07:01:54 PM »
Crow I agree to a certain point... Like I said I am not buying this "poor Ahmed wanted to do something great and got kicked off..." story. There is more to it. I disagree about the school failure part. I believe they gave him some credit and decided "He committed a crime - act of malicious nature - but let's give him a break - let's kick him out from school and let's keep cops out of this...". About mentoring... They could only do so much. I like to keep repeating myself that You can put your boots into the freezer but that in no way will make them taste like vanilla ice cream... I believe we all deserve second chance - second - not third fourth and fifth... Anything more than a 2nd chance is called being naive...

Regards.

Andrzej

Offline µT6

Re: College expels student for reporting security hole
« Reply #10 on: January 22, 2013, 07:19:20 PM »
going a bit offtopic here but everybody deserves more than a second chance

I agree with Crow, also doing a sum of what has been reported, the complete story or the way it happened is not being told completely

anyway, seeing that school and company made something like a "I'm sorry, let's be friends" this tells me that there was fault at every part involved

I still think that this student should sue everyone here, or at least accept the company offer

Offline Crow

Re: College expels student for reporting security hole
« Reply #11 on: January 22, 2013, 08:06:46 PM »
AndrzejL, having worked 10 years with juvenile delinquents and supervising cases from all the State taught me that some need more than one chance; if I'm naive I'm proud of it, since otherwise many kids would have ended in jail or worse if I hadn't trusted them more than once.

When a student fails good teachers ask themselves: what didn't we do right? What was our mistake? Because good teachers consider themselves part of the equation; if the student succeeds they are happy because they succeeded, if the student fails they assume their part.

Oh, and it is not "poor Ahmed", it is:
 "D***n Ahmed why did you do such a thing? are you st***d"  >:(

 :)
« Last Edit: January 22, 2013, 08:10:20 PM by Crow »

Online Just17

Re: College expels student for reporting security hole
« Reply #12 on: January 23, 2013, 03:23:53 AM »
Crow .....  is this guy a juvenile? .......   do people expect juveniles to behave in a 'professional' manner?

From the info I understood he is an adult - young yes - but adult.

For all we are aware he has been given several chances ......  without the background we are jumping to conclusions .......  either about him or about the college.

Offline topcat

Re: College expels student for reporting security hole
« Reply #13 on: January 23, 2013, 04:00:20 AM »
Quote
A total of 250,000 student records were reported to be affected.
Wow, that's some huge big campus!
(Stopped reading there.)

Offline Crow

Re: College expels student for reporting security hole
« Reply #14 on: January 23, 2013, 02:55:04 PM »
Quote
Crow .....  is this guy a juvenile? .......   do people expect juveniles to behave in a 'professional' manner?

From the info I understood he is an adult - young yes - but adult.

For all we are aware he has been given several chances ......  without the background we are jumping to conclusions .......  either about him or about the college.

In no place is the age established, so we can't tell. An adult? Only by the age? That is a legal approach, hardly an educational one. He was in a school in a formative process.

What chances? He reported the problem, "checked" if the solution was there and that was all.