Student Expelled From Montreal College For Finding "Sloppy Coding"
innocent_white_lamb writes "In what appears to be a more-and-more common occurrence, Ahmed Al-Khabez has been expelled from Dawson College in Montreal after he discovered a flaw in the software that the college (and apparently all other colleges across Quebec) uses to track student information. His original intention was to write a mobile app to allow students to access their college account more easily, but during the development of his app he discovered 'sloppy coding' that would allow anyone to access all of the information that the system contains about any student. He was initially ordered to sign a non-disclosure agreement stating that he would never talk about the flaw that he discovered, and he was expelled from the college shortly afterward."
Troublist!
All problems can be solved by personally punishing someone in an unrelated fashion to their crime, rather than simply fixing the problem.
...and report on exactly how this flaw works, and what its implications are.
The college system turned a friend or at least a neutral party into an enemy. They should expect any and all damage that he can inflict on the administrators at the top that were foolish enough to support the actions taken against the student.
I'd covertly publish the flaw + a ready-to-use exploit everywhere and let chaos ensue.
So, go to an internet cafe and set it free. They fucked you, so fuck them back.
Outside vendor freaked out and it's easier for the school to take the easy way out and kick him out than it is to help him.
"He told me that I could go to jail for six to twelve months for what I had just done and if I didn't agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement."
You're an idiot. You signed something under threat of prison / arrest without bothering to consult a lawyer. No amount of mention of poverty, trust, or even just plain intimidation should have made you do such a thing without first consulting a lawyer.
And, as such, your legal position is not significantly weakened because, by talking to the media, you've BREACHED that non-disclosure agreement that you voluntarily signed and would now have to prove duress in a court to invalidate that.
You're an idiot. Don't sign anything, and if you do abide by what you sign. If they threaten you with police if you DON'T sign anything, pick up the phone and call the police (or lawyer) yourself. Duress to sign a contract is extremely important. Signing an NDA (of all things) "voluntarily" and then claiming it was done under duress in a public statement (that mentions the NDA you've just agreed you won't mention) is idiotic. Call a lawyer: it's the ONLY sensible option at that point.
And if you'd done that? Sure, it would have cost you a few hundred to get them in, but there's no way on earth that you'd be where you are now (i.e. having to hire lawyers to get back into school, for instance). In fact, likely the matter would all quickly become a "misunderstanding" that was hastily swept up out of the press.
You're an idiot. All you've done is shown a court that what you did was so grey-area that you'd rather hastily sign a contract than have the police look into it, and then you've gone and broken that exact contract, and admitted doing just that in the most public way possible.
Do whistleblower laws cover this? And what was the scope of his work?
sounds like he found something and they did not want to fix it or the cost to fix was high / a hole like that will lead to a fine.
Why would you run vulnerability scanner software on a remote network from your home IP?! Sounds to me like he found a flaw, got overzealous and got permabanned.
did you forget to take your meds?
Go visit the Facebook page and any other social media page. Send them what you think of the situation.
Expelled for trying to hack the site a second time, not for notifying them of his first hack. Summary is technically true, but still a deception.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected.
Seriously, don't run Acunetix or Retina scans or whatever on other people's systems. It looks like you are probing for vulnerabilities because, well, that's exactly what it's doing.
And if I'm a sys-admin, I'm going to see that and think you're an attacker. From my point of view, you've just cased the joint. That's what I'm going to report up, and from there everything gets ugly.
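The point the poster above makes is that a scan is recognisable from the server side even when the person running it means well. As an added example (not code from the original thread, the college, or the vendor), the script below runs simple scanner-detection heuristics over a handful of constructed Apache/nginx combined-format access-log lines: many distinct paths from one client in a short window, a high share of 4xx/5xx responses, injection-style markers in the request path, and optionally a User-Agent that names a scanner. The IP addresses, paths, timestamps and the scanner-name list are all assumptions made up for the example; the sample scanner deliberately uses an ordinary browser User-Agent to show that behaviour alone is enough to stand out in the logs.

```python
"""Flag clients whose access-log traffic looks like a vulnerability scan.

Heuristics (an IP is flagged when at least two apply to its busiest window):
  * most requests go to distinct paths (spidering / probing)
  * at least half the responses are 4xx/5xx (probing paths that do not exist)
  * injection-style markers appear in the request path or query string
  * the User-Agent names a known scanner
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format. All sample lines in this file are
# CONSTRUCTED for the example; they are not from any real incident.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Substrings that almost never occur in legitimate browser traffic (heuristic).
PAYLOAD_MARKERS = ("'", "%27", "<script", "../", "union%20select", "union+select",
                   "sleep(", "waitfor", "/etc/passwd", "%00", "${")
# Assumed scanner names; tune this list to what your own logs actually show.
SCANNER_UA = ("acunetix", "nikto", "sqlmap", "nessus", "w3af", "zap")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def flag_scanners(lines, window=timedelta(minutes=5), min_requests=15):
    """Return {ip: summary} for clients whose busiest `window` looks like a scan."""
    by_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:                      # silently skip unparseable lines
            by_ip[entry["ip"]].append(entry)

    flagged = {}
    for ip, entries in by_ip.items():
        entries.sort(key=lambda e: e["ts"])
        # Sliding window: the densest run of requests no longer than `window`.
        best, j = [], 0
        for i in range(len(entries)):
            while entries[i]["ts"] - entries[j]["ts"] > window:
                j += 1
            if i - j + 1 > len(best):
                best = entries[j:i + 1]
        if len(best) < min_requests:
            continue

        paths = {e["path"] for e in best}
        errors = sum(1 for e in best if e["status"] >= 400)
        payloads = sum(1 for e in best
                       if any(mk in e["path"].lower() for mk in PAYLOAD_MARKERS))
        scanner_ua = any(s in e["ua"].lower() for e in best for s in SCANNER_UA)

        reasons = []
        if len(paths) >= 0.8 * len(best):
            reasons.append("mostly distinct paths")
        if errors / len(best) >= 0.5:
            reasons.append("high 4xx/5xx ratio")
        if payloads:
            reasons.append(f"{payloads} requests carry injection markers")
        if scanner_ua:
            reasons.append("scanner User-Agent")
        if len(reasons) >= 2:
            flagged[ip] = {"requests": len(best), "distinct_paths": len(paths),
                           "error_ratio": round(errors / len(best), 2),
                           "payloads": payloads, "scanner_ua": scanner_ua,
                           "reasons": reasons}
    return flagged


def _line(ip, sec, path, status, ua):
    """Build one constructed combined-format line at 19:MM:SS on 26/Oct/2012."""
    ts = f"26/Oct/2012:19:{sec // 60:02d}:{sec % 60:02d} -0400"
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def sample_log():
    """CONSTRUCTED sample: one probing host (browser UA) and one normal session."""
    browser = "Mozilla/5.0 (Windows NT 6.1) Firefox/16.0"
    probes = ["/admin/", "/backup.zip", "/.git/config", "/phpinfo.php",
              "/login.aspx?id=1%27%20OR%20%271%27=%271", "/etc/passwd",
              "/search?q=<script>alert(1)</script>", "/../../etc/passwd",
              "/cgi-bin/test.cgi", "/WEB-INF/web.xml", "/server-status",
              "/wp-login.php", "/config.bak", "/.env", "/console",
              "/students?id=1%20union%20select%201", "/robots.txt~",
              "/api/v1/users?id=${7*7}", "/index.php?page=../../boot.ini", "/old/"]
    lines = [_line("198.51.100.7", 120 + i * 3, p, 200 if i % 5 == 0 else 404, browser)
             for i, p in enumerate(probes)]
    normal = ["/", "/login", "/courses", "/courses/101", "/grades", "/logout"]
    lines += [_line("203.0.113.5", t, p, 200, browser)
              for t, p in zip((0, 40, 95, 130, 170, 210), normal)]
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, info in flag_scanners(sample_log()).items():
        print(ip, info)
```

Run stand-alone it prints the one flagged client with its reasons; pipe a real access log through `flag_scanners` line by line for production use. The thresholds (15 requests, 5 minutes, 80% distinct paths, 50% errors, two reasons) are starting points, not tuned values: a busy single-page application or an aggressive search-engine crawler can trip the first two, so treat hits as alerts to review, not as proof of an attack.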
And this comes a couple of days after some other big IT personality gave a speech at the funeral stating he could have gone the same way as Aaron Swartz if he had been punished the same way during his hacking and exploring days in college.
Sad.
I know, this is Slashdot, but I still read the article.
And I still don't agree with him getting expelled, but the reason was not discovering/disclosing the flaw; he got in hot water when afterwards he tested if the flaw was still there, and the company developing the software reported the hacking attempt.
It was still a big overreaction that happened afterwards, and he shouldn't have been expelled, but it's not the discovering/reporting of the flaw that got him in trouble, and the article clearly states this!
All of the other students in the CS department should drop all their CS classes and change their major. Put the 14 idiot professors out of work and kill the whole department - then maybe, just maybe, this sort of authoritarian bullshit has a chance of stopping. The norm is on its way to becoming: "You graduated from college? Sorry, we're looking for someone who can think independently."
Aren't there laws which invalidate contracts signed under duress anyway? I thought I remembered reading that somewhere.
Shooting the messenger does nothing to solve the underlying problem. Thanks to the fourth estate and the Streisand effect, shooting the messenger is likely to get you more attention, not less.
Techs everywhere need to learn this important lesson: Never Sign Anything unless you are also offered, on the same piece of paper, a guarantee of what you receive in return. You get no prize money for signing an NDA or DNC. If you ask for it, you will get 1) a job, 2) some cash, 3) some action not taken. You can ask for nothing, but you will get the exact opposite - penalized or harmed. Your goal is to sign something such that if what you are offered is not fulfilled, the NDA is broken.
As it stands, asking someone to sign an NDA and not offering a guarantee of something in return is already suspect and can be fought. You had an expectation that you wouldn't get expelled, or that you would get a free education, or something else of benefit to you. People need to learn that colleges, Lance Armstrongs and corporations all act the same way. You will get screwed if and when there is an opportunity to screw you. And you will go broke defending what is right. Few will care.
Don't Sign without Something in Return (DSSR)!
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
I missed that part of the article. Can you quote the line where they said that?
It seemed more like he discovered a flaw and reported it. This embarrassed the university. He later tried to verify if the flaw had been fixed by using the flaw (probably not the best move he could have made) and the university used this as an excuse to terminate him.
By coincidence I was listening to "The Lost Art of Keeping a Secret" by Queens of the Stone Age when I found this story atop /. this morning. How apropos.
DO NOT QUESTION AUTHORITY. This is what happens when you exhibit independent thought.
Give him a break. Perhaps he was too naive of people's goodwill. However, seeing that he was cornered, talking to the press and appealing to the public opinion is his only way out, and hopefully a more progressive university will take on his cause. Going public is the only way to "clear" his name - Google search news articles vs. tainted academic transcript.
The Slashdot article summary is very misleading at best. He was not expelled because he reported a security flaw; he was expelled because he ran Acunetix, a website vulnerability scanner, after he reported the vulnerability, without permission of the web gods. Although there was no malicious intent by Ahmed Al-Khabaz, he stepped over the line and the university was not in a forgiving mood, arguably vindictive.
Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.
“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”
For reporting the vulnerability in the first place, he was thanked by the University, but they did not take kindly to using Acunetix -- I would certainly agree that the university over-reacted, but they were not punishing him for discovering a vulnerability.
Just because he had an Islamic name
What's "Islamic" about the name? If you said "Arabic", now that would be something else...
Ezekiel 23:20
Burglars also tend to find sloppy locking. So, will they get a get-out-of-jail card?
By the story linked, he wasn't expelled for finding a software flaw, he was expelled for running a vulnerability scanner against their network.
Everything with finding the flaw seems to have gone fine. He found the flaw while working to develop an app, he did nothing wrong, and it seems like he got kudos for it, not any sort of harassment at all.
Then he started using a vulnerability scanner on their network. You never do this without an arrangement (i.e. a pen testing contract). Never ever ever. It's illegal for one, it definitely can disrupt systems, and it sends up all kinds of red flags.
On the other hand, no one told me those things in college; they were part of my job training post-college. When I was at school, there were no 'ethical hacking' classes that let you know what is and is not illegal to do as part of vulnerability research. So I doubt very much the kid had any idea what was going wrong. Hell, I know now that most big universities get crazy-angry if you do anything that even looks like an attack over them... but no one told me that in college when I was actually using those networks.
The company took a rather strong wording but soft action: they elected not to pursue anything past getting him to sign an NDA. They didn't ask the school to expel him; the school did that entirely on their own. The student clearly doesn't understand why he was expelled, either. At least not by his quotes in the story (he's sure it's trying to cover up the flaws; in reality it's almost certainly because he ran what is considered a cyber attack across a university network, very illegal and very likely to piss off the administration).
Obviously he shouldn't have been expelled; he did not act with malice, and clearly still doesn't know the legal boundaries. What this tells me is it's long past time to start coupling your computer science 101 class with a cyber ethics and law 101 class. While anyone who works for a pen testing company can immediately see where things went bad, his actions make perfect sense from the perspective of a college student.
When I was a CS student I discovered a flaw in the program we used to turn in assignments. The flaw allowed access to the code anyone had turned in for an assignment. I however elected to anonymously inform the CS dept about the problem. Glad I did. I found out they searched and searched trying to figure out who I was so they could kick me out. Sometimes it is better just to be an Anonymous Coward.
Specifically, he broke the First Law of Insiders Reporting Security Violations, which is that he let someone know who he was.
History has shown beyond a doubt that if you're reporting a security violation to some entity, the only time it's safe to do it "in the clear" is when that entity obviously has no power over you. Otherwise, you have to protect yourself.
He didn't, and everything follows from that mistake.
Time to DoS the school in question.
That will improve things. Or not. How supposedly smart people can make such a fundamental beginner's mistake is beyond me.
I do understand what motivated the student though: he seems to be one of these very valuable individuals that try to solve problems when they see them. Unfortunately, "modern" administrations are so in love with their misconceptions that they cannot stand the type.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Read the article again. They did. Particularly where the software company threatened him with legal action.
I wonder, does the flaw cover staff and faculty information?
Use the exploit to expose their personal details. That'll convince them to hurry up and fix the problem.
Ahmed Al-Khabaz started off doing the correct thing by alerting the university (who then escalated it to the vendor) about the security hole. The vendor said they would fix it and, as far as I can tell, did not give any further information to the finder of the hole, who also had personal information hosted on the service. The company should have given him updates and told him when it was fixed. It would even have been beneficial for them if they got him to run the exploit from his location, given that he had discovered it and clearly wanted it fixed.
The use of an NDA seemed appropriate though, as he had access to confidential information of other users, and I understand the company needed time to patch this before the exploit was released into the wild. The NDA should have allowed him to speak to some defined people, namely some representative of the university, and work with them to get this problem fixed. Up to this point everything seems to be going how it should.
After this all parties seem to make mistakes. First, Al-Khabaz should not have just re-run the exploit; he should have first sought permission. If permission was not given he should have reported the situation to the university, who should have gotten proof that the hole was patched, including the ability to do independent verification (which the university could have got Al-Khabaz to do, possibly for a nominal fee).
The next mistake was the choice of Skytech to come down so heavy-handed; they seem to have gone all out defensive rather than looked for a sensible way around it. Maybe they could have offered Al-Khabaz a short period of [pro bono] work pen-testing that he could put on his CV. Students need these mentions, and the company could have dealt with what is a PR disaster and helped a student with their future career with next to no outlay by being a bit more cooperative rather than throwing legal threats around.
Oh, and I know that there are people who are against students doing work for free in exchange for being able to write something on their resume, but this is a fact of life now, although a nominal charge of $100 for the test and a simple report documenting what he had done and that the hole had been fixed would seem acceptable as well.
Next time just sell the exploit on the black market.
Wow, a post that fully justifies using AC. Would it be safe to at least identify this school of mostly incompetent faculty?
A student in the middle of a business venture would be quite lucky to have a few hundred available. I know I didn't. The disadvantage poverty creates within civil law is insurmountable unless the potential damages are sufficiently juicy to draw in a shark willing to work with no fee. I wouldn't have signed, sure, but expecting him to be able to afford a lawyer is unreasonable.
Now you are right though, all he can do having already stepped outside the law, is get even (hopefully without harming the other student's privacy), or lick his wounds.
Refactor the law; it's bloated, confusing and unmaintainable.
Had a larger post but it got eaten.
Obviously the school's problem was the vulnerability scanner he ran later to 'check on the flaw', not his finding the flaw during app development.
And anyone who works in pen testing knows it's illegal to do that. But did he? It doesn't sound like it in the slightest.
We need a cyber ethics/law 101 to go with comp sci 101 these days; we can't ethically hold people accountable for laws they don't know; ignorance of the law may not be an excuse, but cyber law is more complex. You can avoid breaking almost all enforced regular laws by not stealing, following vehicle instructions (speed limits, etc) and not hurting other people, but on networks some things are illegal you might not expect to be illegal.
We introduce college kids to all sorts of concepts and tools, and wait until AFTER college at job training to tell them "oh by the way running this over someone else's network without written permission is illegal" Not every CS student gets a pen testing internship during college, but I'd wager most CS students get exposed to network vulnerability tools.
An Idiot? To trust senior staff at a teaching institution?
Naive perhaps.
Too trusting maybe.
But an Idiot?
I'd rather live in his worldview than yours.
He should hold them at ransom in signing the agreement....
Every person has a duty to inform themselves of all laws under which they live. That is accepted common law going back to the dawn of civilization.
That our system of laws has become too complex and far-reaching for that to be even possible is the voters' fault, since they are the ones who choose those who make those laws.
If you want a simple law structure that everyone can live with, elect people who will put that structure in place - not the nanny statists who promise to take care of you so you don't have to.
But the administration probably doesn't understand the difference.
This might be one side of the picture. Let's see what the college administration says about this.
How "common" is this? How common is it for college students to find security flaws in the code that schools run, and to be expelled for uncovering it? That isn't even what happened here:
He was expelled for his "testing" of the breach after he told the administration and the software company about the security flaw.
He was not expelled for finding the security flaw, he was expelled for running what was a well-intentioned "attack" on the software he identified the flaw in. If he had co-ordinated with the software vendor there would have been no issue. Of course, the only way you'd know that is by reading the linked-to article - I wonder why the headline author didn't do that?
Traditional college fails at tech; this is why we need more tech schools / IT & tech apprenticeships.
This seems a lot like other cases of big-name schools using outside people for the tech and then the students take the heat for finding bugs in the system.
I think it's the higher-ups who don't get tech, and maybe even the theory-based classes that poorly cover stuff like this.
Montreal isn't in the United States, it's in Canada, where our culture of racism is quite different.
...when I read the title. I'm from Montreal, currently studying on exchange overseas. A few months back a friend of mine was telling me about an app him and some friends in a club at Dawson College were writing. I know a few of the guys personally because I was at some party with them back in September and I had heard a bit about how the project was going in the months following. All this to say, the story is complete bullshit.
Apparently, the school had originally offered to share some info that would help the guys making the app, but, coincidentally some company started developing something around the same time that was along the same lines so Dawson reneged on the deal. FTA:
Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software
The story goes, according to my friend, as such. Apparently, the programmer and one of the other guys decided they were just going to take the info, which was easy to do since Omnivox is such a terrible system, by breaking in. While doing this, they discovered the flaw and used it as leverage once the school noticed they had accessed the system and approached them. The other friend played innocent and the programmer got the flak for it, eventually being expelled.
This was by no means a white hacking deal. Also, these guys have been exploiting Dawson's system for a while to print for free and other such things.
It's interesting how many articles like this we get on slashdot. Just makes me wonder how easy it is to skew a story a certain way regarding a subject like programming which so many people know nothing about. If they found something, what were they doing looking in the first place? Well, sometimes people are just dicking around or curiously looking at how bad a system is, but sometimes they are - like in this case - breaking in to steal specific information for personal gain.
The lesson to be learned here is: If you're in college and someone threatens you with any sort of legal action, don't say a word, just walk out, and walk straight into a lawyer's office. Immediately. While I was in college I got sued/fined/thrown out of different places so many times I've lost count. The college and college police think they are the law and use their power to manipulate and harass students they don't like.
I once had the police looking for me for 3 months to ticket me for lighting some firecrackers on New Year's at 2am. It was a ridiculous cat and mouse game, and they refused to give up. Finally they "caught" me and gave me a ticket. It went to trial, for God's sake. The city paid for eye witnesses to testify and everything. It was a $100 fine and I won the case. It probably cost the city tens of thousands of dollars to screw with me for about 6 months. In the end, on the way out, I patted the DA on the shoulder and said "See ya next New Year's!" and he laughed. What a joke.
Get a lawyer, and get one fast. Don't sign anything, don't talk to anyone. They will do anything to win. Including showing up at parties, undercover, asking where you're at. Or sending you tickets via registered mail. Just get a lawyer and be done with it.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
So he reports a flaw in the software and then two days later IT detects a possible surface attack on the website which turns out to be him using software that finds other exploits. Seems to me like the student is a moron.
Sorry dude welcome to the real world of consequence.
Lesson Learned - don't report the security holes you discover. Apparently it would have just been better to exploit or sell it.
OTOH, I have seen that when you get into the class of people that like to gain power over others, such as school administrators, you have people that are broadly ignorant of realities, such as that the vast majority of people are NOT out to get them, and are NOT terrorists, etc. Canada is not an exception to the "higher-ups are more often bad people than ordinary folks" rule.
Should read:
"Student expelled from Montreal University after repeatedly attempting to hack into their systems"
It's funny because you fucking nerds KNOW that reporting a security flaw you discovered will usually get you attacked by all the resources of the entity in question. There are very few if not zero exceptions to this. But your constant burning desire to demonstrate how smart you are gets the better of you.
I reported a security flaw in high school to the network admin and had my computer privileges revoked. All stories similar to this end the same. I just HAD to report it, not because I was doing the right thing, but because I wanted to prove how smart I was. And you all know that's exactly why you say anything at all.
Nerds are so fucking naive.
Or do you think it is illegal to try to force your window to see if the new latch is secure?
in the private sector he would have been fired for breaking the acceptable use policy of the network.
You mean other parts of the world don't automatically assume that the white man is racist?
People around here always seem to forget that many of the submitters lack the ability to correctly interpret what they read, so article summaries are often quite misleading. I was just about to comment that things may not at all be what they seem when I read your post. Thanks for that. I have lost count of how many times an article will say something and the submitter will come to the exact opposite conclusion of the point that the article is trying to make.
OTOH.
Let's look at what happens when you let Islamists have their way in your country for a bit.
Let's look at France.
Let me go on record. Without being AC.
Islam is a religion that allows no other religions to exist.
Everywhere it has taken hold and become dominant it has used that dominance for evil.
Fuck them.
Why is it so hard to only have politicians for a few years, then have them go away?
It seemed more like he discovered a flaw and reported it. This embarrassed the university. He later tried to verify if the flaw had been fixed by using the flaw
He discovered a flaw, then waited two days and used general security testing software. I'm not sure that's the same as verifying they fixed it, nor is his intent to verify even clear.
Here is the relevant section of the article:
After an initial meeting with Director of Information Services and Technology François Paradis on Oct. 24, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”
Note that jail was only mentioned after Acunetix was run.
If you have a name in Arabic, you are not necessarily Arabic. Could be a convert (Muhammad Ali); Could be Christian; could be Asian;
If you have an Arabic name, you are Arabic. Note however that Arabic is referring to both language, ethnicity, culture and nationality.
There is the "Arabian Peninsula", so you may say instead he has an Arabian name. Though some Asian Muslims might take offense, and it could very well be that the kid has never actually been outside of Canada in his life.
"Islamic" and "Muslim" are currently interchangeable. Though I think (not sure) "Islamic" is actually historically incorrect. Regardless, ""Ahmed" is Muslim in the same sense that "John" is Christian and "David" is Jewish so you can go with that too.
Either way you go about it is usually fine in the sense you'd be equally wrong in your assertions. I would personally like to refer to him as Augustus Baker and see how that flies with the alumni committee :P
The Slashdot article summary is very misleading at best. He was not expelled because he reported a security flaw; he was expelled because he ran Acunetix, a website vulnerability scanner, after he reported the vulnerability, without permission of the web gods. Although there was no malicious intent by Ahmed Al-Khabaz, he stepped over the line and the university was not in a forgiving mood, arguably vindictive.
Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.
“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”
For reporting the vulnerability in the first place, he was thanked by the University, but they did not take kindly to using Acunetix -- I would certainly agree that the university over-reacted, but they were not punishing him for discovering a vulnerability.
This can't be stated enough.
First of all, I have to wonder how he found the problem in the first place, if he used Acunetix to follow up later to see if it had been fixed. I doubt he just "stumbled" across it, frankly; when I want to check to see if a flaw has been fixed, I use the same method I used to discover the flaw in the first place. And they allude to this...that it's the second time they've seen him in their logs that way. So I get why they would have their doubts about purity of his intention, especially since Acunetix is commercial software that he probably would have pirated, given that the trial version would have expired between the first and second tests. A lot of malicious scanning is done with this tool; I've seen it showing up in the logs of many clients over time. So again, that's another thing to cast doubt on the notion that he was just writing an API and happened to stumble across bad coding. If I look at it from the school's perspective, I can see why they were spooked. And I definitely have to question the way he portrays things as having taken place. You don't run an application security scan against someone's infrastructure without their permission, period. And this is why.
As for the software company threatening with legal action, that's nothing to do with the university. Yes, vendors go off the deep end over vulnerabilities, especially when they smell blood in the water because the person reporting the vulnerability has unclean hands. But the actions of the university are one thing, and the actions of the vendor are another.
Do both. Absolutely, do both. You have recorded their consent to recording, and you've recorded them erasing the evidence.
That's one of the dumbest things I have heard. Oops, you found a hole and pointed it out; you're expelled.
IT / tech schools do a better job there; CS is more on the programming / high-level design side.
This is more of an IT / sysadmin / networking issue, and most CS classes fail to teach that part the right way, or just cover it at a very top-level way that may tell you about the tools but not how to deal with their outputs / where the hole came from.
Just because he had an Islamic name
What's "Islamic" about the name? If you said "Arabic", now that would be something else...
I think you totally miss the point. Bigots don't really double-check their math; that's why there was a rash of Hindus getting assaulted after 9/11. So any name that is based in Arabic or Farsi (or, if the bigot in question has been abroad, Pashtu, Urdu, or any number of languages used in Central Asia) is, by assumption, "Islamic," when you're discussing prejudice against Muslims.
When I was in college I discovered that the University was unknowingly showing registration passwords on their LDAP server (you could only view this through an LDAP browser).
I brought it to their attention. They made me promise not to tell anyone while they were fixing it (no actual non-disclosure document was signed).
Once they had it fixed they called me and a friend who also noticed the issue into the IT office, and offered us paid internships. I already had an internship, but it was a nice gesture.
He wasn't expelled for uncovering a software flaw. He was expelled for continuing to exploit it two days after he made the report.
Ahmed Al-Khabez certainly appears to be an Arab name. Al-Khabez may or may not be "Islamic," (probably is), but Ahmed is definitely a Muslim name: Christians or Hindus are very unlikely to have it. But why is his name relevant to this story?
Who bought the third party software with the security flaw? What, if anything, was their relationship to the vendor?
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
I remember finding a similar security flaw in the printing system of Waterloo University that would kick the system into some administrator mode full of everyone's usernames and passwords.
Troll is not a replacement for I disagree.
Just because he had an Islamic name
What's "Islamic" about the name? If you said "Arabic", now that would be something else...
Actually, there are Islamic names and "Ahmad" is one of them. Another obvious one is "Muhammad". These names are both Islamic and Arabic and are popular among non-Arab Muslims. A Christian who speaks Arabic would never have one of these two names, but could have an Arabic name that is not Islamic, like "Walid". An Arab Muslim could also be named "Walid", but it is unlikely that a non-Arab Muslim would be.
What really happened is that a student actively probed the servers of the company that hosted the software. Whether or not this should be punishable is certainly debatable, but don't make it sound like all he did was find a bug.
The first thing he did was appropriate... reporting the flaw to his IT/Infosec management. 2nd thing was what he did wrong.
By not co-ordinating his follow-up testing with anyone (the vendor, the school, etc.) he was caught exploiting a known weakness in the software.
He had no responsibility or right to attack the software a second time; call it "testing" if you like, he chose to attack the software using the exact same exploit he warned them about earlier.
It wasn't his job to "test" their fix.
14 out of 15 professors chose to expel this student - a student who claims to have been "acing all his classes" - there just might be more to the story than this student is sharing with the reporter...
Ken
You can use different email addresses for the free trial
But it's still robust and vibrant.
That is actually quite a non-trivial security concern called horizontal privilege escalation that carries a high risk. They should get that fixed asap and do a little forensics to see if it's being actively exploited. A penetration test would help.
What's "Islamic" about the name? If you said "Arabic", now that would be something else...
You are right, technically speaking, but since 95% of Arabs do in fact practice or consider themselves part of the Islamic faith, I would say that your comment is bordering on pedantic.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
Nice try. But it wasn't his window he was trying to force.
That made him sign the NDA
PocketPermissions Android Permission Guide
Well, that's a fine message to send to young people. If you find a security flaw, don't report it or you will be punished.
No, but Montreal is in Quebec. I'll let you interpret that however you want.
The software company was made to look incompetent and was then expected to spend their own money fixing the problem. I would not be surprised if they were out to get him from the moment they were told. Tell him about the progress? You've never worked in a software company, have you?
"Any sufficiently technical expert is indistinguishable from a witch"
--Robert David Graham
Well, all I can say is that Dawson College is a backward place that hasn't a clue how to deal with computer issues.... My guess is that people go there to study theology or other non-subjects.
It seems a big issue that the NDA was supposedly signed under duress. To me duress is something like "sign this or we will burn down your house". In this case it is more like "Given that you have now started to illegally use hacking software, we are concerned that you will spread this information to others who will cause bigger issues. As a consequence of your illegal action and to protect ourselves we require you to sign this NDA. Failure to sign it shows an inclination to spread this information, therefore we will have to bring your actions to the police if you do not sign it". To me that is not duress, as it is the direct consequence of Al-Khabez's actions.
The stupidity of this story is that it is a bright person who has few social skills. Sure, he was praised for finding the bug. Then he just had to test it two days later. I can just hear the thoughts going through the president of Skytech's mind: "It's great that you found the flaw, but run a hacking suite on our servers and your ass is grass." Ever hear of poking the bear? Skytech is probably a little sensitive that a major flaw was found. Now you look for more when that is probably what they are already doing? And only after two days? I guess the college student doesn't understand enterprise-level software releases, as it can take more than a couple of days to get a fix into the field. There is testing and scheduling to be concerned with. Had Al-Khabez waited a month and tested just the vulnerability he found, I doubt there would have been an issue. Instead he ran a hacker suite after two days.
That's hacking!
People will deny his name was part of this but it is like saying that back before civil rights the reason they didn't hire black people had nothing to do with race.
I find it comforting that the Canadians are a corrupt bunch of scum-bags, just like us.
According to the law in Iraq, Saddam was illegally targeted by terrorists (the USA/UK).
According to the Crown, the Founding Fathers broke the law and formed insurrection to the crown.
According to Soviet Law, the defectors to the USA broke the law they agreed to.
According to Saudi law, Google are breaking the law by allowing anti-Muslim screed to be read by people on the internet.
Perfect analogy. Mod parent up please.
14 out of 15 professors choose to expel this student
Indeed, this is the part I find most telling that there is more to the story. Would all these professors really have conspired to avoid embarrassment for the college? Or is there something these professors knew that isn't in TFA?
He found a flaw, waited two days, and then proceeded to use a general purpose tool. While this is most likely naivety on his part, it could also be something else we're not aware of.
But we don't have the logs, nor do we have info on the original vulnerability. If I were a professor given the info in TFA, I would not have expelled him. And that is what doesn't add up. If a professor had evidence that his intent was more than to just verify a fix, then the 14/15 vote begins to make much more sense.
not just incompetent, apparently also malicious and power-mad, if the OP's story is to be believed.
Arabs, Persians and Europeans have shown that they cannot interact peacefully. There are places in the world where Islam co-exists with other religions quite happily, even places where it has done so for centuries. Religion has much less to do with it than cultural friction which long predates Islam (and Christianity, for that matter), though certainly religion has become woven into the issue as well.
As far as France being a cautionary tale about Islam run amok... yeah, right. Islam is a minority religion in France, and will remain so for the foreseeable future. There is literally no risk that the extremely dominant French culture is going to vanish, though it will certainly pick up a few hints from the immigrant cultures as the younger generations who always drive cultural change assimilate across racial and cultural lines. This is a normal, healthy process which we in the States refer to as "the melting pot"; France will be stronger, socially and culturally, once they get past these awkward early stages.
Try not to take me more seriously than I take myself.
Although there was no malicious intent by Ahmed Al-Khabaz, he stepped over the line and the University was not in a forgiving mood, arguably vindictive.
Note that Dawson College is not a University, you cannot get a bachelor's degree there. It is closer to a technical college.
ID: the nose did not occur naturally, how would we wear glasses otherwise? (apologies to Voltaire)
Like many quality companies in the world, there are quality universities that do not apply a strictly paper-based filter on all applicants before further consideration. That kind of screening is effective, but it can lead to a lot of undesirable false negatives.
The kid seems bright enough (his understanding of the law notwithstanding) that he could probably hack it at a place like MIT or Stanford. Get the hell away from Dawson.
Seriously, anyone in the Montreal area ought to snap his talent up!
It's Quebec, not the U.S. We refer to Arabs as Arabs and Islamists as Islamists, not to both of them as terrorists.
There is also no danger of France's law being turned to Sharia in places, right?
I think you can not see what you do not want to.
This could have happened to me. I found a flaw in my school's grading software (which I'll disclose here because hey, I'm kind of proud that 8th-grade me found it):
Grades were not managed by a single system, per se. Every teacher had a copy of a piece of software. This software would take grades in and spit HTML out, calculating percentages and so on. These html pages were then purposefully exposed to the world on the school's web server. The structure looked like this:
login.html
grades/
    gradesPersonA.html
    gradesPersonB.html
So: how were these html pages protected? Actually, the method was pretty clever and would work most of the time on a properly configured web server. The individual grade files were not named something easily guessable. In fact, they weren't guessable at all. Everyone had a password; the login html page would take the username and password, run a hash function on both, and redirect you to hash(username+password).html. As long as you didn't have the password, you couldn't even find the html file without brute-forcing it (and they were pretty long hashes).
However. This all falls apart if there's no index.html file in /grades/ and the web server is configured to generate directory listings. Just navigate to /grades/ and there they all are! Some teachers seemed to have a blank index.html file, and some didn't (I suppose they might have been using different versions of the software).
I decided to take matters into my own hands (yes, I was an idiot. I was 14, what do you expect). I had been granted access to a small chunk of the webserver for php experiments by a teacher. I quickly discovered I had read access to most of the web server (including lots of files teachers had stuck up there, not for public use, and just protected by being named obscurely) and write access to large chunks, including the root.
Being, as I said, an idiot, I dropped a .htaccess file into the root that was supposed to disable directory listings and close the hole.
It was extremely successful. So successful, in fact, you couldn't access the login.html page; you couldn't access the grade pages; you couldn't access ANY PAGE AT ALL on the entire district web server. Including my folder, so I had effectively locked myself out along with everyone else.
Fuckfuckfuckfuckfuck.
I call my teacher over, explain the problem, he gets on the phone to the school's IT department, they remove the malformed .htaccess file, everything's back to normal, I get a short talking-to, and it goes no further. Never done anything so similarly stupid since.
(oh, and fun hack: my school's computers were locked down using a piece of software that basically rootkits the system and redirects writes to disk into a ramdisk, transparently, so on shutdown every change is wiped away clean. This works great unless you disable the rootkit. Which you can't do, of course, because as long as the rootkit is running, you can delete it all you like and it comes back on reboot. So you boot into a liveCD (the BIOS isn't locked, what a surprise), rename an important data file, reboot into Windows, make all the changes you like, and then restore the data file. BAM. Not only have your changes stuck, but they'll stick NO MATTER WHAT ANYONE DOES, because the system's locked down! Never did anything more than prove I could (and never told anyone at the school), but holy crap could I have gotten in trouble if I had.)
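As an added illustration of the post above (this is not the poster's grading software; SHA-256 over the concatenated username and password, the sample accounts and the file layout are all assumptions modelled on the description), the following shows why the unguessable-name scheme rests entirely on the server never producing a directory listing, and gives the audit a defender would run instead of dropping an untested .htaccess into the web root:

```python
import hashlib
import os
import tempfile
from typing import List, Optional


def grade_page_name(username: str, password: str) -> str:
    """Model of the capability-URL scheme from the post: the page name is
    hash(username+password).html. SHA-256 and plain concatenation are
    assumptions; the original tool's hash function is not stated."""
    digest = hashlib.sha256((username + password).encode("utf-8")).hexdigest()
    return digest + ".html"


def build_sample_webroot() -> str:
    """Construct a throwaway webroot shaped like the post's layout
    (constructed sample data: two students, no index.html in grades/)."""
    root = tempfile.mkdtemp(prefix="grades-demo-")
    with open(os.path.join(root, "login.html"), "w") as f:
        f.write("<form>...</form>")
    grades = os.path.join(root, "grades")
    os.mkdir(grades)
    for user, pw in (("personA", "hunter2"), ("personB", "s3cret")):
        with open(os.path.join(grades, grade_page_name(user, pw)), "w") as f:
            f.write(f"<h1>Grades for {user}</h1>")
    return root


def directory_request(webroot: str, rel_dir: str,
                      listings_enabled: bool) -> Optional[List[str]]:
    """Emulate what a static server hands an anonymous client that asks for
    a directory URL: index.html if one exists, a generated listing if the
    server is configured to produce one, otherwise a 403. Returns the file
    names the client would learn, or None when nothing leaks."""
    target = os.path.join(webroot, rel_dir)
    if os.path.exists(os.path.join(target, "index.html")):
        return None  # the index page is served; the hashed names stay hidden
    if listings_enabled:
        return sorted(os.listdir(target))  # every hashed name is revealed
    return None


def audit_listing_exposure(webroot: str, listings_enabled: bool) -> List[str]:
    """Defender's check: walk the webroot and report every directory whose
    contents an anonymous client could enumerate. The unguessable-name
    scheme is only as strong as this list being empty."""
    exposed = []
    for dirpath, _dirnames, _filenames in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot)
        if directory_request(webroot, rel, listings_enabled) is not None:
            exposed.append(rel)
    return sorted(exposed)


def close_hole(webroot: str, rel_dir: str) -> None:
    """The per-directory fix some teachers' installs already had: a blank
    index.html. Disabling listings server-wide (Options -Indexes in Apache)
    is the more robust fix and is modelled here by listings_enabled=False."""
    open(os.path.join(webroot, rel_dir, "index.html"), "w").close()


if __name__ == "__main__":
    root = build_sample_webroot()
    print("exposed with listings on :", audit_listing_exposure(root, True))
    close_hole(root, "grades")
    print("after blank index.html   :", audit_listing_exposure(root, True))
```

The audit flags the web root itself as well as grades/, since neither has an index page; only the latter exposes per-student pages, which is why the post's teachers who shipped a blank index.html were safe while the others were not.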
Honest! I was just trying to make this mobile app so I had to hack into your system and I found this sloppy code that let me in!
What part of "Do not access things you are not authorized to access" do these people not understand?
If you stumble onto a defect in an information system while developing an application front-end to that system, there is no unauthorised access. The level of intelligence on /. has decreased significantly from the early days. Mores the pity.
Since his personal info is in this system, it is indeed his "window".
I miss when ACs mattered.
Oh wait....
Look, there are real problems and challenges with immigration, but when you oversimplify things into grandiose claims like these, you make the real problems worse. I live in the heart of multiculturalist Canada (in the same town this article took place in). We do occasionally have issues with small pockets of Muslim immigrants who want to enforce their religion, but this is a rarity. The vast majority of Muslims you meet in this town are polite and mind their own business. I sit next to them every day on the metro and I assure you, they are the opposite of scary. Media hype and the availability heuristic... we should be old enough to see past these things by now.
"The single biggest problem in communication is the illusion that it has taken place." George Bernard Shaw
Minor correction: Dawson is not a university, it's a college. In Quebec, it's the step before university, but since he was studying computer science it was akin to a trade school. He would be lacking the prerequisites with that program to go into computer science at the university level, except at ETS in Montreal.
Sounds like what he got in trouble for was being a responsible developer and informing the university of the flaw. He got praise from the developers and IT people from the company who wrote the software, but then the president of the company (not the university) went apeshit and claimed he was hacking them. I suspect the University was unhappy with the company for the problem and the company decided to take it out on the person who embarrassed them.
Ah, calling someone a pedant for not agreeing with your made-up statistics, nice.
Don't complain about syntax, grammar, or spelling. There is no.hell like input on android.
Write "This was written under duress and I do not agree that by signing it I forfeit any rights I have in law", and then sign it.
This is Canada. We saved the black people.
Now kill yourself! Do it! Do it! Become a martyr. Do it!
It is 100% illegal for you to try and force the latch on my window, just to make sure the new one is secure. Also, depending on jurisdiction, that might be considered legal justification for me to use lethal force to protect my home. I strongly advise that you DO NOT try that in Texas.
Yes, but you'll have a bit of a problem when you try to install it on your system, won't you? The software is cognizant of having been there before.
I don't hate or fear the people.
I will fight with every fiber of my being though against their LAW.
As soon as enough of them get into a community you start to see them wanting to exchange current local law for their religious law.
Fuck that.
I suspect that the professors were not conspiring, but whoever prepared the package of information for them probably did give them a rather selected view of events. The kid screwed up by pinging to see if the issue had been fixed, but given how often industry has a bad habit of burying issues, and his concerns about the real-world harm this problem could present, I can not blame him for his desire to find out if they had made good on their promise to correct it.
I generally agree that with the information in TFA a professor would be unlikely to expel, but I have seen administrators (who often do have an incentive to protect either themselves or a corporate partner) passing along slanted stories, esp. if they are just taking the word of the company.
What the heck! I've been using MS-Win since 1987 in one form or another. I've never published a complaint. It is all by word of mouth. No published incriminating evidence. hmmm...
Arabs, Persians and Europeans have shown that they cannot interact peacefully.
You silly, where did you get that idea? Persians had never had problems with others - until Islam came, that is. Arabs are as variegated in their beliefs as any European, and Europeans are willing to lure just about anyone into Europe. Show me the "cannot interact peacefully" part, would you?
There are places in the world where Islam co-exists with other religions quite happily, even places where it has done so for centuries.
As an atheist with a few Wiccan friends, could you direct me to the Islamic country that would welcome us with open arms?
Ezekiel 23:20
The vast majority of Muslims you meet in this town are polite and mind their own business.
The problem is, it was the same with Christians until the fourth century. Then the actual horrors started.
he used Acunetix
So in other words, he's a script kiddie? They're going nuts over that?
A lot of malicious scanning is done with this tool
What makes scanning so malicious? What's next, getting into trouble for trying to telnet to random IP addresses? Is it now a crime to point nmap at school IP addresses? Maybe surfing to their website and repeatedly hitting F5 is a reprehensible DoS attack?
Acunetix is commercial software that he probably would have pirated
Even if that's true, which you do not know, so what? I don't see where that has anything to do with the issue at hand.
I can see why they were spooked
Well, I can't. They can fix the flaws, it's not like that's hard. Might even have to hire a few competent programmers! Instead, they reached for the assault weapons. If they pump enough bullets into this messenger, maybe they can erase his message as well as him. We ought to take these legal powers away from these bozos.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
Actually, Ahmed/Ahmet is an Islamic name, like Muhammad. Same as how only Christians get named "Jesus" (though almost always in Spanish speaking countries).
http://en.wikipedia.org/wiki/Ahmad
Yes, we do the same thing, here, in the US. I am not apologizing for the idiots that do. And I'd have to add that most Americans understand the difference.
People != Sensationalist Media
People != Government
Many of us are ashamed of them.
Montreal is not the fourth Century in the East, it is the 21st century in the West. That's a terrible analogy--by that logic I could prove anything I wanted, just draw a specious analogy with vastly alien historical situations to prove anything evil. After all, history is violent and nobody is innocent if you go back far enough and make ridiculous comparisons. What you are doing is akin to religious people who try to claim Atheism is evil by citing the massive amount of deaths in China. It's irrelevant.
You have to look at the reality that exists in the now. We've far, far more pressing social issues here than oh so scary Muslim families who are going to their mosques and working their day jobs.
What happened to the security hole?
The rule here is to never sign an NDA in this case. Go public and burn the company in question with the media. Threatening people with jail when they discover an exploit in software is counter-active and just plain stupid. The president of Skytech clearly doesn't understand software or computers in general. In fact, I am sure that he is just a plain capital asshole, as you can find them in companies everywhere.
I don't have the right to test the windows at my bank...
Matthew 28:19-20:
"Go ye therefore, and teach all nations, baptizing them in the name of the Father, and of the Son, and of the Holy Ghost: / Teaching them to observe all things whatsoever I have commanded you: and, lo, I am with you always, even unto the end of the world. Amen."
Same goes for Christianity. Your friends going around telling people about the good news are actually being good Christians. Also, I've never heard of any Islamic people in the Western World telling others they can't be Christian. Hmmm, maybe because the Islamic people you are talking about are called FUNDAMENTALISTS (you have them in Christianity too, fyi).
And don't give us this bullshit by singling out Islam. The majority of the "problems" you would describe, if you were to actually show some examples, are created by social differences and are always the result of both sides not being willing to compromise. The majority of Turks in Germany, for example, were given work permits because Germany desperately needed workers in the 70s. Their failure to integrate is a problem for both sides; on one hand, some Germans refuse to accept that these people have different histories, coming from different cultural backgrounds. Moreover, the integration programs that were put into place were not good enough to encourage people to break from their social communities, which in many ways are defined by their religion. Yet it is very evident that Turkish people segregated themselves in a large way in different communities. The general argument can be boiled down to: "they didn't integrate." "Well, you didn't let them." However, if this were not the case, Berlin wouldn't be the city it is today, nor would Vienna. The same goes for Arabic peoples in France, the Netherlands and many other European countries. Also, Arabs in France are also the result of French intolerance in places like Algeria, for example.
How is it not clear to you that Christians caused the same problems among different sects for centuries until Western democratic society smoothed these tensions over to a reasonable degree?
Lastly, fuck you and your religion. Neither you, nor it is endangered by Islam. And, maybe you should risk exposure to another culture, it might actually open your eyes or at least make you realize when it would be smarter to hide your racist views from the public.
Nice website you've got there. It'd be a shame if something were to happen to it.
A Christian who speaks Arabic would never have one of these two names
I have a Jewish first name, but that doesn't make me Jewish. And it's been like that since the middle ages.
Higher education in Quebec is different then other parts of Canada.
http://en.wikipedia.org/wiki/Higher_education_in_Quebec
"More's"
Try "knocking on the bricks to see if they used ACTUAL bricks rather than just brick-patterned wallpaper".
The rule here is to never sign an NDA in this case. Go public and burn the company in question with the media. Threatening people with jail when they discover an exploit in software is counter-active and just plain stupid. The president of Skytech clearly doesn't understand software or computers in general. In fact, I am sure that he is just a plain capital asshole, as you can find them in companies everywhere.
It feels like a better conclusion is "cover your tracks" no matter how white-hat (and basically harmless) what you're doing is, because the world is full of jerk offs.
Higher education in Quebec is different then other parts of Canada.
Yes. Apparently they don't teach English grammar in Quebec.
Since his personal info is in this system, it is indeed his "window".
So I suppose you also own Facebook if you have an FB account?
You continue to miss the point. He was not "threatened" until he used a hacker suite on the server. Finding the exploit was not the issue. He went over the line into hacking when he used a hacker suite. Had he stopped at reporting the issue there never would have been an NDA or any "threatening".
Your rule is to be a black hat in every instance. Not a good rule. My rule would be to report the bug and then check that specific bug much later.
So....deceived rather than conspired? I find this also difficult to believe. The professors are (presumably) experts in computer science and had this kid's entire future in their hands. Do you think they would be easily duped?
I wouldn't blame the kid for curiosity either. But I wouldn't vote to kick a kid out of school without compelling evidence of intent *beyond* curiosity (in this case).
So I have a hard time imagining how they could skew evidence so well as to convince so many professors to take this severe an action. Again though, it's hard to imagine since we don't have the logs, nor do we have info on the original vulnerability. What we do have though, is 14 professors who felt there was sufficient evidence to expel him.
Not that I agree with GP, but Ahmad is "the second name of Prophet Muhammad and it (Ahmad) literally means 'one who praises Allah more than others'".
He got kicked out for scanning the network some time after reporting the vulnerability.
What? In this age of virtual machines and snapshots?
I really doubt that.
Shame it's completely wrong, the window belongs to Omnivox. A better analogy would be that he noticed Omnivox had left their window open and told them, to which they thanked him. He then goes back 2 days later with a crowbar (Acunetix) to test whether they'd locked their windows properly yet.
Sorry.
The biggest problem Christianity has caused for me is looking at nativity scenes in peoples front yards.
Not that big of a deal.
No one has told me that I have to pray to Christ or I am dead.
The Christians have not put me in prison for taking the lords name in vain.
Now maybe they used to like that centuries ago. They are not that way now.
I will not tolerate it from them or any religion.
If Islam wants some respect then they should grow the fuck up. Like the other mainstream religions have.
Until then, I will say again. Fuck Them.
No, he got congratulated for finding the flaw. He got in trouble for running a vulnerability scan afterwards to verify that the flaw was fixed. He ran the vulnerability scan without the system administrators' knowledge or permission. I agree that he should have gotten in trouble, maybe not expelled, but in trouble, because the vulnerability scan could have crashed or corrupted the system.
The worst part of being atheist.... You don't have anyone to talk to during orgasm!
I think you meant to put a 'w' instead of a 't' - but don't worry, it only made your sentence mean the OPPOSITE of what you intended. Now who's the idiot?
"And, as such, your legal position is not significantly weakened because"
Since it seems (from the description) that he was congratulated and then criticized by different people, I suspect that the attitude was already there, but the action of checking to see if it was patched changed the balance of whose voice was dominant.
"Everything with finding the flaw seems to have gone find."
Huh?
Why is this funny? I just finished my second degree and I can say with a total degree of certainty that the only good code I get to see from day to day is either from my Embedded Software Developers or from Software Developers who use C or ASM.
Dawson is not a university. It's a CEGEP. The software in question is OMNIVOX, a pure POS most CEGEP use...
Also NEVER IDENTIFY YOURSELF when reporting a vulnerability. IT departments love to shoot the messenger.
I found myself in a similar situation many years ago with e-Trade (now Scotia iTrade). Their phone support staff was giving EVERYONE the same temp password for initial login and forgotten passwords. I was sort of distracted the day I first set up my account, and didn't really notice that the system ALSO didn't force me to choose a new password immediately after using the default. A few weeks later, I logged in but got my user ID digits transposed. I found myself logged into someone else's stock account, with over $12k of holdings. I could view their balance, holdings, contact info; I could have changed said contact info and sold their stock portfolio, moved the money wherever I dared, etc.
I quickly logged out after noting the incorrect ID and email of this person that I had just logged in as... then went home, registered 2 or 3 anon web proxies and through those registered for an Asia-based webmail service under a one-time throwaway account. I then emailed the person, CC'ing eTrade, with a polite note stating that they should change their password IMMEDIATELY, and that they should call eTrade right away and demand they fix their password policies. I then deleted the email account and proxy setup, and hoped I'd done enough to help that person AND shield myself.
I, and a few others at our office, STILL got polite (but somewhat probing) calls from eTrade the next day, as I'd forgotten that we were all going out through the company NAT there, so they had seen our office IP access that mistaken account the day before. I played dumb, stating "why yes, that WAS my password too! I sure hope no one got at my account! I'll change it right away, thank you sir."
eTrade emailed everyone a few days later announcing an updated password policy -- I hope someone on their IT and phone support teams got a stern talking-to about using the identical password for multiple users, too. Inexcusable for a finance company with people's money to be that careless.
Easy for you to say, but given that his name indicates he's probably not fourth generation Quebecois _and_ in light of Aaron Swartz literally being hounded to death by his own government, that threat no doubt sounded all too real. Western laws and protections have been proven not to be universally applied to those of the 'wrong' religion and tending towards the brown part of the skin spectrum.
Actually, he didn't seem to get into trouble until he ran a vulnerability scan on the site, to "ensure that the issues he and Mija had identified had been corrected"; Skytech saw the scan happening, called him up, and told him what he was doing constituted a "cyber-attack", and THAT'S when the metaphorical shit hit the metaphorical fan.
Metaphorically speaking.
My sig can beat up your sig.
Depending on the culture of that specific university, yes, I could believe they were easily duped. Professors tend to be overworked and these committee assignments can be quite draining. They rarely will sit and do independent checking or even really debate the topic; most of them are willing to just hear the complaint and apply the rules quickly so they can get back to tasks more directly connected to their jobs. The evidence may have been as simple as 'Our long term partner has brought charges against this student for attempting to hack their network. Our relationship with them is important and failure to hold up our guidelines regarding unprofessional conduct could sour the relationship or even lead to legal troubles'. Unless they have a reason to suspect the company is feeding them false or misleading information they have a significant incentive to just believe them.
Unless someone raises a stink, the whole process probably took about 10 minutes.
There are places in the world where Islam co-exists with other religions quite happily, even places where it has done so for centuries.
As an atheist with a few Wiccan friends, could you direct me to the Islamic country that would welcome us with open arms?
I have added emphasis to show you where you are going wrong here. As soon as religion and politics intermingle at state/country level, this is when things start to go horribly wrong. A country should be ruled based on general principles of morality. As soon as you start to introduce a religious element to a country's legal framework, you are setting yourself up for a fall whatever religion it may be.
Just my $0.03 (At current exchange rates, my £0.02 is worth more than your $0.02)
This kid was applauded for finding the vulnerability related to the development of his app. He was expelled because a week later he ran a full exploit test suite on their systems without their permission. If he did that anywhere else it would most likely constitute a crime; he'd be fired from a job for doing so, he'd probably be arrested for doing so against a third party. Expulsion may be too harsh, but this kid is not innocent.
Ahmed is both an Arabic and Islamic name. Ahmed means "most praised" and is sometimes used as a name for Mohammed, the founder of Islam. It is believed that naming your son with this name will bring blessings to your home.
Now, considering this, it does not seem wrong to call it an Islamic name. Certainly, it is a common Arabic name. But why? More than likely, because the most common religion in Arabic speaking countries is Islam.
Is Jesus a Christian name, or a Hebrew name (or, tongue somewhat in cheek, a Latino name)? It is a very common name in Latin America, but then, Latin America is overwhelmingly Christian.
I would be very surprised if Ahmed's family is not Muslim. If they were not Muslim, it seems unlikely they would choose a name so favored by Muslim Arabs. But it is possible, of course.
What's "Islamic" about the name? If you said "Arabic", now that would be something else...
You are right, technically speaking, but since 95% of Arabs do in fact practice or consider themselves part of the Islamic faith, I would say that your comment is bordering on pedantic.
Where do you get that statistic? I know that the media portrays it as if practically everyone with an Arabic name or heritage is automatically a member of the Islamic faith, but the statistics do not bear this out. Yes they are the majority, but once you factor in the Christians, Druze and other assorted communities who are generally ignored by the mainstream media you start to see that the figure is almost definitely somewhere sub-90-percent.
I am curious what would happen if Anonymous got involved in this. I wonder what the college would do if Anonymous gained access to all the very same student records then threatened to release them all unless the college reinstated this student.
xkcd.
[Gotta be redundant by now.]
Have gnu, will travel.
Reporting a bug like this is in itself dangerous. The reason is simple. Companies are often controlled by people who do not understand the technology and the importance of bug discovery. So when this happens, they go on a rampage and punish the discoverer of the bug, instead of rewarding him or sending him a thank you note.
These people do not care about white hats or black hats. In fact, I am not sure if they care about anything else than pure profit.
Nazi: "I order you to sign this non-disclosure form, or you will be sorry!"
Subject: "OK"
Nazi: "Good. Now you are expelled."
Subject: "You forgot to tell me I would be sorry no matter what I did."
Subject's original response should have been "Fuck you, Nazi".
Perhaps they thought he was a Newfie.
Purdue
I too accidentally stumbled upon student information. Except the files I found were on a network drive that didn't have permissions properly set, and thus any person who knew where to look, and had an account on the network, could see these files. All students and teachers had an account, but that doesn't mean you had to be either. All you needed was to know someone who was a student there, and have them log in. The issue was that everyone had read access, but no one had write or delete privileges. So, you can see addresses, phone numbers, social security numbers (yes, I'm an American), names, student ID numbers, and other bits of information and there was nothing you could do. I brought this up to the head of IT security and he approached the whole situation like I was a criminal and questioned me about everything. There was one weird thing he had said though. Something along the lines of "These could sell for anywhere from $50 to $100 a pop." so I was under the impression this wasn't an accident. I couldn't focus on my school work, and just stopped going to any of my classes after this. I failed out of every class, and didn't really care. I saw this as a slap in the face. Considering that I was going for computer security (won't say the exact course I took, so I don't get stalked/harassed) this absolutely disgusted me. Also, from what I understand NOBODY got fired because of this.
Again, you didn't get the issue. He was "threatened" because he attempted to hack after reporting the bug; not for reporting the bug.
Instead of awarding him or send him a thank you note.
They did thank him UNTIL HE ATTEMPTED TO HACK THEIR SYSTEM WITH A HACKING SUITE. Just because he reported a bug does not mean their system is free and open for him to play with. He crossed the line into hacking.
"He had no responsibility or right to attack the software a second time, call it "testing" if you like, he chose to attack the software using the exact same exploit he warned them about earlier."
Because it's not like he was a student at that university and his own personal information was at risk or anything, right? Oh wait...
I guess the appropriate course of action was to instead anonymously hint that such a thing is possible and then when someone else takes the data, start a class action lawsuit against the university. Lesson learned.
I'll interpret it the way you should: if anything Quebec and Montreal are MORE open than the rest of Canada.
they're doing him a favor. dawson's a shit school and he'll be better off somewhere more technical.
Yes deep freeze.
Back in high school they had that, but we found that if you hit Cancel at the Novell login screen you then logged in as local admin. Also for some time you were able to get past the web filter just by turning proxy settings off. They fixed that part.
Only if you're someone incapable of removing registry entries. Someone who knows enough to use Acunetix is going to know how to do that. Were you even being serious?
Well now everyone knows about the flaws and extreme douchness of Dawson College.
If I were a student I would file suit against the university for negligent handling of my PII and encourage others to do the same.
If a vulnerability scan crashes a system then there really is sloppy coding.
Anonymous could stop DDoS attacks and instead just run a couple of vulnerability scans to take down their opponents. So much easier!
never sign anything legal unless your lawyer is with you or has already reviewed it for your protection. NEVER SIGN ANYTHING
It doesn't surprise me what actions the student opted to take. What most people often forget is that he's still very young and getting expelled from college in his eyes could potentially mean his future will be shattered. I can relate to him because I myself am a student, and if I found myself in a similar situation it would be much more difficult to make a decision while it's happening as opposed to from my computer at home. But at the same time it's hard for us to make a form of judgment because we will never truly hear both sides of the story.
I have to agree. I work in QA and I don't know how many times our developers have had code do unintended things. It's really not uncommon and this guy more than likely did the same thing.
What do you mean that API call lists all of the stuff it shouldn't??
If you stumble onto a defect in an information system while developing an application front-end to that system, there is no unauthorised access.
The issue is, according to TFA:
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected.
Harsh? Yes. Despite that, he should have trodden more carefully, I'd say. As nice as finding and communicating the issue is, he should have known that trying to access whatever it was when he was obviously known by said company (and as such being watched) was going to put that company on edge.
The system was public-facing.
What crime would that be?
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
I think he had a right to know if they had fixed it, or if his own private information was still vulnerable to prying eyes.
Attacks do damage. The only thing this kid attacked was the school's irresponsibility. The school acknowledged that there was no malicious intent on his part.
He was not "expelled for finding sloppy coding". No matter how much you dislike schools, Quebec, Canada, authority figures, software, computers, accurate headlines, or terms of use, he still was not "expelled for finding sloppy coding."
What is so hard about swapping the text and adding a comma?
Try it:
Student Finds Sloppy Coding, Expelled From Montreal College
Now it implies a correlation (which there definitely appears to be) instead of libelously explicitly stating causation.
Even though I'm not a security researcher, I have in a distant past stumbled onto security flaws while trying to interface with something. The claim is entirely plausible. You might want to stop taking these pills you're talking about; they obviously don't help.
http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html
Apparently his attempt to test Skytech's system really screwed things up:
“The attack made the College Portal extremely unresponsive for its thousands of users. Had it not been countered, it would have put the College Portal out of order for the entire students and teachers population of Dawson. The attack was traced, and it turns out that it came from one of the students who participated, earlier that week, in the discovery of the security flaw. We therefore decided to be clement, and not to report the attack to the authorities.”
Since the portal serves 250,000 students at numerous schools, this was kinda a big deal.
It was not harmless.
The CBC story has a much more complete explanation of the problems his test caused:
“The attack made the College Portal extremely unresponsive for its thousands of users. Had it not been countered, it would have put the College Portal out of order for the entire students and teachers population of Dawson. The attack was traced, and it turns out that it came from one of the students who participated, earlier that week, in the discovery of the security flaw. We therefore decided to be clement, and not to report the attack to the authorities.”
http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html
the university used this as an excuse to terminate him.
The company was Skytech, not Skynet.
Testing whether the bug exists or has been fixed is not "hacking the system". He used an online security tool. He might have asked for permission to do this. But the most likely answer he would have received would have been a flat out no. You know why. Because the company in question might not have had any interest in actually fixing the bug. Saying that they are going to do something does not equal that they are actually going to do so.
So checking up on them should be fine. As long as he did not try to exploit the bug (extract data).
Islam isn't actually worse than most religions. In a lot of ways it's better.
Christianity doesn't typically grow under Islamic rule, but it doesn't disappear either. Same for Judaism. OTOH to stop Christianity from destroying Islam and Judaism we needed separate, secular legal doctrines such as America's First Amendment.
Without that legal doctrine, and strong central governments capable of crushing the Christian equivalent of Boko Haram (ie: Tim McVeigh) Christianity would actually probably be worse than Islam because Christianity only tolerates Jews as kinda-right-even-if-mistaken whereas Islam will tolerate all Abrahamic faiths.
As an atheist with a few Wiccan friends, could you direct me to the Islamic country that would welcome us with open arms?
Be fair.
The reason you're welcome in most Christian countries isn't that Christian Government is inherently more moral than Islam, or that Christianity is inherently less evil. It's that Christianity is so bad we had to invent the "freedom of religion," and give the state enough power to protect it.
Islam's actually a lot better than Christianity on a lot of fronts. There's a reason that several modern Christian states were mostly Islamic in the 1300s, but very few Islamic states totally de-Christianized. Until the Jews started actually fighting for Jerusalem anti-Semitism did not exist in Islamic countries, and even after 1948 organized pogroms by governments simply did not happen.
Or are you seriously arguing that Fred Phelps would not be leading a lynch mob to your exact house in the absence of a) the First Amendment and b) the United States Judicial System?
They did thank him UNTIL HE ATTEMPTED TO HACK THEIR SYSTEM WITH A HACKING SUITE. Just because he reported a bug does not mean their system is free and open for him to play with. He crossed the line into hacking.
It isn't a "hacking suite", it is a security vulnerability scanning suite designed to help people protect websites. The young man in question had an interest in making sure that the security hole had been fixed, as personal details of his like his address, social security number, etc. were being made publicly available by this company's sloppy work. He had a right to make sure that these details were not still publicly available. The company made a big mistake going after him like this, because they could be open to litigation for not protecting data properly, and have just called massive public attention to themselves.
Who'd ya think is the cretin. Whaddaya, some kinda wise guy? I oughta smack ya's!
Anonymous could stop DDoS attacks and instead just run a couple of vulnerability scans to take down their opponents. So much easier!
Maybe I am missing the woosh (I usually do), but this is not really true. One of the main advantages to a DDoS is that it makes it difficult to null route the attacker. An attack originating from a single source can be easily thwarted using automated systems.
Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
How many scans are they getting hit with now that they've alerted the world to having vulnerabilities? Come arrest everyone that scans your webserver.
No, they couldn't. Electric utilities are regulated like the monopolies they are. Now what they might be able to do, probably even what they intended to do, is to regulate whether you can hook up a generator in such a fashion that it might inadvertently be connected to their system (which would be bad). But even that is a bit iffy -- you could probably force them to specify characteristics of the proper sort of switch over circuitry that you have to install rather than denying you the ability to connect a generator outright.
And in this day and age, the ability to connect solar to the grid and actually force power back is actually a right granted by the state to the customer in a lot of places.
What makes you think what he writes should have any less legal force than what the company wrote?
I do the same thing all the time. Mandatory arbitration clause in car purchase agreement? Strike through and initial.
If she has the ability to countersign, then she effectively does. If she doesn't have the ability to countersign -- worst case is that the entire contract is null and void, because there was no "meeting of the minds." But you would be laughed out of court if you suggested that the person who penciled in a change to a contract should be held to the original version because the other party didn't agree to the change, when the marked-up contract is sitting in the other party's files, properly countersigned, and there are no signatures on any unchanged version. And you would be laughed out of court if you suggested that the nice lady who signed the contract; who signed all the contracts for all the customers; who sat there every day signing contracts -- shouldn't have signed that modified contract. That's the company's problem, not the customer's.
Well both ideas are speculation on our part, but I think the kid not telling the news the whole story is still more likely than 14 people failed to take their responsibilities seriously because they are overworked. Would you vote to expel someone based on the kind of evidence you are imagining?
If you are right, I find it very sad that these individuals were given the power of expulsion and did not treat that power with respect.
Also I don't see how it is in the company's interest to have him expelled when they already had an NDA. In order to fault the company and the college, we have to presume too many facts. Now they are overworked, coerced, irresponsible, etc etc. Occam's Razor does not like this theory :)
From NicBenjamin's cbc link
Dawson College spokeswoman Donna Varrica sent CBC a statement saying the college stands by its original decision to expel Al-Khabaz.
Varrica clarified the process that leads to expulsion. She said the process includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned.
"When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student," Varrica stated.
Apparently the school told him not to do this and he persisted? Also they stand by the decision and the software company offered him a scholarship and part time job now that the news broke.
So what's really going on here? I know everyone wants to root for the underdog, but perhaps the kid is just not telling the whole truth.
PocketPermissions Android Permission Guide
In the late 1980s, I was the sysadmin of a large Unix server at a well-known university, when suddenly the server stopped accepting logins. It seems that the password file (/etc/password) had gotten corrupted. The reason? A well-meaning graduate student had suspected a security flaw and decided to "try it out" to confirm it and then report it. His heart was in the right place, but his judgment was total stupidity: he corrupted a running server used by dozens of scientists "to see if it would work." If he had just stopped by my office and ASKED (we knew each other well), we could have checked for the flaw safely.
So I have a little sympathy for Mr. Al-Khabaz, but he did exercise very poor judgment in running Acunetix.
To continue the analogy, it was the window to the dorm room that the school provided him.
So following your analogy, it would seem perfectly reasonable to me that he should be able to test the security of the mechanisms meant to protect him.
Software sucks. Open Source sucks less.
Montreal is not the fourth Century in the East, it is the 21st century in the West. That's a terrible analogy--by that logic I could prove anything I wanted, just draw a specious analogy with vastly alien historical situations to prove anything evil. After all, history is violent and nobody is innocent if you go back far enough and make ridiculous comparisons. What you are doing is akin to religious people who try to claim Atheism is evil by citing the massive amount of deaths in China. It's irrelevant.
It's *not* a ridiculous comparison. Once a large group of people with the same religion gains majority, with the religion making claim to its own superiority in its holy book, and all of its adherents reassuring each other about it daily, *what* is going to stop them from exercising their power towards their political goals? Their kind hearts? Look at the history. Look at each country where either pre-reformation Christianity (after which the Christians had to become tolerant against their will) or Islam (which has had no actual reformation by now) gained majority, and find me one where people thinking differently *weren't* oppressed.
You have to look at the reality that exists in the now. We've far, far more pressing social issues here than oh so scary Muslim families who are going to their mosques and working their day jobs.
Yes, you Canadians are special :-p, your unique national spirit protects you from things that happen everywhere else. Right.
Ezekiel 23:20
That's because ETS isn't much above a CEGEP anyways!
In the hands of someone not authorized to use it on a web site it is a hacking suite. In the same vein as lockpicks in the hands of someone other than a licensed locksmith are breaking-and-entering tools. He was searching for vulnerabilities in a site he did not own using a tool that can cause sites to crash. Had he written a script to test just the one he knew about I doubt there would have been an issue.
That is all beside the point I was trying to make in that he was "threatened" for the unauthorized running of the security test software and not for reporting the issue.
He didn't test the specific bug. He tested all possible bugs. Had he written a specific program to test the single bug I doubt there would have been an issue.
Checking on a production site in two days from a report is also a very short time. It takes longer than that to program and test the fix. Then it has to get sent out and installed correctly.
Like I said previously in this thread, wait at least a couple of weeks and test the single vulnerability not test for every possible one in two days.
I find it funny how no sys admins have chimed in that they would have jumped down his throat for screwing with their systems. O right, it's OK to screw with corporations.
Islam's actually a lot better then Christianity on a lot of fronts.
So it's like half-bad software package compared to a really bad one? People will have to live with its bugs longer, because there is less incentive to fix them? And again, given who I am, I'd never be accepted in *any* kind of Muslim society. They'd eagerly backstab me on a Turkish street, I don't even have to go to Saudi Arabia for that.
Sounds like what he got in trouble for was being a responsible developer and informing the university of the flaw. He got praises from the developers and IT people from the company who wrote the software but then the president of the company (not the university) went apeshit and claimed he was hacking them. I suspect the University was unhappy with the company for the problem and the company decided to take it out on the person who embarrassed them.
After he reported the issue, instead of letting the vendor and college deal with the situation he went back and ran a scanner to "see if the problem is fixed". That is the actual issue and that is, indeed, a direct violation of Canadian law. You can check whatever data you receive but scanning someone else's server for a vulnerability without his consent is illegal.
My guess is, the guy was high on the praise he got for his discovery and tried to find more to milk it. Lame.
lucm, indeed.
It's not about ownership. It's about having the right to see whether your data is now secure after having made the previous discovery that your data was indeed not secure.
I think you are paranoid, poor chap.
Insulting /. when not having read TFA is precious.
Oh yes I know that. My point was that if a simple vulnerability scan takes out your critical systems, you are screwed.
Here is a quote from the Acunetix User Manual page 21:
NOTE: DO NOT SCAN A WEBSITE WITHOUT PROPER AUTHORIZATION!
Emphasis theirs
It's the old hire the guy who hacked you scenario:
http://www.cbc.ca/news/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html
If you see a door that says "sensitive information here, please do not open door" and the door looks broken, you have two choices, lightly touch the door to confirm your diagnosis that it's broken, in which case you did exercise "unauthorized access", or you report that door without verification. If you report it without verification, then you can't ever tell anyone you found a broken door. You found something that might have been a broken door, but you'll never know.
Yes, it's silly and stupid, but you can't verify a broken item without taking responsibility for abusing it. And lots of people have gotten in trouble for that, and few would want them to quietly back away and tell nobody under fear someone may accuse them of having peeked beyond the broken door.
Learn to love Alaska
See http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html to see what happened after this report.
School still pig-headed; IT supplier less so.
-- hendrik
They wouldn't stab you anywhere. As a Westerner you could be banned from the country, but the Turks aren't suicidal enough to call down the USAF on their heads.
As far as Islamic places you'd be welcome, I think the Balkans and former Soviet states would surprise you. Albania is so anti-religious they actually banned Church in the Constitution at one point. Religion is very important in Bosnia, but it's the "Are you a Catholic Atheist or a Protestant Atheist?" Kind of religion, not the kind where people actually care what anyone believes.
If you see a door that says "sensitive information here, please do not open door" and the door looks broken, you have two choices, lightly touch the door to confirm your diagnosis that it's broken, in which case you did exercise "unauthorized access", or you report that door without verification. If you report it without verification, then you can't ever tell anyone you found a broken door. You found something that might have been a broken door, but you'll never know.
Yes, it's silly and stupid, but you can't verify a broken item without taking responsibility for abusing it. And lots of people have gotten in trouble for that, and few would want them to quietly back away and tell nobody under fear someone may accuse them of having peeked beyond the broken door.
He didn't touch lightly. He ran a penetration test software suite against it.
I think you are very generous. The vendor does really have the authority to have the student ejected. That points a finger at an overly cozy relationship between the vendor and the university.
Quebec has recently been cleaning house over inappropriate cozy relationships between publicly financed institutions and businesses (for lack of a better term).
Maybe the student union should draw the attention of the Charbonneau Inquiry. The inquiry seems to have a problem with witnesses suddenly flipping their stories. I wonder why.
14 out of 15 professors choose to expel this student
Indeed this is the part I find the most telling that there is more to the story. Would all these professors really have conspired to avoid embarrassment for the college?
Penn State... ever heard the stories of what happened there?
Most on Slashdot are hopelessly Naive when it comes to the Law, probably since you have not seen it operated properly, close up. There is the Techie, man in the street and Lawyer way of looking at things, though I am a Roman Law lawyer, I am also an Engineer, and I know all about ASCL.
The law is a game, lawyers play every day, and get paid by result. They understand the Rules, the Research Method, and Area-of-Interest Lawyers understand current precedent ... It takes 5+ years of your life to be any good.
Most advice here is worth what you paid for it, and I don't practice in NORAM so some common sense advice:
1. The school committed both Breach of Contract and a Tort, and the coerced NDA is worthless.
1E. David Treisman -v- University of Essex c 1968 .., UK-QBD asserted that a University, in the Exercise of Disciplinary Powers is a Court of First Instance and must follow the Principles of Natural Justice ... No Coercion, Fair Hearing, Right to Representation.
Though not litigated in Canada, CSC follows English Precedent.
The real issue is competence, cost of setup and Understanding of the Civil Procedure Rules. Cases run by individuals can be fast-tracked, and the most dangerous opponent is a competent litigant acting without representation.
There MUST be a competent local lawyer who will do the action either pro bono or contingent for 5% of the damages.
MFG, omb
My bank has public facing computers. If I were to find and exploit a way to access other people's banking data, I'm pretty sure there'd be hell to pay.
I'm pretty sure the US and UK both have laws that would prevent access beyond your authorization. I'd be astonished if Canada did not have similar legislation.
And yes he probably could have handled it better.
As a developer I'd really rather know if the app that I was developing could possibly be used in ways that it's not supposed to be used. I.e. the discovered vulnerability. He reported the vulnerability, and was told that it had been fixed.
Frankly I want to know for myself if the vulnerability was fixed, rather than just relying on someone else's say so before I release an app that I'm developing that may be used in unexpected and undesirable ways.
That said, the test should have been performed with the oversight of the people responsible for the system being tested. Better it should have been tested against a duplicate of the system as a testing environment, preferably with valid but unrelated data. Then tested against the real data system if the test system passes. Again only with administrative oversight.
Finally, an NDA for such a situation should be worded so that the NDA applies while the reported bug is being patched and has been made available to schools and businesses using the system and a reasonable time following that availability to give the admins time to test and deploy the patched system. Once those events have happened, the NDA should no longer be applicable. After all the vendor has addressed the flaw. Additionally the NDA should have an absolute expiration date giving the vendor the incentive to actually fix the problem.
My other concern with this behavior is that as a developer I expect people reporting that they have fixed the identified problem to ask that the person who reported the problem in the first place follow up and confirm that the flaw is not there any more, and advise them of any other problems that may be detected. That would be an invitation to do exactly what the student did: check the fix and look for other problems.
That said, those are techniques in the open source community. In the closed source community, it wouldn't surprise me if the vendor was OK with fixing the original reported flaw, but didn't want to learn about anything else, and asked the school to watch out for the behavior that might indicate the student was looking for other flaws, rather than seeking them out themselves and fixing them ahead of time.
You never know...
A penetration suite is the equivalent of trying all the door handles as you walk through the parking lot. You don't open the door, you don't sit in it, you just poke it and see if it responds. A little more invasive than just looking through the window at the door locks, but still pretty non-invasive.
Learn to love Alaska
An obvious historical example is the Moors, Al-Andalus.
I'm more worried about Christian theocracy at this point. I'd be worried about the dismantling of science. At least Muslim schools teach evolutionary biology...
Actually there's a lot of other things I'm far more worried about. I'm more worried about dogmatic political ideologies taking over as they do every bit as much harm as theocracy. Muslims are barely a minority, and like I said, I do live integrated with them and for the most part I don't see what the big deal is aside from lots of what ifs and bogeymen.
Last I checked there's been a fair amount of protests throughout Muslim nations in the media over the past while... they're hardly all brain dead dangerous followers... but go ahead, believe they are all the same, believe in your invented bogeyman. You do realize that not too long ago Muslims were actually romanticized, not feared?
"The single biggest problem in communication is the illusion that it has taken place." George Bernard Shaw
...by the company whose software had the bug.
http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html
Not an update - school still behaving like spoiled children.
You never know...
Last year our school gave us laptops with Windows 7 (you may have read about them http://news.slashdot.org/story/09/09/27/0252235/au-government-to-build-unhackable-netbooks). Well needless to say, pretty much everybody got administrator access on the laptops within the first couple months of having them. Most of us got a three day suspension and our laptops wiped. Some were lucky bastards and either didn't get caught or managed to bullshit their way out of it.
What part of "Do not access things you are not authorized to access" do these people not understand?
Here are some non-computer analogies to help people like you (who know nothing about computers) understand:
- You notice the boss left his car door open by mistake, and you inform him so he can close it
- You notice the security at your business has accidentally forgotten to lock the doors at closing time, and you notify them so they can lock it
- You notice your neighbor accidentally left his door open when he went out, so you let him know
In this case, what they should have actually done is thanked him and offered to pay him something, since this kind of security work is actually expensive if you hire someone to do it.
My other UID is three digits.
My bank has public facing computers. If I were to find and exploit a way to access other people's banking data, I'm pretty sure there'd be hell to pay.
I'm pretty sure the US and UK both have laws that would prevent access beyond your authorization. I'd be astonished if Canada did not have similar legislation.
Your bank gets scanned several times an hour (if not several times a minute) by half the blackhats and scriptkiddies of the globe, and nobody in the bank's IT dept. would be dumb enough to bitch about it, because they know it's natural on a public-facing system.
Simply scanning your bank and reporting your findings to them is unlikely to get you in "hell" ... unless you act like a dick about it.
You shouldn't scan them without permission - of course. That is not up for debate. But a scan is not the same as gaining - and indeed exploiting - unauthorized access. The school in question here clearly overreacted.
Regarding legislation, you may be right if the authorities decide to make a case out of it. But then again, they'll make a case out of pretty much anything if they are on a rampage. In the US you'll get your ass thrown in jail and/or fined millions just for violating a TOS. Or face 30 years for copying publicly-available data created with tax dollars (ahemm, Swartz?). The fact that such shit happens in the real world really doesn't make it right.
Defining a "scan" as a "crime" is silly at best. Realistically it is an abuse of power and a danger to a free society.
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
Let me guess. You really didn't RTFA ... did you ... ?
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
Causing embarrassment to a big silverback that can chase you out of the group.
Heh. Would've modded you up if I could. Because that is like the EXACT explanation for what happened in this case.
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
To me, at a guess, it looks like delayed blowback from the vendor that wanted to find an external criminal instead of being accused of negligence. It seems that when it comes to computer security problems, if you don't have a very clear paper trail with every step signed by every stakeholder, then the one most likely to be blamed will use any tiny excuse to stick a stake in you.
I've seen it before, you walk into a building you've never visited before to do something about a hacked machine you've never seen before and the kneejerk reaction of some loud idiot is to blame the guy that is there to do something to fix the problem - and then they make so much noise that you have to provide hard evidence that you didn't cause it before you can actually get some work done. It's as if you need childcare training to deal with people in these situations.
Short of the fantasy of mind reading that comes down to choosing who to trust or not, so I suspect they assumed the worst.
Yeah... while in the rest of the world we are sane, and it's not illegal to check if a door is unlocked, and you most certainly can't kill someone because you think they are trying to break in.
They promised to fix it immediately. Did he promise to trust them on that?
The moral of the story is it's stupid to do things that impact on system performance and embarrass others when they know who you are. It's a silverback asserting dominance by punishing the young gorilla that revealed the silverback is getting old and slow.
It was probably the cost of not having their software licence pulled. A known buggy site would have been seen as better than having the rug pulled out from under them in half an hour.
I wonder who has access to minutes from the meeting where his expulsion was decided? A lot of universities allow staff to have access, unless of course they pull the bullshit "commercial in confidence" trick to cover things that it shouldn't.
The USA has a pretty weird patchwork of legal systems descended from different roots too.
Sometimes it leads to an international-level laughing stock (eg. the highly fractured US electoral system and how it can have weak links like Florida), but I'm sure it mostly works.
Crowbar? To get through an "open door". A better analogy would be a sackload of rats and watching to see if any of them made it through one of the doors.
Either way, this could be seen as checking to see if a promise that was made to him (that it would be fixed ASAP) was kept, and in this case it was not. I wonder if in turn he had promised not to look for more holes. If so it's bad faith all round but he gets to wear all of the consequences.
Almost all religions nominally don't allow other religions to exist. Islam (or at least, the Koran) is critical but sympathetic toward Christians - everyone else is wrong. Modern Christianity is worse as demonstrated by the Crusades from England, McCarthyism in the USA, etc. If Islamic countries are aggressive it's probably because we repeatedly winnowed out the pacific ones. The Romans, Hindus, etc were/are better at accepting multiple religions (an advantage of a polytheistic religion) even though they've persecuted others when they've had the chance (and been persecuted at other times).
Every majority persecutes its minorities to some extent. And this rule is fractal - even within the majority and minority group, there will be many subgroups of different sizes subtly or overtly persecuting one another ad infinitum.
"Everywhere it has taken hold and become dominant it has used that dominance for evil." This statement is ridiculous. Saying things like this makes you look like an uneducated idiot.
IANAL
Canada indeed has a couple laws that would be relevant
Most relevant, The Criminal Code section 342 "Unauthorized use of Computer" http://www.efc.ca/pages/law/cc/cc.342.1.html.
This criminal code section is subject to colour of right, meaning if you have permission from the system owner to perform testing, this section and owning the tools to perform this section become OK. If however you do not have permission, the investigation into this breach could expose other CCofC violations, probably section 430 "Mischief", Section 351 "Possession of Break-in instruments", as well as something from sections 354-360 which are the possession of proceeds of crime sections.
Side note, don't break in using any technique that involves intercepting someone's communications (eavesdropping, man-in-the-middle) as that falls under privacy laws (CCofC 183-196) which are much more strict and can't be waived by the system owner, only by the sender or recipient of the communication.
IANAL, but for this case I would say the first time he found the vulnerability, there was no intent to commit the crime, he stumbled across it. The second time he was checking the other system to see if the flaw was there which seems like an unauthorized use of computer system. If he had asked the system owner (or manufacturer I suppose) if he could perform tests to ensure the flaw in the system would not be made worse by his code or his system would not be affected by the flaw, he would have been on better legal footing.
and once more IANAL
Cheers
Kenny
CCofC = Criminal Code of Canada
IANAL = I Am Not A Lawyer
Except vulnerability testing in the physical world is equally a good thing. You'll find security consultants do exactly that for domestic and commercial property all the time. It leads to "fixes". IT is no different.
The point about gaining authorisation for testing security is to prove that you are bona-fide, before you're caught. If I am caught "testing" a stranger's locked doors in the middle of the night, yes it is a good thing if I find they are being lax about security and tell them. But I may find it difficult convincing police that this was my true intention from the start.
In your world of "bona-fide unauthorized access", any criminal caught attempting to exploit an online vulnerability need only say: "I was testing it, honest" to walk free.
That's not what he did though, he ran a broad spectrum penetration test on the website. That's quite different to verifying that the specific vulnerability he found had been fixed.
Expulsion may be uncalled for, but it's not like he's some blameless victim; he did a foolish thing by doing that without contacting them first.
There is a petition to help this student, asking Dawson to reinstate him, make him whole financially, and apologize.
The student's experience is normal in dictatorial regimes. Increasingly in our country too, those in authority do not like to be called out or held accountable. They work to squash anyone who dares speak out. Universities especially are famous for this kind of behavior.
Bull. A pen test can be very intrusive and either cause a denial of service or corruption. To use your lame example it's more like trying your keys in all the ignitions and if one starts revving the engine to see if it breaks.
If scanning for vulnerabilities in any site, ever, is unethical then the industry is in far worse shape than I thought. He could have done this all day every day and I'd support it. The only reason he got in trouble was he was in easy reach. It was a smart kid doing what smart kids do. Disgusting.
The Crusades were hundreds of years ago.
McCarthyism was about communism and a little about homosexuals. Not much about religion but I am sure a little.
Nobody wants to argue that the Crusades or the Spanish Inquisition were good things. What we do hope is that Christianity has grown out of that.
Society in decent places has. Until Islam does it has no place in decent society.
Thou shalt not point out that the Emperor has no clothes.
Honest! I was just trying to make this mobile app so I had to hack into your system and I found this sloppy code that let me in!
What part of "Do not access things you are not authorized to access" do these people not understand?
I think this is a perfect case for Massachusetts prosecutor Carmen Ortiz. Charge the guy with stealing "Sloppy code worth millions of dollars!" And, by all means, go for that 50 years!
I smell a lawsuit. Ahmed shouldn't take this without a fight.
About 30 years ago I worked on an academic record database for a major university. I too came to the conclusion that the system entailed bad design and "sloppy code" and said something about it. I was fired, asked to leave. Later, I found that the University had lost about $1 million in the effort to implement this system and had to start over from scratch. It taught me about politics and cover up and that they trump sound technology or even competence, and that academic administrations are very political organizations.
He's intelligent and honest, but he's also young and inexperienced. Expulsion was too harsh. He should have had his hand slapped and been warned about running such scans without prior permission. Given how smart he is, I doubt he'd make the same mistake again.
I think identifying the school would invite hackers to target it. Probably not a good idea.
I'm glad my school is a bit more tolerant of these things. They really honor that sort of curiosity, and would commend students for finding problems rather than penalize them. But then again, I doubt MIT makes mistakes like this...
Dawson College is stupid. The next student who finds a flaw isn't going to say a word. What a great recipe for ensuring that all of your security problems remain problematic.
Isn't that how we got Facebook? All the info in the student db was accessible, and so he used it to make a site for commentary?
--- Say something clever. Pretend it was me. Thanks.
for all /. readers to bring the montreal uni website down in a gesture of solidarity for this guy. he didn't deserve to be expelled
Skynet made Omnivox http://www.skytech.com/en/index.sky " We feel that this situation should not prevent such a talented student from doing what he loves most. Just as we are already collaborating with the other student who helped discover the flaw, we will also offer this student to work for us with mandates in IT security in order to allow him to work in the subject area he loves. "
There is an interesting quandary here.
If I walk into a bank I can make a visual inspection to see if they have locks. I can see the vault door, I can see FDIC or the lack of FDIC assertions. I can research the banks financials and research the validity of any insurance claim.
Now can I do an inspection "scan" to make like discoveries. Can I look at the API/ABI and inspect for flaws that my personal expert experiences tell me to look for?
Disclosure is a wildly different tangle. Should you discover a problem and disclose it in confidence to the authorities there should be no consequence. However who is the authority and who should be notified and how. I would assert() that disclosure is a moral obligation that should be PROTECTED by the law. Non-disclosure seems safe up to the point that in the modern data mining world the act of discovery will leave footprints that cannot be erased and would open anyone up to prosecution/persecution should a pre zero day exploit surface.
Above I used the word expert. In my experience a competent novice is most likely to stumble on interesting flaws. They tend to write naive code that triggers bug after bug. Experts tend to write quality code block after block, checking return value, not overloading variables or functions and not employing the last bit of trickery discussed in class.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
Sounds like a class action -- 25,000 John and Jane Does against the company and school for inappropriate management of their data.
Enough to get tuition covered + taxes as well as make the attorney rich.
Kids like this should be cultivated, not expelled.
It's not lost on me that we disrespect young computer programmers while in school and often cause the kind of resentment that results in hacker mischief and evil deeds.
While the debate on limiting guns begins to rage due to people insisting they need guns to protect themselves from thieves and invasion, the disgruntled kids and other countries are slipping into their bank accounts, charge cards and stealing from them. Foreign countries own nearly 40% of our country without having fired a shot.
It is our own extremists, our citizens who are often committing terrorist acts.
We react instead of respond.
We need to protect ourselves and fight back. We need to nurture computer capable kids and guide them to help keep us safe.
Abasing the students with that potential is shortsighted and wrong.
JAF
Assuming that there are no major pieces missing from this report, I think that the school management is simply inexperienced in these sorts of things and treats technology like magic. To them, anyone who'd dare to suggest a flaw (much less demonstrate one) in the holy binary box that is their software is akin to a witch - a creepy hacker who by the power of covenant devil aims to make them look like the fools they really are. ~Forgive them father, for they know not what they do. :P
They could have at least water boarded him a bit to see if he could make up some interesting fake information while they were at it.
If I can break in, it is my responsibility to do so. And then I show them how I did so they can fix it. If they don't fix it - the crime is theirs, not mine.
The truly loyal subject will neither advise nor submit to arbitrary measures.
If, by accident, I discover they are failing to do so and I inform them of the problem, then I have an obligation to myself and all other facebook users to ensure the problem has been corrected.
But does that give you the right to test their site for all other possible vulnerabilities using a penetration tool without asking them?
If a vulnerability scan crashes a system then there really is sloppy coding.
Anonymous could stop DDoS attacks and instead just run a couple of vulnerability scans to take down their opponents. So much easier!
So you're a black hat under the guise of a white hat? "grey hat" hacker?
This doesn't just happen in academia. I was ordered to investigate the security of our software at a company once, because they didn't think I'd find anything. I wrote a confidential 30-page report for the company on a security vulnerability I discovered as part of this task while employed there and presented it to my manager; it exposed a serious flaw. I had found the flaw in only one day. They became upset with me, and they ended my employment a month later. As I was looking for a new job I listed security vulnerability research under my employment section on my LinkedIn for the job. They had H.R. paying attention to my LinkedIn, and then demanded I remove any mention of security vulnerability investigations or they would press charges.
Reading comprehension: F.
The "http://www2.dawsoncollege.qc.ca/phones/" public website
Name / Email Office Local Position / Department
Alexander Simonelis 3F.22 5058 Faculty
Computer Science
Or give him a call 514) 931-8731 ext. 5058.
Thanks to all
Just because he had an Islamic name
What's "Islamic" about the name? If you said "Arabic", now that would be something else...
http://www.thinkbabynames.com/meaning/1/Ahmed
What isn't Islamic about the name?
I think the British had a treaty with Quebec that let them keep their Roman/Civil Law sometime between the end of the 7 Years War & the beginning of the American Revolution.
This is an issue of professional ethics that seems to be sadly lacking. You don't probe somebody else's system without express permission. To do it a second time is clearly deliberate, not an accident.
Here are some non-computer analogies to help people like you (who know nothing about computers) understand:
You notice that there are a couple of thousand cars in a parking lot, and you try to lockpick every single car door, damaging some of them in the process, after you've been told that tampering with car doors in the parking lot is not acceptable behavior and you might lose your right to hang out in this parking lot if you continue.
since this kind of security work is actually expensive if you hire someone to do it.
Script kiddies are actually pretty cheap.
He was not asked to do a vulnerability test, and, like he was warned, there are stiff penalties for attacks. I'm more familiar with US laws on the subject, but would not be surprised for Canada's to be similar.
However, he is apparently not being charged, but being expelled. That is something else entirely. Yes, expulsion may be less severe than pressing criminal charges, but in light of the circumstances it would have been much more appropriate to involve student affairs and have them explain very clearly what was wrong with his actions and what the future consequences will be. To go from praise to expulsion by one event... something should be very extraordinary about that one event.
Sometimes people forget that students are at a university to learn, not to be hammered into obedience or served up as an example. What was the actual harm of running Acunetix against the application? The "it could have crashed" canard is so lame -- anyone can download a vulnerability scanner. If your service or device is so lame that it breaks from a simple scan then you need to know. And not only that, you *will* find out if it is a public facing service or device. No, him running the scanner was not doing them a service, but the line "it could have crashed" is lame at best and more likely FUD.
We've had students do more actual harm (still fairly tenuous) through unethical and probably illegal actions -- referring them to student affairs always helps. Even for the DMCA (where there is some legislated obligation to act) there is a "three strikes" rule -- and expulsion isn't even the end result.
My point is that he was a student and he needed to learn. For example, not to run vulnerability scanners against targets for which you do not have authorization. But this lesson could have been taught without resorting to expulsion.
The Wikipedia entry gives a good breakdown
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
Of course it isn't made up; the Wikipedia entry gives a good breakdown
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
Except that nowhere in the wiki does it state that. So you made it up. Just admit it.
Don't complain about syntax, grammar, or spelling. There is no hell like input on Android.
He was a student there. He was making sure "his" personal info was secure. The college has a responsibility to make sure the info they collect from paying students is secure.
Before you get upset about this, you should know that he has been offered a job at the very company making the software he exploited. http://news.nationalpost.com/2013/01/22/student-expelled-after-he-discovered-flaw-in-schools-data-security-was-warned-twice-college-says/
Does anyone know the name of this company? Is there a reason we are not naming and shaming this CEO?
Hey! You want ALL people to be equally trusted on mere word agreements! Savvy ones know when to let be; pros, gurus, sherpas, gods and nirvanas know when and how to close the hole. But noobies, newbies and novices fall into the holes right away! Did he test the hole? Mmh? We know that his chore as programmer would be not to propagate the hole and have it closed in his application. That's business as usual in programming and every day tasks, or, how to say it? PROGRAMMING is to do SOMETHING with those platform defects, in fact. djb
Verification word: shipped. Do these verification words inspect what you comment in real time and choose a meaningful word? Neat, eh?