Slashdot Mirror
Student Expelled From Montreal College For Finding "Sloppy Coding"
innocent_white_lamb writes "In what appears to be a more-and-more common occurrence, Ahmed Al-Khabez has been expelled from Dawson College in Montreal after he discovered a flaw in the software that the college (and apparently all other colleges across Quebec) uses to track student information. His original intention was to write a mobile app to allow students to access their college account more easily, but during the development of his app he discovered 'sloppy coding' that would allow anyone to access all of the information that the system contains about any student. He was initially ordered to sign a non-disclosure agreement stating that he would never talk about the flaw that he discovered, and he was expelled from the college shortly afterward."
Aren't there laws which invalidate contracts signed under duress anyway? I thought I remembered reading that somewhere.
"Don't teach a man to fish, feed yourself. He's a grown man. Fishing's not that hard." - Ron Swanson
When I was a CS student I discovered a flaw in the program we used to turn in assignments. The flaw allowed access to the code anyone had turned in for an assignment. I however elected to anonymously inform the CS dept about the problem. Glad I did. I found out they searched and searched trying to figure out who I was so they could kick me out. Sometimes it is better just to be an Anonymous Coward.
So you rely primarily on security thru obscurity and hope that genuine bad guys would never scan you? That's pretty scary.
The funniest part is I've been putting up with scans/etc since the early 90s and it doesn't take long to figure out that almost all of them come from compromised systems, usually from another country. A local guy easily traced almost by definition is on your side, because a real bad guy would be coming from a rooted machine in .cn or something essentially untraceable like that. In other words if you can find and talk to the guy in "minutes" as per the story, he's probably on your side or at worse is a hopeless noob script kiddie who's no more harmful or harmless than the other one million kiddies out there, so there's no sense messing with him.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
These (school administrator) are actually "failed politicians". It's even worse when the school is a lower level like a high school. I've seen this problem rampant at the majority of schools I've had to deal with (mostly because of obvious network security issues already exploited by someone else). Politicians are people that like to gain power at the expense of others. But in the case of school administrators, they are just weaker people that have to seek a weaker pool of victims. But let me add that this is NOT 100%. I have met many school administrators who are not at all like that (one of whom actually went into politics later on). It's about 30% good, 70% bad, from my experience.
now we need to go OSS in diesel cars
Did they? The part I am surprised at the most is that 14 out of 15 CS professors voted to expel him. I suspect there is more to this story and we're only getting the kid's side. I find it hard to believe they voted to expel a kid without knowing his side of it. The summary also makes it sound like the people trying to get him to sign an NDA (the company) were the same people who expelled him (the 15 profs on the committee at the college) -- this is clearly not the case.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack.
Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour. Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty. He appealed his expulsion to the academic dean and even director-general Richard Filion. Both denied the appeal, leaving him in academic limbo.
The whole thing seems to imply a conspiracy between the college and company to throw him under the proverbial bus. But now conspiracy seems to involve 15 or more people at the college. And for what? Good discounts on software? Saving face? Doesn't appear they saved much face here. And I doubt all these professors were thinking about the financials of the college.
It also doesn't makes much sense from a PR standpoint to kick a dog that's already down. If they already had an NDA, why would the company want him expelled? Nevertheless, I have no doubts that this company acted irrationally and possibly intimidated him. How did the CEO know to call this kid moments after he tried using Acunetix? Obviously someone or something was watching the logs. And sadly it is far from unheard-of for companies to overreact when someone tells them about a vulnerability on their system.
However, that doesn't explain why the kid decided to run some general vulnerability testing software within 2 days notice to the company about the 'sloppy coding'. Now, I wouldn't call it a "cyber attack", but this kid was poking the company with a stick to see what shook loose. At this point his claimed honest intentions seem less clear to me. It could be he didn't know any better, or it could be he was looking for something more, or a mixture of the two. But this doesn't seem like the action of someone testing a vulnerability they found. It seems like someone doing "percussive" testing
Still, I can't imagine the school voted to expel him based on the info provided in TFA. There is a missing piece to this puzzle.
By not co-ordinating his follow-up testing with anyone (the vendor, the school, etc.) he was caught exploiting a known weakness in the software.
He had no responsibility or right to attack the software a second time, call it "testing" if you like, he choose to attack the software using the exact same exploit he warned them about earlier.
It wasn't his job to "test" their fix.
14 out of 15 professors choose to expel this student - a student who claims to have been "acing all his classes" - there just might be more to the story than this student is sharing with the reporter...
Ken
Yes that's my point, there is too much traffic of that nature "out on the real inet" to bother with UNLESS you're using specific rules to filter just to "get" one guy.
Its a bit spammy, like reporting everyone who looked at your front door as a potential burglar. That might even work in the deepest back hills of Montana 200 miles from the nearest city. But the internet hasn't been like that since the early 90s, maybe earlier, so its like being on a busy Manhattan street and reporting every passerby who glances at your front office door as a crook.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
The rule here is to never sign NDA in this case. Go public and burn the company in question with the media. Threatening people with jail when they discover a exploit in software is counter-active and just plain stupid. The president of Skytech clearly doesn't understand software or computers in general. In fact. I am sure that he is just plain capital asshole as you can find them in companies everywhere.
Speaking of High School...I was once threatened with expulsion, had to file a police report, and have my mom come in to talk to the principal because I downloaded public-domain clips of police chases for a report at school. My teacher saw them one day and approved it, and then the next had me taken in for breaching the computer/internet access policy we all had to sign. I had to explain that, due to the loose language of "you may not download any content to school computers" that they should immediately disconnect every computer from the internet, or at least forbid browsing, as every page view "downloads" data to the computer, thus making EVERY user of the internet in the entire district in violation of the policy. Plus it put them in a bind that the teacher saw exactly what I was doing and did nothing about it until another student found the videos the next morning.
They thought they had a computer hacker on their hands and treated me as such. Too bad when we did start testing the network for holes - we found plenty and kept our mouths shut and our found holes open.