Slashdot Mirror

← Back to Stories (view on slashdot.org)

Student Expelled From Montreal College For Finding "Sloppy Coding"

Posted by samzenpus on from the this-is-not-the-code-you-are-looking-for dept.

innocent_white_lamb writes "In what appears to be a more-and-more common occurrence, Ahmed Al-Khabez has been expelled from Dawson College in Montreal after he discovered a flaw in the software that the college (and apparently all other colleges across Quebec) uses to track student information. His original intention was to write a mobile app to allow students to access their college account more easily, but during the development of his app he discovered 'sloppy coding' that would allow anyone to access all of the information that the system contains about any student. He was initially ordered to sign a non-disclosure agreement stating that he would never talk about the flaw that he discovered, and he was expelled from the college shortly afterward."

4 of 633 comments (clear)

  1. Under duress? by MillerHighLife21 · · Score: 5, Interesting

    Aren't there laws which invalidate contracts signed under duress anyway? I thought I remembered reading that somewhere.

    --
    "Don't teach a man to fish, feed yourself. He's a grown man. Fishing's not that hard." - Ron Swanson
  2. I found something a little bit like this by Anonymous Coward · · Score: 5, Interesting

    When I was a CS student I discovered a flaw in the program we used to turn in assignments. The flaw allowed access to the code anyone had turned in for an assignment. I however elected to anonymously inform the CS dept about the problem. Glad I did. I found out they searched and searched trying to figure out who I was so they could kick me out. Sometimes it is better just to be an Anonymous Coward.

  3. Re:Time to go to the press... by Skapare · · Score: 5, Interesting

    These (school administrator) are actually "failed politicians". It's even worse when the school is a lower level like a high school. I've seen this problem rampant at the majority of schools I've had to deal with (mostly because of obvious network security issues already exploited by someone else). Politicians are people that like to gain power at the expense of others. But in the case of school administrators, they are just weaker people that have to seek a weaker pool of victims. But let me add that this is NOT 100%. I have met many school administrators who are not at all like that (one of whom actually went into politics later on). It's about 30% good, 70% bad, from my experience.

    --
    now we need to go OSS in diesel cars
  4. Re:Time to go to the press... by Anonymous Coward · · Score: 5, Interesting

    Did they? The part I am surprised at the most is that 14 out of 15 CS professors voted to expel him. I suspect there is more to this story and we're only getting the kid's side. I find it hard to believe they voted to expel a kid without knowing his side of it. The summary also makes it sound like the people trying to get him to sign an NDA (the company) were the same people who expelled him (the 15 profs on the committee at the college) -- this is clearly not the case.

    Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.

    “It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack.

    Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour. Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty. He appealed his expulsion to the academic dean and even director-general Richard Filion. Both denied the appeal, leaving him in academic limbo.

    The whole thing seems to imply a conspiracy between the college and company to throw him under the proverbial bus. But now conspiracy seems to involve 15 or more people at the college. And for what? Good discounts on software? Saving face? Doesn't appear they saved much face here. And I doubt all these professors were thinking about the financials of the college.

    It also doesn't makes much sense from a PR standpoint to kick a dog that's already down. If they already had an NDA, why would the company want him expelled? Nevertheless, I have no doubts that this company acted irrationally and possibly intimidated him. How did the CEO know to call this kid moments after he tried using Acunetix? Obviously someone or something was watching the logs. And sadly it is far from unheard-of for companies to overreact when someone tells them about a vulnerability on their system.

    However, that doesn't explain why the kid decided to run some general vulnerability testing software within 2 days notice to the company about the 'sloppy coding'. Now, I wouldn't call it a "cyber attack", but this kid was poking the company with a stick to see what shook loose. At this point his claimed honest intentions seem less clear to me. It could be he didn't know any better, or it could be he was looking for something more, or a mixture of the two. But this doesn't seem like the action of someone testing a vulnerability they found. It seems like someone doing "percussive" testing

    Still, I can't imagine the school voted to expel him based on the info provided in TFA. There is a missing piece to this puzzle.