Student Expelled From Montreal College For Finding "Sloppy Coding"
innocent_white_lamb writes "In what appears to be a more-and-more common occurrence, Ahmed Al-Khabez has been expelled from Dawson College in Montreal after he discovered a flaw in the software that the college (and apparently all other colleges across Quebec) uses to track student information. His original intention was to write a mobile app to allow students to access their college account more easily, but during the development of his app he discovered 'sloppy coding' that would allow anyone to access all of the information that the system contains about any student. He was initially ordered to sign a non-disclosure agreement stating that he would never talk about the flaw that he discovered, and he was expelled from the college shortly afterward."
Troublist!
Just because he had an Islamic name they thought he was more than a college student trying to make things easier for students in general. He did the right thing, reporting the flaw, and this is what happens? The administration are idiots.
All problems can be solved by personally punishing someone in an unrelated fashion to their crime, rather than simply fixing the problem.
...and report on exactly how this flaw works, and what its implications are.
The college system turned a friend or at least a neutral party into an enemy. They should expect any and all damage that he can inflict on the administrators at the top that were foolish enough to support the actions taken against the student.
Do not look into laser with remaining eye.
I'd covertly publish the flaw + a ready-to-use exploit everywhere and let chaos ensue.
So, go to an internet cafe and set it free. They fucked you, so fuck them back.
Outside vendor freaked out and it's easier for the school to take the easy way out and kick him out than it is to help him.
"He told me that I could go to jail for six to twelve months for what I had just done and if I didnâ(TM)t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement."
You're an idiot. You signed something under threat of prison / arrest without bothering to consult a lawyer. No amount of mention of poverty, trust, or even just plain intimidation should have made you do such a thing without first consulting a lawyer.
And, as such, your legal position is not significantly weakened because, by talking to the media, you've BREACHED that non-disclosure agreement that you voluntarily signed and would now have to prove duress in a court to invalidate that.
You're an idiot. Don't sign anything, and if you do abide by what you sign. If they threaten you with police if you DON'T sign anything, pick up the phone and call the police (or lawyer) yourself. Duress to sign a contract is extremely important. Signing an NDA (of all things) "voluntarily" and then claiming it was done under duress in a public statement (that mentions the NDA you've just agreed you won't mention) is idiotic. Call a lawyer: it's the ONLY sensible option at that point.
And if you'd done that? Sure, it would have cost you a few hundred to get them in, but there's no way on earth that you'd be where you are now (i.e. having to hire lawyers to get back into school, for instance). In fact, likely the matter would all quickly become a "misunderstanding" that was hastily swept up out of the press.
You're an idiot. All you've done is shown a court that what you did was so grey-area that you'd rather hastily sign a contract than have the police look into it, and then you've gone and broken that exact contract, and admitted doing just that in the most public way possible.
Do whistleblower laws cover this? And what was the scope of his work?
sounds like he found something and they did not want to fix it or the cost to fix was high / a hole like that will lead to a fine.
Why would you run vulnerability scanner software on a remote network from your home IP!? Sounds to me like he found a flaw, got overzealous and got permabanned.
did you forget to take your meds?
Go visit the Facebook page and any other social media page. Send them what you think of the situation.
Expelled for trying to hack the site a second time, not for notifying them of his first hack. Summary is technically true, but still a deception.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected.
Seriously, don't run Acunetix or Retina scans or whatever on other people's systems. It looks like you are probing for vulnerabilities because, well, that's exactly what it's doing.
And if I'm a sys-admin, I'm going to see that and think you're an attacker. From my point of view, you've just cased the joint. That's what I'm going to report up, and from there everything gets ugly.
And this is a couple of days after some other big IT personality gave a speech at the funeral stating he could have been gone the same way as Aaron Swartz if he would have been punished the same way during his hacking and exploring days during college.
Sad.
I know, this is Slashdot, but I still read the article.
And I still don't agree with him getting expelled, but the reason was not discovering/disclosing the flaw; he got in hot water when afterwards he tested if the flaw was still there, and the company developing the software reported the hacking attempt.
It was still a big overreaction that happened afterwards, and he shouldn't have been expelled, but it's not the discovering/reporting of the flaw that got him in trouble, and the article clearly states this!
All of the other students in the CS department should drop all their CS classes and change their major. Put the 14 idiot professors out of work and kill the whole department - then maybe, just maybe, this sort of authoritarian bullshit has a chance of stopping. The norm is on its way to becoming: "You graduated from college? Sorry, we're looking for someone who can think independently."
Aren't there laws which invalidate contracts signed under duress anyway? I thought I remembered reading that somewhere.
"Don't teach a man to fish, feed yourself. He's a grown man. Fishing's not that hard." - Ron Swanson
Shooting the messenger does nothing to solve the underlying problem. Thanks to the fourth estate and the Streisand effect, shooting the messenger is likely to get you more attention, not less.
Techs everywhere need to learn this important lesson: Never Sign Anything unless you are also offered, on the same piece of paper, a guarantee of what you receive in return. You get no prize money for signing an NDA or DNC. If you ask for it, you will get 1) a job, 2) some cash, 3) some action not taken. You can ask for nothing, but you will get the exact opposite - penalized or harmed. Your goal is to sign something such that if what you are offered is not fulfilled, the NDA is broken.
As it stands, asking someone to sign an NDA and not offering a guarantee of something in return is already suspect and can be fought. You had an expectation that you wouldn't get expelled, or that you would get a free education, or something else of benefit to you. People need to learn that colleges, Lance Armstrongs and corporations all act the same way. You will get screwed if and when there is an opportunity to screw you. And you will go broke defending what is right. Few will care.
Don't Sign without Something in Return (DSSR)!
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
By coincidence I was listening to "The Lost Art of Keeping a Secret" by Queens of the Stone Age when I found this story atop /. this morning. How apropos.
DO NOT QUESTION AUTHORITY. This is what happens when you exhibit independent thought..
Give him a break. Perhaps he was too naive of people's goodwill. However, seeing that he was cornered, talking to the press and appealing to the public opinion is his only way out, and hopefully a more progressive university will take on his cause. Going public is the only way to "clear" his name - Google search news articles vs. tainted academic transcript.
Burglars also tend to find sloppy locking. So, will they get a get-out-of-jail card?
By the story linked, he wasn't expelled for finding a software flaw, he was expelled for running a vulnerability scanner against their network.
Everything with finding the flaw seems to have gone fine. He found the flaw while working to develop an app, he did nothing wrong, and it seems like he got kudos for it, not any sort of harassment at all.
Then he started using a vulnerability scanner on their network. You never do this without an arrangement (i.e. a pen testing contract). Never ever ever. It's illegal for one, it definitely can disrupt systems, and it sends up all kinds of red flags.
On the other hand, no one told me those things in college; they were part of my job training post-college. When I was at school, there were no 'ethical hacking' classes that let you know what is and is not illegal to do as part of vulnerability research. So I doubt very much the kid had any idea what was going wrong. Hell, I know now that most big universities get crazy-angry if you do anything that even looks like an attack over them... but no one told me that in college when I was actually using those networks.
The company took a rather strong wording but soft action: they elected not to pursue anything past getting him to sign an NDA. They didn't ask the school to expel him; the school did that entirely on their own. The student clearly doesn't understand why he was expelled, either. At least not by his quotes in the story (he's sure it's trying to cover up the flaws; in reality it's almost certainly because he ran what is considered a cyber attack across a university network, very illegal and very likely to piss off the administration).
Obviously he shouldn't have been expelled; he did not act with malice, and clearly still doesn't know the legal boundaries. What this tells me is it's long past time to start coupling your computer science 101 class with a cyber ethics and law 101 class. While anyone who works for a pen testing company can immediately see where things went bad, his actions make perfect sense from the perspective of a college student.
When I was a CS student I discovered a flaw in the program we used to turn in assignments. The flaw allowed access to the code anyone had turned in for an assignment. I however elected to anonymously inform the CS dept about the problem. Glad I did. I found out they searched and searched trying to figure out who I was so they could kick me out. Sometimes it is better just to be an Anonymous Coward.
Specifically, he broke the First Law of Insiders Reporting Security Violations, which is that he let someone know who he was.
History has shown beyond a doubt that if you're reporting a security violation to some entity, the only time it's safe to do it "in the clear" is when that entity obviously has no power over you. Otherwise, you have to protect yourself.
He didn't, and everything follows from that mistake.
Log in or piss off.
Time to DoS the school in question.
That will improve things. Or not. How supposedly smart people can make such a fundamental beginner's mistake is beyond me.
I do understand what motivated the student though: He seems to be one of these very valuable individuals that try to solve problems when they see them. Unfortunately, "modern" administrations are so in love with their misconceptions that they cannot stand the type.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I wonder, does the flaw cover staff and faculty information?
Use the exploit to expose their personal details. That'll convince them to hurry up and fix the problem.
Ahmed Al-Khabaz started off doing the correct thing by alerting the university (who then escalated it to the vendor) about the security hole. The vendor said they would fix it and as far as I can tell did not give any further information to the finder of the hole, who also had personal information hosted on the service. The company should have given him updates and told him when it was fixed. It would even be beneficial for them if they got him to run the exploit from his location, given that he had discovered it and clearly wanted it fixed.
The use of an NDA seemed appropriate though, as he had access to confidential information of other users, and I understand the company needed time to patch this before the exploit was released into the wild. The NDA should have allowed him to speak to some defined people, namely some representative of the university, and work with them to get this problem fixed. Up to this point everything seems to be going how it should.
After this all parties seem to make mistakes. First, Al-Khabaz should not have just re-run the exploit, as he should have first sought permission; if permission was not given he should have reported the situation to the university, who should have gotten proof that the hole was patched, including the ability to do independent verification (which the university could have got Al-Khabaz to do, possibly for a nominal fee).
The next mistake was the choice of Skytech to come down so heavy-handed; they seem to have gone all out defensive rather than looked for a sensible way around it. Maybe they could have offered Al-Khabaz a short period of [pro-bono] work pen-testing that he could put on his CV. Students need these mentions, and the company could have dealt with what is a PR disaster and helped a student with their future career with next to no outlay by being a bit more cooperative rather than throwing legal threats around.
Oh, and I know that there are people who are against students doing work for free in exchange for being able to write something on their resume, but this is a fact of life now, although a nominal charge of $100 for the test and a simple report documenting what he had done and that the hole had been fixed would seem acceptable as well.
Most Damage is done by people who are AWAKE
Next time just do sell the exploit on the black market.
Wow, a post that fully justifies using AC. Would it be safe to at least identify this school of mostly incompetent faculty?
now we need to go OSS in diesel cars
A student in the middle of a business venture would be quite lucky to have a few hundred available. I know I didn't. The disadvantage poverty creates within civil law is insurmountable unless the potential damages are sufficiently juicy to draw in a shark willing to work with no fee. I wouldn't have signed, sure, but expecting him to be able to afford a lawyer is unreasonable.
Now you are right though, all he can do having already stepped outside the law, is get even (hopefully without harming the other student's privacy), or lick his wounds.
refactor the law, its bloated, confusing and unmaintainable.
Had a larger post but it got eaten.
Obviously the school's problem was the vulnerability scanner he ran later to 'check on the flaw', not his finding the flaw during app development.
And anyone who works in pen testing knows it's illegal to do that. But did he? It doesn't sound like it in the slightest.
We need a cyber ethics/law 101 to go with comp sci 101 these days; we can't ethically hold people accountable for laws they don't know; ignorance of the law may not be an excuse, but cyber law is more complex. You can avoid breaking almost all enforced regular laws by not stealing, following vehicle instructions (speed limits, etc) and not hurting other people, but on networks some things are illegal you might not expect to be illegal.
We introduce college kids to all sorts of concepts and tools, and wait until AFTER college at job training to tell them "oh by the way running this over someone else's network without written permission is illegal". Not every CS student gets a pen testing internship during college, but I'd wager most CS students get exposed to network vulnerability tools.
An Idiot? To trust senior staff at a teaching institution?
Naive perhaps.
Too trusting maybe.
But an Idiot?
I'd rather live in his worldview than yours.
He should hold them at ransom in signing the agreement....
Every person has a duty to inform themselves of all laws under which they live. That is accepted common law going back to the dawn of civilization.
That our system of laws has become too complex and far-reaching for that to be even possible is the voters' fault, since they are the ones who choose those who make those laws.
If you want a simple law structure that everyone can live with, elect people who will put that structure in place - not the nanny statists who promise to take care of you so you don't have to.
This might be one side of the picture. Let's see what the college administration says about this.
How "common" is this? How common is it for college students to find security flaws in the code that schools run, and to be expelled for uncovering it? That isn't even what happened here:
He was expelled for his "testing" of the breach after he told the administration and the software company about the security flaw.
He was not expelled for finding the security flaw, he was expelled for running what was a well-intentioned "attack" on the software he identified the flaw in. If he had co-ordinated with the software vendor there would have been no issue. Of course, the only way you'd know that is by reading the linked-to article - I wonder why the headline author didn't do that?
Ken
Traditional college fails at tech this is why we need more tech schools / IT & tech apprenticeships.
This seems a lot like other cases of big-name schools using outside people for the tech and then the students take the heat for finding bugs in the system.
I think it's the higher ups who don't get tech and maybe even the theory based classes that poorly cover stuff like this.
...when I read the title. I'm from Montreal, currently studying on exchange overseas. A few months back a friend of mine was telling me about an app him and some friends in a club at Dawson College were writing. I know a few of the guys personally because I was at some party with them back in September and I had heard a bit about how the project was going in the months following. All this to say, the story is complete bullshit.
Apparently, the school had originally offered to share some info that would help the guys making the app, but, coincidentally some company started developing something around the same time that was along the same lines so Dawson reneged on the deal. FTA:
Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software
The story goes, according to my friend, as such. Apparently, the programmer and one of the other guys decided they were just going to take the info, which was easy to do since Omnivox is such a terrible system, by breaking in. While doing this, they discovered the flaw and used it as leverage once the school noticed they had accessed the system and approached them. The other friend played innocent and the programmer got the flak for it, eventually being expelled.
This was by no means a white hacking deal. Also, these guys have been exploiting Dawson's system for a while to print for free and other such things.
It's interesting how many articles like this we get on slashdot. Just makes me wonder how easy it is to skew a story a certain way regarding a subject like programming which so many people know nothing about. If they found something, what were they doing looking in the first place? Well, sometimes people are just dicking around or curiously looking at how bad a system is, but sometimes they are - like in this case - breaking in to steal specific information for personal gain.
The lesson to be learned here is: If you're in college and someone threatens you with any sort of legal action, don't say a word, just walk out, and walk straight into a lawyer's office. Immediately. While I was in college I got sued/fined/thrown out of different places so many times I've lost count. The college and college police think they are the law and use their power to manipulate and harass students they don't like.
I once had the police looking for me for 3 months to ticket me for lighting some firecrackers on New Year's at 2am. It was a ridiculous cat and mouse game, and they refused to give up. Finally they "caught" me and gave me a ticket. It went to trial, for God's sake. The city paid for eyewitnesses to testify and everything. It was a $100 fine and I won the case. It probably cost the city tens of thousands of dollars to screw with me for about 6 months. In the end, on the way out, I patted the DA on the shoulder and said "See ya next New Year's!" and he laughed. What a joke.
Get a lawyer, and get one fast. Don't sign anything, don't talk to anyone. They will do anything to win. Including show up at parties, undercover, asking where you're at. Or sending you tickets via registered mail. Just get a lawyer and be done with it.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
So he reports a flaw in the software and then two days later IT detects a possible surface attack on the website which turns out to be him using software that finds other exploits. Seems to me like the student is a moron.
Sorry dude welcome to the real world of consequence.
Lesson Learned - don't report the security holes you discover. Apparently it would have just been better to exploit or sell it.
Should read:
"Student expelled from Montreal University after repeatedly attempting to hack into their systems"
It's funny because you fucking nerds KNOW that reporting a security flaw you discovered will usually get you attacked by all the resources of the entity in question. There are very few if not zero exceptions to this. But your constant burning desire to demonstrate how smart you are gets the better of you.
I reported a security flaw in high school to the network admin and had my computer privileges revoked. All stories similar to this end the same. I just HAD to report it, not because I was doing the right thing, but because I wanted to prove how smart I was. And you all know that's exactly why you say anything at all.
Nerds are so fucking naive.
Or do you think it is illegal to try to force your window to see if the new latch is secure?
In the private sector he would have been fired for breaking the acceptable use policy of the network.
People around here always seem to forget that many of the submitters lack the ability to correctly interpret what they read, so article summaries are often quite misleading. I was just about to comment that things may not at all be what they seem, when I read your post. Thanks for that. I have lost count of how many times an article will say something and the submitter will come to the exact opposite conclusion of the point that the article is trying to make.
Do both. Absolutely, do both. You have recorded their consent to recording, and you've recorded them erasing the evidence.
That's one of the dumbest things I have heard. Oops, you found a hole and pointed it out, you're expelled.
IT / tech schools do a better job there; CS is more on the programming / high-level design.
This is more of an IT / sysadmin / networking issue, and most CS classes fail to teach that part the right way or just cover it in a very top-level way that may tell you about the tools but not how to deal with their outputs / where the hole came from.
When I was in college I discovered that the university was unknowingly showing registration passwords on their LDAP server (you could only view this through an LDAP browser).
I brought it to their attention. They made me promise not to tell anyone while they were fixing it (no actual non-disclosure document was signed).
Once they had it fixed they called me and a friend who also noticed the issue into the IT office, and offered us paid internships. I already had an internship, but it was a nice gesture.
He wasn't expelled for uncovering a software flaw. He was expelled for continuing to exploit it two days after he made the report.
Who bought the third party software with the security flaw? What, if anything, was their relationship to the vendor?
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
I remember finding a similar security flaw in the printing system of Waterloo University that would kick the system into some administrator mode full of everyone's usernames and passwords.
Troll is not a replacement for I disagree.
What really happened is that a student actively probed the servers of the company that hosted the software. Whether or not this should be punishable, is certainly debatable, but don't make it sound like all he did was find a bug.
The first thing he did was appropriate... reporting the flaw to his IT/Infosec management. 2nd thing was what he did wrong.
That is actually quite a non-trivial security concern called horizontal privilege escalation that carries a high risk. They should get that fixed asap and do a little forensics to see if it's being actively exploited. A penetration test would help.
Nice try. But it wasn't his window he was trying to force.
That made him sign the NDA
Well that's fine message to send to young people. If you find a security flaw don't report it or you will be punished.
The software company was made to look incompetent and was then expected to spend their own money fixing the problem. I would not be surprised if they were out to get him from the moment they were told. Tell him about the progress? You've never worked in a software company, have you?
"Any sufficiently technical expert is indistinguishable from a witch"
--Robert David Graham
Well, all I can say is that Dawson College is a backward place that hasn't a clue how to deal with computer issues.... My guess is that people go there to study theology or other non-subjects.
It seems a big issue that the NDA was supposedly signed under duress. To me duress is something like "sign this or we will burn down your house". In this case it is more like "Given that you have now started to illegally use hacking software we are concerned that you will spread this information to others who will cause bigger issues. As a consequence of your illegal action and to protect ourselves we require you to sign this NDA. Failure to sign it shows inclination to spread this information, therefore we will have to bring your actions to the police if you do not sign it". To me that is not duress as it is direct consequences of Al-Khabez's actions.
The stupidity of this story is that it is a bright person who has few social skills. Sure he was praised for finding the bug. Then he just had to test it two days later. I can just hear the thoughts going through the president of Skytech's mind: "It's great that you found the flaw, but run a hacking suite on our servers and your ass is grass." Ever hear of poking the bear? Skytech is probably a little sensitive that a major flaw was found. Now you look for more when that is probably what they are already doing? And only after two days? I guess the college student doesn't understand enterprise-level software releases, as it can take more than a couple of days to get a fix into the field. There are testing and scheduling to be concerned with. Had Al-Khabez waited a month and tested just the vulnerability he found I doubt there would have been an issue. Instead he ran a hacker suite after two days.
Honest! I was just trying to make this mobile app so I had to hack into your system and I found this sloppy code that let me in!
What part of "Do not access things you are not authorized to access" do these people not understand?
I find it comforting that the Canadians are a corrupt bunch of scum-bags, just like us.
According to the law in Iraq, Saddam was illegally targeted by terrorists (the USA/UK).
According to the Crown, the Founding Fathers broke the law and formed insurrection to the crown.
According to Soviet Law, the defectors to the USA broke the law they agreed to.
According to Saudi law, Google are breaking the law by allowing anti-Muslim screed to be read by people on the internet.
Perfect analogy. Mod parent up please.
not just incompetent, apparently also malicious and power-mad, if the OP's story is to be believed.
Like many quality companies in the world, there are quality universities that do not apply a strictly paper-based filter on all applicants before further consideration. That kind of screening is effective, but it can lead to a lot of undesirable false negatives.
The kid seems bright enough (his understanding of the law notwithstanding) that he could probably hack it at a place like MIT or Stanford. Get the hell away from Dawson.
Seriously, anyone in the Montreal area ought to snap his talent up!
This could have happened to me. I found a flaw in my school's grading software (which I'll disclose here because hey, I'm kind of proud that 8th-grade me found it):
Grades were not managed by a single system, per se. Every teacher had a copy of a piece of software. This software would take grades in and spit HTML out, calculating percentages and so on. These html pages were then purposefully exposed to the world on the school's web server. The structure looked like this:
- login.html
-------grades/
-------------gradesPersonA.html
-------------gradesPersonB.html
So: how were these html pages protected? Actually, the method was pretty clever and would work most of the time on a properly configured web server. The individual grade files were not named something easily guessable. In fact, they weren't guessable at all. Everyone had a password; the login html page would take the username and password, run a hash function on both, and redirect you to hash(username+password).html. As long as you didn't have the password, you couldn't even find the html file without brute-forcing it (and they were pretty long hashes).
However. This all falls apart if there's no index.html file in /grades/ and the web server is configured to generate directory listings. Just navigate to /grades/ and there they all are! Some teachers seemed to have a blank index.html file, and some didn't (I suppose they might have been using different versions of the software).
I decided to take matters into my own hands (yes, I was an idiot. I was 14, what do you expect). I had been granted access to a small chunk of the webserver for php experiments by a teacher. I quickly discovered I had read access to most of the web server (including lots of files teachers had stuck up there, not for public use, and just protected by being named obscurely) and write access to large chunks, including the root.
Being, as I said, an idiot, I dropped a .htaccess file into the root that was supposed to disable directory listings and close the hole.
It was extremely successful. So successful, in fact, you couldn't access the login.html page; you couldn't access the grade pages; you couldn't access ANY PAGE AT ALL on the entire district web server. Including my folder, so I had effectively locked myself out along with everyone else.
Fuckfuckfuckfuckfuck.
I call my teacher over, explain the problem, he gets on the phone to the school's IT department, they remove the malformed .htaccess file, everything's back to normal, I get a short talking-to, and it goes no further. I've never done anything similarly stupid since.
(oh, and fun hack: my school's computers were locked down using a piece of software that basically rootkits the system and redirects writes to disk into a ramdisk, transparently, so on shutdown every change is wiped away clean. This works great unless you disable the rootkit. Which you can't do, of course, because as long as the rootkit is running, you can delete it all you like and it comes back on reboot. So you boot into a liveCD (the BIOS isn't locked, what a surprise), rename an important data file, reboot into Windows, make all the changes you like, and then restore the data file. BAM. Not only have your changes stuck, but they'll stick NO MATTER WHAT ANYONE DOES, because the system's locked down! Never did anything more than prove I could (and never told anyone at the school), but holy crap could I have gotten in trouble if I had.)
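The fix the commenter above was reaching for, written out as an added example (this is not the commenter's actual .htaccess): an Apache .htaccess scoped to the grades/ directory that turns off directory listings, with the per-directory setting that created the hole shown for contrast and a note on why a root-level file can take the whole server down. It assumes Apache httpd with `AllowOverride Options` (or `All`) granted for that directory.

```apache
# Added example, not the original file from the comment.
# Put this in grades/, NOT in the document root, so its effect is limited
# to the pages whose only protection is an unguessable file name.

# The hole, as a per-directory setting (the state some teachers'
# directories were in: no index.html, and autoindex allowed to run):
#   Options +Indexes

# The fix: with index generation off, a request for /grades/ returns
# 403 Forbidden instead of a listing of every hash(username+password).html.
Options -Indexes

# Why a root .htaccess can break everything:
# .htaccess directives apply to their own directory and every subdirectory,
# so a file in the document root governs login.html, grades/, the PHP
# sandbox and all the rest. Apache also refuses to serve ANY request under a
# directory whose .htaccess it cannot parse or is not permitted to honour.
# Either line below, in a root .htaccess on a vhost configured with
# "AllowOverride None" (or an AllowOverride list without Options), yields
# "500 Internal Server Error" for every URL on the server, which matches the
# "couldn't access ANY PAGE AT ALL" symptom described above:
#
#   Options -Indexes   # not allowed by AllowOverride -> 500 site-wide
#   Optoins -Indexes   # typo, unknown directive     -> 500 site-wide
#
# Before assuming the hole is closed, check the server's error_log for
# "Options not allowed here" or "Invalid command", and confirm that
# /grades/ now returns 403 rather than a listing.
```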
I miss when mods were more strict about modding down an entire branch of comments like this as off topic, regardless of the opinion. YOU ARE OFF TOPIC. please STFU.
Since his personal info is in this system, it is indeed his "window".
Write "This was written under duress and I do not agree that by signing it I forfeit any rights I have in law", and then sign it.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
Now kill yourself! Do it! Do it! Become a martyr. Do it!
It is 100% illegal for you to try and force the latch on my window, just to make sure the new one is secure. Also, depending on jurisdiction, that might be considered legal justification for me to use lethal force to protect my home. I strongly advise that you DO NOT try that in Texas.
Try not to take me more seriously than I take myself.
What the heck! I've been using MS-Win since 1987 in one form or another. I've never published a complaint. It is all by word of mouth. No published incriminating evidence. hmmm...
What happened to the security hole?
Don't complain about syntax, grammar, or spelling. There is no hell like input on Android.
I don't have the right to test the windows at my bank...
Nice website you've got there. It'd be a shame if something were to happen to it.
Higher education in Quebec is different then other parts of Canada.
http://en.wikipedia.org/wiki/Higher_education_in_Quebec
Try "knocking on the bricks to see if they used ACTUAL bricks rather than just brick-patterned wallpaper".
Higher education in Quebec is different then other parts of Canada.
Yes. Apparently they don't teach English grammar in Quebec.
Since his personal info is in this system, it is indeed his "window".
So I suppose you also own Facebook if you have an FB account?
He got kicked out for scanning the network some time after reporting the vulnerability.
Shame it's completely wrong, the window belongs to Omnivox. A better analogy would be that he noticed Omnivox had left their window open and told them, to which they thanked him. He then goes back 2 days later with a crowbar (Acunetix) to test whether they'd locked their windows properly yet.
Was it too much effort for you to type the word "did"?
NOBODY writes "What'd", you cretin.
Let me guess - you're American.
I think you meant to put a 'w' instead of a 't' - but don't worry, it only made your sentence mean the OPPOSITE of what you intended. Now who's the idiot?
"And, as such, your legal position is not significantly weakened because"
"Everything with finding the flaw seems to have gone find."
Huh?
Why is this funny? I just finished my second degree and I can say with a total degree of certainty that the only good code I get to see from day to day is either from my Embedded Software Developers or from Software Developers who use C or ASM.
Also NEVER IDENTIFY YOURSELF when reporting a vulnerability. IT departments love to shoot the messenger.
I found myself in a similar situation many years ago with e-Trade (now Scotia iTrade). Their phone support staff was giving EVERYONE the same temp password for initial login and forgotten passwords. I was sort of distracted the day I first set up my account, and didn't really notice that the system ALSO didn't force me to choose a new password immediately after using the default. A few weeks later, I logged in but got my user ID digits transposed. I found myself logged into someone else's stock account, with over $12k of holdings. I could view their balance, holdings, contact info; I could have changed said contact info and sold their stock portfolio, moved the money wherever I dared, etc.
I quickly logged out after noting the incorrect ID and email of this person that I had just logged in as.. then went home, registered 2 or 3 anon web proxies and through those registered for an Asia-based webmail service under a one-time throwaway account. I then emailed the person, CC'ing eTrade, with a polite note stating that they should change their password IMMEDIATELY, and that they should call eTrade right away and demand they fix their password policies. I then deleted the email account and proxy setup, and hoped I'd done enough to help that person AND shield myself.
I, and a few others at our office, STILL got polite (but somewhat probing) calls from eTrade the next day, as I'd forgotten that we were all going out through the company NAT there, so they had seen our office IP access that mistaken account the day before. I played dumb, stating "why yes, that WAS my password too! I sure hope no one got at my account! I'll change it right away, thank you sir."
eTrade emailed everyone a few days later announcing an updated password policy -- I hope someone on their IT and phone support teams got a stern talking-to about using the identical password for multiple users, too. Inexcusable for a finance company with people's money to be that careless.
Easy for you to say, but given that his name indicates he's probably not fourth generation Quebecois _and_ in light of Aaron Swartz literally being hounded to death by his own government, that threat no doubt sounded all too real. Western laws and protections have been proven not to be universally applied to those of the 'wrong' religion and tending towards the brown part of the skin spectrum.
I am curious what would happen if Anonymous got involved in this. I wonder what the college would do if Anonymous gained access to all the very same student records then threatened to release them all unless the college reinstated this student.
xkcd.
[Gotta be redundant by now.]
Have gnu, will travel.
Nazi: "I order you to sign this non-disclosure form, or you will be sorry!"
Subject: "OK"
Nazi: "Good. Now you are expelled."
Subject: "You forgot to tell me I would be sorry no matter what I did."
Subject's original response should have been "Fuck you, Nazi".
Purdue
I too accidentally stumbled upon student information. Except the files I found were on a network drive that didn't have permissions properly set, and thus any person who knew where to look, and had an account on the network, could see these files. All students and teachers had an account, but that doesn't mean you had to be either. All you needed was to know someone who was a student there, and have them log in. The issue was that everyone had read access, but no one had write or delete privileges. So, you could see addresses, phone numbers, social security numbers (yes, I'm an American), names, student ID numbers, and other bits of information and there was nothing you could do. I brought this up to the head of IT security and he approached the whole situation like I was a criminal and questioned me about everything. There was one weird thing he had said though. Something along the lines of "These could sell for anywhere from $50 to $100 a pop." so I was under the impression this wasn't an accident. I couldn't focus on my school work, and just stopped going to any of my classes after this. I failed out of every class, and didn't really care. I saw this as a slap in the face. Considering that I was going for computer security (won't say the exact course I took, so I don't get stalked/harassed) this absolutely disgusted me. Also, from what I understand NOBODY got fired because of this.
they're doing him a favor. dawson's a shit school and he'll be better off somewhere more technical.
Yes deep freeze.
Back in high school they had that, but we found that if you hit Cancel at the Novell login screen you then logged in as local admin. Also for some time you were able to get past the web filter just by turning proxy settings off. They fixed that part.
Well, now everyone knows about the flaws and extreme douchiness of Dawson College.
If I were a student I would file suit against the university for negligent handling of my PII and encourage others to do the same.
Never sign anything legal unless your lawyer is with you or has already reviewed it for your protection. NEVER SIGN ANYTHING
It doesn't surprise me what actions the student opted to take. What most people often forget is that he's still very young, and getting expelled from college in his eyes could potentially mean his future will be shattered. I can relate to him because I myself am a student, and if I found myself in a similar situation it would be much more difficult to make a decision while it's happening as opposed to from my computer at home. But at the same time it's hard for us to make a form of judgment because we will never truly hear both sides of the story.
He was not "expelled for finding sloppy coding". No matter how much you dislike schools, Quebec, Canada, authority figures, software, computers, accurate headlines, or terms of use, he still was not "expelled for finding sloppy coding."
What is so hard about swapping the text and adding a comma?
Try it:
Student Finds Sloppy Coding, Expelled From Montreal College
Now it implies a correlation (which there definitely appears to be) instead of libelously explicitly stating causation.
How many scans are they getting hit with now that they've alerted the world to having vulnerabilities? Come arrest everyone that scans your webserver.
No, they couldn't. Electric utilities are regulated like the monopolies they are. Now what they might be able to do, probably even what they intended to do, is to regulate whether you can hook up a generator in such a fashion that it might inadvertently be connected to their system (which would be bad). But even that is a bit iffy -- you could probably force them to specify characteristics of the proper sort of switch over circuitry that you have to install rather than denying you the ability to connect a generator outright.
And in this day and age, the ability to connect solar to the grid and actually force power back is actually a right granted by the state to the customer in a lot of places.
What makes you think what he writes should have any less legal force than what the company wrote?
I do the same thing all the time. Mandatory arbitration clause in car purchase agreement? Strike through and initial.
If she has the ability to countersign, then she effectively does. If she doesn't have the ability to countersign -- worst case is that the entire contract is null and void, because there was no "meeting of the minds." But you would be laughed out of court if you suggested that the person who penciled in a change to a contract should be held to the original version because the other party didn't agree to the change, when the marked-up contract is sitting in the other party's files, properly countersigned, and there are no signatures on any unchanged version. And you would be laughed out of court if you suggested that the nice lady who signed the contract; who signed all the contracts for all the customers; who sat there every day signing contracts -- shouldn't have signed that modified contract. That's the company's problem, not the customer's.
In the late 1980s, I was the sysadmin of a large Unix server at a well-known university, when suddenly the server stopped accepting logins. It seems that the password file (/etc/passwd) had gotten corrupted. The reason? A well-meaning graduate student had suspected a security flaw and decided to "try it out" to confirm it and then report it. His heart was in the right place, but his judgment was total stupidity: he corrupted a running server used by dozens of scientists "to see if it would work." If he had just stopped by my office and ASKED (we knew each other well), we could have checked for the flaw safely.
So I have a little sympathy for Mr. Al-Khabaz, but he did exercise very poor judgment in running Acunetix.
To continue the analogy, it was the window to the dorm room that the school provided him.
So following your analogy, it would seem perfectly reasonable to me that he should be able to test the security of the mechanisms meant to protect him.
Software sucks. Open Source sucks less.
It's not about ownership. It's about having the right to see whether your data is now secure after having made the previous discovery that your data was indeed not secure.
It's the old hire the guy who hacked you scenario:
http://www.cbc.ca/news/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html
See http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html to see what happened after this report.
School still pig-headed; IT supplier less so.
-- hendrik
Most on Slashdot are hopelessly naive when it comes to the law, probably since you have not seen it operated properly, close up. There is the techie, man-in-the-street and lawyer way of looking at things; though I am a Roman Law lawyer, I am also an Engineer, and I know all about ASCL.
The law is a game, lawyers play every day, and get paid by result. They understand the Rules, the Research Method, and Area-of-Interest Lawyers understand current precedent ... It takes 5+ years of your life to be any good.
Most advice here is worth what you paid for it, and I don't practice in NORAM so some common sense advice:
1. The school committed both Breach of Contract and a Tort, and the coerced NDA is worthless.
1E. David Treisman -v- University of Essex c 1968 .., UK-QBD asserted that a University, in the Exercise of Disciplinary Powers is a Court of First Instance and must follow the Principles of Natural Justice ... No Coercion, Fair Hearing, Right to Representation.
Though not litigated in Canada, CSC follows English Precedent.
The real issue is competence, cost of setup and Understanding of the Civil Procedure Rules. Cases run by individuals can be fast-tracked, and the most dangerous opponent is a competent litigant acting without representation.
There MUST be a competent local lawyer who will do the action either pro bono or contingent for 5% of the damages.
MFG, omb
And yes he probably could have handled it better.
As a developer I'd really rather know if the app that I was developing could possibly be used in ways that it's not supposed to be used. I.e. the discovered vulnerability. He reported the vulnerability, and was told that it had been fixed.
Frankly, I want to know for myself if the vulnerability was fixed, rather than just relying on someone else's say-so before I release an app that I'm developing that may be used in unexpected and undesirable ways.
That said, the test should have been performed with the oversight of the people responsible for the system being tested. Better it should have been tested against a duplicate of the system as a testing environment, preferably with valid but unrelated data. Then tested against the real data system if the test system passes. Again only with administrative oversight.
Finally, an NDA for such a situation should be worded so that the NDA applies while the reported bug is being patched and has been made available to schools and businesses using the system and a reasonable time following that availability to give the admins time to test and deploy the patched system. Once those events have happened, the NDA should no longer be applicable. After all the vendor has addressed the flaw. Additionally the NDA should have an absolute expiration date giving the vendor the incentive to actually fix the problem.
My other concern with this behavior is that as a developer I expect people reporting that they have fixed the identified problem to ask that the person reporting the problem in the first place, follow up and confirm that the flaw is not there any more, and advise them of any other problems that may be detected. That would be an invitation to do exactly what the student did. Check the fix and look for other problems.
That said, those are techniques in the open source community. In the closed source community, it wouldn't surprise me if the vendor was OK with fixing the original reported flaw, but didn't want to learn about anything else, and asked the school to watch out for the behavior that might indicate the student was looking for other flaws, rather than seeking them out themselves and fixing them ahead of time.
You never know...
...by the company whose software had the bug.
http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html
Not an update - school still behaving like spoiled children.
You never know...
Last year our school gave us laptops with Windows 7 (you may have read about them http://news.slashdot.org/story/09/09/27/0252235/au-government-to-build-unhackable-netbooks). Well needless to say, pretty much everybody got administrator access on the laptops within the first couple months of having them. Most of us got a three day suspension and our laptops wiped. Some were lucky bastards and either didn't get caught or managed to bullshit their way out of it.
To me, at a guess, it looks like delayed blowback from the vendor that wanted to find an external criminal instead of being accused of negligence. It seems that when it comes to computer security problems, if you don't have a very clear paper trail with every step signed by every stakeholder, then the one most likely to be blamed will use any tiny excuse to stick a stake in you.
I've seen it before, you walk into a building you've never visited before to do something about a hacked machine you've never seen before and the kneejerk reaction of some loud idiot is to blame the guy that is there to do something to fix the problem - and then they make so much noise that you have to provide hard evidence that you didn't cause it before you can actually get some work done. It's as if you need childcare training to deal with people in these situations.
Yeah... while in the rest of the world we are sane, and it's not illegal to check if a door is unlocked, and you most certainly can't kill someone because you think they are trying to break in.
They promised to fix it immediately. Did he promise to trust them on that?
The moral of the story is it's stupid to do things that impact on system performance and embarrass others when they know who you are. It's a silverback asserting dominance by punishing the young gorilla that revealed the silverback is getting old and slow.
It was probably the cost of not having their software licence pulled. A known buggy site would have been seen as better than having the rug pulled out from under them in half an hour.
I wonder who has access to minutes from the meeting where his expulsion was decided? A lot of universities allow staff to have access, unless of course they pull the bullshit "commercial in confidence" trick to cover things that it shouldn't.
The USA has a pretty weird patchwork of legal systems descended from different roots too.
Sometimes it leads to an International level laughing stock (eg. the highly fractured US electoral system and how it can have weak links like Florida), but I'm sure it mostly works.
Crowbar? To get through an "open door". A better analogy would be a sackload of rats and watching to see if any of them made it through one of the doors.
Either way, this could be seen as checking to see if a promise that was made to him (that it would be fixed ASAP) was kept, and in this case it was not. I wonder if in turn he had promised not to look for more holes. If so it's bad faith all round but he gets to wear all of the consequences.
Except vulnerability testing in the physical world is equally a good thing. You'll find security consultants do exactly that for domestic and commercial property all the time. It leads to "fixes". IT is no different.
The point about gaining authorisation for testing security is to prove that you are bona-fide, before you're caught. If I am caught "testing" a stranger's locked doors in the middle of the night, yes it is a good thing if I find they are being lax about security and tell them. But I may find it difficult convincing police that this was my true intention from the start.
In your world of "bona-fide unauthorized access", any criminal caught attempting to exploit an online vulnerability need only say; "I was testing it, honest" to walk free.
That's not what he did though, he ran a broad-spectrum penetration test on the website. That's quite different to verifying that the specific vulnerability he found had been fixed.
Expulsion may be uncalled for, but it's not like he's some blameless victim; he did a foolish thing by doing that without contacting them first.
There is a petition to help this student, asking Dawson to reinstate him, make him whole financially, and apologize.
The student's experience is normal in dictatorial regimes. Increasingly in our country too, those in authority do not like to be called out or held accountable. They work to squash anyone who dares speak out. Universities especially are famous for this kind of behavior.
If scanning for vulnerabilities in any site, ever, is unethical then the industry is in far worse shape than I thought. He could have done this all day every day and I'd support it. The only reason he got in trouble was he was in easy reach. It was a smart kid doing what smart kids do. Disgusting.
Thou shalt not point out that the Emperor has no clothes.
I smell a lawsuit. Ahmed shouldn't take this without a fight.
I think identifying the school would invite hackers to target it. Probably not a good idea.
I'm glad my school is a bit more tolerant of these things. They really honor that sort of curiosity, and would commend students for finding problems rather than penalize them. But then again, I doubt MIT makes mistakes like this...
Dawson College is stupid. The next student who finds a flaw isn't going to say a word. What a great recipe for ensuring that all of your security problems remain problematic.
Isn't that how we got Facebook? All the info in the student db was accessible, and so he used it to make a site for commentary?
--- Say something clever. Pretend it was me. Thanks.
for all /. readers to bring the montreal uni website down in a gesture of solidarity for this guy. he didn't deserve to be expelled
Skynet made Omnivox http://www.skytech.com/en/index.sky "We feel that this situation should not prevent such a talented student from doing what he loves most. Just as we are already collaborating with the other student who helped discover the flaw, we will also offer this student to work for us with mandates in IT security in order to allow him to work in the subject area he loves."
Sounds like a class action -- 25,000 john and jane doe against the company and school for inappropriate management of their data.
Enough to get tuition covered + taxes as well as make the attorney rich.
Kids like this should be cultivated, not expelled.
It's not lost on me that we disrespect young computer programmers while in school and often cause the kind of resentment that results in hacker mischief and evil deeds.
While the debate on limiting guns begins to rage due to people insisting they need guns to protect themselves from thieves and invasion, the disgruntled kids and other countries are slipping into their bank accounts, charge cards and stealing from them. Foreign countries own nearly 40% of our country without having fired a shot.
It is our own extremists, our citizens who are often committing terrorist acts.
We react instead of respond.
We need to protect ourselves and fight back. We need to nurture computer capable kids and guide them to help keep us safe.
Abasing the students with that potential is shortsighted and wrong.
JAF
Assuming that there are no major pieces missing from this report, I think that the school management is simply inexperienced in these sorts of things and treats technology like magic. To them, anyone who'd dare to suggest a flaw (much less demonstrate one) in the holy binary box that is their software is akin to a witch - a creepy hacker who by the power of a covenant with the devil aims to make them look like the fools they really are. ~Forgive them father, for they know not what they do. :P
They could have at least water boarded him a bit to see if he could make up some interesting fake information while they were at it.
If, by accident, I discover they are failing to do so and I inform them of the problem, then I have an obligation to myself and all other facebook users to ensure the problem has been corrected.
The truly loyal subject will neither advise nor submit to arbitrary measures.
If, by accident, I discover they are failing to do so and I inform them of the problem, then I have an obligation to myself and all other facebook users to ensure the problem has been corrected.
But does that give you the right to test their site for all other possible vulnerabilities using a penetration tool without asking them?
This doesn't just happen in academia. I was ordered to investigate the security of our software at a company once, because they didn't think I'd find anything. I wrote a confidential 30-page report for the company on a security vulnerability I discovered as part of this task while employed there and presented it to my manager; it exposed a serious flaw. I had found the flaw in only one day. They became upset with me, and they ended my employment a month later. As I was looking for a new job I listed security vulnerability research under my employment section on my LinkedIn for the job. They had H.R. paying attention to my LinkedIn, and then demanded I remove any mention of security vulnerability investigations or they would press charges.
The "http://www2.dawsoncollege.qc.ca/phones/" public website
Name / Email Office Local Position / Department
Alexander Simonelis 3F.22 5058 Faculty
Computer Science
Or give him a call 514) 931-8731 ext. 5058.
Thanks to all
I think the British had a treaty with Quebec that let them keep their Roman/Civil Law sometime between the end of the 7 Years War & the beginning of the American Revolution.
This is an issue of professional ethics that seems to be sadly lacking. You don't probe somebody else's system without express permission. To do it a second time is clearly deliberate, not an accident.
Before you get upset about this, you should know that he has been offered a job at the very company making the software he exploited. http://news.nationalpost.com/2013/01/22/student-expelled-after-he-discovered-flaw-in-schools-data-security-was-warned-twice-college-says/
Does anyone know the name of this company? Is there a reason we are not naming and shaming this CEO?