Student Expelled From Montreal College For Finding "Sloppy Coding"
innocent_white_lamb writes "In what appears to be a more-and-more common occurrence, Ahmed Al-Khabez has been expelled from Dawson College in Montreal after he discovered a flaw in the software that the college (and apparently all other colleges across Quebec) uses to track student information. His original intention was to write a mobile app to allow students to access their college account more easily, but during the development of his app he discovered 'sloppy coding' that would allow anyone to access all of the information that the system contains about any student. He was initially ordered to sign a non-disclosure agreement stating that he would never talk about the flaw that he discovered, and he was expelled from the college shortly afterward."
Troublist!
All problems can be solved by personally punishing someone in an unrelated fashion to their crime, rather than simply fixing the problem.
...and report on exactly how this flaw works, and what its implications are.
The college system turned a friend or at least a neutral party into an enemy. They should expect any and all damage that he can inflict on the administrators at the top that were foolish enough to support the actions taken against the student.
I'd covertly publish the flaw + a ready-to-use exploit everywhere and let chaos ensue.
Outside vendor freaked out and it's easier for the school to take the easy way out and kick him out than it is to help him.
does whistle blower laws cover this? and what was the scope of his work?
sounds like he found something and they did not want to fix it or the cost to fix was high / a hole like that will lead to a fine.
Why would you run vulnerability scanner software on a remote network from your home IP!? Sounds to me like he found a flaw, got overzealous, and got permbanned.
did you forget to take your meds?
Expelled for trying to hack the site a second time, not for notifying them of his first hack. Summary is technically true, but still a deception.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected.
Seriously, don't run Acunetix or Retina scans or whatever on other people's systems. It looks like you are probing for vulnerabilities because, well, that's exactly what it's doing.
And if I'm a sys-admin, I'm going to see that and think you're an attacker. From my point of view, you've just cased the joint. That's what I'm going to report up, and from there everything gets ugly.
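The comment above is about what a scanner looks like from the sysadmin's side of the logs: not intent, only traffic shape. The following is an added example and not code from the article or from anyone quoted in the thread. It parses constructed combined-format access log lines and flags a client on four assumed heuristics (a self-identifying user-agent, request rate, 404 ratio, and number of distinct paths). The thresholds, the marker list, the sample IPs and the "ExampleScanner/1.0" user-agent are all assumptions made for the example; nothing here states how any real product identifies itself.

```python
"""Flag scanner-like clients in web server access logs.

Added example (not from the article). All thresholds and the user-agent
marker list are assumptions chosen for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Substrings that, if found in a User-Agent, are treated as a self-identifying
# scanner. Assumed for the example; "examplescanner" is the one the sample uses.
SCANNER_UA_MARKERS = ("examplescanner", "acunetix", "nikto", "sqlmap")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def score_clients(lines, min_requests=10, rpm_threshold=30.0,
                  not_found_ratio=0.5, distinct_paths=10):
    """Group requests by client IP and return {ip: [reasons]} for suspicious ones."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        if any(marker in r["ua"].lower() for r in recs for marker in SCANNER_UA_MARKERS):
            reasons.append("scanner user-agent")
        if len(recs) >= min_requests:
            # Behavioural checks only make sense with enough requests to judge.
            span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
            rpm = len(recs) * 60.0 / max(span, 1.0)  # floor the window at one second
            if rpm >= rpm_threshold:
                reasons.append("high request rate")
            if sum(r["status"] == 404 for r in recs) / len(recs) >= not_found_ratio:
                reasons.append("high 404 ratio")
            if len({r["path"] for r in recs}) >= distinct_paths:
                reasons.append("many distinct paths")
        if reasons:
            findings[ip] = reasons
    return findings


def _line(ip, ts, path, status, ua):
    # Render one constructed combined-format line.
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


def sample_log():
    """Constructed sample: an ordinary browser session plus a scan burst."""
    t0 = datetime(2013, 1, 21, 10, 0, 0, tzinfo=timezone.utc)
    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/18.0"
    lines = [_line("10.0.0.5", t0 + timedelta(minutes=i), path, 200, browser)
             for i, path in enumerate(["/login", "/home", "/grades", "/schedule", "/logout"])]
    # Twelve probes for paths that do not exist, one per second, then two real pages.
    probes = [f"/admin{i}.php" for i in range(12)] + ["/login", "/home"]
    lines += [_line("192.0.2.77", t0 + timedelta(seconds=i), path,
                    404 if path.startswith("/admin") else 200, "ExampleScanner/1.0")
              for i, path in enumerate(probes)]
    return lines


if __name__ == "__main__":
    for ip, reasons in score_clients(sample_log()).items():
        print(ip, "->", ", ".join(reasons))
```

Run stand-alone it reports only 192.0.2.77, with all four reasons; the browser session is never scored on behaviour because it has fewer than `min_requests` hits. The user-agent check is the weakest signal (it is trivially changed), which is why the behavioural checks carry the decision; tune the thresholds against your own baseline traffic before relying on them.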
And this a couple of days after some other big IT personality gave a speech at the funeral stating he could have been gone the same way as Aaron Swartz if he would have been punished the same way during his hacking and exploring days during College.
Sad.
I know, this is Slashdot, but I still read the article.
And I still don't agree with him getting expelled, but the reason was not discovering/disclosing the flaw; he got in hot water when afterwards he tested if the flaw was still there, and the company developing the software reported the hacking attempt.
It was still a big overreaction that happened afterwards, and he shouldn't have been expelled, but it's not the discovering/reporting of the flaw that got him in trouble, and the article clearly states this!
Aren't there laws which invalidate contracts signed under duress anyway? I thought I remembered reading that somewhere.
Shooting the messenger does nothing to solve the underlying problem. Thanks to the fourth estate and the Streisand effect, shooting the messenger is likely to get you more attention, not less.
Techs everywhere need to learn this important lesson: Never Sign Anything unless you are also offered, on the same piece of paper, a guarantee of what you receive in return. You get no prize money for signing an NDA or DNC. If you ask for it, you will get 1) a job, 2) some cash, 3) some action not taken. You can ask for nothing, but you will get the exact opposite: penalized or harmed. Your goal is to sign something such that if what you are offered is not fulfilled, the NDA is broken.
As it stands, asking someone to sign a NDA and not offering a guarantee of something in return is already suspect and can be fought. You had an expectation that you wouldn't get expelled, or that you would get a free education, or something else of benefit to you. People need to learn that colleges, Lance Armstrongs and corporations all act the same way. You will get screwed if and when there is an opportunity to screw you. And you will go broke defending what is right. Few will care.
Don't Sign without Something in Return (DSSR)!
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
I missed that part of the article. Can you quote the line where they said that?
It seemed more like he discovered a flaw and reported it. This embarrassed the university. He later tried to verify if the flaw had been fixed by using the flaw (probably not the best move he could have made) and the university used this as an excuse to terminate him.
DO NOT QUESTION AUTHORITY. This is what happens when you exhibit independent thought..
You do assume that this is going to be fought fairly. The legal system is a game of adversaries, and the objective of the college administration was not to fight a fair legal battle, but to win at all costs. If I were a bastard in their place, I'd see an obvious way to prevent him doing that: "You want a lawyer? Go ahead. But the moment you step out of this office, I'm calling the police. Either sign the NDA right now, or I'll make sure you really do need that lawyer."
It's intimidation, of course. But most of the time I'd expect it to work. What's the worst that could happen? A college student finding enough money to file a civil suit against the college, that could take years to complete and cost more than he'll earn in a decade? No, most people would recognise that they are being strong-armed, but also that they are being strong-armed by someone with both the willingness and ability to utterly screw up their life if they don't comply... regardless of the fine points of contract law.
Sure, nevermind all those other unrelated innocents who'd get their information stolen in consequence.
Also, stop misusing that damn phrase, asshole.
Give him a break. Perhaps he was too naive of people's goodwill. However, seeing that he was cornered, talking to the press and appealing to the public opinion is his only way out, and hopefully a more progressive university will take on his cause. Going public is the only way to "clear" his name - Google search news articles vs. tainted academic transcript.
Slashdot article summary is very misleading at best. He was not expelled because he reported a security flaw; he was expelled because he ran Acunetix, a website vulnerability scanner, after he reported the vulnerability, without permission of the web gods. Although there was no malicious intent by Ahmed Al-Khabaz, he stepped over the line and the University was not in a forgiving mood, arguably vindictive.
Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.
“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”
For reporting the vulnerability in the first place, he was thanked by the University, but they did not take kindly to using Acunetix -- I would certainly agree that the university over-reacted, but they were not punishing him for discovering a vulnerability.
Just because he had an Islamic name
What's "Islamic" about the name? If you said "Arabic", now that would be something else...
Also, running a pen-testing tool on someone else's network without written permission is just a dumb move. Even a college freshman should know better.
Calling a kid an idiot is a bit strong. He's only 20. It was only a few years ago that the biggest threat from an authority figure was that something he'd done might appear on his "permanent record." Nice to see another country that doesn't educate its citizens on their rights.
I'd be amazed if there isn't a lawyer who won't take this up pro bono and sue the school.
By the story linked, he wasn't expelled for finding a software flaw, he was expelled for running a vulnerability scanner against their network.
Everything with finding the flaw seems to have gone fine. He found the flaw while working to develop an app, he did nothing wrong, and it seems like he got kudos for it, not any sort of harassment at all.
Then he started using a vulnerability scanner on their network. You never do this without an arrangement (IE a pen testing contract). Never ever ever. It's illegal for one, it definitely can disrupt systems, and it sends up all kinds of red flags.
On the other hand, no one told me those things in college; they were part of my job training post-college. When I was at school, there were no 'ethical hacking' classes that let you know what is and is not illegal to do as part of vulnerability research. So I doubt very much the kid had any idea what was going wrong. Hell, I know now that most big universities get crazy-angry if you do anything that even looks like an attack over them... but no one told me that in college when I was actually using those networks.
The company took a rather strong wording but soft action: they elected not to pursue anything past getting him to sign an NDA. They didn't ask the school to expel him; the school did that entirely on their own. The student clearly doesn't understand why he was expelled, either. At least not by his quotes in the story (he's sure it's trying to cover up the flaws; in reality it's almost certainly because he ran what is considered a cyber attack across a university network, very illegal and very likely to piss off the administration).
Obviously he shouldn't have been expelled; he did not act with malice, and clearly still doesn't know the legal boundaries. What this tells me is it's long past time to start coupling your computer science 101 class with a cyber ethics and law 101 class. While anyone who works for a pen testing company can immediately see where things went bad, his actions make perfect sense from the perspective of a college student.
When I was a CS student I discovered a flaw in the program we used to turn in assignments. The flaw allowed access to the code anyone had turned in for an assignment. I however elected to anonymously inform the CS dept about the problem. Glad I did. I found out they searched and searched trying to figure out who I was so they could kick me out. Sometimes it is better just to be an Anonymous Coward.
Is there a reason you're so angry at someone who's never done anything to harm you?
I don't know if you're a lawyer, and I don't know if you've ever dealt with clients who have been bullied into signing things. I am, and I have. Your fantasy version of the perfectly rational college student making calm and collected decisions when he's being threatened with prison, from people who are his authority figures and who he assumed were there to help protect him, is ludicrous.
This disclosure won't affect whether a court ultimately determines that the contract was signed under duress. And now that there is going to be some extremely hostile press against the company (I hope), such a lawsuit may never materialize. In which case breaking the agreement may have been the smart thing to do.
Wow ... you seem to be lacking some basic empathy skills. Do you have any idea what it is like to be squeezed by some institutional power for no other reason than doing the right thing? It's brutal enough to be squeezed when you have some experience under your belt, but this kid was only twenty years old.
Now, let's say he finds himself in the same position a few years down the road and he repeats his actions, expecting a different result. Then, I'd call him an idiot. In this case, I call him exactly as he was: a student. It was a shitty lesson, but that's the point of college. It's not to get a job or join some pro football team. It's to learn and he learned by fire.
Specifically, he broke the First Law of Insiders Reporting Security Violations, which is that he let someone know who he was.
History has shown beyond a doubt that if you're reporting a security violation to some entity, the only time it's safe to do it "in the clear" is when that entity obviously has no power over you. Otherwise, you have to protect yourself.
He didn't, and everything follows from that mistake.
Two things I'd do in that situation:
1) Get a lawyer before going to that meeting. Short notice, but not impossible. You don't have to bring him but do get his advice.
2) Carry an audio recorder hidden on your person (check if that's legal first; in some cases it isn't). That will help you in court later if you have to provide proof of undue duress.
That will improve things. Or not. How supposedly smart people can make such a fundamental beginners mistake is beyond me.
I do understand what motivated the student though: he seems to be one of these very valuable individuals that try to solve problems when they see them. Unfortunately, "modern" administrations are so in love with their misconceptions that they cannot stand the type.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Read the article again. They did. Particularly where the software company threatened him with legal action.
Ahmed Al-Khabaz started off doing the correct thing by alerting the University (who then escalated it to the vendor) about the security hole. The vendor said they would fix it and, as far as I can tell, did not give any further information to the finder of the hole, who also had personal information hosted on the service. The company should have given him updates and told him when it was fixed. It would even have been beneficial for them to get him to run the exploit from his location, given that he had discovered it and clearly wanted it fixed.
The use of an NDA seemed appropriate though, as he had access to confidential information of other users, and I understand the company needed time to patch this before the exploit was released into the wild. The NDA should have allowed him to speak to some defined people, namely some representative of the university, and work with them to get this problem fixed. Up to this point everything seems to be going how it should.
After this all parties seem to make mistakes. First, Al-Khabaz should not have just re-run the exploit, as he should have first sought permission; if permission was not given he should have reported the situation to the university, who should have gotten proof that the hole was patched, including the ability to do independent verification (which the university could have got Al-Khabaz to do, possibly for a nominal fee).
The next mistake was the choice of Skytech to come down so heavy-handed; they seem to have gone all-out defensive rather than looked for a sensible way around it. Maybe they could have offered Al-Khabaz a short period of [pro bono] pen-testing work that he could put on his CV. Students need these mentions, and the company could have dealt with what is a PR disaster and helped a student with their future career with next to no outlay by being a bit more cooperative rather than throwing legal threats around.
Oh, and I know that there are people who are against students doing work for free in exchange for being able to write something on their resume, but this is a fact of life now, although a nominal charge of $100 for the test and a simple report documenting what he had done and that the hole had been fixed would seem acceptable as well.
from people who are his authority figures and who he assumed were there to help protect him
A college / university being excessively paternalistic / coddling of its students almost all of the time? Naah, never happen.
Next time just do sell the exploit on the black market.
Wow, a post that fully justifies using AC. Would it be safe to at least identify this school of mostly incompetent faculty?
A student in the middle of a business venture would be quite lucky to have a few hundred available. I know I didn't. The disadvantage poverty creates within civil law is insurmountable unless the potential damages are sufficiently juicy to draw in a shark willing to work with no fee. I wouldn't have signed, sure, but expecting him to be able to afford a lawyer is unreasonable.
Now you are right though, all he can do having already stepped outside the law, is get even (hopefully without harming the other student's privacy), or lick his wounds.
Most students generally trust their college authority to work for their own good (especially in countries less sceptical of authority, like in Europe/Canada). When I was 20 years old, afraid of failing, afraid of the consequence of just being labelled a hacker on my career, with an enormous amount of money at risk of being lost AND trusting that the guy in front of me was actually doing me a favour, I could have been strong-armed into signing.
The College has moral authority on the student and abused it. That's exactly why duress laws have been created.
An Idiot? To trust senior staff at a teaching institution?
Naive perhaps.
Too trusting maybe.
But an Idiot?
I'd rather live in his worldview than yours.
You're an idiot. You signed something under threat of prison / arrest without bothering to consult a lawyer. No amount of mention of poverty, trust, or even just plain intimidation should have made you do such a thing without first consulting a lawyer.
And here is the harm in the "If you're not guilty you have nothing to worry about" attitude. A lot of people act as if nothing can hurt them if they've done nothing wrong. These same people tend to look on those that protect themselves as guilty. The student may have been trying to appear innocent by cooperating instead of "acting guilty" by lawyering up, so this would just blow over.
"He told me that I could go to jail for six to twelve months for what I had just done and if I didn't agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement."
You're an idiot. You signed something under threat of prison / arrest without bothering to consult a lawyer. No amount of mention of poverty, trust, or even just plain intimidation should have made you do such a thing without first consulting a lawyer.
And, as such, your legal position is not significantly weakened because, by talking to the media, you've BREACHED that non-disclosure agreement that you voluntarily signed and would now have to prove duress in a court to invalidate that.
You're an idiot. Don't sign anything, and if you do abide by what you sign. If they threaten you with police if you DON'T sign anything, pick up the phone and call the police (or lawyer) yourself. Duress to sign a contract is extremely important. Signing an NDA (of all things) "voluntarily" and then claiming it was done under duress in a public statement (that mentions the NDA you've just agreed you won't mention) is idiotic. Call a lawyer: it's the ONLY sensible option at that point.
And if you'd done that? Sure, it would have cost you a few hundred to get them in, but there's no way on earth that you'd be where you are now (i.e. having to hire lawyers to get back into school, for instance). In fact, likely the matter would all quickly become a "misunderstanding" that was hastily swept up out of the press.
You're an idiot. All you've done is shown a court that what you did was so grey-area that you'd rather hastily sign a contract than have the police look into it, and then you've gone and broken that exact contract, and admitted doing just that in the most public way possible.
Ladies, Gentlemen,
People like the parent here are precisely the thing that is bred by the zero tolerance system practiced in school. Human error or weakness is no longer a fact accepted, no, it becomes a strong blame-the-victim justification. Making a mistake is now everything that is needed to shred the victim of abusive behavior to pieces.
That, precisely, is the damage caused by zero tolerance stances in our educational system - people incapable of basic human empathy, the acceptance that humans make mistakes (especially when thrown into situations that have no precedent in their limited young life).
You sir, are an asshole.
What an unpleasant person you come across as. It must be nice to live in a brain that can have no empathy for other people, and can dismiss their mistakes because they're an 'idiot'. Not having to deal with trivial emotions like sympathy or concern.
It's good for you that when you became 18 or 16 (in your examples) you knew everything about your rights and could effectively counter any bullying tactics. Sadly the rest of us are not so fortunate, and when threatened by older, more experienced people in authority we tend to doubt our poor, meagre minds.
How "common" is this? How common is it for college students to find security flaws in the code that schools run, and to be expelled for uncovering it? That isn't even what happened here:
He was expelled for his "testing" of the breach after he told the administration and the software company about the security flaw.
He was not expelled for finding the security flaw, he was expelled for running what was a well-intentioned "attack" on the software he identified the flaw in. If he had co-ordinated with the software vendor there would have been no issue. Of course, the only way you'd know that is by reading the linked-to article - I wonder why the headline author didn't do that?
Not allowed to buy alcohol. Still a child.
Or don't hide the audio recorder. Put it on the table and turn it on, ask them to repeat what they say.
Or of course, they could have just gone to him, showing their own proof that they had indeed fixed the problem. Thanked him again for not exploiting the weakness in their system and understanding that students trying to learn, be constructive and help others access information easier are the kind you want in your University. Everything after whether correct or incorrect, is understandable coming from a colleague student. People make mistakes. When the College did it, they were given a second chance, because of this guy. When he then made a mistake, no such option was granted. He's better off without the college, and at least he will have learnt a few things. It's all just a shame really.
For all we know that information has already been stolen.
Traditional college fails at tech this is why we need more tech schools / IT & tech apprenticeships.
This seems a lot like other cases of big-name schools using outside people for the tech, and then the students take the heat for finding bugs in the system.
I think it's the higher ups who don't get tech and maybe even the theory based classes that poorly cover stuff like this.
But the administration probably doesn't understand the difference.
Montreal isn't in the United States, it's in Canada, where our culture of racism is quite different.
[...] this kid was only twenty years old.
Not true. In Quebec, we have the CEGEP system, which is equivalent to the last year of high school and freshman year of university. Dawson is a CEGEP, so Ahmed was almost definitely between 16 and 18.
"only 20" = not a kid. Fully grown, legal, contract-obliged, come-of-age adult in just about every civilisation and jurisdiction known to man. By at least 2 years, I should think, in most places.
Legally. In reality, since so many 18 year olds who have never worked a day in their lives are going to college these days, people are mentally remaining kids until 22-24 years old. Remember that the US voting age limit used to be higher.
...when I read the title. I'm from Montreal, currently studying on exchange overseas. A few months back a friend of mine was telling me about an app he and some friends in a club at Dawson College were writing. I know a few of the guys personally because I was at some party with them back in September and I had heard a bit about how the project was going in the months following. All this to say, the story is complete bullshit.
Apparently, the school had originally offered to share some info that would help the guys making the app, but, coincidentally some company started developing something around the same time that was along the same lines so Dawson reneged on the deal. FTA:
Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software
The story goes, according to my friend, as such. Apparently, the programmer and one of the other guys decided they were just going to take the info, which was easy to do since Omnivox is such a terrible system, by breaking in. While doing this, they discovered the flaw and used it as leverage once the school noticed they had accessed the system and approached them. The other friend played innocent and the programmer got the flak for it, eventually being expelled.
This was by no means a white hacking deal. Also, these guys have been exploiting Dawson's system for a while to print for free and other such things.
It's interesting how many articles like this we get on slashdot. Just makes me wonder how easy it is to skew a story a certain way regarding a subject like programming which so many people know nothing about. If they found something, what were they doing looking in the first place? Well, sometimes people are just dicking around or curiously looking at how bad a system is, but sometimes they are - like in this case - breaking in to steal specific information for personal gain.
You're an idiot. You signed something under threat of prison / arrest without bothering to consult a lawyer.
Actually, that's exactly what he should have done. If you're ever presented paperwork, and presented a choice at which point you must choose right there and then, sign it. It's compelled/under duress.
Several of my former employers had a policy on termination where you must sign an agreement stating you won't sue for anything (wrongful dismissal, etc) in order to get a generous severance package. But, you have to make that agreement there, in the room, before they walk you out of the building. I ran this past a few lawyers, and they all said the exact same thing: if you're under duress, sign it right away. Agreements that are signed under duress are void.
The lesson to be learned here is: if you're in college and someone threatens you with any sort of legal action, don't say a word, just walk out, and walk straight into a lawyer's office. Immediately. While I was in college I got sued/fined/thrown out of different places so many times I've lost count. The college and college police think they are the law and use their power to manipulate and harass students they don't like.
I once had the police looking for me for 3 months to ticket me for lighting some firecrackers on New Year's at 2am. It was a ridiculous cat-and-mouse game, and they refused to give up. Finally they "caught" me and gave me a ticket. It went to trial, for God's sake. The city paid for eyewitnesses to testify and everything. It was a $100 fine and I won the case. It probably cost the city tens of thousands of dollars to screw with me for about 6 months. In the end, on the way out, I patted the DA on the shoulder and said "See ya next New Year's!" and he laughed. What a joke.
Get a lawyer, and get one fast. Don't sign anything, don't talk to anyone anymore. They will do anything to win. Including showing up at parties, undercover, asking where you're at. Or sending you tickets via registered mail. Just get a lawyer and be done with it.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
So he reports a flaw in the software and then two days later IT detects a possible surface attack on the website which turns out to be him using software that finds other exploits. Seems to me like the student is a moron.
Sorry dude welcome to the real world of consequence.
In Quebec, legal drinking age is 18... vive la difference!
Lesson Learned - don't report the security holes you discover. Apparently it would have just been better to exploit or sell it.
OTOH, I have seen that when you get into the class of people that like to gain power over others, such as school administrators, you have people that are broadly ignorant of realities, such as that the vast majority of people are NOT out to get them, and are NOT terrorists, etc. Canada is not an exception to the "higher-ups are more often bad people than ordinary folks" rule.
You misspelled "they fucked you, so fuck everyone else". People who'd get "fucked" are other students.
Yeah, because being involved in a subsequent cyber attack will cause the school to realize the error of expelling him after his second cyber-attack.
You mean other parts of the world don't automatically assume that the white man is racist?
People around here always seem to forget that many of the submitters lack the ability to correctly interpret what they read, so article summaries are often quite misleading. I was just about to comment that things may not at all be what they seem, when I read your post. Thanks for that. I have lost count of how many times an article will say something and the submitter will come to the exact opposite conclusion of the point that the article is trying to make.
Wow. Such vitriol. If you try you can troll even harder.
OTOH.
Lets look at what happens when you let Islamists have their way in your country for a bit.
Let's look at France.
Let me go on record. Without being AC.
Islam is a religion that allows no other religions to exist.
Everywhere it has taken hold and become dominant it has used that dominance for evil.
Fuck them.
Here is the relevant section of the article;
After an initial meeting with Director of Information Services and Technology François Paradis on Oct. 24, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”
Note that jail was only mentioned after Acunetix was run.
Slashdot article summary is very misleading at best. He was not expelled because he reported a security flaw, he was expelled because he ran Acunetix, a website vulnerability scanner, after he reported the vulnerability, without permission of the web gods. Although there was no malicious intent by Ahmed Al-Khabaz, he stepped over the line and the University was not in a forgiving mood, arguably vindictive.
Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.
“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”
For reporting the vulnerability in the first place, he was thanked by the University, but they did not take kindly to using Acunetix -- I would certainly agree that the university over-reacted, but they were not punishing him for discovering a vulnerability.
This can't be stated enough.
First of all, I have to wonder how he found the problem in the first place, if he used Acunetix to follow up later to see if it had been fixed. I doubt he just "stumbled" across it, frankly; when I want to check to see if a flaw has been fixed, I use the same method I used to discover the flaw in the first place. And they allude to this...that it's the second time they've seen him in their logs that way. So I get why they would have their doubts about the purity of his intentions, especially since Acunetix is commercial software that he probably would have pirated, given that the trial version would have expired between the first and second tests. A lot of malicious scanning is done with this tool; I've seen it showing up in the logs of many clients over time. So again, that's another thing to cast doubt on the notion that he was just writing an API and happened to stumble across bad coding. If I look at it from the school's perspective, I can see why they were spooked. And I definitely have to question the way he portrays things as having taken place. You don't run an application security scan against someone's infrastructure without their permission, period. And this is why.
As for the software company threatening with legal action, that's nothing to do with the university. Yes, vendors go off the deep end over vulnerabilities, especially when they smell blood in the water because the person reporting the vulnerability has unclean hands. But the actions of the university are one thing, and the actions of the vendor are another.
For your security, this post has been encrypted with ROT-13, twice.
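As an added illustration of the point above about scanner traffic showing up in server logs (this is not code from the post, the college, or Skytech): a small Python triage script that groups Apache combined-format access lines by source address and flags the behaviour a web vulnerability scanner leaves behind, namely a burst of requests in a short window, many distinct paths with mostly error responses, and a tell-tale User-Agent. All addresses, paths, timestamps and User-Agent strings are constructed for the example, and the marker list is an assumption about strings scanners commonly send, not a vendor signature.

```python
"""Flag scanner-like sources in web server access logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: substrings that scanners often put in their User-Agent. A hint, not proof;
# real tools can be told to spoof a browser UA, which is why the behavioural checks exist.
SCANNER_UA_MARKERS = ("acunetix", "nikto", "sqlmap", "nessus")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_scanners(lines, window=timedelta(seconds=60), min_burst=20,
                    min_error_ratio=0.5, min_distinct_paths=15):
    """Group requests by source IP and return {ip: [reasons]} for scanner-like sources.

    Three independent signals: a scanner marker in the User-Agent, a burst of at least
    min_burst requests inside `window`, and forced browsing (many distinct paths with a
    high share of 4xx/5xx responses). Sources with no signal are not reported.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        if any(mk in r["ua"].lower() for r in recs for mk in SCANNER_UA_MARKERS):
            reasons.append("scanner user-agent")
        # Sliding window over sorted timestamps: largest request count fitting in `window`.
        peak, j = 0, 0
        for i in range(len(recs)):
            while j < len(recs) and recs[j]["ts"] - recs[i]["ts"] <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= min_burst:
            reasons.append(f"burst of {peak} requests within {int(window.total_seconds())}s")
        errors = sum(1 for r in recs if r["status"] >= 400)
        distinct = len({r["path"] for r in recs})
        if distinct >= min_distinct_paths and errors / len(recs) >= min_error_ratio:
            reasons.append(f"{distinct} distinct paths, {errors}/{len(recs)} error responses")
        if reasons:
            findings[ip] = reasons
    return findings


def _line(ip, ts, path, status, ua):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample: one ordinary student session, one source that announces itself in
# its User-Agent, and one browser-looking source probing 25 paths in 25 seconds.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/18.0"
LOUD_UA = "Mozilla/5.0 (compatible; acunetix-style test agent; constructed)"
QUIET_UA = "Mozilla/5.0 (compatible; ExampleScanner/1.0; constructed)"
PROBE_PATHS = ["/admin/", "/backup.zip", "/.git/config", "/phpinfo.php", "/config.bak",
               "/login.bak", "/old/", "/wp-login.php", "/test/", "/staging/",
               "/api/v1/users", "/.env", "/console", "/debug", "/upload/", "/tmp/",
               "/cgi-bin/", "/server-status", "/.svn/entries", "/dump.sql", "/admin.php",
               "/manager/html", "/xmlrpc.php", "/install/", "/setup.php"]
SAMPLE_LOG = [
    _line("192.0.2.10", "24/Oct/2012:10:00:01 +0000", "/login", 200, BROWSER_UA),
    _line("192.0.2.10", "24/Oct/2012:10:00:09 +0000", "/grades", 200, BROWSER_UA),
    _line("192.0.2.10", "24/Oct/2012:10:00:30 +0000", "/schedule", 200, BROWSER_UA),
    _line("198.51.100.7", "24/Oct/2012:10:02:00 +0000", "/", 200, LOUD_UA),
    _line("198.51.100.7", "24/Oct/2012:10:02:01 +0000", "/login", 200, LOUD_UA),
] + [
    _line("203.0.113.5", f"24/Oct/2012:10:05:{i:02d} +0000", p, 404 if i % 5 else 200, QUIET_UA)
    for i, p in enumerate(PROBE_PATHS)
]

if __name__ == "__main__":
    for ip, reasons in detect_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The thresholds are deliberately conservative so that a student clicking through a handful of pages never trips them; tune `min_burst` and `min_distinct_paths` against a baseline of your own traffic before alerting on them.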
That's one of the dumbest things I have heard. Oops, you found a hole and pointed it out, you're expelled.
IT / tech schools do a better job there; CS is more on the programming / high-level design.
This is more of an IT / sysadmin / networking issue, and most CS classes fail to teach that part the right way, or just cover it in a very top-level way that may tell you about the tools but not how to deal with their outputs / where the hole came from.
Just because he had an Islamic name
What's "Islamic" about the name? If you said "Arabic", now that would be something else...
I think you totally miss the point. Bigots don't really double-check their math; that's why there was a rash of Hindus getting assaulted after 9/11. So any name that is based in Arabic or Farsi (or, if the bigot in question has been abroad, Pashtu, Urdu, or any number of languages used in Central Asia) is, by assumption, "Islamic," when you're discussing prejudice against Muslims.
For your security, this post has been encrypted with ROT-13, twice.
He wasn't expelled for uncovering a software flaw. He was expelled for continuing to exploit it two days after he made the report.
Ahmed Al-Khabez certainly appears to be an Arab name. Al-Khabez may or may not be "Islamic," (probably is), but Ahmed is definitely a Muslim name: Christians or Hindus are very unlikely to have it. But why is his name relevant to this story?
Who bought the third party software with the security flaw? What, if anything, was their relationship to the vendor?
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
I remember finding a similar security flaw in the printing system of Waterloo University that would kick the system into some administrator mode full of everyone's usernames and passwords.
Troll is not a replacement for I disagree.
By not co-ordinating his follow-up testing with anyone (the vendor, the school, etc.) he was caught exploiting a known weakness in the software.
He had no responsibility or right to attack the software a second time; call it "testing" if you like, he chose to attack the software using the exact same exploit he warned them about earlier.
It wasn't his job to "test" their fix.
14 out of 15 professors chose to expel this student - a student who claims to have been "acing all his classes" - there just might be more to the story than this student is sharing with the reporter...
Ken
You can use different email addresses for the free trial
What's "Islamic" about the name? If you said "Arabic", now that would be something else...
You are right, technically speaking, but since 95% of Arabs do in fact practice or consider themselves part of the Islamic faith, I would say that your comment is bordering on pedantic.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
Nice try. But it wasn't his window he was trying to force.
That made him sign the NDA
PocketPermissions Android Permission Guide
Idiot? I think that your posting is a great example of idiocy, so should I call you an idiot? A person may be unwise and behave foolishly, but that doesn't mean that the person is an idiot. Clearly, the man had sufficient intelligence and technical savvy to get into that mess. You, sir, come off as someone who clings to some shred of understanding of legal matters and lies in wait for opportunities to wave it in the breeze like a flag of honor. Heck, I'll bet you don't have a clue about IP laws in Canada and Quebec.
Recording conversations in Canada only requires single party consent, thus as long as you are a party to the conversation, you may record it. This goes for the phone or in person. However, if someone else walks in the room and talks to the other party (or the phone rings and the other person picks it up), you'd have to turn the recorder off.
In this case, publicly recording the conversation is the best, because it will make the aggressor rethink what he's saying, lest what he says be made public.
The software company was made to look incompetent and was then expected to spend their own money fixing the problem. I would not be surprised if they were out to get him from the moment they were told. Tell him about the progress? You've never worked in a software company, have you?
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
It seems a big issue that the NDA was supposedly signed under duress. To me duress is something like "sign this or we will burn down your house". In this case it is more like "Given that you have now started to illegally use hacking software we are concerned that you will spread this information to others who will cause bigger issues. As a consequence of your illegal action and to protect ourselves we require you to sign this NDA. Failure to sign it shows inclination to spread this information, therefore we will have to bring your actions to the police if you do not sign it". To me that is not duress, as it is the direct consequence of Al-Khabez's actions.
The stupidity of this story is that it is a bright person who has few social skills. Sure he was praised for finding the bug. Then he just had to test it two days later. I can just hear the thoughts going through the president of Skytech's mind, "It's great that you found the flaw but run a hacking suite on our servers and your ass is grass." Ever hear of poking the bear? Skytech is probably a little sensitive that a major flaw was found. Now you look for more when that is probably what they are already doing? And only after two days? I guess the college student doesn't understand enterprise level software releases, as it can take more than a couple of days to get a fix into the field. There is testing and scheduling to be concerned with. Had Al-Khabez waited a month and tested just the vulnerability he found I doubt there would have been an issue. Instead he ran a hacker suite after two days.
Well said.
Just an additional note, since nobody else seems to have mentioned it: the student may have been a minor and the NDA unenforceable against him. It seems the age of majority in Quebec is 18.
Contracts signed under duress (Sign this or I call the cops) are unenforceable. There your entire tirade was for naught.
OP is just showing a classic example of the just world fallacy. This guy is in a bad situation, so he must have done something bad to get there because the world is just. Everything is always the victim's own fault and people like the OP are common enough that you'll usually find at least one of these people ready to interpret any event along these lines.
When did threats become illegal?
Blackmail/extortion has pretty much always been illegal, Chief.
*The More You Know*
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Not that I agree with that ledow idiot, but this isn't the US where you're allowed to kill people in other countries three years before you can buy a six pack. He's legal to buy alcohol in Quebec.
Most people reach CEGEP at 18, sometimes very rarely at 17. Not that it matters, because if you had bothered to read the fucking article you'd notice that the first sentence of the second paragraph states he is 20.
Perfect analogy. Mod parent up please.
14 out of 15 professors chose to expel this student
Indeed this is the part I find the most telling that there is more to the story. Would all these professors really have conspired to avoid embarrassment for the college? Or, is there something these professors knew that isn't in TFA?
He found a flaw, waited two days, and then proceeded to use a general purpose tool. While this is most likely naivety on his part, it could also be something else we're not aware of.
But we don't have the logs, nor do we have info on the original vulnerability. If I were a professor given the info in TFA, I would not have expelled him. And that is what doesn't add up. If a professor had evidence that his intent was more than to just verify a fix, then the 14/15 vote begins to make much more sense.
PocketPermissions Android Permission Guide
I heard that they also make watches that record...
Arabs, Persians and Europeans have shown that they cannot interact peacefully. There are places in the world where Islam co-exists with other religions quite happily, even places where it has done so for centuries. Religion has much less to do with it than cultural friction which long predates Islam (and Christianity, for that matter), though certainly religion has become woven into the issue as well.
As far as France being a cautionary tale about Islam run amok... yeah, right. Islam is a minority religion in France, and will remain so for the foreseeable future. There is literally no risk that the extremely dominant French culture is going to vanish, though it will certainly pick up a few hints from the immigrant cultures as the younger generations who always drive cultural change assimilate across racial and cultural lines. This is a normal, healthy process which we in the States refer to as "the melting pot," France will be stronger, socially and culturally, once they get past these awkward early stages.
Try not to take me more seriously than I take myself.
Also, running a pen-testing tool on someone else's network without written permission is just a dumb move.
Actually, running a pen-testing tool is, by itself, not a dumb move (as long as a proxy is used).
But running a pen-testing tool, and then telling the owner of the network about its findings, that is a dumb move. If you absolutely have to tell anybody about what you found, tell the press, not the owner of the network!
Although no malicious intent by Ahmed Al-Khabaz, he stepped over the line and the University was not in a forgiving mood, arguably vindictive.
Note that Dawson College is not a University, you cannot get a bachelor's degree there. It is closer to a technical college.
ID: the nose did not occur naturally, how would we wear glasses otherwise? (apologies to Voltaire)
That wouldn't hurt the university as bad as it would hurt the students.
Can you be Even More Awesome?!
If you find an unlocked door and don't enter, you can't (legitimately) be accused of breaking and entering, nor of merely entering/trespassing. If you come back two days later and check to see if the door is unlocked, and still don't enter, then you haven't committed a new crime.
Cyber crime laws tend to be quite draconian compared to real-world laws, so it's quite possible that he could have been charged under Canada's laws; he certainly could have been charged under the same law Aaron Swartz was charged under.
(that is, were he in the U.S. and not in Canada, of course).
It's Quebec, not the U.S. We refer to Arabs as Arabs and Islamists as Islamists, not to both of them as terrorists.
Honest! I was just trying to make this mobile app so I had to hack into your system and I found this sloppy code that let me in!
What part of "Do not access things you are not authorized to access" do these people not understand?
If you stumble onto a defect in an information system while developing an application front-end to that system, there is no unauthorised access. The level of intelligence on /. has decreased significantly from the early days. More's the pity.
Since his personal info is in this system, it is indeed his "window".
Look, there are real problems and challenges with immigration but when you oversimplify things into grandiose claims like these, you make the real problems worse. I live in the heart of multiculturalist Canada (in the same town this article took place in). We do occasionally have issues with small pockets of Muslim immigrants who want to enforce their religion, but this is a rarity. The vast majority of Muslims you meet in this town are polite and mind their own business. I sit next to them every day on the metro and I assure you, they are the opposite of scary. Media hype and the availability heuristic... we should be old enough to see past these things by now.
"The single biggest problem in communication is the illusion that it has taken place." George Bernard Shaw
Minor correction: Dawson is not a university, it's a college. In Quebec, it's the step before university, but since he was studying computer science it was akin to a trade school. He would be lacking the prerequisites with that program to go into computer science at the university level, except at ETS in Montreal.
Sounds like what he got in trouble for was being a responsible developer and informing the university of the flaw. He got praises from the developers and IT people from the company who wrote the software but then the president of the company (not the university) went apeshit and claimed he was hacking them. I suspect the University was unhappy with the company for the problem and the company decided to take it out on the person who embarrassed them.
Ah, calling someone a pedant for not agreeing with your made up statistics, nice.
Don't complain about syntax, grammar, or spelling. There is no.hell like input on android.
Write "This was written under duress and I do not agree that by signing it I forfeit any rights I have in law", and then sign it.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
This is Canada. We saved the black people.
Don't complain about syntax, grammar, or spelling. There is no.hell like input on android.
It is 100% illegal for you to try and force the latch on my window, just to make sure the new one is secure. Also, depending on jurisdiction, that might be considered legal justification for me to use lethal force to protect my home. I strongly advise that you DO NOT try that in Texas.
Try not to take me more seriously than I take myself.
Yes, but you'll have a bit of a problem when you try to install it on your system, won't you? The software is cognizant of having been there before.
For your security, this post has been encrypted with ROT-13, twice.
Burglars also tend to find sloppy locking. So, will they get a get-out-of-jail card?
Burglars typically go to jail for the act of burglary, not the finding of poor locks.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
I suspect that the professors were not conspiring, but whoever prepared the package of information for them probably did give them a rather selected view of events. The kid screwed up by pinging to see if the issue had been fixed, but given how often industry has a bad habit of burying issues and his concerns about the real world harm this problem could present, I cannot blame him for his desire to find out if they had made good on their promise to correct it.
I generally agree that with the information in TFA a professor would be unlikely to expel, but I have seen administrators (who often do have an incentive to protect either themselves or a corporate partner) passing along slanted stories, esp. if they are just taking the word of the company.
What the heck! I've been using MS-Win since 1987 in one form or another. I've never published a complaint. It is all by word of mouth. No published incriminating evidence. hmmm...
Also should not read "university". It's a college, which is not a university in Quebec, and in his case akin to trade school/tech college (he wouldn't meet prerequisites for university CompSci, but can find a job).
Arabs, Persians and Europeans have shown that they cannot interact peacefully.
You silly, where did you get that idea? Persians had never had problems with others - until Islam came, that is. Arabs are as variegated in their beliefs as any European, and Europeans are willing to lure just about anyone into Europe. Show me the "cannot interact peacefully" part, would you?
There are places in the world where Islam co-exists with other religions quite happily, even places where it has done so for centuries.
As an atheist with a few Wiccan friends, could you direct me to the Islamic country that would welcome us with open arms?
Ezekiel 23:20
The vast majority of Muslims you meet in this town are polite and mind their own business.
The problem is, it was the same with Christians until the fourth century. Then the actual horrors started.
Ezekiel 23:20
he used Acunetix
So in other words, he's a script kiddie? They're going nuts over that?
A lot of malicious scanning is done with this tool
What makes scanning so malicious? What's next, getting into trouble for trying to telnet to random IP addresses? Is it now a crime to point nmap at school IP addresses? Maybe surfing to their website and repeatedly hitting F5 is a reprehensible DoS attack?
Acunetix is commercial software that he probably would have pirated
Even if that's true, which you do not know, so what? I don't see where that has anything to do with the issue at hand.
I can see why they were spooked
Well, I can't. They can fix the flaws, it's not like that's hard. Might even have to hire a few competent programmers! Instead, they reached for the assault weapons. If they pump enough bullets into this messenger, maybe they can erase his message as well as him. We ought to take these legal powers away from these bozos.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
The two might look the same for USians. You see, in Canada, we don't sue you for getting hurt while robbing you. Don't even sue you for not saying sorry after you bump into us. In fact, lawyers are almost mythical creatures here, less direct spawns of satan.
Canadians also don't expect people to act completely irrationally, or aggressively, because we're a pretty decent people to begin with. We aren't extremely paranoid and cautious, mainly because we aren't constantly trying to surpass the Joneses nor do we step on others to get ahead.
So, yes, Canadians are a bit naive when exposed to the type of stupidity that has been rampant in the US for decades.
Don't complain about syntax, grammar, or spelling. There is no.hell like input on android.
Actually, Ahmed/Ahmet is an Islamic name, like Muhammad. Same as how only Christians get named "Jesus" (though almost always in Spanish speaking countries).
http://en.wikipedia.org/wiki/Ahmad
We follow rules because they're rules. You'd be surprised how many people get run over in Canada just because the signal told them it was time to walk.
Don't complain about syntax, grammar, or spelling. There is no.hell like input on android.
He's not an idiot. He was in an intimidating situation. People respond that way all the time.
The classic situation is to be stopped by a cop on the street. The standard legal advice is to refuse to talk without a lawyer. The reality of the situation is that people can't exercise their rights.
If you don't understand that, you're an idiot. (Since we're in hysteria-land, I'll adopt the language.)
Yes, we do the same thing, here, in the US. I am not apologizing for the idiots that do. And I'd have to add that most Americans understand the difference.
People != Sensationalist Media
People != Government
Many of us are ashamed of them.
Montreal is not the fourth Century in the East, it is the 21st century in the West. That's a terrible analogy--by that logic I could prove anything I wanted, just draw a specious analogy with vastly alien historical situations to prove anything evil. After all, history is violent and nobody is innocent if you go back far enough and make ridiculous comparisons. What you are doing is akin to religious people who try to claim Atheism is evil by citing the massive amount of deaths in China. It's irrelevant.
You have to look at the reality that exists in the now. We've far, far more pressing social issues here than oh so scary Muslim families who are going to their mosques and working their day jobs.
"The single biggest problem in communication is the illusion that it has taken place." George Bernard Shaw
What happened to the security hole?
Don't complain about syntax, grammar, or spelling. There is no.hell like input on android.
The rule here is to never sign an NDA in this case. Go public and burn the company in question with the media. Threatening people with jail when they discover an exploit in software is counter-productive and just plain stupid. The president of Skytech clearly doesn't understand software or computers in general. In fact, I am sure that he is just a plain capital asshole, as you can find them in companies everywhere.
The other way to do it is to say, "I want to get a lawyer first before I go to that meeting," and then take as long as required to get a lawyer. You don't have to go to a meeting on their schedule. If you never get a lawyer, too bad. Don't go to the meeting.
You can be sure they'll have legal advice, so you should have legal advice too.
Another good thing to say is, "Could you send me a letter telling me what this is all about?"
These are things that people learn to say after they've had a lot of experience with these things. It's hard to think something like this out the first time somebody springs it on you.
I second the idea of openly displaying an audio recorder. They probably have an audio recorder too (or at least some way of taking notes). If they object, say, "Why do you object to having an accurate record of the meeting?" (The reason they object is that they're going to have several witnesses there, and if there are any disagreements about who said what, it will be two of them against one of you.)
Matthew 28:19-20:
"Go ye therefore, and teach all nations, baptizing them in the name of the Father, and of the Son, and of the Holy Ghost: / Teaching them to observe all things whatsoever I have commanded you: and, lo, I am with you always, even unto the end of the world. Amen."
Same goes for Christianity. Your friends going around telling people about the good news are actually being good Christians. Also, I've never heard of any Islamic people in the Western World telling others they can't be Christian. Hmmm, maybe because the Islamic people you are talking about are called FUNDAMENTALISTS (you have them in Christianity too, fyi).
And don't give us this bullshit by singling out Islam. The majority of the "problems" you would describe, if you were to actually show some examples, are created by social differences and are always the result of both sides not willing to compromise. The majority of Turks, for example, in Germany were given work permits because Germany desperately needed workers in the 70s. Their failure to integrate is a problem for both sides, on one hand, some Germans refusing to accept that these people have different histories, coming from different cultural backgrounds. Moreover, the integration programs that were put into place were not good enough to encourage people to break from their social communities, which in many ways are defined by their religion. Yet, it is very evident that Turkish people segregated themselves in a large way in different communities. The general argument can be boiled down to: "they didn't integrate." "Well, you didn't let them." However, if this was not the case, Berlin wouldn't be the city it is today, nor would Vienna. The same goes for Arabic peoples in France, the Netherlands and many other European countries. Also, Arabs in France are also the result of French intolerance in places like Algeria, for example.
How is it not clear to you that Christians caused the same problems among different sects for centuries until Western Democratic society smoothed these tensions over to a reasonable degree?
Lastly, fuck you and your religion. Neither you, nor it is endangered by Islam. And, maybe you should risk exposure to another culture, it might actually open your eyes or at least make you realize when it would be smarter to hide your racist views from the public.
Nice website you've got there. It'd be a shame if something were to happen to it.
A Christian who speaks Arabic would never have one of these two names
I have a Jewish first name, but that doesn't make me Jewish. And it's been like that since the middle ages.
Ezekiel 23:20
The rule here is to never sign an NDA in this case. Go public and burn the company in question with the media. Threatening people with jail when they discover an exploit in software is counter-productive and just plain stupid. The president of Skytech clearly doesn't understand software or computers in general. In fact, I am sure that he is just a plain capital asshole, as you can find them in companies everywhere.
It feels like a better conclusion is "cover your tracks" no matter how white-hat (and basically harmless) what you're doing is, because the world is full of jerk offs.
Actually this is not entirely true, especially that bit about "beat his wife." In the United States at least it is extremely common for authorities to coerce people into signing things like confessions to a crime that they didn't even commit. Something like 70% of the time police bring in suspects for a crime they can get a confession out of them through some psychological tricks, not even duress or threatening them. This has actually become so bad that lots of courts will not convict or even say a case should go to trial based on a signed confession.
Not all contracts are legally binding as you describe either. There are also many clauses such as things being "unconscionable" in law that prevent a contract from being binding. This is extremely common in the case of EULAs because if you actually read those things they try to put in wording such that you waive half your rights (to things like civil suits, etc.) which is not in any way allowed in a contract. This happens constantly mostly due to legal wording (double meanings and the such) and strong arm tactics used to force people into signing things. People often times believe that this would never happen to them because they are so well-informed, but through a lot of tricks and tactics even some fairly intelligent and mature people can be subjected to this.
Maybe you wouldn't have signed that NDA sure, but it may have actually been just as big a mess because the larger institution is going to use any and all legal loopholes they can to screw this up if they are already trying to force an NDA on you with such tactics. There are also some things you could probably argue that should protect him (in the United States at least, I don't know much about Canadian law) such as whistleblower's protection/immunity which would probably have a very strong leg for him making it better for him to sign it and have it thrown out later.
And mind you I am not a lawyer or anything even close, but this is not as cut and dry as you are trying to make it sound.
Yes, I'll just go pay $5000 for a lawyer. Oh wait, I am a student, so I don't have 5000 for legal consultation.
Doh!
Lawyers ain't free, man. Unless you really are saying he's an idiot because he cannot afford a lawyer.
As a potential lottery winner, I totally support tax cuts for the wealthy
Since his personal info is in this system, it is indeed his "window".
So I suppose you also own Facebook if you have an FB account?
You continue to miss the point. He was not "threatened" until he used a hacker suite on the server. Finding the exploit was not the issue. He went over the line into hacking when he used a hacker suite. Had he stopped at reporting the issue there never would have been an NDA or any "threatening".
Your rule is to be a black hat in every instance. Not a good rule. My rule would be to report the bug and then check that specific bug much later.
So....deceived rather than conspired? I find this also difficult to believe. The professors are (presumably) experts in computer science and had this kid's entire future in their hands. Do you think they would be easily duped?
I wouldn't blame the kid for curiosity either. But I wouldn't vote to kick a kid out of school without compelling evidence of intent *beyond* curiosity (in this case).
So I have a hard time imagining how they could skew evidence so well as to convince so many professors to take this severe an action. Again though, it's hard to imagine since we don't have the logs, nor do we have info on the original vulnerability. What we do have though, is 14 professors who felt there was sufficient evidence to expel him.
PocketPermissions Android Permission Guide
What? In this age of virtual machines and snapshots?
I really doubt that.
Shame it's completely wrong, the window belongs to Omnivox. A better analogy would be that he noticed Omnivox had left their window open and told them, to which they thanked him. He then goes back 2 days later with a crowbar (Acunetix) to test whether they'd locked their windows properly yet.
No, he got congratulated for finding the flaw. He got in trouble for running a vulnerability scan afterwards to verify that the flaw was fixed. He ran the vulnerability scan without the system administrators' knowledge or permission. I agree that he should have gotten in trouble, maybe not expelled, but in trouble because the vulnerability scan could have crashed or corrupted the system.
The worst part of being atheist.... You don't have anyone to talk to during orgasm!
"You're an idiot. You signed something under threat of prison / arrest without bothering to consult a lawyer. No amount of mention of poverty, trust, or even just plain intimidation should have made you do such a thing without first consulting a lawyer." Hmmm, threatening to go to the police if someone doesn't sign a contract. I'm pretty sure that would constitute blackmail in the UK under the Theft Act (making an unwarranted demand with menaces), which is a serious offence with a maximum sentence of 14 years imprisonment; see http://www.legislation.gov.uk/ukpga/1968/60/section/21. Anyone know what the law on blackmail is in his jurisdiction?
perl -e 'fork||print for split//,"hahahaha"'
Since it seems (from the description) that he was congratulated and then criticized by different people, I suspect that the attitude was already there but the action of checking to see if it was patched changed the balance of whose voice was dominant.
Why is this funny? I just finished my second degree and I can say with a total degree of certainty that the only good code I get to see from day to day is either from my Embedded Software Developers or from Software Developers who use C or ASM.
Easy for you to say, but given that his name indicates he's probably not fourth generation Quebecois _and_ in light of Aaron Swartz literally being hounded to death by his own government, that threat no doubt sounded all too real. Western laws and protections have been proven not to be universally applied to those of the 'wrong' religion and tending towards the brown part of the skin spectrum.
Actually, he didn't seem to get into trouble until he ran a vulnerability scan on the site, to "ensure that the issues he and Mija had identified had been corrected"; Skytech saw the scan happening, called him up, and told him what he was doing constituted a "cyber-attack", and THAT'S when the metaphorical shit hit the metaphorical fan.
Metaphorically speaking.
My sig can beat up your sig.
Depending on the culture of that specific university, yes, I could believe they were easily duped. Professors tend to be overworked and these committee assignments can be quite draining. They rarely will sit and do independent checking or even really debate the topic; most of them are willing to just hear the complaint and apply the rules quickly so they can get back to tasks more directly connected to their jobs. The evidence may have been as simple as 'Our long term partner has brought charges against this student for attempting to hack their network. Our relationship with them is important and failure to hold up our guidelines regarding unprofessional conduct could sour the relationship or even lead to legal troubles'. Unless they have a reason to suspect the company is feeding them false or misleading information they have a significant incentive to just believe them.
Unless someone raises a stink, the whole process probably took about 10 minutes.
There are places in the world where Islam co-exists with other religions quite happily, even places where it has done so for centuries.
As an atheist with a few Wiccan friends, could you direct me to the Islamic country that would welcome us with open arms?
I have added emphasis to show you where you are going wrong here. As soon as religion and politics intermingle at state/country level, this is when things start to go horribly wrong. A country should be ruled based on general principles of morality. As soon as you start to introduce a religious element to a country's legal framework, you are setting yourself up for a fall whatever religion it may be.
Just my $0.03 (At current exchange rates, my £0.02 is worth more than your $0.02)
This kid was applauded for finding the vulnerability related to the development of his app. He was expelled because a week later he ran a full exploit test suite on their systems without their permission. If he did that anywhere else it would most likely constitute a crime; he'd be fired from a job for doing so, he'd probably be arrested for doing so against a third party. Expulsion may be too harsh, but this kid is not innocent.
Ahmed is both an Arabic and Islamic name. Ahmed means "most praised" and is sometimes used as a name for Mohammed, the founder of Islam. It is believed that naming your son with this name will bring blessings to your home.
Now, considering this, it does not seem wrong to call it an Islamic name. Certainly, it is a common Arabic name. But why? More than likely, because the most common religion in Arabic speaking countries is Islam.
Is Jesus a Christian name, or a Hebrew name (or, tongue somewhat in cheek, a Latino name)? It is a very common name in Latin America, but then, Latin America is overwhelmingly Christian.
I would be very surprised if Ahmed's family is not Muslim. If they were not Muslim, it seems unlikely they would choose a name so favored by Muslim Arabs. But it is possible, of course.
What's "Islamic" about the name? If you said "Arabic", now that would be something else...
You are right, technically speaking, but since 95% of Arabs do in fact practice or consider themselves part of the Islamic faith, I would say that your comment is bordering on pedantic.
Where do you get that statistic? I know that the media portrays it as practically everyone with an Arabic name or heritage is automatically a member of the Islamic faith, but the statistics do not bear this out. Yes they are the majority, but once you factor in the Christians, Druze and other assorted communities who are generally ignored by the mainstream media you start to see that the figure is almost definitely somewhere sub-90-percent.
Not true. In Quebec, we have the CEGEP system, which is equivalent to the last year of high school and freshman year of university. Dawson is a CEGEP, so Ahmed was almost definitely between 16 and 18.
WTF? OK, I got used to silly things like 100 being 222 in America because of "Fahrenheit" and all that Imperial weirdness. But what the heck is CEGEP again, that twenty-year-olds are "between 16 and 18" in Canada?! Can't you be reasonable -using real-world metrics- at all?
Oh, the beautiful gloss of greality!
xkcd.
[Gotta be redundant by now.]
Have gnu, will travel.
Reporting a bug like this is in itself dangerous. The reason is simple. Companies are often controlled by people who do not understand the technology and the importance of bug discovery. So when this happens, they go on a rampage and punish the discoverer of the bug, instead of awarding him or sending him a thank-you note.
These people do not care about white hats or black hats. In fact, I am not sure if they care about anything other than pure profit.
Nazi: "I order you to sign this non-disclosure form, or you will be sorry!"
Subject: "OK"
Nazi: "Good. Now you are expelled."
Subject: "You forgot to tell me I would be sorry no matter what I did."
Subject's original response should have been "Fuck you, Nazi".
Perhaps they thought he was a Newfie.
Purdue
Again, you didn't get the issue. He was "threatened" because he attempted to hack after reporting the bug; not for reporting the bug.
Instead of awarding him or send him a thank you note.
They did thank him UNTIL HE ATTEMPTED TO HACK THEIR SYSTEM WITH A HACKING SUITE. Just because he reported a bug does not mean their system is free and open for him to play with. He crossed the line into hacking.
"He had no responsibility or right to attack the software a second time, call it "testing" if you like, he chose to attack the software using the exact same exploit he warned them about earlier."
Because it's not like he was a student at that university and his own personal information was at risk or anything, right? Oh wait...
I guess the appropriate course of action was to instead anonymously hint that such a thing is possible and then when someone else takes the data, start a class action lawsuit against the university. Lesson learned.
My reaction to part one would have been "Fuck you, I'm calling the police." (Second, as someone pointed out, such a contract would be invalid, and perhaps a felony crime in itself).
You're over-reacting. Finding a lawyer and filing suit is not that hard, especially today, with plenty of lawyers jobless. University admins are usually not very sophisticated, and make all kinds of stupid mistakes in situations such as these. Plus their attempts at intimidation tend to be pretty pathetic in the end.
I'll interpret it the way you should: if anything Quebec and Montreal are MORE open than the rest of Canada.
Only if you're someone incapable of removing registry entries. Someone who knows enough to use Acunetix is going to know how to do that. Were you even being serious?
If a vulnerability scan crashes a system then there really is sloppy coding.
Anonymous could stop DDoS attacks and instead just run a couple of vulnerability scans to take down their opponents. So much easier!
There's a lot of things that rub me wrong about this post.
1) He's 20. He's supposed to be an idiot. The rest of us are supposed to politely correct him when he does something stupid, rather than trying to convince everyone we're geniuses by calling him stupid.
2) A couple hundred is a lot of money to someone who does not have a professional job. It is my entire life savings. It is my entire cushion. If my car breaks it is what will allow me to continue my shitty-ass job.
It's very easy for someone who makes $30k to think they're superior because they can afford to talk to a lawyer for three hours on no notice. That doesn't mean they are actually superior.
Moreover it's not clear he'd be better off doing that than doing what he is doing. He's not being prosecuted. His college is going to be forced to explain exactly why they thought what he was doing was professional misconduct so heinous he had to be expelled. The guys who made him sign the NDA have apparently been scared off due to the publicity.
Granted there's almost certainly more to it than he's saying. I don't know many compsci profs who would vote to expel a kid on the basis that he'd been too curious as to whether a security hole he'd found (and told the company about) had been patched, but according to the article 14 of the 15 members of the faculty did precisely that. Which implies there's more to it.
It doesn't surprise me what actions the student opted to take. What most people often forget is that he's still very young and getting expelled from college in his eyes could potentially mean his future will be shattered. I can relate to him because I myself am a student, and if I found myself in a similar situation it would be much more difficult to make a decision while it's happening as opposed to from my computer at home. But at the same time it's hard for us to make a form of judgment because we will never truly hear both sides of the story.
If you stumble onto a defect in an information system while developing an application front-end to that system, there is no unauthorised access.
The issue is, according to TFA:
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected.
Harsh? Yes. Despite that, he should have trodden more carefully, I'd say. As nice as finding and communicating the issue is, he should have known that trying to access whatever it was when he was obviously known by said company (and as such being watched) was going to put that company on edge.
The system was public-facing.
What crime would that be?
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
I think he had a right to know if they had fixed it, or if his own private information was still vulnerable to prying eyes.
Attacks do damage. The only thing this kid attacked was the school's irresponsibility. The school acknowledged that there was no malicious intent on his part.
He was not "expelled for finding sloppy coding". No matter how much you dislike schools, Quebec, Canada, authority figures, software, computers, accurate headlines, or terms of use, he still was not "expelled for finding sloppy coding."
What is so hard about swapping the text and adding a comma?
Try it:
Student Finds Sloppy Coding, Expelled From Montreal College
Now it implies a correlation (which there definitely appears to be) instead of libelously explicitly stating causation.
Even though I'm not a security researcher, I have in a distant past stumbled onto security flaws while trying to interface with something. The claim is entirely plausible. You might want to stop taking these pills you're talking about; they obviously don't help.
http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html
Apparently his attempt to test Skytech's system really screwed things up:
“The attack made the College Portal extremely unresponsive for its thousands of users. Had it not been countered, it would have put the College Portal out of order for the entire students and teachers population of Dawson. The attack was traced, and it turns out that it came from one of the students who participated, earlier that week, in the discovery of the security flaw. We therefore decided to be clement, and not to report the attack to the authorities.”
Since the portal serves 250,000 students at numerous schools, this was kinda a big deal.
It was not harmless.
The CBC story has a much more complete explanation of the problems his test caused:
“The attack made the College Portal extremely unresponsive for its thousands of users. Had it not been countered, it would have put the College Portal out of order for the entire students and teachers population of Dawson. The attack was traced, and it turns out that it came from one of the students who participated, earlier that week, in the discovery of the security flaw. We therefore decided to be clement, and not to report the attack to the authorities.”
http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html
the university used this as an excuse to terminate him.
The company was Skytech, not Skynet.
Testing whether the bug exists or has been fixed is not "hacking the system". He used an online security tool. He might have asked for permission to do this, but the most likely answer he would have received would have been a flat-out no. You know why? Because the company in question might not have had any interest in actually fixing the bug. Saying that they are going to do something does not equal that they are actually going to do so.
So checking up on them should be fine. As long as he did not try to exploit the bug (extract data).
Islam isn't actually worse than most religions. In a lot of ways it's better.
Christianity doesn't typically grow under Islamic rule, but it doesn't disappear either. Same for Judaism. OTOH to stop Christianity from destroying Islam and Judaism we needed separate, secular legal doctrines such as America's First Amendment.
Without that legal doctrine, and strong central governments capable of crushing the Christian equivalent of Boko Haram (ie: Tim McVeigh), Christianity would actually probably be worse than Islam because Christianity only tolerates Jews as kinda-right-even-if-mistaken whereas Islam will tolerate all Abrahamic faiths.
As an atheist with a few Wiccan friends, could you direct me to the Islamic country that would welcome us with open arms?
Be fair.
The reason you're welcome in most Christian countries isn't that Christian Government is inherently more moral than Islam, or that Christianity is inherently less evil. It's that Christianity is so bad we had to invent the "freedom of religion," and give the state enough power to protect it.
Islam's actually a lot better than Christianity on a lot of fronts. There's a reason that several modern Christian states were mostly Islamic in the 1300s, but very few Islamic states totally de-Christianized. Until the Jews started actually fighting for Jerusalem anti-Semitism did not exist in Islamic countries, and even after 1948 organized pogroms by governments simply did not happen.
Or are you seriously arguing that Fred Phelps would not be leading a lynch mob to your exact house in the absence of a) the First Amendment and b) the United States Judicial System?
They did thank him UNTIL HE ATTEMPTED TO HACK THEIR SYSTEM WITH A HACKING SUITE. Just because he reported a bug does not mean their system is free and open for him to play with. He crossed the line into hacking.
It isn't a "hacking suite", it is a security vulnerability scanning suite designed to help people protect websites. The young man in question had an interest in making sure that the security hole had been fixed, as personal details of his like his address, social security number, etc. were being made publicly available by this company's sloppy work. He had a right to make sure that these details were not still publicly available. The company made a big mistake going after him like this, because they could be open to litigation for not protecting data properly, and have just called massive public attention to themselves.
Unfortunately for him the way he tested the system screwed it up for thousands of other people:
“The attack made the College Portal extremely unresponsive for its thousands of users. Had it not been countered, it would have put the College Portal out of order for the entire students and teachers population of Dawson. The attack was traced, and it turns out that it came from one of the students who participated, earlier that week, in the discovery of the security flaw. We therefore decided to be clement, and not to report the attack to the authorities.”
http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html
So he basically launched a DDOS attack accidentally. It's really hard to relate that to a property crime metaphorically, so I won't try.
Anonymous could stop DDoS attacks and instead just run a couple of vulnerability scans to take down their opponents. So much easier!
Maybe I am missing the woosh (I usually do), but this is not really true. One of the main advantages to a DDoS is that it makes it difficult to null route the attacker. An attack originating from a single source can be easily thwarted using automated systems.
Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
How many scans are they getting hit with now that they've alerted the world to having vulnerabilities? Come arrest everyone that scans your webserver.
No, they couldn't. Electric utilities are regulated like the monopolies they are. Now what they might be able to do, probably even what they intended to do, is to regulate whether you can hook up a generator in such a fashion that it might inadvertently be connected to their system (which would be bad). But even that is a bit iffy -- you could probably force them to specify characteristics of the proper sort of switch over circuitry that you have to install rather than denying you the ability to connect a generator outright.
And in this day and age, the ability to connect solar to the grid and actually force power back is actually a right granted by the state to the customer in a lot of places.
What makes you think what he writes should have any less legal force than what the company wrote?
I do the same thing all the time. Mandatory arbitration clause in car purchase agreement? Strike through and initial.
If she has the ability to countersign, then she effectively does. If she doesn't have the ability to countersign -- worst case is that the entire contract is null and void, because there was no "meeting of the minds." But you would be laughed out of court if you suggested that the person who penciled in a change to a contract should be held to the original version because the other party didn't agree to the change, when the marked-up contract is sitting in the other party's files, properly countersigned, and there are no signatures on any unchanged version. And you would be laughed out of court if you suggested that the nice lady who signed the contract; who signed all the contracts for all the customers; who sat there every day signing contracts -- shouldn't have signed that modified contract. That's the company's problem, not the customer's.
Well both ideas are speculation on our part, but I think the kid not telling the news the whole story is still more likely than 14 people failed to take their responsibilities seriously because they are overworked. Would you vote to expel someone based on the kind of evidence you are imagining?
If you are right, I find it very sad that these individuals were given the power of expulsion and did not treat that power with respect.
Also I don't see how it is in the company's interest to have him expelled when they already had an NDA. In order to fault the company and the college, we have to presume too many facts. Now they are overworked, coerced, irresponsible, etc etc. Occam's Razor does not like this theory :)
From NicBenjamin's cbc link
Dawson College spokeswoman Donna Varrica sent CBC a statement saying the college stands by its original decision to expel Al-Khabaz.
Varrica clarified the process that leads to expulsion. She said the process includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned.
"When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student," Varrica stated.
Apparently the school told him not to do this and he persisted? Also they stand by the decision and the software company offered him a scholarship and part time job now that the news broke.
So what's really going on here? I know everyone wants to root for the underdog, but perhaps the kid is just not telling the whole truth.
In the late 1980s, I was the sysadmin of a large Unix server at a well-known university, when suddenly the server stopped accepting logins. It seems that the password file (/etc/password) had gotten corrupted. The reason? A well-meaning graduate student had suspected a security flaw and decided to "try it out" to confirm it and then report it. His heart was in the right place, but his judgment was total stupidity: he corrupted a running server used by dozens of scientists "to see if it would work." If he had just stopped by my office and ASKED (we knew each other well), we could have checked for the flaw safely.
So I have a little sympathy for Mr. Al-Khabaz, but he did exercise very poor judgment in running Acunetix.
To continue the analogy, it was the window to the dorm room that the school provided him.
So following your analogy, it would seem perfectly reasonable to me that he should be able to test the security of the mechanisms meant to protect him.
Software sucks. Open Source sucks less.
Montreal is not the fourth Century in the East, it is the 21st century in the West. That's a terrible analogy--by that logic I could prove anything I wanted, just draw a specious analogy with vastly alien historical situations to prove anything evil. After all, history is violent and nobody is innocent if you go back far enough and make ridiculous comparisons. What you are doing is akin to religious people who try to claim Atheism is evil by citing the massive amount of deaths in China. It's irrelevant.
It's *not* a ridiculous comparison. Once a large group of people with the same religion gains majority, with the religion making claim to its own superiority in its holy book, and all of its adherents reassuring each other about it daily, *what* is going to stop them from exercising their power towards their political goals? Their kind hearts? Look at the history. Look at each country where either pre-reformation Christianity (after which the Christians had to become tolerant against their will) or Islam (which has had no actual reformation by now) gained majority, and find me one where people thinking differently *weren't* oppressed.
You have to look at the reality that exists in the now. We've far, far more pressing social issues here than oh so scary Muslim families who are going to their mosques and working their day jobs.
Yes, you Canadians are special :-p, your unique national spirit protects you from things that happen everywhere else. Right.
Ezekiel 23:20
CEGEP:
Instead of completing his/her final year at a traditional high school (as would be typical in the US), the student starts attending a 2-year degree and/or vo-tech school. Completion of the two-year program serves the same function as high school diploma in the US and (depending on the school and program completed) may also serve as an Associates degree.
Usually people complete a program like this before turning 20, but there are many reasons why that isn't necessarily the case.
"Flame away, I wear asbestos underwear"
In the hands of someone not authorized to use it on a web site it is a hacking suite. In the same vein as lockpicks in the hands of someone other than a licensed locksmith are breaking and entering tools. He was searching for vulnerabilities in a site he did not own using a tool that can cause sites to crash. Had he written a script to test just the one he knew about I doubt there would have been an issue.
That is all beside the point I was trying to make in that he was "threatened" for the unauthorized running of the security test software and not for reporting the issue.
Either way, it is easy enough to do with the Evernote app on an Android phone- just push a widget button. It will upload your audio for you, so you don't have to worry much about someone destroying or confiscating the phone. Sound quality is quite good, and plenty of people put their phones down in front of them along with their notepads during meetings ;)
He didn't test the specific bug. He tested all possible bugs. Had he written a specific program to test the single bug I doubt there would have been an issue.
Checking on a production site in two days from a report is also a very short time. It takes longer than that to program and test the fix. Then it has to get sent out and installed correctly.
Like I said previously in this thread, wait at least a couple of weeks and test the single vulnerability not test for every possible one in two days.
I find it funny how no sys admins have chimed in that they would have jumped down his throat for screwing with their systems. Oh right, it's OK to screw with corporations.
Islam's actually a lot better than Christianity on a lot of fronts.
So it's like half-bad software package compared to a really bad one? People will have to live with its bugs longer, because there is less incentive to fix them? And again, given who I am, I'd never be accepted in *any* kind of Muslim society. They'd eagerly backstab me on a Turkish street, I don't even have to go to Saudi Arabia for that.
Sounds like what he got in trouble for was being a responsible developer and informing the university of the flaw. He got praises from the developers and IT people from the company who wrote the software but then the president of the company (not the university) went apeshit and claimed he was hacking them. I suspect the University was unhappy with the company for the problem and the company decided to take it out on the person who embarrassed them.
After he reported the issue, instead of letting the vendor and college deal with the situation he went back and ran a scanner to "see if the problem is fixed". That is the actual issue and that is, indeed, a direct violation of Canadian law. You can check whatever data you receive but scanning someone else's server for a vulnerability without his consent is illegal.
My guess is, the guy was high on the praise he got for his discovery and tried to find more to milk it. Lame.
lucm, indeed.
It's not about ownership. It's about having the right to see whether your data is now secure after having made the previous discovery that your data was indeed not secure.
In the US you can buy condoms at any age, but in many places you can't legally buy porn until 18. It's just as relevant as your silly statement.
Contribute to civilization: ari.aynrand.org/donate
I think you are paranoid, poor chap.
Oh yes I know that. My point was that if a simple vulnerability scan takes out your critical systems, you are screwed.
Here is a quote from the Acunetix User Manual page 21:
NOTE: DO NOT SCAN A WEBSITE WITHOUT PROPER AUTHORIZATION!
Emphasis theirs
It's the old hire the guy who hacked you scenario:
http://www.cbc.ca/news/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html
If you see a door that says "sensitive information here, please do not open door" and the door looks broken, you have two choices, lightly touch the door to confirm your diagnosis that it's broken, in which case you did exercise "unauthorized access", or you report that door without verification. If you report it without verification, then you can't ever tell anyone you found a broken door. You found something that might have been a broken door, but you'll never know.
Yes, it's silly and stupid, but you can't verify a broken item without taking responsibility for abusing it. And lots of people have gotten in trouble for that, and few would want them to quietly back away and tell nobody under fear someone may accuse them of having peeked beyond the broken door.
Learn to love Alaska
See http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html to see what happened after this report.
School still pig-headed; IT supplier less so.
-- hendrik
They wouldn't stab you anywhere. As a Westerner you could be banned from the country, but the Turks aren't suicidal enough to call down the USAF on their heads.
As far as Islamic places you'd be welcome, I think the Balkans and former Soviet states would surprise you. Albania is so anti-religious they actually banned Church in the Constitution at one point. Religion is very important in Bosnia, but it's the "Are you a Catholic Atheist or a Protestant Atheist?" Kind of religion, not the kind where people actually care what anyone believes.
If you see a door that says "sensitive information here, please do not open door" and the door looks broken, you have two choices, lightly touch the door to confirm your diagnosis that it's broken, in which case you did exercise "unauthorized access", or you report that door without verification. If you report it without verification, then you can't ever tell anyone you found a broken door. You found something that might have been a broken door, but you'll never know.
Yes, it's silly and stupid, but you can't verify a broken item without taking responsibility for abusing it. And lots of people have gotten in trouble for that, and few would want them to quietly back away and tell nobody under fear someone may accuse them of having peeked beyond the broken door.
He didn't touch lightly. He ran a penetration test software suite against it.
I think you are very generous. The vendor does really have the authority to have the student ejected. That points a finger at an overly cozy relationship between the vendor and the university.
Quebec has recently been cleaning house over inappropriate cozy relationships between publicly financed institutions and businesses (for lack of a better term).
Maybe the student union should draw the attention of the Charbonneau Inquiry. The inquiry seems to have a problem with witnesses suddenly flipping their stories. I wonder why.
My bank has public facing computers. If I were to find and exploit a way to access other people's banking data, I'm pretty sure there'd be hell to pay.
I'm pretty sure the US and UK both have laws that would prevent access beyond your authorization. I'd be astonished if Canada did not have similar legislation.
And yes he probably could have handled it better.
As a developer I'd really rather know if the app that I was developing could possibly be used in ways that it's not supposed to be used. I.e. the discovered vulnerability. He reported the vulnerability, and was told that it had been fixed.
Frankly I want to know for myself if the vulnerability was fixed, rather than just relying on someone else's say so before I release an app that I'm developing that may be used in unexpected and undesirable ways.
That said, the test should have been performed with the oversight of the people responsible for the system being tested. Better it should have been tested against a duplicate of the system as a testing environment, preferably with valid but unrelated data. Then tested against the real data system if the test system passes. Again only with administrative oversight.
Finally, an NDA for such a situation should be worded so that the NDA applies while the reported bug is being patched and has been made available to schools and businesses using the system and a reasonable time following that availability to give the admins time to test and deploy the patched system. Once those events have happened, the NDA should no longer be applicable. After all the vendor has addressed the flaw. Additionally the NDA should have an absolute expiration date giving the vendor the incentive to actually fix the problem.
My other concern with this behavior is that as a developer I expect people reporting that they have fixed the identified problem to ask that the person reporting the problem in the first place, follow up and confirm that the flaw is not there any more, and advise them of any other problems that may be detected. That would be an invitation to do exactly what the student did. Check the fix and look for other problems.
That said, those are techniques in the open source community. In the closed source community, it wouldn't surprise me if the vendor was OK with fixing the original reported flaw, but didn't want to learn about anything else, and asked the school to watch out for the behavior that might indicate the student was looking for other flaws, rather than seeking them out themselves and fixing them ahead of time.
You never know...
A penetration suite is the equivalent of trying all the door handles as you walk through the parking lot. You don't open the door, you don't sit in it, you just poke it and see if it responds. A little more invasive than just looking through the window at the door locks, but still pretty non-invasive.
An obvious historical example is the Moors, Al-Andalus.
I'm more worried about Christian theocracy at this point. I'd be worried about the dismantling of science. At least Muslim schools teach evolutionary biology...
Actually there's a lot of other things I'm far more worried about. I'm more worried about dogmatic political ideologies taking over as they do every bit as much harm as theocracy. Muslims are barely a minority, and like I said, I do live integrated with them and for the most part I don't see what the big deal is aside from lots of what if's and bogeymen.
Last I checked there's been a fair amount of protests throughout Muslim nations in the media over the past while.. they're hardly all brain dead dangerous followers... but go ahead, believe they are all the same, believe in your invented bogeyman. You do realize that not too long ago Muslims were actually romanticized, not feared?
"The single biggest problem in communication is the illusion that it has taken place." George Bernard Shaw
...by the company whose software had the bug.
http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html
Not an update - school still behaving like spoiled children.
Everyone who isn't a lawyer is hopelessly naive when it comes to the law. That's why the standard advice for anyone in legal trouble is to say nothing, do nothing, and demand a lawyer. It's also why a standard approach for a party in a dubious legal position is to try to intimidate their opponent into not asking for one by making offers of leniency that must be accepted on the spot, and warning of terrible things that will happen if the offer is rejected.
He was given a second chance.
Then he ran a vulnerability scanner on their server.
Last year our school gave us laptops with Windows 7 (you may have read about them http://news.slashdot.org/story/09/09/27/0252235/au-government-to-build-unhackable-netbooks). Well needless to say, pretty much everybody got administrator access on the laptops within the first couple months of having them. Most of us got a three day suspension and our laptops wiped. Some were lucky bastards and either didn't get caught or managed to bullshit their way out of it.
What part of "Do not access things you are not authorized to access" do these people not understand?
Here are some non-computer analogies to help people like you (who know nothing about computers) understand:
- You notice the boss left his car door open by mistake, and you inform him so he can close it
- You notice the security at your business has accidentally forgotten to lock the doors at closing time, and you notify them so they can lock it
- You notice your neighbor accidentally left his door open when he went out, so you let him know
In this case, what they should have actually done is thanked him and offered to pay him something, since this kind of security work is actually expensive if you hire someone to do it.
My other UID is three digits.
My bank has public facing computers. If I were to find and exploit a way to access other people's banking data, I'm pretty sure there'd be hell to pay.
I'm pretty sure the US and UK both have laws that would prevent access beyond your authorization. I'd be astonished if Canada did not have similar legislation.
Your bank gets scanned several times an hour (if not several times a minute) by half the blackhats and scriptkiddies of the globe, and nobody in the bank's IT dept. would be dumb enough to bitch about it, because they know it's natural on a public-facing system.
Simply scanning your bank and reporting your findings to them is unlikely to get you in "hell" ... unless you act like a dick about it.
You shouldn't scan them without permission - of course. That is not up for debate. But a scan is not the same as gaining - and indeed exploiting - unauthorized access. The school in question here clearly overreacted.
Regarding legislation, you may be right if the authorities decide to make a case out of it. But then again, they'll make a case out of pretty much anything if they are on a rampage. In the US you'll get your ass thrown in jail and/or fined millions just for violating a TOS. Or face 30 years for copying publicly-available data created with tax dollars (ahemm, Swartz?). The fact that such shit happens in the real world really doesn't make it right.
Defining a "scan" as a "crime" is silly at best. Realistically it is an abuse of power and a danger to a free society.
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
Let me guess. You really didn't RTFA ... did you ... ?
Causing embarrassment to a big silverback that can chase you out of the group.
Heh. Would've modded you up if I could. Because that is like the EXACT explanation for what happened in this case.
To me, at a guess, it looks like delayed blowback from the vendor that wanted to find an external criminal instead of being accused of negligence. It seems that when it comes to computer security problems, if you don't have a very clear paper trail with every step signed by every stakeholder, then the one most likely to be blamed will use any tiny excuse to stick a stake in you.
I've seen it before, you walk into a building you've never visited before to do something about a hacked machine you've never seen before and the kneejerk reaction of some loud idiot is to blame the guy that is there to do something to fix the problem - and then they make so much noise that you have to provide hard evidence that you didn't cause it before you can actually get some work done. It's as if you need childcare training to deal with people in these situations.
Short of the fantasy of mind reading that comes down to choosing who to trust or not, so I suspect they assumed the worst.
Yeah... while in the rest of the world we are sane, and it's not illegal to check if a door is unlocked, and you most certainly can't kill someone because you think they are trying to break in.
They promised to fix it immediately. Did he promise to trust them on that?
The moral of the story is it's stupid to do things that impact on system performance and embarrass others when they know who you are. It's a silverback asserting dominance by punishing the young gorilla that revealed the silverback is getting old and slow.
It was probably the cost of not having their software licence pulled. A known buggy site would have been seen as better than having the rug pulled out from under them in half an hour.
I wonder who has access to minutes from the meeting where his expulsion was decided? A lot of universities allow staff to have access, unless of course they pull the bullshit "commercial in confidence" trick to cover things that it shouldn't.
The USA has a pretty weird patchwork of legal systems descended from different roots too.
Sometimes it leads to an International level laughing stock (eg. the highly fractured US electoral system and how it can have weak links like Florida), but I'm sure it mostly works.
Crowbar? To get through an "open door". A better analogy would be a sackload of rats and watching to see if any of them made it through one of the doors.
Either way, this could be seen as checking to see if a promise that was made to him (that it would be fixed ASAP) was kept, and in this case it was not. I wonder if in turn he had promised not to look for more holes. If so it's bad faith all round but he gets to wear all of the consequences.
IANAL
Canada indeed has a couple laws that would be relevant
Most relevant, The Criminal Code section 342 "Unauthorized use of Computer" http://www.efc.ca/pages/law/cc/cc.342.1.html.
This criminal code section is subject to colour of right, meaning if you have permission from the system owner to perform testing, this section and owning the tools to perform this section become OK. If however you do not have permission, the investigation into this breach could expose other CCofC violations, probably section 430 "Mischief", section 351 "Possession of Break-in instruments", as well as something from sections 354-360 which are the possession of proceeds of crime sections.
Side note, don't break in using any technique that involves intercepting someone's communications (eavesdropping, man-in-the-middle) as that falls under privacy laws (CCofC 183-196) which are much more strict and can't be waived by the system owner, only by the sender or recipient of the communication.
IANAL, but for this case I would say the first time he found the vulnerability, there was no intent to commit the crime, he stumbled across it. The second time he was checking the other system to see if the flaw was there which seems like an unauthorized use of computer system. If he had asked the system owner (or manufacturer I suppose) if he could perform tests to ensure the flaw in the system would not be made worse by his code or his system would not be affected by the flaw, he would have been on better legal footing.
and once more IANAL
Cheers
Kenny
CCofC = Criminal Code of Canada
IANAL = I Am Not A Lawyer
Except vulnerability testing in the physical world is equally a good thing. You'll find security consultants do exactly that for domestic and commercial property all the time. It leads to "fixes". IT is no different.
The point about gaining authorisation for testing security is to prove that you are bona-fide, before you're caught. If I am caught "testing" a stranger's locked doors in the middle of the night, yes it is a good thing if I find they are being lax about security and tell them. But I may find it difficult convincing police that this was my true intention from the start.
In your world of "bona-fide unauthorized access", any criminal caught attempting to exploit an online vulnerability need only say; "I was testing it, honest" to walk free.
That's not what he did though, he ran a broad spectrum penetration test on the website. That's quite different to verifying that the specific vulnerability he found had been fixed.
Expulsion may be uncalled for, but it's not like he's some blameless victim; he did a foolish thing by doing that without contacting them first.
There is a petition to help this student, asking Dawson to reinstate him, make him whole financially, and apologize.
The student's experience is normal in dictatorial regimes. Increasingly in our country too, those in authority do not like to be called out or held accountable. They work to squash anyone who dares speak out. Universities especially are famous for this kind of behavior.
What do you do when they don't repeat it?
On the other hand, threatening to call the police isn't exactly incriminating so they might not care anyway.
Thou shalt not point out that the Emperor has no clothes.
Honest! I was just trying to make this mobile app so I had to hack into your system and I found this sloppy code that let me in!
What part of "Do not access things you are not authorized to access" do these people not understand?
I think this is a perfect case for Massachusetts prosecutor Carmen Ortiz. Charge the guy with stealing "Sloppy code worth millions of dollars!" And, by all means, go for that 50 years!
I smell a lawsuit. Ahmed shouldn't take this without a fight.
About 30 years ago I worked on an academic record database for a major university. I too came to the conclusion that the system entailed bad design and "sloppy code" and said something about it. I was fired, asked to leave. Later, I found that the University had lost about $1 million in the effort to implement this system and had to start over from scratch. It taught me about politics and cover-up and that they trump sound technology or even competence, and that academic administrations are very political organizations.
Dawson College is stupid. The next student who finds a flaw isn't going to say a word. What a great recipe for ensuring that all of your security problems remain problematic.
Isn't that how we got Facebook? All the info in the student db was accessible, and so he used it to make a site for commentary?
--- Say something clever. Pretend it was me. Thanks.
Skynet made Omnivox http://www.skytech.com/en/index.sky " We feel that this situation should not prevent such a talented student from doing what he loves most. Just as we are already collaborating with the other student who helped discover the flaw, we will also offer this student to work for us with mandates in IT security in order to allow him to work in the subject area he loves. "
There is an interesting quandary here.
If I walk into a bank I can make a visual inspection to see if they have locks. I can see the vault door, I can see FDIC or the lack of FDIC assertions. I can research the bank's financials and research the validity of any insurance claim.
Now can I do an inspection "scan" to make like discoveries. Can I look at the API/ABI and inspect for flaws that my personal expert experiences tell me to look for?
Disclosure is a wildly different tangle. Should you discover a problem and disclose it in confidence to the authorities there should be no consequence. However who is the authority and who should be notified and how. I would assert() that disclosure is a moral obligation that should be PROTECTED by the law. Non-disclosure seems safe up to the point that in the modern data mining world the act of discovery will leave footprints that cannot be erased and would open anyone up to prosecution/persecution should a pre zero day exploit surface.
Above I used the word expert. In my experience a competent novice is most likely to stumble on interesting flaws. They tend to write naive code that triggers bug after bug. Experts tend to write quality code block after block, checking return value, not overloading variables or functions and not employing the last bit of trickery discussed in class.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
Assuming that there are no major pieces missing from this report, I think that the school management is simply inexperienced in these sorts of things and treats technology like magic. To them, anyone who'd dare to suggest a flaw (much less demonstrate one) in the holy binary box that is their software is akin to a witch - a creepy hacker who by the power of a covenant with the devil aims to make them look like the fools they really are. ~Forgive them father, for they know not what they do. :P
If I can break in, it is my responsibility to do so. And then I show them how I did so they can fix it. If they don't fix it - the crime is theirs, not mine.
The truly loyal subject will neither advise nor submit to arbitrary measures.
If, by accident, I discover they are failing to do so and I inform them of the problem, then I have an obligation to myself and all other facebook users to ensure the problem has been corrected.
IANAL but I don't think you are allowed to blackmail someone into signing an NDA. If they believed that a crime was committed, they are obliged to report it. By saying they will let you sign the agreement to get out of it, they are blackmailing you. If you discover that someone committed murder and state you will not report it if they do X - you have now committed a crime of your own.
Not the best source for legal advice, but http://www.ehow.com/info_8335199_legal-obligations-report-crime.html seems to cover this topic.
When all else fails, try.
I think it is more complicated than that. If you take something from me and I tell you that I'll call the police and have you prosecuted for stealing unless you pay me for the thing you took, I don't think that would be considered blackmail.
Point taken.
If, by accident, I discover they are failing to do so and I inform them of the problem, then I have an obligation to myself and all other facebook users to ensure the problem has been corrected.
But does that give you the right to test their site for all other possible vulnerabilities using a penetration tool without asking them?
Reading comprehension: F.
I think the British had a treaty with Quebec that let them keep their Roman/Civil Law sometime between the end of the 7 Years War & the beginning of the American Revolution.
This is an issue of professional ethics that seems to be sadly lacking. You don't probe somebody else's system without express permission. To do it a second time is clearly deliberate, not an accident.
Here are some non-computer analogies to help people like you (who know nothing about computers) understand:
You notice that there are a couple of thousand cars in a parking lot, and you try to lockpick every single car door, damaging some of them in the process, after you've been told that tampering with car doors in the parking lot is not acceptable behavior and you might lose your right to hang out in this parking lot if you continue.
since this kind of security work is actually expensive if you hire someone to do it.
Script kiddies are actually pretty cheap.
He was not asked to do a vulnerability test, and, like he was warned, there are stiff penalties for attacks. I'm more familiar with US laws on the subject, but would not be surprised for Canada's to be similar.
However, he is apparently not being charged, but being expelled. That is something else entirely. Yes, expulsion may be less severe than the pressing criminal charges, but in light of the circumstances it would have been much more appropriate to involve student affairs and have them explain very clearly what was wrong with his actions and what the future consequences will be. To go from praise to expulsion by one event... something should be very extraordinary about that one event.
Sometimes people forget that students are at a university to learn, not to be hammered into obedience or served up as an example. What was the actual harm of running Acunetix against the application? The "it could have crashed" canard is so lame -- anyone can download a vulnerability scanner. If your service or device is so lame that it breaks from a simple scan then you need to know. And not only that, you *will* find out if it is a public facing service or device. No, him running the scanner was not doing them a service, but the line "it could have crashed" is lame at best and more likely FUD.
We've had students do more actual harm (still fairly tenuous) through unethical and probably illegal actions -- referring them to student affairs always helps. Even for the DMCA (where there is some legislated obligation to act) there is a "three strikes" rule -- and expulsion isn't even the end result.
My point is that he was a student and he needed to learn. For example, not to run vulnerability scanners against targets you do not have authorization for. But this lesson could have been taught without resorting to expulsion.
The Wikipedia entry gives a good breakdown
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
Of course it isn't made up; the Wikipedia entry gives a good breakdown
Except that nowhere in the wiki does it state that. So you made it up. Just admit it.
Don't complain about syntax, grammar, or spelling. There is no hell like input on Android.
He was a student there. He was making sure "his" personal info was secure. The college has a responsibility to make sure the info they collect from paying students is secure.
Before you get upset about this, you should know that he has been offered a job at the very company making the software he exploited. http://news.nationalpost.com/2013/01/22/student-expelled-after-he-discovered-flaw-in-schools-data-security-was-warned-twice-college-says/
Does anyone know the name of this company? Is there a reason we are not naming and shaming this CEO?