CTO Says Al-Khabaz Expulsion Shows CS Departments Stuck In "Pre-Internet Era"
An anonymous reader writes "The Security Ledger writes that the expulsion of Ahmed Al-Khabaz, a 20-year-old computer sciences major at Dawson College in Montreal, has exposed a yawning culture gap between academic computer science programs and the contemporary marketplace for software engineering talent. In an opinion piece in the Montreal Gazette on Tuesday, Dawson computer science professor Alex Simonelis said his department forbids hacking as an 'extreme example' of 'behavior that is unacceptable in a computing professional.' And, in a news conference on Tuesday, Dawson's administration stuck to that line, saying that Al-Khabaz's actions show he is 'no longer suited for the profession.' In the meantime, Al-Khabaz has received more than one job offer from technology firms, including Skytech, the company that makes Omnivox. Chris Wysopal, the CTO of Veracode, said that the incident shows that 'most computer science departments are still living in the pre-Internet era when it comes to computer security.' 'Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment,' he said. 'Teaching students how to write applications without taking into account the hostile environment of the Internet is like teaching architects how to make buildings without taking into account environmental conditions like earthquakes, wind and rain,' Wysopal said."
Interesting timing; not quite the same.
One is Defensive Planning; One is about New ways to use things.
US Government Announces National Day of Civic Hacking
http://yro.slashdot.org/story/13/01/23/1823208/us-government-announces-national-day-of-civic-hacking
_JS
And also a very good explanation. How on earth did they produce such a hopelessly stupid system? It was designed by people who are unready for engineering systems to be used.
I am a big fan of not blaming the victim, as a matter of moral principle. That's a great policy. But it's really crappy engineering design; building something that is designed to rely on the assumption that society can reliably provide perfect enforcement is stupid.
There's another layer of difficulty, which is that it is not always obvious whether something is a security hole or a permissive feature...
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
When did all the computer science programs turn in to trade schools for programmers?
Meh, why fight it. Lower that bar!
Required reading for internet skeptics
All that happened was some young hotshot did something the dept forbids. He paid for that, end of story. How you go from there to "CS depts out of touch with today's world" is beyond me, but then again I'm not some CTO either.
'Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment,'
That's because if schools taught people how to properly test security, the government would label them terrorist breeding grounds. Anyone remember Steve Jackson Games? They released a game where one of the roles you could play was a computer hacker. The FBI called it a "handbook for computer crime" and the "anarchist's cookbook of cybercrime". No charges were ever filed. It was a work of fiction. It still nearly bankrupted them and took many years to resolve.
Schools do not want to teach students because they're afraid of government reprisal if they show a generation just how crappy our national infrastructure really is. As one recent net celebrity put it, "Our security posture is like a dog waiting for its belly to be rubbed." They don't wanna teach people how to find these problems, because it'll embarrass the crap out of The Powers That Be.
Don't blame professors for this. Look higher.
#fuckbeta #iamslashdot #dicemustdie
I can personally vouch for some CS academic professors not keeping up with the internet era. With professors assigning 'relevant' problems like calculating how much space a tape can hold in a file systems class (and never mentioning SSDs), and other professors saying "We'll probably have quad core computers within the next 10 years", just shows how they haven't kept up with the times.
Other professors are better at keeping up with this. Unsurprisingly, the older they are the more likely a culprit of not keeping up with the times.
Like so many things, you have to learn by doing. The only way to learn how to write secure code is to learn how to hack into stuff. Otherwise, how would you even know it's working?
If we want CS students to learn what's really involved in creating a secure system, how about a mandatory "intro to hacking" course?
There's no -1 for "I don't get it."
However, I don't buy that what this student did was hacking (in the cracking sense)
Targeting a system you don't own, or aren't responsible for, and trying to break into it is almost always not a good thing to be doing, and should be considered unprofessional (and unethical) conduct.
Noticing a problem while you are setting something else up, notifying the appropriate people, and checking to see if that problem is gone are very reasonable things to do.
I have been working in Computer Security in Internet Banking for the last 15 years, and while I have had many co-workers who measure their worth by how good they are at breaking in to things, very few of those people have been nearly as good at defending those same things.
Figuring out how to hack a site takes finding one vulnerability.
Figuring out how to defend a site takes thinking about all types of vulnerabilities.
What a rambling bunch of text.
It's like a dumb guy trying way too hard to come off as insightful.
What they are teaching is that it is unethical to run penetration testing against a system without permission. This philosophy is embodied in the ACM Code of Ethics, in section 2.8:
He got thanked for finding the flaw. He got expelled for pen testing someone else's system. Two different acts, two different issues.
I went to school in Computer Science (a new degree) around 1972 at a college where the IBM System/370 was the thing. Hacking was big too, all the best students were into it, exploiting system bugs to gain access to data that was otherwise off-limits such as logon IDs and passwords. The school wasn't stupid enough to keep their student records on the same system though, so while hacking wasn't specifically encouraged, I don't recall anyone getting in any trouble over it. And IBM would fix the bugs as we found them, so by the time I left, the system was nearly bulletproof. We were probably the most valuable beta testers they ever had and worked for free.
Well yeah, 'Computer Science is taught in this idealized world separate from reality' has always been the case. Just like Math is taught in an idealized world separate from reality. If you want to learn to be a coder in the real world, don't waste your time with a CompSci degree, get a 2 year programming certificate at a vocational training school. I never really thought of computer science as preparing anyone for a real job as a coder.
Expecting a computer science graduate to know how to be an application developer is like expecting an architect to have carpentry skills -- the architect may know all of the basic theory and design concepts behind how to build a stairway, but it's going to take him 5 times longer than an experienced carpenter to get it right, and he might have to do it more than once.
Chris Wysopal, the CTO of Veracode, is still using terms like "pre-internet era".
With terminology like that, it sounds like someone is living in the pre-2000 internet era.
- Nec Impar Pluribus, or so I'm told.
Based on what I read elsewhere, the guy received praise when he reported the vulnerability and only got kicked out after he used a third party online scanning tool to verify the status of the system without permission from the university.
"Computer Science is taught in this idealized world separate from reality"
Sadly, that statement extends to far more than CS in the world of academia.
Maybe there should be a slightly different attitude towards breaking into computer systems, or attempting to break into them. However, it needs to be mentioned that if you are learning to skydive the first lesson isn't "what if your chute doesn't open." Similarly, the first project in a chemistry class isn't making dynamite.
What this case showed was a student with some skills could break into a university system. Great. One problem is that the student had little grounding in what consequences might pile up if this skill was used. Like the chemistry student making dynamite the knowledge might be there but no judgement about what to do with that knowledge.
Unfortunately, I don't think the proper response is for companies to hire people like this. They need a lot more work before they really can be expected to use their skills in a responsible manner - and today's corporate environment is hardly the place where people are going to get that. Would a person with the skill to break into computer systems and zero reasons not to do so willy-nilly (especially at the direction of lower level management with all kinds of reasons of their own) be a quality employee? More importantly, would such skills misused result in a good reference on down the road?
We are setting these people up to be unemployable in the future, right after they are exploited.
Like the saying:
Those who can, do
Those who can't do, teach
Muchas Gracias, Señor Edward Snowden !
Sucks to be you.
Everyone can't go on to get Computer Science degrees at universities.
Just like there always being a need for more ditch diggers, the computing world always has a place for 'vocational training school' graduates to do the shitty grunt work like you.
The school's actions seem a bit silly. There are a lot of tech people here -- let's just agree we won't hire from Dawson College.
He ran a scanner against the site causing a DoS. Twice!
He was asked not to. The expulsion is a little extreme but what he did was definitely not justified.
and this guy is standing near the parked bikes. He comes up to me and says, you know, I could easily open that lock. I ignore him and walk away, but I look back and he is standing there right beside my bike, not breaking any laws. So I have a few alternatives. I can walk away and hope he doesn't damage it or rip it off. I can call the cops, but no laws have been broken, or I can unlock my bike and go elsewhere.
Though frankly what I want to do is kick him shitless.
http://michaelsmith.id.au
Smart and actual experience trumping their dumb ass. A lot of companies do this too, not just education.
They want a sheepskin, Lord knows why; I still have to train them,
But when I go for a job my 25 years in the trenches means nothing to them.
Finally you say fuck it and sell shit at the mall or something.
Well, we need more hands-on training / apprenticeships.
The college system is kind of out of date and comes with the full load of fluff and filler classes. Tech schools are roped into the college system as well.
There is lots of stuff that is a poor fit for a 2-year or 4-year plan, and other stuff that needs a lot more hands-on training that is a poor fit for a college classroom, where more of a community college setting is better. Yes, community colleges offer non-degree classes.
Also, the cost of college is getting too high, and cutting down what is now 4-5 years to say 1-3 years can save a lot and make it quicker to learn skills.
Also there is lots of IT / tech work that is not even application development or CS that gets lumped into CS, as the tech schools get no respect.
could easily be making six figures as well.
Hopefully some better college will offer him admission in light of him getting the boot from Dawson.
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
And not Computer Programming. My friend went to college, I went to work. He could design a CPU from scratch, knew how to do visual recognition. Nothing any employer I ever came across found useful. As an employer, later in my career, If I had the choice between hiring somebody with 5 years experience vs fresh out of college, experience wins every time.
My friend's path through CS was influenced directly by the funding the professors got. Machine Vision was a big funder to that college.
Other CS departments turn out people with skills gaps, so it's more of an overall issue of what is being taught being a world separate from reality, with loads of theory.
Yep, and the only way to realize just -how- vulnerable your systems are is to test them out yourself (or have someone do it for you). I'm afraid that many CS graduates know nothing about how the "bad guys" are going to get into your system. They might have vague ideas about how a DDoS works, but it's unlikely they have ever experienced one first hand. To an average person, indeed even an average CS graduate, hacking (in the black or grey hat usage) either consists of just pressing a button or involves many crazy steps that no one can possibly do. A half-assed simulation simply doesn't cut it because it isn't modeled on the real world, and so the students think that their actual work will be done in a vacuum and not in the real world of script kiddies, zero-day exploits and 4chan.
Taxation is legalized theft, no more, no less.
You're missing the last bit:
And those who can't teach, teach college.
He had a test account and was working on an app. I think the school was just very out of touch with real-world IT.
Let's see: he finds a bug while coding his app, then he reports it and they say it was fixed, and then a few days later he tests the bug and it's still in place.
If you are so ashamed of your agreement that you can't discuss the existence of the non-disclosure agreement, you are evil.
We need a law that prevents the creation of non-disclosure agreements that include their own existence. Everyone in the world should be allowed to state they have a non-disclosure agreement.
Just like slavery is going to far for a 'hiring agreement', non-disclosure agreements that are self-referential go too far.
I challenge anyone to ever come up with a situation that talking about the existence of a non-disclosure agreement is somehow wrong.
These machines ruined people so they cannot program, because they learned GOTO and no security. HGR: HCOLOR=7: HLINE 100,100 to 200,200 That is no way to learn graphics. Qt X-Windows!
That is more of an IT class than a CS class.
People doing application development do need to know about making secure code, but other parts fall on the server and web guys, who don't really need the full CS load of application development and theory classes. Also, there are parts of theory that people in application development do not really need, other than at a very high level.
They should be teaching how to deal with stuff like this, but all they did was let him do it on his own and then say you did it wrong, and we're not just giving a C or even a D, and you are not just getting an F, no, you are getting a
SUPER F, as in F for life.
But he was not breaking into computer systems.
He was working on an app and found a major bug in the system.
That's like working somewhere, let's say you're adding cameras or new sensors or even upgrading the fire alarm system in a bank's security system, and you find there is a very easy way to bypass parts of the system and report it, and let's say a few days later you are back doing more work and find that no fix has been done.
Give it a rest dumbfuck.
Wow! What a creative comeback. Really, that was SO impressive!! "Dumbfuck!" Such poetry, and you managed an actual two-syllable word. Most impressive, can I use that? Whatever you're paying your writers, double their salary and give them 2 weeks in Hawaii. That was, dare I say, creative genius! Yes, yes it was.
I may never post again, there's no reason to now, for I have read the ultimate in rebuttals. Someone call the Fox channel!
That is why Tech needs more trades / apprenticeships and not 4+ years CS.
Way too many tech / IT jobs want CS graduates for jobs that need a different skill set.
The NDA likely said don't tell how to get into their system, and they seem OK about him talking about what happened, and even if it did they are not making a big deal about it, as they did not want him to get kicked out of school.
Give them the power to say no to the PHB about rushing the code out with bugs.
Civil engineers have that power.
You're making a very bad assumption that only poor professionals work in minor colleges.
There are countless reasons for working at one university rather than another, the simplest being that it's a place you like or where you have family. Another might be that it provides good promotion prospects rather than only dead man's shoes. And another big one is that it's not a place infested with prima donnas where the only option is to play second fiddle.
Academia has a lot of problems, and choosing the best place to work is not anything like as simple as you portray. Not everybody is driven by high salaries and high prestige colleges. Indeed, the kinds of places you seem to rate most highly are often a huge rat race and not pleasant at all.
While I don't know Dawson College, just because it's small and not well known does not say anything about the caliber of its academics.
Apprenticeships and more trades-like learning are needed, then, with people who have done / are doing the real work, and not some professor who has not, or has been in education all of their life.
GETS JOB ANYWAYS IN COMPUTER SCIENCE.
Screw you school, you are drunk on old age.
There's only so much you can fit into any 1 course, semester, or year (or series of them), after all.
However, I can see teaching "web guys" how to use, say, for instance/example, stored procedures & binding variables to the string to issue to the stored procs - this helps vs. SQL injection attacks. On today's "internet" (the wild west imo), it makes total sense.
As far as "coding defensively" though? You sort of have to "teach yourself"/"grow your own" @ times... & use what you learned to do so!
E.G./To wit, from a post of mine from 2005 regarding "CODING FOR DEFCON":
"You can do what I do though, which makes it HARDER STILL on them (and, as a bonus effect, builds in "native antivirus protection" into the app), which is, believe-it-or-not, hardcoding the application's compressed .exe filesize into the application @ it's initialization (either form/screen creation or show methods), & test it on disk.
If the Win32 PE file changes its size even 1 byte (less or more) from its on-disk compressed size? DO as you like!
After all, this IS what std. type "Virus" do, add size & code to the end of the .exe afaik, so this DOES function as a rudimentary form of virus protection & stops your apps from spreading infectors like those, potentially @ least, because they let you know something IS wrong!
This is what/how I do it in my code @ least. SO, what can you do IF the filesize changes? Well, limits of your imagination, or 'cruelty' I suppose...
E.G.-> Reboot their machines, shutdown the program being 'hacked' or potentially virus infected since it changed its size (what I do), or if you are crueler than myself, anything you like (i.e./e.g.-> Blow their bootsector, lol).
There is MORE you can do to protect against various "debuggers" like SoftIce &/or WinDbg for example RIGHT in your code though, even if they uncompress to attempt disassembly.
API calls like IsDebuggerPresent, or the presence of SoftIce via routines present all over the internet for it (there are many of these)." - by Anonymous Coward on Saturday August 06 2005, @05:46AM (#13257227)
That functions not ONLY to defend vs. disassembly, but also as a rudimentary form of "built-in antivirus" since std. executable/classic viruses bind themselves to the end of a program & alter jump tables to function... this changes their size!
* HOWEVER - Do that on code I wrote? It shuts itself DOWN, terminated...
Thus letting you the user KNOW something tried altering its structure!
(CRC-32 or other types of checks could be substituted but the principle's the same idea!)
APK
P.S.=> Sometimes, you HAVE to use what you learned while you were in schooling for the art & science of computing & "grow your own"...
... apk
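The post above recommends binding variables rather than splicing user input into the SQL text. As an added example (not code from the original post or from any poster), here is the vulnerable pattern beside the bound form, using Python's built-in sqlite3 module against a constructed three-row users table. SQLite has no stored procedures, so this shows parameter binding alone; the table, rows and attacker payload strings are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration; not data from the original post.
USERS = [
    ("alice", "hash-of-alice-password"),
    ("bob", "hash-of-bob-password"),
    ("carol", "hash-of-carol-password"),
]

# Constructed attacker inputs: a tautology that matches every row, and a UNION
# that pulls a different column out through the same query.
TAUTOLOGY = "' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT pw_hash FROM users --"


def make_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Splices the caller's string into the SQL text, so quotes in it rewrite the statement."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Passes the value as a bound parameter; the driver never interprets it as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups against the same inputs and return the results for comparison."""
    conn = make_db()
    try:
        return {
            "honest_vulnerable": lookup_vulnerable(conn, "bob"),
            "honest_bound": lookup_bound(conn, "bob"),
            "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
            "tautology_bound": lookup_bound(conn, TAUTOLOGY),
            "union_vulnerable": lookup_vulnerable(conn, UNION_PAYLOAD),
            "union_bound": lookup_bound(conn, UNION_PAYLOAD),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22s} -> {rows}")
```

With the honest input both functions return the same single row. With the tautology the spliced query matches every user, and with the UNION payload it hands back the pw_hash column through a query that was only meant to return names; the bound version returns nothing in both cases, because the whole string is compared as a literal name. Escaping quotes by hand is not a substitute for binding: the driver's parameter mechanism is what keeps data and SQL separate.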
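The quoted 2005 post checks the executable's on-disk size at startup and suggests CRC-32 as a substitute. As an added example (not the poster's code), the following Python simulates that self-check against a constructed stand-in for a binary: an appending infector changes both the size and the CRC, but a same-size in-place patch is missed by the size-only check and caught by the CRC. The file contents, the temporary path and the "patch" are all constructed; nothing here reads a real executable.

```python
import os
import tempfile
import zlib

# Constructed stand-in for a compiled executable; not a real PE image.
ORIGINAL = b"MZ" + bytes(range(256)) * 4


def fingerprint(path):
    """Return (size, crc32) of the file at path, streaming it in chunks."""
    size, crc = 0, 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            size += len(chunk)
            crc = zlib.crc32(chunk, crc)
    return size, crc & 0xFFFFFFFF


def verify_size_only(path, expected_size):
    """The check as the post describes it: only the on-disk size is compared."""
    return fingerprint(path)[0] == expected_size


def verify(path, expected_size, expected_crc):
    """Size plus CRC-32 (the substitution the post suggests). In a real build the
    expected values would be baked into the binary after it is compressed."""
    return fingerprint(path) == (expected_size, expected_crc)


def run_scenarios():
    """Write the stand-in binary, record its fingerprint, then tamper with it two ways."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "app.exe")
        with open(path, "wb") as f:
            f.write(ORIGINAL)
        size0, crc0 = fingerprint(path)  # the values that would be "hardcoded"
        results["clean"] = verify(path, size0, crc0)

        # Scenario 1: an appending infector tacks its body onto the end of the file.
        with open(path, "ab") as f:
            f.write(b"\xcc" * 64)
        results["appended_size_only"] = verify_size_only(path, size0)
        results["appended_full"] = verify(path, size0, crc0)

        # Scenario 2: a same-size in-place patch, e.g. one overwritten opcode byte.
        patched = ORIGINAL[:100] + b"\xeb" + ORIGINAL[101:]
        with open(path, "wb") as f:
            f.write(patched)
        results["patched_size_only"] = verify_size_only(path, size0)
        results["patched_full"] = verify(path, size0, crc0)
    return results


if __name__ == "__main__":
    for scenario, passed in run_scenarios().items():
        print(f"{scenario:20s} integrity check {'passed' if passed else 'FAILED'}")
```

The size-only check passes on the patched file, which is the gap the post's CRC-32 remark closes. Keep in mind that CRC-32 is an error-detecting checksum, not an authentication code: anyone who can rewrite the file can also recompute and store the new value, so this kind of self-check catches accidental corruption and crude infectors, not a deliberate attacker who has read the program. A signature over the image, verified against a key the attacker cannot replace, is what that threat calls for.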
Professors don't like being shown up and will take it out on students (and sometimes staff) that do it. Obviously not all professors, but a good majority of them are complete asshats. I work at a University and see it first hand (thus the Anonymous posting). You can do something absolutely correctly, but if you don't do it they way THEY want it done, it is wrong.
I obtained a Masters in CS a few years ago. Security was a big topic for the department. We had a dedicated network and set of servers to learn, test and use the type of software that Al-Khabaz used. We do not use it on live networks against production servers. You never do that without knowledge of everyone involved. Same way where I work. Doing what he did would get you fired. If you find a security hole, point it out to the appropriate people. Then let them fix it, don't keep poking it with a stick. If your network and servers have appropriate security monitoring software, this would set off every alarm in the place.
The "http://www2.dawsoncollege.qc.ca/phones/" public website
Name / Email Office Local Position / Department
Alexander Simonelis 3F.22 5058 Faculty
Computer Science
Or give him a call 514) 931-8731 ext. 5058.
Thanks to all
I see coding styles that are downright horrid, that are being taught, and every single College course is so out of date, it's doing a dis-service to the students.
Couple that with a Lazy prof that is upstaged by a student..... and you get this exact reaction.
Do not look at laser with remaining good eye.
Dawson computer science professor Alex Simonelis said his department forbids hacking as an 'extreme example' of 'behavior that is unacceptable in a computing professional.' And, in a news conference on Tuesday, Dawson's administration stuck to that line, saying that Al-Khabaz's actions show he is 'no longer suited for the profession.'
The geek's encounters with the law --- with society as a whole --- have not been ending well for him. The Internet is not his private playground anymore. Intrusions into other people's systems and software may end in a felony charge.
I've no doubt that the geek can still find shelter and support in his own community when things go south, but the climate outside is not so warm and welcoming anymore.
Heh, I ran into 1 like that - only 2 though in 2 degrees & 1 on strictly CS... guy was a TOTAL prick! If you did ANYTHING different than the textbook code he got on your ass about it and graded you down for it - The class was practically CUTTING & PASTING the examples from the textbook for their assignments - THAT IS NOT LEARNING! It is plagiarism!
Man... I couldn't BELIEVE it! I wrote my own work & routines, after all, by THAT point in my career? I ought to! He said I was "overbuilding" my assignments... wtf, who CARES if they work and better than what the current assignment book code even does especially!
I got a shit grade & the rest of my classes were nearly straight A's & ought to have been: I'd been actually DOING THE JOB as a pro for years beforehand!
Told 1 of my classmates about it & he said "WTF? You're the smartest guy in the class!" (yea, well... look where it got me! Kept me off "Dean's List" that semester in fact...).
I didn't even REALLY NEED TO GO THERE, but... I went back to finish up AAS level CS work after nearly 15++ yrs. of working the field as a pro (to get the paper & to move onwards to BS level), & ran into the very thing you speak of.
* Thank the merciful Lord there's only a minority of them out there, @ least in my experience.
APK
P.S.=> There's always THIS "old adage" to describe that 'kind': "THOSE WHO CAN, DO... those who CAN'T? Teach!" & imo @ least?
The type you describe shouldn't do THAT either - they lack pedagogy, but I am certain of 1 thing: People like that eventually end up "nuking" themselves... I've seen it TOO MANY TIMES in this existence (spanning nearly 1/2 a century for me now in fact)!
... apk
does no one ever read the article anymore?
It was on a test server.....using credentials given by the vendor, Skytech Communications.
The mere fact that Skytech supposedly gave him a job offer is enough to think that the department has their collective heads up....well..you get the point.
There's a reason why the legendary Weld Pond would be so vocal and would even say "These kind of people right out of college are the kinds of people we want to hire."
So, I'm sure nobody will mind if I run around checking all the doors in the university to see if they are secure against common lockpicking techniques, including the new one I've discovered myself?
I mean, seriously. Yes, he identified a flaw and reported it. But then he ran a vulnerability scanner across the university network to see if the problem remained? That's pretty poor judgment at the very least. Certainly grounds for investigation on the part of the university. Grounds for expulsion? I don't know. But some pretty severe discipline. Unless you're authorized to do that sort of security scan on a given network, it's not generally regarded as acceptable practice, it isn't particularly ethical to do it, and that principle would probably be discussed somewhere in coursework. And most universities DO have a code of conduct that students are supposed to follow. At some point the thought should have crossed his mind "Should I really be doing this?"
I think he should have gotten a strong warning never to do such a thing again (yes, he should have known better), and that there would be a cost for his poor judgement to make sure it sunk in. Something like: suspension for a semester. Inconvenient and costly, but not as bad as expulsion.
I think it was some time in the 1980s when there was a very strong push to get academics in applied fields to do some outside consulting or perish. Then there's academics such as the head of R&D at the company I work for - two days a week at university and the other three designing and improving equipment and techniques that are used in a commercial venture.
True, but putting that statement here is very misleading because it actually has nothing to do with the situation. In this case the person was a legal user of the software and was authorised up to a point. It looks like they stepped over that line, but where the line lies comes down to fine print in licence agreements and not in criminal law IMHO. It's very different to "Running penetration tests on random companies' resources without prior authorization".
I'm sure you are aware of all that, so why are you attempting to mislead gullible readers here?
Go ahead and go in to a bank, or better yet a government agency. Barge in to the "Employees Only" area, open up a confidential filing cabinet, and start rifling through for your data. See how well you do in court with the "I was just checking to see if my data was being mishandled!"
You learned these rules in Kindergarten: Don't touch what isn't yours, don't break someone else's stuff. You don't get to go and try to bust in to systems you don't own, or have permission from the owner. It isn't just the law, it is common courtesy/sense.
Geeks really need to get it through their skulls that just because you are technically capable of something, doesn't make it ok.
The first person that described to me in detail exactly why the Pentium 4 was crap in comparison to other architectures passed his degree in electrical engineering in 1948.
In the physical world, there is NO SUCH THING as perfect security. You can't design a setup that someone else cannot overcome. All you can do it make it so hard that nobody would try, and multi layered so you hopefully catch something if there is a failure at one level. There's no perfect security, no magic bullet.
Likewise there is nothing that is invincible, nothing that can withstand any and all attacks without problems. Everything has failure points, everything can be broken. You have to use things properly or they WILL fail.
We all accept this as part of every day life. However then when it comes to the virtual world, to computers, geeks seem to think things should be perfect. No system should ever have any security flaw, ever. No system should break or fail, even when subjected to deliberate attack. Everything should be built flawlessly.
Nope, sorry, doesn't work that way. While it is a lot easier to make things more resilient than in the physical world, you still have to assume that failure is possible, that flaws are present and not known. That is just life.
This isn't really about Al-Khabaz. It's about policing the boundaries of the profession. The problem - the reason that there is a culture clash - is that despite attempts for over 40 years, no-one has succeeded in transforming computer programming into a profession. To be more precise, whether programmers professionalized remains a serious question for debate.
Look at the quotes from Simonelis, Dawson, and the ACM:
If programming were a profession like medicine or law or engineering, programmers would acquire higher status, as would organizations like the ACM. From the point of view of managers, programmers are often seen as unmanageable craftspeople with little respect for standard practices of business. For them, professionalization is about controlling and assessing programmers and their work. The rise of computer science, the creation of software engineering, and the creation of the ACM were all driven in large part by efforts to professionalize the field: sometimes more in the interests of programmers, sometimes more in the interests of management.
This comes up again and again on Slashdot. Should there be a standard curriculum or test or other criteria that all programmers should meet? Should we have to belong to professional associations? Should programmers be obliged to follow codes or take legal responsibility for flaws in software? How much should formal education and credentials be valued? Should self-taught programmers be excluded?
These are contentious issues. Clearly Dawson College and Mr Simonelis have an interest in defining and policing the boundaries of the profession. This would enhance their status. But as nearly a half century of debate and ongoing discussion here demonstrate, there is no professional consensus for them to uphold. This is a real cultural divide. Al-Khabaz got caught in the middle, used by Dawson in their efforts to define the profession and their own status. I think that's terribly unfortunate.
For an excellent book on the history of programming and efforts to professionalize it, see The Computer Boys Take Over by Nathan Ensmenger. He argues that programmers are more like technicians than professionals. Like other technicians, their work is often threatening to the organizations that depend on them. And despite the best attempts of computer science and software engineering, much of it is guided more by craft principles than by rigorous scientific or engineering methods.
I answer just the title of your post. I don't care about the rest of it.
was conducted on a test server only, and using credentials provided to him by the company that makes Omnivox.
So maybe he did the test the wrong way, or he may have gone too far, but he is still in school and should be learning how to do stuff like this, not getting kicked out for doing it wrong.
Also, other parts of IT should not be lumped into CS; they should have their own profession.
Well, if you want to see "so what" go read your state's legal code, or the US code. If that is too complex or theoretical for you, go break a law, may I suggest a small one, and get caught. You'll quickly find out "so what."
That's what happened to this guy. He broke the rules, he faced the consequences.
Go ahead and show me the home/business alarm you think will stop me. Go ahead. I can more or less guarantee you can't do it. The reason is I know quite a bit about how they work, since my grandpa has been in the business of selling them all his life, and how they can be defeated. Particularly if you are talking something public where you can look around innocuously and find out what is there. Ultimately they are at their core just a circuit board in a box that connects to sensors, sirens, and maybe a phone line. Break the board, they stop working. If you have one in your house open it up and see what's inside. It is simplistic, and not at all attack resistant other than the thin metal box it lives in.
For that matter, defeating an alarm really isn't necessary if taking something, like say physical data (files and so on) is your objective. All they do is make noise and if they are good ones, call a security company who will eventually call the police who will eventually respond (they aren't that fast, false alarms happen often). That doesn't stop people with guns from kicking in your door, grabbing what they want, and leaving.
Same shit with security guards. You ever have a look at the security that public places like office buildings and malls use? They are unarmed, and low paid. Their job is to call the police if shit happens. It doesn't take much to out-class them, you bring a pistol with you, you've already got them hopelessly outgunned. You think they are going to throw their life on the line if someone holds them at gunpoint? Hell no. For that matter there usually aren't very many. The mall near me has one car that patrols their parking lot at night (I overlook the parking lot). That is it for perimeter security. I don't know what they have inside, but you can bet it isn't much more (maybe not even anyone).
Physical security at homes and businesses keeps out the casual crooks, nothing more. Now that's all they really face; people wouldn't bother with a targeted, planned attack, they just don't have enough of value. They face low level thugs that do vandalism, smash and grabs, that kind of shit. And oh, by the way, it DOES happen. The mall near me gets broken in to at least once a year, usually dumbass teens just causing trouble, and by the fact that they got in, it means security failed to stop them.
They don't get fired, their job isn't to stop everything, it is to report anything they see, and to drive around and look conspicuous (their car is marked, and has a flashing yellow light) so as to scare troublemakers off.
If your house has never been broken in to it isn't because you have amazing security. A burglar alarm and a crap lock do not make great security. It is because nobody has tried. The good news is most of us don't face much in the way of threats to security in the physical world. Nobody tries to break in, or attack us, or the like. It is quite uncommon.
Now that doesn't mean we should just be all lax with computer security, but it does mean that this silly demand of perfection needs to stop. Nothing is perfectly secure.
Fuck that. What he did exposed the incompetence of Skytech, Edouard Taza, the department that wouldn't protect its student and the administration which, by extrapolation, doesn't give a rat's ass about any of their students... generally.
Did they refund his tuition? I'll bet not.
Good luck with any lawsuit in the age of paranoia.
You don't make 'your' administration or its contractors look bad without fear of reprisal. You don't treat the network as if it is yours. You don't piss into the wind. You don't pull the mask off the ol' Lone Ranger, and you don't mess around with Slim.
Skytech gets the kid expelled, then offers him a job? And the Dawson administration says, "Al-Khabaz's actions show he is 'no longer suited for the profession."
Canada has been sniffing its tar sands again.
It is kind of hilarious that he calls it the 'pre-internet' era. As if we didn't worry about security before the internet. Ha.
"First they came for the slanderers and i said nothing."
My experience when looking for a job found it is more like the fact that schools work on a shoe-string budget when it comes to their infrastructure especially IT. They don't want to (can't) pay industry rates or if they do you end up doing more than just IT work as part of your role. So they end up getting people willing to take their lower pay.
And despite the best attempts of computer science and software engineering, much of it is guided more by craft principles than by rigorous scientific or engineering methods.
And the interesting thing about all this is that there's a sizable group of programmers who not only think of programming as a craft, but want it to become even more so, up to the point of resurrecting the old three-level system of professional advancement from apprentice to journeyman then master craftsman. The book that introduced me to the subject was the quite inspiring Apprenticeship Patterns, which I highly recommend for anyone interested. And as usual, Wikipedia offers plenty of references.
Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
So, The Security Ledger (is that Sledger, for short?) wants to tar the whole Computer Science education fraternity (no pun intended) because of this single incident - all CS departments and teaching are considered outdated, because of this? Great to see the Sledger applying the best scientific methods to its analysis!
> Teaching students how to write applications without taking into account the hostile environment of the Internet is
> like teaching architects how to make buildings without taking into account environmental conditions like earthquakes, wind and rain
Architecture students don't test the arts quad for design flaws by simulating an earthquake or flooding the basement.
Apparently, they've been taking a lot of heat - the front page of their web site has a semi-lengthy explanation that the expulsion was for violation of their "professional conduct code", not hacking.
One of the no-no's is "Continual rudeness". How Canadian. Guess Steve Jobs wouldn't have lasted long there...
“Schools are supposed to teach best practice, which includes ethics and adherence to reasonable laws,” -- yes... in some imaginary world they live in that's much more important than fixing exploits in your software. That's the right attitude for having a very hack-able site.
'Teaching students how to write applications without taking into account the hostile environment of the Internet is like teaching architects how to make buildings without taking into account environmental conditions like earthquakes, wind and rain,' Wysopal said."
Except in this case, if I follow the analogy, the student was the earthquake...it is one thing to teach how to deal with the situation, it is entirely another to have said student come stomping in on your theoretical models like godzilla ;)
I find it funny that a criminal offense perpetrated by the student is suddenly the CS department's fault for not being forward thinking enough or modern enough... I didn't realize BnE was suddenly the cool thing to do now... (seriously, this was an illegal act... he is lucky they are not having him charged, but you know... if things keep up maybe they reconsider that option.)
The real problem is, both he and the school are "right" and "wrong".
He is right to: Test the boundaries of applications and identify security issues, to tell the school about it, and to want to know it is fixed.
He is wrong to: attack without authorization, that he attacked a system that is production facing, and contains sensitive data....we only have his word he didn't get anything or made a copy of the data for future purposes.
The school is right to: enforce school policies when it comes to a second offense, remember he was not punished for the first offense. They have the right to enforce their policies, and they had the right to do a lot more considering what he did actually is a criminal offense.
The school is wrong to: Not have disclosed the full details of the breach immediately, not to have documented or given proof they have instructed the student on future action should he do this again (though I was always told ignorance was no excuse... new generation disagrees... even if it's contrary to the law.).
I think the right solution is to reinstate the student, and submit the evidence to the police for criminal prosecution. If what the student did was not illegal, he is back in school and free, if not, he'll have no one to blame but himself at that point.
"password is sent as part of a URL"
If you ever see security this bad, close your browser, fdisk your machine, write multiple series of 0 and 1 to the drive, then destroy it with homemade thermite and never never never speak of it again. Anything else is likely to be a felony breach of an EULA.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
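The "password is sent as part of a URL" point quoted above is worth making concrete, because the harm is not that the URL is visible in transit (TLS covers that) but that the query string is recorded in places the request body never reaches: web server access logs, proxy logs, browser history and the Referer header of the next request. The following is an added example, not code from the Slashdot thread, from Omnivox or from Skytech; the log format, the client address, the `/login` path and the list of secret-looking parameter names are all assumptions made for illustration, and the two requests are constructed.

```python
# Added example (not from the thread or any Omnivox code). Shows why a password in the
# URL leaks: an access log records the request target, query string included, but never
# the request body. Log format, address, path and SECRET_KEYS are assumptions.
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

# Query-string keys that should never carry a credential (assumed list).
SECRET_KEYS = {"password", "passwd", "pwd", "token", "secret"}


def access_log_line(method, target, status=200):
    """Build a Common Log Format-style line, as a typical web server would write it.
    The full request target (path AND query string) is logged; the body is not."""
    return '203.0.113.7 - - [26/Jan/2013:10:00:00 -0500] "%s %s HTTP/1.1" %d 512' % (
        method, target, status)


def _split_request(log_line):
    """Return (prefix_parts, method, target, proto) or None if the line is malformed."""
    parts = log_line.split('"')
    if len(parts) < 3:
        return None
    fields = parts[1].split(" ")
    if len(fields) != 3:
        return None
    return parts, fields[0], fields[1], fields[2]


def credentials_in_log(log_line):
    """Return {key: value} for every secret-looking query parameter recorded in the line.
    This is the check you would run over an existing log to see what has already leaked."""
    req = _split_request(log_line)
    if req is None:
        return {}
    qs = parse_qs(urlsplit(req[2]).query)
    return {k: v[0] for k, v in qs.items() if k.lower() in SECRET_KEYS}


def redact_log_line(log_line):
    """Rewrite the logged target so secret-looking query values are masked. Useful when
    scrubbing logs that were written before the bug was fixed; the real fix is to move
    the credential into a POST body (or an Authorization header) so it is never logged."""
    req = _split_request(log_line)
    if req is None:
        return log_line
    parts, method, target, proto = req
    s = urlsplit(target)
    qs = [(k, "[REDACTED]" if k.lower() in SECRET_KEYS else v)
          for k, v in parse_qsl(s.query, keep_blank_values=True)]
    target = urlunsplit((s.scheme, s.netloc, s.path, urlencode(qs), s.fragment))
    parts[1] = " ".join((method, target, proto))
    return '"'.join(parts)


# Constructed requests: the same login done two ways.
LEAKY_GET = access_log_line("GET", "/login?user=alice&password=hunter2")
SAFE_POST = access_log_line("POST", "/login")  # user=alice&password=hunter2 went in the body

if __name__ == "__main__":
    print(LEAKY_GET)
    print("leaked from GET:", credentials_in_log(LEAKY_GET))
    print("leaked from POST:", credentials_in_log(SAFE_POST))
    print(redact_log_line(LEAKY_GET))
```

Running it shows the GET line carrying `password=hunter2` in plain text and the POST line carrying nothing, which is the whole difference between the two designs; `redact_log_line` is only damage control for logs already written.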
No, not student loan bubble, the bubble most teachers are enclosed in all their lives. They go to school, they learn to teach in school, then they go back to teach. Finding a teacher who isn't out of touch with reality is rare because their reality relies on teaching and not practical application. It reminds me of my high school world history teacher. We were forced to copy overhead projector notes verbatim and organize our notebooks in exactly the method she described. We'd have a notebook test for 20% of our grade with 10 questions on it, questions like "what is the 5th word of the 11th page in your notebook" with the answer being "the." I should also mention this was 2001 so antiquity isn't an excuse.
All of my best teachers have been people who experienced their craft in the field.
Oh yay!
Let's introduce trade secrets, jobs passed on as inheritances, price fixing, treating apprentices like personal slaves... things sure were better back in those days!
Way to straw man the topic, eh?
All that Wysopal, and many others, are doing is confusing multiple independent issues. The essential point for our Department is that hacking, when it involves unauthorized use of others' computer systems, is generally unacceptable and possibly criminal. Especially when it is repeated, and after a warning. No one, in computing or outside, can possibly expect any computer science department to teach otherwise.
From experience at a top 5 consulting engineering firm, if something went wrong it was normally the contractor who cocked up. One of my more interesting jobs there was reverse engineering a soil density program to prove that a sub contractor was at fault when a bridge fell off its supports :-)
That our colleges are overly staffed by professors who spend their entire lives in the ivory towers of academia should come as no surprise to anyone. Indeed, as others have said, that type lives in the pristine world of theory and never has to face reality. Thus, they do not provide adequate preparation for people who have to apply that theory in practical applications. I'll never forget the professor who could not understand why a computer program that actually worked was better than one that did not. He had assigned us a challenge. I was the only student in the class who succeeded. He laughed at me right in the middle of class since my solution was 300 lines and his was only 6 lines. I copied each of his lines of code exactly. After class I entered them into the computer. His "solution" crashed even on the simplest cases. I printed full diagnostics and brought them to the next class. I presented those and he insisted I must have made a mistake. I said I had not erred and offered the printout to him to examine. He still insisted his program was better, even though it did not work. On the other hand, I have had some very good professors who were quite open to discussion. From them I learned a great deal. Their teaching makes all the difference in my professional life.
Not exactly. We are not doing this to "enhance our status". We are doing it because it's an ethical necessity for the computing profession, as stated by section 2.8 of the ACM Code.
Think about it: can any comp sc department teach otherwise?
Alex Simonelis
I did not post advice.
Simonelis' Epic Fail web site (the guy who kicked out the Arab student).
http://dc37.dawsoncollege.qc.ca/compsci/asimonel/
I have a different take on this student. http://ireneogrizek.ca/2013/01/26/political-activism-and-the-hero-complex/