Slashdot Mirror


CTO Says Al-Khabaz Expulsion Shows CS Departments Stuck In "Pre-Internet Era"

An anonymous reader writes "The Security Ledger writes that the expulsion of Ahmed Al-Khabaz, a 20-year-old computer sciences major at Dawson College in Montreal, has exposed a yawning culture gap between academic computer science programs and the contemporary marketplace for software engineering talent. In an opinion piece in the Montreal Gazette on Tuesday, Dawson computer science professor Alex Simonelis said his department forbids hacking as an 'extreme example' of 'behavior that is unacceptable in a computing professional.' And, in a news conference on Tuesday, Dawson's administration stuck to that line, saying that Al-Khabaz's actions show he is 'no longer suited for the profession.' In the meantime, Al-Khabaz has received more than one job offer from technology firms, including Skytech, the company that makes Omnivox. Chris Wysopal, the CTO of Veracode, said that the incident shows that 'most computer science departments are still living in the pre-Internet era when it comes to computer security.' 'Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment,' he said. 'Teaching students how to write applications without taking into account the hostile environment of the Internet is like teaching architects how to make buildings without taking into account environmental conditions like earthquakes, wind and rain,' Wysopal said."

7 of 248 comments

  1. About those professors ... by Taco Cowboy · Score: 5, Insightful

    Like the saying:

    Those who can, do

    Those who can't do, teach

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:About those professors ... by Kell Bengal · Score: 5, Insightful

      That doesn't really hold at the university level, where research is required in conjunction with teaching. In fact, it serves a twin purpose - research forces people who just want to teach to stay current in their discipline. Teaching forces people who just want to research to focus and order their knowledge so it can be understood by novices. High school teachers get out of date pretty quickly, but university professors (certainly in my experience) have to be on the ball.

      Perhaps the real question here is "Is the field of academic computer science out of touch?"

      Full disclosure: I am a robotics researcher ('lecturer', equiv. to an assistant professor) at a university; I'm on a fellowship, though, so I don't have to teach much!

      --
      Scientists point out problems, engineers fix them
      altslashdot.org: The future of slashdot.
    2. Re:About those professors ... by Anonymous Coward · Score: 5, Insightful

      I've never found that to be the case with university professors. In fact, most of the ones I ever knew did no research at all. They wrote textbooks and taught classes.

      They still weren't useless. They knew the material they were meant to teach. But they were horribly out of touch. I still remember having these bizarre arguments with one professor who was sure open source was a brief fad, that it couldn't catch on in any meaningful way, but that if it did, it would be poison for innovation in the tech industry. I'd like to go back and do an obnoxious "I told you so."

      Shit, I hope he's not dead now... I'd feel pretty bad.

  2. Re:Teaching them to what? by Guspaz · Score: 5, Insightful

    He did something wrong, sure. But what he did was not bad enough to justify completely destroying his future from an academic and professional standpoint.

    He's lucky that this story has attracted as much international attention as it has (and it certainly is strange to be reading about local news stories on international sites like Slashdot, when I work across the street from Al-Khabaz's school). If it hadn't attracted all this attention, he wouldn't have had all these job offers, and would have been screwed.

    Dawson tried to leave him in debt, unable to enter any other CEGEP, unable to enter any university (you're required to graduate from CEGEP to get into university in Quebec), and with severely diminished job prospects.

    Should he have been punished? Yes. Should Dawson have tried to destroy his life? Certainly not.

  3. Re:I consider that a pretty good analogy... by DahGhostfacedFiddlah · Score: 5, Insightful

    You know, we blame civil engineers when their buildings collapse, maybe it's time to start blaming computer "engineers" when their systems do. Now, I know first-hand how hard it is to design secure computer systems, and I'm well aware there's a fine line between "holding to account" and a witch hunt, but we're nowhere near that line as it stands.

    In every single one of these stories I hear the mainstream media gasp about the "dangerous hacker". I see /. complain about morons who treat technical curiosity as an attack. But those comments outnumber 10:1 the most important question that you just asked.

    How on earth did they produce such a hopelessly stupid system?

    Maybe if we could get everyone asking this question, the conversation would shift.

  4. Re:I consider that a pretty good analogy... by lgw · Score: 5, Insightful

    There is no such thing as a secure system. This applies to both physical and information security. There's always a way in. So that's a bad analogy to life-safety engineering, or at least a subtle one.

    When it comes to security, there's no "secure" or "insecure", and the threats are rarely well understood, let alone well described. The important questions are "how much will it cost an attacker to gain access" and "how much will it cost an authorized user to gain access" and "how valuable is this anyway" and "what's the tradeoff in making this more secure". Sure, there are also just stupid, terrible designs when it comes to security, but the mere fact that an attacker gains access means little.

    When it comes to life safety, the parameters are thoroughly described. The levee must withstand the winds and storm surge from a class 3 hurricane, this building must survive impact from a 707, whatever. If they fail under far worse conditions than they were specced for, that's not an engineering failure. It's rarely so clear when it comes to security (though, of course, sometimes the password is sent as part of a URL or whatever, and it is quite clear).

    --
    Socialism: a lie told by totalitarians and believed by fools.
  5. Re:oh get real... by LordLimecat · Score: 5, Insightful

    From the article:
    Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites...
    A few minutes later, the phone rang... It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack.

    Yea, see, this is why insecure.org has warnings to not run nmap against resources that you do not own: It is generally considered nefarious, ill-advised, and possibly illegal. Yes, pen-testing other people's stuff will land you in trouble. Should he have been expelled? Maybe not, since he was clearly trying to expose a vulnerability, but he should have known better and hopefully now he does.

    Probably also should not have signed that NDA and then gone on to break it, but then I'm no lawyer. Probably should have just said "yea, I sign nothing till I have representation".

    If you do not have a job / contract with someone to pen-test, act as a "tiger team", check for physical security breaches, etc., DON'T.