Slashdot Mirror

← Back to Stories (view on slashdot.org)

CTO Says Al-Khabaz Expulsion Shows CS Departments Stuck In "Pre-Internet Era"

Posted by samzenpus on from the getting-up-to-speed dept.

An anonymous reader writes "The Security Ledger writes that the expulsion of Ahmed Al-Khabaz, a 20-year-old computer sciences major at Dawson College in Montreal, has exposed a yawning culture gap between academic computer science programs and the contemporary marketplace for software engineering talent. In an opinion piece in the Montreal Gazette on Tuesday, Dawson computer science professor Alex Simonelis said his department forbids hacking as an 'extreme example' of 'behavior that is unacceptable in a computing professional.' And, in a news conference on Tuesday, Dawson's administration stuck to that line, saying that Al-Khabaz's actions show he is 'no longer suited for the profession.' In the meantime, Al-Khabaz has received more than one job offer from technology firms, including Skytech, the company that makes Omnivox. Chris Wysopal, the CTO of Veracode, said that the incident shows that 'most computer science departments are still living in the pre-Internet era when it comes to computer security.' 'Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment,' he said. 'Teaching students how to write applications without taking into account the hostile environment of the Internet is like teaching architects how to make buildings without taking into account environmental conditions like earthquakes, wind and rain,' Wysopal said."

25 of 248 comments (clear)

  1. US Government Announces National Day of Civic Hack by JS_RIDDLER · · Score: 5, Informative

    Interesting timing ; not quite the same.
    One is Defensive Planning; One is about New ways to use things.
    US Government Announces National Day of Civic Hacking
    http://yro.slashdot.org/story/13/01/23/1823208/us-government-announces-national-day-of-civic-hacking

    --
    _JS
  2. I consider that a pretty good analogy... by seebs · · Score: 4, Insightful

    And also a very good explanation. How on earth did they produce such a hopelessly stupid system? It was designed by people who are unready for engineering systems to be used.

    I am a big fan of not blaming the victim, as a matter of moral principle. That's a great policy. But it's really crappy engineering design; building something that is designed to rely on the assumption that society can reliably provide perfect enforcement is stupid.

    There's another layer of difficulty, which is that it is not always obvious whether something is a security hole or a permissive feature...

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
    1. Re:I consider that a pretty good analogy... by DahGhostfacedFiddlah · · Score: 5, Insightful

      You know, we blame civil engineers when their buildings collapse, maybe it's time to start blaming computer "engineers" when their systems do. Now, I know first-hand how hard it is to design secure computer systems, and I'm well aware there's a fine line between "holding to account" and a witchhunt, but we're nowhere near that line as it stands.

      In every single one of these stories I hear the mainstream media gasp about the "dangerous hacker". I see /. complain about morons who treat technical curiosity as an attack. But those comments outnumber 10:1 the most important question that you just asked.

      How on earth did they produce such a hopelessly stupid system?

      Maybe if we could get everyone asking this question, the conversation would shift.

      --
      Last post!
    2. Re:I consider that a pretty good analogy... by Stiletto · · Score: 4, Insightful

      Get ready to have no free (gratis) software, as it would be ridiculous to donate one's time to write code for free if you could be held liable for mistakes. Get ready for your paid software to cost 10X more to cover the extra development "hardening" time it would all require to be less penetrable, and to cover the insurance policies software companies would have to take out to shield themselves.

      You know, we blame civil engineers when their buildings collapse, maybe it's time to start blaming computer "engineers" when their systems do.

      But we don't blame civil engineers when their buildings collapse after they get blown up by dynamite. It's not like these computer systems are just falling over from nature. They're under malicious attack.

    3. Re:I consider that a pretty good analogy... by lgw · · Score: 5, Insightful

      There is no such thing as a secure system. This applies to both physical and information security. There's always a way in. So that's a bad analogy to life-safety engineering, or at least a subtle one.

      When it comes to security, there's no "secure" or "insecure", and the threats are rarely well understood, let alone well described. The important questions are "how much will it cost an attacker to gain access" and "how much will it cost an authorized user to gain access" and "how valuable is this anyway" and "what's the tradeoff in making this more secure". Sure, there are also just stupid, terrible designs when it comes to security, but the mere fact that an attacker gains access means little.

      When it comes to life safety, the parameters are thoroughly described. The levee must withstand the winds and storm surge from a class 3 hurricane, this building must survive impact from a 707, whatever. If they fail under far worse conditions than they were specced for, that's not an engineering failure. It's rarely so clear when it comes to security (though, of course, sometimes the password is sent as part of a URL or whatever, and it is quite clear).

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:I consider that a pretty good analogy... by Belial6 · · Score: 4, Insightful

      We blame civil engineers if their buildings collapse under normal use. We do not blamed them if someone plants a bomb in the building. More actually, we don't blame the architect if someone successfully breaks into your home.

    5. Re:I consider that a pretty good analogy... by LordLimecat · · Score: 4, Insightful

      You know, we blame civil engineers when their buildings collapse,

      You dont, however, blame them when someone helpfully demonstrates that by taking out support pillar 3A with TNT that the building suffers catostrophic failure. I mean, yea, maybe you blame them a little, but generally you get pissed at the guy holding the detonator.

    6. Re:I consider that a pretty good analogy... by Jessified · · Score: 4, Interesting

      Well in this case the programming failed under normal use. That is it failed to keep people out.

      In the case of buildings, normal use would include extreme weather and earthquakes etc depending on the area.

      Normal use on the internet includes keeping intruders out, even when they put some effort to get in.

      Nothing is perfect, but you don't punish people who identify flaws, especially not at a so-called place of learning.

  3. Pffft... "Education" by narcc · · Score: 5, Interesting

    When did all the computer science programs turn in to trade schools for programmers?

    Meh, why fight it. Lower that bar!

    --
    Required reading for internet skeptics
    1. Re:Pffft... "Education" by Comrade+Ogilvy · · Score: 4, Insightful

      While there are always outstanding mavericks, a lot of engineering departments are primarily staffed by brainy people who would make third tier engineers in the real world. Most people who are passionate about a subject area are itching to go out and DO IT. Yes, there are a few amazing brainy oddballs out there that have to be in academia. Yes, there are 5 or 6 CS departments like Stanford or UC Berkeley or Carnegie Mellon that probably do not fit that mold.

      But Dawson College? A top notch computer scientist could be racking up six figures with a BS or MS. Who do you think works there and what are they paid?

  4. Blamestorming by girlintraining · · Score: 4, Interesting

    'Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment,'

    That's because if schools taught people how to properly test security, the government would label them terrorist breeding grounds. Anyone remember Steve Jackson Games? They released a game where one of the roles you could play was a computer hacker. The FBI called it a "handbook for computer crime" and the "anarchist's cookbook of cybercrime". No charges were ever filed. It was a work of fiction. It still nearly bankrupt them and took many years to resolve.

    Schools do not want to teach students because they're afraid of government reprisal if they show a generation just how crappy our national infrastructure really is. As one recent net celebrity put it, "Our security posture is like a dog waiting for its belly to be rubbed." They don't wanna teach people how to find these problems, because it'll embarass the crap out of The Powers That Be.

    Don't blame professors for this. Look higher.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Blamestorming by girlintraining · · Score: 4, Funny

      Students learn much more from professors who have backbones than those from the family of invertebrates.

      Yes, it's totally reasonable to expect someone who has spent close to six figures earning their degrees and certifications, and finally managed to earn tenure, risk it all to satisfy your idea of morality. Dude, that's bullshit. It's bullshit on an epic why-the-hell-did-even-two-other-people-agree-with-you scale.

      College professors do have integrity. Well, many of them anyway. It's mean-spirited and flat-out wrong to accuse people who are responsible for ensuring that the next generation is trained at least well enough to know which way to hold the mouse before sending them out into the world... that they lack integrity simply because they don't want to be jailed and have their lives ruined to uphold an arbitrary moral value that I suspect even you yourself only sometimes adhere to.

      Don't blame the victim! Put the responsibility on the asshats that created the problem: The government. Oh wait, they're the giant 3000 ton gorilla! Probably easier then to go after the wimpy guy with glasses next to it, huh? That's exactly what you've just done, while demanding others have a backbone. Pathetic.

      --
      #fuckbeta #iamslashdot #dicemustdie
  5. Re:oh get real... by MightyMartian · · Score: 4, Insightful

    Because the young hot shot wasn't doing anything nefarious, and when he first reported the vulnerability he was praised. It's only when he determined that no one was doing a fucking thing about the vulnerability that he got kicked out.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  6. Hacking sites you don't own is unprofessional by Anonymous Coward · · Score: 4, Interesting

    However, I don't buy that what this student did was hacking (in the cracking sense)

    Targeting a system you don't own, or aren't reponsible for and trying to break into it is almost always not a good thing to be doing, and should be considered unprofessional (and unethical) conduct.

    Noticing a problem while you are setting something else up, notifying the appropriate people, and checking to see if that problem is gone are very reasonable things to do.

    I have been working in Computer Security in Internet Banking for the last 15 years, and while I have had many co-workers who measure their worth by how good they are at breaking in to things, very few of those people have been nearly as good at defending those same things.

    Figuring out how to hack a site takes finding one vulnerability.

    Figuring out how to defend a site takes thinking about all types of vulnerabilities.

  7. Teaching them to what? by Obfuscant · · Score: 5, Informative
    The computer science department is not teaching their students to write code without consideration of the environment of the Internet. At least nothing in this situation says they are.

    What they are teaching is that it is unethical to run penetration testing against a system without permission. This philosophy is embodied in the ACM Code of Ethics, in section 2.8:

    2.8 Access computing and communication resources only when authorized to do so.

    Theft or destruction of tangible and electronic property is prohibited by imperative 1.2 - "Avoid harm to others." Trespassing and unauthorized use of a computer or communication system is addressed by this imperative. Trespassing includes accessing communication networks and computer systems, or accounts and/or files associated with those systems, without explicit authorization to do so. Individuals and organizations have the right to restrict access to their systems so long as they do not violate the discrimination principle (see 1.4). No one should enter or use another's computer system, software, or data files without permission. One must always have appropriate approval before using system resources, including communication ports, file space, other system peripherals, and computer time.

    He got thanked for finding the flaw. He got expelled for pen testing someone else's system. Two different acts, two different issues.

    1. Re:Teaching them to what? by Guspaz · · Score: 5, Insightful

      He did something wrong, sure. But what he did was not bad enough to justify completely destroying his future from an academic and professional standpoint.

      He's lucky that this story has attracted as much international attention as it has (and it certainly is strange to be reading about local news stories on international sites like Slashdot, when I work across the street from Al Khabaz' school). If it hadn't attracted all this attention, he wouldn't have had all these job offers, and would have been screwed.

      Dawson tried to leave him in debt, unable to enter any other CEGEP, unable to enter any university (you're required to graduate from CEGEP to get into university in Quebec), and with severely diminished job prospects.

      Should he have been punished? Yes. Should Dawson have tried to destroy his life? Certainly not.

  8. About those professors ... by Taco+Cowboy · · Score: 5, Insightful

    Like the saying:

    Those who can, do

    Those who can't do, teach

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:About those professors ... by Kell+Bengal · · Score: 5, Insightful

      That doesn't really hold at the university level, where research is required in conjunction to teaching. In fact, it serves a twin purpose - research forces people who just want to teach to stay current in their discipline. Teaching forces people who just want to research to focus and order their knowledge so it can be understood by novices. High school teachers get out of date pretty quickly, but university professors (certainly in my experience) has to be on the ball.

      Perhaps the real question here is "Is the field of academic computer science out of touch?"

      Full disclosure: I am a robotics researcher ('lecturer', equiv. to an assistant professor) at a university; I'm on a fellowship, though, so I don't have to teach much!

      --
      Scientists point out problems, engineers fix them
      altslashdot.org: The future of slashdot.
    2. Re:About those professors ... by Anonymous Coward · · Score: 5, Insightful

      I've never found that to be the case with university professors. In fact, most of the ones I ever knew did no research at all. They wrote textbooks and taught classes.

      They still weren't useless. They knew the material they were meant to teach. But they were horribly out of touch. I still remember having these bizarre arguments with one professor that was sure open source was a brief fad, that it couldn't catch on in any meaningful way, but that if it did, it would be poison for innovation in the tech industry. I'd like to go back and do an obnoxious, "I told you so."

      Shit, I hope he's not dead now... I'd feel pretty bad.

    3. Re:About those professors ... by Dahamma · · Score: 4, Interesting

      My experience was the exact opposite... I guess it depends on your university's priorities. I had professors teaching undergraduate courses who were not only doing serious research, but were often leading their field. Off the top of my head (it's been a while, but jeez looking at it in hindsight it is humbling):

      http://en.wikipedia.org/wiki/Martin_Hellman
      http://en.wikipedia.org/wiki/Mark_Horowitz
      http://en.wikipedia.org/wiki/John_McCarthy_(computer_scientist)
      http://en.wikipedia.org/wiki/Robert_Sapolsky
      http://en.wikipedia.org/wiki/Anne_Fernald
      http://en.wikipedia.org/wiki/Philip_Zimbardo
      http://en.wikipedia.org/wiki/William_C._Dement
      http://en.wikipedia.org/wiki/Paul_R._Ehrlich
      http://en.wikipedia.org/wiki/Craig_Heller
      http://en.wikipedia.org/wiki/Eric_Knudsen

    4. Re:About those professors ... by dkf · · Score: 4, Interesting

      Are typical university CS department professors doing meaningful "research"?

      Should a "typical university" have a CS department at all? Speaking as someone who works in a CS department where the academic staff have to produce research output as well as teach, it sounds like there are places which just ought to stop the pretense and to actually call themselves "Visual Basic Training Schools" or something. (Disclosure: I mostly don't teach, and instead do software engineering to turn the CS research into practical tools to support other research areas.)

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
  9. Re:oh get real... by Guspaz · · Score: 5, Informative

    Dawson is not a university. In Quebec, "College" and "University" mean different things. Dawson is a CEGEP, which is a mandatory level of education between highschool and university.

    CEGEPs in Quebec has two kinds of programs. 2-year Pre-university programs can be considered to replace the final year of highschool and first year of university (as in, highschool and university are both one year shorter in Quebec). They also have three-year programs (like the computer science program Al-Khabaz is in), which are vocational degrees intended to prepare a student for the job market rather than university. Graduating from either type of program grants you a degree called a DEC ("Diploma of College Studies" in English), which also happens to be required for admission to any university.

    Many students, however, do what I did, and get a three-year vocational compsci DEC and then go to university and get their BCompSc. Yeah, it takes you an extra year (as compared to the pre-uni DEC), but CEGEP is the first time as a student that you get to study what YOU want instead of what the government says you must take, and I had a fantastic time.

  10. Re:oh get real... by LordLimecat · · Score: 5, Insightful

    From the article:
    Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites.....
    A few minutes later, the phone rang ......It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack.

    Yea, see, this is why insecure.org has warnings to not run nmap against resources that you do not own: It is generally considered nefarious, ill-advised, and possibly illegal. Yes, pen-testing other people's stuff will land you in trouble. Should he have been expelled? Maybe not, since he was clearly trying to expose a vulnerability, but he should have known better and hopefully now he does.

    Probably also should not have signed that NDA and then gone on to break it, but then Im no lawyer. Probably should have just said "yea, I sign nothing till i have representation".

    If you do not have a job / contract with someone to pen-test, act as a "tiger team", check for physical security breaches, etc, DONT.

  11. does no one ever read the article anymore? by MoFoQ · · Score: 4, Interesting

    does no one ever read the article anymore?
    It was on a test server.....using credentials given by the vendor, Skytech Communications.

    ...the software vulnerability scan that got him expelled from school was conducted on a test server only, and using credentials provided to him by the company that makes Omnivox: Skytech Communications.

    The mere fact that Skytech supposedly gave him a job offer is enough to think that the department has their collective heads up....well..you get the point.

    There's a reason why the legendary Weld Pond would be so vocal and would even say "These kind of people right out of college are the kinds of people we want to hire."

  12. Ok by Sycraft-fu · · Score: 5, Informative

    Go ahead and show me the home/business alarm you think will stop me. Go ahead. I can more or less guarantee you can't do it. The reason is I know quite a bit about how they work, since my grandpa has been in the business of selling them all his life, and how they can be defeated. Particularly if you are talking something public where you can look around innocuously and find out what is there. Ultimately they are at their core just a circuit board in a box that connects to sensors, sirens, and maybe a phone line. Break the board, they stop working. If you have one in your house open it up and see what's inside. It is simplistic, and not at all attack resistant other than the thin metal box it lives in.

    For that matter, defeating an alarm really isn't necessary if taking something, like say physical data (files and so on) is your objective. All they do is make noise and if they are good ones, call a security company who will eventually call the police who will eventually respond (they aren't that fast, false alarms happen often). That doesn't stop people with guns from kicking in your door, grabbing what they want, and leaving.

    Same shit with security guards. You ever have a look at the security that public places like office buildings and malls use? They are unarmed, and low paid. Their job is to call the police if shit happens. It doesn't take much to out-class them, you bring a pistol with you, you've already got them hopelessly outgunned. You think they are going to throw their life on the line if someone holds them at gunpoint? Hell no. For that matter there usually aren't very many. The mall near me has one car that patrols their parking lot at night (I overlook the parking lot). That is it for perimeter security. I don't know what they have inside, but you can bet it isn't much more (maybe not even anyone).

    Physical security at homes and businesses keeps out the causal crooks, nothing more. Now that's all they really face, people wouldn't bother with a targeted, planned, attack, they just don't have enough of value. They face low level thugs that do vandalism, smash and grabs, that kind of shit. And oh, by the way, it DOES happen. The mall near me gets broken in to at least once a year, usually dumbass teens just causing trouble, and by the fact that they got in, it means security failed to stop them.

    They don't get fired, their job isn't to stop everything, it is to report anything they see, and to drive around and look conspicuous (their car is marked, and has a flashing yellow light) so as to scare troublemakers off.

    If your house has never been broken in to it isn't because you have amazing security. A burglar alarm and a crap lock do not make great security. It is because nobody has tried. They good news is most of us don't face much in the way of threats to security in the physical world. Nobody tries to break in, or attack us, or the like. It is quite uncommon.

    Now that doesn't mean we should just be all lax with computer security, but it does mean that this silly demand of perfection needs to stop. Nothing is perfectly secure.