Student Expelled From Montreal College For Finding "Sloppy Coding"
innocent_white_lamb writes "In what appears to be a more-and-more common occurrence, Ahmed Al-Khabez has been expelled from Dawson College in Montreal after he discovered a flaw in the software that the college (and apparently all other colleges across Quebec) uses to track student information. His original intention was to write a mobile app to allow students to access their college account more easily, but during the development of his app he discovered 'sloppy coding' that would allow anyone to access all of the information that the system contains about any student. He was initially ordered to sign a non-disclosure agreement stating that he would never talk about the flaw that he discovered, and he was expelled from the college shortly afterward."
Terrorist? (Score:4, Funny)
Troublist!
Re:Terrorist? (Score:5, Funny)
In trouble for finding sloppy coding?
What'd he do, boot a Windows computer?
Re:My Ass (Score:5, Insightful)
Honest! I was just trying to make this mobile app so I had to hack into your system and I found this sloppy code that let me in!
What part of "Do not access things you are not authorized to access" do these people not understand?
If you stumble onto a defect in an information system while developing an application front-end to that system, there is no unauthorised access. The level of intelligence on /. has decreased significantly from the early days. More's the pity.
Comment removed (Score:5, Insightful)
Re:My Ass (Score:4, Insightful)
Re:My Ass (Score:4, Informative)
My bank has public facing computers. If I were to find and exploit a way to access other people's banking data, I'm pretty sure there'd be hell to pay.
I'm pretty sure the US and UK both have laws that would prevent access beyond your authorization. I'd be astonished if Canada did not have similar legislation.
Your bank gets scanned several times an hour (if not several times a minute) by half the blackhats and scriptkiddies of the globe, and nobody in the bank's IT dept. would be dumb enough to bitch about it, because they know it's natural on a public-facing system.
Simply scanning your bank and reporting your findings to them is unlikely to get you in "hell" ... unless you act like a dick about it.
You shouldn't scan them without permission - of course. That is not up for debate. But a scan is not the same as gaining - and indeed exploiting - unauthorized access. The school in question here clearly overreacted.
Regarding legislation, you may be right if the authorities decide to make a case out of it. But then again, they'll make a case out of pretty much anything if they are on a rampage. In the US you'll get your ass thrown in jail and/or fined millions just for violating a TOS. Or face 30 years for copying publicly-available data created with tax dollars (ahemm, Swartz?). The fact that such shit happens in the real world really doesn't make it right.
Defining a "scan" as a "crime" is silly at best. Realistically it is an abuse of power and a danger to a free society.
- Jesper
Re:My Ass (Score:4, Informative)
Re: (Score:3)
Re:My Ass (Score:5, Insightful)
If a vulnerability scan crashes a system then there really is sloppy coding.
Anonymous could stop DDoS attacks and instead just run a couple of vulnerability scans to take down their opponents. So much easier!
Remember (Score:5, Insightful)
All problems can be solved by personally punishing someone in an unrelated fashion to their crime, rather than simply fixing the problem.
Re: (Score:2, Insightful)
Crime?
If I see a bank vault missing a wall, am I criminal for pointing out this obvious and stupid flaw?
Re:Remember (Score:4, Insightful)
No, but if you later try to break into the bank to make sure they fixed the wall, they might misinterpret your intentions.
Re:Remember (Score:5, Insightful)
I would characterize it more like "if you walked down that same old dingy dark alley where you discovered the hole in the wall to the safe before, they will assume that this time it clearly must be to exploit the vulnerability and cause them the expense of having to actually brick up the hole".
Re:Remember (Score:5, Insightful)
The deal is that this is IT, not physical world, and you cannot reuse the same mode of thinking. In IT, vulnerability testing is a good thing, not a bad thing. It leads to fixes, hopefully. Relevant laws, to be moral (IMHO), should be written so that bad intentions are required to make access to a computer system a crime. Unauthorized access in itself shouldn't be criminal if it's done in a bona-fide attempt to find vulnerabilities and inform the owners/developers of the system of those. It shouldn't be criminal in a bona-fide attempt at interoperability either -- again, IMHO.
Re: (Score:3)
They wouldn't be misinterpreting my intentions. If I spot a giant hole into a bank vault when walking down the alley and resist the temptation once and point it out then walk back by next week and it is still an open hole... the only logical explanation is that the bank wants me to have the money. It is an implicit gift!
Re: (Score:3)
No company has the ability to force you to sign an NDA. And, if you felt forced when you signed it, then it's a contract signed under coercion, and unenforceable. I'm so sick of NDAs. They are meaningless shit, not even good for wiping your nasty ass with.
When someone offers you an NDA, tell them to stuff it up their ass.
Re: (Score:3)
Anyone who thinks this sounds good should have a look here first:
http://www.avvo.com/legal-answers/can-my-employer-force-me-to-sign-something-stating-619319.html [avvo.com]
Your employer can fire you if they think your less than sunny attitude is responsible for the weather, let alone if you refuse to sign a document. Your only question is whether the consequences of refusing to sign are worse than the consequences of signing but yes your employer can make there be consequences for not signing.
Re: (Score:3)
LMAO - those who would give up essential liberties for some imagined security deserve neither. I need "a job", but I don't need any specific job.
I guess that I'm valuable enough that the boss puts up with my shit. Imagine that (to borrow from a stupid internet meme) - "I haz VALUE!"
Meanwhile, I'll continue being my old cantankerous self, and do things my own way. If the electric company disconnects my electricity, I'll just run my generator, and eventually buy a bigger, more powerful generator, and/or sw
Re: (Score:3)
The school acts like an antisocial jerk. If the school truly believes that there was no intent to harm and thus there should be no punishment, then if the law states otherwise they should get very vocal about their wish that the law be changed. Otherwise they can stuff their public admission where the light doesn't shine, because it's just as good. If it's a significant enough school, they should have plenty of clout with local politicians and alumni -- they should use it for good deeds. Protecting their st
Re:Remember (Score:4, Insightful)
People keep comparing this to stepping through the missing wall of a vault.
I think a better analogy is coming back a week later and shining a flashlight or laser beam on the vault, and discovering that there is still no wall.
Time to go to the press... (Score:5, Insightful)
The college system turned a friend or at least a neutral party into an enemy. They should expect any and all damage that he can inflict on the administrators at the top that were foolish enough to support the actions taken against the student.
Re:Time to go to the press... (Score:5, Insightful)
I'm fascinated by the adversarial attitude the college administration appears to have towards their students. I mean unless there's more to this story than we know about, like he made suggestive comments about the press or threatened them first, they apparently made him sign an NDA and booted him when they felt he had no recourse.
I'd have very serious questions about the ethical or even social ability of these people to operate a third level institution. It strikes me as classic CYA from middle management with extreme prejudice, which typically indicates angry disconnected shut-ins in the back room. Well, either that or aloof disconnected gentlemen's clubs in the back room. Same result either way. It's not a learning environment from their perspective, it's a simmering cauldron of unpleasantness that must be kept strictly under control lest it get in the way of money.
Re:Time to go to the press... (Score:5, Interesting)
These (school administrators) are actually "failed politicians". It's even worse when the school is a lower level like a high school. I've seen this problem rampant at the majority of schools I've had to deal with (mostly because of obvious network security issues already exploited by someone else). Politicians are people that like to gain power at the expense of others. But in the case of school administrators, they are just weaker people that have to seek a weaker pool of victims. But let me add that this is NOT 100%. I have met many school administrators who are not at all like that (one of whom actually went into politics later on). It's about 30% good, 70% bad, from my experience.
Re:Time to go to the press... (Score:5, Interesting)
Speaking of High School...I was once threatened with expulsion, had to file a police report, and have my mom come in to talk to the principal because I downloaded public-domain clips of police chases for a report at school. My teacher saw them one day and approved it, and then the next had me taken in for breaching the computer/internet access policy we all had to sign. I had to explain that, due to the loose language of "you may not download any content to school computers" that they should immediately disconnect every computer from the internet, or at least forbid browsing, as every page view "downloads" data to the computer, thus making EVERY user of the internet in the entire district in violation of the policy. Plus it put them in a bind that the teacher saw exactly what I was doing and did nothing about it until another student found the videos the next morning.
They thought they had a computer hacker on their hands and treated me as such. Too bad when we did start testing the network for holes - we found plenty and kept our mouths shut and our found holes open.
Perhaps someone got a kickback (Score:3)
Re:Time to go to the press... (Score:4, Informative)
As an example, I got let go from a government job because they considered me a security risk just because I asked what servers they were running! Most of the software was badly programmed VBasic, then what do you expect when you hire a programmer for $30k/annum? The absurdity is that the manager of the office overrode my dismissal because they couldn't get anybody else to fix their corrupted databases. Something not one of their system administrators could fix as they had absolutely no experience outside of school.
Might just be governments being clueless about software. Canada did pay millions to use a search system, developed by the US gov't, that doesn't actually search the content of pages. Brilliant.
Re:Time to go to the press... (Score:5, Interesting)
Did they? The part I am surprised at the most is that 14 out of 15 CS professors voted to expel him. I suspect there is more to this story and we're only getting the kid's side. I find it hard to believe they voted to expel a kid without knowing his side of it. The summary also makes it sound like the people trying to get him to sign an NDA (the company) were the same people who expelled him (the 15 profs on the committee at the college) -- this is clearly not the case.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack.
Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour. Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty. He appealed his expulsion to the academic dean and even director-general Richard Filion. Both denied the appeal, leaving him in academic limbo.
The whole thing seems to imply a conspiracy between the college and company to throw him under the proverbial bus. But now conspiracy seems to involve 15 or more people at the college. And for what? Good discounts on software? Saving face? Doesn't appear they saved much face here. And I doubt all these professors were thinking about the financials of the college.
It also doesn't make much sense from a PR standpoint to kick a dog that's already down. If they already had an NDA, why would the company want him expelled? Nevertheless, I have no doubts that this company acted irrationally and possibly intimidated him. How did the CEO know to call this kid moments after he tried using Acunetix? Obviously someone or something was watching the logs. And sadly it is far from unheard-of for companies to overreact when someone tells them about a vulnerability on their system.
However, that doesn't explain why the kid decided to run some general vulnerability testing software within 2 days' notice to the company about the 'sloppy coding'. Now, I wouldn't call it a "cyber attack", but this kid was poking the company with a stick to see what shook loose. At this point his claimed honest intentions seem less clear to me. It could be he didn't know any better, or it could be he was looking for something more, or a mixture of the two. But this doesn't seem like the action of someone testing a vulnerability they found. It seems like someone doing "percussive" testing.
Still, I can't imagine the school voted to expel him based on the info provided in TFA. There is a missing piece to this puzzle.
Re: (Score:3)
Contracts signed under duress are often void, as are contracts with unconscionable terms.
Re: (Score:3)
Outside vendor freaked out and it's easier for the (Score:3, Insightful)
Outside vendor freaked out and it's easier for the school to take the easy way out and kick him out than it is to help him.
does whistle blower laws cover this? (Score:2)
Do whistle-blower laws cover this? And what was the scope of his work?
sounds like he found something and they did not want to fix it or the cost to fix was high / a hole like that will lead to a fine.
Sorry but he's an idiot (Score:2)
Why would you run vulnerability scanner software on a remote network from your home IP!? Sounds to me like he found a flaw, got overzealous and got permbanned.
Re:Sorry but he's an idiot (Score:5, Informative)
Why would you run vulnerability scanner software on a remote network from your home IP!? Sounds to me like he found a flaw, got overzealous and got permbanned.
I heard about this on the radio this morning. This is not the full story.
Supposedly he reported the flaw to the school and was thanked and told it would be taken care of. Later (not sure how long he waited), he decided to test to see if the flaw was fixed, at which point the CEO/owner of the software company called him directly and told him he could be arrested and asked/forced him to sign the NDA. It was only after that, that he was expelled.
It also seems this flaw is in the software itself and would have affected more than just this particular school.
Any way you look at it, it's very ugly.
Re:Sorry but he's an idiot (Score:5, Informative)
He waited two days.
He coordinated with no one, he just decided to run a piece of scanner software against someone else's servers and got caught.
When his case was reviewed by his college, despite no formal charges being brought against him he was expelled by a vote of 14 out of 15 professors in his own department (where he was "acing all his classes").
I seriously suspect there is more to this story than is being reported... These professors that knew him voted him out of the school.
Re:Sorry but he's an idiot (Score:5, Insightful)
I wonder why the school decided to expel him. The software company overreacted a bit when they found out; perhaps they sent a note to the school to the effect of "We found that student of yours hacking around in our system again; we've told him we'll call the cops if he keeps doing it". I can see why the school would expel him on the strength of that.
Re: (Score:3)
Instead of reading the summary, read the entire thing.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
Don't scan other people's systems (Score:5, Insightful)
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected.
Seriously, don't run Acunetix or Retina scans or whatever on other people's systems. It looks like you are probing for vulnerabilities because, well, that's exactly what it's doing.
And if I'm a sys-admin, I'm going to see that and think you're an attacker. From my point of view, you've just cased the joint. That's what I'm going to report up, and from there everything gets ugly.
Re:Don't scan other people's systems (Score:4, Interesting)
So you rely primarily on security thru obscurity and hope that genuine bad guys would never scan you? That's pretty scary.
The funniest part is I've been putting up with scans/etc since the early 90s and it doesn't take long to figure out that almost all of them come from compromised systems, usually from another country. A local guy easily traced almost by definition is on your side, because a real bad guy would be coming from a rooted machine in .cn or something essentially untraceable like that. In other words if you can find and talk to the guy in "minutes" as per the story, he's probably on your side or at worst is a hopeless noob script kiddie who's no more harmful or harmless than the other one million kiddies out there, so there's no sense messing with him.
Re:Don't scan other people's systems (Score:5, Interesting)
Yes that's my point, there is too much traffic of that nature "out on the real inet" to bother with UNLESS you're using specific rules to filter just to "get" one guy.
It's a bit spammy, like reporting everyone who looked at your front door as a potential burglar. That might even work in the deepest back hills of Montana 200 miles from the nearest city. But the internet hasn't been like that since the early 90s, maybe earlier, so it's like being on a busy Manhattan street and reporting every passerby who glances at your front office door as a crook.
Re:Don't scan other people's systems (Score:4, Insightful)
Really? Will all the real sysadmins stand up. Every internet-exposed system gets these scans run several times a day from random sites. Who even takes the time to investigate this shit? Just auto-detect and auto-block like a normal person. Hell, look at your auth logs and see all the brute-force root pw attempts from random IPs 24/7. Go install an old version of RHEL with an old LAMP stack without a firewall and wait if you don't believe me.
This was targeted at the student, they were looking, desperately for him.
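The two posts above make the same operational point from opposite sides: a scan or a password brute-force shows up in the logs, and a sysadmin either reports it up or auto-detects and auto-blocks it. The script below is an added illustration of the second approach, not code from the thread, from Dawson, or from any scanner or tool named in it. It parses sshd "Failed password" lines and flags any source that reaches a threshold of failures inside a sliding time window, which is the logic behind tools like fail2ban. The log lines are constructed samples using documentation address ranges, and the year, threshold and window are assumptions.

```python
"""Threshold-based detection of SSH password brute forcing in sshd auth logs.

Added example (not from the thread or any product named in it).
The log lines below are constructed; the IPs are documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches the line sshd writes when a password is rejected.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one source hammering root, one user with a single typo.
SAMPLE_LOG = """\
Jan 20 03:14:01 box sshd[4101]: Failed password for root from 203.0.113.5 port 50001 ssh2
Jan 20 03:14:02 box sshd[4102]: Failed password for root from 203.0.113.5 port 50002 ssh2
Jan 20 03:14:02 box sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 50003 ssh2
Jan 20 03:14:03 box sshd[4104]: Failed password for root from 203.0.113.5 port 50004 ssh2
Jan 20 03:14:05 box sshd[4105]: Failed password for root from 203.0.113.5 port 50005 ssh2
Jan 20 03:14:09 box sshd[4106]: Failed password for alice from 198.51.100.7 port 41022 ssh2
Jan 20 03:14:15 box sshd[4107]: Accepted password for alice from 198.51.100.7 port 41022 ssh2
Jan 20 03:20:00 box sshd[4108]: Failed password for root from 203.0.113.5 port 50006 ssh2
"""


def parse_failures(text, year=2013):
    """Yield (timestamp, ip, user) for each failed-password line.

    syslog timestamps carry no year, so one is assumed (2013 here)."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_brute_forcers(text, threshold=5, window_seconds=60):
    """Return {ip: time_first_flagged} for every source that reaches
    `threshold` failures within any `window_seconds` span.

    A per-IP sliding window: old failures fall out, so a slow trickle of
    typos never trips the rule, while a burst does."""
    recent = defaultdict(list)   # ip -> failure timestamps still in window
    flagged = {}
    for ts, ip, _user in parse_failures(text):
        bucket = recent[ip]
        bucket.append(ts)
        while (ts - bucket[0]).total_seconds() > window_seconds:
            bucket.pop(0)        # expire failures older than the window
        if len(bucket) >= threshold and ip not in flagged:
            flagged[ip] = ts     # this is the point where a block would be added
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG).items():
        print(f"block {ip} (threshold reached at {when})")
```

In the sample, 203.0.113.5 reaches five failures within four seconds and is flagged once; its later single failure does not re-trigger, and 198.51.100.7's one mistyped password is ignored. In practice the `flagged` entries feed a firewall rule with an expiry, which is what the post means by auto-block.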
Aaron Swartz funeral (Score:4, Insightful)
Sad.
Re: (Score:2)
Terrible summary -_- (Score:5, Informative)
I know, this is slashdot, but I still read the article
And I still don't agree with him getting expelled, but the reason was not discovering/disclosing the flaw, but he got in hot water when afterwards he tested if the flaw was still there, and the company developing the software reported the hacking attempt.
It was still a big overreaction that happened afterwards, and he shouldn't have been expelled, but it's not the discovering/reporting of the flaw that got him in trouble, and the article clearly states this!
Re: (Score:3)
Exactly. The student was not authorized by the school to be doing what he was doing. If he wanted to check to see if the flaw was still there, then he should have informed the school that he was doing so and got permission to test. Or more entertainingly, inform the press of the flaw and get EVERYONE to test for it. If he gave an anonymous tip the NDA would still hold.
Re:Terrible summary -_- (Score:4, Insightful)
Shoot the messenger. (Score:3)
Never sign anything (Score:5, Insightful)
As it stands, asking someone to sign an NDA and not offering a guarantee of something in return is already suspect and can be fought. You had an expectation that you wouldn't get expelled, or that you would get a free education, or something else of benefit to you. People need to learn that colleges, Lance Armstrongs and corporations all act the same way. You will get screwed if and when there is an opportunity to screw you. And you will go broke defending what is right. Few will care.
Don't Sign without Something in Return (DSSR)!
Re: (Score:3, Interesting)
If the company threatened to call the RCMP unless he signs the NDA, then either:
1. He is a criminal, and the company conspired with him.
or
2. The company extorted an agreement with him with no compensation, based on false premise of his actions being a crime.
or
3. The company extorted an agreement with him with no compensation, by threatening to commit perjury.
No matter what his actions are, the company either committed a crime or owes him a compensation for NDA, or both. And that does not include even includ
DO NOT QUESTION AUTHORITY (Score:2)
There needs to be a cyber law class (Score:5, Insightful)
By the story linked, he wasn't expelled for finding a software flaw, he was expelled for running a vulnerability scanner against their network.
Everything with finding the flaw seems to have gone fine. He found the flaw while working to develop an app, he did nothing wrong, and it seems like he got kudos for it, not any sort of harassment at all.
Then he started using a vulnerability scanner on their network. You never do this without an arrangement (IE a pen testing contract). Never ever ever. It's illegal for one, it definitely can disrupt systems, and it sends up all kinds of red flags.
On the other hand, no one told me those things in college; they were part of my job training post-college. When I was at school, there were no 'ethical hacking' classes that let you know what is and is not illegal to do as part of vulnerability research. So I doubt very much the kid had any idea what was going wrong. Hell, I know now that most big universities get crazy-angry if you do anything that even looks like an attack over them... but no one told me that in college when I was actually using those networks.
The company took a rather strong wording but soft action: they elected not to pursue anything past getting him to sign an NDA. They didn't ask the school to expel him, the school did that entirely on their own. The student clearly doesn't understand why he was expelled, either. At least not by his quotes in the story (he's sure it's trying to cover up the flaws; in reality it's almost certainly because he ran what is considered a cyber attack across a university network, very illegal and very likely to piss off the administration).
Obviously he shouldn't have been expelled; he did not act with malice, and clearly still doesn't know the legal boundaries. What this tells me is it's long past time to start coupling your computer science 101 class with a cyber ethics and law 101 class. While anyone who works for a pen testing company can immediately see where things went bad, his actions make perfect sense from the perspective of a college student.
I found something a little bit like this (Score:5, Interesting)
When I was a CS student I discovered a flaw in the program we used to turn in assignments. The flaw allowed access to the code anyone had turned in for an assignment. I however elected to anonymously inform the CS dept about the problem. Glad I did. I found out they searched and searched trying to figure out who I was so they could kick me out. Sometimes it is better just to be an Anonymous Coward.
Re: (Score:3)
Wow, a post that fully justifies using AC. Would it be safe to at least identify this school of mostly incompetent faculty?
Really? (Score:4, Insightful)
How "common" is this? How common is it for college students to find security flaws in the code that schools run, and to be expelled for uncovering it? That isn't even what happened here:
He was expelled for his "testing" of the breach after he told the administration and the software company about the security flaw.
He was not expelled for finding the security flaw, he was expelled for running what was a well-intentioned "attack" on the software he identified the flaw in. If he had co-ordinated with the software vendor there would have been no issue. Of course, the only way you'd know that is by reading the linked-to article - I wonder why the headline author didn't do that?
I was in shock... (Score:5, Informative)
...when I read the title. I'm from Montreal, currently studying on exchange overseas. A few months back a friend of mine was telling me about an app he and some friends in a club at Dawson College were writing. I know a few of the guys personally because I was at some party with them back in September and I had heard a bit about how the project was going in the months following. All this to say, the story is complete bullshit.
Apparently, the school had originally offered to share some info that would help the guys making the app, but, coincidentally some company started developing something around the same time that was along the same lines so Dawson reneged on the deal. FTA:
Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software
The story goes, according to my friend, as such. Apparently, the programmer and one of the other guys decided they were just going to take the info, which was easy to do since Omnivox is such a terrible system, by breaking in. While doing this, they discovered the flaw and used it as leverage once the school noticed they had accessed the system and approached them. The other friend played innocent and the programmer got the flak for it, eventually being expelled.
This was by no means a white hacking deal. Also, these guys have been exploiting Dawson's system for a while to print for free and other such things.
It's interesting how many articles like this we get on slashdot. Just makes me wonder how easy it is to skew a story a certain way regarding a subject like programming which so many people know nothing about. If they found something, what were they doing looking in the first place? Well, sometimes people are just dicking around or curiously looking at how bad a system is, but sometimes they are - like in this case - breaking in to steal specific information for personal gain.
Re:I was in shock... (Score:4, Informative)
I don't remember the extent to which it was a break in and I dare not ask my friend again so I can post on slashdot (he might not be so happy about it), however, I know that the flaw was discovered while they were trying to find ways to get the information they wanted. I also remember it being an SQL injection, but I don't want to go on record saying that because I'm not 100% sure (my friend was also telling me that same day that the other guy, who didn't get expelled, was using an SQL injection to break in to the Pizza Pizza system and remove his order so he could then call them up and say he had placed an order that hadn't arrived yet, resulting in free pizza).
Just as unreliable as the article is my anecdotal evidence and I agree with your comment. I do know for certain that they were looking for ways to steal the information they needed, which they succeeded in doing with some sort of exploit and which I remember to be an SQL injection, when they found this security flaw. I also think that, unlike what he claims, he did not notice that the link to one's profile/info was encrypted by simply accessing his student account, but rather that they found this huge database of SIN, names, addresses, etc... which they realized anyone could find working forward from their student account, the opposite of how they did it (working backwards from the database).
Lastly, I know for certain that the other guy (pizza exploiter) was using the info to hold Dawson by the balls in case they went after them for breaking in to the system. It should be noted that the other guy did not get expelled, even though he was pushing the whole operation and using the programmer's skills.
Re: (Score:3)
I can assure you that if it was an SQL injection attack, you would remember it VERY clearly, as it's a very distinct type of vulnerability.
It does appear that SQL injection attacks are what he was accused of. Slightly less one-sided story from CBS news [www.cbc.ca]
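The summary describes "sloppy coding" that let anyone read any student's record, and the exchange above speculates that the flaw was SQL injection. Those are two separate defect classes, and a fix for one does not cover the other, so the following added example (not Omnivox code, not from the article, with a constructed schema and sample data) shows a record lookup that has both defects beside one that fixes both: the query binds its parameter instead of splicing text into SQL, and it refuses to return a record the caller does not own.

```python
"""Two defect classes from the thread, side by side with the fixed form:
a string-built SQL query and a lookup with no ownership check.

Added example; schema, data and function names are constructed, not Omnivox.
"""
import sqlite3


def make_db():
    """In-memory table standing in for a student-information system."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, sin TEXT)")
    db.executemany("INSERT INTO students VALUES (?, ?, ?)", [
        (1001, "Alice", "000-000-001"),   # constructed sample rows
        (1002, "Bob", "000-000-002"),
    ])
    return db


def lookup_vulnerable(db, student_id):
    """Defective: the request value is pasted into the SQL text, so it can
    change the query's meaning, and nothing checks whose record is asked for."""
    sql = f"SELECT id, name, sin FROM students WHERE id = {student_id}"
    return db.execute(sql).fetchall()


def lookup_hardened(db, caller_id, student_id):
    """Fixed: the id must be an integer, it must be the caller's own, and it
    is passed as a bound parameter so it can only ever be compared as a value."""
    student_id = int(student_id)            # non-numeric input is rejected here
    if student_id != caller_id:
        raise PermissionError("callers may only read their own record")
    sql = "SELECT id, name, sin FROM students WHERE id = ?"
    return db.execute(sql, (student_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The same malformed id that dumps every row through the defective lookup
    # is rejected by the hardened one before any SQL runs.
    print(len(lookup_vulnerable(db, "1001 OR 1=1")), "rows from the defective lookup")
    try:
        lookup_hardened(db, 1001, "1001 OR 1=1")
    except ValueError as exc:
        print("hardened lookup rejected the input:", exc)
```

The point of keeping the two fixes distinct is that parameter binding alone would still let a logged-in student request id 1002 and get Bob's record back; the ownership check is what closes the "any student's information" hole the summary describes, and it belongs in the server-side code, not in the app.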
a lesson for students (Score:4, Interesting)
The lesson to be learned here is: If you're in college and someone threatens you with any sort of legal action, don't say a word, just walk out, and walk straight into a lawyer's office. Immediately. While I was in college I got sued/fined/thrown out of different places so many times I've lost count. The college and college police think they are the law and use their power to manipulate and harass students they don't like.
I once had the police looking for me for 3 months to ticket me for lighting some firecrackers on New Year's at 2am. It was a ridiculous cat and mouse game, and they refused to give up. Finally they "caught" me and gave me a ticket. It went to trial for God's sake. The city paid for eyewitnesses to testify and everything. It was a $100 fine and I won the case. It probably cost the city tens of thousands of dollars to screw with me for about 6 months. In the end, on the way out, I patted the DA on the shoulder and said "See ya next New Year's!" and he laughed. What a joke.
Get a lawyer, and get one fast. Don't sign anything, don't talk to anyone. They will do anything to win. Including show up at parties, undercover, asking where you're at. Or sending you tickets via registered mail. Just get a lawyer and be done with it.
Re: (Score:3)
I'm curious how practical this advice is in the face of the following facts:
Comment removed (Score:5, Informative)
Under duress? (Score:5, Interesting)
Aren't there laws which invalidate contracts signed under duress anyway? I thought I remembered reading that somewhere.
Re:Under duress? (Score:4, Interesting)
probably yes, in most jurisdictions. But it depends on who has the burden of proof.
Re:Under duress? (Score:4, Informative)
Yes, for a contract to be enforceable it has to be a meeting of the minds, a contract signed under threat of imprisonment wouldn't generally be valid under English common law. Now Montreal is in Quebec and so governed under Napoleonic code instead of English common law and so I'm not sure that that assumption still holds since I don't live in Quebec or Louisiana.
Re:Idiot. (Score:5, Insightful)
You do assume that this is going to be fought fairly. The legal system is a game of adversaries - and the objective of the college administration was not to fight a fair legal battle, but to win at all costs. If I were a bastard in their place, I'd see an obvious way to prevent him doing that: "You want a lawyer? Go ahead. But the moment you step out of this office, I'm calling the police. Either sign the NDA right now, I'll make sure you really do need that lawyer."
It's intimidation, of course. But most of the time I'd expect it to work. What's the worst that could happen? A college student finding enough money to file a civil suit against the college, that could take years to complete and cost more than he'll earn in a decade? No, most people would recognise that they are being strong-armed, but also that they are being strong-armed by someone with both the willingness and ability to utterly screw up their life if they don't comply... regardless of the fine points of contract law.
Re:Idiot. (Score:5, Insightful)
It wasn't the college... (Score:3)
That made him sign the NDA
Re:Idiot. (Score:4, Insightful)
Or don't hide the audio recorder. Put it on the table and turn it on, ask them to repeat what they say.
Re: (Score:3)
Re:Idiot. (Score:5, Insightful)
Calling a kid an idiot is a bit strong. He's only 20. It was only a few years ago that the biggest threat from an authority figure was that something he'd done might appear on his "permanent record." Nice to see another country that doesn't educate its citizens on their rights.
I'd be amazed if there isn't a lawyer who will take this up pro bono and sue the school.
Re:Idiot. (Score:5, Insightful)
Is there a reason you're so angry at someone who's never done anything to harm you?
I don't know if you're a lawyer, and I don't know if you've ever dealt with clients who have been bullied into signing things. I am, and I have. Your fantasy version of the perfectly rational college student making calm and collected decisions when he's being threatened with prison, from people who are his authority figures and who he assumed were there to help protect him, is ludicrous.
This disclosure won't affect whether a court ultimately determines that the contract was signed under duress. And now that there is going to be some extremely hostile press against the company (I hope), such a lawsuit may never materialize. In which case breaking the agreement may have been the smart thing to do.
Re:Idiot. (Score:5, Insightful)
Wow ... you seem to be lacking some basic empathy skills. Do you have any idea what it is like to be squeezed by some institutional power for no other reason than doing the right thing? It's brutal enough to be squeezed when you have some experience under your belt, but this kid was only twenty years old.
Now, let's say he finds himself in the same position a few years down the road and he repeats his actions, expecting a different result. Then, I'd call him an idiot. In this case, I call him exactly as he was: a student. It was a shitty lesson, but that's the point of college. It's not to get a job or join some pro football team. It's to learn and he learned by fire.
Re: (Score:3)
[...] this kid was only twenty years old.
Not true. In Quebec, we have the CEGEP system, which is equivalent to the last year of high school and freshman year of university. Dawson is a CEGEP, so Ahmed was almost definitely between 16 and 18.
Re:Idiot. (Score:5, Insightful)
What an unpleasant person you come across as. It must be nice to live in a brain that can have no empathy for other people, and can dismiss their mistakes because they're an 'idiot'. Not having to deal with trivial emotions like sympathy or concern.
It's good for you that when you became 18 or 16 (in your examples) you knew everything about your rights and could effectively counter any bullying tactics. Sadly the rest of us are not so fortunate, and when threatened by older, more experienced people in authority we tend to doubt our poor, meagre minds.
Re:Idiot. (Score:4, Informative)
Re: (Score:3)
Not that I agree with that ledow idiot, but this isn't the US where you're allowed to kill people in other countries three years before you can buy a six pack. He's legal to buy alcohol in Quebec.
Re: (Score:3)
Most students generally trust their college authority to work for their own good (especially in countries less sceptical of authority, like in Europe/Canada). When I was 20 years old, afraid of failing, afraid of the consequences of just being labelled a hacker on my career, with the enormous amount of money at risk of being lost AND trusting that the guy in front of me was actually doing me a favour, I could have been strong-armed into signing.
The College has moral authority on the student and abused it.
Re: (Score:3)
The two might look the same to USians. You see, in Canada, we don't sue you for getting hurt while robbing you. We don't even sue you for not saying sorry after you bump into us. In fact, lawyers are almost mythical creatures here, much less direct spawns of Satan.
Canadians also don't expect people to act completely irrationally or aggressively, because we're a pretty decent people to begin with. We aren't extremely paranoid and cautious, mainly because we aren't constantly t
Re:Ridiculous (Score:5, Informative)
I missed that part of the article. Can you quote the line where they said that?
It seemed more like he discovered a flaw and reported it. This embarrassed the university. He later tried to verify if the flaw had been fixed by using the flaw (probably not the best move he could have made) and the university used this as an excuse to terminate him.
Re:Ridiculous (Score:5, Interesting)
By not co-ordinating his follow-up testing with anyone (the vendor, the school, etc.) he was caught exploiting a known weakness in the software.
He had no responsibility or right to attack the software a second time; call it "testing" if you like, he chose to attack the software using the exact same exploit he warned them about earlier.
It wasn't his job to "test" their fix.
14 out of 15 professors chose to expel this student, a student who claims to have been "acing all his classes"; there just might be more to the story than this student is sharing with the reporter...
Re: (Score:3)
14 out of 15 professors chose to expel this student
Indeed this is the part I find the most telling that there is more to the story. Would all these professors really have conspired to avoid embarrassment for the college? Or, is there something these professors knew that isn't in TFA?
He found a flaw, waited two days, and then proceeded to use a general purpose tool. While this is most likely naivety on his part, it could also be something else we're not aware of.
But we don't have the logs, nor do we have info on the original vulnerability. If I were a pr
Re: (Score:3)
I generally agree that with the information in TFA
Re:Ridiculous (Score:4, Insightful)
Unless someone raises a stink, the whole process probably took about 10 minutes.
Re:Ridiculous (Score:5, Informative)
The Slashdot article summary is very misleading at best. He was not expelled because he reported a security flaw; he was expelled because he ran Acunetix [acunetix.com], a website vulnerability scanner, after he reported the vulnerability, without permission of the web gods. Although there was no malicious intent by Ahmed Al-Khabaz, he stepped over the line and the University was not in a forgiving mood, arguably vindictive.
Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.
“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”
For reporting the vulnerability in the first place, he was thanked by the University, but they did not take kindly to his using Acunetix. I would certainly agree that the university over-reacted, but they were not punishing him for discovering a vulnerability.
Thank you (Score:3)
Re:Ridiculous (Score:4, Insightful)
The Slashdot article summary is very misleading at best. He was not expelled because he reported a security flaw; he was expelled because he ran Acunetix [acunetix.com], a website vulnerability scanner, after he reported the vulnerability, without permission of the web gods. Although there was no malicious intent by Ahmed Al-Khabaz, he stepped over the line and the University was not in a forgiving mood, arguably vindictive.
Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.
“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”
For reporting the vulnerability in the first place, he was thanked by the University, but they did not take kindly to his using Acunetix. I would certainly agree that the university over-reacted, but they were not punishing him for discovering a vulnerability.
This can't be stated enough.
First of all, I have to wonder how he found the problem in the first place, if he used Acunetix to follow up later to see if it had been fixed. I doubt he just "stumbled" across it, frankly; when I want to check to see if a flaw has been fixed, I use the same method I used to discover the flaw in the first place. And they allude to this: that it's the second time they've seen him in their logs that way. So I get why they would have their doubts about the purity of his intention, especially since Acunetix is commercial software that he probably would have pirated, given that the trial version would have expired between the first and second tests. A lot of malicious scanning is done with this tool; I've seen it showing up in the logs of many clients over time. So again, that's another thing to cast doubt on the notion that he was just writing an API and happened to stumble across bad coding. If I look at it from the school's perspective, I can see why they were spooked. And I definitely have to question the way he portrays things as having taken place. You don't run an application security scan against someone's infrastructure without their permission, period. And this is why.
As for the software company threatening with legal action, that's nothing to do with the university. Yes, vendors go off the deep end over vulnerabilities, especially when they smell blood in the water because the person reporting the vulnerability has unclean hands. But the actions of the university are one thing, and the actions of the vendor are another.
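The comment above turns on the scanner showing up in the vendor's logs. As an added example, not code from this thread, from Skytech or from Dawson College, here is the kind of check a site operator runs over web-server access logs to spot exactly that: a client whose user-agent carries a known scanner marker, or that walks a large wordlist of paths in a short burst and collects mostly 4xx responses. The log format is assumed to be Apache/nginx "combined"; the user-agent marker strings, the thresholds, the IP addresses and the log lines themselves are all constructed for illustration (a real scanner's user-agent and request pattern vary by product and release, so tune the markers and thresholds to your own traffic).

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format (assumed; see the sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed user-agent substrings; the exact strings a given scanner sends vary
# by product and version, and a careful attacker simply changes them.
SCANNER_UA_MARKERS = ("acunetix", "nikto", "sqlmap", "nessus")

# Behavioural heuristic for a scan burst from one client: many requests to many
# distinct paths, mostly 4xx, inside a short window. Thresholds are illustrative.
MIN_REQUESTS = 20
MIN_DISTINCT_PATHS = 15
MIN_ERROR_RATIO = 0.5
WINDOW_SECONDS = 60


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines):
    """Group lines by client IP and return {ip: [reasons]} for suspected scanners."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        reasons = []
        # Signature check: any request from this IP with a scanner marker in the UA.
        if any(marker in r["ua"].lower() for r in recs for marker in SCANNER_UA_MARKERS):
            reasons.append("scanner user-agent")
        # Behavioural check: burst of distinct paths with a high 4xx share.
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        distinct = len({r["path"] for r in recs})
        err_ratio = sum(1 for r in recs if 400 <= r["status"] < 500) / len(recs)
        if (len(recs) >= MIN_REQUESTS and distinct >= MIN_DISTINCT_PATHS
                and err_ratio >= MIN_ERROR_RATIO and span <= WINDOW_SECONDS):
            reasons.append(f"{len(recs)} requests to {distinct} paths, "
                           f"{err_ratio:.0%} 4xx in {span:.0f}s")
        if reasons:
            findings[ip] = reasons
    return findings


def _sample_lines():
    # Constructed sample traffic, not real logs: one ordinary browser session,
    # then one client walking a wordlist of paths with an assumed scanner UA.
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/18.0"
    scanner = "Mozilla/5.0 (compatible; Acunetix)"  # assumed marker string
    lines = []
    for i, path in enumerate(["/", "/login", "/student/home"]):
        lines.append(fmt.format(ip="198.51.100.7", ts=f"24/Oct/2012:10:0{i}:00 -0400",
                                path=path, status=200, ua=browser))
    for i in range(25):
        lines.append(fmt.format(ip="203.0.113.5", ts=f"26/Oct/2012:21:15:{i:02d} -0400",
                                path=f"/probe{i}.php", status=404, ua=scanner))
    return lines


SAMPLE_LINES = _sample_lines()

if __name__ == "__main__":
    for ip, reasons in find_scanners(SAMPLE_LINES).items():
        print(ip, "->", "; ".join(reasons))
```

The user-agent check is the cheap one and the one a product like Acunetix will trip by default, which is how a vendor "sees you in their logs"; the burst heuristic is what still fires after someone rewrites the user-agent. Both produce false positives on crawlers and link checkers, so treat a hit as a lead for the on-call person, not as proof of intent.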
Re: (Score:3)
he used Acunetix
So in other words, he's a script kiddie? They're going nuts over that?
A lot of malicious scanning is done with this tool
What makes scanning so malicious? What's next, getting into trouble for trying to telnet to random IP addresses? Is it now a crime to point nmap at school IP addresses? Maybe surfing to their website and repeatedly hitting F5 is a reprehensible DoS attack?
Acunetix is commercial software that he probably would have pirated
Even if that's true, which you do not know, so what? I don't see where that has anything to do with the issue at hand.
I can see why they were spooked
Well, I can't. They can fix the flaws, it's not like that's ha
Re: (Score:3)
Re:Ridiculous (Score:5, Informative)
Here is the relevant section of the article;
After an initial meeting with Director of Information Services and Technology François Paradis on Oct. 24, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”
Note that jail was only mentioned after Acunetix was run.
Re:Ridiculous (Score:5, Interesting)
The rule here is to never sign an NDA in this case. Go public and burn the company in question with the media. Threatening people with jail when they discover an exploit in software is counterproductive and just plain stupid. The president of Skytech clearly doesn't understand software or computers in general. In fact, I am sure that he is just a plain capital asshole, as you can find them in companies everywhere.
Re: (Score:3)
Here is a quote from the Acunetix User Manual [acunetix.com] page 21:
NOTE: DO NOT SCAN A WEBSITE WITHOUT PROPER AUTHORIZATION!
Emphasis theirs
Re:Ridiculous (Score:5, Insightful)
Just because he had an Islamic name
What's "Islamic" about the name? If you said "Arabic", now that would be something else...
Re: (Score:3, Insightful)
But the administration probably doesn't understand the difference.
Montreal isn't in the United States, it's in Canada, where our culture of racism is quite different.
Re: (Score:3)
Arabs, Persians and Europeans have shown that they cannot interact peacefully. There are places in the world where Islam co-exists with other religions quite happily, even places where it has done so for centuries. Religion has much less to do with it than cultural friction which long predates Islam (and Christianity, for that matter), though certainly religion has become woven into the issue as well.
As far as France being a cautionary tale about Islam run amok... yeah, right. Islam is a minority religion i
Re:Screw the NDA (Score:5, Insightful)
Sure, nevermind all those other unrelated innocents who'd get their information stolen in consequence.
Re: (Score:3)
This. Zealots never seem to look past their own interests.
Re:Screw the NDA (Score:5, Insightful)
They are not innocent if they are funding a corrupt administration.
By this logic, no taxpayer in history was ever an 'innocent'.
I'm pretty sure that's exactly the argument that just about every terrorist/freedom fighter in the world falls back on when targeting civilians.
Re:Screw the NDA (Score:4, Interesting)
I think it's a pretty fair argument. After WWI the idea of not targeting civilians is simply a non-starter in any symmetric conflict and any asymmetric conflict where you are on the weak end. Look at Iraq, Afghanistan, and Pakistan. Think about all the excess blood and treasure we have invested in avoiding collateral damage to civilians and how many civilians have been maimed or killed anyway.
That is good and perhaps morally correct in a highly asymmetric situation where you have vastly superior capability to fight. I think you can argue anything other than "total war" is immoral when either it's an even match or you're outmatched.
The most immoral war you can possibly fight is one you can't win. That means you are harming others for ends that cannot possibly be achieved.
A freedom fighter must be willing to do what it takes or should do nothing at all. If you are fighting a superior enemy that likely requires considering the use of human shields and civilian targets. It means attacking the means of production even when what they produce is breadstuffs, etc.
Don't misconstrue this as an apology for the terrorists. Most of the individuals so labeled by our government are bad dudes who deserve destruction; there are some really sad and pathetically mislabeled folks as well. I simply suggest that if you take the primary cause of your conflict being justification for war as a conceit, then I believe you have an obligation to try and win it.
Re: (Score:3)
The article did mention there was a 2nd person working on the project who knew about the flaw. I do not know if this 2nd person also signed the NDA or not.
Re:Information wants to be free (Score:5, Insightful)
Sure, nevermind all those other unrelated innocents who'd get their information stolen in consequence.
Also, stop misusing that damn phrase, asshole.
Re:He tried to hack them again (Score:5, Insightful)
One man's "hack" is another man's Quality Assurance.
There are a lot of innocent bystanders here. Someone has chosen to be their champion in this thread already. Those bystanders are just as much at risk even if he takes the easy path and keeps his mouth shut.
Re: (Score:3)
Better yet: don't report a security hole you discover and follow up by trying it again without consent.