
Student Expelled From Montreal College For Finding "Sloppy Coding" 633

Posted by samzenpus
from the this-is-not-the-code-you-are-looking-for dept.
innocent_white_lamb writes "In what appears to be a more-and-more common occurrence, Ahmed Al-Khabez has been expelled from Dawson College in Montreal after he discovered a flaw in the software that the college (and apparently all other colleges across Quebec) uses to track student information. His original intention was to write a mobile app to allow students to access their college account more easily, but during the development of his app he discovered 'sloppy coding' that would allow anyone to access all of the information that the system contains about any student. He was initially ordered to sign a non-disclosure agreement stating that he would never talk about the flaw that he discovered, and he was expelled from the college shortly afterward."
  • Remember (Score:5, Insightful)

    by Anonymous Coward on Monday January 21, 2013 @09:53AM (#42646315)

    All problems can be solved by personally punishing someone in an unrelated fashion to their crime, rather than simply fixing the problem.

  • by TWX (665546) on Monday January 21, 2013 @09:53AM (#42646319)
    ...and report on exactly how this flaw works, and what its implications are.

    The college system turned a friend or at least a neutral party into an enemy. They should expect any and all damage that he can inflict on the administrators at the top that were foolish enough to support the actions taken against the student.
  • by Anonymous Coward on Monday January 21, 2013 @09:54AM (#42646331)

    So, go to an internet cafe and set it free. They fucked you, so fuck them back.

  • by Joe_Dragon (2206452) on Monday January 21, 2013 @09:55AM (#42646339)

    Outside vendor freaked out and it's easier for the school to take the easy way out and kick him out than it is to help him.

  • by Anonymous Coward on Monday January 21, 2013 @10:00AM (#42646381)

    Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected.

    Seriously, don't run Acunetix or Retina scans or whatever on other people's systems. It looks like you are probing for vulnerabilities because, well, that's exactly what it's doing.

    And if I'm a sys-admin, I'm going to see that and think you're an attacker. From my point of view, you've just cased the joint. That's what I'm going to report up, and from there everything gets ugly.

  • by tommeke100 (755660) on Monday January 21, 2013 @10:01AM (#42646385)
    And this is a couple of days after some other big IT personality gave a speech at the funeral stating he could have been gone the same way as Aaron Swartz if he would have been punished the same way during his hacking and exploring days during College.
    Sad.
  • by alphatel (1450715) * on Monday January 21, 2013 @10:08AM (#42646423)
    Techs everywhere need to learn this important lesson: Never Sign Anything unless you are also offered on the same piece of paper a guarantee of what you receive in return. You get no prize money for signing an NDA or DNC. If you ask for it, you will get 1) a job, 2) some cash, 3) some action not taken. You can ask for nothing, but you will get the exact opposite - penalized or harmed. Your goal is to sign something such that if what you are offered is not fulfilled, the NDA is broken.

    As it stands, asking someone to sign an NDA and not offering a guarantee of something in return is already suspect and can be fought. You had an expectation that you wouldn't get expelled, or that you would get a free education, or something else of benefit to you. People need to learn that colleges, Lance Armstrongs and corporations all act the same way. You will get screwed if and when there is an opportunity to screw you. And you will go broke defending what is right. Few will care.
    Don't Sign without Something in Return (DSSR)!
  • Re:Screw the NDA (Score:5, Insightful)

    by X0563511 (793323) on Monday January 21, 2013 @10:10AM (#42646437) Homepage Journal

    Sure, nevermind all those other unrelated innocents who'd get their information stolen in consequence.

  • Re:Idiot. (Score:5, Insightful)

    by SuricouRaven (1897204) on Monday January 21, 2013 @10:10AM (#42646441)

    You do assume that this is going to be fought fairly. The legal system is a game of adversaries - and the objective of the college administration was not to fight a fair legal battle, but to win at all costs. If I were a bastard in their place, I'd see an obvious way to prevent him doing that: "You want a lawyer? Go ahead. But the moment you step out of this office, I'm calling the police. Either sign the NDA right now, I'll make sure you really do need that lawyer."

    It's intimidation, of course. But most of the time I'd expect it to work. What's the worst that could happen? A college student finding enough money to file a civil suit against the college, that could take years to complete and cost more than he'll earn in a decade? No, most people would recognise that they are being strong-armed, but also that they are being strong-armed by someone with both the willingness and ability to utterly screw up their life if they don't comply... regardless of the fine points of contract law.

  • by X0563511 (793323) on Monday January 21, 2013 @10:11AM (#42646445) Homepage Journal

    Sure, nevermind all those other unrelated innocents who'd get their information stolen in consequence.

    Also, stop misusing that damn phrase, asshole.

  • Re:Remember (Score:2, Insightful)

    by durrr (1316311) on Monday January 21, 2013 @10:13AM (#42646461)

    Crime?
    If I see a bank vault missing a wall, am I criminal for pointing out this obvious and stupid flaw?

  • by Intrepid imaginaut (1970940) on Monday January 21, 2013 @10:13AM (#42646467)

    I'm fascinated by the adversarial attitude the college administration appears to have towards their students. I mean unless there's more to this story than we know about, like he made suggestive comments about the press or threatened them first, they apparently made him sign an NDA and booted him when they felt he had no recourse.

    I'd have very serious questions about the ethical or even social ability of these people to operate a third level institution. It strikes me as classic CYA from middle management with extreme prejudice, which typically indicates angry disconnected shut-ins in the back room. Well, either that or aloof disconnected gentlemen's clubs in the back room. Same result either way. It's not a learning environment from their perspective, it's a simmering cauldron of unpleasantness that must be kept strictly under control lest it get in the way of money.

  • Re:Ridiculous (Score:5, Insightful)

    by K. S. Kyosuke (729550) on Monday January 21, 2013 @10:14AM (#42646479)

    Just because he had an Islamic name

    What's "Islamic" about the name? If you said "Arabic", now that would be something else...

  • Re:Idiot. (Score:5, Insightful)

    by Anonymous Coward on Monday January 21, 2013 @10:16AM (#42646495)

    Calling a kid an idiot is a bit strong. He's only 20. It was only a few years ago that the biggest threat from an authority figure was that something he'd done might appear on his "permanent record." Nice to see another country that doesn't educate its citizens on their rights.

    I'd be amazed if there isn't a lawyer who won't take this up pro bono and sue the school.

  • by Anonymous Coward on Monday January 21, 2013 @10:18AM (#42646501)

    By the story linked, he wasn't expelled for finding a software flaw, he was expelled for running a vulnerability scanner against their network.

    Everything with finding the flaw seems to have gone fine. He found the flaw while working to develop an app, he did nothing wrong, and it seems like he got kudos for it, not any sort of harassment at all.

    Then he started using a vulnerability scanner on their network. You never do this without an arrangement (IE a pen testing contract). Never ever ever. It's illegal for one, it definitely can disrupt systems, and it sends up all kinds of red flags.

    On the other hand, no one told me those things in college; they were part of my job training post-college. When I was at school, there were no 'ethical hacking' classes that let you know what is and is not illegal to do as part of vulnerability research. So I doubt very much the kid had any idea what was going wrong. Hell, I know now that most big universities get crazy-angry if you do anything that even looks like an attack over them... but no one told me that in college when I was actually using those networks.

    The company took a rather strong wording but soft action: they elected not to pursue anything past getting him to sign an NDA. They didn't ask the school to expel him, the school did that entirely on their own. The student clearly doesn't understand why he was expelled, either. At least not by his quotes in the story (he's sure it's trying to cover up the flaws; in reality it's almost certainly because he ran what is considered a cyber attack across a university network, very illegal and very likely to piss off the administration).

    Obviously he shouldn't have been expelled; he did not act with malice, and clearly still doesn't know the legal boundaries. What this tells me is it's long past time to start coupling your computer science 101 class with a cyber ethics and law 101 class. While anyone who works for a pen testing company can immediately see where things went bad, his actions make perfect sense from the perspective of a college student.

  • Re:Idiot. (Score:5, Insightful)

    by saihung (19097) on Monday January 21, 2013 @10:20AM (#42646519)

    Is there a reason you're so angry at someone who's never done anything to harm you?

    I don't know if you're a lawyer, and I don't know if you've ever dealt with clients who have been bullied into signing things. I am, and I have. Your fantasy version of the perfectly rational college student making calm and collected decisions when he's being threatened with prison, from people who are his authority figures and who he assumed were there to help protect him, is ludicrous.

    This disclosure won't affect whether a court ultimately determines that the contract was signed under duress. And now that there is going to be some extremely hostile press against the company (I hope), such a lawsuit may never materialize. In which case breaking the agreement may have been the smart thing to do.

  • by JaredOfEuropa (526365) on Monday January 21, 2013 @10:20AM (#42646521) Journal
    Since the security flaw left personal data of all students including himself out in the open, I'd say he had every right to see if the company patched the hole yet. One might even say it was his duty to check. This was just 2 days after he reported the hack, but does shooting the messenger imply that they worry more about their reputation than the actual security flaw? Especially since the student took pains to report the issue rather than exploit or publish it. For once I'd like to see trigger-happy software companies and institutions like these hauled before court on charges of gross negligence, undue duress, and leaking of personal info.

    I wonder why the school decided to expel him. The software company overreacted a bit when they found out; perhaps they sent a note to the school to the effect of "We found that student of yours hacking around in our system again; we've told him we'll call the cops if he keeps doing it". I can see why the school would expel him on the strength of that.
  • Re:Idiot. (Score:5, Insightful)

    by WankersRevenge (452399) on Monday January 21, 2013 @10:21AM (#42646525)

    Wow ... you seem to be lacking some basic empathy skills. Do you have any idea what it is like to be squeezed by some institutional power for no other reason than doing the right thing? It's brutal enough to be squeezed when you have some experience under your belt, but this kid was only twenty years old.

    Now, let's say he finds himself in the same position a few years down the road and he repeats his actions, expecting a different result. Then, I'd call him an idiot. In this case, I call him exactly as he was: a student. It was a shitty lesson, but that's the point of college. It's not to get a job or join some pro football team. It's to learn and he learned by fire.

  • by jedidiah (1196) on Monday January 21, 2013 @10:24AM (#42646545) Homepage

    One man's "hack" is another man's Quality Assurance.

    There are a lot of innocent bystanders here. Someone has chosen to be their champion in this thread already. Those bystanders are just as much at risk even if he takes the easy path and keeps his mouth shut.

  • Re:Remember (Score:4, Insightful)

    by RicardoGCE (1173519) on Monday January 21, 2013 @10:30AM (#42646607)

    No, but if you later try to break into the bank to make sure they fixed the wall, they might misinterpret your intentions.

  • by Anonymous Coward on Monday January 21, 2013 @10:35AM (#42646655)

    An Idiot? To trust senior staff at a teaching institution?

    Naive perhaps.
    Too trusting maybe.
    But an Idiot?
    I'd rather live in his worldview than yours.

  • Re:Idiot. (Score:5, Insightful)

    by jareth-0205 (525594) on Monday January 21, 2013 @10:40AM (#42646723) Homepage

    What an unpleasant person you come across as. It must be nice to live in a brain that can have no empathy for other people, and can dismiss their mistakes because they're an 'idiot'. Not having to deal with trivial emotions like sympathy or concern.

    It's good for you that when you became 18 or 16 (in your examples) you knew everything about your rights and could effectively counter any bullying tactics. Sadly the rest of us are not so fortunate, and when threatened by older, more experienced people in authority we tend to doubt our poor, meagre minds.

  • Re:Remember (Score:5, Insightful)

    by Skapare (16644) on Monday January 21, 2013 @10:43AM (#42646745) Homepage

    I would characterize it more like "if you walked down that same old dingy dark alley where you discovered the hole in the wall to the safe before, they will assume that this time it clearly must be to exploit the vulnerability and cause them the expense of having to actually brick up the hole".

  • Really? (Score:4, Insightful)

    by kenh (9056) on Monday January 21, 2013 @10:44AM (#42646763) Homepage Journal

    How "common" is this? How common is it for college students to find security flaws in the code that schools run, and to be expelled for uncovering it? That isn't even what happened here:

    He was expelled for his "testing" of the breach after he told the administration and the software company about the security flaw.

    Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.

    “It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”

    He was not expelled for finding the security flaw, he was expelled for running what was a well-intentioned "attack" on the software he identified the flaw in. If he had co-ordinated with the software vendor there would have been no issue. Of course, the only way you'd know that is by reading the linked-to article - I wonder why the headline author didn't do that?

  • Re:Idiot. (Score:4, Insightful)

    by irtza (893217) on Monday January 21, 2013 @10:45AM (#42646773) Homepage

    Or don't hide the audio recorder. Put it on the table and turn it on, ask them to repeat what they say.

  • Re:Idiot. (Score:5, Insightful)

    by FBeans (2201802) on Monday January 21, 2013 @10:45AM (#42646779)
    Or of course, they could have just gone to him, showing their own proof that they had indeed fixed the problem. Thanked him again for not exploiting the weakness in their system and understanding that students trying to learn, be constructive and help others access information easier are the kind you want in your University. Everything after, whether correct or incorrect, is understandable coming from a fellow student. People make mistakes. When the College did it, they were given a second chance, because of this guy. When he then made a mistake, no such option was granted. He's better off without the college, and at least he will have learnt a few things. It's all just a shame really.
  • Re:Ridiculous (Score:3, Insightful)

    by Anonymous Coward on Monday January 21, 2013 @10:47AM (#42646799)

    But the administration probably doesn't understand the difference.

    Montreal isn't in the United States, it's in Canada, where our culture of racism is quite different.

  • Re:Ridiculous (Score:1, Insightful)

    by Dishevel (1105119) on Monday January 21, 2013 @11:07AM (#42646989)

    OTOH.
    Let's look at what happens when you let Islamists have their way in your country for a bit.
    Let's look at France.
    Let me go on record. Without being AC.
    Islam is a religion that allows no other religions to exist.
    Everywhere it has taken hold and become dominant it has used that dominance for evil.
    Fuck them.

  • Re:Ridiculous (Score:4, Insightful)

    by Shoten (260439) on Monday January 21, 2013 @11:17AM (#42647071)

    The Slashdot article summary is very misleading at best. He was not expelled because he reported a security flaw, he was expelled because he ran Acunetix [acunetix.com], a website vulnerability scanner, after he reported the vulnerability, without permission of the web gods. Although there was no malicious intent by Ahmed Al-Khabaz, he stepped over the line and the University was not in a forgiving mood, arguably vindictive.

    Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.

    “This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”

    For reporting the vulnerability in the first place, he was thanked by the University, but they did not take kindly to using Acunetix -- I would certainly agree that the university over-reacted, but they were not punishing him for discovering a vulnerability.

    This can't be stated enough.

    First of all, I have to wonder how he found the problem in the first place, if he used Acunetix to follow up later to see if it had been fixed. I doubt he just "stumbled" across it, frankly; when I want to check to see if a flaw has been fixed, I use the same method I used to discover the flaw in the first place. And they allude to this...that it's the second time they've seen him in their logs that way. So I get why they would have their doubts about the purity of his intention, especially since Acunetix is commercial software that he probably would have pirated, given that the trial version would have expired between the first and second tests. A lot of malicious scanning is done with this tool; I've seen it showing up in the logs of many clients over time. So again, that's another thing to cast doubt on the notion that he was just writing an API and happened to stumble across bad coding. If I look at it from the school's perspective, I can see why they were spooked. And I definitely have to question the way he portrays things as having taken place. You don't run an application security scan against someone's infrastructure without their permission, period. And this is why.

    As for the software company threatening with legal action, that's nothing to do with the university. Yes, vendors go off the deep end over vulnerabilities, especially when they smell blood in the water because the person reporting the vulnerability has unclean hands. But the actions of the university are one thing, and the actions of the vendor are another.

  • Re:Screw the NDA (Score:5, Insightful)

    by SpeedBump0619 (324581) on Monday January 21, 2013 @11:17AM (#42647085)

    They are not innocent if they are funding a corrupt administration.

    By this logic, no taxpayer in history was ever an 'innocent'.

    I'm pretty sure that's exactly the argument that just about every terrorist/freedom fighter in the world falls back on when targeting civilians.

  • by Kupfernigk (1190345) on Monday January 21, 2013 @11:51AM (#42647419)
    If 14 out of 15 academic staff agreed on the same issue, there is indeed more to the story, such as what pressure was being brought to bear on them.
  • Re:My Ass (Score:5, Insightful)

    by Anonymous Coward on Monday January 21, 2013 @12:22PM (#42647807)

    Honest! I was just trying to make this mobile app so I had to hack into your system and I found this sloppy code that let me in!

    What part of "Do not access things you are not authorized to access" do these people not understand?

    If you stumble onto a defect in an information system while developing an application front-end to that system, there is no unauthorised access. The level of intelligence on /. has decreased significantly from the early days. More's the pity.

  • by borcharc (56372) * on Monday January 21, 2013 @12:24PM (#42647841)

    Really? Will all the real sysadmins stand up. Every internet exposed system gets these scans run several times a day from random sites. Who even takes the time to investigate this shit? Just auto detect and auto block like a normal person. Hell, look at your auth logs and see all the brute force root pw attempts from random IPs 24/7? Go install an old version of RHEL with an old LAMP stack without a firewall and wait if you don't believe me.

    This was targeted at the student; they were looking, desperately, for him.
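    Several commenters make the same defender-side point: a scanner run against a web application stands out in the server logs (the "you've just cased the joint" remark earlier in the thread, and the "just auto detect and auto block" comment directly above). As an added example, not code from the article, the vendor or any commenter, the Python below flags that pattern over constructed access-log lines: one client hitting many distinct paths in a short window and drawing mostly 4xx responses. The IPs, paths, user-agent strings and thresholds are all assumptions.

```python
"""Flag scanner-like request bursts in web server access logs.
Added example for this thread (not the article's, the vendor's or a commenter's
code); all IPs, paths and user-agent strings below are constructed samples."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def scanner_candidates(lines, window=timedelta(seconds=60), min_requests=20,
                       min_paths=15, min_error_ratio=0.5):
    """Return {ip: summary} for clients whose traffic in any sliding window
    looks like automated probing. Thresholds are assumptions to tune locally."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Shrink the window from the left until it spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            if len(win) < min_requests:
                continue
            paths = {r["path"] for r in win}
            errors = sum(1 for r in win if 400 <= r["status"] < 500)
            if len(paths) >= min_paths and errors / len(win) >= min_error_ratio:
                all_errors = sum(1 for r in recs if 400 <= r["status"] < 500)
                flagged[ip] = {
                    "requests": len(recs),
                    "distinct_paths": len({r["path"] for r in recs}),
                    "error_ratio": round(all_errors / len(recs), 2),
                    "user_agents": sorted({r["ua"] for r in recs}),
                }
                break  # one qualifying window per client is enough to alert
    return flagged


def make_sample_lines():
    """Constructed sample log: one student browsing normally, one client probing."""
    base = datetime(2013, 1, 18, 21, 0, 0, tzinfo=timezone(timedelta(hours=-5)))
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    lines = []
    for i in range(5):  # five portal pages over 40 s, all 200: normal use
        ts = (base + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="10.0.0.5", ts=ts, path=f"/portal/grades?page={i}",
                                status=200, ua="Mozilla/5.0 (constructed browser)"))
    for i in range(30):  # thirty distinct paths in 30 s, mostly 404: probing
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="10.0.0.99", ts=ts, path=f"/portal/guess{i}.php",
                                status=200 if i % 6 == 0 else 404,
                                ua="constructed-scanner/1.0"))
    return lines
```

    The flagged summary is what an "auto detect and auto block" rule would key on; the browsing client never reaches the request threshold and is left alone.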

  • Re:Ridiculous (Score:4, Insightful)

    by jythie (914043) on Monday January 21, 2013 @02:16PM (#42649083)
    Depending on the culture of that specific university, yes, I could believe they were easily duped. Professors tend to be overworked and these committee assignments can be quite draining. They rarely will sit and do independent checking or even really debate the topic, most of them are willing to just hear the complaint and apply the rules quickly so they can get back to tasks more directly connected to their jobs. The evidence may have been as simple as 'Our long term partner has brought charges against this student for attempting to hack their network. Our relationship with them is important and failure to hold up our guidelines regarding unprofessional conduct could sour the relationship or even lead to legal troubles'. Unless they have a reason to suspect the company is feeding them false or misleading information they have a significant incentive to just believe them.

    Unless someone raises a stink, the whole process probably took about 10 minutes.
  • Re:Remember (Score:4, Insightful)

    by bzipitidoo (647217) <bzipitidoo@yahoo.com> on Monday January 21, 2013 @02:21PM (#42649111) Journal

    People keep comparing this to stepping through the missing wall of a vault.

    I think a better analogy is coming back a week later and shining a flashlight or laser beam on the vault, and discovering that there is still no wall.

  • Re:Remember (Score:5, Insightful)

    by tibit (1762298) on Monday January 21, 2013 @04:02PM (#42650327)

    The deal is that this is IT, not physical world, and you cannot reuse the same mode of thinking. In IT, vulnerability testing is a good thing, not a bad thing. It leads to fixes, hopefully. Relevant laws, to be moral (IMHO), should be written so that bad intentions are required to make access to a computer system a crime. Unauthorized access in itself shouldn't be criminal if it's done in a bona-fide attempt to find vulnerabilities and inform the owners/developers of the system of those. It shouldn't be criminal in a bona-fide attempt at interoperability either -- again, IMHO.

  • Re:My Ass (Score:5, Insightful)

    by cheater512 (783349) <nick@nickstallman.net> on Monday January 21, 2013 @04:16PM (#42650469) Homepage

    If a vulnerability scan crashes a system then there really is sloppy coding.

    Anonymous could stop DDoS attacks and instead just run a couple of vulnerability scans to take down their opponents. So much easier!

  • Re:My Ass (Score:5, Insightful)

    by OneAhead (1495535) on Monday January 21, 2013 @05:02PM (#42650877)
    Even though I'm not a security researcher, I have in a distant past stumbled onto security flaws while trying to interface with something. The claim is entirely plausible. You might want to stop taking these pills you're talking about; they obviously don't help.
  • Re:My Ass (Score:4, Insightful)

    by dbIII (701233) on Tuesday January 22, 2013 @06:48AM (#42655291)
    Causing embarrassment to a big silverback that can chase you out of the group.
