Student Expelled From Montreal College For Finding "Sloppy Coding" 633
innocent_white_lamb writes "In what appears to be a more-and-more common occurrence, Ahmed Al-Khabez has been expelled from Dawson College in Montreal after he discovered a flaw in the software that the college (and apparently all other colleges across Quebec) uses to track student information. His original intention was to write a mobile app to allow students to access their college account more easily, but during the development of his app he discovered 'sloppy coding' that would allow anyone to access all of the information that the system contains about any student. He was initially ordered to sign a non-disclosure agreement stating that he would never talk about the flaw that he discovered, and he was expelled from the college shortly afterward."
Under duress? (Score:5, Interesting)
Aren't there laws which invalidate contracts signed under duress anyway? I thought I remembered reading that somewhere.
Re:Under duress? (Score:4, Interesting)
probably yes, in most jurisdictions. But it depends on who has the burden of proof.
I found something a little bit like this (Score:5, Interesting)
When I was a CS student I discovered a flaw in the program we used to turn in assignments. The flaw allowed access to the code anyone had turned in for an assignment. I however elected to anonymously inform the CS dept about the problem. Glad I did. I found out they searched and searched trying to figure out who I was so they could kick me out. Sometimes it is better just to be an Anonymous Coward.
Re:Don't scan other people's systems (Score:4, Interesting)
So you rely primarily on security thru obscurity and hope that genuine bad guys would never scan you? That's pretty scary.
The funniest part is I've been putting up with scans/etc since the early 90s and it doesn't take long to figure out that almost all of them come from compromised systems, usually from another country. A local guy easily traced almost by definition is on your side, because a real bad guy would be coming from a rooted machine in .cn or something essentially untraceable like that. In other words if you can find and talk to the guy in "minutes" as per the story, he's probably on your side or at worse is a hopeless noob script kiddie who's no more harmful or harmless than the other one million kiddies out there, so there's no sense messing with him.
Re:Time to go to the press... (Score:5, Interesting)
These (school administrator) are actually "failed politicians". It's even worse when the school is a lower level like a high school. I've seen this problem rampant at the majority of schools I've had to deal with (mostly because of obvious network security issues already exploited by someone else). Politicians are people that like to gain power at the expense of others. But in the case of school administrators, they are just weaker people that have to seek a weaker pool of victims. But let me add that this is NOT 100%. I have met many school administrators who are not at all like that (one of whom actually went into politics later on). It's about 30% good, 70% bad, from my experience.
a lesson for students (Score:4, Interesting)
The lesson to be learned here is: If you're in college and someone threatens you with any sort of legal action, don't say a word, just walk out, and walk strait into a lawyers office. Immediately. While I was in college I got sued/fined/thrown out of different places so many times I've lost count. The college and college police think they are the law and use their power to manipulate and harass students they don't like.
I once had the police looking for me for 3 months to ticket me for lighting some firecrackers on newyears at 2am. It was a ridiculous cat and mouse game, and they refused to give up. Finally they "Caught" me and gave me a ticket. It went to trial for gods sake. The city paid for eye witnesses to testify and everything. It was a $100 fine and I won the case. It probably cost the city tens of thousands of dollars to screw with me for about 6 months. In the end, on the way out, I patted the DA on the shoulder and said "See ya next newyears!" and he laughed. What a joke.
Get a lawyer, and get one fast. Don't sign anything, don't talk to anymore. They will do anything to win. Including show up at parties, undercover, asking where you're at. Or sending you tickets via registered mail. Just get a lawyer and be done with it.
Re:Time to go to the press... (Score:5, Interesting)
Did they? The part I am surprised at the most is that 14 out of 15 CS professors voted to expel him. I suspect there is more to this story and we're only getting the kid's side. I find it hard to believe they voted to expel a kid without knowing his side of it. The summary also makes it sound like the people trying to get him to sign an NDA (the company) were the same people who expelled him (the 15 profs on the committee at the college) -- this is clearly not the case.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack.
Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour. Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty. He appealed his expulsion to the academic dean and even director-general Richard Filion. Both denied the appeal, leaving him in academic limbo.
The whole thing seems to imply a conspiracy between the college and company to throw him under the proverbial bus. But now conspiracy seems to involve 15 or more people at the college. And for what? Good discounts on software? Saving face? Doesn't appear they saved much face here. And I doubt all these professors were thinking about the financials of the college.
It also doesn't makes much sense from a PR standpoint to kick a dog that's already down. If they already had an NDA, why would the company want him expelled? Nevertheless, I have no doubts that this company acted irrationally and possibly intimidated him. How did the CEO know to call this kid moments after he tried using Acunetix? Obviously someone or something was watching the logs. And sadly it is far from unheard-of for companies to overreact when someone tells them about a vulnerability on their system.
However, that doesn't explain why the kid decided to run some general vulnerability testing software within 2 days notice to the company about the 'sloppy coding'. Now, I wouldn't call it a "cyber attack", but this kid was poking the company with a stick to see what shook loose. At this point his claimed honest intentions seem less clear to me. It could be he didn't know any better, or it could be he was looking for something more, or a mixture of the two. But this doesn't seem like the action of someone testing a vulnerability they found. It seems like someone doing "percussive" testing
Still, I can't imagine the school voted to expel him based on the info provided in TFA. There is a missing piece to this puzzle.
Re:Ridiculous (Score:5, Interesting)
By not co-ordinating his follow-up testing with anyone (the vendor, the school, etc.) he was caught exploiting a known weakness in the software.
He had no responsibility or right to attack the software a second time, call it "testing" if you like, he choose to attack the software using the exact same exploit he warned them about earlier.
It wasn't his job to "test" their fix.
14 out of 15 professors choose to expel this student - a student who claims to have been "acing all his classes" - there just might be more to the story than this student is sharing with the reporter...
Re:Never sign anything (Score:3, Interesting)
If the company threatened to call the RCMP unless he signs the NDA, then either:
1. He is a criminal, and the company conspired with him.
or
2. The company extorted an agreement with him with no compensation, based on false premise of his actions being a crime.
or
3. The company extorted an agreement with him with no compensation, by threatening to commit perjury.
No matter what his actions are, the company either committed a crime or owes him a compensation for NDA, or both. And that does not include even include the company's role in events that caused the college to expel him.
Re:Don't scan other people's systems (Score:5, Interesting)
Yes that's my point, there is too much traffic of that nature "out on the real inet" to bother with UNLESS you're using specific rules to filter just to "get" one guy.
Its a bit spammy, like reporting everyone who looked at your front door as a potential burglar. That might even work in the deepest back hills of Montana 200 miles from the nearest city. But the internet hasn't been like that since the early 90s, maybe earlier, so its like being on a busy Manhattan street and reporting every passerby who glances at your front office door as a crook.
Re:Don't scan other people's systems (Score:2, Interesting)
So you rely primarily on security thru obscurity and hope that genuine bad guys would never scan you? That's pretty scary.
Straw man. That's not what he said at all.
The issue is that running unauthorized "vulnerability scans" is exactly what hackers do prior to busting into a network. Since he was a student there, it would have behooved him to coordinate his tests with the Network folks, rather than attacking the system in exactly the same way a hacker would.
Perhaps they would have said "no way, piss off". But you can't make unauthorized attempts to crack someone's network and expect them to be happy about it.
Re:Ridiculous (Score:5, Interesting)
The rule here is to never sign NDA in this case. Go public and burn the company in question with the media. Threatening people with jail when they discover a exploit in software is counter-active and just plain stupid. The president of Skytech clearly doesn't understand software or computers in general. In fact. I am sure that he is just plain capital asshole as you can find them in companies everywhere.
Re:Screw the NDA (Score:4, Interesting)
I think its a pretty fair argument. After WWI the idea of not targeting civilians is simple a non-starter in any symmetric conflict and any asymmetric conflict were you are on the weak end. Look at Iraq, Afghanistan, and Pakistan. Think about all the excess blood and treasure we have investing in avoiding collateral damage to civilians and how many civilians have been maimed or killed anyway.
That is good and perhaps morally correct in a highly asymmetric situation where you have vastly superior capability to fight. I think you can argue anything other than "total war" is immoral when either its an even match or you're out matched.
The most immoral war you can possibly fight is one you can't win. That means you are harming others for ends that cannot possibly be achieved.
A freedom fighter must be willing to do what it takes or should do nothing at all. If you are fighting a superior enemy that likely requires considering the use of human shields and civilian targets. It means attacking the means of production even when what the produce is bread stuffs, etc.
Don't misconstrue this as an apology for the terrorists. Most of so labeled individuals by our government are bad dudes who deserve destruction, there are some really sad and pathetically mislabeled folks as well. I simply suggest that if you take the primary cause of your conflict being justification for war as a conceit; than I believe you have an obligation to try and win it.
Re:Time to go to the press... (Score:5, Interesting)
Speaking of High School...I was once threatened with expulsion, had to file a police report, and have my mom come in to talk to the principal because I downloaded public-domain clips of police chases for a report at school. My teacher saw them one day and approved it, and then the next had me taken in for breaching the computer/internet access policy we all had to sign. I had to explain that, due to the loose language of "you may not download any content to school computers" that they should immediately disconnect every computer from the internet, or at least forbid browsing, as every page view "downloads" data to the computer, thus making EVERY user of the internet in the entire district in violation of the policy. Plus it put them in a bind that the teacher saw exactly what I was doing and did nothing about it until another student found the videos the next morning.
They thought they had a computer hacker on their hands and treated me as such. Too bad when we did start testing the network for holes - we found plenty and kept our mouths shut and our found holes open.