
Student Expelled From Montreal College For Finding "Sloppy Coding"

Posted by samzenpus
from the this-is-not-the-code-you-are-looking-for dept.
innocent_white_lamb writes "In what appears to be a more-and-more common occurrence, Ahmed Al-Khabez has been expelled from Dawson College in Montreal after he discovered a flaw in the software that the college (and apparently all other colleges across Quebec) uses to track student information. His original intention was to write a mobile app to allow students to access their college account more easily, but during the development of his app he discovered 'sloppy coding' that would allow anyone to access all of the information that the system contains about any student. He was initially ordered to sign a non-disclosure agreement stating that he would never talk about the flaw that he discovered, and he was expelled from the college shortly afterward."
  • Terrorist? (Score:4, Funny)

    by snsh (968808) on Monday January 21, 2013 @08:49AM (#42646285)

    Troublist!

    • by Anonymous Coward on Monday January 21, 2013 @09:04AM (#42646403)

      In trouble for finding sloppy coding?

      What'd he do, boot a Windows computer?

  • Remember (Score:5, Insightful)

    by Anonymous Coward on Monday January 21, 2013 @08:53AM (#42646315)

    All problems can be solved by personally punishing someone in an unrelated fashion to their crime, rather than simply fixing the problem.

    • Re: (Score:2, Insightful)

      by durrr (1316311)

      Crime?
      If I see a bank vault missing a wall, am I criminal for pointing out this obvious and stupid flaw?

      • Re:Remember (Score:4, Insightful)

        by RicardoGCE (1173519) on Monday January 21, 2013 @09:30AM (#42646607)

        No, but if you later try to break into the bank to make sure they fixed the wall, they might misinterpret your intentions.

        • Re:Remember (Score:5, Insightful)

          by Skapare (16644) on Monday January 21, 2013 @09:43AM (#42646745) Homepage

          I would characterize it more like "if you walked down that same old dingy dark alley where you discovered the hole in the wall to the safe before, they will assume that this time it clearly must be to exploit the vulnerability and cause them the expense of having to actually brick up the hole".

          • Re:Remember (Score:5, Insightful)

            by tibit (1762298) on Monday January 21, 2013 @03:02PM (#42650327)

            The deal is that this is IT, not the physical world, and you cannot reuse the same mode of thinking. In IT, vulnerability testing is a good thing, not a bad thing. It leads to fixes, hopefully. Relevant laws, to be moral (IMHO), should be written so that bad intentions are required to make access to a computer system a crime. Unauthorized access in itself shouldn't be criminal if it's done in a bona-fide attempt to find vulnerabilities and inform the owners/developers of the system of those. It shouldn't be criminal in a bona-fide attempt at interoperability either -- again, IMHO.

        • by shaitand (626655)

          They wouldn't be misinterpreting my intentions. If I spot a giant hole into a bank vault when walking down the alley and resist the temptation once and point it out then walk back by next week and it is still an open hole... the only logical explanation is that the bank wants me to have the money. It is an implicit gift!

  • by TWX (665546) on Monday January 21, 2013 @08:53AM (#42646319)
    ...and report on exactly how this flaw works, and what its implications are.

    The college system turned a friend or at least a neutral party into an enemy. They should expect any and all damage that he can inflict on the administrators at the top that were foolish enough to support the actions taken against the student.
    • by Intrepid imaginaut (1970940) on Monday January 21, 2013 @09:13AM (#42646467)

      I'm fascinated by the adversarial attitude the college administration appears to have towards their students. I mean unless there's more to this story than we know about, like he made suggestive comments about the press or threatened them first, they apparently made him sign an NDA and booted him when they felt he had no recourse.

      I'd have very serious questions about the ethical or even social ability of these people to operate a third level institution. It strikes me as classic CYA from middle management with extreme prejudice, which typically indicates angry disconnected shut-ins in the back room. Well, either that or aloof disconnected gentlemen's clubs in the back room. Same result either way. It's not a learning environment from their perspective, it's a simmering cauldron of unpleasantness that must be kept strictly under control lest it get in the way of money.

      • by Skapare (16644) on Monday January 21, 2013 @09:49AM (#42646823) Homepage

        These (school administrators) are actually "failed politicians". It's even worse when the school is a lower level like a high school. I've seen this problem rampant at the majority of schools I've had to deal with (mostly because of obvious network security issues already exploited by someone else). Politicians are people that like to gain power at the expense of others. But in the case of school administrators, they are just weaker people that have to seek a weaker pool of victims. But let me add that this is NOT 100%. I have met many school administrators who are not at all like that (one of whom actually went into politics later on). It's about 30% good, 70% bad, from my experience.

        • by denmarkw00t (892627) on Monday January 21, 2013 @12:57PM (#42648871) Homepage Journal

          Speaking of High School...I was once threatened with expulsion, had to file a police report, and have my mom come in to talk to the principal because I downloaded public-domain clips of police chases for a report at school. My teacher saw them one day and approved it, and then the next had me taken in for breaching the computer/internet access policy we all had to sign. I had to explain that, due to the loose language of "you may not download any content to school computers" that they should immediately disconnect every computer from the internet, or at least forbid browsing, as every page view "downloads" data to the computer, thus making EVERY user of the internet in the entire district in violation of the policy. Plus it put them in a bind that the teacher saw exactly what I was doing and did nothing about it until another student found the videos the next morning.

          They thought they had a computer hacker on their hands and treated me as such. Too bad when we did start testing the network for holes - we found plenty and kept our mouths shut and our found holes open.

      • Who bought the third party software with the security flaw? What, if anything, was their relationship to the vendor?
      • by Jmc23 (2353706) on Monday January 21, 2013 @11:39AM (#42648041) Journal
        I think it has less to do with the school and more to do with Canada in general. Most of Canada's networks run on security through obscurity and we don't pay decent wages to software people.

        As an example, I got let go from a government job because they considered me a security risk just because I asked what servers they were running! Most of the software was badly programmed VBasic, then what do you expect when you hire a programmer for $30k/annum? The absurdity is that the manager of the office overrode my dismissal because they couldn't get anybody else to fix their corrupted databases. Something not one of their system administrators could fix as they had absolutely no experience outside of school.

        Might just be governments being clueless about software. Canada did pay millions to use a search system, developed by the US gov't, that doesn't actually search the content of pages. Brilliant.

    • by Anonymous Coward on Monday January 21, 2013 @10:06AM (#42646983)

      Did they? The part I am surprised at the most is that 14 out of 15 CS professors voted to expel him. I suspect there is more to this story and we're only getting the kid's side. I find it hard to believe they voted to expel a kid without knowing his side of it. The summary also makes it sound like the people trying to get him to sign an NDA (the company) were the same people who expelled him (the 15 profs on the committee at the college) -- this is clearly not the case.

      Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.

      “It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack.

      Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour. Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty. He appealed his expulsion to the academic dean and even director-general Richard Filion. Both denied the appeal, leaving him in academic limbo.

      The whole thing seems to imply a conspiracy between the college and company to throw him under the proverbial bus. But now conspiracy seems to involve 15 or more people at the college. And for what? Good discounts on software? Saving face? Doesn't appear they saved much face here. And I doubt all these professors were thinking about the financials of the college.

      It also doesn't make much sense from a PR standpoint to kick a dog that's already down. If they already had an NDA, why would the company want him expelled? Nevertheless, I have no doubts that this company acted irrationally and possibly intimidated him. How did the CEO know to call this kid moments after he tried using Acunetix? Obviously someone or something was watching the logs. And sadly it is far from unheard-of for companies to overreact when someone tells them about a vulnerability on their system.

      However, that doesn't explain why the kid decided to run some general vulnerability testing software within 2 days' notice to the company about the 'sloppy coding'. Now, I wouldn't call it a "cyber attack", but this kid was poking the company with a stick to see what shook loose. At this point his claimed honest intentions seem less clear to me. It could be he didn't know any better, or it could be he was looking for something more, or a mixture of the two. But this doesn't seem like the action of someone testing a vulnerability they found. It seems like someone doing "percussive" testing.

      Still, I can't imagine the school voted to expel him based on the info provided in TFA. There is a missing piece to this puzzle.

  • by Joe_Dragon (2206452) on Monday January 21, 2013 @08:55AM (#42646339)

    Outside vendor freaked out and it's easier for the school to take the easy way out and kick him out than it is to help him.

  • Do whistleblower laws cover this? And what was the scope of his work?

    sounds like he found something and they did not want to fix it or the cost to fix was high / a hole like that will lead to a fine.

  • Why would you run vulnerability scanner software on a remote network from your home IP!? Sounds to me like he found a flaw, got overzealous, and got permabanned.

    • by rwise2112 (648849) on Monday January 21, 2013 @09:13AM (#42646465)

      Why would you run vulnerability scanner software on a remote network from your home IP!? Sounds to me like he found a flaw, got overzealous, and got permabanned.

      I heard about this on the radio this morning. This is not the full story.

      Supposedly he reported the flaw to the school and was thanked and told it would be taken care of. Later (not sure how long he waited), he decided to test to see if the flaw was fixed, at which point the CEO/owner of the software company called him directly and told him he could be arrested and asked/forced him to sign the NDA. It was only after that, that he was expelled.

      It also seems this flaw is in the software itself and would have affected more than just this particular school.

      Any way you look at it, it's very ugly.

      • by kenh (9056) on Monday January 21, 2013 @11:02AM (#42647561) Homepage Journal

        He waited two days.

        He coordinated with no one, he just decided to run a piece of scanner software against someone else's servers and got caught.

        When his case was reviewed by his college, despite no formal charges being brought against him, he was expelled by a vote of 14 out of 15 professors in his own department (where he was "acing all his classes").

        I seriously suspect there is more to this story than is being reported... These professors that knew him voted him out of the school.

    • by JaredOfEuropa (526365) on Monday January 21, 2013 @09:20AM (#42646521) Journal
      Since the security flaw left personal data of all students including himself out in the open, I'd say he had every right to see if the company patched the hole yet. One might even say it was his duty to check. This was just 2 days after he reported the hack, but does shooting the messenger imply that they worry more about their reputation than the actual security flaw? Especially since the student took pains to report the issue rather than exploit or publish it. For once I'd like to see trigger-happy software companies and institutions like these hauled before court on charges of gross negligence, undue duress, and leaking of personal info.

      I wonder why the school decided to expel him. The software company overreacted a bit when they found out; perhaps they sent a note to the school to the effect of "We found that student of yours hacking around in our system again; we've told him we'll call the cops if he keeps doing it". I can see why the school would expel him on the strength of that.
  • by Anonymous Coward on Monday January 21, 2013 @09:00AM (#42646381)

    Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected.

    Seriously, don't run Acunetix or Retina scans or whatever on other people's systems. It looks like you are probing for vulnerabilities because, well, that's exactly what it's doing.

    And if I'm a sys-admin, I'm going to see that and think you're an attacker. From my point of view, you've just cased the joint. That's what I'm going to report up, and from there everything gets ugly.

    • by vlm (69642) on Monday January 21, 2013 @09:37AM (#42646683)

      So you rely primarily on security thru obscurity and hope that genuine bad guys would never scan you? That's pretty scary.

      The funniest part is I've been putting up with scans/etc since the early 90s and it doesn't take long to figure out that almost all of them come from compromised systems, usually from another country. A local guy easily traced almost by definition is on your side, because a real bad guy would be coming from a rooted machine in .cn or something essentially untraceable like that. In other words if you can find and talk to the guy in "minutes" as per the story, he's probably on your side or at worse is a hopeless noob script kiddie who's no more harmful or harmless than the other one million kiddies out there, so there's no sense messing with him.

    • by borcharc (56372) * on Monday January 21, 2013 @11:24AM (#42647841)

      Really? Will all the real sysadmins stand up. Every internet-exposed system gets these scans run several times a day from random sites. Who even takes the time to investigate this shit? Just auto detect and auto block like a normal person. Hell, look at your auth logs and see all the brute force root pw attempts from random IPs 24/7? Go install an old version of RHEL with an old LAMP stack without a firewall and wait if you don't believe me.

      This was targeted at the student; they were looking, desperately, for him.
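The sysadmin comments above describe the defender's side of this story: scanner traffic stands out in the access logs, and the usual answer to it is automated detection rather than a phone call. The following is an added example (not code from the thread, Dawson College, or any product mentioned here) that flags a source as scanner-like when it hits many distinct paths with a high 4xx share inside a short window, over constructed Apache/nginx "combined" format log lines; the thresholds and sample addresses are assumptions.

```python
"""Flag scanner-like sources in web access logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_scanners(lines, window_s=60, min_paths=20, min_error_ratio=0.5):
    """Return {ip: reason} for sources whose traffic looks like a vulnerability scan.

    Heuristic (assumed thresholds): within any window_s-second span, at least
    min_paths distinct paths were requested and at least min_error_ratio of the
    responses were 4xx. Normal users re-use a handful of paths and rarely 404.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans at most window_s seconds
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            paths = {r["path"] for r in window}
            errors = sum(1 for r in window if 400 <= r["status"] < 500)
            if len(paths) >= min_paths and errors / len(window) >= min_error_ratio:
                flagged[ip] = (f"{len(paths)} distinct paths, "
                               f"{errors}/{len(window)} 4xx within {window_s}s")
                break
    return flagged


def make_sample_log():
    """Constructed sample: one source probing 25 paths in 25 s, one normal visitor."""
    base = "21/Jan/2013:09:00:%02d -0500"
    lines = []
    for i in range(25):  # 198.51.100.7 (TEST-NET-2) walks unrelated paths, all 404
        lines.append(f'198.51.100.7 - - [{base % i}] "GET /probe{i}.php HTTP/1.1" '
                     f'404 210 "-" "Mozilla/5.0"')
    for i in range(5):   # 192.0.2.10 (TEST-NET-1) browses a few real pages
        lines.append(f'192.0.2.10 - - [{base % (i * 10)}] "GET /page{i} HTTP/1.1" '
                     f'200 5120 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, why in detect_scanners(make_sample_log()).items():
        print(f"{ip}: {why}")
```

In practice the flagged set feeds a block rule or an alert, and the window and path thresholds should be tuned against the site's own baseline before blocking anything.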

  • by tommeke100 (755660) on Monday January 21, 2013 @09:01AM (#42646385)
    And this a couple of days after some other big IT personality gave a speech at the funeral stating he could have been gone the same way as Aaron Swartz if he would have been punished the same way during his hacking and exploring days during College.
    Sad.
  • Terrible summary -_- (Score:5, Informative)

    by Racemaniac (1099281) on Monday January 21, 2013 @09:03AM (#42646397)

    I know, this is Slashdot, but I still read the article.

    And I still don't agree with him getting expelled, but the reason was not discovering/disclosing the flaw, but he got in hot water when afterwards he tested if the flaw was still there, and the company developing the software reported the hacking attempt.

    It was still a big overreaction that happened afterwards, and he shouldn't have been expelled, but it's not the discovering/reporting of the flaw that got him in trouble, and the article clearly states this!

    • by nebular (76369)

      Exactly. The student was not authorized by the school to be doing what he was doing. If he wanted to check to see if the flaw was still there, then he should have informed the school that he was doing so and got permission to test. Or more entertainingly, inform the press of the flaw and get EVERYONE to test for it. If he gave an anonymous tip the NDA would still hold.

  • by interiot (50685) on Monday January 21, 2013 @09:06AM (#42646413) Homepage
    Shooting the messenger does nothing to solve the underlying problem. Thanks to the fourth estate and the Streisand effect, shooting the messenger is likely to get you more attention, not less.
  • by alphatel (1450715) * on Monday January 21, 2013 @09:08AM (#42646423)
    Techs everywhere need to learn this important lesson: Never Sign Anything unless you are also offered on the same piece of paper a guarantee of what you receive in return. You get no prize money for signing an NDA or DNC. If you ask for it, you will get 1) a job, 2) some cash, 3) some action not taken. You can ask for nothing, but you will get the exact opposite - penalized or harmed. Your goal is to sign something such that if what you are offered is not fulfilled, the NDA is broken.

    As it stands, asking someone to sign a NDA and not offering a guarantee of something in return is already suspect and can be fought. You had an expectation that you wouldn't get expelled, or that you would get a free education, or something else of benefit to you. People need to learn that colleges, Lance Armstrongs and corporations all act the same way. You will get screwed if and when there is an opportunity to screw you. And you will go broke defending what is right. Few will care.
    Don't Sign without Something in Return (DSSR)!
  • DO NOT QUESTION AUTHORITY. This is what happens when you exhibit independent thought.
  • by Anonymous Coward on Monday January 21, 2013 @09:18AM (#42646501)

    By the story linked, he wasn't expelled for finding a software flaw, he was expelled for running a vulnerability scanner against their network.

    Everything with finding the flaw seems to have gone fine. He found the flaw while working to develop an app, he did nothing wrong, and it seems like he got kudos for it, not any sort of harassment at all.

    Then he started using a vulnerability scanner on their network. You never do this without an arrangement (i.e. a pen testing contract). Never ever ever. It's illegal for one, it definitely can disrupt systems, and it sends up all kinds of red flags.

    On the other hand, no one told me those things in college; they were part of my job training post-college. When I was at school, there were no 'ethical hacking' classes that let you know what is and is not illegal to do as part of vulnerability research. So I doubt very much the kid had any idea what was going wrong. Hell, I know now that most big universities get crazy-angry if you do anything that even looks like an attack over them... but no one told me that in college when I was actually using those networks.

    The company took a rather strong wording but soft action: they elected not to pursue anything past getting him to sign an NDA. They didn't ask the school to expel him, the school did that entirely on their own. The student clearly doesn't understand why he was expelled, either. At least not by his quotes in the story (he's sure it's trying to cover up the flaws; in reality it's almost certainly because he ran what is considered a cyber attack across a university network, very illegal and very likely to piss off the administration).

    Obviously he shouldn't have been expelled; he did not act with malice, and clearly still doesn't know the legal boundaries. What this tells me is it's long past time to start coupling your computer science 101 class with a cyber ethics and law 101 class. While anyone who works for a pen testing company can immediately see where things went bad, his actions make perfect sense from the perspective of a college student.

  • by Anonymous Coward on Monday January 21, 2013 @09:19AM (#42646505)

    When I was a CS student I discovered a flaw in the program we used to turn in assignments. The flaw allowed access to the code anyone had turned in for an assignment. I however elected to anonymously inform the CS dept about the problem. Glad I did. I found out they searched and searched trying to figure out who I was so they could kick me out. Sometimes it is better just to be an Anonymous Coward.

    • by Skapare (16644)

      Wow, a post that fully justifies using AC. Would it be safe to at least identify this school of mostly incompetent faculty?

  • Really? (Score:4, Insightful)

    by kenh (9056) on Monday January 21, 2013 @09:44AM (#42646763) Homepage Journal

    How "common" is this? How common is it for college students to find security flaws in the code that schools run, and to be expelled for uncovering it? That isn't even what happened here:

    He was expelled for his "testing" of the breach after he told the administration and the software company about the security flaw.

    Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.

    “It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”

    He was not expelled for finding the security flaw, he was expelled for running what was a well-intentioned "attack" on the software he identified the flaw in. If he had co-ordinated with the software vendor there would have been no issue. Of course, the only way you'd know that is by reading the linked-to article - I wonder why the headline author didn't do that?

  • I was in shock... (Score:5, Informative)

    by zanian (1621285) on Monday January 21, 2013 @09:50AM (#42646829)

    ...when I read the title. I'm from Montreal, currently studying on exchange overseas. A few months back a friend of mine was telling me about an app he and some friends in a club at Dawson College were writing. I know a few of the guys personally because I was at some party with them back in September and I had heard a bit about how the project was going in the months following. All this to say, the story is complete bullshit.

    Apparently, the school had originally offered to share some info that would help the guys making the app, but, coincidentally some company started developing something around the same time that was along the same lines so Dawson reneged on the deal. FTA:

    Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software

    The story goes, according to my friend, as such. Apparently, the programmer and one of the other guys decided they were just going to take the info, which was easy to do since Omnivox is such a terrible system, by breaking in. While doing this, they discovered the flaw and used it as leverage once the school noticed they had accessed the system and approached them. The other friend played innocent and the programmer got the flak for it, eventually being expelled.

    This was by no means a white hacking deal. Also, these guys have been exploiting Dawson's system for a while to print for free and other such things.

    It's interesting how many articles like this we get on slashdot. Just makes me wonder how easy it is to skew a story a certain way regarding a subject like programming which so many people know nothing about. If they found something, what were they doing looking in the first place? Well, sometimes people are just dicking around or curiously looking at how bad a system is, but sometimes they are - like in this case - breaking in to steal specific information for personal gain.

  • by Charliemopps (1157495) on Monday January 21, 2013 @09:52AM (#42646845)

    The lesson to be learned here is: If you're in college and someone threatens you with any sort of legal action, don't say a word, just walk out, and walk straight into a lawyer's office. Immediately. While I was in college I got sued/fined/thrown out of different places so many times I've lost count. The college and college police think they are the law and use their power to manipulate and harass students they don't like.

    I once had the police looking for me for 3 months to ticket me for lighting some firecrackers on New Year's at 2am. It was a ridiculous cat and mouse game, and they refused to give up. Finally they "Caught" me and gave me a ticket. It went to trial for God's sake. The city paid for eye witnesses to testify and everything. It was a $100 fine and I won the case. It probably cost the city tens of thousands of dollars to screw with me for about 6 months. In the end, on the way out, I patted the DA on the shoulder and said "See ya next New Year's!" and he laughed. What a joke.

    Get a lawyer, and get one fast. Don't sign anything, don't talk to anyone. They will do anything to win. Including show up at parties, undercover, asking where you're at. Or sending you tickets via registered mail. Just get a lawyer and be done with it.

    • by mark-t (151149)

      Get a lawyer

      I'm curious how practical this advice is in the face of the following facts:

      1. Lawyers cost money.
      2. This person was a student, and therefore probably practically broke, beyond having enough to eat and keep a roof over his head.
      3. Legal aid for people in financial need has a waiting list that is weeks if not months long.
      4. Borrowing money, even to hire yourself a lawyer, is often unviable for young Canadians, who may not have the credit rating to qualify for anything yet.
  • by cjjjer (530715) on Monday January 21, 2013 @09:52AM (#42646847)

    Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.

    So he reports a flaw in the software and then two days later IT detects a possible surface attack on the website which turns out to be him using software that finds other exploits. Seems to me like the student is a moron.

    Sorry dude welcome to the real world of consequence.
