
CTO Says Al-Khabaz Expulsion Shows CS Departments Stuck In "Pre-Internet Era"

Posted by samzenpus
from the getting-up-to-speed dept.
An anonymous reader writes "The Security Ledger writes that the expulsion of Ahmed Al-Khabaz, a 20-year-old computer sciences major at Dawson College in Montreal, has exposed a yawning culture gap between academic computer science programs and the contemporary marketplace for software engineering talent. In an opinion piece in the Montreal Gazette on Tuesday, Dawson computer science professor Alex Simonelis said his department forbids hacking as an 'extreme example' of 'behavior that is unacceptable in a computing professional.' And, in a news conference on Tuesday, Dawson's administration stuck to that line, saying that Al-Khabaz's actions show he is 'no longer suited for the profession.' In the meantime, Al-Khabaz has received more than one job offer from technology firms, including Skytech, the company that makes Omnivox. Chris Wysopal, the CTO of Veracode, said that the incident shows that 'most computer science departments are still living in the pre-Internet era when it comes to computer security.' 'Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment,' he said. 'Teaching students how to write applications without taking into account the hostile environment of the Internet is like teaching architects how to make buildings without taking into account environmental conditions like earthquakes, wind and rain,' Wysopal said."

  • Pffft... "Education" (Score:5, Interesting)

    by narcc (412956) on Wednesday January 23, 2013 @08:46PM (#42675947) Journal

    When did all the computer science programs turn into trade schools for programmers?

    Meh, why fight it. Lower that bar!

  • Blamestorming (Score:5, Interesting)

    by girlintraining (1395911) on Wednesday January 23, 2013 @08:48PM (#42675975)

    'Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment,'

    That's because if schools taught people how to properly test security, the government would label them terrorist breeding grounds. Anyone remember Steve Jackson Games? They released a game where one of the roles you could play was a computer hacker. The FBI called it a "handbook for computer crime" and the "anarchist's cookbook of cybercrime". No charges were ever filed. It was a work of fiction. It still nearly bankrupted them and took many years to resolve.

    Schools do not want to teach students because they're afraid of government reprisal if they show a generation just how crappy our national infrastructure really is. As one recent net celebrity put it, "Our security posture is like a dog waiting for its belly to be rubbed." They don't wanna teach people how to find these problems, because it'll embarrass the crap out of The Powers That Be.

    Don't blame professors for this. Look higher.

  • by Anonymous Coward on Wednesday January 23, 2013 @08:53PM (#42676013)

    However, I don't buy that what this student did was hacking (in the cracking sense)

    Targeting a system you don't own, or aren't responsible for, and trying to break into it is almost always not a good thing to be doing, and should be considered unprofessional (and unethical) conduct.

    Noticing a problem while you are setting something else up, notifying the appropriate people, and checking to see if that problem is gone are very reasonable things to do.

    I have been working in Computer Security in Internet Banking for the last 15 years, and while I have had many co-workers who measure their worth by how good they are at breaking in to things, very few of those people have been nearly as good at defending those same things.

    Figuring out how to hack a site takes finding one vulnerability.

    Figuring out how to defend a site takes thinking about all types of vulnerabilities.

  • Re:oh get real... (Score:2, Interesting)

    by CurunirAran (2811035) on Wednesday January 23, 2013 @08:58PM (#42676069)
    The CTO said what he said because the department TRULY is out of touch with the real world if it believes that hacking is an 'extreme example' of 'behavior that is unacceptable in a computing professional'.

    Hackathons, which involve unusual solutions to problems, often using hidden, undiscovered features of various products, are becoming increasingly popular, and often you'll have BIG companies sponsoring these same competitions.

    Moreover, the dept is wrong in its comment because CS as a profession is rather different from software engineering. I don't think formulating more efficient algorithms and solving various mathematical problems (basically CS RESEARCH) has much in common with software engineering. In fact, I'd rather that my employee found a problem with my system than an end user doing so.
  • by Chemisor (97276) on Wednesday January 23, 2013 @09:15PM (#42676199)

    Computer science programs became trade schools for programmers when idiot HR departments made a CS degree a requirement for every coding monkey position. The fact that a computer science degree does not give its holder any knowledge of actual computers or real world programming does not bother HR drones because they do not have that knowledge either.

  • Re:Blamestorming (Score:3, Interesting)

    by Taco Cowboy (5327) on Wednesday January 23, 2013 @09:35PM (#42676387) Journal

    Don't blame professors for this. Look higher.

    A professor who cowed down to tptb is a professor with no integrity

    The job of a professor is to teach

    But "teaching" encompasses more than the particular subject at hand

    The character of the teachers (professors for this case) is also an important factor

    Students learn much more from professors who have backbones than those from the family of invertebrates.

  • by Anonymous Coward on Wednesday January 23, 2013 @10:31PM (#42676779)

    Like the saying:

    Those who can, do

    Those who can't do, teach

    Those who cannot do either somehow end up making the decisions for those who can.

  • by MoFoQ (584566) on Wednesday January 23, 2013 @10:55PM (#42676921)

    does no one ever read the article anymore?
    It was on a test server.....using credentials given by the vendor, Skytech Communications.

    ...the software vulnerability scan that got him expelled from school was conducted on a test server only, and using credentials provided to him by the company that makes Omnivox: Skytech Communications.

    The mere fact that Skytech supposedly gave him a job offer is enough to think that the department has their collective heads up....well..you get the point.

    There's a reason why the legendary Weld Pond [wikipedia.org] would be so vocal and would even say "These kind of people right out of college are the kinds of people we want to hire."

  • by Jessified (1150003) on Thursday January 24, 2013 @12:13AM (#42677417)

    Well in this case the programming failed under normal use. That is it failed to keep people out.

    In the case of buildings, normal use would include extreme weather and earthquakes etc depending on the area.

    Normal use on the internet includes keeping intruders out, even when they put some effort to get in.

    Nothing is perfect, but you don't punish people who identify flaws, especially not at a so-called place of learning.

  • by Dahamma (304068) on Thursday January 24, 2013 @02:22AM (#42678019)

    My experience was the exact opposite... I guess it depends on your university's priorities. I had professors teaching undergraduate courses who were not only doing serious research, but were often leading their field. Off the top of my head (it's been a while, but jeez looking at it in hindsight it is humbling):

    http://en.wikipedia.org/wiki/Martin_Hellman [wikipedia.org]
    http://en.wikipedia.org/wiki/Mark_Horowitz [wikipedia.org]
    http://en.wikipedia.org/wiki/John_McCarthy_(computer_scientist) [wikipedia.org]
    http://en.wikipedia.org/wiki/Robert_Sapolsky [wikipedia.org]
    http://en.wikipedia.org/wiki/Anne_Fernald [wikipedia.org]
    http://en.wikipedia.org/wiki/Philip_Zimbardo [wikipedia.org]
    http://en.wikipedia.org/wiki/William_C._Dement [wikipedia.org]
    http://en.wikipedia.org/wiki/Paul_R._Ehrlich [wikipedia.org]
    http://en.wikipedia.org/wiki/Craig_Heller [wikipedia.org]
    http://en.wikipedia.org/wiki/Eric_Knudsen [wikipedia.org]

  • by dkf (304284) <donal.k.fellows@manchester.ac.uk> on Thursday January 24, 2013 @04:53AM (#42678477) Homepage

    Are typical university CS department professors doing meaningful "research"?

    Should a "typical university" have a CS department at all? Speaking as someone who works in a CS department where the academic staff have to produce research output as well as teach, it sounds like there are places which just ought to stop the pretense and to actually call themselves "Visual Basic Training Schools" or something. (Disclosure: I mostly don't teach, and instead do software engineering to turn the CS research into practical tools to support other research areas.)
