Student Expelled From Montreal College For Finding "Sloppy Coding" 633
innocent_white_lamb writes "In what appears to be a more-and-more common occurrence, Ahmed Al-Khabez has been expelled from Dawson College in Montreal after he discovered a flaw in the software that the college (and apparently all other colleges across Quebec) uses to track student information. His original intention was to write a mobile app to allow students to access their college account more easily, but during the development of his app he discovered 'sloppy coding' that would allow anyone to access all of the information that the system contains about any student. He was initially ordered to sign a non-disclosure agreement stating that he would never talk about the flaw that he discovered, and he was expelled from the college shortly afterward."
He tried to hack them again (Score:1, Informative)
Expelled for trying to hack the site a second time, not for notifying them of his first hack. Summary is technically true, but still a deception.
Terrible summary -_- (Score:5, Informative)
I know, this is slashdot, but i still read the article
And i still don't agree with him getting expelled, but the reason was not discovering/disclosing the flaw, but he got in hot water when afterwards he tested if the flaw was still there, and the company developing the software reported the hacking attempt.
It was still a big overreaction that happened afterwards, and he shouldn't have been expelled, but it's not the discovering/reporting of the flaw that got him in trouble, and the article clearly states this!
Re:Ridiculous (Score:5, Informative)
I missed that part of the article. Can you quote the line where they said that?
It seemed more like he discovered a flaw and reported it. This embarrassed the university. He later tried to verify if the flaw had been fixed by using the flaw (probably not the best move he could have made) and the university used this as an excuse to terminate him.
Re:Sorry but he's an idiot (Score:5, Informative)
Why would you run a vulnerability scanner software on a remote network from your home ip!?. Sounds to be like he found a flaw, and got overzealous and got permbanned.
I heard about this on the radio this morning. This is not the full story.
Supposedly he reported the flaw to the school and was thanked and told it would be taken care of. Later (not sure how long he waited), he decided to test to see if the flaw was fixed, at which point the CEO/owner of the software company called him directly and told him he could be arrested and asked/forced him to sign the NDA. It was only after that, that he was expelled.
It also seems this flaw is in the software itself and would have affected more that just this particular school.
Any way you look at it, it's very ugly.
Re:Ridiculous (Score:5, Informative)
Slashdot article summary is very misleading at best. He was not expelled because he reported a security flaw, he was expelled because he ran Acunetix [acunetix.com] a website vulnerability scanner after he reported the vulnerability without permission of the web gods. Although no malicious intent by Ahmed Al-Khabaz, he stepped over the line and the University was not in a forgiving mood,
arguably vindictive.
Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.
“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”
For reporting the vulnerability in the first place, he was thanked by the University, but they did not take kindly to using Acunetix -- I would certainly agree that the university over-reacted, but they were not punishing him for discovering a vulnerability.
Re:Under duress? (Score:4, Informative)
Yes, for a contract to be enforceable it has to be a meeting of the minds, a contract signed under threat of imprisonment wouldn't generally be valid under English common law. Now Montreal is in Quebec and so governed under Napoleonic code instead of English common law and so I'm not sure that that assumption still holds since I don't live in Quebec or Louisiana.
I was in shock... (Score:5, Informative)
...when I read the title. I'm from Montreal, currently studying on exchange overseas. A few months back a friend of mine was telling me about an app him and some friends in a club at Dawson College were writing. I know a few of the guys personally because I was at some party with them back in September and I had heard a bit about how the project was going in the months following. All this to say, the story is complete bullshit.
Apparently, the school had originally offered to share some info that would help the guys making the app, but, coincidentally some company started developing something around the same time that was along the same lines so Dawson reneged on the deal. FTA:
Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software
The story goes, according to my friend, as such. Apparently, the programmer and one of the other guys decided they were just going to take the info, which was easy to do since Omnivox is such a terrible system, by breaking in. While doing this, they discovered the flaw and used it as leverage once the school noticed they had accessed the system and approached them. The other friend played innocent and the programmer got the flak for it, eventually being expelled.
This was by no means a white hacking deal. Also, these guys have been exploiting Dawson's system for a while to print for free and other such things.
It's interesting how many articles like this we get on slashdot. Just makes me wonder how easy it is to skew a story a certain way regarding a subject like programming which so many people know nothing about. If they found something, what were they doing looking in the first place? Well, sometimes people are just dicking around or curiously looking at how bad a system is, but sometimes they are - like in this case - breaking in to steal specific information for personal gain.
Comment removed (Score:5, Informative)
Re:Idiot. (Score:4, Informative)
Re:Ridiculous (Score:5, Informative)
Here is the relevant section of the article;
After an initial meeting with Director of Information Services and Technology François Paradis on Oct. 24, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”
Note that jail was only mentioned after Acunetix was run.
Re:Sorry but he's an idiot (Score:5, Informative)
He waited two days.
He coordinated with no one, he just decided to run a piece of scanner software against someone else's servers and got caught.
When his case was reviewed byhis college, despite no formal charges being brought against him he was expelled by a vote of 14 out 15 professors in his own department (where he was "acing all his classes").
I seriously suspect there is more to this story than is being reported... These professors that knew him voted him out of the school.
Re:My Ass (Score:4, Informative)
Re:Time to go to the press... (Score:4, Informative)
As an example, I got let go from a government job because they considered me a security risk just because I asked what servers they were running! Most of the software was badly programmed VBasic, then what do you expect when you hire a programmer for $30k/annum? The absurdity is that the manager of the office overode my dismissal because they couldn't get anybody else to fix their corrupted databases. Something not one of their system administrators could fix as they had absolutely no experience outside of school.
Might just be governments being clueless about software. Canada did pay millions to use a search system, developed by the US gov't, that doesn't actually search the content of pages. Brilliant.
Re:I was in shock... (Score:4, Informative)
I don't remember the extent to which it was a break in and I dare not ask my friend again so I can post on slashdot (he might not be so happy about it), however, I know that the flaw was discovered while they were trying to find ways to get the information they wanted. I also remember it being an SQL injection, but I don't want to go on record saying that because I'm not 100% sure (my friend was also telling me that same day that the other guy, who didn't get expelled, was using an SQL injection to break in to the Pizza Pizza system and remove his order so he could then call them up and say he had placed an order that hadn't arrived yet, resulting in free pizza).
Just as unreliable as the article is my anecdotal evidence and I agree with your comment. I do know for certain that they were looking for ways to steal the information they needed, which they succeeded in doing with some sort of exploit and which I remember to be an SQL injection, when they found this security flaw. I also think that, unlike what he claims, he did not notice that the link to one's profile/info was encrypted by simply accessing his student account, but rather that they found this huge database of SIN, names, addresses, etc... which they realized anyone could find working forward from their student account, the opposite of how they did it (working backwards from the database).
Lastly, I know for certain that the other guy (pizza exploiter) was using the info to hold Dawson by the balls in case they went after them for breaking in to the system. It should be noted that the other guy did not get expelled, even though he was pushing the whole operation and using the programmer's skills.
Re:My Ass (Score:2, Informative)
No, he got congratulated for finding the flaw. He got in trouble for running a vulnerablity scan afterwards to verify that the flaw was fixed. He ran the vulnerability scan without the system administrators knowledge or permission. I agree that he should have gotten in trouble, maybe not expelled, but in trouble because the vulnerability scan could have crashed or corrupted the system.
Re:My Ass (Score:4, Informative)
My bank has public facing computers. If I were to find and exploit a way to access other people's banking data, I'm pretty sure there'd be hell to pay.
I'm pretty sure the US and UK both have laws that would prevent access beyond your authorization. I'd be astonished if Canada did not have similar legislation.
Your bank gets scanned several times an hour (if not several times a minute) by half the blackhats and scriptkiddies of the globe, and nobody in the banks IT dept. would be dumb enough to bitch about it, because they know its natural on a public-facing system.
Simply scanning your bank and reporting your findings to them, is unlikely to get you in "hell" ... unless you act like a dick about it.
You should't scan them without permission - off course. That is not up for debate. But a scan is not the same as gaining - and indeed exploiting - unauthorized access. The school in question here clearly overreacted.
Regarding legislation, you may be right if the authorities decide to make a case out of it. But then again, they'll make a case out of pretty much anything if they are on a rampage. In the US you'll get your ass thrown in jail and/or fined millions just for violating a TOS. Or face 30 years for copying publicly-available data created with tax dollars (ahemm, Swartz?). The fact that such shit happens in the real world really doesn't make it right.
Defining a "scan" as a "crime" is silly at best. Realistically it is an abuse of power and a danger to a free society.
- Jesper