Please create an account to participate in the Slashdot moderation system


Forgot your password?
Education Businesses Security News

CTO Says Al-Khabaz Expulsion Shows CS Departments Stuck In "Pre-Internet Era" 248

An anonymous reader writes "The Security Ledger writes that the expulsion of Ahmed Al-Khabaz, a 20-year-old computer sciences major at Dawson College in Montreal, has exposed a yawning culture gap between academic computer science programs and the contemporary marketplace for software engineering talent. In an opinion piece in the Montreal Gazette on Tuesday, Dawson computer science professor Alex Simonelis said his department forbids hacking as an 'extreme example' of 'behavior that is unacceptable in a computing professional.' And, in a news conference on Tuesday, Dawson's administration stuck to that line, saying that Al-Khabaz's actions show he is 'no longer suited for the profession.' In the meantime, Al-Khabaz has received more than one job offer from technology firms, including Skytech, the company that makes Omnivox. Chris Wysopal, the CTO of Veracode, said that the incident shows that 'most computer science departments are still living in the pre-Internet era when it comes to computer security.' 'Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment,' he said. 'Teaching students how to write applications without taking into account the hostile environment of the Internet is like teaching architects how to make buildings without taking into account environmental conditions like earthquakes, wind and rain,' Wysopal said."
This discussion has been archived. No new comments can be posted.

CTO Says Al-Khabaz Expulsion Shows CS Departments Stuck In "Pre-Internet Era"

Comments Filter:
  • by JS_RIDDLER ( 570254 ) * on Wednesday January 23, 2013 @08:37PM (#42675861)

    Interesting timing ; not quite the same.
    One is Defensive Planning; One is about New ways to use things.
    US Government Announces National Day of Civic Hacking []

  • by Obfuscant ( 592200 ) on Wednesday January 23, 2013 @08:59PM (#42676071)
    The computer science department is not teaching their students to write code without consideration of the environment of the Internet. At least nothing in this situation says they are.

    What they are teaching is that it is unethical to run penetration testing against a system without permission. This philosophy is embodied in the ACM Code of Ethics [], in section 2.8:

    2.8 Access computing and communication resources only when authorized to do so.

    Theft or destruction of tangible and electronic property is prohibited by imperative 1.2 - "Avoid harm to others." Trespassing and unauthorized use of a computer or communication system is addressed by this imperative. Trespassing includes accessing communication networks and computer systems, or accounts and/or files associated with those systems, without explicit authorization to do so. Individuals and organizations have the right to restrict access to their systems so long as they do not violate the discrimination principle (see 1.4). No one should enter or use another's computer system, software, or data files without permission. One must always have appropriate approval before using system resources, including communication ports, file space, other system peripherals, and computer time.

    He got thanked for finding the flaw. He got expelled for pen testing someone else's system. Two different acts, two different issues.

  • Re:oh get real... (Score:5, Informative)

    by Guspaz ( 556486 ) on Wednesday January 23, 2013 @09:11PM (#42676167)

    Dawson is not a university. In Quebec, "College" and "University" mean different things. Dawson is a CEGEP, which is a mandatory level of education between highschool and university.

    CEGEPs in Quebec has two kinds of programs. 2-year Pre-university programs can be considered to replace the final year of highschool and first year of university (as in, highschool and university are both one year shorter in Quebec). They also have three-year programs (like the computer science program Al-Khabaz is in), which are vocational degrees intended to prepare a student for the job market rather than university. Graduating from either type of program grants you a degree called a DEC ("Diploma of College Studies" in English), which also happens to be required for admission to any university.

    Many students, however, do what I did, and get a three-year vocational compsci DEC and then go to university and get their BCompSc. Yeah, it takes you an extra year (as compared to the pre-uni DEC), but CEGEP is the first time as a student that you get to study what YOU want instead of what the government says you must take, and I had a fantastic time.

  • Re:Blamestorming (Score:4, Informative)

    by docmordin ( 2654319 ) on Wednesday January 23, 2013 @09:32PM (#42676369)

    But I do agree most of the graduating "computer engineers" I've interviewed barely knew how to code and had a few canned routines like bubble-sorting memorized. The ones claiming to be Microsoft certified were even more embarrassing.

    I'm not sure you're aware, but, depending upon the school, an S.B. in computer engineering can be much more akin to an S.B. in electrical engineering than one in computer science. To elaborate, some computer engineering programs are part a joint department that focus almost entirely on circuit analysis and design, solid-state theory, (non-)linear/stochastic control, architecture design, electromagnetics, and much more, with very little, if any, emphasis on programming.

  • by F. Lynx Pardinus ( 2804961 ) on Thursday January 24, 2013 @12:06AM (#42677361)

    High school teachers get out of date pretty quickly

    As someone who recently used my knowledge of the 1920's Nyquist limit on a project, I'm pretty skeptical of this claim. I don't think the fundamentals of computer science change nearly as fast as you assume.

  • Ok (Score:5, Informative)

    by Sycraft-fu ( 314770 ) on Thursday January 24, 2013 @02:08AM (#42677985)

    Go ahead and show me the home/business alarm you think will stop me. Go ahead. I can more or less guarantee you can't do it. The reason is I know quite a bit about how they work, since my grandpa has been in the business of selling them all his life, and how they can be defeated. Particularly if you are talking something public where you can look around innocuously and find out what is there. Ultimately they are at their core just a circuit board in a box that connects to sensors, sirens, and maybe a phone line. Break the board, they stop working. If you have one in your house open it up and see what's inside. It is simplistic, and not at all attack resistant other than the thin metal box it lives in.

    For that matter, defeating an alarm really isn't necessary if taking something, like say physical data (files and so on) is your objective. All they do is make noise and if they are good ones, call a security company who will eventually call the police who will eventually respond (they aren't that fast, false alarms happen often). That doesn't stop people with guns from kicking in your door, grabbing what they want, and leaving.

    Same shit with security guards. You ever have a look at the security that public places like office buildings and malls use? They are unarmed, and low paid. Their job is to call the police if shit happens. It doesn't take much to out-class them, you bring a pistol with you, you've already got them hopelessly outgunned. You think they are going to throw their life on the line if someone holds them at gunpoint? Hell no. For that matter there usually aren't very many. The mall near me has one car that patrols their parking lot at night (I overlook the parking lot). That is it for perimeter security. I don't know what they have inside, but you can bet it isn't much more (maybe not even anyone).

    Physical security at homes and businesses keeps out the causal crooks, nothing more. Now that's all they really face, people wouldn't bother with a targeted, planned, attack, they just don't have enough of value. They face low level thugs that do vandalism, smash and grabs, that kind of shit. And oh, by the way, it DOES happen. The mall near me gets broken in to at least once a year, usually dumbass teens just causing trouble, and by the fact that they got in, it means security failed to stop them.

    They don't get fired, their job isn't to stop everything, it is to report anything they see, and to drive around and look conspicuous (their car is marked, and has a flashing yellow light) so as to scare troublemakers off.

    If your house has never been broken in to it isn't because you have amazing security. A burglar alarm and a crap lock do not make great security. It is because nobody has tried. They good news is most of us don't face much in the way of threats to security in the physical world. Nobody tries to break in, or attack us, or the like. It is quite uncommon.

    Now that doesn't mean we should just be all lax with computer security, but it does mean that this silly demand of perfection needs to stop. Nothing is perfectly secure.

... though his invention worked superbly -- his theory was a crock of sewage from beginning to end. -- Vernor Vinge, "The Peace War"