CTO Says Al-Khabaz Expulsion Shows CS Departments Stuck In "Pre-Internet Era" 248
An anonymous reader writes "The Security Ledger writes that the expulsion of Ahmed Al-Khabaz, a 20-year-old computer sciences major at Dawson College in Montreal, has exposed a yawning culture gap between academic computer science programs and the contemporary marketplace for software engineering talent. In an opinion piece in the Montreal Gazette on Tuesday, Dawson computer science professor Alex Simonelis said his department forbids hacking as an 'extreme example' of 'behavior that is unacceptable in a computing professional.' And, in a news conference on Tuesday, Dawson's administration stuck to that line, saying that Al-Khabaz's actions show he is 'no longer suited for the profession.' In the meantime, Al-Khabaz has received more than one job offer from technology firms, including Skytech, the company that makes Omnivox. Chris Wysopal, the CTO of Veracode, said that the incident shows that 'most computer science departments are still living in the pre-Internet era when it comes to computer security.' 'Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment,' he said. 'Teaching students how to write applications without taking into account the hostile environment of the Internet is like teaching architects how to make buildings without taking into account environmental conditions like earthquakes, wind and rain,' Wysopal said."
I consider that a pretty good analogy... (Score:5, Insightful)
And also a very good explanation. How on earth did they produce such a hopelessly stupid system? It was designed by people who are unready for engineering systems to be used.
I am a big fan of not blaming the victim, as a matter of moral principle. That's a great policy. But it's really crappy engineering design; building something that is designed to rely on the assumption that society can reliably provide perfect enforcement is stupid.
There's another layer of difficulty, which is that it is not always obvious whether something is a security hole or a permissive feature...
oh get real... (Score:2, Insightful)
Re:oh get real... (Score:5, Insightful)
Because the young hot shot wasn't doing anything nefarious, and when he first reported the vulnerability he was praised. It's only when he determined that no one was doing a fucking thing about the vulnerability that he got kicked out.
Re:oh get real... (Score:2, Insightful)
Re:Pffft... "Education" (Score:5, Insightful)
While there are always outstanding mavericks, a lot of engineering departments are primarily staffed by brainy people who would make third tier engineers in the real world. Most people who are passionate about a subject area are itching to go out and DO IT. Yes, there are a few amazing brainy oddballs out there that have to be in academia. Yes, there are 5 or 6 CS departments like Stanford or UC Berkeley or Carnegie Mellon that probably do not fit that mold.
But Dawson College? A top notch computer scientist could be racking up six figures with a BS or MS. Who do you think works there and what are they paid?
Not Just CS (Score:0, Insightful)
"Computer Science is taught in this idealized world separate from reality"
Sadly, that statement extends to far more than CS in the world of academia.
About those professors ... (Score:5, Insightful)
Like the saying:
Those who can, do
Those who can't do, teach
Re:Teaching them to what? (Score:5, Insightful)
He did something wrong, sure. But what he did was not bad enough to justify completely destroying his future from an academic and professional standpoint.
He's lucky that this story has attracted as much international attention as it has (and it certainly is strange to be reading about local news stories on international sites like Slashdot, when I work across the street from Al Khabaz' school). If it hadn't attracted all this attention, he wouldn't have had all these job offers, and would have been screwed.
Dawson tried to leave him in debt, unable to enter any other CEGEP, unable to enter any university (you're required to graduate from CEGEP to get into university in Quebec), and with severely diminished job prospects.
Should he have been punished? Yes. Should Dawson have tried to destroy his life? Certainly not.
Re:I consider that a pretty good analogy... (Score:5, Insightful)
You know, we blame civil engineers when their buildings collapse, maybe it's time to start blaming computer "engineers" when their systems do. Now, I know first-hand how hard it is to design secure computer systems, and I'm well aware there's a fine line between "holding to account" and a witchhunt, but we're nowhere near that line as it stands.
In every single one of these stories I hear the mainstream media gasp about the "dangerous hacker". I see /. complain about morons who treat technical curiosity as an attack. But those comments outnumber 10:1 the most important question that you just asked.
How on earth did they produce such a hopelessly stupid system?
Maybe if we could get everyone asking this question, the conversation would shift.
Re:Personal Experience (Score:4, Insightful)
At the university I go to, I recall a computer architecture teacher that used handouts/slides from when the Pentium 4 was the highest-end CPU available
Basic computer architecture is basic computer architecture. The specifics may change, the number of bits may change, but the basics are still the same. I learned on 8080s and 6502s and PDP-8s and an odd CDC 6500, and they all shared the same concepts. When I pick up a datasheet for a modern processor, I see a lot of the same old stuff.
Once you have the basics, then you can expand. "How can we improve on X? By doing Y...". You don't know why Y is better unless you know what X is. And more important, it is hard to see the potential parallels for future improvement unless you know the past. "If we did A to improve X into Y, maybe we can do A to help this other thing, too..."
Re:About those professors ... (Score:5, Insightful)
Perhaps the real question here is "Is the field of academic computer science out of touch?"
Full disclosure: I am a robotics researcher ('lecturer', equiv. to an assistant professor) at a university; I'm on a fellowship, though, so I don't have to teach much!
Re:Hey Look! It's seebs Trying To Be Clever Again! (Score:2, Insightful)
Give it a rest dumbfuck.
Wow! What a creative comeback. Really, That was SO impressive!! "Dumbfuck!" Such poetry, and you managed an actual two syllabe word. Most impressive, can I use that? Whatever you're paying your writers, double their salary and give them 2 weeks in Hawaii. That was, dare I say, creative genius! Yes, yes it was.
I may never post again, there's no reason to now, for I have read the ultimate in rebuttals. Someone call the Fox channel!
Re:I consider that a pretty good analogy... (Score:4, Insightful)
Get ready to have no free (gratis) software, as it would be ridiculous to donate one's time to write code for free if you could be held liable for mistakes. Get ready for your paid software to cost 10X more to cover the extra development "hardening" time it would all require to be less penetrable, and to cover the insurance policies software companies would have to take out to shield themselves.
But we don't blame civil engineers when their buildings collapse after they get blown up by dynamite. It's not like these computer systems are just falling over from nature. They're under malicious attack.
Very bad assumption (Score:3, Insightful)
You're making a very bad assumption that only poor professionals work in minor colleges.
There are countless reasons for working at one university rather than another, the simplest being that it's a place you like or where you have family. Another might be that it provides good promotion prospects rather than only dead man's shoes. And another big one is that it's not a place infested with prima donnas where the only option is to play second fiddle.
Academia has a lot of problems, and choosing the best place to work is not anything like as simple as you portray. Not everybody is driven by high salaries and high prestige colleges. Indeed, the kinds of places you seem to rate most highly are often a huge rat race and not pleasant at all.
While I don't know Dawson College, just because it's small and not well known does not say anything about the caliber of its academics.
Re:I consider that a pretty good analogy... (Score:5, Insightful)
There is no such thing as a secure system. This applies to both physical and information security. There's always a way in. So that's a bad analogy to life-safety engineering, or at least a subtle one.
When it comes to security, there's no "secure" or "insecure", and the threats are rarely well understood, let alone well described. The important questions are "how much will it cost an attacker to gain access" and "how much will it cost an authorized user to gain access" and "how valuable is this anyway" and "what's the tradeoff in making this more secure". Sure, there are also just stupid, terrible designs when it comes to security, but the mere fact that an attacker gains access means little.
When it comes to life safety, the parameters are thoroughly described. The levee must withstand the winds and storm surge from a class 3 hurricane, this building must survive impact from a 707, whatever. If they fail under far worse conditions than they were specced for, that's not an engineering failure. It's rarely so clear when it comes to security (though, of course, sometimes the password is sent as part of a URL or whatever, and it is quite clear).
Re:I consider that a pretty good analogy... (Score:5, Insightful)
Re:I consider that a pretty good analogy... (Score:5, Insightful)
You know, we blame civil engineers when their buildings collapse,
You dont, however, blame them when someone helpfully demonstrates that by taking out support pillar 3A with TNT that the building suffers catostrophic failure. I mean, yea, maybe you blame them a little, but generally you get pissed at the guy holding the detonator.
Re:oh get real... (Score:5, Insightful)
From the article: ......It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites.....
A few minutes later, the phone rang
Yea, see, this is why insecure.org has warnings to not run nmap against resources that you do not own: It is generally considered nefarious, ill-advised, and possibly illegal. Yes, pen-testing other people's stuff will land you in trouble. Should he have been expelled? Maybe not, since he was clearly trying to expose a vulnerability, but he should have known better and hopefully now he does.
Probably also should not have signed that NDA and then gone on to break it, but then Im no lawyer. Probably should have just said "yea, I sign nothing till i have representation".
If you do not have a job / contract with someone to pen-test, act as a "tiger team", check for physical security breaches, etc, DONT.
This is something geeks need to understand (Score:4, Insightful)
In the physical world, there is NO SUCH THING as perfect security. You can't design a setup that someone else cannot overcome. All you can do it make it so hard that nobody would try, and multi layered so you hopefully catch something if there is a failure at one level. There's no perfect security, no magic bullet.
Likewise there is nothing that is invincible, nothing that can withstand any and all attacks without problems. Everything has failure points, everything can be broken. You have to use things properly or they WILL fail.
We all accept this as part of every day life. However then when it comes to the virtual world, to computers, geeks seem to think things should be perfect. No system should ever have any security flaw, ever. No system should break or fail, even when subjected to deliberate attack. Everything should be built flawlessly.
Nope, sorry, doesn't work that way. While it is a lot easier to make things more resilient than in the physical world, you still have to assume that failure is possible, that flaws are present and not known. That is just life.
This is about defining/defending "the profession" (Score:4, Insightful)
This isn't really about Al-Khabez. It's about policing the boundaries of the profession. The problem - the reason that there is a culture clash - is that despite attempts for over 40 years, no-one has succeeded in transforming computer programming into a profession. To be more precise, whether programmers professionalized remains a serious question for debate.
Look at the quotes from Simonelis, Dawson, and the ACM:
If programming were a profession like medicine or law or engineering, programmers would acquire higher status, as would organizations like the ACM. From the point of view of managers, programmers are often seen as unmanageable crafts people with little respect for standard practices of business. For them, professionalization is about controlling and assessing programmers and theirwork. The rise of computer science, the creation of software engineering, and the creation of the ACM were all driven in large part by efforts to professionalize the field: sometimes more in the interests of programmers, sometimes more in the interests of management
This comes up again and again on Slashdot. Should there be a standard curriculum or test or other criteria that all programmers should meet? Should we have to belong to professional associations? Should programmers be obliged to follow codes or take legal responsibility for flaws in software? How much should formal education and credentials be valued? Should self-taught programmers be excluded?
These are contentious issues. Clearly Dawson College and Mr Simonelis have an interest in defining and policing the boundaries of the profession. This would enhance their status. But as nearly a half century of debate and ongoing discussion here demonstrate, there is no professional consensus for them to uphold. This is real cultural divide. Al-Khabez got caught in the middle, used by Dawson in their efforts to define the profession and their own status. I think that's terribly unfortunate.
For an excellent book on the history of programming and efforts to professionalize it, see The Computer Boys Take Over by Nathan Ensmenger. He argues that programmers are morke like technicians than professionals. Like other technicians, their work is often threatening to the organizations that depend on them. And despite the best attempts of computer science and software engineering, much of it is guided more by craft principles than by rigorous scientific or engineering methods.
Re:About those professors ... (Score:5, Insightful)
I've never found that to be the case with university professors. In fact, most of the ones I ever knew did no research at all. They wrote textbooks and taught classes.
They still weren't useless. They knew the material they were meant to teach. But they were horribly out of touch. I still remember having these bizarre arguments with one professor that was sure open source was a brief fad, that it couldn't catch on in any meaningful way, but that if it did, it would be poison for innovation in the tech industry. I'd like to go back and do an obnoxious, "I told you so."
Shit, I hope he's not dead now... I'd feel pretty bad.
Re:Blamestorming (Score:4, Insightful)
I'm not talking about this guy: I'm replying to the comments of the OP talking about how schools today don't teach security, and they don't. They don't because they're afraid --
And my first sentence dealt with that concern. If they make step one of the process: GET PERMISSION then they don't have an issue. That statement applies to more than just this one case.
People can't have an open dialog about computer security right now because it's too political.
That nonsense. Of course you can have an "open dialog", as long as you aren't doing it as part of breaking into someone else's computer without permission. It happens all the time.
You shouldn't have to risk your career just to show some kids how to do something that might actually help them and their community,
You don't. I've already described the dual course admin series that taught people exactly this without costing anyone any careers or getting them expelled. How did they do this magic? They used systems that they had permission to test. They put the systems together to learn how to do that; they broke into them to learn what was possible and how to prevent it.
There have even been cases of commercial outfits that have made public challenges -- and none of the participants have been hung or shot or had their careers ruined. More magic? No, just the simple part about having permission.
There's even a competition run by the government that deals with cyber security, which involves teaching kids how to break into systems. But then, they aren't doing it without permission.
See the common thread here?