Feeds

Student claims code flaw spotting got him expelled from college

Canadian college denies overreacting

Next gen security for virtualised datacentres

A Canadian computer science student is claiming he was expelled after identifying a gaping security hole in administrative software his college was using.

Ahmed Al-Khabaz, a 20 year-old student at Dawson College in Montreal, told the National Post that he and a friend had been developing a mobile app for students to access their records when they found a hole in Omnivox software the college used. The hole allowed free access to personal information the college held on students, such as social insurance number, home address and phone number and class schedules

Al-Khabaz reported the problem to his college professor and said he and his friend were initially congratulated and were told the problem would be fixed by the college and the software's developers Skytech.

Later he ran a scan using commercial Acunetix vulnerability scanning software to check on progress and within minutes the phone at his parent's home started to ring he said. On the other end was Edouard Taza, the president of Skytech.

"He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed," the student said.

"He told me that I could go to jail for six to twelve months for what I had just done and if I didn't agree to meet with him and sign a non-disclosure agreement he was going to call the Royal Canadian Mounted Police (RCMP) and have me arrested. So I signed the agreement."

Taza said that he did mention the legal and police situation to Al-Khabaz but has denied making any threats. The security hole in question was being fixed he said, and the firm is confident no-one's privacy has been breached, but he was concerned at the scanning software used.

"This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake," he said.

Unfortunately for Al-Khabaz Dawson College didn't feel that way, and began an investigation for a for a "serious professional conduct issue." Al-Khabaz was called in for a meeting to discuss his future, which he said seemed to focus mainly around who knew about the problem with the college's code.

After the meeting a vote was taken among staff and his expulsion was confirmed by a vote of 14 to one. Al-Khabaz has appealed to the heads of the college but was turned down and is now in a difficult situation.

“I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct," he said. "I really want this degree, and now I won’t be able to get it. My academic career is completely ruined."

But Dawson College has disputed his claims and says it stands by its decision. It says Al-Khabaz was formally warned to not repeat activities that he was being investigated for and was expelled for breaching those terms.

"When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student," said the educational institution in a statement.

A spokeswoman told El Reg that AL-Khabaz was praised for his resourcefulness in the initial report to his tutors, but a month later repeated unauthorized access to the software, which is run by a third-party supplier and "injected SQL code," according to his expulsion letter.

Skytech are so-far unavailable for comment about the precise nature of this SQL injection, but it's clear this case is going to take some time to sort out and we expect writs to start flying shortly. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.