Student claims code flaw spotting got him expelled from college
Canadian college denies overreacting
A Canadian computer science student is claiming he was expelled after identifying a gaping security hole in administrative software his college was using.
Ahmed Al-Khabaz, a 20 year-old student at Dawson College in Montreal, told the National Post that he and a friend had been developing a mobile app for students to access their records when they found a hole in Omnivox software the college used. The hole allowed free access to personal information the college held on students, such as social insurance number, home address and phone number and class schedules
Al-Khabaz reported the problem to his college professor and said he and his friend were initially congratulated and were told the problem would be fixed by the college and the software's developers Skytech.
Later he ran a scan using commercial Acunetix vulnerability scanning software to check on progress and within minutes the phone at his parent's home started to ring he said. On the other end was Edouard Taza, the president of Skytech.
"He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed," the student said.
"He told me that I could go to jail for six to twelve months for what I had just done and if I didn't agree to meet with him and sign a non-disclosure agreement he was going to call the Royal Canadian Mounted Police (RCMP) and have me arrested. So I signed the agreement."
Taza said that he did mention the legal and police situation to Al-Khabaz but has denied making any threats. The security hole in question was being fixed he said, and the firm is confident no-one's privacy has been breached, but he was concerned at the scanning software used.
"This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake," he said.
Unfortunately for Al-Khabaz Dawson College didn't feel that way, and began an investigation for a for a "serious professional conduct issue." Al-Khabaz was called in for a meeting to discuss his future, which he said seemed to focus mainly around who knew about the problem with the college's code.
After the meeting a vote was taken among staff and his expulsion was confirmed by a vote of 14 to one. Al-Khabaz has appealed to the heads of the college but was turned down and is now in a difficult situation.
“I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct," he said. "I really want this degree, and now I won’t be able to get it. My academic career is completely ruined."
But Dawson College has disputed his claims and says it stands by its decision. It says Al-Khabaz was formally warned to not repeat activities that he was being investigated for and was expelled for breaching those terms.
"When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student," said the educational institution in a statement.
A spokeswoman told El Reg that AL-Khabaz was praised for his resourcefulness in the initial report to his tutors, but a month later repeated unauthorized access to the software, which is run by a third-party supplier and "injected SQL code," according to his expulsion letter.
Skytech are so-far unavailable for comment about the precise nature of this SQL injection, but it's clear this case is going to take some time to sort out and we expect writs to start flying shortly. ®
Re: Be Honest
The number of times one finds a flaw and decides "Maybe I'll take a gander and see if they've fixed that critical flaw" and they haven't bothered is far higher than the number of times you take a gander and they have.
The school board in question should have their servers shut down for illegally leaking private information to anyone who can be bothered to steal it and their administrators and people that told the administrators to keep the net links open should all be tried for gross misconduct.
These computer laws need real exemptions for security researchers.
... and Colleges & Government Agencies need to be held legally accountable for continuing to use unsafe and insecure software.
Re: These computer laws need real exemptions for security researchers.
"Illegal" in Canadian Colleges? How can something a college declares illegal carry the weight of effectively banning him from colleges everywhere?
Somebody start a crowdfunding campaing for that student! No, make it two campaigns: one to fund him for self-education so he can later on audit his way out of that university, and a second campaign to fund his legal team.
Maybe a third fund to compel the school to stop acting the way it did. Once he found the hole, they should have plugged it, considering all the privacy info at risk. This is not some leisurely walk in the park to fix, but banking on security through obscurity, and letting the sci-fi named chummy vendor rest on its laurels is something ANY uni should be smacked and impaleld for.
A worse thought came to mind: the hole was engineered to allow privileged other parties (legal or criminal in intent) to backdoor intrude on the students and possibly the rest of the people on the campus. Someone should do a background investigation on the vendor, their relations to the school, and why they carried not enough clout to keep the school off the student's back.
By poking the second time, I think he had every right, since as a member of the campus, his own privacy data and that of friends and possibly faculty, staff, professors, and deans for whom he cared were at risk, too. SO, to my mind, he was exercising due diligence -- provided he was not instrumenting his own back doors or any booby traps. He seems to have wanted to be in a position to compel the school to fix the damned situation. All the money the deans and faculty and their alumni-oriented pet projects suck down, there could have been an emergency borrowing to plug the hole even if it meant using an outside auditor and repair team.
But, people LOVE to cover their own asses and those of their friends, lest those friends become frenemies.
Too bad most crowd funding sites don't seem to make it easy for mass actors to escrow a fund managed by a bank, so that angry people can support someone without having to directly manage the funds. Fire-and-forget funding campaigning should be possible, so long as the recipient is not a terrorist or paedophile or "banned" person who might be the vector of jailing of well-meaning actors.