A computer science student has been expelled from Montreal’s Dawson College for poking at what he calls “sloppy coding” in the college’s software – sloppiness that compromised the security of more than 250,000 students’ personal data.
According to the National Post, the student, 20-year-old Ahmed Al-Khabaz, had been working on a mobile app that would have allowed students easier access to their college accounts.
Al-Khabaz and a colleague – Ovidiu Mija – discovered the flaw in the college’s Omnivox Portal software.
Omnivox Portal, made by Skytech Communications, is advertised as a hub for all internal communications at educational institutions.
Al-Khabaz, a member of the school’s software development club, told the National Post that a security hole in the portal software allowed “anyone with a basic knowledge of computers” to gain access to all information a college has on a student, including social insurance number, home address, phone number, and class schedule.
Al-Khabaz said he felt morally obligated to report the problem, not knowing that his actions would be negatively construed:
"I saw a flaw which left the personal information of thousands of students, including myself, vulnerable... I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong."
In fact, Dawson College initially gave the pair a pat on the back for their initial code-poking.
Dawson College Director of Information Services and Technology François Paradis met with the two on October 24th, congratulating them for their work and promising that he and Skytech would fix the problem immediately.
Two days later, Al-Khabaz decided to check whether the software had in fact been fixed.
He used a web vulnerability scanner called Acunetix. Within minutes, he told the National Post, Skytech President Edouard Taza rang him up and accused him of launching a cyber attack:
"He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn't agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement."
Taza, while acknowledging that he mentioned police and legal consequences, denied making threats:
"All software companies, even Google or Microsoft, have bugs in their software... These two students discovered a very clever security flaw, which could be exploited. We acted immediately to fix the problem, and were able to do so before anyone could use it to access private information."
But while the initial flaw report was welcome, Taza said, subsequently using the vulnerability scanner was a no-no:
"This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake."
The college deemed it far more serious than just an honest mistake. The college’s professors voted, 14 to one, to expel Al-Khabaz for what they called a “serious professional conduct issue.”
Al-Khabaz deems his academic career “completely ruined.”
"I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I won’t be able to get it. My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled."
Was Al-Khabaz in the wrong to have scanned for vulnerabilities? Even if he did it without malice?
Unfortunately, the answer is yes. Automated tools can crash systems or worse, as security researcher Jeremiah Grossman notes in this article on how vulnerability scanners can harm sites.
White-hat hacking requires authorization – otherwise, it’s illegal.
Was the college overzealous in the punishment?
It depends. How well did their instructors get across the lesson that using such tools can do harm and is illegal unless authorized? Do they include it in their coursework?
If not, then college administrators should take their share of blame in this incident and include such material in the curriculum, post haste.
If tutelage in the proper use of vulnerability scanners has in fact been included in the curriculum, then Al-Khabaz’s conduct was unprofessional.
Whether it was unprofessional to the point of expulsion and career-ruining, well, geez, I don’t know about that.
Administrators could have, at least, allowed the student to air his side of the story – which, apparently, they did not, denying his appeal.
Commenters on coverage of the story have expressed a desire to hire the young man. Hopefully, this won’t be a career-stopper for him.
Hopefully, his tale will bring attention to the nuances of using these automated tools.
Like Uncle Ben said to Peter Parker, with great power comes great responsibility. Let’s hope educational venues aren’t shirking their duty to teach students what that responsibility looks like.