A computer science student has been expelled from Montreal’s Dawson College for poking at what he calls “sloppy coding” in the college’s software – sloppiness that compromised the security of more than 250,000 students’ personal data.
According to the National Post, the student, 20-year-old Ahmed Al-Khabaz, had been working on a mobile app that would have allowed students easier access to their college accounts.
Al-Khabaz and a colleague – Ovidiu Mija – discovered the flaw in the college’s Omnivox Portal software.
Omnivox Portal, made by Skytech Communications, is advertised as a hub for all internal communications at educational institutions.
Al-Khabaz, a member of the school’s software development club, told the National Post that a security hole in the portal software allowed “anyone with a basic knowledge of computers” to gain access to all information a college has on a student, including social insurance number, home address, phone number, and class schedule.
Al-Khabaz said he felt morally obligated to report the problem, not knowing that his actions would be negatively construed:
"I saw a flaw which left the personal information of thousands of students, including myself, vulnerable... I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong."
In fact, Dawson College initially gave the pair a pat on the back for their code-poking.
Dawson College Director of Information Services and Technology François Paradis met with the two on October 24th, congratulating them for their work and promising that he and Skytech would fix the problem immediately.
Two days later, Al-Khabaz decided to check whether the software had in fact been fixed.
He used a web vulnerability scanner called Acunetix. Within minutes, he told the National Post, Skytech President Edouard Taza rang him up and accused him of launching a cyber attack:
"He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn't agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement."
Taza, while acknowledging that he mentioned police and legal consequences, denied making threats:
"All software companies, even Google or Microsoft, have bugs in their software... These two students discovered a very clever security flaw, which could be exploited. We acted immediately to fix the problem, and were able to do so before anyone could use it to access private information."
But while the initial flaw report was welcome, Taza said, subsequently using the vulnerability scanner was a no-no:
"This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake."
The college deemed it far more serious than just an honest mistake. The college’s professors voted, 14 to one, to expel Al-Khabaz for what they called a “serious professional conduct issue.”
Al-Khabaz deems his academic career “completely ruined.”
He said:
"I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I won’t be able to get it. My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled."
Was Al-Khabaz in the wrong to have scanned for vulnerabilities? Even if he did it without malice?
Unfortunately, the answer is yes. Automated tools can crash systems or worse, as security researcher Jeremiah Grossman notes in this article on how vulnerability scanners can harm sites.
White-hat hacking requires authorization – otherwise, it’s illegal.
Was the college overzealous in the punishment?
It depends. How well did their instructors get across the lesson that using such tools can do harm and is illegal unless authorized? Do they include it in their coursework?
If not, then college administrators should take their share of the blame in this incident and include such material in the curriculum, posthaste.
If tutelage in the proper use of vulnerability scanners has in fact been included in the curriculum, then Al-Khabaz’s conduct was unprofessional.
Whether it was unprofessional to the point of expulsion and career-ruining, well, geez, I don’t know about that.
Administrators could have, at least, allowed the student to air his side of the story – which, apparently, they did not, denying his appeal.
Commenters on coverage of the story have expressed a desire to hire the young man. Hopefully, this won’t be a career-stopper for him.
Hopefully, his tale will bring attention to the nuances of using these automated tools.
Like Uncle Ben said to Peter Parker, with great power comes great responsibility. Let’s hope educational venues aren’t shirking their duty to teach students what that responsibility looks like.
Malice intent or not, what he did was illegal, and the college had every right to expel him. If you purposely commit a crime just to see if it can be done, you're still committing a crime. Period.
He didn't purposely commit a crime; he checked to see if they fixed the vulnerability, WHICH HE HIMSELF DISCOVERED. Big difference. If he WANTED to commit a cybercrime, he could have just kept the knowledge of the vulnerability to himself and exploited it. The whole idea behind school is to gain knowledge and apply it, not be expelled for using the very knowledge they are teaching you. Total lunacy. PERIOD.
Yeah right, MR oh-so-pure and clean. Let's expel students every time they commit a crime, such as, ya know, underage drinking / drunk driving / pissing in the bushes / smoking a joint / smoking on campus… well, there goes about 90% of the student body of every school in the country, yourself included.
Great Idea.
I think all agree on his guilt, but punishment should be appropriate. We don’t execute people for dropping litter.
Guilt is not the issue. We don’t execute people who drop litter or violate parking regs.
It could be clearer that this was the responsibility of the College as the Instructor had not advised the student of this !
Clearly from the student's praised actions he had no cause to be concerned, and indeed some pressure to double check, probably as a result of the praise, just to be certain he really had got it fixed.
This and the following simple point seems to have escaped everyone…
He is there to STUDY; the lecturers have a duty of care to him. They failed. I can see NO grounds for suspension at all, simply an accelerated program of courses in security, which he had richly earned to be at no fee.
This is a ridiculous ruling, and assumes instruction he clearly never had had.
Okay, it could possibly have crashed the system, but expelling him was kinda harsh. He had good intentions, so calling it a cyber attack isn't a viable excuse to expel him. He didn't have permission, but still.
Was there a better approach to this issue from the College Professionals?
If you cannot find the answer to that to be a profound YES, then we live on different planets.
On the other hand, perhaps somewhere BETTER would be a serendipitous dividend; go search.
Were those professional academics maybe under some kind of peer pressure?
Something well known about Laws and Serving.
He should have asked permission before using such software. He had no malicious intent, however, yes, the law is the law. His academic career is down the tubes as a result. What he should have done was to ask in a posting. That would have been much safer.
I reported a few security vulnerabilities back when I was at college and it was received well, the in-house sysadmin came and asked me to reproduce it and he personally reported to the company who managed the IT infrastructure in his name to avoid any issues. So don't be afraid to do it, not everywhere is like this college.
The punishment does not fit the crime. The legality of the act not withstanding, the young man should have been read the riot act when he initially disclosed the vulnerability but instead "François Paradis met with the two on October 24th, congratulating them for their work".
Let's give a dog a pat on the back for peeing on the paper and then kick him in the head when he shits in the same place later on.
I'd say that Paradis is the one who should be fired or would that as a punishment not fit in this case.
..The hell? You think he should have been "read the riot act" when he initially stumbled across the vulnerability while designing a mobile app, and promptly reported it? What exactly had he done wrong at this point? Do you really think the proper course of action when discovering something like that would have been to ignore it, rather than reporting it to the proper authorities as he did?
I agree the punishment is harsh. I think a suspension of sorts would have sufficed. He should have asked for permission after the flaw was detected, but they should see him as a student that made an error. Unless he has a prior reputation for repeated malicious hacking, this should not have qualified for an expulsion.
Overkill, unjustified and stupid.
Choice:
make him sweat while they “decided his future” on the course, i.e. go for a coffee, then tell him many hours later that he may remain on the course but that he is on probation for the remainder
-or-
screw up his future, possibly forever.
Having been in a similar position many years ago, but with more compassionate lecturers, I bloody well learned my lesson.
What has he learned apart from never to report any flaws that he may find in future?
As for the instructions in regard to using such tools, this would have been an excellent lesson to present to the class.
I bet there would be many underground agents approaching him with juicy offers to try to break into stuff. He has been treated unfairly, so revenge could be a motive, he seems to have the knowledge and there is a high chance he would make someone pay. Why create crackers when their intelligence could be used in a constructive way. The punishment, more than harsh was rather stupid and I vote to get all those professors expelled. Someone teaching history or chemistry shouldn't even be asked for an opinion on such matters.
I would say they overreacted. Yes, what he did was a crime. However, he didn't mean any harm. He discovered a problem and was praised for it. 2 days later he wanted to see if the problem had been fixed. Considering his personal records were vulnerable, I can't blame him for wanting to make sure they had been fixed. Since software companies can be slow on the updates, checking it under the circumstances only makes sense. He likely figured since he received such praise the first time that checking it would be no big deal. Of course you see the result. To make it worse, they try to claim it was a cyber attack and potentially ruin his life. I think expelling him was wrong. The initial people who gave him praise should have warned him not to do it again. Also, the school needs to use their brains and realize that if he was actually trying to cause harm, he would have hidden behind a proxy or accessed the network from an outside location and proceeded to hack it. A suspension I could understand. But an expulsion was just too much.
Surely the even more important question is why didn't the college fix this serious problem affecting the privacy of their students as soon as it was brought to their attention?
OTT action by the college. After the pat on the back, it should have been a matter that could be dealt with by a verbal caution, or at the very worst a written warning. I would probably have issued the verbal caution with the pat on the back, to make it quite clear that, although he is to be thanked for spotting it, he should have been advised at the time not to test it further. I therefore agree, he should not have tested the system for the flaw again without asking permission first, but it should be recognised that there was no malicious intent and that the prior vulnerability would still have existed had it not been for him.
It strikes me that the young man in question has a better moral compass than the college authorities.
If he was a different kind of person, what better way to turn someone into a cyber criminal than ruining his life and career?
Notwithstanding the legality of the situation, I feel that the punishment most certainly does not fit the "crime" here, as there are too many incidences of bad coding out there which compromise lives and put people at risk.
Expel him by all means, if that is the only option available to the college authorities (which I do not believe), but at the same time take the software company who provided this shoddy program to task for creating something which could have damaged a lot of people's lives.
We live in a world where it is too easy to produce sub-standard goods, sell them and get away with it, and while this student should have asked for permission, he provided information to the company who produced this software which ultimately could save them a lot of embarrassment and has enhanced security for the students at this college – something which the college should be extremely grateful for no matter that the follow-up incident took place.
There are some murky details. Reportedly Al-Khabaz used the vulnerability scanner "to check whether the software had in fact been fixed" but did not tell how he "saw the flaw" in the first place. Skytech alleged that they "had seen [him] in their logs" already the first time.
As for Al-Khabaz, I'd totally sympathize with him had he used the same means to check for the fix. That he brought in the big gun in a subsequent check poses the question about his motives (and apparently he hadn't his colleague with him this time). A whizz like he claims to be should be aware – putting legal questions aside – that such tools 1) can be dangerous and 2) likely trigger alerts (even in flawed products and installations).
Skytech's reaction is also questionable: Apparently they hadn't informed the college of the first detected "attack" (if indeed they didn't "see" it only after having been informed by the college of the flaw). And why did Taza contact Al-Khabaz directly? There's no indication there has been a direct or indirect communication with Al-Khabaz about the initial incident.
If actually the college did nothing more than first patting the two and then kicking Al-Khabaz (perhaps because of Skytech's reaction to the initial report) their course of action was hypocritical and conniving (or even back-stabbing).
With the details at hand there remains a lot of "ifs". If in fact this is the whole story then I'd say the punishment is way too harsh but Al-Khabaz should consider a bit more self-criticism.
I'd hire this kid, and another college would be stupid not to have him. He's clearly intelligent, and has a bright future. Let's hope a youthful mistake doesn't destroy someone's life, especially when this mistake may have actually saved lives.
Sounds like a HUUUGE overreaction on the part of the college to me… I really hope this guy is able to at least find good employment as a result of the publicity that he’s receiving.
By running a vulnerability scanner (without the knowledge or permission of the Asset Owner(s)), he did in fact carry out a cyber attack. Reporting a security weakness that he discovered was his DUTY; not a benevolent act for the good of the students. All the same he got a 'pat on the back'. When this second action was discovered, he was rightly separated from anywhere he could easily cause damage. It's the culture of 'Oh well – lets talk about where you went wrong and ensure it doesn't happen again' that results in data loss. He might have been good at coding, but knew absolutely nothing about information security – which is why he's now out of the college.
I have personal experience of being on the receiving end of Acunetix scanners. Believe me, it is almost indistinguishable from a DOS attack. It is an extremely aggressive scanner: it will try to inject stuff, it will trigger 1000s of form submissions with permutations of parameters and characters. So, yeah, you just might tend to overreact when you learn who took down your system with Acunetix. Let's say one of your systems is brought down and the back-end database riddled with garbage. Would you be inclined to assume the person responsible had only the best of intentions?
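Skytech said the student showed up "in their logs", and the commenter above describes what an aggressive scanner looks like from the server side: a burst of permuted form submissions, most of them rejected. As an added example (not code from the article, Skytech, Acunetix or any commenter), the script below runs that defender-side reasoning over constructed access-log lines; all IPs, paths, dates and thresholds are made up for the illustration.

```python
# Added example: flag scanner-like clients in web access logs (constructed data).
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format. The IPs, paths and dates used in this
# example are constructed and do not refer to any real system.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def profile_clients(lines, window=60, min_rate=50, min_error_ratio=0.3, min_variety=0.5):
    """Return {ip: [reasons]} for clients showing at least two scanner indicators:
    a high request rate per `window` seconds, a high share of 4xx/5xx responses
    (guessed parameters are mostly rejected), and little repetition in the
    path+query strings requested (permuted parameters, not normal browsing)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds() or 1.0
        rate = len(recs) / span * window
        error_ratio = sum(r["status"][0] in "45" for r in recs) / len(recs)
        variety = len({(r["path"], r["query"]) for r in recs}) / len(recs)
        reasons = []
        if rate >= min_rate:
            reasons.append(f"{rate:.0f} requests per {window}s")
        if error_ratio >= min_error_ratio:
            reasons.append(f"{error_ratio:.0%} of responses are 4xx/5xx")
        if variety >= min_variety:
            reasons.append(f"{variety:.0%} of requests use a distinct path/query")
        if len(reasons) >= 2:
            flagged[ip] = reasons
    return flagged

def constructed_sample():
    """Constructed lines: one client hammering a login form with permuted
    parameters (most rejected), and one user browsing normally."""
    lines = []
    for i in range(120):  # 120 requests in about 20 seconds
        status = (500, 404, 200)[i % 3]
        lines.append(
            f'203.0.113.7 - - [01/Jan/2013:14:05:{i // 6:02d} -0500] '
            f'"GET /portal/login?user=u{i}&p=%27{i} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
        )
    for i in range(5):  # five page views spread over a minute
        lines.append(
            f'198.51.100.9 - - [01/Jan/2013:14:05:{i * 12:02d} -0500] '
            f'"GET /portal/schedule HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
        )
    return lines

if __name__ == "__main__":
    for ip, why in profile_clients(constructed_sample()).items():
        print(ip, "->", "; ".join(why))
```

The same signature is what makes an unannounced scan look like an attack to whoever reads the logs, which is why agreeing a test window with the system owner beforehand matters as much as the tool itself.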
Correct me if I'm wrong, but didn't old Marky Zuckerberg get into similar trouble, but he actually did something wrong when he hacked into Harvard's servers? The guy getting screwed in this situation could go on to be very rich if he plays the publicity right! I have a small project I could definitely use his help on. As the story already points out, if he had been told it was illegal then it warranted expulsion, but if it hasn't been covered and he wasn't using campus equipment then they should be thanking him for saving them from the fines that go with releasing people's personal information.
In the Register’s version of this story the college had already given him a formal warning for previous similar activity. If that’s the case then he got what he deserved.
http://www.theregister.co.uk/2013/01/21/dawson_student_expelled_code_flaw/
I don’t see why anyone would employ him particularly for doing what “anyone with a basic knowledge of computers” could do.
This story has more twists than a snake.
On the morning news, CBC Montreal reported that Skytech is now offering to pay Mr. Al-Khabaz's tuition and to give him a job. He is also getting job offers from other companies.
Dawson College, on the other hand, has not simply expelled or suspended him. They have reverted his academic credits to zero, essentially wiping out all the work he has done so far.
At this point the media attention has encouraged Skytech to milk some positive PR out of the story, and I say "Good for them!" Dawson, in my opinion, has gone much too far in the other direction, and I wager they won't reinstate Mr. Al-Khabaz's college credits without some legal encouragement.
OTT: yes, if the facts of this case have been presented rather fairly. Especially when considering there is a healthy amount of shared blame. Technically, he shouldn’t have performed the subsequent attack scan. Others have commented here that intent or not, it’s illegal. However, reality and culture play a BIG role in the response. Intent IS important. And any thinking of what “could have” happened (the scan could have shutdown a system) is inappropriate. You cannot prosecute someone for what they COULD have done. And equally so then, the college, and Skytech COULD have allowed the release of the student’s info, and they clearly did not seal the breach, before or immediately after it was discovered and disclosed. And if their system is vulnerable to an attack scan, then fix it!
The punishment was not only harsh, but counter productive. Coders and app developers now have a clear guideline: find a security hole, and you're better off publishing it to black hats, than co-operating with software vendors and institutions. Eventually the problem is fixed, and you don't risk your neck.
Clearly, the vulnerability affected the creation of a reasonable and legal app, using a public facing interface. Controlled use of a scanner on a well designed system seems unlikely to be a major problem. Uncontrolled or extended use would seem to be a better indication of "unprofessional" conduct.
Incredible. He reported it and went back to check to see if it was fixed, as he had a vested interest (his own information). It was illegal, but did he recognize that his actions fell into that category, or was he thinking that he was just doing due diligence? Expulsion? Absurd. To have such a student who does have morals, who is trying to do good (assumptions based on the article above), should not be expelled. That leads to fear of authority or at least fear of being a whistle-blower, which, to an extent, he was. More appropriate? Academic probation – make sure he really was doing what he said he was and give him an opportunity to report it. Did he make some dumb mistakes? Didn't you at that age? While this is happening, make sure it was taught, in all of its forms, in the classes that are supposed to teach it! There is, or should be, accountability on both sides.
How did Ahmed find the vulnerability in the first place? Using Acunetix? I can imagine it panning out like this: Ahmed finds a vulnerability, helped by an automated scanning tool. He brings the vulnerability to the attention of the college authorities – but not necessarily how it was found. The college authorities check their logs, perhaps for the first time in ages, and overlook the automated attack in gratitude for him finding the security flaw. But a second attack two days later is a bridge too far.
do the bad guys ask permission as well?
He was trying to help. As I see no harm done in this specific case, I do think the punishment was not thought out and far too harsh. Most prestige schools such as MIT, Stanford, and Carnegie Mellon support the students finding and reporting security flaws. That's all he did; he had good intentions, but the company seems to have overlooked the disaster they could have had in seconds if not for him.
The college has a duty of care to protect their students, but if the flaw is still there all they are doing is covering their backs, not protecting the students. They should be transparent in this, not hiding away. I find it inconceivable that they suddenly went on the attack unless they have not fixed the problem to start with.
Thanks for the clear description of the problem and an assessment of the consequences. Good forum.
Did Mr. Khabaz not realize the inner workings of colleges?? Point is, when he wanted to check on it again at a later date, he should have KNOWN to contact that admin first.
Due diligence and all that other stuff doesn't matter (which is why he got tossed out). Isn't college supposed to be higher learning? In the IT world, you automatically know from entry level to notify people before going into their systems, whatever the reason. No exceptions, zero tolerance. Hard lessons are learned every day. The kid's life isn't over. He didn't murder anyone, so he CAN get a job, people.