Montreal Student's Academic Future is "Ruined" by Responsible Disclosure
January 21, 2013 2:47 PM
comment(s) - last by
Over 250,000 user records could have been compromised due to the negligent security
When people wonder why some hackers
opt for the relatively destructive route
, one only needs to look at the numerous troubling stories of hackers who went on what is supposedly a more responsible route of discrete disclosure, only to be punished.
I. Student Goes From Hero to Harassed Over Discrete Disclosure, Testing
The latest such unfortunate victim of incompetent and belligerent staff is Ahmed Al-Khabaz, a student at
, an institution in Montreal, Quebec, Canada.
As part of a school project, Mr. Al-Khabaz was recruited to create a mobile app that would allow students to access their student accounts on a system called "Omnivox" used by most of Quebec's CEGEPs (General and Vocational Colleges). But he and a colleague discovered a serious security flaw that would put nearly 250,000 students' personal information at risk.
Dawson College is located in Montreal, Quebec. [Image Source: Dawson College]
Looking to do the right thing, he scheduled a meeting with Dawson College's Director of Information Services and Technology, François Paradis. Mr. Al-Khabaz recalls, "I saw a flaw which left the personal information of thousands of students, including myself, vulnerable. I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong."
Ahmed Al-Khabaz, a star computer science student was initially praised for finding a serious security flaw, but was subsequently condemned for checking if it had been fixed.
[Image Source: National Post]
Mr. Paradis commended him for his work, as was his colleague, Ovidiu Mija. Mr. Paradis promised that the university and the third-party software partner who produced the software, Skytech, would immediately fix the gaping hole.
But that praise soon turned to condemnation. Days later Mr. Al-Khabaz looked to test if the flaw had been indeed fixed, by probing the system with a vulnerability toolkit, Acunetix.
At that point he received an angry call from Skytech. He recalls in
, "It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement."
The non-disclosure agreement (NDA) both forbid Mr. Al-Khabaz from future access of the company's servers, and forbid him from revealing the security flaw he found to the public.
Mr. Taza disputes Mr. Al-Khabaz's account, commenting, "All software companies, even Google or Microsoft, have bugs in their software. These two students discovered a very clever security flaw, which could be exploited. We acted immediately to fix the problem, and were able to do so before anyone could use it to access private information."
He expresses frustration at Mr. Al-Khabaz's decision to probe Skytech's network, but even he dismisses the action as harmless, commenting, "This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.
II. University Expels One of Its Brightest
But here comes the truly disturbing twist -- while Skytech at worst threatened Mr. Al-Khabaz into signing an NDA, his college did far worse. They called his actions in probing Skytech a "serious professional conduct issue", proceeding to expel him.
He recalls a meeting, commenting, "I was called into a meeting with the co–ordinator of my program, Ken Fogel, and the dean, Dianne Gauvin. They asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem."
The final decision to vote on the expulsion was put before a panel of computer science professors. 14 voted to expel the student for check if the flaw had been fixed, while 1 voted against it. Mr. Al-Khabaz was expelled, and university managers twice denied his appeals.
Only one computer science professor out of 15 voted not to suspend Mr. Al-Khabaz for discrete disclosure and vulnerability testing. [Image Source: National Post]
A distraught Mr. Al-Khabaz comments, "I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I won’t be able to get it. My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled."
The university has generally refused to discuss the case, though it did release a brief statement to the
, saying it stands behind its decision and calling Mr. Al-Khabaz's actions inappropriate. It says its typical procedure is to send a warning about conduct-related issues. It did not specifically state whether Mr. Al-Khabaz had received such a warning or whether they were aware of his sanctioned work on the Omnivox app, which triggered the discrete disclosure and testing of the flaw in question.
III. Appeal is Pending, But Mr. Al-Khabaz's Future Remains in Jeopardy
Morgan Crockett, director of internal affairs and advocacy for the Dawson Student Union, calls the action atrocious. He remarks, "Dawson has betrayed a brilliant student to protect Skytech management. It’s a travesty that Ahmad’s academic future has been compromised just so that Dawson and Skytech could save face. If they had any sense of decency, they would reinstate Ahmad into [the] computer science [program], refund the financial aid debt he has incurred as a result of his expulsion and offer him a full public apology."
A copy of the expulsion letter is seen below:
The Dawson Student Union is actively appealing the decision.
No one is advocating that hackers take illegal or destructive routes in "encouraging" businesses or academic institutions to fix their flaws. But when responsible individuals are punished and anonymous destructive disclosures often result in no action against the perpetrators, one must wonder whether the wrong message is being sent.
If Mr. Al-Khabaz's account is accurate one must wonder why any student in their right mind would want to attend such an abusive institution.
: Dawson College's webpage is currently inaccessible, although it is unclear whether it pertains to the story.
This article is over a month old, voting and posting comments is disabled
1/25/2013 6:17:10 PM
I meant to post this before...
He was likely port scanning, got away with it the first time because he discovered a hole, he should have known better the second time, its not up to him to ensure someone elses software on someone elses network is working. This is frowned upon.
RE: port scan
1/25/2013 6:27:11 PM
Also the title of this article is not correct, he wasnt "Ruined" by Responsible Disclosure, he was ruined because he violated an agreement, twice.
You would be surprised how often this happens, other flaws broadcasting student information throughout college/uni networks. It gets fixed but noone tells you, thats ok, the people that knew about the flaw gathered all the info, the college wont tell everyone to change their password as a precaution, that would hold them responsible.
The problem is that nowadays I'd say over 80% of people employed in security type position dont have the required level of knowledge.
Anyways thats all besides the point, anyone can download a port scanner and start using it on their network(not recommended), anyone that knows what they are doing(smart), would never run it like that kid did.
"I mean, if you wanna break down someone's door, why don't you start with AT&T, for God sakes? They make your amazing phone unusable as a phone!" -- Jon Stewart on Apple and the iPhone
Goatse Security iPad Hacker Found Guilty, Faces up to Five Years in Prison
November 21, 2012, 2:42 PM
NSA Chief to Pitch "Common Core Values" to Hackers at DEFCON 20
July 24, 2012, 3:25 PM
Breaking Bad: How to Crash Google's Chrome Browser With Just 8 Characters
September 23, 2015, 11:08 AM
Quick Note: Amazon UK Offers £10 Back on Any Order £50 or Over
August 3, 2015, 12:05 PM
Editorial: Reddit Allows Itself to be Hijacked as a Hate Platform For Racist Bigots
July 21, 2015, 6:32 PM
Mozilla and Facebook to Adobe: It's Time to Kill Flash
July 20, 2015, 6:30 PM
Instagram Bans "Curvy" From Hashtag Searches, Provokes "Plus Sized" Outrage
July 16, 2015, 1:20 PM
Mozilla Promise Punctual Windows 10 Firefox Release, Teases at iOS Arrival
July 7, 2015, 3:08 PM
Most Popular Articles
Why the U.S. Won't be Able to Ban Google's New Huawei Marshmallow Flagship Phone
October 3, 2015, 5:27 PM
Apple's First Fixes to iOS 9 Land w/ iOS 9.0.1 Release
September 23, 2015, 6:11 PM
Apple Watch Commands 2 in 3 Smart Watch Sales, WatchOS 2 Sweetens the Pitch
September 20, 2015, 6:07 PM
Tag Heuer Admits Its $1,800 Smartwatch Was Inspired By Apple -- Price-Wise
September 30, 2015, 6:32 PM
Breaking Bad: How to Crash Google's Chrome Browser With Just 8 Characters
September 23, 2015, 11:08 AM
Latest Blog Posts
Sceptre Airs 27", 120 Hz. 1080p Monitor/HDTV w/ 5 ms Response Time for $220
Dec 3, 2014, 10:32 PM
Costco Gives Employees Thanksgiving Off; Wal-Mart Leads "Black Thursday" Charge
Oct 29, 2014, 9:57 PM
"Bear Selfies" Fad Could Turn Deadly, Warn Nevada Wildlife Officials
Oct 28, 2014, 12:00 PM
The Surface Mini That Was Never Released Gets "Hands On" Treatment
Sep 26, 2014, 8:22 AM
ISIS Imposes Ban on Teaching Evolution in Iraq
Sep 17, 2014, 5:22 PM
More Blog Posts
Copyright 2015 DailyTech LLC. -
Terms, Conditions & Privacy Information