Student expelled for helping find security flaws at university

Summary: A student at Dawson College in Montreal has been expelled and had his grades zeroed after he discovered and reported a flaw in the software that holds students' personal information.

TOPICS: Security, Education

Ahmed Al-Khabaz, who was studying computer science at Dawson College, discovered that the software managing students' college accounts had a significant flaw that could allow any user to retrieve other students' personal information, according to the National Post.

Al-Khabaz brought the issue to the college, which thanked him and the fellow student who discovered the flaw with him, and told them that the college would work with the software's creator, Skytech, to ensure it was fixed. The software in question, Omnivox, is also in use at a number of other institutions.

When Al-Khabaz tested the system again two days later, he received a phone call from Skytech President Edouard Taza who, according to Al-Khabaz's account of the incident, threatened to have him arrested unless he signed a non-disclosure agreement. In addition to preventing him from discussing the issue, the agreement also prevented him from disclosing that such an agreement even existed.

Al-Khabaz had used a tool called Acunetix to test whether the flaw still existed. Acunetix is a commercial web-vulnerability scanner: it sends a large number of crafted requests to an application and looks for common classes of flaws, such as cross-site scripting or places where a developer has failed to protect against SQL injection. Many of the same tests can be attempted by hand, but actively probing a web application you do not own sits in a grey area, legally and ethically, and an automated scan produces a volume of traffic that the operator's logs and monitoring will readily show as an attack, whatever the tester's intent.
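The article does not say what the Omnivox flaw was technically, only that any user could retrieve other students' records. The following is an added illustration, not code from Omnivox, Skytech or the article, of that general class of flaw (a handler that checks only that someone is logged in, not whether that person may read the requested record) beside a hardened version, and of a targeted retest that verifies the fix with a single cross-user request instead of a scanner sweep. The record fields, user ids and the "staff" role are assumptions made for the example.

```python
"""
Added example (not the original page's or Skytech's code): a handler that
returns any student's record to any logged-in user, its hardened form, and
a targeted retest. Names, record fields and the "staff" role are assumed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for a student-information database.
STUDENTS = {
    1001: {"name": "Student A", "id_number": "A-0001", "address": "1 Example St"},
    1002: {"name": "Student B", "id_number": "B-0002", "address": "2 Example St"},
}
STAFF_IDS = {9001}  # assumed: accounts allowed to read any record


@dataclass(frozen=True)
class Session:
    user_id: int


class Forbidden(Exception):
    pass


def get_student_vulnerable(session: Optional[Session], student_id: int) -> dict:
    """Vulnerable: checks only that *someone* is logged in, then returns
    whatever record id the client asked for (an insecure direct object
    reference). Any student can read any other student's record."""
    if session is None:
        raise Forbidden("login required")
    return STUDENTS[student_id]


def get_student_hardened(session: Optional[Session], student_id: int) -> dict:
    """Hardened: the requested id is served only if it belongs to the caller
    or the caller holds a role that may read any record. The decision is
    made server-side from the authenticated session, not from the id the
    client supplied."""
    if session is None:
        raise Forbidden("login required")
    if session.user_id != student_id and session.user_id not in STAFF_IDS:
        raise Forbidden("not authorised to read this record")
    return STUDENTS[student_id]


def retest_fix(handler) -> bool:
    """Targeted retest: one cross-user request against a handler, no
    scanner. Returns True only if the cross-user read is refused and the
    caller's own record is still served."""
    caller = Session(user_id=1001)
    try:
        handler(caller, 1002)  # try to read someone else's record
    except Forbidden:
        pass
    else:
        return False  # cross-user read still succeeds: fix not in place
    return handler(caller, 1001)["name"] == "Student A"


if __name__ == "__main__":
    print("vulnerable handler passes retest?", retest_fix(get_student_vulnerable))
    print("hardened handler passes retest?  ", retest_fix(get_student_hardened))
```

The retest function is the point of contrast with the scanner described above: it makes exactly one request that the fix should now reject, so there is a single, explainable log entry rather than thousands of generic probes, and it can be run (or witnessed) by the operator rather than by the reporter acting alone.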

Despite Al-Khabaz signing the non-disclosure agreement, the college expelled him and zeroed his grades, badly damaging his prospects of being admitted to another institution.

Al-Khabaz's appeals to the college have been denied.

The Dawson Student Union has set up a site petitioning the college to recognise that Al-Khabaz's intentions were not malicious and to have his expulsion overturned. It has already received about 5,000 signatures, and Al-Khabaz has received seven job offers.

According to CBC News and the student union's petition website, Al-Khabaz has also received a scholarship and part-time job offer from Skytech itself.

At the time of writing, Skytech's website was unavailable.

The incident echoes that of Australian security researcher Patrick Webster who, like Al-Khabaz, discovered a flaw in First State Super's site and informed the organisation, only to be questioned later by local police. The investigation was dropped once the story hit the media, and the Privacy Commissioner's investigation, which found First State Super to be in breach of the Privacy Act, later noted that NSW Police and First State Super had stopped pursuing Webster.

Such incidents have led well-intentioned researchers either to withhold vulnerabilities they find, or to retain a lawyer before informing the vulnerable organisation.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

  • Student expelled for helping find security flaws at university

    this is the reason why repressive regimes almost always fail. instead of nurturing their intellectuals, they normally incarcerate and even murder them. we thought that the western civilization got rid of this appalling vice of the power elites, but they seem to be thriving and becoming bolder in the execution of their greed.
    kc63092@...
  • Don't want to attend Dawson College or recommend that institution to anyone

    In fact, whenever the situation arises in the future, I will equate Dawson College with North Korea - both have similar ideologies.
    kenosha77a
    • You will find

      that most liberal and supposedly open-minded universities have similar ideologies to N. Korea! Closed/narrow minded, totalitarian regimes.
      What the ...!
  • What a deceptive Headline.

    The "student" was not punished due to his finding of the vulnerability. He was punished when he went back for more and installed "intrusive tools" to do so on a campus network. If he worked for a company with any security policy in place he would have been terminated immediately. "When Al-Khabaz tested the system two days later..." This was his downfall, he exploited a known vulnerability where access to PII was available. He deserved exactly what he got.
    No Thanks, Just Lurking
    • Academic computing environment. 'nuff said.

      Nice try at trolling.
      ejhonda
    • Agree

      "When Al-Khabaz tested the system two days later..." This was his downfall, he exploited a known vulnerability where access to PII was available. He deserved exactly what he got.

      I tend to agree. The quoted bit sounds rather sketchy. It's one thing to discover a vulnerability and report it. It's another thing to go back a couple of days later and start poking around by leveraging that exploit (should have poked around before reporting it.)

      All in all, I suspect there's more to the story than what this writeup reveals.
      dsf3g
  • He Probably Has Good Job Prospects

    In software security.
    bb_apptix
  • Typical reaction from Canadian elite

    This is typical of a reaction when you embarrass the elite in this country. Rather than celebrate the accomplishments and initiative of a student, look around for a reason to take revenge and try to discredit that individual as much as possible. You can't exact heavier penalties in academia than expulsion and zero grades. This is the realm of academic dishonesty (cheating) or bringing severe disrepute to the institution.

    Many of the elite here place more value in compliance and obedience, seeking near sycophant-like approval of whatever they do, good or bad. Until that attitude changes, affected institutions here will never be world class.
    yvesmarchand@...
    • Errata

      This is the realm of academic... Should read: This is the realm of academic....
      yvesmarchand@...
  • Seems all the Dawson web sites are down at this time...

    Seems Dawson College has pulled all their web sites (or someone outside has managed to hack most). The only working site is http://dc37.dawsoncollege.qc.ca/employment/ ; the main site at http://www.dawsoncollege.qc.ca/ has an error 403, and the site in question (student portal at http://dawsoncollege.omnivox.ca/ ) is no longer available. Probably very embarrassing for the school, and seems like an inappropriate reaction by Dawson to expel Al-Khabaz. That kind of knee-jerk reaction will create TONS of bad press for the school. Certainly not well thought out by the administration (and maybe we will see changes at the top there!).
    randysmith@...
  • Malicious Intent?

    According to the story, when he went back and tested it, he was NOT attempting to access any data for malicious purposes, he was testing to see if they had acted to plug the hole. Admittedly, he should have gone back to the Dean and asked the Dean to witness the test, but it seems he did not have any intent other than to see if his suggestion had worked.

    I wonder, if his name were Robinson instead of Al-Khabaz, would he have been treated differently?
    jallan32
  • Does he get a tuition refund?

    Well, going back to test with aggressive software does not sound smart, but also not malicious, given that he reported the initial problem. I can't believe the school can zero out his grades - didn't he pay for the education? Are they going to give him a refund?
    quakeguy
  • Big Corp Coercion

    To protect ones bottom line at any cost including a product that has major security issues.
    Somebody should be prompting major media coverage of Skytechs problems and their influence on their customers.
    The student has already gotten the positive exposure he needs to afford him some leverage, maybe to the point of telling the school to stuff it.
    sickntired44
  • Never work for Skytech

    Skytech has a very bad reputation and lousy business practice in America. Seriously reconsider before you work for Skytech. Unfortunately, Skytech has a unique connection with IT Management at schools.
    Netteligent
  • For what it's worth ...

    Skytech President Edouard Taza in my personal opinion shows there's one born every minute.
    Good going Al-Khabaz, maybe you'll be running Skytech soon and you can move the president into a more proper position. The guy seems to be scared of his own shadow.
    msdead
  • Testing, testing...

    I think Dawson College needs to use the old wooden paddle on themselves.

    Al-Khabaz was honest up front and reported. Dawson should have followed up with more tests. Since Al-Khabaz found the original problem, he may have had other ways to search for other exploits AND ALL under the watchful eye of Skytech. Maybe Skytech could have learned something.
    BUT obviously Skytech saw the GOOD in this Al-Khabaz.

    These days that's a rough name to have in software security.

    fm-usa
  • Dawson College isn't a University

    It is a "CEGEP" (kinda-sorta like a "community college" or a "junior college"). In Quebec, you do 11 years of grade school and high school. Then, if you are planning to go to university, you do two years of CEGEP before heading off to a university (where your program is generally about a year shorter than it would be at a US university (for example, an arts degree is 3 years post-CEGEP)).

    CEGEPs are colleges, but they do no research and they don't offer "degrees" - only "diplomas". If you are in a pre-university program, that diploma is only useful for getting into a university. They are *much* cheaper than just about anything in the US.

    It's not that surprising that a CEGEP would go bananas over this - they probably see it as an attack on the integrity of their IT systems. I agree that a student who finds a vulnerability and reports it responsibly shouldn't get treated this way and I expect that the student will eventually be reinstated once cooler heads prevail.
    Flydog57
  • Correction

    Dawson is a college, not a university. Here in Quebec, college comes before university.
    Sebastian Tristan
  • What I don't understand...

    ...is the NDA and arrest threats. I may be mistaken, but at least in the US, he couldn't be forced to sign an NDA simply for discovering a vulnerability. Certainly not something that would leave him open for arrest. There could be a civil suit, of course, but that would be a hard win.

    Quite the contrary, I would think this guy would have a heck of a lawsuit against both school and Skytech, and that NDA being ruled void due to duress. That may be why they turned around and offered him a job...

    Of course, I'm in the US and this happened in CAN. Different rules.
    RaulYbarra