Tech Monday, January 21st 2013 at 11:30 am

Canadian College Student Points Out Major Security Flaw, Obviously Gets Expelled for Doing So [UPDATED]

Updated with video from Ahmed Al-Khabaz after the jump.

When 20-year-old Dawson College computer science student Ahmed Al-Khabaz found a security flaw in his college’s software that put in jeopardy the personal information of more than 250,000 students, he did what any conscientious person would do — he warned the school. Then, obviously, the school did what anyone would have done — they expelled Al-Khabaz for a “serious professional conduct issue,” and gave him zeros in all his classes so he can’t get into any other colleges. Makes sense. A student points out a security flaw that could have ruined the lives of his fellow students, why wouldn’t you ruin his? Stay classy, Dawson College.

The flaw was found in the Omnivox software system used by most of Quebec’s CEGEPs (General and Vocational Colleges), and was the result of what Al-Khabaz called “sloppy coding.” Al-Khabaz found the flaw while working on a smartphone app to let students access their college accounts. The flaw could have let anyone with basic computer knowledge access any of the information the colleges had on any of their students, including addresses, social insurance numbers, and even their class schedules — not the sorts of information you generally want to be common knowledge.

After Al-Khabaz informed the school of the issue, the Director of Information Services and Technology, François Paradis, told him that the school and the makers of Omnivox, the ominously named Skynet Skytech, would immediately fix the problem. After two days, Al-Khabaz used Acunetix, a program designed to find security vulnerabilities in software, to see if the problem was really fixed.

That’s when the president of Skynet Skytech called, accused Al-Khabaz of a cyber-attack, and threatened him with prosecution and jail time if he didn’t sign a non-disclosure agreement, which he did. The president of Skynet Skytech, Edouard Taza, denies making threats, but did admit to mentioning the police and the legal consequences. That sounds pretty threatening.

Taza said that using the Acunetix software without permission was what Al-Khabaz did wrong, but said it was very clear there was no malicious intent in using it.

The administration at Dawson College called a meeting with Al-Khabaz, the coordinator of the computer science program Ken Fogel, and the dean Dianne Gauvin. Al-Khabaz said he was asked a lot of questions and got the impression that the school’s main concern was covering up the problem. They probably didn’t want to look bad if the public found out about the security flaw.

After the meeting, 15 professors voted on whether to expel Al-Khabaz, and 14 voted to do so. Al-Khabaz appealed the decision to the academic dean of the school, and to director-general Richard Filion, but both appeals were denied. Now instead of looking bad for having a major security flaw in their software, Dawson College looks bad for expelling and ruining the academic life of the person who tried to fix it — oh, and also for having a major security flaw in their software. A+, good job, everyone.

The director of student advocacy, Megan Crockett, is calling for Dawson College to reinstate Al-Khabaz, publicly apologize to him, and refund the financial aid debt he is responsible for after being expelled. Is that enough? If your college expelled you after you tried to help them fix a major security flaw would you even want to go back?

Dawson College shouldn’t have expelled this kid, and Skynet Skytech shouldn’t have threatened him with prosecution. They should have offered him a job.

UPDATE: 12/25/13 – It seems Ahmed Al-Khabaz has taken to YouTube to try to bring attention to his situation, and ask people for support. He’s asking Dawson College to reinstate his grades and to remove what he called a “negative comment” on his record. Al-Khabaz states in the video that he does not want to return to Dawson College — and why would he? He just wants to be able to go back to college and finish his degree.

Your move, Dawson College.

(via National Post, image via ikrichter)

  • Cath

    shameful,

    school should be grateful to have such a brilliant student. If he was in the US, there'd be more than 5-6 major corps that would recruit him.

    Shame on you Dawson and Skytech

  • http://twitter.com/Sickjessi Jessicka

    Well… They’re both in the wrong really. The school shouldn’t have gone overboard on him, BUT he shouldn’t have used the program either. A phone call to ask if they had fixed it, plus collaborating with them to see if it was fixed would’ve done wonders – Plus he could’ve become their security tester, even if temporary. Both entities went about things in the wrong way, and the title is misleading – He *did* potentially break a law, and might’ve broken school conduct rules as well.

  • Anonymous

    Tch, tch… Only in Canada, just like a popular Tea Brand…

  • http://twitter.com/nachtritter Duke Fleed

    While what he did may have been ill-advised, everyone involved knows there was no wrong intent. Therefore he shouldn’t have been expelled and certainly not black-listed from future studies the way he will be now. That is excessively harsh punishment.

  • http://twitter.com/nachtritter Duke Fleed

    Send him to MIT to study network & computer security, then a job as a white hat hacker. Stupid school system.

  • Rob Turk

    Why shouldn’t the kid have run this program? Aren’t college kids supposed to learn by doing? What kind of Nannystate BS is this?

  • Hassan

    What’s even more depressing is the 14/15 computer science professors who voted to expel him. Aren’t professors supposed to recognize talent?

  • Jack Bond

    Apparently Skytech basically let him off the hook, but the school wouldn’t have it. This just goes to show, if your school has a chance to do something wrong, you have two choices.
    1. Help them fix it and let them ruin your life.
    2. Let them do it wrong, sue their pants off, then reap the reward.

  • Idlethoughts

    Some other higher tier school should just offer to take him regardless of his “zeros” in classes, as he obviously has talent and good, responsible intentions.

  • Anonymous

    He was fighting for the User!

  • bishop

    Way to go, taking a National Post article and adding in little, cheap comments that I’m sure you think are “smart and witty”.

  • http://www.facebook.com/VaiosSun Vaios Karanikas

    You remind me of the Voight-Kampff test in the movie Blade Runner for detecting mutants! :-D

  • http://www.facebook.com/antony.kwok Antony Kwok

    It’s incredible the percentage of people failing to apply priorities in their issue management!

  • Eric

    Anyone who registers there from here on in should be ashamed of themselves.