I've already posted my "almost got arrested for using zsh" story, so here's another one:<p>I used to work at a large public university. One day, a grad student brought me his laptop and asked if I would take a look at it because "the Internet [was] really slow." It turned out that his computer was part of a botnet controlled via IRC, and it was being used to attack hosts on the Intertubes.<p>After sniffing the IP address + port of the IRC server and the channel name and password the botnet was using, I joined the channel with a regular IRC client. "/who #channel" listed <i>thousands</i> of compromised clients, including hundreds with .edu hostnames. (One university had a dozen hosts from .hr.[university].edu in the channel. Sleep tight knowing your direct deposit information is in good hands.)<p>There was no way I could notify everyone, so I concentrated on e-mailing abuse@ the .edu domains. In my e-mails, I explained who I was and where I worked, that one of our computers had been compromised by hackers (yeah yeah terminology), and that in the course of investigating, I found that computers at their university had also been compromised by the same hackers. I also included a list of the compromised hostnames at their university and the IRC server's information so their networking people could look for other compromised hosts connected to the IRC server if they wanted to. Relatively basic IT stuff.<p>I didn't get replies from the majority of the universities I sent messages to, including the .hr.[university].edu one. I got a few thank yous, but I got just as many replies from IT Security Officers and CIOs (including at big name universities) accusing me of hacking their computers and demanding that I stop immediately or face legal action.<p>Those people <i>just didn't understand</i>, and they were in charge of (or ultimately responsible for) their universities' IT security efforts... It was completely mind-boggling to me at the time.
I found something like this at my school. The administration reacted similarly. But fortunately, I was taking djb's Unix Security Holes at the time, and a harshly-worded note from djb to the Computer Center folks ended up getting me a thank you.<p>Next semester, though, I refused to sign the new AUP (which included a clause allowing the computer center staff to seize any computer I was using, even at my off-campus home), and they kicked me out of school. (Actually what happened was they locked my course registration account, and wouldn't reinstate it until I signed the policy in their presence. I refused.)<p>(Sadly, I can't find the full-disclosure thread for this bug. I guess I posted it to my blog, which I deleted after being threatened by school administrators. Oh well. That was 9 years ago!)
This sort of thing scares me. One time I found a security vulnerability in a popular forum I frequented. I emailed the site owner, and he thanked me and fixed it. Later someone else discovered another weakness and used it to post spam; the site owner emailed me asking about it. My initial thought was that he suspected I was the one doing it, but it turned out he was just trying to see if I could help him.<p>That scared the crap out of me though and I realized this was a VERY bad idea. Something as harmless as trying to help someone make their website more secure can get you more jail time than robbing a bank.<p>I also, completely accidentally, logged into another student's account at my university (a big university too). The school gives you an ID number. Your initial password is the same as this ID, and you're supposed to change it later. I didn't remember my ID correctly, swapped two numbers in it, and ended up in someone else's account. Home address, phone number -- all sorts of information staring me in the face. Will I report this issue? Heck no!<p>It's weird how many of these I discover by accident. My school also had a hackathon hosted by eBay and PayPal. In fact, one of the programmers from PayPal was there. During the hackathon, I stumbled upon a way to get account information without authentication (security tokens were being seriously misused). The PayPal guy was shocked and asked me to send him all the information on what I had found. Never did get any sort of reward out of that... (and I lost the hackathon too).
I dealt with a situation at a college internship. The company was designing a marketing campaign for Nokia, but we were having major problems with the firewall software, which made for a very flaky Internet connection.<p>Long story short, my manager disabled the firewall and we were hacked that night. I was let go the following day unceremoniously. I discovered soon after that the company blamed me for the attack, saying I turned the firewall off and hacked the servers myself.<p>The school immediately started expulsion proceedings without even contacting me. Fortunately, my advisor personally addressed the issue and had everything dropped. The drama only lasted a few days, but the school's brain-dead response to the issue gave me zero confidence in their ability to review anything objectively. I was so disgusted I refused to walk in the graduation ceremony, much to my parents' disappointment.
Unauthorized security testing == Malicious attack<p>The actions of Mr. Al-Khabaz were unlawful and unethical. If he had only accidentally found the flaw and reported it to the responsible person, things would be fine. But security testing without the permission of the system owner is the same as an unauthorized access attempt!<p>I have worked as a security professional for 7 years, and I recently did a guest lecture at a college discussing an example like this. Most students were not aware of where the problem was. Maybe it would help to imagine how a story like this would look in the physical world:
Let's suppose you come back home and find someone picking your door lock with a lock-picking tool. You ask him "what are you doing?" and he says "I'm just checking whether your lock is safe. I do it for your security." Would you believe him? Or would you call the police immediately, without asking him anything?
Let's add to this that security testing tools can sometimes degrade the tested system's performance or sometimes even crash it. In this case, it's not just an unauthorized access attempt, but a successful denial-of-service attack!<p>Never, ever, do security testing of a system without the written permission of the system owner. If you get the permission, you will probably be asked to sign an NDA in return. You will also need to provide some information, like the source IP address you're using and emergency contacts that can be used to stop the testing in case of problems (like crashes, etc.). This is the only lawful and ethical way to do these kinds of procedures on someone else's system.<p>I'm not discussing whether the penalty is OK in this case. It really doesn't matter if most people here cannot tell what he did wrong in the first place.
I've said this before -- don't bother being a "white hat".<p>The industry and the legal system don't have a pigeon hole for that. You'll be labeled as a "hacker" (and not in the positive sense of it). Either disclose the vulnerability immediately to get recognition, hoping it is public enough that they'll be ashamed of going after you, or sell it and profit from it. You are already treated as a criminal by these large institutions, so if you go in that direction you might as well make some money.
Ahmed, if you're reading this, sorry about your college acting like idiots. If finishing college is important to you, I'm sorry they've made it so difficult.<p>That said, please don't think this is going to end your career. There are a lot of companies and startups that would love to have you for your kind of initiative. Not having a degree that you don't seem to need anyway will not be a sticking point with them. And the option of starting your own consultancy is a possibility - you already have some publicity that can help with initial gigs.<p>If you'd like to try your hand at a job, do check out ThoughtWorks (www.thoughtworks.com). We don't usually stand on ceremony or make a fuss about qualifications.
Even aside from the fact that he was acting in good faith and did not cause any damage to persons or property (as acknowledged by the software vendor), the procedure used to expel him is woefully lacking. I sat on the highest student discipline tribunal at my (Canadian) university and an expulsion for non-academic reasons - which had to receive final approval from both the President and the Governing Council - would only be recommended in cases involving egregious and likely criminal misconduct and only after the courts had found merit to the allegation.<p>Furthermore, any student faced with potential expulsion would have been entitled to a series of quasi-judicial hearings and assistance in preparing their defence. To expel someone for non-academic reasons from a publicly-funded institution (which Dawson is) should not be taken lightly and surely never in a fashion where the accused is not permitted to present their case.
The CS faculty at Dawson (less one) should be embarrassed.<p>This happened to me twice in college, minus the expulsion part. In the less interesting case the University sent around a form to be used in nominating student speakers for commencement. It included a drop down that was keyed off of student id. Student ids were regarded as private.<p>The school required everyone to either buy health insurance from them, or provide proof of insurance. They had a webapp where you could report this data. The login required your student id, name, and birth date (thanks Facebook). If you visited the app after using it, the form auto-populated with your health insurance information. I brought it to the attention of the University and they took down their nomination app in a matter of minutes.<p>In the more exciting incident, someone at Sungard called my university and asked them to have the campus police arrest me. (Edit: Quite boring, really <a href="http://seclists.org/bugtraq/2008/Jan/409" rel="nofollow">http://seclists.org/bugtraq/2008/Jan/409</a>)
What's upsetting is the 14/15 professors who voted him to be expelled. Do computer science professors not understand the concept of white-hat hacking? Shame on them.<p>What message does this send to other students at Dawson? Don't be curious; don't go out of your way to do a favour for the safety of your peers; keep your mouth shut and we'll hand you your degree.<p>Someone give him a scholarship to a legit university!
Back in 1999 when I was a freshman in university, my school had a server for students to host their websites on and use Pine for email. The server did not give shell access... but then there was a security hole in Pine that would allow you to run chsh. So I did that, and got shell access. I think the worst thing I did (other than running ls in a few directories) was use it to connect to IRC.<p>Since I wasn't really trying to hide anything, one of the IT guys must have seen me with shell access and reported me. My punishment was having my ethernet turned off in my dorm room (even though the incident occurred in a computer lab while the dorm's ethernet was not ready for use yet). I appealed the decision and met with the Dean, and she said I was considered a threat to the school so I should be happy that my punishment wasn't worse.<p>Anyways, the rest of the year in the dorm was spent playing a cat and mouse game. I used my computer on my roommate's LAN port, so they ended up shutting off his ethernet as well.. I felt bad about that, especially since they refused to give him internet access for the rest of the year. So I ended up making a 50 foot ethernet cable and running it through the bathroom into another person's room (Two 2-person dorm rooms were connected by a common bathroom). That got shut off, so I bought a new LAN card (to get a new MAC address) and connected to another ethernet drop. I was able to get online for the rest of the year, but that sure left a sour taste in my mouth for my school.<p>Edit: I remember one close call... over a break (I was one of the few people in the dorm), water came out of the shower drain and flooded our rooms. I came back from spending the day out to see the Dean going into our room to inspect the damage, and I quickly had to hide my 50 foot cable that went through the bathroom.
There really needs to be legal protection for acts of white-hat hacking like this. Both protection from prosecution, and protection from reprisal. This kind of stuff isn't going to stop happening unless the act of finding and reporting a security vulnerability becomes legally protected behaviour.
The title is misleading. He wasn't actually expelled for finding the flaw; he was expelled because, after reporting the flaw, he ran an exploit program on the school's server without permission, allegedly to see if it had been fixed. Had he only reported it, he would not have been subject to any disciplinary action.
<i>“All software companies, even Google or Microsoft, have bugs in their software,” said Mr. Taza. “These two students discovered a very clever security flaw, which could be exploited. We acted immediately to fix the problem, and were able to do so before anyone could use it to access private information.”</i><p>Yes, even Google and Microsoft have bugs in their software. This isn't an excuse to bully people who tell you about the bugs in yours. The difference between you and Google is that Google pays people who find bugs in their software, especially serious security flaws, even if they aren't employed by Google, rather than threatening them with legal action.
Most schools have an acceptable use policy for their students which covers unauthorized vulnerability probing and port scanning.<p>I can understand Ahmed's youthful curiosity about whether the vulnerabilities that he identified had been fixed...But he had handed off the info to the Dawson College IT team and the ball was no longer in his court.<p>Running Acunetix against the college's/SkyTech's server(s) was a pretty dumb move. But hell, when you are in your early 20s, that's when you are supposed to make dumb mistakes.<p>I'm all for teaching moments, but this "One Strike And You Are Expelled" issue irks me.<p>Ultimately, this is about Edward Taza of Skytech Communications being sleazy and manipulative by threatening a scared, inexperienced 20 y/o college student with expensive legal action and implying the possibility of jail time unless he signed a non-disclosure agreement.<p>The EFF should probably take a look at this.
Like most developers, I've stumbled into lots of security problems over the years. The first few times I attempted responsible disclosure, but that resulted in enough close calls that I simply don't report them anymore. I document them. Sometimes I might mention them to others who have an interest.<p>I would now never report a security flaw without an iron-clad set of laws in place to protect the rights of white-hats, whether we are licensed and approved security researchers or not.
So why exactly did Taza (the incompetent president of the company responsible for the security breach) mention "police" and "legal consequences" in his conversation if he wasn't making a threat?<p>If you are going to be a lying asshole and deny something, do yourself a favor and deny it outright. Don't try to imply that you were just having a friendly conversation about "legal consequences" right before you solicit someone to sign a non-disclosure agreement. No one in the world will believe you weren't trying to intimidate this poor kid into compliance.
> The agreement prevented Mr. Al-Kabaz from discussing...<p>No, it didn't, because he was blackmailed into the NDA. It's completely unenforceable. It was signed under duress and only benefited one party.
Who in their right mind would think it's a good idea to use a penetration tool against their college?? The title is all wrong. He got expelled for using a penetration tool, not for finding a flaw. He was congratulated for that! I heard someone else from the team even got some kind of prize for it.<p>Sensationalist journalism is what it is. After a little bit of research, I discovered it's written by someone who used to be in Dawson's Student Union, so I guess he has a grudge against the administration.<p>"Ethan Cox is a 28-year-old political organizer and writer from Montreal. He cut his political teeth accrediting the Dawson Student Union against ferocious opposition from the college administration and has worked as a union organizer for the Public Service Alliance of Canada."
I think the college administrators are bullying this student because they are embarrassed.<p>The threats by the Skytech CEO Edouard Taza; the college not allowing the professors to hear the student before voting; his transcripts vandalized with zeroes so he cannot continue his studies elsewhere... What exactly is the relationship between Skytech and this college?<p>I've signed the petition to reinstate Hamed:<p><a href="http://www.hamedhelped.com/petition/" rel="nofollow">http://www.hamedhelped.com/petition/</a><p>Hamed, stick to your guns. You did the right thing.
So.. here's something that happened to me at my software engineering university.<p>A friend of mine had just had a summer internship at a security firm and learned a trick or two. And, looking at the html/javascript code of a page, there was an obvious entry point that gave access to anyone else's account provided you had their student number (i.e. skip the password step).<p>So my friend showed it to me and I suggested he tell the IT department. Obviously, the next thing we know, he's accused of "Hacking" and gets menaced by the IT department.<p>A couple of days later, we check back on the website and realize that a trivial <i>encryption</i> has been added.. I.e. you have to reverse the student number or something like that. And, obviously, just on the client-side.<p>A little bit pissed, we decided to take our revenge for being menaced for just being nice. So we created a web page that explains the story (that we found an entry point, that we told IT, etc.) and then says "Try it!" [<enter student number>], which directly logs you in to their account.<p>We e-mailed that page to the main directors of the school, suggesting a quick fix. And we made sure to CC the IT department.<p>The day after, it was fixed and we received a real "thanks" from the authority. I guess the trick is to contact a higher authority rather than directly contacting the IT department.
I'm going against the general idea here, but the college issued a statement:<p><a href="http://www.dawsoncollege.qc.ca/home" rel="nofollow">http://www.dawsoncollege.qc.ca/home</a><p>Basically, they say Ahmed did more than just what is reported in the article, and they can't publicly say what he did - because that's private info about Ahmed that they're legally obliged to protect.<p>Now I'm not taking a position in favor of the college or in favor of Ahmed. I'm just saying, it's not all black (or white). The National Post article is biased and we're missing some info. We should remember that before going crazy on the witch hunt.
I love the part of the story where the guy naively assumed that it would take his school less than two days to fix the vulnerability. In reality, it would probably take them months.<p>How long did it take Sony to fix their issues? Oh, right, it took someone to expose it publicly. Heh. It's unfortunate how broken some IT organizations are and that they would rather kill the messenger than fix things.
This headline is somewhat misleading. The student was expelled, not for finding and disclosing a security flaw (he was actually congratulated and thanked for this), but for later running a pentest software suite <i>without permission</i> to "verify" if the bug had been fixed.<p>That's not to say that the expulsion still doesn't reek of BS, but Ahmed's hands are not completely clean here.
Problem is he used an auditing/penetration testing tool POST disclosure, and did it without authorization. The availability of these tools puts weapons-grade exploits in the hands of those with limited understanding of the consequences. I don't have an issue with the availability -- best we lighten our history with Full Disclosure and provide best-of-breed tools to simulate attackers -- however, responsibility and individual accountability are at an all-time low. These tools will light up the alarms immediately and the user will have limited understanding.<p>Let's assume it was not SQLi but an authorization application logic bug, i.e. changing a parameter passed by the browser allowed access to the whole record set. He did the right thing and told the vendor -- but after the fact he ran a tool that probably simulated SQLi on every damn parameter!
Like smashing a car window after telling the owner he has left it unlocked.<p>Even a brain-dead sysadmin would notice it in the logs, and likely whatever SIEM would fire a high-priority alert.<p>He did this without auth and the company did the right thing here. In this post-aaronsw world we can't just assume that every n00b clown whitehat hacker is totally innocent of all crimes even if done with the best intentions. People need to take responsibility for their actions. An ignorant click can be just as criminally negligent as stabbing a dude in the face.
My name is Eduardo Gonzalo Agurto Catalan, I am an entrepreneur in the field of IT security and a digital rights activist. I would like to have Ahmed Al-Khabaz's e-mail or other contact information in order to contact him and discuss how I and a few fellow experts could help him. We believe it is a great injustice and that the business community cannot stay passive towards this situation, which we perceive as a kind of bullying. You can contact me: eduardogonzalo@hotmail.fr
Ahmed, I am assuming that you are following this discussion.<p>Based on the article, your life probably doesn't feel so good right now. Sorry to see a bright person in such a situation.<p>Give me a ring if you are looking for an internship, job or start-up experience in Montreal. We are in town (walking distance from Dawson actually). By the nature of our business, we also have good connections with academia if that can help (www.tandemlaunch.com).<p>My login is my name so you can reach me at [firstname].[lastname]@tandemlaunch.com
Maybe the answer is if you find a problem like that don't keep a secret between you and the person in charge.<p>Just go to the school paper or town paper and let them report it.<p>He did great up to the point where he tried to pen-test after reporting it. I understand the intellectual curiosity to see if people are doing their jobs and it's too easy to armchair quarterback but if you bring attention to yourself by reporting a problem you can be sure they will watch you and not necessarily the problem.
While I do not agree with the way this student was being treated, running Acunetix on a system is quite invasive. Regardless of his intent, the consequences might have been data loss and/or denial of service if the system was built poorly enough. Doing extensive vulnerability assessments without consent is really not a good idea.
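Several comments above say that a vulnerability scanner run against a production server "lights up the alarms" and that even a basic SIEM rule would catch it. The following is an added example, not code from the original thread or from Dawson, Skytech or Acunetix, of what such a rule looks like when written out: it parses a handful of constructed combined-format access log lines (the IPs, paths and timestamps are made up for illustration) and flags a client on three independent signals that automated scanning produces: an abnormal request rate, a high share of 4xx/5xx responses, and injection-style payloads in the request. The thresholds, the probe patterns and the scanner User-Agent list are assumptions for the example, not anything the page states.

```python
"""Flag clients whose access-log behaviour looks like an automated web
vulnerability scanner. Added example with constructed sample data; the log
lines below are made up and do not come from any real system."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx "combined" format:
# ip - - [ts] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Payload fragments typical of injection / traversal / XSS probing, matched
# against the URL-decoded request path (assumed patterns for this example).
PROBE_RE = re.compile(
    r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|sleep\(\d+\)|"
    r"<script|\.\./\.\./|/etc/passwd|\bwaitfor\s+delay\b",
    re.IGNORECASE,
)
# A scanner that identifies itself; real ones can be told to lie here,
# so this is the weakest of the signals.
SCANNER_UA_RE = re.compile(r"acunetix|nikto|sqlmap|nessus|w3af|burp", re.IGNORECASE)

# Constructed sample: one ordinary user, one client probing a single parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jan/2013:09:00:00 -0500] "GET /omnivox/login HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Jan/2013:09:00:12 -0500] "POST /omnivox/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Jan/2013:09:00:13 -0500] "GET /omnivox/home?student=1234567 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [21/Jan/2013:09:05:00 -0500] "GET /omnivox/home?student=1234567%27%20OR%201%3D1 HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [21/Jan/2013:09:05:00 -0500] "GET /omnivox/home?student=1234567%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [21/Jan/2013:09:05:01 -0500] "GET /omnivox/home?student=1234567%3BWAITFOR%20DELAY%20%270:0:5%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [21/Jan/2013:09:05:01 -0500] "GET /omnivox/home?student=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 233 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [21/Jan/2013:09:05:02 -0500] "GET /omnivox/home?student=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [21/Jan/2013:09:05:02 -0500] "GET /omnivox/admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [21/Jan/2013:09:05:02 -0500] "GET /omnivox/backup.zip HTTP/1.1" 404 233 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def score_clients(lines, rate_per_min=60, error_ratio=0.5, min_requests=5):
    """Return {ip: {"score": n, "reasons": [...]}}; one point per signal hit."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    result = {}
    for ip, recs in per_ip.items():
        reasons = []
        recs.sort(key=lambda r: r["ts"])
        # Request rate over the observed window (floor the window at 1s so a
        # single request is not divided by zero).
        span_min = max((recs[-1]["ts"] - recs[0]["ts"]).total_seconds(), 1.0) / 60.0
        rate = len(recs) / span_min
        if rate > rate_per_min:
            reasons.append(f"rate {rate:.0f} req/min")
        # Scanners generate many 4xx/5xx: guessed files, broken queries.
        errors = sum(1 for r in recs if r["status"] >= 400)
        if len(recs) >= min_requests and errors / len(recs) >= error_ratio:
            reasons.append(f"{errors}/{len(recs)} responses >= 400")
        # Injection-style payloads in the decoded URL.
        probes = sum(1 for r in recs if PROBE_RE.search(unquote(r["path"])))
        if probes:
            reasons.append(f"{probes} requests with injection probe payloads")
        if any(SCANNER_UA_RE.search(r["ua"]) for r in recs):
            reasons.append("scanner User-Agent")
        result[ip] = {"score": len(reasons), "reasons": reasons}
    return result


def flagged(lines, threshold=2):
    """IPs that trip at least `threshold` independent signals."""
    return sorted(ip for ip, v in score_clients(lines).items() if v["score"] >= threshold)


if __name__ == "__main__":
    for ip, v in score_clients(SAMPLE_LOG).items():
        print(ip, v["score"], "; ".join(v["reasons"]) or "-")
    print("flagged:", flagged(SAMPLE_LOG))
```

On the constructed data the probing client scores on rate, error ratio and payloads without ever sending a scanner User-Agent, which is the point: a scan against a small web app is visible from request shape alone, so "verifying the fix" with a scanner is not a quiet act. Requiring two independent signals keeps a single legitimate user who mistypes a URL or triggers one server error from being flagged.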
This is a perfect example of 'No good deed goes unpunished'.<p>The best action to take when you find a security flaw is to do nothing. Let someone evil abuse the flaw and make the guys miserable enough to realize the importance of responsible disclosure.<p>Without this the guy's ego is going to take this as 'How dare he point out a problem in my/our work' and not 'Thanks for saving my life before somebody could screw me'.
"This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash."<p>Remind me to never, ever use Omnivox, or any Skytech software, ever.
Reminds me of when I was a kiddo, I almost got expelled because I found a security issue in the school's network. I could access everyone's files. They also didn't like it when I pointed out they were running cracked versions of Macromedia Flash on all their PCs. Let's just say, I'm glad I didn't get expelled. But I'm pretty sure they just saw me as an annoying fuck & that's all. I don't think they really cared, but were 'forced' to put time and effort into making their network more secure.
Happened to me in 2000 in France. Same sort of stuff. Didn't kill my career. Just went elsewhere. I guess the French education system at least had this that it couldn't ban me nationwide :)
Clearly the negative reputation Dawson CEGEP has should be applied to the administration, and not the students.<p>What a clusterfuck. Since when do CEGEPs expel students for running security checks?
Maybe consider punishing the negligence of the person who wrote the insecure code instead? But I don't think most people, especially lawmakers, even understand that security vulnerabilities are caused by flawed code, which is caused by human error. So they tend to shoot the messenger instead.
I was in a similar situation in college. Was asked to sign a Non-Disclosure Agreement or get arrested. Told them to go to hell and file a lawsuit if they wanted to. Nothing happened eventually. Thank God for the excruciatingly painful justice system of India :P
It seems like there's more to this story, and the more to this story is around his actions two days after the report.<p>I've seen things like this happen before. You find a bug, you report it, they tell you "oh we're getting on it immediately". Some time goes by and you think, hey, did they fix it? You look, discover "nope", think "man I bet those guys would fix it if I lit a fire under their ass" and try and use the bug to deface the site, or something.<p>This is logic that makes sense to a 20 year old (speaking as a former 20 year old..). I've seen that happen before. The article doesn't say this, but perhaps reading between the lines the second attempt did not have a pure motivation behind it...
A fellow student and I discovered a similar flaw in my college's system a few years back, but not as serious as this (no social insurance numbers, but emails, full names, phone numbers and addresses).<p>We brought it to the attention of the head of the IT Department by email. Later that week, the head visited our morning class to discuss this with us.<p>He discussed the issue to the class and actually acknowledged his appreciation for students like us for reacting promptly and responsibly over the issue.
It doesn't come much as a surprise to me that Omnivox has at least a few security flaws. I had to use it during my CEGEP years in Montreal and it's a huge piece of garbage.
I would like to point out that open source projects love, absolutely LOVE when you report security bugs to them. Many projects have procedures and special mailing lists to get a hold of the correct people in a prompt manner.<p>To me this stinks of the "closed mind" problem.
I'm wondering if that NDA included the clause that urges you to get advice from a lawyer. The conditions under which he signed it sound very suspicious (i.e. coercive language) and I wonder if it would be grounds to nullify the NDA entirely.
There should really be a Department of Computer Security run by most national governments where people can anonymously report exploits, and that Department takes care of contacting the company or organization. If that group also deals with certain types of personal information that is threatened, they should have 30-60 days to demonstrate that they addressed the vulnerability appropriately, or face penalties.<p>It's really dumb that we're this far into the internet age already and companies and organizations can still play it so fast and loose with security and personal information. It's irresponsible and negligent.
The administration of Dawson College clearly saw things differently, proceeding to expel Mr. Al-Khabaz for a “serious professional conduct issue.”<p>He is a <i>student</i>, how can he have a "professional conduct issue"?
I've only reported a security issue once and wouldn't do it again. In this case a vendor and IT had agreed to allow several security settings to be disabled temporarily, making all user passwords easily available in the process, but then had apparently forgotten and left things vulnerable for 6 months. IT had to brief some senior people who then started freaking out about hackers. I was lucky to just get off with a few people annoyed with me.
Kids make mistakes sometimes, and it's unfortunate during this period of transition to adulthood that they fall victim to the swift guillotine of collegiate justice - which, unlike a court of law, you don't get representation, you don't get a fair trial, you don't get allowed an intermediary who can communicate 'language' between both sides. You don't even get protections like freedom of speech these days.<p>It's all a flow chart if you make a mistake in school, no matter if it's tech stuff like this, or anything really. We live in a world of corporations, lawsuits and lawyers, insurance & liability - no room for grey area anywhere in there. Where's the incentive for the school to care? They already got your money.<p>The worst part for the students is - they can have all sorts of good feelings built up towards their professors & classes. Then the administration comes in and manages to sour all those feelings. Those same professors, who may think the world of you, can't do a thing because at the end of the day it's C.Y.A. - and you're all alone.<p>College kids need to get educated about how college justice works if you screw up - it's always too late when they do learn..... Let's spend money on athletic complexes instead, right?
Apparently he refused to "cease and desist" his actions. So...he brought on the expulsion!?<p>Dawson statement on the article: The reasons cited in the National Post article for which the student was expelled are inaccurate. The process which leads to expulsion includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned, particularly in the area of professional code of conduct.
I think hackers need to realize that this type of reaction is the norm. If you find an exploit then use your discretion in deciding to report it, but don't be naive. There is no reason to risk martyring yourself for someone else's interests. The risk to those (including yourself) whose information is vulnerable should be taken into account, but countered by the risk that you will be persecuted for bringing the problem to light.
I don't agree that expulsion is the correct reaction, but when he ran the pen-test software, what he was doing was wrong. It's one thing to stumble upon a bug while you're developing an app, and report it. That's totally respectable. Running pen-testing software without permission is akin to walking up to a stranger's home and testing that all the windows are locked, with a crowbar.
People are always afraid of what they don't understand, but to think that prosecuting or punishing people for helping prevent malicious people from finding these types of bugs is just ignorant. No one's code is perfect, and it often takes dozens of eyes before issues like this are found.<p>The longer people are punished for helping, the worse our "cyber security" will digress moving forward.
Two completely different issues:<p>1. Exploit discovery.<p>2. Automated service attack.<p>From the information given, it seems Al-Khabaz did exactly or better than what was expected of him for the first.<p>But why, if he was simply checking for the existing vulnerability after informing them of the first, did he launch an automated attack?<p>I suspect Dawson College has sound reasons to treat him the way they did for both instances.
Looks like this news is starting to go global. Even the local IT newspaper here in Norway has an article about it: <a href="http://www.digi.no/909958/utvist-etter-aa-ha-varslet-om-saarbarhet" rel="nofollow">http://www.digi.no/909958/utvist-etter-aa-ha-varslet-om-saar...</a> (in Norwegian).<p>The Streisand effect has struck again :)
Company offers scholarship to Dawson student who exposed security flaws<p><a href="http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html" rel="nofollow">http://www.cbc.ca/news/canada/montreal/story/2013/01/21/mont...</a>
Ahmed if you're reading this and looking to get into software engineering, drop me a line (email in profile). I run a venture-funded startup and would be happy to take care of relocating you if your technical abilities are up to scratch.
Just to let you know, Dawson wrote a response to the media which can be seen at <a href="http://www.dawsoncollege.qc.ca/" rel="nofollow">http://www.dawsoncollege.qc.ca/</a>
He trod on thin ice and he fell in. He should have asked for explicit permission to start pentesting instead of putting his academic career in a volatile state.
There needs to be (if it does not already exist) some method of doing completely anonymous and confidential disclosures that somehow get to the right person.
There's a difference between finding an exploit accidentally and reporting it, and running a penetration testing tool on a production server.<p>What did this kid expect?
Warning to hackers<p>Hackers are the new Sicilians and blacks.<p>Don't snitch.<p>Snitches get punished both by:<p><pre><code> The person being snitched upon
 The person who is being snitched to.
</code></pre>
This article and many other comments herein support this view.
Tweet this link to Anonymous. I just did.<p><a href="https://twitter.com/naman_k/status/293252007878328320" rel="nofollow">https://twitter.com/naman_k/status/293252007878328320</a>
This story is somewhat complex, and lacks information on many aspects. I've made a kind of TLDR of what happened and added my thoughts. I've also cross-compared the information given in the article with that available on Dawson College's web page and Skytech's Omnivox.<p>[he was] working on a mobile app to allow students easier access to their college account [.]
-> Did he have authorisation?
-> From whom did he have authorisation?
-> Omnivox does not seem to have a public API.<p>“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,”
"I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”
-> Did he try to fix it, or only bring it to the attention of the college?
-> Did he inform the college he tried/would try to fix the flaw?
-> Did he try to fix the flaw after or before meeting with the college?<p>"Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately"
-> Mr. Paradis is Dawson's Director of Information Services and Technology
-> I specify this only because it is not clear from the article if he works at the college or at Skytech<p>"Mr. Al-Khabaz decided to run a software program called Acunetix"
"to ensure that the issues he and Mija had identified had been corrected"
-> Did they use Acunetix the first time?
-> If yes, did the college know? Did Skytech notice?
-> Otherwise, why? They found the flaw without Acunetix<p>"Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line."<p>The administration of Dawson College clearly saw things differently, proceeding to expel Mr. Al-Khabaz for a “serious professional conduct issue.”<p>Following this meeting, the fifteen professors in the computer science department were asked
to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour.
Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty
-> Were there other incidents that could have influenced the judgment?
-> Colleges rarely want to expel students who ace all their courses. Especially in CS with the high rate of failure.<p>-> According to the college :
The process which leads to expulsion includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned<p>-> This, along with the "He said that this was the second time they had seen me in their logs", tends to indicate that he probably ran the test multiple times. Or, the first time he found the flaw, Skytech took him for an attacker and the college warned him to stop development on his application. This would indicate that he had no authorisation in doing so.
Am I the only one that sees that the title/headline is pretty close to a lie and that he ran a 'Web Vulnerability Scanner' on someone else's web site?<p>This is illegal! Most people seem to be missing this.<p>If you're going to break the law at your own University at least cover your tracks.<p>Don't annoy the crap out of them (rightly or wrongly) then go on to black hat them.
When it comes to software and security flaws, finding them is like an exercise in witchcraft.<p>Throw the person who found the software bug into the lake; if they float, then they were a witch, and deserve to die.<p>And people wonder why security is so poor and Chinese hackers find it so easy to hack into all our stuff. Because America punishes people who focus on bulletproof secure code.<p>I guess we'll need to hire some special interests to pay off the news networks cnn/fox/msnbc/etc to add the "Hackers are not witches" to their narratives. We would probably need bribes on the order of billions.
Shame on the faculty! Fire the faculty! I am sure this sort of thing wouldn't fly in France. Looks like Quebec is letting down the Francophone team. Liberté, Égalité, Fraternité!