科技回声: a tech news platform built on Next.js, offering global tech news and discussion.
© 2025 科技回声. All rights reserved.

Hamed Helped. Help Hamed.

153 points by thenicepostr, over 12 years ago

9 comments

nowarninglabel, over 12 years ago
I have to wonder how much this will help. A colleague and I made a responsible disclosure to a vendor that provides the application software for the California State University system. The vulnerability I chanced upon, and that my colleague was able to verify to be fully open, made it possible to obtain the private details of hundreds of thousands of applicants from their system. How were we rewarded for quietly and responsibly disclosing this to the vendor? The vendor threatened a lawsuit against the university, and the university kowtowed and nearly fired my colleague, severely reprimanding him and me. Little did I know this would become a theme of my stint working in academia: the universities not caring at all about students and their private data. I worked for multiple universities and it was the same at each one. They seemed to think the problem was with people, not with buggy, overpriced, insecure software.
eranation, over 12 years ago
I've read the claims from both sides, I think that although he might have handled it more carefully, it was an overreach to expel him this way, I feel we should stand behind him. I signed the petition. Anyone with counter evidence, please step forward.
benatkin, over 12 years ago
Wow. This is much worse than I thought. I'm glad there's no conceivable scenario in which this could lead him to be extradited to the USA, like Marc Emery was. http://en.wikipedia.org/wiki/Marc_Emery
unreal37, over 12 years ago
What's the truth here? What did Hamed "do"?

Exposing a security flaw doesn't get you expelled. He had to have taken it one or more steps too far. I'd like to see the facts.
jasim, over 12 years ago
This goes on to show how out of touch with reality our educational systems currently are. They are incentivized by the wrong things, which reflects in the kind of people and policies that are put in place.

Before the web and the free dissemination of information it brought about, the average academician was 'smarter' than the average student just by the fact that the students hadn't yet had access to the sources of information their teachers had.

However, we now live in times when you can expect anybody in society to grow to their full potential, thanks to the free web.

This changes the fundamental role educational institutions have to play. They can't continue to be passive devices of information transmission. Yes, there is an elite bunch of institutions that provide more value than that. But as these events show, the educational sector around the world in general is mediocre and pretty inefficient.

You now have smarter students and they don't need you to tell them what the world is about. That is the changed reality of the market and it is going to affect this sector for the better in the long run.
JohnHaugeland, over 12 years ago
This wasn't the first time Ahmed (not Hamed, Ahmed) reported the problem. When they ignored it, left the software running, and notified none of the students, he used some free white-hat web security scanner to generate a report to make it clearer for the business people what was wrong.

The business people have decided that the security scanner is "a hacking tool" and that Ahmed needed permission from the school to see if the software that was imposed on him, which was leaving his private data exposed *after* the staff knew, was still broken.

The way Richard Filion, who runs the school, tries to make excuses around this is appalling.

http://www.cbc.ca/homerun/2013/01/21/dawson/

The software vendor gave the poor kid a scholarship and asked the school to change its mind.

http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html

The RCMP declined to be involved.

The running excuse they're giving is "it was against our code of conduct." And, I mean, most schools don't even kick out binge drinkers who got in an accident and nearly killed people for code of conduct.

So clearly this isn't an excuse.

The people responsible for the decision are the head of the Computer Science department, Ken Fogel, and Dianne Gauvin, one of the deans. Predictably, they do not respond when contacted.

This is a computer science department where a panel of 14 out of 15 "professors" actually chose to stand behind this, though nobody will release their reasoning or names. So don't expect Ken Fogel to get it on grounds that you imagine he's one of us.

The school ombudsman, whose job it is to stand up for Ahmed, has been whitewashing its Facebook page of all criticism. The main school Facebook page is just ignoring the criticism instead; they post in between literally hundreds of people (including students and alums) to chat with people on posts from before this started getting public.

And, a reminder? They did this in *November*. They've been sitting on this for months. They aren't going to change their minds without a very good reason.

Not shockingly, other students have been posting reams of existing security holes on their various servers, and evidence of compromises that are claimed to be years old.

Staff is doing just as nothing about those as they did about this the first time Ahmed reported it.
mappum, over 12 years ago
While Hamed was honorable and didn't try to abuse his exploits, I think it is a stretch to say "Hamed helped". I doubt he tried to get into the data for the purpose of helping make it more secure, it is more likely that he just had the "hacker drive", where he just wanted the challenge of beating a system.
ck2, over 12 years ago
If anywhere should be more tolerant of intellectual curiosity, it should be in a college environment.

Unless they can prove he had intent to cause damage, which it sounds like they could not do, they should just forgive and forget and stop trying to cover the overpaid butts of the sysadmins who didn't fix the hole in the first place.

Hell, society forgave all the banks and Wall Street for their actual crimes.
jiggy2011, over 12 years ago
Moral of the story: Sanitise your query params.