Montreal comp sci student reports massive bug, is expelled and threatened with arrest for checking to see if it had been fixed


91 Responses to “Montreal comp sci student reports massive bug, is expelled and threatened with arrest for checking to see if it had been fixed”

  1. slippy0 says:

    He was expelled for running vulnerability probing software well after he reported the vulnerability. Sure, it is probably extreme, but it was a very dumb thing to do. 

    • tofagerl says:

      People who can’t tell the difference between hat colors should not decide which hats to destroy!

      • yadayada says:

         My first thought was “How to create a Black Hat in one easy step.”
        I hope he at least has legal remedies available. As in, I hope he can afford a lawyer.

    • Paul says:

       Why is that dumb? They were exposing him and his classmates to identify theft. Knowing a bureaucracy, it would be a little naive to think “I reported the flaw, of course they fixed it.”

      • slippy0 says:

        Because if you’re going to be doing something like that, you could easily be confused with someone doing something malicious. If you’re going to run a diagnostic that can be used to identify vulnerabilities, and not do anything to prevent it from being traced back to you, you should probably at the very least notify the company/department. 

        I think it was an overreaction for him to be expelled, I’m just saying the headline is misleading. 

        • wysinwyg says:

           I’ve seen complaints about misleading headlines where I thought “OK, I guess it’s pretty ambiguous.”  This is not one of those situations.

      • C W says:

        It’s not naive to think “they don’t want me in their systems and expelled me for it. better get right up back in them now that I have even less permissions to access them after being denied, and even less permissions on top of that now that I’m expelled” ?

      • Kyon says:

        Sure, but I’m pretty sure it’s illegal to run vulnerability scanners on someone’s network without their permission. While it might be naive to assume that they fixed it, it’s probably more naive to assume that they won’t throw the book at you for trying to break their security. Bureaucracy may not be efficient, but that doesn’t mean its not litigative.

        • Avram Grumer says:

          And it’s naïve of the school to think this kind of behavior won’t get them some bad publicity from sites like BoingBoing. 

          What is it that makes people just shrug and go Yeah, school bureaucracies are stupid that way instead of getting pissed off and demanding that school bureaucracies stop being stupid? 

          • Diogenes says:

             It’s the result of a lifetime’s training to trust authority.  Keep your head down and they won’t bother you.  Every bureaucratic bully in the world counts on that behavior.

    • You, sir, either have no idea what you’re talking about, or ar an idiot. Omnivox is web-based, and I’ll bet lots of money that his “probing software” was something along the lines of typing in http://site/profile/studentid=123. If you can conceive of a rational world in which visiting that URL once is worthy of accolades  then going back a few days later is worthy of jail time, then you have a loose grip on reality. If there is even a shred of truth to this article, then you are entirely blaming the victim for the outrageous actions of a cabal of spineless bullies.

    • C W says:

      Hrm, these people are unreasonable and stated in no uncertain terms that they did not want me in their systems… better go log back into those systems and meddle further!

    • That is completely false. He used the vulnerability testing software on a test server set up by the company specifically for him. Listen to the full interview here:

      • C W says:

        No sarcasm intended, but was this after the University had already advised him to stop using their resources for this project?

    • Sigmund_Jung says:

      That’s not a good reason to me. Yes, it can dumb…if you are a full grown up man. Are we forgeting that, first of all, young people do stupid things and that is exactly why we have different treatments for diffferent ages. He might be 20, but in some states in the US he can’t even drink.

      We can’t throw away the process of becoming an adult and start arresting and ruining peoples lives that way. Otherwise, you’ll start building a society of risk-averse people, and THAT is dumb.

    • andygates says:

      “Hey, is that unlocked door I reported still unlocked?”
      That’s dumb? 

    • Diogenes says:

      They should have hired him on the spot to replace their current IT head.  He’s obviously better qualified to handle their confidential data.

  2. jennybean42 says:

    Is it bad my first thought was, “well, they were extra hard on him because his  name is Ahmed Al-Khabaz?”

  3. eldritch says:

    A quick search of the Dawson College website provides information regarding their Computer Science Technology progam’s faculty and staff.

    There are 16 teaching professors, and 2 staff who seem less likely to have been involved. Can we narrow down which 14 voted in favor of expulsion?

    • Andrew Gee says:

      Yay! Witch hunt! That’s the grown up way to respond.

      • That_Anonymous_Coward says:

        When a child is about to touch the stove do you take the time to rationally explain that stoves are hot and they should not pursue trying to touch it or do you act quickly to stop them even if it might make them cry?

        Not to mention the school opting to protect an outside vendor who placed their entire student body at risk doesn’t seem like a grown up response.

      • Antinous / Moderator says:

        Yay! Witch hunt! That’s the grown up way to respond.

        No need to hunt when you wave your pointy hat and broomstick at us.

      • James Kimbell says:

        There never have been any witches, but there are definitely 14 people who voted to expel this guy.

  4. Ken.C says:

    I sense a petition in the making. 

  5. elix says:

    This is absolutely fucking retarded. However… the moment he was threatened with jailtime and forced to sign a secret gag order, he should’ve told them to park their goddamn asses while he went and consulted a lawyer. (Affording a lawyer when you’re a 20-year-old student is an entirely separate challenge, granted.)

    Now, I suppose that technically his access a second time could be considered evidence of malicious behaviour and he doesn’t have the law on his side to be confident that a judge would throw the assholes out of court, but never sign a gag order without talking to a lawyer. (I am not a lawyer and I am not qualified to give legal advice; this is my idea of ‘common sense’ and a safe bet. Your laws may allow you to be gagged without legal counsel.)

    • Grahamers2002 says:

      If this jurisdiction is like most, absence of “malicious intent” to do bad stuff after you gain access to protected computer information does not preclude you from guilt.  

      The typical statute criminalizes intentionally gaining access to or exceeding authorized access to a computer system, and thereby obtaining information from any protected computer.  It’s the “breaking and entering” law of the internet age.  Simply getting in the door and looking at stuff is illegal.We can debate if this is overly-broad but this is the law of most lands.  As such, he broke it the 2nd if not the first time.  Should he be prosecuted?  Hell no.  That is where prosecutorial discretion should kick in.  Should this school have booted him?  While I don’t think so on the facts we have, we don’t know all of the conversations that were had after he first notified.  It’s hard to imagine facts that could come to light supporting his expulsion, but they may exist.  He should be lauded and I hope some other school gives him a full ride scholarship.

      • Zach Z says:

        FWIW, this jurisdiction operates under the Quebec version of the Napoleanic Code rather than the more regular Common Law basis.  If McGill is on it, they should be able to pick him up without trouble.  That said, completion of his year in CEGEP (~junior college in Quebec for residents first year at university) at Dawson would probably have to be waived.

      • elix says:

        Like I said, his actions are going to be, by default, considered evidence of malicious behaviour, because he’s performing (as a whitehat) an exploit against their systems. He does not have the law on his side, because of this.

        But my non-expert, non-lawyerly advice is, if someone other than a member of law enforcement is threatening you with jailtime and forcing you to sign a gag order, you get a lawyer on the phone before you take one step forward. Unless you, yourself, are a lawyer licensed to practice in the area and so are likely to be more aware of your rights than the average layman, you should be going to one. If law enforcement is involved, that brings police procedure into the picture and it quickly gets a lot more complex and complicated, but he didn’t get that far.

  6. Dlo Burns says:

    This looks like a job for Anonymous!

  7. mccrum says:

    Maybe MIT has a space for him, they’d never treat anyone like that!  (Too soon?)

  8. Ryan Lenethen says:

    Perhaps they were trying to teach him about the real world. I recall a story about an engineer at Cisco I believe that discovered a huge security flaw in their routers. When he first approched managment with it they gagged him, and then when he approched them years later as it still hadn’t been fixed they fired him. Thats the story I remember anyway, doesn’t sound so different…

  9. prombough says:

     For those who want to lend him a hand

  10. Maybe it wasn’t a bug he found but a (surveillance) feature?

  11. Kimmo says:

    WTF. That is all.

  12. Boundegar says:

    Now that this story has legs, I’m betting his troubles are over.  Assuming he’s really a white hat, there are plenty of universities that would be convinced by the journalism to let this guy have a second crack at his degree, and plenty of companies that would love to hire him.  All he needs to do is staple the most favorable version of the story to his resume.

    • anansi133 says:

      Yeah, I’d love to think that… time will tell. Given all the other horror stories I’m hearing from Big Education, it’s at least equally plausible that college is broken and not in a position to repair itself. No real black hats here, just a bunch of insecure profs with imposter syndrome.

  13. That_Anonymous_Coward says:

    So the moral of the story is if you want competent computer people don’t hire anyone who went to Dawson?

  14. DmpstrBaby says:

    To me there is no debate when it comes to outing a flaw, do it publicly and anonymously. Contacting someone “in charge” seems to be to much of a burden in most cases. Then again no one forced you to be a white knight so deal with it and learn to flip burgers.

  15. Leigh says:

     Yet again we have ugly proof of the old saying about shooting the messenger. I wonder if authority figures have ever considered the possibility that people would be a little less cynical about authority if they would actually respond to the problem instead of punishing the person who alerted them to its existence because they feel embarrassed by the lapse.

  16. tumbleweed says:

    Sadly, this sounds vaguely familiar. When I was in undergrad, I noticed that there were many personal details publicly visible in my University’s LDAP directory. The University had a front end for staff in LDAP, but not students.

    So, I made a nice front-end for browsing the student directory. It was very useful for managing student society membership (and probably stalking, if you were into that kind of thing). It had a disclaimer, saying where the data was coming from, and I spread the word about it, assuming the IT department would eventually notice, and lock down the LDAP ACLs.

    Eventually word reached the high echelons of the IT department, and they were very upset. Thankfully, I was lucky. All I had to do was take the front-end down, and write them a letter of apology to avoid them taking me to the University court. Of course, I sucked up, and thankfully that was the end of that. Naturally, they didn’t actually do anything about the leak and the private student details were still visible to anyone who knew where to look…

  17. JProffitt71 says:

    Christ what a bunch of assholes (Regarding Dawson).

  18. James Penrose says:

    ” you could easily be confused with someone doing something malicious.”

    If he wanted to be naughty, he probably would not have reported said bug but simply exploited it quietly.

    This is bureaucratic stupidity in its finest form.  I will  wager they had not even begun to look at fixing the actual problem but simply hoped that if they were nice to it, it would go away and not bother them.

  19. Improbus Liber says:

    Another group of fools gets to learn about the Streisand Effect.  You would think that Academics would be more in touch with reality but I guess one bureaucracy is much like another … clueless.

  20. Computer science graduate (and working software engineer) here.

    Either there is a totally different side to this story which we haven’t seen, or the professional staff at this institution are behaving in a very unprofessional manner.

    • That_Anonymous_Coward says:

      The company he “hacked” has a contract for all of the schools, there is lots of money… one can see pressure from above as some players, not introduced in the story yet, protect their revenue streams that are kicked back to them.

      That and its trendy to slap the label ‘cyber attack’ on things.

  21. Alexis Rivera says:

    It is ironic that those holding power positions on universities are becoming less and less qualified to understand the way technology works especially those who are supposed to teach the newer generations. I’d say screw you if I find a bug exposing my personal info and you try to cover it up and ignore it I would sue the hell out of you I’d even publish the fact to the students but not the method so they can sue the university too.

    • Rusty says:

      If you pay attention to the maxim, “Those who can, do. Those who can’t, teach” it’s not all that surprising.

      University professors really don’t make all that great of a salary. If your school happens to have a contract with someone like IBM or Microsoft to help with product evaluation and feedback, you might get a bit of a stipend from the vendor, but it’s not exactly “common”.

  22. toobigtofail says:

    Dawson college’s website gives a 403…

  23. noah django says:

    No good deed shall go unpunished.  fuck this hetero earth.

    edit: I found this posted on another website:
    “the moral of the story is to keep bugs you find in proprietary software secret or, since trying to alert the creator to the issue can get you in trouble, sell the secret to someone who will use it

    you have no obligation to help proprietary software work and if you do discover a flaw, exploiting it for personal profit is not any different, morally, than using the software to begin with

    the reason he was threatened is because fear of lawsuits on the part of the proprietary software vendor. This is the nature of proprietary software, making perverse incentives for your behavior

    he was incentivized to sell the information, acting morally with regards to an immoral system was his error. It was his duty to exploit it, not report it”

    which was called “post of the week” by another poster. food for thought, but i’m tech retarded, myself.

  24. He was running a vulnerability scanner after the fact, and it actively runs exploits. Just because you can do something, doesn’t mean you should do something.

    He made a very serious mistake in testing it later. It is not your computer and not your software to be messing with. Furthermore it isn’t even the issue of him finding the bug, it is the issue of running the Acunetix software which is used to probe security holes automatically. This is like going up to a neighbor’s door with a set of master keys you found and trying each key in the door til it opens, and then yelling to your neighbor, HEY YOUR DOOR IS OPEN.

    What I am saying is there 2 issues here, issue 1 a bug is found that is serious. Issue 2 the student ran a vulnerability scanner INSTEAD of just solely testing for his own bug, so it was huge and noticable. He shouldn’t have tested his bug on computers that weren’t his.

    Furthermore, he should be forgiven, he is just young and naive and did not have the scruples to go about how one should safely disclose this kind of issue.

    This is an incredible overreaction on the part of the college and the company. They have turned a relatively boring software bug in nation-wide news due to their overly zealous behaviour. They should have known better.

  25. Heevee Lister says:

    “They have turned a relatively boring software bug in nation-wide news due to their overly zealous behaviour.”

    They certainly have, which might mean that now that the entire world knows about their bug, they might actually have to fix it.  They might even have to say something conciliatory to Al-Khabaz. 

    And they probably thought they were being smart with their strategy.  Heh.

  26. Rusty says:

    As an update, the company who wrote the software apparently is offering him a scholarship and a part time job in software security. The school faculty and administration may be idiots, but it sounds like the software company understands a bit more about how the setup is supposed to work than the school does.

    • Luther Blissett says:

      Yay. We should set a reminder for next year to see if they realized the offer. If we can find out.

      Oh, BTW, this could be a nice series for BB. “Yesterdays (good) news, fact checking.” (Any of the staff reading this?)

  27. Barry Kort says:

    Moulton’s First Law of Bureaucracy:  Once a bureaucracy makes a mistake, it can’t be fixed.

    Moulton’s Second Law of Bureaucracy:  Once a corrupt bureaucracy makes a mistake, not only can it not be fixed, it can’t even be mentioned.  Evar.

  28. Luther Blissett says:

    Can I haz resaerch, plz?

    Sigh. I should run a one-man Campaing For Less Assumptions, More Facts.

  29. That_Anonymous_Coward says:

    Yes a corporation who cut corners decided what he did was a “cyber attack”.
    This is spin to make the easily lead think he was an evil hacker stealing cookies.

    Its not like the student used a homebrewed tool to attack their system.
    I am much more curious how they saw him in the log and were able to call him seconds later.  I’d like someone to review the rest of those logs and see how many times the system had been access via the flaw previously.  Just because this student found this doesn’t mean he was the first… just the first to report it… maybe… NDA’s and such…

  30. C W says:

    “This is spin to make the easily lead”

    What, no “sheeple”?

  31. That_Anonymous_Coward says:

    I don’t use that out of fear….

  32. mccrum says:

    Interestingly, you’re assuming such a thing doesn’t exist…

  33. Luther Blissett says:

    Oh, I didn’t assume there isn’t a one-man CFLAMF, but I’m positive I didn’t run one before yesterday. (At least not on the web.)

Leave a Reply