Montreal comp sci student reports massive bug, is expelled and threatened with arrest for checking to see if it had been fixed

Ahmed Al-Khabaz was a 20-year-old computer science student at Dawson College in Montreal, until he discovered a big, glaring bug in Omnivox, software widely used by Quebec's junior college system. The bug exposed the personal information (social insurance number, home address, class schedule) of its users. When Al-Khabaz reported the bug to François Paradis, his college's Director of Information Services and Technology, he was congratulated. But when he checked a few days later to see if the bug had been fixed, he was threatened with arrest and made to sign a secret gag-order whose existence he wasn't allowed to disclose. Then, he was expelled:

“I was called into a meeting with the co–ordinator of my program, Ken Fogel, and the dean, Dianne Gauvin,” says Mr. Al-Khabaz. “They asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem.”

Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour. Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty. He appealed his expulsion to the academic dean and even director-general Richard Filion. Both denied the appeal, leaving him in academic limbo.

“I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I won’t be able to get it. My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled.”

The thing that gets me, as a member of a computer science faculty, is how gutless his instructors were in their treatment of this promising student. They're sending a clear signal that you're better off publicly disclosing bugs without talking to faculty or IT than going through channels, because "responsible disclosure" means that bugs go unpatched, students go unprotected, and your own teachers will never, ever have your back.

Shame on them.

Youth expelled from Montreal college after finding ‘sloppy coding’ that compromised security of 250,000 students’ personal data [Ethan Cox/National Post]

  1. He was expelled for running vulnerability probing software well after he reported the vulnerability. Sure, it is probably extreme, but it was a very dumb thing to do. 

      1.  My first thought was “How to create a Black Hat in one easy step.”
        I hope he at least has legal remedies available. As in, I hope he can afford a lawyer.

    1.  Why is that dumb? They were exposing him and his classmates to identity theft. Knowing a bureaucracy, it would be a little naive to think “I reported the flaw, of course they fixed it.”

      1. Because if you’re going to be doing something like that, you could easily be confused with someone doing something malicious. If you’re going to run a diagnostic that can be used to identify vulnerabilities, and not do anything to prevent it from being traced back to you, you should probably at the very least notify the company/department. 

        I think it was an overreaction for him to be expelled, I’m just saying the headline is misleading. 

        1.  I’ve seen complaints about misleading headlines where I thought “OK, I guess it’s pretty ambiguous.”  This is not one of those situations.

      2. It’s not naive to think “they don’t want me in their systems and expelled me for it. better get right up back in them now that I have even less permissions to access them after being denied, and even less permissions on top of that now that I’m expelled” ?

        1. Please read the article, paying special attention to the chronology, which you’ve got all wrong.

      3. Sure, but I’m pretty sure it’s illegal to run vulnerability scanners on someone’s network without their permission. While it might be naive to assume that they fixed it, it’s probably more naive to assume that they won’t throw the book at you for trying to break their security. Bureaucracy may not be efficient, but that doesn’t mean it’s not litigative.

        1. And it’s naïve of the school to think this kind of behavior won’t get them some bad publicity from sites like BoingBoing. 

          What is it that makes people just shrug and go “Yeah, school bureaucracies are stupid that way” instead of getting pissed off and demanding that school bureaucracies stop being stupid?

          1.  It’s the result of a lifetime’s training to trust authority.  Keep your head down and they won’t bother you.  Every bureaucratic bully in the world counts on that behavior.

    2. You, sir, either have no idea what you’re talking about, or are an idiot. Omnivox is web-based, and I’ll bet lots of money that his “probing software” was something along the lines of typing in http://site/profile/studentid=123. If you can conceive of a rational world in which visiting that URL once is worthy of accolades then going back a few days later is worthy of jail time, then you have a loose grip on reality. If there is even a shred of truth to this article, then you are entirely blaming the victim for the outrageous actions of a cabal of spineless bullies.

      1. Or maybe I actually read the article…

        “Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites…”

        “actively searches for vulnerabilities by attempting to exploit them. ”

        What he’s doing isn’t inherently evil, I’m just saying the headline is misleading.

        EDIT: See Mansour Moufid’s response below. It shares some evidence contradicting my statements.

        1. Well, in any case, my assertion was incorrect. I humbly apologize and thank you for your informative correction. I must’ve skipped over that paragraph in the original article.

          Web application scanners can mess up a (bad) web site pretty hard; if he was repeatedly running it against a production server, then he certainly deserves a stern talking to.

      2. “I’ll bet lots of money that his “probing software” was something along the lines of typing in http://site/profile/studentid=123. If you can conceive of a rational world in which visiting that URL once is worthy of accolades then going back a few days later is worthy of jail time, then you have a loose grip on reality”

        I’ll take that bet!

        (Shhhhh, slippy0, I’ll split the winnings with you.)

    3. Hrm, these people are unreasonable and stated in no uncertain terms that they did not want me in their systems… better go log back into those systems and meddle further!

      1. No sarcasm intended, but was this after the University had already advised him to stop using their resources for this project?

    4. That’s not a good reason to me. Yes, it can be dumb…if you are a full-grown man. Are we forgetting that, first of all, young people do stupid things and that is exactly why we have different treatments for different ages? He might be 20, but in some states in the US he can’t even drink.

      We can’t throw away the process of becoming an adult and start arresting and ruining people’s lives that way. Otherwise, you’ll start building a society of risk-averse people, and THAT is dumb.

    5. They should have hired him on the spot to replace their current IT head.  He’s obviously better qualified to handle their confidential data.

  2. Is it bad my first thought was, “well, they were extra hard on him because his name is Ahmed Al-Khabaz?”

    1. I don’t believe it’s bad at all. That’s just part of the way our brain works. If, however, after rational consideration, you concluded that was a good reason to be hard on him, then you would be bad.

      1. When a child is about to touch the stove do you take the time to rationally explain that stoves are hot and they should not pursue trying to touch it or do you act quickly to stop them even if it might make them cry?

        Not to mention the school opting to protect an outside vendor who placed their entire student body at risk doesn’t seem like a grown up response.

      2. Yay! Witch hunt! That’s the grown up way to respond.

        No need to hunt when you wave your pointy hat and broomstick at us.

      3. There never have been any witches, but there are definitely 14 people who voted to expel this guy.

  3. This is absolutely fucking retarded. However… the moment he was threatened with jailtime and forced to sign a secret gag order, he should’ve told them to park their goddamn asses while he went and consulted a lawyer. (Affording a lawyer when you’re a 20-year-old student is an entirely separate challenge, granted.)

    Now, I suppose that technically his access a second time could be considered evidence of malicious behaviour and he doesn’t have the law on his side to be confident that a judge would throw the assholes out of court, but never sign a gag order without talking to a lawyer. (I am not a lawyer and I am not qualified to give legal advice; this is my idea of ‘common sense’ and a safe bet. Your laws may allow you to be gagged without legal counsel.)

    1. If this jurisdiction is like most, absence of “malicious intent” to do bad stuff after you gain access to protected computer information does not preclude you from guilt.

      The typical statute criminalizes intentionally gaining access to or exceeding authorized access to a computer system, and thereby obtaining information from any protected computer. It’s the “breaking and entering” law of the internet age. Simply getting in the door and looking at stuff is illegal. We can debate if this is overly broad, but this is the law of most lands. As such, he broke it the 2nd if not the first time. Should he be prosecuted? Hell no. That is where prosecutorial discretion should kick in. Should this school have booted him? While I don’t think so on the facts we have, we don’t know all of the conversations that were had after he first notified. It’s hard to imagine facts that could come to light supporting his expulsion, but they may exist. He should be lauded and I hope some other school gives him a full ride scholarship.

      1. FWIW, this jurisdiction operates under the Quebec version of the Napoleonic Code rather than the more regular Common Law basis. If McGill is on it, they should be able to pick him up without trouble. That said, completion of his year in CEGEP (~junior college in Quebec for residents’ first year at university) at Dawson would probably have to be waived.

      2. Like I said, his actions are going to be, by default, considered evidence of malicious behaviour, because he’s performing (as a whitehat) an exploit against their systems. He does not have the law on his side, because of this.

        But my non-expert, non-lawyerly advice is, if someone other than a member of law enforcement is threatening you with jailtime and forcing you to sign a gag order, you get a lawyer on the phone before you take one step forward. Unless you, yourself, are a lawyer licensed to practice in the area and so are likely to be more aware of your rights than the average layman, you should be going to one. If law enforcement is involved, that brings police procedure into the picture and it quickly gets a lot more complex and complicated, but he didn’t get that far.

        1. “… if someone other than a member of law enforcement is threatening you with jailtime and forcing you to sign a gag order, you get a lawyer on the phone before you take one step forward.”
          FIFY. Don’t talk to police.

  4. Perhaps they were trying to teach him about the real world. I recall a story about an engineer at Cisco, I believe, that discovered a huge security flaw in their routers. When he first approached management with it they gagged him, and then when he approached them years later, as it still hadn’t been fixed, they fired him. That’s the story I remember anyway; doesn’t sound so different…

    1. You mean like the guy who pointed out a vulnerability and they threatened to make him pay for fixing it?

      Or like the guy who tried to get Amex to fix something, but no one at Amex wanted to help him because he wasn’t a card holder?

        1. Because corporations want everyone to think they have perfectly secure systems. They can threaten people to keep the news from getting out, so they do.

          Paypal told the world the DDOS against them hurt nothing, and yet people were arrested around the globe and pursued wildly… Paypal claiming large losses to help the cases get better sentences.

          Look at Sony. Hacked a multitude of times, pointing to Anonymous as evil super hackers… when the truth is they failed to follow basic security rules. They had known for a long time about the vulnerabilities which led to the hack and didn’t care enough to fix it. The rest of their network fell around the globe because the cost of keeping the systems secure was higher than dealing with the fallout of a hack.

  5. Now that this story has legs, I’m betting his troubles are over.  Assuming he’s really a white hat, there are plenty of universities that would be convinced by the journalism to let this guy have a second crack at his degree, and plenty of companies that would love to hire him.  All he needs to do is staple the most favorable version of the story to his resume.

    1. Yeah, I’d love to think that… time will tell. Given all the other horror stories I’m hearing from Big Education, it’s at least equally plausible that college is broken and not in a position to repair itself. No real black hats here, just a bunch of insecure profs with imposter syndrome.

  6. So the moral of the story is if you want competent computer people don’t hire anyone who went to Dawson?

  7. To me there is no debate when it comes to outing a flaw: do it publicly and anonymously. Contacting someone “in charge” seems to be too much of a burden in most cases. Then again, no one forced you to be a white knight, so deal with it and learn to flip burgers.

    1. This flaw directly affected him, so he had a vested interest.
      If a website was handing out your Social Security Number (or equivalent) to anyone who could diddle a web interface, wouldn’t you want to make sure it was fixed?

      1. Funny you should ask about that because there was a tax web site here in Australia which did that. The guy who found the problem reported the security hole to the relevant authorities and they called the police, charges were laid against him, etc.

      2.  If I was to ever report a bug to a private party I would most likely assume it to be ignored.

        Once upon a time, if you wanted something to be fixed you reported it on bugtraq’s mailing list for the entire world to see; that usually succeeded in motivating people to fix things.

  8.  Yet again we have ugly proof of the old saying about shooting the messenger. I wonder if authority figures have ever considered the possibility that people would be a little less cynical about authority if they would actually respond to the problem instead of punishing the person who alerted them to its existence because they feel embarrassed by the lapse.

  9. Sadly, this sounds vaguely familiar. When I was in undergrad, I noticed that there were many personal details publicly visible in my University’s LDAP directory. The University had a front end for staff in LDAP, but not students.

    So, I made a nice front-end for browsing the student directory. It was very useful for managing student society membership (and probably stalking, if you were into that kind of thing). It had a disclaimer, saying where the data was coming from, and I spread the word about it, assuming the IT department would eventually notice, and lock down the LDAP ACLs.

    Eventually word reached the high echelons of the IT department, and they were very upset. Thankfully, I was lucky. All I had to do was take the front-end down, and write them a letter of apology to avoid them taking me to the University court. Of course, I sucked up, and thankfully that was the end of that. Naturally, they didn’t actually do anything about the leak and the private student details were still visible to anyone who knew where to look…

    1. I can hear that meeting right now:  “Oh.  Well.  As long as the problem was fixed, where’s the harm?”

  10. “you could easily be confused with someone doing something malicious.”

    If he wanted to be naughty, he probably would not have reported said bug but simply exploited it quietly.

    This is bureaucratic stupidity in its finest form. I will wager they had not even begun to look at fixing the actual problem but simply hoped that if they were nice to it, it would go away and not bother them.

  11. Another group of fools gets to learn about the Streisand Effect.  You would think that Academics would be more in touch with reality but I guess one bureaucracy is much like another … clueless.

  12. Computer science graduate (and working software engineer) here.

    Either there is a totally different side to this story which we haven’t seen, or the professional staff at this institution are behaving in a very unprofessional manner.

    1. The company he “hacked” has a contract for all of the schools, there is lots of money… one can see pressure from above as some players, not introduced in the story yet, protect their revenue streams that are kicked back to them.

      That and it’s trendy to slap the label ‘cyber attack’ on things.

  13. It is ironic that those holding power positions at universities are becoming less and less qualified to understand the way technology works, especially those who are supposed to teach the newer generations. I’d say screw you: if I find a bug exposing my personal info and you try to cover it up and ignore it, I would sue the hell out of you. I’d even publish the fact to the students, but not the method, so they can sue the university too.

    1. If you pay attention to the maxim, “Those who can, do. Those who can’t, teach” it’s not all that surprising.

      University professors really don’t make all that great of a salary. If your school happens to have a contract with someone like IBM or Microsoft to help with product evaluation and feedback, you might get a bit of a stipend from the vendor, but it’s not exactly “common”.

  14. No good deed shall go unpunished.  fuck this hetero earth.

    edit: I found this posted on another website:
    “the moral of the story is to keep bugs you find in proprietary software secret or, since trying to alert the creator to the issue can get you in trouble, sell the secret to someone who will use it

    you have no obligation to help proprietary software work and if you do discover a flaw, exploiting it for personal profit is not any different, morally, than using the software to begin with

    the reason he was threatened is because of fear of lawsuits on the part of the proprietary software vendor. This is the nature of proprietary software, making perverse incentives for your behavior

    he was incentivized to sell the information, acting morally with regards to an immoral system was his error. It was his duty to exploit it, not report it”

    which was called “post of the week” by another poster. Food for thought, but I’m tech retarded, myself.

  15. He was running a vulnerability scanner after the fact, and it actively runs exploits. Just because you can do something, doesn’t mean you should do something.

    He made a very serious mistake in testing it later. It is not your computer and not your software to be messing with. Furthermore, it isn’t even the issue of him finding the bug; it is the issue of running the Acunetix software, which is used to probe security holes automatically. This is like going up to a neighbor’s door with a set of master keys you found and trying each key in the door till it opens, and then yelling to your neighbor, “HEY, YOUR DOOR IS OPEN.”

    What I am saying is there are 2 issues here. Issue 1: a bug is found that is serious. Issue 2: the student ran a vulnerability scanner INSTEAD of just solely testing for his own bug, so it was huge and noticeable. He shouldn’t have tested his bug on computers that weren’t his.

    Furthermore, he should be forgiven, he is just young and naive and did not have the scruples to go about how one should safely disclose this kind of issue.

    This is an incredible overreaction on the part of the college and the company. They have turned a relatively boring software bug into nation-wide news due to their overly zealous behaviour. They should have known better.

  16. “They have turned a relatively boring software bug into nation-wide news due to their overly zealous behaviour.”

    They certainly have, which might mean that now that the entire world knows about their bug, they might actually have to fix it.  They might even have to say something conciliatory to Al-Khabaz. 

    And they probably thought they were being smart with their strategy.  Heh.

    1. Yay. We should set a reminder for next year to see if they realized the offer. If we can find out.

      Oh, BTW, this could be a nice series for BB. “Yesterday’s (good) news, fact checking.” (Any of the staff reading this?)

  17. Moulton’s First Law of Bureaucracy:  Once a bureaucracy makes a mistake, it can’t be fixed.

    Moulton’s Second Law of Bureaucracy:  Once a corrupt bureaucracy makes a mistake, not only can it not be fixed, it can’t even be mentioned.  Evar.

  18. Can I haz resaerch, plz?

    Sigh. I should run a one-man Campaign For Less Assumptions, More Facts.

  19. Yes, a corporation who cut corners decided what he did was a “cyber attack”.
    This is spin to make the easily led think he was an evil hacker stealing cookies.

    It’s not like the student used a homebrewed tool to attack their system.
    I am much more curious how they saw him in the log and were able to call him seconds later. I’d like someone to review the rest of those logs and see how many times the system had been accessed via the flaw previously. Just because this student found this doesn’t mean he was the first… just the first to report it… maybe… NDAs and such…

  20. Oh, I didn’t assume there isn’t a one-man CFLAMF, but I’m positive I didn’t run one before yesterday. (At least not on the web.)
