Montreal comp sci student reports massive bug, is expelled and threatened with arrest for checking to see if it had been fixed

Ahmed Al-Khabaz was a 20-year-old computer science student at Dawson College in Montreal, until he discovered a big, glaring bug in Omnivox, software widely used by Quebec's junior college system. The bug exposed the personal information (social insurance number, home address, class schedule) of its users. When Al-Khabaz reported the bug to François Paradis, his college's Director of Information Services and Technology, he was congratulated. But when he checked a few days later to see if the bug had been fixed, he was threatened with arrest and made to sign a secret gag-order whose existence he wasn't allowed to disclose. Then, he was expelled:

“I was called into a meeting with the co–ordinator of my program, Ken Fogel, and the dean, Dianne Gauvin,” says Mr. Al-Khabaz. “They asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem.”
Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour. Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty. He appealed his expulsion to the academic dean and even director-general Richard Filion. Both denied the appeal, leaving him in academic limbo.
“I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I won’t be able to get it. My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled.”

The thing that gets me, as a member of a computer science faculty, is how gutless his instructors were in their treatment of this promising student. They're sending a clear signal that you're better off publicly disclosing bugs without talking to faculty or IT than going through channels, because "responsible disclosure" means that bugs go unpatched, students go unprotected, and your own teachers will never, ever have your back.

Shame on them.

Youth expelled from Montreal college after finding ‘sloppy coding’ that compromised security of 250,000 students personal data [Ethan Cox/National Post]

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: bullying • canada • computer science • dawson college • education • montreal • pq

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

slippy0

He was expelled for running vulnerability probing software well after he reported the vulnerability. Sure, it is probably extreme, but it was a very dumb thing to do.
- http://www.fagerland.org tofagerl
  
  People who can’t tell the difference between hat colors should not decide which hats to destroy!
  - yadayada
    
    My first thought was “How to create a Black Hat in one easy step.”
    I hope he at least has legal remedies available. As in, I hope he can afford a lawyer.
- http://profile.yahoo.com/4TS77Q7S2EOHIDY3PZHV4TE54E Paul
  
  Why is that dumb? They were exposing him and his classmates to identify theft. Knowing a bureaucracy, it would be a little naive to think “I reported the flaw, of course they fixed it.”
  - slippy0
    
    Because if you’re going to be doing something like that, you could easily be confused with someone doing something malicious. If you’re going to run a diagnostic that can be used to identify vulnerabilities, and not do anything to prevent it from being traced back to you, you should probably at the very least notify the company/department.
    
    I think it was an overreaction for him to be expelled, I’m just saying the headline is misleading.
    - wysinwyg
      
      I’ve seen complaints about misleading headlines where I thought “OK, I guess it’s pretty ambiguous.” This is not one of those situations.
  - C W
    
    It’s not naive to think “they don’t want me in their systems and expelled me for it. better get right up back in them now that I have even less permissions to access them after being denied, and even less permissions on top of that now that I’m expelled” ?
    - L_Mariachi
      
      Please read the article, paying special attention to the chronology, which you’ve got all wrong.
  - Kyon
    
    Sure, but I’m pretty sure it’s illegal to run vulnerability scanners on someone’s network without their permission. While it might be naive to assume that they fixed it, it’s probably more naive to assume that they won’t throw the book at you for trying to break their security. Bureaucracy may not be efficient, but that doesn’t mean its not litigative.
    - http://grumer.org/ Avram Grumer
      
      And it’s naïve of the school to think this kind of behavior won’t get them some bad publicity from sites like BoingBoing.
      
      What is it that makes people just shrug and go Yeah, school bureaucracies are stupid that way instead of getting pissed off and demanding that school bureaucracies stop being stupid?
      - Diogenes
        
        It’s the result of a lifetime’s training to trust authority. Keep your head down and they won’t bother you. Every bureaucratic bully in the world counts on that behavior.
- http://www.jeremiahblatz.com/ Jeremiah Blatz
  
  You, sir, either have no idea what you’re talking about, or ar an idiot. Omnivox is web-based, and I’ll bet lots of money that his “probing software” was something along the lines of typing in http://site/profile/studentid=123. If you can conceive of a rational world in which visiting that URL once is worthy of accolades then going back a few days later is worthy of jail time, then you have a loose grip on reality. If there is even a shred of truth to this article, then you are entirely blaming the victim for the outrageous actions of a cabal of spineless bullies.
  - slippy0
    
    Or maybe I actually read the article…
    
    http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data/
    
    “Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites…”
    
    http://www.reddit.com/r/programming/comments/16z0fn/youth_expelled_from_montreal_college_after/c80qayl
    
    “actively searches for vulnerabilities by attempting to exploit them. ”
    
    What he’s doing isn’t inherently evil, I’m just saying the headline is misleading.
    
    EDIT: See Mansour Moufid’s response below. It shares some evidence contradicting my statements.
    - http://www.jeremiahblatz.com/ Jeremiah Blatz
      
      Well, in any case, my assertion was incorrect. I humbly apologize and thank you for your informative correction. I must’ve skipped over that paragraph in the original article.
      
      Web application scanners can mess up a (bad) web site pretty hard, if he was repeatedly running it against a production server, then he certainly deserves a stern talking to.
  - C W
    
    “I’ll bet lots of money that his “probing software” was something along the lines of typing in http://site/profile/studentid=123. If you can conceive of a rational world in which visiting that URL once is worthy of accolades then going back a few days later is worthy of jail time, then you have a loose grip on reality”
    
    I’ll take that bet!
    
    (Shhhhh, slippy0, I’ll split the winnings with you.)
- C W
  
  Hrm, these people are unreasonable and stated in no uncertain terms that they did not want me in their systems… better go log back into those systems and meddle further!
- http://www.peripetylabs.com/ Mansour Moufid
  
  That is completely false. He used the vulnerability testing software on a test server set up by the company specifically for him. Listen to the full interview here:
  
  http://www.cbc.ca/player/Radio/Local+Shows/Quebec/Daybreak+Montreal/ID/2327525012/
  - C W
    
    No sarcasm intended, but was this after the University had already advised him to stop using their resources for this project?
- Sigmund_Jung
  
  That’s not a good reason to me. Yes, it can dumb…if you are a full grown up man. Are we forgeting that, first of all, young people do stupid things and that is exactly why we have different treatments for diffferent ages. He might be 20, but in some states in the US he can’t even drink.
  
  We can’t throw away the process of becoming an adult and start arresting and ruining peoples lives that way. Otherwise, you’ll start building a society of risk-averse people, and THAT is dumb.
- andygates
  
  “Hey, is that unlocked door I reported still unlocked?”
  That’s dumb?
- Diogenes
  
  They should have hired him on the spot to replace their current IT head. He’s obviously better qualified to handle their confidential data.
jennybean42

Is it bad my first thought was, “well, they were extra hard on him because his name is Ahmed Al-Khabaz?”
- soylent_plaid
  
  It’s bad, but it’s not because you’re a bad person.
- http://daruiburns.tumblr.com/ Dlo Burns
  
  it wouldn’t surprise me if he’s on a watch list now. Or he was before and got bumped up.
  - James Kimbell
    
    Or someone with a similar name was, and he received the hassle anyway.
- http://dptlc.blogspot.com/ DmpstrBaby
  
  Actually Dawson as a very large international student body and lots of people with names like Al-Khabaz. Also, not in the USA..
  - http://profile.yahoo.com/SZEOISKAEDUCNZA7E3AZJHJOFQ Steve
    
    Montreal is every bit as racist as the average US town.
    - edkedz
      
      Yes, but in different ways, and usually expressed differently.
- whiznat
  
  I don’t believe it’s bad at all. That’s just part of the way our brain works. If, however, after rational consideration, you concluded that was a good reason to be hard on him, then you would be bad.
eldritch

A quick search of the Dawson College website provides information regarding their Computer Science Technology progam’s faculty and staff.

http://www.dawsoncollege.qc.ca/programs/social-science-business-technologies/computer-science-technology/faculty-staff-list

There are 16 teaching professors, and 2 staff who seem less likely to have been involved. Can we narrow down which 14 voted in favor of expulsion?
- http://www.facebook.com/profile.php?id=100000273403609 Andrew Gee
  
  Yay! Witch hunt! That’s the grown up way to respond.
  - That_Anonymous_Coward
    
    When a child is about to touch the stove do you take the time to rationally explain that stoves are hot and they should not pursue trying to touch it or do you act quickly to stop them even if it might make them cry?
    
    Not to mention the school opting to protect an outside vendor who placed their entire student body at risk doesn’t seem like a grown up response.
    - http://dptlc.blogspot.com/ DmpstrBaby
      
      If you’ve already warned him to let him touch the stove so he’ll learn the hard way.
      - Diogenes
        
        Please don’t reproduce.
  - Antinous / Moderator
    
    Yay! Witch hunt! That’s the grown up way to respond.
    
    No need to hunt when you wave your pointy hat and broomstick at us.
  - James Kimbell
    
    There never have been any witches, but there are definitely 14 people who voted to expel this guy.
Ken.C

I sense a change.org petition in the making.
- C W
  
  I’d like to believe this is a joke about the futility of slactivism, but I fear it is sincere.
  - Ken.C
    
    It’s not pro- or anti- petitions, it’s merely a statement.
elix

This is absolutely fucking retarded. However… the moment he was threatened with jailtime and forced to sign a secret gag order, he should’ve told them to park their goddamn asses while he went and consulted a lawyer. (Affording a lawyer when you’re a 20-year-old student is an entirely separate challenge, granted.)

Now, I suppose that technically his access a second time could be considered evidence of malicious behaviour and he doesn’t have the law on his side to be confident that a judge would throw the assholes out of court, but never sign a gag order without talking to a lawyer. (I am not a lawyer and I am not qualified to give legal advice; this is my idea of ‘common sense’ and a safe bet. Your laws may allow you to be gagged without legal counsel.)
- Grahamers2002
  
  If this jurisdiction is like most, absence of “malicious intent” to do bad stuff after you gain access to protected computer information does not preclude you from guilt.
  
  The typical statute criminalizes intentionally gaining access to or exceeding authorized access to a computer system, and thereby obtaining information from any protected computer. It’s the “breaking and entering” law of the internet age. Simply getting in the door and looking at stuff is illegal.We can debate if this is overly-broad but this is the law of most lands. As such, he broke it the 2nd if not the first time. Should he be prosecuted? Hell no. That is where prosecutorial discretion should kick in. Should this school have booted him? While I don’t think so on the facts we have, we don’t know all of the conversations that were had after he first notified. It’s hard to imagine facts that could come to light supporting his expulsion, but they may exist. He should be lauded and I hope some other school gives him a full ride scholarship.
  - Zach Z
    
    FWIW, this jurisdiction operates under the Quebec version of the Napoleanic Code rather than the more regular Common Law basis. If McGill is on it, they should be able to pick him up without trouble. That said, completion of his year in CEGEP (~junior college in Quebec for residents first year at university) at Dawson would probably have to be waived.
  - elix
    
    Like I said, his actions are going to be, by default, considered evidence of malicious behaviour, because he’s performing (as a whitehat) an exploit against their systems. He does not have the law on his side, because of this.
    
    But my non-expert, non-lawyerly advice is, if someone other than a member of law enforcement is threatening you with jailtime and forcing you to sign a gag order, you get a lawyer on the phone before you take one step forward. Unless you, yourself, are a lawyer licensed to practice in the area and so are likely to be more aware of your rights than the average layman, you should be going to one. If law enforcement is involved, that brings police procedure into the picture and it quickly gets a lot more complex and complicated, but he didn’t get that far.
    - Won Word
      
      “… if someone ~~other than a member of law enforcement~~ is threatening you with jailtime and forcing you to sign a gag order, you get a lawyer on the phone before you take one step forward.”
      FIFY. Don’t talk to police.
http://daruiburns.tumblr.com/ Dlo Burns

This looks like a job for Anonymous!
mccrum

Maybe MIT has a space for him, they’d never treat anyone like that! (Too soon?)
- Andrew Singleton
  
  Yes. Yes it is.
  
  *offers cookie*
  - mccrum
    
    Then rescinded with a bow and cookie enjoyed.
Ryan Lenethen

Perhaps they were trying to teach him about the real world. I recall a story about an engineer at Cisco I believe that discovered a huge security flaw in their routers. When he first approched managment with it they gagged him, and then when he approched them years later as it still hadn’t been fixed they fired him. Thats the story I remember anyway, doesn’t sound so different…
- That_Anonymous_Coward
  
  You mean like the guy who pointed out a vulnerability and they threatened to make him pay for fixing it?
  http://it.slashdot.org/story/11/10/14/2129228/security-researcher-threatened-with-vulnerability-repair-bill
  
  Or like the guy who tried to get Amex to fix something, but no one at Amex wanted to help him because he wasn’t a card holder?
  https://www.techdirt.com/articles/20111011/04263216303/find-massive-security-hole-american-express-if-youre-not-cardholder-it-doesnt-care.shtml
  - Preston Sturges
    
    Wouldn’t you love to know what ulterior motives were involved?
    - That_Anonymous_Coward
      
      Because corporations want everyone to think they have perfectly secure systems. They can threaten people to keep the news form getting out, so they do.
      
      Paypal told the world the DDOS against them hurt nothing, and yet people were arrested around the globe and pursued wildly… Paypal claiming large losses to help the cases get better sentences.
      
      Look at Sony. Hacked a multitude of times, pointing to Anonymous as evil super hackers… when the truth is they failed to follow basic security rules. They had known for a long time about the vulnerabilities which lead to the hack and didn’t care enough to fix it. The rest of their network fell around the globe because the cost of keeping the systems secure was higher than dealing with the fallout of a hack.
prombough

For those who want to lend him a hand http://www.hamedhelped.com
http://twitter.com/digittante d i g i t t a n t e

Maybe it wasn’t a bug he found but a (surveillance) feature?
http://disqus.com/Kimmoth/ Kimmo

WTF. That is all.
Boundegar

Now that this story has legs, I’m betting his troubles are over. Assuming he’s really a white hat, there are plenty of universities that would be convinced by the journalism to let this guy have a second crack at his degree, and plenty of companies that would love to hire him. All he needs to do is staple the most favorable version of the story to his resume.
- anansi133
  
  Yeah, I’d love to think that… time will tell. Given all the other horror stories I’m hearing from Big Education, it’s at least equally plausible that college is broken and not in a position to repair itself. No real black hats here, just a bunch of insecure profs with imposter syndrome.
That_Anonymous_Coward

So the moral of the story is if you want competent computer people don’t hire anyone who went to Dawson?
- Diogenes
  
  But if you want toadies, taught by professional toadies, Dawson’s the name to look for.
http://dptlc.blogspot.com/ DmpstrBaby

To me there is no debate when it comes to outing a flaw, do it publicly and anonymously. Contacting someone “in charge” seems to be to much of a burden in most cases. Then again no one forced you to be a white knight so deal with it and learn to flip burgers.
- That_Anonymous_Coward
  
  As this flaw directly affected him so he had a vested interest.
  If a website was handing out your Social Security Number (or equivalent) to anyone who could diddle a web interface wouldn’t you want to make sure it was fixed?
  - http://glitch.tl/ Michael Smith
    
    Funny you should ask about that because there was a tax web site here in Australia which did that. The guy who found the problem reported the security hole to the relevant authorities and they called the police, charges were laid against him, etc.
    - That_Anonymous_Coward
      
      Is that the story I mentioned upthread from slashdot?
      
      http://it.slashdot.org/story/11/10/14/2129228/security-researcher-threatened-with-vulnerability-repair-bill
      - http://glitch.tl/ Michael Smith
        
        No I am pretty sure it was this one:
        
        http://www.computerworld.com.au/article/85738/govt_security_hole_assists_gst_hack/
  - http://dptlc.blogspot.com/ DmpstrBaby
    
    If I was to ever report a bug to a private party I would most likely assume it to be ignored.
    
    Once upon a time if you wanted something to be fixed you reported it on bugtraq’s mailing list for the entire world to see, that usually succeeded to motivate people into fixing things.
http://profile.yahoo.com/U4NLFZOXENOY4DIM6YXDKDHOTQ Leigh

Yet again we have ugly proof of the old saying about shooting the messenger. I wonder if authority figures have ever considered the possibility that people would be a little less cynical about authority if they would actually respond to the problem instead of punishing the person who alerted them to its existence because they feel embarrassed by the lapse.
- http://profiles.google.com/marc.k.mielke Marc Mielke
  
  As long as people can potentially abuse their authority, people will and should be cynical about authority.
http://tumbleweed.org.za/ tumbleweed

Sadly, this sounds vaguely familiar. When I was in undergrad, I noticed that there were many personal details publicly visible in my University’s LDAP directory. The University had a front end for staff in LDAP, but not students.

So, I made a nice front-end for browsing the student directory. It was very useful for managing student society membership (and probably stalking, if you were into that kind of thing). It had a disclaimer, saying where the data was coming from, and I spread the word about it, assuming the IT department would eventually notice, and lock down the LDAP ACLs.

Eventually word reached the high echelons of the IT department, and they were very upset. Thankfully, I was lucky. All I had to do was take the front-end down, and write them a letter of apology to avoid them taking me to the University court. Of course, I sucked up, and thankfully that was the end of that. Naturally, they didn’t actually do anything about the leak and the private student details were still visible to anyone who knew where to look…
- mccrum
  
  I can hear that meeting right now: “Oh. Well. As long as the problem was fixed, where’s the harm?”
  
  Ugh.
JProffitt71

Christ what a bunch of assholes (Regarding Dawson).
James Penrose

” you could easily be confused with someone doing something malicious.”

If he wanted to be naughty, he probably would not have reported said bug but simply exploited it quietly.

This is bureaucratic stupidity in its finest form. I will wager they had not even begun to look at fixing the actual problem but simply hoped that if they were nice to it, it would go away and not bother them.
Improbus Liber

Another group of fools gets to learn about the Streisand Effect. You would think that Academics would be more in touch with reality but I guess one bureaucracy is much like another … clueless.
- http://twitter.com/Beryllium9 Beryllium9
  
  I don’t recall ever hearing someone accuse academics of being in touch with reality. :)
http://glitch.tl/ Michael Smith

Computer science graduate (and working software engineer) here.

Either there is a totally different side to this story which we haven’t seen, or the professional staff at this institution are behaving in a very unprofessional manner.
- That_Anonymous_Coward
  
  The company he “hacked” has a contract for all of the schools, there is lots of money… one can see pressure from above as some players, not introduced in the story yet, protect their revenue streams that are kicked back to them.
  
  That and its trendy to slap the label ‘cyber attack’ on things.
Alexis Rivera

It is ironic that those holding power positions on universities are becoming less and less qualified to understand the way technology works especially those who are supposed to teach the newer generations. I’d say screw you if I find a bug exposing my personal info and you try to cover it up and ignore it I would sue the hell out of you I’d even publish the fact to the students but not the method so they can sue the university too.
- http://www.beresourceful.net/ Rusty
  
  If you pay attention to the maxim, “Those who can, do. Those who can’t, teach” it’s not all that surprising.
  
  University professors really don’t make all that great of a salary. If your school happens to have a contract with someone like IBM or Microsoft to help with product evaluation and feedback, you might get a bit of a stipend from the vendor, but it’s not exactly “common”.
toobigtofail

Dawson college’s website gives a 403…

http://www.dawsoncollege.qc.ca/
- mccrum
  
  Our entire webpage is secret!
noah django

No good deed shall go unpunished. fuck this hetero earth.

edit: I found this posted on another website:
“the moral of the story is to keep bugs you find in proprietary software secret or, since trying to alert the creator to the issue can get you in trouble, sell the secret to someone who will use it

you have no obligation to help proprietary software work and if you do discover a flaw, exploiting it for personal profit is not any different, morally, than using the software to begin with

the reason he was threatened is because fear of lawsuits on the part of the proprietary software vendor. This is the nature of proprietary software, making perverse incentives for your behavior

he was incentivized to sell the information, acting morally with regards to an immoral system was his error. It was his duty to exploit it, not report it”

which was called “post of the week” by another poster. food for thought, but i’m tech retarded, myself.
http://openid.aliz.es/GeneralPurpose GeneralPurpose

He was running a vulnerability scanner after the fact, and it actively runs exploits. Just because you can do something, doesn’t mean you should do something.

He made a very serious mistake in testing it later. It is not your computer and not your software to be messing with. Furthermore it isn’t even the issue of him finding the bug, it is the issue of running the Acunetix software which is used to probe security holes automatically. This is like going up to a neighbor’s door with a set of master keys you found and trying each key in the door til it opens, and then yelling to your neighbor, HEY YOUR DOOR IS OPEN.

What I am saying is there 2 issues here, issue 1 a bug is found that is serious. Issue 2 the student ran a vulnerability scanner INSTEAD of just solely testing for his own bug, so it was huge and noticable. He shouldn’t have tested his bug on computers that weren’t his.

Furthermore, he should be forgiven, he is just young and naive and did not have the scruples to go about how one should safely disclose this kind of issue.

This is an incredible overreaction on the part of the college and the company. They have turned a relatively boring software bug in nation-wide news due to their overly zealous behaviour. They should have known better.
Heevee Lister

“They have turned a relatively boring software bug in nation-wide news due to their overly zealous behaviour.”

They certainly have, which might mean that now that the entire world knows about their bug, they might actually have to fix it. They might even have to say something conciliatory to Al-Khabaz.

And they probably thought they were being smart with their strategy. Heh.
http://www.beresourceful.net/ Rusty

As an update, the company who wrote the software apparently is offering him a scholarship and a part time job in software security. The school faculty and administration may be idiots, but it sounds like the software company understands a bit more about how the setup is supposed to work than the school does.

http://www.cbc.ca/news/canada/montreal/story/2013/01/21/montreal-dawson-college-hack-hamed-al-khabaz.html
- Luther Blissett
  
  Yay. We should set a reminder for next year to see if they realized the offer. If we can find out.
  
  Oh, BTW, this could be a nice series for BB. “Yesterdays (good) news, fact checking.” (Any of the staff reading this?)
http://profiles.google.com/barry.kort Barry Kort

Moulton’s First Law of Bureaucracy: Once a bureaucracy makes a mistake, it can’t be fixed.

Moulton’s Second Law of Bureaucracy: Once a corrupt bureaucracy makes a mistake, not only can it not be fixed, it can’t even be mentioned. Evar.
Luther Blissett

Can I haz resaerch, plz?

Sigh. I should run a one-man Campaing For Less Assumptions, More Facts.
That_Anonymous_Coward

Yes a corporation who cut corners decided what he did was a “cyber attack”.
This is spin to make the easily lead think he was an evil hacker stealing cookies.

Its not like the student used a homebrewed tool to attack their system.
I am much more curious how they saw him in the log and were able to call him seconds later. I’d like someone to review the rest of those logs and see how many times the system had been access via the flaw previously. Just because this student found this doesn’t mean he was the first… just the first to report it… maybe… NDA’s and such…
C W

“This is spin to make the easily lead”

What, no “sheeple”?
That_Anonymous_Coward

I don’t use that out of fear….

http://xkcd.com/1013/
mccrum

Interestingly, you’re assuming such a thing doesn’t exist…
Luther Blissett

Oh, I didn’t assume there isn’t a one-man CFLAMF, but I’m positive I didn’t run one before yesterday. (At least not on the web.)