TechSpot

Dawson student expelled for exposing software security flaw

By Shawn Knight
Jan 21, 2013
  1. A student from Montreal Dawson College has been expelled from the school with failing grades after exposing a security flaw in a computer system used by a number of Quebec general and vocational colleges. The “sloppy code” found by Ahmed...

     
  2. taimuraly

    taimuraly TS Enthusiast Posts: 119

    Omg I can't wait for the news that they had links to Al Qaeda -_-
     
  3. captainawesome

    captainawesome TS Guru Posts: 418   +42

    I hope this story and the rest like it does its job and sorts this issue by means of a [warranted] public outcry.
     
    Wendig0 and m4a4 like this.
  4. Kezhen Gao

    Kezhen Gao TS Rookie

    Well, Skytech did offer him a scholarship to finish his diploma in the private sector and also offered him a part-time job within the company.
     
  5. I don't buy his version of events at all. How come everyone always seems to instantly be on the "victim's" side before they even know if said story is true? Advice: don't.
     
  6. Ranger1st

    Ranger1st TS Enthusiast Posts: 273   +77

    Quebec as a whole has never been known for doing smart things. ever..
     
    Wendig0 and m4a4 like this.
  7. ikesmasher

    ikesmasher TS Evangelist Posts: 1,966   +389

    I feel like the professors probably were not given the true full story.
     
  8. Ahmed Al-Khabaz could have sold the security flaw to hackers for a lot of money and kept quiet about it. Instead, he gave the information about the security flaw to the company freely, and everyone has treated him as a criminal for it.

    How about punishing the software company for failing to secure their code? But of course that isn't a crime under law to build sloppy code. So, why should reporting security flaws be a crime, unless you want to support sloppy code in the first place to be rewarded for doing so.

    Whoever prevents people from reviewing code has something to hide. Only open source code is honest, and should be the only code worth trusting. When proprietary code (hidden code) is used, you already will get these results with security flaws in them.

    Telling everyone it is illegal to review code, is just insanity, crazy, knowing that is like blind faith, to believe in something you know nothing about. Proprietary code is nothing more than obscurity in design, and should never be accepted as reviewed code, proven secure and safe.

    If anyone was to insert a backdoor in software, it would be in proprietary code. Give Ahmed Al-Khabaz a break, he isn't the criminal for EXPOSING the truth. His actions were of a good person, to warn others about the security flaw.

    The software company and school should have acted to resolve the security flaw, not to punish the messenger who spoke the truth. But, we all know why this happens, because of financial gain, the money involved. As clearly, nobody praised Ahmed Al-Khabaz for doing the right thing.

    He deserves better than this treatment upon him. He isn't the adversary, the enemy, his actions are examples for all of us to follow, by seeking out the truth.
     
  9. MilwaukeeMike

    MilwaukeeMike TS Evangelist Posts: 2,153   +737

    Yes, or we're not getting the full story right now. It definitely seems like there's more to this story.

    Either way I'd put my money on a DDoS by Anon sometime this week. :)
     
    m4a4 likes this.
  10. ikesmasher

    ikesmasher TS Evangelist Posts: 1,966   +389

    Didn't look at it that way, seems obvious now.
     
  11. Bluewr

    Bluewr TS Rookie

    Well, it's not exactly a new story, and so far, Skytech, and the school itself have chosen not to reply to any media question or inquiry.
    So the only information we have is based on the victim here.
    And as he did say there was threat of police action from the Skytech president.
    Who in an interview did confirm that he did say police action would be taken, but he didn't mean it as a threat (back pedaling, just because I said, I'll kill you, didn't mean I'll really kill you)
    So until the other side comes out with a statement or official source, the student and the student council and body that is petitioning for him to be reinstated is taken as fact.
     
     
  12. Bluewr

    Bluewr TS Rookie

    Interesting, Skytech (company in question) gave the student a test account to a test server to test things, without any prior word against him using a common security scanner to scan for vulnerability
    Which he then used to see if the vulnerability he discovered still exists.

    http://www.cbc.ca/video/player.html?clipid=2327525012&position=2136&site=cbc.news.ca
    Interviewer: “But did you tell them ahead of time that you were going to run this software?”

    Ahmed: “Well, I thought it was pretty obvious, from my point of view; they gave me the test account, and, uh, it was made for testing purposes.”

    So, this company gave the kid an account on their test server (he says he only ran the pentest software on their test server), and they come back and yell at him?
     
  13. cliffordcooley

    cliffordcooley TechSpot Paladin Posts: 6,248   +1,549

    I know it's off-topic but;
    I wonder if these professors that kicked this kid out of college, play violent video games.

    For those of you who know about the other topic, you may find a little humor in this comment.
     
  14. PinothyJ

    PinothyJ TS Enthusiast Posts: 429   +15

    Innocent until proven guilty...
     

