Dawson student expelled for exposing software security flaw

By on January 21, 2013, 3:00 PM

A student from Montreal Dawson College has been expelled from the school with failing grades after exposing a security flaw in a computer system used by a number of Quebec general and vocational colleges. The “sloppy code” found by Ahmed Al-Khabaz and a fellow student reportedly put the personal information of some 250,000 students at risk, according to a report from the National Post of Canada.

Al-Khabaz and Ovidiu Mija discovered the security flaw last fall. After running a test to confirm the risk was legit, the computer science student said that anyone with basic knowledge of computers could gain access to personal information like social insurance number, home address, phone number and even class schedule – or pretty much all information that the college has on a particular student.

The duo brought the issue to the attention of Francois Paradis, Director of Information Services and Technology at the school. They were congratulated and left with the promise that Skytech, the company behind the flawed software, would fix the issue immediately.

Two days later, Al-Khabaz decided to check the vulnerability a second time to see if the company had fixed the problem yet. Moments later, his phone rang - it was Edouard Taza, the president of Skytech. According to Al-Khabaz, Taza said the security check boiled down to a cyber attack and he could be arrested unless he signed a non-disclosure agreement to keep him quiet about the incident.

Taza later told the publication that he recalled mentioning police and legal consequences but there were no threats or non-disclosure agreements. He said the company was able to fix the problem immediately before anyone could access private information. The executive said he was please with the work of the students but Al-Khabaz’s use of the testing software crossed a line. Ultimately, Taza said the student simply made a mistake and there was no indication of malicious intent.

The school, however, wasn’t as forgiving. After meeting with the coordinator of the department and the school’s dean, the 15 professors in the department were asked to vote whether or not to allow Al-Khabaz to remain in school. 14 voted to kick him out of the college.

“I was acing all of my classes, but now I have zeros across the board,” Al-Khabaz said. “I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I won’t be able to get it. My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled.”




User Comments: 13

Got something to say? Post a comment
taimuraly taimuraly said:

Omg I can't wait for the news that they had links to Al Qaeda -_-

2 people like this | captainawesome captainawesome said:

I hope this story and the rest like it does it's job and sorts this issue by means of a [warranted] public outcry.

Kezhen Gao said:

Well Skytech did offer him scholarship to finish his diploma in the private sector and also offered him a part time job within the company.

Guest said:

I don't buy his version of events at all, how come everyone always seems to instantly be on the "victim's" side before the even know if said story is true? Advice: don't.

2 people like this | Ranger1st Ranger1st said:

Quebec as a whole has never been known for doing smart things. ever..

ikesmasher said:

I feel like the professors probably were not given the true full story.

Guest said:

Ahmed Al-Khabaz could had sold the security flaw to hackers for a lot of money and kept quiet about it. Instead, he gave the information about the security flaw to the company freely, and everyone has treated him as a criminal for it.

How about punishing the software company for failing to secure their code? But of course that isn't a crime under law to build sloppy code. So, why should reporting security flaws be a crime, unless you want to support sloppy code in the first place to be rewarded for doing so.

Whoever prevents people from reviewing code, has something to hide. Only open source code is honest, and should be the only code worth trusting. When proprietary code (hidden code) is used, you already will get this results with security flaws in them.

Telling everyone it is illegal to review code, is just insanity, crazy, knowing that is like blind faith, to believe in something you know nothing about. Proprietary code is nothing more than obscurity in design, and should never be accepted as reviewed code, proven secure and safe.

If anyone was to insert a backdoor in software, it would be in proprietary code. Give Ahmed Al-Khabaz a break, he isn't the criminal for EXPOSING the truth. His actions were of a good person, to warn others about the security flaw.

The software company and school should had acted to resolve the security flaw, not to punish the messenger who spoke the truth. But, we all know why this happens, because of financial gain, the money involved. As clearly, nobody praised Ahmed Al-Khabaz for doing the right thing.

He deserves better than this treatment upon him. He isn't the advisory, the enemy, his actions are examples for all of us to follow, by seeking out the truth.

1 person liked this | MilwaukeeMike said:

I feel like the professors probably were not given the true full story.

Yes, or we're not getting the full story right now. It definitely seems like there's more to this story.

Either way I'd put my money on a DDoS by Anon sometime this week.

ikesmasher said:

Yes, or we're not getting the full story right now. It definitely seems like there's more to this story.

Either way I'd put my money on a DDoS by Anon sometime this week.

didnt look at it that way, seems obvious now.

Bluewr Bluewr said:

Well, it's not exactly a new story, and so far, Skytech, and the school itself have chosen not to reply to any media question or inquiry.

So the only information we have is based on the victem here.

And as he did say there was threat of police action from the Skytech president.

Who in an intereview did confirm that he did say police action would be taken, but he didn't mean it as a threat(Back pedaling, just because I said, I'll kill you, didn't mean I'll really kill you)

So until the other side come out with a statement or official source, the student and the student council and body that is petitioning for him to be reinstated is taken as fact.

Bluewr Bluewr said:

Interesting, Skytech(Company in question) gave the student a test account to a test server to test things, without any prior word against him using a common security scanner to scan for vulnaribity

Which he then used to see if the vulnerbility he discovered still exist.

[link]

Interviewer: ?But did you tell them ahead of time that you were going to run this software??

Ahmed: ?Well, I thought it was pretty obvious, from my point of view; they gave me the test account, and, uh, it was made for testing purposes.?

So, this company gave the kid an account on their test server (he says he only ran the pentest software on their test server), and they come back and yell at him?

cliffordcooley cliffordcooley, TechSpot Paladin, said:

I know its off-topic but;

I wonder if these professors that kicked this kid out of college, play violent video games.

For those of you who know about the other topic, you may find a little humor in this comment.

PinothyJ said:

I don't buy his version of events at all, how come everyone always seems to instantly be on the "victim's" side before the even know if said story is true? Advice: don't.

Innocent until proven guilty...

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.