Canadian student expelled for playing security "white hat"


nsane.forums

Found security flaw that exposed personal information of over 100,000 students.

An online petition drive launched to reinstate Ahmed Al-Khabaz, a student expelled from Dawson College after running security scans on a student information system that exposed major weaknesses.

A 20-year-old Canadian computer science student has become, depending on your point of view, a martyr for computer security or a cautionary tale for students and others who take an interest in exposing security flaws in software products. While Ahmed Al-Khabaz said he felt he had a "moral duty" to probe the security of a student information system used by over 250,000 students, the school's administration said his acts were a "serious professional conduct issue" and expelled him. Now, fellow students are demanding his reinstatement, and the college and its software provider are facing a publicity and security backlash.

Al-Khabaz and another student reported finding a security flaw in the mobile application for Omnivox, a Web-based software package developed by Montreal-based Skytech Communications that is used by students to access and manage their personal information and college services—including their Social Insurance numbers, the Canadian equivalent of US Social Security numbers.

Omnivox is used widely by Quebec's general and vocational colleges. Al-Khabaz told the National Post that the software had "sloppy coding" that allowed anyone "with basic knowledge of computers to gain access to the personal information of any student"—including virtually all of the personal data the college had collected on them.

When Al-Khabaz and fellow student Ovidiu Mija reported the problem to the school's director of Information Services and Technology, they were initially congratulated for finding the flaw and were told it would be fixed immediately. But it was Al-Khabaz' next step that landed him in trouble with the school. Two days later, he decided to check to see if the flaw had indeed been fixed, using a site security scanning tool called Acunetix.

Acunetix provides a free trial download of its software for checking against cross-site scripting (XSS) attacks; the complete tool can perform deeper vulnerability scans against websites. Both, however, are intended primarily for use during off-line software testing, and not on live sites: in its full version, Acunetix crawls the entire target site, checking for vulnerabilities and documenting error messages for signs of potential attack paths.

Al-Khabaz told the National Post that moments after he ran the scan, Skytech's president Edouard Taza called him on his home phone, telling him it was the second time that the company had seen his activities in their log files, and that what he was doing was considered a cyber-attack. Al-Khabaz claimed that Taza threatened prosecution if he did not meet with him and sign a nondisclosure agreement. Taza confirmed the conversation to the Post but denied he made threats; Skytech executives did not respond to Ars' request for comments.

The use of the scanning software against an active site, even in its limited trial form, is at best a mistake, said Acunetix Director of Sales Chris Martin in an interview with Ars. "We go to great lengths to stress to users not to use Acunetix WVS on live websites, but on offline copies of those Web application setups to avoid these situations," he told us. "This is clearly stated in our manual as well as in prominent guideline advisories on our website."
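The article notes that Skytech noticed the scan in its log files, and that a full-site scanner crawls every page and triggers error responses along the way. The following script is an added example from the editor, not code from the article, Skytech, Acunetix or Dawson College: it parses combined-format web access log lines and flags clients whose burst of requests across many distinct paths, with a high error ratio, looks like crawling or scanning rather than ordinary use. The log lines, client addresses and thresholds are constructed for illustration.

```python
"""Flag scan-like request bursts in web server access logs.

Added example (not from the article or from Skytech/Acunetix).
The sample log lines and the thresholds below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumed layout for the sample below).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one ordinary user (203.0.113.7) and one client that
# requests eight different paths in two seconds, mostly getting errors.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2013:14:02:01 -0500] "GET /omnivox/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"
203.0.113.7 - - [16/Jan/2013:14:02:09 -0500] "GET /omnivox/grades HTTP/1.1" 200 8831 "-" "Mozilla/5.0 (constructed)"
198.51.100.23 - - [16/Jan/2013:14:03:00 -0500] "GET / HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (constructed)"
198.51.100.23 - - [16/Jan/2013:14:03:00 -0500] "GET /admin/ HTTP/1.1" 404 312 "-" "Mozilla/5.0 (constructed)"
198.51.100.23 - - [16/Jan/2013:14:03:00 -0500] "GET /backup/ HTTP/1.1" 404 312 "-" "Mozilla/5.0 (constructed)"
198.51.100.23 - - [16/Jan/2013:14:03:01 -0500] "GET /test/ HTTP/1.1" 404 312 "-" "Mozilla/5.0 (constructed)"
198.51.100.23 - - [16/Jan/2013:14:03:01 -0500] "GET /old/ HTTP/1.1" 404 312 "-" "Mozilla/5.0 (constructed)"
198.51.100.23 - - [16/Jan/2013:14:03:01 -0500] "GET /private/ HTTP/1.1" 403 290 "-" "Mozilla/5.0 (constructed)"
198.51.100.23 - - [16/Jan/2013:14:03:02 -0500] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (constructed)"
198.51.100.23 - - [16/Jan/2013:14:03:02 -0500] "GET /tmp/ HTTP/1.1" 404 312 "-" "Mozilla/5.0 (constructed)"
"""


def parse(lines):
    """Yield dicts for lines matching the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
        entry["status"] = int(entry["status"])
        yield entry


def client_stats(entries):
    """Aggregate request count, error count, distinct paths and time span per client IP."""
    stats = defaultdict(lambda: {"n": 0, "errors": 0, "paths": set(), "first": None, "last": None})
    for e in entries:
        s = stats[e["ip"]]
        s["n"] += 1
        if e["status"] >= 400:
            s["errors"] += 1
        s["paths"].add(e["path"])
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    return stats


def flag_scanners(lines, min_requests=8, error_ratio_threshold=0.5, rate_threshold=2.0):
    """Return {ip: summary} for clients whose traffic looks like a crawl or scan.

    A client is flagged when it made at least `min_requests` requests and
    either most of them produced 4xx/5xx responses or they arrived faster
    than `rate_threshold` requests per second. Thresholds are illustrative.
    """
    flagged = {}
    for ip, s in client_stats(parse(lines)).items():
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        rate = s["n"] / span
        err_ratio = s["errors"] / s["n"]
        if s["n"] >= min_requests and (err_ratio >= error_ratio_threshold or rate >= rate_threshold):
            flagged[ip] = {
                "requests": s["n"],
                "distinct_paths": len(s["paths"]),
                "error_ratio": round(err_ratio, 2),
                "rate_per_s": round(rate, 2),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in flag_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The two signals used here, a burst of requests to many distinct paths and a high share of error responses, are exactly what a crawler that "documents error messages" leaves behind, which is why an operator can spot it in ordinary access logs without any special instrumentation. In production the thresholds would be tuned against the site's normal traffic and the output fed to an alerting pipeline rather than printed.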

While Skytech saw the probe by Al-Khabaz as the mistake of an overeager student, Dawson College administrators decided to take disciplinary action. After he was interviewed by the dean of Dawson and his Computer Science program coordinator, the details were brought to a meeting of 15 professors in the school's Computer Science department. By a 14-to-1 vote, they moved to expel him.

That move was denounced by the Dawson Student Union as an attempt to sweep the security problems under the rug. In a statement, the Student Union's officers said, "Though he offered to assist Skytech to fix malfunctions that could lead to the theft (of student information), Al-Khabaz's goodwill was rejected and he was instead greeted with increased hostility, character accusations and legal threats." And an on-line petition drive, called HamedHelped, is underway to have Al-Khabaz reinstated at Dawson.

But the college, through its Facebook page, denied that the expulsion was motivated by a desire to conceal the risk to students' data. "We’re in the delicate position of trying to respond to every claim and accusation without breaking the law that forbids us from discussing your personal student files with the media or anyone else, for that matter," the Dawson College statement read. "We cannot violate the privacy of our students, even when they go public with their version of what happened."

Skytech has responded to the backlash by trying to reach out to Al-Khabaz and help him continue his studies. Today, Taza told the CBC that he was offering Al-Khabaz a part-time job and a scholarship to continue pursuing his degree at a private college. Apparently, news of that offer hasn't calmed the backlash. As of this afternoon, Skytech's website and the site of Dawson College were both unreachable, apparently due to a denial of service attack.

View: Original Article

He should be thanked with a cash reward, not expelled! What he did was the equivalency of warning a small city of a raging fire that was coming towards it. He helped things out and got in trouble for it... how dumb.

Man, the one that expelled the student must be some sort of j^ck^ss
