
Student Expelled From Montreal College For Finding "Sloppy Coding"

samzenpus posted about a year and a half ago | from the this-is-not-the-code-you-are-looking-for dept.

Canada 633

innocent_white_lamb writes "In what appears to be a more-and-more common occurrence, Ahmed Al-Khabez has been expelled from Dawson College in Montreal after he discovered a flaw in the software that the college (and apparently all other colleges across Quebec) uses to track student information. His original intention was to write a mobile app to allow students to access their college account more easily, but during the development of his app he discovered 'sloppy coding' that would allow anyone to access all of the information that the system contains about any student. He was initially ordered to sign a non-disclosure agreement stating that he would never talk about the flaw that he discovered, and he was expelled from the college shortly afterward."


633 comments


Terrorist? (3, Funny)

snsh (968808) | about a year and a half ago | (#42646285)

Troublist!

Re:Terrorist? (5, Funny)

Anonymous Coward | about a year and a half ago | (#42646403)

In trouble for finding sloppy coding?

What'd he do, boot a Windows computer?

Re:Terrorist? (-1)

Anonymous Coward | about a year and a half ago | (#42646707)

Or to any Linux desktop, really.

Ridiculous (-1)

klashn (1323433) | about a year and a half ago | (#42646297)

Just because he had an Islamic name they thought he was more than a college student trying to make things easier for students in general. He did the right thing, reporting the flaw, an this is what happens? The administration are idiots

Re:Ridiculous (5, Informative)

JackieBrown (987087) | about a year and a half ago | (#42646425)

I missed that part of the article. Can you quote the line where they said that?

It seemed more like he discovered a flaw and reported it. This embarrassed the university. He later tried to verify if the flaw had been fixed by using the flaw (probably not the best move he could have made) and the university used this as an excuse to terminate him.

Re:Ridiculous (5, Informative)

gewalker (57809) | about a year and a half ago | (#42646475)

Slashdot article summary is very misleading at best. He was not expelled because he reported a security flaw; he was expelled because he ran Acunetix [acunetix.com], a website vulnerability scanner, after he reported the vulnerability, without permission of the web gods. Although there was no malicious intent by Ahmed Al-Khabaz, he stepped over the line and the University was not in a forgiving mood, arguably vindictive.

Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.

“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”

For reporting the vulnerability in the first place, he was thanked by the University, but they did not take kindly to using Acunetix -- I would certainly agree that the university over-reacted, but they were not punishing him for discovering a vulnerability.

Re:Ridiculous (2)

oh_my_080980980 (773867) | about a year and a half ago | (#42646587)

Read the article again. They did. Particularly where the software company threatened him with legal action.

Re:Ridiculous (4, Insightful)

K. S. Kyosuke (729550) | about a year and a half ago | (#42646479)

Just because he had an Islamic name

What's "Islamic" about the name? If you said "Arabic", now that would be something else...

Re:Ridiculous (0)

Skapare (16644) | about a year and a half ago | (#42646715)

But the administration probably doesn't understand the difference.

Remember (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42646315)

All problems can be solved by personally punishing someone in an unrelated fashion to their crime, rather than simply fixing the problem.

Re:Remember (1, Insightful)

durrr (1316311) | about a year and a half ago | (#42646461)

Crime?
If I see a bank vault missing a wall, am I criminal for pointing out this obvious and stupid flaw?

Re:Remember (1)

Anonymous Coward | about a year and a half ago | (#42646583)

Yes. Perhaps no one else would have noticed. But now you have made it fairly easy for anyone to commit a crime by pointing out how to do it. Thus you are guilty as charged as well and a criminal. /sarcasm. (or maybe not, 'cause this really happens nowadays)

Re:Remember (3, Insightful)

RicardoGCE (1173519) | about a year and a half ago | (#42646607)

No, but if you later try to break into the bank to make sure they fixed the wall, they might misinterpret your intentions.

Re:Remember (4, Insightful)

Skapare (16644) | about a year and a half ago | (#42646745)

I would characterize it more like "if you walked down that same old dingy dark alley where you discovered the hole in the wall to the safe before, they will assume that this time it clearly must be to exploit the vulnerability and cause them the expense of having to actually brick up the hole".

Re: Remember (0)

Anonymous Coward | about a year and a half ago | (#42646625)

You are if you go back a week later and try knocking out the bricks in the wall to "see if the problem has been fixed".

Re:Remember (1)

2fuf (993808) | about a year and a half ago | (#42646671)

I guess the point is that no, you wouldn't be a criminal for notifying people of the missing wall, but you technically would be if you then stepped through the wall and took some of the money inside the bank to show that the wall was still missing. Which in your analogy would be what he did when he used the Acunetix software.

Not that I ethically find it to be a crime, especially as the school admits there was clearly no intent to harm, but if you want to make an accurate analogy he did more than just pointing out.

Best way to solve this weird situation is that IT departments stop being dicks about their policies and legislation should be less severe imho.

Time to go to the press... (5, Insightful)

TWX (665546) | about a year and a half ago | (#42646319)

...and report on exactly how this flaw works, and what its implications are.

The college system turned a friend or at least a neutral party into an enemy. They should expect any and all damage that he can inflict on the administrators at the top that were foolish enough to support the actions taken against the student.

Re:Time to go to the press... (5, Insightful)

Intrepid imaginaut (1970940) | about a year and a half ago | (#42646467)

I'm fascinated by the adversarial attitude the college administration appears to have towards their students. I mean unless there's more to this story than we know about, like he made suggestive comments about the press or threatened them first, they apparently made him sign an NDA and booted him when they felt he had no recourse.

I'd have very serious questions about the ethical or even social ability of these people to operate a third level institution. It strikes me as classic CYA from middle management with extreme prejudice, which typically indicates angry disconnected shut-ins in the back room. Well, either that or aloof disconnected gentlemen's clubs in the back room. Same result either way. It's not a learning environment from their perspective, it's a simmering cauldron of unpleasantness that must be kept strictly under control lest it get in the way of money.

Re:Time to go to the press... (0)

Anonymous Coward | about a year and a half ago | (#42646623)

He signed an NDA (after supposed threats of contact with the police from the (re)seller of the software), so this would make him extremely vulnerable.

Re:Time to go to the press... (2)

Entrope (68843) | about a year and a half ago | (#42646675)

Contracts signed under duress are often void, as are contracts with unconscionable terms.

Screw the NDA (1)

Anonymous Coward | about a year and a half ago | (#42646329)

I'd covertly publish the flaw + a ready-to-use exploit everywhere and let chaos ensue.

Re:Screw the NDA (4, Insightful)

X0563511 (793323) | about a year and a half ago | (#42646437)

Sure, nevermind all those other unrelated innocents who'd get their information stolen in consequence.

Re:Screw the NDA (2)

radiumsoup (741987) | about a year and a half ago | (#42646609)

This. Zealots never seem to look past their own interests.

Re:Screw the NDA (0)

Anonymous Coward | about a year and a half ago | (#42646673)

They are not innocent if they are funding a corrupt administration.

Re:Screw the NDA (1)

HaZardman27 (1521119) | about a year and a half ago | (#42646769)

Then neither is the individual who discovered the vulnerability, as he was also funding the administration until the administration would no longer allow him to.

Re:Screw the NDA (0)

Anonymous Coward | about a year and a half ago | (#42646771)

There is a chance they are already getting their information stolen by others using the same flaw.

Information wants to be free (0, Insightful)

Anonymous Coward | about a year and a half ago | (#42646331)

So, go to an internet cafe and set it free. They fucked you, so fuck them back.

Re:Information wants to be free (5, Insightful)

X0563511 (793323) | about a year and a half ago | (#42646445)

Sure, nevermind all those other unrelated innocents who'd get their information stolen in consequence.

Also, stop misusing that damn phrase, asshole.

Outside vendor freaked out and it's easier for the (2, Insightful)

Joe_Dragon (2206452) | about a year and a half ago | (#42646339)

Outside vendor freaked out and it's easier for the school to take the easy way out and kick him out than it is to help him.

Idiot. (0, Flamebait)

ledow (319597) | about a year and a half ago | (#42646363)

"He told me that I could go to jail for six to twelve months for what I had just done and if I didn't agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement."

You're an idiot. You signed something under threat of prison / arrest without bothering to consult a lawyer. No amount of mention of poverty, trust, or even just plain intimidation should have made you do such a thing without first consulting a lawyer.

And, as such, your legal position is not significantly weakened because, by talking to the media, you've BREACHED that non-disclosure agreement that you voluntarily signed and would now have to prove duress in a court to invalidate that.

You're an idiot. Don't sign anything, and if you do abide by what you sign. If they threaten you with police if you DON'T sign anything, pick up the phone and call the police (or lawyer) yourself. Duress to sign a contract is extremely important. Signing an NDA (of all things) "voluntarily" and then claiming it was done under duress in a public statement (that mentions the NDA you've just agreed you won't mention) is idiotic. Call a lawyer: it's the ONLY sensible option at that point.

And if you'd done that? Sure, it would have cost you a few hundred to get them in, but there's no way on earth that you'd be where you are now (i.e. having to hire lawyers to get back into school, for instance). In fact, likely the matter would all quickly become a "misunderstanding" that was hastily swept up out of the press.

You're an idiot. All you've done is shown a court that what you did was so grey-area that you'd rather hastily sign a contract than have the police look into it, and then you've gone and broken that exact contract, and admitted doing just that in the most public way possible.

Under duress? (5, Interesting)

MillerHighLife21 (876240) | about a year and a half ago | (#42646407)

Aren't there laws which invalidate contracts signed under duress anyway? I thought I remembered reading that somewhere.

Re:Under duress? (1)

Anonymous Coward | about a year and a half ago | (#42646447)

The problem is proving the under duress part.

Re:Under duress? (3, Interesting)

bickerdyke (670000) | about a year and a half ago | (#42646499)

Probably yes, in most jurisdictions. But it depends on who has the burden of proof.

Re:Under duress? (3, Informative)

afidel (530433) | about a year and a half ago | (#42646565)

Yes, for a contract to be enforceable it has to be a meeting of the minds, a contract signed under threat of imprisonment wouldn't generally be valid under English common law. Now Montreal is in Quebec and so governed under Napoleonic code instead of English common law and so I'm not sure that that assumption still holds since I don't live in Quebec or Louisiana.

Re:Idiot. (5, Insightful)

SuricouRaven (1897204) | about a year and a half ago | (#42646441)

You do assume that this is going to be fought fairly. The legal system is a game of adversaries - and the objective of the college administration was not to fight a fair legal battle, but to win at all costs. If I were a bastard in their place, I'd see an obvious way to prevent him doing that: "You want a lawyer? Go ahead. But the moment you step out of this office, I'm calling the police. Either sign the NDA right now, or I'll make sure you really do need that lawyer."

It's intimidation, of course. But most of the time I'd expect it to work. What's the worst that could happen? A college student finding enough money to file a civil suit against the college, that could take years to complete and cost more than he'll earn in a decade? No, most people would recognise that they are being strong-armed, but also that they are being strong-armed by someone with both the willingness and ability to utterly screw up their life if they don't comply... regardless of the fine points of contract law.

Re:Idiot. (1)

JaredOfEuropa (526365) | about a year and a half ago | (#42646567)

Two things I'd do in that situation:
1) Get a lawyer before going to that meeting. Short notice, but not impossible. You don't have to bring him but do get his advice.
2) Carry an audio recorder hidden on your person (check if that's legal first; in some cases it isn't). That will help you in court later if you have to provide proof of undue duress.

Re:Idiot. (3, Insightful)

irtza (893217) | about a year and a half ago | (#42646773)

Or don't hide the audio recorder. Put it on the table and turn it on, ask them to repeat what they say.

Re:Idiot. (5, Insightful)

FBeans (2201802) | about a year and a half ago | (#42646779)

Or of course, they could have just gone to him, showing their own proof that they had indeed fixed the problem. Thanked him again for not exploiting the weakness in their system and understanding that students trying to learn, be constructive and help others access information easier are the kind you want in your University. Everything after, whether correct or incorrect, is understandable coming from a colleague student. People make mistakes. When the College did it, they were given a second chance, because of this guy. When he then made a mistake, no such option was granted. He's better off without the college, and at least he will have learnt a few things. It's all just a shame really.

he's a student (1)

Anonymous Coward | about a year and a half ago | (#42646459)

Give him a break. Perhaps he was too naive of people's goodwill. However, seeing that he was cornered, talking to the press and appealing to the public opinion is his only way out, and hopefully a more progressive university will take on his cause. Going public is the only way to "clear" his name - Google search news articles vs. tainted academic transcript.

Re:Idiot. (2)

SirGarlon (845873) | about a year and a half ago | (#42646483)

Also, running a pen-testing tool on someone else's network without written permission is just a dumb move. Even a college freshman should know better.

Re:Idiot. (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42646495)

Calling a kid an idiot is a bit strong. He's only 20. It was only a few years ago that the biggest threat from an authority figure was that something he'd done might appear on his "permanent record." Nice to see another country that doesn't educate its citizens on their rights.

I'd be amazed if there isn't a lawyer who won't take this up pro bono and sue the school.

Re:Idiot. (5, Insightful)

saihung (19097) | about a year and a half ago | (#42646519)

Is there a reason you're so angry at someone who's never done anything to harm you?

I don't know if you're a lawyer, and I don't know if you've ever dealt with clients who have been bullied into signing things. I am, and I have. Your fantasy version of the perfectly rational college student making calm and collected decisions when he's being threatened with prison, from people who are his authority figures and who he assumed were there to help protect him, is ludicrous.

This disclosure won't affect whether a court ultimately determines that the contract was signed under duress. And now that there is going to be some extremely hostile press against the company (I hope), such a lawsuit may never materialize. In which case breaking the agreement may have been the smart thing to do.

Re:Idiot. (1)

vlm (69642) | about a year and a half ago | (#42646613)

from people who are his authority figures and who he assumed were there to help protect him

A college / university being excessively paternalistic / coddling of its students almost all of the time? Naah, never happen.

Re:Idiot. (5, Insightful)

WankersRevenge (452399) | about a year and a half ago | (#42646525)

Wow ... you seem to be lacking some basic empathy skills. Do you have any idea what it is like to be squeezed by some institutional power for no other reason than doing the right thing? It's brutal enough to be squeezed when you have some experience under your belt, but this kid was only twenty years old.

Now, let's say he finds himself in the same position a few years down the road and he repeats his actions, expecting a different result. Then, I'd call him an idiot. In this case, I call him exactly as he was: a student. It was a shitty lesson, but that's the point of college. It's not to get a job or join some pro football team. It's to learn and he learned by fire.


Re:Idiot. (-1, Troll)

ledow (319597) | about a year and a half ago | (#42646605)

"only 20" = not a kid. Fully grown, legal, contract-obliged, come-of-age adult in just about every civilisation and jurisdiction known to man. By at least 2 years, I should think, in most places.

I lack empathy for idiots, who sign things under (alleged) duress, and then break them anyway. If you were going to break it, don't sign it. If you're threatened with the POLICE, of all things, let them come - phone them your damn self. Because either you did something wrong (and know it), or someone else did by threatening you with the police.

If he'd signed a mortgage, it would be legally binding. If he'd signed a marriage register, it would be legally binding. If he signed a statement that he beat his wife, it would be legally binding. If he'd signed a hire agreement on his car, it would be legally binding. If he'd signed an alimony agreement to feed his kids, it would be legally binding.

At absolute worst, he should have just called in his parents at that stage if he's that much of a child. But he is NOT a child. In my country, he's been able to have his own family and house for four years, sign legal contracts for that time, etc. etc. etc. In some countries, only for two.

And the second you're old enough to sign legally-binding contracts, you're judged - in law - to know whether or not you should be signing them, and competent enough of understanding to abide by them.

20. He's bloody 20. Not 15. 20. He is NOT a child, even if he's still a student.

He just acts like one.

Re:Idiot. (5, Insightful)

jareth-0205 (525594) | about a year and a half ago | (#42646723)

What an unpleasant person you come across as. It must be nice to live in a brain that can have no empathy for other people, and can dismiss their mistakes because they're an 'idiot'. Not having to deal with trivial emotions like sympathy or concern.

It's good for you that when you became 18 or 16 (in your examples) you knew everything about your rights and could effectively counter any bullying tactics. Sadly the rest of us are not so fortunate, and when threatened by older, more experienced people in authority we tend to doubt our poor, meagre minds.

Re:Idiot. (1)

Anonymous Coward | about a year and a half ago | (#42646765)

Not allowed to buy alcohol. Still a child.

a few hundred? (1)

nten (709128) | about a year and a half ago | (#42646631)

A student in the middle of a business venture would be quite lucky to have a few hundred available. I know I didn't. The disadvantage poverty creates within civil law is insurmountable unless the potential damages are sufficiently juicy to draw in a shark willing to work with no fee. I wouldn't have signed, sure, but expecting him to be able to afford a lawyer is unreasonable.

Now you are right though, all he can do having already stepped outside the law, is get even (hopefully without harming the other student's privacy), or lick his wounds.

Re:Idiot. (2)

gutnor (872759) | about a year and a half ago | (#42646633)

Most students generally trust their college authority to work for their own good (especially in countries less sceptical of authority, like in Europe/Canada). When I was 20 years old, afraid of failing, afraid of the consequence of just being labelled a hacker on my career, with the enormous amount of money at risk to be lost AND trusting that the guy in front of me was actually doing me a favour, I could have been strong-armed into signing.

The College has moral authority on the student and abused it. That's exactly why duress laws have been created.

Re:Idiot. (0)

Anonymous Coward | about a year and a half ago | (#42646643)

You're an asshole.

You are a lawyer and I claim my $5 (2, Insightful)

Anonymous Coward | about a year and a half ago | (#42646655)

An Idiot? To trust senior staff at a teaching institution?

Naive perhaps.
Too trusting maybe.
But an Idiot?
I'd rather live in his worldview than yours.

Re:Idiot. (1)

Jaime2 (824950) | about a year and a half ago | (#42646667)

You're an idiot. You signed something under threat of prison / arrest without bothering to consult a lawyer. No amount of mention of poverty, trust, or even just plain intimidation should have made you do such a thing without first consulting a lawyer.

And here is the harm in the "If you're not guilty you have nothing to worry about" attitude. A lot of people act as if nothing can hurt them if they've done nothing wrong. These same people tend to look on those that protect themselves as guilty. The student may have been trying to appear innocent by cooperating instead of "acting guilty" by lawyering up, so this would just blow over.

Re:Idiot. (1)

Anonymous Coward | about a year and a half ago | (#42646677)

"He told me that I could go to jail for six to twelve months for what I had just done and if I didn't agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement."

You're an idiot. You signed something under threat of prison / arrest without bothering to consult a lawyer. No amount of mention of poverty, trust, or even just plain intimidation should have made you do such a thing without first consulting a lawyer.

And, as such, your legal position is not significantly weakened because, by talking to the media, you've BREACHED that non-disclosure agreement that you voluntarily signed and would now have to prove duress in a court to invalidate that.

You're an idiot. Don't sign anything, and if you do abide by what you sign. If they threaten you with police if you DON'T sign anything, pick up the phone and call the police (or lawyer) yourself. Duress to sign a contract is extremely important. Signing an NDA (of all things) "voluntarily" and then claiming it was done under duress in a public statement (that mentions the NDA you've just agreed you won't mention) is idiotic. Call a lawyer: it's the ONLY sensible option at that point.

And if you'd done that? Sure, it would have cost you a few hundred to get them in, but there's no way on earth that you'd be where you are now (i.e. having to hire lawyers to get back into school, for instance). In fact, likely the matter would all quickly become a "misunderstanding" that was hastily swept up out of the press.

You're an idiot. All you've done is shown a court that what you did was so grey-area that you'd rather hastily sign a contract than have the police look into it, and then you've gone and broken that exact contract, and admitted doing just that in the most public way possible.

Ladies, Gentlemen,

People like the parent here are precisely the thing that is bred by the zero tolerance system practiced in school. Human error or weakness is no longer a fact accepted, no, it becomes a strong blame-the-victim justification. Making a mistake is now everything that is needed to shred the victim of abusive behavior to pieces.

That, precisely, is the damage caused by zero tolerance stances in our educational system - people incapable of basic human empathy, the acceptance that humans make mistakes (especially when thrown into situations that have no precedent in their limited young life).

You sir, are an asshole.

does whistle blower laws cover this? (1)

Joe_Dragon (2206452) | about a year and a half ago | (#42646369)

Do whistleblower laws cover this? And what was the scope of his work?

sounds like he found something and they did not want to fix it or the cost to fix was high / a hole like that will lead to a fine.

Re:does whistle blower laws cover this? (1)

EmagGeek (574360) | about a year and a half ago | (#42646739)

Whistleblower laws typically only apply to employees of the agency that is having the whistle blown on them.

They do not generally apply to outside hackers who are trying to gain unlawful access into the agency's resources.

Sorry but he's an idiot (1)

js3 (319268) | about a year and a half ago | (#42646373)

Why would you run vulnerability scanner software on a remote network from your home IP!? Sounds to me like he found a flaw, got overzealous and got permbanned.

Re:Sorry but he's an idiot (4, Informative)

rwise2112 (648849) | about a year and a half ago | (#42646465)

Why would you run vulnerability scanner software on a remote network from your home IP!? Sounds to me like he found a flaw, got overzealous and got permbanned.

I heard about this on the radio this morning. This is not the full story.

Supposedly he reported the flaw to the school and was thanked and told it would be taken care of. Later (not sure how long he waited), he decided to test to see if the flaw was fixed, at which point the CEO/owner of the software company called him directly and told him he could be arrested and asked/forced him to sign the NDA. It was only after that, that he was expelled.

It also seems this flaw is in the software itself and would have affected more than just this particular school.

Any way you look at it, it's very ugly.

Re:Sorry but he's an idiot (1)

X0563511 (793323) | about a year and a half ago | (#42646481)

Because hiding it would look even worse?

Re:Sorry but he's an idiot (0)

hobarrera (2008506) | about a year and a half ago | (#42646503)

He didn't run any scanning software, if you'd at least read the summary you'd realize he found an application-level hole while developing a client application.

Re:Sorry but he's an idiot (2)

js3 (319268) | about a year and a half ago | (#42646533)

Instead of reading the summary, read the entire thing.

Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.

Re:Sorry but he's an idiot (5, Insightful)

JaredOfEuropa (526365) | about a year and a half ago | (#42646521)

Since the security flaw left personal data of all students including himself out in the open, I'd say he had every right to see if the company patched the hole yet. One might even say it was his duty to check. This was just 2 days after he reported the hack, but does shooting the messenger imply that they worry more about their reputation than the actual security flaw? Especially since the student took pains to report the issue rather than exploit or publish it. For once I'd like to see trigger-happy software companies and institutions like these hauled before court on charges of gross negligence, undue duress, and leaking of personal info.

I wonder why the school decided to expel him. The software company overreacted a bit when they found out; perhaps they sent a note to the school to the effect of "We found that student of yours hacking around in our system again; we've told him we'll call the cops if he keeps doing it". I can see why the school would expel him on the strength of that.

Re:Sorry but he's an idiot (1)

js3 (319268) | about a year and a half ago | (#42646561)

He does not have the right to attempt to break into their system.

Facebook (0)

Anonymous Coward | about a year and a half ago | (#42646375)

Go visit the Facebook page and any other social media page. Send them what you think of the situation.

He tried to hack them again (1, Informative)

Anonymous Coward | about a year and a half ago | (#42646379)

Expelled for trying to hack the site a second time, not for notifying them of his first hack. Summary is technically true, but still a deception.

Re:He tried to hack them again (1)

hobarrera (2008506) | about a year and a half ago | (#42646513)

For some definitions of "hack".
Really, if the site was still up with the security hole, it's not the student's fault: he's not the one who was giving out information.

Re:He tried to hack them again (4, Insightful)

jedidiah (1196) | about a year and a half ago | (#42646545)

One man's "hack" is another man's Quality Assurance.

There are a lot of innocent bystanders here. Someone has chosen to be their champion in this thread already. Those bystanders are just as much at risk even if he takes the easy path and keeps his mouth shut.

Don't scan other people's systems (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42646381)

Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected.

Seriously, don't run Acunetix or Retina scans or whatever on other people's systems. It looks like you are probing for vulnerabilities because, well, that's exactly what it's doing.

And if I'm a sys-admin, I'm going to see that and think you're an attacker. From my point of view, you've just cased the joint. That's what I'm going to report up, and from there everything gets ugly.

Re:Don't scan other people's systems (4, Interesting)

vlm (69642) | about a year and a half ago | (#42646683)

So you rely primarily on security through obscurity and hope that genuine bad guys would never scan you? That's pretty scary.

The funniest part is I've been putting up with scans/etc since the early 90s, and it doesn't take long to figure out that almost all of them come from compromised systems, usually from another country. A local guy who is easily traced is almost by definition on your side, because a real bad guy would be coming from a rooted machine in .cn or something essentially untraceable like that. In other words, if you can find and talk to the guy in "minutes" as per the story, he's probably on your side or at worst is a hopeless noob script kiddie who's no more harmful or harmless than the other one million kiddies out there, so there's no sense messing with him.

Re:Don't scan other people's systems (1)

Charliemopps (1157495) | about a year and a half ago | (#42646783)

Is it illegal to "case a joint"?

Aaron Swartz funeral (3, Insightful)

tommeke100 (755660) | about a year and a half ago | (#42646385)

And this comes a couple of days after some other big IT personality gave a speech at the funeral stating he could have gone the same way as Aaron Swartz if he had been punished the same way during his hacking and exploring days in college.
Sad.

Terrible summary -_- (5, Informative)

Racemaniac (1099281) | about a year and a half ago | (#42646397)

I know, this is slashdot, but I still read the article.

And I still don't agree with him getting expelled, but the reason was not discovering/disclosing the flaw; he got in hot water when he afterwards tested whether the flaw was still there, and the company developing the software reported the hacking attempt.

It was still a big overreaction that happened afterwards, and he shouldn't have been expelled, but it's not the discovering/reporting of the flaw that got him in trouble, and the article clearly states this!

Re:Terrible summary -_- (2)

nebular (76369) | about a year and a half ago | (#42646451)

Exactly. The student was not authorized by the school to be doing what he was doing. If he wanted to check to see if the flaw was still there, then he should have informed the school that he was doing so and got permission to test. Or more entertainingly, inform the press of the flaw and get EVERYONE to test for it. If he gave an anonymous tip the NDA would still hold.

Re:Terrible summary -_- (1)

daenris (892027) | about a year and a half ago | (#42646589)

If he gave an anonymous tip the NDA would still hold.

I just want to say that this is ridiculous. Reporting something anonymously does not mean he wouldn't have been violating the NDA. If that were the case, all NDAs ever would be completely pointless. Now, it might mean he doesn't get caught for violating the NDA, but it would still be a violation of it.

Re:Terrible summary -_- (1)

oh_my_080980980 (773867) | about a year and a half ago | (#42646619)

Read the article, the company threatened legal action. They knew he was helping them.

Drop all CS classes (0, Flamebait)

Anonymous Coward | about a year and a half ago | (#42646401)

All of the other students in the CS department should drop all their CS classes and change their major. Put the 14 idiot professors out of work and kill the whole department - then maybe, just maybe, this sort of authoritarian bullshit has a chance of stopping. The norm is on its way to becoming: "You graduated from college? Sorry, we're looking for someone who can think independently."

Shoot the messenger. (2)

interiot (50685) | about a year and a half ago | (#42646413)

Shooting the messenger does nothing to solve the underlying problem. Thanks to the fourth estate and the Streisand effect, shooting the messenger is likely to get you more attention, not less.

Never sign anything (5, Insightful)

alphatel (1450715) | about a year and a half ago | (#42646423)

Techs everywhere need to learn this important lesson: Never Sign Anything unless you are also offered, on the same piece of paper, a guarantee of what you receive in return. You get no prize money for signing an NDA or DNC. If you ask for it, you will get 1) a job, 2) some cash, 3) some action not taken. You can ask for nothing, but you will get the exact opposite - penalized or harmed. Your goal is to sign something such that if what you are offered is not fulfilled, the NDA is broken.

As it stands, asking someone to sign an NDA and not offering a guarantee of something in return is already suspect and can be fought. You had an expectation that you wouldn't get expelled, or that you would get a free education, or something else of benefit to you. People need to learn that colleges, Lance Armstrongs and corporations all act the same way. You will get screwed if and when there is an opportunity to screw you. And you will go broke defending what is right. Few will care.
Don't Sign without Something in Return (DSSR)!

Re:Never sign anything (1)

Skapare (16644) | about a year and a half ago | (#42646687)

I don't know if it was actually written on paper, but he was offered something in return for the NDA ... they would not call the RCMP (that's Canadian for "Police").

what a timely song... (0)

Anonymous Coward | about a year and a half ago | (#42646429)

By coincidence I was listening to "The Lost Art of Keeping a Secret" by Queens of the Stone Age when I found this story atop /. this morning. How apropos.

DO NOT QUESTION AUTHORITY (1)

Dynamoo (527749) | about a year and a half ago | (#42646433)

DO NOT QUESTION AUTHORITY [flickr.com]. This is what happens when you exhibit independent thought.

Re:DO NOT QUESTION AUTHORITY (1)

gnasher719 (869701) | about a year and a half ago | (#42646553)

Strange. Where I went to school (which was most definitely not the USA), QUESTION AUTHORITY was the thing that our class teacher drilled into us. BTW. When I started at the school as a pupil, he had started there fresh from university. When I left, he was the head of the school.

Re:DO NOT QUESTION AUTHORITY (1)

gweihir (88907) | about a year and a half ago | (#42646621)

It is quite simple: There are decent and smart people like your class teacher. Then there are "the masses" that do whatever they are told. And then there is the scum, which floats to the top unless regularly removed. The scum will defend their authority (that they are invariably incompetent to wield) by any means at their disposal. In fact, questioning somebody's authority is a way to determine whether the person is competent to wield it: If they react with extreme countermeasures, they are not and (deep down) know it.

Re:DO NOT QUESTION AUTHORITY (1)

JaredOfEuropa (526365) | about a year and a half ago | (#42646735)

When I left, he was the head of the school.

In other words, now he was the authority...

OT, but this reminds me of a historian who went to teach a history class for 1 day at a high school. After class, the regular history teacher proudly noted how critical his students were, "questioning authority" (the students continuously challenged the teacher). To which the historian replied: "Judging from their questions, these kids know bugger all about history". Challenging authority is all well and good, and it's something that's being taught in our schools as well, but it's not enough. You need to have some smarts and a decent education if you want to have any hope of doing so effectively. Otherwise you'll just end up looking foolish.

burglars and locks (0)

Anonymous Coward | about a year and a half ago | (#42646489)

Burglars also tend to find sloppy locking. So, will they get a get-out-of-jail card?

There needs to be a cyber law class (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42646501)

By the story linked, he wasn't expelled for finding a software flaw, he was expelled for running a vulnerability scanner against their network.

Everything with finding the flaw seems to have gone fine. He found the flaw while working to develop an app, he did nothing wrong, and it seems like he got kudos for it, not any sort of harassment at all.

Then he started using a vulnerability scanner on their network. You never do this without an arrangement (i.e. a pen testing contract). Never ever ever. It's illegal for one, it definitely can disrupt systems, and it sends up all kinds of red flags.

On the other hand, no one told me those things in college; they were part of my job training post-college. When I was at school, there were no 'ethical hacking' classes that let you know what is and is not illegal to do as part of vulnerability research. So I doubt very much the kid had any idea what was going wrong. Hell, I know now that most big universities get crazy-angry if you do anything that even looks like an attack over them... but no one told me that in college when I was actually using those networks.

The company took a rather strong wording but soft action: they elected not to pursue anything past getting him to sign an NDA. They didn't ask the school to expel him; the school did that entirely on their own. The student clearly doesn't understand why he was expelled, either. At least not by his quotes in the story (he's sure it's trying to cover up the flaws; in reality it's almost certainly because he ran what is considered a cyber attack across a university network, very illegal and very likely to piss off the administration).

Obviously he shouldn't have been expelled; he did not act with malice, and clearly still doesn't know the legal boundaries. What this tells me is it's long past time to start coupling your computer science 101 class with a cyber ethics and law 101 class. While anyone who works for a pen testing company can immediately see where things went bad, his actions make perfect sense from the perspective of a college student.

Re:There needs to be a cyber law class (1)

Skapare (16644) | about a year and a half ago | (#42646645)

He was ultimately expelled for choosing a school with overly paranoid administrators. It's that simple.

I found something a little bit like this (5, Interesting)

Anonymous Coward | about a year and a half ago | (#42646505)

When I was a CS student I discovered a flaw in the program we used to turn in assignments. The flaw allowed access to the code anyone had turned in for an assignment. I however elected to anonymously inform the CS dept about the problem. Glad I did. I found out they searched and searched trying to figure out who I was so they could kick me out. Sometimes it is better just to be an Anonymous Coward.

Re:I found something a little bit like this (2)

Skapare (16644) | about a year and a half ago | (#42646627)

Wow, a post that fully justifies using AC. Would it be safe to at least identify this school of mostly incompetent faculty?

He broke the law (1)

c (8461) | about a year and a half ago | (#42646563)

Specifically, he broke the First Law of Insiders Reporting Security Violations, which is that he let someone know who he was.

History has shown beyond a doubt that if you're reporting a security violation to some entity, the only time it's safe to do it "in the clear" is when that entity obviously has no power over you. Otherwise, you have to protect yourself.

He didn't, and everything follows from that mistake.

Retribution (0)

Anonymous Coward | about a year and a half ago | (#42646575)

Time to DoS the school in question.

Yes! Shoot the messenger! (1)

gweihir (88907) | about a year and a half ago | (#42646577)

That will improve things. Or not. How supposedly smart people can make such a fundamental beginner's mistake is beyond me.

I do understand what motivated the student though: He seems to be one of these very valuable individuals who try to solve problems when they see them. Unfortunately, "modern" administrations are so in love with their misconceptions that they cannot stand the type.

Why not out the faculty? (0)

Anonymous Coward | about a year and a half ago | (#42646591)

I wonder, does the flaw cover staff and faculty information?

Use the exploit to expose their personal details. That'll convince them to hurry up and fix the problem.

Bad decisions by all (1)

archshade (1276436) | about a year and a half ago | (#42646611)

Ahmed Al-Khabaz started off doing the correct thing by alerting the University (who then escalated it to the vendor) about the security hole. The vendor said they would fix it and, as far as I can tell, did not give any further information to the finder of the hole, who also had personal information hosted on the service. The company should have given him updates and told him when it was fixed; it would even have been beneficial for them if they got him to run the exploit from his location, given that he had discovered it and clearly wanted it fixed.

The use of an NDA seemed appropriate though, as he had access to confidential information of other users, and I understand the company needed time to patch this before the exploit was released into the wild. The NDA should have allowed him to speak to some defined people, namely some representative of the university, and work with them to get this problem fixed. Up to this point everything seems to be going how it should.

After this, all parties seem to make mistakes. First, Al-Khabaz should not have just re-run the exploit, as he should have first sought permission; if permission was not given, he should have reported the situation to the university, who should have gotten proof that the hole was patched, including the ability to do independent verification (which the university could have got Al-Khabaz to do, possibly for a nominal fee).

The next mistake was Skytech's choice to come down so heavy-handed; they seem to have gone all-out defensive rather than looked for a sensible way around it. Maybe they could have offered Al-Khabaz a short period of [pro-bono] pen-testing work that he could put on his CV. Students need these mentions, and the company could have dealt with what is a PR disaster and helped a student with their future career with next to no outlay by being a bit more cooperative rather than throwing legal threats around.

Oh, and I know that there are people who are against students doing work for free in exchange for being able to write something on their resume, but this is a fact of life now, although a nominal charge of $100 for the test and a simple report documenting what he had done and that the hole had been fixed would seem acceptable as well.

Lesson learnt: (1)

Anonymous Coward | about a year and a half ago | (#42646617)

Next time just sell the exploit on the black market.

Is this taught in class? (0)

Anonymous Coward | about a year and a half ago | (#42646647)

Had a larger post but it got eaten.

Obviously the school's problem was the vulnerability scanner he ran later to 'check on the flaw', not his finding the flaw during app development.

And anyone who works in pen testing knows it's illegal to do that. But did he? It doesn't sound like it in the slightest.

We need a cyber ethics/law 101 to go with comp sci 101 these days; we can't ethically hold people accountable for laws they don't know; ignorance of the law may not be an excuse, but cyber law is more complex. You can avoid breaking almost all enforced regular laws by not stealing, following vehicle instructions (speed limits, etc) and not hurting other people, but on networks some things are illegal you might not expect to be illegal.

We introduce college kids to all sorts of concepts and tools, and wait until AFTER college at job training to tell them "oh by the way, running this over someone else's network without written permission is illegal". Not every CS student gets a pen testing internship during college, but I'd wager most CS students get exposed to network vulnerability tools.

Ignorance is no excuse (0)

Anonymous Coward | about a year and a half ago | (#42646681)

Every person has a duty to inform themselves of all laws under which they live. That is accepted common law going back to the dawn of civilization.

That our system of laws has become too complex and far-reaching for that to be even possible is the voters' fault, since they are the ones who choose those who make those laws.

If you want a simple law structure that everyone can live with, elect people who will put that structure in place - not the nanny statists who promise to take care of you so you don't have to.

Hmmm... Very interesting (0)

Anonymous Coward | about a year and a half ago | (#42646657)

He should have held them to ransom over signing the agreement....

One Side of the Picture (1)

Faisal Rehman (2424374) | about a year and a half ago | (#42646741)

This might be one side of the picture. Let's see what the college administration says about this.

Really? (3, Insightful)

kenh (9056) | about a year and a half ago | (#42646763)

How "common" is this? How common is it for college students to find security flaws in the code that schools run, and to be expelled for uncovering it? That isn't even what happened here:

He was expelled for his "testing" of the breach after he told the administration and the software company about the security flaw.

Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.

“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”

He was not expelled for finding the security flaw, he was expelled for running what was a well-intentioned "attack" on the software he identified the flaw in. If he had co-ordinated with the software vendor there would have been no issue. Of course, the only way you'd know that is by reading the linked-to article - I wonder why the headline author didn't do that?
