
CTO Says Al-Khabaz Expulsion Shows CS Departments Stuck In "Pre-Internet Era"

samzenpus posted about a year and a half ago | from the getting-up-to-speed dept.

Education 248

An anonymous reader writes "The Security Ledger writes that the expulsion of Ahmed Al-Khabaz, a 20-year-old computer sciences major at Dawson College in Montreal, has exposed a yawning culture gap between academic computer science programs and the contemporary marketplace for software engineering talent. In an opinion piece in the Montreal Gazette on Tuesday, Dawson computer science professor Alex Simonelis said his department forbids hacking as an 'extreme example' of 'behavior that is unacceptable in a computing professional.' And, in a news conference on Tuesday, Dawson's administration stuck to that line, saying that Al-Khabaz's actions show he is 'no longer suited for the profession.' In the meantime, Al-Khabaz has received more than one job offer from technology firms, including Skytech, the company that makes Omnivox. Chris Wysopal, the CTO of Veracode, said that the incident shows that 'most computer science departments are still living in the pre-Internet era when it comes to computer security.' 'Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment,' he said. 'Teaching students how to write applications without taking into account the hostile environment of the Internet is like teaching architects how to make buildings without taking into account environmental conditions like earthquakes, wind and rain,' Wysopal said."


248 comments


US Government Announces National Day of Civic Hack (5, Informative)

JS_RIDDLER (570254) | about a year and a half ago | (#42675861)

Interesting timing; not quite the same.
One is Defensive Planning; One is about New ways to use things.
US Government Announces National Day of Civic Hacking
http://yro.slashdot.org/story/13/01/23/1823208/us-government-announces-national-day-of-civic-hacking

About those professors ... (5, Insightful)

Taco Cowboy (5327) | about a year and a half ago | (#42676147)

Like the saying:

Those who can, do

Those who can't do, teach

Re:About those professors ... (5, Insightful)

Kell Bengal (711123) | about a year and a half ago | (#42676423)

That doesn't really hold at the university level, where research is required in conjunction with teaching. In fact, it serves a twin purpose - research forces people who just want to teach to stay current in their discipline. Teaching forces people who just want to research to focus and order their knowledge so it can be understood by novices. High school teachers get out of date pretty quickly, but university professors (certainly in my experience) have to be on the ball.

Perhaps the real question here is "Is the field of academic computer science out of touch?"

Full disclosure: I am a robotics researcher ('lecturer', equiv. to an assistant professor) at a university; I'm on a fellowship, though, so I don't have to teach much!

You're missing the last bit of it (0, Flamebait)

alvinrod (889928) | about a year and a half ago | (#42676441)

You're missing the last bit:

And those who can't teach, teach college.

Re:About those professors ... (3, Interesting)

Anonymous Coward | about a year and a half ago | (#42676779)

Like the saying:

Those who can, do

Those who can't do, teach

Those who cannot do either somehow end up making the decisions for those who can.

I consider that a pretty good analogy... (4, Insightful)

seebs (15766) | about a year and a half ago | (#42675945)

And also a very good explanation. How on earth did they produce such a hopelessly stupid system? It was designed by people who are unready for engineering systems to be used.

I am a big fan of not blaming the victim, as a matter of moral principle. That's a great policy. But it's really crappy engineering design; building something that is designed to rely on the assumption that society can reliably provide perfect enforcement is stupid.

There's another layer of difficulty, which is that it is not always obvious whether something is a security hole or a permissive feature...

Re:I consider that a pretty good analogy... (1)

Anonymous Coward | about a year and a half ago | (#42675981)

It's the Quebec school system. Everything is, no; has to be, different here.

other CS departments turn out people w skills gaps (1)

Joe_Dragon (2206452) | about a year and a half ago | (#42676381)

other CS departments turn out people with skills gaps so it's more of a over issues of what is being taught is a world separate from reality with loads of theory.

WTF??? (0)

Anonymous Coward | about a year and a half ago | (#42676015)

What a rambling bunch of text.

I'ts like a dumb guy trying way too hard to come off as insightful.

Re:WTF??? (1)

Anonymous Coward | about a year and a half ago | (#42676417)

I'ts like a dumb guy trying way too hard to come off as insightful.

What a brilliant piece of self-reference! Unfortunately, it was almost certainly unintentional.

Hey Look! It's seebs Trying To Be Clever Again! (-1)

Anonymous Coward | about a year and a half ago | (#42676461)

Give it a rest dumbfuck.

Re:Hey Look! It's seebs Trying To Be Clever Again! (2, Insightful)

Anonymous Coward | about a year and a half ago | (#42676613)

Give it a rest dumbfuck.

Wow! What a creative comeback. Really, That was SO impressive!! "Dumbfuck!" Such poetry, and you managed an actual two-syllable word. Most impressive, can I use that? Whatever you're paying your writers, double their salary and give them 2 weeks in Hawaii. That was, dare I say, creative genius! Yes, yes it was.

I may never post again, there's no reason to now, for I have read the ultimate in rebuttals. Someone call the Fox channel!

Re:I consider that a pretty good analogy... (5, Insightful)

DahGhostfacedFiddlah (470393) | about a year and a half ago | (#42676299)

You know, we blame civil engineers when their buildings collapse, maybe it's time to start blaming computer "engineers" when their systems do. Now, I know first-hand how hard it is to design secure computer systems, and I'm well aware there's a fine line between "holding to account" and a witchhunt, but we're nowhere near that line as it stands.

In every single one of these stories I hear the mainstream media gasp about the "dangerous hacker". I see /. complain about morons who treat technical curiosity as an attack. But those comments outnumber 10:1 the most important question that you just asked.

How on earth did they produce such a hopelessly stupid system?

Maybe if we could get everyone asking this question, the conversation would shift.

Re:I consider that a pretty good analogy... (2)

SolitaryMan (538416) | about a year and a half ago | (#42676557)

The problem is not just in Software Engineering. Any applied field faces the problem.

Think about it: in any university or college, NONE of your teachers actually possess the skill you are trying to acquire. Unless, of course, you want to become a teacher or academia type scientist.

Say, you want to become a Software Engineer and you go to a college. There, general algo's professor teaches you general algorithms. Text processing professor teaches you compilers. The same for operating systems, programming language theory and so on. Every professor gives you some valuable knowledge, but you don't see how they all fit together until you get your first job. I think this is a tragedy of the modern education: it is too fragmented.

apprenticeships and more trades like learning is n (1)

Joe_Dragon (2206452) | about a year and a half ago | (#42676689)

apprenticeships and more trades like learning is needed then with people who have done / are doing the real work and not some professor who has not or has been in education all of their life.

Re:I consider that a pretty good analogy... (4, Insightful)

Stiletto (12066) | about a year and a half ago | (#42676619)

Get ready to have no free (gratis) software, as it would be ridiculous to donate one's time to write code for free if you could be held liable for mistakes. Get ready for your paid software to cost 10X more to cover the extra development "hardening" time it would all require to be less penetrable, and to cover the insurance policies software companies would have to take out to shield themselves.

You know, we blame civil engineers when their buildings collapse, maybe it's time to start blaming computer "engineers" when their systems do.

But we don't blame civil engineers when their buildings collapse after they get blown up by dynamite. It's not like these computer systems are just falling over from nature. They're under malicious attack.

give them the power to say no the PHB about rushin (2)

Joe_Dragon (2206452) | about a year and a half ago | (#42676677)

give them the power to say no to the PHB about rushing the code out with bugs.

civil engineers have that power.

Re:I consider that a pretty good analogy... (5, Insightful)

lgw (121541) | about a year and a half ago | (#42676707)

There is no such thing as a secure system. This applies to both physical and information security. There's always a way in. So that's a bad analogy to life-safety engineering, or at least a subtle one.

When it comes to security, there's no "secure" or "insecure", and the threats are rarely well understood, let alone well described. The important questions are "how much will it cost an attacker to gain access" and "how much will it cost an authorized user to gain access" and "how valuable is this anyway" and "what's the tradeoff in making this more secure". Sure, there are also just stupid, terrible designs when it comes to security, but the mere fact that an attacker gains access means little.

When it comes to life safety, the parameters are thoroughly described. The levee must withstand the winds and storm surge from a class 3 hurricane, this building must survive impact from a 707, whatever. If they fail under far worse conditions than they were specced for, that's not an engineering failure. It's rarely so clear when it comes to security (though, of course, sometimes the password is sent as part of a URL or whatever, and it is quite clear).

Re:I consider that a pretty good analogy... (4, Insightful)

Belial6 (794905) | about a year and a half ago | (#42676713)

We blame civil engineers if their buildings collapse under normal use. We do not blame them if someone plants a bomb in the building. More actually, we don't blame the architect if someone successfully breaks into your home.

Re:I consider that a pretty good analogy... (4, Insightful)

LordLimecat (1103839) | about a year and a half ago | (#42676763)

You know, we blame civil engineers when their buildings collapse,

You don't, however, blame them when someone helpfully demonstrates that by taking out support pillar 3A with TNT that the building suffers catastrophic failure. I mean, yea, maybe you blame them a little, but generally you get pissed at the guy holding the detonator.

Re:I consider that a pretty good analogy... (1)

AK Marc (707885) | about a year and a half ago | (#42676809)

You know, we blame civil engineers when their buildings collapse, maybe it's time to start blaming computer "engineers" when their systems do. Now, I know first-hand how hard it is to design secure computer systems, and I'm well aware there's a fine line between "holding to account" and a witchhunt, but we're nowhere near that line as it stands.

The problem is what happens when I design an application that's fine, but it must run over an insecure OS or insecure hardware, and something else with higher permissions compromises my application's data?

Though the real issue is that with a civil engineering failure, something big falls down. With a computer failure, someone sees something they shouldn't have. "no harm, no foul" is uttered way too much, but is how people treat a problem they can't see or understand. At least with the World Trade Center falling, they could see it, even if they couldn't understand it.

Pffft... "Education" (5, Interesting)

narcc (412956) | about a year and a half ago | (#42675947)

When did all the computer science programs turn in to trade schools for programmers?

Meh, why fight it. Lower that bar!

Re:Pffft... "Education" (4, Insightful)

Comrade Ogilvy (1719488) | about a year and a half ago | (#42676115)

While there are always outstanding mavericks, a lot of engineering departments are primarily staffed by brainy people who would make third tier engineers in the real world. Most people who are passionate about a subject area are itching to go out and DO IT. Yes, there are a few amazing brainy oddballs out there that have to be in academia. Yes, there are 5 or 6 CS departments like Stanford or UC Berkeley or Carnegie Mellon that probably do not fit that mold.

But Dawson College? A top notch computer scientist could be racking up six figures with a BS or MS. Who do you think works there and what are they paid?

a middling computer scientist... (1)

schlachter (862210) | about a year and a half ago | (#42676355)

could easily be making six figures as well.

Hopefully some better college will offer him admission in light of him getting the boot from Dawson.

Very bad assumption (3, Insightful)

Anonymous Coward | about a year and a half ago | (#42676681)

You're making a very bad assumption that only poor professionals work in minor colleges.

There are countless reasons for working at one university rather than another, the simplest being that it's a place you like or where you have family. Another might be that it provides good promotion prospects rather than only dead man's shoes. And another big one is that it's not a place infested with prima donnas where the only option is to play second fiddle.

Academia has a lot of problems, and choosing the best place to work is not anything like as simple as you portray. Not everybody is driven by high salaries and high prestige colleges. Indeed, the kinds of places you seem to rate most highly are often a huge rat race and not pleasant at all.

While I don't know Dawson College, just because it's small and not well known does not say anything about the caliber of its academics.

Re:Pffft... "Education" (2, Interesting)

Chemisor (97276) | about a year and a half ago | (#42676199)

Computer science programs became trade schools for programmers when idiot HR departments made a CS degree a requirement for every coding monkey position. The fact that a computer science degree does not give its holder any knowledge of actual computers or real world programming does not bother HR drones because they do not have that knowledge either.

oh get real... (2, Insightful)

canistel (1103079) | about a year and a half ago | (#42675955)

All that happened was some young hotshot did something the dept forbids. He paid for that, end of story. How you go from there to "CS depts out of touch with today's world" is beyond me, but then again I'm not some CTO either.

Re:oh get real... (4, Insightful)

MightyMartian (840721) | about a year and a half ago | (#42675991)

Because the young hot shot wasn't doing anything nefarious, and when he first reported the vulnerability he was praised. It's only when he determined that no one was doing a fucking thing about the vulnerability that he got kicked out.

Re:oh get real... (2, Insightful)

canistel (1103079) | about a year and a half ago | (#42676075)

Riiiight.... so universities just kick people out randomly when they do nothing wrong. Uh huh.

Re:oh get real... (5, Informative)

Guspaz (556486) | about a year and a half ago | (#42676167)

Dawson is not a university. In Quebec, "College" and "University" mean different things. Dawson is a CEGEP, which is a mandatory level of education between highschool and university.

CEGEPs in Quebec have two kinds of programs. 2-year Pre-university programs can be considered to replace the final year of highschool and first year of university (as in, highschool and university are both one year shorter in Quebec). They also have three-year programs (like the computer science program Al-Khabaz is in), which are vocational degrees intended to prepare a student for the job market rather than university. Graduating from either type of program grants you a degree called a DEC ("Diploma of College Studies" in English), which also happens to be required for admission to any university.

Many students, however, do what I did, and get a three-year vocational compsci DEC and then go to university and get their BCompSc. Yeah, it takes you an extra year (as compared to the pre-uni DEC), but CEGEP is the first time as a student that you get to study what YOU want instead of what the government says you must take, and I had a fantastic time.

Re:oh get real... (0)

Anonymous Coward | about a year and a half ago | (#42676609)

Wait. Is your argument really just 'they wouldn't do that'. And it's insightful? Why would anyone have that kind of blind faith in any organization?

Re:oh get real... (5, Insightful)

LordLimecat (1103839) | about a year and a half ago | (#42676823)

From the article:
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites.....
A few minutes later, the phone rang ......It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack.

Yea, see, this is why insecure.org has warnings to not run nmap against resources that you do not own: It is generally considered nefarious, ill-advised, and possibly illegal. Yes, pen-testing other people's stuff will land you in trouble. Should he have been expelled? Maybe not, since he was clearly trying to expose a vulnerability, but he should have known better and hopefully now he does.

Probably also should not have signed that NDA and then gone on to break it, but then I'm no lawyer. Probably should have just said "yea, I sign nothing till I have representation".

If you do not have a job / contract with someone to pen-test, act as a "tiger team", check for physical security breaches, etc, DON'T.

Re:oh get real... (2, Interesting)

CurunirAran (2811035) | about a year and a half ago | (#42676069)

The CTO said what he said because the department TRULY is out of touch with the real world if it believes that hacking is an 'extreme example' of 'behavior that is unacceptable in a computing professional'.

Hackathons, which involve unusual solutions to problems, often using hidden, undiscovered features of various products, are becoming increasingly popular, and often you'll have BIG companies sponsoring these same competitions.

Moreover, the dept is wrong in its comment because CS as a profession is rather different from software engineering. I don't think formulating more efficient algorithms and solving various mathematical problems (basically CS RESEARCH) has much in common with software engineering. In fact, I'd rather that my employee found a problem with my system than an end user doing so.

Re:oh get real... (1)

LordLimecat (1103839) | about a year and a half ago | (#42676837)

Running penetration tests on random companies' resources without prior authorization is a really bad idea, and perhaps this guy is lucky that expulsion is as far as it went.

"Hackathons" refer to coding sessions, which is a completely different usage than how it is being used here.

Blamestorming (4, Interesting)

girlintraining (1395911) | about a year and a half ago | (#42675975)

'Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment,'

That's because if schools taught people how to properly test security, the government would label them terrorist breeding grounds. Anyone remember Steve Jackson Games? They released a game where one of the roles you could play was a computer hacker. The FBI called it a "handbook for computer crime" and the "anarchist's cookbook of cybercrime". No charges were ever filed. It was a work of fiction. It still nearly bankrupted them and took many years to resolve.

Schools do not want to teach students because they're afraid of government reprisal if they show a generation just how crappy our national infrastructure really is. As one recent net celebrity put it, "Our security posture is like a dog waiting for its belly to be rubbed." They don't wanna teach people how to find these problems, because it'll embarrass the crap out of The Powers That Be.

Don't blame professors for this. Look higher.

Re:Blamestorming (2, Funny)

fluffy99 (870997) | about a year and a half ago | (#42676117)

They don't wanna teach people how to find these problems, because it'll embarrass the crap out of The Powers That Be.

Don't blame professors for this. Look higher

Your explanation sounds a bit too tin-foil-hat. The reality is that the market just wants keyboard jockeys who can code a working product quickly and cheaply. The security (and I'd also say quality) of the product is way down on the priority list of most employers. If you want to fix that, you need to figure out how to demand high-quality software. Not the buggy, security-flawed crap we see from major companies like Adobe, Java and Microsoft.

But I do agree most of the graduating "Computer Engineers" I've interviewed barely knew how to code and had a few canned routines like bubble-sorting memorized. The ones claiming to be Microsoft certified were even more embarrassing.

Re:Blamestorming (3, Informative)

docmordin (2654319) | about a year and a half ago | (#42676369)

But I do agree most of the graduating "computer engineers" I've interviewed barely knew how to code and had a few canned routines like bubble-sorting memorized. The ones claiming to be Microsoft certified were even more embarrassing.

I'm not sure you're aware, but, depending upon the school, an S.B. in computer engineering can be much more akin to an S.B. in electrical engineering than one in computer science. To elaborate, some computer engineering programs are part of a joint department that focuses almost entirely on circuit analysis and design, solid-state theory, (non-)linear/stochastic control, architecture design, electromagnetics, and much more, with very little, if any, emphasis on programming.

Re:Blamestorming (1)

AK Marc (707885) | about a year and a half ago | (#42676845)

Computer engineering at Texas A&M (early 1990s) was part of the EE program, and was for EEs who wanted to design chips, rather than design wiring for commercial buildings (the two most popular things EEs do). There was almost nothing on programming, and most of the programming included hardware level (so maybe it was good for firmware writers or people writing device drivers).

Re:Blamestorming (2)

Obfuscant (592200) | about a year and a half ago | (#42676155)

That's because if schools taught people how to properly test security, the government would label them terrorist breeding grounds.

Not if step one in the process is: 1) get permission from the system operator/administrator/owner. That's where this guy failed.

Many years ago I knew of a problem in a web server I was running. Certain operations would cause it to hang. You know how I found out this issue? By running a script-kiddy scanner. It wasn't in a place I could easily fix, and the chance of it happening was rare. Except for the script kiddies who thought they were doing me a favor by scanning my system without my permission so they could exercise their 'leet hacker chops and show me how smart they were, and hung up the server while doing it.

And, of course, the small detail that some of the content I was generating was dynamic, linked to other dynamic output, and took longer to generate than the delay between testing the links. That filled up the process table rather nicely, keeping anyone else from accessing the system.

Why is it a foreign concept to ask for permission before trying to break into someone's system? Had someone asked me, I could have told him I know about the issue and thanks but no thanks.

Re:Blamestorming (2)

fredprado (2569351) | about a year and a half ago | (#42676325)

Why should I get permission from someone to check if my data is being mishandled by him? It is absurd. A scan, as he did it, is very far from breaking into the system and accessing information you shouldn't have access to.

he had a test account and was working on an app (2)

Joe_Dragon (2206452) | about a year and a half ago | (#42676483)

he had a test account and was working on an app I think the school just was very out of touch with the real world IT.

Let's see he finds a bug while coding his app and then he reports it and say it was fixed and then a few days later he tests the bug it's still in place.

Re:Blamestorming (1)

girlintraining (1395911) | about a year and a half ago | (#42676989)

Not if step one in the process is: 1) get permission from the system operator/administrator/owner. That's where this guy failed.

I'm not talking about this guy: I'm replying to the comments of the OP talking about how schools today don't teach security, and they don't. They don't because they're afraid -- teaching someone security is like teaching them how to use a firearm. In the process of learning that, you learn how to disarm it safely, etc. Learning is a two-edged sword, but unfortunately our government has demonized learning that could lead to political fallout. Look at how the press reacted to the gun control debate -- by publishing the names of thousands of people who were granted carry and conceal permits, and then putting it on an interactive map with a giant "rape me" sign above each of them. I don't know how that helps foster a sincere and open discussion on the topic.

The moment something becomes political you can't learn about it anymore, not objectively anyway. It becomes very time consuming to sort through the bullshit and get to a good answer... and this is when the government isn't actively looking for your inquiries and adding you to terror watchlists. People can't have an open dialog about computer security right now because it's too political. That doesn't mean you can't learn it, or even teach it... it just means it's a lot riskier.

You shouldn't have to risk your career just to show some kids how to do something that might actually help them and their community, but there it is, and that's what's up.

Re:Blamestorming (1)

Anonymous Coward | about a year and a half ago | (#42676309)

Not as high as you're referring to but...in this case the immediate higher-up is Dianne Gauvin, The Dean of Social Science and Business Technologies (dgauvin@dawsoncollege.qc.ca). Perhaps even a little higher is Robert Kavanagh, the Academic Dean (rkavanagh@dawsoncollege.qc.ca).

Snippet from the original article:
http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data/

The administration of Dawson College clearly saw things differently, proceeding to expel Mr. Al-Khabaz for a “serious professional conduct issue.”

“I was called into a meeting with the co–ordinator of my program, Ken Fogel, and the dean, Dianne Gauvin,” says Mr. Al-Khabaz. “They asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem.”

Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour. Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty. He appealed his expulsion to the academic dean and even director-general Richard Filion. Both denied the appeal, leaving him in academic limbo.

Re:Blamestorming (2, Interesting)

Taco Cowboy (5327) | about a year and a half ago | (#42676387)

Don't blame professors for this. Look higher.

A professor who cowed down to tptb is a professor with no integrity

The job of a professor is to teach

But "teaching" encompasses more than the particular subject at hand

The character of the teachers (professors for this case) is also an important factor

Students learn much more from professors who have backbones than those from the family of invertebrates.

Re:Blamestorming (4, Funny)

girlintraining (1395911) | about a year and a half ago | (#42676913)

Students learn much more from professors who have backbones than those from the family of invertebrates.

Yes, it's totally reasonable to expect someone who has spent close to six figures earning their degrees and certifications, and finally managed to earn tenure, risk it all to satisfy your idea of morality. Dude, that's bullshit. It's bullshit on an epic why-the-hell-did-even-two-other-people-agree-with-you scale.

College professors do have integrity. Well, many of them anyway. It's mean-spirited and flat-out wrong to accuse people who are responsible for ensuring that the next generation is trained at least well enough to know which way to hold the mouse before sending them out into the world... that they lack integrity simply because they don't want to be jailed and have their lives ruined to uphold an arbitrary moral value that I suspect even you yourself only sometimes adhere to.

Don't blame the victim! Put the responsibility on the asshats that created the problem: The government. Oh wait, they're the giant 3000 ton gorilla! Probably easier then to go after the wimpy guy with glasses next to it, huh? That's exactly what you've just done, while demanding others have a backbone. Pathetic.

Re:Blamestorming (1)

phantomfive (622387) | about a year and a half ago | (#42676473)

Schools do not want to teach students because they're afraid of government reprisal if they show a generation just how crappy our national infrastructure really is.

Seriously? Do you really think this?

Re:Blamestorming (1)

Jaime2 (824950) | about a year and a half ago | (#42676929)

That's because if schools taught people how to properly test security, the government would label them terrorist breeding grounds.

Not really. My team has a great track record of our products passing security scans. We've never used mock hacking to find security issues in our code. We simply do rigorous code reviews against solid security principles. Some teams around us do the whole code-hack-fix thing, and they have a lot of security fix work every time the pen-testing tool is updated or changed.

I laugh every time I hear a colleague come back from some security class they were sent to and I find out that they spent five days running ten-year-old exploit tools against unpatched servers.

Personal Experience (0)

Anonymous Coward | about a year and a half ago | (#42675987)

I can personally vouch for some CS academic professors not keeping up with the internet era. With professors assigning 'relevant' problems like calculating how much space a tape can hold in a file systems class (and never mentioning SSDs), and other professors saying "We'll probably have quad core computers within the next 10 years", just shows how they haven't kept up with the times.

Other professors are better at keeping up with this. Unsurprisingly, the older they are the more likely a culprit of not keeping up with the times.

Re:Personal Experience (1)

rbprbp (2731083) | about a year and a half ago | (#42676079)

At the university I go to, I recall a computer architecture teacher that used handouts/slides from when the Pentium 4 was the highest-end CPU available and some introductory programming classes that used 16-bit Turbo Pascal (so the students that were using a 64-bit OS - most of them, those days - were screwed) or non-.NET Visual Basic. Kinda says something about their CS program.

Re:Personal Experience (1)

Guspaz (556486) | about a year and a half ago | (#42676219)

When I was in CEGEP taking compsci as Al-Khabaz is (at John Abbott, though, not Dawson), we were the first year that didn't have a mandatory COBOL course. This was in like 2003, 2004 or so.

Re:Personal Experience (3, Insightful)

Obfuscant (592200) | about a year and a half ago | (#42676339)

At the university I go to, I recall a computer architecture teacher that used handouts/slides from when the Pentium 4 was the highest-end CPU available

Basic computer architecture is basic computer architecture. The specifics may change, the number of bits may change, but the basics are still the same. I learned on 8080s and 6502s and PDP-8s and an odd CDC 6500, and they all shared the same concepts. When I pick up a datasheet for a modern processor, I see a lot of the same old stuff.

Once you have the basics, then you can expand. "How can we improve on X? By doing Y...". You don't know why Y is better unless you know what X is. And more important, it is hard to see the potential parallels for future improvement unless you know the past. "If we did A to improve X into Y, maybe we can do A to help this other thing, too..."

Re:Personal Experience (0)

Anonymous Coward | about a year and a half ago | (#42676999)

There's no reason to teach "file systems", unless it's a specialized class on Operating Systems where you are learning how to write your own FS to plug into MINIX or something.

I'm a graduate student at NYU-POLY, let me tell you what I saw there: the Software Engineering class doesn't have a single software-related lecture. It's all about calculating costs, scheduling, generating spreadsheets and faking data to build graphs to convince management to implement business processes; that's right, to get a passing grade in SE there the professor wants you to be skillful at committing fraud to manipulate the budget.

You think the professor is bad? The text book used (Software Engineering: A Practitioner's Approach) is full of anecdotal justifications, including imaginary characters that ponder, in a surreal dialog after each chapter, on how they liked the ideas presented.

It's more like there's a whole conspiracy of incompetent "professionals" backing each other up to keep their jobs no matter what anybody else says.

Hacking 101 (1)

MrEricSir (398214) | about a year and a half ago | (#42675999)

Like so many things, you have to learn by doing. The only way to learn how to write secure code is to learn how to hack into stuff. Otherwise, how would you even know it's working?

If we want CS students to learn what's really involved in creating a secure system, how about a mandatory "intro to hacking" course?

Re:Hacking 101 (2)

Obfuscant (592200) | about a year and a half ago | (#42676193)

If we want CS students to learn what's really involved in creating a secure system, how about a mandatory "intro to hacking" course?

Using systems intended for such purposes and not someone else's production systems, of course.

Many years ago our Uni had such a course, run in two parts. Part 1: Unix system administration. Part 2: How to break into improperly administered Unix systems. Nobody went to jail. Nobody was branded a terrorist. Many (some?) people learned how to be system admins.

that is more of IT class than a CS class (1)

Joe_Dragon (2206452) | about a year and a half ago | (#42676525)

that is more of IT class than a CS class.

people doing application development do need to know about making secure code but other parts fall on the server and web guys who don't really need the full CS load of application development and theory classes. Also there are parts of theory that people doing application development do not really need, other than at a very high level.

Hacking sites you don't own is unprofessional (4, Interesting)

Anonymous Coward | about a year and a half ago | (#42676013)

However, I don't buy that what this student did was hacking (in the cracking sense)

Targeting a system you don't own, or aren't responsible for and trying to break into it is almost always not a good thing to be doing, and should be considered unprofessional (and unethical) conduct.

Noticing a problem while you are setting something else up, notifying the appropriate people, and checking to see if that problem is gone are very reasonable things to do.

I have been working in Computer Security in Internet Banking for the last 15 years, and while I have had many co-workers who measure their worth by how good they are at breaking in to things, very few of those people have been nearly as good at defending those same things.

Figuring out how to hack a site takes finding one vulnerability.

Figuring out how to defend a site takes thinking about all types of vulnerabilities.

Re:Hacking sites you don't own is unprofessional (1)

MichaelSmith (789609) | about a year and a half ago | (#42676217)

I have been working in Computer Security in Internet Banking for the last 15 years, and while I have had many co-workers who measure their worth by how good they are at breaking in to things,

Any reason you post anonymously then?

Teaching them to what? (5, Informative)

Obfuscant (592200) | about a year and a half ago | (#42676071)

The computer science department is not teaching their students to write code without consideration of the environment of the Internet. At least nothing in this situation says they are.

What they are teaching is that it is unethical to run penetration testing against a system without permission. This philosophy is embodied in the ACM Code of Ethics [acm.org], in section 2.8:

2.8 Access computing and communication resources only when authorized to do so.

Theft or destruction of tangible and electronic property is prohibited by imperative 1.2 - "Avoid harm to others." Trespassing and unauthorized use of a computer or communication system is addressed by this imperative. Trespassing includes accessing communication networks and computer systems, or accounts and/or files associated with those systems, without explicit authorization to do so. Individuals and organizations have the right to restrict access to their systems so long as they do not violate the discrimination principle (see 1.4). No one should enter or use another's computer system, software, or data files without permission. One must always have appropriate approval before using system resources, including communication ports, file space, other system peripherals, and computer time.

He got thanked for finding the flaw. He got expelled for pen testing someone else's system. Two different acts, two different issues.

Re:Teaching them to what? (2)

Xenx (2211586) | about a year and a half ago | (#42676191)

He got thanked for finding the flaw. He got expelled for pen testing someone else's system. Two different acts, two different issues.

It's obvious that the testing was done for the right reasons, he just went about it in the wrong manner. He was smart enough to find the flaw, and morally sound enough to report the flaw. It doesn't fit to make the punishment so extreme in such a case.

They should be Teaching how to deal with stuff like (1)

Joe_Dragon (2206452) | about a year and a half ago | (#42676539)

They should be Teaching how to deal with stuff like this but all they did was let him do it on his own and then say you did it wrong and we are not just giving a C or even a D, and you are not just getting an F, no, you are getting a

SUPER F as in F for life.

Re:Teaching them to what? (5, Insightful)

Guspaz (556486) | about a year and a half ago | (#42676269)

He did something wrong, sure. But what he did was not bad enough to justify completely destroying his future from an academic and professional standpoint.

He's lucky that this story has attracted as much international attention as it has (and it certainly is strange to be reading about local news stories on international sites like Slashdot, when I work across the street from Al Khabaz' school). If it hadn't attracted all this attention, he wouldn't have had all these job offers, and would have been screwed.

Dawson tried to leave him in debt, unable to enter any other CEGEP, unable to enter any university (you're required to graduate from CEGEP to get into university in Quebec), and with severely diminished job prospects.

Should he have been punished? Yes. Should Dawson have tried to destroy his life? Certainly not.

Re:Teaching them to what? (1)

countach (534280) | about a year and a half ago | (#42676393)

He might have done something wrong, but the real problem is nobody taught him properly it was wrong. They are running a computer science course there, they should have taught him CS ethics. When his CS instincts were wrong, they should have fired themselves for failing to teach.

Re:Teaching them to what? (0)

Obfuscant (592200) | about a year and a half ago | (#42676409)

He did something wrong, sure. But what he did was not bad enough to justify completely destroying his future from an academic and professional standpoint.

Well, good thing they didn't "completely destroy his future" then, isn't it? Even the summary tells us he's had several job offers already, and nothing stops him from going to a different college.

If it hadn't attracted all this attention, he wouldn't have had all these job offers,

So he might have only had one, with the company whose software he was pen testing. Completely destroyed? He's got a job, which many people who are actively seeking work don't have.

unable to enter any university (you're required to graduate from CEGEP to get into university in Quebec)

Perhaps an enterprising individual will see this lack of Universities anyplace but Quebec and make a lot of money by creating Universities in other places.

Should he have been punished? Yes.

A common method for schools to punish people who commit academic dishonesty is to expel them. Maybe if more schools did that, instead of looking the other way or simply saying "don't do that again", fewer people would do such things when they get out into the real world. Just a thought.

Re:Teaching them to what? (1)

servognome (738846) | about a year and a half ago | (#42676909)

A common method for schools to punish people who commit academic dishonesty is to expel them.

Yup, I had more than one professor state that if they caught you cheating, they would make it their personal mission to have you expelled. Welcome to the real world kids.

Re:Teaching them to what? (2)

mark-t (151149) | about a year and a half ago | (#42676335)

Yes, it's true that he was actually testing somebody else's system... however, it's not unreasonable to conclude, given what kind of software he was evidently trying to develop, that it would need to be fixed before he released his application or else the vulnerability might be exploited by anybody who used his app and happened to also discover it, as he originally did.

Re:Teaching them to what? (1)

Kernel Kurtz (182424) | about a year and a half ago | (#42676685)

He got thanked for finding the flaw. He got expelled for pen testing someone else's system. Two different acts, two different issues.

He should have done one of them anonymously. Seems he was technically capable of doing so.

That would have made him more "ethical", but less ethical.

Re:Teaching them to what? (1)

Ichijo (607641) | about a year and a half ago | (#42676747)

Trespassing includes accessing communication networks and computer systems, or accounts and/or files associated with those systems, without explicit authorization to do so.

I am accessing this very web page on Slashdot.org without explicit written or verbal authorization from Slashdot's owners. Am I trespassing?

does no one ever read the article anymore? (4, Interesting)

MoFoQ (584566) | about a year and a half ago | (#42676921)

does no one ever read the article anymore?
It was on a test server.....using credentials given by the vendor, Skytech Communications.

...the software vulnerability scan that got him expelled from school was conducted on a test server only, and using credentials provided to him by the company that makes Omnivox: Skytech Communications.

The mere fact that Skytech supposedly gave him a job offer is enough to think that the department has their collective heads up....well..you get the point.

There's a reason why the legendary Weld Pond [wikipedia.org] would be so vocal and would even say "These kind of people right out of college are the kinds of people we want to hire."

I was educated in the "pre-internet" era of 1972.. (0)

Anonymous Coward | about a year and a half ago | (#42676109)

I went to school in Computer Science (a new degree) around 1972 at a college where the IBM System/370 was the thing. Hacking was big too, all the best students were into it, exploiting system bugs to gain access to data that was otherwise off-limits such as logon IDs and passwords. The school wasn't stupid enough to keep their student records on the same system though, so while hacking wasn't specifically encouraged, I don't recall anyone getting in any trouble over it. And IBM would fix the bugs as we found them, so by the time I left, the system was nearly bulletproof. We were probably the most valuable beta testers they ever had and worked for free.

It's always been that way. (1)

hawguy (1600213) | about a year and a half ago | (#42676111)

Well yeah, 'Computer Science is taught in this idealized world separate from reality' has always been the case. Just like Math is taught in an idealized world separate from reality. If you want to learn to be a coder in the real world, don't waste your time with a CompSci degree, get a 2 year programming certificate at a vocational training school. I never really thought of computer science as preparing anyone for a real job as a coder.

Expecting a computer science graduate to know how to be an application developer is like expecting an architect to have carpentry skills -- the architect may know all of the basic theory and design concepts behind how to build a stairway, but it's going to take him 5 times longer than an experienced carpenter to get it right, and he might have to do it more than once.

So You Never Got Accepted? (0)

Anonymous Coward | about a year and a half ago | (#42676173)

Sucks to be you.

Everyone can't go on to get Computer Science degrees at universities.

Just like there always being a need for more ditch diggers, the computing world always has a place for 'vocational training school' graduates to do the shitty grunt work like you.

Re:So You Never Got Accepted? (1)

hawguy (1600213) | about a year and a half ago | (#42676529)

Whoa, sorry I seem to have hit a nerve there.

Here's UC Berkeley's CompSci overview... what part of this makes you think that CompSci is preparing graduates to be application developers?

UC Berkeley construes computer science broadly to include the theory of computation, the design and analysis of algorithms, the architecture and logic design of computers, programming languages, compilers, operating systems, scientific computation, computer graphics, databases, artificial intelligence and natural language processing. The Electrical Engineering and Computer Science Department’s goal is to prepare students for both a possible research career and long-term technical leadership in industry.

That's not to say that a CompSci student can't become a developer, but the curriculum is not designed to teach that - there are far easier ways to learn application development if that's all you're interested in.

That is Tech needs more trades / apprenticeships (1)

Joe_Dragon (2206452) | about a year and a half ago | (#42676653)

That is why Tech needs more trades / apprenticeships and not 4+ years CS.

Way too many tech / IT jobs want CS graduates for jobs that need a different skill set.

The CTO is living in the past... (0)

DavidClarkeHR (2769805) | about a year and a half ago | (#42676113)

Chris Wysopal, the CTO of Veracode, is still using terms like "pre-internet era".

With terminology like that, it sounds like someone is living in the pre-2000 internet era.

Not the whole story (0)

Anonymous Coward | about a year and a half ago | (#42676121)

Based on what I read elsewhere, the guy received praise when he reported the vulnerability and only got kicked out after he used a third party online scanning tool to verify the status of the system without permission from the university.

Not Just CS (0, Insightful)

Anonymous Coward | about a year and a half ago | (#42676139)

"Computer Science is taught in this idealized world separate from reality"

Sadly, that statement extends to far more than CS in the world of academia.

Security training? (2)

cdrguru (88047) | about a year and a half ago | (#42676141)

Maybe there should be a slightly different attitude towards breaking into computer systems, or attempting to break into them. However, it needs to be mentioned that if you are learning to skydive the first lesson isn't "what if your chute doesn't open." Similarly, the first project in a chemistry class isn't making dynamite.

What this case showed was a student with some skills could break into a university system. Great. One problem is that the student had little grounding in what consequences might pile up if this skill was used. Like the chemistry student making dynamite the knowledge might be there but no judgement about what to do with that knowledge.

Unfortunately, I don't think the proper response is for companies to hire people like this. They need a lot more work before they really can be expected to use their skills in a responsible manner - and today's corporate environment is hardly the place where people are going to get that. Would a person with the skill to break into computer systems and zero reasons not to do so willy-nilly (especially at the direction of lower level management with all kinds of reasons of their own) be a quality employee? More importantly, would such skills misused result in a good reference on down the road?

We are setting these people up to be unemployable in the future, right after they are exploited.

Re:Security training? (1)

Morpf (2683099) | about a year and a half ago | (#42676317)

If you are learning martial arts, you first learn how to fall without hurting yourself. ;) I think it is important to learn how to code robustly. Most of CS students should already know how broken many systems are. As others stated: Don't scan systems without consent but feel free to hack your own boxes and programs.

but he was not breaking into computer systems (1)

Joe_Dragon (2206452) | about a year and a half ago | (#42676597)

but he was not breaking into computer systems.

He was working on an APP and found a major bug in the system.

That's like working somewhere, let's say you are adding cameras or new sensors or even upgrading the fire alarm system at a bank's security system, and you find there is a very easy way to bypass parts of the system and report it, and let's say a few days later you are back doing more work and find that no fix has been done.

Let's agree not to hire from Dawson College (0)

Anonymous Coward | about a year and a half ago | (#42676187)

The school's actions seem a bit silly. There are a lot of tech people here -- let's just agree we won't hire from Dawson College.

He ran a scanner against the site causing a DOS (1)

Anonymous Coward | about a year and a half ago | (#42676221)

He ran a scanner against the site causing a DOS. Twice!

He was asked not to. The expulsion is a little extreme but what he did was definitely not justified.

Re:He ran a scanner against the site causing a DOS (0)

Anonymous Coward | about a year and a half ago | (#42676805)

Now now, don't go bringing in the facts when slashdotters are ranting about their favorite phony strawmen.

So I lock my bike at the shop (1)

MichaelSmith (789609) | about a year and a half ago | (#42676259)

and this guy is standing near the parked bikes. He comes up to me and says you know, I could easily open that lock. I ignore him and walk away but I look back and he is standing there right beside my bike not breaking any laws. So I have a few alternatives. I can walk away and hope he doesn't damage it or rip it off. I can call the cops, but no laws have been broken, or I can unlock my bike and go elsewhere.

Though frankly what I want to do is kick him shitless.

Re:So I lock my bike at the shop (1)

Anonymous Coward | about a year and a half ago | (#42676367)

You mean you park your bike at the shop, latch your locking mechanism but completely fail to bolt it in a secure fashion. Some guy comes up to you and says you know, anyone could open that lock. You threaten him and tell him not to tell anyone your bike's unsecured.

He then opens your bike lock, checking to see if you paid attention and bolted it properly... and you kick him shitless.

The biggest written burn of a stuffed think they (0)

Anonymous Coward | about a year and a half ago | (#42676301)

Smart and actual experience trumping their dumb ass. Lot of companies do this too not just education.
They want a sheep skin, lord knows why I still have to train them,
But when I go for a job my 25 years in the trenches means nothing to them.

Finally you say fuck it and sell shit at the mall or something.

well we need more hands on training / apprentices (1)

Joe_Dragon (2206452) | about a year and a half ago | (#42676313)

well we need more hands on training / apprenticeships.

The college system is kind of out of date and comes with the full load of fluff and filler classes. Tech schools are roped into the college system as well.

There is lots of stuff that is a poor fit into a 2 year or 4 year plan and other stuff that needs a lot more hands on training that is a poor fit for a college class room, when more of a community College setting is better. Yes, community Colleges offer non-degree classes.

Also the cost of college is getting too high and cutting down what is now 4-5 years down to say 1-3 years can save a lot and make it quicker to learn skills.

ALSO THERE IS lots of IT / tech work that is not even application development or CS that gets lumped into CS as the tech schools get no respect.

Why they call it computer science (0)

Anonymous Coward | about a year and a half ago | (#42676375)

And not Computer Programming. My friend went to college, I went to work. He could design a CPU from scratch, knew how to do visual recognition. Nothing any employer I ever came across found useful. As an employer, later in my career, If I had the choice between hiring somebody with 5 years experience vs fresh out of college, experience wins every time.

My friends path through CS was influenced directly by the funding the professors got. Machine Vision was a big funder to that college.

Yep... (1)

Darkness404 (1287218) | about a year and a half ago | (#42676439)

Yep, and the only way to realize just -how- vulnerable your systems are is test them out yourself (or have someone do it for you). I'm afraid that many CS graduates know nothing about how the "bad guys" are going to get into your system. They might have vague ideas about how a DDOS works, but it's unlikely they ever have experienced one first hand. To an average person, indeed even an average CS graduate hacking (in the black or grey hat usage) either consists of just pressing a button or involves many crazy steps that no one can possibly do. A half-assed simulation simply doesn't cut it because it isn't modeled on the real world and so the students think that their actual work will be done in a vacuum and not in the real world of script-kiddies, zero day exploits and 4chan.

All self-referential non-D (0)

Anonymous Coward | about a year and a half ago | (#42676505)

If you are so ashamed of your agreement that you can't discuss the existence of the non-disclosure agreement, you are evil.

We need a law that prevents the creation of non-disclosure agreements that include their own existence. Everyone in the world should be allowed to state they have a non-disclosure agreement.

Just like slavery is going too far for a 'hiring agreement', non-disclosure agreements that are self-referential go too far.

I challenge anyone to ever come up with a situation that talking about the existence of a non-disclosure agreement is somehow wrong.

the NDA likely said don't tell how to get into the (1)

Joe_Dragon (2206452) | about a year and a half ago | (#42676661)

the NDA likely said don't tell how to get into their system and they seem ok about him talking about what happened and even if it did they are not making a big deal about it as they did not want him to get kicked out of school.

DOS and C64 and AppleII (1)

SparrowOS (2792265) | about a year and a half ago | (#42676513)

These machines ruined people so they cannot program because they learned GOTO and no security. HGR: HCOLOR=7: HLINE 100,100 to 200,200 That is no way to learn graphics. Qt X-Windows!

"Not suited for Computer Science" (0)

Anonymous Coward | about a year and a half ago | (#42676705)

GETS JOB ANYWAYS IN COMPUTER SCIENCE.

Screw you school, you are drunk on old age.

Can't put the blame on educators only... apk (0)

Anonymous Coward | about a year and a half ago | (#42676735)

There's only so much you can fit into any 1 course, semester, or year (or series of them), after all.

However, I can see teaching "web guys" how to use say, for instance/example, stored procedures & binding variables to the string to issue to the stored procs - this helps vs. SQLInjection attacks. On today's "internet" (the wild west imo), it makes total sense.

As far as "coding defensively" though? You sort of have to "teach yourself"/"grow your own" @ times... & use what you learned to do so!

E.G./To wit, from a post of mine from 2005 regarding "CODING FOR DEFCON":

"You can do what I do though, which makes it HARDER STILL on them (and, as a bonus effect, builds in "native antivirus protection" into the app), which is, believe-it-or-not, hardcoding the application's compressed .exe filesize into the application @ its initialization (either form/screen creation or show methods), & test it on disk.

If the Win32 PE file changes its size even 1 byte (less or more) from its on-disk compressed size? DO as you like!

After all, this IS what std. type "Virus" do, add size & code to the end of the .exe afaik, so this DOES function as a rudimentary form of virus protection & stops your apps from spreading infectors like those, potentially @ least, because they let you know something IS wrong!

This is what/how I do it in my code @ least. SO, what can you do IF the filesize changes? Well, limits of your imagination, or 'cruelty' I suppose...

E.G.-> Reboot their machines, shutdown the program being 'hacked' or potentially virus infected since it changed its size (what I do), or if you are crueler than myself, anything you like (i.e./e.g.-> Blow their bootsector, lol).

There is MORE you can do to protect against various "debuggers" like SoftIce &/or WinDbg for example RIGHT in your code though, even if they uncompress to attempt disassembly.

API calls like IsDebuggerPresent, or the presence of SoftIce via routines present all over the internet for it (there are many of these)." - by Anonymous Coward on Saturday August 06 2005, @05:46AM (#13257227)

That functions not ONLY to defend vs. disassembly, but also as a rudimentary form of "built-in antivirus" since std. executable/classic viruses bind themselves to the end of a program & alter jump tables to function... this changes their size!

* HOWEVER - Do that on code I wrote? It shuts itself DOWN, terminated...

Thus letting you the user KNOW something tried altering its structure!

(CRC-32 or other types of checks could be substituted but the principle's the same idea!)

APK

P.S.=> Sometimes, you HAVE to use what you learned while you were in schooling for the art & science of computing & "grow your own"...

... apk
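An added example, not part of the comment above or of any poster's code: the comment describes comparing a program file's on-disk size against a recorded value and notes that a CRC-32 or other check could be substituted. The sketch below compares what each kind of check reports for an appended change and for a same-size in-place change; the file contents and the names `fingerprint`, `changed_fields` and `demo` are constructed for illustration.

```python
import hashlib
import os
import tempfile
import zlib


def fingerprint(path):
    """Return the size, CRC-32 and SHA-256 of a file, read in chunks."""
    size, crc, sha = 0, 0, hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            size += len(chunk)
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return {"size": size, "crc32": crc & 0xFFFFFFFF, "sha256": sha.hexdigest()}


def changed_fields(path, baseline):
    """Return the names of the fingerprint fields that differ from the baseline."""
    current = fingerprint(path)
    return sorted(name for name in baseline if current[name] != baseline[name])


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Run the three cases on a constructed file and return what each check saw."""
    # Constructed stand-in for a program image; not a real executable.
    original = b"MZ" + bytes(range(256)) * 8
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.bin")
        _write(path, original)
        baseline = fingerprint(path)  # recorded once, at build or install time

        # Case 0: file untouched, nothing should be reported.
        results["untouched"] = changed_fields(path, baseline)

        # Case 1: data appended to the end, the case the size check targets.
        _write(path, original + b"APPENDED" * 8)
        results["appended"] = changed_fields(path, baseline)

        # Case 2: one byte changed in place, length unchanged.
        # A size-only comparison reports nothing here.
        patched = bytearray(original)
        patched[100] ^= 0xFF
        _write(path, bytes(patched))
        results["same_size_patch"] = changed_fields(path, baseline)
    return results


if __name__ == "__main__":
    for case, fields in demo().items():
        print(f"{case:16s} changed: {fields or 'nothing'}")
```

CRC-32 is an error-detection code and is not designed to resist deliberate modification, so a cryptographic hash (or a platform code-signing check) is the stronger choice when the baseline is stored somewhere the modified file cannot rewrite.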

Professors (0)

Anonymous Coward | about a year and a half ago | (#42676777)

Professors don't like being shown up and will take it out on students (and sometimes staff) that do it. Obviously not all professors, but a good majority of them are complete asshats. I work at a University and see it first hand (thus the Anonymous posting). You can do something absolutely correctly, but if you don't do it they way THEY want it done, it is wrong.

Ran into 1 like that in CS... apk (0)

Anonymous Coward | about a year and a half ago | (#42676881)

Heh, I ran into 1 like that - only 2 though in 2 degrees & 1 on strictly CS... guy was a TOTAL prick! If you did ANYTHING different than the textbook code he got on your ass about it and graded you down for it - The class was practically CUTTING & PASTING the examples from the textbook for their assignments - THAT IS NOT LEARNING! It is plagiarism!

Man... I couldn't BELIEVE it! I wrote my own work & routines, after all, by THAT point in my career? I ought to! He said I was "overbuilding" my assignments... wtf, who CARES if they work and better than what the current assignment book code even does especially!

I got a shit grade & the rest of my classes were nearly straight A's & ought to have been: I'd been actually DOING THE JOB as a pro for years beforehand!

Told 1 of my classmates about it & he said "WTF? You're the smartest guy in the class!" (yea, well... look where it got me! Kept me off "Dean's List" that semester in fact...).

I didn't even REALLY NEED TO GO THERE, but... I went back to finish up AAS level CS work after nearly 15++ yrs. of working the field as a pro (to get the paper & to move onwards to BS level), & ran into the very thing you speak of.

* Thank the merciful Lord there's only a minority of them out there, @ least in my experience.

APK

P.S.=> There's always THIS "old adage" to describe that 'kind': "THOSE WHO CAN, DO... those who CAN'T? Teach!" & imo @ least?

The type you describe shouldn't do THAT either - they lack pedagogy, but I am certain of 1 thing: People like that eventually end up "nuking" themselves... I've seen it TOO MANY TIMES in this existence (spanning nearly 1/2 a century for me now in fact)!

... apk

Use hacking tools on dedicated network (1)

jfdavis668 (1414919) | about a year and a half ago | (#42676811)

I obtained a Masters in CS a few years ago. Security was a big topic for the department. We had a dedicated network and set of servers to learn, test and use the type of software that Al-Khabaz used. We do not use it on live networks against production servers. You never do that without knowledge of everyone involved. Same way where I work. Doing what he did would get you fired. If you find a security hole, point it out to the appropriate people. Then let them fix it, don't keep poking it with a stick. If your network and servers have appropriate security monitoring software, this would set off every alarm in the place.

Send Alexander Simonelis an email about WhiteHats (0)

Anonymous Coward | about a year and a half ago | (#42676851)

The "http://www2.dawsoncollege.qc.ca/phones/" public website

    Name / Email Office Local Position / Department
    Alexander Simonelis 3F.22 5058 Faculty
          Computer Science

Or give him a call (514) 931-8731 ext. 5058.

Thanks to all

College level CS is not useful anymore. (1)

Lumpy (12016) | about a year and a half ago | (#42676853)

I see coding styles that are downright horrid, that are being taught, and every single College course is so out of date, it's doing a disservice to the students.

Couple that with a Lazy prof that is upstaged by a student..... and you get this exact reaction.

It's the geek who has lost touch with reality, (1)

westlake (615356) | about a year and a half ago | (#42676875)

Dawson computer science professor Alex Simonelis said his department forbids hacking as an 'extreme example' of 'behavior that is unacceptable in a computing professional.' And, in a news conference on Tuesday, Dawson's administration stuck to that line, saying that Al-Khabaz's actions show he is 'no longer suited for the profession.'

The geek's encounters with the law --- with society as a whole --- have not been ending well for him. The Internet is not his private playground anymore. Intrusions into other people's systems and software may end in a felony charge.

I've no doubt that the geek can still find shelter and support in his own community when things go south, but the climate outside is not so warm and welcoming anymore.
