A student, Ahmed Al-Khabaz (right), was expelled from Montreal’s Dawson College after pointing out a security flaw in the computer networking systems used by most of Quebec Province’s vocational colleges. Because no one likes bad news, right?
According to an article in the National Post:
Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”
After an initial meeting with Director of Information Services and Technology FranÃ§ois Paradis on Oct. 24, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill.
Al-Khabaz subsequently ran a software program called Acunetix, which exists to test for vulnerabilities in websites, to verify that the issues he had discovered had been corrected.
He immediately received a call from the president of Skytech, Edouard Taza. According to the National Post, as Al-Khabaz explained it,
Taza said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.
That might be part of the problem. Because if you sign a non-disclosure agreement that means you can’t talk about what happened, and you just did.
But as Taza explained (to the National Post):
This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.
But Dawson didn’t seem to be so forgiving. The coordinator of Al-Khabaz’s program called the student into a meeting in which, according to Al-Khabaz,
“They asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem.”
Professors in the computer science department voted to expel the student. He appealed the decision to the school’s academic dean. The appeal was denied.
The school declined to explain what happened in the Al-Khabaz case, leaving a statement on the website that said,
Under the terms of Quebec privacy laws, it is illegal to discuss the details of student files with individuals or with the media. Dawson College practices due process and due diligence in every case brought before the review committee. If a student does not agree with a decision, he or she has the right to appeal, as spelled out in the policies.
In the recent case of Ahmed Al-Khabaz, which he himself brought to the media, the College stands by its decision. The reasons cited in the National Post article for which the student was expelled are inaccurate. The process which leads to expulsion includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned, particularly in the area of professional code of conduct. Conditions for remaining in the College on good terms are clearly explained in person to the student.
That, of course, clarifies nothing.
The problem isn’t that Dawson failed to follow appropriate procedures. The student was expelled because a committee voting to expel him. He appealed the decision and the college denied the appeal. These things aren’t a matter of debate. The question is why discovering a networking flaw, bringing the networking flaw to the attention of the company in charge of maintaining that network, and then testing to see if the flaw has been fixed (while clearly risky) is grounds for removal. [Image via]