Montreal college student expelled after exposing security hole in college’s network

This sounds awfully bad. And it doesn’t help the school’s case – Dawson College – that the Student Union’s director of internal affairs and advocacy is backing up the student’s side of the story.

Canada’s National Post has the story, here’s a brief snippet:

A student has been expelled from Montreal’s Dawson College after he discovered a flaw in the computer system used by most Quebec CEGEPs (General and Vocational Colleges), one which compromised the security of over 250,000 students’ personal information.

Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”

“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,” said Mr. Al-Khabaz. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”

The next week, he tested the flaw again to see if they had fixed it, and next thing he knows, he’s expelled.

The student alleges some rather questionable behavior on the part of the company that designed the flawed system, Skytech, as well.

The school is refusing to discuss the case, claiming legal and ethical grounds. Well, first off, the ethical question is easy to solve – just get the student’s permission to talk about the case. That should be easy.

As for “legal” grounds, that sounds like a cop-out. The school is afraid the student will sue them, it sounds like, so they’re not talking about what they did. If the kid was up to no good, then it shouldn’t be terribly hard for the school to just say so publicly, regardless of some bogus legal concerns.

It doesn’t prejudice your case to simply state the facts publicly. So long as you’re telling the truth.

In an ironic twist, the university’s Web site doesn’t seem to be doing too well either.



John Aravosis is the editor of AMERICAblog, which he founded in 2004. He has a joint law degree (JD) and masters in Foreign Service from Georgetown (1989); and worked in the US Senate, World Bank, Children's Defense Fund, and as a stringer for the Economist. Frequent TV pundit: O'Reilly Factor, Hardball, World News Tonight, Nightline & Reliable Sources.


  • school management software

    I think the concentration should now be given completely on reviving the flaw. It should not stay long as flaws, or else it may create really data insecurity for the college.

  • rerutled

    Here is the College’s response describing why the student was expelled. (I apologize, it is long; but it is on the College’s home page, and it likely will not persist permanently.) Currently here: http://www.dawsoncollege.qc.ca/home

    ———–

    To set the record straight, Ahmed Al-Khabaz was not expelled because he found a flaw in the student information systems. In fact, the College and Skytech recognized his work, thanked him, and enlisted him and two other students to help address the problem.

    He was expelled for other reasons. Despite receiving clear directives not to, he attempted repeatedly to intrude into areas of College information systems that had no relation with student information systems.

    These actions and behaviours breach the code of professional conduct for Computer Science students, a serious breach that requires the College to act.

    The College followed its regular processes to investigate the situation and to proceed with sanctions against Mr. Al-Khabaz, on the recommendation of the Computer Science Department, giving him the opportunity to plead his case with the Dean and the Department Chair and to avail himself of appeal processes.

    As a public institution in Quebec, Dawson College must adhere to strong professional values in its delivery of education as it is entrusted with preparing students for future academic and working lives. Universities expect this commitment to values as do employers, parents and students themselves.

    Dawson College has a responsibility to instill the principles of proper conduct in the workplace so that employers hiring our graduates know that they are responsible citizens and qualified workers who understand how to behave in a professional environment.

    The decision to expel a student is a serious matter and our presence here today is to assure the public that such decisions are never taken lightly because we are fully conscious of their effects on individuals.

  • JosephP

    Not only did they kick him out, they give him “zeros” in all his courses!

  • Zorba

    I was kind of wondering myself if they would have expelled him if his name had been Jim Smith. Great minds, and all that, Comrade. ;-)

  • ComradeRutherford

    Well, his name is “Ahmed Al-Khabaz” so obviously he is a terrorist!

  • ComradeRutherford

    The business professional’s answer is always to NOT spend money to fix the security problem, but to criminalize anyone that dares point it out!

    Security Through Obscurity is a lot less expensive than doing it right in the first place, and maximizing profits to shareholders is the ONLY thing that counts.

    When The Emperor Wears No Clothes, then it is the policy of the realm to execute everyone that notices that the Emperor is naked.

  • rerutled

    This is very odd. It would be an unusual reason to expel a student – to say the least. And expelling a student is not some form-filling-out exercise; there is a group of people who would have to approve it — from an associate Dean (who usually handles individuals), to the Dean overseeing the student’s academic unit, to the Provost. Rarely would expulsion be for a single offense, more often for a history of offenses, because colleges take their first responsibility as educating students. A more usual complaint is that they are too lenient on students who behave badly. Moreover, this instance is impossible to confirm, because a University will never level accusations against a student unless it reached a court of law — which this won’t. But, more importantly, in Quebec, the privacy laws are such that a college can’t even acknowledge that a student is enrolled there; even with that student’s permission.

© 2014 AMERICAblog News. All rights reserved.