This sounds awfully bad. And it doesn’t help the case of the school, Dawson College, that the Student Union’s director of internal affairs and advocacy is backing up the student’s side of the story.
Canada’s National Post has the story; here’s a brief snippet:
A student has been expelled from Montreal’s Dawson College after he discovered a flaw in the computer system used by most Quebec CEGEPs (General and Vocational Colleges), one which compromised the security of over 250,000 students’ personal information.
Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”
“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,” said Mr. Al-Khabaz. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”
The next week, he tested the flaw again to see if they had fixed it, and next thing he knows, he’s expelled.
The student alleges some rather questionable behavior on the part of the company that designed the flawed system, Skytech, as well.
The school is refusing to discuss the case, claiming legal and ethical grounds. Well, first off, the ethical question is easy to solve – just get the student’s permission to talk about the case. That should be easy.
As for “legal” grounds, that sounds like a cop-out. The school is afraid the student will sue them, it sounds like, so they’re not talking about what they did. If the kid was up to no good, then it shouldn’t be terribly hard for the school to just say so publicly, regardless of some bogus legal concerns.
It doesn’t prejudice your case to simply state the facts publicly, so long as you’re telling the truth.
In an ironic twist, the university’s Web site doesn’t seem to be doing too well either.