A STUDENT has been expelled from Montreal's Dawson College after bringing a security vulnerability to the attention of the university and the software maker.
Ahmed Al-Khabaz, who used to study computer science at Dawson College, discovered a security vulnerability in the Omnivox software used by that college and others to store students' personal information. After Al-Khabaz alerted the college and Omnivox developers to the vulnerability, he ran a stress test program to ensure that the vulnerabilities had been fixed, an action that led to his expulsion from the college.
Al-Khabaz claims that the vulnerability he and a colleague found would allow anyone with basic knowledge of computers to access the personal details of over 250,000 students. He told the National Post, "I saw a flaw which left the personal information of thousands of students, including myself, vulnerable. I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn't think I was doing anything wrong."
When Al-Khabaz first talked to the college about the flaw, things went well, with all parties concerned walking away happy. However, two days later Al-Khabaz wanted to check whether the vulnerability he had found was fixed and ran Acunetix, a program used to stress test software.
Soon after Al-Khabaz ran the software, Skytech, the software developer behind the Omnivox software, got in touch with Al-Khabaz, offering some stern words to the student and urging him to sign a non-disclosure agreement. Al-Khabaz was then referred to the Dawson College administration, which voted to expel Al-Khabaz for a "serious professional conduct issue".
According to Al-Khabaz, the college administration seemed keen to cover up its failings rather than protect a talented and resourceful student. Al-Khabaz said, "I was called into a meeting with the coordinator of my programme, Ken Fogel, and the dean, Dianne Gauvin. They asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem."
Even Skytech's CEO said Al-Khabaz's decision to run Acunetix did not exhibit any malicious intent, so Dawson College's actions seem wholly disproportionate. Given that Al-Khabaz did not expose the students' data and acted responsibly by informing the college, it appears that Dawson College's actions were motivated by a coverup and have ruined an honest, bright student's career.