
College student expelled for reporting security vulnerability

Feels the wrath of academia
Mon Jan 21 2013, 16:13

A STUDENT has been expelled from Montreal's Dawson College after bringing a security vulnerability to the attention of the university and the software maker.

Ahmed Al-Khabaz, who used to study computer science at Dawson College, discovered a security vulnerability in the Omnivox software used by that college and others to store students' personal information. After Al-Khabaz alerted the college and Omnivox developers to the vulnerability, he ran a stress test program to ensure that the vulnerabilities had been fixed, an action that led to his expulsion from the college.

Al-Khabaz claims that the vulnerability he and a colleague found would allow anyone with basic knowledge of computers to access the personal details of over 250,000 students. He told the National Post, "I saw a flaw which left the personal information of thousands of students, including myself, vulnerable. I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn't think I was doing anything wrong."

When Al-Khabaz first talked to the college about the flaw, things went well, with all parties concerned walking away happy. However, two days later Al-Khabaz wanted to check whether the vulnerability he had found was fixed and ran Acunetix, a program used to stress test software.

Soon after Al-Khabaz ran the software, Skytech, the developer behind Omnivox, got in touch with him, offering some stern words and urging him to sign a non-disclosure agreement. Al-Khabaz was then referred to the Dawson College administration, which voted to expel him for a "serious professional conduct issue".

According to Al-Khabaz, the college administration seemed keen to cover up its failings rather than protect a talented and resourceful student. Al-Khabaz said, "I was called into a meeting with the coordinator of my programme, Ken Fogel, and the dean, Dianne Gauvin. They asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem."

Even Skytech's CEO said Al-Khabaz's decision to run Acunetix did not exhibit any malicious intent, so Dawson College's actions seem wholly disproportionate. Given that Al-Khabaz did not expose the students' data and acted responsibly by informing the college, it appears that Dawson College's actions were motivated by a coverup and have ruined an honest, bright student's career. µ

