The Inquirer-Home

College student expelled for reporting security vulnerability

Feels the wrath of academia
Mon Jan 21 2013, 16:13

A STUDENT has been expelled from Montreal's Dawson College after bringing a security vulnerability to the attention of the university and the software maker.

Ahmed Al-Khabaz, who used to study computer science at Dawson College, discovered a security vulnerability in the Omnivox software used by that college and others to store students' personal information. After Al-Khabaz alerted the college and Omnivox developers to the vulnerability, he ran a stress test program to ensure that the vulnerabilities had been fixed, an action that led to his expulsion from the college.

Al-Khabaz claims that the vulnerability he and a colleague found would allow anyone with basic knowledge of computers to access the personal details of over 250,000 students. He told the National Post, "I saw a flaw which left the personal information of thousands of students, including myself, vulnerable. I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn't think I was doing anything wrong."

When Al-Khabaz first talked to the college about the flaw, things went well, with all parties concerned walking away happy. However, two days later Al-Khabaz wanted to check whether the vulnerability he had found was fixed and ran Acunetix, a program used to stress test software.

Soon after Al-Khabaz ran the software, Skytech, the software developer behind the Omnivox software, got in touch with Al-Khabaz, offering some stern words to the student and urging him to sign a non-disclosure agreement. Al-Khabaz was then referred to the Dawson College administration, which voted to expel Al-Khabaz for a "serious professional conduct issue".

According to Al-Khabaz, the college administration seemed keen to cover up its failings rather than protect a talented and resourceful student. Al-Khabaz said, "I was called into a meeting with the coordinator of my programme, Ken Fogel, and the dean, Dianne Gauvin. They asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem."

Even Skytech's CEO said Al-Khabaz's decision to run Acunetix did not exhibit any malicious intent, so Dawson College's actions seem wholly disproportionate. Given that Al-Khabaz did not expose the students' data and acted responsibly by informing the college, it appears that Dawson College's actions were motivated by a coverup and have ruined an honest, bright student's career. µ

 
