Student expelled from college because he reported a security problem to officials

hamed

What do you do when a student discovers then reports a serious vulnerability in your school’s network — so serious that it could potentially give access to students’ social security numbers, home addresses, phone numbers, class schedules and every other bit of information that a school would have on its students? Why, you expel him for “unprofessional conduct” of course.

This is what happened to Hamed Al-Khabaz, a computer science student at Dawson College in Montreal. He came across this security hole, reportedly due to the “sloppy coding” in the school’s network. As for why he was anywhere near the code anyway? He and his friend were innocently working on an app that would provide students mobile access to their school data — something nobody would be surprised a computer science student would be doing, don’t you think?

Hamed reported this straight to the school’s Director of Information Services and Technology. All seemed fine, and Hamed was told that Skytech, the company behind the software, would work on it right away. After not hearing from them for a few days, he decided to check on the vulnerability via a program called Acunetix.

Skytech contacted Hamed immediately, saying that because he ran the security scan without first notifying their system administrator, it could have caused serious problems. They also said it was the second time in a few days that they had detected him on their systems.

Here’s where it gets ugly: Hamed signed an NDA (non-disclosure agreement), agreeing not to discuss the case. Despite that, the faculty at Dawson College decided to vote on whether to expel him for “unprofessional conduct.” What makes it even more disgusting is that Skytech acknowledges Hamed had no “malicious intent” when he did what he did.

14 out of 15 professors voted to expel him.

Hamed’s grades have been zeroed, he was expelled and now has a record of unprofessional conduct. All for trying to help out, and checking on the situation after? It makes sense that he maybe should have notified them before performing a scan — but to expel him when you know he meant no harm? That makes no sense. Maybe they’re trying to put the blame of the security vulnerability on him. Who knows.

If you want to help Hamed, you can sign an online petition at the link below.

Help Hamed petition

[via Gizmodo, National Post]

Comments

23 comments

  1. AT

    @Kyle: @Ashraf: @Mike:

    I need to give a bit of history of Dawson College so everyone can get a bit more perspective. A number of years ago, Dawson College was the scene of an on-campus shooting. I don’t remember the full details but I believe it happened at the same time as the Virginia Tech shootings, with many students also getting shot and killed. When something like that happens, college administrators are criticized for under-reacting before such an incident and tend to over-react to other incidents. This might be a case where the administrators are acting swiftly to head off any potential trouble.

  2. Kyle

    @Ashraf: Just a minor point and I think that will be it for me on this subject. You wrote: “Dawson kicking him out could be a face saving move, or maybe trying to appease some organization. Is that necessarily SkyTech? Possibly, but if they offered him a job, I doubt it.”

    As I somewhat cynically noted above, the job offer could simply be a smart PR move with little expectation of him taking them up on the offer, since he might worry that the first chance they get they’ll let him go or, more likely, will be slow at promoting him. It might not be a crafty PR move and Skytech has nothing but good intentions, but either way it has the effect of putting them in a better light while at the same time helping to dispel any suspicions that they may have worked behind the scenes to see that he was punished.

  3. Ashraf
    Mr. Boss

    Here are the “facts” from Hamed’s point-of-view regarding this whole instance (pulled from the Hamed petition website). Are they completely true? I don’t know but it does sound more or less the same as shown in the expulsion letter.

    ——

    The Facts

    Many people have been asking for additional information about the events leading up to Hamed’s expulsion. Below we will try to the best of our ability to provide you with the full picture.

    September 21st

    After inspecting Dawson’s Omnivox portal framework from the outside, Hamed sensed that their system might be vulnerable to data breaching. He decided to use Acunetix to scan the portal for vulnerabilities. He had the choice to go through an anonymous proxy and never get caught, but he did not do so in order to let them know that they are not being attacked but that he is simply running a test.

    September 22nd

    Hamed receives an email from François Paradis, the Director of Information Systems Technology, informing him that his account has been suspended for attempting to gain unauthorised access to their systems. Hamed immediately informed them of his intent. They reactivated his account. At no time does he receive a “Cease & Desist” letter or official first warning from Mr. Paradis. Their exchanges are cordial and Mr. Paradis stresses the importance of being cautious in his actions so as not to provoke Skytech into going after him.

    October 14th

    Hamed noticed a pattern in the URL of his Omnivox avatar. The pattern led to his Student ID number. From there he realised that anyone’s information could be accessed by replicating the pattern. He did not use software to make this discovery, but rather deductive logic.

    October 17th

    Hamed requests to meet with François Paradis in order to run some tests to expose vulnerabilities.

    October 24th

    Hamed and his colleagues meet with François Paradis to test their theory of data access. A test server is set up for them to run their findings. They sign a Protocol for Portal Vulnerability Test. Part of said protocol stipulates that testing must happen on College grounds under the supervision of Dawson College IT staff.

    October 26th

    Hamed is informed that Skytech has fixed the holes in Omnivox and that the site is now secure. Excited by their rapid response, he logs on to the test server the College provided him to run an Acunetix scan. The scan shows no vulnerabilities but Skytech is alerted to its use and calls Dawson College to get the name of the “culprit”. Dawson College hands over Hamed’s number and Skytech calls him at 9PM. They threaten to call the RCMP on him and warn that he may face a year in jail for his actions. Hamed explains that he was part of the team that found the initial hole and that his intent was just to ensure the data was truly secure. They ask him to provide any bugs he may have found by October 28th. He does so under condition that they agree to not sue them and in return he will not disclose any of what he found to anybody.

    November 2nd

    Hamed is invited to attend a meeting on November 6th “to address serious professional conduct issues”. In attendance will be the Sector Dean and Vice-Dean as well as the Program Coordinator.

    November 6th

    The meeting to review Hamed’s case takes place.

    November 12th

    The Computer Science Department meets to review Hamed’s case. Only a single teacher has taken the initiative to speak with him directly. Said teacher is the only one to vote against his expulsion. Hamed is not present.

    November 14th

    Hamed is asked to meet with Diane Gauvin. She hands him his letter of expulsion citing professional misconduct. Security is on hand to immediately confiscate his Student ID.

    November 20th

    Hamed appeals his expulsion to the Academic Dean.

    November 27th

    Hamed meets with the Academic Dean to present his case.

    November 29th

    The Academic Dean rejects his appeal and ensures that “the Sector Dean will not go back on her words.”

    November 30th

    Hamed meets with the Director General to appeal his expulsion.

    December 7th

    The Director General rejects his second and final appeal.

    In sum,

    - Hamed exchanged emails with Mr. Paradis where it was expressed that his actions on September 21st were irresponsible.
    - Hamed never received a Cease & Desist letter.
    - Hamed never received an official written warning.
    - Hamed was thanked for bringing vulnerabilities to light on October 24th.
    - Hamed was given access to a test server on October 24th.
    - Hamed was asked to only use the test server when at Dawson.
    - Hamed was eager to verify the updated security of Omnivox on October 26th and performed tests from his home.
    - Hamed immediately stopped scanning the system upon receiving a call from the CEO of Skytech.
    - Hamed was not granted the right to speak directly with the members of the Computer Science faculty before they voted on his expulsion.
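The predictable-URL weakness in the October 14th entry above, as an added example (not code from the post, the petition site, or Omnivox): a toy record lookup that trusts the student ID in the URL, next to the authorization check and indirect reference that close the hole, plus a log check that flags ID enumeration. Paths, records, IDs, the secret and the log lines are constructed.

```python
"""Added example, not code from the post or the petition site: a minimal model
of the predictable-URL weakness (avatar URL -> student ID -> anyone's record),
next to two server-side fixes and a simple detection. Portal paths, record
fields, IDs, the secret and the log lines are all constructed."""
import hashlib
import hmac
import re
from typing import Optional

# Constructed sample records keyed by a predictable, sequential student ID.
STUDENTS = {
    1000001: {"name": "Alice Example", "phone": "555-0101", "schedule": ["CS101"]},
    1000002: {"name": "Bob Example", "phone": "555-0102", "schedule": ["CS102"]},
}

AVATAR_PATH = re.compile(r"^/avatar/(\d+)\.png$")  # constructed route shape

def vulnerable_lookup(path: str) -> Optional[dict]:
    """Weak pattern: the record is chosen solely by the number in the URL, so
    anyone who can read or increment that number reads anyone's record."""
    m = AVATAR_PATH.match(path)
    return STUDENTS.get(int(m.group(1))) if m else None

def hardened_lookup(session_student_id: int, path: str) -> Optional[dict]:
    """Fix 1: authorize server-side. The ID in the URL is honoured only when it
    belongs to the authenticated session; None stands for a 403 response."""
    m = AVATAR_PATH.match(path)
    if not m:
        return None
    requested = int(m.group(1))
    if requested != session_student_id:
        return None
    return STUDENTS.get(requested)

# Fix 2: indirect references. URLs carry an unguessable per-user token derived
# from a server-side secret (constructed here) instead of the raw student ID.
SERVER_SECRET = b"constructed-example-secret"

def avatar_token(student_id: int) -> str:
    return hmac.new(SERVER_SECRET, str(student_id).encode(), hashlib.sha256).hexdigest()[:32]

_TOKEN_TO_ID = {avatar_token(sid): sid for sid in STUDENTS}

def indirect_lookup(session_student_id: int, token: str) -> Optional[dict]:
    """Resolve the token, then still confirm it maps to the caller: a leaked
    token must not turn back into a direct reference."""
    sid = _TOKEN_TO_ID.get(token)
    return STUDENTS[sid] if sid is not None and sid == session_student_id else None

# Detection: one session fetching avatars for many distinct IDs is the
# enumeration pattern the weakness invites. Constructed lines: "<session> <path>".
SAMPLE_LOG = [
    "sess-a /avatar/1000001.png",
    "sess-b /avatar/1000001.png",
    "sess-b /avatar/1000002.png",
    "sess-b /avatar/1000003.png",
    "sess-b /avatar/1000004.png",
    "sess-a /avatar/1000001.png",
]

def flag_enumeration(log_lines, threshold: int = 3) -> list:
    """Return sessions that requested more than `threshold` distinct IDs."""
    seen: dict = {}
    for line in log_lines:
        sess, path = line.split(" ", 1)
        m = AVATAR_PATH.match(path)
        if m:
            seen.setdefault(sess, set()).add(int(m.group(1)))
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)
```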

  4. Ashraf
    Mr. Boss

    @AT: Thx!
    @Kyle: Your explanation very well could be true. Dawson kicking him out could be a face saving move, or maybe trying to appease some organization. Is that necessarily SkyTech? Possibly, but if they offered him a job, I doubt it.
    In the end, I think we can only speculate as to motivation unless Dawson and its professors speak up to explain their thinking.
    @AT: Thx!
    @Mike: I think Dawson’s point of view is that they tried to educate him and tell him to stop, but he didn’t listen. Not saying that is right; just saying that is what I think their justification is.
    @ovl: Let’s agree to disagree. You are entitled to your point-of-view, I am to mine.
    That said, I do agree that the article is a bit too biased. While you must understand this is a blog (and not a news organization) and we will definitely express our biases in articles, I do agree that we should have given some coverage to the other side of the coin, so to speak. Keep in mind, however, when this article was written Dawson didn’t make any public statements on their side of the story.

  5. ovl

    @Ashraf

    I totally disagree with you that “there is no clear black and white boundary as to what exactly he was expelled for.”

    You have read the expulsion letter and it’s very clearly stated that Ahmed “injected SQL code” again into the system a month later after the college system was fixed by SkyTech (you know that SQL injection is a technique used by hackers to attack databases through a website). Ahmed received a heads-up not to do it again, but he recklessly ignored the professional warning. This was the precise black & white boundary which he intentionally crossed.

    “It was written as a catchy headline for a reason — to get people to read the article.”

    I think there is no need to give any article the misleading headline just in order to catch someone’s attention. BTW, the entire article is one-sided and biased, too.

  6. Kyle

    @Ashraf: Good points. I agree with most of what you wrote, though I disagree with how he followed up on the problem without apparently letting anyone know what he was doing. But even so, if it’s true that Dawson encouraged him to investigate the problem, then I can’t for the life of me figure out why they would go after him so hard unless they just had it in for the kid for some unfathomable reason.

    The only thing I can come up with (after putting on my tin-foil hat) is that perhaps Dawson worried, or was explicitly told, that Skytech was ticked off at having their nose rubbed in it by a college student and therefore putting at risk what may have been a very mutually beneficial relationship (such as if Skytech routinely hired graduates from Dawson) — a relationship that they feared could be irreparably harmed unless they gave Hamad the boot. That too could explain why the computer science department recommended his expulsion, offering him up as a sort of sacrificial lamb since they would have the most to lose if the Skytech pipeline suddenly dried up.

    But that’s just me grasping at straws. In the end it comes down to whether Hamad had permission to do what he did. If he didn’t, then I think the college was within its rights to do what they did, even if it seems drastic. We’ll probably never know for sure what really happened.

    In any event, per AT’s post it looks like Hamad is going to come out of this in great shape with companies lining up to hire him. Funnily enough it even mentions that Skytech may have offered him a job, which cynically speaking is probably nothing more than a good PR move.

  7. Ashraf
    Mr. Boss

    @Kyle: Let’s agree on one thing: we obviously don’t have all the facts. That said, with what we do have, let me point out one fatal flaw in your analogy. According to Dawson themselves, they did not ask him to stay clear — they “enlisted him and two other students to help address the problem”. This, of course, contradicts other statements they have made, particularly the link you posted. As I mentioned in my comment earlier, I’d say following up to see if a vulnerability has been patched is only doing his duty since he was asked to “address the problem”.
    Also, it is being reported as “a few days” between breach 1 (when the vulnerability was reported) and breach 2 (when Ahmed followed up with the program), seemingly indicating that Ahmed may not have given the college/IT firm enough time to fix the issue before probing to see if it was fixed. However, if you look at the timeline included in the document ovl posted, over a month passed between the two so-called system breaches. A month. Honestly, I’d want to expel the IT manager in charge, not Ahmed, for leaving a significant security breach open for over a month.
    That said, in my mind there is a difference between “again fiddling around with security mechanisms” and following up to see if the reported vulnerability was fixed. If, in your analogy, the lockpicking student was simply following up to see if the issue he reported was fixed, I for one would support him.
    A messy situation indeed, but I do feel Dawson is being too hard handed.

  8. Kyle

    @Ashraf: I agree that the punishment seems hard, but I can imagine roughly equivalent non-computing scenarios where the same outcome would occur and most people would concur that he should have been kicked out.

    This isn’t a perfect analogy but let’s say a student is really good at picking locks and so forth. So he happens to be fiddling around an area on campus where students shouldn’t be, an area which houses confidential information, and while mucking about he discovers a way that a thief could potentially break in. He reports this to a school official who says “okay, well on the one hand, thank you for alerting us to this potential problem, but you had no business being there. We’ll turn this matter over to campus security. THEY will fix the problem and YOU will steer clear of that area from now on. Understood?” “Yeah, okay”.
    A few days later he stealthily returns, again fiddling around with security mechanisms. Eventually he is caught in the act.
    So how would such a situation be handled? My guess is the student would be summarily kicked out and most people would feel he had it coming. Not only for returning to a place he knew he shouldn’t go anywhere near, and thus essentially declaring that rules which normal students must follow don’t apply to a security whiz like himself, but also for gravely disrespecting the professionals who were tasked to take care of the problem. Not to mention potentially disrupting whatever new measures they were putting into place.

    In such a scenario, which I don’t think is too far off base, it could even be argued that he got off easy, for the college could just as easily have turned the matter over to the police.

  9. Ashraf
    Mr. Boss

    @Mark: What a joke! I quote: “To set the record straight, Ahmed Al-Khabaz was not expelled because he found a flaw in the student information systems. In fact, the College and Skytech recognized his work, thanked him, and enlisted him and two other students to help address the problem.” Wouldn’t following up to see if the vulnerability was fixed be helping to address the problem?

    And: “He was expelled for other reasons. Despite receiving clear directives not to, he attempted repeatedly to intrude into areas of College information systems that had no relation with student information systems.” According to the document ovl links, there are only two intrusions mentioned (the first one supposedly being the initial finding while the second being the follow-up). I’m not sure what “repeatedly” means.
    @ovl: It was written as a catchy headline for a reason — to get people to read the article. And it isn’t like the headline is wrong. Look at the document you linked. It clearly states: “The decision was based on the following facts…” and it goes to list the whole chain of events starting from the original discovery of the vulnerability to the expulsion. There is no clear black and white boundary as to what exactly he was expelled for; the whole situation was considered, from start to finish.
    @Kyle: I agree there are always two sides of the story. And I agree the latter half of what Ahmed did was wrong. But does that justify expulsion? Really? I mean if he actually attacked the network or did something malicious, I’d understand. But he didn’t. He was checking to see if the vulnerability he reported earlier was fixed. In my opinion, the punishment does not fit the crime in this case.

  10. Kyle

    @Ashraf: I’m not here to come to the defense of Dawson College per se, but just to point out that so far most people on the net have only heard one side of the story. Too often I’ve seen stories where one’s first reaction is “how could such educated and supposedly mature people (in this case the professors who voted to expel) do such a stupid thing which could only serve to make them look bad!?”… but later, as more details come out, almost invariably the situation suddenly doesn’t seem as full of folly as it did initially.

    In regards to Mark’s post where it mentions that the recommendation came from the Computer Science Department, to me that puts things in a new light since they presumably would be in the best position to know when a fellow computer geek crosses the line. And, at least if Dawson is to be believed, he had been warned before about this sort of behavior and yet continued to cross the line.

  11. ovl

    Here is the Dawson College’s expulsion letter dated 11/14/12:
    http://s3.documentcloud.org/documents/560325/pages/al-khabaz-expulsion-revised-p1-normal.gif

    According to Skytech (the company that fixed the flaw in the Dawson College system), Al-Khabaz looked to test if the flaw had been “indeed” fixed by Skytech, by probing the system with a vulnerability toolkit called Acunetix. This type of software should never be used without the Prior Permission of the System Administrator, because it can cause a system to crash and could be considered as a cyber attack. Al-Khabaz used it without prior permission and he admitted his unauthorized action.

    So he was not expelled from the college, “because he reported a security problem to officials.”

  12. Mark

    I suppose they are right when they say they can’t get into specifics.

    On their homepage (http://www.dawsoncollege.qc.ca/home) they say this: “Despite receiving clear directives not to, he attempted repeatedly to intrude into areas of College information systems that had no relation with student information systems.”

    “The College followed its regular processes to investigate the situation and to proceed with sanctions against Mr. Al-Khabaz, on the recommendation of the Computer Science Department, giving him the opportunity to plead his case with the Dean and the Department Chair and to avail himself of appeal processes.”

    Nothing to do with “unprofessional conduct”, if you ask me, just coming down hard on a disciplinary issue. If they’d told him before he can’t bring peace to the world and feed the hungry and he had tried again anyway, they would have thrown him out just as quickly.

    That sort of mindset won’t be impressed by that petition in the least, I’m afraid. Good luck to him anyway!

  13. Ashraf
    Mr. Boss

    @Kyle: Sounds like a canned response that provides no specifics whatsoever and does not shed light on their side of the story… All that response tells us is a) the college feels what the media is reporting is inaccurate and b) college policies state students get a cease and desist prior to expulsion. Nothing useful.
    In my opinion, Ahmed did make a mistake. After reporting the vulnerability, he should not have used Acunetix. However, he is a curious computer science geek; that is what geeks do. Seeing as no malicious intent was involved nor was anything malicious done (according to media reports), this does not deserve expulsion.
    BTW, according to Ahmed he wasn’t allowed to defend himself at the 15 professor meeting that voted to kick him out.

  14. Kyle

    I searched around and here is what the college has to say: Dawson College Statement

    The key paragraph is this one:
    “In the recent case of Ahmed Al-Khabaz, which he himself brought to the media, the College stands by its decision. The reasons cited in the National Post article for which the student says he was expelled are inaccurate. The process which leads to expulsion includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned, particularly in the area of professional code of conduct. Conditions for remaining in the College on good terms are clearly explained in person to the student.”

  15. Mike

    Why are authorities so quick to condemn (and in a school, no less)? At the most, the student should have been told, don’t do that again; on the other end, he should have been given a stipend and a position in the IS Dept.

  16. Shawn

    We’re talking about Dawson here… this school will do anything to protect their image including lie, cheat and steal.

    It’s disgusting and I’m glad that the Dawson union got involved in helping this kid.

    The kid does exactly like me: I see a problem, I report it, and a week later I re-check if it’s been fixed to give more hell to the people I warned. Done this on many sites and I’m happy to say that these websites appreciate the bug fixes.

    From dumb ordering systems to open folders if your business tries hard I’ll be damn sure to help… should you not care well I’m one of the nice ones and there are others who will gladly destroy you.

    So good luck to him… it’s about time these companies start thinking about the people and not always money.

  17. Kyle

    Respectfully, it sounds like we’re mostly only getting his side of the story in that we haven’t heard from the professors why they voted the way they did. I mean, are 14 out of 15 professors totally corrupt and/or stupid?

    Also, there is no maybe about it. He certainly should have notified Skytech that he was going to run a security check on his own. Perhaps he was told not to go anywhere near the security system again, to leave everything to Skytech, yet he did it anyway and this is why the college felt he deserved to be expelled.

    Further, we don’t know if he had gotten into trouble before at the college and so this may have been a “last straw” type of situation.