Student expelled from college because he reported a security problem to officials
January 21, 2013
What do you do when a student discovers then reports a serious vulnerability in your school’s network — so serious that it could potentially give access to students’ social security numbers, home addresses, phone numbers, class schedules and every other bit of information that a school would have on its students? Why, you expel him for “unprofessional conduct” of course.
This is what happened to Hamed Al-Khabaz, a computer science student at Dawson College in Montreal. He came across this security hole, reportedly caused by “sloppy coding” in the school’s network. As for why he was anywhere near the code in the first place: he and his friend were innocently working on an app that would give students mobile access to their school data — something nobody would be surprised to see a computer science student doing, don’t you think?
Hamed reported this straight to the school’s Director of Information Services and Technology. All seemed fine, and Hamed was told that Skytech, the company behind the software, would work on it right away. After not hearing from them for a few days, he decided to check on the vulnerability via a program called Acunetix.
Skytech contacted Hamed immediately, saying that because he ran the security scan on the system without first notifying their system administrator, it could have caused some serious problems. They also said that it was the second time in a few days that they had detected him on their systems.
Here’s where it gets ugly: Hamed signed an NDA (non-disclosure agreement), agreeing not to discuss the case. But despite that, the faculty at Dawson College decided to take a vote on whether or not to expel him for “unprofessional conduct.” What makes it even more disgusting is the fact that Skytech acknowledges that Hamed had no “malicious intent” when he did what he did.
14 out of 15 professors voted to expel him.
Hamed’s grades have been zeroed, he was expelled, and he now has a record of unprofessional conduct. All for trying to help out, and checking on the situation afterwards? Sure, he arguably should have notified them before performing a scan — but to expel him when you know he meant no harm? That makes no sense. Maybe they’re trying to put the blame for the security vulnerability on him. Who knows.
If you wanna help Hamed, you can sign an online petition at the link below.
[via Gizmodo, National Post]
Respectfully, it sounds like we’re mostly only getting his side of the story in that we haven’t heard from the professors why they voted the way they did. I mean, are 14 out of 15 professors totally corrupt and/or stupid?
Also, there is no maybe about it. He certainly should have notified Skytech that he was going to run a security check on his own. Perhaps he was told not to go anywhere near the security system again, to leave everything to Skytech, yet he did it anyway and this is why the college felt he deserved to be expelled.
Further, we don’t know if he had gotten into trouble before at the college and so this may have been a “last straw” type of situation.
We’re talking about Dawson here… this school will do anything to protect their image including lie,cheat and steal.
It’s disgusting and I’m glad that the Dawson union got involved in helping this kid.
The kid does exactly like me: I see a problem, I report it, and a week later I re-check if it’s been fixed to give more hell to the people I warned. Done this on many sites and I’m happy to say that these websites appreciate the bug fixes.
From dumb ordering systems to open folders, if your business tries hard I’ll be damn sure to help… should you not care, well, I’m one of the nice ones and there are others who will gladly destroy you.
So good luck to him… it’s about time these companies start thinking about the people and not always money.
Why are authorities so quick to condemn (and in a school, no less)? At the most, the student should have been told, don’t do that again; on the other end, he should have been given a stipend and a position in the IS Dept.
I searched around and here is what the college has to say: Dawson College Statement
The key paragraph is this one:
“In the recent case of Ahmed Al-Khabaz, which he himself brought to the media, the College stands by its decision. The reasons cited in the National Post article for which the student says he was expelled are inaccurate. The process which leads to expulsion includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned, particularly in the area of professional code of conduct. Conditions for remaining in the College on good terms are clearly explained in person to the student.”
@Kyle: Sounds like a canned response that provides no specifics whatsoever and does not shed light on their side of the story… All that response tells us is a) the college feels what the media is reporting is inaccurate and b) college policies state students get a cease and desist prior to expulsion. Nothing useful.
In my opinion, Ahmed did make a mistake. After reporting the vulnerability, he should not have used Acunetix. However, he is a curious computer science geek; that is what geeks do. Seeing as no malicious intent was involved nor was anything malicious done (according to media reports), this does not deserve expulsion.
BTW, according to Ahmed he wasn’t allowed to defend himself at the 15 professor meeting that voted to kick him out.
I suppose they are right when they say they can’t get into specifics.
On their homepage (http://www.dawsoncollege.qc.ca/home) they say this: “Despite receiving clear directives not to, he attempted repeatedly to intrude into areas of College information systems that had no relation with student information systems.”
“The College followed its regular processes to investigate the situation and to proceed with sanctions against Mr. Al-Khabaz, on the recommendation of the Computer Science Department, giving him the opportunity to plead his case with the Dean and the Department Chair and to avail himself of appeal processes.”
Nothing to do with “unprofessional conduct”, if you ask me, just coming down hard on a disciplinary issue. If they’d told him before he can’t bring peace to the world and feed the hungry and he had tried again anyway, they would have thrown him out just as quickly.
That sort of mindset won’t be impressed by that petition in the least, I’m afraid. Good luck to him anyway!
Here is the Dawson College’s expulsion letter dated 11/14/12:
http://s3.documentcloud.org/documents/560325/pages/al-khabaz-expulsion-revised-p1-normal.gif
According to Skytech (the company that fixed the flaw in the Dawson College system), Al-Khabaz looked to test if the flaw had been “indeed” fixed by Skytech, by probing the system with a vulnerability toolkit called Acunetix. This type of software should never be used without the prior permission of the system administrator, because it can cause a system to crash and could be considered a cyber attack. Al-Khabaz used it without prior permission and he admitted his unauthorized action.
So he was not expelled from the college, “because he reported a security problem to officials.”
@Ashraf: I’m not here to come to the defense of Dawson College per se, but just to point out that so far most people on the net have only heard one side of the story. Too often I’ve seen stories where one’s first reaction is “how could such educated and supposedly mature people (in this case the professors who voted to expel) do such a stupid thing which could only serve to make them look bad!?”… but later, as more details come out, almost invariably the situation suddenly doesn’t seem as full of folly as it did initially.
In regards to Mark’s post where it mentions that the recommendation came from the Computer Science Department, to me that puts things in a new light since they presumably would be in the best position to know when a fellow computer geek crosses the line. And, at least if Dawson is to be believed, he had been warned before about this sort of behavior and yet continued to cross the line.
@Mark: What a joke! I quote: “To set the record straight, Ahmed Al-Khabaz was not expelled because he found a flaw in the student information systems. In fact, the College and Skytech recognized his work, thanked him, and enlisted him and two other students to help address the problem.” Wouldn’t following up to see if the vulnerability was fixed helping address the problem?
And: “He was expelled for other reasons. Despite receiving clear directives not to, he attempted repeatedly to intrude into areas of College information systems that had no relation with student information systems.” According to the document ovl linked, there are only two intrusions mentioned (the first one supposedly being the initial finding while the second being the follow-up). I’m not sure what “repeatedly” means.
@ovl: It was written as a catchy headline for a reason — to get people to read the article. And it isn’t like the headline is wrong. Look at the document you linked. It clearly states: “The decision was based on the following facts…” and it goes to list the whole chain of events starting from the original discovery of the vulnerability to the expulsion. There is no clear black and white boundary as to what exactly he was expelled for; the whole situation was considered, from start to finish.
@Kyle: I agree there are always two sides of the story. And I agree the latter half of what Ahmed did was wrong. But does that justify expulsion? Really? I mean if he actually attacked the network or did something malicious, I’d understand. But he didn’t. He was checking to see if the vulnerability he reported earlier was fixed. In my opinion, the punishment does not fit the crime in this case.
@Ashraf: I agree that the punishment seems hard, but I can imagine roughly equivalent non-computing scenarios where the same outcome would occur and most people would concur that he should have been kicked out.
This isn’t a perfect analogy but let’s say a student is really good at picking locks and so forth. So he happens to be fiddling around an area on campus where students shouldn’t be, an area which houses confidential information, and while mucking about he discovers a way that a thief could potentially break in. He reports this to a school official who says “okay, well on the one hand, thank you for alerting us to this potential problem, but you had no business being there. We’ll turn this matter over to campus security. THEY will fix the problem and YOU will steer clear of that area from now on. Understood?” “Yeah, okay”.
A few days later he stealthily returns, again fiddling around with security mechanisms. Eventually he is caught in the act.
So how would such a situation be handled? My guess is the student would be summarily kicked out and most people would feel he had it coming. Not only for returning to a place he knew he shouldn’t go anywhere near, and thus essentially declaring that rules which normal students must follow don’t apply to a security whiz like himself, but also for gravely disrespecting the professionals who were tasked to take care of the problem. Not to mention potentially disrupting whatever new measures they were putting into place.
In such a scenario, which I don’t think is too far off base, it could even be argued that he got off easy, for the college could just as easily have turned the matter over to the police.
@Kyle: Let’s agree on one thing: we obviously don’t have all the facts. That said, with what we do have, let me point out one fatal flaw in your analogy. According to Dawson themselves, they did not ask him to stay clear — they “enlisted him and two other students to help address the problem”. This, of course, contradicts other statements they have made, particularly the link you posted. As I mentioned in my comment earlier, I’d say following up to see if a vulnerability has been patched is only doing his duty since he was asked to “address the problem”.
Also, it is being reported as “a few days” between breach 1 (when the vulnerability was reported) and breach 2 (when Ahmed followed up with the program), seemingly indicating that Ahmed may not have given the college/IT firm enough time to fix the issue before probing to see if it was fixed. However, if you look at the timeline included in the document ovl posted, over a month passed between the two so-called system breaches. A month. Honestly, I’d want to expel the IT manager in charge, not Ahmed, for leaving a significant security breach open for over a month.
That said, in my mind there is a difference between “again fiddling around with security mechanisms” and between following up to see if the reported vulnerability was fixed. If, in your analogy, the lockpicking student was simply following up to see if the issue he reported was fixed, I for one would support him.
A messy situation indeed, but I do feel Dawson is being too heavy-handed.
Here’s a bit of a follow up to the story. He has been offered a job by several companies.
http://ca.news.yahoo.com/blogs/dailybrew/dawson-college-student-exposed-security-flaw-still-expelled-161319542.html
@Ashraf: Good points. I agree with most of what you wrote, though I disagree with how he followed up on the problem without apparently letting anyone know what he was doing. But even so, if it’s true that Dawson encouraged him to investigate the problem, then I can’t for the life of me figure out why they would go after him so hard unless they just had it in for the kid for some unfathomable reason.
The only thing I can come up with (after putting on my tin-foil hat) is that perhaps Dawson worried, or was explicitly told, that Skytech was ticked off at having their nose rubbed in it by a college student, therefore putting at risk what may have been a very mutually beneficial relationship (such as if Skytech routinely hired graduates from Dawson) — a relationship that they feared could be irreparably harmed unless they gave Hamed the boot. That too could explain why the computer science department recommended his expulsion, offering him up as a sort of sacrificial lamb since they would have the most to lose if the Skytech pipeline suddenly dried up.
But that’s just me grasping at straws. In the end it comes down to whether Hamed had permission to do what he did. If he didn’t, then I think the college was within its rights to do what they did, even if it seems drastic. We’ll probably never know for sure what really happened.
In any event, per AT’s post it looks like Hamed is going to come out of this in great shape with companies lining up to hire him. Funnily enough it even mentions that Skytech may have offered him a job, which cynically speaking is probably nothing more than a good PR move.
I know many people will not believe Yahoo News, so here is another link to CTV News, a national broadcaster in Canada. This includes a link to a video interview with the student himself.
http://www.ctvnews.ca/canada/dawson-student-accused-of-a-cyber-attack-offered-job-in-it-security-1.1124127
Let’s keep in mind: this is a school. Couldn’t it educate the student, rather than expel him?
@Ashraf
I totally disagree with you that “there is no clear black and white boundary as to what exactly he was expelled for.”
You have read the expulsion letter and it’s very clearly stated that Ahmed “injected SQL code” again into the system a month later, after the college system was fixed by SkyTech (you know that SQL injection is a technique used by hackers to attack databases through a website). Ahmed received a heads-up not to do it again, but he recklessly ignored the professional warning. This was the precise black & white boundary which he intentionally crossed.
“It was written as a catchy headline for a reason — to get people to read the article.”
I think there is no need to give any article the misleading headline just in order to catch someone’s attention. BTW, the entire article is one-sided and biased, too.
@AT: Thx!
@Kyle: Your explanation very well could be true. Dawson kicking him out could be a face saving move, or maybe trying to appease some organization. Is that necessarily SkyTech? Possibly, but if they offered him a job, I doubt it.
In the end, I think we can only speculate as to motivation unless Dawson and its professors speak up to explain their thinking.
@AT: Thx!
@Mike: I think Dawson’s point of view is that they tried to educate him and tell him to stop, but he didn’t listen. Not saying that is right; just saying that is what I think their justification is.
@ovl: Let’s agree to disagree. You are entitled to your point-of-view, I am to mine.
That said, I do agree that the article is a bit too biased. While you must understand this is a blog (and not a news organization) and we will definitely express our biases in articles, I do agree that we should have given some coverage to the other side of the coin, so to speak. Keep in mind, however, when this article was written Dawson didn’t make any public statements on their side of the story.
I just realized, the guy’s name is “Hamed Al-Khabaz” not “Ahmed Al-Khabaz” #fail
Here are the “facts” from Hamed’s point-of-view regarding this whole incident (pulled from the Hamed petition website). Are they completely true? I don’t know, but it does sound more or less the same as shown in the expulsion letter.
——
@Ashraf: Just a minor point and i think that will be it for me on this subject. You wrote: “Dawson kicking him out could be a face saving move, or maybe trying to appease some organization. Is that necessarily SkyTech? Possibly, but if they offered him a job, I doubt it.”
As I somewhat cynically noted above, the job offer could simply be a smart PR move with little expectation of him taking them up on the offer, since he might worry that the first chance they get they’ll let him go or, more likely, will be slow at promoting him. It might not be a crafty PR move and Skytech may have nothing but good intentions, but either way it has the effect of putting them in a better light while at the same time helping to dispel any suspicions that they may have worked behind the scenes to see that he was punished.
@Kyle: You are very right, especially seeing as Hamed says he hasn’t received any official offer from them.
@Kyle: @Ashraf: @Mike:
I need to give a bit of history of Dawson College so everyone can get a bit more perspective. A number of years ago, Dawson College was the scene of an on-campus shooting. I don’t remember the full details but I believe it happened around the same time as the Virginia Tech shootings, with many students also getting shot and killed. When something like that happens, college administrators are criticized for under-reacting before such an incident and tend to over-react to other incidents. This might be a case where the administrators are acting swiftly to head off any potential trouble.
No matter what happened, especially since he didn’t have any bad intentions, I think the punishment was way too harsh. :( Hope the college takes him back.