What do you do when a student discovers then reports a serious vulnerability in your school’s network — so serious that it could potentially give access to students’ social security numbers, home addresses, phone numbers, class schedules and every other bit of information that a school would have on its students? Why, you expel him for “unprofessional conduct” of course.
This is what happened to Hamed Al-Khabaz, a computer science student at Dawson College in Montreal. He came across this security hole, reportedly due to the “sloppy coding” in the school’s network. As for why he was anywhere near the code anyway? He and his friend were innocently working on an app that would provide students mobile access to their school data — something nobody would be surprised a computer science student would be doing, don’t you think?
Hamed reported this straight to the school’s Director of Information Services and Technology. All seemed fine, and Hamed was told that Skytech, the company behind the software, would work on it right away. After not hearing from them for a few days, he decided to check on the vulnerability via a program called Acunetix.
Skytech contacted Hamed immediately, saying that because he had run the security scan on the system without first notifying their system administrator, it could have caused some serious problems. They also said that it was the second time in a few days that they had detected him on their systems.
Here’s where it gets ugly: Hamed signed an NDA (non-disclosure agreement), agreeing not to discuss the case. But despite that, the faculty at Dawson College decided to take a vote on whether or not to expel him for “unprofessional conduct.” What makes it even more disgusting is the fact that Skytech acknowledges that Hamed had no “malicious intent” when he did what he did.
14 out of 15 professors voted to expel him.
Hamed’s grades have been zeroed, he was expelled and now has a record of unprofessional conduct. All for trying to help out, and checking on the situation after? It makes sense that he maybe should have notified them before performing a scan — but to expel him when you know he meant no harm? That makes no sense. Maybe they’re trying to put the blame for the security vulnerability on him. Who knows.
If you wanna help Hamed, you can sign an online petition at the link below.