Twenty-year-old computer science student Ahmed Al-Khabaz has been expelled from Montreal’s Dawson College after he found a serious flaw in the college’s computer system that left the personal information of thousands of students at risk.
The majority of Quebec CEGEPs use the same system to store their students’ personal data, meaning that the security of more than 250,000 students was in question.
Al-Khabaz, a member of the school’s software development club, was working on a mobile app that would give students easier access to their college accounts when he and a colleague, Ovidiu Mija, discovered the flaw.
Al-Khabaz said that the “sloppy coding” in the Omnivox software allowed pretty much “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”
Al-Khabaz said he felt it was his “moral duty” to bring the flaw to the college’s attention and to help fix it. He said he could easily have hidden his identity behind a proxy, but he believed he was doing something good rather than something he would be punished for.
Al-Khabaz met with François Paradis, Dawson’s Director of Information Services and Technology, back in October. Paradis praised Al-Khabaz and his colleague for discovering the problem and reporting it to the college, and assured him that Skytech, the company that makes Omnivox, would fix the fault immediately.
Two days after this meeting, Al-Khabaz ran Acunetix, a commercial web vulnerability scanner, against the system to check whether the problem had been fixed and his personal data was now safe. Scanners of this kind probe a site with a large volume of automated requests and are easily noticed by whoever is watching the server, and a few moments after he started it his home telephone rang. On the line was Edouard Taza, the president of Skytech, who informed the student that his actions constituted a “cyber attack.”
Al-Khabaz explained that he was the student who had originally discovered the flaw and reported it to the college, and apologized for his actions. However, Taza told him that he could go to jail for six to 12 months and that if he did not sign a non-disclosure agreement, the police would be called in to arrest him.
Al-Khabaz signed the agreement, which forbade him from discussing anything he had discovered about the Skytech servers, any information relating to the company, or the way in which he had accessed the system. He was also prohibited from discussing the non-disclosure agreement itself, and was warned that he would face legal action if his actions became public.
Canada’s National Post contacted Taza for comment on these allegations. The Skytech president admitted mentioning the police and legal consequences but denied threatening the student, saying that Al-Khabaz must have “misunderstood” his comments.
Taza said that all software companies, even the biggest ones, have bugs, and that his company acted quickly to remedy the flaw the students discovered. In his view, however, Al-Khabaz crossed a line when he ran the Acunetix scan. He said:
“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”
After learning that Al-Khabaz had run the scanner, the Dawson College administration expelled him for a “serious professional conduct issue.”
Al-Khabaz said he was called into a meeting with his program coordinator, Ken Fogel, and Dawson College Dean Dianne Gauvin, where he was asked numerous questions that focused primarily on how many people he had told about the software problems. Al-Khabaz said: “I got the sense that their primary concern was covering up the problem.”
After this meeting, the 15 professors in the computer science department were asked to vote on whether Al-Khabaz should be expelled, and 14 voted to dismiss him. Al-Khabaz argued that the process was flawed because he was not given the opportunity to explain his actions to the faculty. He appealed the decision to the academic dean and to the director-general of the college, Richard Filion, but both appeals were rejected and he is now in academic limbo.
Al-Khabaz told the National Post that before the incident he was receiving top grades in all of his classes, but he has since been given zeros across the board, which prevents him from getting into another college. The expulsion appears on his permanent record and he has been unable to complete the degree he wanted. He said: “My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled.”
The Dawson Student Union is supporting Al-Khabaz. Its director of internal affairs and advocacy, Morgan Crockett, said: “Dawson has betrayed a brilliant student to protect Skytech management…It’s a travesty that Ahmad’s academic future has been compromised just so that Dawson and Skytech could save face. If they had any sense of decency, they would reinstate Ahmad into [the] computer science [program], refund the financial aid debt he has incurred as a result of his expulsion and offer him a full public apology.”
The National Post made several attempts to reach the Dawson College administration for comment on the story, but the college refused to discuss the matter, saying it was not permitted to discuss an individual student’s case on legal and ethical grounds.
If what Ahmed Al-Khabaz claims is true, I think he has every right to be angry and upset. His choice to run the Acunetix software was undoubtedly naïve; however, surely a warning would have been punishment enough. Choosing to expel Al-Khabaz for checking whether his personal data was secure seems like a rather drastic measure!
His case reminds me of the recent article by Columbia Law School Professor Tim Wu, which looked at the way in which he felt the U.S. legal system had failed Aaron Swartz and all those like him. Obviously Wu’s article focuses on the American legal system, and this incident occurred in Canada and involved the school system rather than the courts, but the underlying message is the same.
This young student merely used his extensive knowledge of computers to highlight a potentially damning flaw and then to check that it had been rectified, and yet he now faces the total ruin of his academic career, which is surely a punishment far too harsh for his ‘crime’?
Source: National Post