
Kid Got Expelled from College for Reporting a Security Problem to School Officials

  • 22-01-2013 1:03am
    #1
    Closed Accounts Posts: 1,190 ✭✭✭


    http://gizmodo.com/5977646/kid-got-expelled-from-college-for-reporting-a-security-problem-to-school-officials
    No good deed, huh. A student from Dawson College in Montreal has been expelled for his involvement in the uncovering of a potentially horrible flaw in his school's online directories. Sounds dumb, right? Even worse: Everyone more or less agrees he meant no harm.

    Here's what happened: Ahmed Al-Khabaz, a Computer Science student at Dawson, and a friend were working on a mobile app to allow students mobile access to their school data. In the process, they uncovered a pretty serious vulnerability ("sloppy coding") that would have put student information at risk. What kind of information? According to Al-Khabaz, "social insurance number, home address and phone number, class schedule, basically all the information the college has on a student."


    So Al-Khabaz took the issue to the school's Director of Information Services and Technology. The meeting went well, and he was told that Skytech, the company that makes the software in question, would get right on it. After not hearing back for a few days, Al-Khabaz decided to check to see if the vulnerability had been patched, using a program called Acunetix. That was a mistake. He immediately received a call from the head of Skytech, saying this was the second time in a few days that he'd been spotted in their system, and this was a serious breach. The software he'd used to check up on the system could have caused serious problems, since it was used without prior notification to the system admin.


    Al-Khabaz apologized, and eventually signed an NDA forbidding him from discussing the case, but that wasn't the end of it. Despite the Skytech people acknowledging that there was no malicious intent, Dawson's faculty held a vote on whether it should expel him for "unprofessional conduct." Al-Khabaz was not allowed to speak on his own behalf, and 14 of 15 professors voted to expel him—rendering his grades for the semester zeroes across the board. Two motions for appeal have been turned down.


    So that's Al-Khabaz's situation right now: 20 years old, expelled from school with bottomed-out grades and a record of unprofessional conduct. All for trying to help, and bungling it a bit. You can read the rest of the sad, regrettable situation over at the National Post, or sign an online petition to help him out.

    National Post (http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data/) via Techmeme (http://www.techmeme.com/130121/p2#a130121p2)


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Al-Khabaz apologized, and eventually signed an NDA forbidding him from discussing the case, but that wasn't the end of it. Despite the Skytech people acknowledging that there was no malicious intent, Dawson's faculty held a vote on whether it should expel him for "unprofessional conduct." Al-Khabaz was not allowed to speak on his own behalf, and 14 of 15 professors voted to expel him—rendering his grades for the semester zeroes across the board. Two motions for appeal have been turned down.

    There is a tiny bit missing from the story. Apparently, after the NDA was signed, the college told him the issue was resolved if he agreed to not do any more security testing of the college website. Unfortunately, Al-Khabaz ran the Acunetix web auditing tool, presumably to check if the flaw had been fixed. This was picked up by the college IT people and he got expelled for breaking his agreement of not doing further testing.

    It's still a crappy situation. The only silver lining is he has been offered a job by the company whose software he found holes in.


  • Registered Users, Registered Users 2 Posts: 8,813 ✭✭✭BaconZombie


    He also only gave them 2 days to fix the problem before testing it.
    Plus, if he knew what the issue was, why did he use Acunetix, which is an XSS scanner only, and not do it manually?
    syklops wrote: »
    There is a tiny bit missing from the story. Apparently, after the NDA was signed, the college told him the issue was resolved if he agreed to not do any more security testing of the college website. Unfortunately, Al-Khabaz ran the Acunetix web auditing tool, presumably to check if the flaw had been fixed. This was picked up by the college IT people and he got expelled for breaking his agreement of not doing further testing.

    It's still a crappy situation. The only silver lining is he has been offered a job by the company whose software he found holes in.


  • Registered Users, Registered Users 2 Posts: 1,691 ✭✭✭JimmyCrackCorn


    Crappy situation but he signed an NDA and made an agreement he then broke.

