Montreal-Based Dawson College Expels Student After He Reports Security Flaw In Computer System


By: Talha Bhatti  |   January 22nd, 2013   |   News, O Canada
Dawson College

Ahmed Al-Khabaz has been expelled from Dawson College in Montreal after he reported a security loophole in a system that many Quebec CEGEPs (General and Vocational Colleges) use. The 20-year-old computer science student’s identification of the flaw kept 250,000 students’ personal data safe, which otherwise would have been exposed to attack. Al-Khabaz discovered the issue while developing a mobile app to let students access their college accounts. He was working with another student when they found “sloppy coding” in the Omnivox software. According to Al-Khabaz, the flaw allowed “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”

 

Al-Khabaz went on to say, “I saw a flaw which left the personal information of thousands of students, including myself, vulnerable. I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”

 

Al-Khabaz met the Director of Information Services and Technology, François Paradis, after the discovery, and his efforts were appreciated. The two students, Al-Khabaz and Ovidiu Mija, were assured on October 24 that the Director and Omnivox developers, Skytech, would fix the issues immediately.

 

A couple of days later, Al-Khabaz ran Acunetix, a program made to test websites for flaws, to check that the issue he discovered had been resolved. Right after he ran the test, he was called by Skytech President Edouard Taza. Al-Khabaz claims that Taza said, “…this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”

 

The NDA was meant to keep a lid on the matter and prevented the student from talking to the press, police or others about the situation. Taza acknowledges he spoke about the police and legal repercussions but denies making outright threats. He said, “All software companies, even Google or Microsoft, have bugs in their software. These two students discovered a very clever security flaw, which could be exploited. We acted immediately to fix the problem, and were able to do so before anyone could use it to access private information.”

 

However, he was not happy with the scanning software Al-Khabaz had used and said that, “This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”

 

Dawson College did not see the matter the same way and expelled Al-Khabaz for a “serious professional conduct issue.”

 

Al-Khabaz explains that, “I was called into a meeting with the co-ordinator of my program, Ken Fogel, and the dean, Dianne Gauvin. They asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem.” After the meeting, fifteen professors from the college’s computer science department voted to expel Al-Khabaz. The student says the proceedings were unfair because he did not get a chance to tell his story to the professors. His appeals to the academic dean and director-general were denied.

 

Al-Khabaz says that, “I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I won’t be able to get it. My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled.”

 

Director of internal affairs and advocacy for the Dawson Student Union, Morgan Crockett, is siding with Al-Khabaz and says, “Dawson has betrayed a brilliant student to protect Skytech management. It’s a travesty that Ahmad’s academic future has been compromised just so that Dawson and Skytech could save face. If they had any sense of decency, they would reinstate Ahmad into [the] computer science [program], refund the financial aid debt he has incurred as a result of his expulsion and offer him a full public apology.”

 

Source: National Post
