Updated with video from Ahmed Al-Khabaz after the jump.
When 20-year-old Dawson College computer science student Ahmed Al-Khabaz found a security flaw in his college’s software that put in jeopardy the personal information of more than 250,000 students, he did what any conscientious person would do — he warned the school. Then, obviously, the school did what anyone would have done — they expelled Al-Khabaz for a “serious professional conduct issue,” and gave him zeros in all his classes so he can’t get in to any other colleges. Makes sense. A student points out a security flaw that could have ruined the lives of his fellow students, why wouldn’t you ruin his? Stay classy, Dawson College.
The flaw was found in the Omnivox software system used by most of Quebec’s CEGEPs (General and Vocational Colleges), and was the result of what Al-Khabaz called “sloppy coding.” Al-Khabaz found the flaw while working on a smartphone app to let students access their college accounts. The flaw could have let anyone with basic computer knowledge access any of the information the colleges had on any of their students, including addresses, social insurance numbers, and even their class schedules — not the sorts of information you generally want to be common knowledge.
After Al-Khabaz informed the school of the issue, the Director of Information Services and Technology François Paradis told him that the school and the makers of Omnivox, the ominously named Skynet Skytech, would immediately fix the problem. After two days Al-Khabaz used Acunetix, a web application vulnerability scanner, to see if the problem was really fixed.
That’s when the president of Skynet Skytech called, accused Al-Khabaz of a cyber-attack, and threatened him with prosecution and jail time if he didn’t sign a non-disclosure agreement, which he did. The president of Skynet Skytech, Edouard Taza, denies making threats, but did admit to mentioning the police and the legal consequences. That sounds pretty threatening.
Taza said that using the Acunetix software without permission was what Al-Khabaz did wrong, but said it was very clear there was no malicious intent in using it.
The administration at Dawson College called a meeting with Al-Khabaz, the coordinator of the computer science program Ken Fogel, and the dean Dianne Gauvin. Al-Khabaz said he was asked a lot of questions and got the impression that the school’s main concern was covering up the problem. They probably didn’t want to look bad if the public found out about the security flaw.
After the meeting, 15 professors voted on whether to expel Al-Khabaz, and 14 voted to do so. Al-Khabaz appealed the decision to the academic dean of the school, and to director-general Richard Filion, but both appeals were denied. Now instead of looking bad for having a major security flaw in their software, Dawson College looks bad for expelling and ruining the academic life of the person who tried to fix it — oh, and also for having a major security flaw in their software. A+, good job, everyone.
The director of student advocacy, Megan Crockett, is calling for Dawson College to reinstate Al-Khabaz, publicly apologize to him, and refund the financial aid debt he is responsible for after being expelled. Is that enough? If your college expelled you after you tried to help them fix a major security flaw would you even want to go back?
Dawson College shouldn’t have expelled this kid, and Skynet Skytech shouldn’t have threatened him with prosecution. They should have offered him a job.
UPDATE: 12/25/13 – It seems Ahmed Al-Khabaz has taken to YouTube to try to bring attention to his situation and ask people for support. He’s asking Dawson College to reinstate his grades and to remove what he called a “negative comment” on his record. Al-Khabaz states in the video that he does not want to return to Dawson College — and why would he? He just wants to be able to go back to college and finish his degree.
Your move, Dawson College.