Computer science student expelled for testing university software security

From the details I've read this university and especially the computer science department of this university should be ashamed of its cowardly behavior -- expelling a student who was nice enough to report a security vulnerability to them.

I suspect this is one of those cases that will be lucky enough to get enough attention to be reversed -- one wonders how many similar episodes do not get attention. Shameful.

After an initial meeting with Director of Information Services and Technology François Paradis on Oct. 24, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill.

Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.

“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack...

--- End quote ---

... Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour.

--- End quote ---

From boingboing, which says something I agree with as a former CS student:
The thing that gets me, as a member of a computer science faculty, is how gutless his instructors were in their treatment of this promising student.
--- End quote ---


The issue was not that he reported the vulnerability, but instead that he ran an automated tool, Acunetix, designed to hack and test systems. Without system administrator approval from both the school network and the remote system network, he is in violation of several ethical guidelines and laws. Tools like this CAN and HAVE crashed entire systems, at times rendering the system inaccessible, because of the amount of traffic they can generate and techniques they use. So, no, he was NOT expelled for reporting the vulnerability, but for going in two days later, using a tool that was not authorized on the school network, and scanning a remote system which IS against the law in many jurisdictions.

So, he helps them, they say they took care of it, he checks, he gets expelled for checking.

Yup. No good deed goes unpunished.

Renegade, unless he was specifically granted permission to re-check the system, it is an illegal scan of the system. Many professional penetration testers have lost their jobs because of such an act.

It's fine to say he should not have run that automated testing software -- but the idea of expelling someone for that -- or anything even remotely close to that, is just unfathomable to me. It's completely antithetical to the spirit of learning and curiosity about technology that you would want to foster in computer science students.

This is exactly the kind of student that a department should be happy to have and should spend their time encouraging and challenging and helping to flourish.

This is a student for god's sake -- the idea of applying these kinds of zero-tolerance paranoid security reactions to someone like that is just wrongheaded.
