After an initial meeting with Director of Information Services and Technology François Paradis on Oct. 24, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack...”
...Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour.
The thing that gets me, as a member of a computer science faculty, is how gutless his instructors were in their treatment of this promising student.
Renegade, unless he was specifically granted permission to re-check the system, it is an illegal scan of the system. Many professional penetration testers have lost their jobs because of such an act.-Josh (January 21, 2013, 09:07 AM)
- An automatic client script analyzer allowing for security testing of Ajax and Web 2.0 applications
- Industry's most advanced and in-depth SQL injection and cross-site scripting testing
- Advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer
- Visual macro recorder makes testing web forms and password-protected areas easy
- Support for pages with CAPTCHA, single sign-on and two-factor authentication mechanisms
- Extensive reporting facilities including VISA PCI compliance reports
- Multi-threaded and lightning fast scanner crawls hundreds of thousands of pages with ease
- Intelligent crawler detects web server type and application language
- Acunetix crawls and analyzes websites including Flash content, SOAP and AJAX
- Port scans a web server and runs security checks against network services running on the server
From my sysadmin perspective all I can say is: A predictable and avoidable outcome. I'm hardly surprised at the response. Nor should he be.
Agreed.-40hz (January 21, 2013, 10:42 AM)
The difference between scanning for publicly available information (domain owner, email addresses listed on web pages, administrative contacts, etc.) and vulnerability scanning is that information gathering is passive when you talk about publicly available information. Scanning a server can have real consequences on the server if the tool is not configured properly and is NOT passive.-Josh (January 21, 2013, 10:35 AM)
Just because it's predictable (true), doesn't make it right.
I'm with Mouser & Ren - They should have just counted coup on the kid...not take him out and shoot him - this is crap.-Stoic Joker (January 21, 2013, 12:03 PM)
I have very little sympathy for this particular kid's self-caused problems even if I do think the school's response borders on being capricious and excessive.-40hz (January 21, 2013, 02:10 PM)
Most universities these days are also hosting critical and sensitive research projects; running important internal programs (accounting & payroll); and frequently leasing out computer resources on contract to local businesses and government agencies along with the expertise to maintain such systems.
The fact that he, on his own, informed them about the vulnerabilities the first time, tells you everything you need to know about his intentions, his moral character, and the nature of the "threat" he supposedly posed.-mouser (January 21, 2013, 03:06 PM)
When reached for comment Mr. Taza acknowledged mentioning police and legal consequences, but denied having made any threats, and suggested that Mr. Al-Khabaz had misunderstood his comments.
Going in again is where he made his mistake.-Josh (January 21, 2013, 03:24 PM)
What I'd like to see is the complaint that the professors voted on.
Out of curiosity...does anybody know what the school's official written policy is on this? The schools I'm familiar with all require signed agreements before granting access to the university's data centers and their network. IIRC the two I dealt with both had unambiguous policies regarding the unauthorized use of scanning and related tools, along with severe penalties for doing so.-40hz (January 21, 2013, 04:17 PM)
I think part of what has really gotten under my skin about this story is.. It's the professors in this department who should have known better. *THEY* should have been standing up *against* the college bureaucrats who wanted to expel him.. defending his curiosity and spirit and going to bat for him and fighting for a more proportional response. Shame on these professors -- shame on them. The only thing for them to do now is come forward and explain themselves and explain themselves -- or recant and come to his defense.-mouser (January 21, 2013, 03:41 PM)
duh! sorry for over-reacting -- i can see now you were making a joke.. I guess this episode struck a little close to home for me and it's got me a little quick on the draw.-mouser (January 21, 2013, 05:53 PM)
The machine never falters in voting for itself...(as that is its primary purpose)...So if I gotta pick a direction coming outta the gate, Damn Straight I'm backing the dog.-Stoic Joker (January 21, 2013, 06:16 PM)
Morgan Crockett, director of internal affairs and advocacy for the Dawson Student Union, agrees.
“Dawson has betrayed a brilliant student to protect Skytech management,” said Ms. Crockett. “It’s a travesty that Ahmad’s academic future has been compromised just so that Dawson and Skytech could save face. If they had any sense of decency, they would reinstate Ahmad into [the] computer science [program], refund the financial aid debt he has incurred as a result of his expulsion and offer him a full public apology.”
Repeated calls to various members of the Dawson administration were not returned, with the college citing an inability to discuss an individual student’s case on legal and ethical grounds in a statement released by their communications department.
...Just remember folks, there are TWO SIDES to every story....and to every equation... ;)-Josh (January 21, 2013, 06:01 PM)
I don't think it's about forgiveness and understanding.
A student of computer science beat the ones with the bachelors and masters at what they are supposed to be teaching.
The student is expelled?-cmpm (January 21, 2013, 04:29 PM)
Audio interview with the student:
http://www.cbc.ca/player/Radio/Local+Shows/Quebec/Daybreak+Montreal/ID/2327525012/-mouser (January 21, 2013, 02:58 PM)
The fact that he, on his own, informed them about the vulnerabilities the first time, tells you everything you need to know about his intentions, his moral character, and the nature of the "threat" he supposedly posed.-mouser (January 21, 2013, 03:06 PM)
+1 - Agreed. Now if he'd have poked it twice all sneaky and quiet...then I'd be up for a BBQ. But that ain't what happened.-Stoic Joker (January 21, 2013, 03:15 PM)
I did not add 'therefore more qualified than they are.'
They should be more responsible though.
'Beat the ones with the degrees' was not meant as a contest.
More of a lack of the right words I suppose.-cmpm (January 21, 2013, 07:30 PM)
Audio interview with the student:
http://www.cbc.ca/player/Radio/Local+Shows/Quebec/Daybreak+Montreal/ID/2327525012/-mouser (January 21, 2013, 02:58 PM)
If anyone listened to that... the student was GIVEN A TESTING ACCOUNT. What do you do with test accounts? Errr... test maybe?
Just to add insult to injury, he was given all zeros for all his grades.
Nice. Kick 'em while he's down why don't ya? Show 'em who's the boss.
Proportionality has disappeared from "laws/rules/regulations/whatever". I could give recent examples that would simply blow your mind, however, as they're real, and so utterly insane, they can only be put in the Basement.
The fact that he, on his own, informed them about the vulnerabilities the first time, tells you everything you need to know about his intentions, his moral character, and the nature of the "threat" he supposedly posed.-mouser (January 21, 2013, 03:06 PM)
+1 - Agreed. Now if he'd have poked it twice all sneaky and quiet...then I'd be up for a BBQ. But that ain't what happened.-Stoic Joker (January 21, 2013, 03:15 PM)
+1 and +1
Nothing better than BBQing a Good Samaritan though! They're not all that common, so when ya find 'em, better cook 'em up real quick!-Renegade (January 21, 2013, 08:19 PM)
Audio interview with the student:
http://www.cbc.ca/player/Radio/Local+Shows/Quebec/Daybreak+Montreal/ID/2327525012/-mouser (January 21, 2013, 02:58 PM)
If anyone listened to that... the student was GIVEN A TESTING ACCOUNT. What do you do with test accounts? Errr... test maybe?-Renegade (January 21, 2013, 08:19 PM)
get out of the coder's chair and spend a little more time down in the system operations center
I believe all agree the given punishment is not the right thing to do.-cmpm (January 21, 2013, 08:51 PM)
And yeah, I know keeping large systems up and running smoothly isn't an easy job. I do have sympathy for sysadmins - they seem to have one of those jobs where when the SHTF, it really hits the fan and splatters everywhere.-Renegade (January 21, 2013, 09:21 PM)
You run a kinder and gentler shop than most if that's the case. Most of my experience has taught me when the poo really hits the fan it's shortly followed by a few sysadmins being thrown through those same blades.-40hz (January 21, 2013, 10:10 PM)
The job offers are starting up now.
He may have fast-tracked his career!
Report says even Skytech is offering.
Hm, I think there will be more info sometime tomorrow.
http://news.nationalpost.com/2013/01/21/montreal-student-expelled-after-finding-data-security-threat-receives-job-scholarship-offers-while-college-refuses-to-reinstate-him/-cmpm (January 21, 2013, 11:05 PM)
To those defending the expulsion. Would you prefer if he would just keep the vulnerabilities secret and later he or someone else just abuse them? Because knowingly or not that's what you are advocating here.-rxantos (January 21, 2013, 11:55 PM)
Richard Filion, the director general of Dawson College, did not respond to requests for an interview, but told CBC Radio that “We have to abide by this legal requirement not to divulge any personal information of any student. The story that has been reported by many media today … was relying on an incomplete version of what had happened and what had led the college to make such a decision. The other side of the story is related to facts that we cannot divulge.”
I'm so sick of this cowardly lying legal bullshit.
So basically they are saying: You only know half the story, and if we could tell you the other half you'd understand why we did what we did. But we're not going to tell you because we want to protect the rights of the person we expelled.-mouser (January 22, 2013, 12:37 AM)
It's typical cowardly ass-covering behavior: insist there are some special secret facts that justify what they did and find some way to stall releasing it until the attention dies down.-mouser (January 22, 2013, 12:37 AM)
i don't see anything in that list that deserves to be covered up and hidden as secret and explained away as: "we have secret reasons that justify expulsion but we're not going to tell you what they are."
but i think we cannot let big organizations get away with this weasel behavior of saying: "trust us, if we explained to you the real reasons behind our actions you would understand, but we've decided we are not going to tell you the real reasons because [insert bullshit lie here]".-mouser (January 22, 2013, 02:57 AM)
THAT! Yes! That! :Thmbsup:
+1-Renegade (January 22, 2013, 06:14 AM)
@Mouser - FWIW I am on record a few posts back for saying I thought the response seemed unusually harsh and possibly excessive based on the facts made public so far.-40hz (January 22, 2013, 06:03 AM)
But that's been the historic response whenever arbitrary acts of authority get challenged. :-\-40hz (January 22, 2013, 06:52 AM)
Yet we're debating what exactly?-Stoic Joker (January 22, 2013, 07:06 AM)
- Report vulnerabilities
- Don't report vulnerabilities
- Sell exploits to pay for books & tuition
- Publish the exploit on Twitter & PasteBin then watch the SHTF? :P
-Renegade (January 22, 2013, 12:16 AM)
Having said that if the university had any sense they would have invited him to help with checking the hole was fixed after he reported it initially.-Carol Haynes (January 22, 2013, 03:40 AM)
@Mouser - FWIW I am on record a few posts back for saying I thought the response seemed unusually harsh and possibly excessive based on the facts made public so far.-40hz (January 22, 2013, 06:03 AM)
Which is pretty much where this keeps going in a circle:
Everyone seems to agree that the punishment was excessive.
Everyone seems to agree that he totally screwed up.
Yet we're debating what exactly?-Stoic Joker (January 22, 2013, 07:06 AM)
Good point. I think we should get on to what students SHOULD do. i.e.
- Report vulnerabilities
- Don't report vulnerabilities
- Sell exploits to pay for books & tuition
- Publish the exploit on Twitter & PasteBin then watch the SHTF? :P
-Renegade (January 22, 2013, 12:16 AM)
;D
I'm voting for #4 as it would be the most entertaining~! :P :Thmbsup:-Renegade (January 22, 2013, 07:31 AM)
Report says even Skytech is offering.-cmpm (January 21, 2013, 11:05 PM)
Mr. Al-Khabaz-- get a lawyer before you accept Skytech's "scholarship" or "job offer". My guess is they want you to sign something to prevent any future claims against them. The more generous they are, the greater their perceived liability in this case.
Based on the reported news, it seems that they bullied you into signing non-disclosure and then they disclosed your actions to Dawson. That information was used by Dawson to expel you.
I'm sure there is a Montreal lawyer with a sense of justice who would love to take your case, possibly for little or no cost to you.
Proceed with caution.
The job offers are starting up now.
He may have fast-tracked his career!
Report says even Skytech is offering.
Hm, I think there will be more info sometime tomorrow.
http://news.nationalpost.com/2013/01/21/montreal-student-expelled-after-finding-data-security-threat-receives-job-scholarship-offers-while-college-refuses-to-reinstate-him/-cmpm (January 21, 2013, 11:05 PM)
Hrm, did he actually do anything interesting, or did he just run some scriptkiddie already-existing tools?-f0dder (January 22, 2013, 09:16 AM)
MONTREAL — The Dawson Student Union is demanding immediate reinstatement of Hamed Al-Khabaz as a computer-science student at the Montreal CEGEP.
Montreal college student union defends expelled computer science student (http://www.globalmontreal.com/montreal+college+student+union+defends+expelled+computer+science+student/6442792671/story.html)
Useful timeline of events and facts here:
http://www.hamedhelped.com/
Reading it just makes me more convinced that the computer science department at Dawson has behaved unforgivably; if they have a different set of facts they need to present them publicly.-mouser (January 22, 2013, 10:43 PM)
November 14th
Hamed is asked to meet with Diane Gauvin. She hands him his letter of expulsion citing professional misconduct. Security is on hand to immediately confiscate his Student ID.
Wow... if that's the real series of events, I withdraw my statement that he did anything wrong. This timeline is pretty damning.-wraith808 (January 22, 2013, 11:11 PM)
October 26th
Hamed is informed that Skytech has fixed the holes in Omnivox and that the site is now secure. Excited by their rapid response, he logs on to the test server the College provided him to run an Acunetix scan. The scan shows no vulnerabilities but Skytech is alerted to its use and calls Dawson College to get the name of the “culprit”. Dawson College hands over Hamed’s number and Skytech calls him at 9PM. They threaten to call the RCMP on him and warn that he may face a year in jail for his actions. Hamed explains that he was part of the team that found the initial hole and that his intent was just to ensure the data was truly secure. They ask him to provide any bugs he may have found by October 28th. He does so under condition that they agree to not sue them and in return he will not disclose any of what he found to anybody.
In sum,
- Hamed exchanged emails with Mr. Paradis where it was expressed that his actions on September 21st were irresponsible.
- Hamed never received a Cease & Desist letter.
- Hamed never received an official written warning.
- Hamed was thanked for bringing vulnerabilities to light on October 24th.
- Hamed was given access to a test server on October 24th.
- Hamed was asked to only use the test server when at Dawson.
- Hamed was eager to verify the updated security of Omnivox on October 26th and performed tests from his home.
- Hamed immediately stopped scanning the system upon receiving a call from the CEO of Skytech.
- Hamed was not granted the right to speak directly with the members of the Computer Science faculty before they voted on his expulsion.
Reading that article (Montreal college student union defends expelled computer science student) gives me a warm feeling.
Yes, me too.-mouser (January 22, 2013, 05:12 PM)
Let's see who they might try to throw under a bus as a sacrificial lamb.-IainB (January 23, 2013, 01:35 AM)
“Shelling happens frequently on busy public servers – standard operating procedure in any professional organization is to assume the attack has successfully rooted the operating system and bleach the server outright, alerting anyone who has credentials on the box or website and begin again, usually on a new domain/IP and patched architecture.”
“Doing otherwise indicates a complete disregard for the privacy of every user and every other admin on the domain as demanded by federal and provincial law.”
Wow... if that's the real series of events, I withdraw my statement that he did anything wrong. This timeline is pretty damning.-wraith808 (January 22, 2013, 11:11 PM)
The faculty will agree in retrospect (if only to escape from scrutiny) the kid should not have been expelled.. at that point, the college will not be able to defend the expulsion and the college will find a way to say "we made the right decision and did nothing wrong and we're not going to argue the point any further.. but, on review we've decided to give him another chance anyway -- he can come back to school with all complaints dropped. now please leave us alone"-mouser (January 23, 2013, 02:07 AM)
I'm missing what the domain has to do with anything.
Could one of the sysadmins here explain how DNS resolution compromises a server? (Well, other than MTM and all that - which seems to me like a different issue.)-Renegade (January 23, 2013, 09:25 AM)
assume the attack has successfully rooted the operating system and bleach the server outright
October 24th
Hamed and his colleagues meet with François Paradis to test their theory of data access. A test server is setup for them to run their findings. They sign a Protocol for Portal Vulnerability Test. Part of said protocol stipulates that testing must happen on College grounds under the supervision of Dawson College IT staff.
Hamed was eager to verify the updated security of Omnivox on October 26th and performed tests from his home.
I'm missing what the domain has to do with anything.
Could one of the sysadmins here explain how DNS resolution compromises a server? (Well, other than MTM and all that - which seems to me like a different issue.)-Renegade (January 23, 2013, 09:25 AM)
The link was publicly recorded in Aug., 2011, at Zone-h, an open source mirror frequented by #AntiSec factions, who frequently record f** files to independents, who then confirm, store and register the hack with public search engines indicating a given domain has been compromised.-article
Wow... if that's the real series of events, I withdraw my statement that he did anything wrong. This timeline is pretty damning.-wraith808 (January 22, 2013, 11:11 PM)
Ditto. And that's from my own sysadmin perspective.-40hz (January 23, 2013, 09:46 AM)
I'm much more interested in how you could "bleach" a server. That's a new one for me.-40hz (January 23, 2013, 09:59 AM)
So by that information to me it appears he broke the "protocol" agreement that he signed...thoughts on that?-hamradio (January 23, 2013, 11:47 AM)
He did. Definitely in the wrong on that point. But as most of us (including we sysadmins) seem to be leaning, the school's response was way out of proportion to the offense that was committed. So much so that it doesn't make sense...
I can't help thinking there's still something more behind this incident than what is being acknowledged. I'm guessing this student got caught up in something else that was going on at Dawson (perhaps an ongoing investigation into an earlier or much more serious network breach?) and those behind it thought they had finally "got their man."
If so, some of the rabidness on the part of Dawson starts to make a bit more sense. As does their insinuation that there's more going on than they can publicly discuss. Which would certainly be the case if there was a police investigation currently in progress over something that had happened on Dawson's network.
Oh well...as time passes, more will come out. :o-40hz (January 23, 2013, 12:05 PM)
The question though to me is what was in the "protocol" that he signed...like if it wasn't followed and such...like consequences. So until that is posted in truth one has to assume that the "protocol" made him a "professional" and that it had a thing in it saying he could be expelled for not following them...-hamradio (January 23, 2013, 12:09 PM)
CTO Says Al-Khabaz Expulsion Shows CS Departments Stuck In "Pre-Internet Era" (http://news.slashdot.org/story/13/01/23/2347231/cto-says-al-khabaz-expulsion-shows-cs-departments-stuck-in-pre-internet-era)
Posted by samzenpus on Wednesday January 23, @07:37PM
from the getting-up-to-speed dept.
An anonymous reader writes "The Security Ledger writes that the expulsion of Ahmed Al-Khabaz, a 20 year-old computer sciences major at Dawson College in Montreal, has exposed a yawning culture gap between academic computer science programs and the contemporary marketplace for software engineering talent. In an opinion piece in the Montreal Gazette on Tuesday, Dawson computer science professor Alex Simonelis said his department forbids hacking as an 'extreme example' of 'behavior that is unacceptable in a computing professional.' And, in a news conference on Tuesday, Dawson's administration stuck to that line, saying that Al-Khabaz's actions show he is 'no longer suited for the profession.' In the meantime, Al-Khabaz has received more than one job offer from technology firms, including Skytech, the company that makes Omnivox. Chris Wysopal, the CTO of Veracode, said that the incident shows that 'most computer science departments are still living in the pre-Internet era when it comes to computer security.' 'Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment,' he said. 'Teaching students how to write applications without taking into account the hostile environment of the Internet is like teaching architects how to make buildings without taking into account environmental conditions like earthquakes, wind and rain,' Wysopal said."
Alex Simonelis said his department forbids hacking as an 'extreme example' of 'behavior that is unacceptable in a computing professional.'-the Article
^^ StoicJoker - It's always wonderful to hear you call a spade a spade. :) :Thmbsup: You do it with style!-Renegade (January 24, 2013, 08:10 AM)
@Ren -
"Admiration -- our polite recognition of another's resemblance to ourselves." - Ambrose Bierce
;D :P-40hz (January 24, 2013, 08:47 AM)
One unfortunate thing I'm seeing more and more with the upcoming generation is how many have consciously or subconsciously embraced the notion that "it's easier to ask for forgiveness than to get permission." Almost like life comes with a reset or "new game" button. Well guess what? It doesn't. It's called reality. Welcome to Life-101.
^^ StoicJoker - It's always wonderful to hear you call a spade a spade. :) :Thmbsup: You do it with style!-Renegade (January 24, 2013, 08:10 AM)
StoicJoker Style! :Thmbsup:-TaoPhoenix (January 24, 2013, 03:59 PM)
You can blame the ever-venerable Grace Hopper (http://en.wikipedia.org/wiki/Grace_Hopper) for the quote,-Edvard (January 24, 2013, 02:21 PM)