Topic: Computer science student expelled for testing university software security

mouser

From the details I've read this university and especially the computer science department of this university should be ashamed of its cowardly behavior -- expelling a student who was nice enough to report a security vulnerability to them.

I suspect this is one of those cases that will be lucky enough to get enough attention to be reversed -- one wonders how many similar episodes do not get attention.. Shameful.

> After an initial meeting with Director of Information Services and Technology François Paradis on Oct. 24, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill.
>
> Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
>
> "It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack...
>
> ..Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour.

From boingboing which says something I agree with as a former CS student:

> The thing that gets me, as a member of a computer science faculty, is how gutless his instructors were in their treatment of this promising student.
« Last Edit: January 21, 2013, 10:13 AM by mouser »

Josh

Mouser,

The issue was not that he reported the vulnerability, but instead that he ran an automated tool, Acunetix, designed to hack and test systems. Without system administrator approval from both the school network and the remote system network, he is in violation of several ethical guidelines and laws. Tools like this CAN and HAVE crashed entire systems, at times rendering the system inaccessible, because of the amount of traffic they can generate and techniques they use. So, no, he was NOT expelled for reporting the vulnerability, but for going in two days later, using a tool that was not authorized on the school network, and scanning a remote system which IS against the law in many jurisdictions.

Renegade

So, he helps them, they say they took care of it, he checks, he gets expelled for checking.

Yup. No good deed goes unpunished.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Josh

Renegade, unless he was specifically granted permission to re-check the system, it is an illegal scan of the system. Many professional penetration testers have lost their jobs because of such an act.

mouser

It's fine to say he should not have run that automated testing software -- but the idea of expelling someone for that -- or anything even remotely close to that, is just unfathomable to me.. It's completely antithetical to the spirit of learning and curiosity about technology that you would want to foster in computer science students.

This is exactly the kind of student that a department should be happy to have and should spend their time encouraging and challenging and helping to flourish.

This is a student for god's sake -- the idea of applying these kinds of zero-tolerance paranoid security reactions to someone like that is just wrongheaded.

Josh

Mouser, I am not trying to justify the expulsion, merely trying to showcase that the tool he used has been shown to have the ability to crash a remote system when scanned improperly. I agree, he should not have been expelled, however I feel the school was under pressure from the software owner to take further action after he scanned their network again. Again, had he been a professional tester, he could have faced being fired and a follow-on lawsuit. This is not someone being paranoid as this tool CAN break a system.

Renegade

+1 for mouser.

As for the legality of it? Meh. Not really all that interested in legal BS. Especially when you've got laws that make it illegal to get drunk and pass out in your own bathroom.

http://cynic.me/2012...toilet-in-cambridge/

Sure, maybe it's possible that he could crash the system. Only goes to show that they don't have any protection against DOS/DDOS there. Chalk another point up for the good guy. :D

I know what you mean about pros getting fired, and laws, and all that. I've simply lost any kind of interest in "legality" anymore. Laws are created by lobby groups, and not by the people. Why should anyone care what the letter of the law is anymore? Ok, I'm being extremely cynical, but sheesh... Like mouser points out, he's a student trying to help out and doing a damn good job of being a good student! But expulsion? Sheesh. Why throw the baby out with the bath water when you can throw it in the blender?

Is there no balance in the law? Is there no compassion? Is there no justice? Is there no sanity left? Has the letter of the law become so important that we've sacrificed our common sense and humanity on the altar of the "law books"?

What happened to proportionality?

wraith808

> Renegade, unless he was specifically granted permission to re-check the system, it is an illegal scan of the system. Many professional penetration testers have lost their jobs because of such an act.

The utility in question (Acunetix) scans for publicly available information about the system. It wasn't the smartest thing to do, but neither is it illegal- you can get the same information in other ways, and it's a white hat utility.  And the way they bullied him with incorrect information about the legality to get an NDA signed, then backed off... yeah...
« Last Edit: January 21, 2013, 10:22 AM by wraith808 »

Josh

> An automatic client script analyzer allowing for security testing of Ajax and Web 2.0 applications
> Industries' most advanced and in-depth SQL injection and Cross site scripting testing
> Advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer
> Visual macro recorder makes testing web forms and password protected areas easy
> Support for pages with CAPTCHA, single sign-on and Two Factor authentication mechanisms
> Extensive reporting facilities including VISA PCI compliance reports
> Multi-threaded and lightning fast scanner crawls hundreds of thousands of pages with ease
> Intelligent crawler detects web server type and application language
> Acunetix crawls and analyzes websites including flash content, SOAP and AJAX
> Port scans a web server and runs security checks against network services running on the server

From the Acunetix website...

The difference between scanning for publicly available information (domain owner, email addresses listed on web pages, administrative contacts, etc.) and vulnerability scanning is that information gathering is passive when you talk about publicly available information. Scanning a server can have real consequences on the server if the tool is not configured properly and is NOT passive.
« Last Edit: January 21, 2013, 10:41 AM by Josh »

40hz

From my sysadmin perspective all I can say is: A predictable and avoidable outcome.  I'm hardly surprised at the response.  Nor should he be.

I'll leave the armchair discussions of social ramifications and "justice" to others.  8)

Renegade

Hey, did that student pay for his license?

http://www.acunetix.com/ordering/

Acumotherkillerservertrixiephant Seems a bit beyond student budgets... :P

Maybe he should be crucified for that too!

(Just kidding! The university probably has licensing to cover students. Meh? What the heck! Let's have a good old fashioned lynching! :P )

Maybe ethics courses or legal courses should be included in first year university? ;)

f0dder

> From my sysadmin perspective all I can say is: A predictable and avoidable outcome. I'm hardly surprised at the response. Nor should he be.

Agreed.

If you don't have a (written) agreement with your target, you're not pentesting - you're hacking.

Is it piss-poor behavior from the uni? Yes. But if you're not going to play by the rules (which might very well be necessary sometimes, whistleblowing incompetent lying bastards comes to mind), you'll have to expect unfavorable outcomes.

Which is why you run such scans from a VM on a laptop with a faked MAC address, through TOR on a public WiFi.
- carpe noctem

Stoic Joker

Just because it's predictable (true), doesn't make it right.

I'm with Mouser & Ren - They should have just counted coup on the kid...not take him out and shoot him - this is crap.

wraith808

All I'm responding to is the fact of it being illegal

> The difference between scanning for publicly available information (domain owner, email addresses listed on web pages, administrative contacts, etc.) and vulnerability scanning is that information gathering is passive when you talk about publicly available information. Scanning a server can have real consequences on the server if the tool is not configured properly and is NOT passive.

All I'm saying is saying it was illegal, then using said threat to make him sign an NDA wasn't right by any means.  It's not illegal in and of itself, and trying to prosecute him for such would be legal handwaving.  Not saying a prosecutor wouldn't do it, but that's what it would be.

40hz

> Just because it's predictable (true), doesn't make it right.
>
> I'm with Mouser & Ren - They should have just counted coup on the kid...not take him out and shoot him - this is crap.

Here's the thing...a university's computer is *NOT* just sitting there for purely educational purposes - or for the students. Most universities these days are also hosting critical and sensitive research projects; running important internal programs (accounting & payroll); and frequently leasing out computer resources on contract to local businesses and government agencies along with the expertise to maintain such systems.

So when some undergrad decides that such a system is his personal playground where everything that happens on it should be purely for his own personal education and experience....well...I have a little trouble dealing with that level of hubris and selfishness.

Running a penetration test (even a white-hat one) sets off alarms, gets the sysadmins steppin' & fetchin' - and sometimes puts outside contracts or internal operations in jeopardy. Especially if the DoD or financial institutions are involved. Disclosure statements to be filed, audits to be performed, re-certifications needed in some cases, and occasionally data or contracts lost, plus a hit to your reputation and a signal to potential hackers that this is a facility worth targeting...all of these things come at a price. And to just say "Well...I'm just a student and I was trying to learn something." doesn't cut it in this context.

One unfortunate thing I'm seeing more and more with the upcoming generation is how many have consciously or subconsciously embraced the notion that "it's easier to ask for forgiveness than to get permission." Almost like life comes with a reset or "new game" button. Well guess what? It doesn't. It's called reality. Welcome to Life-101.

And one of the first lessons learned in Life-101 is that just because you say "you're sorry" and "didn't mean anything by it" doesn't automatically absolve you of the consequences of your actions.

In this day of virtual machines and lab setups there are safer and better ways to become educated in network intrusion than to perform an unauthorized 'run' on a live production system. Doing that is just flat out unacceptable.

In this particular student's case, it was great that he discovered and reported a security problem. And I see he received kudos and full props for it. But going back in after the fact to "verify" the fix had been made? I'd be suspicious too.

I have very little sympathy for this particular kid's self-caused problems even if I do think the school's response borders on being capricious and excessive. However, please note that the headlines are somewhat misleading too. He wasn't expelled for identifying a security issue. He was expelled for going back afterwards and running an unauthorized scan using Acunetix. That's a very different thing than implying that he merely identified a security hole - and then got promptly expelled from his college by way of a thank-you as some news sources are seeming to say.

Stoic Joker

Yeah, Yeah, Yeah, I'm familiar with the rap...

> I have very little sympathy for this particular kid's self-caused problems even if I do think the school's response borders on being capricious and excessive.

:D (Do I even have to say it...?) Exxaactly ... Hence my comment about "Counting Coup". Sit the boy down, have a little quality "Scared Straight" lecture time with him, and then... Let. It. Go. They didn't need to crucify his ass. That just invites a PR nightmare...Kinda like what they appear to be having a bit of now.

mouser

Audio interview with the student:
http://www.cbc.ca/pl...treal/ID/2327525012/

mouser

The fact that he, on his own, informed them about the vulnerabilities the first time, tells you everything you need to know about his intentions, his moral character, and the nature of the "threat" he supposedly posed.

The more I read about this the angrier I get.. I guess it hits close to home for me -- I could easily see this happening to me or any other student in the computer science departments that I've attended. In fact I can easily see myself or friends *not* reporting such a discovery and being curious about what else was exposed.. Absolutely disgraceful behavior from the university -- I hope the CS students in that department start protesting loudly until it's reversed -- and even then every professor in that department who voted for his expulsion should be treated with suspicion.

It would be nice to hear from the one CS faculty member who among his peers did NOT vote for expulsion. If anyone finds an interview of him I'd love to read it. We need to celebrate those willing to stand up to this bureaucratic, group-think-like, cowardly behavior.

cmpm

> Most universities these days are also hosting critical and sensitive research projects; running important internal programs (accounting & payroll); and frequently leasing out computer resources on contract to local businesses and government agencies along with the expertise to maintain such systems.

If these programs are not separate from student user accounts, then the university and Skytech and Omnivox Consulting are not very smart about much of anything. And have bigger issues that are not solved by expelling a student.

Stoic Joker

> The fact that he, on his own, informed them about the vulnerabilities the first time, tells you everything you need to know about his intentions, his moral character, and the nature of the "threat" he supposedly posed.

+1 - Agreed. Now if he'd have poked it twice all sneaky and quiet...then I'd be up for a BBQ. But that ain't what happened.

cmpm

> Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school's software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as "sloppy coding" in the widely used Omnivox software which would allow "anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student."
>
> Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.

Run the Test again, Mr. Al-Khabaz.
The damn fools.....

Josh

But he went in scanning for ADDITIONAL vulnerabilities AFTER he advised them of the first one. That is the problem here. I've watched tools like this drag a network to a crawl from a simple scan. Retina and other tools, while basic in nature, can degrade a network to the point of sheer non-usability. Intent aside, he did not have permission to scan, was not asked to do so after the initial report, and could have taken other avenues with the IT staff to conduct a proper security audit based on what he had already seen. Going in again is where he made his mistake.

wraith808

> When reached for comment Mr. Taza acknowledged mentioning police and legal consequences, but denied having made any threats, and suggested that Mr. Al-Khabaz had misunderstood his comments.

This is what makes me want to BBQ them instead. This wasn't because of hacking or even running the software. They were in CYA mode, and the uni is helping them to CYA. What I'd like to see is the complaint that the professors voted on. It wasn't as simple as this guy ran this... should we expel. There's still CYA going on. And that's the big problem that I see - this guy is getting crushed in the machinery of maintaining contracts and CYA.

wraith808

> Going in again is where he made his mistake.

No one is saying what he did wasn't a mistake- he should have been informed as to such, and perhaps punitive measures taken based on the fact that he violated university rules, if indeed there was such in place.  But there is intent, and reasoned response.  That's what's being questioned.  The argument over whether running it was the wrong move is a straw man, IMO.

mouser

> What I'd like to see is the complaint that the professors voted on.

Ditto -- who here would be surprised to find out they voted based on some totally overblown fantasy that this kid was some criminal mastermind repeatedly trying to hack into and bring down their computer systems and steal and misuse the private information of others.