Topic: Computer science student expelled for testing university software security (Read 54403 times)

cmpm

  • Charter Member
  • Joined in 2006
  • Posts: 2,026
My best guess is they voted according to keeping their own jobs.
Knowing a little about how administration operates.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,914
I think part of what has really gotten under my skin about this story is.. It's the professors in this department who should have known better.  *THEY* should have been standing up *against* the college bureaucrats who wanted to expel him.. defending his curiosity and spirit and going to bat for him and fighting for a more proportional response.  Shame on these professors -- shame on them.  The only thing for them to do now is come forward and explain themselves and explain themselves -- or recant and come to his defense.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,649
Better yet, having already by way of their own vote assigned a quantity of guilt to said situation ... The professors should be forced to share in said quantum of guilt for improperly teaching him what not to do.

If outrage is not to be conserved, then it should be allowed to expand proportionately across all involved in the interest of fair play (my version).

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,859
I get the feeling that many people who don't deal with large system administration issues tend to be more "forgiving" and "understanding" (whatever that means in this context) than do those of us who deal with it for a living.
 ;D

----/

Out of curiosity...does anybody know what the school's official written policy is on this? The schools I'm familiar with all require signed agreements before granting access to the university's data centers and their network. IIRC the two I dealt with both had unambiguous policies regarding the unauthorized use of scanning and related tools, along with severe penalties for doing so.
« Last Edit: January 21, 2013, 04:27 PM by 40hz »

cmpm

  • Charter Member
  • Joined in 2006
  • Posts: 2,026
I don't think it's about forgiveness and understanding.
A student of computer science beat the ones with the bachelors and masters at what they are supposed to be teaching.
The student is expelled?

Josh

  • Charter Honorary Member
  • Joined in 2005
  • Points: 45
  • Posts: 3,411
Out of curiosity...does anybody know what the school's official written policy is on this? The schools I'm familiar with all require signed agreements before granting access to the university's data centers and their network. IIRC the two I dealt with both had unambiguous policies regarding the unauthorized use of scanning and related tools, along with severe penalties for doing so.

http://dc11.dawsonco...%20Policy%20v1.1.pdf

Out of specific interest are bullets 2a and 4.

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,859
I think part of what has really gotten under my skin about this story is.. It's the professors in this department who should have known better.  *THEY* should have been standing up *against* the college bureaucrats who wanted to expel him.. defending his curiosity and spirit and going to bat for him and fighting for a more proportional response.  Shame on these professors -- shame on them.  The only thing for them to do now is come forward and explain themselves and explain themselves -- or recant and come to his defense.

At the risk of sounding cynical, I haven't seen university faculties buck university administrations much over anything in something like the last twenty years - unless it was over their compensation packages - or the firing of one of their own.

True they'll wade into the public arena with opinions on hot-button social issues whenever there's a possibility of securing some government work (gun control being the most recent area that needed "expert" academic input) or exposure on TV at a hearing. But most times, they seem to keep their heads down pretty low.

As a group, most academics are remarkably risk adverse and status conscious.

I don't expect too many of Dawson's own to come forward - although faculty members outside Dawson may have a bit to say once there's enough Reddit and Slashdot chatter posted to safely gauge which way the "big wind" is going to blow on this one.

Unfortunately for this student, right now we have the Aaron Swartz and Kim Dotcom debacles to deal with. So when it comes to Dawson, the tech press has much bigger (and IMHO more important) fish to fry.


IainB

  • Supporting Member
  • Joined in 2008
  • Posts: 7,544
  • @Slartibartfarst
I have it from a reliable source, apparently via someone at Montreal's Dawson College, that there could be a great deal more to this story than meets the eye. Whereas it was commendable that Ahmed Al-Khabaz reported the security weaknesses, he thus exposed himself to some security scrutiny, and apparently it was found that he has close associations with the notorious Al-Gebra movement reported on here: New Terrorist Group at Large in USA.
Maybe his expulsion for subsequently "retesting" the security was based on matters of which we are not privy to. It could all add up.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,914
Utter nonsense.

If they had some reason to suspect him of some terrorist connections they would have and should have said so, and he never would have reported the vulnerabilities to them in the first place. Pure paranoia.

Now if it comes out that he was snooping around more than he admitted, or enjoyed looking for vulnerabilities more than he admitted, or has a longer history of playing around with university computer security.. that's certainly possible and remains to be seen.

But let's not take what is by every sign just a young kid curious about his university's computer systems security -- a trait we used to celebrate in the hackers of old, and make him out to be a terrorist.

IainB

  • Supporting Member
  • Joined in 2008
  • Posts: 7,544
  • @Slartibartfarst
Erm, it was a joke, d'you see? Follow the link. "It all adds up".
And so it is nonsense!    ;)

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,914
duh! sorry for over-reacting -- I can see now you were making a joke.. I guess this episode struck a little close to home for me and it's got me a little quick on the draw.

Josh

  • Charter Honorary Member
  • Joined in 2005
  • Points: 45
  • Posts: 3,411
duh! sorry for over-reacting -- I can see now you were making a joke.. I guess this episode struck a little close to home for me and it's got me a little quick on the draw.

Hence why I told you on IRC that I felt you were jumping to the same conclusion that most people on the internet do and that is to believe the first story to the media, or the side that is easiest to garner the most sympathy for. After all, it makes us feel better to root for the underdog vice the big entity (in this case, the college). Just remember folks, there are TWO SIDES to every story.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,649
The machine never falters in voting for itself...(as that is its primary purpose)...So if I gotta pick a direction coming outta the gate, Damn Straight I'm backing the dog.

Josh

  • Charter Honorary Member
  • Joined in 2005
  • Points: 45
  • Posts: 3,411
The machine never falters in voting for itself...(as that is its primary purpose)...So if I gotta pick a direction coming outta the gate, Damn Straight I'm backing the dog.

The problem with that is the other party is immediately painted guilty until proven innocent. Doesn't it make sense to wait until information from both sides is available? Something tells me there is more to this than meets the eye.

cmpm

  • Charter Member
  • Joined in 2006
  • Posts: 2,026
Morgan Crockett, director of internal affairs and advocacy for the Dawson Student Union, agrees.

“Dawson has betrayed a brilliant student to protect Skytech management,” said Ms. Crockett. “It’s a travesty that Ahmad’s academic future has been compromised just so that Dawson and Skytech could save face. If they had any sense of decency, they would reinstate Ahmad into [the] computer science [program], refund the financial aid debt he has incurred as a result of his expulsion and offer him a full public apology.”

Repeated calls to various members of the Dawson administration were not returned, with the college citing an inability to discuss an individual student’s case on legal and ethical grounds in a statement released by their communications department.

Ruin the kid's education and not even blink about it.


IainB

  • Supporting Member
  • Joined in 2008
  • Posts: 7,544
  • @Slartibartfarst
...Just remember folks, there are TWO SIDES to every story.
...and to every equation...        ;)

But seriously, I would suggest that the issue here is the communication and publication of college security standards.
It would need to have been communicated clearly to the students - i.e., documented in college rules/regulations, and they had had it spelled out to them - that it was a "capital offence" to ping or test/retest the university's network security, but had it been so communicated?

If it had, then fine, and Ahmed Al-Khabaz had been dealt with appropriately - but only if he had also been clearly warned after the first breach (I read one report that said he was apparently told that this was the second breach).

If it had not, or if he had not even been warned after the first breach, then Ahmed Al-Khabaz would seem to have been done a great wrong, and possibly even entrapped.

In any event, I am skeptical whether they really would put it to a vote as has been reported. Would that have been the policy and corresponding due process? If so, then it sounds like it's a potentially wide-open to question and dubious process to me. I mean, no-one takes a decision, just blame it on a committee? No, the Provost should/would have been all over this one like a bad rash, making decisions.

No typical college or university can be a high-security IT establishment (e.g., like a military or Defence establishment), by definition. They need to retain open and accessible systems for the students to use. Students will not necessarily be familiar with all the prevailing rules/regulations, and would be given the benefit of the doubt - especially in such a case as this, where the student accidentally discovers and reports a flaw.

If he was an employee of a military or Defence establishment, then, in my experience he'd have been summarily dismissed and immediately physically escorted out the door, but that is not applicable in this case.

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,859
I don't think it's about forgiveness and understanding.
A student of computer science beat the ones with the bachelors and masters at what they are supposed to be teaching.
The student is expelled?


I'd characterize it more as a smart student identified a security hole in a university system. Period.

There's a big gap between doing that and us taking the ball and running with it by saying "he beat the ones" with degrees and is therefore more qualified than they are. Something which also ignores the fact that, putting all those old sayings (about how those who can't do it go on to teach it) aside, it's important to remember teaching something is a separate skill from the doing of something. There are many brilliant specialists and experts that can't teach what they do to save their lives. And vice-versa.

Also...he was not expelled for who he is, what his dreams are, or by the envious for being the romantic 'lone misunderstood hero.' He was expelled (so the less emotional reports seem to say) because he ran an unauthorized network scanning program on a system he was specifically not allowed to run it on. And further, it was a scan that had nothing to do with the original discovery of the exploit. It was done after the fact.

So all the "yeah buts" aside, he did something he knew he wasn't supposed to do.

And FWIW, unless you are a professional cracker, finding security holes is more about luck and being observant than anything else from what I've seen. So let's not automatically flip the 'genius-flag' on this student until we see a little more of what he can do.

I had a martial arts instructor who used to compliment us every time we did something unusually well - or got some technique 100% correct for the first time. He'd walk over and bow, clap you on the shoulder, and then say: "Well done!!! Now do it five more times just so we both know it wasn't luck."
« Last Edit: January 21, 2013, 07:18 PM by 40hz »

cmpm

  • Charter Member
  • Joined in 2006
  • Posts: 2,026
I did not add 'therefore more qualified than they are.'
They should be more responsible though.
'Beat the ones with the degrees' was not meant as a contest.
More of a lack of the right words I suppose.

Tinman57

  • Charter Member
  • Joined in 2006
  • Posts: 1,702
I kind of see both sides of the story, so I'm kind of on neutral ground.  HOWEVER, (and there's always a however ;) ) I'll play the devil's advocate and ask these questions before I make up my mind, not that it really matters.  lol

1.  Did the student sign a legal agreement with the school/network on what was acceptable and unacceptable behavior?

2.  How did/could the school or network admin know that he was trying this in a white-hat manner, trying to help the network, or actually just trying to find vulnerabilities for his own evil agenda?

  Inquiring minds want to know!   :tellme:

Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,291
  • Tell me something you don't know...
Audio interview with the student:
http://www.cbc.ca/pl...treal/ID/2327525012/

If anyone listened to that... the student was GIVEN A TESTING ACCOUNT. What do you do with test accounts? Errr... test maybe?

Just to add insult to injury, he was given all zeros for all his grades.

Nice. Kick 'em while he's down why don't ya? Show 'em who's the boss.

Proportionality has disappeared from "laws/rules/regulations/whatever". I could give recent examples that would simply blow your mind, however, as they're real, and so utterly insane, they can only be put in the Basement.

The fact that he, on his own, informed them about the vulnerabilities the first time, tells you everything you need to know about his intentions, his moral character, and the nature of the "threat" he supposedly posed.

+1 - Agreed. Now if he'd have poked it twice all sneaky and quiet...then I'd be up for a BBQ. But that ain't what happened.

+1 and +1


Nothing better than BBQing a Good Samaritan though! They're not all that common, so when ya find 'em, better cook 'em up real quick!
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,859
I did not add 'therefore more qualified than they are.'
They should be more responsible though.
'Beat the ones with the degrees' was not meant as a contest.
More of a lack of the right words I suppose.

Understood. I think my point (which I didn't make that well) is that you need to draw the line somewhere. All limits and rules, by nature, are arbitrary. But to open the gates to any activity on a system (or to disregard blatant system hacking activities) - with the justification that every so often it yields something of unexpected benefit - is not a good way to operate a network. And the people that do operate most professional networks are usually a lot better at it than they're given credit for. Especially by the press who automatically label any successful exploit an act of "technical" brilliance - even though most genuinely successful exploits are heavily dependent on additional non-tech factors such as "inside men," dishonest administrators, and "social engineering" mindgames.

Just saying. :)

Josh

  • Charter Honorary Member
  • Joined in 2005
  • Points: 45
  • Posts: 3,411
Audio interview with the student:
http://www.cbc.ca/pl...treal/ID/2327525012/

If anyone listened to that... the student was GIVEN A TESTING ACCOUNT. What do you do with test accounts? Errr... test maybe?

Just to add insult to injury, he was given all zeros for all his grades.

Nice. Kick 'em while he's down why don't ya? Show 'em who's the boss.

Proportionality has disappeared from "laws/rules/regulations/whatever". I could give recent examples that would simply blow your mind, however, as they're real, and so utterly insane, they can only be put in the Basement.

The fact that he, on his own, informed them about the vulnerabilities the first time, tells you everything you need to know about his intentions, his moral character, and the nature of the "threat" he supposedly posed.

+1 - Agreed. Now if he'd have poked it twice all sneaky and quiet...then I'd be up for a BBQ. But that ain't what happened.

+1 and +1


Nothing better than BBQing a Good Samaritan though! They're not all that common, so when ya find 'em, better cook 'em up real quick!

But test what? He did not specify ANY of that. Just because you have a "test account" does not mean you have free rein on the network. Oftentimes, these are for a specific purpose. And unless he was granted permission to perform the second vulnerability test, he was still in the wrong. I am not trying to justify the response he received for this, but I do see the validity in the claims that he was in the wrong.

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,859
Nothing better than BBQing a Good Samaritan though! They're not all that common, so when ya find 'em, better cook 'em up real quick!

Again. He wasn't punished for identifying and communicating his discovery of an exploit. If he let it go at that, there wouldn't have been a problem.

He was expelled afterwards for running hack-type scan software on a system in direct violation of the system's access and use policy.

Why couldn't he have just collected his kudos and walked away? Seriously? :-\


40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,859
Audio interview with the student:
http://www.cbc.ca/pl...treal/ID/2327525012/

If anyone listened to that... the student was GIVEN A TESTING ACCOUNT. What do you do with test accounts? Errr... test maybe?


Close...so very close...

Um Ren? You need to get out of the coder's chair and spend a little more time down in the system operations center...it might make some of "our" terminology and mindset a little clearer. :P ;D

(Sorry. Couldn't resist. And up till now I've been sooooo good too!)

cmpm

  • Charter Member
  • Joined in 2006
  • Posts: 2,026
get out of the coder's chair and spend a little more time down in the system operations center

I can relate to that. It needs to work both ways as well.
Not that you don't see that, 40hz.
I don't think that university sees it like that.

I believe all agree the given punishment is not the right thing to do.

And sheesh, he's a kid, not a genius, I know.
Not aware of these severe consequences, possibly, no matter what he signed.