Topic: Computer science student expelled for testing university software security (Read 53254 times)

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
The job offers are starting up now.
He may have fast-tracked his career!

Report says even Skytech is offering.
Hm, I think there will be more info sometime tomorrow.

http://news.national...es-to-reinstate-him/
Hrm, did he actually do anything interesting, or did he just run some scriptkiddie already-existing tools?

If the latter, something smells fishy wrt. job offers...
- carpe noctem

wraith808

  • Supporting Member
  • Joined in 2006
  • Posts: 11,188
Hrm, did he actually do anything interesting, or did he just run some scriptkiddie already-existing tools?

He did something interesting to find out the problem, i.e. was writing a utility for students, and realized there was a hole.

Then he ran already-existing tools to see if the problem had been fixed.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,646
MONTREAL — The Dawson Student Union is demanding immediate reinstatement of Hamed Al-Khabaz as a computer-science student at the Montreal CEGEP.
Montreal college student union defends expelled computer science student

Or just sign the petition to reinstate him http://www.hamedhelped.com/petition/

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,913
Reading that article (Montreal college student union defends expelled computer science student) gives me a warm feeling.  Go go Dawson Student Union!  Nice to hear that he has someone standing up for him there.

At this moment you can bet there are a large number of Dawson college administrators who are in their bathrooms dry heaving in panic at the disastrous public relations nightmare they have caused themselves by thinking they could just kick this kid out of school and never have to justify their actions or defend their actions in the light of day.

Even if you believe that they did the right thing by expelling him -- I hope you can agree that if you ran an institution/department and went to the extreme steps of flunking a student from his classes, kicking him out of school, and forcing him to refund his grants -- that you would be prepared to get up publicly and defend your actions and explain exactly what he did wrong and what you did about it, and why it justified his expulsion.

I expect what we're going to see now is a bunch of rats trying to jump ship and figure out a way for them to undo this nightmare lest they have to get up and explain how they expelled this kid without having good reason to do so.


mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,913
Useful timeline of events and facts here:
http://www.hamedhelped.com/

Reading it just makes me more convinced that the computer science department at Dawson has behaved unforgivably; if they have a different set of facts they need to present them publicly.

wraith808

  • Supporting Member
  • Joined in 2006
  • Posts: 11,188
Wow... if that's the real series of events, I withdraw my statement that he did anything wrong.  This timeline is pretty damning.

Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,291
  • Tell me something you don't know...
Useful timeline of events and facts here:
http://www.hamedhelped.com/

Reading it just makes me more convinced that the computer science department at Dawson has behaved unforgivably; if they have a different set of facts they need to present them publicly.

From that page:

November 14th

Hamed is asked to meet with Diane Gauvin. She hands him his letter of expulsion citing professional misconduct. Security is on hand to immediately confiscate his Student ID.

Ummm... Does anyone know the difference between "professional" and "amateur"?

Students are amateurs. It doesn't matter how smart or how good their grades are - they are amateurs. They are unpaid.

Professionals are paid to perform a task/service. They perform that task/service for a living. Consistently.

What he did may have been misconduct, but it certainly wasn't professional misconduct.

If you hire Joe Blow because he needs a job, and has dabbled in XYZ, you're hiring an amateur. If you hire John Doe because he does XYZ for a living, you're hiring a professional. Not a particularly difficult concept to understand.

But I raise the issue because I've seen the word "professional" thrown around, misused, and abused in a few different areas. The Humpty Dumpty interpretation of language seems to be more prevalent now with educated people that should know better. I'll leave that there though...

Now, to tie this back into the thread, mouser pointed out previously about "weasel behaviour", and this is exactly that kind of deceptive garbage used by weasels and rats to wiggle out of the messes they create for themselves. They twist words far beyond their meanings in hopes of obfuscating the facts.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,291
  • Tell me something you don't know...
Wow... if that's the real series of events, I withdraw my statement that he did anything wrong.  This timeline is pretty damning.

Quite. This entry seems to be the most contentious one there:

October 26th

Hamed is informed that Skytech has fixed the holes in Omnivox and that the site is now secure. Excited by their rapid response, he logs on to the test server the College provided him to run an Acunetix scan. The scan shows no vulnerabilities but Skytech is alerted to its use and calls Dawson College to get the name of the “culprit”. Dawson College hands over Hamed’s number and Skytech calls him at 9PM. They threaten to call the RCMP on him and warn that he may face a year in jail for his actions. Hamed explains that he was part of the team that found the initial hole and that his intent was just to ensure the data was truly secure. They ask him to provide any bugs he may have found by October 28th. He does so under condition that they agree to not sue them and in return he will not disclose any of what he found to anybody.

So he's provided with a test server, uses it, and Hell breaks loose.

The summary makes it all sound much more damning:

In sum,

- Hamed exchanged emails with Mr. Paradis where it was expressed that his actions on September 21st were irresponsible.
- Hamed never received a Cease & Desist letter.
- Hamed never received an official written warning.
- Hamed was thanked for bringing vulnerabilities to light on October 24th.
- Hamed was given access to a test server on October 24th.
- Hamed was asked to only use the test server when at Dawson.
- Hamed was eager to verify the updated security of Omnivox on October 26th and performed tests from his home.
- Hamed immediately stopped scanning the system upon receiving a call from the CEO of Skytech.
- Hamed was not granted the right to speak directly with the members of the Computer Science faculty before they voted on his expulsion.

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

IainB

  • Supporting Member
  • Joined in 2008
  • Posts: 7,543
  • @Slartibartfarst
Reading that article (Montreal college student union defends expelled computer science student) gives me a warm feeling.
Yes, me too.
If the facts as above are all true and can be substantiated, then it rather looks like a monumental clusterfark at Montreal's Dawson College. The Provost must take the blame.
They either dig the hole they've apparently already dug for themselves deeper still, or give in and say sorry.
The Streisand Effect will make sure this one doesn't get forgotten in a hurry.
There'll be a subsequent change at Board level too, I suspect.
Let's see who they might try to throw under a bus as a sacrificial lamb.

Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,291
  • Tell me something you don't know...
Let's see who they might try to throw under a bus as a sacrificial lamb.

No doubt! :)

I'm also interested to see what happens later for that professor that voted against expelling Hamed. If public opinion holds, he'll be vindicated for his lone vote. What sort of publicity will it generate for him?
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,913
I don't think you need a sacrificial lamb in a case like this..

What I suspect will happen is that the computer science faculty will realize that they voted to expel this kid on some trumped-up overblown misleading description of what the kid did, and want to walk away from that vote as soon as they possibly can before they find themselves in the spotlight they deserve. I expect that they will be the first weak link in the chain because they are going to be easy to identify and explicitly voted (based, I'm guessing, on minimal investigation, and because there is already one of them who knows the truth and voted AGAINST expelling the kid -- which is going to make it awfully hard for the rest of them to get away with brushing this under the rug).

The faculty will agree in retrospect (if only to escape from scrutiny) the kid should not have been expelled.. at that point, the college will not be able to defend the expulsion and the college will find a way to say "we made the right decision and did nothing wrong and we're not going to argue the point any further.. but,  on review we've decided to give him another chance anyway -- he can come back to school with all complaints dropped.  now please leave us alone"



The key to understanding all of this is that you can be sure that NO ONE in the chain of f*ckups who decided to expel this kid and reject his appeal and now defend the college's actions -- has the SLIGHTEST conception of what he did and why they are expelling him.  They only know that a decision to do so was made and that therefore it was the right thing to do and up the chain it goes with everyone saluting and saying "it was the right thing to do, unquestionably."  As soon as the CS professors swallow their pride and admit they fucked up, everything else should unravel.

This kid is EXTREMELY lucky, partly because there is so much attention on this, but mainly because most of the time the way these things come down is you never find the people who actually made the decision that killed you -- and everyone involved says: "there was no choice, we were just following rules".  In this case the fact that they have this vote of faculty members that was the deciding factor -- surely that will be what creates the leverage to undo this.
« Last Edit: January 23, 2013, 02:18 AM by mouser »

cmpm

  • Charter Member
  • Joined in 2006
  • Posts: 2,026
Dawson's website is still compromised according to this report.

http://o.canada.com/...ked-16-months-later/

Renegade

  • Charter Member
  • Joined in 2005
  • Posts: 13,291
  • Tell me something you don't know...
^^ From that article:

“Shelling happens frequently on busy public servers – standard operating procedure in any professional organization is to assume the attack has successfully rooted the operating system and bleach the server outright, alerting anyone who has credentials on the box or website and begin again, usually on a new domain/IP and patched architecture.”

“Doing otherwise indicates a complete disregard for the privacy of every user and every other admin on the domain as demanded by federal and provincial law.”

I'm missing what the domain has to do with anything.

Could one of the sysadmins here explain how DNS resolution compromises a server? (Well, other than MTM and all that - which seems to me like a different issue.)

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,858
Wow... if that's the real series of events, I withdraw my statement that he did anything wrong.  This timeline is pretty damning.

Ditto. And that's from my own sysadmin perspective.


The faculty will agree in retrospect (if only to escape from scrutiny) the kid should not have been expelled.. at that point, the college will not be able to defend the expulsion and the college will find a way to say "we made the right decision and did nothing wrong and we're not going to argue the point any further.. but,  on review we've decided to give him another chance anyway -- he can come back to school with all complaints dropped.  now please leave us alone"


Right now I think Dawson is desperately seeking a way to disengage without admitting any wrongdoing. Something that has always worked well for major corporations when they're caught up to no good.

Now that more information is available, it does appear that some significant administrative "wilding" has taken place. Likely at the behest of some "fusty-musty" admin/faculty types. (Those of you who 'served time' in any college or university will know the tribe - they have first names like Sterling or Cornelius, wear tweed suits all year long, and favor paisley or yellow bow ties.)


I think the utterly vindictive (and likely illegal) act of failing him in all his courses in addition to expelling him is a very clear indication of the mindset of those who made the decision. (And I somehow can't help but think that having a name like Ahmed Al-Khabaz figured significantly into how this incident got handled by the school.)

I think Mouser has called it. The school will probably offer this guy a deal where they'll reinstate his student status, grades, and grant(s) in exchange for a written admission of some sort of wrongdoing on his part; an agreement to waive his right to seek future legal remedies; and most likely some sort of 'gag agreement' not to criticize or say anything that would put Dawson in a bad light.

This is a sad state of affairs in that it would be in this student's best interest to accept such an arrangement, and then leave the school, rather than go out under a cloud that would likely take years of expensive litigation to resolve.

Oh well...right now this kid has some flex room in that he could always threaten to break that NDA (and likely get it invalidated in the process since it was obtained under 'extreme duress' assuming Canada has such a law) and go public with the whole story in detail - something Dawson seems extremely anxious to avoid.

I'm sure he'll settle with Dawson. I just hope he receives competent legal advice and gets enough back before he does so.


40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,858
I'm missing what the domain has to do with anything.

Could one of the sysadmins here explain how DNS resolution compromises a server? (Well, other than MTM and all that - which seems to me like a different issue.)

It really doesn't AFAIK except by a stretch as you noted. I suppose you could somehow compromise or poison the internal DNS cache, or bugger with HOSTS and do some voodoo rerouting - but again that's a pretty big stretch - and easily detected.

I think he's speaking of somehow compromising a Windows server (where DNS/AD and the whole domain model are completely intertwined) and is either leaving something out of the point he thinks he's making, or is just a little confused. Which is understandable. The Windows implementation of DNS as it relates to AD can get confusing at times.

assume the attack has successfully rooted the operating system and bleach the server outright

I'm much more interested in how you could "bleach" a server. That's a new one for me. Unless the writer is from China?  :P  (Sorry. that wasn't very PC on my part, was it?) ;)
« Last Edit: January 23, 2013, 10:08 AM by 40hz »
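The HOSTS-file rerouting 40hz mentions above is one of the few things in this thread a sysadmin can actually check for with a script. The following is an added example, not code from 40hz's post or from anyone else in the thread: it parses hosts-file text and flags entries that pin a public name to a fixed address, move "localhost" off loopback, or map one name to conflicting addresses. PROTECTED_NAMES and SAMPLE_HOSTS are constructed for illustration and are not Dawson's or Skytech's.

```python
"""Audit a hosts file for the kind of local rerouting 40hz describes.

Added example, not code from the forum post: it parses hosts-file text
and reports entries that pin a protected public name to a fixed address,
move "localhost" off loopback, or map one name to conflicting addresses.
PROTECTED_NAMES and SAMPLE_HOSTS are constructed for illustration.
"""
import ipaddress
import re

# Constructed: names that should always resolve via DNS, never via hosts.
PROTECTED_NAMES = {"login.example.edu", "portal.example.edu", "update.example.org"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}

# Constructed sample hosts file with legitimate lines and three suspect ones.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1    localhost
::1          localhost ip6-localhost
10.0.0.5     dev.internal.example    # legitimate internal entry
203.0.113.9  login.example.edu       # pins a public name to a fixed address
198.51.100.7 localhost               # sends localhost off loopback
10.0.0.6     dev.internal.example    # conflicts with the earlier mapping
"""


def parse_hosts(text):
    """Return (line_no, ip_or_None, [names]) for each non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            ip = None                         # malformed address field
        entries.append((line_no, ip, names))
    return entries


def audit_hosts(text, protected=PROTECTED_NAMES):
    """Return a list of (line_no, kind, detail) findings, in file order."""
    findings = []
    seen = {}   # (name, ip version) -> first address seen for that name
    for line_no, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((line_no, "malformed", " ".join(names)))
            continue
        addr = ipaddress.ip_address(ip)
        for name in names:
            if name in LOOPBACK_NAMES and not addr.is_loopback:
                findings.append((line_no, "localhost-redirect", f"{name} -> {ip}"))
            elif name in protected:
                findings.append((line_no, "pinned-name", f"{name} -> {ip}"))
            key = (name, addr.version)
            if key in seen and seen[key] != ip:
                findings.append((line_no, "conflict",
                                 f"{name} -> {ip} (earlier {seen[key]})"))
            seen.setdefault(key, ip)
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind}: {detail}")
```

Conflicts are tracked per address family so that "localhost" on both 127.0.0.1 and ::1 is not reported; on a real box you would feed it the contents of /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts and fill PROTECTED_NAMES with the names your users log in to.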

hamradio

  • Charter Honorary Member
  • Joined in 2006
  • Posts: 881
  • Amateur Radio Guy
Quotes from the site...

October 24th

Hamed and his colleagues meet with François Paradis to test their theory of data access. A test server is setup for them to run their findings. They sign a Protocol for Portal Vulnerability Test. Part of said protocol stipulates that testing must happen on College grounds under the supervision of Dawson College IT staff.

and then in summary...

Hamed was eager to verify the updated security of Omnivox on October 26th and performed tests from his home.

So by that information to me it appears he broke the "protocol" agreement that he signed...thoughts on that?

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,646
I'm missing what the domain has to do with anything.

Could one of the sysadmins here explain how DNS resolution compromises a server? (Well, other than MTM and all that - which seems to me like a different issue.)

Perhaps it's in reference to the externally facing public (www...) domain, and not the internal LAN/AD domain.

The link was publicly recorded in Aug., 2011, at Zone-h, an open source mirror frequented by #AntiSec factions, who frequently record f** files to independents, who then confirm, store and register the hack with public search engines indicating a given domain has been compromised.
-article

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,646
Wow... if that's the real series of events, I withdraw my statement that he did anything wrong.  This timeline is pretty damning.

Ditto. And that's from my own sysadmin perspective.

 :-*

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,646
I'm much more interested in how you could "bleach" a server. That's a new one for me.

A superficial google search implies that 'Bleach' is a type of MineCraft server ... :-\ ... So I guess (in Canada) if a server goes past a certain point they just give up and play video games on it.

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,858
So by that information to me it appears he broke the "protocol" agreement that he signed...thoughts on that?

He did. Definitely in the wrong on that point. But as most of us (including us sysadmins) seem to be leaning, the school's response was way out of proportion to the offense that was committed. So much so that it doesn't make sense...

I can't help thinking there's still something more behind this incident than what is being acknowledged. I'm guessing this student got caught up in something else that was going on at Dawson (perhaps an ongoing investigation into an earlier or much more serious network breach?) and those behind it thought they had finally "got their man." Or at least "somebody involved" who they thought they could lean on hard to get to the people they were really after.

If so, some of the rabidness on the part of Dawson starts to make a bit more sense. As does their insinuation that there's more going on than they can publicly discuss. Which would certainly be the case if there was a police investigation currently in progress over something that had happened on Dawson's network.

Oh well...as time passes, more will come out. :o

« Last Edit: January 23, 2013, 12:12 PM by 40hz »

hamradio

  • Charter Honorary Member
  • Joined in 2006
  • Posts: 881
  • Amateur Radio Guy
So by that information to me it appears he broke the "protocol" agreement that he signed...thoughts on that?

He did. Definitely in the wrong on that point. But as most of us (including us sysadmins) seem to be leaning, the school's response was way out of proportion to the offense that was committed. So much so that it doesn't make sense...

I can't help thinking there's still something more behind this incident than what is being acknowledged. I'm guessing this student got caught up in something else that was going on at Dawson (perhaps an ongoing investigation into an earlier or much more serious network breach?) and those behind it thought they had finally "got their man."

If so, some of the rabidness on the part of Dawson starts to make a bit more sense. As does their insinuation that there's more going on than they can publicly discuss. Which would certainly be the case if there was a police investigation currently in progress over something that had happened on Dawson's network.

Oh well...as time passes, more will come out. :o



The question though to me is what was in the "protocol" that he signed...like if it wasn't followed and such...like consequences.  So until that is posted in truth one has to assume that the "protocol" made him a "professional" and that it had a thing in it saying he could be expelled for not following them...

40hz

  • Supporting Member
  • Joined in 2007
  • Posts: 11,858
^Up to a point, yes. Doing a scan from an unauthorized point of access may very well have made him subject to expulsion. I know students who have been expelled for doing similar things.

But in those situations the procedure was to suspend the student and have him go before the school's judicial review board for an expulsion hearing. Once that was done, if the determination was to expel, the student was out - and that was the end of it.

I've never seen a school fail a student's grades, pressure him into signing an NDA, and start a process to recover all his grant or scholarship money.

And threatening him with prosecution (unless he refused to attend his school hearing) is unheard of since anything he said at such a hearing could be used in evidence against him at a real trial. So with disciplinary boards it's usually one or the other: (a) sign an agreement you'll stand before the school and accept their decision without further legal recourse on your part, or further action from the school - or (b) refuse, in which case the school will call in the police - and summarily suspend you until that gets resolved in some court a year or three later.

From what I've seen, expulsion is still enough of a big deal that schools need to be very careful about it. Much like employers have to be when they terminate an employee. My sister terminated one of her employees for stealing. Six months later she got sued for wrongful discharge and was ultimately made to settle with the girl for all her back wages because the girl claimed she hadn't. The thing that lost the case for my sister was the fact she did not call the police and have the girl arrested. Because of that, it was considered her word against the girl's that a crime had been committed.

But maybe the laws are different up in Canada?




wraith808

  • Supporting Member
  • Joined in 2006
  • Posts: 11,188
The question though to me is what was in the "protocol" that he signed...like if it wasn't followed and such...like consequences.  So until that is posted in truth one has to assume that the "protocol" made him a "professional" and that it had a thing in it saying he could be expelled for not following them...

Nothing so draconian if it's a normal agreement for such.  There might be provision for such, but it would have required more of a hearing than he received in general.  But all of this is speculation until posted - I definitely wouldn't err on the side of trusting the Uni after what they've shown.

IainB

  • Supporting Member
  • Joined in 2008
  • Posts: 7,543
  • @Slartibartfarst
Some pointed comment at Slashdot:
CTO Says Al-Khabaz Expulsion Shows CS Departments Stuck In "Pre-Internet Era"
Posted by samzenpus on Wednesday January 23, @07:37PM
from the getting-up-to-speed dept.

An anonymous reader writes "The Security Ledger writes that the expulsion of Ahmed Al-Khabaz, a 20 year-old computer sciences major at Dawson College in Montreal, has exposed a yawning culture gap between academic computer science programs and the contemporary marketplace for software engineering talent. In an opinion piece in the Montreal Gazette on Tuesday, Dawson computer science professor Alex Simonelis said his department forbids hacking as an 'extreme example' of 'behavior that is unacceptable in a computing professional.' And, in a news conference on Tuesday, Dawson's administration stuck to that line, saying that Al-Khabaz's actions show he is 'no longer suited for the profession.' In the meantime, Al-Khabaz has received more than one job offer from technology firms, including Skytech, the company that makes Omnivox. Chris Wysopal, the CTO of Veracode, said that the incident shows that 'most computer science departments are still living in the pre-Internet era when it comes to computer security.' 'Computer Science is taught in this idealized world separate from reality. They're not dealing with the reality that software has to run in a hostile environment,' he said. 'Teaching students how to write applications without taking into account the hostile environment of the Internet is like teaching architects how to make buildings without taking into account environmental conditions like earthquakes, wind and rain,' Wysopal said."

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,646
Alex Simonelis said his department forbids hacking as an 'extreme example' of 'behavior that is unacceptable in a computing professional.'
-the Article

Alex is retarded. But that's a common trap for academics...no access to the real world. Just a lot of time in a rarefied bubble of their own little world.

Anybody who's spent any amount of time doing administrative level site work knows that hacking is flat-out part of the job. Nobody ever documents anything properly, keeps support agreements current, or (frequently) has the slightest clue of what actually happens in the magical world behind the lit screen. So if you want to get done with a "5 minute" job in less than a week ... You damn well better know how to gently probe and disassemble something quickly without crashing it. Obviously this clown has never heard of the CEH classification (but it's on my to-do list).

I've said it before, and I'll say it again: The only difference between a hacker and an administrator is a paycheck and a pair of handcuffs. Because you'll never be able to keep people out, if you don't know how and where they get in.