topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Saturday November 2, 2024, 5:56 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: Computer science student expelled for testing university software security  (Read 53734 times)

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
From the details I've read this university and especially the computer science department of this university should be ashamed of its cowardly behavior -- expelling a student who was nice enough to report a security vulnerability to them.

I suspect this is one of those cases that will be lucky enough to get enough attention to be reversed -- one wonders how many similar episodes do not get attention.. Shameful.

After an initial meeting with Director of Information Services and Technology François Paradis on Oct. 24, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill.

Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.

“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack...

..Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour.



From boingboing which says something I agree with as a former CS student:
The thing that gets me, as a member of a computer science faculty, is how gutless his instructors were in their treatment of this promising student.
« Last Edit: January 21, 2013, 10:13 AM by mouser »

Josh

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Points: 45
  • Posts: 3,411
    • View Profile
    • Donate to Member
Mouser,

The issue was not that he reported the vulnerability, but instead that he ran an automated tool, Acunetix, designed to hack and test systems. Without system administrator approval from both the school network and the remote system network, he is in violation of several ethical guidelines and laws. Tools like this CAN and HAVE crashed entire systems, at times rendering the system inaccessible, because of the amount of traffic they can generate and techniques they use. So, no, he was NOT expelled for reporting the vulnerability, but for going in two days later, using a tool that was not authorized on the school network, and scanning a remote system which IS against the law in many jurisdictions.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
So, he helps them, they say they took care of it, he checks, he gets expelled for checking.

Yup. No good deed goes unpunished.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Josh

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Points: 45
  • Posts: 3,411
    • View Profile
    • Donate to Member
Renegade, unless he was specifically granted permission to re-check the system, it is an illegal scan of the system. Many professional penetration testers have lost their jobs because of such an act.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
It's fine to say he should not have run that automated testing software -- but the idea of expelling someone for that -- or anything even remotely close to that, is just unfathomable to me.. It's completely antithetical to the spirit of learning and curiosity about technology that you would want to foster in computer science students.

This is exactly the kind of student that a department should be happy to have and should spend their time encouraging and challenging and helping to flourish.

This is a student for god's sake -- the idea of applying these kinds of zero-tolerance paranoid security reactions to someone like that is just wrongheaded.

Josh

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Points: 45
  • Posts: 3,411
    • View Profile
    • Donate to Member
Mouser, I am not trying to justify the expulsion, merely trying to showcase that the tool he used has been shown to have the ability to crash a remote system when scanned improperly. I agree, he should not have been expelled, however I feel the school was under pressure from the software owner to take further action after he scanned their network again. Again, had he been a professional tester, he could have faced being fired and a follow-on lawsuit. This is not someone being paranoid as this tool CAN break a system.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
+1 for mouser.

As for the legality of it? Meh. Not really all that interested in legal BS. Especially when you've got laws that make it illegal to get drunk and pass out in your own bathroom.

http://cynic.me/2012...toilet-in-cambridge/

Sure, maybe it's possible that he could crash the system. Only goes to show that they don't have any protection against DOS/DDOS there. Chalk another point up for the good guy. :D

I know what you mean about pros getting fired, and laws, and all that. I've simply lost any kind of interest in "legality" anymore. Laws are created by lobby groups, and not by the people. Why should anyone care what the letter of the law is anymore? Ok, I'm being extremely cynical, but sheesh... Like mouser points out, he's a student trying to help out and doing a damn good job of being a good student! But expulsion? Sheesh. Why throw the baby out with the bath water when you can throw it in the blender?

Is there no balance in the law? Is there no compassion? Is there no justice? Is there no sanity left? Has the letter of the law become so important that we've sacrificed our common sense and humanity on the altar of the "law books"?

What happened to proportionality?
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,188
    • View Profile
    • Donate to Member
Renegade, unless he was specifically granted permission to re-check the system, it is an illegal scan of the system. Many professional penetration testers have lost their jobs because of such an act.

The utility in question (Acunetix) scans for publicly available information about the system. It wasn't the smartest thing to do, but neither is it illegal- you can get the same information in other ways, and it's a white hat utility.  And the way they bullied him with incorrect information about the legality to get an NDA signed, then backed off... yeah...
« Last Edit: January 21, 2013, 10:22 AM by wraith808 »

Josh

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Points: 45
  • Posts: 3,411
    • View Profile
    • Donate to Member
An automatic client script analyzer allowing for security testing of Ajax and Web 2.0 applications
Industries' most advanced and in-depth SQL injection and Cross site scripting testing
Advanced penetration testing tools, such as the HTTP Editor and the HTTP Fuzzer
Visual macro recorder makes testing web forms and password protected areas easy
Support for pages with CAPTCHA, single sign-on and Two Factor authentication mechanisms
Extensive reporting facilities including VISA PCI compliance reports
Multi-threaded and lightning fast scanner crawls hundreds of thousands of pages with ease
Intelligent crawler detects web server type and application language
Acunetix crawls and analyzes websites including flash content, SOAP and AJAX
Port scans a web server and runs security checks against network services running on the server

From the Acunetix website...

The difference between scanning for publicly available information (domain owner, email addresses listed on web pages, administrative contacts, etc.) and vulnerability scanning is that information gathering is passive when you talk about publicly available information. Scanning a server can have real consequences on the server if the tool is not configured properly and is NOT passive.
« Last Edit: January 21, 2013, 10:41 AM by Josh »

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
From my sysadmin perspective all I can say is: A predictable and avoidable outcome.  I'm hardly surprised at the response.  Nor should he be.

I'll leave the armchair discussions of social ramifications and "justice" to others.  8)


Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Hey, did that student pay for his license?

http://www.acunetix.com/ordering/

Acumotherkillerservertrixiephant Seems a bit beyond student budgets... :P

Maybe he should be crucified for that too!

(Just kidding! The university probably has licensing to cover students. Meh? What the heck! Let's have a good old fashioned lynching! :P )

Maybe ethics courses or legal courses should be included in first year university? ;)
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
From my sysadmin perspective all I can say is: A predictable and avoidable outcome.  I'm hardly surprised at the response.  Nor should he be.
Agreed.

If you don't have a (written) agreement with your target, you're not pentesting - you're hacking.

Is it piss-poor behavior from the uni? Yes. But if you're not going to play by the rules (which might very well be necessary sometimes, whistleblowing incompetent lying bastards comes to mind), you'll have to expect unfavorable outcomes.

Which is why you run such scans from a VM on a laptop with a faked MAC address, through TOR on a public WiFi.
- carpe noctem

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Just because it's predictable (true), doesn't make it right.

I'm with Mouser & Ren - They should have just counted coo on the kid...not take him out and shoot him - this is crap.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,188
    • View Profile
    • Donate to Member
All I'm responding to is the fact of it being illegal
The difference between scanning for publicly available information (domain owner, email addresses listed on web pages, administrative contacts, etc.) and vulnerability scanning is that information gathering is passive when you talk about publicly available information. Scanning a server can have real consequences on the server if the tool is not configured properly and is NOT passive.

All I'm saying is saying it was illegal, then using said threat to make him sign an NDA wasn't right by any means.  It's not illegal in and of itself, and trying to prosecute him for such would be legal handwaving.  Not saying a prosecutor wouldn't do it, but that's what it would be.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Just because it's predictable (true), doesn't make it right.

I'm with Mouser & Ren - They should have just counted coo on the kid...not take him out and shoot him - this is crap.

Here's the thing...a university's computer is *NOT* just sitting there for purely educational purposes - or for the students. Most universities these days are also hosting critical and sensitive research projects; running important internal programs (accounting & payroll); and frequently leasing out computer resources on contract to local businesses and government agencies along with the expertise to maintain such systems.

So when some undergrad decides that such a system is his personal playground where everything that happens on it should be purely for his own personal education and experience....well...I have a little trouble dealing with that level of hubris and selfishness.

Running a penetration test (even a white-hat one) sets off alarms, gets the sysadmins steppin' & fetchin' - and sometimes puts outside contracts or internal operations in jeopardy. Especially if the DoD or financial institutions are involved. Disclosure statements to be filed, audits to be performed, re-certifications needed in some cases, and occasionally data or contracts lost, plus a hit to your reputation and a signal to potential hackers that this is a facility worth targeting...all of these things come at a price. And to just say "Well...I'm just a student and I was trying to learn something." doesn't cut it in this context.

One unfortnate thing I'm seeing more and more with the upcoming generation is how many have consciously or subconsciously embraced the notion that "it's easier to ask for forgiveness than to get permission." Almost like life comes with a reset or "new game" button. Well guess what? It doesn't. It's called reality. Welcome to Life-101.

And one of the first lessons learned in Life-101 is that just because you say "you're sorry" and "didn't mean anything by it" doesn't automatically absolve you of the consequences of your actions.

In this day of virtual machines and lab setups there are safer and better ways to become educated in network intrusion than to perform an unauthorized 'run' on a live production system. Doing that is just flat out unacceptable.

In this particular student's case, it was great that he discovered and reported a security problem. And I see he received kudos and full props for it. But going back in after the fact to "verify" the fix had been made? I'd be suspicious too.

I have very little sympathy for this particular kid's self-caused problems even if I do think the school's response borders on being capricious and excessive. However, please note that the headlines are somewhat misleading too. He wasn't expelled for identifying a security issue. He was expelled for going back afterwards and running an unauthorized scan using Acunetix. That's a very different thing than implying that he merely identified a security hole - and then got promptly expelled from his college by way of a thank-you as some news sources are seeming to say.






Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Yeah, Yeah, Yeah, I'm familiar with the rap...

I have very little sympathy for this particular kid's self-caused problems even if I do think the school's response borders on being capricious and excessive.

 :D (Do I even have to say it...?) Exxaactly ... Hence my comment about "Counting Coo". Sit the boy down, have a little quality "Scared Straight" lecture time with him, and then... Let. It. Go. They didn't need to crucify his ass. That just invites a PR nightmare...Kinda like what they appear to be having a bit of now.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Audio interview with the sudent:
http://www.cbc.ca/pl...treal/ID/2327525012/

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
The fact that he, on his own, informed them about the vulnerabilities the first time, tells you everything you need to know about his intentions, his moral character, and the nature of the "threat" he supposedly posed.

The more I read about this the angrier I get.. I guess it hits close to home for me -- I could easily see this happening to me or any other student in the computer science departments that i've attended.  In fact I can easily see myself or friends *not* reporting such a discovery and being curious about what else was exposed.. Absolutely disgraceful behavior from the university -- I hope the CS students in that department start protesting loudly until its reversed -- and even then every professor in that department who voted for his expulsion should be treated with suspicion.

It would be nice to hear from the one CS faculty who among his appears did NOT vote for expulsion.  If anyone finds an interview of him I'd love to read it.  We need to celebrate those willing to stand up to this bureaucratic group-think like cowardly behavior.

cmpm

  • Charter Member
  • Joined in 2006
  • ***
  • default avatar
  • Posts: 2,026
    • View Profile
    • Donate to Member
Most universities these days are also hosting critical and sensitive research projects; running important internal programs (accounting & payroll); and frequently leasing out computer resources on contract to local businesses and government agencies along with the expertise to maintain such systems.

If these programs are not separate from student user accounts, then the university and Skytech and Omnivox Consulting are not very smart about much of anything. And have bigger issues that are not solved by expelling a student.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
The fact that he, on his own, informed them about the vulnerabilities the first time, tells you everything you need to know about his intentions, his moral character, and the nature of the "threat" he supposedly posed.

+1 - Agreed. Now if he'd have polked it twice all sneeky and quiet...then I'd be up for a BBQ. But that ain't what happened.

cmpm

  • Charter Member
  • Joined in 2006
  • ***
  • default avatar
  • Posts: 2,026
    • View Profile
    • Donate to Member
Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”

Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.

Run the Test again, Mr. Al-Khabaz.
the damn fools.....

Josh

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Points: 45
  • Posts: 3,411
    • View Profile
    • Donate to Member
But he went in scanning for ADDITIONAL vulnerabilities AFTER he advised them of the first one. That is the problem here. I've watched tools like this drag a network to a crawl from a simple scan. Retina and other tools, while basic in nature, can degrade a network to the point of sheer non-usability. Intent aside, he did not have permission to scan, was not asked to do so after the initial report, and could have taken other avenues with the IT staff to conduct a proper security audit based on what he had already seen. Going in again is where he made his mistake.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,188
    • View Profile
    • Donate to Member
When reached for comment Mr. Taza acknowledged mentioning police and legal consequences, but denied having made any threats, and suggested that Mr. Al-Khabaz had misunderstood his comments.

This is what makes me want to BBQ them instead.  This wasn't because of hacking or even running the software.  They were in CYA mode, and the uni is helping them to CYA.  What I'd like to see is the complaint that the professors voted on.  It wasn't as simple as this guy ran this... should we expel.  There's still CYA going on.  And that's the big problem that I see- this guy is getting crushed in the machinery of maintain contracts and CYA.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,188
    • View Profile
    • Donate to Member
Going in again is where he made his mistake.

No one is saying what he did wasn't a mistake- he should have been informed as to such, and perhaps punitive measures taken based on the fact that he violated university rules, if indeed there was such in place.  But there is intent, and reasoned response.  That's what's being questioned.  The argument over whether running it was the wrong move is a straw man, IMO.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
What I'd like to see is the complaint that the professors voted on.

Ditto -- who here would be surprised to find out they voted based on some totally overblown fantasy that this kid was some criminal mastermind repeatedly trying to hack into and bring down their computer systems and steal and misuse the private information of others.