Dawson College student expelled for illegal site scan

Dawson College in Montreal has expelled a computer science student for a “serious professional conduct issue.” Ahmed “Hamed” Al-Khabaz discovered a security problem in a mobile application called Omnivox [made by Skytech Communications] used by the school to manage and allow access to student information. The application is widely used by educational institutions in the province as well as elsewhere.

When Al-Khabaz initially informed the director of Information Services and Technology, he was told that the problem would be fixed. They even congratulated him.

According to Al-Khabaz, the software has “sloppy coding” that allowed anyone “with basic knowledge of computers to gain access to the personal information of any student”.

Several days later, Al-Khabaz decided to see if the vulnerability still existed by using a website security scanning tool again. The tool is designed to be used with off-line copies of web applications, not on live sites.

Skytech detected the second scan and the company’s president called Al-Khabaz. Al-Khabaz claimed that the company’s president threatened prosecution if he did not meet with him and sign a nondisclosure agreement. The company’s president confirmed the conversation but denied he ever made the threat. I suspect Skytech tried to cover up the glitch as there is no other reason to sign a nondisclosure agreement.

After a meeting with the dean and 15 computer science professors, Dawson deemed Al-Khabaz’s actions an attack and expelled him.

Skytech has responded to the backlash by trying to reach out to Al-Khabaz and help him continue his studies by offering Al-Khabaz a part-time job and a scholarship to continue pursuing his degree at a private college.

Dawson College and Skytech’s websites were both down on Monday apparently due to a denial of service attack.

Al-Khabaz should have known that scanning an institution [or anywhere] is illegal without consent. When he notified the administration, I would be surprised if the administration didn’t make some type of comment like it was nice to notify us but you shouldn’t be scanning the site and don’t do it again [but of course we don’t have the exact conversation].

He obviously shouldn’t have scanned again to see if it was fixed. It is not his job to do so. He’s probably lucky the school didn’t have him arrested.

It also looks like Skytech was trying to hide the security issues so it would not ruin the company’s reputation.

From the various reactions, some think Al-Khabaz should be given a reward [or even a medal] for exposing the security issue. Others suggested locking him up.

Note: The information has been taken from various sources and seemed to be reliable as of this publication date and time.

Update #1 2013/01/22: According to Dawson College, Al-Khabaz was warned after he reported the security issue. They also hinted that he actually may have entered portions of the site that he shouldn’t have entered [i.e. he may have gone into the financial system, grade system, etc.].

Update #1 2013/01/28: Al-Khabaz couldn’t wait to get onto any media outlet that would have him to claim his innocence. Hmmmm.


About ebraiter
computer guy
