Dawson College disgraces itself in defending ethical hacker’s expulsion

They should have stuck with “no comment”, writes Jesse Brown

They should have stuck with “no comment”.

By now you may have heard about former Dawson College student Ahmed (Hamed) Al-Khabaz. Just 20 years old, Ahmed proved his chops as a Computer Science student by discovering a shocking vulnerability on Dawson’s website that could allow any amateur hacker to gain access to every bit of information Dawson has on its 10,000 students. He then proved his decency by reporting the bug instead of exploiting it, and he proved his loyalty to his school by reporting it to Dawson privately rather than announcing it publicly online, which is how many white hat hackers would have done it. He continued to act responsibly when he re-checked the Dawson site two days later to see if the hole had been plugged. That’s when the administration flipped from praising Ahmed to expelling him.

When this story broke in the National Post, Dawson’s initial response was to explain that they couldn’t respond without breaking their own code of ethics: their policy prevents them from discussing the personal details of any student, past or present. (Which is ironic, given that until Ahmed spoke up, they were potentially disclosing everything they knew about every one of their students.) In any event, Dawson said they were duty-bound to keep mum.

They stuck with that line for a matter of hours, then their director general, Richard Fillion, added this tidbit in a CBC radio interview:

“The story that has been reported … was relying on an incomplete version of what had happened. The other side of the story is related to facts that we cannot divulge.”

So, a tantalizing insinuation that Ahmed was not telling the whole truth, but a steadfast dedication to hold firm to their ethical policy.

That lasted until the next morning, when Dawson faculty member Alex Simonelis’ letter to the Montreal Gazette was published. Simonelis tap-danced around Dawson’s policy by phrasing each accusation in the form of a question:

“Exactly how did the student ‘stumble upon’ the flaw? Was it by running intrusion tests against Skytech’s website? If so, did he have Skytech’s permission to do so, given that it is unacceptable to do so otherwise? Was the student given a cease-and-desist warning regarding such actions by our college’s administration? I believe I know the answers to those questions…”

Later that day, Dawson tossed their ethical policy completely by issuing a press release titled “Setting the Record Straight” that begins like this:

“Dawson College will address some of the issues that have arisen due to the expulsion of Computer Science student Ahmed Al-Khabaz. In some areas, it is still bound by the terms of confidentiality of student files.”

Only in some areas? That’s nice. Why are they no longer bound in other areas? No reason is given. The inference, I guess, is that they tried their darndest to be nice, but they can only stay silent so long in the face of such wild tales. The whole truth must now be heard, ethical policy be damned!

And the truth, then? The shocking revelations that “set the record straight”?

“Ahmed Al-Khabaz was not expelled because he found a flaw in the student information systems. He was expelled for other reasons. Despite receiving clear directives not to, he attempted repeatedly to intrude into areas of College information systems that had no relation with student information systems.”

Wow. So, they weren’t mad that he saved their asses from a major data-leak. They were mad that he later tested their whole site to make sure the leak was plugged and that no other vulnerabilities existed, even after they told him not to.

Thanks for clearing that up.

Follow Jesse on Twitter @JesseBrown

  1. Well, anyone in the country interested in computer science has just crossed Dawson College off their list.

    Absolut Nummies.

  2. Curious, but what should their response have been?

    “Oh, go ahead and hack our systems if you can. Don’t worry about us catching you, we’ll make sure there’re no consequences for it.”

    Were I someone who wanted to hack an institution’s systems, this certainly strikes me as a great way to protect myself from repercussions should I get caught. Report the first hole you find, then use that as a “get-out-of-jail-free” card while you explore for others that might be less detectable.

    Also, consider that the only evidence we have that Mr. Al-Khabaz reported the hole completely voluntarily is his statements. Maybe he realized after hacking in that he’d left his fingerprints all over the place (the line about “I could have used a proxy, but didn’t …” lends some support to this — why mention it otherwise) and was called in for a meeting with the Director of IT to explain what the hell happened. He then uses his information as a bargaining chip to keep himself from being expelled. I actually find this reasoning pretty believable if only because the likelihood of an individual student being able to schedule a one-on-one with the Director of IT for the entire university to report a possible flaw is pretty small. But for the Director of IT to call in a student who they found doing this is way more believable.

    After all, since he had a meeting with the director of IT, would it have been so hard to get permission for the follow-up attempts if he was really white-hatting it?

      • The biggest PR wreck was not propping up this young man’s brilliance as a product of their educational services from the start. Fools bound to repeat their foolishness, I guess.

    • Does the fact that the head of Skytech is quoted in the NP articles as saying “…it is very clear to me that there was no malicious intent. He simply made a mistake” hold much water with you? What about the fact that he’s offered Al-Khabaz a full scholarship to a private CEGEP and a part-time job at Skytech?

      • Not a lot, honestly. It’s pretty easy to cry a river after you’ve been caught. The guy from Skytech may be taking that at face value. That he’s offered Al-Khabaz a job is simply testament that Al-Khabaz is good at finding security holes. That doesn’t turn the argument toward black-hat or white-hat.

  3. The error they made, which many institutions make, is to focus on bureaucratic details and dig in their heels when shown that they were wrong. They focused on the fact that the student violated a policy, but failed to ask themselves the question of whether the punishment fit the crime, and whether there were some exculpatory factors to consider.

    • Did they, though? After all, it seems to me that what’s not really being considered here is whether Mr. Al-Khabaz’ version makes sense.

      He supposedly found a security flaw, but he was doing nothing improper while looking for it, and we’re to believe that his reasons were perfectly above board.

      After finding it, instead of reporting it to any of his various computing science professors or any of the IT department, he manages to get an appointment with the Director of IT for the entire university, during which he gets thanked for finding the hole and sent on his merry way with assurances that they’ll do something about it.

      He then uses a script-kiddie program (which has the possibility to crash the entire system) to attack the university again, supposedly for “testing” whether they fixed the hole, but — at least according to the university — was doing this in a completely different area of their systems, because I guess he figured the hole would magically move if they hadn’t fixed it.

      A group of 15 of the computing science faculty gets together, looks at the case, and 14 of them vote to expel him. Because Computing Science professors have obviously never been involved in the computing community and so have no familiarity with the various ideals of freedom of information, copyleft, open-source, etc., so thus had no interest in his side of the story.

      Once expelled he runs to the press with this story, for which he doesn’t stand to gain at all if people get mad at the university for expelling him, so obviously wouldn’t think of lying to them about it.

      Perhaps what’s more likely is that he was looking for holes for purposes that weren’t so above board and got nailed for it. A cease and desist letter was sent and he was summoned to the Director of IT of the university to disclose the hole to them and who else he’d given it to, and made to agree not to publicize it in exchange for being allowed to continue his studies.

      Then, thinking he had the leverage of this security hole to hold over them, he starts looking for new ones with a script-kiddie program and, wonder of wonders, gets nailed for it again.

      15 of his faculty get together, realize the guy’s a black hat and they don’t want him anywhere near their systems anymore, give him the heave ho.

      So now he runs to the press with a pack of lies that the university is hard pressed to dispel because of PIPEDA and various other privacy laws and agreements. Then Jesse comes along and does his shtick of protecting the innocent hackers who’d never ever lie and here we are.

      • The only thing I’d quibble with is that I really can’t imagine that it’s that difficult to get a meeting with the Director of IT @ Dawson College. It’s a 7500 student CEGEP, not U of T.

        • 15 Computer Science faculty, presumably some number of IT workers. But he doesn’t end up talking to any of those. He gets a face to face with the Director. Even for a small college, that seems a bit of a stretch to me. I could have believed an email exchange (and for a security hole, that’d actually make more sense, since you could attach files, etc) but a face to face meeting? That comes when there’s some chewing out to be done.

          • If you find a computer vulnerability in a system administered by campus IT services, why would you tell your comp sci prof about it instead of the person in charge of campus IT? That’d be like having a complaint about student union elections and telling your poli sci prof about it instead of the head of the student union, or having a complaint about the food in the cafeteria and going to your nutrition prof instead of the head of food services.

            I work at a bigger institution than Dawson, with a bigger IT Department, and if a Comp Sci student emailed the head of IT to say that he’d found a major security issue that he’d like to discuss, said student might get a face-to-face with the IT Director THAT DAY.

          • Well, were I working on a project to mobilize the student information system, I’d probably tell the prof that was co-ordinating my project about it — because they’re the ones I talk to every day.

            And again I point out: presumably there are some IT people that work for the university, yes? I mean, unless the university really is a completely mickey-mouse operation, presumably they have a “contact us” link somewhere, or a general information line. Now, I realize it’s only a reasonable person who might actually use the avenues typically offered to people rather than hunt through staff lists for the director of IT and send an email in hopes that it actually reaches them and not simply some secretary who reads the email, but I’ve been giving this guy that much benefit of the doubt.

            Perhaps I shouldn’t have.

          • What “search through staff lists”? There are precisely three names on the Dawson IT Services page, and the Director’s is the very first one.

            Sure, you could email their helpdesk link, but I never would. The student who checks that email account is just going to forward an email about a serious security flaw straight to the Director of IT anyway.

            Yes, there are other people who work in IT at Dawson College. To my mind, if you find a security flaw that exposes the student information of every single student at your college, the head of the college’s IT department is the most, and arguably ONLY person that it’s appropriate for you to contact.

      • He supposedly found a security flaw, but he was doing nothing improper while looking for it, and we’re to believe that his reasons were perfectly above board.

        I guess I’d quibble with that a bit too. I’m no comp sci major, but it seems to me that if the project you’re working on is creating an app to let students access their student records from mobile devices, it’s not implausible that you could innocently come across sloppy coding that lets ANYONE access student records.

        • Not implausible, true, but it seems odd then that he’d go probing in areas that weren’t the student information system afterward.

      • I’m not arguing by the way that the guy didn’t do anything wrong. I understand that some of the articles have portrayed him as blameless and implied that the college’s actions were motivated by a desire to cover up their own security failures. I realize that’s highly unlikely for many of the reasons you mentioned. My point is simply that the punishment…giving him zeros for courses that he had passed and making him pay back all his student grants…seems draconian for what appears to have been a naive error. Of course all I have to go on is what the press said and what the college said. While you’ve given a plausible speculation for what might have happened, the information the college has put out doesn’t go anywhere near those theories. What they’ve said still seems consistent with the idea that he made a naive error (running a battery of tests with a program that goes way beyond what was needed) in the course of trying to do the right thing, and perhaps he didn’t understand this fully. That was clearly the wrong thing to do, and it violated a policy. But I’ve heard of a lot of cases of people doing stupider things and they don’t even necessarily lose their job because of it. It sounds as if this guy’s entire academic record is ruined because of an honest mistake.

      • 15 of his faculty get together, realize the guy’s a black hat and they don’t want him anywhere near their systems anymore, give him the heave ho.

        To be fair, they did that after hearing only the administration’s explanation of what happened. If we can’t say that the student is innocent based only on the student’s side of the story, why is it fair for the faculty to find him guilty based on only the administration’s side of the story?

        • What makes you think they only had the administration’s side?
          Oh right, because he told the media that.

          • Well, apparently of the 15 comp sci faculty involved in that vote, the only one to vote not to expel him was the only one who actually talked to him.

  4. This is a little preachy, don’t you think? People get screwed every day for far less than this… Sometimes for no reason at all. Injustice is all around us… But I don’t see how devaluing the degrees of everyone who has studied there helps this kid? Life is tough… Get a helmet! #firstworldproblems

  5. Their reaction is mind numbing, I can’t believe how anti-intellectual it is to expel a computer science student for doing computer science.

    • Hint: Running a script-kiddie program is not computer science.

      • LOL – I’m sure that is how Dawson views it too. Perhaps I have seen too many giant plates of spaghetti code assembled by copy-and-paste IT gurus who possess a master’s or PhD in computing science to know that the level of education is no guarantee of quality. The most talented individuals I have encountered over 35 years have been self taught; some never even went to university.

        It’s this kind of “I know best” attitude that leaves systems open to hacking. Yeah, script-kiddie programs are not real computer science, like they teach at Dawson.

        Those who can do, those who can’t teach. — George Bernard Shaw

  6. September 21st

    After inspecting
    Dawson’s Omnivox portal framework from the outside, Hamed sensed that
    their system might be vulnerable to data breaching. He decided to use
    Acunetix to scan the portal for
    vulnerabilities. He had the choice to go through an anonymous proxy and
    never get caught, but he did not do so in order to let them know that
    they are not being attacked but that he is simply running a test.

    September 22nd

    Hamed receives an email from François Paradis, the Director of
    Information Systems Technology, informing him that his account has been
    suspended for attempting to gain unauthorised access to their systems.
    Hamed immediately informed them of his intent. They reactivated his
    account. At no time does he receive a “Cease & Desist” letter or
    official first warning from Mr. Paradis. Their exchanges are cordial and
    Mr. Paradis stresses the importance of being cautious in his actions so as
    not to provoke Skytech into going after him.

    October 14th

    Hamed noticed a pattern in the URL of his Omnivox avatar. The pattern
    led to his Student ID number. From there he realised that anyone’s
    information could be accessed by replicating the pattern. He did not use
    software to make this discovery, but rather deductive logic.

    October 17th

    Hamed requests to meet with François Paradis in order to run some tests to expose vulnerabilities.

    October 24th

    Hamed and his colleagues meet with François Paradis to test their
    theory of data access. A test server is set up for them to run their
    findings. They sign a Protocol for Portal Vulnerability Test. Part of
    said protocol stipulates that testing must happen on College grounds
    under the supervision of Dawson College IT staff.

    October 26th

    Hamed is informed that Skytech has fixed the holes in Omnivox and that
    the site is now secure. Excited by their rapid response, he logs on to
    the test server the College provided him to run an Acunetix scan. The
    scan shows no vulnerabilities but Skytech is alerted to its use and
    calls Dawson College to get the name of the “culprit”. Dawson College
    hands over Hamed’s number and Skytech calls him at 9PM. They threaten to
    call the RCMP on him and warn that he may face a year in jail for his
    actions. Hamed explains that he was part of the team that found the
    initial hole and that his intent was just to ensure the data was truly
    secure. They ask him to provide any bugs he may have found by October
    28th. He does so on condition that they agree not to sue them, and in
    return he will not disclose any of what he found to anybody.

    November 2nd

    Hamed is invited to attend a meeting on November 6th “to address
    serious professional conduct issues”. In attendance will be the Sector
    Dean and Vice-Dean as well as the Program Coordinator.

    November 6th

    The meeting to review Hamed’s case takes place.

    November 12th

    The Computer Science Department meets to review Hamed’s case. Only a
    single teacher has taken the initiative to speak with him directly. Said
    teacher is the only one to vote against his expulsion. Hamed is not
    present.

    November 14th

    Hamed is asked to meet with
    Diane Gauvin. She hands him his letter of expulsion citing professional
    misconduct. Security is on hand to immediately confiscate his Student
    ID.

    November 20th

    Hamed appeals his expulsion to the Academic Dean.

    November 27th

    Hamed meets with the Academic Dean to present his case.

    November 29th

    The Academic Dean rejects his appeal and ensures that “the Sector Dean will not go back on her words.”

    November 30th

    Hamed meets with the Director General to appeal his expulsion.

    December 7th

    The Director General rejects his second and final appeal.

    In sum,

    – Hamed exchanged emails with Mr. Paradis where it was expressed that his actions on September 21st were irresponsible.
    – Hamed never received a Cease & Desist letter.
    – Hamed never received an official written warning.
    – Hamed was thanked for bringing vulnerabilities to light on October 24th.
    – Hamed was given access to a test server on October 24th.
    – Hamed was asked to only use the test server when at Dawson.
    – Hamed was eager to verify the updated security of Omnivox on October 26th and performed tests from his home.
    – Hamed immediately stopped scanning the system upon receiving a call from the CEO of Skytech.

    – Hamed was not granted the right to speak directly with the members of
    the Computer Science faculty before they voted on his expulsion.

    • V_d – where did you find this version of events? Curious whether it’s publicly available and legitimate… which would make the college and his detractors look sort of like idiots.
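The avatar-URL pattern described in the timeline above is an insecure direct object reference: a predictable identifier in a URL is the only thing standing between one user and another user's record. The following is an added example, not code from the article, the commenters, or the Omnivox portal; the portal model, record paths, session handling and access-log lines are all hypothetical and constructed to show the bug beside its fix and a simple way to spot ID enumeration in logs.

```python
import hmac
import hashlib
import re
from collections import defaultdict

# Constructed sample data for a hypothetical portal: student ID -> record.
RECORDS = {
    1234567: {"name": "Student A", "program": "Computer Science"},
    1234568: {"name": "Student B", "program": "Nursing"},
    1234569: {"name": "Student C", "program": "Social Science"},
}

# Hypothetical record endpoint; the numeric ID is the direct object reference.
RECORD_PATH = re.compile(r"^/portal/student/(\d+)$")


def vulnerable_lookup(session_student_id, path):
    """IDOR: the record ID comes from the URL and is never compared with the
    caller's identity, so any logged-in user can read any record by
    changing the number."""
    m = RECORD_PATH.match(path)
    if not m:
        return None
    return RECORDS.get(int(m.group(1)))


def hardened_lookup(session_student_id, path, is_staff=False):
    """Fix: the URL still names a record, but it is served only when the
    session owns it or the caller holds an explicit staff role."""
    m = RECORD_PATH.match(path)
    if not m:
        return None
    requested = int(m.group(1))
    if requested != session_student_id and not is_staff:
        return None  # deny; a real handler would return 403 and log the attempt
    return RECORDS.get(requested)


def avatar_path(student_id, secret):
    """Avatar URL keyed by an HMAC of the student ID instead of the ID itself,
    so the filename no longer reveals the record key. `secret` stays server-side."""
    tag = hmac.new(secret, str(student_id).encode(), hashlib.sha256).hexdigest()
    return f"/portal/avatar/{tag[:32]}.jpg"


def flag_enumeration(log_lines, threshold=3):
    """Detection: a session that fetches more distinct record IDs than
    `threshold` looks like ID enumeration. Constructed log format:
    '<session> GET <path>'. Returns the flagged session IDs, sorted."""
    seen = defaultdict(set)
    for line in log_lines:
        session, _, path = line.split()
        m = RECORD_PATH.match(path)
        if m:
            seen[session].add(m.group(1))
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)


# Constructed access log: s1 reads only its own record, s2 walks sequential IDs.
SAMPLE_LOG = [
    "s1 GET /portal/student/1234567",
    "s1 GET /portal/student/1234567",
    "s2 GET /portal/student/1234567",
    "s2 GET /portal/student/1234568",
    "s2 GET /portal/student/1234569",
    "s2 GET /portal/student/1234570",
]

if __name__ == "__main__":
    print(vulnerable_lookup(1234567, "/portal/student/1234568"))  # another student's record
    print(hardened_lookup(1234567, "/portal/student/1234568"))    # None
    print(flag_enumeration(SAMPLE_LOG))                            # ['s2']
```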

  8. Dawson College always makes the student feel WRONG and STUPID.
    I wouldn’t go back, I would SUE THEM for money.

  9. The author criticizes Dawson for not providing explicit details, thereby admitting he doesn’t have a complete set of facts. Then passes judgement on the decision made, based on his own interpretation of said limited set of facts. Sounds legit. I guess that’s why they call it a blog and not journalism.
