Dawson College disgraces itself in defending ethical hacker's expulsion - Macleans.ca

Dawson College disgraces itself in defending ethical hacker’s expulsion

They should have stuck with “no comment”, writes Jesse Brown

They should have stuck with “no comment”.

By now you may have heard about former Dawson College student Ahmed (Hamed) Al-Khabaz. Just 20 years old, Ahmed proved his chops as a Computer Science student by discovering a shocking vulnerability on Dawson’s website that could allow any amateur hacker to gain access to every bit of information Dawson has on its 10,000 students. He then proved his decency by reporting the bug instead of exploiting it, and he proved his loyalty to his school by reporting it to Dawson privately rather than announcing it publicly online, which is how most white hat hackers would do it. He continued to act responsibly when he re-checked the Dawson site two days later to see if the hole had been plugged. That’s when the administration flipped from praising Ahmed to expelling him.

When this story broke in the National Post, Dawson’s initial response was to explain that they couldn’t respond without breaking their own code of ethics: their policy prevents them from discussing the personal details of any student, past or present. (Which is ironic, given that until Ahmed spoke up, they were potentially disclosing everything they knew about every one of their students.) In any event, Dawson said they were duty-bound to keep mum.

They stuck with that line for a matter of hours, then their director general, Richard Fillion, added this tidbit in a CBC radio interview:

“The story that has been reported … was relying on an incomplete version of what had happened. The other side of the story is related to facts that we cannot divulge.”

So, a tantalizing insinuation that Ahmed was not telling the whole truth, but a steadfast dedication to hold firm to their ethical policy.

That lasted until the next morning, when Dawson faculty member Alex Simonelis’ letter to the Montreal Gazette was published. Simonelis tap-danced around Dawson’s policy by phrasing each accusation in the form of a question:

“Exactly how did the student “stumble upon” the flaw? Was it by running intrusion tests against Skytech’s website? If so, did he have Skytech’s permission to do so, given that it is unacceptable to do so otherwise? Was the student given a cease-and-desist warning regarding such actions by our college’s administration? I believe I know the answers to those questions…”

Later that day, Dawson tossed their ethical policy completely by issuing a press release titled “Setting the Record Straight” that begins like this:

“Dawson College will address some of the issues that have arisen due to the expulsion of Computer Science student Ahmed Al-Khabaz. In some areas, it is still bound by the terms of confidentiality of student files.”

Only in some areas? That’s nice. Why are they no longer bound in other areas? No reason is given. The inference, I guess, is that they tried their darndest to be nice, but they can only stay silent so long in the face of such wild tales. The whole truth must now be heard, ethical policy be damned!

And the truth, then? The shocking revelations that “set the record straight”?

“Ahmed Al-Khabaz was not expelled because he found a flaw in the student information systems. He was expelled for other reasons. Despite receiving clear directives not to, he attempted repeatedly to intrude into areas of College information systems that had no relation with student information systems.”

Wow. So, they weren’t mad that he saved their asses from a major data-leak. They were mad that he later tested their whole site to make sure the leak was plugged and that no other vulnerabilities existed, even after they told him not to.

Thanks for clearing that up.

Follow Jesse on Twitter @JesseBrown