College Expels Student For Finding Security Flaw

HardOCP News

What's that you say? You found a security flaw in your school's computer system that affects over 250,000 students? Thanks....you're expelled.

Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”
 
Stopped reading at Ahmed Al-Khabaz. Pretty much tells you everything right there in terms of the impetus for the school's kneejerk.
 
It's crazy they allowed an obvious terrorist to attend the school in the first place.

/sarcasm!
 
Maybe you shouldn't have stopped right there. The main problem is that he found the security hole and reported it but then a few days/weeks later he tried to see if it was fixed without prior approval. I mean expelling was a bit much but what he did was wrong and reckless and had nothing to do with his name or race.
 
What was not covered was whether he gave them the code to correct the flaw, or if Skytech had to get their developers to find and fix it themselves.

Either way the kid acted ethically. Skytech just got pissy at seeing him check to see if the flaw was still present after he reported it and they had time to correct it.

Whether or not Skytech put pressure on the university to expel Ahmed is unclear, but with one party acting ethically and the other arriving at an unjust action... you draw your own conclusions.

Either way someone should pick this Kid up. He is stand up, and technically proficient.
 
Maybe you shouldn't have stopped right there. The main problem is that he found the security hole and reported it but then a few days/weeks later he tried to see if it was fixed without prior approval. I mean expelling was a bit much but what he did was wrong and reckless and had nothing to do with his name or race.

Someone's sarcasm detector is broken today.
 
The flaw existed for weeks after the security flaw was exposed. I would have demanded that the school remove my information from the server, or threatened to sue.
 
Niiiice college, great way to show a 20 year old you care, for being a vigilant person that wanted to see it got fixed. :rolleyes:

Hope he turns into a grey-hat.
 
Dawson is still acting like an idiot. The Skytech offering is to CYA. He should walk away from both.
 
The problem is that the student came back and probed the security hole well after he had ethically and successfully alerted his school and their SIS/ERP vendor. He can say whatever he wishes for his intent to re-probe the vulnerability he discovered, but without the express permission of the sysadmin or system owner, it's a breach of ethics. The initial reaction of the school and vendor is the correct one here. You cannot honestly believe that the student was not told to not expose, probe, exploit, or otherwise act on his knowledge of the vulnerability in any way after he came forward.

The SIS/ERP vendor is saving face against the internet backlash by offering him a job and scholarship. That's very nice of them. The school has decided to weather the storm, and I can't fault them for sticking to their code of conduct. Best of luck to all three parties.
 
"Varrica clarified the process that leads to expulsion. She said the process includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned."

From what I read he got no advisory cease and desist? It sounds like he reported it to the school, they THANKED him for it, then when he checked to see if it still existed or was fixed, they threw him out.

Seems a bit ham fisted, I mean if they think he was REALLY trying to do something "Criminal" why on EARTH would he have reported the flaw in the first place?

Basically ruining the kid's life (at least his college life) because of trying to help them, and they are too blind to see it.
 
Oy. As some others said, he wasn't expelled for finding a flaw. He was expelled because he tried to penetrate the flaw a couple weeks after the fact. He should have simply called up the software company and say "how goes progress? Mind if I test it from my end?"
 
Expulsion is still a bit too harsh; he could've just gotten a slap on the wrist for playing around with the security flaw after he discovered it. Either way, good luck to all parties.
 
Expulsion is still a bit too harsh; he could've just gotten a slap on the wrist for playing around with the security flaw after he discovered it. Either way, good luck to all parties.
Let me play around with the security flaws in your bank and your company's payroll system and we'll see just how harsh of a penalty you think is justified.
 
"Varrica clarified the process that leads to expulsion. She said the process includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned."

From what I read he got no advisory cease and desist? It sounds like he reported it to the school, they THANKED him for it, then when he checked to see if it still existed or was fixed, they threw him out.

Seems a bit ham fisted, I mean if they think he was REALLY trying to do something "Criminal" why on EARTH would he have reported the flaw in the first place?

Basically ruining the kid's life (at least his college life) because of trying to help them, and they are too blind to see it.

Either the school is really weird, so it's good they got kicked out. ooor this isn't the whole story. :D
 
Oy. As some others said, he wasn't expelled for finding a flaw. He was expelled because he tried to penetrate the flaw a couple weeks after the fact. He should have simply called up the software company and say "how goes progress? Mind if I test it from my end?"

And this is the difference between being smart and wise. The kid was smart, but not wise. While the information we have seems to paint this guy as a white hat, he did try to unlawfully enter a company's server without permission. In other words, he broke the law; intent really doesn't enter into it at that point.

While I feel the guy got a raw deal, this is the kind of education people should be getting in college. Namely, it doesn't matter what the intent was; if you fuck up there are consequences.
 
That is also missing the point spugnor, he was on the team charged with developing an app that used the system he was interfacing with. So unless he was pulled from that team, he still had access/authorization to do what he did, but that is unclear from the articles.
 
/. made the same kind of click-bait title. He got expelled for running a tool looking for exploitable security holes without permission. That sets off all kinds of red flags. What a dope.
 
Oy. As some others said, he wasn't expelled for finding a flaw. He was expelled because he tried to penetrate the flaw a couple weeks after the fact. He should have simply called up the software company and say "how goes progress? Mind if I test it from my end?"

IMO, I think the issue was that he used software to probe for holes in the first place. Sure he was "congratulated" as per his side of the story, but it still was known that he used "hacking software" to find the hole in the first place.
 
Say I figure out that you have a weakness that if kicked swiftly in the balls, you will fall to your feet. This is a simple vulnerability, that many may exploit with basic foot-eye coordination and practice kicking.

I inform you of this vulnerability, and that is all fine, but why is it that some people think that I am now morally justified in kicking you in the balls the next morning to see if you took my advice or not?

Just because you found a weakness doesn't mean you have any right to attack it, and any attack against a weakness should be responded to with an appropriately swift punch to your big fat nose.
 
Stopped reading at Ahmed Al-Khabaz. Pretty much tells you everything right there in terms of the impetus for the school's kneejerk.

We like to think that north of the 49th we don't do those kind of things.

That article is more than a bit sensationalist. He wasn't booted because he found a hole, he was booted because he tested a hole against a live system. We don't know the details of that test. If you find a hole in a system and the way you "test" it is by running a complete table exfiltration, maybe he deserves to be booted. I'd like to think a panel of 15 tenured comp sci profs wouldn't vote overwhelmingly in favor of expelling a student because of a live system test.

But maybe not, this does seem like an overreaction.
 
I inform you of this vulnerability, and that is all fine, but why is it that some people think that I am now morally justified in kicking you in the balls the next morning to see if you took my advice or not?

It's not the college's balls that are vulnerable, it's the students' (including the one doing the kicking), and the college is telling them their balls are covered. I think in that case a student has a right to check and make sure.
 
You know the company was just pissed off that the kid highlighted how slow they were to fix the problem. The company was probably still in the process of planning meetings to nominate a committee to designate a task force to propose options for consideration of the possibility of acknowledging the issue.
 
This is like trying to hack into the Pentagon, you discover a security flaw and you report it to them. They're not going to say "GEE! Thanks for that! You're a great American!"

No... Your ass is going to prison (first) then (if you get out) you may get a job with them.
 
Hmmm, it sounds to me like they are telling this kid that he should have first removed his own personal information from the affected systems. Then he should have gotten onto some hacking web sites and sold his information to the highest bidder.

If his personal information was on the affected systems, then he has a vested interest in making sure his personal information is safe.

The way the story is written, he originally discovered the flaw while developing an app for his class. After he reported the flaw, while verifying his personal information was secure, he was accused of trying to penetrate the affected systems. He was then expelled. But the wording of the story was that you should only be expelled after repeated violations with refusal to modify your behavior. Why would you expel a student (still learning) for a single violation?

The whole scenario sounds fishy.

Don
 
Stopped reading at Ahmed Al-Khabaz. Pretty much tells you everything right there in terms of the impetus for the school's kneejerk.

I'd blame it on tech ignorant people being in charge. Just like the Aaron Swartz case.
 
The article read as:
1. Script Kiddie found security flaw.
2. Script Kiddie decided to try again.
3. Security detected this the second time.

Okay? So how is this kid in anyway innocent and deserving of "Awe, he did the right thing!"?

He ran a penetration test against the website. The intent should've been taken as hostile - student or not. He got what he deserved. Running any sort of penetration test means you have written, expressed agreement to test. You can't even just call them up and say "I'd like to see if my bug is still a bug." Because if shit hits the fan and you actually break something, which is absolutely possible trying to find exploits, you'll be left in the cold with your pants down around your ankles.
 
The whole scenario sounds fishy.
What happened was:

1. student is making a mobile app so other students can log into the student information system easier

2. same student finds flaws in the way the app works and reports it (thing that happened #1)

3. a few days later, student is worried about what other flaws may put his or other students' private information at risk.

4. ****Without permission**** he runs a fuzzing tool against the university's servers. (thing that happened #2)

There were 2 main events in this story, and people are assuming that #1 is what got him expelled. It's not. Thing #2 is what got him expelled, for hopefully obvious reasons. If it's not obvious, then stay away from running fuzzing tools against servers you don't own or don't have permission to "test".
 
edit:
2, ("app" refers to the server student info app, not mobile app he's writing)
 