FFH
Premium
join:2002-03-03
Tavistock NJ
kudos:5

[Serious] Dawson College expels hacking student

A computer science student at Dawson College in Montreal uncovered a privacy leaking bug in the leased software used by many colleges in Quebec to manage student records. He reported the flaw, notified the company involved, and then waited for it to be fixed.

But he didn't wait long enough. He used available web site hacker software to probe the software to see if they fixed it yet. They had, and caught his probe right away. The company that sells the software was not happy and made him sign an agreement to stop the probing. He did and the company was happy. But his College wasn't - they expelled him on a 14-1 vote by the Computer Science Dept faculty for unprofessional conduct for the probing attempt.

Now that this is becoming public, I expect Dawson College will be forced to back down and reinstate him. We will see.

»news.nationalpost.com/2013/01/20···al-data/
--
A democracy cannot exist as a permanent form of government. It can only exist until the voters discover that they can vote themselves money from the public treasury.



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

So, the poor student pays dearly for the college's incompetence... instead of a commendation.

Well done, Dawson. Well done!
--
"I fear the day that technology will surpass our human interaction. The world will have a generation of idiots." ~ Albert Einstein



milnoc

join:2001-03-05
H3B
kudos:2

It gets worse. He signed an NDA with Skytech, Dawson's IT subcontractor, where he would reveal the vulnerabilities of Dawson's Web site in exchange for not being sued. But the college expelled him anyway for "unprofessional conduct".

He's being interviewed right now by CBC Radio 1 Montreal, where he's revealing everything that has happened to him, effectively violating the NDA.

Lesson learned. The next time you find a vulnerability in someone else's system, stay quiet about it, and exploit it for your own benefit. No point in doing "the right thing" if you're going to be punished for it anyway.
--
Watch my future television channel's public test broadcast!
»thecanadianpublic.com/live



DKS
Damn Kidney Stones
Premium,ExMod 2002
join:2001-03-22
Owen Sound, ON
kudos:2

said by milnoc:

Lesson learned. The next time you find a vulnerability in someone else's system, stay quiet about it, and exploit it for your own benefit. No point in doing "the right thing" if you're going to be punished for it anyway.

He did the wrong thing by attempting to check out the college's web site a second time. That was his mistake. It is like calling crimestoppers. You call, pass on the information and walk away. It is not up to you to solve the problem or deal with the issue. Report it and you have done your duty.
--
Need-based health care not greed-based health care.


milnoc

join:2001-03-05
H3B
kudos:2

But the site was still not fixed properly, a site that contained his own personal information along with everyone else's.

And you can bet that someone who didn't care about "morals" or "ethics" would not have mentioned a word of this to anyone.

BTW, using your analogy, he essentially called "Crimestoppers" to report an incident committed by the police itself. How reliable do you think the police will be in investigating itself?
--
Watch my future television channel's public test broadcast!
»thecanadianpublic.com/live



DKS
Damn Kidney Stones
Premium,ExMod 2002
join:2001-03-22
Owen Sound, ON
kudos:2

said by milnoc:

But the site was still not fixed properly, a site that contained his own personal information along with everyone else's.

The site was fixed and he was caught.

BTW, using your analogy, he essentially called "Crimestoppers" to report an incident committed by the police itself. How reliable do you think the police will be in investigating itself?

This isn't law enforcement. This was education and a commercial site. As a courtesy, the company should have thanked him, but he got curious. There is an old saying, "Curiosity killed the cat". Same thing.
--
Need-based health care not greed-based health care.


urbanriot
Premium
join:2004-10-18
Canada
kudos:3
Reviews:
·Cogeco Cable
reply to Juggernaut

said by Juggernaut:

So, the poor student pays dearly for the college's incompetence... instead of a commendation.

Not exactly. The entirety of this story should be fully understood, and based on the well-written National Post article, he's not exactly an innocent in this matter.

quote:
I saw a flaw which left the personal information of thousands of students, including myself, vulnerable, said Mr. Al-Khabaz. I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn't think I was doing anything wrong.
So that's good, I agree with that.

quote:
After an initial meeting with Director of Information Services and Technology François Paradis on Oct. 24, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill.
So they know about the issue and they're going to get to work on it...

quote:
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected
... two days later!? Considering this was a long-standing exploit, there's no reason why he needs to immediately check into whether or not these people have resolved the problem. Furthermore, it's not his job to follow up; it's the job of the people at the school who are aware of this problem to follow up. Rather than exploit the system, he should have communicated with the people at the school.

quote:
It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack.
And it's true, he's attacking their system using an exploit he's aware of.

quote:
This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.
... could have crashed the system? Yet two days after reporting the issue, he tries to exploit the system again?

I agree with those that said he made a mistake. He should have communicated with the appropriate people rather than using tools to exploit the server.


Thane_Bitter
Inquire within
Premium
join:2005-01-20
reply to milnoc

Do you know which show (name of the program) it was on?



Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

2 recommendations

reply to FFH

Re: [Serious] Dawson College expels hacking student

I have been doing security pen testing for decades as part of my day job, and my opinion is that the kid made a minor error in judgement, and that the authorities are overreacting out of ignorance and CYA.

The sad part is that this behavior is so common as to have a name: "The Big Surprise of security consulting".

This Surprise, which still disappoints me, is that security reports are mostly ignored, but occasionally turn the good guy into the bad guy.

It shouldn't be a surprise to anybody that "they said it's fixed" is not the same thing as "it's fixed", and all vendors have released patches that didn't fully fix the problem. One of the reasons Microsoft takes longer than we like to fix stuff is that they assume there are multiple avenues of exploitation, so they look all over the neighborhood for related areas (they also test the crap out of it).

So all responsible security researchers check their work after claims of repair, but the kid's mistake was to use an industrial strength check-everything tool rather than just probe for the issue he knew about. These things barge in like an elephant and occasionally can hurt a site with the tests, though it's something the vendor should have been applying.

That the vendor fixed the problem right away is a really good sign, but their overreaction to the kid is shameful. "Hey, we appreciate the bug report, but you seriously need to knock it off" would have been all that would have been required.

The fact that the vendor extracted an NDA from the kid is evidence that this is just CYA and PR, and not outrage at what the kid did. That the school boots the kid means they're in the same camp and don't know how the world works. Shame on them.

Those who assert "They fixed it, he should have left it alone" are being very cavalier with confidential student data and are exhibiting a confidence unwarranted by experience. It's not about beating up on the vendor, but protecting private data, which the university has a moral - and perhaps legal - obligation to do.

I expected this to end the same way that so many others do, where the "security researcher" was actually using the data for private gain, but in this case he was just ensuring that private data (including his, presumably) was not compromised.

He's the good guy; shame on the University.

Steve
--
Stephen J. Friedl | Unix Wizard | Security Consultant | Orange County, California USA | my web site


MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4
reply to FFH

I'd sue the college for $1B.
And probably also sue the software company too, if they provided ANY information to the college.


got_milk

join:2007-08-22
Georgetown, ON
reply to Steve

said by Steve:

So all responsible security researchers check their work after claims of repair, but the kid's mistake was to use an industrial strength check-everything tool rather than just probe for the issue he knew about. These things barge in like an elephant and occasionally can hurt a site with the tests, though it's something the vendor should have been applying.

It's not so black and white here. While I can respect wanting to ensure the security flaw was fixed, what he was doing was illegal. He did not have permission from the college to do any kind of security probing.

I don't necessarily agree with kicking the poor guy out of school - but I don't feel that he's entirely the victim here. He should have known better than to pentest like that.


Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

said by got_milk:

He should have known better than to pentest like that.

Isn't that what I said?
said by me:

but the kid's mistake was to use an industrial strength check-everything tool rather than just probe for the issue he knew about



FFH
Premium
join:2002-03-03
Tavistock NJ
kudos:5
reply to MaynardKrebs

said by MaynardKrebs:

I'd sue the college for $1B.
And probably also sue the software company too, if they provided ANY information to the college.

Total waste of time and will never happen. The very likely outcome here is the school will now readmit him due to the PR hit.

But since 14 of 15 of his professors voted to boot him, if I was him I'd get readmitted and then, having cleared my academic record, transfer elsewhere. My experience is that most professors are petty little tyrants and will take out their embarrassment by hounding him with lesser grades than he was getting before. It is the passive/aggressive method that would be hard to prove that they had it in for him.
--
A democracy cannot exist as a permanent form of government. It can only exist until the voters discover that they can vote themselves money from the public treasury.

got_milk

join:2007-08-22
Georgetown, ON
reply to Steve

Ignore this, double post. Sorry!


got_milk

join:2007-08-22
Georgetown, ON
reply to Steve

said by Steve:

said by got_milk:

He should have known better than to pentest like that.

Isn't that what I said?
said by me:

but the kid's mistake was to use an industrial strength check-everything tool rather than just probe for the issue he knew about

Yes, but then you also said:

said by Steve:

He's the good guy; shame on the University.

My argument is that he's not necessarily the good guy overall - what he did was against the law. Even probing just for that vulnerability alone is equally as illegal. He didn't have permission to do so, and he's lucky in a sense that law enforcement didn't get involved.


hm

@videotron.ca
reply to got_milk

said by got_milk:

what he was doing was illegal.

Mind posting a URL showing us that scanning a URL is illegal in Canada?


hm

@videotron.ca
reply to FFH

Basically what you have here is a company, Skytech, covering up their incompetence with this software and leaving a vulnerability open that can cause a breach of hundreds of thousands of people's private info. And Dawson also covering it up. Right up to the Director of Dawson.

Instead of thanking him for the hole he discovered in both security and privacy, the company threatens him and Dawson expels him.

This is the same type of scenario that plays out all the time with "whistleblowers".

"Had Hamed not made his discoveries," according to the reinstatement website, "the personal data of millions of Quebec students, college and university staff, as well as alumni dating back to 1994 would have continued to be easily exploitable."

Dawson Student Union calls for reinstatement of software-flaw ‘whistleblower’
»www.montrealgazette.com/news/mon···ory.html


dragonfly

join:2012-09-04
reply to DKS

said by DKS:

He did the wrong thing by attempting to check out the college's web site a second time. That was his mistake. It is like calling crimestoppers. You call, pass on the information and walk away. It is not up to you to solve the problem or deal with the issue. Report it and you have done your duty.

If there was nothing wrong with finding the vulnerability in the first place, why is there something wrong with finding new vulnerabilities to report them, or even just to verify that the vulnerability was fixed? Why is this bad, exactly?


zong
Premium
join:2005-07-21
Scarborough, ON
Reviews:
·TekSavvy DSL
·mycybernet.net
·Switchworks
reply to FFH

THIS IS A COPY AND PASTE FROM SLASHDOT. While this is entirely hearsay, and should be taken with a grain of salt, if true, this kid is totally in the wrong.

================

...when I read the title. I'm from Montreal, currently studying on exchange overseas. A few months back a friend of mine was telling me about an app he and some friends in a club at Dawson College were writing. I know a few of the guys personally because I was at some party with them back in September and I had heard a bit about how the project was going in the months following. All this to say, the story is complete bullshit.

Apparently, the school had originally offered to share some info that would help the guys making the app, but, coincidentally some company started developing something around the same time that was along the same lines so Dawson reneged on the deal. FTA:

Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software

The story goes, according to my friend, as such. Apparently, the programmer and one of the other guys decided they were just going to take the info, which was easy to do since Omnivox is such a terrible system, by breaking in. While doing this, they discovered the flaw and used it as leverage once the school noticed they had accessed the system and approached them. The other friend played innocent and the programmer got the flak for it, eventually being expelled.

This was by no means a white hacking deal. Also, these guys have been exploiting Dawson's system for a while to print for free and other such things.


got_milk

join:2007-08-22
Georgetown, ON
reply to hm

said by hm:

said by got_milk:

what he was doing was illegal.

Mind posting a URL showing us that scanning a URL is illegal in Canada?

I'm not familiar with the ins and outs of the Canadian Criminal Code, but a friend of mine who works for a large security firm told me that his company won't pentest anything without signed documents granting him access to do so, as without consent not only is it unethical to do so but it's against Canadian law.

I've been meaning to read up through the code on exactly what is and what isn't legal, but I haven't been able to do that yet. Sorry I can't provide a direct source.


TigerLord
UEE Citizen
Premium,Mod
join:2002-06-09
Canada
kudos:8

1 recommendation

reply to FFH

President of Skytech didn't want it known a 20 year old fixed the code he spent millions on, so he wanted him to sign an NDA.

The president who blackmailed the poor guy is the one who should go to prison.



milnoc

join:2001-03-05
H3B
kudos:2

1 recommendation

reply to Thane_Bitter

Re: [Serious] Dawson College expels hacking student

CBC Daybreak. Here's the full interview. »www.cbc.ca/player/Radio/Local+Sh···7525012/

BTW, the vulnerability was discovered by accident, and cracked by two people, using only pen and paper, in 20 minutes.

--
Watch my future television channel's public test broadcast!
»thecanadianpublic.com/live



Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5
reply to got_milk

said by got_milk:

Even probing just for that vulnerability alone is equally as illegal.

Not necessarily; "intent" is a consideration in nearly every potential legal transgression. Is it "breaking and entering" if I bust your door down in order to pull you out of your burning house?

However:
said by this post:

Apparently, the programmer and one of the other guys decided they were just going to take the info, which was easy to do since Omnivox is such a terrible system, by breaking in

This was not even hinted at in the original article, but sadly would not surprise me either given the state of youth. Intent is a big deal here, and if this slashdot post is true, then that clearly turns the whole evaluation of the situation.


milnoc

join:2001-03-05
H3B
kudos:2

Further information from the interview. His second attempt to hack the system was done using a test account that was given to him by Skytech!
--
Watch my future television channel's public test broadcast!
»thecanadianpublic.com/live



Guspaz
Guspaz
Premium,MVM
join:2001-11-05
Montreal, QC
kudos:23
reply to FFH

Kid should be punished, sure. But expulsion? That would prevent you (or at least make it very difficult) from getting into any other CEGEP, which would prevent you from getting into university, which would basically mess up the rest of your life.

Should the guy get a slap on the wrist? Sure. Should the rest of his life be ruined? No.
--
Developer: Tomato/MLPPP, Linux/MLPPP, etc »fixppp.org


MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4
reply to dragonfly

said by dragonfly:

If there was nothing wrong with finding the vulnerability in the first place, why is there something wrong with finding new vulnerabilities to report them, or even just to verify that the vulnerability was fixed? Why is this bad, exactly?

Because you become a terrorist if you do anything against corporate interests, or challenge the establishment.

»www.economist.com/news/obituary/···26-aaron


FFH
Premium
join:2002-03-03
Tavistock NJ
kudos:5

said by MaynardKrebs:

said by dragonfly:

If there was nothing wrong with finding the vulnerability in the first place, why is there something wrong with finding new vulnerabilities to report them, or even just to verify that the vulnerability was fixed? Why is this bad, exactly?

Because you become a terrorist if you do anything against corporate interests, or challenge the establishment.

»www.economist.com/news/obituary/···26-aaron

Not the same. And it wasn't the company that is sticking it to him. It was his college. Save your "corporation is evil" for another thread.
--
A democracy cannot exist as a permanent form of government. It can only exist until the voters discover that they can vote themselves money from the public treasury.