hm

@videotron.ca
reply to milnoc

Re: [Serious] Dawson College expels hacking student

Also, the company giving him the money says he will get into a private college. The only private one I know in the area that is English is Marianopolis.

Takes $$ to go there, as well as some academic excellence.

So chances are, with the money he will get and all the PR, he will get a conditional acceptance and be big man on campus as his story makes the rounds. He will just have to prove himself and wear a dorky private school jacket.


milnoc

join:2001-03-05
H3B
kudos:2
reply to FFH5
Latest CBC Daybreak podcast on the issue.

»podcast.cbc.ca/mp3/podcasts/mont···7287.mp3

Dawson College is about to hold a news conference over the expulsion.
--
Watch my future television channel's public test broadcast!
»thecanadianpublic.com/live


hm

@videotron.ca
What else can Dawson say or do? Not much else they can say w/o breaching privacy of the student.

In any case this kid should give them the finger no matter what. He would be nuts to even go back there in a hostile environment where the entire faculty more or less treated him like a terrorist.


Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5
said by hm :

What else can Dawson say or do? Not much else they can say w/o breaching privacy of the student.

This is a legitimate concern for me.

Right now we only have the kid's word for it, plus the coverage around it, and he's clearly going to present his best case.

It may well be that the school is as dumb as it appears, but we don't know that, and even if the kid had done things that we would all agree are bad news, the college may well be prevented from talking about it. That means they would have to take a beating without the ability to defend their actions.

I've seen this happen in other cases (not related to security), and have enough respect for college authority (and enough disrespect for the "good judgement" of college students) that this gives me a bit of pause.

Steve
--
Stephen J. Friedl | Unix Wizard | Security Consultant | Orange County, California USA | my web site


J E F F
Whatta Ya Think About Dat?
Premium
join:2004-04-01
Kitchener, ON
kudos:1
reply to dragonfly5
said by dragonfly5:

said by DKS:

He did the wrong thing by attempting to check out the college's web site a second time. That was his mistake. It is like calling crimestoppers. You call, pass on the information and walk away. It is not up to you to solve the problem or deal with the issue. Report it and you have done your duty.

If there was nothing wrong with finding the vulnerability in the first place, why is there something wrong with finding new vulnerabilities to report them, or even just to verify that the vulnerability was fixed? Why is this bad, exactly?

Because he said so.

Personally though, shame on the vendor for not testing their software, and shame on the school for expelling the student and not cancelling the contract with the offending vendor.
--
If you can't explain it simply, you don't understand it well enough. - Albert Einstein


urbanriot
Premium
join:2004-10-18
Canada
kudos:3
Reviews:
·Cogeco Cable
reply to resa1983
said by resa1983:

Apparently, he's had 10 job offers now.

It's surprising to me that running a publicly available scanner on a site would lead to 10 job offers.


hm

@videotron.ca

1 edit
said by urbanriot:

said by resa1983:

Apparently, he's had 10 job offers now.

It's surprising to me that running a publicly available scanner on a site would lead to 10 job offers.

Is that all he did? [deleted]

resa1983
Premium
join:2008-03-10
North York, ON
kudos:10
reply to urbanriot
said by urbanriot:

said by resa1983:

Apparently, he's had 10 job offers now.

It's surprising to me that running a publicly available scanner on a site would lead to 10 job offers.

Might've been more to do with the original issue that he found.
--
Battle.net Tech Support MVP


FFH5
Premium
join:2002-03-03
Tavistock NJ
kudos:5
reply to milnoc
said by milnoc:

Dawson College is about to hold a news conference over the expulsion.

Dawson College's comments on the expulsion. BTW, it stays, for now anyway. The pressure is building on them to back down.

»www.cbc.ca/news/canada/montreal/···baz.html

Dawson director general Richard Filion said the school expelled Al-Khabaz based on the school's professional code of conduct.

"We're not doing this blindly, we're not doing this with happiness, but we had to consider a serious breach in these values and principles," said Filion.

The Dawson Student Union is appealing for the school to reinstate Al-Khabaz.

"Hamed is a brilliant computer science student who simply wanted to help his school," said Morgan Crockett, the union’s director of internal affairs and advocacy.

"Dawson College should be thankful for his talent and foresight. They must immediately reinstate Hamed, refund the debt he has incurred as a result of his unjust expulsion and offer him a public apology."

Filion said the school rejected the appeal and maintained its decision to expel Al-Khabaz.

"Well, if you look at the Criminal Code, it is clear that if someone is having access without authorization to any computer service, he is ... guilty in a criminal act," said Filion.


--
A democracy cannot exist as a permanent form of government. It can only exist until the voters discover that they can vote themselves money from the public treasury.

dragonfly5

join:2012-09-04
Oh Filion, your obsession with law and order is touching. If you're serious, you should be expelling half your students for pot possession.


indeedy

@videotron.ca
said by dragonfly5:

Oh Filion, your obsession with law and order is touching. If you're serious, you should be expelling half your students for pot possession.

Indeed. And half the faculty who go out to smoke pot with them, and the other half buying smokes from the students who live on the reserve.

He is one to talk.


hm

@videotron.ca
reply to FFH5
said by FFH5:

"Well, if you look at the Criminal Code, it is clear that if someone is having access without authorization to any computer service, he is ... guilty in a criminal act," said Filion.

The kid noticed that if he switched some numbers around in the URL, then he had full and unfettered access to someone else's info: SIN, D.O.B., grades, address, phone number, courses taken or dropped or added, including locker number and combinations.

THIS is what he brought to their attention. A security hole of the same magnitude in size and number as this: »Re: [Serious] HRSDC does it again!!! And it has even more info than that breach.

At this point he was congratulated by everyone, including Dawson's own computer admins.

It's only once he ran this freely downloadable program, »www.acunetix.com/vulnerability-s···ownload/, to check if the hole was fixed (which he should be concerned about, since his info is in it and accessible to anyone) that both the company and Dawson came down on him. There were threats and intimidation to tell no one and to sign an NDA from this creep of a company, and an expulsion, with support from his own faculty, to step on him. Not only so, but Dawson goes to great lengths to even lie by saying he was injecting cross-site XSS exploits, which he wasn't, as confirmed by the company. Dawson's excuse is a lie to cover themselves. And it also goes to show how little the faculty at Dawson teaching Comp Sci even know what an XSS exploit is.

Looks bad on all of them and makes them look like total idiots.

And to top it off, let us not forget this was only *just one* exploit he found out of many. And again this is a magnitude similar to the HRDC breach.

Seems to me Dawson is just hiding from both the public and the press, as well as making crap up, which the CBC more or less called them out on.

MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4
reply to Steve
said by Steve:

Right now we only have the kid's word for it, plus the coverage around it, and he's clearly going to present his best case.

Apparently the student handed over all correspondence about the matter to the CBC so they could see everything that was said by all parties.


Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5

1 recommendation

said by MaynardKrebs:

Apparently the student handed over all correspondence about the matter to the CBC so they could see everything that was said by all parties.

Whoa: no.

"What the kid claims to be all the correspondence" is not the same as "all information on the subject".


dirtyjeffer
Anons on ignore, but not due to fear.
Premium
join:2002-02-21
London, ON

1 recommendation

no, it's the CBC...they only report 100% factual non-biased news.

booj

join:2011-02-07
Richmond, ON
reply to hm
said by hm :

The kid noticed that if he switched some numbers around in the URL, then he had full and unfettered access to someone else's info: SIN, D.O.B., grades, address, phone number, courses taken or dropped or added, including locker number and combinations.

THIS is what he brought to their attention. A security hole of the same magnitude in size and number as this: »Re: [Serious] HRSDC does it again!!! And it has even more info than that breach.

I can't believe incrementing numbers in a URL gets you a felony hacking conviction in the US:

»techcrunch.com/2013/01/21/ipad-h···ibility/
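The flaw hm describes above, and that booj's post quotes (change a number in the URL and another student's record comes back), is a missing ownership check on a record lookup. The following is an added illustration, not code from this thread or from any of the systems discussed: the vulnerable lookup beside a hardened one that ties the record to the authenticated session, returns the same "not found" response for unknown and not-owned ids so ids cannot be enumerated, and writes denied cross-user requests to an audit list, which is the signal a defender would alert on. The record store, user names and field names are constructed for the example.

```python
# Added example (not from the thread): URL-parameter record lookup in its
# vulnerable form beside a hardened form with an ownership check and audit log.
# All records, owners and field values below are constructed sample data.

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StudentRecord:
    student_id: int
    owner: str           # the account entitled to view this record
    name: str
    dob: str
    locker_combo: str


# Constructed sample data: two students, each owning exactly one record.
RECORDS: Dict[int, StudentRecord] = {
    1001: StudentRecord(1001, "alice", "Alice Example", "1994-05-01", "12-34-56"),
    1002: StudentRecord(1002, "bob", "Bob Example", "1993-11-17", "65-43-21"),
}

# Constructed sink for denied cross-user requests; in a real deployment this
# would go to the application's audit log / SIEM.
AUDIT_LOG: List[dict] = []


def get_record_vulnerable(session_user: str, student_id: int) -> Optional[StudentRecord]:
    """Vulnerable pattern: the id taken from the URL is used directly as the
    lookup key.  session_user is never consulted, so any logged-in user who
    edits the number retrieves a different student's record."""
    return RECORDS.get(student_id)


def get_record_hardened(session_user: str, student_id: int) -> Optional[StudentRecord]:
    """Hardened pattern: same lookup, then verify the record belongs to the
    authenticated session.  Unknown ids and not-owned ids both return None so
    the response does not reveal which ids exist; the denied attempt is
    recorded because a run of such denials across sequential ids is the
    detection signal for this class of probing."""
    record = RECORDS.get(student_id)
    if record is None:
        return None
    if record.owner != session_user:
        AUDIT_LOG.append(
            {"user": session_user, "requested_id": student_id, "result": "denied"}
        )
        return None
    return record


def count_denied_for_user(user: str) -> int:
    """How many cross-user record requests the audit log holds for `user`."""
    return sum(1 for event in AUDIT_LOG if event["user"] == user)


def demo() -> Dict[str, bool]:
    """Replay the scenario from the post: alice is logged in and requests the
    record one number away from her own (bob's).  Reports which handler
    exposed another student's data."""
    leaked_vulnerable = get_record_vulnerable("alice", 1002) is not None
    leaked_hardened = get_record_hardened("alice", 1002) is not None
    return {"vulnerable_leaked": leaked_vulnerable, "hardened_leaked": leaked_hardened}


if __name__ == "__main__":
    print(demo())
    print("denied requests by alice:", count_denied_for_user("alice"))
```

The point of the hardened handler is that authorization is decided from the server-side session, never from anything the client supplied in the URL; making the denied path indistinguishable from "not found" and logging it are the two additions a reviewer would ask for on top of the ownership check.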


hm

@videotron.ca
The Honda Canada breach was the same, but contained *lots less* info than what Dawson has.

Since I was affected, I called Privcom on this one, and it's the same as what this Dawson kid did; Privcom said it wasn't worth dragging Honda over the coals.

Funny how the same vectors have different outcomes, eh.

But then again, Privcom has people who understand what the exploit is and what a computer is, as well as what pumping different IDs does. Dawson's Computer Science faculty does not, amazingly enough. I wouldn't want to be taught by these people.

MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4
said by hm :

The Honda Canada breach was the same, but contained *lots less* info than what Dawson has.

Since I was affected, I called Privcom on this one, and it's the same as what this Dawson kid did; Privcom said it wasn't worth dragging Honda over the coals.

Funny how the same vectors have different outcomes, eh.

But then again, Privcom has people who understand what the exploit is and what a computer is, as well as what pumping different IDs does. Dawson's Computer Science faculty does not, amazingly enough. I wouldn't want to be taught by these people.

Exactly.

Maybe all the Dawson CompSci students should sue the college for devaluing their 'degree/diploma' by the lack of understanding and antics the faculty/administration displayed over this matter. It calls into question anything the students were 'taught'.


hm

@videotron.ca
Per the National Post reporter who broke the story, Dawson has had a legal waiver given to them to divulge any private information they see fit to prove what they were stating.

Dawson decided to hide since it has become clear their Comp Sci faculty dinosaurs don't know an XSS from a port scan.

Expelled Dawson student waives privacy rights, challenges College to prove he deserved expulsion
»rabble.ca/blogs/bloggers/ethan-c···llege-pr


zong
Premium
join:2005-07-21
Scarborough, ON
Reviews:
·TekSavvy DSL
·mycybernet.net
·Switchworks
Even more interesting is according to the reporter who broke the story in that link, the College told another CBC reporter investigating the story that the original reporter is going to be sued, and that the CBC will be sued if they keep pressing.

Amazing. Bullying a kid is one thing, covering up and threatening the press is a whole other matter. Who the hell is running that show anyway? They don't seem to be running on all cylinders.

peterboro
Avatars are for posers
Premium
join:2006-11-03
Peterborough, ON

1 recommendation

This is no surprise to anyone familiar with labour law in Ontario: the biggest wankers are in administration.

1. Universities, then colleges.

2. Hospitals.

3. Provincial ministries.

It seems there is a degree of inverse proportionality to common sense and a degree of the douche bag factor that is related to one's pay and propensity to engage in covering up anything that challenges their little fiefdoms.