

hurleyp

join:2000-06-20
Ottawa, ON
Reviews:
·Rogers Hi-Speed

2 recommendations

Student expelled for finding security flaw

"A student has been expelled from Montreal’s Dawson College after he discovered a flaw in the computer system used by most Quebec CEGEPs, one which compromised the security of over 250,000 students’ personal information."

»news.nationalpost.com/2013/01/20···al-data/

A strange story that seems to be more about procedural/legal nonsense than any lost information. It makes you wonder what is the correct way to report a security hole without getting yourself into trouble.

(In Quebec, a "CEGEP" is roughly equivalent to a junior college.)
--
"I reject your reality and substitute my own."


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1

1 recommendation

said by hurleyp:

"It makes you wonder what is the correct way to report a security hole without getting yourself into trouble."



Anonymously and only directly to the owner of the system so they can keep it from being widely known and not have to do anything about it or take responsibility or get a public black eye. Public perception is more important to them than actual security.

--
Be a Good Netizen - Read, Know & Complain About Overly Restrictive Tyrannical ISP ToS & AUP »comcast.net/terms/ »verizon.net/policies/


jack b
Gone Fishing
Premium,MVM
join:2000-09-08
Cape Cod
kudos:1
reply to hurleyp
File this, appropriately, under "no good deed goes unpunished".

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to hurleyp

The agreement prevented Mr. Al-Khabaz from discussing confidential or proprietary information he found on Skytech servers, or any information relating to Skytech, their servers or how he accessed them. The agreement also prevented Mr. Al-Khabaz from discussing the existence of the non-disclosure pact itself, and specified that if his actions became public he would face legal consequences.

When reached for comment Mr. Taza acknowledged mentioning police and legal consequences, but denied having made any threats, and suggested that Mr. Al-Khabaz had misunderstood his comments.

I'll keep my comments to myself about this whole exchange -- insert comment about he said / she said here.
That being said, in the hacking books I've ever read, NOW I finally understand why they make a point to open
with the procedural and legal stuff before getting to the technical.

My question is whether Skytech is actually going to DO anything about it, and by extension Dawson's College.
Somehow I'm getting cold pricklies of Skytech saying to Dawson (and everyone else that runs their software,
for that matter), "there's a critical flaw, which we've identified and fixed but you'll need to pay us X dollars to get the fix."

Regards

Secyurityet
Premium
join:2012-01-07
untied state
said by HELLFIRE:

Somehow I'm getting cold pricklies of Skytech saying to Dawson (and everyone else that runs their software,
for that matter), "there's a critical flaw, which we've identified and fixed but you'll need to pay us X dollars to get the fix."

That would be included in their Gold software maintenance plan...


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to hurleyp
Thanks for this, hurleyp.

Doesn't make sense
quote:
Hamed Al-Khabaz was expelled last November after he found “massive shortcomings” in the Omnivox software created and operated by Skytech Communications. The flaws left the personal data, including the social insurance numbers, of more than 250,000 current students and millions more past students vulnerable to theft, he said.

Al-Khabaz said he was accused of launching a cyber-attack and threatened with jail and a lawsuit. Al-Khabaz said he wanted to help the company close the security loopholes, and so signed an agreement that he would hand over all of the information about the flaws that he had discovered in exchange for agreeing to not speak publicly about his findings.
CTV Montreal Article

--
Canadians reserve the Right to - Arm Bears


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:13
reply to NOYB

 

Yes, it seems that's the only way!



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to hurleyp

Re: Student expelled for finding security flaw

Also from Ars Technica:
Canadian student expelled for playing security “white hat”
»arstechnica.com/security/2013/01···ite-hat/


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

1 recommendation

reply to hurleyp
Dawson student who exposed security flaw offered job, scholarship by Skytech
»www.montrealgazette.com/news/mon···ory.html