No good deed, huh. A student from Dawson College in Montreal has been expelled for his involvement in the uncovering of a potentially horrible flaw in his school’s online directories. Sounds dumb, right? Even worse: Everyone more or less agrees he meant no harm.
Here’s what happened: Ahmed Al-Khabaz, a Computer Science student at Dawson, and a friend were working on a mobile app to allow students mobile access to their school data. In the process, they uncovered a pretty serious vulnerability (“sloppy coding”) that would have put student information at risk. What kind of information? According to Al-Khabaz, “social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”
So Al-Khabaz took the issue to the school’s Director of Information Services and Technology. The meeting went well, and he was told that Skytech, the company that makes the software in question, would get right on it. After not hearing back for a few days, Al-Khabaz decided to check to see if the vulnerability had been patched, using a program called Acunetix. That was a mistake. He immediately received a call from the head of Skytech, saying this was the second time in a few days that he’d been spotted in their system, and this was a serious breach. The software he’d used to check up on the system could have caused serious problems, since it was used without prior notification to the system admin.
Al-Khabaz apologised, and eventually signed an NDA forbidding him from discussing the case, but that wasn’t the end of it. Despite the Skytech people acknowledging that there was no malicious intent, Dawson’s faculty held a vote on whether it should expel him for “unprofessional conduct.” Al-Khabaz was not allowed to speak on his own behalf, and 14 of 15 professors voted to expel him—rendering his grades for the semester zeroes across the board. Two motions for appeal have been turned down.
So that’s Al-Khabaz’s situation right now: 20 years old, expelled from school with bottomed-out grades and a record of being expelled. All for trying to help, and bungling it a bit. You can read the rest of the sad, regrettable situation over at the National Post. [National Post via Techmeme]
This is just wrong. I got threatened with disciplinary action when I reported a problem with my Sixth Form College’s network. It’s just not right.
I think we all know what the real story is here…
He didn’t follow the code; we all know you cannot write a bug report without creating a patch for said bug first.
Here’s hoping a security firm hires him off the back of this, sounds like he could be worth it.
Somewhere’ll pick him up just for the publicity of being the good guys in this.
You know, it’s stories like this that make me think there simply is no hope for human kind. No hope at all.
Your first mistake is comparing university bureaucrats and professors with “human kind.”
Haha, true. But if I shot one in the face I’m pretty sure I would be tried for killing another “human”
Now he has a chance at becoming the next Bill Gates or Steve Jobs. I mean, all rich people dropped out of college right?
I got told I was going to be expelled from my high school (a “Maths and Computing specialist school”) in 2004 for telling and then watching a friend use wildcards with netbios commands (namely, net send) on an old account that the school hadn’t updated permissions on. Every computer in the school, including the headmaster’s, and those linked to projectors, popped up the message at the same time saying: “u smell”
I got off in the end with nothing but a severe shouting at – probably due to my Dad’s observations that I didn’t do anything, it’s their own fault for having old accounts still open and not updated, and that there was actually no damage, even network resources used were negligible. The other guy got 2 incident slips and a few after school detentions for “being stupid enough to listen” to me ¬_¬
Funny side note, the guy who listened to me and pressed enter then went on to work for Twitter for a bit, and now works at Quora I think.
Schools should have to report all internal hacks by students so then the student can be poached to work for the “good guys” whoever they may be. If we want to get the good security people on our side, then our schools are the place to find them. And ffs don’t punish them severely – that’s like kicking an angry dog, you’re only going to make it more willing to bite you again twice as hard.
And now, rather than a smart good guy helping to stop hacking and identify security risks, there is another member of Anon on the loose.. good work school!
saves his college..
gets kicked out college…
if superman was real in our world…
This is coming from someone who was almost expelled from their college for something similar: the college did right.
There was a VNC exploit going around and everyone wanted to be like the cool kids using it. The programme was found on my user area (admin were still unsure why it was there) and I was nearly expelled under the Computer Misuse Act.
It is all good saying “the college is bad for expelling him, someone will employ him” but in reality what he should have done is not tried to investigate further and/or exploit it to show that it is vulnerable (report said that he did on another site); he should have raised it to the IT staff: “hey, there is some code here that looks a bit insecure, I think you should have a look at it”. This happens A LOT with businesses by people reporting exploits; I think there was a similar case with Facebook.
All in all, nearly getting expelled was the biggest shock in my life and I vowed never to do anything malicious with computers even if it is reporting exploits, make sure you have permission first.
This could go two ways for the chap involved, he could get a nice IT job from it or he could be black listed as untrustworthy because of this incident :S
It’s not the same as “testing the security at walmart by stealing a TV”
It’s checking up on a fault you have reported, one that the school didn’t seem to care about, one that the software company didn’t seem to care about. They just happen to have fixed it. That’s the amazing bit.
From what I understand, he was expelled, not for reporting the security problem, but for later checking whether it had been fixed by running penetration testing software over the live website.
Also, his name’s Hamed, not Ahmed. At least that’s going by the campaign running to help him, ‘Hamed Helped’…