A student has been expelled from Montrealâ€™s Dawson College after he discovered a flaw in the computer system used by most Quebec CEGEPs, one which compromised the security of over 250,000 studentsâ€™ personal information.
Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the schoolâ€™s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as â€œsloppy codingâ€ in the widely used Omnivox software which would allow â€œanyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.â€
â€œI saw a flaw which left the personal information of thousands of students, including myself, vulnerable,â€ said Mr. Al-Khabaz. â€œI felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didnâ€™t think I was doing anything wrong.â€
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
â€œIt was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didnâ€™t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.â€
Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.
â€œThis type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.â€
The administration of Dawson College clearly saw things differently, proceeding to expel Mr. Al-Khabaz for a â€œserious professional conduct issue.â€
â€œI was called into a meeting with the coâ€“ordinator of my program, Ken Fogel, and the dean, Dianne Gauvin,â€ says Mr. Al-Khabaz. â€œThey asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem.â€
â€œI was acing all of my classes, but now I have zeros across the board. I canâ€™t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I wonâ€™t be able to get it. My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled.â€