Student expelled after exposing security flaw in college computers

As reported on The Verge.

By Aaron Souppouris

Last fall, Ahmed Al-Khabaz and a fellow student discovered “sloppy coding” in their college’s computer system that jeopardized the security of over 250,000 students’ personal information. After testing to confirm the issue was real, Al-Khabaz was congratulated for raising the issue with the relevant authorities, but has since been expelled from Montreal’s Dawson College with failing grades.

 

MINUTES AFTER TESTING THE FLAW, AL-KHABAZ WAS ACCUSED OF LAUNCHING A CYBER ATTACK

The reason for his expulsion, according to Canada’s National Post, is a further test Al-Khabaz ran on October 26th last year. The former student says he simply wanted to confirm that Skytech, the company that provides and maintains the college’s computer systems, had fixed the vulnerability, but minutes after the test he was called by company president Edouard Taza, who accused him of launching a cyber attack against Skytech’s network. Al-Khabaz says that, despite explaining he was one of the students who originally reported the vulnerability, he was threatened with legal proceedings and forced to sign a non-disclosure agreement preventing him from discussing the attack or the existence of any flaw.

Dawson College administration took the opinion that the “test” had endangered the safe running of college computers, and after meeting with the student, voted in favor of expelling him. Al-Khabaz believes that, rather than acting in the college’s best interests, the administration was simply trying to save face. “I got the sense that their primary concern was covering up the problem.” He says that his newly-assigned failing grades — he was reportedly “acing” all of his classes before the incident — have prevented him from enrolling at another college.

“IT IS VERY CLEAR TO ME THAT THERE WAS NO MALICIOUS INTENT.”

It’s likely that, whether perpetrated in good faith or not, Al-Khabaz’s actions could rightly be perceived as a cyber attack. Skytech president Edouard Taza told the National Post he was “pleased” with the students’ work in uncovering the vulnerability, but said the additional testing crossed a line. “He should have known better than to use [the testing software] without permission.” The president acknowledges mentioning the legal implications of the test to Al-Khabaz, but denies using threatening language to force him to sign a non-disclosure agreement. College representatives have refused to comment on the case, but Taza says “it is very clear... there was no malicious intent. He simply made a mistake.”