Student Expelled For Reporting Security Problem To School Officials

No good deed, huh. A student from Dawson College in Montreal, Canada, has been expelled for his involvement in the uncovering of a potentially horrible flaw in his school's online directories. Sounds dumb, right? Even worse: Everyone more or less agrees he meant no harm.

Here's what happened: Ahmed Al-Khabaz — a computer science student at Dawson — and a friend were working on a mobile app to allow students mobile access to their school data. In the process, they uncovered a pretty serious vulnerability ("sloppy coding") that would have put student information at risk. What kind of information? According to Al-Khabaz, "social insurance number, home address and phone number, class schedule, basically all the information the college has on a student."

So Al-Khabaz took the issue to the school's Director of Information Services and Technology. The meeting went well, and he was told that Skytech, the company that makes the software in question, would get right on it. After not hearing back for a few days, Al-Khabaz decided to check to see if the vulnerability had been patched, using a program called Acunetix. That was a mistake. He immediately received a call from the head of Skytech, saying this was the second time in a few days that he'd been spotted in their system, and this was a serious breach. The software he'd used to check up on the system could have caused serious problems, since it was used without prior notification to the system admin.

Al-Khabaz apologised, and eventually signed an NDA forbidding him from discussing the case, but that wasn't the end of it. Despite the Skytech people acknowledging that there was no malicious intent, Dawson's faculty held a vote on whether it should expel him for "unprofessional conduct." Al-Khabaz was not allowed to speak on his own behalf, and 14 of 15 professors voted to expel him — rendering his grades for the semester zeroes across the board. Two motions for appeal have been turned down.

So that's Al-Khabaz's situation right now: 20 years old, expelled from school with bottomed-out grades and a record of being expelled. All for trying to help, and bungling it a bit. You can read the rest of the sad, regrettable situation over at the National Post. [National Post via Techmeme]

Picture: Sergey Nivens/Shutterstock



    He wasn't expelled for reporting the issue, he was thanked for it. It's when he did it again that they chose to expel him. Not a smart thing to do.

      Thank you, This was already discussed on Reddit with the same misleading title!

      Not a smart thing to do running vulnerability scanners on networks you don't have permission to.

    Yeah, he should've just asked what the go was instead of what he did. Still way harsh what they did though. Those professors are complete dicks.

      @planky @kaflooey
      He's just a kid, kids do silly things, the school sounds like it's in Skytech's pocket.
      Hmmm Skytech, Skynet....

        So glad I'm not the only one that associated Skynet instantly =/

        20 years old - he's not a kid.

          How old are you, because there are some of us here who do think that a twenty year old is still a kid. :)

    still he could have well used that information for his own personal gain
    so basically he is getting punished for his good deed, sounds to me that he was checking whether they had actually done any work on it as they said, people/corporations/governments/etc generally act really slow until something bad happens
    they are promoting bad behaviour, naturally you would have to assume there would have to be some maintenance downtime of the school systems, he was just making sure it was fixed
    also the company didn't fix it, they set up a monitoring system, yet prevention is key here
    the next guy probably won't be that nice and if he is smart he will only use it once

    I really hope this gets picked up by the MSM. It seems more like he was expelled for exposing a lack of action on a known security flaw than for doing anything wrong.

      He was expelled for running a vulnerability scanner across a network he didn't have permission to.

    Common sense fails again.

    So essentially he is a twenty year old computer science student who's dropped out/been expelled.
    He's well on his way to becoming a millionaire in the IT industry.

    Well, the lesson here is, don't go to Skytech for your IT needs... I almost got expelled for misusing computers at school. I decided to net send "SUCK IT FAGS!" to everyone. Someone piped up it was me and we got a talking to. I didn't do it again until after the HSC, on "muck-up day", even though we were warned to do anything, I sent another message "Year 12 2004, legacy 4eva" or something (This time, it was a group decision). After this, I was called up to the principal with another mate, after a bit of "I can still fail you for this year" and stuff, he smiled, shook our hands and thanked us for the harmless prank.

    Back in high school myself and a mate of mine used to exploit the school's decision on getting in computers that used thumb screws on the casing...

    Suffice to say we were both running 4gb of ddr2 ram on our home rigs while our other mates marveled at the fact that we could afford it (these bad boys were like $60 a stick when they came out).

    Now I work in IT... at a school.... and students are literally hitler... karma eh?..... worth it.

    I think regardless of his silly methods, it hardly qualifies as "unprofessional conduct". I would call it quite the opposite.
    Hell there are a lot of security companies out there that do this kind of stuff all the time, legitimately, for money....
    And to not be able to speak at a hearing is a bit odd. How are you supposed to defend yourself?
