Details

Closed to new replies
February 7, 2013
Statistics

Replies: 77

Student expelled after he discovered flaw in school’s data security

:icondoctorv23:
DoctorV23 Featured By Owner Feb 7, 2013
[link] - An interesting story I came across and thought I'd share here.
It raises serious questions about how an institution responds to constructive criticism - in this case, an effort to protect common interests. Instead of seeing it as such, the school chose to expel the student, citing him for improper conduct. It would have been just as easy and possibly more rational to thank him for his efforts.
Was Dawson College justified in its decision, or is it an example of a narrow-minded reaction - or did it have something to do with his not very Anglo-Saxon (or French) name?
Thoughts?
Reply

Devious Comments

:iconkaikaku:
kaikaku Featured By Owner Feb 19, 2013  Hobbyist General Artist
There really isn't enough information given in the article to say conclusively what I think of this issue. But generally speaking, security through obscurity isn't really security; a lot of organizations don't seem to grasp this. Dawson College sounds like it might be one of them.

A lot of people are saying that what he did is basically mess with someone's locks to see if he could get in. I don't think that analogy is an apt one. For one, his own student info is also behind the lock, so it's not like he has no stake in whether or not it's secure.
Reply
:iconkitsumekat:
kitsumekat Featured By Owner Feb 14, 2013
The guy is not innocent.
Reply
:iconsvataben:
Svataben Featured By Owner Feb 11, 2013  Hobbyist General Artist
"he was expelled after he repeatedly tried to gain access to areas of the college information system where he had no authorization."
He had been told repeatedly to stop, but he was so hung up on enlarging his metaphorical penis that he didn't listen.
He broke the law, got warned, did it again, got removed. It's all very logical. He had it coming.
Reply
:iconabcat:
AbCat Featured By Owner Feb 11, 2013   Writer
I used to play Risk online, and there was this prick there who always used to post thousands of weird ascii characters in the chat window, which would cause the game to crash for anyone whose PC didn't have the memory to deal with it. When challenged by the mods he said he was doing it to expose a flaw in their programming. They fixed the flaw and banned him.
Reply
:iconaviscelox:
AvisCelox Featured By Owner Feb 10, 2013  Hobbyist General Artist
The school probably should have responded to the problem he found, but at the same time, he should have stopped meddling when he was instructed to do so. Not listening to the school in this case I would say is indeed improper conduct.
Reply
:iconpuppy-dangerous:
puppy-dangerous Featured By Owner Feb 8, 2013  Professional Artisan Crafter
He was expelled because he repeatedly tried to gain access to records- he was trying to hack into the school system.

Which is not allowed.

It's not constructive criticism.

It's like a robber saying they were just testing your locks when you call the cops.
Reply
:iconsonrouge:
sonrouge Featured By Owner Feb 7, 2013
A bit too much "he said, he said" to nail down who was actually in the wrong, but I will say that there are a lot of places out there (the Federal Government being top of the list) who will move heaven and earth to hide a problem rather than lift a finger to fix it.
Reply
:iconzer05um:
Zer05um Featured By Owner Feb 12, 2013  Professional General Artist
Which always makes me confused, since the efforts taken to hide the problem are often more expensive than fixing it would be.
Reply
:iconsonrouge:
sonrouge Featured By Owner Feb 12, 2013
Some people think that a problem ceases to exist if it isn't acknowledged, and they stick to that absurd view even when it refuses to go away (our current debt and deficit are good examples).
Reply
:iconzer05um:
Zer05um Featured By Owner Feb 13, 2013  Professional General Artist
Humans.
Reply
:iconnovuso:
Novuso Featured By Owner Feb 7, 2013
That happens everywhere. Nobody wants to take the blame for a major failure so they pass the buck and kill the messenger if they can. Old saying: Hear no evil, see no evil, speak no evil.


It is tough being a whistle blower because the whistle blower is usually the one who gets the axe. The really smart ones do it anonymously.
Reply
:iconvisionoftheworld:
VISIONOFTHEWORLD Featured By Owner Feb 7, 2013
So someone linked the story to you and you are resharing it. I don't know how else we have a story on the 'National Post' which I've honestly never read before. Right in the headline there states he was warned twice to stop trying to hack their data security system. Schools are not authorized to employ students as their data security people, and even the employees of the company providing software security services will not try to bombard the school's networks to 'test' anything. This article has no details about what really happened, it tries to make it sound like this poor innocent 20 year old just tripped over a "flaw" in a data security system "while working on a school project". According to whom was he working on a project? Even if he was, he is using that as the cover for his attempts to hack their security. I work in a data based job, and I will tell you there is no way in history that anyone just stumbles over flaws in computer security. If a 'flaw' was found, it means you were looking for one. Already by doing this he is in violation of the school's conduct, and depending on where he snooped- the law. He's lucky he isn't being tried for data theft or hacking. The school probably warned him twice because they were following strict protocol- because the knee-jerk reaction would otherwise have been to throw him out and confiscate computers after the first offense. School did everything by the book- and this student is not somebody I would hire at my company. I bet if the details of what he was doing actually come out, he won't look like such an innocent little angel anymore.
Reply
:iconendeavor-to-freefall:
Endeavor-To-Freefall Featured By Owner Feb 7, 2013
Sounds like a shittier version of Die Hard 4.
Reply
:iconebolabears:
EbolaBears Featured By Owner Feb 7, 2013
The student had good intentions and went about it the wrong way. If the school refused his help/advice that should have been the end of it.

If I tried to 'show' the Secret Service a 'vulnerability' they had in the White House protection scheme I'd be dead or in jail until I was dead.
The intention might have been genuine but that doesn't make it right.

The student chose his actions and he must be held responsible and accountable for his decisions.
Reply
:iconrestinmotion:
RestInMotion Featured By Owner Feb 7, 2013
And that's why he will be hired by the company whose system he found flaws in.

Also, if you notice a flaw in White House protection and bring it up through physically showing them this, then no shit it won't end well for you. It's all in how you bring it up.
Reply
:iconebolabears:
EbolaBears Featured By Owner Feb 7, 2013
"It's all in how you bring it up."

That's why the student was expelled.
Reply
:iconkittythenekoalien:
KittyTheNekoAlien Featured By Owner Feb 7, 2013  Hobbyist General Artist
As everyone said, it's not the fact he got around a faulty system that got him expelled, but the fact he hacked the system at all and could obtain personal info that got him expelled. Why would a college keep students who will go and steal information of other students? It's not about being able to take constructive criticism at all - though they will likely try to better the security of their system so they don't get hacked again.
Reply
:iconpakaku:
Pakaku Featured By Owner Feb 7, 2013
Old news...
Reply
:icondj0hybrid:
DJ0Hybrid Featured By Owner Feb 7, 2013  Hobbyist Writer
A) He attempted to break the security before letting anyone know.
B) He did it twice (total) before he was warned.
C) The third time is when he got expelled as he was caught in areas he was told not to go to while he was instructed to test the security flaw.
D) The college cited that he was not acting in a professional manner.

If we look at ACM's (Association for Computing Machinery) code of ethics: [link]
He broke code 2.8 by accessing part of the network he was not authorized to access, not to mention honor with the school.
Reply
:icondoctorv23:
DoctorV23 Featured By Owner Feb 7, 2013
Another link: "Speaking to The Security Ledger by phone from Montreal on Monday, Al-Khabaz said that the software vulnerability scan that got him expelled from school was conducted on a test server only, and using credentials provided to him by the company that makes Omnivox: Skytech Communications. The scan, he said, was merely intended to determine if the vulnerability he had reported had been fixed, and wasn’t intended to bring down the test system." - [link]
Reply
:iconrestinmotion:
RestInMotion Featured By Owner Feb 7, 2013
Glad to see he's getting job offers.
Reply
:icondoctorv23:
DoctorV23 Featured By Owner Feb 7, 2013
It's also interesting to see that he'll most likely be hired by the software company who produced the flawed software.
Reply
:iconevb16:
evb16 Featured By Owner Feb 7, 2013
Why didn't he just go to a higher up instead of exploiting this hole to show them?
Reply
:iconmaddmatt:
maddmatt Featured By Owner Feb 7, 2013
So instead of trying to work with the school to protect this information, he tried to keep breaking the lock on the door to show how flimsy the lock on the door really was.

Idiot.
Reply
:iconrestinmotion:
RestInMotion Featured By Owner Feb 7, 2013
Did you actually read the article? He went to the school several times and tried to help.
Reply
:icontacosteev:
tacosteev Featured By Owner Feb 7, 2013  Hobbyist
He reported it and was thanked. A few days later he was caught running scanning software on their systems. From a sysadmin perspective I wouldn't buy the "just seeing it's fixed" excuse. Patches can sometimes take longer than a couple of days to write and test before going live.
Reply
:iconmaddmatt:
maddmatt Featured By Owner Feb 7, 2013
And attempted to access unauthorized information anyway, against their warnings. Doesn't seem like he was working with them to me.

He is an idiot.
Reply
:iconrestinmotion:
RestInMotion Featured By Owner Feb 7, 2013
You're right, that's why the idiot has gotten job offers from several people, including the company whose system he hacked. Yeah, it takes a real idiot to do that.
Reply
:icontacosteev:
tacosteev Featured By Owner Feb 7, 2013  Hobbyist
Which I question. Other articles on this kid said the president of that company called him threatening him with arrest. Doubt they'd hire him and if they offered a job, I wouldn't take it from them.
Reply
:iconmaddmatt:
maddmatt Featured By Owner Feb 7, 2013
We will see how that turns out.

The school was still absolutely correct to expel him.
Reply
:iconrestinmotion:
RestInMotion Featured By Owner Feb 7, 2013
I agree but not by their logic. Their logic was we need to put out responsible citizens who are good at what they do and good in a business environment. That makes no sense considering the fact that bringing a glaring fault in a system to the attention of the administration is responsible, skillful, and is good business. Then again, they've made a huge deal about this which has brought further attention to their faults so I highly doubt the school actually knows what is good for business.
Reply
:iconmaddmatt:
maddmatt Featured By Owner Feb 7, 2013
Breaking into areas you do not belong and are repeatedly warned is not being responsible.

The school did nothing wrong here.
Reply
:iconrestinmotion:
RestInMotion Featured By Owner Feb 7, 2013
Doing so with the intention of bringing it to the attention of the school is. And I agree, they did nothing wrong but their reasoning makes no sense.
Reply
(4 Replies)
:iconabstract-mindser:
Abstract-Mindser Featured By Owner Feb 7, 2013
That was incredibly narrow minded and idiotic of the school.

Really, if someone pointed out a flaw to me, no matter how 'Creatively' they did it, I'd congratulate them and then challenge the students to come up with a better system.
Reply
:iconself-epidemic:
Self-Epidemic Featured By Owner Feb 7, 2013  Professional Digital Artist
And, what if he got private information of students. In fact it is a GOOD reason he got expelled, the amount of damage he could have done.
Reply
:iconabstract-mindser:
Abstract-Mindser Featured By Owner Feb 7, 2013
What kind of damage could he really have done?
Reply
:iconself-epidemic:
Self-Epidemic Featured By Owner Feb 7, 2013  Professional Digital Artist
Got another student's records? Details? People could do a lot with information like that.
Reply
:icondoctorv23:
DoctorV23 Featured By Owner Feb 7, 2013
- sounds to me like that's exactly what he was trying to prevent.
Reply
:iconabstract-mindser:
Abstract-Mindser Featured By Owner Feb 7, 2013
Such as?
Reply
:iconself-epidemic:
Self-Epidemic Featured By Owner Feb 7, 2013  Professional Digital Artist
....

Identity fraud? Dude, just because it's a student, stop assuming the potential. He may not even understand what he is doing, but if he sold that information to someone who could, he would be fucking around with people's lives SO badly.
Reply
:icondoctorv23:
DoctorV23 Featured By Owner Feb 7, 2013
I don't think that he was trying to do that. He was honest and direct with the school board regarding his activity as far as I can see.
Reply
:iconself-epidemic:
Self-Epidemic Featured By Owner Feb 7, 2013  Professional Digital Artist
Yeah, but what if he HAD?
Reply
:iconthelightswentoutin99:
TheLightsWentOutIn99 Featured By Owner Feb 7, 2013  Student Writer
What if I pulled a knife and stabbed my coworkers one evening? They'd better lock me up before I do something like that, seeing as I have access to both knives and coworkers.
Reply
:iconsvataben:
Svataben Featured By Owner Feb 11, 2013  Hobbyist General Artist
Nah, it's more like this: what if you'd broken into their house and rifled through all their things, but upon getting caught, you didn't seem to have stolen anything.
Was it ok that you broke in, just because you hadn't stolen anything?
Reply
:iconthelightswentoutin99:
TheLightsWentOutIn99 Featured By Owner Feb 13, 2013  Student Writer
That's more accurate, but still a flawed analogy. If someone breaks into my house and steals something of mine, then it's gone. If someone breaks into my computer and steals data, the data is still there (unless the individual erases it).
Reply
:iconsvataben:
Svataben Featured By Owner Feb 13, 2013  Hobbyist General Artist
If they steal your privacy, the privacy is gone. Completely accurate analogy is completely accurate. :)
Reply
(1 Reply)
:iconself-epidemic:
Self-Epidemic Featured By Owner Feb 7, 2013  Professional Digital Artist
Well, if you were carrying a knife and they found out, yes, they would. Dumbass :P
Reply
:iconthelightswentoutin99:
TheLightsWentOutIn99 Featured By Owner Feb 7, 2013  Student Writer
So, carrying a knife is a crime? Oh, you're from the United Kingdom.

Okay, let's say it was a letter opener, or are those illegal in your police state, too?
Reply
:iconself-epidemic:
Self-Epidemic Featured By Owner Feb 8, 2013  Professional Digital Artist
Of course carrying a knife is a crime :p

I think they are, there is a certain length and such, but at least we have fewer murders via guns and knives than you guys do :p
Reply
(1 Reply)
:iconcreamstar:
Creamstar Featured By Owner Feb 7, 2013
Yes, because, as the article says, he tried to gain access to unauthorized information.
Reply