I have to wonder how much this will help. A colleague and I made a responsible exposure to a vendor that provides the application software for the California State University system. The vulnerability I chanced upon, and that my colleague was able to verify to be fully open, made it possible to obtain the private details of hundreds of thousands of applicants from their system. How were we rewarded for quietly and responsibly disclosing this to the vendor? The vendor threatened a lawsuit against the university, and the university kowtowed and nearly fired my colleague, severely reprimanding him and me. Little did I know this would become a theme of my stint in working for academia, of the universities not caring at all about students and their private data. I worked for multiple universities and it was the same at each one. They seemed to think the problem was with people, not with buggy, overpriced, insecure software.
Well, kind of. I read this was successful in targeting the company to react positively towards Hamed, however, the university is still throwing the book at him. I guess that's a better tactic, going publicly after the company, rather than through university management.
I've read the claims from both sides. I think that although he might have handled it more carefully, it was an overreach to expel him this way; I feel we should stand behind him. I signed the petition. Anyone with counter evidence, please step forward.
Wow. This is much worse than I thought. I'm glad there's no conceivable scenario in which this could lead him to be extradited to the USA, like Marc Emery was. http://en.wikipedia.org/wiki/Marc_Emery
A few days after reporting the flaw, he got caught using http://www.acunetix.com/ (web vulnerability scanner) on their network. He says he was checking to see if they fixed the flaw. I don't think he was intentionally being malicious, but his explanation doesn't jibe with his actions.
I still think it sucks that they expelled him. But I am unable to logically see how he didn't break the rules.
I don't understand how using an external attack tool is grounds for anything. If Hamed could use it to search for exploits, an attacker could have used it to search for exploits.
Especially if a student's information had been previously exposed and the attacker had access to everyone's personal information / passwords!
Edit: after reading his expulsion letter, it seems he supposedly injected SQL on both occasions. One imagines they strictly forbade him from doing so again. Sure, he probably should have asked for a sandbox system if he wanted to do ad hoc security research, but it is still quite a logical leap to actually expel him.
Either way, the solution should be to fix the security system and reward the whistleblower. In a few years, we are going to have millions of teenagers with the competence and ability to pull off what Hamed did. What then?
Obviously those youngsters are all criminals that ought to be put to jail. We shall implement a zero-tolerance policy, just like the copyright industry did. </sarcasm>
> but his explanation doesn't jibe with his actions.
I think it's perfectly congruent. An entity has your data as well as information on many other people. You come across and report a vulnerability. You check that something was done about it. I see no holes in this (aside from the ones in Montreal college's security).
Perhaps he was using a wider net to see if there were any other problems which, given the level of (in)competence displayed by the techs working for the college, was a distinct possibility.
It sounds like he's being screwed over by the vendor, who forced him to sign an NDA.
To be honest anyone using Acunetix isn't looking to hack into anything. It's an enterprise scanner that looks for general web app issues rather than something that's typically used to conduct actual attacks. You'd expect an actual attack to be conducted with a tool like Havij, Sqlmap, Burp or Zap proxy.
He did manage to slow the site down significantly, to the point of being unusable. Not surprising given the code quality of an app where replacing the student ID in a URL parameter gives you access to their file.
However the vendor offered him a job and a scholarship, so it seems like it's the university's over-reaction.
I advise everyone to read the original expulsion letter. It is just one page, and the parent post completely (and I must assume intentionally) twists the facts as mentioned in the letter to make the student look better.
In particular the letter claims that the student has in fact attempted to exploit the SQL injection to gain unauthorized access, and that both notifications to the IT department were made after they detected him and blocked his account.
Actually the letter says nothing about detection and all other sources[1][2] about this matter agree that the 'detection' took the form of a voluntary disclosure, which was rewarded with an NDA demand under threat of arrest.
So it seems you are the one twisting the facts for reasons unknown.
---
[1] "Al-Khabaz immediately alerted the head of information technology for the school about the breach in the Omnivox software used by the college. At first he was thanked for the discovery." -- http://www.thestar.com/news/article/1318163--montreal-studen...
[2] "they discovered that by exchanging other student numbers in the encrypted links, they could easily obtain information such as the social insurance numbers, home addresses and phone numbers of more than 250,000 students. Al-Khabaz said he informed the school’s head of information technology immediately after discovering the vulnerability in the school’s Omnivox software and was congratulated for the discovery." -- http://www.cbc.ca/m/rich/canada/story/2013/01/21/montreal-da...
Read point 2: "On September 21, the IT Policy was applied and your network and portal accesses were suspended."
Read point 3: "On September 22, you admitted to these attacks in writing."
Compare the dates. According to the letter, his disclosure came after the account was suspended. Implying that they did detect the attack before he admitted to it.
An admission in writing is not the same thing as a disclosure.
You're using uncorroborated dates in a document that's clearly worded to paint the student in the worst light possible to infer a 'detection' which it doesn't mention and for which there is no evidence. You're then sharing your inference as documented fact. That's a smear.
I was merely communicating the content of the letter. Whether its claim or the contradicting ones of the student are true, I don't know. What I do know is that mrtron's "translation" of the letter conveniently leaves out the actual exploitation of the SQL injection and the blocking of the account that are claimed to have happened in the letter, and is therefore completely unfit as a summary of the letter.
I did read the blocking of his account to mean that he was detected in some form. You may not agree with my reading of that letter, and I certainly don't agree with mrtron's reading of the letter, but that's why I asked people to read the original letter anyway.
I never said that it was not a case of responsible disclosure. I simply don't know, the evidence at this point seems insufficient to support either conclusion.
What kind of IT Policy was applied? Was this automatic, did they detect the event before he alerted them, or did they do this after he had disclosed the vulnerability?
The first application of the IT Policy is the interesting one here, as it lays the foundation for, or undermines, Hamed's case as a white hat.
> Exposing a security flaw doesn't get you expelled.
Unless you're at a minor Canadian trade school which wants to bury that they knew about the security flaw for months and did nothing about it.
> He had to have taken it one or more steps too far.
First he told them about it.
Then he waited a couple months, and tested to see if it was still there, with some free online security scanner; it was.
So he reported it again, and this time contacted the vendor.
The school freaked out, decided that he was hacking them without permission, and expelled him over "code of conduct."
They absolutely refuse to explain, though they keep pretending that there was a law broken. The student went to the RCMP; the RCMP disagrees. So does the original vendor, who has challenged the school, and given the kid a scholarship.
This goes to show how out of touch with reality our educational systems currently are. They are incentivized by the wrong things, which reflects in the kind of people and policies that are put in place.
Before the web and the free dissemination of information it brought about, the average academician was 'smarter' than the average student just by the fact that the students hadn't yet had access to the sources of information their teachers had.
However, we now live in times when you can expect anybody in the society to grow to their full potential, thanks to the free web.
This changes the fundamental role educational institutions have to play. They can't continue to be passive devices of information transmission. Yes, there are an elite bunch of institutions that provide more value than that. But as these events show, the educational sector around the world in general is mediocre and pretty inefficient.
You now have smarter students and they don't need you to tell them what the world is about. That is the changed reality of the market and it is going to affect this sector for the better in the long run.
No, universities internationally are furious and disgusted.
This is a trade school, not a college. It's like being angry at DeVry or University of Phoenix. The stupid things that places like that do have nothing to do with real universities.
This wasn't the first time Ahmed (not Hamed, Ahmed) reported the problem. When they ignored it, left the software running, and notified none of the students, he used some free white-hat web security scanner to generate a report to make it more clear for the business people what was wrong.
The business people have decided that the security scanner is "a hacking tool" and that Ahmed needed permission from the school to see if the software that was imposed on him, which was leaving his private data exposed after the staff knew, was still broken.
The way Richard Filion, who runs the school, tries to make excuses around this is appalling.
The running excuse they're giving is "it was against our code of conduct." And, I mean, most schools don't even kick binge drinkers who got in an accident and nearly killed people out for code of conduct.
So clearly this isn't an excuse.
The people responsible for the decision are the head of the Computer Science department, Ken Fogel, and Dianne Gauvin, one of the deans. Predictably, they do not respond when contacted.
This is a computer science department where a panel of 14 out of 15 "professors" actually chose to stand behind this, though nobody will release their reasoning or names. So don't expect Ken Fogel to get it on grounds that you imagine he's one of us.
The school ombudsman, whose job it is to stand up for Ahmed, has been whitewashing its Facebook page of all criticism. The main school Facebook page is just ignoring the criticism instead; they post in between literally hundreds of people (including students and alums) to chat with people on posts from before this started getting public.
And, a reminder? They did this in November. They've been sitting on this for months. They aren't going to change their minds without a very good reason.
Not shockingly, other students have been posting reams of existing security holes on their various servers, and evidence of compromises that are claimed to be years old.
Staff are doing just as little about those as they did about this the first time Ahmed reported it.
While Hamed was honorable and didn't try to abuse his exploits, I think it is a stretch to say "Hamed helped". I doubt he tried to get into the data for the purpose of helping make it more secure, it is more likely that he just had the "hacker drive", where he just wanted the challenge of beating a system.
According to the expulsion letter (linked somewhere in this thread) he only reported the issue after he was detected and his access was blocked. That doesn't prove either side's version, but it shows why one should get authorization before attempting such a thing. After getting caught, anyone can say that they were just trying to help.
If anywhere should be more tolerant of intellectual curiosity, it should be in a college environment.
Unless they can prove he had intent to cause damage, which it sounds like they could not do, they should just forgive and forget and stop trying to cover the overpaid butts of the sysadmin who didn't fix the hole in the first place.
Hell, society forgave all the banks and Wall Street for their actual crimes.
I think the moral of the story is: whatever you do, anonymize your tracks and do not inform the authorities. There is substantial risk and no reward for acting otherwise.
Having nearly been fired from a university for responsible disclosure, I agree completely; there is substantial risk and no reward for public disclosure of any kind in university environments.
Well yes, it can be leveraged. But one needs to be careful about it.
You can't just go talking about it or sending official letters to the administration or the IT department. Personally, should I want to disclose something like this, I would first approach a maverick amongst the faculty staff to test the waters. After consultation with a person with good knowledge of the local political landscape, I would discreetly relay my knowledge.
But it is still risky and leaving no evidence is still a safe bet.