In case you had not heard it, the information of about a quarter million Canadian students was compromised in a security incident last week. These kind of breaches are so common place now, I hardly take notice of them any more. But an article about this case appeared in the National Post, “Youth expelled from Montreal college after finding ‘sloppy coding’ that compromised security of 250,000 students personal data”
It turns out 20 year old Ahmed Al-Khabaz found a flaw that was trivial. He reported it to the vendor. The data was not leaked online on pastbin – at least, not by Mr.Al-Khabaz. But others before Al-Khabaz could have come in, copied the data, and left.
According to the article,
After an initial meeting with Director of Information Services and Technology François Paradis on Oct. 24, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill.
Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.
It was Edouard Taz, the President of Skytech, the company who wrote the Omnivox software. Taz threatened to report Al-Khabaz to the RCMP promising six to twelve months jail time unless Al-Khabaz agreed to immediately meet up and sign an NDA. It goes down hill from here. Dawson College expelled the student for a “serious professional conduct issue”. Fourteen out of fifteen professors in the computer science department voted in favour to expel Al-Khabaz. And the result is that a smart young kid, who did the right thing, and made a little mistake out of curiosity, is facing serious long term effects of not being able to get a college degree. And with him having nothing left to lose, the NDA they forced him to sign became useless, and Skytech lost as well because we all now know how crappy the security of Omnivox is. Edouard Taz shot himself in the foot. It’s just too bad he had to take down Al-Khabaz with him.
And the vulnerability? We don’t know we can assume it was something as trivial as manually editing the URL in the address bar, or some simple SQL injection attack. Something that in any other industry would be called “gross negligence”, but for some reason IT companies get away with delivering cars with faulty breaks and calling the slippery road an “Advanced Persistent Threat”. And companies like Skytech, with the assistance of an ill-informed Computer Science department at Dawson College, take it out on a young kid who honestly tried to do the right thing. Security through bullying. The response of both Skytech and Dawson College was over the top, and counter-productive to everyone’s interest.
Compare this to the response of my old university, the Radboud Universiteit Nijmegen. A 19 year old kid spent all his money on a 1200 baud modem (half duplex) and uses it to login to a university LAT-TCP server to connect to something called “the internet”. He uses “ftp” and “sz” to download files, “nn” and “telnet” to read news and chat with people all over the world. He did much worse then Al-Khabaz, although he too was careful not to do any accidental damage. And like Al-Khabaz performing his scan of Skytech, this person knew he was a trespasser. An assistant professor known as “Sparky”, notices that a student who had not been active at the university, started logging in very regularly. He becomes suspicious that the account might have been compromised. So he sends a Unix Talk request to her (see man talk). The two briefly chat online. Sparky confirms the account is compromised. But instead of screaming and threatening like Mr. Taza, Sparky asks the hacker how he got into the account. The hacker tells him he used ypcat to get /etc/shadow, then ran a cracker. Sparky then tells the hacker he has two days to get his stuff from the account and leave, and not to come back using any other accounts. Three years later, our young hacker has actually enlisted with the university to study CS, and in his second year he becomes friends with Sparky – and even gets an account on the university’s historic PDP-11. He confesses the whole affair and both have a good laugh. The student later on starts an ISP, becomes a security consultant who speaks at Black Hat, and is part of a group that writes VPN software in use all over the world. And the young-hacker-turned-sysadmin also has to deal with hackers himself. One time he logs into an irc channels to tell a group of file sharing hackers that they overstayed their welcome and should not have filled up the disks, and that it was time to go – and probably stop stealing movies and ISP resources. The circle of not threatening kids who make mistakes continued.
I can’t imagine how my life would have turned out if Sparky had hunted me down and had threatened me with jail time or that he would have kicked me out of university when I was 19. I learned a lot from Sparky, and I’ve passed along the same treatment to others. I wish Mr. Al-Khabaz all the best. He deserves much better then the treatment he received from Skytech and Dawson College. Don’t we all make those mistakes when we are that young? The real mistake here, is that Omnivox is a product with severe security flaws, that could have resulted in identity theft of 250,000 Canadian Students. Perhaps Mr. Taz should focus his bullying at his own security department?