Canadian student threatened, expelled and then hired

22 January 2013

The solution to bad publicity is to own it, not inflate it. That’s what Skytech has done with the Canadian student who found flaws in its software: first he was threatened and expelled, but now he’s been offered a scholarship and part-time job.

Ahmed Al-Khabaz was a computer science student at Dawson College, Montreal. He and a colleague were developing a mobile app designed to help students access their college accounts. In doing so he discovered a flaw in Skytech Communications' Omnivox Portal software, a system that acts as a hub for internal communications and is used by many educational institutions – and he reported it.

“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,” said Mr. Al-Khabaz. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.” Nor, it seems, did the college, which on October 24 initially congratulated him and promised to work with Skytech to fix the problem.

The problem came two days later when Al-Khabaz used Acunetix, a website vulnerability scanner, to verify that the flaw had been fixed. This was his mistake. Using a vulnerability scanner with permission is white-hat hacking; using it without the permission of the site owner is black-hat hacking – and Al-Khabaz did not have that prior approval. Within minutes, according to reports, Edouard Taza, the president of Skytech, phoned him. “He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack... and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”

That was just the beginning of his problems. He was subsequently expelled from the school, had his academic records expunged, and was forced to pay back thousands of dollars awarded in student grants. But over the last week the media has picked up on the story. The general feeling is sympathetic. Whether Al-Khabaz’s use of the vulnerability scanner “was unprofessional to the point of expulsion and career-ruining, well, geez, I don't know about that,” says Lisa Vaas in the Sophos NakedSecurity blog. “A network security expert says the young man is not at fault and should be rewarded for pointing out what is becoming an all-too-common problem throughout Canada,” reported the Montreal Gazette.

Now it would appear that Skytech has had a change of heart. “On Monday afternoon,” reports the Gazette, “a Skytech employee confirmed media reports that the IT company has offered the 20-year-old a part-time job and a scholarship to finish his studies at another school.”
