Ahmed Al-Khabaz was a computer science student at Dawson College, Montreal. He and a colleague were developing a mobile app designed to help students access their college accounts. In doing so he discovered a flaw in Skytech Communications' Omnivox Portal software, a system that acts as a hub for internal communications and is used by many educational institutions – and he reported it.
“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,” said Mr. Al-Khabaz. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.” Nor it seems did the college, who on October 24 initially congratulated him and promised to work with Skytech to fix the problem.
The problem came two days later when Al-Khabaz used Acunetix, a website vulnerability scanner, to verify that the flaw had been fixed. This was his mistake. Using a vulnerability scanner with permission is white-hat hacking; using it without the permission of the site owner is black-hat hacking – and Al-Khabaz did not have that prior approval. Within minutes, according to reports, Edouard Taza, the president of Skytech, phoned him. “He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack... and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”
That was just the beginning of his problems. He was subsequently expelled from the school, had his academic records expunged, and was forced to pay back thousands of dollars awarded in student grants. But over the last week the media has picked up on the story. The general feeling is sympathetic. Whether Al-Khabaz’ use of the vulnerability scanner “was unprofessional to the point of expulsion and career-ruining, well, geez, I don't know about that,” says Lisa Vaas in the Sophos NakedSecurity blog. “A network security expert says the young man is not at fault and should be rewarded for pointing out what is becoming an all-too-common problem throughout Canada,” reported the Montreal Gazette.
Now it would appear that Skytech has had a change of heart. “On Monday afternoon,” reports the Gazette, “a Skytech employee confirmed media reports that the IT company has offered the 20-year-old a part-time job and a scholarship to finish his studies at another school.”