A few days after reporting the flaw, he got caught using http://www.acunetix.com/ (web vulnerability scanner) on their network. He says he was checking to see if they fixed the flaw. I don't think he was intentionally being malicious, but his explanation doesn't jive with his actions.
I still think it sucks that they expelled him. But I am unable to logically see how he didn't break the rules.
I don't understand how using an external attack tool is grounds for anything. If Hamed could use it to search for exploits, an attacker could have used it to search for exploits.
Especially if a student's information had been previously exposed and the attacker had access to everyone's personal information / passwords!
-- Edit: after reading his expulsion letter, it seems he supposedly injected SQL on both occasions. One imagines they strictly forbid him from doing so again. Sure, he probably should have asked for a sandbox system if he wanted to do ad hoc security research, but it is still quite a logical leap to actually expel him.
Either way, the solution should be to fix the security system and reward the whistleblower. In a few years, we are going to have millions of teenagers with the competence and ability to pull off what Hamed did. What then?
Obviously those youngsters are all criminals that ought to be put in jail. We shall implement a zero-tolerance policy, just like the copyright industry did. </sarcasm>
> but his explanation doesn't jive with his actions.
I think it's perfectly congruent. An entity has your data as well as information on many other people. You come across and report a vulnerability. You check that something was done about it. I see no holes in this (aside from the ones in Montreal college's security).
Perhaps he was using a wider net to see if there were any other problems which, given the level of (in)competence displayed by the techs working for the college, was a distinct possibility.
It sounds like he's being screwed over by the vendor, who forced him to sign an NDA.
To be honest, anyone using Acunetix isn't looking to hack into anything. It's an enterprise scanner that looks for general web app issues rather than something that's typically used to conduct actual attacks. You'd expect an actual attack to be conducted with a tool like Havij, Sqlmap, Burp or Zap proxy.
He did manage to slow the site down significantly, to the point of being unusable. Not surprising given the code quality of an app where replacing the student ID in a URL parameter gives you access to their file.
However the vendor offered him a job and a scholarship, so it seems like it's the university's over-reaction.
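The flaw described in the comment above (swapping the student ID in a URL parameter returns another student's file) is an insecure direct object reference. As an added illustration, not code from the thread or from the Omnivox product, here is a minimal vulnerable handler beside a hardened one; the record store, session model and role names are constructed for the example.

```python
# Added example: an insecure direct object reference (IDOR) where the id in the
# URL selects the record and nothing ties it to the caller, beside a handler
# that authorizes the reference server-side. Data and roles are constructed.
from dataclasses import dataclass

# Constructed sample records; values are placeholders, not real data.
STUDENT_FILES = {
    "1001": {"name": "Student A", "sin": "[placeholder-A]"},
    "1002": {"name": "Student B", "sin": "[placeholder-B]"},
}


@dataclass
class Session:
    student_id: str   # the authenticated caller
    role: str         # constructed roles: "student" or "registrar"


class Forbidden(Exception):
    pass


def get_file_vulnerable(session: Session, requested_id: str) -> dict:
    """Trusts the id taken from the URL: any logged-in user reads any file."""
    return STUDENT_FILES[requested_id]


def get_file_hardened(session: Session, requested_id: str) -> dict:
    """Checks the caller's relationship to the record before any lookup.

    Obfuscating or 'encrypting' the link does not replace this check; the
    decision must be made on the server from the session, not the URL.
    The authorization check runs before the existence check so a denied
    caller cannot learn which ids exist.
    """
    if not (session.role == "registrar" or session.student_id == requested_id):
        # In production, log this denial: many denials across distinct ids
        # from one session is the enumeration pattern a defender alerts on.
        raise Forbidden(f"{session.student_id} may not read {requested_id}")
    return STUDENT_FILES[requested_id]


def demo() -> tuple:
    """Returns (name leaked by the vulnerable handler, whether the hardened
    handler blocked the same request, name of the caller's own file)."""
    caller = Session(student_id="1001", role="student")
    leaked = get_file_vulnerable(caller, "1002")["name"]
    try:
        get_file_hardened(caller, "1002")
        blocked = False
    except Forbidden:
        blocked = True
    own = get_file_hardened(caller, "1001")["name"]
    return leaked, blocked, own
```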
I advise everyone to read the original expulsion letter. It is just one page, and the parent's post completely (and I must assume intentionally) twists the facts as mentioned in the letter to make the student look better.
In particular the letter claims that the student has in fact attempted to exploit the SQL injection to gain unauthorized access, and that both notifications to the IT department were made after they detected him and blocked his account.
Actually the letter says nothing about detection and all other sources [1][2] about this matter agree that the 'detection' took the form of a voluntary disclosure, which was rewarded with an NDA demand under threat of arrest.
So it seems you are the one twisting the facts for reasons unknown.
---
[1] "Al-Khabaz immediately alerted the head of information technology for the school about the breach in the Omnivox software used by the college. At first he was thanked for the discovery." -- http://www.thestar.com/news/article/1318163--montreal-studen...
[2] "they discovered that by exchanging other student numbers in the encrypted links, they could easily obtain information such as the social insurance numbers, home addresses and phone numbers of more than 250,000 students. Al-Khabaz said he informed the school’s head of information technology immediately after discovering the vulnerability in the school’s Omnivox software and was congratulated for the discovery." -- http://www.cbc.ca/m/rich/canada/story/2013/01/21/montreal-da...
Read point 2: "On September 21, the IT Policy was applied and your network and portal accesses were suspended."
Read point 3: "On September 22, you admitted to these attacks in writing."
Compare the dates. According to the letter, his disclosure came after the account was suspended. Implying that they did detect the attack before he admitted to it.
An admission in writing is not the same thing as a disclosure.
You're using uncorroborated dates in a document that's clearly worded to paint the student in the worst light possible to infer a 'detection' which it doesn't mention and for which there is no evidence. You're then sharing your inference as documented fact. That's a smear.
I was merely communicating the content of the letter. Whether its claim or the contradicting ones of the student are true, I don't know. What I do know is that mrtron's "translation" of the letter conveniently leaves out the actual exploitation of the SQL injection and the blocking of the account that are claimed to have happened in the letter, and is therefore completely unfit as a summary of the letter.
I did read the blocking of his account to mean that he was detected in some form. You may not agree with my reading of that letter, and I certainly don't agree with mrtron's reading of the letter, but that's why I asked people to read the original letter anyway.
I never said that it was not a case of responsible disclosure. I simply don't know, the evidence at this point seems insufficient to support either conclusion.
What kind of IT Policy was applied? Was this automatic, did they detect the event before he alerted them, or did they do this after he had disclosed the vulnerability?
The first application of the IT Policy is the interesting one here, as it lays the foundation for, or undermines, Hamed's case as a white hat.
> Exposing a security flaw doesn't get you expelled.
Unless you're at a minor Canadian trade school which wants to bury that they knew about the security flaw for months and did nothing about it.
> He had to have taken it one or more steps too far.
First he told them about it.
Then he waited a couple months, and tested to see if it was still there, with some free online security scanner; it was.
So he reported it again, and this time contacted the vendor.
The school freaked out, decided that he was hacking them without permission, and expelled him over "code of conduct."
They absolutely refuse to explain, though they keep pretending that there was a law broken. The student went to the RCMP; the RCMP disagrees. So does the original vendor, who has challenged the school, and given the kid a scholarship.
Exposing a security flaw doesn't get you expelled. He had to have taken it one or more steps too far. I'd like to see the facts.