College Student Expelled After Finding Software Flaw Gets Job Offers
Hamed Al-Khabaz in an undated photo.
CREDIT: Martin Reisch/Creative Commons
A Montreal college student was expelled after alerting school officials to "sloppy coding" that exposed the personal information of more than 250,000 students.
But in a strange twist, half a dozen companies have offered him a job — including the software company whose product he criticized and which threatened to call police on him.
In November, Hamed Al-Khabaz, a student at Dawson College, and a friend discovered it was easy to access the financial and personal information of students enrolled into the Quebec community-college system.
That information, entered into the Omnivox course-enrollment system used by many provincial colleges and universities, included Social Insurance Numbers (akin to U.S. Social Security numbers) and tuition and payment details.
Blowing the whistle
"I felt I had a moral duty to bring it to the attention of the college," Al-Khabaz, 20, told Canada's National Post. "I could have easily hidden my identity behind a proxy. I chose not to because I didn't think I was doing anything wrong."
School officials agreed he hadn't. Al-Khabaz said they congratulated him and promised to fix the flaw.
But two days later, Al-Khabaz decided to check the fix for himself by running a program for testing website vulnerabilities against Omnivox.
He quickly got a phone call from Edouard Taza, president of Skytech, the company that runs Omnivox and hosts each school's enrollment systems on its own servers. Taza accused Al-Khabaz of mounting a cyberattack.
"He told me that I could go to jail for six to 12 months for what I had just done, and if I didn't agree to meet with him and sign a non-disclosure agreement, he was going to call the RCMP [Royal Canadian Mounted Police] and have me arrested," Al-Khabaz said.
Taza told the Post Al-Khabaz "should have known better than to use [the website-testing software] without permission."
"He simply made a mistake," Taza said.
Kicked out, and turnabout
That mistake got Al-Khabaz expelled from Dawson for what the school called a "serious professional conduct issue."
A website has been created soliciting signatures for an online petition in support of Al-Khabaz's reinstatement. As of this morning (Jan. 22) it had been signed more than 7,000 times.
Meanwhile, the websites of Skytech, Dawson College and all Omnivox college systems that Skytech hosts were unreachable this morning, likely victims of distributed denial-of-service attacks.
Dawson College stands firm on its decision to expel Al-Khabaz.
"The story that has been reported by many media today ... was relying on an incomplete version of what had happened," Dawson College Director General Richard Filion told CBC Radio. "The other side of the story is related to facts that we cannot divulge."
The college's student union, which is trying to get Al-Khabaz reinstated, told the National Post in a follow-up story that he'd received several job offers.
One potential employer told the National Post that it was "disgraceful that a very skilled student ... would be expelled and punished for the rest of his life for trying to help protect his fellow students."
One offer came from Skytech itself. The company also offered Al-Khabaz a scholarship so he could finish his studies at a private college.
"At this point, it appears Dawson has no intention of letting me back in," Al-Khabaz told the National Post. "I may have to look at all the other offers I have received and pick the best one."