Thursday, January 24, 2013

Pupil expelled from Montreal college after finding ‘sloppy coding’ that compromised security of 250,000 students’ personal data

Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson College in Montreal, was expelled after discovering and reporting a security flaw in a computer program run by CEGEPs in Quebec.

Update: Montreal student expelled after finding data security threat receives job, scholarship offers while college refuses to reinstate him

A student has been expelled from Montreal’s Dawson College after he discovered a flaw in the computer system used by most Quebec CEGEPs (General and Vocational Colleges), one which compromised the security of over 250,000 students’ personal information.

Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”

“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,” said Mr. Al-Khabaz. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”

After an initial meeting with Director of Information Services and Technology François Paradis on Oct. 24, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill.

Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.

“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”

The agreement prevented Mr. Al-Khabaz from discussing confidential or proprietary information he found on Skytech servers, or any information relating to Skytech, their servers or how he accessed them. The agreement also prevented Mr. Al-Khabaz from discussing the existence of the non-disclosure pact itself, and specified that if his actions became public he would face legal consequences.

When reached for comment Mr. Taza acknowledged mentioning police and legal consequences, but denied having made any threats, and suggested that Mr. Al-Khabaz had misunderstood his comments.

“All software companies, even Google or Microsoft, have bugs in their software,” said Mr. Taza. “These two students discovered a very clever security flaw, which could be exploited. We acted immediately to fix the problem, and were able to do so before anyone could use it to access private information.”

Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.

“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”

The administration of Dawson College clearly saw things differently, proceeding to expel Mr. Al-Khabaz for a “serious professional conduct issue.”

“I was called into a meeting with the co-ordinator of my program, Ken Fogel, and the dean, Dianne Gauvin,” says Mr. Al-Khabaz. “They asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem.”

Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour. Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty. He appealed his expulsion to the academic dean and even director-general Richard Filion. Both denied the appeal, leaving him in academic limbo.

“I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I won’t be able to get it. My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled.”

Morgan Crockett, director of internal affairs and advocacy for the Dawson Student Union, agrees.

“Dawson has betrayed a brilliant student to protect Skytech management,” said Ms. Crockett. “It’s a travesty that Ahmed’s academic future has been compromised just so that Dawson and Skytech could save face. If they had any sense of decency, they would reinstate Ahmed into [the] computer science [program], refund the financial aid debt he has incurred as a result of his expulsion and offer him a full public apology.”

Repeated calls to various members of the Dawson administration were not returned, with the college citing an inability to discuss an individual student’s case on legal and ethical grounds in a statement released by their communications department.


British schools shut as soon as they see a snowflake

Be honest, how many times can you remember your old school being closed because of the weather? Once? Twice? Never?

I have memories of trudging through thick snow in a balaclava, wellies and short trousers, with wringing wet woollen gloves hanging from a piece of string knotted at the neck of my gabardine mac.

My knees were red raw, my nose was running and my heart was pounding with the thrill of snowball fights and sliding on treacherous sheets of ice created by tipping cold water on to the pavement and waiting for it to freeze.

During lessons we’d peer through frosty windows at the winter wonderland outside, willing the bell to ring so that the festivities could be resumed.

Maybe there was the odd day when the rackety radiator pipes froze or the ancient boiler gave up the ghost. But frankly, I can’t remember any school I attended ever being padlocked because of a light dusting of snow.

I’m old enough to recall the severe winter of 1963, one of the coldest on record. But to the best of my recollection our junior school kept its doors open throughout. In fact, my abiding memory of that winter was ice-skating with my dad on the Fens, which had been specially flooded for the purpose.

Certainly I can’t imagine my old headmaster letting a cold snap get in the way of our education. But he belonged to a generation of teachers who had been through World War II. Some of them probably served on the Arctic convoys. They weren’t going to flinch in the face of a couple of inches of snow.

Come to think of it, I’m not sure my own kids were ever sent home from school because of the weather, either. And that doesn’t seem all that long ago.

So why was it necessary yesterday to shut 5,000 schools across the country?

According to the chairman of the local government association’s ‘Children and Young People’ directorate: ‘Ultimately, head teachers, in consultation with school governors, make the final decision on whether or not to close a school. This is based on a range of local circumstances including the number of teachers who can make it into work safely, dangerous road conditions, or problems with vital supplies such as food, heating or water.’

It may well have been that in some remote rural areas, roads were impassable. Parts of the country have been worse affected than others, especially in the North East. But in Barnet, for instance, 60 schools were shut.

Why? I was out and about in North London at the weekend and the gritters and transport companies had done a great job.

All the major roads were clear, the buses and Tubes seemed to be running normally. The only weather-related disruption in Barnet was the panic-buying in Waitrose, where the car park was overflowing and shoppers were squabbling over trolleys as they stripped the shelves bare.

There was no earthly reason why any teacher in Barnet couldn’t get to work. In fact, just a few miles away in Hackney, only one secondary school and two primary schools closed.

So why the discrepancy? My guess is that in Barnet, and elsewhere, the risk assessment brigade pulled on their hi-viz jackets, consulted their insurers and decided to take the line of least resistance.

If they shut the schools, there’s no danger that anyone would slip over in the playground and sue for compensation.

Curiously, though, it’s only ever the public services that seem to collapse with monotonous predictability whenever there’s ‘adverse weather’. Everyone else just gets on with it.

At White Hart Lane, the game between Spurs and Manchester United went ahead in the teeth of a snowstorm. And my local curry house, Tandoori Nights, was absolutely heaving.

People clearly weren’t letting a few snowflakes get in the way of a chicken vindaloo. And I can’t help wondering now how many of my fellow diners braving the elements on Saturday night are employed as teachers in the London Borough of Barnet and were yesterday enjoying an undeserved day at home in front of the fire.

Some people are made of sterner stuff. Mike, our postman, got through as usual. So did Mr Patel with the papers. Why was it, then, that Barnet council thought opening the schools presented a uniquely hazardous proposition and was therefore to be avoided at all costs?

What was also utterly predictable was that Heathrow would go into meltdown at the drop of a snowflake, even though other airports soldiered on smoothly. If Heathrow really has spent £36 million on cold weather emergency kit over the past two years, there wasn’t much evidence of it — apart from a handful of new brooms and a couple of plastic snow shovels.

And while we’re at it, I’m sick and tired of assorted officials and dopey birds on the weather forecast telling us not to go out unless our journey is essential. Why would anyone go out in this weather unless they had to?

Oi, Doris, get your coat on, pet. There’s a blizzard outside so I thought we’d take a nice non-essential drive in the country.

There’s no escape from this patronising nonsense. A friend flew into Stansted from Glasgow on Friday. As her plane was making its descent, the captain came on the intercom with the usual update on the weather at their destination.

But instead of just telling passengers it was a bit parky, he insisted on advising them to ‘please make sure you dress in accordance with the weather conditions’.

What the hell has that got to do with him? Does he think a grown woman from the West of Scotland might change into a skimpy frock and flip-flops before disembarking at snowy Stansted?

And so what if she did? It’s none of easyJet’s damn business. Stop treating us all like children.

Now where did I put my balaclava?


Australia: Private schools reap secondary student numbers at state's expense

Private schooling mainly at High School level is the Australian norm but the pattern may be accelerating.

On the figures above, 42% of Australian teenagers go to non-government high schools, which IS edging up. It was 39% only a couple of years ago.

STUDENTS are flocking to government primary schools but the number sticking with the system for their secondary education is in free-fall.

Education Department figures, compiled for the Herald Sun, show the Catholic and independent sectors are snaring more students. Government secondary schools are expected to have 4700 fewer students than three years ago, a 2.1 per cent decline.

Deakin University Prof Jill Blackmore said parents appeared happy to trust state primary schools, but many were willing to invest to give their child the best chance at university and making lifelong contacts.

"They know that government schools actually do a good job at preparing them in the critical areas of literacy and numeracy," Prof Blackmore said. "But they know the social capital factor is the thing that is critical in secondary."

Enrolment figures, which include estimates for this year, show government primary schools are on track to record three-year growth of 5.4 per cent. The figure is on par with other sectors.

But while state secondary enrolments are going backwards, those at Catholic secondary schools are up 3.8 per cent and independent schools 1.6 per cent.

Catholic Education Office executive director Stephen Elder said growth was strong across Melbourne, particularly in new suburbs.

Independent Schools Victoria chief executive Michelle Green said many established private schools were at or near capacity.

An Education Department spokesman said a baby boom, which began in 2006, was driving government primary enrolments and would flow to secondary schools.

