A computer science undergrad at Montreal’s Dawson College was recently expelled after stumbling across — and reporting — a coding flaw that compromised the security of the personal information of the college’s students.
Ahmed Al-Khabaz, 20, found the security leak while working on a mobile phone app for students. Thanks to “sloppy coding,” he says, anyone with basic skills could have accessed “personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”
Al-Khabaz reported the flaw to Dawson’s Director of Information Services and Technology on October 24, and was assured that the college and Skytech, the company that had written the software, would take immediate action to plug the leak. Several days later he ran a test of the system from his home computer to see whether the students’ information — including his own — had in fact been secured.
Within minutes Al-Khabaz received a phone call from Edouard Taza, president of Skytech. (He had made no attempt to conceal his identity while running the probe, he says.) Taza accused Al-Khabaz of launching an attack on the system, and demanded that he sign a non-disclosure agreement covering the incident. (Skynet later declared that Al-Khabaz’s test had compromised the responsiveness of its site.)
Not long afterwards, Al-Khabaz was called into a meeting with top college officials, after which — with no notice to Al-Khabaz and without hearing his side of the story — the faculty of his department voted 14-1 to expel him. Two attempts to overturn the decision were rejected, and now Al-Khabaz is out of college with a semester’s worth of failed classes and a dismissal for academic misconduct on his transcript.
Since this story broke in the National Post on Sunday, however, Al-Khabaz has seen his fortunes begin to change. His plight was featured in Boing Boing, the Twitter hashtag #HamedHelped began to blow up, and the Canadian — and global — media began to knock on his door.
A large portion of this attention came from the Student Union at Dawson College, which set up a website providing resources relating to his case, a petition calling for his reinstatement, and assistance to media looking to talk with Al-Khabaz. At this writing, 7,763 people have signed the Student Union petition, with tens of thousands more visiting the site.
Dawson College, however, shows no signs of backing down. A statement posted to their website asserts that “the reasons cited in the National Post article for which the student was expelled are inaccurate.” In an interview yesterday, Dawson director general Richard Filion called Al-Khabaz’s actions “a criminal act,” though the college has not contacted police about the incident.