Update: Student’s Expulsion Exposes Computer Science Culture Gap

Editor’s Note: Updated to include comment from Dawson CS Professor Simonelis. – PFR 1/22/2013

The expulsion of a  20 year-old computer science major at Dawson College in Quebec, Canada has laid bare what one expert says is a culture gap between academic computer science departments and the ‘real world’ of application development.

Ahmed Al-Khabaz
Ahmed Al-Khabaz’s case reveals the culture gap between academic and applied computer science. (Photo courtesy of The National Post).

In the wake of news stories that have drawn attention to the case, Dawson’s faculty and administration have stood by their decision, saying that “hacking” of the type Ahmed Al-Khabaz was engaged in was an example of “unprofessional conduct” by a computer sciences engineer. This, even as private sector firms – including the company whose software Al-Khabaz exposed – have come forward with job offers and scholarships.

Al-Khabaz was expelled in November by a school administration that looked askance at his security audits of a student portal web site dubbed “Omnivox,” accusing him of launching “SQL injection” attacks against “College and external information systems.”

Speaking to The Security Ledger by phone from Montreal on Monday, Al-Khabaz said that the software vulnerability scan that got him expelled from school was conducted on a test server only, and using credentials provided to him by the company that makes Omnivox: Skytech Communications. The scan, he said, was merely intended to determine if the vulnerability he had reported had been fixed, and wasn’t intended to bring down the test system.

He said the vulnerability he discovered would have allowed anyone with knowledge of a student or staff member’s unique ID to gain access to their Omnivox account, which contains personally identifying information as well as intra-school communications and scheduling information.

Popular sentiment both at the College and online has backed Al-Khabaz, with many taking to Twitter and Facebook to accuse Dawson of badly mishandling the incident. Skytech was forced to filter traffic from outside Canada to its servers, which host the public web pages for many of  province’s vocational colleges, or “CEGEPs” on Monday and Tuesday.

“No longer suited for the profession”

Dawson College’s administration and the faculty in its Computer Science department clearly feel differently.

In an opinion piece in the Montreal Gazette on Tuesday, Dawson computer science professor Alex Simonelis argued that the College’s Computer Science department forbids hacking as an “extreme example” of “behavior that is unacceptable in a computing professional.”

Simonelis also contradicted Al-Khabaz’s account of how the vulnerability was discovered, saying that he discovered the hole after running vulnerability scan against Skytech’s servers. Al-Khabaz said that he discovered it while developing a mobile application for students that would give them access to Omnivox. Simonelis did not respond to a request for an interview from The Security Ledger.

In a news conference on Tuesday, Dawson’s administration reiterated their position, calling Al-Khabaz “no longer suited for the profession.” But one prominent computer security expert took issue with Al-Khabaz’s expulsion – especially given his choice to responsibly disclose his discovery to the College and vendor.

CS Departments Stuck in a ‘Pre-Internet’ Era

“This is how a lot of vulnerabilities get found,” said Chris Wysopal, the CTO of the firm Veracode, which tests applications for security problems.

Chris Wysopal
Wysopal of Veracode says CS departments are stuck in a “pre-Internet” era.

Wysopal, who began his career  hunting for security flaws in software as part of the Boston-based hacker collective known as “L0pht Heavy Industries” said that Al-Khabaz’s work in pursuing the security hole is exactly the kind of skill set that is required to be a successful software security professional in today’s market.

“You have someone who has a security mindset and an understanding of attacks and they’re just using software, programming to an API and trying to configure it and they find a vulnerability that puts all the users of the software at risk. In this case, this includes the researcher, himself.”

While Al-Khabaz may have been overeager in his pursuit of a fix for the flaw, Wysopal said that kind of enthusiasm isn’t unusual.

“If you’re a whitehat,” Wysopal said, using the term for lawful security researchers, “you feel like you have an obligation to tell the vendor.”

Wysopal said that Al-Khabaz “did the right thing” by putting heat on Skytech to fix the hole. “I think it was a sign of his persistence. He said ‘I got the vendor to say we’ll deal with this’ and the  IT people at the College to back him and go to the vendor, now the vendor had to do something.”

The hostile reaction of the Dawson administration to Al-Khabaz’s work is indicative of a culture gap between the academic study of computer science and the practical reality of writing and deploying software today.

“Most Computer Science departments are still living in the pre-Internet era when it comes to computer security,” Wysopal said. “Computer Science is taught in this idealized world separate from reality. They’re not dealing with the reality that software has to run in a hostile environment.”

Al-Khabaz told Security Ledger that his coursework in Dawson’s computer science department did not include any coverage of computer security or related skills like penetration testing and vulnerability scanning. His discovery of the security hole in Omnivox came by chance. But, once he discovered it, he felt he had a duty to report it.

Wysopal said that blame rests with colleges and universities for not embracing software security and teaching it as a standard part of computer science, even though most graduates will enter a work force that asks them to write code that will run on web servers and mobile devices, where it will be subject to hostile actors.

Asked what the proper way to handle Al-Khabaz’s actions,  Wysopal said he would have talked to those involved and seen what harm was done. “I can’t see what harm was caused. And, if someone is intellectually curious and trying to solve problems and help people, it seems like those are all the best characteristics. This whole ‘lack of professionalism’ thing — I don’t get it,” he said.

In an e-mail response, Simonelis, the Dawson Computer Science professor, said that it was Wysopal who was mistaken. He noted Al-Khabaz’s use of the Acunetix web scanner, despite being warned by the Dawson administration, as proper grounds for expulsion. 

“Schools are supposed to teach best practice, which includes ethics and adherence to reasonable laws,” Simonelis wrote. 

Like other software professionals, however, Wysopal said that Al-Khabaz’s prospects in the field are good.

“He obviously has the aptitude to do testing and investigation. These kind of people right out of college are the kinds of people we want to hire.”

10 Comments

  1. Simonelis is talking bullshit. You are not living in the dream world, and you are now known by everyone on earth reading this article as incompetent, stupid or both when it comes to teaching CS to anyone.

    Al-Khabaz’s work in pursuing the security hole is exactly the kind of skill set that is required to be a successful software security professional in today’s market : confirmed.

    Simonelis : bullshit talk not in sync with reality.

  2. Al-Khabaz’s work would be considered required coursework in the master’s programme provided by the Kerckhoff’s Institute (http://www.kerckhoffs-institute.org/). Methinks Dawson College’s CS faculty are not a little off the mark, but rather have decided to be on another planet entirely.

  3. Those who can’t do, teach. I’m very qualified to teach C.S. in a college environment but I won’t do it because 1) it would be a notable cut in pay from my current job in enterprise I.T., and 2) people like Simonelis. Both my parents taught in college and it is filled with small-minded people who are set in their ways and are on power trips. They get away with things that would get them fired if they were out in the real world. Al-Khabaz should just leave Dawson behind and go make tons of money doing what he has proven he knows how to do well: Be better at I.T. than Simonelis.

  4. Look at Simonelis “web site”.

    http://dc37.dawsoncollege.qc.ca/compsci/asimonel/

    It’s barely 1995 “web skillz”. This is what passes as a CompSci professor, but worse as the department chair of CompSci? Even a complete noob could create something that at least looks like vintage 2001.

    No one picked up on the fact that the guy kicked out is Arab. Wanna bet Simonelis has “issues” with non-white people? The guy is probably a racist.

  5. I feel the need to defend Dawson since I work there. Only one side of the story has come out. For legal reasons, the college can’t comment on what has happened. Their hands are tied while Al-Khabaz is courting the media as much as he can.

    “The hostile reaction of the Dawson administration to Al-Khabaz’s work is indicative of a culture gap between the academic study of computer science and the practical reality of writing and deploying software today.”

    This is the nature of education generally and I’m surprised people still make it an issue. Would you go up to your grade 2 teacher and thank her for teaching you how to multiply? Like, hey, thanks, learning that 2 + 2 = 4 really changed my life and I use that equation all the time!

    School is about teaching two things: yes, some content, two, and most importantly, tools that allow you to keep learning.

    There are people at Dawson who are getting death threats over this–that’s hardly the response of a responsible group of young people.

  6. Well, according to those facts publicly available on the internet, Al-Khabaz was *not* expelled for hacking.
    He hacked once, told about it, and was told by Dawson to stay off that system. Fine up to here, no expulsion.

    Then, against all orders, he hacked the system again. And this – ignoring the express order to stay away – got him expelled, and rightly so (probably, depends on what was the announced penalty for disobeying that stay-away-order).

    And this “Arab” thing: There is a large “politically correct” understream, in Canada even more than in Europe and certainly more than in the U.S., to give “Arabs”
    privileges above those of the “standard” (you now what I mean) population. Why? What for?

    Would there have been the same amount of help by third persons, if the student was “just” white, christian or jewish?