Update: Canadian Colleges Go Dark Following Expulsion of Whitehat

Editor’s Note: Updated to clarify that the sites were unreachable outside Canada, but accessible from IP addresses within that country and to add comment from Skytech on the Internet filtering. – PFR (1/22/2013)

The web sites of a number of Canadian General and Vocational Colleges were unreachable from IP addresses outside Canada on Tuesday, after news spread that Dawson College, in Montreal, expelled a student who uncovered and reported security holes in a web-based student portal used at the school.

Websites for Skytech and Dawson College were unreachable Tuesday, following media attention to the case of Ahmel Al-Khabaz

The web site for Dawson College, dawsoncollege.qc.ca returned a 403 “Access Denied” message on Monday evening and Tuesday morning, along with the web sites for John Abbott College, the Collège de Maisonneuve and Cégep de Trois-Rivières. The schools all use the Omnivox software by local firm Skytech Communications to manage their student portals. The web site for Skytech Communications could not be reached either early Tuesday and returned the same 403 error.

Calls to Skytech seeking comment weren’t immediately returned. Dawson could not be reached early Tuesday.  

The unexplained outages at schools using Omnivox suggests that Skytech, itself, may be the target of a denial of service attack, or that Skytech and Omnivox installations are undergoing unscheduled maintenance.  Web users in Canada reported Tuesday that the Skytech and Dawson web sites could be reached from IP addresses within the country, though multiple attempts to access the sites from outside Canada were denied on Tuesday. 

Bruno Fornier, an employee at Skytech, told The Security Ledger in a phone interview that the company began filtering IP addresses outside Canada after the company experienced a surge in traffic on Monday. He said the traffic was driven by curiosity over the news about the Dawson College student. He denied that it was a denial of service attack.

The IP filtering affected both Skytech’s web site and those of its customers because Skytech acts as a hosting company for those schools’ web sites. 

This, in the wake of the disclosures by 20 year-old Ahmed Al-Khabaz, the Dawson College student who discovered critical security holes in the Omnivox platform and disclosed them to the administration at his College. Al-Khabaz was subsequently expelled in November for “unprofessional conduct” after he ran an unauthorized Web vulnerability scan against an Omnivox installation to determine whether Skytech had implemented a patch for the vulnerability he disclosed.

The case garnered widespread media attention in Canada, the US and Europe and has generated at least one online petition asking for clemency for Al-Khabaz, who received failing grades in all his courses as a result of the expulsion and is being asked to reimburse the Province of Québec for financial aid given to him for his studies.

Al-Khabaz insists that he did nothing illegal, and that his vulnerability scan was targeted at an Omnivox test server that Skytech granted him access to following his initial disclosure.

In public statements, the administration at Dawson stands by its decision. In a statement posted on the College’s Facebook page, Dawson said that the decision to expel a student “is never taken lightly,” and that the college is in a “delicate position” in trying to combat what it claims was inaccurate information in a story by The National Post, without “breaking the law that forbids us from discussing your personal student files with the media or anyone else.”

“There are two sides to every story,” the school said in a statement. “The reasons in the National Post about why the student was expelled are not accurate. But we can see why people would think there had been unfair treatment based on the article. The College stands by its decision, but we are sorry it is causing so much misinformation.”

The case against Al-Khabaz comes just over a week after the death of Aaron Swartz, the 26 year-old hacktivist and savant who committed suicide in his apartment in New York. In the wake of his death, public criticism has focused on the U.S. Attorney for Massachusetts, Carmen Ortiz, who was aggressively prosecuting Swartz for an ideologically motivated break in to MIT’s campus network and the theft of millions of pages of scholarly articles from the scholarly research service JSTOR.

Though some of Al-Khabaz’s actions may have been technical violations of Canadian law, public sentiment has run strongly in Al-Khabaz’s favor, with most people seeing his actions as altruistic and intended to protect fellow students from identity theft or other online attacks. Dawson’s statement on Facebook garnered more than 150 comments, almost all critical of the school.

“Many organizations hide behind privacy to cover up their own mistakes. In this case, the college has allowed its students privacy to be breached and punished the person who brought the error to your attention. Admit your mistake. Readmit the student. Fix your system,” wrote a Facebook user named Richard Smith, in a comment that was typical of those directed at the preparatory school.