Editor’s Note: Updated to include comment from Dawson CS Professor Simonelis. – PFR 1/22/2013
The expulsion of a 20-year-old computer science major at Dawson College in Quebec, Canada has laid bare what one expert says is a culture gap between academic computer science departments and the ‘real world’ of application development.
In the wake of news stories that have drawn attention to the case, Dawson’s faculty and administration have stood by their decision, saying that “hacking” of the type Ahmed Al-Khabaz was engaged in was an example of “unprofessional conduct” by a computer sciences engineer. This, even as private sector firms – including the company whose software Al-Khabaz exposed – have come forward with job offers and scholarships.
Al-Khabaz was expelled in November by a school administration that looked askance at his security audits of a student portal web site dubbed “Omnivox,” accusing him of launching “SQL injection” attacks against “College and external information systems.”
Speaking to The Security Ledger by phone from Montreal on Monday, Al-Khabaz said that the software vulnerability scan that got him expelled from school was conducted on a test server only, and using credentials provided to him by the company that makes Omnivox: Skytech Communications. The scan, he said, was merely intended to determine if the vulnerability he had reported had been fixed, and wasn’t intended to bring down the test system.
He said the vulnerability he discovered would have allowed anyone with knowledge of a student or staff member’s unique ID to gain access to their Omnivox account, which contains personally identifying information as well as intra-school communications and scheduling information.
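The flaw described above is a textbook broken access control: the application looks a record up by whatever ID the request carries, so knowing someone else's ID is enough to read their account, and the article's mention of SQL injection suggests the lookup was also built from unescaped input. The following is an added illustration, not code from Omnivox, Skytech or the article, with constructed sample accounts and a hypothetical `Session` type; it shows the weak pattern beside a hardened one that decides authorization from the server-side session and parameterizes the query.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for a student portal's account table.
# Nothing here is taken from Omnivox or Skytech; IDs and names are made up.
SAMPLE_ACCOUNTS = [
    ("1000001", "student", "Alice Example", "alice@example.invalid"),
    ("1000002", "student", "Bob Example", "bob@example.invalid"),
    ("2000001", "staff", "Carol Example", "carol@example.invalid"),
]


@dataclass
class Session:
    """Hypothetical authenticated session: who is logged in and their role.
    In a real portal this comes from a server-side session store, never
    from a value the client supplies."""
    user_id: str
    role: str


class AccessDenied(Exception):
    pass


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id TEXT PRIMARY KEY, role TEXT, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def profile_vulnerable(conn: sqlite3.Connection, requested_id: str) -> Optional[tuple]:
    """The weak pattern: the record is keyed only on the ID in the request,
    so anyone who knows another user's ID reads their data. The query is
    also assembled by string formatting, which is what makes SQL injection
    possible; the ID is spliced into the SQL text instead of being bound."""
    return conn.execute(
        "SELECT id, role, name, email FROM accounts WHERE id = '%s'" % requested_id
    ).fetchone()


def can_view(session: Session, requested_id: str) -> bool:
    """Authorization rule: a user may view their own account; staff may view any.
    The decision uses only the trusted session, never the request."""
    return session.role == "staff" or session.user_id == requested_id


def profile_hardened(conn: sqlite3.Connection, session: Session, requested_id: str) -> tuple:
    """Two fixes applied together: authorization is checked against the
    session before any lookup, and the lookup is parameterized so the
    requested ID is always treated as data, never as SQL."""
    if not can_view(session, requested_id):
        raise AccessDenied(f"user {session.user_id} may not view account {requested_id}")
    row = conn.execute(
        "SELECT id, role, name, email FROM accounts WHERE id = ?", (requested_id,)
    ).fetchone()
    if row is None:
        raise LookupError("no such account")
    return row


if __name__ == "__main__":
    db = build_db()
    # Unauthenticated caller who merely knows Bob's ID gets Bob's record.
    print("vulnerable:", profile_vulnerable(db, "1000002"))
    # Alice, logged in as a student, is refused Bob's record.
    try:
        profile_hardened(db, Session("1000001", "student"), "1000002")
    except AccessDenied as exc:
        print("hardened:", exc)
    # Staff session is allowed, and the ID is bound as a parameter.
    print("hardened (staff):", profile_hardened(db, Session("2000001", "staff"), "1000002"))
```

The point of the hardened version is that knowing an ID stops being a credential: the lookup only runs after the session-based `can_view` check passes, and binding the ID with `?` removes the injection path regardless of what the request contains.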
Popular sentiment both at the College and online has backed Al-Khabaz, with many taking to Twitter and Facebook to accuse Dawson of badly mishandling the incident. Skytech was forced to filter traffic from outside Canada to its servers, which host the public web pages for many of the province’s vocational colleges, or “CEGEPs,” on Monday and Tuesday.
“No longer suited for the profession”
Dawson College’s administration and the faculty in its Computer Science department clearly feel differently.
In an opinion piece in the Montreal Gazette on Tuesday, Dawson computer science professor Alex Simonelis argued that the College’s Computer Science department forbids hacking as an “extreme example” of “behavior that is unacceptable in a computing professional.”
Simonelis also contradicted Al-Khabaz’s account of how the vulnerability was discovered, saying that he discovered the hole after running a vulnerability scan against Skytech’s servers. Al-Khabaz said that he discovered it while developing a mobile application for students that would give them access to Omnivox.
Simonelis did not respond to a request for an interview from The Security Ledger.
In a news conference on Tuesday, Dawson’s administration reiterated their position, calling Al-Khabaz “no longer suited for the profession.” But one prominent computer security expert took issue with Al-Khabaz’s expulsion – especially given his choice to responsibly disclose his discovery to the College and vendor.
CS Departments Stuck in a ‘Pre-Internet’ Era
“This is how a lot of vulnerabilities get found,” said Chris Wysopal, the CTO of the firm Veracode, which tests applications for security problems.
Wysopal, who began his career hunting for security flaws in software as part of the Boston-based hacker collective known as “L0pht Heavy Industries,” said that Al-Khabaz’s work in pursuing the security hole is exactly the kind of skill set that is required to be a successful software security professional in today’s market.
“You have someone who has a security mindset and an understanding of attacks and they’re just using software, programming to an API and trying to configure it and they find a vulnerability that puts all the users of the software at risk. In this case, this includes the researcher, himself.”
While Al-Khabaz may have been overeager in his pursuit of a fix for the flaw, Wysopal said that kind of enthusiasm isn’t unusual.
“If you’re a whitehat,” Wysopal said, using the term for lawful security researchers, “you feel like you have an obligation to tell the vendor.”
Wysopal said that Al-Khabaz “did the right thing” by putting heat on Skytech to fix the hole. “I think it was a sign of his persistence. He said ‘I got the vendor to say we’ll deal with this’ and the IT people at the College to back him and go to the vendor, now the vendor had to do something.”
The hostile reaction of the Dawson administration to Al-Khabaz’s work is indicative of a culture gap between the academic study of computer science and the practical reality of writing and deploying software today.
“Most Computer Science departments are still living in the pre-Internet era when it comes to computer security,” Wysopal said. “Computer Science is taught in this idealized world separate from reality. They’re not dealing with the reality that software has to run in a hostile environment.”
Al-Khabaz told Security Ledger that his coursework in Dawson’s computer science department did not include any coverage of computer security or related skills like penetration testing and vulnerability scanning. His discovery of the security hole in Omnivox came by chance. But, once he discovered it, he felt he had a duty to report it.
Wysopal said that blame rests with colleges and universities for not embracing software security and teaching it as a standard part of computer science, even though most graduates will enter a work force that asks them to write code that will run on web servers and mobile devices, where it will be subject to hostile actors.
Asked what the proper way to handle Al-Khabaz’s actions would have been, Wysopal said he would have talked to those involved and seen what harm was done. “I can’t see what harm was caused. And, if someone is intellectually curious and trying to solve problems and help people, it seems like those are all the best characteristics. This whole ‘lack of professionalism’ thing — I don’t get it,” he said.
In an e-mail response, Simonelis, the Dawson Computer Science professor, said that it was Wysopal who was mistaken. He noted Al-Khabaz’s use of the Acunetix web scanner, despite being warned by the Dawson administration, as proper grounds for expulsion.
“Schools are supposed to teach best practice, which includes ethics and adherence to reasonable laws,” Simonelis wrote.
Like other software professionals, however, Wysopal said that Al-Khabaz’s prospects in the field are good.
“He obviously has the aptitude to do testing and investigation. These kind of people right out of college are the kinds of people we want to hire.”