So today, I want to bring a certain story to your attention. As a student of a university, I fairly often find myself using or accessing important information through my school’s website. I have to access my account for financial aid (which holds my social security number and other important bits of information), as well as grades, emails, and sensitive material of that kind.
I’m letting you know this because my experience is not unique, in that thousands of schools across the world have websites that hold the private information of millions of students, from incoming freshmen to outgoing graduates.
In short, universities hold incredible amounts of information within their computer systems.
So, if you found that there was a massive hole in the security of your school, what’s the right answer? Do you not mention it, making yourself responsible for any security breach that follows? Or do you step forward and report it to the school?
Ahmed Al-Khabaz was a student at Montreal’s Dawson College who found himself in the exact same position. He and another student were working on a mobile app that would work alongside the university website, which allowed him to discover a major vulnerability in the system’s security.
When he found the vulnerability, he disclosed it to the school, as well as the company that handles the university’s computer security and its website.
Ahmed was initially congratulated on his straightforward integrity but was subsequently expelled from the school, left with nothing but failing grades reassigned to all his classes.
The sudden hostility on the university’s part was due to a cyber test that Ahmed had conducted while investigating the vulnerability. He had essentially run a penetration test on the vulnerability to verify that it existed.
It was something he felt was necessary before reporting to the school, and while he may have done it unwisely, he’s not wrong. However, it has been painted as a “cyberattack,” leaving Ahmed open to expulsion (and perhaps legal action).
While the school maintains that Ahmed committed an act of information security “hostility” against the university, Ahmed believes that the technology company behind the site is trying to cover its tracks alongside the school.
When you’ve been unintentionally embarrassed by a guy barely out of his teens, the mature answer is apparently to expel him. Perhaps worse, his chances at getting into another school are nearly destroyed because Dawson has chosen to retroactively change his good grades into failing ones.
In short, a computer science student, looking out for the students and administrators of his school, reported an issue with the website security. He was then expelled and failed for it.
The legality of this action is questionable at best, but these are the kinds of situations that each of the world’s nations must address as technology becomes a greater part of our infrastructure.
If you’d like to know more, read the following articles on the situation. Keep an eye on it, as I’m sure this is not the last we’ll hear of universities covering their butts at the expense of computer science students. And I hope it’s not the last we hear of Ahmed.