Ethical hacking incident brings rewards and expulsion for Canadian college student

A young, Montreal-based computer science student, his former college and the institution's IT provider all found themselves thrust into the media spotlight over the student's stance on ethical hacking.

The story began on Oct. 26, 2012, when 20-year-old Ahmed Al-Khabaz and fellow student Ovidiu Mija discovered what they considered “sloppy coding” on Omnivox, a portal that contains the personal information of some 250,000 students enrolled in Quebec's community colleges. Al-Khabaz and Mija notified officials at their school, Dawson College, which in turn contacted Skytech Communications. Skytech admitted that the pair had discovered a “critical vulnerability,” and fixed the problem within 24 hours. Both students were enlisted to solve the issue, and Skytech says it rewarded Mija for his work.

On Oct. 28, Al-Khabaz used Acunetix to launch thousands of requests at Omnivox, prompting Skytech president Edouard Taza to contact him directly. Al-Khabaz and Taza have publicly disputed the nature of the call, with the former claiming that Taza threatened to turn the case over to the Royal Canadian Mounted Police.

Dawson College's reaction was less ambivalent: it expelled Al-Khabaz on Nov. 14 for violating its code of professional conduct.

The story went public in mid-January, with Dawson's student union weighing in strongly in Al-Khabaz's defence, and newspaper columnists invoking the name of Reddit co-founder Aaron Swartz to illustrate the social role of ethical hackers. The story was further propelled by news that Skytech had offered Al-Khabaz both a part-time job and financial assistance in pursuing his education. “When did the locks become more important than the things they purport to protect?” asked Globe and Mail columnist Jon Blanchard in his review of what he called a “sordid” affair.

After initially dodging media requests, both the college and Skytech issued statements, with Dawson insisting that Al-Khabaz was expelled for attempting “repeatedly to intrude into areas of college information systems that had no relation to student information systems.”

Two days later, Skytech posted an FAQ about the case, confirming the details about the initial hacks, and stating that “this young man has learned from this experience, and deserves a fresh start to complete his studies elsewhere. Properly channeled, such talent will contribute to advancing the cyber security field.”

Admitting that he was violating a non-disclosure agreement with Skytech, Al-Khabaz maintained in an interview on Jan. 26 with the Canadian Broadcasting Corp. that he had done nothing wrong. “Sometimes, rules don't need to be applied… for the greater good.”

