http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/ By Sean Gallagher Ars Technica Jan 21 2013 A 20-year-old Canadian computer science student has become, depending on your point of view, a martyr for computer security or a cautionary tale for students and others who take an interest in exposing security flaws in software products. While Ahmed Al-Khabaz said he felt he had a "moral duty" to probe the security of a student information system used by over 250,000 students, the school's administration said his acts were a "serious professional conduct issue" and expelled him. Now, fellow students are demanding his reinstatement, and the college and its software provider are facing a publicity and security backlash. Al-Khabaz and another student reported finding a security flaw in the mobile application for Omnivox, a Web-based software package developed by Montreal-based Skytech Communications that is used by students to access and manage their personal information and college services—including their Social Insurance numbers, the Canadian equivalent of US Social Security numbers. Omnivox is used widely by Quebec's general and vocational colleges. Al-Khabaz told the National Post that the software had "sloppy coding" that allowed anyone "with basic knowledge of computers to gain access to the personal information of any student"—including virtually all of the personal data the college had collected on them. When Al-Khabaz and fellow student Ovidiu Mija reported the problem to the school's director of Information Services and Technology, they were initially congratulated for finding the flaw and were told it would be fixed immediately. But it was Al-Khabaz' next step that landed him in trouble with the school. Two days later, he decided to check to see if the flaw had indeed been fixed, using a site security scanning tool called Acunetix. [...] ______________________________________________ Visit the InfoSec News Security Bookstore Best Selling Security Books and More! http://www.shopinfosecnews.orgReceived on Mon Jan 21 2013 - 22:19:58 PST
This archive was generated by hypermail 2.2.0 : Mon Jan 21 2013 - 22:17:48 PST