I'm from Montreal, and found this on a local car forum (MontrealRacing.com). How do you respond to these allegations?

Quotes were taken from: http://news.slashdot.org/story/13/01/21/1244225/student-expelled-from-montreal-college-for-finding-sloppy-coding

"I was in shock ...when I read the title. I'm from Montreal, currently studying on exchange overseas. A few months back a friend of mine was telling me about an app he and some friends in a club at Dawson College were writing. I know a few of the guys personally because I was at some party with them back in September and I had heard a bit about how the project was going in the months following. All this to say, the story is complete bullshit.

Apparently, the school had originally offered to share some info that would help the guys making the app, but, coincidentally, some company started developing something around the same time that was along the same lines, so Dawson reneged on the deal.

The story goes, according to my friend, as such. Apparently, the programmer and one of the other guys decided they were just going to take the info, which was easy to do since Omnivox is such a terrible system, by breaking in. While doing this, they discovered the flaw and used it as leverage once the school noticed they had accessed the system and approached them. The other friend played innocent and the programmer got the flak for it, eventually being expelled.

This was by no means a white hacking deal. Also, these guys have been exploiting Dawson's system for a while to print for free and other such things.

It's interesting how many articles like this we get on slashdot. Just makes me wonder how easy it is to skew a story a certain way regarding a subject like programming which so many people know nothing about. If they found something, what were they doing looking in the first place? Well, sometimes people are just dicking around or curiously looking at how bad a system is, but sometimes they are - like in this case - breaking in to steal specific information for personal gain.

"I don't remember the extent to which it was a break-in and I dare not ask my friend again so I can post on slashdot (he might not be so happy about it), however, I know that the flaw was discovered while they were trying to find ways to get the information they wanted. I also remember it being an SQL injection, but I don't want to go on record saying that because I'm not 100% sure (my friend was also telling me that same day that the other guy, who didn't get expelled, was using an SQL injection to break into the Pizza Pizza system and remove his order so he could then call them up and say he had placed an order that hadn't arrived yet, resulting in free pizza).

Just as unreliable as the article is my anecdotal evidence, and I agree with your comment. I do know for certain that they were looking for ways to steal the information they needed, which they succeeded in doing with some sort of exploit, which I remember to be an SQL injection, when they found this security flaw. I also think that, unlike what he claims, he did not notice that the link to one's profile/info was encrypted by simply accessing his student account, but rather that they found this huge database of SIN, names, addresses, etc., which they realized anyone could find working forward from their student account, the opposite of how they did it (working backwards from the database).

Lastly, I know for certain that the other guy (pizza exploiter) was using the info to hold Dawson by the balls in case they went after them for breaking into the system. It should be noted that the other guy did not get expelled, even though he was pushing the whole operation and using the programmer's skills."

TL;DR the story was misrepresented by the media, and you were allegedly trying to steal information

Hey man, what you're writing here is not even remotely true to what happened. None of us stole any information, and the proof of that is us reporting the problems to the IT department the very next day. We believe we acted accordingly and ethically. In case any of us wanted to steal information or had any malicious intent, we had the option of doing so before reporting it. Since you don't seem to understand the magnitude of the effects this could have had on students had we not reported it, in case someone with malicious intent had found it beforehand, I can tell you that having your personal information at risk can be a living nightmare. What you posted here are all false allegations. There was no SQL injection involved, and no information has been used for any sort of personal gain. The media investigated the case from both sides before releasing any article, hence nothing was misinterpreted.

Why do you think that the fourteen computer science teachers who voted against you did so? It seems like they should be the other people on top of the game by realizing that what you did was not breaking any laws and was, in fact, helping the university, yet they chose the opposite side.

None of the teachers ever heard my side of the story except for one of them, hence the 14/15. The sole teacher decided to call me into his office and discuss the series of events that happened. He understood my motivations. I wish I had known they were going to vote against me, so I would have barged into their office and started talking. I was under an NDA from Skytech at that time and I didn't know teachers were allowed to vote against me, let alone know about my story. Everything happened silently.

I never signed any agreement when I started college. If anything, our school portal has a privacy policy on the website which they broke by confirming to us that their encryption is not reversible. Besides, what motivated me to look for flaws was that they were using deprecated code in the frontend of their website and that they also store our sensitive information there. Would you not do the same knowing that you have background knowledge in information security and feel a bit curious? The "attack" that kicked me out was done on a test server with my account without being behind a proxy. Thought it was safe after they congratulated me for what I had done.

The first article spelled your name wrong :/

Nah, my name is actually Ahmed in ID but I'd like to be called Hamed and that's how it's been since I was born. I guess my dad made a typo when telling the name to the doctors when I was born or something lol.

Would you go back to that school if you could? Have any other colleges/employers offered you a position?

Had most of my teachers not voted against me (14/15 profs decided to give me the boot) I would want to go back.

I got in total 2 college offers and 1 university offer.

Why did they vote against you? Were they somehow involved in setting up the school technology system? Edit: or more to the point, was it more of a personal issue with them or other outside factors causing them to vote against you? That you know of.

No, I was having a good time with them as far as I'm concerned. And I was under an NDA agreement with Skytech at the time and Dawson knew about it, and was under the impression that the staff there wouldn't tell anyone. They ended up breaking their own rules of professionalism by making a secret teacher-only meeting to vote whether I stay or not.

Do you mind going into the details of what was broken, how you found it and ways it could have been broken into? Nothing so specific that they could get taken advantage of now - but enough that a five year old like myself would understand things?

PS - Thought I saw a headline somewhere that you were ok with a new school/scholarship - is that so?

Sure, I'll try to respect as much as possible the part of the Skytech contract in which I'm not allowed to go into details of the technical side of my actions.

In simplified terms, you could have visited anybody's information with a master link. That master link contained a parameter for a College ID and a student ID, with some encryption thrown at it. Hopefully I explained it properly and made it look easy :D
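One way to picture the flaw the answer describes, and the server-side check that closes it, as an added example in JavaScript; it is not Omnivox, Skytech or the poster's own code, and it assumes plain base64 encoding in place of whatever encryption the real link used, plus constructed fake records.

```javascript
// Added example, not Omnivox/Skytech code. Models the "master link" shape the
// answer describes: one URL parameter carrying a college ID and a student ID.
// ASSUMPTION: the real link used some encryption; here the IDs are only
// base64-encoded, which is enough to show the point: obscuring the IDs does
// not authorize the request. Only a server-side ownership check does.

// Constructed sample records (fake data, keyed by collegeId:studentId).
const RECORDS = {
  "0001:1001": { name: "Student A", sin: "FAKE-SIN-A" },
  "0001:1002": { name: "Student B", sin: "FAKE-SIN-B" },
};

function encodeLink(collegeId, studentId) {
  return Buffer.from(`${collegeId}:${studentId}`).toString("base64");
}

function decodeLink(token) {
  const [collegeId, studentId] = Buffer.from(token, "base64").toString().split(":");
  return { collegeId, studentId };
}

// Vulnerable pattern: trusts whatever identity the link encodes (an insecure
// direct object reference). The session is never consulted, so any logged-in
// user presenting a token for another ID gets that other record.
function profileVulnerable(session, token) {
  const { collegeId, studentId } = decodeLink(token);
  return RECORDS[`${collegeId}:${studentId}`] || null;
}

// Hardened pattern: the record returned must belong to the authenticated
// session, and a mismatch is logged so the IT department can see the attempt.
function profileHardened(session, token, log = []) {
  const { collegeId, studentId } = decodeLink(token);
  if (collegeId !== session.collegeId || studentId !== session.studentId) {
    log.push(`authz-mismatch session=${session.collegeId}:${session.studentId} link=${collegeId}:${studentId}`);
    return { status: 403, body: null };
  }
  return { status: 200, body: RECORDS[`${collegeId}:${studentId}`] || null };
}
```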

Do you believe that had you told your side of the story to said teachers/professors, they would have voted in your favor?

To add to graniton's (Ovi) answer, I thought the teachers were bound to be on my side if they knew my story. I had such good relations with them, it was sad when the news broke to me that they decided to boot me instead of giving me a word to appeal. They are still great teachers in terms of teaching.

How does your family feel about everything that has happened? Are they supportive?

Are you continuing your studies via other methods while you explore the other offers you've received?

My family is supporting me of course! Although they aren't really seeing the good side after all this, I wish one day to show them that the aftermath was worth it.

Yes, right now I'm juggling between studies and a job, though it is clear to me that getting a degree has more advantages. You never know, I might go zuckerberg mode.

wololo_ (6 karma)

No, not really. They say the best revenge is forgiveness. If anything, I got more than if I had never whistleblown.

Personally I know far too little about this story to make up an opinion. But how do you feel about the people that are accusing you of trying to breach the security for your own benefit? Can you prove them wrong?

Yes, it really hurts and makes me a bit angry, but I gotta control myself. They are humans and they probably misunderstood parts. So I try to explain it without any flaming going on. I usually prove them wrong by saying I was doing my tests on a test server, openly (without hiding my IP or stuff like that), and that we reported the problem instead of them asking me for the flaws, since it never alerted them.

Do you regret how this has played out so far?

No regrets. If anything, what my actions have done should alarm third party companies that hold sensitive data. Not Google or Facebook, that just store our email and phone and age, etc. School portals hold sensitive information such as SSN, grades, locker pass codes, schedules. And to be honest, these systems tend to be weak these days. They are not taking this seriously.

shiv4m (1 karma)

What are you doing right now in regards to this? Taking this to court?

Do you plan on going back to school?

Thank you for your kind words. I'm not planning to go court mode. I'm either going to work for a company I have passion for, or make my own startup with those left out ideas I have, or simply return to school and get that Computer Science degree. I'll see.

How would you recommend starting to learn code or software programming?

FlyingVhee (2 karma)

www.codeacademy.com is a good start for anyone. It's in very simple terms, short courses with extremely focused material, and free. Get your feet wet and decide if you want to make a larger time investment.

Thanks for this

Yeah, what FlyingVhee said, but you still wanna take computer science to learn the boring algorithms, data structures, design patterns, etc., that you might need.

Wow! Didn't expect to see you on Reddit! I would just like to say I look up to you and I wish you the best in life.

My questions are:

  • Do you regret this learning experience?

  • What are the upsides to this whole situation and how have you benefited from finding the security flaw?

Thanks for your comment! I absolutely do not regret this experience, it's really a once in a lifetime thing. The only upside I can think of after this situation is that school systems will be more secure, since from now on they need to step up their game if they don't want to be shamed. And it's a good thing. They store so much sensitive data that they need to be more secure than top tier companies like reddit.

eduardobeattie (0 karma)

Also, did they end up fixing the flaw, and will your agreement with Skytech ever expire?

No, security isn't my big thing, it just so happens that it's fun to know about it. I'm more of a Front End engineer, so everything javascript is my thing.

I'm no lawyer here, but there was no expiry date on the contract. And yes they ended up patching the flaw. :)

Hey thanks for doing this!

  • I take it you're familiar with programming. If so what programming languages are you the best with?

Hi. I'm a Javascript guy and I use many of its libraries. I also do HTML5/CSS3 too! Although they didn't teach us webdev at school (Java was the main language), I taught myself what I really like.