Highest Rated Comments


dishesdesserts85 karma

I'm from Montreal, and found this on a local car forum (MontrealRacing.com). How do you respond to these allegations?

Quotes were taken from: http://news.slashdot.org/story/13/01/21/1244225/student-expelled-from-montreal-college-for-finding-sloppy-coding

"I was in shock... when I read the title. I'm from Montreal, currently studying on exchange overseas. A few months back a friend of mine was telling me about an app him and some friends in a club at Dawson College were writing. I know a few of the guys personally because I was at some party with them back in September and I had heard a bit about how the project was going in the months following. All this to say, the story is complete bullshit.

Apparently, the school had originally offered to share some info that would help the guys making the app, but, coincidentally some company started developing something around the same time that was along the same lines so Dawson reneged on the deal.

The story goes, according to my friend, as such. Apparently, the programmer and one of the other guys decided they were just going to take the info, which was easy to do since Omnivox is such a terrible system, by breaking in. While doing this, they discovered the flaw and used it as leverage once the school noticed they had accessed the system and approached them. The other friend played innocent and the programmer got the flak for it, eventually being expelled.

This was by no means a white hacking deal. Also, these guys have been exploiting Dawson's system for a while to print for free and other such things.

It's interesting how many articles like this we get on slashdot. Just makes me wonder how easy it is to skew a story a certain way regarding a subject like programming which so many people know nothing about. If they found something, what were they doing looking in the first place? Well, sometimes people are just dicking around or curiously looking at how bad a system is, but sometimes they are - like in this case - breaking in to steal specific information for personal gain.

"I don't remember the extent to which it was a break in and I dare not ask my friend again so I can post on slashdot (he might not be so happy about it), however, I know that the flaw was discovered while they were trying to find ways to get the information they wanted. I also remember it being an SQL injection, but I don't want to go on record saying that because I'm not 100% sure (my friend was also telling me that same day that the other guy, who didn't get expelled, was using an SQL injection to break in to the Pizza Pizza system and remove his order so he could then call them up and say he had placed an order that hadn't arrived yet, resulting in free pizza).

Just as unreliable as the article is my anecdotal evidence and I agree with your comment. I do know for certain that they were looking for ways to steal the information they needed, which they succeeded in doing with some sort of exploit and which I remember to be an SQL injection, when they found this security flaw. I also think that, unlike what he claims, he did not notice that the link to one's profile/info was encrypted by simply accessing his student account, but rather that they found this huge database of SIN, names, addresses, etc... which they realized anyone could find working forward from their student account, the opposite of how they did it (working backwards from the database).

Lastly, I know for certain that the other guy (pizza exploiter) was using the info to hold Dawson by the balls in case they went after them for breaking in to the system. It should be noted that the other guy did not get expelled, even though he was pushing the whole operation and using the programmer's skills."

TL;DR: the story was misrepresented by the media, and you were allegedly trying to steal information.