Student expelled for using a Web Vulnerability Scanner

Tuesday, 22 January 2013



20-year-old student Ahmed Al-Khabaz (Ahmed Al-Habasit) has been expelled from the computer science department of a Montreal college. The reason was that he twice ran a web vulnerability scanner against the school's website, and also found a dangerous vulnerability in the Omnivox learning portal, which is used by nearly all colleges and universities in Quebec. In doing so he allegedly "threatened" the private data of 250,000 students.

A student at Dawson College (Montreal) and a member of a local computer club, Ahmed was working on a mobile application that would make it easier for students to work with their data on the learning site. While working on the program, he and his colleagues discovered a vulnerability in Omnivox. Because of "sloppy coding", anyone with basic computer knowledge could get access to the profile of any student in the system, including social security number, home address, phone number, schedule and everything else.

When Ahmed found the vulnerability, he felt a moral obligation to report it to the college. "I could easily have hidden my identity behind a proxy. But I did not, because I do not consider that I was doing anything bad," the student said in an interview with the Canadian newspaper National Post.

Ahmed and his friend, also a programmer, were invited to a meeting with the college's Director of Information Technology. He thanked them for their work and promised that the vulnerability would be closed in the near future in cooperation with Skytech, the developer of the Omnivox system.

Two days later, Ahmed decided to check whether the hole had been closed. He launched the Acunetix Web Vulnerability Scanner, and almost immediately his home phone rang with a call from Skytech. The caller introduced himself as the president. He said that this was the second time he had seen Ahmed in their web logs, and that what he was doing was called a cyber attack. Ahmed repeatedly apologized and explained that he was the one who had discovered the vulnerability reported a couple of days earlier, and that he was now just checking that it was closed. The president of Skytech said the young man faced 6 to 12 months in jail unless he came in right away and signed an NDA (non-disclosure agreement), which the student did. Under it, he had no right to disclose any information found on Skytech's servers, or any other information relating to Skytech, its software and how to access its servers.

The agreement also prohibited disclosing the existence of the agreement itself.

In an interview with the National Post, the officer later explained that all software has bugs and that Ahmed had found another tricky security bug, but that using the scanner was a violation. Such programs, he says, may be used only after notifying the owner of the server.

The college learned of the student's "misconduct" and initiated expulsion proceedings for a "serious breach of professional ethics" (serious professional conduct issue). After discussing the matter, the 15 professors of the computer science faculty put it to a vote, and 14 of them voted for expulsion. Ahmed himself considers it unfair that he was not given the opportunity to explain the situation in person to the faculty board.

© Copyright 2010-2011 GARMOBI All Rights Reserved.