Recently, a college student in Canada was expelled because he exposed weaknesses in the school’s computer system which stores student records. Don't judge a book by its cover, however, as the hacker's expulsion eventually led him to the promised land.
Omnivox, a system from Skytech Communications, is a record-keeping system that is implemented on more than one campus nationally. While working on a mobile app that would allow students to access their school records, Hamed Al-Khabaz, the expelled student, found an exploit that would allow anyone to access confidential student information (social insurance number, which is similar to a Social Security number in the US, address, etc.). According to him, he was “morally” obligated to report the system’s flaw to the school, which he did. Initially praised for the find, Al-Khabaz later used a scanning tool called Acunetix to see if the hole had been plugged, which ultimately became the main reason for his expulsion.
Minutes into the scan, Al-Khabaz got a call from the president of Skytech, Edouard Taza, telling him he could not go any further because the scan was equivalent to a cyberattack. Fearing jail time, Al-Khabaz signed a non-disclosure agreement that prohibited him from discussing anything related to Skytech, especially the flaws found in the Omnivox system. However, Al-Khabaz, with his own interests in mind, went to the press and gave them his side of the story.
“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable. I felt I had a moral duty to bring it to the attention of the college and help fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong,” Al-Khabaz said.
In the school’s defense, the campus IT policy does not allow unauthorized users to snoop around computer systems to look for holes. Taza added that Acunetix “should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better…” Moreover, by exposing his side of the story to the media, Al-Khabaz also broke his agreement with Skytech and, by extension, with the school.
In the end, Al-Khabaz did not come out on the short end of the bargain: his notoriety turned into fame, and schools are lining up to educate the celebrity hacker. It gets better, however: since his story went viral, many companies, even Skytech, have offered him jobs, as well as scholarships for his schooling. Touché, Mr. Al-Khabaz. Touché.