Dawson still won’t reconsider their decision to expel Hamed Al-Khabaz, a computer whiz who was a student at the school until November. Administrators also stand by their decision to give the former student zeroes in all his classes and note that he broke their professional code of conduct on his permanent Quebec education file.
All this despite a decision by the company most embarrassed by the student to offer him a job and a virtual recommendation by press release on its website late Monday January 21.
We feel that this situation should not prevent such a talented student from doing what he loves most,” reads the statement approved by Skytech owner Edouard Taza. “Just as we are already collaborating with the other student who helped discover the flaw, we will also offer this student to work for us with mandates in IT security in order to allow him to work in the subject area he loves.”
The virtual comment was just one of a dozen kudos Al-Khabaz has received since going public.
Al-Khabaz’s problems began when he and a friend were prototyping an application so that students could get class cancellations, messages, their schedules and other services on their mobile phones. These services are normally provided through student management software called Omnivox. While working, “I saw that the portal was a bit sloppy so I decided to run a few tests,” says Al-Khabaz.
He and the other students discovered that hackers could easily collect the personal data of students, staff, and alumni dating as far back as 1994. The two informed Skytech to get the problem patched.
It was Al-Khabaz’s decision to rescan Omnivox a few days later to find out whether the concerns were corrected that got him in trouble, primarily because his curiosity got the better of him, and he decided to look around for more holes. That incident took place on October 26.
“I didn’t hide myself,” he said. “Had it been a real attack, I would have cleared my traces. My goal was to help to make sure that my data was safe. I found out that it was totally fixed and was testing to see how good the fix was. The problem was, I was also checking other stuff that I found. Part of the plan was to get their attention to see if there were other exploits to be fixed. The day later, I got the email from my school.”
That email led to the expulsion through a series of actions that included a vote by the fifteen professors who teach in Dawson’s computer science department. According to Al-Khabaz, only one of them spoke with him personally about why he did what he did.
“One of them decided to talk with me and hear my side of the story before voting,” said Al-Khabaz near the end of a very long day of wall-to-wall interviews on Monday, January 21. “He was the one who voted against the motion. He told me that Dawson considered me a dangerous kid. They said that I had criminal intentions and was behaving unprofessionally. I’m feeling a bit nauseous and I’m really hungry, but I have high hopes that something good will come out of all this. This media release will hopefully help. Maybe one of the schools will pick up the story and offer me a space.”
Earlier in the day, Al-Khabaz had expressed hopes that Dawson would overturn their own decision and let him finish his degree. The Dawson Student Union, the Canadian Federation of Students and petitioners at the website “www.hamedhelped.com” requested the same thing.
Reversing the expulsion was rejected by Dawson in a press release signed by Communications Coordinator Donna Varrica and distributed at one in the afternoon. “In the recent case of Ahmed Al-Khabaz, which he himself brought to the media, the College stands by its decision,” it read.
Varrica justified Al-Khabaz’s expulsion with Dawson’s academic integrity and professional code of conduct policies. The academic integrity document runs for 44 pages; the code of conduct document four pages. Neither contains the words “computer” nor “hacking.” Most clauses describe how sanctions will be carried out rather than what might cause them. Inappropriate classroom behaviour and sexual discrimination are clearly not tolerated, but everything else seems up to the CEGEP staff on an ad hoc basis.
“The process which leads to expulsion includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned, particularly in the area of professional code of conduct,” reads Dawson’s press release. “Conditions for remaining in the College on good terms are clearly explained in person to the student…When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student.”
A media storm ensued. At a hastily-called press conference last Thursday, January 24, administrators tried to explain the school’s actions, but their explanations about a principle he’s supposed to have broken seem less compelling than his explanation of his actions.
The conference itself released only two new pieces of information. The first was that Al-Khabaz scanned Dawson systems on September 21 and received a reprimand by email. Administrators implied there were more incidents but didn’t provide specifics.
They also spoke about a department-level code of conduct that students are supposed to adhere to that was significantly shorter than the 48 pages they provided three days earlier.
A document called “To set the record straight” on the Dawson website provides the wording at: http://www.dawsoncollege.qc.ca/public/72b18975-8251-444e-8af8-224b7df11fb7/info_desk/420a0_-_professional_conduct.pdf.
Professional Conduct In order to remain in the Program, a student must display behaviour appropriate to the Computer Science Profession. The Computer Science Technology Program, in accordance with the Institutional Student Evaluation Policy (ISEP), may remove a student from the program for reasons other than failing courses. In order to continue in the program, a student is expected to exhibit behaviour appropriate to the profession. Appropriate behaviour must be displayed in all activities associated with the program, in classrooms, labs, during the internship, in relations with fellow students, staff, faculty, employers and clients. The procedure for removing students from the program on the basis of Professional Conduct will be applied as per the College’s Institutional Student Evaluation Policy (ISEP). Some examples of inappropriate behaviour are: malicious use of computer equipment; spreading of computer viruses deliberately or through negligence; deliberate refusal to follow lab instructions given by staff or faculty regarding any use of computers; unethical practices such as theft of another student’s work, theft of college property, unauthorized copying of software, destruction of another student’s work, destruction of college computer files; continual rudeness; interference with another student’s learning; failure to collaborate in a team environment; display of deportment or habits (for example personal hygiene) outside the normally accepted standards in the work place; violation of confidentiality. Students expelled from the program under the Professional Conduct portion of the Academic Standing and Advancement policy can appeal to the Academic Dean.
How this code actually applies to Al-Khabaz’s case was not specified during the press conference Thursday.
The most extreme moment occurred when Ken Fogel, the chair of Dawson’s Computer Science department, expressed extreme frustration that Al-Khabaz expressed a “moral authority” to repeatedly check Dawson’s information technology systems for flaws. “It’s like a house full of lots of doors with locks on them,” he said. “He keeps breaking the locks.”
It’s not really like a house, but if it were, it would be like a house with all my stuff in it…my passport, my social security number, my entire life,” said Al-Khabaz outside the theatre where Dawson’s press conference was held. “It’s not just my life in there, but the lives of every other student and staff member as well. I’ve got the skills to help secure those things, so I have to help protect them.”
Note: A previous version of this story was published on p4 of the West Island edition and on page 9 of the city edition of the Suburban on January 23.
I’ve changed some of the words “hacking” after reading Jon Blanchard’s editorial on the subject at http://o.canada.com/2013/01/27/when-did-locks-become-more-important-than-the-things-they-protect/. As Blanchard points out, Al-Khabaz’s actions were not “hacking.”
Another important review worth reading is Paul Wouters’ description of his very different experience being educated in technical responsibility at https://nohats.ca/wordpress/
Also well worth reading is Ethan Cox’s initial coverage of what happened at http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data/