Company offers scholarship to Dawson student who exposed security flaws

The Dawson College computer science student who was expelled after discovering a security breach in a system used by students across Quebec has been offered a scholarship by the company behind the software.

Dawson stands by its decision to expel student

Security breach leads to student's expulsion

CBC News: Montreal at 6:00

9 years ago
The story behind the Twitter trend #hamedhelped. 2:27

The Dawson College computer science student who was expelled after discovering a security breach in a system used by students across Quebec has been offered a scholarship by the company behind the software.

"We will offer him a scholarship so he can finish his diploma in the private sector," said Edouard Taza, the president of Skytech.

Taza said he also reached out to Hamed Al-Khabaz, 20, and offered him a part-time job in information technology security.

The student said he was surprised by the offer because he said Skytech had done nothing to help him since being expelled from Dawson College.

Dawson, however, said it stands by its decision to expel Al-Khabaz for breaking the school's code of conduct.

Dawson stands by its decision

In an interview with CBC's Homerun, Dawson director general Richard Filion said the school expelled Al-Khabaz based on the school's professional code of conduct.

"We're not doing this blindly, we're not doing this with happiness, but we had to consider a serious breach in these values and principles," said Filion.

The Dawson Student Union is appealing for the school to reinstate Al-Khabaz.

"Hamed is a brilliant computer science student who simply wanted to help his school," said Morgan Crockett, the union’s director of internal affairs and advocacy.

"Dawson College should be thankful for his talent and foresight. They must immediately reinstate Hamed, refund the debt he has incurred as a result of his unjust expulsion and offer him a public apology."

Al-Khabaz said with an expulsion and a note on his permanent student record, he's concerned about being able to find another college willing to accept him.

"I really want to go back to school. I really love the teachers in computer science at Dawson College," he said.

Filion said the school rejected the appeal and maintained its decision to expel Al-Khabaz.

"Well, if you look at the Criminal Code, it is clear that if someone is having access without authorization to any computer service, he is ... guilty in a criminal act," said Filion.

The school has not alerted police.

Expelled for pointing a security breach

Al-Khabaz said he uncovered the flaws in the online academic portal used across Quebec in September while working on a school project for the software development club at the Montreal school.

He said he and a fellow student discovered the potential breach by accident.

"I was just trying to help and make sure our data was safe," Al-Khabaz told CBC Montreal’s Daybreak.

While looking at the student portal's website, they discovered that by exchanging other student numbers in the encrypted links, they could easily obtain information such as the social insurance numbers, home addresses and phone numbers of more than 250,000 students.

Al-Khabaz said he informed the school’s head of information technology immediately after discovering the vulnerability in the school’s Omnivox software and was congratulated for the discovery.

Days later, Al-Khabaz says he ran a program to check if the vulnerabilities he discovered on the site still existed, and almost immediately, he received a phone call at home from Skytech, the makers of the Omnivox software.

Al-Khabaz said the call was from Taza, who informed him that he had launched a cyberattack on the site that could result in jail time.

According to Al-Khabaz, he was given a choice between signing a non-disclosure agreement or facing possible criminal charges, so Al-Khabaz agreed to sign the agreement.

"I just wanted to get back into school. I had to collaborate with them. I was pretty scared at that point and I didn’t want to get my education ruined," he said.

'Attack' made portal unresponsive for users

Skytech released the following statement in response to Al-Khabaz’s test for site vulnerabilities:

"The attack … made the College portal extremely unresponsive for its thousands of users. Had it not been countered, it would have put the College portal out of order for the entire students and teachers population of Dawson. The attack was traced, and it turns out that it came from one of the students who participated, earlier that week, in the discovery of the security flaw. We therefore decided to be clement, and not to report the attack to the authorities."

Dawson College then decided to expel Al-Khabaz for breaching the school’s code of conduct.

But Al-Khabaz said the school did not understand he was only trying to help.

"They don’t understand my intentions. They think I’m a threat, a criminal," he said.

Dawson College spokeswoman Donna Varrica sent CBC a statement saying the college stands by its original decision to expel Al-Khabaz.

Varrica clarified the process that leads to expulsion. She said the process includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned.

"When this directive is contravened by the student by engaging in additional activities of the same sort, the College has no recourse but to take appropriate measures to sanction the student," Varrica stated.