security by expulsion - Ahmed Al-Khabaz and Dawson College

Posted on: Tue, 01/22/2013 - 08:46 By: Tom Swiss

Computer security experts have long decried the practice of "security by obscurity": keeping the design of a system secret cannot effectively protect it from attackers, because points of compromise won't stay hidden for long.

Montreal’s Dawson College has taken the failure of security by obscurity one step further with what we might call "security by expulsion":

Ahmed Al-Khabaz expelled from Dawson College after finding security flaw

Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”

...

“I was called into a meeting with the co-ordinator of my program, Ken Fogel, and the dean, Dianne Gauvin,” says Mr. Al-Khabaz. “They asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem.”

Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour. Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty. He appealed his expulsion to the academic dean and even director-general Richard Filion. Both denied the appeal, leaving him in academic limbo.