Student expelled after exposing security flaw in college computers

SecurID stock

Last fall, Ahmed Al-Khabaz and a fellow student discovered "sloppy coding" in their college's computer system that jeopardized the security of over 250,000 students’ personal information. After testing to confirm the issue was real, Al-Khabaz was congratulated for raising the issue with the relevant authorities, but has since been expelled from Montreal's Dawson College with failing grades.

Minutes after testing the flaw, Al-Khabaz was accused of launching a cyber attack

The reason for his expulsion, according to Canada's National Post, is a further test Al-Khabaz ran on October 26th last year. The former student says he simply wanted to confirm that Skytech, the company that provides and maintains the college's computer systems, had fixed the vulnerability, but minutes after the test he was called by company president Eduoard Taza, who accused him of launching a cyber attack against Skytech's network. Al-Khabaz says that, despite explaining he was one of the students that originally reported the vulnerability, he was threatened with legal proceedings and forced to sign a non-disclosure agreement preventing him from discussing the attack or the existence of any flaw.

Dawson College administration took the opinion that the "test" had endangered the safe running of college computers, and after meeting with the student, voted in favor of expelling him. Al-Khabaz believes that, rather than acting in the college's best interests, the administration was simply trying to save face. "I got the sense that their primary concern was covering up the problem." He says that his newly-assigned failing grades — he was reportedly "acing" all of his classes before the incident — have prevented him from enrolling at another college.

"It is very clear to me that there was no malicious intent."

It's likely that, whether perpetrated in good faith or not, Al-Khabaz's actions could rightly be perceived as a cyber attack. Skytech president Eduoard Taza told the National Post he was "pleased" with the students' work in uncovering the vulnerability, but said the additional testing crossed a line. "He should have known better than to use [the testing software] without permission." The president acknowledges mentioning the legal implications of the test to Al-Khabaz, but denies using threatening language to force him to sign a non-disclosure agreement. College representatives have refused to comment on the case, but Taza says "it is very clear.. there was no malicious intent. He simply made a mistake."

The Verge
Log In Sign Up

Log In Sign Up

Please choose a new Verge username and password

As part of the new Verge launch, prior users will need to choose a permanent username, along with a new password.

Your username will be used to login to Verge going forward.

I already have a Vox Media account!

Verify Vox Media account

Please login to your Vox Media account. This account will be linked to your previously existing Eater account.

Please choose a new Verge username and password

As part of the new Verge launch, prior MT authors will need to choose a new username and password.

Your username will be used to login to Verge going forward.

Forgot password?

We'll email you a reset link.

If you signed up using a 3rd party account like Facebook or Twitter, please login with it instead.

Forgot password?

Try another email?

Almost done,

By becoming a registered user, you are also agreeing to our Terms and confirming that you have read our Privacy Policy.



Choose an available username to complete sign up.

In order to provide our users with a better overall experience, we ask for more information from Facebook when using it to login so that we can learn more about our audience and provide you with the best possible experience. We do not store specific user data and the sharing of it is not required to login with Facebook.