Photo courtesy Martin Reisch.
On November 14th, 2012, Dawson College in Montréal, Québec, Canada, expelled Computer Science student Hamed Al-Khabaz for discovering weaknesses and security flaws in Skytech’s Omnivox Student Portal. Had Hamed not made his discoveries, the personal data of millions of Québec students, College and University staff, as well as alumni dating as far back as 1994 would have continued to be easily exploitable.
Despite Hamed’s insistence that he had no criminal intent, Dawson has rejected his appeal, awarded him zeroes in all his classes and tarred his transcript, essentially ruining his academic future. To make matters worse, he has been ordered by the Province of Québec to refund the bursaries he had received for the 2012-2013 Academic year. He has also been threatened with criminal charges and jail time.
This site exists to tell those in positions of power that the people will not be silenced. That bullying, intimidation and coercion will not be tolerated. The vilification and criminalization of a generation of programmers, hackers and web enthusiasts is an affront to democracy and civil liberties.
Hamed helped, let’s help Hamed.
For twitter updates on #HamedHelped, follow Hamed, the Dawson Student Union, DSU Director of Internal Affairs & Advocacy Morgan Crockett, DSU Staff Mathieu Perron and journalist Ethan Cox.
The Facts
Many people have been asking for additional information about the events leading up to Hamed’s expulsion. Below we will try to the best of our ability to provide you with the full picture.
September 21st
After inspecting Dawson’s Omnivox portal framework from the outside, Hamed sensed that their system might be vulnerable to data breaching. He decided to use Acunetix to scrape the portal for vulnerabilities. He had the choice to go through an anonymous proxy and never get caught, but he did not do so in order to let them know that they are not being attacked but that he is simply running a test.
September 22nd
Hamed receives an email from François Paradis, the Director of Information Systems Technology, informing him that his account has been suspended for attempting to gain unauthorised access to their systems. Hamed immediately informed them of his intent. They reactivated his account. At no time does he receive a “Cease & Desist” letter or official first warning from Mr. Paradis. Their exchanges are cordial and Mr. Paradis stresses the important of being cautious in his actions as to not provoke Skytech into going after him.
October 14th
Hamed noticed a pattern in the url of his Omnivox avatar. The pattern led to his Student ID number. From there he realised that anyone’s information could be accessed by replicating the pattern. He did not use software to make this discovery, but rather deductive logic.
October 17th
Hamed requests to meet with François Paradis in order to run some tests to expose vulnerabilities.
October 24th
Hamed and his colleagues meet with François Paradis to test their theory of data access. A test server is setup for them to run their findings. They sign a Protocol for Portal Vulnerability Test. Part of said protocol stipulates that testing must happen on College grounds under the supervision of Dawson College IT staff.
October 26th
Hamed is informed that Skytech has fixed the holes in Omnivox and that the site is now secure. Excited by their rapid response, he logs on to the test server the College provided him to run an Acrunetix scan. The scan shows no vulnerabilities but Skytech is alerted to its use and calls Dawson College to get the name of the “culprit”. Dawson College hands over Hamed’s number and Skytech calls him at 9PM. They threaten to call the RCMP on him and warn that he may face a year in jail for his actions. Hamed explains that he was part of the team that found the initial hole and that his intent was just to ensure the data was truly secure. They ask him to provide any bugs he may have found by October 28th. He does so under condition that they agree to not sue them and in return he will not disclose any of what he found to anybody.
November 2nd
Hamed is invited to attend a meeting on November 6th “to address serious professional conduct issues”. In attendance will be the Sector Dean and Vice-Dean as well as the Program Coordinator.
November 6th
The meeting to review Hamed’s case takes place.
November 12th
The Computer Science Department meets to review Hamed’s case. Only a single teacher has taken the initiative to speak with him directly. Said teacher is the only one to vote against his expulsion. Hamed is not present.
November 14th
Hamed is asked to meet with Diane Gauvin. She hands him his letter of expulsion citing professional misconduct. Security is on hand to immediately confiscate his Student ID.
November 20th
Hamed appeals his expulsion to the Academic Dean.
November 27th
Hamed meets with the Academic Dean to present his case.
November 29th
The Academic Dean rejects his appeal and ensures that “the Sector Dean will not go back on her words.”
November 30th
Hamed meets with the Director General to appeal his expulsion.
December 7th
The Director General rejects his second and final appeal.
In sum,
- Hamed exchanged emails with Mr. Paradis where it was expressed that his actions on September 21st were irresponsible.
- Hamed never received a Cease & Desist letter.
- Hamed never received an official written warning.
- Hamed was thanked for bringing vulnerabilities to light on October 24th.
- Hamed was given access to a test server on October 24th.
- Hamed was asked to only use the test server when at Dawson.
- Hamed was eager to verify the updated security of Omnivox on October 26th and performed tests from his home.
- Hamed immediately stopped scanning the system upon receiving a call from the CEO of Skytech.
- Hamed was not granted the right to speak directly with the members of the Computer Science faculty before they voted on his expulsion.