Student, Expelled After Finding Security Flaw in College Network, Clashes With Administrators

A Montreal student who was expelled after discovering a security flaw in his college’s computer system is now engaged in a public war of words with the administration, as he tries to persuade it to remove the expulsion from his academic record.

Hamed Al-Khabaz, 20, said he found what he suspected was a vulnerability in the system at Dawson College in September, while he and another computer-science student were working on a mobile app. The system, called Omnivox, is used by nearly 100 colleges and more than 200,000 students in Canada.

When the pair began prying into the flaw, they received an e-mail from the college’s information-technology department, explaining that they needed permission to run the software they were using on the system. After e-mailing back to ask for consent, Mr. Al-Khabaz said, they never received a response. A month later, they decided to explore the issue further, this time without the help of software.

“We found a vulnerability that involved students’ Social Security numbers, grades, and addresses,” Mr. Al-Khabaz said. “We immediately told the college, and they decided to have us meet with them.”

At that meeting, the two students demonstrated the problem for college administrators using a test server. They were thanked for their efforts, Mr. Al-Khabaz said, and he left his phone number, explaining that there were other vulnerabilities that needed to be dealt with.

“These flaws could let someone ban users from logging in or see anybody’s address in a class,” he said. Two days later, he used the test server to see if the problems had been fixed, and was pleased to see that they had.

Then the phone rang. It was Edouard Taza, president of Skytech Communications, the maker of Omnivox. He accused Mr. Al-Khabaz of launching a cyberattack against the system and threatened legal action, Mr. Al-Khabaz said, but he seemed appeased after the student said he had no malicious intent and signed a nondisclosure agreement.

“So I thought everything was fixed,” Mr. Al-Khabaz told The Chronicle. “But then Dawson decided to expel me.”

The college met with Mr. Al-Khabaz and asked 15 professors in the computer-science department to decide his fate. Only one professor voted against expelling him, and that professor, Mr. Al-Khabaz said, was the only one of the 15 who had met with him before voting.

He was expelled on November 14, and a note was added to his academic record indicating that he had been dismissed for unprofessional conduct. In the following months, he twice appealed his expulsion, without success.

This week, working with the Dawson Student Union, Mr. Al-Khabaz began talking with reporters at news outlets including the Canadian Broadcasting Corporation and the National Post. Other news media picked up the story, and Dawson, which had declined to comment at first, citing privacy concerns, responded.

“He was expelled for other reasons,” the college said. “Despite receiving clear directives not to, he attempted repeatedly to intrude into areas of college information systems that had no relation with student information systems.”

Mr. Al-Khabaz said that he had received no such directives, apart from the original e-mail in September, and that he had been upfront with the college about his actions.

Ken Fogel, chair of Dawson’s computer-science department, has compared the student’s actions to breaking into a house.

“He thinks it’s only his house,” Mr. Al-Khabaz said in response. “That house also has my information and my whole life stored there, and I’ve been in that house the last two years.”

Because of the continued tension with Dawson, he said, he was no longer sure that he would return even if his expulsion were lifted. His goal now, he said, was to remove the expulsion from his record and have his grades reinstated. He said he was afraid that the mark on his record would make it difficult for him to attend a different college or get a job.

On the other hand, since taking his story to the news media, Mr. Al-Khabaz said, he had received at least 10 job offers—and a scholarship from Skytech.