Don’t respond to a breach like this

A student who legitimately reported a security breach was expelled from college for checking to see whether the hole was fixed.

(From the original article):

Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”

Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.

It was the President of the SaaS company, who forced him to sign an NDA under threat of reporting him to law enforcement. He was then expelled.

Reactions like this have a chilling effect. They motivate discoverers not to report flaws at all, to release them publicly, or to sell or give them to someone who will use them maliciously. None of those outcomes are good. Even if it pisses you off, even if you think a line was crossed, if someone finds a flaw and tries to work with you to protect customers and users rather than using it maliciously, you need to engage with them positively. No matter how much it hurts.

Because you sure as heck don’t want to end up on the pointy end of an article like this.

—Rich

Comments:

By -ds on 01/22 at 12:08 PM

You’re making a big jump, Rich, and leaving out a big chunk of context to support your interpretation. 

The story says that…

“After an initial meeting with Director of Information Services and Technology François Paradis on Oct. 24, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill.”

So, the firm did indeed seem to positively receive the notification of the vulnerability and did make a commitment to correct the issue. However, Mr. Al-Khabaz waited only two days to check up on them. Is 2 days a reasonable amount of time to fix the issue? Hard to say, but probably not.

Mr. Al-Khabaz acted in an unreasonable and irresponsible manner, and if the worst of the consequences is that some schmuck from the firm called him with an empty threat, he’s done well. His, however, is not the idea of responsible disclosure we should be celebrating.