Dawson college student expelled for finding and reporting a security flaw in college software
Read the original article here.
Wow. First the guy finds the silly hole that allows anyone who is logged in to the system to see other's data. With my background in IT I just see that kind of select * from users where user_id=$user_id
where $user_id is the HTTP parameter :) I have seen it myself and I was even exposed once in my life to a flaw in HR software at the company I worked for that had a similar issue. Except that after I reported it to the company - not only some correct and instant actions were taken, the company also took care of possible personal information leak by purchasing the credit file monitoring service for all employees. Just a matter or precaution.
While I do understand that his second attempt to test the system (well, in fact even the first one!) may be considered as a hostile action, I believe he was concerned about his personal data that can be stolen. Why do we verify the bank account statements if we trust the banks? At the end, a well-designed and properly implemented information system is supposed to simply filter out any attempt to fetch the data that does not belong to the authenticated user. This is the basic rule. And also a well-designed system is not supposed to be made “extremely unresponsive for its thousands of users” by one guy who probes it.
Many organizations out there are keeping our private information on their premises. But we own this information. Do we have right to demand making this information storage secure? Do we have right as owners of the information to use any non-destructive means necessary to ensure that it is truly secure?
If what M. Al-Khabaz says is true - it is legal and ethical for Skytech to intimidate him and force to decline his right for publishing disclosure of the information that, essentially, puts other people's private information at risk of being exposed without their permission?
In some countries the people are allowed to use deadly force (e.g. a gun) to defend their property and people living there. While I do not approve the violence I do believe in reasonable self-defense against the crime. What is about the information that is your virtual property? What legal weapons are you allowed to have and use to protect it?
And finally, what a knee-jerk reaction of Dawson college. First of all, this is a proof that the guy does understand something about the computer science if he could find and understand the issue. Secondly, he did a good thing for college by reporting it to the administration first - not calling the police and RCMP or, even worse, waiting, collecting evidence and then suing the college for mishandling of the personal information. Expelling it and not even reconsidering that decision after rethinking the situation - is this smart and responsible?
I think our society needs to develop better information culture needed for 21st century.
blog comments powered by Disqus