Tuesday, January 22, 2013

When Students Are Smarter Than Teachers

One of the big news stories around here this week is how Dawson College expelled a student for exposing a security flaw in the online course management software they use. The software, called Omnivox, is used in many CEGEPs (junior colleges) in Quebec.

Here's the gist of the flaw: Pages containing sensitive information about users (students and teachers) are given encrypted URLs, but apparently the URL still contains pieces of the staff or student ID number. Simply by changing those numbers, anyone logged in to the system can access information about any other user.

The student in question, Hamed Al-Khabaz, immediately reported this gaping security hole to the College's head of IT. He got a pat on the back. After a few days, he ran a program to see if the vulnerability was still there. Good follow-up on his part.

The College then threatened to press charges and ultimately expelled the kid.


The correct course of action should have been:
1.  "Holy crap - thanks for finding this really serious problem with our system, we'll get that fixed right away."
2. "Here's your diploma. You can go home now."

Seriously. This kid is smart, thorough and above all HONEST. The first thing he did when he found the problem was tell a grown-up. And then he got expelled.

I thought that the mission of a college - or any other school for that matter - was education. I didn't think that this mission was restricted to the classroom. Well, what the hell do the administrators at Dawson think they are teaching this student, and all their students, by their actions?

They are teaching him to toe the line, to cover his ass and never trust anyone in a position of authority.  Clearly these are superb lessons.


I hope that my own children can act with the clarity of thought, integrity, thoroughness and honesty that Hamed Al-Khabaz did.

This whole incident started back in September of 2012, and we're only hearing about it now, because the company behind the software, SkyTech (not Skynet), forced Al-Khabaz to sign an NDA. In my capacity as a teacher, I used Omnivox every day, and I have not heard a thing about it - including whether or not the vulnerability has been repaired.

In an interesting about-face, SkyTech has now offered Al-Khabaz a scholarship so that he can complete his studies at a private college.  They should hire him.

Institutions of all kinds, governments, companies, schools, and parents, need to remember that the example we set by our actions often provides a more powerful lesson than anything else.

Watch this clip of Al-Khabaz being interviewed on CBC News.

You can sign a petition to encourage Dawson College to reinstate Hamed Al-Khabaz here.
