by thefreeman 4895 days ago
http://news.ycombinator.com/item?id=5090007

A few days after reporting the flaw, he got caught using http://www.acunetix.com/ (web vulnerability scanner) on their network. He says he was checking to see if they fixed the flaw. I don't think he was intentionally being malicious, but his explanation doesn't jive with his actions.

I still think it sucks that they expelled him. But I am unable to logically see how he didn't break the rules.


I don't understand how using an external attack tool is grounds for anything. If Hamed could use it to search for exploits an attacker could have used it to search for exploits.

Especially if a student's information had been previously exposed and the attacker had access to everyone's personal information / passwords!

-- Edit : after reading his expulsion letter, it seems he supposedly injected SQL on both occasions. One imagines they strictly forbid him from doing so again. Sure, he probably should have asked for a sandbox system if he wanted to do ad hoc security research, but it is still quite a logical leap to actually expel him.

Either way, the solution should be to fix the security system and reward the whistleblower. In a few years, we are going to have millions of teenagers with the competence and ability to pull off what Hamed did. What then?
Obviously those youngsters are all criminals that ought to be put in jail. We shall implement a zero-tolerance policy, just like the copyright industry did. </sarcasm>

Nevertheless, I'm afraid they might do just that.

> but his explanation doesn't jive with his actions.

I think it's perfectly congruent. An entity has your data as well as information on many other people. You come across and report a vulnerability. You check that something was done about it. I see no holes in this (aside from the ones in Montreal college's security).

Just saying,

If he found the vulnerability without using Acunetix, why did he have to use Acunetix later to check whether the same vulnerability had been fixed or not?

Couldn't he re-check using the same way that he initially found the vulnerability?

Perhaps he was using a wider net to see if there were any other problems which, given the level of (in)competence displayed by the techs working for the college, was a distinct possibility.

Exactly. Which is the definition of unauthorized penetration testing.

It sounds like he's being screwed over by the vendor, who forced him to sign an NDA.

To be honest anyone using Acunetix isn't looking to hack into anything. It's an enterprise scanner that looks for general web app issues rather than something that's typically used to conduct actual attacks. You'd expect an actual attack to be conducted with a tool like Havij, Sqlmap, Burp or Zap proxy.

He did manage to slow the site down significantly, to the point of being unusable. Not surprising given the code quality of an app where replacing the student id in a url parameter gives you access to their file.

However the vendor offered him a job and a scholarship, so it seems like it's the university's over-reaction.
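The comment above describes an insecure direct object reference: the record returned depends only on the student id in the URL, with no check that the logged-in user owns it. The following is an added example written for this page, not code from the thread or from the college's system; the student store, account names and audit format are all constructed. It shows the vulnerable lookup beside a hardened one that enforces object-level authorization, and a small detection helper that flags a requester whose denied lookups walk through ids.

```python
"""Added example (not from the HN thread): an insecure direct object reference
(IDOR) of the kind the comment describes, where the record returned depends only
on a client-supplied id, beside the hardened lookup that checks the requester's
session against the record owner before returning it. All data and names are
constructed for the example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class StudentFile:
    student_id: str
    owner_account: str   # account allowed to view this file
    contents: str


# Constructed sample store: two students' files
STUDENT_FILES = {
    "1001": StudentFile("1001", "alice", "grades: A"),
    "1002": StudentFile("1002", "bob", "grades: B"),
}


class Forbidden(Exception):
    pass


def get_file_vulnerable(requester: str, student_id: str) -> str:
    """Authenticates the session but never checks ownership: any logged-in user
    who edits the id in the URL gets another student's file."""
    record = STUDENT_FILES.get(student_id)
    if record is None:
        raise KeyError(student_id)
    return record.contents


def get_file_hardened(requester: str, student_id: str, audit: list) -> str:
    """Object-level authorization: the record is returned only if the
    authenticated requester owns it. Denied attempts are appended to `audit`
    so an operator can spot enumeration of ids."""
    record = STUDENT_FILES.get(student_id)
    # Deny with the same message whether the id is missing or not owned, so the
    # response does not reveal which ids exist.
    if record is None or record.owner_account != requester:
        audit.append(f"denied requester={requester} student_id={student_id}")
        raise Forbidden("not authorized for this record")
    return record.contents


def count_enumeration(audit: list, threshold: int = 3) -> dict:
    """Count denied lookups per requester; a requester reaching `threshold`
    is flagged, which is the signal an id-walking request pattern produces."""
    counts = {}
    for line in audit:
        requester = line.split("requester=")[1].split()[0]
        counts[requester] = counts.get(requester, 0) + 1
    return {r: c for r, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    print(get_file_vulnerable("bob", "1001"))  # bob reads alice's file
    audit = []
    for sid in ("1001", "1002", "1003", "1004"):
        try:
            get_file_hardened("bob", sid, audit)
        except Forbidden:
            pass
    print(count_enumeration(audit))  # {'bob': 3}
```

The ownership check belongs next to the data access, not in a URL rewrite or a front-end control, because the id is attacker-controlled input however it is presented. Logging the denials is what turns an unauthorized scan into something an operator notices at the time rather than after the fact.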

As I said in my post, I don't believe his intent was malicious (which is what I assume you mean by "hack into").

But that doesn't make the scanner any less stressful or detrimental to the system.