Hacker News new | ask | show | jobs
by mrtron 4897 days ago
Translation:

On Sept 21st our site was vulnerable to a simple SQL injection attack. On Sept 22nd you documented this information for us.

On Oct 26th our site was STILL vulnerable to a simple SQL injection attack. On Oct 29th you again documented this information for us.

On Nov 12th we expelled you for our discovering our abysmal security.
2 comments
anonymouz 4897 days ago
I advice everyone to read the original expulsion letter. It is just one page, and the parent's post completely (and I must assume intentionally) twists the facts as mentioned in the letter to make the student look better.

In particular the letter claims that the student has in fact attempted to exploit the SQL injection to gain unauthorized access, and that both notifications to the IT department were made after they detected him and blocked his account.

link
noibl 4897 days ago
Actually the letter says nothing about detection and all other sources[1][2] about this matter agree that the 'detection' took the form of a voluntary disclosure, which was rewarded with an NDA demand under threat of arrest.

So it seems you are the one twisting the facts for reasons unknown.

---

[1] "Al-Khabaz immediately alerted the head of information technology for the school about the breach in the Omnivox software used by the college. At first he was thanked for the discovery." -- http://www.thestar.com/news/article/1318163--montreal-studen...

[2] "they discovered that by exchanging other student numbers in the encrypted links, they could easily obtain information such as the social insurance numbers, home addresses and phone numbers of more than 250,000 students. Al-Khabaz said he informed the school’s head of information technology immediately after discovering the vulnerability in the school’s Omnivox software and was congratulated for the discovery." -- http://www.cbc.ca/m/rich/canada/story/2013/01/21/montreal-da...

link
anonymouz 4897 days ago
Read point 2: "On September 21, the IT Policy was applied and your network and portal accesses were suspended."

Read point 3: "On September 22, you admitted to these attacks in writing."

Compare the dates. According to the letter, his disclosure came after the account was suspended. Implying that they did detect the attack before he admitted to it.

link
noibl 4897 days ago
An admission in writing is not the same thing as a disclosure.

You're using uncorroborated dates in a document that's clearly worded to paint the student in the worst light possible to infer a 'detection' which it doesn't mention and for which there is no evidence. You're then sharing your inference as documented fact. That's a smear.

link
anonymouz 4897 days ago
I was merely communicating the content of the letter. Whether its claim or the contradicting ones of the student are true, I don't know. What I do know is that mrtron's "translation" of the letter conveniently leaves out the actual exploitation of the SQL injection and the blocking of the account that are claimed to have happened in the letter, and is therefore completely unfit as a summary of the letter.
link
noibl 4897 days ago
Sorry but that's bullshit. What you've said is that the guy simply got caught and therefore this was not a case of responsible disclosure.

The letter doesn't say that. No other sources say that. You're the only one saying that.

link
hso9791 4897 days ago
What kind of IT Policy was applied? Was this automatic, did they detect the event before he alerted them, or did they do this after he had disclosed the vulnerability?

The first application of the IT Policy is the interesting one here, as it lays the foundation for - or undermines Hamed's case as a white hat.

link