This story has been updated with additional information from Dawson College

A 20-year-old Canadian computer science student has become, depending on your point of view, a martyr for computer security or a cautionary tale for students and others who take an interest in exposing security flaws in software products. While Ahmed Al-Khabaz said he felt he had a "moral duty" to probe the security of a student information system used by over 250,000 students, the school's administration said his acts were a "serious professional conduct issue" and expelled him. Now, fellow students are demanding his reinstatement, and the college and its software provider are facing a publicity and security backlash.

Al-Khabaz and another student reported finding a security flaw in the mobile application for Omnivox, a Web-based software package developed by Montreal-based Skytech Communications that is used by students to access and manage their personal information and college services—including their Social Insurance numbers, the Canadian equivalent of US Social Security numbers.

Omnivox is used widely by Quebec's general and vocational colleges. Al-Khabaz told the National Post that the software had "sloppy coding" that allowed anyone "with basic knowledge of computers to gain access to the personal information of any student"—including virtually all of the personal data the college had collected on them. Al-Khabaz and fellow student Ovidiu Mija found the flaw by running Acunetix, a website security scanning tool.

When Al-Khabaz and Mija reported the problem to the school's director of Information Services and Technology, Al-Khabaz claimed they were initially congratulated for finding the flaw and were told it would be fixed immediately. But it was Al-Khabaz's next step that landed him in trouble with the school. Two days later, he decided to check whether the flaw had indeed been fixed by running the scanning software again.

Acunetix provides a free trial download of its software for checking against cross-site scripting (XSS) attacks; the complete tool can perform deeper vulnerability scans against websites. Both, however, are intended primarily for use during off-line software testing, and not on live sites. In its full version, Acunetix crawls the entire target site, checking for vulnerabilities and documenting error messages for signs of potential attack paths.

Al-Khabaz told the National Post that moments after he ran the scan, Skytech's president Edouard Taza called him on his home phone, telling him it was the second time that the company had seen his activities in their log files, and that what he was doing was considered a cyber-attack. Al-Khabaz claimed that Taza threatened prosecution if he did not meet with him and sign a nondisclosure agreement. Taza confirmed the conversation to the Post but denied he made threats; Skytech executives did not respond to Ars' request for comments.

The use of the scanning software against an active site, even in its limited trial form, is at best a mistake, said Acunetix Director of Sales Chris Martin in an interview with Ars. "We go to great lengths to stress to users not to use Acunetix WVS on live websites, but on offline copies of those Web application setups to avoid these situations," he told us. "This is clearly stated in our manual as well as in prominent guideline advisories on our website."

While Skytech saw the probe by Al-Khabaz as the mistake of an overeager student, Dawson College administrators decided to take disciplinary action. After he was interviewed by the dean of Dawson and his Computer Science program coordinator, the details were brought to a meeting of 15 professors in the school's Computer Science department. By a 14-to-1 vote, they moved to expel him.

That move was denounced by the Dawson Student Union as an attempt to sweep the security problems under the rug. In a statement, the Student Union's officers said, "Though he offered to assist Skytech to fix malfunctions that could lead to the theft (of student information), Al-Khabaz’s goodwill was rejected and he was instead greeted with increased hostility, character accusations and legal threats." And an online petition drive, called HamedHelped, is underway to have Al-Khabaz (also known as Hamed) reinstated at Dawson.

But the college, through its Facebook page, denied that the expulsion was motivated by a desire to conceal the risk to students' data. "We’re in the delicate position of trying to respond to every claim and accusation without breaking the law that forbids us from discussing your personal student files with the media or anyone else, for that matter," the Dawson College statement read. "We cannot violate the privacy of our students, even when they go public with their version of what happened."

In a statement posted to the college's website, the school implied that Al-Khabaz had been previously warned off his actions, and despite that warning went back again and ran the site scanner. "The reasons cited in the National Post article for which the student was expelled are inaccurate," the college administration's statement read. "The process which leads to expulsion includes a step in which a student is issued an advisory to cease and desist the activities for which he or she is being sanctioned, particularly in the area of professional code of conduct. Conditions for remaining in the College on good terms are clearly explained in person to the student."

One of Al-Khabaz's former instructors went further, writing a letter to the Montreal Gazette on the matter, mocking the media for painting an unfair picture of the college's actions. "I can tell you that our Computer Science program, like virtually all professional programs, has a professional conduct policy that lays out expectations that our students must meet, in addition to purely academic requirements," wrote Alex Simonelis, a member of the faculty of Dawson College's Computer Science Department.

"The media need to fill in some blanks in their accounts," Simonelis continued. "Exactly how did the student “stumble upon” the flaw? Was it by running intrusion tests against Skytech’s website? If so, did he have Skytech’s permission to do so, given that it is unacceptable to do so otherwise? Was the student given a cease-and-desist warning regarding such actions by our college’s administration? After informing our college of the flaws, and being invited to demonstrate them at the college on a specific date, did the student sign an agreement not to run further intrusion tests against Skytech? Did the student run such an intrusion test again, after the warning/signing? Did the student have a hearing with our department chair and dean? I believe I know the answers to those questions, but I could be wrong, and so would really appreciate any correction the media provide."

Skytech has responded to the backlash by trying to reach out to Al-Khabaz and help him continue his studies. On January 21, Taza told the CBC that he was offering Al-Khabaz a part-time job and a scholarship to continue pursuing his degree at a private college. Apparently, news of that offer didn't calm the backlash—for much of Monday, Skytech's website and the site of Dawson College were both unreachable, apparently due to a denial of service attack. Both sites are now back online.