A Montreal computer science student accessed, without authorization, an IT system to check if a software vulnerability he discovered had been remedied. This case raises the question: When, if ever, is such unauthorized action justified?
There's no clear-cut answer, at least to a number of IT security practitioners and thought-leaders queried by Information Security Media Group about the case of Ahmed Al-Khabaz, a 20-year-old Dawson College student. For the most part, the experts don't like the idea of people accessing systems without consent, but some believe conditions exist when such action could be deemed appropriate.
"Generally the answer is no," says Dan Lohrmann, chief security officer for Michigan's state government. "However, if there is an emergency, with no way to get authorization, and life and death is at stake, it could possibly be appropriate on a very rare exception. If this was done, authorities should be contacted ASAP."
But well-regarded information security technologist and author Bruce Schneier sees a justification for Al-Khabaz's deed. "'Is it ever' [appropriate to access without permission] is a huge qualifier, so without even thinking I will say yes," Schneier says. "In this case, I think [it's] perfectly reasonable for the person who disclosed the flaw to check on the fix. Why not? He knows the flaw, and he's curious."
Seeing If Sloppy Coding Was Fixed
The facts of the case, derived from reports from the Canadian newspaper National Post, are that Al-Khabaz discovered a flaw caused by sloppy coding of software known as Omnivox that exposed personal information of more than 250,000 students in a computer system used by most of Quebec's general and vocational colleges.
After notifying his college - and being congratulated for discovering the flaw - Al-Khabaz ran the software program Acunetix, designed to test website vulnerabilities, to see if the application, running on the computers of a hosting company called Skytech Communications, was fixed. Skytech immediately noticed that Al-Khabaz accessed the system, and eventually notified Dawson College. The computer science faculty overwhelmingly voted to expel Al-Khabaz.
In the United States, laws governing computer access can be found in the Computer Fraud and Abuse Act. Other Western nations, including Canada, have similar laws. "Whereas the intent of the CFAA is to criminalize any unauthorized access of an Internet device, it results in criminals cloaking their illegal hacking and white hats facing criminal risk for their well-intended activity," explains Doug DePeppe, a lawyer specializing in cyberrisk. "Under the CFAA, the hacker's intent is irrelevant. Mere unauthorized access violates U.S. federal law."
None of experts interviewed had firsthand knowledge of the Al-Khabaz incident, but they offered their professional insight into the larger questions of when such an intrusion could be justified and whether the punishment meted out by the college was appropriate.
Former U.S. Interior Department Chief Information Officer Hord Tipton, executive director of the certification organization (ISC)², characterizes Al-Khabaz's action as a "gray-hat" intrusion, not like white-hat ones, in which systems penetrations have the blessings of its owners, or black-hat attacks, in which the hacker intends to cause harm.
"There are varied opinions as to the legitimacy of gray-hat activities," Tipton says. "Complex systems are too easily broken by pen testing, which to me makes the rules of engagement requirement a reasonable solution."
Awareness of a Slippery Slope
Michigan's Lohrmann says accessing systems in these types of cases must be very rare. "This could become a very slippery slope," he says. "If someone can access computers without authorization on a routine basis, the entire discipline of an organization will be called into question. Think of military orders and how they should be obeyed: with very rare exceptions, per the military code of conduct."
But even if actions such as those taken by Al-Khabaz can be justified, they could prove disruptive.
"Other than it may be illegal, it is not appropriate to access computers to 'test' security unless authorized," says Robert Bigman, who retired in 2012 after serving 15 years as chief information security officer at the Central Intelligence Agency. "Keep in mind that, other than external configuration testing, such tests usually involve using a hack to access the system to run the test. This can cause all sorts of application and system management errors leading to service unavailability, needless alerting of security operations staff and costly recoding."
Greg Garcia, a cybersecurity consultant who once served as Homeland Security assistant secretary for cybersecurity and communications, says such hackers must accept the consequences when they take the law in their own hands. "Even if a web host or software provider could be accused of negligence for not fixing a problem, white-hat hackers are in greater peril for these kinds of freelance operations, given the heightened global sensitivity about cybersecurity," says Garcia, who serves on the U.S. federal government's Information Security and Privacy Advisory Board. "He did his job and then could have agitated for official follow-up, which might have resulted in a better outcome for everyone."
Purdue University Computer Science Professor Gene Spafford says such unauthorized access could be fitting, "especially if it is software you, yourself, are required to use - you want to know your exposure. However, it is a dangerous practice and it is important to understand the consequences and limitations."
The college should have used the incident "as a teaching moment to present the students with a lesson on responsible reporting of flaws, and the liability of testing for flaws without authorization," says Spafford, who also serves as executive director of Purdue's Center for Education and Research in Information Assurance and Security.
Dawson College, citing Quebec privacy laws, wouldn't address specific in the case, but in a statement said Al-Khabaz was issued an advisory to cease and desist the activities for which he was being sanctioned. "In order to continue in the program, a student is expected to exhibit behavior appropriate to the profession," the college says. "Appropriate behavior must be displayed in all activities associated with the program, in classrooms, labs, during the internship, in relations with fellow students, staff, faculty, employers and clients."
If the news accounts reflect reality, most of the interviewed experts say expulsion was too severe of a penalty.
"The punishment is idiotic," Schneier says. "He was one of the good guys. ... Certainly in legal systems dating back through the Romans, motivation is a factor in determining guilt and punishment. The difference between murder and manslaughter, for example, is entirely about motivation."
Tipton says he understands the student's frustration that motivated him to access the system without permission. "The severity of the punishment should have been balanced against the intent, and the degree of damage done or not done," he says. "How deeply were the systems exploited, and was privacy actually compromised?
Determining a Fitting Penalty
What would have been an appropriate punishment?
Daniel Mintz faced a similar situation when he served as the CIO at the U.S. Department of Transportation. Then, an employee's daughter loaded peer-to-peer software on a home computer that allowed an enterprising reporter to access DOT information and write a story that didn't please members of Congress. "There were people within the department who encouraged me to terminate the employee, or at least punish him fairly severely, neither of which I did," says Mintz, who runs ESEM Consulting. "Instead, I used it as an example to provide some lessons learned for the DOT staff in general, gave the employee a warning, and had them attend some additional classes relating to information protection. If there had been a pattern of such behavior, I might have made a different decision; but in my judgment this was a very strong employee who made a mistake."
DePeppe says the college could have taken a similar tact. "While not a perfect example, I would point to the '60s and '70s and sit-in demonstrations," says the lawyer who has written about the role of academia in reshaping society's understanding of the Internet era. "It took time for academic institutions to fully appreciate that this First Amendment demonstration was actually a movement about injustices in society. There was deeper significance to the civil demonstrations. In this case, the school would do more for the benefit of society to tout the student's underlying good, and push for greater dialogue and study of how the Internet is changing society, and what the proper role of the criminal law should be."
How would such an incident affect the ability of some like Al-Khabaz from getting a job in cybersecurity?
Al-Khabaz received an offer from Skytech, the company that operates the Omnivox software, that included a part-time job and scholarship, according to another National Post article.
Would a blemish like this on what otherwise would be a perfect record prevent such a skilled IT security practitioner from being hired by the CIA, for instance? Former CIA CISO Bigman answers: "Good question. In this case, I think not. His motivations were entirely positive, and it does not demonstrate anti-social behavior."