Apparently, hackers have difficulty resisting temptation.
Recently, at Dawson College in Montreal, 20-year-old student Ahmed Al-Khabaz was expelled for exposing a security flaw in his school’s administrative websites that could reveal the personal data of 250,000 students across Quebec. Initially, Al-Khabaz reported the hole in the coding to the administration, but after waiting a week he decided to run a test to see if he could still exploit the security flaw. This landed Al-Khabaz in hot water and led to his eventual expulsion from the computer sciences program at Dawson.
Al-Khabaz’s actions are very similar to those of Western’s own notorious hacker Keith Horwood, who accessed the University Students’ Council’s online vote last year and changed the selections in an attempt at humour, to prove it was susceptible to hacking. Both Al-Khabaz and Horwood claim to be ‘white-hat hackers’—meaning they only hack to point out security flaws, rather than the ‘black-hat’ variety, who hack for personal gain. However, is there really such a thing as a helpful hack?
Picture it like this. You know how to pick easy-to-open locks. You see that a local convenience store has such a lock, so you decide to tell them about it so they can fix it. Then, a week later, you go back to the store in the middle of the night and break in just because you can. In a digital sense, this is exactly what Al-Khabaz did. In Horwood’s case, he simply broke in and vandalized the place. This is not justifiable. You wouldn’t be considered a ‘white-hat trespasser,’ and nor should Al-Khabaz be excused as a white-hat hacker.
Realistically, it comes down to ego. Whether or not good intentions were a factor behind Al-Khabaz’s decision to hack his school’s information, it seems to me that to go back later and do it again was merely a validation of his own skills. Common sense would dictate ‘leave well-enough alone,’ but Al-Khabaz ignored this and was punished with expulsion.
Unfortunately, this type of behaviour is being reinforced. While Al-Khabaz was expelled by his school, he quickly received a job offer from the very company whose software he exploited. Similarly, Horwood used the publicity he gained from his hacking and his subsequent trial to launch a social media platform. It seems ridiculous to imagine that if you broke into the local convenience store, they would give you a job there. Yet, this is exactly what is being afforded to these digital criminals, encouraging others to engage in similar reprehensible conduct.
The University had every right to punish Al-Khabaz for his repeated attempt to hack the system. Had he been more malicious, he could have accessed the personal data of a quarter-million students, and dissuading others from attempting such a feat is absolutely necessary. Labelling oneself a digital vigilante doesn’t excuse the undisputed criminal nature of hacking. And rewarding this negative behaviour with employment opportunities is encouraging individuals to imitate it. Call it ‘black-hat’ or ‘white-hat,’ hacking still hurts.