Monday, November 22, 2010

good news and bad

If you're new, read the synopsis.

Good news: I've freed up quite a bit of time for myself, and over the next week or so, I should be putting together and (hopefully) publishing my website. I'll be hosting it personally for a while, but eventually, I'm hoping to move hosting to a dedicated line, possibly even an independent service provider.

That's good so that my customers will have a regular way to get in touch with me and a standard place to go to get updates all about me. I have a few more technical hurdles yet to overcome, but I'll get there.

Also in the good news category: the Ombudsman has completed their investigation, however the outcome does not bode well for me overall. I don't want to go into too much detail without documentation in front of me (which is in the mail right now), however, the overall summary of the Ombudsman's findings is essentially a summary of what happened here, complete with the excuses from the college, and the statement that the Ombudsman's office will be taking no further actions.

While I'm a little confused as to where to turn next, I think my next focus will be on certifications, not necessarily this.

Either way, I need to eventually move on with my own life, and while I have some decisions to make as to whether I want to pursue this further or not, I have to spend some time focusing on things that I NEED in order to be properly employable... Like my A+ certification... I've considered the A+ an almost give-away cert for a while, and really, all I need to do is write the test and I'll get the cert... I'm looking into how to do that now.

I'll update again when official word comes down, in writing from the ombudsman. At least they don't say "We'll inform you in writing within 5 days" and not get back to me for the better part of a month. They actually have not made any promises in terms of time line, and they've always come through with a result eventually.

Anyways, be well everyone.

Saturday, August 21, 2010

Good News

It's been a while since I can concretely say I've received GOOD NEWS about this issue. A friend from my previous employer had been linked over to this blog, I'm not sure how, but I'm glad he was. He's taken some interest and is helping me out. I thank him for any help he can give, both publicly and privately.

With my call with the ombudsman around the corner, everything regarding this matter seems to be ramping up. A situation which I can only consider to be good.

I've found a fairly good job in the IT field at this point and I'm fairly happy with it; because of this any bitterness or animosity that was left from this matter now only lies with the association I have with Mohawk specifically. If I can reach a resolution with them, as opposed to just ignoring the matter and taking a loss here, then I'll be satisfied with everything.

This blog, I'm sure, will continue to be up, and I'll keep it updated until I reach that point, however, after then, I'm sure I won't be updating it much. However, it will remain online to serve as an example to any future students facing similar challenges.

Good luck with whatever you're facing today.

Friday, July 23, 2010

Synopsis

After all the information I've put here, I've decided to do a synopsis of the events that transpired to try and keep things clear and concise; if you want the full story, you'll have to go back to the beginning of this blog and read the first half-dozen or so posts in order of posting. Additionally, I believe that posting a link to this Synopsis at the beginning of each and every future post on this blog will keep people from getting overly confused as to why this blog exists.

Events: Late 2008 - Mohawk College holds an online referendum vote which is found to have a major security flaw allowing users to vote multiple times.
Early 2009 - The College requests help from myself and others, even to the point of paying for our services to assist in closing the security holes mentioned above; a new voting system is created and used for Student Presidential elections.

November 2009 - Online Referendum vote held; system is found to be extremely similar to the initial system from 2008. After brief testing, I find that this system is nearly identical to the earlier system in almost every way. Finding this, I submit an email to the CIO of the college describing the problem, how and what I proved through the brief tests I ran, what effects the tests would have and what to remove as illegitimate data, a suggestion on how to change/improve the voting system and an offer of assistance with no mention of compensation for services (aka payment).

For the record, I was never searching to be paid for services, I merely wanted to help my school be the best it could be and clearly the voting system was not the best it could be. I was happy in knowing I was involved in that improvement, and required nothing more than that satisfaction and recognition.

Within a few weeks of informing the CIO of the flaw, I was talked to by my Dean, the CIO, Security and eventually suspended. I appealed the suspension due to the fact that I was unable to find where I was in violation of any rule (a stance I maintain to this day), and as a result of my appeal, my suspension was extended, despite, again, not being able to determine nor be told exactly how I violated which policy, just abstract descriptions of which policies were "broken".

I attempted contact with my Student's association, Legal and Government, and nothing, to this day, has been done. I remain suspended from Mohawk at least until September of this year.

On the technical side, I utilized a command-line scripting process, which can be reproduced in almost every operating system, where I used text-based Internet browsers to submit requests to specific URLs with specific data, in a massive way. Never did I attempt to mask my identity, nor did I intend or accomplish altering the outcome of the voting process. According to Mohawk's Policies, the ITSCC Definition of hacking is the willful misrepresentation of yourself or your computer for the purposes of either gaining access to which you are not otherwise entitled, or for the purposes of obtaining information to which you are not otherwise entitled (e.g., passwords). Therefore password hacking/cracking, or spoofing of system information, is a violation of the ITSCC policy; since I was not doing either of these activities, I was not in violation of any policy.

Additionally, the voting system was "secured" (I use the term loosely) by two variables. The first was a student ID which was easily able to be changed by manipulating the HTML code of the page; the second was cookie data that was transmitted for authentication of the session. As most sites do, Mohawk uses SSL to encrypt data transmission when submitting usernames and passwords; however, it does not use SSL in any other capacity, therefore, the authentication cookies are transmitted in plain text, every time you make an access to any server or service that requires you to be "logged in to mocomotion". With the Wireless at Mohawk using a Pre-Shared Key system for encryption, every person with access to that key is capable of decrypting everyone else's traffic using commonly available tools and a general understanding of the encryption. THEREFORE, anyone with this knowledge and publicly available tools could get the cookie data from anyone using Mocomotion on wireless, and therefore authenticate to the voting server using that data if so inclined.

The story gets worse from there, but the general point of the previous two paragraphs is to demonstrate that there are SEVERAL security failings that could allow anyone with the intention of altering the voting outcome to do so without being directly implicated as doing anything wrong. Also, the only way to NOT be suspended is to be breaking the rules to the point at which it would be nearly impossible for the faculty to actually narrow down who performed the attack by using cookie data other than that from your own session (which I did).
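For contrast with the two "variables" described above, here is a sketch of the server-side handling that closes those gaps. It is an added example, not Mohawk's code or anything from the original system: the `BallotBox` class, field names and vote choices are hypothetical, and it assumes the whole site (not just the login form) is served over HTTPS.

```python
import secrets
import sqlite3
from http.cookies import SimpleCookie

CHOICES = {"yes", "no"}  # hypothetical referendum options

class BallotBox:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        # PRIMARY KEY on student_id: the database itself refuses a second ballot.
        self.db.execute(
            "CREATE TABLE votes (student_id TEXT PRIMARY KEY, choice TEXT NOT NULL)")
        self.sessions = {}  # token -> student_id, kept on the server only

    def login(self, student_id):
        """Run after the password check (out of scope); returns a Set-Cookie value."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = student_id
        cookie = SimpleCookie()
        cookie["session"] = token
        cookie["session"]["secure"] = True    # never sent over plain HTTP
        cookie["session"]["httponly"] = True  # not readable by page scripts
        cookie["session"]["samesite"] = "Strict"
        cookie["session"]["path"] = "/"
        return cookie["session"].OutputString()

    def cast_vote(self, cookie_header, form):
        morsel = SimpleCookie(cookie_header).get("session")
        voter = self.sessions.get(morsel.value) if morsel else None
        if voter is None:
            return "rejected: not logged in"
        if form.get("choice") not in CHOICES:
            return "rejected: invalid choice"
        # form["student_id"] is deliberately ignored: the voter's identity
        # comes from the server-side session, never from the submitted page.
        try:
            with self.db:
                self.db.execute("INSERT INTO votes VALUES (?, ?)",
                                (voter, form["choice"]))
        except sqlite3.IntegrityError:
            return "rejected: already voted"
        return "accepted"

    def tally(self):
        return dict(self.db.execute(
            "SELECT choice, COUNT(*) FROM votes GROUP BY choice"))
```

The `Secure` attribute only protects the cookie if every page that needs the session is reachable over HTTPS alone; a site that falls back to plain HTTP after login would still need that changed.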

Long story short, I discovered, and proved there was a problem, offered to help, and got suspended. None of those that I would have expected to be obligated or have any interest in helping me did so, and overall everyone who may have any capability of helping is keeping distance from the situation.

Tuesday, July 6, 2010

Mohawk IT - Current state of affairs.

Well, it seems that Mohawk's IT department is still on life-support.

Another Mohawk College student who I now work with, who will also remain nameless, had a difficult time the other day when attempting to pay his Mohawk tuition fees online, therefore "skipping the lines" (as the website says), only to be faced with a MySQL error, and having to do the process again, first, ensuring his tuition is paid correctly, and second, to be charged double what he was supposed to be.

Honestly, if you know of nothing else, it's very obvious by even this isolated event, that the IT department at Mohawk is on life-support AT BEST. Clearly their web developers are focused on completely the wrong things, if something as important as having a STABLE AND SECURE PAYMENT SYSTEM isn't upheld.

Of course, you don't have to take my word for it.

Wednesday, June 23, 2010

Quick Update

I've been thinking about doing a video for quite some time, but I keep thinking about what to say, and the words that come out never seem to be the right ones... I'll have to start a script so that I can organize everything in a way that is correct.

I also thought it would be a good idea to get word out to my local MPs about the issue, one has responded and I appreciate that, though, I almost expect to be let down yet again. Honestly, that which happened to me, is, in my opinion, completely wrong, and I would certainly HATE to see it ever happen again, not to me, not to anyone.

Keep fighting.

Confused? Go back to the first post

Friday, June 4, 2010

Going back?

I just wanted to mention that, the other day, I received a letter from Mohawk for tuition fees for September, as I'm sure most students did.

I suppose they're expecting me to return to finish my last semester there. I somehow doubt they'll be getting a payment.

Saturday, May 15, 2010

Denial

Well, for a while now I've been rethinking my position in regards to higher education.

I normally wouldn't put this here if it weren't for recent events. The story goes that I've been considering switching from college to university, which university, I won't say; why, should be obvious by now. When? September, and for what? Well, it's still IT, but I don't want to get into course specifics... again, not the focus of the story.

I applied, as all university students do, through the OUAC website (ouac.on.ca), which is the Ontario Universities Application Centre. If you've ever applied to college or university, it shouldn't be surprising for me to say that, when you fill out your online application, you can request transcripts through the website. You request them once, they're sent to OUAC, and the people at OUAC redistribute them to all the universities you applied to. I believe the college application system here works very similarly; though I haven't used that system in a while, so it may have changed.

I did this many weeks ago, and I wouldn't even explain all this to you except for the letter I received in the past week from the OUAC. The letter kindly explained that for some reason (which they did not define, nor specify; it seems to me they may not know why), my transcript was not being released by Mohawk. The letter then went on to say that I should get into contact with the college's transcript clerk, in the office of the registrar, to clear up the problem. After I have resolved the issue, the letter went on to read that, it is not necessary for me to contact them, as the institution will automatically send the transcript(s).

After everything I've gone through with Mohawk, I don't think I have to wonder what the hold-up is.

On a lighter note, from what I've heard, I requested a transcript shortly prior to sending in my OUAC application, so I would have one in-hand, specifically if this were to happen, and from what I've heard, it's sitting on someone's desk, waiting for me. I haven't had the chance to go out and pick it up yet, since I've been having some troubles with my car; however, with the car up and running again, I'll have to make arrangements to pick that up in the upcoming week. Perhaps the institutions I have applied to will accept my transcript being brought in by hand.

Regardless. I will keep this blog updated when I find out WHY the transcript was withheld, until then, I can only assume the worst.

Until then, it seems like I'm denied from being able to move on from Mohawk. Here's hoping for a swift and positive outcome to this situation.