| Recurring |
one_organization |
(a) The software failure incident related to the expulsion of the college student, Hamed Al-Khabaz, at Dawson College in Montreal due to his investigation of a security vulnerability in the Omnivox system provided by Skytech Communications. The incident involved the student discovering a flaw that could expose the personal data of over 250,000 students, including social insurance numbers. The student was initially praised for his discovery but was later expelled from the computer science program for "serious professional conduct" after using a web-scanning tool to verify if the flaw had been fixed [16160].
(b) The incident involving the security vulnerability in the Omnivox system provided by Skytech Communications at Dawson College in Montreal did not specifically mention similar incidents happening at other organizations or with their products and services. Therefore, there is no information provided in the articles about similar incidents occurring at multiple organizations. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident in the article can be attributed to the design phase. The incident occurred when a college student discovered a security vulnerability in the Omnivox system provided by Skytech Communications, which could have exposed the personal data of over 250,000 students [16160]. The flaw in the system allowed anyone to query and obtain sensitive information such as social insurance numbers, home addresses, phone numbers, and class schedules of students. The student initially reported the vulnerability to the college and was praised for the discovery. However, when he used a web-scanning tool to verify if the flaw had been fixed, he was accused of conducting a cyberattack and was expelled from the computer science program for "serious professional conduct" [16160].
(b) The software failure incident can also be linked to the operation phase. After discovering the vulnerability, the student used a web-scanning tool without permission to check if the flaw had been addressed. This action was considered unauthorized operation of the system, leading to his expulsion from the college's computer science program [16160]. The college officials stated that the student had been warned to cease and desist but failed to do so, resulting in the decision to expel him. This aspect of the incident highlights the role of unauthorized operation or misuse of the system in the failure. |
| Boundary (Internal/External) |
within_system |
(a) within_system: The software failure incident involving the college student being expelled was primarily due to factors originating from within the system. The student, Hamed Al-Khabaz, discovered a security vulnerability within the Omnivox system provided by Skytech Communications, which exposed personal data of students [16160]. The incident escalated when Al-Khabaz used a web-scanning tool, Acunetix, to verify if the flaw had been fixed without proper authorization, leading to his expulsion from the computer science program [16160]. The college cited his actions as "serious professional conduct" and a violation of the school's IT policy [16160].
(b) outside_system: There is no clear indication in the articles that the software failure incident was primarily due to factors originating from outside the system. The main focus of the incident was on the actions of the student, the college's response, and the subsequent repercussions faced by the student [16160]. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in this case was primarily due to non-human actions. The vulnerability in the Omnivox system, which exposed the personal data of over 250,000 students, was discovered by the student Hamed Al-Khabaz and his colleague while working on a mobile application. The flaw allowed anyone to query the system and obtain sensitive information without any malicious intent on the part of the students [16160].
(b) Human actions also played a role in this software failure incident. After discovering the vulnerability, Al-Khabaz used a web-scanning tool called Acunetix to verify if the flaw had been fixed. This action led to him being accused of conducting a cyberattack by the president of Skytech, who pressured him to sign a non-disclosure agreement. Additionally, the college's decision to expel Al-Khabaz was based on his use of the Acunetix tool without permission, which violated the school's IT policy [16160]. |
| Dimension (Hardware/Software) |
software |
(a) The software failure incident in Article 16160 was not due to hardware issues but rather due to contributing factors that originated in software. The incident involved a security vulnerability in the Omnivox system provided by Skytech Communications, which allowed unauthorized access to personal data of students [16160]. The failure was related to a flaw in the software system that exposed sensitive information, leading to the expulsion of the student who discovered the vulnerability. The incident was primarily a software-related issue rather than a hardware-related one. |
| Objective (Malicious/Non-malicious) |
non-malicious |
(a) The software failure incident in this case was non-malicious. The college student, Hamed Al-Khabaz, discovered a security vulnerability in the Omnivox system provided by Skytech Communications, which could have exposed the personal data of over 250,000 students. He reported the flaw to the college and helped in fixing it. However, he used a web-scanning tool, Acunetix, without permission to verify if the flaw had been fixed, which led to his expulsion from the computer science program [16160]. The president of Skytech acknowledged that there was no malicious intent on Al-Khabaz's part, stating that he simply made a mistake by using the tool without permission [16160]. |
| Intent (Poor/Accidental Decisions) |
accidental_decisions |
(a) The intent of the software failure incident:
- The incident involving the college student, Hamed Al-Khabaz, can be categorized under accidental_decisions. Al-Khabaz discovered a security vulnerability in the Omnivox system and reported it to the college and the system provider with the intention of helping to fix the flaw. However, he used a web-scanning tool without permission to verify if the flaw had been fixed, which led to his expulsion [16160]. |
| Capability (Incompetence/Accidental) |
accidental |
(a) The software failure incident in this case does not seem to be related to development incompetence. The college student, Hamed Al-Khabaz, discovered a security vulnerability in the system provided by Skytech Communications and reported it to the college for fixing. However, he was expelled for using a web-scanning tool without permission to verify if the flaw had been fixed, which was considered a serious professional conduct violation by the college [16160].
(b) The software failure incident can be attributed to accidental factors. Hamed Al-Khabaz used the web-scanning tool Acunetix to check if the security flaw he discovered had been fixed, which led to his expulsion from the college. The president of Skytech Communications mentioned that Al-Khabaz's use of the tool without permission was a mistake and not driven by malicious intent. The incident escalated due to misunderstandings and actions taken without proper authorization, leading to unintended consequences [16160]. |
| Duration |
temporary |
The software failure incident reported in the article was temporary. The incident occurred when the college student, Hamed Al-Khabaz, discovered a security vulnerability in the Omnivox system provided by Skytech Communications. This vulnerability could have exposed the personal data of over 250,000 students, including social insurance numbers. Al-Khabaz initially reported the flaw to the college and Skytech, and they were working on fixing the problem immediately. However, the incident escalated when Al-Khabaz used a web-scanning tool to verify if the flaw had been fixed, leading to his expulsion from the computer science program [16160]. |
| Behaviour |
other |
(a) crash: The software failure incident in the article does not involve a crash where the system loses state and does not perform any of its intended functions. The incident revolves around a security vulnerability in the system that could expose personal data, leading to the expulsion of a student who discovered the flaw [16160].
(b) omission: The software failure incident does not involve omission where the system omits to perform its intended functions at an instance(s). Instead, it focuses on the discovery of a vulnerability that could potentially expose sensitive student data [16160].
(c) timing: The software failure incident does not relate to timing issues where the system performs its intended functions correctly but too late or too early. The incident primarily concerns the discovery and subsequent handling of a security vulnerability in the system [16160].
(d) value: The software failure incident does not involve a failure due to the system performing its intended functions incorrectly. The issue at hand is the exposure of personal data due to a security vulnerability [16160].
(e) byzantine: The software failure incident does not exhibit a byzantine behavior where the system behaves erroneously with inconsistent responses and interactions. The incident mainly revolves around the actions taken after the discovery of a security vulnerability in the system [16160].
(f) other: The behavior of the software failure incident can be categorized as a security vulnerability leading to potential data exposure and subsequent actions taken by the involved parties, including the expulsion of the student who discovered the flaw and the responses from the college and the company responsible for the system [16160]. |