Professor 'Packetslinger' Assigns Questionable Task 411
mrowton writes "A professor at an undisclosed university recently assigned a practical for his computer-security class. The practical, which is worth 15 percent of the students final grade, requires students to perform reconnaissance on an internet server using tools available in the public domain. While the university is allowing the practical to continue it has also stated that the techniques should not be performed on their own web servers. If students are caught performing any scans against university computers then it would prompt: "Disabling their student account and referring them to the Student Dean of Corrections." The assignment was enough for SANS to dub him 'Professor Packetslinger of the School of Loose Screws.'"
Is scanning a network illegal? (Score:3, Interesting)
Sand box? (Score:2, Interesting)
Lemme get this straight (Score:4, Interesting)
He's not supplying his own honeypot servers, and didn't get the University to allow use of campus servers either? I'd think he could sell it to the IT group as a hardening exercise, since students would have to do full disclosure to get credit anyway.
Yup, just goes to show you that "smart" and "fool" aren't antonyms.
Re:Sand box? (Score:5, Interesting)
Might not be illegal but it's bad form (Score:4, Interesting)
Just like with your house, while it might not technically be illegal for you to sit on public land and case my house out like you are going to break in to it, you can bet I'll object if you try.
When did portscanning become illegal? (Score:3, Interesting)
SANS seems to take it for granted that portscanning is illegal and immoral. However, I can't find anything on Google, and of course, IANAL. Is there any case precedent in the United States for the illegality of portscanning?
I would hazard a guess that it is not illegal. It is the equivalent of looking at a house from a public vantage point to see if any windows are open. Although such an action is suspicious (the person may next try to get in through a window), it certainly isn't illegal, at least in the United States. SANS seems to be overreacting.
The same thing happened at my University (Score:5, Interesting)
The assignments were some of the most practical security assignments you could imagine. For one assignment, he gave us the location of a target machine, and told us to "break in and find something that would make people a lot of money". The trick was to scan it with Nmap across an obscene number of ports (he was running a compromised telnet server on some really high port - like 11,000), telnet in, and look through the files to find a fictitious email about a stock buyout. ("But make sure not to scan any machines besides the target machine!") In another one, we telnetted into a mail server he set up, and emailed the TA with a faked 'from' address. "If it looks fake, you lose points", so you had to make damn sure to get all the fields looking immaculate. Another assignment was he gave us an XOR encrypted message, and we had to crack it. (The trick was to look for large areas with spaces, which gave away the key)
It was, all in all, a great class. Just one problem - the IT people *hated* the class. He told us he got a complaint during the Nmap assignment that it had been used to run 150,000 scans on campus machines. The computer science department adamantly defended the assignments, as important learning tools. It's an important issue of academic freedom, and (last I had heard) the CS department's concerns trumped IT's complaint.
Re:Is scanning a network illegal? (Score:3, Interesting)
My point here is this; he did not assign any illegal activity from what I saw in the article. If someone could point me to where the actual assignment is written down, I might see something there, however all I saw was the ramblings of a paranoid person who has no clue as to what is and is not legal. If port scans and vulnerability scans truly are illegal, I have felons banging on my ports all day long.
honeynet (Score:1, Interesting)
Amazing! The prof should be fired! (Score:3, Interesting)
I strongly believe that the professor should be fired. The students should be told to NOT go forward with the assignment. And the name of the professor and university should be released so that such unethical or thoughtless behaviour by the professor and double-standard thinking by the school can be revealed and acted upon.
I can't believe the school would come back and say that the professor would not be reprimanded, that the assignment can go forward, but not to scan their own computer networks. This implies that the school admins know that it is a security issue and questionable behaviour, but is allowing it to go forward on the internet. Complete and utter retarded and *ss backwards thinking and reasoning.
For some companies I've worked at, a scan is reason enough to ban your IP, if not your IP address block. Performing a scan is grounds for dismissal, if not initiation of criminal charges of misuse of the business systems. This was the case at my old university. Misuse of school systems resulted in dismissal and/or legal proceedings.
The correct and responsible means of testing would have been to setup a training network. Obviously, there is a complete lack of responsible planning on the part of the professor and the school. Or perhaps a lack of understanding of what they are setting up their students and themselves up for.
The student who brought this up REALLY needs to bring this to the attention of his/her fellow students and prevent them from getting into trouble with businesses and the authorities.
Just because your superiors tell you to do it, doesn't mean it's okay to do it.
I think I may have had this assignment. (Score:3, Interesting)
One telltale phrase that hit a nerve with me was something that I remember nearly verbatim: "using tools available in the public domain." The examples he gave were essentially tools like traceroute, ping, etc.
Nobody in the class thought there was anything questionable about this, let alone illegal.