Professor 'Packetslinger' Assigns Questionable Task 411
mrowton writes "A professor at an undisclosed university recently assigned a practical for his computer-security class. The practical, which is worth 15 percent of the students final grade, requires students to perform reconnaissance on an internet server using tools available in the public domain. While the university is allowing the practical to continue it has also stated that the techniques should not be performed on their own web servers. If students are caught performing any scans against university computers then it would prompt: "Disabling their student account and referring them to the Student Dean of Corrections." The assignment was enough for SANS to dub him 'Professor Packetslinger of the School of Loose Screws.'"
Whistle Blower (Score:2)
I wonder if that paper will attract more students because of the assignment. Guys, whatever you do, just don't TK.
In related news... (Score:5, Funny)
Re:Whistle Blower (Score:2)
Re:Whistle Blower (Score:2)
Thanks for playing.
That disclaimer isn't enough. (Score:4, Insightful)
I don't care if you're talented. You have no idea how a scan is going to affect whatever applications I have running off of that pipe. What may not break one network may most certainly break another. You, with all your talent, can still make a mistake. I've had it happen to me and the reason why I was able to quickly recover was because I KNEW I WAS BEING SCANNED BEFOREHAND! Vendor comes in and says "Oh, this is going to be harmless." and surprise one little Nessus scan brings down half the unix farm until I unplug the laptop. If I really want you pen-testing my network then I'll bring you in as an intern. That way I know about and accept the risk I want to take instead of the unknown.
You make this bold, sweeping statement about security through obscurity but reread your quote. "You may" not "You will" The students do not have to turn in their work to the company they scanned so there is no way for that organization to take those findings and improve their system. If this was some big noble cause why didn't the prof contact some local businesses and have them agree to a pen-test in return for a report? The fact that the administration reserves the right to discipline any student that uses this assignment to scan the school's network speaks volumes. Your comment about admins who oppose this are ones who routinely port scan the school's network is a fallacy on so many levels that I simply chose to ignore it.
I don't care if the prof is going to cash his Nobel check and give the money to the starving poor in Africa. The assignment was ill conceived from the start. It wasn't professional or academic and there were viable alternatives other than going out into the wild and poking around people's perimeters without permission. What? Haven't heard of a test lab?
Absolutely nothing in your post has dissuaded me from the opinion that this entire issue was just plain dumb.
Is scanning a network illegal? (Score:3, Interesting)
Re:Is scanning a network illegal? (Score:2, Informative)
Re:Is scanning a network illegal? (Score:2)
Re:Is scanning a network illegal? (Score:2)
Want to know what's funny? I can break into your house with perfectly legal tools.
Just because the tools are publicly available and have a non-illegal use, doesn't mean you can use them.
Re:Is scanning a network illegal? (Score:2)
Re:Is scanning a network illegal? (Score:2)
My point is that all of the information requested in the assignment is public information that ALL computers running webservers broadcast. Most browsers hide it, but the operating system of the host server is sent every time you browse a site, for example.
No, a string is sent each time. I can make the string be anything I like. You aren't a developer, are you?
Re:Is scanning a network illegal? (Score:2)
Re:Is scanning a network illegal? (Score:2)
Suppose you connect to a computer with the BackOrifice trojan. What is not important is that it all
Re:Is scanning a network illegal? (Score:3, Interesting)
My point here is this; he did not assign any illegal activity from what I saw in the article. If someone could point me to where the actual assignment is written down, I m
Might not be illegal but it's bad form (Score:4, Interesting)
Just like with your house, while it might not technically be illegal for you to sit on public land and case my house out like you are going to break in to it, you can bet I'll object if you try.
Re:Might not be illegal but it's bad form (Score:2)
Sadly, I find my firewall logs demonstrate far too many attempts to track down the ISP of each and every one.
The vast majority of stuff just gets summarily dropped at the firewall. But you'd be amazed at how many dictionary attacks I see on the server that SSH reque
Re:Might not be illegal but it's bad form (Score:2)
I don't bother with basic shit (Score:2)
Re:Might not be illegal but it's bad form (Score:2)
Which, depending on the size and importance of your network, sets you up for a lawsuit. Assuming a free and unfettered internet, if you block an entire ISP from your network for what amounts to zero illegal activity, I would put it out there that a lawsuit would result in a court order to unblock said ISP.
Now, it's true, this doesn't take in to account things like private vs public networks or the actual network that you handle, but punishi
Re:Might not be illegal but it's bad form (Score:2)
In the real world the analogy would be someone suing because you lock your doors...
There is no right to talk to my network and I can bloody well block whoever I want anytime I want...
Now, while the above is a bit harshly worded, I would really like to hear how you think there would be any basis for this at all.
Re:Might not be illegal but it's bad form (Score:2)
If I want to block all addresses starting with 66.6.x.x because i don't like the number 666, I have every right to.
That's like saying that just because a person hasn't done anything illegal you are required to let them walk though your house.
Damn there are a lot of strange opinions stated as fact on
Now, if it's a provider that I am usin
Re:Might not be illegal but it's bad form (Score:2)
Assuming a free and unfettered internet, if you block an entire ISP from your network for what amounts to zero illegal activity, I would put it out there that a lawsuit would result in a court order to unblock said ISP.
Why is that? There's no reciprocal agreement in force, and blocking an ISP because their users are portscanning you is perfectly legal. Maybe a bit rude, but oh well.
Re:Might not be illegal but it's bad form (Score:2)
Could you point out the case citation that holds that the First Amendment guarantee of Freedom of Assembly doesn't apply to people who operate big networks?
Re:Might not be illegal but it's bad form (Score:2)
Must be nice to have a lot of time on your hands. If I was to sit at work and read my FW logs all day and contact every ISP that probed my ports (That kind' sounds dirty) then I would probably be sitting in front of my PC 24x7.
Re:Is scanning a network illegal? (Score:2)
Re:Is scanning a network illegal? (Score:2)
The world is not a one way street and you are not its traffic light. If you cannot get along with institutions, then do not be surprised when institutions do not get along with you.
Sand box? (Score:2, Interesting)
Re:Sand box? (Score:5, Interesting)
Re:Sand box? (Score:2)
You could grade based on what the student learned from both tasks.
Re:Sand box? (Score:2)
Or even better, default installations of the more popular OS's and Web servers (you know who you are) so that these security professionals-to-be get a taste of the real world!
Once they're handled this, then step it up to a fully patched and locked down version.
Whatever we think he should have done, if this story is true his actions are unprofessional. The ban on University servers acknowledges that they could be compromised with some effect on services, so to recommend to test it on unknown thirdparties i
Re:Sand box? (Score:2)
What that's missing, of course, are the users internal to the server/network that do everything they can to break the security of the network so they can run their favorite chat/game/interactive screen-saver.
Re:Sand box? (Score:2)
Re:Sand box? (Score:2)
Can they please disclose the university? (Score:2)
Dean of Corrections? good lord... =b
Lemme get this straight (Score:4, Interesting)
He's not supplying his own honeypot servers, and didn't get the University to allow use of campus servers either? I'd think he could sell it to the IT group as a hardening exercise, since students would have to do full disclosure to get credit anyway.
Yup, just goes to show you that "smart" and "fool" aren't antonyms.
In academia (Score:2)
Re:In academia (Score:2)
We have a lab in our building that is devoted to studying networking, and literally most of the people in there couldn't point out the switch in their room, people that have, with a stright face, used the phrase "statically configured dynamic address".
What's the big deal? I've done statically configured DHCP - it's quite useful for configuring servers, for instance.
Undisclosed, huh? (Score:2)
Yeah, my money's definitely on Dan.
Firing ranges (Score:2)
I feel for the prof, there isn't a good "firing range" on the internet. It would make for an interesting business. Setup a virtual network of servers with targets/exploits and have the students try and hit them.
you're mostly right (Score:2)
Re:Firing ranges (Score:2)
There is. Check your spam folder.
Re:Firing ranges (Score:2)
What about criminology classes? (Score:3, Insightful)
Re:What about criminology classes? (Score:2)
Next assignment - Hack in and change your grade (Score:3, Funny)
2 legal, 2 illegal, solutions w/o getting caught (Score:2)
Legal Solution #2: find out the address of a home computer on a broadband connection and hit that, preferably a friend who knows you're doing it or yourself.
Illegal Solution #1: Find out the address of a home computer on a broadband connection owned by the kind of luser who doesn't even know they have a log let alone how to check it.
Illegal solution #2: Hi
Re:2 legal, 2 illegal, solutions w/o getting caugh (Score:2)
The last two are available due to the fact that most sysadmins aren't being paid to look at logs all day; and that home users don't have the extra cash to pay a sysadmin at all.
Why read logs when you have computers that do it for you?
Dean of Corrections? (Score:3, Funny)
Is it a university or a prison?
Screws and Marbles... (Score:2)
Unless you're majoring as a PC Technician, you are likely to lose your marbles than your screws in the IT department. My marbles disappeared a long time ago.
Re:Screws and Marbles... (Score:2)
Re:Screws and Marbles... (Score:2)
Hence the stereotype of the single male computer geek.
Exactly, because all married males know exactly where their marbles are: in a jar in a cupboard in the kitchen.
Missing intructions (Score:2)
Re:Missing intructions (Score:2)
Bingo! Set up a dyndns.org entry to your own darned machine.
Got knows my firewall logs indicate that half the friggin world has been scanning my machine. Fortunately, I have a firewall to log such things for me and keep the buggers out. =)
Re:Missing intructions (Score:2)
When did Snorting a remote network become illegal? (Score:2)
Re:When did Snorting a remote network become illeg (Score:2)
When did portscanning become illegal? (Score:3, Interesting)
SANS seems to take it for granted that portscanning is illegal and immoral. However, I can't find anything on Google, and of course, IANAL. Is there any case precedent in the United States for the illegality of portscanning?
I would hazard a guess that it is not illegal. It is the equivalent of looking at a house from a public vantage point to see if any windows are open. Although such an action is suspicious (the person may next try to get in through a window), it certainly isn't illegal, at least in the United States. SANS seems to be overreacting.
Re:When did portscanning become illegal? (Score:2)
It is the equivalent of looking at a house from a public vantage point to see if any windows are open. Although such an action is suspicious (the person may next try to get in through a window), it certainly isn't illegal, at least in the United States. SANS seems to be overreacting.
Actually, I think port-scanning is a wee bit closer to turning the doorknobs on all exterior doors (but not opening them and going through), pushing the windowsills, and knocking on the walls looking for hidden doors. Grey-
Re:When did portscanning become illegal? (Score:2)
if the cops saw you doing that to a stranger's, they'd probably have a good reason to ask what the hell you were doing.
And they could probably charge you for trespass if nothing else. Dunno if there are any actual laws on this subject.
Re:When did portscanning become illegal? (Score:2)
In Texas, for example, any unauthorized connection or attempt to connect to a computer is illegal.
Re:When did portscanning become illegal? (Score:2)
Re:When did portscanning become illegal? (Score:2)
What if you're up in a tree with binoculars trying to hide your presence (similar to using stealth techniques)? Is that legal?
Yes, if it's your tree or if you have permission to be in it. Again, suspicious, but not a crime.
Now, what if a half naked coed walks by the window 20 times a day? Still legal?
It may be. You wouldn't stand naked by a window facing someone else's house and not expect to be seen. That's what curtains are for. Although there might be state anti-stalking laws that complicate a cas
Should have set up a honeypot-like system (Score:2)
Easy file to hack = C, More difficult file to hack = B, Very difficult file plus leave a calling card = A
The same thing happened at my University (Score:5, Interesting)
The assignments were some of the most practical security assignments you could imagine. For one assignment, he gave us the location of a target machine, and told us to "break in and find something that would make people a lot of money". The trick was to scan it with Nmap across an obscene number of ports (he was running a compromised telnet server on some really high port - like 11,000), telnet in, and look through the files to find a fictitious email about a stock buyout. ("But make sure not to scan any machines besides the target machine!") In another one, we telnetted into a mail server he set up, and emailed the TA with a faked 'from' address. "If it looks fake, you lose points", so you had to make damn sure to get all the fields looking immaculate. Another assignment was he gave us an XOR encrypted message, and we had to crack it. (The trick was to look for large areas with spaces, which gave away the key)
It was, all in all, a great class. Just one problem - the IT people *hated* the class. He told us he got a complaint during the Nmap assignment that it had been used to run 150,000 scans on campus machines. The computer science department adamantly defended the assignments, as important learning tools. It's an important issue of academic freedom, and (last I had heard) the CS department's concerns trumped IT's complaint.
Re:The same thing happened at my University (Score:2)
The machines he had asked us to scan were on EE/CIS research network. If I remember correctly, he explicitly asked us not to scan any other machines outside of the research network.
Re:The same thing happened at my University (Score:2)
Too bad we don't have faculty around here clever enough to create an assignment like this one.
Re:The same thing happened at my University (Score:2)
One half was assigned the task of setting up a computer so that it could not be penetrated. The other half had the job of penetrating that computer.
And that was all done on a network isolated from the rest of the Internet.
DJB? (Score:2)
I could see some profs doing it out of stupidity, but I could see Dan Bernstein doing it entirely out of arrogance...
Reminds me of the last episode of Naruto (Score:2)
At the end of the exam anyone left (who stayed voluntarily after the 10th question) was passed regardless of whether they had written down any answers or not.
As long as they hadn't got caught cheating so the expert cheaters were passed.
After all... The goal of the Ninja is to be able to aquire information undetected.
Perh
Re:Reminds me of the last episode of Naruto (Score:2)
NO. The real purpose of the ninja is to flip out and kill people [realultimatepower.net].
Re: ninja meaning of lif (Score:2)
From the inside (Score:2, Informative)
I am both an undergraduate CS major and a system administrator on campus. I work with the top-level sysadmins that complained about the assignment, and who likely reported it to the ISC. They're good people that know their stuff, but I think they acted poorly by publicising it. It was a simple assignment which meant no harm. The class has never been taught here before. The CS department's reading of the university AUP and Ethics Policy differed widely from the
Can't blame the professor (Score:2)
So at least the student will have a co-defendant if things go bad.
So much for ethics... (Score:2)
Multiple fools combined! (Score:2)
First: This guy "Handler" from SANS should know full well that port scanning is not a crime. But he goes out of his way to make it look like one.
Ex
Cheating 101 (Score:2)
The true objective wouldn't be to increase th
Bl00dy Idiot... (Score:2)
what he should have done was divided the students into small teams (by drawing lots), each responsible for setting up a set of servers on this isolated network to do specific tasks and then set the teams to securing their own servers while trying to penetrate the servers of the other teams.
Award points for how many other servers you cracked, minus how many times your own got
$ans? (Score:2)
"I think it's funny they call themselves handlers instead of "people without computer science degrees or any knowledge of computer security trying desperately to learn how to read shellcode and informing a le
A better way to teach this. (Score:4, Insightful)
Re:A better way to teach this. (Score:3, Insightful)
Totally ludicrous (Score:2)
What I think happened: the university's IT director found out about it, realized how bad it could mak
This is really stupid.. (Score:2)
Trying to exploit any of the found vulnerabilities is a different story altogether.
Of course 'the prof' could/should have done it in a secured environment within the uni but its ok if he didnt.Mr Handler is obviously overreacting and giving it more attention than it deserves.
Public-domain tools? (Score:2)
obviously this "school" has no ethics courses (Score:2)
using tools available in the public domain (Score:2)
That's not going to get the students very far. Are there any public domain security tools?
Isn't it his job to teach his students? (Score:5, Insightful)
I don't see what the hoopla is about here. He asked them to do a scan, not open them up and format the hard disk or download files on it.
Maybe his next assignment is the ethics. Maybe it's just a test to see if any of his students find this ethically wrong and refuse to do it. Maybe he would have given them extra points.
I run several servers on the Internet, and I get port scanned all the time. Even more so at home, where my dynamic DSL IP is hit by worms many times each day.
Dear American proto-hackers, you are welcome to come to Europe and learn the tools of your trade here. We meet every year between Christmas and New Year at the CCC Congress [www.ccc.de], and we have a LAN there, so people can get acquainted with the tools.
We were encouraged... (Score:4, Insightful)
Its a bit like open source software.. The information is public, what problems are there by students looking at it. As long as the dont actually compromise anything, they could be helping it security.
In this case, I think the IT Staff are being idiots.
SANS is French for without.... (Score:3, Insightful)
Amazing! The prof should be fired! (Score:3, Interesting)
I strongly believe that the professor should be fired. The students should be told to NOT go forward with the assignment. And the name of the professor and university should be released so that such unethical or thoughtless behaviour by the professor and double-standard thinking by the school can be revealed and acted upon.
I can't believe the school would come back and say that the professor would not be reprimanded, that the assignment can go forward, but not to scan their own computer networks. This implies that the school admins know that it is a security issue and questionable behaviour, but is allowing it to go forward on the internet. Complete and utter retarded and *ss backwards thinking and reasoning.
For some companies I've worked at, a scan is reason enough to ban your IP, if not your IP address block. Performing a scan is grounds for dismissal, if not initiation of criminal charges of misuse of the business systems. This was the case at my old university. Misuse of school systems resulted in dismissal and/or legal proceedings.
The correct and responsible means of testing would have been to setup a training network. Obviously, there is a complete lack of responsible planning on the part of the professor and the school. Or perhaps a lack of understanding of what they are setting up their students and themselves up for.
The student who brought this up REALLY needs to bring this to the attention of his/her fellow students and prevent them from getting into trouble with businesses and the authorities.
Just because your superiors tell you to do it, doesn't mean it's okay to do it.
I think I may have had this assignment. (Score:3, Interesting)
One telltale phrase that hit a nerve with me was something that I remember nearly verbatim: "using tools available in the public domain." The examples he gave were essentially tools like traceroute, ping, etc.
Nobody in the class thought there was anything questionable about this, let alone illegal.
Re:Students should do it anyway (Score:2)
Re:Is this really a problem? (Score:2)
Someone who leaves FTP service on with no password might be stupid, but you are still breaking the law if you take their stuff or use the server to hold warez.
That is no different than a stupid person leaving their car windows down with the engine running - you can stash heroin there for safe keeping or to transfer to a buddy, or you could steal the car, but either way you broke the law and are going to jail, and the other person will be cleared when it is certain the
Re:Scanning ports does not equal breaking in (Score:2)
Someone who leaves FTP service on with no password might be stupid, but you are still breaking the law if you take their stuff or use the server to hold warez.
Well... Yeah that is how the law works with intrusions, but port scanning is not breaking in (intrusion). It is like you walked up to someone's house and checked to see if the door was locked without actually even opening the door.
Yes, its kind of dubious, but its not breaking any laws (or at least shoulnd't).
Re:Is this really a problem? (Score:2)
To use your car analogy, it's more like somebody walking by took note that the car windows were left open.
Re:Is this really a problem? (Score:2)
However, scanning the entire TCP and UDP port ranges of some random reachable host in order to assess vulnerability is a differently colored equine.
If I'm running service on TCP80, does that mean you're invited to scan UDP10000-65535 to see what doors may be inadvertently unlocked? I would argue that you may not be breaking a law, but you are acting shady and with ill will to
Re:Is this really a problem? (Score:2)
If you were not running any service on TCP port 80, would it be ok to ... try different URLs? After all, the URL is a user interface [useit.com] and the only way to learn more about the resource a URL points to is to give it a try and access it.
Re:Is this really a problem? (Score:2)
If there is no valid starting URL, then trying random URLs referencing my host is also shady--and just plain silly--since there is no service running.
BTW, the linked information on URLs was really, really not good. It's old, not very accurate, with weird speculations that did not prove valid over the years since it was authored in 1999.
Re:Kerry / Edwards 2004 (Score:2)
Re:better than a fork bomb (Score:2)
He had otherwise proven to be an apt UNIX geek so I heard several of his fellow lab users ask him why he thought their terminals had locked up--since asking me would be scary apparently, go figure--and I heard him mumble, "dunno" and then he hustled out before we figured out what happened.
The lab manager held his many thousand page printout in a large overfull box unt
Re:What does it matter? (Score:2)
If a person or company is running a server on the net, they are doing so to provide services and information to users/customers. Using a that server for any other purpose than what is clearly intended is not good form, and is probably a violation of ISP policy. Therefore, while the cops aren't going to show up at your door for scanning system, your ISP might pull your plug.
This assignment is very poorly thought out. Students could learn just as much from a few different server