Professor 'Packetslinger' Assigns Questionable Task
mrowton writes "A professor at an undisclosed university recently assigned a practical for his computer-security class. The practical, which is worth 15 percent of the students' final grade, requires students to perform reconnaissance on an internet server using tools available in the public domain. While the university is allowing the practical to continue, it has also stated that the techniques should not be performed on their own web servers. If students are caught performing any scans against university computers then it would prompt: "Disabling their student account and referring them to the Student Dean of Corrections." The assignment was enough for SANS to dub him 'Professor Packetslinger of the School of Loose Screws.'"
Now who would be the WB to publish the name of the university here?
I wonder if that paper will attract more students because of the assignment. Guys, whatever you do, just don't TK.
Virtual Betting on Facebook for non-geeks.
I thought there was a case not too long ago that says a scan is not an intrusion, thus is not illegal.
Why doesn't the professor construct a cheap server, with security out the wazoo? Then let the students attempt to bring down the sandbox, rather than randomly probing servers which are probably used to run a business?
Dean of Corrections? good lord... =b
The World Wide Web is dying. Soon, we shall have only the Internet.
Scanning a system is not illegal... trying passwords would be, but seeing if anything is listening out on a host is not in any way illegal.
The phrase "more better" is acceptable English. suck it grammar Nazis
He's not supplying his own honeypot servers, and didn't get the University to allow use of campus servers either? I'd think he could sell it to the IT group as a hardening exercise, since students would have to do full disclosure to get credit anyway.
Yup, just goes to show you that "smart" and "fool" aren't antonyms.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
Yeah, my money's definitely on Dan.
Dewey, what part of this looks like authorities should be involved?
If a police officer needs to test out shooting a gun, he goes to a firing range. You wouldn't have him field test it.
I feel for the prof, there isn't a good "firing range" on the internet. It would make for an interesting business. Set up a virtual network of servers with targets/exploits and have the students try and hit them.
They should have an assignment that each student rob, or break into a bank. Any attempts to break into school secured areas would result in immediate suspension.
If you change it to anything other than an 'A' you automatically fail.
He who knows best knows how little he knows. - Thomas Jefferson
Legal solution #1: Contact a local business, explain you're a student learning about computer security, and ask for permission to hit their server.
Legal Solution #2: find out the address of a home computer on a broadband connection and hit that, preferably a friend who knows you're doing it or yourself.
Illegal Solution #1: Find out the address of a home computer on a broadband connection owned by the kind of luser who doesn't even know they have a log let alone how to check it.
Illegal solution #2: Hit a BUSY public server that you know is locked down well and likely to have only a single discoverable service, such as www.google.com, thus also giving the wonderful ability to turn in a two line report and STILL get the full purpose of the assignment; bonus points for mentioning the port ranges that were in stealth mode.
The last two are available due to the fact that most sysadmins aren't being paid to look at logs all day; and that home users don't have the extra cash to pay a sysadmin at all.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Scan the schools' comps anyway and if caught social-engineer your way out of trouble for Double Bonus Points(TM)!
If I notice someone poking around at my systems in such a way that looks like it's looking for exploits, I'll contact the ISP responsible and ask them to have a chat with that user. If they blow me off, I'm likely to blacklist the ISP entirely.
Just like with your house, while it might not technically be illegal for you to sit on public land and case my house out like you are going to break into it, you can bet I'll object if you try.
The NSA issued a press release stating that its whole domestic spying operation was just part of a homework assignment.
AKA Warden?
Is it a university or a prison?
So it is wrong for them to scan their own servers, but it's ok to look for exploits on non-university computers... Brilliant
We did this as an assignment for a network security class at the small community college I attended. As long as the students are gathering information and not launching an assault, what's the big deal? Though I have to say that the college considered all the students to be a security risk and so forced us to stay off the campus net during class. They would also pay close attention to anything we did when we were on the network.
nothing to see here move along
I got asked to see if a server at my university was secure. I scanned it using nmap. It set off their IDS and I got a letter of academic misconduct. They really didn't specify how to see if it was secure. I use Linux a lot, nmap is second nature, I really didn't think twice about using it.
.au if it helps.
That was in
Why not put up a couple of servers of different types on an isolated network at the school and then let the students bang on that. At least they would be able to go through the logs of the servers in question legally. Also, they could packet capture the entire event and review in class.
It wouldn't happen to be Whitman at Kennesaw State, would it?
... School of Loose Screws ...
Unless you're majoring as a PC Technician, you are more likely to lose your marbles than your screws in the IT department. My marbles disappeared a long time ago.
a. Subtract marks for students that scan government servers. b. Bonus marks for the student that sets up his own web server and then scans it.
Oh well, what the hell...
When did Snorting a remote network become illegal?
Hey, personally I think this sounds like a good assignment IF the professor provided his own servers. These are tools that anybody gaining knowledge in computer security should be familiar with. How hard would it be for the professor to set up a Windows and *nix box with some public services running, and host it from his home connection or at least get some university resources dedicated to it?
-Eod
SANS seems to take it for granted that portscanning is illegal and immoral. However, I can't find anything on Google, and of course, IANAL. Is there any case precedent in the United States for the illegality of portscanning?
I would hazard a guess that it is not illegal. It is the equivalent of looking at a house from a public vantage point to see if any windows are open. Although such an action is suspicious (the person may next try to get in through a window), it certainly isn't illegal, at least in the United States. SANS seems to be overreacting.
There's no sig like this sig anywhere near this sig, so this must be the sig.
Get caught and you fail. Make a set of files on the server progressively more difficult to hack/open/retrieve.
Easy file to hack = C, More difficult file to hack = B, Very difficult file plus leave a calling card = A
A closed mouth gathers no foot.
Yes. But the vote was counted for Bush...
I of course mean running Nessus against a remote network... doh.
This sounds like something a Prof I had in school would do and subsequently, a reaction my university would have taken to it. Note that I'm not claiming this is going on there, just saying it doesn't seem like an outside possibility for any school.
If this is taking place at my alma mater or a similar institution then I can tell you how it probably went down.
A: Prof comes up with a realistic assignment for a university level security course and weighs it heavily since he is lazy and can only come up with one or two good assignments. B: The school denies his department's requests for funds to set up a server for this and any further course work. C: Prof is lazy (see point A) and so continues the assignment D: School responds by threatening disciplinary reaction.
Of course this places the students in a catch-22. They can either scan a university system and face possible action if detected or scan an external system and face possible legal action. I suppose they can also disregard the assignment and face possible failure.
This is irresponsible on the part of both the university and its faculty.
... on efnet in #conf.
Create four groups to defend their networks. If the Security Course is large enough then all Security Students else include the Network Class.
How it works is there are four networks with two trying to communicate with each other through the opposition network. The first part of the test is with the network class where they set up the network and no attacking and hijacking is permitted, only reconnaissance.
Next is protecting the network phase. This is where they put on certain firewall solutions and try not to be penetrated to the point of knowing the hidden network topology.
Last is the attack phase where each team tries to penetrate the enemy while defending theirs. Use of honeypots and such is permitted.
During this creation the Instructor gives each team some network requirements for external customers. This is from an Apache or ISS web portal to any other diabolical customer based holes to patch and protect. This is so when communications between the two groups goes Encrypted there are still points of attack.
Also this must be done by a team who are at least Bondable and have had a background check.
In addition all network tools and internet apps must be first put to a Read Only medium. The network internal does not have any R/W devices nor are they permitted.
PS use campus surplus to create the network.
A similar occurrence happened at my university (University of Delaware). When I was an undergraduate, I took the 400 level security class. (The teacher isn't a professor, but he's a staffer who happens to be amazingly knowledgeable about all areas of Unix and networking.)
The assignments were some of the most practical security assignments you could imagine. For one assignment, he gave us the location of a target machine, and told us to "break in and find something that would make people a lot of money". The trick was to scan it with Nmap across an obscene number of ports (he was running a compromised telnet server on some really high port - like 11,000), telnet in, and look through the files to find a fictitious email about a stock buyout. ("But make sure not to scan any machines besides the target machine!") In another one, we telnetted into a mail server he set up, and emailed the TA with a faked 'from' address. "If it looks fake, you lose points", so you had to make damn sure to get all the fields looking immaculate. Another assignment was he gave us an XOR encrypted message, and we had to crack it. (The trick was to look for large areas with spaces, which gave away the key)
It was, all in all, a great class. Just one problem - the IT people *hated* the class. He told us he got a complaint during the Nmap assignment that it had been used to run 150,000 scans on campus machines. The computer science department adamantly defended the assignments, as important learning tools. It's an important issue of academic freedom, and (last I had heard) the CS department's concerns trumped IT's complaint.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
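The XOR exercise described in the comment above, worked through as an added example that is not part of the original post or the course material: a run of spaces encrypted with a repeating key is just the key pattern XOR 0x20, repeated, so the ciphertext becomes periodic there and gives up both the key length and the key. The key, the sample memo and the function names are constructed for illustration, and the code assumes the longest constant region of the plaintext is made of spaces.

```python
"""Why repeating-key XOR leaks its key wherever the plaintext is a run of spaces."""
from itertools import cycle

SPACE = 0x20

# Constructed sample: a short memo padded with a long run of spaces.
SAMPLE_KEY = b"XORkey7"
SAMPLE_PLAINTEXT = (
    b"From: cfo@example.test\n"
    b"Subject: buyout" + b" " * 40 + b"CONFIDENTIAL\n"
    b"Offer goes public Friday.\n"
)


def xor_repeat(data, key):
    """Encrypt or decrypt: XOR every byte with the key, repeated as needed."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def longest_periodic_run(ct, period):
    """Return (start, length) of the longest stretch with ct[i] == ct[i + period]."""
    best_start = best_len = run_start = run_len = 0
    for i in range(len(ct) - period):
        if ct[i] == ct[i + period]:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    return best_start, best_len


def recover_key(ct, max_key_len=32):
    """Recover the key from the ciphertext alone.

    Over a run of identical plaintext bytes the ciphertext repeats with the
    key length, so the period with the longest self-matching stretch is the
    key length (multiples of it match over a shorter stretch).
    """
    candidates = []
    for period in range(1, max_key_len + 1):
        start, length = longest_periodic_run(ct, period)
        # Prefer the longest run; on a tie prefer the smaller period.
        candidates.append((length, -period, start))
    length, neg_period, start = max(candidates)
    period = -neg_period
    if length < period:
        raise ValueError("no constant region long enough to expose the key")
    # Inside the run every plaintext byte is assumed to be a space, so
    # ciphertext XOR 0x20 is the key byte used at that offset.
    key = bytearray(period)
    for i in range(start, start + period):
        key[i % period] = ct[i] ^ SPACE
    return bytes(key)


if __name__ == "__main__":
    ciphertext = xor_repeat(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    key = recover_key(ciphertext)
    print("recovered key:", key)
    print(xor_repeat(ciphertext, key).decode())
```

The same leak applies to any long constant region (zero padding, repeated headers), which is why a short repeating key offers no confidentiality for structured documents.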
But there's always the LAPD
You better watch out, there may be dogs about . .
This professor should be prevented from having any contact with computers for 5 years, and from communicating with or being within 100 yards of anyone under the age of 30 for 10 years.
How utterly irresponsible can a college professor actually be?!?!?!?!?
RHCE; are you certified? Karma: ambiguous.
I thought the point of obtaining a liberal arts education was to promote good ethics and work practices, provide a well-rounded academic experience, and ultimately, to prepare you for your career. Excuse me, but HOW The f u ck is this assignment helping the student accomplish any of this? This violates ethics and will not teach the students anything useful about working in the real world. (that is unless you are planning to become a covert computer forensics scientist who is trying to apprehend your latest child predator or terrorist). Is "hacking a network" something you would be proud to put on your resume when applying to, oh let's say, Lockheed Martin? NO. They are looking for people who are able to have good ethics (all those companies give you ethics training) and (more importantly) good work ethics. Believe me, they don't want script kiddies and the like.
Having his minions secretly listening in on things that they have no legal right to? Nah, that reminds me of a different candidate.
I could see some profs doing it out of stupidity, but I could see Dan Bernstein doing it entirely out of arrogance...
Oh, you're not stuck, you're just unable to let go of the onion rings.
I'm here to packet and chew gum....and I'm all out of gum
You can't 'snort' a remote network - snort is a Network Intrusion Detection System, so it looks for attacks against you on your local network.
"It doesn't cost enough, and it makes too much sense."
I was working a university Unix lab, when, all of a sudden, there was a rash of complaints of crashed Solaris machines.
As I looked into it, one student fessed up, and handed over his assignment which was, essentially, to write a fork bomb, and run it, and "see what happens".
I told them to write down the answer "Lab Attendant swears at me, and tells me my professor is an idiot".
They had a ninja Chnin exam with extremely hard and actually unanswerable questions. The point of the exam was to actually force students to cheat in order to fail the ones they could catch.
At the end of the exam anyone left (who stayed voluntarily after the 10th question) was passed regardless of whether they had written down any answers or not.
As long as they hadn't got caught cheating so the expert cheaters were passed.
After all... The goal of the Ninja is to be able to acquire information undetected.
Perhaps the only way to pass this class is to be able to do these tasks without getting detected by the university or authorities.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Smart and fool go together as often as not. Never have you met so many people that can know so much about so little, people with mountains of theoretical knowledge and no idea how to apply it at all. We have a lab in our building that is devoted to studying networking, and literally most of the people in there couldn't point out the switch in their room, people that have, with a straight face, used the phrase "statically configured dynamic address". It's not like these are art majors who just don't know anything, they are all engineers who are studying networking.
That something like this happens really isn't that surprising to me. You get grad students and professors that have spent a lot of time on theory but have never applied the knowledge in meaningful ways and are out of touch with the real world. Thus they make requests and demands that are totally off the wall because the mental picture they have of how things work isn't anything like how it really works.
I'm in the class which received this assignment.
I am both an undergraduate CS major and a system administrator on campus. I work with the top-level sysadmins that complained about the assignment, and who likely reported it to the ISC. They're good people that know their stuff, but I think they acted poorly by publicising it. It was a simple assignment which meant no harm. The class has never been taught here before. The CS department's reading of the university AUP and Ethics Policy differed widely from the administration's, and a simple email could have eliminated the confusion. Instead it's on Slashdot.
I think the ISC and the administration's reading of the assignment's intent was way off base. They both seem to be under the impression that simple port scans are illegal and forbidden, when in fact they occur regularly on the residential network and are a part of having an internet connection.
The professor is the dean of the CS department and is a very smart guy. He doesn't deserve to have this situation turned against him publicly. We in the class think it's all pretty ridiculous, and will do the assignment using only the approved IPs which we were given today. This was a simple misstep, and should blow over quickly.
Instead we have half rate Sys Admins getting worried about these students hacking their systems, simply because they are too lazy to plug the holes
Man is the lowest-cost, 150-pound, nonlinear, all-purpose computer system which can be mass-produced by unskilled labor.
You can't blame the professor for this. It's not like he or she knows how the real world works. After all anyone with any sense well almost any would say this is a bad idea. The University had sense enough to say no to their own network being scanned then again they're dumb enough to allow it to continue.
So at least the student will have a co-defendant if things go bad.
Oh wow how awesome! A far-stretched (yep, that's far-stretched. not far fetched for you double guessers out there! Think of it as stretching the rubberband, or in this case the meaning of a concept, even farther from its actual meaning) comment related to the psyche of someone or some entity. ++ (that's double plus) points for SANS and the Slashdot award of practicing without a license. In the medical field they call people that do that 'quacks', interesting coincidence that a 'quack' is often described as someone with a loose screw.
a "practical"
What if a group of people, say neighbors, or firms, or even cities got together, strung some fiber or microwave links between them, and called it MyNet? Physically isolated from the Internet, but nevertheless including entities that are considered separate so far as the conventional or legal definition goes. I think laws such as child porno laws, or externally copyrighted music, would still apply because they are broadly defined. But what if these participating entities explicitly agreed to allow cracking, for one, or the use of strong encryption, or in general, uses which are legally prosecuted to protect the lowest common denominator in computer users, or to allow hooks for prosecuting. Is Internet-2 like this (probably not, because government money is involved). Seems like the Internet space is increasingly being regulated as if, or more harshly than it were meat-space.
I still say ethics should be a required course in IT.
At RIT, the NSSA (Network, Security, SysAdmin) program has a special lab set up for this, connected to the outside world by a single ethernet cable that's usually left unplugged. In this lab, teams of students take each other on - one to lock down a rack of servers, the other to turn the rest of the lab into zombies and break in. Of course, this is done in the safety of an isolated environment, on our own server, so it's a bit different. Teaching black-hat countersecurity stuff is just fine - how else are you to test your own - but come on now, in a safe environment. Another experience we get here? Anti-virus, by releasing viruses into our security lab. So how does Professor Packetslinger intend to teach that, releasing viruses into the wild?
There's an old saying that says pretty much whatever you want it to.
No, that's not at all how the law works.
Someone who leaves FTP service on with no password might be stupid, but you are still breaking the law if you take their stuff or use the server to hold warez.
Well... Yeah that is how the law works with intrusions, but port scanning is not breaking in (intrusion). It is like you walked up to someone's house and checked to see if the door was locked without actually even opening the door.
Yes, it's kind of dubious, but it's not breaking any laws (or at least shouldn't).
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
First: This guy "Handler" from SANS should know full well that port scanning is not a crime. But he goes out of his way to make it look like one.
Except that research isn't illegal. And even if this weren't academic, this still wouldn't be illegal. Good thing you quoted him verbatim, because he didn't even come near anything illegal. His own blog refutes his own point! Then, he goes on to misquote the guy! "OUR WORDS" -- yeah, I guess he thinks that this is just enough to stop the libel suit. Jeeez!
Second: The university did the worst thing possible. They made it look like the assignment was illegal, while neither condoning the assignment nor disallowing it. If they mistakenly told the professor to stop that assignment then I would say it was an over-reaction and they could correct that. If they ok'd it with the professor then they would be good guys. Instead they just whipped-out the 10 foot pole which makes them even more guilty than Mr. Handler.
Third: Our elected officials. The issue of the legality of port scans should not even be in question if they even had the slightest clue as to what it was. But instead lawyers and judges can't agree on this point. I just ask for any one group involved to have some common sense. Slashdotters should start emailing SANS in support of this professor.
I always thought that if I was a (tenured) professor would be a "Cheating 101" class. The objectives would be to teach the students how to cheat effectively. The class would have exams that were on arbitrary and difficult subjects. The students would be forced to cheat to pass them. The exams would be graded not only on how well they did on the exam itself, but how well they cheated and how well they avoided detection. (Even with me knowing they're cheating.)
The true objective wouldn't be to increase the student's ability to cheat, but to discover what techniques were being used by the students...
what he should have done was divided the students into small teams (by drawing lots), each responsible for setting up a set of servers on this isolated network to do specific tasks and then set the teams to securing their own servers while trying to penetrate the servers of the other teams.
Award points for how many other servers you cracked, minus how many times your own got cracked...
and just to put an edge to it, losing team buys dinner for the winners. Winners get to choose where the meal is (within reason)
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
First of all, SANS is considered the "entry level" security group. They overhype security issues on a regular basis. They remind me of Steve Gibson of GRC, another self proclaimed "security expert". They rehash old issues all the time. My favorite quote about them is actually from Dave Aitel though.
"I think it's funny they call themselves handlers instead of "people without computer science degrees or any knowledge of computer security trying desperately to learn how to read shellcode and informing a legion of other people about vulnerabilities, worms, and exploits a. la. the blind and deaf leading the blind".
Reference http://lists.virus.org/dailydave-0405/msg00075.ht
It appears SANS is trying to throw into question the legality of port scanning. Did they get wrong too? Maybe they should make another class on this, charge $2500 for 5 days of powerpoint sessions instead of showing their ignorance.
A professor not adhering to a best practice is a minor issue, at best. However, one round of namecalling deserves another!
I expect to be modded flame/trolling for this, but it is the truth.
Would be to have separated the class into two teams with two networks and then have them secure their networks. Then launch attacks against one another. This way they see both the way attacks are made along with how to protect their network from them.
A bunch of Tech Stuff
If there is a post to mod up, it is this one. There is going to be a lot of hype and over-reaction out of ignorance of the situation, and a misunderstanding of the intent of the assignment and the professor (the ISC's writeup of it is inflammatory and absurd). Help cut the sound-to-noise ratio and mod the parent up.
If we start buying CDs then the terrorists have already won.
I'm a professor and had some undergrads create a honey net out of outdated computers and open-source software (except for the windows honey box). The central computing folk were unhappy because I was looking at packets which got through my firewall -- violated the university privacy rules. Sysadmins across campus were REALLY unhappy because vulnerable machines (honey) existed -- the fact that they were contained was lost on them. I was forced to shut the honey net down. There was all sorts of irony in the situation.
the internet is a safe place. i don't care what fanatical people rant about. i'm fanatical and i say that as long as you take all the necessary precautions, ie: strong encryption, a secure/patched OS, penetration testing if you run your own server.... etc. you'll be fine 99% of the time. and the other 1% of the time you'll be prepared.
the second you put your service online it is YOUR business to secure it. it's like opening a door on the sidewalk and telling people not to look in as they pass. it's just not practical. if you can't handle your own shit what are you doing on the internet?
here's a clue - people who are going to fuck your shit up are most likely self taught. no one goes to school to become an elite hacker. people who are in these classes are most likely our best shot at protecting our future internet because unfortunately - they're the people who are gonna get the jobs they interview for... because of their degree. me? i'll run circles around half of those assholes but i'll never get the jobs they will nor the salary. c'est la vie.
this rant was much better in my head, trust me.
but i gotta train to catch. hah any women in the absecon, nj area who want to get some coffee meet me at the absecon train station at 4:50. i wear an element hoodie. see ya there.
The following email was sent to the members of the sysadmin group for the university.
I've removed the university's name, because it doesn't seem to have been made public yet. And yes, he did type "hear" instead of "here".
First off I support learning, fiddling, tinkering, etc. Also I believe, in general that we treat network traffic internal to [THE UNIVERSITY] as friendly, i.e. I don't ask for blocked ports, I don't put deny lists in my Windows configurations. I desire to play fair, and not unduly restrict access to and from other areas of campus. I believe that all of us have enough to worry about from the ugliness that comes from outside our network.
However, I also know this - Windows is always breakable, there are more ways than I can count, know or are familiar with to break into, scan, ping and generally poke a Windows box into giving up info. But I don't worry about this because I assume that the traffic coming from campus is attached to the following - IP address and username that make the person RESPONSIBLE for their behavior, wither they're coming over wireless or the modem pool or God Know's Where. I, however, am not familiar with the procedures and tools that the students are going to be using to explore [THE UNIVERSITY]'s network.
I work to make my resources available to folks on campus.
People from elsewhere are blocked at the border, you can't get to my Web & DB servers easily from off campus (no that's not a challenge to prove me wrong). Also, I don't have nitty gritty access to my subnet's router to shut all the unwanted crap off (IPX, NetBios, ARP, PING, SSH), nor can I make choices on how the average machines in my area are protected. You see I have this things called USERS and NO MATTER what steps I take to educate and contain their access and rights, they'll find a way to do something I told them not to do.
But wait...that's not what I'm hired to do anyway, I'm hear to provide them with the tools they need to support students and their professorship and give them enough information and setup an environment where they can work with people from all over campus. They do this with things that give me the heebie-jeebies, Remote desktop coupled with Automatic Profile generation via ZenWorks, but that's what they need to make what they do WORK. I don't need a CS student telling me that's bad..>DUH.
If you want me to play Corporate Network, I'm sorry I don't have the equipment, and I deeply apologize for not being a Paragon of Windows & Network Security. Trust me, I'd love to do all sorts of things to keep the rest of you out, but that's NOT what we do at [THE UNIVERSITY].
I don't go to my neighbors house, check the door, and if its unlocked, walk in and proceed to take an inventory of their belongings. I don't really care how educational it would be, I leave him alone, together we're more worried about people who AREN'T our neighbors bothering us. I HOPE that the students realize that they are mucking around in people's business and livelihoods, and that [THE UNIVERSITY]s internal network is NOT a good example of a corporate network with subdivisions and zones of security. If I'm going to start seeing activities from across campus that's NOT friendly then I'll have to assume that [THE UNIVERSITY]'s network is no longer safe, and I'll have to treat it in a manner similar to the Internet.
I would SUGGEST that for this class, Like we do over here in CBE for our telecom courses, SET UP a network for the students to do these sorts of activities, without jeopardizing anyone or anything. Also, in a longer term solution, an internship/partnership with a company that would allow these sorts of experiments. Just a thought.
If anything, they should require that the students restrict themselves only to university servers. That way they aren't liable for any third party complaints. But that would undoubtedly reveal numerous holes in the university's servers, which would be embarrassing and time consuming for the university's IT department. And we all know that university IT departments spend more time avoiding work than doing it.
What I think happened: the university's IT director found out about it, realized how bad it could make him look, and convinced the Dean of Corrections that this was a bad, bad thing. Fucking Ivory Towers, that's why I'll never work in a university setting again.
I don't think that running a port scan is illegal by any standards or any computer/server on the internet. It's not that they are breaking into the computers but just seeing what ports are open or what services are running.
Trying to exploit any of the found vulnerabilities is a different story altogether.
Of course 'the prof' could/should have done it in a secured environment within the uni but it's ok if he didn't. Mr Handler is obviously overreacting and giving it more attention than it deserves.
Lord of the Binges.
It's a bit long, but as long as I get a prompt after my "reconnaissance"...
Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
What's the course called, "Terrorist and hacker training 204"?
An Uncomfortable Truth
Are there *any* security tools that actually are in the public domain? Last time I checked, stuff like nmap, hping2 and the like was all copyrighted (and licensed under free licenses, of course, but decidedly not in the public domain).
quidquid latine dictum sit altum videtur.
I would think that if they don't operate their own honeypot for this purpose, their accreditation should be cancelled. Who is this scurvy outfit, anyway?
if this is supposed to be a new economy, how come they still want my old fashioned money?
Don't even log it. However if our IDS throws up an alert for a prodding with some effort, like a port scan and then messing with the various services, I'll go and fire off an e-mail to the ISP.
The last two are available due to the fact that most sysadmins aren't being paid to look at logs all day; and that home users don't have the extra cash to pay a sysadmin at all.
Why read logs when you have computers that do it for you?
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
That's not going to get the students very far. Are there any public domain security tools?
TCAP-Abort
Why read logs when you have computers that do it for you?
Done properly, all the port scanner programs I've seen have a setting to defeat automatic log readers from detecting the scan: random period wait between ports. The best ones also do random access port scanning instead of sequential.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
As a college professor, I routinely assign my networking & security students to probe (e.g., port scan) systems to see what they will get.
The real story here is the hypocrisy. The professor assigns his students to go probe other people's systems, while the school has a policy against people probing their systems.
Andy Out!
http://www.kenttrust.com/portscanning.htm
A neat little look at this. I'm not sure about the accuracy of the information but it sounds right.
Also here is another link that has a case referenced.
http://www.asianlaws.org/cyberlaw/library/cc/ptsc
It says "In November 2001 a federal US court has dealt with a case of port scanning in the Moulton v. VC3 case under 18 USC Sec. 1030(a)(5)(B), of the Computer Fraud and Abuse Act of America. The facts of the case were as follows.
Scott Moulton was a network security consultant, who had a service and maintenance contract with the county 911 Center to perform computer network related work. He was arrested and charged with violating the Computer Fraud and Abuse Act after he port scanned the 911 center's computer network. The defendant stated that he was concerned with the security of the network and had been authorized by the county in the service contract to maintain the networks. The defendant scanned the vulnerability of the LAN network between the sheriff's office and the 911 Center and performed a series of remote port scans on the system. The system's network administrator was using a network analyzer and a firewall system and he was able to immediately notice the port scanning activity. The Sysop then e-mailed the defendant questioning him the reason and the motive for scanning the ports. On being challenged, the defendant behaved in a suspicious manner, by quitting the scanning activity and immediately emailed back, informing the administrator that he had a service contract with the county and he was authorized to check the security of the network.
Concerned about the network's security and the act of the defendant, the network administrator then contacted the sheriff, who in turn arrested the defendant on state and federal computer crime charges.
Charge:
Specifically, Moulton was charged with violating 18 USC Sec. 1030(a)(5)(B), which prohibits the "intentional accessing [of] a protected computer without authorization, [that] as a result of such conduct, recklessly causes damage."
Argument:
The county denied that they gave him authority or 'access' to conduct port scans on the system and argued that he accessed the computer unlawfully and with intention. Additionally the County alleged that it had to spend time and money to research the scanning and determine whether there were any penetrations of the system. But they admitted that Moulton caused no structural damage. In this case, the county argued that the act of port scanning itself was a crime. But the judge did not accept that argument.
Held:
The court said the statute clearly states that the damage must be impairment to the integrity and availability of the network. Since the county's network security was never actually compromised and no program or information was ever unavailable as a result of the defendant's activities. If there was no impairment from the scanning or the scans weren't so excessive or load bearing that the network's availability was interrupted, then there was no damage. Without damage, there is no crime, which is what the Courts held in the case. The court didn't need to address the damage element since the County failed to prove it conclusively."
Done properly, all the port scanner programs I've seen have a setting to defeat automatic log readers from detecting the scan: random period wait between ports. The best ones also do random access port scanning instead of sequential.
So run a tripwire on a handful of random ports, well away from normal traffic. Trip one or two and your IP gets banned or, if you're feeling vicious, redirected to a honeypot server.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
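The tripwire idea in the comment above, sketched as an added example (not code from the thread): because the check keys on which ports were touched rather than how fast, random delays and random port order do not help the scanner. The decoy port numbers, the log format, the addresses and the allowlist are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed decoy ("tripwire") ports: nothing legitimate listens on them,
# so any inbound connection attempt to one of them is a probe by definition.
DECOY_PORTS = frozenset({2311, 8331, 17042, 40417})

# Constructed allowlist: our own address space (e.g. the admins' own scanner),
# which must never end up on a ban list.
ALLOWLIST = (ipaddress.ip_network("192.0.2.0/24"),)

# Constructed firewall log, loosely modelled on iptables LOG output.
# 203.0.113.45 scans slowly, hours apart and in random port order.
SAMPLE_LOG = """\
2006-03-14T02:11:07 gw kernel: FW IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=8331
2006-03-14T02:11:09 gw kernel: FW IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51822 DPT=443
2006-03-14T02:58:41 gw kernel: FW IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40120 DPT=443
2006-03-14T03:20:00 gw kernel: FW IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=2311
2006-03-14T03:20:01 gw kernel: FW IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=8331
2006-03-14T04:37:12 gw kernel: FW IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40131 DPT=17042
2006-03-14T05:02:30 gw kernel: FW IN=eth0 SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=1044 DPT=40417
2006-03-14T06:02:55 gw kernel: FW IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40140 DPT=25
2006-03-14T07:00:00 gw kernel: link eth0 up
2006-03-14T09:15:03 gw kernel: FW IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40152 DPT=2311
"""

LINE_RE = re.compile(r"\bSRC=(\S+)\s.*?\bDPT=(\d+)\b")


def parse(lines):
    """Yield (source address, destination port) for each packet line."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a packet log line
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed source field
        yield src, int(m.group(2))


def offenders(lines, decoys=DECOY_PORTS, min_ports=2, allowlist=ALLOWLIST):
    """Map each source to the decoy ports it touched, if it touched enough.

    min_ports=2 follows the comment's "trip one or two": a single stray
    packet (backscatter, a typo) is not treated as a scan.
    """
    hits = defaultdict(set)
    for src, dport in parse(lines):
        if dport not in decoys:
            continue
        if any(src in net for net in allowlist):
            continue
        hits[str(src)].add(dport)
    return {s: sorted(p) for s, p in hits.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, ports in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{src} tripped decoy ports {ports}: candidate for ban or redirect")
```

The source address of a bare SYN can be forged, so a ban driven by this list is safest when it is short-lived and honours the allowlist.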
OK, so let's run through this scenario. The professor for a computer science security class wants students to scan some networks. This is the type of information he wants them to provide:
"He wants them to write an evaluation of what they find: what ports are open and what service could be running on them, Host names and IP addresses, OS, version, last update, patch status, what shares are available, what kind of network traffic and what vulnerabilities they see."
Some people have suggested to set up a sandbox, my question is where are you going to get the servers? Do you think that shit appears magically? Who can verify the actual network sandbox was set up properly? The students? An outside consultant? You see all of this stuff costs $$$, I'm sure the professor has an already small budget to do his own research but that's about it.
The next point is how is this illegal? The students must use apps that are available on the public domain. And if you think some uber hacker must have written it you are incorrect. Did you know OSX has a port scanner built into it? I put in the address, it tells me all the open ports. Is that illegal? Oh and what type of services are running on them? Come on, what is up with that, that's so easy to figure out! Just google the port num, and you'll get a listing of all the possible apps that could use this port. It's not rocket science! You could also connect to it by telnetting to the port and see if any user input returns a response from the server.
How is determining host names illegal?? A simple NSLOOKUP will tell you what the DNS name is, and you can go even further and check those DNS lookup sites and figure out who the contact is. Try it. It works pretty well!
All of the other information is easily accessible, if this equates to illegal hacking then I technically had no idea what illegal hacking really is.
Now if this guy wanted his students to actually try and break a system then yes, I don't agree with it. But if they're just simply exploring the different tools available to them on the internet what's the big deal?
MrJynxx
The school in question is Western Washington University.
The class is Computer Security CS461, taught by David Bover. (He also happens to be the head of the CS department.)
So run a tripwire on a handful of random ports, well away from normal traffic. Trip one or two and your IP gets banned or, if you're feeling vicious, redirected to a honeypot server.
Which doesn't harm this assignment in the slightest- since the actual assignment is to report what they saw during the scan, not what is the truth. If what the student sees during the scan is exactly what the professor sees during the scan, then the student gets the grade. Likewise, you'd have to do a lot more detective work than just redirecting traffic to a honeypot server to actually tie an IP address (possibly a dialup IP address) to a name to prosecute. If your time is so unvaluable that suing people for such a minor infraction is profitable use of your time, then you should be far more worried about developers in Bangalore than some student doing a port scan who is never seen again.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
So my point is it may be legal in some countries and illegal in others, I don't know. As well as he may be unintentionally launching a DOS attack.
What does this prove anyway? He should set up an isolated lab with various servers at various levels of 'hardening' and turn the students loose. The first person to crack a BSD machine would automatically get full credit. Minimal points for an unpatched Windows box.
While we're at it, why don't we just put some anthrax infected sheep into the subway or unleash rage infected monkeys into the dorms, just to see what happens?
putting the 'B' in LGBTQ+
Likewise, you'd have to do a lot more detective work than just redirecting traffic to a honeypot server to actually tie an IP address (possibly a dialup IP address) to a name to prosecute. If your time is so unvaluable that suing people for such a minor infraction is profitable use of your time, then you should be far more worried about developers in Bangalore than some student doing a port scan who is never seen again.
Who said anything about prosecution? I just want to waste their time, while keeping them from wasting mine.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
I don't know if I'm posting this in time to get an answer, but I just thought I'd ask a related question... with these kinds of stories, I always see people write comments such as, "if I saw that someone was poking at my ports to see if any of them were open..."
Well, I'm not a sysadmin so I don't know much about this kind of thing, but what software do you use to "watch" your computer to see if people are poking at it? I'm wondering about how to do this with primarily Linux, but also Windows, and OSX...
As far as I understand, on my Linux machine as long as I don't have any servers running on a particular port, I'm not open on that port. And even if I have, for example, rsync running, which I use between machines in my home, if it's not passed through my router's NAT, it's not available to the internet, right? How can I check if someone's poking at me? (I use a D-Link router and Gentoo Linux)
Here is the actual assignment. Looks like he carefully told students not to hack into anything.
http://niksbox.net/Assignment3.pdf
I honestly don't know - check your local computer crime laws before trying it out, and check with your service provider. They can easily give you the chop even if the action is technically legal. Don't assume it's OK just because it's not supposed to do any damage.
"It doesn't cost enough, and it makes too much sense."
"When did Snorting a remote network become illegal?"
Just last year, where have you been? The War on Drugs is never ending. Congress will stop at nothing to save you from yourself, even if you are trying to suck a ground up motherboard into your nose.
Just Say No!
Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
There's a dam about a mile from my house and one day after a huge rainstorm 2 years ago I rode my bicycle down to the dam to watch the overflow. It was spectacular. It was about 8am saturday morning. I took my pocket digital camera and started taking pictures.
All the local guard came out and asked me who I was. I pointed out that I was a neighbor and they made me leave.
Now, I guess I could push the issue, but there's no doubt I'd be arrested.
So taking pictures these days in public is not appreciated.
Script it. Pseudo code to follow: I wrote something like this long ago but turned it off because of the amount of emails sent. But I could have just put in a counter to alert on the most egregious offenders like the SOB that attempted 2147 login attempts on my openssh server in a 10 minute time span.
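One way to build the counter the comment above describes, as an added example rather than the poster's script: failed OpenSSH logins are counted per source in a sliding 10-minute window, and each source is reported once with its peak count instead of once per attempt. The sample log lines, addresses, year and threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches sshd "Failed password" lines as written to a syslog auth log.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+) port \d+"
)


def failed_logins(lines, year):
    """Yield (timestamp, source) per failed login; syslog omits the year."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"]


def worst_offenders(lines, year, window=timedelta(minutes=10), threshold=5):
    """Return [(source, peak failures in any window)], worst first.

    Lines must be in chronological order, as they are in a log file.
    A source appears only if it reached `threshold` failures inside one
    window, so occasional typos never generate an alert.
    """
    recent = defaultdict(deque)  # source -> timestamps still inside window
    peak = {}
    for ts, src in failed_logins(lines, year):
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()  # drop attempts that have aged out
        if len(q) >= threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return sorted(peak.items(), key=lambda kv: (-kv[1], kv[0]))


def sample_line(minute, second, src, user="root"):
    """Build one constructed sshd log line for 03:MM:SS on Mar 14."""
    return (f"Mar 14 03:{minute:02d}:{second:02d} host sshd[4242]: "
            f"Failed password for {user} from {src} port 50000 ssh2")


# Constructed sample: a burst of guesses, a user with typos, a slow guesser,
# and one successful login that must be ignored.
SAMPLE = sorted(
    [sample_line(i // 6, (i % 6) * 10, "203.0.113.9", "invalid user admin")
     for i in range(12)]
    + [sample_line(m, 30, "198.51.100.20", "alice") for m in (5, 25, 45)]
    + [sample_line(m, 0, "203.0.113.77") for m in (0, 5, 10, 15, 20, 25)]
    + ["Mar 14 03:46:00 host sshd[4242]: "
       "Accepted password for alice from 198.51.100.20 port 50000 ssh2"]
)

if __name__ == "__main__":
    for src, count in worst_offenders(SAMPLE, year=2006):
        print(f"{src}: {count} failed logins within 10 minutes")
```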
The school in question is Western Washington University. indiana.edu The class is Programming on the Go B490, taught by Kay Connelly. (She also happens to be the Associate Director of the Center for Applied Cybersecurity Research)
Who said anything about prosecution? I just want to waste their time, while keeping them from wasting mine.
Well, the school did for one- any student caught scanning school computers will be referred to the Dean. My suggestions were to go to machines that are far less likely for anybody to be paying any attention to port scans in the logs.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
How would you teach security if not by trying out the attack tools?
I don't see what the hoopla is about here. He asked them to do a scan, not open them up and format the hard disk or download files on it.
Maybe his next assignment is the ethics. Maybe it's just a test to see if any of his students find this ethically wrong and refuse to do it. Maybe he would have given them extra points.
I run several servers on the Internet, and I get port scanned all the time. Even more so at home, where my dynamic DSL IP is hit by worms many times each day.
Dear American proto-hackers, you are welcome to come to Europe and learn the tools of your trade here. We meet every year between Christmas and New Year at the CCC Congress, and we have a LAN there, so people can get acquainted with the tools.
Unless they define the limits of the task quite tightly, I'd imagine that were one of his students to take it too far, then he'd be held partially responsible for any criminal activities. Also... Not really a great idea if some company comes a-knocking...
"Well... Yeah that is how the law works with intrusions, but port scanning is not breaking in (intrusion). It is like you walked up to someone's house and checked to see if the door was locked without actually even opening the door."
Where I live, that is quite clearly aggravated trespassing and actually justifies the use of lethal force.
Going up to the porch is acceptable. Trying the door is attempted burglary. Jumping the back fence is criminal trespass, and trying the backdoor is burglary.
-fb Everything not expressly forbidden is now mandatory.
Going up to the porch is acceptable. Trying the door is attempted burglary. Jumping the back fence is criminal trespass, and trying the backdoor is burglary.
Then again what if it's a store? Or the person thinks it is a store? Would you arrest someone because they walked to a place and pushed on the door?
I can't think how many times I tried to enter a place only to find it was locked. Maybe it was the wrong entrance or after hours, but doesn't mean I had intention of breaking in.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
is that something like a brazilian wax?
It's a bit like open source software. The information is public, what problems are there by students looking at it. As long as they don't actually compromise anything, they could be helping IT security.
In this case, I think the IT Staff are being idiots.
In Soviet Russia the insensitive clod is YOU!
"Then again what if it's a store? Or the person thinks it is a store? Would you arrest someone because they walked to a place and pushed on the door?"
The distinction is usually framed in terms of whether a reasonable person would believe it was acceptable. In a strip mall at 3:00 in the morning, you'd better have an explanation. A store that's usually open at 3:00 in the afternoon, but the door is locked, it's reasonable to try the door.
"I can't think how many times I tried to enter a place only to find it was locked. Maybe it was the wrong entrance or after hours, but doesn't mean I had intention of breaking in."
And the store owner would likewise have no reasonable apprehension of his life or property being in danger. He would be wrong to detain you or use force against you in a situation where you acted reasonably -- and he would be liable for assault if he did so. As for law enforcement officer, it's up to the officer to determine if there is cause for suspicion, and you could indeed find yourself in a position where you'd have to explain to the officer's satisfaction that you thought the door would be unlocked, open to the public, etc. Whether police officers are always able to take the point of view of "a reasonable person" is a subject of some debate, but you can be sure the state will take that view...
If keeping the peace were as simple as an elementary flowchart, we would never have needed a system of justice. I don't understand why people insist on trying to narrow down the idea of law and order by focusing on corner cases, or by trying to force false analogies to fit. (If I had a dollar for every time someone has explained copyright infringement in terms of stealing a car...)
-fb Everything not expressly forbidden is now mandatory.
The hyperbole displayed in this post is exactly the sort of behavior that computer security professionals should avoid engaging in. People who take undue offence at obviously innocent acts and run around making completely unfounded accusations of mal-intent and criminal liability are the sort of network operators who can make a workplace a living hell for people who are trying to get things done. It's a power trip and in a serious corporate environment it is totally inappropriate. Security professionals should be focused on real threats to business continuity rather than getting their rocks off by hunting down port scanners. It should be painfully obvious that nothing about this assignment is either illegal or immoral. The students are asked to perform a vulnerability assessment. They are asked to collect information; they are not asked to act on that information and break in. If you want to understand how security gets done it makes sense to take a look at someone who is doing it and see what they are doing. It's the kind of activity that might raise suspicion in the event that the intent was to use the information collected in the subsequent commission of a crime, but that obviously isn't the intent here, so there is no REAL problem. If your Internet connected computer is so weak from a security standpoint that this kind of snooping is enough to impact your operation then I suggest you stop reading this and go check on it because you are probably offline right now. Obviously one needs to be careful in performing this sort of audit that one doesn't use aggressive tools that can impact the operation of a host, and students do need to understand the difference between collecting information and obtaining unauthorized access. It might make sense for this lesson to be bundled with a serious conversation about the ethical issues.
Obviously, it would be preferable to ask students to look at a honeypot host rather than examining someone's live network, if for no other reason than this kind of probing is suspicious and, albeit EXTREMELY unlikely, could cause administrators to waste time investigating. However, to suggest that performing this kind of information collection against a remote host is a crime regardless of the intent of the exercise is, frankly, "just plain stupid and ignorant." SANS security ought to relax. The likelihood that any of the targets of this exercise so much as noticed it is infinitesimal.
http://www.hackthissite.org/
or google for "hack my server"
p.s. didn't RTFA.
This is just amazing. By amazing, I mean to say an affront to ethical teaching. It promotes the wrong idea about proper conduct on the internet. It will spawn tons of alarms on different networks. Companies who get scanned will lose countless dollars and hours figuring what new attack was underway.
I strongly believe that the professor should be fired. The students should be told to NOT go forward with the assignment. And the name of the professor and university should be released so that such unethical or thoughtless behaviour by the professor and double-standard thinking by the school can be revealed and acted upon.
I can't believe the school would come back and say that the professor would not be reprimanded, that the assignment can go forward, but not to scan their own computer networks. This implies that the school admins know that it is a security issue and questionable behaviour, but is allowing it to go forward on the internet. Complete and utter retarded and *ss backwards thinking and reasoning.
For some companies I've worked at, a scan is reason enough to ban your IP, if not your IP address block. Performing a scan is grounds for dismissal, if not initiation of criminal charges of misuse of the business systems. This was the case at my old university. Misuse of school systems resulted in dismissal and/or legal proceedings.
The correct and responsible means of testing would have been to set up a training network. Obviously, there is a complete lack of responsible planning on the part of the professor and the school. Or perhaps a lack of understanding of what they are setting up their students and themselves up for.
The student who brought this up REALLY needs to bring this to the attention of his/her fellow students and prevent them from getting into trouble with businesses and the authorities.
Just because your superiors tell you to do it, doesn't mean it's okay to do it.
Winged Power Photography
I don't understand what's the big deal. Yes, it has some degree of illegality. However, would it also be illegal if you were a consultant for any company wanting this type of probing on their servers? No! So why not simply ask local company X if they would be interested in a free analysis of their servers which is normally valued at $xxK. I'm sure there would be many takers. You now have eliminated all illegalities in your assignment and can proceed with it. It's that easy. No need to get all butt-hurt about it.
http://www.be.wvu.edu/divmim/mgmt/kleist/MANG%20493S%20Syllabus%202006.htm
Mon., 4/17/06 25 Wireless Security HOMEWORK/LAB 4, 5: Wardriving exercise in Morgantown with Apple laptop and Netstumbler, GPS device. Turn in a one page detailed description of the lab procedure, software and technique as well as a printed map of wireless access points in a certain geographic area of your choosing. NOTE: DO NOT HACK INTO THESE NETWORKS EVEN IF THEY ARE WIDE OPEN WITH NO PASSWORD AS THIS IS ILLEGAL. (Counts as 25 points). Due at beginning of class 4/22/
Note: in some areas, the very act of wardriving is illegal.
Winged Power Photography
I'd tell the professor to 'sniff my packets' for sure!
If he really wanted to teach them the art of secure network recon, he should make the assignment 'syphon our network without being detected'. *of course, that one would probably be too easy, hence the un-named university. =p
the only permanence in existence, is the impermanence of existence.
Unless the school has a segregated network specially set up for this, there could be all kinds of potential problems.
Students running sniffing tools could see data that other students might consider confidential (even regardless of university policies that might not cover this).
Some scanning and sniffing techniques may compromise the network, and risk crashing workstations, servers, or network devices.
I wonder what the professor's response would be if a student were able to monitor the professor's computer session, or capture his e-mail.
Of course, a fast-track to an "A" might be for a group of students to set up an enclave of systems, set up attacks, and monitor them with appropriate tools.
One paper I published (2600 Magazine. It's also on my website) - I described how a neighbor came onto my wireless network, and how I was able to watch him with various tools. Naturally, I kept my data on a separate drive and powered down. These students could set up a wireless access point, and see who comes onto it.
Sam Nitzberg
http: / / w w w . i a m s a m . c o m
s a m @ i a m s a m . c o m
Our assignment was very similar to this, except it was to discover the number of nodes, the routing, etc. of the network in one particular building on the campus (housing our classroom) - no port scanning, no attempts to compromise anything, but simply to "map out" the building's network.
One telltale phrase that hit a nerve with me was something that I remember nearly verbatim: "using tools available in the public domain." The examples he gave were essentially tools like traceroute, ping, etc.
Nobody in the class thought there was anything questionable about this, let alone illegal.
When you're not looking, this sig is in Latin.
Universities exist to promote advancement of knowledge and create citizens that will change society for the better by challenging existing dogma. As such, they have a responsibility to allow any legal means of inquiry and even support illegal but meaningful and essentially harmless pursuits such as civil disobedience. A university is not your dinner table and they shouldn't be able to dismiss students for farting.
Your stupidity, bleeding off the page, hurts me. It really, really hurts. Your ignorance is partially excusable due to the SANS's horrendous misrepresentation of the assignment, but still, you had to take it one step further.
the police ate my homework!
You're overreaching here.
There could be a lawsuit, but only because one doesn't need much justification to file a suit. To avoid being laughed out of court, however, you need to put together a better story than that.
Why hasn't slashdot ever heard from the G.N.A.A.'s lawyer?
It's not offtopic, dumbass. It's orthogonal.
At my school, I only ran into one teacher who ever used that term in describing an exam. The teacher was noted for being ridiculously difficult in comparison to any other teacher in the course. The drop rate from her class was fairly high. Her reputation included words and phrases like "Unhelpful" and "take anyone but her if seeking a Gen Ed."
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 SU CK IT MP AA
(Just playing devil's advocate here, I do not actually think that any of what I'm about to say is morally right in any way.)
Since when did allowing someone to access my web server become a right instead of a privilege that I specifically grant and can take away from anyone I choose at any time?
It happened the moment you decided to offer access to the public at large.
Let's try an example: Can shopping malls expel people for being black?
Not at all similar, you say? Too racial? Okay, try this one instead: Can shopping malls expel random people for no reason whatsoever?
The answer to both of those, BTW, is no. Despite the fact that it's private property, it's nevertheless considered a public area because the public is granted admission. The owner can eject somebody for cause (making a scene, acting inappropriately, etc), but he cannot eject random people for no reason at all.
Now, the mall *can* eject people for being black or just at random, but then they are setting themselves up for a lawsuit that they might lose.
Similarly, while you'd be well within your rights to block anybody you like for any reason you like, if you do it without cause, then you're setting yourself up for a lawsuit that you might lose. Blocking an entire ISP because of a single user of that ISP portscanning you is a shotgun approach. It causes financial damage to that ISP. Now, assuming that the ISP notices and cares, then yeah, they could probably sue you for it and they might even win.
Take the controversial issue of spam blocking for another example. Consider the MAPS service. They publish lists of ISPs they don't like for being friendly to spammers. Other people/ISPs use these lists to filter email from these ISPs out. Result: MAPS has been ordered by courts to remove some of these ISPs from their lists when the ISP sued the MAPS people. This has happened on a number of occasions. Now, is it MAPS's right to make these lists in any way they see fit? The obvious answer is yes, however if in making these lists they can knowingly cause damages to ISPs (and since their stated *goal* is to financially damage ISPs in order to make them eject the spammers, they can't really argue otherwise), then some courts have said that they are liable for their actions in that respect.
Is it right? Well, that's debatable. But it is what it is, and the grandparent was correct, you are not guaranteed to win a suit in such a circumstance.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Hell, set up some kind of a honeynet with several types of servers (Windows, Mac, *nix) in various states of security.
Nah! Too difficult to do.
You don't have to set up a honeypot or honeynet or whatever,
or do anything special, just scan any unpatched windows machine and that should be easy!
Finding Spyware, Malware, Backdoors, Trojans and dialers are bonus points.
BTW, you may not use Windows and Security,
in the same sentence, since that's a contradiction.
Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.
At no point in this does the professor state to do it on a public computer. Hell, port scan your own PC. Over the internet. Using nmap. Jesus. What is the world coming to when the "security professionals" can't read English or think outside of the box. It almost makes me ashamed that I read their site so often.
Your sig(k) has been stolen. There is a puff of smoke!
Thank you for your submission. We do attempt to reply to all e-mail if possible. However, due to the volume of message we receive, we may miss one or two. Please accept our appologies if your e-mail is not responded to right away.
It may come as no surprise that the author of this article made so many logical fallacies in her rant. She probably hasn't taken English 101. Neither, apparently, has the web designer (who made at least two errors in the above quote).
Your sig(k) has been stolen. There is a puff of smoke!
It is not that the ISC is ignorant of the facts: several students have sent them the full text of the assignment (which has also been posted here). It is that the full assignment, including the following:
contradicts the story they have fabricated about a reckless professor urging his students into felonious activity. At no point did the assignment require activities that were illegal, immoral, or in violation of a literal reading of the university's acceptable use policy. To the contrary, any student who commits a crime does so on his own will and against the explicit instructions of the professor.
Yes, there are system administrators at the university who oppose this assignment, but this opposition is far from unanimous. Obviously the administrator of a poorly secured network does not want the vulnerabilities exposed. However, security through obscurity is irresponsible, and ultimately it is these admins who deserve the punishment (perhaps this prompted the efforts to squash the assignment?). You should note that some of the same admins who oppose this assignment routinely port scan the entire university network.
The truth of the matter is that this assignment is painfully appropriate to a computer security course, and is a great example of an academic assignment providing valuable, real-world experience.
Please let go of the conspiracy theories, this is a group of mature, responsible* and talented students, not a rag-tag bunch of script kiddie / hacker / terrorists. The professor is a well-respected professor of which I have heard nothing but the best praise. I promise you that nobody affiliated with assignment has any intent to harvest your ill-secured server into some massive zombie net, stealing your information or otherwise harming you. Twenty students scanning twenty machines is not a DDOS, no one is going to lose thousands of dollars in man-hours hunting down that befuddling port scan. For better or worse, unsolicited port scans are a fact of life. Be glad that the machine at the other end is a well-intending student who will relay to you - not exploit - any vulnerabilities he finds.
Now may we please put pressure on the ISC to promote responsible journalism by providing readers with the full story, even if it isn't as sensational as the story they wish it was? If anyone should be in risk of losing his/her jobs, it is the irresponsible and dishonest author of this diary.
* Yes, there is an ethics course - it's mandatory.
And by the way, to clear up one small additional point of confusion on the part of the author: winter quarter 2006 takes place, believe it or not, in the winter of 2006.
If we start buying CDs then the terrorists have already won.
A server that can't survive this is like a baby left outside in the winter in Alaska... it shouldn't be there in the first place.
--
Being paranoid is a part of the job...
I don't care if you're talented. You have no idea how a scan is going to affect whatever applications I have running off of that pipe. What may not break one network may most certainly break another. You, with all your talent, can still make a mistake. I've had it happen to me and the reason why I was able to quickly recover was because I KNEW I WAS BEING SCANNED BEFOREHAND! Vendor comes in and says "Oh, this is going to be harmless." and surprise one little Nessus scan brings down half the unix farm until I unplug the laptop. If I really want you pen-testing my network then I'll bring you in as an intern. That way I know about and accept the risk I want to take instead of the unknown.
You make this bold, sweeping statement about security through obscurity but reread your quote. "You may" not "You will." The students do not have to turn in their work to the company they scanned so there is no way for that organization to take those findings and improve their system. If this was some big noble cause why didn't the prof contact some local businesses and have them agree to a pen-test in return for a report? The fact that the administration reserves the right to discipline any student that uses this assignment to scan the school's network speaks volumes. Your comment about admins who oppose this are ones who routinely port scan the school's network is a fallacy on so many levels that I simply chose to ignore it.
I don't care if the prof is going to cash his Nobel check and give the money to the starving poor in Africa. The assignment was ill conceived from the start. It wasn't professional or academic and there were viable alternatives other than going out into the wild and poking around people's perimeters without permission. What? Haven't heard of a test lab?
Absolutely nothing in your post has dissuaded me from the opinion that this entire issue was just plain dumb.
I don't want knowledge. I want certainty. - Law, David Bowie
I am not sure that we are in disagreement, perhaps you misjudged the point of my comment. The threads of this conversation have been littered with misinformation, an abundance of analogies involving car doors, and random calls for people to be arrested and to never teach again. A great deal of this stems from the ISC's awful coverage of the issue, a diary which foresees "incarceration", "expresses sympathy" to the families of the students, accuses the professor of being a "miserable failure" and otherwise grossly distorts the reality of the situation. It was this that I aimed to clarify. And please, may I ask you to swap out your pronouns and put "you" back in the closet. I am not the professor, I am not in the class, I never proclaimed myself talented and I am not going to port scan you - relax, I am friendly.
Despite the sensationalism of the ISC's writeup, there are legitimate concerns about this assignment, some of which you addressed. Specifically, there is the potential for this assignment to pose a risk to the machines on networks of innocent bystanders, even without the illegal exploitation of vulnerabilities that the diary suggested. As much as I enjoy your condescension, I have in fact heard of a test lab, and personally, I think that a test lab / honey net / willing company would all be great solutions.
Despite having read excerpts from the assignment, it is still clear that your ignorance flavors your judgment. Typically the instructions regarding an assignment go beyond the print-out, so you cannot know whether the concerns you expressed are being taken into consideration or not. Honestly, I don't blame you for jumping to the conclusions you have; with the amount of information available online, your jump was fairly sound. You have every right to feel the way you do, but if it provides any comfort, I am confident that you are underestimating the professor.
My point regarding the admins was merely that the university's machines and networks (unlike some, apparently) are robust enough to withstand the port scans. Obviously the set of appropriate activities differs from admin to student. In this case, it is simply a matter of the port scans posing a greater threat to the admins than to the network. The students had already self-censored themselves to avoid networks containing sensitive student information, the registration system and anything else that might affect important day to day operation. There are in fact many networks on campus that would be great for this assignment; the administration's over-reaction is unfortunate both for the students and for companies such as yours.
This is the first time that this class was offered at the university, and I would be surprised if serious changes weren't made the second time around. Even as this whole thing dies down, the discussion remains valuable because similar assignments are conducted at universities across the nation (it's always good to make an example out of someone now and then). I am not here to dissuade you of anything, merely to clarify the sensationalist one-sided journalism spewed from the ISC's diary. Their irresponsible writeup is pleasantly contrasted by the legitimate concerns discussed in your post, even with your scolding tone. Good luck to you, I wish no harm to your network.
If we start buying CDs then the terrorists have already won.
Contrary to popular belief amongst security professionals in the United Kingdom, port scanning is in fact illegal under UK law - Computer Misuse Act (1990). I am currently studying for an MSc in Information Security at the Royal Holloway, University of London and this matter actually came up during one of our lectures. It was hotly argued and debated, but our lecturer John Austen (Former head of the Metropolitan Police Computer Crimes Unit, New Scotland Yard) assured us that it was the case.
Warn those students not to scan UK-based systems, or they could end up in hot water. The UK's law states that either the offender or the system must have a "significant link" to the UK, so an American scanning a UK system but from the US would still fall foul of this law. The UK & US have a bilateral extradition treaty for computer related offenses, as has been demonstrated in the past.
Had I been given this assignment I'd do the same thing I've done numerous times before: ask a friend to have a duel between our home computers. Every time I change my firewall I get him to bang on it just to check. When I get a new tool I often let it loose on his home machine (with permission). There is no reason at all to assume that this assignment requires the students to break the law. Any computer on the net can be considered "an internet server" if it responds to even one port or a single ICMP type.
It MAY be a problem for the students on a campus network in their dorms because of the IT department's policy, but those who have their own 'net connection can do it without breaking the law. Give them a little credit: Any student who has made it to this class will already know how to act responsibly on the net.
There's nothing to see here. Move along...
On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
I just had a similar assignment last quarter at a technical college in Southern California. The professor even told us where a company was that had a wide open wireless network. The company could "theoretically" be hit discreetly sitting in a car in the supermarket parking lot with an 80% connection. Once there you would have access to their internal network as well as the Internet. But I would never do anything like that. That's just wrong. :)
I don't believe in karma, I just call it like I see it.
Let's see if I can translate. Campus IT considers the required activity an attack, so the solution is to REQUIRE the students to attack unwilling 3rd parties and burn their resources instead. The school apparently feels no responsibility to PAY these 3rd parties for the mis-appropriated (that is, stolen) resources it uses for the purpose of collecting tuitions?
Before anyone asks what resources, consider the extra man hours that will be spent if/when 3rd party network admins detect that someone is 'casing the joint'.
Next, I suppose sociology students will be required to hang out in front of old ladies' houses and report on things such as did she look scared? Did she call the cops? etc.
I can certainly see the value in the exercise, but the professor and/or the school should be the ones expending the resources to provide the students with servers to scan. They may do that EITHER by building their own example network, OR by contracting with a willing 3rd party to allow their network to be used.
port scanning is not breaking in (intrusion)
... The same applies to an ftp server with an anonymous login, or a telnet session without a password.
I was replying to the GP, who stated:
If someone does not want me to use their server, it is their responsibility to deny me access.
He is talking about way more than port scanning.
It doesn't hurt to be nice.
Perhaps the point to the lesson is to see who does it and then fail them...
You have to teach ethics someday particularly given the "information wants to be free" and the "I should be able to share _your_ property however I want" crowds.
Dan