Professor 'Packetslinger' Assigns Questionable Task
mrowton writes "A professor at an undisclosed university recently assigned a practical for his computer-security class. The practical, which is worth 15 percent of the students' final grade, requires students to perform reconnaissance on an internet server using tools available in the public domain. While the university is allowing the practical to continue, it has also stated that the techniques should not be performed on their own web servers. If students are caught performing any scans against university computers then it would prompt: "Disabling their student account and referring them to the Student Dean of Corrections." The assignment was enough for SANS to dub him 'Professor Packetslinger of the School of Loose Screws.'"
Now who would be the WB to publish the name of the university here?
I wonder if that paper will attract more students because of the assignment. Guys, whatever you do, just don't TK.
Virtual Betting on Facebook for non-geeks.
I thought there was a case not too long ago that says a scan is not an intrusion, thus is not illegal.
Why doesn't the professor construct a cheap server, with security out the wazoo? Then let the students attempt to bring down the sand box, rather than randomly probing servers which are probably used to run a business?
Dean of Corrections? good lord... =b
The World Wide Web is dying. Soon, we shall have only the Internet.
Scanning a system is not illegal... trying passwords would be, but seeing if anything is listening out on a host is not in any way illegal.
The phrase "more better" is acceptable English. suck it grammar Nazis
He's not supplying his own honeypot servers, and didn't get the University to allow use of campus servers either? I'd think he could sell it to the IT group as a hardening exercise, since students would have to do full disclosure to get credit anyway.
Yup, just goes to show you that "smart" and "fool" aren't antonyms.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
Yeah, my money's definitely on Dan.
Dewey, what part of this looks like authorities should be involved?
If a police officer needs to test out shooting a gun, he goes to a firing range. You wouldn't have him field test it.
I feel for the prof, there isn't a good "firing range" on the internet. It would make for an interesting business. Set up a virtual network of servers with targets/exploits and have the students try and hit them.
They should have an assignment that each student rob, or break into a bank. Any attempts to break into school secured areas would result in immediate suspension.
If you change it to anything other than an 'A' you automatically fail.
He who knows best knows how little he knows. - Thomas Jefferson
Legal solution #1: Contact a local business, explain you're a student learning about computer security, and ask for permission to hit their server.
Legal Solution #2: find out the address of a home computer on a broadband connection and hit that, preferably a friend who knows you're doing it or yourself.
Illegal Solution #1: Find out the address of a home computer on a broadband connection owned by the kind of luser who doesn't even know they have a log let alone how to check it.
Illegal solution #2: Hit a BUSY public server that you know is locked down well and likely to have only a single discoverable service, such as www.google.com, thus also giving the wonderful ability to turn in a two line report and STILL get the full purpose of the assignment; bonus points for mentioning the port ranges that were in stealth mode.
The last two are available due to the fact that most sysadmins aren't being paid to look at logs all day; and that home users don't have the extra cash to pay a sysadmin at all.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
If I notice someone poking around at my systems in such a way that looks like it's looking for exploits, I'll contact the ISP responsible and ask them to have a chat with that user. If they blow me off, I'm likely to blacklist the ISP entirely.
Just like with your house, while it might not technically be illegal for you to sit on public land and case my house out like you are going to break into it, you can bet I'll object if you try.
The NSA issued a press release stating that its whole domestic spying operation was just part of a homework assignment.
AKA Warden?
Is it a university or a prison?
We did this as an assignment for a network security class at the small community college I attended. As long as the students are gathering information and not launching an assault, what's the big deal? Though I have to say that the college considered all the students to be a security risk and so forced us to stay off the campus net during class. They would also pay close attention to anything we did when we were on the network.
nothing to see here move along
Why not put up a couple of servers of different types on an isolated network at the school and then let the students bang on that. At least they would be able to go through the logs of the servers in question legally. Also, they could packet capture the entire event and review in class.
It wouldn't happen to be Whitman at Kennesaw State, would it?
... School of Loose Screws ...
Unless you're majoring as a PC Technician, you are more likely to lose your marbles than your screws in the IT department. My marbles disappeared a long time ago.
a. Subtract marks for students that scan government servers. b. Bonus marks for the student that sets up his own web server and then scans it.
Oh well, what the hell...
When did Snorting a remote network become illegal?
Hey, personally I think this sounds like a good assignment IF the professor provided his own servers. These are tools that anybody gaining knowledge in computer security should be familiar with. How hard would it be for the professor to set up a Windows and *nix box with some public services running, and host it from his home connection or at least get some university resources dedicated to it?
-Eod
SANS seems to take it for granted that portscanning is illegal and immoral. However, I can't find anything on Google, and of course, IANAL. Is there any case precedent in the United States for the illegality of portscanning?
I would hazard a guess that it is not illegal. It is the equivalent of looking at a house from a public vantage point to see if any windows are open. Although such an action is suspicious (the person may next try to get in through a window), it certainly isn't illegal, at least in the United States. SANS seems to be overreacting.
There's no sig like this sig anywhere near this sig, so this must be the sig.
Get caught and you fail. Make a set of files on the server progressively more difficult to hack/open/retrieve.
Easy file to hack = C, More difficult file to hack = B, Very difficult file plus leave a calling card = A
A closed mouth gathers no foot.
I of course mean running Nessus against a remote network... doh.
This sounds like something a Prof I had in school would do and subsequently, a reaction my university would have taken to it. Note that I'm not claiming this is going on there, just saying it doesn't seem like an outside possibility for any school.
If this is taking place at my alma mater or a similar institution then I can tell you how it probably went down.
A: Prof comes up with a realistic assignment for a university level security course and weighs it heavily since he is lazy and can only come up with one or two good assignments.
B: The school denies his department's requests for funds to set up a server for this and any further course work.
C: Prof is lazy (see point A) and so continues the assignment.
D: School responds by threatening disciplinary reaction.
Of course this places the students in a catch-22. They can either scan a university system and face possible action if detected or scan an external system and face possible legal action. I suppose they can also disregard the assignment and face possible failure.
This is irresponsible on the part of both the university and its faculty.
... on efnet in #conf.
For extra bonus points, social engineer your way into the server, preferably using this situation as the scenario. "Yes, I'm from University Computing Services, I was told that you recently had a security threat concerning some students instructed to hack into your system......"
A similar occurrence happened at my university (University of Delaware). When I was an undergraduate, I took the 400 level security class. (The teacher isn't a professor, but he's a staffer who happens to be amazingly knowledgeable about all areas of unix and networking.)
The assignments were some of the most practical security assignments you could imagine. For one assignment, he gave us the location of a target machine, and told us to "break in and find something that would make people a lot of money". The trick was to scan it with Nmap across an obscene number of ports (he was running a compromised telnet server on some really high port - like 11,000), telnet in, and look through the files to find a fictitious email about a stock buyout. ("But make sure not to scan any machines besides the target machine!") In another one, we telnetted into a mail server he set up, and emailed the TA with a faked 'from' address. "If it looks fake, you lose points", so you had to make damn sure to get all the fields looking immaculate. Another assignment was he gave us an XOR encrypted message, and we had to crack it. (The trick was to look for large areas with spaces, which gave away the key)
It was, all in all, a great class. Just one problem - the IT people *hated* the class. He told us he got a complaint during the Nmap assignment that it had been used to run 150,000 scans on campus machines. The computer science department adamantly defended the assignments, as important learning tools. It's an important issue of academic freedom, and (last I had heard) the CS department's concerns trumped IT's complaint.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
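The XOR exercise described in the comment above, as an added example that is not part of the original post or the course it describes. It assumes a short repeating key and a plaintext padded with spaces (the key, memo text and function names are constructed here), and generalizes the "spaces give away the key" trick to a most-frequent-byte guess per key column over several candidate key lengths.

```python
"""Why repeating-key XOR leaks its key when the plaintext is mostly spaces."""
from collections import Counter
from itertools import cycle

SPACE = 0x20


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def guess_key(ciphertext: bytes, key_len: int) -> bytes:
    """Assume the most frequent byte in each key column is an encrypted space.

    A space XORed with key byte k is k ^ 0x20, so XORing the most common
    ciphertext byte of a column with 0x20 gives that column's key byte back.
    """
    key = bytearray()
    for i in range(key_len):
        column = ciphertext[i::key_len]
        most_common_byte = Counter(column).most_common(1)[0][0]
        key.append(most_common_byte ^ SPACE)
    return bytes(key)


def printable_score(text: bytes) -> int:
    """Count bytes that are newline or printable ASCII."""
    return sum(1 for b in text if b == 0x0A or 0x20 <= b < 0x7F)


def recover(ciphertext: bytes, max_key_len: int = 12):
    """Try each key length and keep the shortest one with the best score."""
    best_score, best_key, best_plain = -1, b"", b""
    for key_len in range(1, min(max_key_len, len(ciphertext)) + 1):
        key = guess_key(ciphertext, key_len)
        plain = xor_repeat(ciphertext, key)
        score = printable_score(plain)
        if score > best_score:  # strict: multiples of the true length do not win
            best_score, best_key, best_plain = score, key, plain
    return best_key, best_plain


# Constructed sample: a column-aligned memo, padded with spaces to a fixed width.
KEY = bytes.fromhex("a73ce15a9d")
MEMO_LINES = [
    "TO:    TA",
    "FROM:  lab",
    "RE:    quiz 3",
    "",
    "room   214",
    "time   0900",
    "bring  pencil",
    "notes  none",
]
PLAINTEXT = "\n".join(line.ljust(32) for line in MEMO_LINES).encode("ascii")
CIPHERTEXT = xor_repeat(PLAINTEXT, KEY)

if __name__ == "__main__":
    key, plain = recover(CIPHERTEXT)
    print("recovered key:", key.hex())
    print(plain.decode("ascii"))
```
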
But there's always the LAPD
You better watch out, there may be dogs about . .
This professor should be prevented from having any contact with computers for 5 years, and from communicating with or being within 100 yards of anyone under the age of 30 for 10 years.
How utterly irresponsible can a college professor actually be?!?!?!?!?
RHCE; are you certified? Karma: ambiguous.
Having his minions secretly listening in on things that they have no legal right to? Nah, that reminds me of a different candidate.
I could see some profs doing it out of stupidity, but I could see Dan Bernstein doing it entirely out of arrogance...
Oh, you're not stuck, you're just unable to let go of the onion rings.
i'm here to packet and chew gum....and i'm all out of gum
You can't 'snort' a remote network - snort is a Network Intrusion Detection System, so it looks for attacks against you on your local network.
"It doesn't cost enough, and it makes too much sense."
They had a ninja Chunin exam with extremely hard and actually unanswerable questions. The point of the exam was to actually force students to cheat in order to fail the ones they could catch.
At the end of the exam anyone left (who stayed voluntarily after the 10th question) was passed regardless of whether they had written down any answers or not.
As long as they hadn't got caught cheating so the expert cheaters were passed.
After all... The goal of the Ninja is to be able to acquire information undetected.
Perhaps, the only way to pass this class is to be able to do these tasks without getting detected by the university or authorities.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Smart and fool go together as often as not. Never have you met so many people that can know so much about so little, people with mountains of theoretical knowledge and no idea how to apply it at all. We have a lab in our building that is devoted to studying networking, and literally most of the people in there couldn't point out the switch in their room, people that have, with a straight face, used the phrase "statically configured dynamic address". It's not like these are art majors who just don't know anything, they are all engineers who are studying networking.
That something like this happens really isn't that surprising to me. You get grad students and professors that have spent a lot of time on theory but have never applied the knowledge in meaningful ways and are out of touch with the real world. Thus they make requests and demands that are totally off the wall because the mental picture they have of how things work isn't anything like how it really works.
I'm in the class which received this assignment.
I am both an undergraduate CS major and a system administrator on campus. I work with the top-level sysadmins that complained about the assignment, and who likely reported it to the ISC. They're good people that know their stuff, but I think they acted poorly by publicising it. It was a simple assignment which meant no harm. The class has never been taught here before. The CS department's reading of the university AUP and Ethics Policy differed widely from the administration's, and a simple email could have eliminated the confusion. Instead it's on Slashdot.
I think the ISC and the administration's reading of the assignment's intent was way off base. They both seem to be under the impression that simple port scans are illegal and forbidden, when in fact they occur regularly on the residential network and are a part of having an internet connection.
The professor is the dean of the CS department and is a very smart guy. He doesn't deserve to have this situation turned against him publicly. We in the class think it's all pretty ridiculous, and will do the assignment using only the approved IPs which we were given today. This was a simple misstep, and should blow over quickly.
Instead we have half rate Sys Admins getting worried about these students hacking their systems, simply because they are too lazy to plug the holes
Man is the lowest-cost, 150-pound, nonlinear, all-purpose computer system which can be mass-produced by unskilled labor.
You can't blame the professor for this. It's not like he or she knows how the real world works. After all, anyone with any sense (well, almost any) would say this is a bad idea. The University had sense enough to say no to their own network being scanned; then again, they're dumb enough to allow it to continue.
So at least the student will have a co-defendant if things go bad.
a "practical"
I was working at a UNIX terminal lab in college when an enterprising young freshman decided to cat all the man pages together and pipe to lpr.
He had otherwise proven to be an apt UNIX geek so I heard several of his fellow lab users ask him why he thought their terminals had locked up--since asking me would be scary apparently, go figure--and I heard him mumble, "dunno" and then he hustled out before we figured out what happened.
The lab manager held his many thousand page printout in a large overfull box until he reappeared several days later...and said if he ever did something so stupid again, he'd pay for both incidents at $.10/page.
What if a group of people, say neighbors, or firms, or even cities got together, strung some fiber or microwave links between them, and called it MyNet? Physically isolated from the Internet, but nevertheless including entities that are considered separate so far as the conventional or legal definition goes. I think laws such as child porno laws, or externally copyrighted music, would still apply because they are broadly defined. But what if these participating entities explicitly agreed to allow cracking, for one, or the use of strong encryption, or in general, uses which are legally prosecuted to protect the lowest common denominator in computer users, or to allow hooks for prosecuting. Is Internet-2 like this (probably not, because government money is involved). Seems like the Internet space is increasingly being regulated as if, or more harshly than it were meat-space.
I still say ethics should be a required course in IT.
At RIT, the NSSA (Network, Security, SysAdmin) program has a special lab set up for this, connected to the outside world by a single ethernet cable that's usually left unplugged. In this lab, teams of students take each other on - one to lock down a rack of servers, the other to turn the rest of the lab into zombies and break in. Of course, this is done in the safety of an isolated environment, on our own server, so it's a bit different. Teaching black-hat countersecurity stuff is just fine - how else are you to test your own - but come on now, in a safe environment. Another experience we get here? Anti-virus, by releasing viruses into our security lab. So how does Professor Packetslinger intend to teach that, releasing viruses into the wild?
There's an old saying that says pretty much whatever you want it to.
No, that's not at all how the law works.
Someone who leaves FTP service on with no password might be stupid, but you are still breaking the law if you take their stuff or use the server to hold warez.
Well... Yeah that is how the law works with intrusions, but port scanning is not breaking in (intrusion). It is like you walked up to someone's house and checked to see if the door was locked without actually even opening the door.
Yes, it's kind of dubious, but it's not breaking any laws (or at least shouldn't).
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
First: This guy "Handler" from SANS should know full well that port scanning is not a crime. But he goes out of his way to make it look like one.
Except that research isn't illegal. And even if this weren't academic, this still wouldn't be illegal. Good thing you quoted him verbatim, because he didn't even come near anything illegal. His own blog refutes his own point! Then, he goes on to misquote the guy! "OUR WORDS" -- yeah, I guess he thinks that this is just enough to stop the libel suit. Jeeez!
Second: The university did the worst thing possible. They made it look like the assignment was illegal, while neither condoning the assignment nor disallowing it. If they mistakenly told the professor to stop that assignment then I would say it was an over-reaction and they could correct that. If they ok'd it with the professor then they would be good guys. Instead they just whipped-out the 10 foot pole which makes them even more guilty than Mr. Handler.
Third: Our elected officials. The issue of the legality of port scans should not even be in question if they even had the slightest clue as to what it was. But instead lawyers and judges can't agree on this point. I just ask for any one group involved to have some common sense. Slashdotters should start emailing SANS in support of this professor.
I always thought that if I was a (tenured) professor would be a "Cheating 101" class. The objectives would be to teach the students how to cheat effectively. The class would have exams that were on arbitrary and difficult subjects. The students would be forced to cheat to pass them. The exams would be graded not only on how well they did on the exam itself, but how well they cheated and how well they avoided detection. (Even with me knowing they're cheating.)
The true objective wouldn't be to increase the student's ability to cheat, but to discover what techniques were being used by the students...
what he should have done was divided the students into small teams (by drawing lots), each responsible for setting up a set of servers on this isolated network to do specific tasks and then set the teams to securing their own servers while trying to penetrate the servers of the other teams.
Award points for how many other servers you cracked, minus how many times your own got cracked...
and just to put an edge to it, losing team buys dinner for the winners. Winners get to choose where the meal is (within reason)
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
First of all, SANS is considered the "entry level" security group. They overhype security issues on a regular basis. They remind me of Steve Gibson of GRC, another self proclaimed "security expert". They rehash old issues all the time. My favorite quote about them is actually from Dave Aitel though.
"I think it's funny they call themselves handlers instead of "people without computer science degrees or any knowledge of computer security trying desperately to learn how to read shellcode and informing a legion of other people about vulnerabilities, worms, and exploits a. la. the blind and deaf leading the blind".
Reference http://lists.virus.org/dailydave-0405/msg00075.ht
It appears SANS is trying to throw into question the legality of port scanning. Did they get wrong too? Maybe they should make another class on this, charge $2500 for 5 days of powerpoint sessions instead of showing their ignorance.
A professor not adhering to a best practice is a minor issue, at best. However, one round of namecalling deserves another!
I expect to be modded flame/trolling for this, but it is the truth.
Would be to have separated the class into two teams with two networks and then have them secure their networks. Then launch attacks against one another. This way they see both the way attacks are made along with how to protect their network from them.
A bunch of Tech Stuff
If there is a post to mod up, it is this one. There is going to be a lot of hype and over-reaction out of ignorance of the situation, and a misunderstanding of the intent of the assignment and the professor (the ISC's writeup of it is inflammatory and absurd). Help cut the sound-to-noise ratio and mod the parent up.
If we start buying CDs then the terrorists have already won.
I'm a professor and had some undergrads create a honey net out of outdated computers and open-source software (except for the windows honey box). The central computing folk were unhappy because I was looking at packets which got through my firewall -- violated the university privacy rules. Sysadmins across campus were REALLY unhappy because vulnerable machines (honey) existed -- the fact that they were contained was lost on them. I was forced to shut the honey net down. There was all sorts of irony in the situation.
the internet is a safe place. i don't care what fanatical people rant about. i'm fanatical and i say that as long as you take all the necessary precautions, ie: strong encryption, a secure/patched OS, penetration testing if you run your own server.... etc. you'll be fine 99% of the time. and the other 1% of the time you'll be prepared.
the second you put your service online it is YOUR business to secure it. it's like opening a door on the sidewalk and telling people not to look in as they pass. it's just not practical. if you can't handle your own shit what are you doing on the internet?
here's a clue - people who are going to fuck your shit up are most likely self taught. no one goes to school to become an elite hacker. people who are in these classes are most likely our best shot at protecting our future internet because unfortunately - they're the people who are gonna get the jobs they interview for... because of their degree. me? i'll run circles around half of those assholes but i'll never get the jobs they will nor the salary. c'est la vie.
this rant was much better in my head, trust me.
but i gotta train to catch. hah any women in the absecon, nj area who want to get some coffee meet me at the absecon train station at 4:50. i wear an element hoodie. see ya there.
If anything, they should require that the students restrict themselves only to university servers. That way they aren't liable for any third party complaints. But that would undoubtedly reveal numerous holes in the university's servers, which would be embarrassing and time consuming for the university's IT department. And we all know that university IT departments spend more time avoiding work than doing it.
What I think happened: the university's IT director found out about it, realized how bad it could make him look, and convinced the Dean of Corrections that this was a bad, bad thing. Fucking Ivory Towers, that's why I'll never work in a university setting again.
I don't think that running a port scan is illegal by any standards or any computer/server on the internet. It's not that they are breaking into the computers but just seeing what ports are open or what services are running.
Trying to exploit any of the found vulnerabilities is a different story altogether.
Of course 'the prof' could/should have done it in a secured environment within the uni but it's ok if he didn't. Mr Handler is obviously overreacting and giving it more attention than it deserves.
Lord of the Binges.
It's a bit long, but as long as I get a prompt after my "reconnaissance"...
Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
What's the course called, "Terrorist and hacker training 204"?
An Uncomfortable Truth
Are there *any* security tools that actually are in the public domain? Last time I checked, stuff like nmap, hping2 and the like was all copyrighted (and licensed under free licenses, of course, but decidedly not in the public domain).
quidquid latine dictum sit altum videtur.
I would think that if they don't operate their own honeypot for this purpose, their accreditation should be cancelled. who is this scurvy outfit, anyway?
if this is supposed to be a new economy, how come they still want my old fashioned money?
Don't even log it. However if our IDS throws up an alert for a prodding with some effort, like a port scan and then messing with the various services, I'll go and fire off an e-mail to the ISP.
The last two are available due to the fact that most sysadmins aren't being paid to look at logs all day; and that home users don't have the extra cash to pay a sysadmin at all.
Why read logs when you have computers that do it for you?
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
That's not going to get the students very far. Are there any public domain security tools?
TCAP-Abort
I'm not easily offended, but lumping ARP, ping and SSH together with NetBios _and_ calling it "unwanted crap" sure makes my blood boil. Maybe another member of this university has access to the routers to turn off ARP? It's your duty to help this poor fellow.
Why read logs when you have computers that do it for you?
Done properly, all the port scanner programs I've seen have a setting to defeat automatic log readers from detecting the scan: random period wait between ports. The best ones also do random access port scanning instead of sequential.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
As a college professor, I routinely assign my networking & security students to probe (e.g., port scan) systems to see what they will get.
The real story here is the hypocrisy. The professor assigns his students to go probe other peoples' systems, while the school has a policy against people probing their systems.
Andy Out!
Done properly, all the port scanner programs I've seen have a setting to defeat automatic log readers from detecting the scan: random period wait between ports. The best ones also do random access port scanning instead of sequential.
So run a tripwire on a handful of random ports, well away from normal traffic. Trip one or two and your IP gets banned or, if you're feeling vicious, redirected to a honeypot server.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Ok,
so let's run through this scenario. The professor for a computer science security class wants students to scan some networks. This is the type of information he wants them to provide
"He wants them to write an evaluation of what they find: what ports are open and what service could be running on them, Host names and IP addresses, OS, version, last update, patch status, what shares are available, what kind of network traffic and what vulnerabilities they see."
Some people have suggested to set up a sandbox, my question is where are you going to get the servers? Do you think that shit appears magically? Who can verify the actual network sandbox was set up properly? The students? An outside consultant? You see all of this stuff costs $$$, I'm sure the professor has an already small budget to do his own research but that's about it.
The next point is how is this illegal? The students must use apps that are available on the public domain. And if you think some uber hacker must have written it you are incorrect. Did you know OSX has a port scanner built into it? I put in the address, it tells me all the open ports. Is that illegal? Oh and what type of services are running on them? Come on, what is up with that, that's so easy to figure out! Just google the port num, and you'll get a listing of all the possible apps that could use this port. It's not rocket science! You could also connect to it by telnetting to the port and see if any user input returns a response from the server.
How is determining host names illegal?? A simple NSLOOKUP will tell you what the DNS name is, and you can go even further and check those DNS lookup sites and figure out who the contact is. Try it.. It works pretty well!
All of the other information is easily accessible, if this equates to illegal hacking then I technically had no idea what illegal hacking really is..
Now if this guy wanted his students to actually try and break a system then yes, I don't agree with it. But if they're just simply exploring the different tools available to them on the internet what's the big deal?
MrJynxx
So run a tripwire on a handful of random ports, well away from normal traffic. Trip one or two and your IP gets banned or, if you're feeling vicious, redirected to a honeypot server.
Which doesn't harm this assignment in the slightest- since the actual assignment is to report what they saw during the scan, not what is the truth. If what the student sees during the scan is exactly what the professor sees during the scan, then the student gets the grade. Likewise, you'd have to do a lot more detective work than just redirecting traffic to a honeypot server to actually tie an IP address (possibly a dialup IP address) to a name to prosecute. If your time is so unvaluable that suing people for such a minor infraction is profitable use of your time, then you should be far more worried about developers in Bangalore than some student doing a port scan who is never seen again.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
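The tripwire-port suggestion and the randomized-scan remark in the comments above, as an added detection example that is not part of any original post. The log format, addresses, decoy ports and thresholds are all constructed assumptions; the point is that counting distinct closed ports per source over a long window, plus decoy ports, flags a slow scan in random port order that a probes-per-minute reader misses.

```python
"""Port-scan detection that does not depend on probe timing or port order."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed settings for this sketch, not values from the thread.
TRIPWIRE_PORTS = {4711, 20034, 47001}   # decoy ports with no real service behind them
MAX_DISTINCT_PORTS = 8                  # distinct closed ports tolerated per source
LONG_WINDOW = timedelta(hours=12)       # long enough to outlast randomized delays
BURST_WINDOW = timedelta(seconds=60)    # what a simple rate-based log reader uses
BURST_LIMIT = 8

LINE_RE = re.compile(r"^(\S+) \S+ kernel: .*?SRC=(\S+) .*?PROTO=TCP .*?DPT=(\d+)")


def parse(lines):
    """Turn denied-connection log lines into sorted (time, source, port) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return sorted(events)


def burst_detector(events):
    """Rate-based reader: flags a source only when probes arrive close together."""
    flagged, recent = set(), defaultdict(deque)
    for ts, src, _port in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > BURST_WINDOW:
            q.popleft()
        if len(q) >= BURST_LIMIT:
            flagged.add(src)
    return flagged


def slow_scan_detector(events):
    """Flags on decoy-port contact or on distinct ports seen over a long window."""
    flagged, recent = {}, defaultdict(deque)
    for ts, src, port in events:
        if port in TRIPWIRE_PORTS:
            flagged.setdefault(src, "tripwire port %d" % port)
        q = recent[src]
        q.append((ts, port))
        while ts - q[0][0] > LONG_WINDOW:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= MAX_DISTINCT_PORTS:
            flagged.setdefault(src, "%d distinct ports within %s" % (len(distinct), LONG_WINDOW))
    return flagged


def make_line(seconds, src, dpt):
    """Build one constructed log line (format is an assumption for this example)."""
    ts = datetime(2005, 3, 1, 8, 0, 0) + timedelta(seconds=seconds)
    return "%s fw kernel: DROP IN=eth0 SRC=%s DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=%d" % (
        ts.isoformat(), src, dpt)


# Constructed sample: minutes-apart probes in random port order, a client
# retrying one closed port in a tight loop, and a single decoy-port touch.
SLOW_SCAN = [(0, 8080), (17, 22), (55, 443), (61, 3306), (140, 25),
             (171, 5900), (260, 110), (305, 139), (398, 21), (431, 1433)]
SAMPLE_LOG = (
    [make_line(minute * 60, "203.0.113.7", port) for minute, port in SLOW_SCAN]
    + [make_line(600 + 5 * i, "198.51.100.20", 25) for i in range(10)]
    + [make_line(7200, "198.51.100.99", 4711)]
)

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("rate-based reader flags:", sorted(burst_detector(events)))
    for src, reason in sorted(slow_scan_detector(events).items()):
        print("long-window reader flags:", src, "->", reason)
```
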
I hope that's true. I've been sitting here wondering what kind of IT department would get worked up about a few portscans.
Find coupons in Greeley
So my point is it may be legal in some countries and illegal in others, I don't know. As well as he may be unintentionally launching a DOS attack.
What does this prove anyway? He should set up an isolated lab with various servers at various levels of 'hardening' and turn the students loose. The first person to crack a BSD machine would automatically get full credit. Minimal points for an unpatched Windows box.
While we're at it, why don't we just put some anthrax infected sheep into the subway or unleash rage infected monkeys into the dorms, just to see what happens?
putting the 'B' in LGBTQ+
Okay, so his approach to obtaining the material was less than ideal, at least he knows how to read!
Likewise, you'd have to do a lot more detective work than just redirecting traffic to a honeypot server to actually tie an IP address (possibly a dialup IP address) to a name to prosecute. If your time is so unvaluable that suing people for such a minor infraction is profitable use of your time, then you should be far more worried about developers in Bangalore than some student doing a port scan who is never seen again.
Who said anything about prosecution? I just want to waste their time, while keeping them from wasting mine.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
I don't know if I'm posting this in time to get an answer, but I just thought I'd ask a related question... with these kinds of stories, I always see people write comments such as, "if I saw that someone was poking at my ports to see if any of them were open..."
Well, I'm not a sysadmin so I don't know much about this kind of thing, but what software do you use to "watch" your computer to see if people are poking at it? I'm wondering about how to do this with primarily Linux, but also Windows, and OSX...
As far as I understand, on my Linux machine as long as I don't have any servers running on a particular port, I'm not open on that port. And even if I have, for example, rsync running, which I use between machines in my home, if it's not passed through my router's NAT, it's not available to the internet, right? How can I check if someone's poking at me? (I use a D-Link router and Gentoo linux)
Here is the actual assignment. Looks like he carefully told students not to hack into anything.
http://niksbox.net/Assignment3.pdf
I honestly don't know - check your local computer crime laws before trying it out, and check with your service provider. They can easily give you the chop even if the action is technically legal. Don't assume it's OK just because it's not supposed to do any damage.
"It doesn't cost enough, and it makes too much sense."
"When did Snorting a remote network become illegal?"
Just last year, where have you been? The War on Drugs is never ending. Congress will stop at nothing to save you from yourself, even if you are trying to suck a ground up motherboard into your nose.
Just Say No!
Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
Script it. Pseudo code to follow:
I wrote something like this long ago but turned it off because of the amount of emails sent. But I could have just put in a counter to alert on the most egregious offenders like the SOB that attempted 2147 login attempts on my openssh server in a 10 minute time span.
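The counter described in the comment above, as an added example that is not part of the original post: it counts failed OpenSSH logins per source address in a sliding 10-minute window and reports each offender once, at its peak, instead of mailing on every attempt. The function names, the threshold of 20 and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Typical OpenSSH syslog line for a failed password attempt.
FAILED = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+) port \d+"
)


def parse_failures(lines, year):
    """Return sorted (timestamp, source) pairs for failed password lines.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"]))
    return sorted(events)


def worst_offenders(events, window=timedelta(minutes=10), threshold=20):
    """Return [(source, peak_count)] for sources whose failures inside any
    single window reach the threshold, worst first. One entry per source,
    which is what keeps the alert volume down."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    peak = defaultdict(int)       # source -> highest in-window count seen
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:    # drop attempts that aged out
            q.popleft()
        peak[src] = max(peak[src], len(q))
    hits = [(s, n) for s, n in peak.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def sample_log():
    """Constructed sample data (documentation address ranges, made-up host)."""
    lines = [
        "Mar  3 14:00:05 gw sshd[811]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2",
        "Mar  3 14:01:17 gw sshd[815]: Failed password for alice from 192.0.2.10 port 40031 ssh2",
    ]
    start = datetime(2006, 3, 3, 14, 2, 0)
    fmt = "{t:%b} {d:2d} {t:%H:%M:%S} gw sshd[{pid}]: Failed password for invalid user admin from {src} port {port} ssh2"
    for i in range(45):   # burst: one attempt every 10 seconds
        t = start + timedelta(seconds=10 * i)
        lines.append(fmt.format(t=t, d=t.day, pid=900 + i, src="203.0.113.7", port=50000 + i))
    for i in range(30):   # slow source: one attempt every 5 minutes
        t = start + timedelta(minutes=5 * i)
        lines.append(fmt.format(t=t, d=t.day, pid=2000 + i, src="198.51.100.23", port=61000 + i))
    return lines


if __name__ == "__main__":
    for src, count in worst_offenders(parse_failures(sample_log(), 2006)):
        print(f"ALERT {src}: {count} failed logins within 10 minutes")
```

The slow source makes 30 attempts in total but never more than two inside one window, so only the burst is reported; lowering the threshold trades quieter mail for earlier warning.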
Who said anything about prosecution? I just want to waste their time, while keeping them from wasting mine.
Well, the school did for one- any student caught scanning school computers will be referred to the Dean. My suggestions were to go to machines that are far less likely for anybody to be paying any attention to port scans in the logs.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
How would you teach security if not by trying out the attack tools?
I don't see what the hoopla is about here. He asked them to do a scan, not open them up and format the hard disk or download files on it.
Maybe his next assignment is the ethics. Maybe it's just a test to see if any of his students find this ethically wrong and refuse to do it. Maybe he would have given them extra points.
I run several servers on the Internet, and I get port scanned all the time. Even more so at home, where my dynamic DSL IP is hit by worms many times each day.
Dear American proto-hackers, you are welcome to come to Europe and learn the tools of your trade here. We meet every year between Christmas and New Year at the CCC Congress, and we have a LAN there, so people can get acquainted with the tools.
Yeah, all it would really take is a letter to the Dean with a sworn deposition that a professor has asked a student to commit a specified federal crime. If corrective action isn't taken immediately, RICO statutes come into play, and the Dean is named as a co-conspirator.
How is this different from a chemistry professor assigning a term project that involves synthesizing and distributing Ecstasy? (That happened, more or less, and the professor went to prison! -- it wasn't exactly 'an assignment' in that case, but what's the difference really?)
-fb Everything not expressly forbidden is now mandatory.
"Well... Yeah that is how the law works with intrusions, but port scanning is not breaking in (intrusion). It is like you walked up to someone's house and checked to see if the door was locked without actually even opening the door."
Where I live, that is quite clearly aggravated trespassing and actually justifies the use of lethal force.
Going up to the porch is acceptable. Trying the door is attempted burglary. Jumping the back fence is criminal trespass, and trying the backdoor is burglary.
-fb Everything not expressly forbidden is now mandatory.
Going up to the porch is acceptable. Trying the door is attempted burglary. Jumping the back fence is criminal trespass, and trying the backdoor is burglary.
Then again what if it's a store? Or the person thinks it is a store? Would you arrest someone because they walked to a place and pushed on the door?
I can't think how many times I tried to enter a place only to find it was locked. Maybe it was the wrong entrance or after hours, but doesn't mean I had intention of breaking in.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
is that something like a brazilian wax?
It's a bit like open source software.. The information is public, what problems are there by students looking at it. As long as they don't actually compromise anything, they could be helping IT security.
In this case, I think the IT Staff are being idiots.
In Soviet Russia the insensitive clod is YOU!
"Then again what if it's a store? Or the person thinks it is a store? Would you arrest someone because they walked to a place and pushed on the door?"
The distinction is usually framed in terms of whether a reasonable person would believe it was acceptable. In a strip mall at 3:00 in the morning, you'd better have an explanation. A store that's usually open at 3:00 in the afternoon, but the door is locked, it's reasonable to try the door.
"I can't think how many times I tried to enter a place only to find it was locked. Maybe it was the wrong entrance or after hours, but doesn't mean I had intention of breaking in."
And the store owner would likewise have no reasonable apprehension of his life or property being in danger. He would be wrong to detain you or use force against you in a situation where you acted reasonably -- and he would be liable for assault if he did so. As for law enforcement officer, it's up to the officer to determine if there is cause for suspicion, and you could indeed find yourself in a position where you'd have to explain to the officer's satisfaction that you thought the door would be unlocked, open to the public, etc. Whether police officers are always able to take the point of view of "a reasonable person" is a subject of some debate, but you can be sure the state will take that view...
If keeping the peace were as simple as an elementary flowchart, we would never have needed a system of justice. I don't understand why people insist on trying to narrow down the idea of law and order by focusing on corner cases, or by trying to force false analogies to fit. (If I had a dollar for every time someone has explained copyright infringement in terms of stealing a car...)
-fb Everything not expressly forbidden is now mandatory.
The hyperbole displayed in this post is exactly the sort of behavior that computer security professionals should avoid engaging in. People who take undue offence at obviously innocent acts and run around making completely unfounded accusations of mal-intent and criminal liability are the sort of network operators who can make a workplace a living hell for people who are trying to get things done. It's a power trip and in a serious corporate environment it is totally inappropriate. Security professionals should be focused on real threats to business continuity rather than getting their rocks off by hunting down port scanners. It should be painfully obvious that nothing about this assignment is either illegal or immoral. The students are asked to perform a vulnerability assessment. They are asked to collect information; they are not asked to act on that information and break in. If you want to understand how security gets done it makes sense to take a look at someone who is doing it and see what they are doing. It's the kind of activity that might raise suspicion in the event that the intent was to use the information collected in the subsequent commission of a crime, but that obviously isn't the intent here, so there is no REAL problem. If your Internet connected computer is so weak from a security standpoint that this kind of snooping is enough to impact your operation then I suggest you stop reading this and go check on it because you are probably offline right now. Obviously one needs to be careful in performing this sort of audit that one doesn't use aggressive tools that can impact the operation of a host, and students do need to understand the difference between collecting information and obtaining unauthorized access. It might make sense for this lesson to be bundled with a serious conversation about the ethical issues.
Obviously, it would be preferable to ask students to look at a honeypot host rather than examining someone's live network, if for no other reason than this kind of probing is suspicious and, albeit EXTREMELY unlikely, could cause administrators to waste time investigating. However, to suggest that performing this kind of information collection against a remote host is a crime regardless of the intent of the exercise is, frankly, "just plain stupid and ignorant." Sans security ought to relax. The likelihood that any of the targets of this exercise so much as noticed it is infinitesimal.
http://www.hackthissite.org/
or google for "hack my server"
p.s. didn't RTFA.
This is just amazing. By amazing, I mean to say an affront to ethical teaching. It promotes the wrong idea about proper conduct on the internet. It will spawn tons of alarms on different networks. Companies who get scanned will lose countless dollars and hours figuring what new attack was underway.
I strongly believe that the professor should be fired. The students should be told to NOT go forward with the assignment. And the name of the professor and university should be released so that such unethical or thoughtless behaviour by the professor and double-standard thinking by the school can be revealed and acted upon.
I can't believe the school would come back and say that the professor would not be reprimanded, that the assignment can go forward, but not to scan their own computer networks. This implies that the school admins know that it is a security issue and questionable behaviour, but is allowing it to go forward on the internet. Complete and utter retarded and *ss backwards thinking and reasoning.
For some companies I've worked at, a scan is reason enough to ban your IP, if not your IP address block. Performing a scan is grounds for dismissal, if not initiation of criminal charges of misuse of the business systems. This was the case at my old university. Misuse of school systems resulted in dismissal and/or legal proceedings.
The correct and responsible means of testing would have been to set up a training network. Obviously, there is a complete lack of responsible planning on the part of the professor and the school. Or perhaps a lack of understanding of what they are setting their students and themselves up for.
The student who brought this up REALLY needs to bring this to the attention of his/her fellow students and prevent them from getting into trouble with businesses and the authorities.
Just because your superiors tell you to do it, doesn't mean it's okay to do it.
Winged Power Photography
I don't understand what's the big deal. Yes, it has some degree of illegality. However, would it also be illegal if you were a consultant for any company wanting this type of probing on their servers? No! So why not simply ask local company X if they would be interested in a free analysis of their servers which is normally valued at $xxK. I'm sure there would be many takers. You now have eliminated all illegalities in your assignment and can proceed with it. It's that easy. No need to get all butt-hurt about it.
http://www.be.wvu.edu/divmim/mgmt/kleist/MANG%20493S%20Syllabus%202006.htm
Mon., 4/17/06 25 Wireless Security HOMEWORK/LAB 4, 5: Wardriving exercise in Morgantown with Apple laptop and Netstumbler, GPS device. Turn in a one page detailed description of the lab procedure, software and technique as well as a printed map of wireless access points in a certain geographic area of your choosing. NOTE: DO NOT HACK INTO THESE NETWORKS EVEN IF THEY ARE WIDE OPEN WITH NO PASSWORD AS THIS IS ILLEGAL. (Counts as 25 points). Due at beginning of class 4/22/
Note, some areas, the very act of wardriving is illegal.
Winged Power Photography
Unless the school has a segregated network specially set up for this, there could be all kinds of potential problems.
Students running sniffing tools could see data that other students might consider confidential (even regardless of university policies that might not cover this).
Some scanning and sniffing techniques may compromise the network, and risk crashing workstations, servers, or network devices.
I wonder what the professor's response would be if a student were able to monitor the professor's computer session, or capture his e-mail.
Of course, a fast-track to an "A" might be for a group of students to set up an enclave of systems, set up attacks, and monitor them with appropriate tools.
One paper I published (2600 Magazine. It's also on my website) - I described how a neighbor came onto my wireless network, and how I was able to watch him with various tools. Naturally, I kept my data on a separate drive and powered down. These students could set up a wireless access point, and see who comes onto it.
Sam Nitzberg
http: / / w w w . i a m s a m . c o m
s a m @ i a m s a m . c o m
Our assignment was very similar to this, except it was to discover the number of nodes, the routing, etc. of the network in one particular building on the campus (housing our classroom) - no port scanning, no attempts to compromise anything, but simply to "map out" the building's network.
One telltale phrase that hit a nerve with me was something that I remember nearly verbatim: "using tools available in the public domain." The examples he gave were essentially tools like traceroute, ping, etc.
Nobody in the class thought there was anything questionable about this, let alone illegal.
When you're not looking, this sig is in Latin.
Universities exist to promote advancement of knowledge and create citizens that will change society for the better by challenging existing dogma. As such, they have a responsibility to allow any legal means of inquiry and even support illegal but meaningful and essentially harmless pursuits such as civil disobedience. A university is not your dinner table and they shouldn't be able to dismiss students for farting.
the police ate my homework!
You're over reaching here.
There could be a lawsuit, but only because one doesn't need much justification to file a suit. To avoid being laughed out of court, however, you need to put together a better story than that.
Why hasn't slashdot ever heard from the G.N.A.A.'s lawyer?
It's not offtopic, dumbass. It's orthogonal.
At my school, I only ran into one teacher who ever used that term in describing an exam. The teacher was noted for being ridiculously difficult in comparison to any other teacher in the course. The drop rate from her class was fairly high. Her reputation included words and phrases like "Unhelpful" and "take anyone but her if seeking a Gen Ed."
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 SU CK IT MP AA
(Just playing devil's advocate here, I do not actually think that any of what I'm about to say is morally right in any way.)
Since when did allowing someone to access my web server become a right instead of a privilege that I specifically grant and can take away from anyone I choose at any time?
It happened the moment you decided to offer access to the public at large.
Let's try an example: Can shopping malls expel people for being black?
Not at all similar, you say? Too racial? Okay, try this one instead: Can shopping malls expel random people for no reason whatsoever?
The answer to both of those, BTW, is no. Despite the fact that it's private property, it's nevertheless considered a public area because the public is granted admission. The owner can eject somebody for cause (making a scene, acting inappropriately, etc), but he cannot eject random people for no reason at all.
Now, the mall *can* eject people for being black or just at random, but then they are setting themselves up for a lawsuit that they might lose.
Similarly, while you'd be well within your rights to block anybody you like for any reason you like, if you do it without cause, then you're setting yourself for a lawsuit that you might lose. Blocking an entire ISP because of a single user of that ISP portscanning you is a shotgun approach. It causes financial damage to that ISP. Now, assuming that the ISP notices and cares, then yeah, they could probably sue you for it and they might even win.
Take the controversial issue of spam blocking for another example. Consider the MAPS service. They publish lists of ISP's they don't like for being friendly to spammers. Other people/ISPs use these lists to filter email from these ISPs out. Result: MAPS has been ordered by courts to remove some of these ISPs from their lists when the ISP sued the MAPS people. This has happened on a number of occasions. Now, is it MAPS right to make these lists in any way they see fit? The obvious answer is yes, however if in making these lists they can knowingly cause damages to ISPs (and since their stated *goal* is to financially damage ISPs in order to make them eject the spammers, they can't really argue otherwise), then some courts have said that they are liable for their actions in that respect.
Is it right? Well, that's debatable. But it is what it is, and the grandparent was correct, you are not guaranteed to win a suit in such a circumstance.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.
At no point in this does the professor state to do it on a public computer. hell. port scan your own pc. Over the internet. Using nmap. Jesus. what is the world coming to when the "security professionals" can't read english or think outside of the box. It almost makes me ashamed that I read their site so often.
Your sig(k) has been stolen. There is a puff of smoke!
It is not that the ISC is ignorant of the facts: several students have sent them the full text of the assignment (which has also been posted here). It is that the full assignment, including the following:
contradicts the story they have fabricated about a reckless professor urging his students into felonious activity. At no point did the assignment require activities that were illegal, immoral, or in violation of a literal reading of the university's acceptable use policy. To the contrary, any student who commits a crime does so on his own will and against the explicit instructions of the professor.
Yes, there are system administrators at the university who oppose this assignment, but this opposition is far from unanimous. Obviously the administrator of a poorly secured network does not want the vulnerabilities exposed. However, security through obscurity is irresponsible, and ultimately it is these admins who deserve the punishment (perhaps this prompted the efforts to squash the assignment?). You should note that some of the same admins who oppose this assignment routinely port scan the entire university network.
The truth of the matter is that this assignment is painfully appropriate to a computer security course, and is a great example of an academic assignment providing valuable, real-world experience.
Please let go of the conspiracy theories, this is a group of mature, responsible* and talented students, not a rag-tag bunch of script kiddie / hacker / terrorists. The professor is a well-respected professor of which I have heard nothing but the best praise. I promise you that nobody affiliated with assignment has any intent to harvest your ill-secured server into some massive zombie net, stealing your information or otherwise harming you. Twenty students scanning twenty machines is not a DDOS, no one is going to lose thousands of dollars in man-hours hunting down that befuddling port scan. For better or worse, unsolicited port scans are a fact of life. Be glad that the machine at the other end is well-intending student who will relay to you - not exploit - any vulnerabilities he finds.
Now may we please put pressure on the ISC to promote responsible journalism by providing readers with the full story, even if it isn't as sensational as the story they wish it was? If anyone should be in risk of losing his/her jobs, it is the irresponsible and dishonest author of this diary.
* Yes, there is an ethics course - it's mandatory.
And by the way, to clear up one small additional point of confusion on the part of the author: winter quarter 2006 takes place, believe it or not, in the winter of 2006.
If we start buying CDs then the terrorists have already won.
A server that can't survive this is like a baby left outside in the winter in Alaska... it shouldn't be there in the first place.
--
Being paranoid is a part of the job...
I don't care if you're talented. You have no idea how a scan is going to affect whatever applications I have running off of that pipe. What may not break one network may most certainly break another. You, with all your talent, can still make a mistake. I've had it happen to me and the reason why I was able to quickly recover was because I KNEW I WAS BEING SCANNED BEFOREHAND! Vendor comes in and says "Oh, this is going to be harmless." and surprise one little Nessus scan brings down half the unix farm until I unplug the laptop. If I really want you pen-testing my network then I'll bring you in as an intern. That way I know about and accept the risk I want to take instead of the unknown.
You make this bold, sweeping statement about security through obscurity but reread your quote. "You may" not "You will" The students do not have to turn in their work to the company they scanned so there is no way for that organization to take those findings and improve their system. If this was some big noble cause why didn't the prof contact some local businesses and have them agree to a pen-test in return for a report? The fact that the administration reserves the right to discipline any student that uses this assignment to scan the school's network speaks volumes. Your comment about admins who oppose this are ones who routinely port scan the school's network is a fallacy on so many levels that I simply chose to ignore it.
I don't care if the prof is going to cash his Nobel check and give the money to the starving poor in Africa. The assignment was ill conceived from the start. It wasn't professional or academic and there were viable alternatives other than going out into the wild and poking around people's perimeters without permission. What? Haven't heard of a test lab?
Absolutely nothing in your post has dissuaded me from the opinion that this entire issue was just plain dumb.
I don't want knowledge. I want certainty. - Law, David Bowie
I am not sure that we are in disagreement, perhaps you misjudged the point of my comment. The threads of this conversation have been littered with misinformation, an abundance of analogies involving car doors, and random calls for people to be arrested and to never teach again. A great deal of this stems from the ISC's awful coverage of the issue, a diary which foresees "incarceration", "expresses sympathy" to the families of the students, accuses the professor of being a "miserable failure" and otherwise grossly distorts the reality of the situation. It was this that I aimed to clarify. And please, may I ask you to swap out your pronouns and put "you" back in the closet. I am not the professor, I am not in the class, I never proclaimed myself talented and I am not going to port scan you - relax, I am friendly.
Despite the sensationalism of the ISC's writeup, there are legitimate concerns about this assignment, some of which you addressed. Specifically, there is the potential for this assignment to pose a risk to the machines on networks of innocent bystanders, even without the illegal exploitation of vulnerabilities that the diary suggested. As much as I enjoy your condescension, I have in fact heard of a test lab, and personally, I think that a test lab / honey net / willing company would all be great solutions.
Despite having read excerpts from the assignment, it is still clear that your ignorance flavors your judgment. Typically the instructions regarding an assignment go beyond the print-out, so you cannot know whether the concerns you expressed are being taken into consideration or not. Honestly, I don't blame you for jumping to the conclusions you have; with the amount of information available online, your jump was fairly sound. You have every right to feel the way you do, but if it provides any comfort, I am confident that you are underestimating the professor.
My point regarding the admins was merely that the university's machines and networks (unlike some, apparently) are robust enough to withstand the port scans. Obviously the set of appropriate activities differs from admin to student. In this case, it is simply a matter of the port scans posing a greater threat to the admins than to the network. The students had already self-censored themselves to avoid networks containing sensitive student information, the registration system and anything else that might affect important day to day operation. There are in fact many networks on campus that would be great for this assignment; the administration's over-reaction is unfortunate both for the students and for companies such as yours.
This is the first time that this class was offered at the university, and I would be surprised if serious changes weren't made the second time around. Even as this whole thing dies down, the discussion remains valuable because similar assignments are conducted at universities across the nation (it's always good to make an example out of someone now and then). I am not here to dissuade you of anything, merely to clarify the sensationalist one-sided journalism spewed from the ISC's diary. Their irresponsible writeup is pleasantly contrasted by the legitimate concerns discussed in your post, even with your scolding tone. Good luck to you, I wish no harm to your network.
If we start buying CDs then the terrorists have already won.
Had I been given this assignment I'd do the same thing I've done numerous times before: ask a friend to have a duel between our home computers. Every time I change my firewall I get him to bang on it just to check. When I get a new tool I often let it loose on his home machine (with permission). There is no reason at all to assume that this assignment requires the students to break the law. Any computer on the net can be considered "an internet server" if it responds to even one port or a single ICMP type.
It MAY be a problem for the students on a campus network in their dorms because of the IT department's policy, but those who have their own 'net connection can do it without breaking the law. Give them a little credit: Any student who has made it to this class will already know how to act responsibly on the net.
There's nothing to see here. Move along...
On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
I just had a similar assignment last quarter at a technical college in Southern California. The professor even told us where a company was that had a wide open wireless network. The company could "theoretically" be hit discreetly sitting in a car in the supermarket parking lot with an 80% connection. Once there you would have access to their internal network as well as the Internet. But I would never do anything like that. That's just wrong. :)
I don't believe in karma, I just call it like I see it.
"The ISC write-up is all hype and grotesquely distorts the actual assignment. There were no crimes committed, no one is going to jail."
I know. I was just going to the worst case scenario because the real scenario is boring.
-fb Everything not expressly forbidden is now mandatory.
Let's see if I can translate. Campus IT considers the required activity an attack, so the solution is to REQUIRE the students to attack unwilling 3rd parties and burn their resources instead. The school apparently feels no responsibility to PAY these 3rd parties for the mis-appropriated (that is, stolen) resources it uses for the purpose of collecting tuitions?
Before anyone asks what resources, consider the extra man hours that will be spent if/when 3rd party network admins detect that someone is 'casing the joint'.
Next, I suppose sociology students will be required to hang out in front of old ladies' houses and report on things such as did she look scared? Did she call the cops? etc.
I can certainly see the value in the exercise, but the professor and/or the school should be the ones expending the resources to provide the students with servers to scan. They may do that EITHER by building their own example network, OR by contracting with a willing 3rd party to allow their network to be used.
port scanning is not breaking in (intrusion)
... The same applies to an ftp server with an anonymous login, or a telnet session without a password.
I was replying to the GP, who stated:
If someone does not want me to use their server, it is their responsibility to deny me access.
He is talking about way more than port scanning.
It doesn't hurt to be nice.
Perhaps the point to the lesson is to see who does it and then fail them...
You have to teach ethics someday particularly given the "information wants to be free" and the "I should be able to share _your_ property however I want" crowds.
Dan
Typical Person with no brain or a deathwish perhaps. Self-preservation > proving to ID10T's that have their heads stuck in the sand.