Slashdot Mirror


Professor 'Packetslinger' Assigns Questionable Task

mrowton writes "A professor at an undisclosed university recently assigned a practical for his computer-security class. The practical, which is worth 15 percent of the students' final grade, requires students to perform reconnaissance on an internet server using tools available in the public domain. While the university is allowing the practical to continue it has also stated that the techniques should not be performed on their own web servers. If students are caught performing any scans against university computers then it would prompt: "Disabling their student account and referring them to the Student Dean of Corrections." The assignment was enough for SANS to dub him 'Professor Packetslinger of the School of Loose Screws.'"

26 of 411 comments

  1. Is scanning a network illegal? by nharmon · · Score: 2, Interesting

    I thought there was a case not too long ago that says a scan is not an intrusion, thus is not illegal.

    1. Re:Is scanning a network illegal? by RagingFuryBlack · · Score: 2, Informative

      The scan itself is not illegal. However, they're asking the students to go much further than the scan itself.

      --
      Warning: Corny karma killing post above.
    2. Re:Is scanning a network illegal? by Karzz1 · · Score: 2, Interesting

      I read the article and did not see where intrusion was part of the assignment. From what I read, it was a vulnerability assessment, which would include a few simple scans. Knowing what I do about some scans, they can create a DOS attack (inadvertently of course; you aren't going to be too clandestine if you get noticed DOSing your victim).

      My point here is this; he did not assign any illegal activity from what I saw in the article. If someone could point me to where the actual assignment is written down, I might see something there, however all I saw was the ramblings of a paranoid person who has no clue as to what is and is not legal. If port scans and vulnerability scans truly are illegal, I have felons banging on my ports all day long.

      --
      Beware of he who would deny you access to information, for in his heart he dreams himself your master.
  2. Sand box? by WilyCoder · · Score: 2, Interesting

    Why doesn't the professor construct a cheap server, with security out the wazoo? Then let the students attempt to bring down the sand box, rather than randomly probing servers which are probably used to run a business?

    1. Re:Sand box? by spun · · Score: 4, Interesting

      Hell, set up some kind of a honeynet with several types of servers (Windows, Mac, *nix) in various states of security. There's absolutely no reason to make these students scan actual production servers. By using custom built servers, the professor will have more control over the lesson, and will be able to tell what the students are actually doing.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  3. Lemme get this straight by lheal · · Score: 3, Interesting

    He's not supplying his own honeypot servers, and didn't get the University to allow use of campus servers either? I'd think he could sell it to the IT group as a hardening exercise, since students would have to do full disclosure to get credit anyway.

    Yup, just goes to show you that "smart" and "fool" aren't antonyms.

    --
    Raise your children as if you were teaching them to raise your grandchildren, because you are.
  4. What about criminology classes? by IntelliAdmin · · Score: 2, Insightful

    They should have an assignment that each student rob, or break into a bank. Any attempts to break into school secured areas would result in immediate suspension.

  5. Next assignment - Hack in and change your grade by digitaldc · · Score: 2, Funny

    If you change it to anything other than an 'A' you automatically fail.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  6. Might not be illegal but it's bad form by Sycraft-fu · · Score: 3, Interesting

    If I notice someone poking around at my systems in such a way that looks like it's looking for exploits, I'll contact the ISP responsible and ask them to have a chat with that user. If they blow me off, I'm likely to blacklist the ISP entirely.

    Just like with your house, while it might not technically be illegal for you to sit on public land and case my house out like you are going to break in to it, you can bet I'll object if you try.

  7. In related news... by flyingsquid · · Score: 4, Funny

    The NSA issued a press release stating that its whole domestic spying operation was just part of a homework assignment.

  8. Dean of Corrections? by slickwillie · · Score: 2, Funny

    AKA Warden?

    Is it a university or a prison?

  9. When did portscanning become illegal? by Kphrak · · Score: 2, Interesting

    SANS seems to take it for granted that portscanning is illegal and immoral. However, I can't find anything on Google, and of course, IANAL. Is there any case precedent in the United States for the illegality of portscanning?

    I would hazard a guess that it is not illegal. It is the equivalent of looking at a house from a public vantage point to see if any windows are open. Although such an action is suspicious (the person may next try to get in through a window), it certainly isn't illegal, at least in the United States. SANS seems to be overreacting.

    --
    There's no sig like this sig anywhere near this sig, so this must be the sig.
  10. The same thing happened at my University by Raul654 · · Score: 4, Interesting

    A similar occurrence happened at my university (University of Delaware). When I was an undergraduate, I took the 400 level security class. (The teacher isn't a professor, but he's a staffer who happens to be amazingly knowledgeable about all areas of unix and networking.)

    The assignments were some of the most practical security assignments you could imagine. For one assignment, he gave us the location of a target machine, and told us to "break in and find something that would make people a lot of money". The trick was to scan it with Nmap across an obscene number of ports (he was running a compromised telnet server on some really high port - like 11,000), telnet in, and look through the files to find a fictitious email about a stock buyout. ("But make sure not to scan any machines besides the target machine!") In another one, we telnetted into a mail server he set up, and emailed the TA with a faked 'from' address. "If it looks fake, you lose points", so you had to make damn sure to get all the fields looking immaculate. Another assignment was he gave us an XOR encrypted message, and we had to crack it. (The trick was to look for large areas with spaces, which gave away the key)

    It was, all in all, a great class. Just one problem - the IT people *hated* the class. He told us he got a complaint during the Nmap assignment that it had been used to run 150,000 scans on campus machines. The computer science department adamantly defended the assignments, as important learning tools. It's an important issue of academic freedom, and (last I had heard) the CS department's concerns trumped IT's complaint.

    --
    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
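
The XOR assignment mentioned in the comment above works because a space (0x20) XORed with a key byte exposes that key byte, which is why repeating-key XOR gives no confidentiality. This is an added example, not part of the original comment; the key, the memo text and all function names are constructed for illustration.

```python
from collections import Counter
from itertools import cycle

SPACE = 0x20

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def guess_key(ct: bytes, n: int) -> bytes:
    """Assume the most frequent byte in each key column is an encrypted space."""
    return bytes(Counter(ct[j::n]).most_common(1)[0][0] ^ SPACE for j in range(n))

def printable_fraction(data: bytes) -> float:
    """Share of bytes that are printable ASCII or newline."""
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b == 0x0A)
    return ok / len(data)

def recover(ct: bytes, max_len: int = 8):
    """Try each key length and keep the guess whose output looks most like text."""
    best_score, best_key = 0.0, b""
    for n in range(1, max_len + 1):
        key = guess_key(ct, n)
        score = printable_fraction(xor_repeat(ct, key))
        if score > best_score:  # strict: the shortest best-scoring key wins
            best_score, best_key = score, key
    return best_key, xor_repeat(ct, best_key)

# Constructed sample: a memo padded with long runs of spaces, and a made-up key.
KEY = bytes.fromhex("13a75ce13e")
ROWS = [
    (b"TO:", b"board"),
    (b"RE:", b"stock buyout"),
    (b"", b"offer lands friday"),
    (b"", b"tell nobody"),
]
MEMO = b"".join(label + b" " * 40 + text + b"\n" for label, text in ROWS)

if __name__ == "__main__":
    ciphertext = xor_repeat(MEMO, KEY)
    key, plaintext = recover(ciphertext)
    print("recovered key:", key.hex())
    print(plaintext.decode("ascii"))
```
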
  11. From the inside by Anonymous Coward · · Score: 2, Informative

    I'm in the class which received this assignment.

    I am both an undergraduate CS major and a system administrator on campus. I work with the top-level sysadmins that complained about the assignment, and who likely reported it to the ISC. They're good people that know their stuff, but I think they acted poorly by publicising it. It was a simple assignment which meant no harm. The class has never been taught here before. The CS department's reading of the university AUP and Ethics Policy differed widely from the administration's, and a simple email could have eliminated the confusion. Instead it's on Slashdot.

    I think the ISC and the administration's reading of the assignment's intent was way off base. They both seem to be under the impression that simple port scans are illegal and forbidden, when in fact they occur regularly on the residential network and are a part of having an internet connection.

    The professor is the dean of the CS department and is a very smart guy. He doesn't deserve to have this situation turned against him publicly. We in the class think it's all pretty ridiculous, and will do the assignment using only the approved IPs which we were given today. This was a simple misstep, and should blow over quickly.

  12. A better way to teach this. by StacyWebb · · Score: 3, Insightful

    Would be to have separated the class into two teams with two networks and then have them secure their networks. Then launch attacks against one another. This way they see both the way attacks are made along with how to protect their network from them.

    1. Re:A better way to teach this. by fistfullast33l · · Score: 2, Insightful

      Interesting idea but I think that you'd run the risk of the geekiest students in the class taking over each team and the other kids not participating. Obviously this assignment was designed so that each student could prove they knew a little bit about portscanning and such. I think if you modified your approach to require like rounds where one student from each team launched an attack and another student had to respond it might guarantee more participation.

  13. Completely blown out of proportion by MrJynxx · · Score: 2, Insightful

    Ok,

    so let's run through this scenario. The professor for a computer science security class wants students to scan some networks. This is the type of information he wants them to provide

    "He wants them to write an evaluation of what they find: what ports are open and what service could be running on them, Host names and IP addresses, OS, version, last update, patch status, what shares are available, what kind of network traffic and what vulnerabilities they see."

    Some people have suggested to set up a sandbox, my question is where are you going to get the servers? Do you think that shit appears magically? Who can verify the actual network sandbox was set up properly? The students? An outside consultant? You see all of this stuff costs $$$, I'm sure the professor has an already small budget to do his own research but that's about it.

    The next point is how is this illegal? The students must use apps that are available on the public domain. And if you think some uber hacker must have written it you are incorrect. Did you know OSX has a port scanner built into it? I put in the address, it tells me all the open ports. Is that illegal? Oh and what type of services are running on them? Come on, what is up with that, that's so easy to figure out! Just google the port num, and you'll get a listing of all the possible apps that could use this port.. It's not rocket science! You could also connect to it by telnetting to the port and see if any user input returns a response from the server.

    How is determining host names illegal?? A simple NSLOOKUP will tell you what the DNS name is, and you can go even further and check those DNS lookup sites and figure out who the contact is. Try it.. It works pretty well!

    All of the other information is easily accessible, if this equates to illegal hacking then I technically had no idea what illegal hacking really is..

    Now if this guy wanted his students to actually try and break a system then yes, I don't agree with it. But if they're just simply exploring the different tools available to them on the internet what's the big deal?

    MrJynxx

  14. .pdf of the assignment by sethlong · · Score: 2, Informative

    Here is the actual assignment. Looks like he carefully told students not to hack into anything.

    http://niksbox.net/Assignment3.pdf

  15. Isn't it his job to teach his students? by Fefe · · Score: 4, Insightful

    How would you teach security if not by trying out the attack tools?

    I don't see what the hoopla is about here. He asked them to do a scan, not open them up and format the hard disk or download files on it.

    Maybe his next assignment is the ethics. Maybe it's just a test to see if any of his students find this ethically wrong and refuse to do it. Maybe he would have given them extra points.

    I run several servers on the Internet, and I get port scanned all the time. Even more so at home, where my dynamic DSL IP is hit by worms many times each day.

    Dear American proto-hackers, you are welcome to come to Europe and learn the tools of your trade here. We meet every year between Christmas and New Year at the CCC Congress, and we have a LAN there, so people can get acquainted with the tools.

  16. We were encouraged... by sr180 · · Score: 3, Insightful

    When I did my engineering degree, with the computer science subjects we were encouraged to explore the network and understand its topology. We even had assignments where we HAD to do this and report back with what we knew about what was where.

    It's a bit like open source software.. The information is public, what problems are there by students looking at it. As long as they don't actually compromise anything, they could be helping its security.

    In this case, I think the IT Staff are being idiots.

    --
    In Soviet Russia the insensitive clod is YOU!
    1. Re:We were encouraged... by lucm · · Score: 2, Insightful

      what problems are there by students looking at it

      If the assignment was to put a sniffer on the student's network adapter and watch the packets passing by, then it would do no harm. But probing is not passive, it is active, and it can be harmful to the target server. You might compromise a service without knowing it.

      Every month thousands of idiots are probing the ports on my firewall, eating away my bandwidth (which *I* pay for) and adding load on my firewall's CPU (which *I* paid for). And I am a home user with nothing interesting to steal from. Do you have any idea how much bandwidth and CPU is wasted at Google, Yahoo or Microsoft because of the same kind of wannabe hackers?

      --
      lucm, indeed.
  17. SANS is French for without.... by Decius6i5 · · Score: 3, Insightful

    The hyperbole displayed in this post is exactly the sort of behavior that computer security professionals should avoid engaging in. People who take undue offence at obviously innocent acts and run around making completely unfounded accusations of mal-intent and criminal liability are the sort of network operators who can make a workplace a living hell for people who are trying to get things done. It's a power trip and in a serious corporate environment it is totally inappropriate. Security professionals should be focused on real threats to business continuity rather than getting their rocks off by hunting down port scanners. It should be painfully obvious that nothing about this assignment is either illegal or immoral. The students are asked to perform a vulnerability assessment. They are asked to collect information; they are not asked to act on that information and break in. If you want to understand how security gets done it makes sense to take a look at someone who is doing it and see what they are doing. It's the kind of activity that might raise suspicion in the event that the intent was to use the information collected in the subsequent commission of a crime, but that obviously isn't the intent here, so there is no REAL problem. If your Internet connected computer is so weak from a security standpoint that this kind of snooping is enough to impact your operation then I suggest you stop reading this and go check on it because you are probably offline right now. Obviously one needs to be careful in performing this sort of audit that one doesn't use aggressive tools that can impact the operation of a host, and students do need to understand the difference between collecting information and obtaining unauthorized access. It might make sense for this lesson to be bundled with a serious conversation about the ethical issues.

    Obviously, it would be preferable to ask students to look at a honeypot host rather than examining someone's live network, if for no other reason than this kind of probing is suspicious and, albeit EXTREMELY unlikely, could cause administrators to waste time investigating. However, to suggest that performing this kind of information collection against a remote host is a crime regardless of the intent of the exercise is, frankly, "just plain stupid and ignorant." Sans security ought to relax. The likelihood that any of the targets of this exercise so much as noticed it is infinitesimal.

  18. Amazing! The prof should be fired! by digital+photo · · Score: 2, Interesting

    This is just amazing. By amazing, I mean to say an affront to ethical teaching. It promotes the wrong idea about proper conduct on the internet. It will spawn tons of alarms on different networks. Companies who get scanned will lose countless dollars and hours figuring what new attack was underway.

    I strongly believe that the professor should be fired. The students should be told to NOT go forward with the assignment. And the name of the professor and university should be released so that such unethical or thoughtless behaviour by the professor and double-standard thinking by the school can be revealed and acted upon.

    I can't believe the school would come back and say that the professor would not be reprimanded, that the assignment can go forward, but not to scan their own computer networks. This implies that the school admins know that it is a security issue and questionable behaviour, but is allowing it to go forward on the internet. Complete and utter retarded and *ss backwards thinking and reasoning.

    For some companies I've worked at, a scan is reason enough to ban your IP, if not your IP address block. Performing a scan is grounds for dismissal, if not initiation of criminal charges of misuse of the business systems. This was the case at my old university. Misuse of school systems resulted in dismissal and/or legal proceedings.

    The correct and responsible means of testing would have been to set up a training network. Obviously, there is a complete lack of responsible planning on the part of the professor and the school. Or perhaps a lack of understanding of what they are setting up their students and themselves up for.

    The student who brought this up REALLY needs to bring this to the attention of his/her fellow students and prevent them from getting into trouble with businesses and the authorities.

    Just because your superiors tell you to do it, doesn't mean it's okay to do it.

  19. I think I may have had this assignment. by sixteenraisins · · Score: 2, Interesting

    Our assignment was very similar to this, except it was to discover the number of nodes, the routing, etc. of the network in one particular building on the campus (housing our classroom) - no port scanning, no attempts to compromise anything, but simply to "map out" the building's network.

    One telltale phrase that hit a nerve with me was something that I remember nearly verbatim: "using tools available in the public domain." The examples he gave were essentially tools like traceroute, ping, etc.

    Nobody in the class thought there was anything questionable about this, let alone illegal.

    --
    When you're not looking, this sig is in Latin.
  20. That disclaimer isn't enough. by Flower · · Score: 3, Insightful

    My company's Internet connection is not your lab. I did not request your services and you are not compensating me for use of my resources for your education. We have no contract detailing the work you are permitted to perform at my perimeter. As a matter of fact, I see nothing in that assignment which requires you to get permission from me to scan your network. Instead, I see instructions to be stealthy and only communicate with me if I notice you. This more than anything makes me question the ethics of this assignment.

    I don't care if you're talented. You have no idea how a scan is going to affect whatever applications I have running off of that pipe. What may not break one network may most certainly break another. You, with all your talent, can still make a mistake. I've had it happen to me and the reason why I was able to quickly recover was because I KNEW I WAS BEING SCANNED BEFOREHAND! Vendor comes in and says "Oh, this is going to be harmless." and surprise one little Nessus scan brings down half the unix farm until I unplug the laptop. If I really want you pen-testing my network then I'll bring you in as an intern. That way I know about and accept the risk I want to take instead of the unknown.

    You make this bold, sweeping statement about security through obscurity but reread your quote. "You may" not "You will" The students do not have to turn in their work to the company they scanned so there is no way for that organization to take those findings and improve their system. If this was some big noble cause why didn't the prof contact some local businesses and have them agree to a pen-test in return for a report? The fact that the administration reserves the right to discipline any student that uses this assignment to scan the school's network speaks volumes. Your comment about admins who oppose this are ones who routinely port scan the school's network is a fallacy on so many levels that I simply chose to ignore it.

    I don't care if the prof is going to cash his Nobel check and give the money to the starving poor in Africa. The assignment was ill conceived from the start. It wasn't professional or academic and there were viable alternatives other than going out into the wild and poking around people's perimeters without permission. What? Haven't heard of a test lab?

    Absolutely nothing in your post has dissuaded me from the opinion that this entire issue was just plain dumb.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
  21. Re:Why hasn't slashdot been sued by the G.N.A.A.? by freakmn · · Score: 2, Funny

    Why hasn't slashdot ever heard from the G.N.A.A.'s lawyer?

    Likely because they are both internet communities, and the easiest way to get in contact with each other is through e-mail, which would not work if the IP addresses are blocked. Seems obvious to me.
    --
    warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.