Professor 'Packetslinger' Assigns Questionable Task

mrowton writes "A professor at an undisclosed university recently assigned a practical for his computer-security class. The practical, which is worth 15 percent of the students final grade, requires students to perform reconnaissance on an internet server using tools available in the public domain. While the university is allowing the practical to continue it has also stated that the techniques should not be performed on their own web servers. If students are caught performing any scans against university computers then it would prompt: "Disabling their student account and referring them to the Student Dean of Corrections." The assignment was enough for SANS to dub him 'Professor Packetslinger of the School of Loose Screws.'"

Re:Sand box?

[spun]

Hell, set up some kind of a honeynet with several types of servers (Windows, Mac, *nix) in various states of security. There's absolutely no reason to make these students scan actual production servers. By using custom built servers, the professor will have more control over the lesson, and will be able to tell what the students are actually doing.

In related news...

[flyingsquid]

The NSA issued a press release stating that its whole domestic spying operation was just part of a homework assignment.

The same thing happened at my University

[Raul654]

A similiar occurance happened at my university (University of Delaware). When I was an undergraduate, I took the 400 level security class. The teacher isn't a professor, but he's a staffer who happens to be amazingly knowledgable about all areas of unix and networking)

The assignments were some of the most practical security assignments you could imagine. For one assignment, he gave us the location of a target machine, and told us to "break in and find something that would make people a lot of money". The trick was to scan it with Nmap across an obscene number of ports (he was running a compromised telnet server on some really high port - like 11,000), telnet in, and look through the files to find a fictitious email about a stock buyout. ("But make sure not to scan any machines besides the target machine!") In another one, we telnetted into a mail server he set up, and emailed the TA with a faked 'from' address. "If it looks fake, you lose points", so you had to make damn sure to get all the fields looking immaculate. Another assignment was he gave us an XOR encrypted message, and we had to crack it. (The trick was to look for large areas with spaces, which gave away the key)

It was, all in all, a great class. Just one problem - the IT people *hated* the class. He told us he got a complaint during the Nmap assignment that it had been used to run 150,000 scans on campus machines. The computer science department adamantly defended the assignments, as important learning tools. It's an important issue of academic freedom, and (last I had heard) the CS department's concerns trumped IT's complaint.

Isn't it his job to teach his students?

[Fefe]

How would you teach security if not by trying out the attack tools?

I don't see what the hoopla is about here. He asked them to do a scan, not open them up and format the hard disk or download files on it.

Maybe his next assignment is the ethics. Maybe it's just a test to see if any of his students find this ethically wrong and refuse to do it. Maybe he would have given them extra points.

I run several servers on the Internet, and I get port scanned all the time. Even more so at home, where my dynamic DSL IP is hit by worms many times each day.

Dear American proto-hackers, you are welcome to come to Europe and learn the tools of your trade here. We meet every year between Christmas and New Year at the CCC Congress, and we have a LAN there, so people can get acquainted with the tools.