
Professor 'Packetslinger' Assigns Questionable Task

ScuttleMonkey posted more than 8 years ago | from the applications-flooding-in-for-the-school-of-loose-screws dept.


mrowton writes "A professor at an undisclosed university recently assigned a practical for his computer-security class. The practical, which is worth 15 percent of the students' final grade, requires students to perform reconnaissance on an internet server using tools available in the public domain. While the university is allowing the practical to continue, it has also stated that the techniques should not be performed on their own web servers. If students are caught performing any scans against university computers, it would prompt: "Disabling their student account and referring them to the Student Dean of Corrections." The assignment was enough for SANS to dub him 'Professor Packetslinger of the School of Loose Screws.'"


411 comments


Kerry / Edwards 2004 (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14830103)

I bet this yahoo voted for Kerry ....

Re:Kerry / Edwards 2004 (0)

Anonymous Coward | more than 8 years ago | (#14830224)

Yes. But the vote was counted for Bush...

Re:Kerry / Edwards 2004 (1)

KingSkippus (799657) | more than 8 years ago | (#14830320)

Having his minions secretly listening in on things that they have no legal right to? Nah, that reminds me of a different candidate.

Whistle Blower (1)

biocute (936687) | more than 8 years ago | (#14830104)

Now who would be the WB to publish the name of the university here?

I wonder if that paper will attract more students because of the assignment. Guys, whatever you do, just don't TK.

Re:Whistle Blower (1)

Johnny_Law (701208) | more than 8 years ago | (#14830147)

I'll be happy to whistle blow.

Indiana University's Kelley Business School had a CIS class for undergraduates that featured a final similar to this where students had to secure computers and take turns attacking each others machines.

Re:Whistle Blower (1)

marciot (598356) | more than 8 years ago | (#14830204)

Indiana University's Kelley Business School had a CIS class for undergraduates that featured a final similar to this where students had to secure computers and take turns attacking each others machines.

Which is perfectly alright, since the students set up these computers with the express purpose of attacking them. That is not a problem and in fact is the correct way to run a security class.

I believe the issue at hand is that said professor required his students to probe machines that were "live" on the internet and were not under his students' control.

-- Marcio

Re:Whistle Blower (1)

FooAtWFU (699187) | more than 8 years ago | (#14830214)

Indiana University's Kelley Business School had a CIS class for undergraduates that featured a final similar to this where students had to secure computers and take turns attacking each others machines.
Each Other's Machines makes all the difference.

Re:Whistle Blower (0)

Anonymous Coward | more than 8 years ago | (#14830244)

That's not the university in question. I'm in the class which received this assignment.

In related news... (4, Funny)

flyingsquid (813711) | more than 8 years ago | (#14830172)

The NSA issued a press release stating that its whole domestic spying operation was just part of a homework assignment.

Re:In related news... (0, Offtopic)

Omaze (952134) | more than 8 years ago | (#14830418)

Also in related news:

Conducting reconnaissance on a used car by kicking the tires or requesting vehicle histories is illegal.

Looking at houses becomes a terrorist activity.

Is scanning a network illegal? (2, Interesting)

nharmon (97591) | more than 8 years ago | (#14830106)

I thought there was a case not too long ago that says a scan is not an intrusion, thus is not illegal.

Re:Is scanning a network illegal? (2, Informative)

RagingFuryBlack (956453) | more than 8 years ago | (#14830122)

The scan itself is not illegal. However, they're asking the students to go much further then the scan itself.

Re:Is scanning a network illegal? (1)

Marxist Hacker 42 (638312) | more than 8 years ago | (#14830242)

How so? All of the information requested in the assignment can be gotten from any server running a compliant web server, including Windows XP Personal Web Server, with a combination of port scanning tools, netstat, ping, and GRC's webhost. There shouldn't be any real break-in at all; all of this information is offered up by the webserver to whomever wants it.

Re:Is scanning a network illegal? (1)

Krach42 (227798) | more than 8 years ago | (#14830331)

How so? All of the information requested in the assignment can be gotten from any server running a compliant web server, including Windows XP Personal Web Server, with a combination of port scanning tools, netstat, ping, and GRC's webhost.

Want to know what's funny? I can break into your house with perfectly legal tools.

Just because the tools are publicly available and have a non-illegal use, doesn't mean you can use them.

Re:Is scanning a network illegal? (1)

Marxist Hacker 42 (638312) | more than 8 years ago | (#14830381)

My point wasn't that the tools are legal. My point is that all of the information requested in the assignment is public information that ALL computers running webservers broadcast. Most browsers hide it, but the operating system of the host server is sent every time you browse a site, for example. All the other information requested in the assignment is similar public information. NONE of it requires gaining root access to the server in question, or even user level access.

Re:Is scanning a network illegal? (1)

lgw (121541) | more than 8 years ago | (#14830403)

Marxist Hacker 42 doesn't believe in property anyway, so it's not like he'll mind if you make use of the community goods stored in "his" house. Just don't damage anything on the way in - that window belongs to everyone!

Re:Is scanning a network illegal? (0)

Anonymous Coward | more than 8 years ago | (#14830415)

You forgot the second part:

There shouldn't be any real break-in at all; all of this information is offered up by the webserver to whomever wants it.

It's not really breaking into my house if I open the door for you...

Re:Is scanning a network illegal? (2, Interesting)

Karzz1 (306015) | more than 8 years ago | (#14830312)

I read the article and did not see where intrusion was part of the assignment. From what I read, it was a vulnerability assessment, which would include a few simple scans. Knowing what I do about some scans, they can create a DOS attack (inadvertently of course; you aren't going to be too clandestine if you get noticed DOSing your victim).

My point here is this: he did not assign any illegal activity from what I saw in the article. If someone could point me to where the actual assignment is written down, I might see something there; however, all I saw was the ramblings of a paranoid person who has no clue as to what is and is not legal. If port scans and vulnerability scans truly are illegal, I have felons banging on my ports all day long.

Might not be illegal but it's bad form (3, Interesting)

Sycraft-fu (314770) | more than 8 years ago | (#14830171)

If I notice someone poking around at my systems in such a way that looks like it's looking for exploits, I'll contact the ISP responsible and ask them to have a chat with that user. If they blow me off, I'm likely to blacklist the ISP entirely.

Just like with your house, while it might not technically be illegal for you to sit on public land and case my house out like you are going to break in to it, you can bet I'll object if you try.

Re:Might not be illegal but it's bad form (1)

'nother poster (700681) | more than 8 years ago | (#14830227)

I think in this case your sig should say "Those who can, do. Those who can't get their students to find spam zombies for them." ;)

Re:Might not be illegal but it's bad form (1)

gstoddart (321705) | more than 8 years ago | (#14830427)

If I notice someone poking around at my systems in such a way that looks like it's looking for exploits, I'll contact the ISP responsible and ask them to have a chat with that user. If they blow me off, I'm likely to blacklist the ISP entirely.

Sadly, I find my firewall logs demonstrate far too many attempts to track down the ISP of each and every one.

The vast majority of stuff just gets summarily dropped at the firewall. But you'd be amazed at how many dictionary attacks I see on the server that SSH requests get forwarded to (the only inbound traffic which gets in).

Fortunately, my SSH is configured to use really big honking encryption keys, so they either fail when they try to connect as a non-existent user or they fail when they don't have the right keys to get into the accounts that do. However, I guess even that isn't 100%.

Unfortunately, part of the reality of having anything that is actually facing the internet is it needs to be pretty heavily hardened -- because people are going to scan you and see what they can find.

The amount of packet traffic I see to my machine on a broadband network is flippin' HUGE.
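Several comments in this thread mention watching firewall logs fill up with scans. As an added, defender-side example (not code from the thread or from any poster), here is the kind of check one would run over such logs to flag a source that touches many distinct destination ports in a short window. It assumes Linux iptables LOG output with a "DROP" prefix; the log lines and addresses below are constructed.

```python
"""Flag port-scan-like behaviour in iptables LOG lines (constructed sample)."""
import re
from collections import defaultdict
from datetime import datetime

# Fields we need from an iptables LOG line: timestamp, SRC, DST, PROTO and,
# for TCP/UDP, the destination port.  ICMP lines have no SPT/DPT.
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line, year=2006):
    """Return a dict for a recognised line, or None for anything else.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    dpt = int(m["dpt"]) if m["dpt"] else None
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": dpt}


def detect_scans(lines, window_seconds=60, port_threshold=10):
    """Return {src: sorted distinct ports seen} for every source that hit at
    least port_threshold distinct destination ports within window_seconds.
    A sliding window per source keeps a slow scan spread over hours from
    being merged with a burst; tune the two parameters to your traffic."""
    events = [e for e in map(parse_line, lines) if e and e["dpt"] is not None]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    hits = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans <= window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ports_in_window = {e["dpt"] for e in evs[start:end + 1]}
            if len(ports_in_window) >= port_threshold:
                hits[src] = sorted({e["dpt"] for e in evs})
                break
    return hits


def _mk(sec, src, dpt, proto="TCP"):
    """Build one constructed DROP line at 10:00:<sec> on Mar 1."""
    return (f"Mar  1 10:00:{sec:02d} gw kernel: DROP IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=1 "
            f"PROTO={proto} SPT=40000 DPT={dpt} WINDOW=1024 SYN URGP=0")


# Constructed sample: one host sweeps 12 common ports in 12 seconds, a
# second host only ever touches 80/443, and one ICMP echo is dropped.
SAMPLE_LOG = (
    [_mk(s, "203.0.113.7", p) for s, p in
     enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    + [_mk(30, "198.51.100.5", 80), _mk(31, "198.51.100.5", 443),
       _mk(40, "198.51.100.5", 80)]
    + ["Mar  1 10:00:50 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 "
       "DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=ICMP "
       "TYPE=8 CODE=0"]
)

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {len(ports)} distinct ports -> {ports}")
```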

Re:Might not be illegal but it's bad form (1)

IAmTheDave (746256) | more than 8 years ago | (#14830436)

If they blow me off, I'm likely to blacklist the ISP entirely.

Which, depending on the size and importance of your network, sets you up for a lawsuit. Assuming a free and unfettered internet, if you block an entire ISP from your network for what amounts to zero illegal activity, I would put it out there that a lawsuit would result in a court order to unblock said ISP.

Now, it's true, this doesn't take in to account things like private vs public networks or the actual network that you handle, but punishing for non-illegal activities is questionable at best.

Re:Is scanning a network illegal? (1)

PrvtBurrito (557287) | more than 8 years ago | (#14830178)

Yes, but it is commonly against school policy, which in some universities is apparently more important than law.

Re:Is scanning a network illegal? (1)

Arandir (19206) | more than 8 years ago | (#14830413)

Farting is not illegal, but if you do it at my dinner table, you're out of here! The university gets to make the rules about the university, including who gets to be a student. It doesn't matter how legal scanning a server is, you don't get to do it to their server AND be a student.

The world is not a one way street and you are not its traffic light. If you cannot get along with institutions, then do not be surprised when institutions do not get along with you.

Re:Is scanning a network illegal? (1)

MadMidnightBomber (894759) | more than 8 years ago | (#14830386)

From the Fine Article:

The "TASK"
Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.

You can't learn very much by doing a portscan; more intrusive scanning such as a nessus scan, or even attempted exploitation (metasploit perhaps?) would be needed to write a complete report. Besides when I used to work at a Uni, we would have busted people for port-scanning other hosts. Illegal or not, it's not within acceptable use guidelines.

Sand box? (2, Interesting)

WilyCoder (736280) | more than 8 years ago | (#14830112)

Why doesn't the professor construct a cheap server, with security out the wazoo? Then let the students attempt to bring down the sandbox, rather than randomly probing servers which are probably used to run a business?

Re:Sand box? (4, Interesting)

spun (1352) | more than 8 years ago | (#14830158)

Hell, set up some kind of a honeynet with several types of servers (Windows, Mac, *nix) in various states of security. There's absolutely no reason to make these students scan actual production servers. By using custom built servers, the professor will have more control over the lesson, and will be able to tell what the students are actually doing.

Re:Sand box? (1)

apt142 (574425) | more than 8 years ago | (#14830273)

Or better yet, break the student body into teams. One Team scans the other team secures. And maybe swap teams after a good go at it.

You could grade based on what the student learned from both tasks.

Re:Sand box? (0)

Anonymous Coward | more than 8 years ago | (#14830159)

The way a similar class here works is that the prof has a stack of 2U servers in a rack that he gives control of to students to secure/break into. This is segmented off and means that they come up with some cool schemes (like breaking in during class to get a jump on the competition) without compromising security.

This seems very unethical.

Re:Sand box? (1)

bloodredsun (826017) | more than 8 years ago | (#14830205)

Or even better, default installations of the more popular OS's and Web servers (you know who you are) so that these security professionals-to-be get a taste of the real world!

Once they're handled this, then step it up to a fully patched and locked down version.

Whatever we think he should have done, if this story is true his actions are unprofessional. The ban on university servers acknowledges that they could be compromised with some effect on services, so to recommend testing it on unknown third parties is just saying "not in my backyard".

Re:Sand box? (1)

hazem (472289) | more than 8 years ago | (#14830250)

Or even better, default installations of the more popular OS's and Web servers (you know who you are) so that these security professionals-to-be get a taste of the real world!

What that's missing, of course, are the users internal to the server/network that do everything they can to break the security of the network so they can run their favorite chat/game/interactive screen-saver.

Re:Sand box? (1)

Amouth (879122) | more than 8 years ago | (#14830229)

I've got a network card here on my desk.. you plug it in and give it power and it just sends massive random data over the line.. as fast as the cable can handle.. the weird part is it is valid packets and switches process them and forward them.. it died one day and took out a portion of the UNC network.. I keep it just in case I ever need to kill someone's network

Re:Sand box? (1)

grumpyman (849537) | more than 8 years ago | (#14830303)

Because university cuts down on budget so they use students as 'testers' on production servers :)

Can they please disclose the university? (1)

FooAtWFU (699187) | more than 8 years ago | (#14830132)

Then all of Slashdot can scan the university's computer for them!

Dean of Corrections? good lord... =b

What does it matter? (1)

Tweekster (949766) | more than 8 years ago | (#14830139)

Scanning a system is not illegal... trying passwords would be, but seeing if anything is listening out on a host is not in anyway illegal.

Re:What does it matter? (0)

Anonymous Coward | more than 8 years ago | (#14830336)

I routinely run port scans on hosts that I catch trying to break into my home computers all the time, and ones that are generating suspicious things in my logs. It seems that almost all break-in attempts are coming from compromised hosts (and most of them from Asia in my case). If the admin was unaware that he was compromised, all he might see is my attempt to scan him.

A scan is not an intrusion in itself, especially when you can demonstrate that you are simply investigating some activity initiated by the person you scanned. Unfortunately, there are some trigger-happy/retarded admins that just like to make examples out of individuals because they have evidence that they have been scanned.

Lemme get this straight (3, Interesting)

lheal (86013) | more than 8 years ago | (#14830143)

He's not supplying his own honeypot servers, and didn't get the University to allow use of campus servers either? I'd think he could sell it to the IT group as a hardening exercise, since students would have to do full disclosure to get credit anyway.

Yup, just goes to show you that "smart" and "fool" aren't antonyms.

In academia (1)

Sycraft-fu (314770) | more than 8 years ago | (#14830369)

Smart and fool go together as often as not. Never have you met so many people that can know so much about so little, people with mountains of theoretical knowledge and no idea how to apply it at all. We have a lab in our building that is devoted to studying networking, and literally most of the people in there couldn't point out the switch in their room, people that have, with a straight face, used the phrase "statically configured dynamic address". It's not like these are art majors who just don't know anything; they are all engineers who are studying networking.

That something like this happens really isn't that surprising to me. You get grad students and professors that have spent a lot of time on theory but have never applied the knowledge in meaningful ways and are out of touch with the real world. Thus they make requests and demands that are totally off the wall because the mental picture they have of how things work isn't anything like how it really works.

Undisclosed, huh? (1)

Just Some Guy (3352) | more than 8 years ago | (#14830144)

Five bucks says it's DJB [slashdot.org] :

  1. Impossible assignment? Check.
  2. Severe ramifications for students? Check.
  3. Callous disregard for everyone but the professor? Check.

Yeah, my money's definitely on Dan.

Re:Undisclosed, huh? (1)

petard (117521) | more than 8 years ago | (#14830247)

Unlikely. DJB is on sabbatical right now [cr.yp.to] , and I think UIC has "spring", "summer" and "fall" terms, not "winter" which would indicate a school that uses the quarter system.

FWIW, I believe all 3 of your assertions about his UNIX security assignment are incorrect. The assignment didn't look at all impossible. Consider *all* the software on sourceforge. 10 bugs is not a lot to find over an academic term, given such a mass to work off. It does not constitute "severe ramifications" or "callous disrespect" (especially in an elective course) to lay out expectations for students and then grade them according to the standards you set at the beginning of the term.

Firing ranges (1)

Twillerror (536681) | more than 8 years ago | (#14830154)

If a police officer needs to test out shooting a gun, he goes to a firing range. You wouldn't have him field test it.

I feel for the prof; there isn't a good "firing range" on the internet. It would make for an interesting business. Set up a virtual network of servers with targets/exploits and have the students try and hit them.

you're mostly right (1)

BitterAndDrunk (799378) | more than 8 years ago | (#14830281)

But there's always the LAPD

Re:Firing ranges (1)

Sven Tuerpe (265795) | more than 8 years ago | (#14830370)

I feel for the prof, there isn't a good "firing range" on the internet.

There is. Check your spam folder.

Re:Firing ranges (1)

MindStalker (22827) | more than 8 years ago | (#14830443)

No reason to; the professor should have set up his own test servers. Either way, I've taken some Cisco courses that have you connect to specific test servers so you can practice real configurations.

What about criminology classes? (2, Insightful)

IntelliAdmin (941633) | more than 8 years ago | (#14830157)

They should have an assignment that each student rob, or break into, a bank. Any attempts to break into school secured areas would result in immediate suspension.

Re:What about criminology classes? (1)

Tweekster (949766) | more than 8 years ago | (#14830194)

recon work is not illegal. I can do recon on a bank without penalty

go video tape a bank, go take pictures of security cameras, get plans for the building...all legal.

go scan a computer, still legal...

start trying combinations on the vault...illegal.
start trying passwords on the server...illegal

do you notice a pattern

Re:What about criminology classes? (1)

SnowDeath (157414) | more than 8 years ago | (#14830301)

Haven't kept up with the latest from the Department of Fatherland Absurdity, have you? You can't go around videotaping anything in public lest you be thrown in jail without trial on terrorism charges.

Re:What about criminology classes? (0)

Anonymous Coward | more than 8 years ago | (#14830195)

He didn't ask them to break into servers... just case the joint. Big difference in actions and intent.

Next assignment - Hack in and change your grade (2, Funny)

digitaldc (879047) | more than 8 years ago | (#14830162)

If you change it to anything other than an 'A' you automatically fail.

Re:Next assignment - Hack in and change your grade (0)

Anonymous Coward | more than 8 years ago | (#14830221)

Then just to piss him off, you could show up the next semester with a transcript that shows you have a B, thereby circumventing whatever final grades he thought he was assigning. Sure, your GPA would drop a fraction of a point, but if you brought a camera I'm sure you could make good money off the video of DJB turning beet red.

2 legal, 2 illegal, solutions w/o getting caught (1)

Marxist Hacker 42 (638312) | more than 8 years ago | (#14830163)

Legal solution #1: Contact a local business, explain you're a student learning about computer security, and ask for permission to hit their server.

Legal Solution #2: find out the address of a home computer on a broadband connection and hit that, preferably a friend who knows you're doing it or yourself.

Illegal Solution #1: Find out the address of a home computer on a broadband connection owned by the kind of luser who doesn't even know they have a log let alone how to check it.

Illegal solution #2: Hit a BUSY public server that you know is locked down well and likely to have only a single discoverable service, such as www.google.com, thus also giving the wonderful ability to turn in a two line report and STILL get the full purpose of the assignment; bonus points for mentioning the port ranges that were in stealth mode.

The last two are available due to the fact that most sysadmins aren't being paid to look at logs all day; and that home users don't have the extra cash to pay a sysadmin at all.

Students should do it anyway (1)

WedgeTalon (823522) | more than 8 years ago | (#14830164)

Scan the school's comps anyway and if caught social-engineer your way out of trouble for Double Bonus Points(TM)!

Re:Students should do it anyway (1)

MindStalker (22827) | more than 8 years ago | (#14830260)

For extra bonus points, social engineer your way into the server, preferably using this situation as the scenario. "Yes, I'm from University Computing Services, I was told that you recently had a security threat concerning some students instructed to hack into your system......"

Dean of Corrections? (2, Funny)

slickwillie (34689) | more than 8 years ago | (#14830173)

AKA Warden?

Is it a university or a prison?

So Scanning other's computers is OK? (1)

SauroNlord (707570) | more than 8 years ago | (#14830182)

So it is wrong for them to scan their own servers, but it's ok to look for exploits on non-university computers... Brilliant

yeah point is? (1)

sydres (656690) | more than 8 years ago | (#14830185)

We did this as an assignment for a network security class at the small community college I attended. As long as the students are gathering information and not launching an assault, what's the big deal? Though I have to say that the college considered all the students to be security risks and so forced us to stay off the campus net during class. They would also pay close attention to anything we did when we were on the network.
Nothing to see here, move along.

Academic misconduct (0)

Anonymous Coward | more than 8 years ago | (#14830189)

I got asked to see if a server at my university was secure. I scanned it using nmap. It set off their IDS and I got a letter of academic misconduct. They really didn't specify how to see if it was secure. I use Linux a lot, nmap is second nature, I really didn't think twice about using it.

That was in .au if it helps.

Stupid (1)

dannyelfman (717583) | more than 8 years ago | (#14830192)

This smells of script kiddie 101, not a "computer security class".

Why not put up a couple of servers of different types on an isolated network at the school and then let the students bang on that. At least they would be able to go through the logs of the servers in question legally. Also, they could packet capture the entire event and review in class.

KSU? (1)

blackomegax (807080) | more than 8 years ago | (#14830196)

It wouldn't happen to be Whitman at Kennesaw State, would it?

Screws and Marbles... (1)

creimer (824291) | more than 8 years ago | (#14830197)

... School of Loose Screws ...

Unless you're majoring as a PC Technician, you are more likely to lose your marbles than your screws in the IT department. My marbles disappeared a long time ago.

Re:Screws and Marbles... (1)

TubeSteak (669689) | more than 8 years ago | (#14830304)

My marbles disappeared a long time ago.
Hence the stereotype of the single male computer geek.

Re:Screws and Marbles... (1)

corbettw (214229) | more than 8 years ago | (#14830445)

My marbles disappeared a long time ago.

Hence the stereotype of the single male computer geek.
Exactly, because all married males know exactly where their marbles are: in a jar in a cupboard in the kitchen.

Missing instructions (1)

HermanAB (661181) | more than 8 years ago | (#14830200)

a. Subtract marks for students that scan government servers. b. Bonus marks for the student that sets up his own web server and then scans it.

Re:Missing instructions (1)

gstoddart (321705) | more than 8 years ago | (#14830258)

a. Subtract marks for students that scan government servers. b. Bonus marks for the student that sets up his own web server and then scans it.

Bingo! Set up a dyndns.org entry to your own darned machine.

God knows my firewall logs indicate that half the friggin' world has been scanning my machine. Fortunately, I have a firewall to log such things for me and keep the buggers out. =)

When did Snorting a remote network become illegal? (1)

mcSey921 (230169) | more than 8 years ago | (#14830201)

When did Snorting a remote network become illegal?

Re:When did Snorting a remote network become illeg (1)

mcSey921 (230169) | more than 8 years ago | (#14830228)

I of course mean running Nessus against a remote network... doh.

Re:When did Snorting a remote network become illeg (1)

MadMidnightBomber (894759) | more than 8 years ago | (#14830327)

You can't 'snort' a remote network - Snort is a Network Intrusion Detection System, so it looks for attacks against you on your local network.

Sounds like a fun class.. (1)

eodmightier (208901) | more than 8 years ago | (#14830203)

Hey, personally I think this sounds like a good assignment IF the professor provided his own servers. These are tools that anybody gaining knowledge in computer security should be familiar with. How hard would it be for the professor to set up a Windows and *nix box with some public services running, and host it from his home connection or at least get some university resources dedicated to it?

When did portscanning become illegal? (2, Interesting)

Kphrak (230261) | more than 8 years ago | (#14830208)

SANS seems to take it for granted that portscanning is illegal and immoral. However, I can't find anything on Google, and of course, IANAL. Is there any case precedent in the United States for the illegality of portscanning?

I would hazard a guess that it is not illegal. It is the equivalent of looking at a house from a public vantage point to see if any windows are open. Although such an action is suspicious (the person may next try to get in through a window), it certainly isn't illegal, at least in the United States. SANS seems to be overreacting.

Re:When did portscanning become illegal? (1)

j-tull (201124) | more than 8 years ago | (#14830279)

What if you're up in a tree with binoculars trying to hide your presence (similar to using stealth techniques)? Is that legal?

Now, what if a half naked coed walks by the window 20 times a day? Still legal?

Re:When did portscanning become illegal? (1)

Marxist Hacker 42 (638312) | more than 8 years ago | (#14830458)

If she doesn't pull the shades, yes, it is legal. The relevant legal principle is that there is no expectation of privacy in the public sphere.

Should have set up a honeypot-like system (1)

ip_freely_2000 (577249) | more than 8 years ago | (#14830218)

Get caught and you fail. Make a set of files on the server progressively more difficult to hack/open/retrieve.

Easy file to hack = C, More difficult file to hack = B, Very difficult file plus leave a calling card = A

Re:Should have set up a honeypot-like system (1)

know1 (854868) | more than 8 years ago | (#14830363)

leaving a calling card should result in an F grade....go to the back of the class

Is this really a problem? (1)

gebbeth (720597) | more than 8 years ago | (#14830220)

Alright, I may be wrong, but I was under the impression that there was no moral conflict with scanning a server. If there is a port open, it is by definition open for use (port 80 anyone?). If someone does not want me to use their server, it is their responsibility to deny me access. If I am running a web server with content that I don't want out in the open, how can I fault someone for accessing it if I left it out in the open? The same applies to an ftp server with an anonymous login, or a telnet session without a password. Enumerating ports on a server is nothing more than determining which ports are open as described above. It's not like these students were instructed to break into servers and steal corporate secrets or credit card numbers.

Re:Is this really a problem? (1)

SydShamino (547793) | more than 8 years ago | (#14830297)

No, that's not at all how the law works.

Someone who leaves FTP service on with no password might be stupid, but you are still breaking the law if you take their stuff or use the server to hold warez.

That is no different than a stupid person leaving their car windows down with the engine running - you can stash heroin there for safe keeping or to transfer to a buddy, or you could steal the car, but either way you broke the law and are going to jail, and the other person will be cleared when it is certain they were just a stupid, unwilling participant.

Re:Is this really a problem? (0)

Anonymous Coward | more than 8 years ago | (#14830388)

Cite sources or shut up, asscake.

Re:Is this really a problem? (0)

Anonymous Coward | more than 8 years ago | (#14830437)

But scanning the server wouldn't be like breaking into the car, it would be like noticing that the window is open or the door is unlocked. Well, I guess it would be more like going around trying door handles to see which ones are locked, but not actually opening the doors. Then again this is a car analogy, and cars are not computers.

Re:Is this really a problem? (1)

Big_Al_B (743369) | more than 8 years ago | (#14830324)

Having well-known service ports open on a network reachable from other autonomous systems implies that they are "publicly" available.

However, scanning the entire TCP and UDP port ranges of some random reachable host in order to assess vulnerability is a differently colored equine.

If I'm running service on TCP80, does that mean you're invited to scan UDP10000-65535 to see what doors may be inadvertently unlocked? I would argue that you may not be breaking a law, but you are acting shady and with ill will towards my host.

Re:Is this really a problem? (1)

Sven Tuerpe (265795) | more than 8 years ago | (#14830424)

If I'm running a service on TCP80, does that mean you're invited to scan UDP10000-65535 to see what doors may be inadvertently unlocked?

If you were not running any service on TCP port 80, would it be ok to ... try different URLs? After all, the URL is a user interface [useit.com] and the only way to learn more about the resource a URL points to is to give it a try and access it.

Re:Is this really a problem? (0)

Anonymous Coward | more than 8 years ago | (#14830326)

So I guess I shouldn't leave any windows open if I live near you... by your definition, I can't fault you for coming into my house and taking things since I didn't properly deny you access.

Honestly (1)

kukickface (675936) | more than 8 years ago | (#14830237)

This sounds like something a Prof I had in school would do and subsequently, a reaction my university would have taken to it. Note that I'm not claiming this is going on there, just saying it doesn't seem like an outside possibility for any school.

If this is taking place at my alma mater or a similar institution then I can tell you how it probably went down.

A: Prof comes up with a realistic assignment for a university level security course and weighs it heavily since he is lazy and can only come up with one or two good assignments.
B: The school denies his department's requests for funds to set up a server for this and any further course work.
C: Prof is lazy (see point A) and so continues the assignment.
D: School responds by threatening disciplinary reaction.

Of course this places the students in a catch-22. They can either scan a university system and face possible action if detected or scan an external system and face possible legal action. I suppose they can also disregard the assignment and face possible failure.

This is irresponsible on the part of both the university and its faculty.

The class is conducted... (1)

ninja_assault_kitten (883141) | more than 8 years ago | (#14830243)

... on efnet in #conf.

solution (0)

Anonymous Coward | more than 8 years ago | (#14830246)

Create four groups to defend their networks. If the Security Course is large enough then all Security Students else include the Network Class.

How it works is there are four networks with two trying to communicate with each other through the opposition network. The first part of the test is with the network class where they set up the network and no attacking and hijacking is permitted, only reconnaissance.

Next is the protecting the network phase. This is where they put on certain firewall solutions and try not to be penetrated to the point of knowing the hidden network topology.

Last is the attack phase where each team tries to penetrate the enemy while defending theirs. Use of honeypots and such is permitted.

During this creation the Instructor gives each team some network requirements for external customers. This is from an Apache or IIS web portal to any other diabolical customer based holes to patch and protect. This is so when communications between the two groups go encrypted there are still points of attack.

Also this must be done by a team who are at least bondable and have had a background check.
In addition all network tools and internet apps must be first put to a read-only medium. The network internal does not have any R/W devices nor are they permitted.

PS use campus surplus to create the network.

The same thing happened at my University (4, Interesting)

Raul654 (453029) | more than 8 years ago | (#14830266)

A similar occurrence happened at my university (University of Delaware). When I was an undergraduate, I took the 400 level security class. The teacher isn't a professor, but he's a staffer who happens to be amazingly knowledgeable about all areas of unix and networking.

The assignments were some of the most practical security assignments you could imagine. For one assignment, he gave us the location of a target machine, and told us to "break in and find something that would make people a lot of money". The trick was to scan it with Nmap across an obscene number of ports (he was running a compromised telnet server on some really high port - like 11,000), telnet in, and look through the files to find a fictitious email about a stock buyout. ("But make sure not to scan any machines besides the target machine!") In another one, we telnetted into a mail server he set up, and emailed the TA with a faked 'from' address. "If it looks fake, you lose points", so you had to make damn sure to get all the fields looking immaculate. Another assignment was he gave us an XOR encrypted message, and we had to crack it. (The trick was to look for large areas with spaces, which gave away the key)

It was, all in all, a great class. Just one problem - the IT people *hated* the class. He told us he got a complaint during the Nmap assignment that it had been used to run 150,000 scans on campus machines. The computer science department adamantly defended the assignments, as important learning tools. It's an important issue of academic freedom, and (last I had heard) the CS department's concerns trumped IT's complaint.
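The XOR assignment described above is worth seeing in code, because the "large areas with spaces" trick is really a statement about why repeating-key XOR is not a cipher: a run of identical plaintext bytes makes the ciphertext repeat with the period of the key, and XORing that run with the guessed filler byte hands back the key. The following is an added example, not the course's material or anything posted in the thread, and it generalizes the trick to an unknown key length by looking for the periodic run first. The memo text, the 7-byte key and the 40-space padding are all constructed here; the assumption that the run is spaces (0x20) is exactly the guess the post mentions.

```python
"""Why a repeating-key XOR 'cipher' gives up its key when the plaintext
contains a long run of one byte (here: padding spaces).

Added example, not the course material or code from the thread. The memo,
the key and the run of spaces are constructed; the filler guess (spaces)
is the assumption the post describes.
"""
from typing import Optional, Tuple


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key, cycling the key; encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_periodic_run(ct: bytes, max_period: int = 32,
                      min_periods: int = 3) -> Optional[Tuple[int, int]]:
    """Return (period, start) of the first stretch of ciphertext that repeats
    with some period for at least min_periods periods and at least a dozen
    matching positions, or None. Identical plaintext bytes XORed with a
    cycling key produce exactly this pattern, with period == key length."""
    for p in range(1, max_period + 1):
        run = 0           # consecutive positions i with ct[i] == ct[i - p]
        for i in range(p, len(ct)):
            if ct[i] == ct[i - p]:
                run += 1
                if run >= p * (min_periods - 1) and run >= 12:
                    # bytes (i - run - p + 1) .. i repeat with period p
                    return p, i - run - p + 1
            else:
                run = 0
    return None


def recover_key(ct: bytes, filler: int = 0x20) -> Optional[bytes]:
    """Recover the key from a periodic run, assuming the run's plaintext is
    the byte `filler` (spaces by default). A wrong filler guess returns the
    key XORed with (filler ^ actual), which decrypts to visible garbage."""
    found = find_periodic_run(ct)
    if found is None:
        return None
    period, start = found
    key = bytearray(period)
    for j in range(period):
        # ct[start + j] == filler ^ key[(start + j) % period]
        key[(start + j) % period] = ct[start + j] ^ filler
    return bytes(key)


# Constructed demo: a 7-byte key with distinct bytes, and a memo whose
# header is padded with 40 spaces, as a fixed-width document might be.
KEY = b"sL0wp4y"
PLAINTEXT = (
    b"MEMO TO BOARD" + b" " * 40 + b"CONFIDENTIAL\n"
    b"Acme Widgets will be bought out at 42 dollars a share next quarter.\n"
    b"Do not circulate this outside the room.\n"
)
CIPHERTEXT = xor_repeating(PLAINTEXT, KEY)


if __name__ == "__main__":
    k = recover_key(CIPHERTEXT)
    print("recovered key:", k)
    print(xor_repeating(CIPHERTEXT, k).decode())
```

The periodicity search needs only the ciphertext; the filler guess is applied afterwards, so if the run turns out to be something other than spaces the result is off by a constant per key byte and the decrypted text makes that obvious. A key with repeated bytes shows up as a shorter period, which is still the correct effective key.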

Re:The same thing happened at my University (0)

Anonymous Coward | more than 8 years ago | (#14830340)

I visited a similar class, but they set up a lab of 8 PCs just for this course where you could only access the outside webserver through a proxy server.

They also had prepared images for VMware with security leaks so you could hack and scan them locally.

criminal (1)

Bad Boy Marty (15944) | more than 8 years ago | (#14830306)

This professor should be prevented from having any contact with computers for 5 years, and from communicating with or being within 100 yards of anyone under the age of 30 for 10 years.

How utterly irresponsible can a college professor actually be?!?!?!?!?

Re:criminal (0)

Anonymous Coward | more than 8 years ago | (#14830446)

Are you retarded?

A great skill to put on your resume (1)

SethEaston (920552) | more than 8 years ago | (#14830310)

I thought the point of obtaining a liberal arts education was to promote good ethics and work practices, provide a well-rounded academic experience, and ultimately, to prepare you for your career. Excuse me, but HOW The f u ck is this assignment helping the student accomplish any of this? This violates ethics and will not teach the students anything useful about working in the real world. (That is unless you are planning to become a covert computer forensics scientist who is trying to apprehend your latest child predator or terrorist.) Is "hacking a network" something you would be proud to put on your resume when applying to, oh let's say, Lockheed Martin? NO. They are looking for people who are able to have good ethics (all those companies give you ethics training) and (more importantly) good work ethics. Believe me, they don't want script kiddies and the like.

DJB? (1)

NerveGas (168686) | more than 8 years ago | (#14830323)

I could see some profs doing it out of stupidity, but I could see Dan Bernstein doing it entirely out of arrogance...

obligatory bash quote (1)

know1 (854868) | more than 8 years ago | (#14830325)

i'm here to packet and chew gum....and i'm all out of gum

better than a fork bomb (0)

Anonymous Coward | more than 8 years ago | (#14830354)

I was working a university unix lab, when, all of a sudden there was a rash of complaints of crashed solaris machines.

As I looked into it, one student fessed up, and handed over his assignment which was, essentially, to write a fork bomb, and run it, and "see what happens".

I told them to write down the answer "Lab Attendant swears at me, and tells me my professor is an idiot".

Re:better than a fork bomb (1)

Big_Al_B (743369) | more than 8 years ago | (#14830448)

I was working at a UNIX terminal lab in college when an enterprising young freshman decided to cat all the man pages together and pipe to lpr.

He had otherwise proven to be an apt UNIX geek so I heard several of his fellow lab users ask him why he thought their terminals had locked up--since asking me would be scary apparently, go figure--and I heard him mumble, "dunno" and then he hustled out before we figured out what happened.

The lab manager held his many thousand page printout in a large overfull box until he reappeared several days later...and said if he ever did something so stupid again, he'd pay for both incidents at $.10/page.

Reminds me of the last episode of Naruto (1)

vertinox (846076) | more than 8 years ago | (#14830366)

They had a ninja Chunin exam with extremely hard and actually unanswerable questions. The point of the exam was to actually force students to cheat in order to fail the ones they could catch.

At the end of the exam anyone left (who stayed voluntarily after the 10th question) was passed regardless of whether they had written down any answers or not.

As long as they hadn't been caught cheating, so the expert cheaters were passed.

After all... The goal of the Ninja is to be able to acquire information undetected.

Perhaps the only way to pass this class is to be able to do these tasks without getting detected by the university or authorities.

From the inside (2, Informative)

Anonymous Coward | more than 8 years ago | (#14830382)

I'm in the class which received this assignment.

I am both an undergraduate CS major and a system administrator on campus. I work with the top-level sysadmins that complained about the assignment, and who likely reported it to the ISC. They're good people that know their stuff, but I think they acted poorly by publicising it. It was a simple assignment which meant no harm. The class has never been taught here before. The CS department's reading of the university AUP and Ethics Policy differed widely from the administration's, and a simple email could have eliminated the confusion. Instead it's on Slashdot.

I think the ISC and the administration's reading of the assignment's intent was way off base. They both seem to be under the impression that simple port scans are illegal and forbidden, when in fact they occur regularly on the residential network and are a part of having an internet connection.

The professor is the dean of the CS department and is a very smart guy. He doesn't deserve to have this situation turned against him publicly. We in the class think it's all pretty ridiculous, and will do the assignment using only the approved IPs which we were given today. This was a simple misstep, and should blow over quickly.
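The insider's point that simple port scans are routine background noise on any internet-connected network is also why a sysadmin who wants to notice a scan needs a rate-based check rather than an alarm on every connection attempt. As an added example (not code from the thread or from the university in question), the following counts how many distinct destination ports each source touches inside a sliding time window and flags sources that exceed a threshold. The log lines imitate iptables LOG output in a simplified, constructed form, and the 60-second window and 20-port threshold are assumed starting values to be tuned for a real network.

```python
"""Flag port scans in firewall logs by counting distinct destination ports
per source within a sliding time window.

Added example, not code from the Slashdot thread or from any university
mentioned in it. The log format is a simplified, constructed imitation of
iptables LOG output; window and threshold are assumed tuning values.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dpt: int


# Pulls the fields we need from a syslog-style firewall line. Lines
# without SPT/DPT (e.g. ICMP) do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_log(lines: List[str]) -> List[Event]:
    """Turn raw log lines into Event records, ignoring unparseable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900,
        # which is fine because only differences between timestamps are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append(Event(ts, m.group("src"), m.group("dst"), int(m.group("dpt"))))
    return events


def detect_scans(lines: List[str], window_s: int = 60,
                 threshold: int = 20) -> Dict[str, int]:
    """Return {source: peak number of distinct (dst, port) pairs seen within
    any window_s-second window} for every source whose peak reaches threshold."""
    per_src = defaultdict(list)
    for ev in parse_log(lines):
        per_src[ev.src].append(ev)

    alerts: Dict[str, int] = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e.ts)
        in_window = Counter()   # (dst, dpt) -> hits currently inside the window
        start = 0
        peak = 0
        for ev in evs:
            in_window[(ev.dst, ev.dpt)] += 1
            # Slide the window start forward past events older than window_s.
            while (ev.ts - evs[start].ts).total_seconds() > window_s:
                old = evs[start]
                in_window[(old.dst, old.dpt)] -= 1
                if in_window[(old.dst, old.dpt)] == 0:
                    del in_window[(old.dst, old.dpt)]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def _line(ts: str, src: str, dst: str, dpt: int, spt: int) -> str:
    """Build one constructed log line in the imitation iptables format."""
    return f"{ts} gw kernel: IN=eth0 SRC={src} DST={dst} PROTO=TCP SPT={spt} DPT={dpt}"


# Constructed sample log: a normal web client touching 80/443 repeatedly,
# one host probing 40 different ports within four seconds, and an ICMP
# line that the parser ignores.
SAMPLE_LOG: List[str] = []
for i in range(10):
    SAMPLE_LOG.append(_line(f"Mar 01 10:00:{i:02d}", "10.0.5.7", "10.0.1.10",
                            443 if i % 2 else 80, 50000 + i))
for i in range(40):
    SAMPLE_LOG.append(_line(f"Mar 01 10:00:{i // 10:02d}", "10.0.5.20", "10.0.1.10",
                            1 + i, 40000 + i))
SAMPLE_LOG.append("Mar 01 10:00:05 gw kernel: IN=eth0 SRC=10.0.5.9 DST=10.0.1.10 PROTO=ICMP TYPE=8")


if __name__ == "__main__":
    for src, peak in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {peak} distinct ports within 60s")
```

The obvious limits are the ones a practitioner would expect: a scan spread slowly over longer than the window, or spread across many source addresses, stays under the per-source count, and a legitimate vulnerability scanner or monitoring host will trip it unless excluded. The count is still the cheap first filter that separates the campus-wide Nmap run the IT staff complained about from ordinary client traffic.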

If your server is secure, why worry? (1)

tbcpp (797625) | more than 8 years ago | (#14830389)

Really, folks, if I find someone poking around on my server, I'm not going to go screaming to the law. No, it's a notice to me that I need to beef up security.

Instead we have half-rate sysadmins getting worried about these students hacking their systems, simply because they are too lazy to plug the holes.

Can't blame the professor (1)

portwojc (201398) | more than 8 years ago | (#14830391)

You can't blame the professor for this. It's not like he or she knows how the real world works. After all, anyone with any sense, well almost any, would say this is a bad idea. The University had sense enough to say no to their own network being scanned; then again they're dumb enough to allow it to continue.

So at least the student will have a co-defendant if things go bad.

SANS forgot their phillips (0)

Anonymous Coward | more than 8 years ago | (#14830393)

Oh wow how awesome! A far-stretched (yep, that's far-stretched, not far fetched for you double guessers out there! Think of it as stretching the rubberband, or in this case the meaning of a concept, even farther from its actual meaning) comment related to the psyche of someone or some entity. ++ (that's double plus) points for SANS and the Slashdot award of practicing without a license. In the medical field they call people that do that 'quacks'; interesting coincidence that a 'quack' is often described as someone with a loose screw.

What the heck is... (1)

egeorge (547281) | more than 8 years ago | (#14830440)

a "practical"?

What if there was a separate 'net? (1)

Nexus7 (2919) | more than 8 years ago | (#14830461)

What if a group of people, say neighbors, or firms, or even cities got together, strung some fiber or microwave links between them, and called it MyNet? Physically isolated from the Internet, but nevertheless including entities that are considered separate so far as the conventional or legal definition goes. I think laws such as child porno laws, or externally copyrighted music, would still apply because they are broadly defined. But what if these participating entities explicitly agreed to allow cracking, for one, or the use of strong encryption, or in general, uses which are legally prosecuted to protect the lowest common denominator in computer users, or to allow hooks for prosecuting? Is Internet-2 like this? (Probably not, because government money is involved.) Seems like the Internet space is increasingly being regulated as if it were meat-space, or more harshly than that.

So much for ethics... (1)

ivanmarsh (634711) | more than 8 years ago | (#14830466)

I still say ethics should be a required course in IT.