Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×

Professor 'Packetslinger' Assigns Questionable Task 411

mrowton writes "A professor at an undisclosed university recently assigned a practical for his computer-security class. The practical, which is worth 15 percent of the students final grade, requires students to perform reconnaissance on an internet server using tools available in the public domain. While the university is allowing the practical to continue it has also stated that the techniques should not be performed on their own web servers. If students are caught performing any scans against university computers then it would prompt: "Disabling their student account and referring them to the Student Dean of Corrections." The assignment was enough for SANS to dub him 'Professor Packetslinger of the School of Loose Screws.'"
This discussion has been archived. No new comments can be posted.

Professor 'Packetslinger' Assigns Questionable Task

Comments Filter:
  • Now who would be the WB to publish the name of the university here?

    I wonder if that paper will attract more students because of the assignment. Guys, whatever you do, just don't TK.
    • by flyingsquid ( 813711 ) on Wednesday March 01, 2006 @04:55PM (#14830172)
      The NSA issued a press release stating that its whole domestic spying operation was just part of a homework assignment.
  • by nharmon ( 97591 ) on Wednesday March 01, 2006 @04:48PM (#14830106)
    I thought there was a case not too long ago that says a scan is not an intrusion, thus is not illegal.
    • The scan itself is not illegal. However, they're asking the students to go much further then the scan itself.
      • How so? All of the information requested in the assignement can be gotten from any server running a compliant web server, including Windows XP Personal Web Server, with a combination of port scanning tools, netstat, ping, and GRC's webhost. There shouldn't be any real break in at all- all of this information is offered up by the webserver to whomever wants it.
        • How so? All of the information requested in the assignement can be gotten from any server running a compliant web server, including Windows XP Personal Web Server, with a combination of port scanning tools, netstat, ping, and GRC's webhost.

          Want to know what's funny? I can break into your house with perfectly legal tools.

          Just because the tools are publicly available and have a non-illegal use, doesn't mean you can use them.
          • My point wasn't that the tools are legal. My point is that all of the information requested in the assignment is public information that ALL computers running webservers broadcast. Most browsers hide it, but the operating system of the host server is sent every time you browse a site, for example. All the other information requested in the assignment is similar public information. NONE of it requires gaining root access to the server in question, or even user level access.
            • My point is that all of the information requested in the assignment is public information that ALL computers running webservers broadcast. Most browsers hide it, but the operating system of the host server is sent every time you browse a site, for example.

              No, a string is sent each time. I can make the string be anything I like. You aren't a developer, are you?

          • Marxist Hacker 42 doesn't belive in property anyway, so it's not like he'll mind if you make use of the community goods stored in "his" house. Just don't damage anything on the way in - that window belongs to everyone!
      • I read the article and did not see where intrusion was part of the assignment. From what I read, it was a vulnerability assessment, which would include a few simple scans. Knowing what I do about some scans, they can create a DOS attack (inadvertently of course; you arent going to be too clandestine if you get noticed DOSing your victim).

        My point here is this; he did not assign any illegal activity from what I saw in the article. If someone could point me to where the actual assignment is written down, I m
    • by Sycraft-fu ( 314770 ) on Wednesday March 01, 2006 @04:55PM (#14830171)
      If I notice someone poking around at my systems in such a way that looks like it's looking for exploits, I'll contact the ISP responsable and ask them to chave a chat with that user. If they blow me off, I'm likely to blacklist the ISP entirely.

      Just like with your house, while it might not technically be illegal for you to sit on public land and case my house out like you are going to break in to it, you can bet I'll object if you try.
      • If I notice someone poking around at my systems in such a way that looks like it's looking for exploits, I'll contact the ISP responsable and ask them to chave a chat with that user. If they blow me off, I'm likely to blacklist the ISP entirely.

        Sadly, I find my firewall logs demonstrate far too many attempts to track down the ISP of each and every one.

        The vast majority of stuff just gets summarily dropped at the firewall. But you'd be amazed at how many dictionary attacks I see on the server that SSH reque

        • Yeah, one of the big things that all of these worms have done is to make it so you can scan any random machine on the internet without much fear of raising any alarms. My machines get portscanned multiple times a day from stupid unpatched windows users, attempting to track them down is pointless. It's not like the old days where a portscan made someone sit up and take notice.
        • Don't even log it. However if our IDS throw up an alert for a prodding with some effort, like a port scan and then messing with the various services, I'll go and fire off an e-mail to the ISP.
      • If they blow me off, I'm likely to blacklist the ISP entirely.

        Which, depending on the size and importance of your network, sets you up for a lawsuit. Assuming a free and unfettered internet, if you block an entire ISP from your network for what amounts to zero illegal activity, I would put it out there that a lawsuit would result in a court order to unblock said ISP.

        Now, it's true, this doesn't take in to account things like private vs public networks or the actual network that you handle, but punishi

        • What in the fuck would be the justification for said lawsuit?

          In the real world the analogy would be someone suing because you lock your doors...

          There is no right to talk to my network and I can bloody well block whoever I want anytime I want...

          Now, while the above is a bit harshly worded, I would really like to hear how you think there would be any basis for this at all.
        • Since when did allowing someone to access my web server become a right instead of a privilege that I specifically grant and can take away from anyone I choose at any time?

          If I want to block all addresses starting with 66.6.x.x because i don't like the number 666, I have every right to.

          That's like saying that just because a person hasn't done anything illegal you are required to let them walk though your house.

          Damn there are a lot of strange opinions stated as fact on /.

          Now, if it's a provider that I am usin
        • Assuming a free and unfettered internet, if you block an entire ISP from your network for what amounts to zero illegal activity, I would put it out there that a lawsuit would result in a court order to unblock said ISP.

          Why is that? There's no reciprocal agreement in force, and blocking an ISP because their users are portscanning you is perfectly legal. Maybe a bit rude, but oh well.

        • Which, depending on the size and importance of your network, sets you up for a lawsuit. Assuming a free and unfettered internet, if you block an entire ISP from your network for what amounts to zero illegal activity, I would put it out there that a lawsuit would result in a court order to unblock said ISP.

          Could you point out the case citation that holds that the First Amendment guarantee of Freedom of Assembly doesn't apply to people who operate big networks?
      • If I notice someone poking around at my systems in such a way that looks like it's looking for exploits, I'll contact the ISP responsable and ask them to chave a chat with that user. If they blow me off, I'm likely to blacklist the ISP entirely.

        Must be nice to have a lot of time on your hands. If I was to sit at work and read my FW logs all day and contact every ISP that probed my ports (That kind' sounds dirty) then I would probably be sitting in front of my PC 24x7.
    • Yes, but it is commonly against school policy, which in some universities is apparently more important than law.
      • Farting is not illegal, but if you do it at my dinner table, you're out of here! The university gets to make the rules about the university, including who gets to be a student. It doesn't matter how legal scanning a server is, you don't get to do it to their server AND be a student.

        The world is not a one way street and you are not its traffic light. If you cannot get along with institutions, then do not be surprised when institutions do not get along with you.
  • Sand box? (Score:2, Interesting)

    by WilyCoder ( 736280 )
    Why doesnt the professor construct a cheap server, with security out the wazoo? Then let the students attempt to bring down the sand box, rather than randomly probing servers which are probably used to run a business?
    • Re:Sand box? (Score:5, Interesting)

      by spun ( 1352 ) * <{loverevolutionary} {at} {yahoo.com}> on Wednesday March 01, 2006 @04:53PM (#14830158) Journal
      Hell, set up some kind of a honeynet with several types of servers (Windows, Mac, *nix) in various states of security. There's absolutely no reason to make these students scan actual production servers. By using custom built servers, the professor will have more control over the lesson, and will be able to tell what the students are actually doing.
      • Or better yet, break the student body into teams. One Team scans the other team secures. And maybe swap teams after a good go at it.

        You could grade based on what the student learned from both tasks.
    • Or even better, default installations of the more popular OS's and Web servers (you know who you are) so that these security professionals-to-be get a taste of the real world!

      Once they're handled this, then step it up to a fully patched and locked down version.

      Whatever we think he should have done, if this story is true his actions are unprofessional. The ban on University servers acknowledges that they could be compromised with some effect on services, so to recommend to test it on unknown thirdparties i

      • Or even better, default installations of the more popular OS's and Web servers (you know who you are) so that these security professionals-to-be get a taste of the real world!

        What that's missing, of course, are the users internal to the server/network that do everything they can to break the security of the network so they can run their favorite chat/game/interactive screen-saver.
    • Because university cuts down on budget so they use students as 'testers' on production servers :)
    • Because college professors are anti-corporate socialists. This guy wants free intelligence on American business technology that he can exploit to conduct mass sabotage during summer break. Duh. Don't you watch Fox? I do!
  • Then all of Slashdot can scan the university's computer for them!

    Dean of Corrections? good lord... =b

  • by lheal ( 86013 ) <lheal1999@yahoo . c om> on Wednesday March 01, 2006 @04:53PM (#14830143) Journal

    He's not supplying his own honeypot servers, and didn't get the University to allow use of campus servers either? I'd think he could sell it to the IT group as a hardening exercise, since students would have to do full disclosure to get credit anyway.

    Yup, just goes to show you that "smart" and "fool" aren't antonyms.

    • Smart and fool go together as often as not. Never have you met so many people that can know so much about so little, people with mountians of theoritical knowledge and no idea how to apply it at all. We have a lab in our building that is devoted to studying networking, and literally most of the people in there couldn't point out the switch in their room, people that have, with a stright face, used the phrase "statically configured dynamic address". It's not like these are art majors who just don't know anty
      • We have a lab in our building that is devoted to studying networking, and literally most of the people in there couldn't point out the switch in their room, people that have, with a stright face, used the phrase "statically configured dynamic address".

        What's the big deal? I've done statically configured DHCP - it's quite useful for configuring servers, for instance.

  • Five bucks says it's DJB [slashdot.org]:

    1. Impossible assignment? Check.
    2. Severe ramifications for students? Check.
    3. Callous disregard for everyone but the professor? Check.

    Yeah, my money's definitely on Dan.

  • If a police office needs to test out shooting a gun, he goes to a firing range. You wouldn't have him field test it.

    I feel for the prof, there isn't a good "firing range" on the internet. It would make for an interesting business. Setup a virtual network of servers with targets/exploits and have the students try and hit them.

  • by IntelliAdmin ( 941633 ) * on Wednesday March 01, 2006 @04:53PM (#14830157) Homepage
    They should have an assignment that each student rob, or break into a bank. Any attemps to break into school secured areas would result in immediate suspension.
  • by digitaldc ( 879047 ) * on Wednesday March 01, 2006 @04:54PM (#14830162)
    If you change it to anything other than an 'A' you automatically fail.
  • Legal solution #1: Contact a local business, explain you're a student learning about computer security, and ask for permission to hit their server.

    Legal Solution #2: find out the address of a home computer on a broadband connection and hit that, preferably a friend who knows you're doing it or yourself.

    Illegal Solution #1: Find out the address of a home computer on a broadband connection owned by the kind of luser who doesn't even know they have a log let alone how to check it.

    Illegal solution #2: Hi
  • by slickwillie ( 34689 ) on Wednesday March 01, 2006 @04:55PM (#14830173)
    AKA Warden?

    Is it a university or a prison?
  • ... School of Loose Screws ...

    Unless you're majoring as a PC Technician, you are likely to lose your marbles than your screws in the IT department. My marbles disappeared a long time ago.
  • a. Subtract marks for students that scan government servers. b. Bonus marks for the student that sets up his own web server and then scan it.
    • a. Subtract marks for students that scan government servers. b. Bonus marks for the student that sets up his own web server and then scan it.

      Bingo! Set up a dyndns.org entry to your own darned machine.

      Got knows my firewall logs indicate that half the friggin world has been scanning my machine. Fortunately, I have a firewall to log such things for me and keep the buggers out. =)
    • Bonus points for hacking into the NSA's system and getting the list of people that have been wiretapped in the last six months.
  • When did Snorting a remote network become illegal?
  • by Kphrak ( 230261 ) on Wednesday March 01, 2006 @04:59PM (#14830208) Homepage

    SANS seems to take it for granted that portscanning is illegal and immoral. However, I can't find anything on Google, and of course, IANAL. Is there any case precedent in the United States for the illegality of portscanning?

    I would hazard a guess that it is not illegal. It is the equivalent of looking at a house from a public vantage point to see if any windows are open. Although such an action is suspicious (the person may next try to get in through a window), it certainly isn't illegal, at least in the United States. SANS seems to be overreacting.

    • It is the equivalent of looking at a house from a public vantage point to see if any windows are open. Although such an action is suspicious (the person may next try to get in through a window), it certainly isn't illegal, at least in the United States. SANS seems to be overreacting.

      Actually, I think port-scanning is a wee bit closer to turning the doorknobs on all exterior doors (but not opening them and going through), pushing the windowsills, and knocking on the walls looking for hidden doors. Grey-

    • In at least some states, port scanning is illegal.

      In Texas, for example, any unauthorized connection or attempt to connect to a computer is illegal.
  • Get caught and you fail. Make a set of files on the server progressively more difficult to hack/open/retrieve.

    Easy file to hack = C, More difficult file to hack = B, Very difficult file plus leave a calling card = A
  • by Raul654 ( 453029 ) on Wednesday March 01, 2006 @05:06PM (#14830266) Homepage
    A similiar occurance happened at my university (University of Delaware). When I was an undergraduate, I took the 400 level security class. The teacher isn't a professor, but he's a staffer who happens to be amazingly knowledgable about all areas of unix and networking)

    The assignments were some of the most practical security assignments you could imagine. For one assignment, he gave us the location of a target machine, and told us to "break in and find something that would make people a lot of money". The trick was to scan it with Nmap across an obscene number of ports (he was running a compromised telnet server on some really high port - like 11,000), telnet in, and look through the files to find a fictitious email about a stock buyout. ("But make sure not to scan any machines besides the target machine!") In another one, we telnetted into a mail server he set up, and emailed the TA with a faked 'from' address. "If it looks fake, you lose points", so you had to make damn sure to get all the fields looking immaculate. Another assignment was he gave us an XOR encrypted message, and we had to crack it. (The trick was to look for large areas with spaces, which gave away the key)

    It was, all in all, a great class. Just one problem - the IT people *hated* the class. He told us he got a complaint during the Nmap assignment that it had been used to run 150,000 scans on campus machines. The computer science department adamantly defended the assignments, as important learning tools. It's an important issue of academic freedom, and (last I had heard) the CS department's concerns trumped IT's complaint.
    • I was in the same class :)

      The machines he had asked us to scan were on EE/CIS research network. If I remember correctly, he explicitly asked us not to scan any other machines outside of the research network.
    • This sort of thing is precisely why my university has a dedicated Cyber-Security lab in our shiny new Computer Science Building that's its own network that's completely isolated from the Internet and the rest of campus.

      Too bad we don't have faculty around here clever enough to create an assignment like this one.
      • I don't know if they still do it, but in a graduate course at Texas A&M a few years ago, the class would divide into two halves.

        One half was assigned the task of setting up a computer so that it could not be penetrated. The other half had the job of penetrating that computer.

        And that was all done on a network isolated from the rest of the Internet.

  •     I could see some profs doing it out of stupidity, but I could see Dan Bernstein doing it entirely out of arrogance...
  • They had a ninja Chnin exam with extremley hard and actually unanswerable questions. The point of the exam was to actually force students to cheat in order to fail the ones they could catch.

    At the end of the exam anyone left (who stayed voluntarily after the 10th question) was passed regardless of whether they had written down any answers or not.

    As long as they hadn't got caught cheating so the expert cheaters were passed.

    After all... The goal of the Ninja is to be able to aquire information undetected.

    Perh
  • From the inside (Score:2, Informative)

    by Anonymous Coward
    I'm in the class which recieved this assignment.

    I am both an undergraduate CS major and a system administrator on campus. I work with the top-level sysadmins that complained about the assignment, and who likely reported it to the ISC. They're good people that know their stuff, but I think they acted poorly by publicising it. It was a simple assignment which meant no harm. The class has never been taught here before. The CS department's reading of the university AUP and Ethics Policy differed widely from the
  • You can't blame the professor for this. It's not like he or she knows how the real world works. After all anyone with any sense well almost any would say this is a bad idea. The Univeristy had sense enough to say no to their own network being scanned then again they're dumb enough to allow it continue.

    So at least the student will have a co-defendant if things go bad.
  • I still say ethics should be a required course in IT.
  • This is th kind of stuff that makes my blood burn, and I start re-reading 1984 again. But as with most big mess-ups in life, this requires the combined stupidity of multiple people.

    First: This guy "Handler" from SANS should know full well that port scanning is not a crime. But he goes out of his way to make it look like one.

    It's high time that the principles of academic freedom stop providing shields for felonious conduct or eventually the people and the government will take it away all together.

    Ex

  • I always thought that if I was a (tenured) professor would be a "Cheating 101" class. The objectives would be to teach the students how to cheat effectively. The class would have exams that were on arbitrary and difficult subjects. The students would be forced to cheat to pass them. The exams would be graded not only on how well they did on the exam itself, but how well they cheated and how well they avoided detection. (Even with me knowing they're cheating.)

    The true objective wouldn't be to increase th
  • stuff like this should be done on an isolated network... ie. for those with a lack of clue, not connected to anything else at all...

    what he should have done was divided the students into small teams (by drawing lots), each responsible for setting up a set of servers on this isolated network to do specific tasks and then set the teams to securing their own servers while trying to penetrate the servers of the other teams.

    Award points for how many other servers you cracked, minus how many times your own got

  • First of all, SANS is considered the "entry level" security group. They overhype security issues on a regular basis. They remind me of Steve Gibson of GRC, another self proclaimed "security expert". They rehash old issues all the time. My favorite quote about them is actually from Dave Aitel though.

    "I think it's funny they call themselves handlers instead of "people without computer science degrees or any knowledge of computer security trying desperately to learn how to read shellcode and informing a le
  • by StacyWebb ( 780561 ) on Wednesday March 01, 2006 @05:40PM (#14830576) Homepage
    Would be to have seperated the class into two teams with two networks and then have them secure their networks. Then launch attacks angainst one another. This way they see both the way attacks are made along with how to protect their network from them.
    • Interesting idea but I think that you'd run the risk of the geekiest students in the class taking over each team and the other kids not participating. Obviously this assignment was designed so that each student could prove they knew a little bit about portscanning and such. I think if you modified your approach to require like rounds where one student from each team launched an attack and another student had to respond it might guarantee more participation.
  • If anything, they should require that the students restrict themselves only to university servers. That way they aren't liable for any third party complaints. But that would undoubtably reveal numerous holes in the university's servers, which would be embarrassing and time consuming for the university's IT department. And we all know that university IT departments spend more time avoiding work then doing it.

    What I think happened: the university's IT director found out about it, realized how bad it could mak
  • I dont think that running a port scan is illegal by any standards or any computer/server on the internet.Its not that they are breaking into the computers but just seeeing whats ports are open or what services are running.
    Trying to exploit any of the found vulnerabilities is a different story altogether.

    Of course 'the prof' could/should have done it in a secured environment within the uni but its ok if he didnt.Mr Handler is obviously overreacting and giving it more attention than it deserves.
  • Are there *any* security tools that actually are in the public domain? Last time I checked, stuff like nmap, hping2 and the like was all copyrighted (and licensed under free licenses, of course, but decidedly not in the public domain).
  • I would think that if they don't operate their own honeypot for this purpose, their accreditation should be cancelled. who is this scurvy outfit, anyway?
  • "using tools available in the public domain"

    That's not going to get the students very far. Are there any public domain security tools?

  • by Fefe ( 6964 ) on Wednesday March 01, 2006 @07:18PM (#14831347) Homepage
    How would you teach security if not by trying out the attack tools?

    I don't see what the hoopla is about here. He asked them to do a scan, not open them up and format the hard disk or download files on it.

    Maybe his next assignment is the ethics. Maybe it's just a test to see if any of his students find this ethically wrong and refuse to do it. Maybe he would have given them extra points.

    I run several servers on the Internet, and I get port scanned all the time. Even more so at home, where my dynamic DSL IP is hit by worms many times each day.

    Dear American proto-hackers, you are welcome to come to Europe and learn the tools of your trade here. We meet every year between Christmas and New Year at the CCC Congress [www.ccc.de], and we have a LAN there, so people can get acquainted with the tools.
  • by sr180 ( 700526 ) on Wednesday March 01, 2006 @07:46PM (#14831528) Journal
    When I did my engineering degree, with the computer science subjects we were encouraged to explore the network and understand its topology. We even had assignments where we HAD to do this and report back with what we knew about what was where.

    Its a bit like open source software.. The information is public, what problems are there by students looking at it. As long as the dont actually compromise anything, they could be helping it security.

    In this case, I think the IT Staff are being idiots.

  • by Decius6i5 ( 650884 ) on Wednesday March 01, 2006 @08:26PM (#14831734) Homepage
    The hyperbole displayed in this post is exactly the sort of behavior that computer security professionals should avoid engaging in. People who take undue offence at obviously innocent acts and run around making completely unfounded accusations of mal-intent and criminal liability are the sort of network operators who can make a workplace a living hell for people who are trying to get things done. Its a power trip and in a serious corporate environment it is totally inappropriate. Security professionals should be focused on real threats to business continuity rather then getting their rocks off by hunting down port scanners. It should be painfully obvious that nothing about this assignment is either illegal or immoral. The students are asked to perform a vulnerability assessment. They are asked to collect information; they are not asked to act on that information and break in. If you want to understand how security gets done it makes sense to take a look at someone who is doing it and see what they are doing. Its the kind of activity that might raise suspicion in the event that the intent was to use the information collected in the subsiquent commission of a crime, but that obviously isn't the intent here, so there is no REAL problem. If your Internet connected computer is so weak from a security standpoint that this kind of snooping is enough to impact your operation then I suggest you stop reading this and go check on it because you are probably offline right now. Obviously one needs to be careful in performing this sort of audit that one doesn't use aggressive tools that can impact the operation of a host, and students do need to understand the difference between collecting information and obtaining unauthorized access. It might make sense for this lesson to be bundled with a serious conversation about the ethical issues. Obviously, it would be preferable to ask students to look at a honeypot host rather then examining someone's live network, if for no other reason then this kind of probing is suspicious and, albeit EXTRMELY unlikely, could cause administrators to waste time investigating. However, to suggest that performing this kind of information collection against a remote host is a crime regardless of the intent of the exercise is, frankly, "just plain stupid and ignorant." Sans security ought to relax. The likelyhood that any of the targets of this exercise so much as noticed it is infinitesimal.
  • by digital photo ( 635872 ) on Wednesday March 01, 2006 @08:51PM (#14831854) Homepage Journal
    This is just amazing. By amazing, I mean to say an affront to ethical teaching. It promotes the wrong idea about proper conduct on the internet. It will spawn tons of alarms on different networks. Companies who get scanned will lose countless dollars and hours figuring what new attack was underway.

    I strongly believe that the professor should be fired. The students should be told to NOT go forward with the assignment. And the name of the professor and university should be released so that such unethical or thoughtless behaviour by the professor and double-standard thinking by the school can be revealed and acted upon.

    I can't believe the school would come back and say that the professor would not be reprimanded, that the assignment can go forward, but not to scan their own computer networks. This implies that the school admins know that it is a security issue and questionable behaviour, but is allowing it to go forward on the internet. Complete and utter retarded and *ss backwards thinking and reasoning.

    For some companies I've worked at, a scan is reason enough to ban your IP, if not your IP address block. Performing a scan is grounds for dismissal, if not initiation of criminal charges of misuse of the business systems. This was the case at my old university. Misuse of school systems resulted in dismissal and/or legal proceedings.

    The correct and responsible means of testing would have been to setup a training network. Obviously, there is a complete lack of responsible planning on the part of the professor and the school. Or perhaps a lack of understanding of what they are setting up their students and themselves up for.

    The student who brought this up REALLY needs to bring this to the attention of his/her fellow students and prevent them from getting into trouble with businesses and the authorities.

    Just because your superiors tell you to do it, doesn't mean it's okay to do it.
  • Our assignment was very similar to this, except it was to discover the number of nodes, the routing, etc. of the network in one particular building on the campus (housing our classroom) - no port scanning, no attempts to compromise anything, but simply to "map out" the building's network.

    One telltale phrase that hit a nerve with me was something that I remember nearly verbatim: "using tools available in the public domain." The examples he gave were essentially tools like traceroute, ping, etc.

    Nobody in the class thought there was anything questionable about this, let alone illegal.

You can measure a programmer's perspective by noting his attitude on the continuing viability of FORTRAN. -- Alan Perlis

Working...