Educause Security Discussion mailing list archives
Re: SANS Post about EDU vulnerability scanning assignment
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Wed, 1 Mar 2006 22:43:39 -0800
Gary Flynn wrote:
This was recently posted on SANS site: http://www.incidents.org/
[snip]
The "TASK" Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain. You got it. This is verbatim. Professor Packetslinger wants the students to conduct illegal activity involving port scanning and vulnerability scanning.
[snip]
This is incredible; this University is encouraging illegal activity. They are encouraging students to do something that is, in the words of fellow Handler Adrien: "Illegal, unethical, immoral. How about just plain stupid and ignorant." And handler Swa had this to say: "Doing it is illegal in many parts of the world. But using authority to have somebody else do something illegal is in some places on this world even worse than the act itself and any decent prosecutor should chop the prof in fine pieces over this. Actually inciting somebody to do something illegal (even if the act isn't performed) might be a case on its own. Now if he fails a student over this, they might have no more reason not to put down an official complaint for being asked to perform illegal acts."
[snip]

I admit to having been out of the loop when it comes to the legal side of these things, but the last I remember (around 2000-01) there had been at least one or two federal court decisions that found port scanning, without other substantive damage, and without intent to defraud, not to violate any US federal code. My understanding is that the USA PATRIOT Act did NOT substantially change the port scanning aspect of cyber-law, although it did lower damage thresholds (which could be used against a port scanner). My last check of California law showed it to be pretty ambiguous on the subject--at best.

Have there been recent decisions or laws that unambiguously indicate that port scanning--without other damage or intent to defraud--is inherently illegal? I am particularly interested in the US, but other countries' laws would be of some interest as well.

Mind you, I agree that this is a really bad idea, but I'd like to understand the legal issues a bit more.

thanks,
michael