Educause Security Discussion mailing list archives

Re: SANS Post about EDU vulnerability scanning assignment


From: John Bambenek <bambenek () CONTROL CSL UIUC EDU>
Date: Thu, 2 Mar 2006 21:50:33 -0600

On Thu, 2 Mar 2006, Randy Marchany wrote:

The only problem with this assignment is the failure to explicitly require permission from the target of the scan. I give the same assignment but I EXPLICITLY REQUIRE they produce permission (email, paper form) from the target before they scan the systems. I also give them permission to scan machines in my lab. I also mention they can scan their own machines. Failure to obtain permission means no grade and possible arrest. If the prof makes these conditions explicit, I don't see a problem with the assignment. In fact, if you read what he requires them to include in their report, it's basically what you would get from an IT auditing firm. It's not clear from the original post where the prof required permission ahead of time. It has been my experience to run across profs who forget that critical requirement :-).

As someone who has seen the assignment and is a part of SANS/ISC, I can say he did not require or even mention that permission should be gotten ahead of time. When the University got wind of it they explicitly said the students could not scan ANY University system but they couldn't do anything about the assignment, so "what you do on your own time...".

In short, no one at the ISC is opposed to these assignments in concept, we ARE opposed to running these kinds of assignments without getting advance permission.

j
