Educause Security Discussion mailing list archives

SANS Post about EDU vulnerability scanning assignment


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 28 Feb 2006 15:03:25 -0500

This was recently posted on SANS site:
http://www.incidents.org/

An Assignment From Professor Packetslinger of the School of Loose Screws
(NEW)
Published: 2006-02-28,
Last Updated: 2006-02-28 19:38:19 UTC by Deborah Hale (Version: 1)

We received an email today from a concerned colleague at one of the
wonderful state colleges in the US. We promised the colleague that we
would not reveal name or school so I won't. It is tempting, but I won't.
This is an actual assignment. I am not making this up, this IS the
real thing.

So here is the story of the assignment from Professor Packetslinger.  In
a Computer Security class in the Winter of 2006 (which by the way is
next year if I remember correctly) the students have been given an
assignment. The assignment is worth 15% of the final grade for the
class. (So refusing to do the assignment very well could drop a student
from an A to a B or worse in the blink of an eye).

The "TASK"

Student is to perform a remote security evaluation of one or more
computer systems. The evaluation should be conducted over the Internet,
using tools available in the public domain.

You got it. This is verbatim.  Professor Packetslinger wants the
students to conduct illegal activity involving port scanning and
vulnerability scanning. He wants them to write an evaluation of what
they find: what ports are open and what service could be running on
them, host names and IP addresses, OS, version, last update, patch
status, what shares are available, what kind of network traffic and
what vulnerabilities they see.

Hmm – seems to me that Professor Packetslinger wants the students to do
all of the background work for him.

Ok so now what must the students submit in writing to Professor
Packetslinger?

Let's see what he wants:

 "What the student must submit"

 The note to the students:

In conducting this work, you should imagine yourself to be a security
contracted by the owner of the computer system(s) to perform a security
evaluation. (This tells me that Professor Packetslinger is well aware of
the laws and the fact that doing this without express permission and
authorization IS against the law in most countries and municipalities.
The same laws that the students are being asked to violate).

The student must provide a written report which has the following
sections: Executive summary, description of tools and techniques used,
dates and times of investigations (AKA break ins), examples of data
collected, evaluation data, overall evaluation of the system(s)
including vulnerabilities.

Can you believe it?  Amazing, simply amazing.  One important thing
Professor Packetslinger failed to request:

Dates of student's incarceration so that they can be excused from class
and not counted absent.

Ok, so the concerned colleague who contacted us about Professor
Packetslinger and his assignment went on to explain:
"We've barked this one up our own tree of management. Word came down
this morning that no direct action will be taken against the professor,
but if we catch any students doing these scans against our computers we
will not be exempting them from our existing procedure. Specifically,
disabling their student account and referring them to the Student Dean
of Corrections."
In other words, we won't discipline Professor Packetslinger, we won't
stop the assignment from going forward.  As long as the students don't
scan our computers, it is ok. If they scan our computers they will be
reprimanded and lose their privileges on campus.

This is incredible; this University is encouraging illegal activity.
They are encouraging students to do something that is, in the words of
fellow Handler Adrien:
"Illegal, unethical, immoral.  How about just plain stupid and ignorant."

And handler Swa had this to say:

"Doing it is illegal in many parts of the world. But using authority to
have somebody else do something illegal is in some places on this world
even worse than the act itself and any decent prosecutor should chop the
prof in fine pieces over this.

Actually inciting somebody to do something illegal (even if the act
isn't performed) might be a case on its own. Now if he fails a student
over this, they might have no more reason not to put down an official
complaint for being asked to perform illegal acts.

First thing to do: recall the assignment; tell the students they should
not even consider it.  Next (public) apologies from the professor are
the least. But at the _very_ least don't let him near kids anymore, as
an educator he's a miserable failure."

This from our resident comedian Tom:

"Next Week's Assignment: Spamming for Fun and Profit"

It is hard for me as a security professional to understand the logic of
Professor Packetslinger.  I have relatives in the fair city in which
this prestigious state university resides. I am going to ask them to
keep an eye on the local paper and shoot me off articles about the
arrests. And I definitely will not recommend this school to my friends
and relatives. My sympathy goes out to the students that will be forced
into completing this assignment. My
sympathy to their families, especially those who are caught and charged
with computer crimes.  I just hope that the dear professor gets to
experience the full impact of his illegal, unethical and immoral acts
and he too gets to spend some time behind bars.

How about the school?

As fellow Handler Lorna put it:
"wonder how the school would feel about a law suit launched against THEM
because of this assignment!"

The school is allowing this assignment to go forward. They are as guilty
of this crime as the professor and the students. They too need to pay
the price and a lawsuit against them would be a small price to pay.
