Re: SANS Post about EDU vulnerability scanning assignment

[Alec Yasinsac <yasinsac () CS FSU EDU>]

It seems to me it is the instructor's responsibility to provide the
resource for student assignments. On the one hand, it would be nice to
confine scanning assignments to controlled labs. On the other hand, if it
is essential >>to meet the learning objective<< to have a more
heterogenous network than is available within the instructor/department's sphere of
control, seems to me the instructor should attain permission for a well
defined target domain or set of domains. To leave that up to students seems like an
unnecessary risk to the instructor/department/school and a bit of a disservice to the student.

Just my 2 cents,
alec


On Thu, 2 Mar 2006,
Randy Marchany wrote:

> The only problem with this assignment is the failure to explicit require
> permission from the target of the scan. I give the same assignment but I
> EXPLICITLY REQUIRE they produce permission (email, paper form) from the
> target before they scan the systems. I also give them permission to scan
> machines in my lab. I also mention they can scan their own machines. Failure
> to obtain permission means no grade and possible arrest. If the prof makes
> these conditions explicit, I don't see a problem with the assignment. In fact,
> if you read what he requires them to include in their report, it's basically
> what you would get from an IT auditing firm. It's not clear from the original
> post where the prof required permission ahead of time. It has been my
> experience to run across profs who forget that critical requirement :-).
>
> -Randy