Re: consequences for student hacking

[Bob Mahoney <bobmah () MIT EDU>]

I don't know the current policy, but I think MIT had a successful
approach to this in years past:

Only the security team was allowed to scan on the main campus.
Departments who fully managed their own networks (CSAIL, Media Lab,
etc) were allowed to scan their own address space.  (The machines had
intentionally-reassuring hostnames, like "SECURITY-SCAN-1", for the
benefit of the log reading audience)

Random machines scanning the network were assumed to be compromised,
and taken off the net.  The resulting conversation with the owner
usually had three possible outcomes:

1) Machine is compromised  => cleanup and return to service

2) User is scanning intentionally, for "no good reason".  "Vigilante
bandwidth policing" in the dorms was a common Bad Reason...   A
stern, in-person talking to, and a serious ethics refresh were the
usual first-offense result.  (student network privacy was taken
seriously, and the lecture was not fun for the offender)  Subsequent
foolishness was rare, and dealt with more harshly.

3) Very occasionally, the student was scanning or sniffing
intentionally, but for an actual good reason we would accept.  This
was commonly a CS student trying to debug some project.  We would ask
probing questions, do an ethics refresh, set some limits, and send
them on their way.

The reality was that actual student hacking events were quite rare,
and usually did fall into the Vigilantism model.

The reasoning behind allowing "good reasons" was simple: We
(security) were tasked to support research and education, usually by
preventing or interrupting bad things.  But sometimes, we supported
the mission by not being an obstruction.

Guess at event distribution: 80% were Case 1, 15% Case 2, 5% Case 3

Just a random historical data point.  (and again, I do not know the
current policy regarding this issue)

-Bob

On Feb 19, 2008, at 4:38 PM, Bob Henry wrote:

> Boise State has a policy restricting the use of network scanners, host
> scanners, sniffers, etc. to those approved by the Network
> Engineer.  The
> consequences for violating the policy are described with these words:
>
> Depending on the seriousness of an offense, violation of this policy
> can result in penalties ranging from reprimand, to loss of use, to
> referral to University authorities for disciplinary action, to
> criminal
> prosecution.
>
> That's the theory.  I'm looking for a reality check.  What do your
> institutions do when you catch a student sniffing the wired or
> wireless
> network for userID's and passwords?
>
> Thanks,