February 28th, 2006, 10:25 PM
Just too funny!!!
Found this posted on the internet storm center, thought the gang here would get a chuckle out of it too.
Just makes me shake my head.
We received an email today from a concerned colleague at one of the state colleges in the US. We promised the colleague that we would not reveal name or school so I won't. It is tempting, but I won't. This is an actual assignment. I am not making this up, this IS the real thing.
So here is the story of the assignment from Professor Packetslinger. In a Computer Security class in the Winter of 2006 (which by the way is next year if I remember correctly) the students have been given an assignment. The assignment is worth 15% of the final grade for the class. (So refusing to do the assignment very well could drop a student from an A to a B or worse in the blink of an eye).
Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.
You got it. This is verbatim. Professor Packetslinger wants the students to conduct illegal activity involving port scanning and vulnerability scanning. He wants them to write an evaluation of what they find: what ports are open and what service could be running on them, Host names and IP addresses, OS, version, last update, patch status, what shares are available, what kind of network traffic and what vulnerabilities they see.
Hmm – seems to me that Professor Packetslinger wants the students to do all of the background work for him.
Ok so now what must the students submit in writing to Professor Packetslinger?
Let's see what he wants:
What the student must submit
The note to the students:
In conducting this work, you should imagine yourself to be a security contracted by the owner of the computer system(s) to perform a security evaluation.
(This tells me that Professor Packetslinger is well aware of the laws and the fact that doing this without express permission and authorization IS against the law in most countries and municipalities. The same laws that the students are being asked to violate).
The student must provide a written report which has the following sections: Executive summary, description of tools and techniques used, dates and times of investigations (AKA break ins), examples of data collected, evaluation data, overall evaluation of the system(s) including vulnerabilities.
Can you believe it? Amazing, simply amazing. One important thing Professor Packetslinger failed to request:
Dates of student's incarceration so that they can be excused from class and not counted absent.
Ok, so the concerned colleague who contacted us about Professor Packetslinger and his assignment went on to explain:
"We've barked this one up our own tree of management. Word came down this morning that no direct action will be taken against the professor, but if we catch any students doing these scans against our computers we will not be exempting them from our existing procedure. Specifically, disabling their student account and referring them to the Student Dean of Corrections."
In other words, we won't discipline Professor Packetslinger, we won't stop the assignment from going forward. As long as the students don't scan our computers, it is ok. If they scan our computers they will be reprimanded and lose their privileges on campus.
This is incredible; this University is encouraging illegal activity. They are encouraging students to do something that is, in the words of fellow Handler Adrien:
Illegal, unethical, immoral.
How about just plain stupid and ignorant.
And handler Swa had this to say:
Doing it is illegal in many parts of the world. But using authority to have somebody else do something illegal is in some places on this world even worse than the act itself and any decent prosecutor should chop the prof in fine pieces over this.
Actually inciting somebody to do something illegal (even if the act isn't performed) might be a case on its own. Now if he fails a student over this, they might have no more reason not to put down an official complaint for being asked to perform illegal acts.
First thing to do: recall the assignment; tell the students they should not even consider it. Next (public) apologies from the professor are the least. But at the _very_ least don't let him near kids anymore, as an educator he's a miserable failure.
This from our resident comedian Tom:
Spamming for Fun and Profit.
It is hard for me as a security professional to understand the logic of Professor Packetslinger. I have relatives in the fair city in which this prestigious state university resides. I am going to ask them to keep an eye on the local paper and shoot me off articles about the arrests. And I definitely will not recommend this school to my friends and relatives. My sympathy goes out to the students that will be forced into completing this assignment. My sympathy to their families, especially those who are caught and charged with computer crimes. I just hope that the dear professor gets to experience the full impact of his illegal, unethical and immoral acts and he too gets to spend some time behind bars.
How about the school?
As fellow Handler Lorna put it
Wonder how the school would feel about a law suit launched against THEM because of this assignment!
The school is allowing this assignment to go forward. They are as guilty of this crime as the professor and the students. They too need to pay the price and a lawsuit against them would be a small price to pay.
February 28th, 2006, 10:31 PM
Sounds like the easiest assignment ever!
"Yes sir, I managed to scan the Bank of England, find a nice service running on a conveniently open port, break in and make a new bank account in my name and gave myself £1000000. -....... Now prove I didn't!....O yeah, you can't...."
February 28th, 2006, 10:31 PM
Yeah, I just read the ISC diary. I passed that to my former boss. He'll get a chuckle out of that, seeing as how we used to fight the C-suite mentality that faculty can do no wrong. The big question is: Why did the powers that be in the university not know that the activity was illegal, and could possibly be a federal offense if the students went outside the campus or actually got into a live business?
I'd be for getting the professor turned in to the feds and make a poster boy of him.
February 28th, 2006, 10:37 PM
This sorta reminds me of something I saw on Penn and Teller's Bullshit. The episode was about bullshit cures including magnet therapy, that one where you put metals into your blood, and something where they massage your feet claiming it redirects the energy in your body curing you of what ails ya. Well they followed the quack foot doc around for a bit and on one of his appointments the patient, dumbass, was signing up to take lessons from him. Well while on camera he told this lady that it was $1500 US dollars down then $100 a month for 15 months, and that WHILE SHE WAS STILL IN CLASS should go out in her town and PRACTICE ON PEOPLE. . . . retards all of them.
"He who shall introduce into public affairs the principles of primitive Christianity will change the face of the world."
February 28th, 2006, 10:46 PM
WTF!! That prof is either a nut, or he is being very clever about this. Could he be looking for morality in his students? Could it be a case of he wants them to either
A) Refuse to do it and be prepared to lose the grade, or...
B) Team up with a buddy and pen test each other, or...
C) Contract themselves out to do a pen test on a live system, without any complete training.
Personally I think he hasn't thought this out very well, but he might have some clue of what he wants.
If everything looks perfect, then there is something you don't know
February 28th, 2006, 10:48 PM
I can't believe that. Even the higher officials in the school know that the assignment is illegal, and yet they are allowing it to be continued? What is wrong with them? I feel really sorry for the guys who have to actually do the assignment - although surely they could just scan each other on the LAN (with their permission), pass them off as random IP addresses, and then just claim that the reason the professor cannot reproduce the results (if he tried) is because they (coincidentally) had dynamic IPs?
That is very sad. If that guy was in my school, he'd be in the kinks by now.
February 28th, 2006, 10:56 PM
Somehow chaps...I just don't think it's true...
March 1st, 2006, 12:17 AM
C'mon, bud, this is a well-respected university in the US heartland. Don't think it would be possible for them to hire a bonehead in CS for IT Security?
I've been in education way too long to not believe it.
March 1st, 2006, 12:35 AM
This Prof. is a top notch guy. Great work...excellent work...hats off to the university...where did they find this criminal/teacher. I wish I was going to that school...for his next assignment...
Now with all the data you students collected on the last assignment and the few of you who have not been removed from the class to attend your criminal trial...I want you to select one of the insecure networks we discovered in the last assignment and find out how to break into the network...steal some critical and sensitive information...afterwards I want you to bring it to me and based on its value I will award bonus points to those who get something of actual monetary value. We will then distribute the profits to all remaining classmates...and I (the professor) will take a 25% cut. This assignment is worth 5% of your grade and can earn you up to 1 semester of free tuition. Get to work!
It's not a war on drugs it's a war against personal freedoms!
March 1st, 2006, 12:37 AM
BTW, check the updates. There are two. Sounds like this has hit a nerve.