We received an email today from a concerned colleague at one of the state colleges in the US. We promised the colleague that we would not reveal name or school so I won't. It is tempting, but I won't. This is an actual assignment. I am not making this up, this IS the real thing.
So here is the story of the assignment from Professor Packetslinger. In a Computer Security class in the Winter of 2006 (which by the way is next year if I remember correctly) the students have been given an assignment. The assignment is worth 15% of the final grade for the class. (So refusing to do the assignment very well could drop a student from an A to a B or worse in the blink of an eye).
Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.
You got it. This is verbatim. Professor Packetslinger wants the students to conduct illegal activity involving port scanning and vulnerability scanning. He wants them to write an evaluation of what they find: what ports are open and what service could be running on them, Host names and IP addresses, OS, version, last update, patch status, what shares are available, what kind of network traffic and what vulnerabilities they see.
Hmm – seems to me that Professor Packetslinger wants the students to do all of the background work for him.
Ok so now what must the students submit in writing to Professor Packetslinger?
Let's see what he wants:
What the student must submit
The note to the students:
In conducting this work, you should imagine yourself to be a security contracted by the owner of the computer system(s) to perform a security evaluation.
(This tells me that Professor Packetslinger is well aware of the laws and the fact that doing this without express permission and authorization IS against the law in most countries and municipalities. The same laws that the students are being asked to violate).
The student must provide a written report which has the following sections: Executive summary, description of tools and techniques used, dates and times of investigations (AKA break ins), examples of data collected, evaluation data, overall evaluation of the system(s) including vulnerabilities.
Can you believe it? Amazing, simply amazing. One important thing Professor Packetslinger failed to request:
Dates of student's incarceration so that they can be excused from class and not counted absent.
Ok, so the concerned colleague who contacted us about Professor Packetslinger and his assignment went on to explain:
"We've barked this one up our own tree of management. Word came down this morning that no direct action will be taken against the professor, but if we catch any students doing these scans against our computers we will not be exempting them from our existing procedure. Specifically, disabling their student account and referring them to the Student Dean of Corrections."
In other words, we won't discipline Professor Packetslinger, we won't stop the assignment from going forward. As long as the students don't scan our computers, it is ok. If they scan our computers they will be reprimanded and lose their privileges on campus.
This is incredible; this University is encouraging illegal activity. They are encouraging students to do something that is, in the words of fellow Handler Adrien:
Illegal, unethical, immoral.
How about just plain stupid and ignorant.
And handler Swa had this to say:
Doing it is illegal in many parts of the world. But using authority to have somebody else do something illegal is in some places on this world even worse than the act itself and any decent prosecutor should chop the prof in fine pieces over this.
Actually inciting somebody to do something illegal (even if the act isn't performed) might be a case on its own. Now if he fails a student over this, they might have no more reason not to put down an official complaint for being asked to perform illegal acts.
First thing to do: recall the assignment; tell the students they should not even consider it. Next (public) apologies from the professor are the least. But at the _very_ least don't let him near kids anymore, as an educator he's a miserable failure.
This from our resident comedian Tom:
Spamming for Fun and Profit.
It is hard for me as a security professional to understand the logic of Professor Packetslinger. I have relatives in the fair city in which this prestigious state university resides. I am going to ask them to keep an eye on the local paper and shoot me off articles about the arrests. And I definitely will not recommend this school to my friends and relatives. My sympathy goes out to the students that will be forced into completing this assignment. My sympathy to their families, especially those who are caught and charged with computer crimes. I just hope that the dear professor gets to experience the full impact of his illegal, unethical and immoral acts and he too gets to spend some time behind bars.
How about the school?
As fellow Handler Lorna put it
Wonder how the school would feel about a law suit launched against THEM because of this assignment!
The school is allowing this assignment to go forward. They are as guilty of this crime as the professor and the students. They too need to pay the price and a lawsuit against them would be a small price to pay.