
Thread: Just to funny!!!

  1. #11
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Oh come on... I like ISC... but they are making a leap here...

    The prof doesn't ask for any information about vulnerabilities, (at least not from what is quoted), he asks for information about a publicly available target with publicly available tools....

    So, what are we looking at? Let's start by NMaping the target... Not illegal in the USA. Then let's grab some banners.... Not illegal in the USA... Let's pull a whole web site and look through it's source... Not illegal in the USA... There's a whole lot of things that _can_ be done to provide the prof with the information he's looking for that is not illegal in the USA.

    Then, what does he ask for? He asks for a properly documented "penetration test", (though what he asks for isn't really a pen test). Hmm... Seems to me like he's trying to teach them how to write a report... Not much more...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #12
    We didn't see the entire document, so it is hard to judge specifics. However, the phrase "imagine yourself" to be a security contractor, and the section about reporting "dates and times of investigations (AKA break ins), examples of data collected, evaluation data" are of concern.

    OK, student A says, "Cool, I'm now a 1337 hax0r, and I'll see what the local doctor's office has for security." He gets his imaginary permission and goes at it. Collects private data from a system with a vulnerability.

    Can you say, "Joliet Jake?"

  3. #13
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    dates and times of investigations (AKA break ins)
    It's the ISC handler that added the "AKA break ins" part of that... I'm not sure it was justified...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #14
    Interesting take, TS. I'm checking on it. I'll let you all know if I find out if the handler did add that parenthetical comment, or if it was part of the original assignment document.
  5. #15
    Senior Member
    Join Date
    Mar 2004
    Posts
    113
    I think Tiger Shark is right. On the other hand this website might be useful.

    www.hulla-balloo.com/hack, what I am trying to say is that completing the levels on this website will eventually complete the assignment.

    Hope it helps.

    MRG.

  6. #16
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Apparently their English assignment was writing 419 emails.

  7. #17
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    What is more interesting to note than anything else:
    (From: http://isc.incidents.org/diary.php?date=2006-02-28 )

    Yes this professor could have set up its own system for the students to use, yes they could have been instructed that they were to get permission from the owners of the systems first, yes they could have done any number of things to make this a valuable, worthwhile learning experience. That was not done unfortunately. ... We also have not and will not publish the entire document.
    While I agree with the sentiments of Tiger Shark, I think something is missing here. Something we may never know, and something which is key to this entire discussion:

    Exactly what parameters, what restrictions, and what applicable laws and regulations were conveyed to the students?

    If there were none, at the very least the actions of the Professor were irresponsible, possibly criminal, but definitely hold the institution to possible future litigation.

    Bear in mind I have a great respect for the Handlers at SANS.org.

    I also respect their reasons for not disclosing the institution involved ( at this point. )

    However, I do not agree, since they have disclosed this much, with them not disclosing the full document, just editing out any references to the originator and originating institution.

    The litigation mentioned above can come from anyone who is attacked in any way during the duration of this assignment, and suffered any type of loss.
    The deluge of subpoenas seeking information in damage suits to the institution, not to mention SANS.org, could be extremely costly. I am not saying SANS.org did wrong by making it public, quite the contrary, just that they should have made everything public ( within reason. )

    The issue for SANS.org is very complex.

    So, how do they fit under the First Amendment http://www.law.cornell.edu/constitut...lofrights.html ?

    Could their lack of specifics preclude them from the umbrella of protection of the Whistle Blower Statutes?
    "And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  8. #18
    BTW, Tiger, I got confirmation this AM that the parenthetical phrase was the handlers words. Thanks for pointing me in that direction. They have corrected the online text. Check it out.

    Still, I have to say that the professor is asking for trouble and placing the university in an untenable situation with the assignment. Students hitting well-protected systems with aggressive sys-admins and solid IDS/IPS and incident response will find the authorities knocking on their doors and subsequently the attorneys will be at the University's doors.

  9. #19
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    LOL...

    I'm not suggesting that stupidity might not prevail... after all, we are talking college kids here.... But unless they were to go any further than grabbing publicly available information that is there for the taking then they haven't done anything illegal.... In fact, they haven't even done anything immoral either IMO... and let's be honest if a kid does the basic fingerprinting of a server out there they won't put any more work into it.... Hell, it's only a college assignment... They will do the minimum required to get a passing grade...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #20
    Senior Member
    Join Date
    Mar 2004
    Posts
    113
    Hey,

    I think I have some updates on this. A friend of mine told me that the professor has given some IPs to the students to perform the scan. So the assignment should not be performed on the live network, but on a set of IPs that he has given to them, which I believe will not cause any problems.

    MRG.
