Just to funny!!! - Page 2
Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 25

Thread: Just to funny!!!

  1. #11
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Oh come on... I like ISC... but they are making a leap here...

    The prof doesn't ask for any information about vulnerabilities, (at least not from what is quoted), he asks for information about a publicly available target with publicly available tools....

    So, what are we looking at? Let's start by NMaping the target... Not illegal in the USA. Then let's grab some banners.... Not illegal in the USA... Let's pull a whole web site and look through it's source... Not illegal in the USA... There's a whole lot of things that _can_ be done to provide the prof with the information he's looking for that is not illegal in the USA.

    Then, what does he ask for? He asks for a properly documented "penetration test", (though what he asks for isn't really a pen test). Hmm... Seems to me like he's trying to teach them how to write a report... Not much more...
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  2. #12
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    We didn't see the entire document, so it is hard to judge specifics. However, the phrase "imagine yourself" to be a security contractor, and the section about reporting "dates and times of investigations (AKA break ins), examples of data collected, evaluation data" are of concern.

    OK, student A says, "Cool, I now a 1337 hax0r, and I'll see what the local doctor's office has for security." He gets his imaginary permission and goes at it. Collects private data from a system with a vulnerability.

    Can you say, "Joliet Jake?"

  3. #13
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    dates and times of investigations (AKA break ins)
    It's the ISC handler that added the "AKA break ins" part of that... I'm not sure it was justified...
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #14
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    Interesting take, TS. I'm checking on it. I'll let you all know if I find out if the handler did add that parenthetical comment, or if it was part of the original assignment document.


  5. #15
    Senior Member
    Join Date
    Mar 2004
    Posts
    113
    I think Tiger Shark is right. On the other hand this website might be useful.

    www.hulla-balloo.com/hack, what I am trying to say is that completing the levels on this website will eventually complete the assignment.

    Hope it helps.

    MRG.

  6. #16
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Apparently their English assignment was writing 419 emails.

  7. #17
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    What is more interesting to note than anything else:
    (From : http://isc.incidents.org/diary.php?date=2006-02-28 )

    Yes this professor could have set up its own system for the students to use, yes they could have been instructed that they were to get permission from the owners of the systems first, yes they could have done any number of things to make this a valuable, worthwhile learning experience. That was not done unfortunately. ... We also have not and will not publish the entire document.
    While I agree with the sentiments of Tiger Shark, I think something is missing here. Something we may never know, and something which is key to this entire discussion:

    Exactly what parameters, what restrictions, and what applicable laws and regulations were conveyed to the students?

    If there were none, at the very least the actions of the Professor were irresponsible, possibly criminal, but definitely hold the institution to possible future litigation.

    Bare in mind I have a great respect for the Handlers at SANS.org.

    I also respect their reasons for not disclosing the institution involved ( at this point. )

    However, I do not agree, since they have disclosed this much, with them not disclosing the full document, just editing out any references to the originator and originating institution.

    The litigation mentioned above can come from anyone who is attacked in any way during the duration of this assignment, and suffered any type of loss.
    The deluge of subpoenas seeking information in damage suits to the institution, not to mention SANS.org, could be extremely costly. I am not saying SANS.org did wrong by making it public, quite the contrary, just that but they should have made everything public ( within reason. )

    The issue for SANS.org is very complex.

    So, how do they fit under the First Amendment http://www.law.cornell.edu/constitut...lofrights.html ?

    Could their lack of specifics preclude them from the umbrella of protection of the Whistle Blower Statutes?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  8. #18
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    BTW, Tiger, I got confirmation this AM that the parenthetical phrase was the handlers words. Thanks for pointing me in that direction. They have corrected the online text. Check it out.

    Still, I have to say that the professor is asking for trouble and placing the university in an untennable situation with the assignment. Students hitting well-protected systems with agressive sys-ads and solid IDS/IPS and incident response will find the authorities knocking on their doors and subsequently the attorneys will be at the University's doors.

  9. #19
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    LOL...

    I'm not suggesting that stupidity might not prevail... after all, we are talking college kids here.... But unless they were to go any further than grabbing publicly available information that is there for the taking then they haven't done anything illegal.... In fact, they haven't even done anything immoral either IMO... and let's be honest if a kid does the basic fingerprinting of a server out there they won't put any more work into it.... Hell, it's only a college assignment... They will do the minimum required to get a passing grade...
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #20
    Senior Member
    Join Date
    Mar 2004
    Posts
    113
    hey,

    I think i have some updates on this, A freind of mine told me that the professor has given some IP's to the students to perform the scan. So the assignment should not be performed on the live network, but on a set of IP's that he has given to them which I believe will not cause any problems.

    MRG.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •