What is more interesting to note than anything else:
(From: http://isc.incidents.org/diary.php?date=2006-02-28)

Yes this professor could have set up its own system for the students to use, yes they could have been instructed that they were to get permission from the owners of the systems first, yes they could have done any number of things to make this a valuable, worthwhile learning experience. That was not done unfortunately. ... We also have not and will not publish the entire document.
While I agree with the sentiments of Tiger Shark, I think something is missing here. Something we may never know, and something which is key to this entire discussion:

Exactly what parameters, what restrictions, and what applicable laws and regulations were conveyed to the students?

If there were none, at the very least the actions of the Professor were irresponsible, possibly criminal, but definitely hold the institution to possible future litigation.

Bear in mind I have a great respect for the Handlers at SANS.org.

I also respect their reasons for not disclosing the institution involved (at this point).

However, I do not agree, since they have disclosed this much, with them not disclosing the full document, just editing out any references to the originator and originating institution.

The litigation mentioned above can come from anyone who is attacked in any way during the duration of this assignment, and suffers any type of loss.
The deluge of subpoenas seeking information in damage suits to the institution, not to mention SANS.org, could be extremely costly. I am not saying SANS.org did wrong by making it public, quite the contrary, just that they should have made everything public (within reason).

The issue for SANS.org is very complex.

So, how do they fit under the First Amendment http://www.law.cornell.edu/constitut...lofrights.html ?

Could their lack of specifics preclude them from the umbrella of protection of the Whistle Blower Statutes?