Tooting the whistle

A notice was sent out to the LAN administrators today that raised eyebrows into orbit. Apparently one of the profs in CSci is teaching a Computer Security class, and passed out a completely unethical assignment.
Task
You are to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.
Your evaluation should determine some or all of the following:
  • Host name and IP address.
  • Operating system, version, last update, patch status.
  • Open ports and, where possible, suggestion of the type of service provided on each port.
  • Shared disk drives and printers.
  • Network traffic.
  • Vulnerabilities.
What you must submit
In conducting this work, you should imagine yourself to be a security contracted by the owner of the computer system(s) to perform a security evaluation. You provide a written report which has the following sections:
  • Executive summary.
  • Description of tools and techniques used.
  • Examples of data collected during your investigation.
  • The evaluation data, listed above.
  • Overall evaluation of the system(s), including vulnerabilities.
Note:
Since your remote evaluations of computer systems cannot be purely passive, you must take care to ensure that your actions are not seen as intrusive or threatening to the computer site being investigated.
You are to conduct your investigation using tools available in the public domain and must not attempt to hack into the system. If you detect vulnerabilities in the system, you must not exploit those vulnerabilities.
If you are challenged by a system manager, you may explain your actions and provide a copy of this document. You may also offer to provide a copy of your report to the system manager on completion of your evaluation. If asked to cease and desist, you are to do so immediately and consider another site for your investigation.
In short, this professor has assigned his students the task of performing an unethical action. By the Student Access Policy of this very university, if we catch these students scanning any of our systems their accounts will be disabled and they will be referred to the Student Dean for disciplinary action.

The very foundation of this sort of action is getting permission first. The disclaimer:
In conducting this work, you should imagine yourself to be a security contracted by the owner of the computer system(s) to perform a security evaluation.
is wrong from the start. When doing these sorts of scans you need to have the consent of the administration of the network in question. This statement is not a proxy for permission, especially when combined with this requirement:
The evaluation should be conducted over the Internet, using tools available in the public domain.
Which pretty much says, "you can't use your home network."

In some states, this sort of unsolicited scanning is technically illegal. Admittedly, it is never prosecuted unless it helps make the case for some greater offence, but it is still illegal. This is a grossly unfair assignment for the students, and completely unethical as presented.

1 Comment

Aww... finally an assignment I was actually looking forward to doing. Figures it would require breaking the rules.