70 Comments
- EpicSA, on 10/12/2007, -0/+2 I love that there is no source, no name listed, no university listed...
I could write an article like this just as easily.
"An unnamed University today issued a homework assignment to its CS students requiring that they break into a bank and return funding to the school"
- xst4t1kx, on 10/12/2007, -0/+2 Reconnaissance isn't "hacking".
- johnnycornholer, on 10/12/2007, -0/+1 Hell, I was just impressed by the poor spelling throughout the entire story. Heh
- jaredseth, on 10/12/2007, -0/+1 socket, find a house where the owner has left their door unlocked and go make yourself comfortable in their living room. When they come home and call the cops, try defending yourself by saying that they should have locked their doors if they didn't want you coming inside.
While I agree that their insurance company would use this as an excuse not to pay benefits, I think you'll find that the police won't be quite as easy to mollify.
- spxiii, on 10/12/2007, -1/+2 lmfao! Hacking homework in computer security is certainly nothing new, but disallowing the use of university computers?? I'm sure it's just a scan using nmap, it's not like it would hurt anything.
Ignorance in education.
- inactive, on 10/12/2007, -0/+1 Bad link, should have linked to the SANS article not to the severely misspelled blog.
- bytefoo, on 10/12/2007, -0/+1 Where's the original blog link?
- mrowton, on 10/12/2007, -0/+1 What a hypocrite, if you do this to the school computers then you will get in trouble, but you must perform unauthorized scans on other web servers to pass the class...
- tylerni7, on 10/12/2007, -0/+1 This is pretty stupid... port scans happen all the time... like everyone else has said, it's basically the same as opening a webpage. Is it illegal if you telnet every port of a server until you get a response (I don't know but I'll just assume it isn't...). Unless they actually go and screw up the server somehow, I don't see what is so bad about this..
- codeNinja, on 10/12/2007, -0/+1 Didn't that guy in Britain just get convicted not too long ago for "hacking" a site that he donated some money to by simply trying to do some directory traversals on the server? It would be interesting to see how this type of thing would play out in court if someone whose server was being used to facilitate the stuff mandated by the class by a student were to sue.
Just a thought...
- snowbooch, on 10/12/2007, -0/+1 @Bandito "Would it be so difficult for the professor to setup a few servers for the students to use for this practical? Set them up with different OS'es, different software packages, etc."
I totally agree. Plus the professor could set up a real tricky one for some extra credit... maybe a situation where the student has to acquire something without getting logged or caught, I think it would be cool
- mikedpirone, on 10/12/2007, -0/+0 See, that's why I think my school (even though it's a community college) is actually a pretty decent school. We have servers set up specifically for the network security students to try and hack. It's actually a good idea because it gives the students an idea of the tactics that possibly would be used against the servers they eventually might be controlling one day. Then again we get a lot of funding from the state as well as from our county so we actually have a lot more available to us than most 4 year colleges do.
- spxiii, on 10/12/2007, -0/+0 How is this not hacking? This is not a "script kiddy" tactic, it is how you identify potential vulnerabilities in a system. I can write a buffer overflow to take advantage of a web service, but it isn't going to do a whole lot of good if I don't know the service is running.
For my computer security course in college we had a required "capture the flag" game that took the better part of a Saturday. We broke into teams and were given a system to protect while we also had to hack into the other systems and put up our "flag" on a custom service that was running... a great exercise!
As it turned out, one of my teammates allowed us to fall victim to social engineering by writing down the root password and leaving it lying out (!!!). That ended up being the only successful intrusion as hacking updated Fedora boxes is no small task (in spite of Red Hat's running way too many services by default).
- indiefan, on 10/12/2007, -0/+0 We had a lab where we were required to sniff out passwords from an ftp session. Not really "hacking" but some of the students had never heard of packet sniffing before, so the university taught them how.
- dipswitch, on 10/12/2007, -0/+0 To REALLY pass the test you need to set your own score ;)
And change the professor's personal information in the gov. databases. -_-'''
- craterburnsu, on 10/12/2007, -0/+0 In my security courses that I've taken so far on my way to my Bachelor's we did exactly the same thing, just we were told where to do it, and warned we should not do it randomly, even though we all have and it is harmless. We also actually just set up a few servers in our school's network, the Dean had the Network Admin throw everything on that router into the DMZ so we could actually mess with those, had them set up with their own DNS etc. to make it all a very very exploitable place for us students to play with.
- abonet, on 10/12/2007, -0/+0 Maybe TCP should be considered illegal. Or maybe just the notion of "ports" should be made illegal. Maybe any computer on the internet without a firewall in front of it should be considered illegal.
- romman00, on 10/12/2007, -0/+0 dkoolaid - yes!!
- oddmanout, on 10/12/2007, -0/+0 everyone assumes that this guy is telling his students to 'attack' some server somewhere... all it says is he "requires students to perform reconnaissance on an internet server" all we know is that it's not the school's, and that the school asked them not to do it to their servers.... where does it say if they had or didn't have permission? Everyone just ASSUMED that what they were doing was illegal.
- dkoolaid, on 10/12/2007, -0/+0 LOL, this is at my school. Should I say who it is?
- spiritflare1, on 10/12/2007, -0/+0 Actually, the university could get sued if a corporation is targeted or any institution which results in any kind of outage. It would be perceived as a hacking attempt from that source network (University) and with the blessing of the Prof. (haha).
- SunnySideDown, on 10/12/2007, -0/+0 I had a professor that allowed me to do the same. Apparently, it's illegal in California but not in some other states.
- tsunamisteve, on 10/12/2007, -0/+0 This type of teaching has been going on in Purdue computer science courses for a while to the best of my knowledge.
- joeyjojo, on 10/12/2007, -0/+0 Can't blame the guy for not wanting to bite the hand that feeds.
- inactive, on 10/12/2007, -0/+0 So would the Gibson count?
- wayhip, on 10/12/2007, -0/+0 Apparently this is illegal in some jurisdictions. Also it proves nothing as he has no idea how hardened a network or server may be. Better to set up a lab with machines at various levels of hardening, then you would have a good base line for grading.
- strictnein, on 10/12/2007, -0/+0 Wow. Since scanning ports of a computer is basically illegal... wow.
Even at the small college I went to (that had like 50-60 people in the CS department) we had our own set of "hack" servers that were on their own network that we could do whatever we wanted to.
- h4lofourt33n, on 10/12/2007, -0/+0 This would be cool if they set up a dummy server for it. However, telling the students to attack random internet servers, for class credit... something doesn't sound right. Regardless, I hope the school gets in trouble for this. Very unprofessional. What is SNAS?
- epheterson, on 10/12/2007, -0/+0 That's horribly wrong. That professor will lose respect, especially if he's worked in the field.
- socket, on 10/12/2007, -0/+0 The only issue I see here is the hypocrisy of the school. They should be willing to allow this being done on their own servers if they will encourage students to do it to others.
- jfish, on 10/12/2007, -0/+0 This sounds exactly like my homework for CS4001 Cyber Security at the University of Missouri. Our Prof was the ***** and could compromise any university managed server in minutes.
- mrowton, on 10/12/2007, -0/+0 The thing is that he is requiring students to do this against machines that they don't own.
If a student picked a random server on the internet and then called to get permission then the person who owns the server would obviously say "no". Just as the university has said that this isn't to be done on their servers.
Just because they don't get permission to do so doesn't mean it's "ok" with the server they are scanning.
Another thing. It's not just "port scanning." Finding out what ports are open on a server is one thing, but in order to test the patch level you have to take a few other steps (in the great majority of cases)
When doing this type of scanning on company servers you always have to get permission first. That's because if they aren't patched then it could cause problems (I've booted production servers like this)
Also, just because a machine isn't secured doesn't mean it's ok to compromise it. The old analogy about knocking on doors just doesn't apply to anything other than port scans.
If they find an open network share (this is an example the students were given) that contains sensitive information and "test" the security then you can be darn sure that this is illegal.
- ItsGus, on 10/12/2007, -0/+0 this is dumb...
Anyone who has taken any class on advanced networking or security knows that you have to understand how to hack in order to understand how to defend from hacks and create robust security...
DUH
- worthawholebean, on 10/12/2007, -0/+0 Lame. No digg. How is reconnaissance equal to hacking?
- kenhuman, on 10/12/2007, -0/+0 sakibomb, while I agree with you that network probing is and should be considered hostile, the real problem comes up when people attempt to exploit possible vulnerabilities. Of all of the years I've spent maintaining school and corporate networks, the majority of port scans have been just that, port scans, leading to nothing else, and being harmless.
- ivachen, on 10/12/2007, -0/+0 I guess they should've used virtual machines. All the hacking I've done in class is through a VM network. You can learn what needs to be taught in the emulated network and, better yet, the professor won't be flamed in public.
- jo42, on 10/12/2007, -0/+0 They can hack this server all they want: 127.0.0.1
- a1programmer, on 10/12/2007, -0/+0 What a wasted read.
- r04dki11, on 10/12/2007, -0/+0 The professor assigned the practical and the University (other people!) allowed it under specific guidelines. Yes this is stupid, but the professor didn't make the rules.
- milieu, on 10/12/2007, -0/+0 While I agree that the professor and the University should have created dummy servers, or got permission to perform the test against a school-owned server, I think the security guys are way off base. Port scanning is not illegal, or web surfing would be illegal too.
From the SANS article:
"He wants them to write an evaluation of what they find: what ports are open and what service could be running on them, Host names and IP addresses, OS, version, last update, patch status, what shares are available, what kind of network traffic and what vulnerabilities they see.."
All of this is harmless, despite SANS's editorializing and fear-mongering. Most webpages collect more info than that from people who browse to that page. While there are laws against computer trespass, good luck getting a conviction when the information and computer are openly available to the public.
- spamdies, on 10/12/2007, -0/+0 pen testing involves a whole lot more than port scanning or a simple nmap ping scan you losers...
- dkoolaid, on 10/12/2007, -0/+0 it is wwu
- Snarfalunch, on 10/12/2007, -0/+0 Is this wwu.edu?
- burningheretic6, on 10/12/2007, -0/+0 That's some nice homework...
- absentmindedjwc, on 10/12/2007, -0/+0 I WANT THIS TEACHER, lol
- boazg, on 10/12/2007, -0/+0 scanning!? that's a lame project. we got to pick a project from a list (I implemented a DNS sniffer, soon to be released). we did have a bonus on one assignment for the ID numbers (local equivalent of SSN) of members of parliament :).
- sakibomb, on 10/12/2007, -0/+0 I'd wager that most of the comments from folks that think port scanning is "ok" and don't think there is anything ethically wrong with probing a network have never run a production server or been responsible for maintaining a network.
fyi, those of us that actually have a real stake in this discussion always treat network/system probing as hostile -- making this practice a serious liability for any university that encourages this type of bad netiquette.
- devwal, on 10/12/2007, -0/+0 Phish is a good band.
- dataloss, on 10/12/2007, -0/+0 "Only a backwards overly liberal state like California could try to make something as innocuous as port scanning illegal."
Not really...
It is illegal to walk a neighborhood checking each door to see if it is locked. That principle is frequently applied to portscanning "attacks."
Not that I totally agree with it, but your other arguments don't hold up either. Portscanning != Using Firefox to open a web page. Firefox simply attempts a single connection to a single community-accepted standard port. It doesn't try to open a connection to every port between 1-65535.
-dl
- Writher, on 10/12/2007, -0/+0 I had to do the same thing in my System Administration II class at my University. Nothing new here.