Thursday, March 02, 2006

Professor assigns hacking homework to students

Apparently the university considers it ok to mandate students to perform the scans on other internet servers, just not their own.

OK, this is total crud. This professor is way off board, and should be held accountable for this (or at least the school). If you are going to condone the use of security tools, please offer a solution on campus, or using the classroom equipment. There seems to be a double standard here.

If this is nmap or other standard tools, then who cares where you are gathering your intel from? Who doesn't run a scan from time to time, in order to gather information about a server? There are countless reasons why you would do this. Maybe attacks were coming from it, maybe you wanted to know what software was running on it. Maybe you wanted to ping it for latency tests, maybe you wanted a list of open ports to test.

Doing recon on the Internet is little less than noise at best. Barring people from doing recon is like saying you cannot knock on my door. You cannot make rules out of your butt because they sound good. If somebody wants to ping or nmap a college web server there is no harm there. Just don't DDOS it.


1 comment:

Mitchell Rowton said...

The thing is that he is requiring students to do this against machines that they don't own.

If a student picked a random server on the internet and then called to get permission then the person who owns the server would obviously say "no". Just as the university has said that this isn't to be done on their servers.

Just because they don't get permission to do so doesn't mean it's "ok" with the server they are scanning.

Another thing. It's not just "port scanning." Finding out what ports are open on a server is one thing, but in order to test the patch level you have to take a few other steps (in the great majority of cases).

When doing this type of scanning on company servers you always have to get permission first. That's because if they aren't patched then it could cause problems (I've booted production servers like this).

Also, just because a machine isn't secured doesn't mean it's ok to compromise it. The old analogy about knocking on doors just doesn't apply to anything other than port scans.

If they find an open network share (this is an example the students were given) that contains sensitive information and "test" the security then you can be darn sure that this is illegal.