Re: Network Hacking
From: Privacy, please (no.spam@wanted.here)
Date: 02/22/03
From: "Privacy, please" <no.spam@wanted.here> Date: Fri, 21 Feb 2003 23:50:44 -0500
"Kevin Davis" <zkevindavisz@cfl.rr.com> wrote in message
news:bspd5vktpnlvbmqrofhectsr6hceq6c20m@4ax.com...
> On Fri, 21 Feb 2003 14:28:36 -0500, "Privacy, please"
> <no.spam@wanted.here> wrote:
>
> >There are two entirely separate issues here:
> >
> >1. Network security. What teachers assign as homework is irrelevant.
>
> Wrong. If the teacher's assignment includes activities that the sys
> admin should be apprised of, they should be apprised of it.
I never said otherwise.
> justifying the professor's and student's actions leads to the
> justification of *any* student, no, make that *anyone* to hack into
> their system unannounced.
This is the same convoluted logic that had others claiming that students
searching for vulnerabilities on their school's network was the same thing
as grand theft auto and armed robbery.
> The professor and the students have made
> themselves no different than external hackers - except they have the
> advantage of being on the inside from square one.
By definition you can't be an 'external' hacker from the inside.
> Again, justifying
> the teacher's assignment is inherently giving him the authority to
> conduct security assessments.
I don't think there is anything wrong with that. I also don't see a problem
with electrical engineering students looking for shorts in the wiring on
campus, civil engineering students looking for problems with roads and
pedestrian bridges on campus. It is a school. The students should be doing
these things with the oversight and blessing of the administration.
> Such activities could also interfere with any security assessment that
> may be in progress at the same time.
Actually a security assessment would notice the efforts and include them in
the report. Unless you think that they should post a warning "no hacking
while we try to make sure that nobody can hack"... A good security
assessment would discover that a CS professor was probing the network as a
class assignment.
> What you are overlooking is that the sys admin's security job and
> activities should not be dictated by some professor that has a wild
> hair.
(CTRL-S - what a lifesaver)
The sys admin's security job is dictated by any and all attempts, past,
present and future, to infiltrate the network. Doesn't matter if it is a
dedicated hacker from some European hacking gang or a six year old randomly
pushing buttons.
> Not ignoring it. Just stating that it is the sys admin's job to find
> and resolve those things, not some professor with some kind of
> delusions of grandeur.
I've been asking all along - was the sys admin looking for them? Have all
security patches been applied properly? Was somebody even bothering to read
the security bulletins? Look at all of the damage caused by that SQL worm
recently: how many sys admins never applied the patch? Assume school X had
some public facing SQL servers and a professor had his students check the
network for vulnerabilities and they discovered that the appropriate patches
had not been applied. It would have been fairly obvious that the sys admin
had not been keeping up with the responsibilities of the position and
hopefully somebody would have ensured that the patches were applied and the
worm would not have had a chance to strike. It would have been a very good
thing that the teacher had checked into the problem.
> >You are deliberately being obtuse and refusing to understand the point.
> >Banks are not learning environments. Universities are.
>
> The University network was not established to provide a test bed for
> some professor teaching network security. It was established to
> provide a legitimate service to students and faculty. He is
> unnecessarily putting that resource at risk.
The resource would have been at risk because of unapplied patches or untaken
security precautions.
> If the professor wishes to teach the students some hands on security,
> as I have stated before, he needs to obtain funding for a small test
> lab or foot the bill on his own.
Why should a professor have to foot the bill for educational resources?
Should the prof have to buy all of the books as well? Don't forget the
desks. You obviously haven't heard about how underfunded schools are.
> *That* would be your learning environment. This professor
> is being arrogant in that he feels that the sys admin needs his help
> in securing his network or at the very least being extremely
> presumptuous that the University's network is at his beck and call for
> teaching his network security class.
All I am saying is that I hope that teacher has tenure. This would have
been a pretty stupid reason to lose a job.