Re: Network Hacking
From: Kevin Davisł (zkevindavisz@cfl.rr.com)
Date: 02/23/03
From: Kevin Davisł <zkevindavisz@cfl.rr.com> Date: Sun, 23 Feb 2003 03:00:01 GMT
On Fri, 21 Feb 2003 23:50:44 -0500, "Privacy, please"
<no.spam@wanted.here> wrote:
>"Kevin Davisł" <zkevindavisz@cfl.rr.com> wrote in message
>news:bspd5vktpnlvbmqrofhectsr6hceq6c20m@4ax.com...
>> On Fri, 21 Feb 2003 14:28:36 -0500, "Privacy, please"
>> <no.spam@wanted.here> wrote:
>>
>> >There are two entirely separate issues here:
>> >
>> >1. Network security. What teachers assign as homework is irrelevant.
>>
>> Wrong. If the teacher's assignment includes activities that the sys
>> admin should be apprised of, they should be apprised of it.
>
>I never said otherwise.
You implied it. So let's clear this up front:
Do you feel that the professor acted improperly by instructing his
students to hack the University network without first getting approval
from the affected entities?
If permission for such activities were sought and denied, do you
believe that the professor would be within his rights to proceed with
the activities anyways?
Now, if the professor had sought and obtained permission to do the
hacking on the University network, I have no quibble with him. I
would have a quibble with the idiots who agreed to let him do it,
though.
>> justifying the professor's and student's actions leads to the
>> justification of *any* student, no, make that *anyone* to hack into
>> their system unannounced.
>
>This is the same convoluted logic that had others claiming that students
>searching for vulnerabilities on their school's network was the same thing
>as grand theft auto and armed robbery.
(Note the absence of agreeing that it is inappropriate for this
professor to engage in unannounced hacking)
>> Again, justifying
>> the teacher's assignment is inherently giving him the authority to
>> conduct security assessments.
>
>I don't think there is anything wrong with that. I also don't see a problem
>with electrical engineering students looking for shorts in the wiring
That's just great. Having unexperienced engineers examine for
"shorts" in the wiring. What happens when they, themselves create a
short and bring down the power in the CS building? This is just a
boneheaded idea. Sure, let them get experience, but ONLY within a
controlled environment.
> It is a school.
Which needs its power, network, etc for other things than for
inexperienced students to bring it down while playing with it.
>The students should be doing
>these things with the oversight and blessing of the administration.
Which, if they had half a brain would laugh hysterically at the
suggestion and then say no.
>> What you are overlooking is that the sys admin's security job and
>> activities should not be dictated by some professor that has a wild
>> hair.
>
>The sys admin's security job is dictated by any and all attempts, past
>present and future to infiltrate the network. Doesn't matter if it is a
>dedicated hacker from some european hacking gang or a six year old randomly
>pushing buttons.
He doesn't need the extra work load of finding and tracking down
student hackers directed by some idiotic professor. The sys admin's
time in doing so should be charged against the professor's expenses.
>I've been asking all along - was the sys admin looking for them? Have all
>security patches been applied properly? Was somebody even bothering to read
>the security bulletins? Look at all of the damage caused by that SQL worm
>recently: how many sys admins never applied the patch? Assume school X had
>some public facing SQL servers and a professor had his students check the
>network for vulnerabilities and they discovered that the appropriate patches
>had not been applied. It would have been fairly obvious that the sys admin
>had not been keeping up with the responsibilities of the position and
>hopefully somebody would have ensured that the patches were applied and the
>worm would not have had a chance to strike. It would have been a very good
>thing that the teacher had checked into the problem.
Again, what you are totally missing is that it is not the teacher's
responsibility and more importantly it is way outside his authority to
do this. You are also making erroneous assumptions 1) that the sys
admin is a drooling fool, in need of novice students hacking into the
network to expose security weaknesses and 2) That all of these
students will be honest and forthright in disclosing what they have
discovered.
>> The University network was not established to provide a test bed for
>> some professor teaching network security. It was established to
>> provide a legitimate service to students and faculty. He is
>> unnecessarily putting that resource at risk.
>
>The resource would have been at risk because of unapplied patches or untaken
>security precautions.
Which is the responsibility of the sys admin to identify and resolve,
not some vigilante professor.
>
>> If the professor wishes to teach the students some hands on security, as I
>> have stated before, he needs to obtain funding for a small test lab or foot
>> the bill on his own.
>
>Why should a professor have to foot the bill for educational resources?
Depends. This professor most certainly can teach an excellent network
security class without the need to instruct his students to hack the
University network. If he wants to provide them with a hands on
experience then he must either get permission from the University to
do this or obtain funding to establish a test lab. If the funding is
refused then he basically has 3 choices:
1) Use his own money to create a test lab.
2) Forget about the hands-on stuff
3) Ignore the University's denial and instruct his students to go
ahead and hack the University's network, thus risking his job.
>Should the prof have to buy all of the books as well? Don't forget the
>desks. You obviously haven't heard about how underfunded schools are.
Let's not forget about all the extra work that this nut is creating
for the sys admin. Maybe his salary should be adjusted for paying sys
admin's extra time for chasing down student hackers unnecessarily
directed by some moron professor.
Which Universities are underfunded? Certainly not all Universities
are. We don't know which one he works for. You are again making
assumptions.
>All I am saying is that I hope that teacher has tenure. This would have
>been a pretty stupid reason to lose a job.
No, it wouldn't. Organizations like Universities and Corporations
consider their networks vital to their existence nowadays. Because of
that the vast majority of them have established policies of acceptable
use and usually require their employees (professors) and students to
read, understand, and sign in agreement to adhere to these policies.
The consequences of violating them include being terminated.
---------------------------------------
What could possibly go wrong?