Remote Security Evaluation of Computer Systems

I was reading a real interesting article on the SANS website right now. Seems they are rightly concerned about an email they’ve received about a university professor who is forcing their students to either break the law or fail part of their course! I’m not going to reproduce the whole email or their comments here, but I’m going to extract bits about it. The project entails the student to perform a security evaluation of computer systems owned by other companies. The student is supposed to conduct the evaluation over the Internet using any available tools in the public domain.

Whoa. Sounds interesting, I wonder if the professor concerned is aware of the various laws against unauthorized access to computer networks. The students are supposed to imagine that they are contracted by a company to perform a security evaluation.

“Imagine yourself” to be contracted to perform the survey? Why would he need to tell people to do that unless he was all too aware that you are required to have authorization before undertaking this kind of work?

The email goes on to require the students to provide full records of when and how the systems were “evaluated”, what tools were used, “samples” of data collected and a handy cut out and keep chart of what systems had which vulnerabilities. Oh boy, be an awful shame if the wrong kind of people got hold of this information.

Never mind. I’m sure this is just a pro-forma project write up and the students will be permitted to audit their own organization in order to ensure that they can obtain the authorization they need to do this job, right?

So let me see if I have this one down clearly: We won’t intervene in this class content (in other words, we approve of this assignment), but we will take disciplinary action against anyone who hacks our own systems.

Frankly, what we have here is a professor and a university that seem anxious to disgrace themselves. I’m no lawyer, obviously, but I would suggest that they leave themselves not only open to ridicule but lawsuits from companies who are targeted by students, and/or the students themselves who are placed in the unenviable position of either messing up part of their course or breaking a law that could see them jailed if they’re caught.