Someone Else

Robert Moir writes about Operating Systems, Computer Security and Virtualisation.

When people don't take laws seriously pt 2 - bad science.

I'm reading a real interesting article on the SANS website right now. Seems they are rightly concerned about an email they've received about a University professor who is forcing their students to either break the law or fail part of their course!

I'm not going to reproduce the whole email or their comments here, but I'm going to extract bits I want to reply to myself. To read the full article please use the link above!

The "TASK"

Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.

Whoa. Sounds interesting, I wonder if the professor concerned is aware of the various laws against unauthorised access to computer networks.

In conducting this work, you should imagine yourself to be a security contracted by the owner of the computer system(s) to perform a security evaluation.

"Imagine yourself" to be contracted to perform the survey? Why would he need to tell people to do that unless he was all too aware that you are required to have authorisation before undertaking this kind of work?

The email goes on to require the students to provide full records of when and how the systems were "evaluated", what tools were used, "samples" of data collected and a handy cut out and keep chart of what systems had which vulnerabilities. Oh boy, be an awful shame if the wrong kind of people got hold of this information.

Never mind. I'm sure this is just a pro-forma project write up and the students will be permitted to audit their own organisation in order to ensure that they can obtain the authorisation they need to do this job, right?

"Word came down this morning that no direct action will be taken against the professor, but if we catch any students doing these scans against our computers we will not be exempting them from our existing procedure. Specifically, disabling their student account and referring them to the Student Dean of Corrections."

So let me see if I have this one down clearly: We won't intervene in this class content (in other words, we approve of this assignment), but we will take disciplinary action against anyone who hacks our own systems. Can I get a "Hypocritical asshats!" from the front row?

Frankly, what we have here is a professor and a university that seem anxious to disgrace themselves. I'm no lawyer, obviously, but I would suggest that they leave themselves open not only to ridicule but to lawsuits from companies who are targeted by students, and / or the students themselves who are placed in the unenviable position of either messing up part of their course or breaking a law that could see them jailed if they're caught.
