Alarms at the university’s IT security center light up – pagers go off, phone calls are made, network traffic is captured and analyzed. Penetration scans are being run on a number of critical infrastructure servers, and evidence shows that it is originating from on-campus. Patterns are tracked to a classroom where Professor Packetslinger is running his Computer Security class, and students are working on an assignment to evaluate system security. This event, while providing several interesting examples of the ethics of computer security, illustrates one of the major problems with teaching computer security: methods learned in the classroom can easily overstep boundaries and harm real production systems.
Providing a security curriculum can be challenging, given the problems of understanding and using tools that can be used to compromise systems. Historically, when dangerous tools are involved, the primary method used to ensure that those tools don’t cause unintended problems is to use them far removed from potentially vulnerable systems. In the case of network security tools, this often meant creating a separate network, with attacker and target computers unattached to the larger network of the Internet. Besides the additional expense of those additional computers and the time required to setup and install a completely parallel system, such labs were disadvantaged by not being able to validly use the resources of the Internet or the campus network.
This document is in PDF format. To view it click here.