Dean David Hall sent an email to students in the College of Information Sciences and Technology reminding them that hacking on the school network is not permitted.

Can’t blame the students that much… the email suggests that they were just trying common exploits and on a pretty minor scale. It was probably some bored SRA kids trying their black hats on for size. But then again, hacking on the Penn State network is definitely not a good move when your activity is almost certainly linked to your Penn State ID. Check out the full email below.

Students and Faculty,

Yesterday, I was contacted by Penn State’s Information Technology Services (ITS) Security Operations and Services regarding reports of computer abuse they have received involving IST students. Specifically administrative units at Penn State and security offices elsewhere, including a fellow Big Ten University, have reported attempts by IST students to use common exploits to attack their production systems. While the number of reports is still small, it is disappointing to me that there are any. In the course of study within IST, students may learn about tools and techniques whose purpose is malicious (for example, software to take over systems or to compromise files on those systems). Law, policy, and ethics within the Information Technology field dictate that such tools and techniques NOT be used on operational networks and systems without strict and specific authorization and controls. University Policy AD20 (Computer and Network Security) states: “Conducting or attempting to conduct security experiments or security scans involving or using University Computer and Network Resources without the specific authorization of the Security Operations and Services Director is prohibited.” It also states: “University Computer and Network Resources must not be used to attempt to breach the security or security policy of other sites (either willfully or negligently).”

For students, disciplinary or legal action related to computer abuse may impact your student status or warrant intervention by the Penn State Office of Judicial Affairs.   In addition, it may have a negative impact on your future career, regardless if no damage was done to the target system. Penn State’s digital reputation can be impacted, as well. I urge you to follow the highest standards with regard to your actions both inside and outside the classroom. Please consult with your instructor and also contact Security Operations and Services (814) 863-9533 before attempting security experimentation on your own.

For faculty, in any class that involves explanation of malicious code, I urge you to remind students that what they learn must not be used on operational or production networks and systems. It is important that IST students be aware of attack vectors in preparation for their future careers in information technology. However, their exploration of such capabilities must be limited to laboratory environments not connected to the rest of the Internet.

Thank you for your attention to this extremely important matter.

David L. Hall

Dean and Professor
College of Information Sciences and Technology
Phone: (814) 865-3528