The Philosophy - Teaching Good People To Do Bad Things
Almost every university, whether public or private, offers some sort of degree in information technology, information systems, computer science, telecommunications - whatever "title" is given to the program, they're aiming to turn out students who can work somewhere in IT. Most of these graduates share the common trait of being "good people". From a trustworthiness standpoint, this is excellent - you don't want the person managing or maintaining your network to be prone to nefariousness. Or do you?
There is an increasing need for good guys who think like bad guys. Penetration testers, ethical hackers, and digital forensics analysts (just to name a few) are in high demand. However, universities are not turning out graduates with the skills needed to fill those positions. So where does a person go to learn those skills?
There are many places students can turn to online; however, the reputable sources are proprietary and expensive. Many open-source programs are well documented with solutions, thereby allowing any student to simply download a solutions guide and quickly complete the course work (and therefore not learn the lesson). Then there are the fringe resources, which might (or often do) lead a student into questionable or illegal behavior (I mean, really - who hasn't been down that road?).
So, to fill the gap, educators almost have an obligation to teach black-hat and grey-hat skills in a white-hat environment. The goal of this project is to create a virtualized "playground" for dirty deeds, and do it dirt cheap (sorry, AC/DC, couldn't help but rip you off for a minute).
By creating a virtualized, fully functioning enterprise environment, complete with all necessary network services, we can allow students to conduct penetration testing with custom crafted vulnerabilities. Using the skills gained by conducting said testing, those same students can then conduct a forensics analysis of “crimes” committed by an attacker. Sort of a cops-and-robbers game, where the student is first the robber, then the cop.
Ideally, this cops-and-robbers approach would be compartmentalized into two distinctly different sets of coursework: one set focusing on learning about and exploiting vulnerabilities ("robbers"), the other set focusing on forensics ("cops"). Since this project focuses on developing future coursework, we will most likely work on both aspects in tandem. Teaching the different skill sets, however, should be done separately.
That said, let's get started.