COMP3911 explores techniques for attacking computer systems. We expect students to be responsible, ethical and professional, and comply with all relevant legislation, when they apply the knowledge gained in this module.
In some of the exercises, you will attack vulnerable applications that you run yourself; in others, you will attack vulnerable applications running in cloud-hosted VMs. In both cases, the applications have been designed with the intention that they be attacked, so that you can learn more about how the attacks work, and therefore how to defend against them. Attacking such applications is ethical and legal, but attacking applications in general is not.
Bona fide security researchers looking for vulnerabilities find themselves in a grey area, where their actions may be deemed ethical (assuming no intent to harm and a responsible disclosure approach) while still technically illegal. Whilst many organisations respond constructively to the actions of responsible researchers, this isn’t always the case.
If you are interested in reading more about this complex issue, here are some relevant resources: