Domain: hackbusters.net
Stories and comments across the archive that link to hackbusters.net.
Comments · 21
-
Legality of the Honeypot part?
...a honeypot targeted at discovering zero-day exploits...
So, would this Microsoft research project violate some Super DMCA laws? For example, in Illinois, we have Public Act 92-728, which is the Illinois Super DMCA. This act was responsible for "killing" the LaBrea Tarpit software package.
Since IANAL, I will quote the writeup from the LaBrea website: This section of the Illinois Criminal Code was added on January 1, 2003 by Public Act 92-728 and defines an "unlawful communication device" as "any communication device which is capable of... facilitating the disruption... of a communication service without the express consent or express authorization of the communication service provider..."
It furthermore makes it a criminal offense if a person knowingly "possesses, uses, manufactures, assembles, distributes, leases, transfers, or sells" an "unlawful communication device... for the commission of a theft of a communication service or to receive, disrupt, transmit, decrypt, or acquire... any communication service without the express consent or express authorization of the communication service provider, or to conceal or to assist another to conceal from any communication service provider or from any lawful authority the existence or place of origin or destination of any communication". ...
From my reading of the law, "communication service provider" can be interpreted as "anyone who provides data transport anywhere along the path of the connection".
It is also a criminal offense if someone "possesses, uses, prepares, distributes, gives or otherwise transfers... plans or instructions for making or assembling an unlawful communication or access device..."
The penalties for violations of this section treat this as a Class A misdemeanor unless the infractions involve 10 or more "unlawful communication devices" in which case it is treated as a Class 4 felony. Cases involving 50 or more "unlawful communication devices" are treated as a Class 3 felony (the same as "aggravated battery", 2-5 years in prison). There is also a provision for civil actions with statutory damages of not less than $250.00 and not more than $10,000.00 for each "unlawful communication device." -
Something to consider...
Although the bill could be written to avoid this loophole, well-thought out bills are not common within our government.
This reminds me of the LaBrea tarpit application, which assumes unused IP addresses in a network and intentionally responds to an ACK request, but never responds to anything else, causing virus-infected systems and hacker tools such as Nessus to tie up their open ports trying to communicate with systems that don't really exist. This software is illegal in the developer's home state of Illinois because state lawyers argue that viruses (or maybe just the underlying TCP/IP packets) are a "service", and they have a similar law which prohibits spoofing for the purpose of disrupting network services.
Although the purpose of LaBrea is to disrupt a malicious attack, and not to gather information, I can't help but feel that if Code Red is a service, then discovering one's IP address may be considered "information gathering".
Any thoughts?
-
Re:Ghostbusters
Nuts. I was agreeing with you until you finished quoting Ghostbusters.
Now, Spamhaus might be violating rules
Whose rules is Spamhaus violating? The rules set by the State of Illinois? So freaking what? IIRC, spamhaus is based in England. If I were in Saudi Arabia, I could be sentenced to death because of my religious beliefs, but guess what--I'm not in Saudi Arabia, so I couldn't care less! Why is this any different? Spamhaus does not have a physical presence in Illinois, nor, for that matter, anywhere else in the United States, so why should they have to follow some stupid law that a non-technical, idiot politician in another country wrote?
I think that Spamhaus should have to present proof that e360insight is an illegitimate spamming business [spamhaus.org].
Again, I ask "why?"
Spamhaus doesn't block spam--they provide a database of IP addresses that mail server administrators can use at their own discretion to block suspected spam sources. So, if Spamhaus isn't blocking e360insight's mail servers (they aren't), then why should they have to "prove" that e360insight is a spammer? As I understand, Spamhaus essentially has a network of honeypot e-mail addresses. Anything hitting these addresses is, by definition, unsolicited, and therefore spam.
As far as accountability...well, if you are a mail server administrator, you decide to start using Spamhaus' database to make decisions about from whom you will accept e-mails, and you find that the amount of spam hitting your inbox has dropped by a factor of four, how much more accountability do you need? You always have the option of hard-coding an Allow rule into your mail server config files, if you find that you are missing e-mails from what you perceive to be legitimate sources.
The State of Illinois needs a reality check. They wrote a "Super DMCA" law a few years ago that essentially hamstrings IT security professionals (see http://www.hackbusters.net/ for more details), and this is just another example of poor legislation victimizing the innocent. -
Re:Spamhaus does a lot of ignoring
Uh, no.
The theory is that if your ISP doesn't give a rip that you are spamming, then Spamhaus (and other blacklist operators) blacklist the offending network. Then *you* get pissed at your ISP and move somewhere else. Once enough customers jump ship because the ISP is irresponsible, then maybe they'll start to enforce their AUPs.
This was a concept that was thankfully pounded into my former employer's (an ISP) head before I started working there, but I still had to remind management quite frequently, that yes, we did in fact want to kick spammers off our network, no matter how many services they bought from us, for this very reason.
Yes, it's a PITA for the poor sap who's trying to send e-mail to Aunt Lucy but can't because his ISP is blacklisted, but it's an effective way of (let's be honest) coercing ISPs into playing nicely with others. Want proof? Why did the spammer spend the time, money and effort to take Spamhaus to court in Illinois? Because Spamhaus was *hurting* them. And that's a good thing >:]
Going slightly off-topic for a moment, this is an illustration of why I won't be moving to Illinois any time soon. For a related stupid story, see http://www.hackbusters.net/ -
This gets worse...
There was this other post... http://it.slashdot.org/comments.pl?sid=186090&cid=15358185
"It's like some sick competition between the US administration and the UK one.
"Oh, yeah, you think that telephone call database is slick, check this sh*t out. We're gonna make our subjects give up their crypto keys or go to jail"
"Oooh, good one!" (high five)"
It should be continued with
American Administration: "But still we have the DMCA and some states have even extended that to cover "unlawful" communication devices..." http://www.hackbusters.net/
UK administration: "Good one, I think I can top it though... wait a minute" UK administration drafting a bill ... "Check this out, this lands everyone who tries to assess their information security in jail!"
American Administration: "Wicked!"... -
Re:Hey, Microsoft willingly employs HTTP as well!
They fiddled with TCP, not HTTP. We do it all the time. Take TARPIT for example.
It is very common that we hack protocols to suit our needs.
NAT
ignoring ping requests
Anyone? -
The fellow in the article...
....who figured out how it worked (i.e., Browser Handler Object, HTTP POST of stolen account info to a site) is Tom Liston of Hackbusters. He's been sorting through this kind of thing for a while...
-
Darknet, invite naughty traffic on your net today!
I completely agree, after spending countless hours sifting through log files, tweaking triggers to help reduce the amount of false positives, the IDS is not the complete answer.
An IDS is only so efficient, you need to first really understand your network before deploying, and even after deployment, this is only the beginning.
We have been using Darknets, or honeypots, for some time, an excellent combination of tools, see Snort, ACID (Analysis Console for Intrusion Databases).
As said before and in the article, this is a sophisticated set of tools and you need to understand your network, or you will find yourself chasing ghosts. Enter the Darknet (Honeypot).
Combined with the other tools, we have been using Honeyd, an excellent honeypot, simple to get up and going and very configurable.
Snort.org has excellent howto documentation to get the IDS up and going, then you can add the honeypot.
It can be downright humorous how quickly you will begin to capture useful information. In addition, adding scripts to interact with the traffic will allow you to keep the user busy while you are collecting data, or tarpitting the traffic, making the port "sticky" and dragging the connections; another good one would be LaBrea.
If you have any interest in network security, or simply want to monitor your home network, you need to take a look at darknet, or any of the other tools mentioned. -
LaBrea
http://hackbusters.net
Has there ever been a better way to fight them? -
Does it not sound similar to tarpits?
I wonder how this is different from a Tarpit with a program to report everyone who is visiting it. Related slashdot article
-
Re:Increase in TCP 135 Activity
Let's see if we can't tar this thing up!
-
An example of the impact of this legislation
Perhaps a concrete example would help people to understand the impact of legislation like this.
I am an Open Source developer, and in the spring of 2001, I created LaBrea, a network defense application. LaBrea puts unused IP addresses on your network to use, creating a "network tarpit" that traps and holds connection attempts from worms and scanners.
On April 15th of this year, it came to my attention that a nearly identical version of the proposed Tennessee law had been enacted in Illinois and had become law as of January 1.
As I read through the law, I discovered that LaBrea appeared to meet the criteria for what was called an "unlawful communication device" because it both disrupted and concealed the true origin and destination of communication.
If, indeed, LaBrea represents an "unlawful communication device," then my continued distribution of LaBrea from my website within Illinois placed me in violation of the law, and opened me up to incredibly punitive criminal and civil penalties.
Additionally, on January 14th I had contacted the developers of every Windows personal firewall that I could find to explain a flaw that I had discovered under WinXP and Win2K. The firewall vendors had worked out patches and rolled them into their products, and I was in the process of coordinating the publication of the vulnerability information with the various organizations when I discovered that this provision was law in Illinois.
Under this law, simply disclosing information describing a technique for "defeating or circumventing any technology, device or software used by the provider, owner or licensee of a communication service or of any data, audio or video programs or transmissions to protect any such communication, data, audio or video services, programs or transmissions from unauthorized access, acquisition, disclosure, receipt, decryption, communication, transmission or re-transmission" is treated as a felony. I will not publish this information, nor will I allow the vendors to credit me when/if they choose to publish it.
I have been contacted by the MPAA who has attempted to assure me that there is some sort of requirement for "intent to defraud" under the Illinois law, but I cannot find any such language. Lawyers from the EFF have, essentially, agreed that such language does not exist.
And so, where does this leave me? I've pulled LaBrea from distribution because I cannot justify placing myself in a position where I could be subject to criminal and civil penalties to give away software for free.
Is it illegal for me to distribute LaBrea? I honestly don't know. But I certainly can't justify hiring a lawyer to sort it all out. Quite frankly, I'm getting to the point where I really just don't care anymore. It's difficult enough to write good software-- trying to do it while walking through a legal minefield is impossible.
That is the result of this stupid legislation. If you live in Tennessee, or if you're in a position to influence what goes on there, do whatever you can to get it stopped. There is no justification for passing this law immediately. If there are legitimate questions surrounding this legislation (and I believe there are), then table the dang thing and sort them out now, before it is enacted.
Further information can be found at the HackBusters website
-TL -
Don't let this one slip by...
In Illinois, this slipped in under the radar. Don't let this happen in Texas. I'm currently working to get the Illinois law changed, but if you can keep it from happening at all, you'll be much better off.
The killer question to ask on this is: "What specific illicit activity, that is not currently illegal under Texas law, is this new legislation targeting?" For further information on where things stand in Illinois, see the HackBusters site.
-
LaBrea
I know I am a bit late, but so far nobody else has mentioned LaBrea.
This is a tool for Linux and Windows, that can even be run on a Linux boot floppy on an unused PC.
"LaBrea is a program that creates a tarpit or, as some have called it, a "sticky honeypot". LaBrea takes over unused IP addresses on a network and creates "virtual machines" that answer to connection attempts. LaBrea answers those connection attempts in a way that causes the machine at the other end to get "stuck", sometimes for a very long time."
So, while this would be no foolproof protection for your users, it would stop many of the simpler attacks and slow the rest down, and you would automatically be notified if someone tried to scan the whole network or a new Code Red tried to propagate.
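To make the "gets stuck" behaviour quoted above (and the "responds once, then never again" description in the earlier LaBrea comment) concrete, here is an added simulation of a LaBrea-style TCP tarpit written as a state machine. It is not LaBrea's code: the segment fields, sequence numbers and persist-timer values are constructed for illustration. The tarpit completes the handshake with a small window, then answers every later data segment and window probe with an ACK that never advances and advertises a zero window, so the peer's TCP stack sits in persist mode for as long as the tarpit keeps answering.

```python
# Added example: a simplified LaBrea-style TCP tarpit as a state machine.
# Not LaBrea's code; segment fields and timer values are constructed.
from dataclasses import dataclass


@dataclass
class Segment:
    """Minimal view of a TCP segment: flags, sequence numbers, window, data length."""
    flags: frozenset
    seq: int
    ack: int = 0
    window: int = 0
    length: int = 0  # bytes of payload carried (a window probe carries 1)


@dataclass
class TarpitSession:
    state: str = "LISTEN"
    isn: int = 1000       # tarpit's initial sequence number (constructed)
    irs: int = 0          # peer's initial sequence number, learned from its SYN
    replies_sent: int = 0


def tarpit_handle(session: TarpitSession, seg: Segment):
    """Return the segment the tarpit answers with, or None to stay silent."""
    if "RST" in seg.flags:
        session.state = "CLOSED"
        return None

    if session.state == "LISTEN":
        if seg.flags == frozenset({"SYN"}):
            session.irs = seg.seq
            session.state = "SYN_RECEIVED"
            session.replies_sent += 1
            # Complete the handshake with a small window so the peer sends a little data.
            return Segment(frozenset({"SYN", "ACK"}), seq=session.isn,
                           ack=seg.seq + 1, window=10)
        return None

    if session.state == "SYN_RECEIVED" and "ACK" in seg.flags and seg.ack == session.isn + 1:
        session.state = "ESTABLISHED"
        if seg.length == 0:
            return None  # bare handshake ACK: nothing to answer

    if session.state in ("ESTABLISHED", "TARPIT") and seg.length > 0:
        # Data or a 1-byte window probe: acknowledge only the SYN (ack never
        # advances) and advertise a zero window, which holds the peer in persist mode.
        session.state = "TARPIT"
        session.replies_sent += 1
        return Segment(frozenset({"ACK"}), seq=session.isn + 1,
                       ack=session.irs + 1, window=0)
    return None


def persist_intervals(probes: int, first: float = 5.0, cap: float = 60.0):
    """Constructed model of a peer's persist timer: probe interval doubles up to a cap."""
    out, interval = [], first
    for _ in range(probes):
        out.append(interval)
        interval = min(interval * 2, cap)
    return out


def simulate_scanner(probes: int = 6):
    """Drive one scanner connection through the tarpit and summarise what happened."""
    s = TarpitSession()
    peer_seq = 5000  # constructed peer ISN
    log = [tarpit_handle(s, Segment(frozenset({"SYN"}), seq=peer_seq)),
           tarpit_handle(s, Segment(frozenset({"ACK"}), seq=peer_seq + 1, ack=s.isn + 1))]
    # The scanner's first request fits the 10-byte window; only the SYN gets acknowledged.
    log.append(tarpit_handle(s, Segment(frozenset({"ACK"}), seq=peer_seq + 1,
                                        ack=s.isn + 1, length=10)))
    # Window is now 0, so the peer sends 1-byte probes; each is answered with window 0.
    for _ in range(probes):
        log.append(tarpit_handle(s, Segment(frozenset({"ACK"}), seq=peer_seq + 1,
                                            ack=s.isn + 1, length=1)))
    answered = [r for r in log if r is not None]
    return {
        "state": s.state,
        "replies": len(answered),
        "bytes_acked": max(r.ack for r in answered) - (peer_seq + 1),
        "window_zero_after_handshake": all(r.window == 0 for r in answered[1:]),
        "seconds_held": sum(persist_intervals(probes)),
    }


if __name__ == "__main__":
    print(simulate_scanner(6))
```

The summary shows the cost asymmetry the comments are talking about: the tarpit spends one small ACK per probe, while the scanner spends minutes waiting between probes and never gets a byte of data acknowledged.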
-
Mixed strategy is best...
Like any other type of security strategy, a proper one should have several layers of defence. I think this idea is an excellent one, and would serve well as one layer in a complete strategy. Another good layer might be trapping. Of course heuristics and signature scanning should be used as well. The most important layer of all IMHO... training. Human training.
-
Tarpit
Maybe we should all Tarpit our networks, and implement a port level equivalent for Kazaa, Gnutella, etc. ports? This would really tie up their system.....
-
Throw SPAM to the tarpits!
It would be really cool to take the relay blackhole list to an extreme, and enhance it with something like LaBrea. That way, instead of just immediately refusing to accept spam, freeing the spammer to move on to the next host on the list, a "tarpit" relay would bog the spammer down, maybe slowing their spamstream down to the point that they're sending only one message per hour. If we could get just a small percent of the SMTP servers on the 'net running such a tarpit, that would reduce the amount of spam that we all get. That is, until the spammers rewrite their software to give up on slow relays.
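An added example of the application-layer version of this idea (not from the comment above or from any real relay): a tiny SMTP "tarpit" that stutters its banner and replies one character at a time and never accepts a message, so a bulk sender burns a long time per connection for almost no cost on the receiving side. The hostname and delay values are constructed; real deployments make the delay much larger than the fraction of a second used here.

```python
# Added example: an SMTP tarpit that stutters every reply. Constructed hostname
# and delays; it relays nothing and answers every command with a temporary failure.
import asyncio
import time

BANNER = "220 mx.example.invalid ESMTP tarpit ready\r\n"  # constructed hostname


def stutter_schedule(text: str, delay: float):
    """One (character, delay) pair per byte: the reply takes len(text) * delay seconds."""
    return [(ch, delay) for ch in text]


async def stutter_write(writer, text, delay):
    """Send text one character at a time, sleeping before each one."""
    for ch, d in stutter_schedule(text, delay):
        await asyncio.sleep(d)
        writer.write(ch.encode())
        await writer.drain()


async def handle_client(reader, writer, delay):
    await stutter_write(writer, BANNER, delay)
    try:
        while True:
            line = await asyncio.wait_for(reader.readline(), timeout=30)
            if not line:
                break
            cmd = line.decode(errors="replace").strip().upper()
            if cmd.startswith("QUIT"):
                await stutter_write(writer, "221 Bye\r\n", delay)
                break
            # Every other command gets a slow temporary failure; nothing is ever relayed.
            await stutter_write(writer, "450 Try again later\r\n", delay)
    except asyncio.TimeoutError:
        pass
    writer.close()
    await writer.wait_closed()


async def measure_banner(delay):
    """Start the tarpit on an ephemeral loopback port, connect once, time the banner.
    Returns (banner, quit_reply, seconds_to_receive_banner)."""
    server = await asyncio.start_server(
        lambda r, w: handle_client(r, w, delay), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    t0 = time.monotonic()
    banner = (await reader.readline()).decode()
    elapsed = time.monotonic() - t0
    writer.write(b"QUIT\r\n")
    await writer.drain()
    reply = (await reader.readline()).decode()
    writer.close()
    await writer.wait_closed()
    server.close()
    await server.wait_closed()
    return banner, reply, elapsed


def run_measurement(delay=0.005):
    """Synchronous wrapper so the measurement can be called from plain code."""
    return asyncio.run(measure_banner(delay))


if __name__ == "__main__":
    banner, reply, elapsed = run_measurement(0.05)
    print(f"banner {banner.strip()!r} took {elapsed:.2f}s; quit reply {reply.strip()!r}")
```

With a per-character delay of one second the banner alone takes about 40 seconds and each refused command another 20, which is the "one message per hour" effect the comment describes, while the tarpit itself holds only an idle socket per connection.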
-
Alternative to Imprisonment
DoS attacks can be nasty, but why don't you use something like LaBrea to slow them down a bit?
-
Doh!
Here's what I was just about to submit:
LaBrea - The Tarpit: Keep your friends close, your enemies closer.
- -
With the recent proliferation in worms (Code Red, Sircam, Nimda, etc.), beyond either switching to a more secure webserver or keeping up to date with the patches for your own and hoping that others do the same, approaches to actively dealing with the problem have been limited. One can try to either contact the administrator[s] of the infected machines or take a slightly more risky proactive approach. 'LaBrea' - The Tarpit offers a proof of concept for an interesting open source approach.
Linux today, Wired and Linuxsecurity have covered this developing project, more information is available from Hackbusters here, here, here, here, here, or here.
- -
I'm off to sulk. :) -