Slashdot Mirror
The Honeypot Project
Wallahalla writes "Interesting article on ZDNet about HoneyPots (intentionally vulnerable computers placed on the net in hopes of attracting hackers). Security professionals, programmers and psychologists are all working together to try to enhance network security in the face of increasing attacks by the hordes of script kiddies running the net today." We mentioned these quite awhile ago. Actually its an interesting article. I'd like to say pretend that when I got 0wn23d that it was really just my HoneyPot fooling them.
If a kid walks into a store, steals a candybar, and is caught on video tape, then he deserves to be punished/arrested. If a kid breaks into my website, defames it, steal information, and causes damage to my systems, then he/she deserves to be arrested.
Amigori
------------
Being aware of your surroundings can help protect yourself.
"The quality of life is determined by its activites."--Aristotle
I was about to give up, but I'm feeling masochistic tonight, so let me give it one more shot.
I understand the overall point of his post. However, I focused on one somewhat tangental implication that he was making, namely, that there exist "white hat crackers" that are morally different from "black hat crackers", and thus they should be treated differently, in case the managers of the honey pots intended to prosecute break-ins (which personally I think is a good idea).
That's the point I took issue with. I don't think there is any difference between white/black hat hackers, except for motivation, and I don't care about motivation.
To summarize -- my point is about black hat hackers versus white hat hackers, and the fact that I don't recognize the distinction. That point is independent of any honey pot issues.
A honey pot is a machine that is intended to be broken into -- thus a black hat cracker breaking into one isn't bad at all, so long as you can log what he does and analyze it.
By the way, the purpose of a "honey pot" is not to be broken into, any more than a canary's purpose is to die in a coal mine. They're just indicators of a problem. Obviously it's bad when it gets broken into, because that indicates you have a security problem.
--
Sometimes it's best to just let stupid people be stupid.
Blocking "known" attackers sounds like a great idea...at first. And then you remember that many people are on a modem with a dynamic IP, and that most attacks are executed from previously hacked boxes. This is why counter-attacks are almost never a good idea; you generally end up attacking someone who's in your position, and then they mistake you for the real attacker, and you end up with a nice pretty lawsuit.
And the whole time the real attacker sits back and laughes his butt off.
There was a case quite a while ago about whether "hacking back" was legal or not. I don't really remember the details, but I think someone hacked into a company's servers, and the IT staff at the company saw this and "hacked back" (maybe they just DoS'd the attacker).
The one thing I still remember from this is the line (to paraphrase, most likely) "Not only did they do something illegal; they issued a press release bragging to the world that they did it."
The bottom line - think twice about this. Even if you are 100% sure that the IP you're about to flood is the IP of someone who's trying to bring down your system. I don't know the laws, but I don't think the same kind of "personal defense" laws apply here. (I could be wrong.)
________________________________________________
suwain_2
Sure, if I randomly decided to "poke around" at guessing the root password on the company's main server, I could understand being fired. But finding a new server on the network and seeing if your account works should not be something you challenge - provided that they only try their account.
BTW, people who try to crack the desktop of a security professional should be put on record as having being fired for both attempting to breach system security and for stupidity. ("Oh, let's go hack the IT security guy's desktop. Bet he'll never figure it out!" Duh...)
________________________________________________
suwain_2
Then my question still stands, whatever happened to that box? Did it get cracked?
The problem with "White Hat Hackers" is how do you tell the difference ? Chances are very good, you can't tell the difference until its too late. If I were a "Black Hat Hacker", one of the things I'd probably do is try to develope a relationship with the System Administrater by letting him know about one or two holes, make him think I'm on his side. Social Engineering is a skill most Hackers pickup pretty early on. The safest thing to do is don't trust anyone who is not a legal user of your system, assume anyone breaking into your system intends to harm it and act accordingly.
Jesus died for sombodies sins, but not mine.
"Our products just aren't engineered for security,"
-Brian Valentine,VP in charge of MS Windows Development
If you don't have the key it's your problem.
Your car can be used to commit a crime, even a murder.
Locking your car is a good thing for the society even if it's a bad thing for you.
the door was unlocked because the lock is broken and now its going to cost me $100 bucks to get a locksmith out here and i'll have to wait an hour for him to get here.
just leave it alone. if my battery goes dead enough times then i'll learn my lesson.
you are not entitled to screw around with with other peoples property just because you think you know whats best for them. feel free to voice your opinion but keep your hands off. thank you very much. i don't think that's an unreasonable request.
That's not enough to forestall all types of attacks. Ping flooding, which doesn't require a connection, for example.
"If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine
It's quite an old news, please go to The Motives and Psychology of Black-hats in RootPrompt for detail.
Reading the IRC logs in the article you will find that there's one Pakistani hacker D1ck got caught in the honeypot, I suspected 'a group of suspected Pakistani hackers' is an overstatement, because the rest of the hackers are americans, say j4n3.
D1ck did say his main target was indian's website, but he did also initiate DDOS attack to some US websites, with the help of other US hackers.
In my point of view, it's more accurate to say "a group of US hackers and a pakistani hacker"
The ZDNet article does not mention how to build a honeypot, read Build a Honeypot for a hint.
Who do you think made the tools that the script kiddies use? Obviously, not stupid people ... at least people smart enough to know that if made readily available, the software could and would be used maliciously.
I meant that you could run several honeypots on a single machine. It would look like a fully network of boxes. You could "rebuild" a rooted system by making a backup of a single file (the loop'ed fs) and restoring it. You could refresh a system in 30 seconds.
Wouldn't it be embarrassing to break into one of those? It's like breaking into a police station WHILE EVERYONE IS THERE! hehe
I've always been for putting a spare computer/box/whatever for use as honeypot. Not only can you learn a little (after weeding out script kiddie traffic) about what tactics are most widespread but you can also learn VERY valuable information from mistakes you leave (intentionally or unintentionally) on the honeypot before it gets to the network you are trying to protect. I know a lot of people consider these just stomping grounds for computer crime but I feel that while that could be and is partially true the potential benefit from having such things outweights the presumed negative effects.
.--bagel--.---------------.
| aim: | bagel is back |
| icq: | 158450 |
( o ) one could say I'm rather baked
that's what I get for typing faster than I think...
Hi! This is the Sig, blatantly attached to the end of this comment.
--
--
You are a fucking moron.
I've done something similar in a very minor sense. When I was a big MUD admin, I'd startup a mud with the general codebase, and invite a buncha hackers into it to crash it and exploit any bug or cheat. Logged everyone, plugged all the holes, and it still runs without a player caused crash since the public opening.
But always remember that you can never be 100% secure, because crackers will always find another hole, no matter how tight the security.
--
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Was there any outcome to that entire thing? I believe you are referring to the "crack this box" site that microsoft put up with a near final version of Windows 2000.
To summarize -- my point is about black hat hackers versus white hat hackers, and the fact that I don't recognize the distinction. That point is independent of any honey pot issues.
Oh. Then ignorance is the source of our problem, as I suspected.
You see, there is in fact an entity known in security circles as the "white hat". The "white hat" is the security expert that is on your side -- the white hat is the one who will, once a security hole is discovered, will tell you about it, or hack the code themselves to fix it. As opposed to the black hat who tries to break in to whatever he can, take whatever he can, and not tell anyone so he can do it again.
A true white hat wouldn't try to break into your honey pot unless he knew it was a honey pot, and he knew it was OK for him to try (either by being told, asking, or seeing a public announcment). If he succeded, he'd make sure you knew exactly what he did. The white hat wouldn't try to break into your main system at all, unless you contracted him to. In short, he wouldn't do things that piss you off.
So there is a big difference in action, not just motivation.
The original poster didn't make this distinction clear. In answer to his question, someone who breaks in and 'fixes things' without permission isn't a white hat. But it is there.
Obviously it's bad when it gets broken into, because that indicates you have a security problem.
Heh. Right. And since there are no elephants around, that means my elephant repellent works perfectly, right?
Actually, it's good when your honey pot gets broken into, and your main machines don't. You've realized there is a hole, and because the honey pot is not connected to anything important, the break-in didn't cost you anything, and you can fix the vulnerability before you lose 10,000 of your customers' credit cards.
The assumption is that you have security holes you don't know about, and letting the "black hats" tell you about them by exploiting them in a safe way is the point.
A honey pot that doesn't get cracked proves very little, and shouldn't make you feel much safer.
The enemies of Democracy are
There is also the fustration of the sys admin saying "This is not a secure way of doing this" and someone higher up saying "Yes, but your proposed way is more difficult. Lets do it the easy way."
Boss:
"Gee...lets just let anyone telnet into the system from anywhere because if we require ssh, then what if they don't have access?"
Admin:
Well, anyone can sniff across that wire and capture the passwords.
Boss:
"Well, then put ssh on the machine, but also leave telnet open. That should help."
Admin:
Okay...by the way - can I put you down as a reference?
This white hat cracker discussion reminds me of a sting the police conducted here a few Christmases ago. They put a new television in the back seat of a car and parked it unlocked in a shopping center lot. They were unsuccessful because passersby kept noticing the situation and would lock the car door. People will attempt to do good deeds, even if, as in your case and theirs, it's unwanted.
"If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine
You're the F***ing troll, you imposter.
I gave up Catholicism for Lent
What is this computer used for?
Then try to answer that question. People don't attach computers to the internet for no reason. What services is it running? If it's an ftp server, what files are available? Is it a webserver? Look at the webpage. If ftp services are being provided but the ftp directory is empty or the webpage has is the default one install with the OS, then something is up.
Check for user activity. Are there any users? Goto ~/.netscape (if the machine is unix). What are the timestamps on the files. Does the user have any email. By looking at the appropriate files (depending on OS) you can tell when it was installed. Has anything changed since then? Do a find on files changed over the last seven days. If there is no user activity, something is definitly wrong!!
Check for changes made to configuration files. Check the files that a sysadmin would most likely change. If you can't find any changes (other than LOTS of logging - another Red Flag!), check to see if the system looks like a default install (if you are into this, you should know what default installs look like/the common security holes the vendor leaves open/etc.). If it is a default install and the install is older than a week, congratulations, you've found a Honey Pot.
One last check before getting the hell out of dodge, sniff the network. Who else is one it? Honey Pots tend to be isolated. If the only activity you see is yourself (unless you are connected at midnight, but then you deserve to get caught) or the only other traffic is logging activity (from the one you are on to somewhere else), You've been had!! Just for shits and grins, ping the subnet you are on. People and companies don't waste network equipment as it is fairly expensive. If the machine you are on is the only one on that subnet....
do a quick `rm -rf /` and never go back.
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
From what I've seen, the ``dotcom shakeout'' had little to do with the competency of the people working in the server room, and everything to do with the flawed business practices of the suits out in the front office.
If you don't have a valid plan for making profits, it doesn't matter how much you're paying your system administrators, or how clueless they are.
I have not locked the doors to my Jeep once in three years, and nobody has ever locked it for me.
Later they'll go back to irc and brag to their friends, especially about any social engineering hacks. That's how they "get the chicks" (uhhh, right)
Frankly, in this day and age social engineering takes more ingenuity and originality than any insipid root kit or named exploit (imho, of course). Firewalls, honeypots, and NIDSes can't compete against a single gullible sysadmin and a phone.
---
---
You are not what you own -- Fugazi, "Merchandise"
Remember the lesson that Winnie the Pooh taught us. If you try to disguise yourself as a little black rain cloud you can still get stung by the bees.
Let me get this straight... you dump a box onto some internal network; and then when an IS staffer says to him/herself "What the frick is that thing? It wasn't there yesterday..." and tries to figure out what your admittedly suspicious looking box is doing on the network they're responsible for...
Then you fire them?
You really shouldn't have to. Any decent IS staffer subjected to this kind of treatment should give you exactly what you deserve - a rude gesture - and walk out.
"Great men are not always wise: neither do the aged understand judgement." Job 32:9
I think you have to be invited to be considered a "White Hat" -- if you do nice things without an invitation, that makes you a "Gray Hat", and if you do bad things that makes you a "Black Hat". -Alec
Apparently you aren't exactly clued in as to what a "honey pot" is. It's a machine put on the 'net for the express purpose of (bold and itallics, so maybe it sinks in) letting it be cracked. If you don't want anyone on your system, obviously you wouldn't be running a honey pot.
Also, for your continued enlightenment, in security parlance the "white hats" are the guys on your side -- they are trying to help you, by discovering exploits, going over code, etc and reporting what they find, so people's security can be increased. They aren't attempting cracks on unsuspecting people's boxes. But a honey pot (see above) would be fair game, no?
The enemies of Democracy are
Also, suppose you had a white hat cracker. Would anyone running a honey pot care if the cracker broke in and plugged all the holes to prevent the kiddies from doing some real damage?
There's no such thing as a "white hat cracker". Quite frankly, I don't care if you find a vulnerability in my system. STAY THE HELL OUT OF MY SYSTEM. Send me an e-mail, fine, thank you. But I don't need roving bands of do-gooders changing my system (and more than likely screwing it up in the process).
Put it this way: If I happen to leave the windows open in my house, I do not want strangers "for my own good" climbing in the window, poking around, checking the locks, and then "fixing" anything they find. I'm going to throw their butt in jail just like any other criminal.
--
Sometimes it's best to just let stupid people be stupid.
I have this great idea for a honeypot, although it might seem a little futuristic.
Picture this: we create a series of directories that contain apparently classified military information. We'll call it something obscure, some sort of acronymn, like SDINet, for example . . . I bet that would keep a dedicated hacker occupied for hours, especially if you mixed in some binary files so they had to check each one before trying to view it on the server.
I know it seems bizzare, but I think it actually might work! And the best part is I don't think anyone has ever come up with anything like this before!
Let me know if you think it would work?
--
Rob Carlson
Just set up your router to allow incoming connections but not outgoing. Then if they get in they don't go anywhere.
Recourse Technologies
/*shameless plug*/
Commercial honeypots like these prolly are a bit more sticky than handcrafted ones.
Honestly though it's much better to know where people are and what they are doing, than wondering where they are and what they are doing.
Are we getting spammed? Or would this be like a DoS, DoI (Denial of Information/Intelligence)? Much better than a DuI.
I think it's a coordinated press assault. They are forcing news on us no matter how many times they have to say it.
Long live the Conspiracy Theories!
This message was brought to you by the letter B.
If I leave my garden hose outside, and then somebody strangles somebody with it, am I liable?
:)
My point is -- we know guns are made to shoot things, computers are *not* made to attack other systems. "Computers don't attack people, people attack people."
Never underestimate the bandwidth of a 747 filled with CD-ROMs.
RealityMaster101 claims, "There's no such thing as a 'white hat cracker.'" However I beleive I was such a creature (I am now, mostly retired) Back in the days of BBSes I used to send electronic mail to varrious sysops stating my intent to attempt to compromise their BBS, I said that if I do I would tell them how I did it, possibly suggust a fix, and not tell anyone else. I would then await a responce, usualy I got a go-ahead. I would then crack the system, or try to, then send in my results to the sysop.
So, RealityMaster101, I ask, do you consider my actions "White Hat Cracker" actions or "Black Hat?" Or something completly different?
BTW I realize that what I did is not what most people who claim the title "White Hat Cracker" do, and I do not mean to imply that they do or do not deserve their claimed title.
Little Brother, watching the watchers
Those are just the dumbass ones. Like someone who robs a bank and buys drinks for everyone at the local bar the next night, bragging about their big score. Those are probably the ones to be the least concerned about. They are at the low end with the ones you never hear from at the top.
"When it rains, it pours." --Morton's Salt
A true white hat wouldn't try to break into your honey pot unless he knew it was a honey pot, and he knew it was OK for him to try (either by being told, asking, or seeing a public announcment).
That's certainly one definition, but sorry to say, not the only one. As the original poster pointed out, there is another class of hacker that attempts to exploit security holes (often without permission), but doesn't do any damage and reports the exploit. I'm reminded of that Intel guy who got into a lot of trouble. He was clearly not a black hat, but he broke security without permission but was widely regarded as a "white hat" (I'll leave whether the action of justified or not to another discussion).
Actually, it's good when your honey pot gets broken into, and your main machines don't.
You're confusing the issue. There are three possible security states:
1. No breaks in security
2. Break in security, but they hit the honey pot
3. Break in security, and they hit the main system.
Clearly these are in order of our preference. It's better to have the honey pot hit than the main system, but best of all is not have any security breeches at all.
A honey pot that doesn't get cracked proves very little, and shouldn't make you feel much safer.
That's absurd! Do I feel less safe when my canary continues to live in the coal mine, because there might be bad air pockets that I don't know about? Should I feel better when the canary dies because "now I know where a bad air pocket is"?
By your logic, I should feel ultra-safe when my honey pot is cracked once a day! And even safer when it's cracked once an hour!
I think if my honey pot went a year without being cracked (despite numerous attempt), it would say something. This is like saying that it's good when your software is ultra-buggy, because that helps you track down more bugs.
I can just imagine you talking to your boss: "Hey boss, good news and bad news: The good news is we were cracked 11 times last week." "WHAT?? What's the bad news???" "We haven't been cracked at all this week."
--
Sometimes it's best to just let stupid people be stupid.
The Recourse box I mentioned in the original post actually generates fake data on the system in an effort to make it look more usable. Part of its config is to input some executive names, and it does (beyond that) the random generation of a lot of other data -- you could never tell, since the data is input into the cage from the outside. The goal is to make the box look like a mailserver. When I first saw it, it wasn't very sophisticated, but I've heard that the spoofed content has grown more convincing. It probably still wouldn't stand incredible scrutiny.
Of course, there are entirely different rules for bastion-sacraficial-lamb-host honeypots and virtual-machine/chroot()-cage honeypots -- one is just meant to be hacked and postmortemed -- the other is much more of an audit tool, and preferably doesn't need reinstalling after a hack.
On the former, you can clean up your tracks easily; on the latter, well, most have several dead giveaways -- if people bother to check. (the pid of init, for example) But many don't -- especially the script kiddies that may mass-hack a whole corporate block (hopefully starting with that wide-open honeypot).
Which is why, while I distrust the government to an extent, I distrust corporations far more.
The enemies of Democracy are
The purpose of the criminal law is to punish crimes against the legal order, not to vindicate personal vendettas. The people you seem to want to punish are not roving bands of hooligans but more like door-to-door missionaries, who may be misguided but who certainly shouldn't be criminalized. They want to share their insight and help you, even if you can't see it that way.
Read the rest of this comment...
Possibly a lack of commas, more likely Taco failing to decide between 'say' or 'pretend'. Particularly in light of the fact that he typo'd on 0wn3d too.
More evidence of the downward spiral of editorial quality here.
Hmmm
perl -e 'fork||print for split//,"hahahaha"'
If the honeypot is intentionally more vulnerable than the real server, then you are just demonstrating known exploits.
If the honeypot is *more* secure than the real server, why did you waste time securing the honeypot that could have been spent securing the real server?
Finally, if the honeypot is equal in security to the real server, you are cutting the odds of a real server being hacked to:
reals/(honeypots+reals)
In most large organizations honeypots will be a very small number compared to reals. In small organizations you could make a difference, but how many small orgs can afford an extra server or two?
The idea that you can learn about the attacker while watching him closely is intriguing, but while you're watching the honeypot, who's watching the reals?
My gut tells me that money would be better spent helping NetBSD and others with code audits. Of course IANASecurity Expert, so what do I know...
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
There are two types of honeypots -- the passive kind and the reactive kind. The former merely sits there and alerts you when someone enters your system. The latter actually responds to the attack by reconfiguring your system to deny access to the intruder. The latter is a far better implementation.
The way reactive honey pots work is to tell the firewall to block access from the intruder's address, temporarily or even permanently. Linux really shines here, since the firewall code in the kernel is particularly well suited to this sort of solution, though you can accomplish the same effect with most any operating system. And for those who are even more adventuresome, reactive honey pots can be configured to flood the intruder's IP, denying access not only to your own machine but to all potential victims.
Passive honeypots are good as an information-gathering tool for measuring your visibility on the net and the current state of script-kiddy activity, but reactive honeypots are definitely the way to go. They're the proactive solution to a chronic problem.
Read the rest of this comment...
If Mitnick prooved anything, it was that social engineering will always be a greater threat than the script kiddie thing. Attacks from 'within' are more dangerous, and often harder to detect than outside attacks. I still believe the best measure of your systems' vulnerability is the inside-facing attitude your team and co-workers have towards your security methodologies.
Also, because the internet is as subject to fads and trends as any other social medium, I think you'll find 'script kiddy-ing' become less and less 'cool' over the days. There is always a renaissance towards the more hand-made, home-grown ways of doing something; in the case of hacking, this narrows the list of possible offenders considerably due to the increased need for talent and knowledge in such hacking styles.
http://www.mp3.com/subatomicacorn
"Old man yells at systemd"
He was clearly not a black hat, but he broke security without permission but was widely regarded as a "white hat" (I'll leave whether the action of justified or not to another discussion).
That's where the term "grey hat" came from -- the need for a middle ground. Usually grey hats are the guys that aren't on your side, but aren't actively trying to steal your data for malicious purposes.
You're confusing the issue. There are three possible security states:
1. No breaks in security
2. Break in security, but they hit the honey pot
3. Break in security, and they hit the main system.
Clearly these are in order of our preference.
Only if your honey-pot stays unhacked for a year, while under constant barage, and you never change the software (including for bug-fixes), then yeah, you can draw a good conclusion. Even then, you have to distinguish between a barrage of script-kiddies using old tools and a creative cracker (who might not even take the bait of your honey pot).
Do I feel less safe when my canary continues to live in the coal mine, because there might be bad air pockets that I don't know about?
There's a reason for that: The cave/canary system is very simple. If there is gas, the canary dies. If the canary is alive there is no gas.
Software, however, is extremely complex. If your system doesn't get cracked, that doesn't mean there are no exploits. I think that this should be obvious to anyone that ever has looked at BugTraq -- look at all the exploits, and then ask yourself if your machine has been cracked with each and every one of them that might have applied. New exploits show up on BugTraq for software more than 1 second old, which means people were running that software, with that exploit, but were unaware.
The thing is, in the security industry admins take the very safe assumption that there is an exploit they don't know about. That's why they log everything, in the hopes that if someone finds that exploit before they do, hopefully they can figure out what the bastard did and who he was.
This is why #2 is the most desireable -- you found out about the exploit, but before it did you any harm.
There is actually a #4 -- finding about the exploit from a "white-hat" source like BugTraq. This is the most desireable, since it didn't involve putting any of your machines at risk. What you put as #1 is actually the 3rd most desireable option (though still well above having an important machine cracked)
Should this happen constantly? No, but you can't run your server for a day, week, or month with no (detected) cracks and call it secure. Check BugTraq -- if something appears there for software you run or have ran, and realize that your system not getting cracked was luck, not security.
The enemies of Democracy are
Apparently you are not clued in to a concept called "context". I was responding to the poster's point (and his implied "roving band of do-gooder white hat 'crackers'"), not the overall "honey pot" article.
--
Sometimes it's best to just let stupid people be stupid.
I'm glad I'm not at a public library---HoneyPot woulda surely sparked their filters.
-k
Lesson - Dont use ftp.
anonymous file transfers? - use apache
authenticated file transfers - use ssh+(scp/sftp)
I mean, how the hell do you firewall a passive
ftp server? or active for clients? add nat and things get screwed. Yes everething is possible, but why do it the hard and unsecure way?
Yes, lusers love ftp, but life is hard.
signatures pending - ansa@kos.to - (dont mail there)
The catch in your argument is that hackers usually don't just look through open windows or press buttons but rather have to go to real length to get into the system - this is more like breaking thru a wall with a bulldozer or breaking the glass over the fire alarm (gee these fire alarms are soo tempting.).
I read that, with some kind of trojans( like M$ Windows :-P ), you can chat with the owner of the machine. It is a good question whether a machine that is already compromised by a trojan shouldn't be considered fair prey or a public meeting place - simple because the software on the machine doesn't act much different than napster, gnutella or icq. I don't argue that installing the trojan without the owners consent in the first place is illegal.
To put it another way, hell, what if Cmdr. Taco suffered of amnesia and suddenly accused us all of hacking his webserver over port 80, abusing it and clogging its drive ?
I'm still trying to figure out what people mean by 'social skills' here.
'You clearly don't understand the culture' -- oh my. *YOU* don't understand the culture at all, and no mistake. How can you possibly be so *naive*? The analogy with the 'missionary' that goes around your house and climbs in your window is a very accurate one. *That's* the kind of people we are talking about here. You say you are ready to trust the guy you find inside your house because he says he is a 'white hat'? Come *on*, you won't survive a month out there.
TA (I've monitored some of these people since 1988)
Look, a black hat isn't a script kidde in IRC advertising how many boxes he's (I'm sure the women out there will forgive me for not using a gender-neutral pronoun in this case) owned. Not the guy who wrote the script-kiddie tools and bragged about those either.
A black hat is a cracker with malicious intent. While this may mean kiddies, it also includes the people trying to grab a couple thousand credit cards so they can go on a shopping spree. It includes the cracker performing industrial espionage, so their employer can get a competitive advantage. It includes whoever would want your data, and sure as hell isn't going to brag about getting it on IRC.
Script kiddies are annoying, but what makes them annoying is also what makes them the least of your concerns.
The enemies of Democracy are
But you must realize something here. Unless its an extreme case, nothing moniterily is taken or damaged, and no physical good is stolen. I am not defending data theft, just saying there is a difference if someone lifts my pRon and resume as compared to someone ripping out my harddrive or taking my whole computer.
Oh, then why did the line you quoted include the line "honey pot"?
As to missing the </b> tag, my excuse is sleep deprivation. What is your excuse for missing the word you yourself quoted?
The enemies of Democracy are
A large hosting company I have worked with use honeypots to divert crackers away from production machines. They name them enticing names like "finance.xyz.com" and "credit.xyz.com" to attract crackers. They run pretty much out-the-box (unpatched) installs of *BSD, Solaris, etc and just sit back and watch.
Hi! This is the Sig, blatantly attached to the end of this comment.
I'd be scared to see what Winnie the Pooh would look like if it was e. e. milne... :-)
...actually, I tried to post what it would look like in e. e. cummings style, but CowboyNeal's lameness filter prevented me! Now *that's* funny...
how incredibly funny it is to see the dotcoms eat it!
They failed because they thought that nerf, ping-pong and sandals were the end of the rainbow. Remember when nerds had no taste, AND they were smart.
Last time this site was slashdotted, I read through all their whitepapers and came away with the impression that they *do* turn people over to the appropriate authorities if they feel doing so is justified.
I'm guessing that rfp said it best...
Yes, it's likely entrapment. No, no one's really sure whether it'll hold up in court. No, you don't know what you're hoping to accomplish. Yes, it's a really bad idea. Worry about getting your IDS and firewall rules up to date and your security policies and tripwires strictly monitored before you bother with nonsense like a honeypot.
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
;-)
Capt. Ron
crazy dynamite monkey
So, assuming script kiddies are such a big problem, what are the ethics of writing these scripts? Does that serve any purpose, other than weakening security?
Just wondering what people think about this...
Recourse's first product was a honeypot. They have a remarkable technical team, which, commercially, makes them the one to watch in this space.
/proc fs within the cage). Other tipoffs include memory locations, pids for processes like init, etc.
Honeypots are some of the fluffiest of security products, imo, far less useful that firewalls, integrity verification software, etc. But having a cage environment to examine the activities and practices of a cracker can be useful in determining how to post-mortem a bad situation, as well as help gather evidence to get law enforcement involved.
Honeypots that want to provide maximum auditing and usefulness tend to try to run a virtual machine -- either by virtue of chroot'd cages, or virtual machines. The problem is keeping a sophisticated attacker in the cage. As was pointed out on Bugtraq, it is fairly easy, owing to kernel behavior, to detect that one is in a cage. You can send kill signals to pids that aren't in your visible process list, and the kernel responses will tip you off that you are only being shown part of the process table (the Recourse product simulates a live
Nonetheless, my real-world experience tells me that your greatest risk is an attack from the script kiddies, with the fresh d/l from bugtraq or the like, or even unreleased exploits, not sophisticated crackers seeking entry into specific boxes. In this case, the honeypot can be very valuable -- first as an easily-cleaned distraction (a good honeypot LOOKS like it is a machine at work, but isn't) -- then as a trace of activities, so you can prevent further incidents. Properly placed, it can help lure in attacks first, providing a warning that can be responded to before other real product boxes get compromised.
It has been pointed out, and bears repeating, that the right place for a honeypot is on a DMZ, where it does not have priveleged access to protected hosts. People have put honeypots behind firewalls in protected nets, and then had them be used as jump-off points for much more serious compromises.
If someone gets caught hacking even in his own network (other than for research purposes, which he should do on a machine dedicated to that purpose), he deserves to get fired. If there is a problem, you can always walk up to the box and ask for access. (If you don't already have access!)
There simply is NO reason for hacking boxes in your network!!!
Cheers, Ulli
Simple things should be simple, complex things should be possible.
Damn right - Bang! Gone.
Mis-clicks are fine, we all do them. Even rattling the door-knob is kewl. But the minute you try to break in you're outta there. I run big networks, stuff comes & goes all of the time and a certain degree of interest is expected (& welcomed.)
This does not extend to trying to trying to break into boxes that aren't yours.
I don't care if it's called "Hax0rs l00t" once you've determined the front door is closed then pass it onto the right folks & move on. Raise the alarm, stick your head into the Net Security Admin's office, ask them for follow-ups, bring it up at a Change Control meeting, whatever but breaking into something that isn't yours & you haven't the authority to access is grounds for (immediate) termination.
No apologies, no excuses.
Again, we have folks in charge of keeping the network organized, they should know about anything new or different on the network, ask or tell them. We have folks in charge of security, they should be notified about any concerns you have. Unless your job-description specifically includes it and you've got written permission from someone above you so empowered you do not go breaking into things - I don't care how justified you think you are or how suspicious (or innocuous) it looks. If you haven't the brains to do this then good riddance.
I've had boxes on my networks that did everything from SEC compliance monitoring to transferring billions of dollars of bonds daily to running high-power X-ray machines treating live humans in real-time. Your fucking around could harm any one of those - at that point not only would I fire your ass but I'd see that charges were pressed against you (in addition to those from next-of-kin of the person's whose radiation therapy you just screwed.)
I work in the real world where boxes are doing important things and no Lone Ranger can be expected to track everything themselves. We've got ways things are done & they're there precisely so things don't slip through the cracks, don't become security issues and some kid who can't keep his fingers out of things doesn't break something important.
To paraphrase (and reinterpret) your closing line:
Any decent IS staffer respects the environment they work in & works with their team. If they can't do that then they get what they deserve - a final paycheck & a walk to the door.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
Yeah, I know, I was shooting for maybe a (+1, Funny) on that post, but it looks like most people are missing the joke. It's basically exactly what Cliff Stoll did in his book back then. The link on "anyone" goes to his homepage.
Ah, you young Slashdotters disappoint me. Such quality reading material out there that you seem to have missed . . . :-)
--
Rob Carlson
However, this does not extend to trying to break into something.
If you suspect a problem go talk to the folks who would know about it, or tell security. Hell, my pager number is pasted on my office door flag me! DON'T go breaking into stuff blindly.
I've said this more thoroughly in another thread but yes, you're right, there is an acceptable level of "Huh? What're you doing here?" and then there's going beyond one's authority. If someone can't appreciate the difference between these two then they're judgement is so poor I don't want them no matter how tight the job market.
Marlo Thomas - Free To Be ... You And Me (1972 Television Cast) "There's some kinds of help that are the kind of help we can all do without."
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
Oh, then why did the line you quoted include the line "honey pot"?
OK, let's take this slowly. The original poster's comment that I quoted was:
The key concept that I pulled out is the implication that we shouldn't care if "white hat crackers" break into systems and "plug all the holes". Whether it's a honey pot system or not is irrelevent; the point is that he implies that we should look favorably upon people who break into systems with goodness and purity in their heart in order to fix them.
--
Sometimes it's best to just let stupid people be stupid.
It seemed funny and innocent enough at the time. I mean, a pot of honey is a good thing, right? And it sounds kind of humorous, right?
I wish to hell that I'd looked up the technical definition of "honeypot" before I registered honeypot.net. You wouldn't believe the amount of crap my firewall picks up. I can't count the number of Windows-specific trojans I get scanned for on a daily basis. Yeah, I try to report as many as possible, but it's pretty much a losing battle.
A hint to l33t skr1pt k1dd13z: if a box has "honeypot" in the name, then it's probably not really a honeypot. Just leave it alone, would ya?
Dewey, what part of this looks like authorities should be involved?
By the way...
As to missing the tag, my excuse is sleep deprivation.
I wasn't mocking the lack of the </b> tag, I was mocking your use of the bold tag to scream your point as if someone wouldn't be able to understand it otherwise.
--
Sometimes it's best to just let stupid people be stupid.
They stopped the project when people started hacking the upstreams ;).
Monkey sense
Been there too. Had a primary DNS server get rooted. Caught it with in about 10 min. (Luckly) Just as we were preparing to slash and burn with a fresh install on the infected system the secondary server's hard drive made a horrible screeching sound, fell over, and died. We were stuck with a rooted server as our only DNS server... That sucked!
While we were shoving a new hard drive into the secondary server the primary server popped up with "eth0 in promisious mode" on the console. Eeeech! We had to unplug the ethernet cable to the primary DNS server while we quicky reinstalled Linux on the secondary server... we were dead for about an hour.
~Sean
PS: we now have three DNS servers with chrooted name servers, LIDS, and firewall rules on the servers and on the outside firewall.
No, he was talking about the l33t hackorz that downloaded the source for windows... turns out that it was just a 3 gigabyte file that had the string "Bill Gatez rulez" over and over again.
-nite
I'm a good cook. I'm a fantastic eater. - Steven Brust
Remember the "Cuckoo's Egg" ! How did Clifford Stoll made to track back to the german spy that had entered several computers: he just created a big amount of false military documents and the cracker spend enough time for being localized.
And at the begining he was just trying to discover a difference of 75 cents between to accounting systems.
It was in the 80's, so honeypot are not a new idea.
Gee, wonder where they got their inspiration...
--
A feeling of having made the same mistake before: Deja Foobar
You think you're joking...
why are you coward enough that you can't post as yourself? and most importantly....why are you being so MEAN?? I can't help it if I'm over weight. I'm disabled. You're supposed to have sympathy for me.
I gave up Catholicism for Lent
Then it is heavly loged not to procecute people but to find out how they are trying and make sure their real servers can't be cracked in this way.
How is this any more valuable then just paying close attention to your productive boxen (like any sysadmin would)?
I believe it would have a 10 fold effect if script kiddies were taken to court and cained. I think we should have these honey pots sitting out ready to be owned. Once owned they should figure out were these people are and prosecute them to the full extent of the law... if we fined/jailed a few kiddies it wouldn't take long beofre the whole comunity started to respect other people property... remember - people are not born with an instinct of respect. It is only through cost beneift analysis that respect is given, example... if there was a 10% chance of me being caught, and a mandatory $5,000.00 fine for hacking, then god knows someone with a brain wouldn't be doing it.
just my $00.02
----------
No army can withstand the strength of an idea whose time has come.
----------
No army can withstand the strength of an idea whose time has come.
- Victor Hugo
Generally we give them names of interest to tech-types but nothing the general user community, sometimes just make 'em look like standard workstations, occasionally we called them things like "payroll" or other tempting titles. We then track all traffic to & from these boxes identifying the source & their intentions. Generally we'd get a few mistake-hits or just-clicking-around ones a week but often enough we'd find someone with some intent trying to get onto them.
Generally it was a semi-knowledgeable employee just poking around & seeing what they could get into. We'd usually then track their other activities closely in order to make sure they hadn't gotten into anyplace they ought not have. After we'd assured ourselves they weren't nefarious we'd usually call them in, put a scare to them with the records of their exploits & warn them to cut it out or loose their job. Occasionally where they were using tools or other more-then-casual attempts we'd just fire them on the spot.
A few times it was IS staffers. Then we'd follow the same drill, try to determine what they were doing & why, then when called in if they couldn't give a good accounting of themselves cut them loose, again on the spot. Actually we'd usually delay them with paperwork & other excuses while we ran a complete lock-out and performed fast reviews of any systems they could have compromised. In one case where the fellow wanted to storm out a fast-thinking HR staffer got someone to 'accidentally' block their car & wait a half hour while we found the 'bad-parker'.
IS folks with that poor judgement and too easy access were just asking for future trouble & they aren't worth it. Of the few that I've fired this way over the years at least two later came to bad ends, including one who diddled with another companies accounting system.
Needless to say none of this was ever advertised within the company, particularly with IS. It was all on a strictly need-to-know basis & only done in-person, nothing emailed or electronically documented (wow - a reason for interoffice mail!) Oftentimes we'd hire a trusted outside firm to install the systems & track the activity (had one guy come in for years as a "special cleaner" specializing in electrical closets!)
Firewalls and elaborate outside security are great things but most serious damage comes from folks inside. Keeping a check with decoys and other measures is only prudent.
-- Michael
Then there's that contractor I discovered trying to crack my personal desktop box...
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
Right at the very end of the article is the most important point of general corporate security. Namely, that by far the biggest threats are from within, by employees or other authorized users. It's certainly more sensational to be cracked, but it's a lot more damaging to be scammed by somebody who knows exactly where you keep the crown jewels.
C'mon now .. its more the other way .. hacks that 'come from the outside', but are really someone you know and trust. Or someone who has gained valuable information from someone you know and trust. It's the same in all walks of life: abuse, murder .. why stop at hacking? I'm not saying that there is /no/ hacking from cold-callers .. I'm just saying that the number pales in comparison to those you'd least suspect.
....
People who wish to steal or break in usually do so only because they know what the value of what's inside
http://www.mp3.com/subatomicacorn
"Old man yells at systemd"
How about: read my first book, The Cuckoo's Egg. Better yet, read my article in the May 1988 issue of the Communications of the ACM, "Stalking the Wily Hacker"
Cheers to all,
-Cliff (still keeping a low profile)
Maybe it was one of those new cars where the lights go on and off automatically? =)
Micro$oft did this months ago!
I've done this yupe of thing before. The only difference was that it was on a live box. It was fun to watch the cracker work there through the hoops to elevate their access. Of course I shut the hole before it was enlarged grossly, but it was one of the most educational security classes I've been through.
Yep, I never spell check.
More incorrect spellings can be found he
The article doesn't seem to mention prosecution. Do the people running the honey pots just sit back and watch what the script kiddies are doing, plug the holes, and forget about it? Or are they filing in court? Also, suppose you had a white hat cracker. Would anyone running a honey pot care if the cracker broke in and plugged all the holes to prevent the kiddies from doing some real damage?
Whether it's a honey pot system or not is irrelevent
Maybe to you, but I don't think that was the original poster's intent. That's why he said "honey pot", not something else. As I said, what you quoted contradicts your claim that he wasn't talking about honey pots.
He was asking if you would prosecute someone who broke into your honey pot (a ridiculous question if you take out the word honey pot, eh?), and if you would be pissed if someone plugged up the holes in said honeypot.
Why you decided this meant systems in general is beyond me. Which is why I put that in bold, since you seemed to have missed some key info.
And lastly, asking "would you care if..." is not the same as "you shouldn't care if...", and the latter wasn't what the poster said either.
The enemies of Democracy are
Sounds like you were a very generous unpaid security consultant to me.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
Yeah, guns don't kill people, bullets do.
~Sean
When Nostradamus refers to the millenium, he's talking about the thousandth year.
When we count together and get to one hundred, do me a favor; recognize that one hundred is not 101, okay?
SDMI: Finally! Music that won't rip or burn! Brought to you by the fine folks at RIAA.
Yah - I know exactly what you mean. I was rooted through my anonymous FTP server - RedHat 6.2 default. It was interesting and absolutely terrifying to see what they were doing. Set my eth0 to "promiscuous" mode and were logging everything - including emails I sent my wife. Luckily I found out a few days later. They have been back, but the firewall was there to greet them :-) Everything looked like it had been run from a script... pretty elaborate. Stuff was hidden inside /usr/lib/kerneld ... a bogus directory I think. As far as I can tell they helped themselves to some MP3s and left. I know what you mean about feeling dumb, but its not like you shouldn't be able to run an anon FTP... I remember wuftp was broken in RedHat 5.? I guess I should have learnt this daemon sucks. Now it looks like OpenBSD even has an exploit in their ftp server.
I forgot to mention that getting prior approval is a necessity is an understatement. It is a CYA statement. Imagine how fast your job will go down the tubes when the Big Boss realizes that the major security breach that was highly publicized came from someone getting out of your toy honeypot. Not that they wouldn't try something if you got the approval anyhow, but it's usually best to lean towards the cautious side.
Yep, I never spell check.
More incorrect spellings can be found he
entrapment: The inducement, by law enforcement officers or their agents, of another person to commit a crime for the purposes of bringing charges for the commission of that artificially-provoked crime. This technique, because it involves abetting the commission of a crime, which is itself a crime, is severely curtailed under the constitutional law of many states.
An enforcement offical didn't pay the hacker to do it. No enforcement offical claimed that there was anything worthwhile to steal/hack/exploit inside of the honeypot. The person cracked the honeypot of their own violition. Its no worse than undercover police operating "stings" to catching those who deal in not so legal activities like prostitution and drug dealing.
Perhaps you should be educated as well. A honey pot is indeed as you claim a system meant to be cracked, but it is a trap. It is not advertised, in other words. You are thinking of the "crack this box" systems, which are different in that they are secure systems set up as a challenge for crackers. Honey pots are systems which are vulnerable by design so crackers will be attracted to them and indeed can be caught and prosecuted.
As for the white hats cracking honey pots, obviously they would have no idea of the purpose of the system unless they were able to get in further and surmise this on their own. If they were to plug the holes in the system, as suggested in prior posts, they would effectively be closing the doors to all your mousetraps and removing the cheese. Very helpful, indeed!
Maybe to you, but I don't think that was the original poster's intent. That's why he said "honey pot", not something else. As I said, what you quoted contradicts your claim that he wasn't talking about honey pots.
You insist on trying to tell me what my point is. I don't care whether his point was about honey pots or not, my point is that I'm taking issue with the whole question of whether a "white hat cracker" is good or not.
If it makes you happy, then feel free to limit my point to saying that yes, a white hat cracker breaking into a honey pot is just as bad as a black hat cracker breaking into one. But my point is broader than that.
--
Sometimes it's best to just let stupid people be stupid.
My gut tells me that money would be better spent helping NetBSD and others with code audits. Of course IANASecurity Expert, so what do I know...
Damn straight you're not a security expert. (And I think you meant OpenBSD). Nobody is a security "expert". Some of us are older, wiser, and bear a lot more scars than others, but *none* of us are experts.
Until you have had a system properly fucked over, you know *nothing* about security.
There are a surprising number of companies saying "We are InfoSec Experts" out there who leave there own internal systems open to flagrant abuse. Like leaving certain ports (137, 139 etc) open to the Internet, and then give the receptionist a domain account. How hard is *that* to crack? ("Hello, I'm from the auditors. What name do you type in to the computer in the morning? Good, that sound right. Now, just let me check. What do you type in the other box? Thankyou. That's the right answer!)
Back on topic: Honeypots are tremendously valuable if, and only if, they are well run.
In the ongoing battle between the infosec "good guys" (mostly sysadmins) and the infosec "bad guys" (mostly l33t k1dd13s, but with a peppering of serious, professional criminals) the good guys are at a crippling disadvantage. We have to get every single thing right all the time. The bad guys only need to find one single, trivial mistake, and then it's w00t! r00tkit!
These nasty little untalented, bored, socially malformed little twerps have all the cards; That wouldn't be so bad, but they freely give these cards to anyone. Nothing wrong with that. Except that some of the recipients (OK, a small number, but it only takes one) are working for serious, professional blow-your-brains-out-and-cover-you-in-concrete professionals.
Honeypots are one of the few tools that let us monitor, study and comprehend what's going on. (That, and assiduous reading of alt.2600 etc.)
We, the responsible victims of attacks, choose to monitor the attackers in any way we can. We do this because we want the Internet to be a useful place. And we are happy to forward information gained to law-enforcement types.
If script kiddies dont like this then, hey! Build your own sodding network. When you get 100 million people connected, I'll come and look.
Crackers won't be deterred by the possibility of entrapment. The good ones will be cautious, the script kiddies will be caught.
Chris Kuivenhoven is a thief, beware
In Australia, the Attorney-General recently determined (and did not announce) that evidence from honeypot machines can't be used in prosecuting offenders unless there's a wiretap order (warrant) for that system. The reasoning was that creating a system that is "intended to be broken into" is sort of like giving permission to the intruder and likely to jeopardise a case.
In my job I hear that "attacks from within" line a lot. My question for you is - how are you SURE that the attacker came from within? Valid User ID in log files? Attack from an "inside" IP? You can't trust either one. I'd say that most of the attacks that are labeled "inside" are actually attacks that came from a compromised user account and/or a hacked internal box ala what happened to M$. "There are very few real hackers in the entire world. You've never heard of them and you never will."
Just wait till some crappy band steals your nic.
Or VMWare.
__________________
If I find the good samaratian that's rolling up my Jeep's windows and locking the doors I'm going to be pissed. I don't have a key for the doors, that's why I keep 'em unlocked - and the windows are hard to see thru.... Leave my Jeep alone!
yeah, your an idiot. There is such a thing as white hat crackers, sorry. Since your analogy was poor, I'll provide a poor one as well. I walk past your car in a parking lot and notice that your lights are on, after looking around and calling a little bit, no one comes, since of course I don't know who to call because your name isn't written on the car. I reach in, shut the light off and lock the doors.
I don't think so; if you were running user mode conceiveably you'd be doing important tasks on the other modes (besides the honeypot) The danger would be that the rooted honeypot could be used to suck up cycles and bring the whole system to a halt. Not to mention the danger that the implementation wouldn't be perfect and that they could somehow access the other modes--shared resources could make this a possibility. It would be better to make a honeypot that shares a minumum of resources with other machines. I don't really like the whole concept--if script kiddies are able to root your honeypot, it is just as useful to launch a DoS or do whatever they do as is any other machine, and you could be held (slightly)responsible. Not to mention the fact that it will be pretty obvious that they've got a honey pot--it won't be doing anything! I can't imagine a hacker not doing a 'users' upon login, and figuring out something was up, especially with the recent publicity.
/* This post not warrantied for mission critical applications. */
How do you attract people to your honeypot system if it's configured just like your other systems, as the article said?
I've read of configurations with all traffic to unsupported ports redirected to a honeypot system: "someone trying to telnet/ftp to my web server? I'll send you to my honeypot for observation instead."
But if you're running a standard, normally configured system as the article mentioned, this doesn't make sense anymore. How's this work?
>Particularly in light of the fact that he typo'd on 0wn3d too.
:)
Considering leet speak is both bad spelling an using numbers as letters... It's entirely appropreate to misspell "Own3d"
Own32d.... I get it... Owned to the power of 32 bits... a higher level of owned...
Tacos just out leeting the leet...
I don't actually exist.
From the people I know who do this, they never report it to authorities, but rather to CERT's and the like. The goal is to learn new cracker techniques and watch behavior once they break into the system. A lot of DDOS tools get found this way, because crackers will upload them to machines they have broken into. The goal is to then share this information with the security community, not just to bust a couple unsuspecting people.
The one interesting thing about this, is they took "production" machines without intentionally putting vulnerabilities on them. I think this is the way to do it, because it allows you to view the weaknesses of your servers...
> someone who breaks in and 'fixes things' without permission isn't a white hat
You're right. I was thinking a white hat with permission, as well as a gray hat without permission. I just forgot to make that clear.
"Oh, bother." -- Winnie the Cracker
I first came across this idea while reading "The Cuckoos's Egg" in junior high school. I'd like to say that I thought it was an excellent book, the entire story was very exciting to me. I enjoyed the cloak and dagger senario placed in the computer world.
...and I'm not sure we should trust this Kyle Sagan either.
Not much to really say, but that the books grabs you (or me at least) and is a quick read. Very enthralling, just watching the cat and mouse game play out between the cracker and the other guy.
This is a perfect application for user-mode-linux. You can setup and run any number of complete virtual linux systems on a single box without compromising the integrity of the host system.
Anyone who actually makes changes (good or bad) after breaking in isnt a white hat. That is definitely black hat country.
There is no such thing as luck. Luck is nothing but an absence of bad luck.
I would just like to say to the "script kiddies" of the world--YOU SUCK. God, it took me 4 hours to fix my damn system. Using pitiful log cleaners and then leaving a paper trail as long as the Nile, my old FTP server was exploited. It was sad. I caught them within 4 hours of being rooted. I quickly patched the hole(sometimes I wonder if I am an idiot) and quickly started on a firewall project, which I finished later that night. For all the other people that have been rooted, I feel for you. And my advice to sys admins, watch your systems, little things like load averages can point to a break in.
___________
I don't care what it looks like, it WORKS doesn't it!?!
If my honeypot is hacked into and then it is used to launch an attack against another system, am I liable for intentionally leaving an unsecured server on the internet?
Is this similar to leaving a gun rack unlocked, then somebody takes one of the guns and commits a crime with it?
To me that doesn't sound logical. If I leave my car doors unlocked, am I giving implicit permission for someone to enter it? Maybe if I leave the door open, flapping in the breeze, maybe then I can see the implicit permission.
How about the policewoman (or man I suppose) masquerading as a whore. Doesn't that look like an invitation?
Don't mis-understand, I'm not arguing with you--unless you happen to be this Attorney-General. Just listing some of my thoughts on this.
You insist on trying to tell me what my point is.
Not at all. You must not get my point.
You said you don't want anyone cracking your box, and this was abundantly clear. However it was also abundantly clear that the original poster was talking about honey pots, not machines in general. So your response made no sense -- I figured you must have missed a word or two. I guess not.
I don't care whether his point was about honey pots or not
But then why were you going on about "context" and "the key point I extraced"? Apparently the poster's context didn't mean anything to you.
So you don't want people breaking into your box for any reason-- well no shit. As I already pointed out, you are not the kind of person who'd be running a honey pot, so what purpose did your post serve?
white hat cracker breaking into a honey pot is just as bad as a black hat cracker breaking into one.
A honey pot is a machine that is intended to be broken into -- thus a black hat cracker breaking into one isn't bad at all, so long as you can log what he does and analyze it. That you feel it would be bad means you wouldn't be running a honey pot. This is why I responded in the first place -- it seemed you must not know what a honey pot is.
But my point is broader than that.
Who cares? You're "broader point" is that you don't want white hats breaking into your box. But since you wouldn't be running a honey pot anyway, your "point" can only apply to the very machines about which the poster was specifically not asking about. So much for "context".
So instead of thinking you missed information (sorry about that), I'm instead thinking "why the hell did he reply to a post with the exact opposite of what the post asked about?"
The enemies of Democracy are
Well, of course it's not rocket science. The best detective work never is. You don't use a technical solution to solve what is not really a technical problem. If you try to use just technical solutions, you end up in nothing more than an "arms race."
It's sort of like piracy. The solution to piracy has nothing to do with the method you use; the real solution comes down to a simple formula: If the money it costs to break a software's copy protection scheme is greater than the cost of simply buying more copies of the software, then the copy protection is effective. The "thrill of the chase" is a lot less rewarding if the victory is pyrrhic. It has nothing to do with morals or technology -- it is pure business.
It's the same in this case. Of course it's not rocket science. It's war. The solution is not a scientific one, it is a law enforcement or warrior's problem. Stated similary to the above...the risk in breaking into a system lies in getting caught. If the punishment mitigated by the likelihood of getting caught exceeds the rewards of breaking in for most people, you win. It has nothing to do with being truly impervious, or having the best "technical" solution.
It bothers me when people look snidely at good ideas because they aren't "rocket science," or worse, don't fit the pet paradigm of some self-appointed "expert." Simple ideas are often the best ones, and you use the paradigm that fits the problem. Suggesting a purely technical methodology to prevent hacking is akin to suggesting the use of modern medical techniques to debug code. The expertise doesn't fit the issue.
I sit with these folks on IRC a lot (they tend to invade the rooms where I discuss serious matters like gardening). They're upfront about who they are, because it's all part of their persona. They crave attention. If you don't already know who they are, then they'll come out and tell you to your face. Why would they hide behind anonymity? What would they have to hide? And what good would come of it? Anonymous hacking gets you even fewer babes than regular hacking.
If you're suffering from credit-card fraud, then you should call up the company and tell them you're angry. They don't want to lose a customer and will almost always handle it right over the phone. Consumer Reports is a good place to look for a local agency if they're unresponsive. I don't see your point.
Read the rest of this comment...
Yours was a very funny post. Bravo!
Its really interesting, because I used to be the type of person that would not neccessarily approve of such a trap in the name of protecting the curious individual who wanted to see what was out there. But the fact is, the people doing these things are becoming too big of a problem. And it seems that the whole purpose of snooping around has been sort of eliminated with the open source movement and Linux. Why snoop around when you can have your own *nix box with just about anything available at your fingertips, for free?
-winter fantom
Hi! This is the Sig, blatantly attached to the end of this comment.
And this, my comrades, is EXACTLY why the "dotcom shakeout" happened. When Job Admin can't keep a 10 year from breaking into his site using a script, which by the way takes advantage of a 3 month old exploit and the kid barely understands, how can one expect that site to make a profit.
Burn Hollywood Burn
I'd love to have a honeypot, and I'm sure it would be fun to play around with them.. but this reminds me about the true nature of many network adminstrators.
The reality is that most administrators know about most vulnerabilities, but a large number of them are too lazy or busy to fix them. A lot of them have the "nobody cares enough to hack me" mentality.. which isn't really effective since people scan blocks of IP addresses at a time.
Hopefully some adminstrators will get their acts together after reading about honeypots.
"War is hell" -- General Sherman Techumseh