Know Your Enemy: Honeynets
bewmIES writes "The guys over at the Honeynet project have released the latest chapter in their "Know Your Enemy" series describing how to implement a honeynet. This is great reading even if you don't have any plans to implement one and does a very good job explaining the elementary concepts behind it all, along with the implications." Extremely interesting reading here.
So spoof from their nameservers. Spoof from any host they generate a significant amount of traffic to. Spoof from their database server. Etc.
The fact is, it's unwise to implement a straight packet drop. Look below and you'll see that he actually is doing it cluefully, so the post is not valid in his particular instance, but valid in many others.
regards.
We are still getting restitution checks from the script kiddie we busted with our honeypot. Looks like the money will pay for the honeypot and our time invested in it, several times over.
Break in, patch it yourself? :-)
> their server/network/etc has security problems
> without opening yourself up for nasty things?
I don't think you can. I had a friend in high school who was suspended for the same reason. He pointed out a security flaw that someone (not him) later exploited.
My advice, unless you're being paid to audit someone's security, don't bother. It isn't worth it.
I think that Christopher Robin and his hackers (Pooh, Eeyore, Piglet, etc) would all be willing to get into this l33t deal!
Do the "white-hat" car jackers open up the car, get the registration, move it to a safe place, and then contact you about your easily defeatable car locks? :)
I don't think that accidentally creating a crappy network is the same thing as having a honeynet...
Now you won't. You don't know what you're talking about. Yes, you're going to drop all packets FROM THAT SOURCE IP ADDRESS ONLY. Unfortunately, there are a few billion other IP addresses on the Internet that your firewall will be happy to accept packets from.
Feel free to ipchain-away your own first hop out, and see if it affects your ability to load, say, www.yahoo.com. Of course it won't.
You're not really as much of an 3I33T4 H4X0R as you think you are. Leave this kind of stuff to the professionals, please.
---
A network designed to be hacked, sounds like Microsoft's corporate network to me.
You say you want a revolution....
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Host 211.205.178.64 has been blocked via dropped route using command: "/etc/portsentry/portsentry.bash 211.205.178.64 111"
The nice thing about portsentry is that you can have it issue a command in response to an attack. In this case instead of using the default portsentry settings, it executes a custom built script using the IP as an argument. If you trigger portsentry, you can still see port 80, and 443, but nothing else.
Try to hack my 31337 firewall!
I get hit with about 10-15 of these a day:
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Connect from host: 211.205.178.64/211.205.178.64 to TCP port: 111
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Host 211.205.178.64 has been blocked via dropped route using command: "/etc/portsentry/portsentry.bash 211.205.178.64 111"
I know what the port 111 exploit is, but I have never used it, yet I get many hits from this exploit a day on my servers. This is just one hit. I know how to stop it (portsentry/ipchains is a wonderful thing) and as you can see it is logged.
There are many more attacks coming in, this is just one example. Sure, I can read on how they are performed, but that only makes me book-smart. I need to be able to see in real-time (or playback) exactly what a black-hat is going to do with my systems.
Honeypots/nets also give crackers a chance to practice their skills -- which can then be used against real targets -- with little repercussion.
Perhaps you should read this. It shows you the "proper" way to setup a honeypot so that it cannot be used as a jump-point. I don't want to be just book-smart when it comes to my network. I want to know how they get in and what they do. Yes, I have secured my network (as best as you can that is) but that is not the point. Eventually *SOMEONE* is going to get in, somehow. I am going to be the one picking up the pieces when it happens. I would love to say that I am "good enough" that no one will crack my network, but I don't believe anyone is.
What I expect to learn from crackers hitting my honeypot is an overall "pattern". I expect to learn how to become a black hat, because it will make me a better white hat.
How much more can we really learn from the drooling 13-year-old script kiddies of the world?
Not all crackers fit that description I am guessing. Hopefully a honeypot will help me find this out for certain.
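The two portsentry posts above log the alert and then hand the source IP to a block script; the earlier objection in the thread is that a blind "drop the route" response can be turned against you by probes spoofed from your own nameservers or first hop. As an added example (not code from the original posts), this parses the quoted log format and refuses to block addresses on a never-block list; the resolver and gateway addresses are constructed.

```python
"""Triage portsentry 'attackalert' lines before handing an IP to a block script.

Added example, not from the original posts. Resolver, gateway and sample
scanner addresses below are constructed for the example.
"""
import ipaddress
import re
from collections import Counter

# Format of the lines quoted in the thread: syslog prefix, then the alert.
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) portsentry\[\d+\]: "
    r"attackalert: Connect from host: (?P<name>\S+)/(?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)
BLOCKED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) portsentry\[\d+\]: "
    r"attackalert: Host (?P<ip>\d+\.\d+\.\d+\.\d+) has been blocked via "
    r"(?P<method>.+?) using command: \"(?P<cmd>[^\"]*)\"$"
)

# Hosts the firewall must never drop, whatever portsentry reports: the
# resolvers, the default gateway, and the local networks. All constructed.
NEVER_BLOCK = [
    ipaddress.ip_network("192.0.2.1/32"),     # primary resolver
    ipaddress.ip_network("192.0.2.2/32"),     # secondary resolver
    ipaddress.ip_network("198.51.100.1/32"),  # first hop / default gateway
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]

def parse_line(line):
    """Return a dict for a connect or blocked alert, or None for other lines."""
    m = CONNECT_RE.match(line.strip())
    if m:
        d = m.groupdict()
        d["kind"] = "connect"
        d["port"] = int(d["port"])
        return d
    m = BLOCKED_RE.match(line.strip())
    if m:
        d = m.groupdict()
        d["kind"] = "blocked"
        return d
    return None

def is_safe_to_block(ip):
    """False for any address whose loss of reachability would hurt this host."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NEVER_BLOCK)

def triage(lines):
    """Count connect alerts per (ip, port) and decide per source IP.

    Returns (hits, decisions): hits maps (ip, port) -> count; decisions maps
    ip -> 'block' or 'protected'.
    """
    hits = Counter()
    decisions = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["kind"] != "connect":
            continue
        hits[(rec["ip"], rec["port"])] += 1
        decisions[rec["ip"]] = "block" if is_safe_to_block(rec["ip"]) else "protected"
    return hits, decisions

# Constructed sample: the thread's own port 111 scanner, plus a probe whose
# source address is our resolver. A naive block script would drop the
# resolver's route and break name resolution for the whole box.
SAMPLE_LOG = """\
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Connect from host: 211.205.178.64/211.205.178.64 to TCP port: 111
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Host 211.205.178.64 has been blocked via dropped route using command: "/etc/portsentry/portsentry.bash 211.205.178.64 111"
Apr 22 06:31:02 mayday portsentry[9235]: attackalert: Connect from host: 211.205.178.64/211.205.178.64 to TCP port: 111
Apr 22 07:02:45 mayday portsentry[9235]: attackalert: Connect from host: 192.0.2.1/192.0.2.1 to TCP port: 111
""".splitlines()

if __name__ == "__main__":
    hits, decisions = triage(SAMPLE_LOG)
    for (ip, port), n in sorted(hits.items()):
        print(f"{ip} -> port {port}: {n} hit(s), decision={decisions[ip]}")
```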
How is the honeynet system under more stress than the normal systems? Do you pay hackers to attack it in preference to your other systems? I don't see how that would work, since as soon as a hacker knows that this isn't a real box, they'll move on to more profitable and/or fun targets. If you incite hackers to attack it by making it an easy target, then you're not really testing what would happen to a real system, are you?
Your right to not believe: Americans United for Separation of Church and
Just out of curiosity, how was a Welsh teenager arrested in Wales by the U.S. FBI? As Deng Xiaoping would say, "What about the U.K.'s sovereignty?".
That is a good reason, thanks for the explanation. I'm still not sure that it's the best use of resources, but it does sound like it provides some useful information.
I just thought it was interesting that it was reported as an FBI arrest, not a British arrest with FBI participation. If this keeps up, Jon Johanson may have something to fear from U.S. law enforcement after all...
I've been hearing about these for a while, but to be honest I don't see how a honeynet will really help your network.
Maybe someone can explain the attraction to me, but it seems that although honeynets may observe a new attack technique every once in a while, on the whole they're not the most effective prevention method. The time would be better spent auditing the security level of your machines, improving your patch application time, analyzing log files from your production machines, etc.
That's exactly why honeypots suck. Network admins have too many other things to be doing/working on than setting up systems and trying to catch hackers/crackers. There's just not enough time.
BilldaCat
It seems to me that this whole idea seems rather like the legal doctrine of entrapment, and also by non-law-enforcement types. Scary.
The death of one man is a tragedy; the death of a million is a statistic --Joseph Stalin
It's a game of social engineering. You can tell the whole department so that everyone knows there. Now you aren't solely to blame. Tell the whole university and then you are to blame for being an accomplice. Usually it's safe to keep your mouth shut until someone in authority learns their lesson -- the results though may not be favoured.
---
-
ping -f 255.255.255.255 # if only
I answered this question in a previous article about Honeypots. Since the link to the individual post doesn't work, I'll repost it here:
I just want to add a few things:
One of the things the HoneyNet Project does and has hinted at in some of its documents is changing the location of the configuration file for syslogd. Unfortunately it doesn't seem to mention this in its new paper. But how do you check it?
# strings /usr/sbin/syslogd | grep "/etc/syslog.conf"
If you don't get a response, the configuration file is NOT /etc/syslog.conf. This is a DEFINITE indication that you are on a Honeypot.
# strings /usr/sbin/syslogd | grep "^/"
One of those files is being used as the configuration file. They've also done this with Bash's history file:
# strings /bin/bash | grep ".bash_history"
Nothing there, look at one of these responses:
# strings /bin/bash | grep "~"
And since this is a Honeypot, some of the commands used to hide your tracks may be modified or removed. There are more than a dozen ways to erase a hard drive without using `rm -rf /`, get to know some of them.... And as was pointed out in the results of their recent challenge, removing a file doesn't necessarily mean that it has been erased. *grin*
Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
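The post above shows how a relocated syslog config or history file shows up in the output of `strings`. Seen from the honeypot operator's side, the same scan is a pre-deployment check: diff the paths embedded in the modified binary against the stock build and you see exactly what the change gives away. This is an added example, not the poster's or the Honeynet Project's code; the two byte blobs are constructed stand-ins for real binaries.

```python
"""Diff the paths embedded in a stock binary against a modified build.

Added example, not from the original post. Reimplements the printable-run
scan of strings(1) so the check runs on any byte blob; STOCK_SYSLOGD and
HONEYPOT_SYSLOGD are constructed stand-ins, not real ELF files.
"""
import re

MIN_LEN = 4  # same default run length as strings(1)

def strings(data, min_len=MIN_LEN):
    """Return runs of printable ASCII of at least min_len bytes, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Absolute paths and home-relative ones (the bash history case in the post).
PATH_RE = re.compile(r"(?:~|/)[A-Za-z0-9_./-]+")

def embedded_paths(data):
    """Set of path-like strings referenced inside the binary."""
    found = set()
    for s in strings(data):
        found.update(PATH_RE.findall(s))
    return found

def fingerprint_diff(stock, modified):
    """Return (added, removed): paths a modified build reveals, and paths it hides.

    Both lists are tells: a missing /etc/syslog.conf is as telling as the
    new location that replaced it.
    """
    a, b = embedded_paths(stock), embedded_paths(modified)
    return sorted(b - a), sorted(a - b)

# Constructed: a 'stock' syslogd referencing /etc/syslog.conf, and a rebuild
# that reads its config from a hidden location instead.
STOCK_SYSLOGD = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 +
                 b"/etc/syslog.conf\x00/dev/log\x00/var/run/syslogd.pid\x00")
HONEYPOT_SYSLOGD = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 +
                    b"/usr/share/misc/.hp.conf\x00/dev/log\x00/var/run/syslogd.pid\x00")

if __name__ == "__main__":
    added, removed = fingerprint_diff(STOCK_SYSLOGD, HONEYPOT_SYSLOGD)
    print("paths only in modified build:", added)
    print("paths missing from modified build:", removed)
```

On a real host you would read the two binaries with `open(path, "rb").read()`; the ELF header bytes in the blobs are there only so the scan has something non-printable to skip.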
Last time I looked the slashdot submission bin was not everything2.. we don't need 3 different links to the story, what we do need is a single link to this "next chapter" you speak of. I don't see anything there that I haven't read before.
How we know is more important than what we know.
I'll take a meatnet over the honeynet anyday.
IANAV (vegetarian).
You did all that you could do in this case. It really is not your problem. If it is your problem, i.e. you work for the company or you are an admin but on a different project, etc., get the response in writing. Make sure that your warning is in writing too. That way, no one can blame you when some scanner out there smells a defective version of Bind and ends up owning your box.
Someone you trust is one of us.
Use anonymous email. It protects you and looks more like a threat. Just for good measure, send it to the SAs first, then to their non-techie PHBs if no action is taken.
--
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Second, if you really care about the data and the security of the network then you should volunteer to help patch it. You can't run to the professor's supervisor because you'll still end up looking like a whiner.
Third, stay anonymous when you notice someone else isn't doing their job correctly. It's the only way to nudge someone into action in regards to their job duties but not embarrass them or break any trust/respect you have with them.
I do agree with you, honeypots are a great resource for studying crackers and their techniques, but they are not a means to securing a network any more than giving druggies a "Drug Park" to shoot up in solves the drug problem.
Same thing goes for this. If you set up a system to act as a honeynet, you can still go after the people who hacked it. You didn't invite them in, and you even used the security settings that a given distribution comes with. (Sure, any decent sysadmin would've made them better, but you could argue that you did leave the door locked.)
Now, if you set up the honeynet and started a 'who can crack it deepest' contest, then you're generally waiving that right.
OK. So what do you do if you get a cracker? Do you prosecute or do you just record data? If you do prosecute, does it depend on intent (just port sniffing (and maybe letting the sysadmin know of a security flaw), attempted breakin, successful breaking, 0wn1n9 the box, etc.)? I personally think that white hat crackers (say, just portsniffing letting the sysadmin know about security flaws) and some grey hats (maybe breaking in and then fixing some security flaws and then e-mailing the sysadmin) shouldn't be punished for just poking around (although the grey hat thing is iffy). Similarly, I think that black hats should be slapped down as quickly as possible. The best thing we can do is to stop the script kiddies as quickly as possible. If the honeynet data can be used for that, great. Otherwise, how is this any different than, say, reading a security bulletin?
So how exactly do you tell someone that their server/network/etc has security problems without opening yourself up for nasty things?
It's a big problem ! My response is to either invoice them for the work, or ignore it as it's just not my problem. If they want to know about site issues, then it's (part of) what I do for a living.
If they're not a client, then their site isn't any of my business. It's a big 'Net - at any time, most of it is broken in some way -- and I'm never going to fix it all myself. Nothing good will come of pointing out the glaring holes
If they can't afford me, then I might work for free -- but they're still a client, and there's a commercial relationship going on, even if no money changes hands. If we can't set this up right; i.e. they're going to listen to me, they're going to give me the authority to fix it properly, and they're not going to obstruct me doing it, then I can't work a proper client relationship and I'm best leaving it alone entirely.
If they don't want to hear it, don't tell them.
You wouldn't have got it fixed anyway, and their arrogance isn't worth involving yourself over.
Someone else's bugs just aren't your problem. Even if this is "crashing airliner fault" territory, the current climate of legal, business, engineering and ethical practice just doesn't like whistleblowers -- messengers keep getting shot, because someone doesn't like their message.
If, on the other hand, he came to me, and said
Then it becomes much easier to prosecute -- especially if I hum and haw, and vaguely try and dissuade him before letting him twist my rubber arm. For another analogy, the honeypot is rather like a nice house with a cheap lock. No matter how cheap the lock, it's still illegal to break in. You breaking in is not likely to be entrapment unless I go to you and actually suggest that you break in -- or otherwise goad you into committing a crime which you might not arguably otherwise commit.
IANAL, I just like reading up on the law
--
Free Software: Like love, it grows best when given away.
The sysop didn't even respond to the third email containing detailed explanation on what to change in which files to correct the problem...
To my knowledge the system was never fixed. We talked about making a web-page with one button: "don't push this!" causing a rm -Rf as root...
and then mail the URL to the head of department!
I wonder how many systems out there are as badly configured as this example?
So, hack into it and patch it for the poor bastard. Never tell him. You'll be saving your own ass, saving the ass of the moron who can't find time to do his job, and you're preserving the University's security, all in one fell swoop.
Or, just post the name of the University here on /., and I'm sure someone will help remind him of his gaping orifice.
--SC
You read fiction? I write it! Lemme know what you th
Hah,
;) Pass in RAW SQL etc.
;) he had a shell account too. I instantly vaporized his ass. It's like a never ending battle. You can't hope to stop them all, just most of them.
I recently set up a counter-strike server. I decided to install portsentry and a couple other detailed logging programs.
I locked the machine down and hunted down every last bug that I had time for. Spent a couple of days hunting bugtraq etc.
The sheer number of times I was portscanned was stupid. I had it set up to send me an email for each port scanning. I now get 4 a day!
That is ok. The email server is closed and doesn't actually let anyone but localhost send mail. I can't count how many times that was pried at.
FTP services run, every time the same exploits are attempted.
People trying weird shit with my php and perl scripts I wrote / had on my server. Trying to get freaky with my URL variables
In short only one person got r00t
I think setting up a Honeynet would be kinda fun if I had time. I just don't really give a shit as long as no one is breaking my system down. Portscan all you want. Who cares. (Someone tried to flood ping me once.. too bad the machine is sitting on an OC-12, OC3 and redundant DS3's)
You can't win. You can only hope to stay slightly ahead of the game.
Jeremy
As with any criminal activity the person committing the crime will balance the risks of getting caught and the rewards of the crime. (Barring insanity; e.g. Mass murderers who eat people).
If a system like this can analyze the patterns and signatures of the "blackhats" it provides part of the solution. If it is combined with the tracing abilities to determine where the hack came from (a script kiddie using a local ISP in Dallas, Texas or a hacker using a computer at his work)
There is the distinct possibility that some people can get caught.
Currently the only people being tracked and caught are the big news story ones, of credit card theft from Barnes and Noble etc. If we can empower people to present a threat back at these blackhats then we can work to prevent more of them. Eventually if these types of traps are set up and successful on a larger scale home users can implement a smaller honeynet to keep people out or track those who do the crimes.
IMHO; computers will eventually be like Kwik-E-Marts or protective parents who video tape the baby sitter. All of the data will be tracked and stored and the analysis tools will be easy enough that the person committing the crime will have a good chance of being caught. This will become more and more important as everyone gets always-on broadband connections attached to their home computers.
Bzzt Whir Click
Even if you _don't_ leave your door locked, if someone comes into your house and steals things, you can still charge them.
What difference does it make how hard you try to keep them out? Burglary is still a crime.
Well, when I told my school about their security problems, not a great deal happened.
;)
Then I wrote a security analysis paper, detailing how one would gather username and password pairs for virtually every student in the school.
Then they started to listen
You can link to an individual post in an old article; the comment number is an anchor in the HTML document. So, you'd want to do it like so:
http://slashdot.org/articles/00/12/19/1820227.shtml#225
HTH.
--
--
We have fought the AC's, and they have won.
Understand: I am not a lawyer (though I play one on the Net) and a lawyer clueful in netlaw would be your best advisor. My understanding of The Way Things Work is that if you put a rig online, and are paying the costs of connection (rig itself, net feed, etc.) you have the final say on what goes on there, subject to your internet connection provider and local and national laws. (For instance, trading bomb recipes is ok, spam and kiddie porn are not.) If your ISP (or whoever) is OK with the honeypot/honeynet, and you declare open season on going in, then it should be as kosher as an orange. Of course, the responsibility will fall on you to prevent relay attacking (going from one telnet site to another to [somewhat] hide the attacker's origins) and spamming etc. (Jail sucks, from what I've been told ;)
If you are good at what you're doing, and are 110% sure that no one can get out from your honey*, then go for it. The information gained from such a net is really useful.
However, be forewarned.
Windows.. Good for targeting rocks.
I used to be someone else. Now I'm someone better.
Real life is underrated.
Was it necessary to include transcripts of an individual attack on a single system in order to illustrate the concept of honeynets?
Would you rather it just say " we got cracked". If you don't like it you don't have to read it, but if you want to know then you got to read it to learn....
________
Does anyone actually have a Java program designed to control air traffic, or for the operation of a nuclear facility?
"All systems placed within the Honeynet are standard production systems. These are real systems and applications, the same you find on the Internet. Nothing is emulated nor is anything done to make the systems less secure."
In other words a Honeynet is the same as any other firewall protected intranet, with the possible exception that someone is actually paying attention to the logs, etc.
I have this new idea for a vehicle I call a "Safety Mobile." It's identical to any other car, except the person driving is acting responsible and paying attention. Do I get kewl write-ups and Slashdot props?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
"Well then, break into his account, and change the password to something secure! When he gets back, he'll go straight to you for the correct password, and you can assure him that at least his account was safe."
Unfortunately, that kind of thing can get a person fired. When you're working with people of the mentality that anyone who warns them of security holes is likely to be the one who later exploits that same hole, you are working with unpredictable, dangerously stupid people. Technically, if you log in to an account that is not yours, even with the intent of being helpful, it's an unauthorized access. The fact that you were clearly being helpful will not be met with any more common sense this time than the last.
Reminds me of the time the brilliant sysadmin (read hobbyist) at a company I used to work for upgraded the Netware server and put a paper in everyone's mailbox (centrally located - mind you) telling everyone that their password would be changed to - you guessed it - "password" - over the weekend !
When I informed a VP who was leaving on vacation for a week that he should have a trusted person change his password temporarily so it wouldn't be "password" for a whole week, you know what he said, right?
"Oh
I now work with much more competent people, thankfully, but that sure is a supporting anecdote for the theory that idiots rise to the top of the management hierarchy!
How do you tell someone that they are running a "Honeypot" server unintentionally?
I used to have the habit of talking to people about security issues on networking around my high school. As people are, they scoffed at a kid explaining to them security issues... and when their network was compromised (not by me) my attempt at pointing out their security problems came to their mind... They remembered me speaking to them, of course, and since I knew about their security problems I "had to be" the person who compromised their system...
That was high school -- I learned to keep my mouth shut...
About a month ago, when I first started reading about the honeypot project I noticed that my University's box was running a version of linux that had a few security issues.. as in the same security issues that allowed others to access and control the Honeypot for a little. (I am not mentioning my U's name!) -- I acted against reason and informed the administrator (who I had as a professor) about the problem... their answer was strange: "I know about the problem but I just don't have enough time to deal with it right now. I think I might take a look at patching it sometime this summer..."
Now I am worried the same thing will happen.. my precious U's network will be compromised and the admin will be thinking "Wait.. I remember someone who knew about this security problem.."
So how exactly do you tell someone that their server/network/etc has security problems without opening yourself up for nasty things?
Actually a virtual Honey Net implemented on a single machine which could deceive an intruder into thinking they were hopping from machine to machine.. with fake lag, etc. would be cool and much less expensive. Linux boxes masquerading as MVS or VAX VMS or old 3Com NetbuilderII's for that matter would all be neat fake-outs.
While this could be a great way to find out more information on the hackers' techniques, with an open door, and potentially hundreds of hackers kicking down the door, how can they accurately track who did what, where?
Thinking back to city riots -- cars overturned, stores looted, signs destroyed... who got caught? (not a perfect analogy, but you get my drift)
Note that these machines are still considered part of the network, and are usually priced ~$3000 as at this price mark they will enter a different bracket of penalties for the hacker.
:/
Also note the honeynet does not use sensors within the network to collect data, but relies upon the firewall to gather data. Anyone can pretty much do this with most any firewall.
Recourse's Mantrap documents everything on a per machine basis (incl. keystroke logging). This unfortunately is designed more for corporate use than for my home
The problem with honeypots and honeynets is that, in the end, they end up simply encouraging crackers. When systems are put online for the specific purpose of being hacked, crackers are more than happy to oblige by compromising them. And the more boxes they can crack, the more likely they are to get caught up in the whole "blackhat" mythos. Honeypots/nets also give crackers a chance to practice their skills -- which can then be used against real targets -- with little repercussion.
Furthermore, putting a honeypot or honeynet up is almost asking for people to become blackhats. Most crackers / blackhats have huge egos, hence their need to deface web pages with their 1337 group names. These kind of people would love to be the subject of a honeypot study, if for no other reason than getting the chance to see that their childish actions have had an effect on somebody. Crackers want to be perceived as disruptive and a threat; they want to look "cool" and dangerous and mysterious. Why encourage these people by giving them the kind of attention they're looking for?
And of course, there's also the fact that a honeypot is a waste of resources. It seems pretty silly to set up a system specifically to be cracked? There's plenty of better uses for a spare box; why not set up a distributed-processing unit or an open-source FTP server if you don't know what else to do with an old computer?
I understand the need to find out cracking techniques. But this kind of stuff is hardly secret by now; I don't see any reason to continue useless navel-gazing "studies" of cracker behavior. How much more can we really learn from the drooling 13-year-old script kiddies of the world?
tools: exploits downloaded off the various security websites
tactics: gcc exploit.c -o exploit;
motives: 3y3 y4m a l33t hax0r d00d!!
were you expecting to see a sig here? perhaps you'd rather see the inside of an ambulance!
I don't know how to say this, but reading this article gives me an uneasy feeling, and sets off my bullshit detector. Its excessive use of buzzwords (honeynet, blackhat, etc) and attempts at sounding important just don't jibe with what I know. Example: "We have even captured real time video shots of blackhats involved in the attacks on our systems. This gives us insight on how blackhats target and attack systems." How does this follow? You got some webcam video of some guy sitting in front of a PC, what insight is to be gained from that? Jeez. Another gem: "one of the primary sources of information a Honeynet can gather is communication amongst blackhats, such as IRC" WHOO BOY! You can sit on irc and watch script kiddies talk...this is one of the primary uses of a "Honeynet"? Computer security folks have a bad enough reputation as it is for being scam artists and buzzword propagators, and I think we can safely put the people referenced by this article into the "full of bullshit" file.
So, a honeynet is just like any other firewall protected network, except for the fact that people are actually paying attention to network security?
While I don't think I agree with the effectiveness of a 'dedicated' honeynet over any other real network, this does bring to light the interesting effect this will have on network security in general. Right now, l33t k1dd3z have a 'you can't catch me' attitude. Witness the recent exploits of a Welsh hacker who thought that he was so far above the law that he could do what he wanted to any website he wanted in the name of his own little sense of morality.
Most of these kids *know*, not just think, that they are never going to be caught.
As more and more businesses and organizations employ honeypots and 'honeynets', trying to catch crackers before they crack, more and more cases of idiots like these are going to get in trouble for breaking the law. Rooting a server is going to be seen less and less like fairly innocent graffiti and more and more like knocking over a convenience store and beating up the clerk, and then walking out with only a slushee. People will still do it, but attacks will be fewer and further between, and the people who get cracked will be those who've invited it by not putting up the equivalents of bullet-proof glass and panic alarms.
I've recently been involved in setting up a "honeynet" at a university who I do consultancy work for on their IT systems, including security. A major problem was the sheer number of times it was attacked by a large number of people at the university, often bouncing off external machines.
I had expected them to catch a few people who had been virtually running wild on the network over the last year. As it turned out, there were too many attacks to be able to narrow it down or to follow up on every event logged.
It made for a frightening reality as to the sheer volume of attacks that go on. A uni is obviously at more risk than most places due to the high volume of computer geeks with too much time to kill. Still, it's a real wakeup call to the scale of what goes on.
It's not entrapment if you aren't trying to prosecute anyone. It's more like videotaping a burglar's activities at your door to find out how burglars break in, and analyzing the tool marks to see how to make the door secure against other burglars.
--
spam spam spam spam spam spam
No one expects the Spammish Repetition!
Scientists restrict study to entire physical universe; creationist
Free unix account: freeshell.org
These kind of people would love to be the subject of a honeypot study, if for no other reason then getting the chance to see that their childish actions have had an effect on somebody. Crackers want to be perceived as disruptive and a threat; they want to look "cool" and dangerous and mysterious. Why encourage these people by giving them the kind of attention they're looking for?
For one thing, the study results are expressed in generalities in terms of hacker tactics. How excited can a person become about being a statistic? I can't see someone seeking attention by publicly defacing web sites becoming overly enamored with the idea of being treated as an anonymous lab rat.
I understand the need to find out cracking techniques. But this kind of stuff is hardly secret by now; I don't see any reason to continue useless navel-gazing "studies" of cracker behavior.
How else do you propose to discover new cracking techniques, or examine cracking tactics? It seems to me that honeynets are an excellent opportunity to both conduct reconnaissance on crackers and validate security models in a practical environment. As the article states, black hat ingenuity should never be underestimated, and I can't see what is to be gained by being complacent about security. According to your argument, if we ignore the problem, it will go away. Attention is not the only thing these guys are seeking; some of them mean to do real harm, and we can't tell the difference a priori.
Toronto-area transit rider? Rate your ride.
Is it just me, or could this article have been shortened a bit, or at least presented as more of an outline? Was it necessary to include transcripts of an individual attack on a single system in order to illustrate the concept of honeynets? Way too long to read completely and thoroughly.
Also, the content was kind of unrealistic, but I won't continue on that track. Karma's low enough without getting "redundant"-ed.
If you fall off a building, go real limp, because maybe you'll look like a dummy and people will be like hey, free dummy