Slashdot Mirror


OpenBSD 3.0 Honeypot Whitepaper

Tortured Potato writes "This white paper, by Michael Anuzis, details how he set up an OpenBSD 3.0 honeypot, watched it get cracked and then analyzed it -- all within 28 hours. Fascinating stuff...this is the first OpenBSD honeypot I've heard of."

209 comments

  1. Its a reminder by mgv · · Score: 1, Flamebait

    Of just how much you need a firewall these days.

    Especially if you run windows.

    Michael

    --
    There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
    1. Re:Its a reminder by Anonymous Coward · · Score: 0

      A firewall won't do much good when the public needs to get through to port 80 and IIS is running. If you don't know how to fix the "out-of-box" MS security problems after install, then you *ARE* screwed, no matter what you use in front.

    2. Re:Its a reminder by Anonymous Coward · · Score: 0

      Of just how much you need a firewall these days.
      - Wrong assumption. A firewall cannot stop attacks. It can stop direct access to services that are not meant to be served to the outside world, but it still lets traffic through. If you are relying on the firewall only, then you will be facing many surprises...

      Especially if you run windows.
      -And have clueless admins. If the system is configured wisely you do not need any hotfixes and patches to secure the system.

  2. From the article: by SuiteSisterMary · · Score: 3, Funny
    Most honeypots out there tend to be Redhat Linux as it has the worst record for security out of pretty much every OS out there

    Oooh, dems fightin' words! (runs into the General Store and closes the curtains, peeking out)

    --
    Vintage computer games and RPG books available. Email me if you're interested.
    1. Re:From the article: by Rhinobird · · Score: 1, Troll

      (dives behind watering trough)

      Not sure, but he could be talking about just the *nix environments. If not then we have to go get the sheriff and the undertaker, there's a gonna be a shoot out!

      --
      If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
    2. Re:From the article: by Anonymous Coward · · Score: 0

      Actually, most of the compromised servers were Redhat Linux in the version 6 days (circa 1998-99) because all services were enabled by default, leaving the system wide open. Of course, inexperienced (stupid wouldn't be polite) admins share the blame.

      I must say, around 1998, the Linux kernel and userland was terrible. It's come a long way, thanks to the ridiculous hype and commercial investment.

    3. Re:From the article: by SuiteSisterMary · · Score: 2
      Actually, most of the compromised servers were Redhat Linux in the version 6 days (circa 1998-99) because all services were enabled by default, leaving the system wide open. Of course, inexperienced (stupid wouldn't be polite) admins share the blame.

      I've said it before, and I'll say it again. 10, 15, 20 years ago, the security advisories were all the same, only the names were different. SunOS, Solaris, HP-UX, IRIX. Sendmail, CERN httpd, X.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  3. What is a honeypot? by Crypt0rchid · · Score: 1

    I think I'm not the only one who's reading this article and asking himself what a honeypot is. Could anyone please explain what it is? Thank you in advance.

    1. Re:What is a honeypot? by Innomi · · Score: 3, Informative

      A honeypot is a machine set up for the sole purpose of distracting hackers away from your main network by putting up an easy target.

    2. Re:What is a honeypot? by snake_dad · · Score: 4, Informative

      You can learn a lot about honeypots and network security in general on the Honeynet site. Browse the challenges, and the results, and be amazed ;)

      --
      karma capped .sig seeking available Slashdot poster for long-term relationship.
    3. Re:What is a honeypot? by Wakko+Warner · · Score: 5, Funny

      On a similar note, what is your IP address?

      - A.P.

      --
      "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    4. Re:What is a honeypot? by RazzleDazzle · · Score: 1

      I like you, you remind me of when I was young and stupid. I have yet to see an example of your wonderful and baseless statements.

      --
      ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
    5. Re:What is a honeypot? by Beryllium+Sphere(tm) · · Score: 2

      Not the sole purpose.

      A honeypot is also a research tool into cracking trends and techniques.

    6. Re:What is a honeypot? by BarefootClown · · Score: 3, Funny

      127.24.88.72. Why do you ask?

      --

      "Make it ten--I am only a poor corrupt official."
      --Captain Louis Renault (Claude Rains), Casablanca

    7. Re:What is a honeypot? by evilviper · · Score: 2

      warez.slashdot.org

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    8. Re:What is a honeypot? by Anonymous Coward · · Score: 0

      192.168.0.1 but i have a honeypot set up on 127.0.0.1. Dare you to crack it.

    9. Re:What is a honeypot? by Anonymous Coward · · Score: 0

      Jeez, this doesn't even get a "Funny" moderation?

    10. Re:What is a honeypot? by Anonymous Coward · · Score: 0

      Well, I am running 88.0.0.0/24 at the moment. Why is that?

  4. He didn't wipe out enough info on those images by Anonymous Coward · · Score: 2, Funny

    http://www.google.ca/search?q=cache:b3jn4bU41cYC:www.omegapunx.org/+muffinface+band&hl=en&ie=UTF-8

    1. Re:He didn't wipe out enough info on those images by Fishstick · · Score: 1

      I imagine so...
      omegakidd

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

  5. This is a Hoax by Anonymous Coward · · Score: 0

    This is not possible we all know that oBSD can't be hacked, only redhat Linux and Windows.

    1. Re:This is a Hoax by Anonymous Coward · · Score: 0

      It's not a hoax, it's called a honeypot system. Its intention is just that, to be hacked!

  6. White paper ? by kraf · · Score: 3, Funny

    This white paper, by Michael Anuzis, details how he set up an OpenBSD 3.0 honeypot, watched it get cracked and then analyzed it -- all within 28 hours

    You can do it with a default install in 30 minutes.

    1. Re:White paper ? by heimotikka · · Score: 1

      You can do it with a default install in 30 minutes.

      So you actually can predict that your box will be hacked by two individual hackers in 30 minutes, analyze what they were doing and write a doc about it? You'll need good timing. Please - please read the articles before begging for karma.

    2. Re:White paper ? by tep-sdsc · · Score: 1

      The 30-minute timeframe (to the first intrusion on a default install) is not a bad guess. My logs show that many machines in my net are probed on average once every 15-180 minutes.

      If the machines were default installs, they would have fallen. I'm seeing all the usual (for this week) stuff: SSH, Apache, Nimda/Code Red, FTP, etc.

      Add about 15 minutes for installing a sniffer+hub in parallel instead of the single-host honeypot here, and 45-60 minutes of setup would get you a few hours of fun and amusement.

      I think that the most interesting part of this particular honeypot was the single honeypot system, instead of the victim + sniffer that I've used and almost always seen used.

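    The probe traffic tep-sdsc describes above (SSH, Apache, Nimda/Code Red and FTP sweeps every 15-180 minutes) is exactly what a single-host honeypot's own logs will show. As an added example that is not part of this thread or of the whitepaper, the following Python script parses constructed Apache access_log and sshd authlog lines (the hostname "honey", the addresses and the timestamps are made up for the example), tags the well-known Code Red (`/default.ida`) and Nimda (`root.exe`, `cmd.exe`, `%c1%1c` traversal) request signatures plus sshd banner probes and accepted logins, and computes the probe inter-arrival intervals the "how often are we probed" question asks about. It assumes syslog lines carry no year (so one is supplied) and that both logs use the same local clock.

    ```python
    import re
    from datetime import datetime

    # Constructed sample logs (not from the whitepaper): an Apache access_log and an
    # OpenBSD-style /var/log/authlog as a honeypot might record them.
    ACCESS_LOG = """\
    10.0.0.5 - - [02/Jul/2002:03:14:22 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 -
    10.0.0.5 - - [02/Jul/2002:03:15:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
    10.0.0.9 - - [02/Jul/2002:05:40:10 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
    192.0.2.7 - - [02/Jul/2002:06:02:33 -0500] "GET /index.html HTTP/1.1" 200 1043
    """

    AUTH_LOG = """\
    Jul  2 04:20:05 honey sshd[1337]: Did not receive identification string from 10.0.0.5
    Jul  2 07:11:48 honey sshd[1402]: Accepted password for root from 10.0.0.5 port 2049 ssh2
    """

    # Common Log Format: src, ident, user, [timestamp tz], "method path proto", status
    ACCESS_RE = re.compile(
        r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]\s]+) [^\]]*\] '
        r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
    )
    # syslog line from sshd: "Mon DD HH:MM:SS host sshd[pid]: message"
    AUTH_RE = re.compile(
        r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$'
    )


    def classify_path(path):
        """Map a requested URL path to a worm/scanner family, or None if benign."""
        p = path.lower()
        if 'default.ida' in p:                       # Code Red's .ida overflow probe
            return 'codered'
        if ('root.exe' in p or 'cmd.exe' in p        # Nimda's IIS backdoor/traversal probes
                or '%c1%1c' in p or '%c0%af' in p):
            return 'nimda'
        return None


    def classify_sshd(msg):
        """Tag sshd messages: banner-grab scans vs. successful logins."""
        if msg.startswith('Did not receive identification string'):
            return 'ssh-scan'
        if msg.startswith('Accepted '):
            return 'ssh-login'                       # on a honeypot this is the intrusion
        return None


    def probe_timeline(access_log, auth_log, year=2002):
        """Return a time-ordered list of (datetime, source, kind) for hostile events.

        `year` is an assumption: syslog timestamps carry no year. Both logs are
        treated as local time; the access_log tz offset is ignored for that reason.
        """
        events = []
        for line in access_log.splitlines():
            m = ACCESS_RE.match(line)
            if not m:
                continue
            kind = classify_path(m['path'])
            if kind:
                ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S')
                events.append((ts, m['src'], kind))
        for line in auth_log.splitlines():
            m = AUTH_RE.match(line)
            if not m:
                continue
            kind = classify_sshd(m['msg'])
            src = re.search(r' from (\S+)', m['msg'])
            if kind and src:
                ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=year)
                events.append((ts, src.group(1), kind))
        events.sort()
        return events


    def interarrival_seconds(events):
        """Seconds between consecutive hostile events (the 'probed every N minutes' figure)."""
        return [int((b[0] - a[0]).total_seconds()) for a, b in zip(events, events[1:])]


    def probes_by_source(events):
        """Count hostile events per source address."""
        counts = {}
        for _, src, _ in events:
            counts[src] = counts.get(src, 0) + 1
        return counts


    if __name__ == '__main__':
        ev = probe_timeline(ACCESS_LOG, AUTH_LOG)
        for ts, src, kind in ev:
            print(ts.isoformat(sep=' '), src, kind)
        print('gaps (min):', [round(s / 60, 1) for s in interarrival_seconds(ev)])
        print('per source:', probes_by_source(ev))
    ```

    The benign `/index.html` request is dropped, so the intervals are between hostile events only; on the constructed input they come out between 39 seconds and about 92 minutes, inside the 15-180 minute range quoted above. The signatures here are deliberately narrow (substring matches on the paths those worms are known to request); a real honeypot would feed the raw lines to a sniffer or IDS rather than rely on the web server's own log, which an intruder who gets root can edit.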
    3. Re:White paper ? by heimotikka · · Score: 1

      Yeah, let's not argue about time... Sweep scans are very common - I get mostly FTP scans.
      What I'm interested in is using virtual servers to fake a net of computers - a virtual honeynet - a net of honeypots. Could be cheaper and faster to set up than with real hardware. I've heard that there are people already doing this using User Mode Linux. With that one could set up a honeypot in minutes...

    4. Re:White paper ? by Anonymous Coward · · Score: 0

      After hacking into the virtual honeypots, the intruder will most likely notice it's a virtual machine. He will then try to exploit the virtual machine program to gain access.

      You just gave a new door for a hacker to enter your machine.

      And seeing how much you try to protect your machine will most likely excite the cracker.

  7. use a real man's OS by flaw1 · · Score: 0

    Windows doesn't come with shitty, insecure services like Apache2 and OpenSSH.

    --
    Surprised by Unicide! (fuck this shit)
    1. Re:use a real man's OS by Junta · · Score: 1, Offtopic

      Yeah, they just ship with really tight and secure IIS and Windows Media Player.....

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:use a real man's OS by esarjeant · · Score: 1

      did anyone else notice the recently-cracked USA Today site switched from Solaris this year?

      Hmm, I wonder if they're kicking themselves now.

      --

      Eric Sarjeant
      eric[@]sarjeant.com

    3. Re:use a real man's OS by Anonymous Coward · · Score: 0

      > did anyone else notice the recently-cracked USA Today site switched from Solaris this year?

      Ah yes, they switched from Solaris to Windows 2000.

      And, not only did they get cracked, but, according to Netcraft, their uptime has dropped from 100 days for Solaris, to an average of 23 days for Windows 2000.

  8. First OpenBSD honeypot by snake_dad · · Score: 4, Informative
    this is the first OpenBSD honeypot I've heard of

    Which is not very surprising for an OS that has had "One remote hole in the default install, in nearly 6 years!". An interesting read 'though.

    By the way, there is a slashbox for OpenBSD Journal, which can be enabled here. It featured this story yesterday.

    --
    karma capped .sig seeking available Slashdot poster for long-term relationship.
    1. Re:First OpenBSD honeypot by platypus · · Score: 2

      Well that doesn't mean you're secure.
      It's worth remembering for some OpenBSD worshipping newbie zealots that every OS is as secure as the admin installing/maintaining the server.
      Let me say that I know the seasoned OpenBSD users surely are not prone to that, but that is true for (nearly) any OS, and for all *nixes.

    2. Re:First OpenBSD honeypot by jazman_777 · · Score: 1
      It's worth remembering for some OpenBSD worshipping newbie zealots that every OS is as secure as the admin installing/maintaining the server.

      Given two equally paranoid and skilled sysadmins, the one using OpenBSD has a head start over the one using Linux. Linux machines are owned so easily and often, it often occurs to admins, "gee, maybe I should study all the crackers roaming about my boxes."

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  9. Info on the 'Hacker' by DeeEm · · Score: 5, Informative

    If anyone's interested, the website for the 'hacker' is omegapunx.org, his MSN name is omegakidd@hotmail.com
    E-Mail: omegakidd@tfz.net
    E-Mail2: omegakidd@cheguevara.zzn.com
    aim: eromlenosam
    aim2: shoogy maple
    aim3: satan the killer
    msn: omegakidd@hotmail.com
    yahoo: omegakidd
    irc@efnet: omegakidd

    1. Re:Info on the 'Hacker' by Anonymous Coward · · Score: 0

      The hacker's web page is now suffering the /. effect. That's some sweet irony.

    2. Re:Info on the 'Hacker' by gTsiros · · Score: 1

      "aim: eromlenosam"

      mason elmore?

      --
      Looking for people to chat about multicopters, coding, music. skype: gtsiros
    3. Re:Info on the 'Hacker' by omegakidd · · Score: 1

      yep.

  10. Enough with the political correctness! by Second_Derivative · · Score: 0, Troll

    Why the consistent use of "he/she"? I'm sorry but I've yet to see anyone of the female persuasion who is enough of a lowlife to become a script kiddie.

    1. Re:Enough with the political correctness! by Anonymous Coward · · Score: 0

      That bugs the SHIT out of me.

      Why not just say "they"?

      Damn people!

    2. Re:Enough with the political correctness! by JerkBoB · · Score: 1
      Why the consistent use of "he/she"?

      Perhaps Elmore is transgendered? Observe (from http://www.omegapunx.org):

      My brother's girlfriend Danyel gave me this purply long skirt thingy. It is soo cool. I would wear it to school tommorow, but there are these kids in the loccer room who hate gay people. They say things like "Man, if you are gay I am going to kick your ass." And stuff like that. So, they would probably think I am gay or something and kick my ass. Welp, what are you going to do in this world these days.

      --
      A host is a host from coast to coast...
      Unless it's down, or slow, or fails to POST!
    3. Re:Enough with the political correctness! by lucius · · Score: 1
      Because it's incorrect. "They" is plural.

      English has no gender-neutral nominative singular pronoun, fool.

    4. Re:Enough with the political correctness! by Anonymous Coward · · Score: 0

      What about "Trinity"? Didn't she crack the IRS d-base? You're not the only one who thinks she's a guy however...

    5. Re:Enough with the political correctness! by Anonymous Coward · · Score: 0

      If everyone started using it in the singular then it would become correct.

      Then we would have the 'gender-neutral nominative singular pronoun' that we need.

      You can usually tell if it is plural from context.

      Let the English language continue to evolve as it has in the past... incorrect my ass

      Fool.

    6. Re:Enough with the political correctness! by AndrewHowe · · Score: 2

      Then what are "I" and "you"?
      You clearly don't know what you are talking about, because the case (you said nominative) is irrelevant here.
      It's in the third person singular that English has gender specific pronouns, and that goes for nominative (he/she), oblique (him/her) and genitive (his/her).
      So who is the fool?

    7. Re:Enough with the political correctness! by Beetjebrak · · Score: 1

      IT would be a proper word for a script kiddy.

      --
      Learn from the mistakes of others. There isn't enough time to make them all yourself.
    8. Re:Enough with the political correctness! by CarrionBird · · Score: 1

      Am I the only one who remembers being taught in school that "he" rather than "he/she" is correct when gender is indefinite? Has English been rewritten too?

      --
      Free Mac Mini Yeah, it's
  11. Cracking the Honeypot by hugesmile · · Score: 0, Offtopic

    I took a honeypot to Prom, and it took me 28 hours to crack her and analyze it too....

  12. google cache link by Anonymous Coward · · Score: 0
  13. ph34r omegapunx by nyquist_theorem · · Score: 5, Funny

    obligatory link to omegapunx's google-cached website is here

    the best entry is certainly May 31st, when this gem appeared:

    It seems to me that the Americans are actually the terrorists. I would elaborate right now but I am too lazy to type that much right now.
    9:30PM: I had some fun with smoke bombs. I lit like 5 in my back yard and there was this pretty big smoke could going into my front yard. Sense it looked so cool I searched for some more smoke bombs, and all I could find was like 3. But then I lit them in the feild and that was cool. There was this cloud of blue smoke like 4 and a half feet from the ground. It was soo cool.


    --
    -- "Ignorance more frequently begets confidence than does knowledge." (Charles Darwin)
    1. Re:ph34r omegapunx by nerdguy0 · · Score: 1
      Who wants to visit him, looks like a home address:
      Registrant:
      OmegaPunx
      5233 Welcome Ave N.
      Crystal, Minnesota 55429
      US

      Registrar: Dotster (http://www.dotster.com)
      Domain Name: OMEGAPUNX.ORG
      Created on: 03-MAY-02
      Expires on: 03-MAY-03
      Last Updated on: 03-MAY-02

      Administrative, Technical Contact:
      Elmore, Mason omegakidd@tfz.net
      OmegaPunx
      5233 Welcome Ave N.
      Crystal, Minnesota 55429
      US
      (763)531-0637
      Here's a map, and a picture of his house.
      --
      "In /dev/null no one can hear you stream."
    2. Re:ph34r omegapunx by Anonymous Coward · · Score: 0

      Anybody want to slip this location into the USAF's mainframe, so that they'll bomb him instead of innocent Afghans?

    3. Re:ph34r omegapunx by Anonymous Coward · · Score: 0

      Who is omegapunx and what does this have to do with anything?

    4. Re:ph34r omegapunx by Anonymous Coward · · Score: 0
      ph34r this

      yikes!

    5. Re:ph34r omegapunx by satanami69 · · Score: 1

      The picture in the mapquest link is better. Look for the tab that says "Aeirel photo". It's in color too.

      --
      I really hate Dan Patrick.
  14. Or OpenBSD by Anonymous Coward · · Score: 0
    [its a reminder] of just how much you need a firewall these days.

    Especially if you run windows.
    Who said anything about Windows? The whitepaper was about a vulnerability in OpenBSD being exploited. So perhaps you should have said:

    "it's a reminder of just how much you need a firewall these days" and left it at that.
  15. My favorite quote... by twistedcubic · · Score: 1

    My brother's girlfriend Danyel gave me this purply long skirt thingy. It is soo cool. I would wear it to school tommorow, but there are these kids in the loccer room who hate gay people. They say things like "Man, if you are gay I am going to kick your ass." And stuff like that. So, they would probably think I am gay or something and kick my ass. Welp, what are you going to do in this world these days.

    1. Re:My favorite quote... by omegakidd · · Score: 1

      Yeah, that skirt is soo cool.

  16. Doesn't this prove at secure systems are bad ? by Krapangor · · Score: 2, Interesting

    Well, there isn't really such a thing as a secure system.
    So all this pro-OpenBSD propaganda by Theo de Rat saying "OpenBSD is secure, really, always" is rather a bad thing. It lulls sysadmins into the belief that their system is safe, making them unaware of the fact that a system is never secure at all.
    Of course, the sources of every OS should be explicitly checked for security holes. But this shouldn't be the single feature of an OS. In fact claiming an OS "secure" just due to these checks is serving security rather badly.
    I sometimes wonder if the OpenBSD project hasn't exactly the opposite effect than intended by its maintainers for these very reasons. On the other hand there are some cynical commentators out there, who claim that the main intent of OpenBSD is to boost Theo's ego.

    --
    Owner of a Mensa membership card.
    1. Re:Doesn't this prove at secure systems are bad ? by platypus · · Score: 1
    2. Re:Doesn't this prove at secure systems are bad ? by RazzleDazzle · · Score: 1

      What maintainers are you talking about that have said that OpenBSD is a system that needs no attention once it is up and running? If anyone installs any operating system, they should be aware of insecurities. It doesn't matter that one OS seems to have slightly more or less MARKETING as being secure; if you buy or use a product based on marketing, you deserve what you get. I don't recall any of the OpenBSD maintainers claiming their OS is so good you will not ever be hacked. If the admins don't upkeep their system, they will be exploited.

      --
      ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
    3. Re:Doesn't this prove at secure systems are bad ? by RazzleDazzle · · Score: 1

      Of course I notice that July 2, 02 is when the majority of these took place. Hmmmm... popular exploit is found in a program that everyone has enabled (probably everyone has SSHD enabled). Slow, uninformed, uncaring sysadmins don't know or don't care to patch their systems. From Feb 11, 2000 to July 1, 2002 (over 2 years) there are only about 1/10 of the defacements. Not bad I would say. This doesn't prove much about OpenBSD except that there are some incompetent admins using it.

      --
      ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
    4. Re:Doesn't this prove at secure systems are bad ? by deanpole · · Score: 1

      I use OpenBSD. My biggest complaint is that binary updates are not provided, even though the initial installation was from binaries. No, we need to manually patch, build, install, and configure. For this reason, unless you are a skilled and determined software developer, OpenBSD could easily be less secure for you. Theo you suck.

      Does Theo realize this behavior will make unpatched OpenBSD systems more likely, thus encouraging greater development of root kits?

    5. Re:Doesn't this prove at secure systems are bad ? by LionMan · · Score: 2

      Note that statistically,
      0.31% of defaced sites were running OpenBSD, which greatly contrasts with Netcraft's statistics that over 59% of indexed web sites use the Apache httpd server, and considering that Apache runs on the BSDs, Linux, commercial *nixes, Windows, MacOS ... even assuming an equal distribution, this means that the defaced sites are at least two orders of magnitude fewer than the total sites using OpenBSD (ok, that is a lot of assuming, but I couldn't find statistics of server OS distribution).

      --
      -Leo
    6. Re:Doesn't this prove at secure systems are bad ? by Anonymous Coward · · Score: 0

      and really what do binary patches do for security? If you don't like OpenBSD, don't use it, and stop your bitching...

    7. Re:Doesn't this prove at secure systems are bad ? by Zenki · · Score: 1

      You also have to account for the percentage of Apache httpd servers running on which operating system.

      0.31% of defaced sites being OpenBSD is impressive by itself. However, if 0.31% of the defaced sites translates to 100% of the OpenBSD web server installations out there, then you have a real problem.

    8. Re:Doesn't this prove at secure systems are bad ? by gregorio · · Score: 1

      It lulls sysadmins into the belief that their system is safe, making them unaware of the fact that a system is never secure at all.

      This is a honeypot. It was engineered to be *vulnerable*; they are not talking about OpenBSD as a whole, only this installation.

    9. Re:Doesn't this prove at secure systems are bad ? by bcaulf · · Score: 1

      We should note that it is absolutely easy to create an easily attacked Apache configuration, no matter what the O/S. Indeed, software like Apache, which takes orders from strangers over the Internet and plugs into any number of other random software systems on the server, is impossible to secure in a systematic idiot-proof way. Apache serving flat HTML, no problem. Apache doing dynamic things, forget it. It is going to require expertise and configuration management to achieve any kind of security.

      When a site running on an O/S is defaced, that does not necessarily have anything at all to do with the O/S.

  17. fraction of cracked boxes by Anonymous Coward · · Score: 0

    This makes me wonder what's the proportion of cracked to uncracked machines. I know I've had a box cracked from underneath me and I've found a set of other cracked boxes, but I wonder how many I've missed. Granted, I probably wouldn't have missed MuffinFace and his posse, but man.

    I think it may be time to knuckle down and write a *good* set of iptables rules instead of the wacky mash I've got now.

  18. Obligatory anti-linux statement by Hieronymus+Howard · · Score: 1, Offtopic

    Why is it that BSD users always feel the need to knock Linux? This article kicks off with "Most honeypots out there tend to be Redhat Linux as it has the worst record for security out of pretty much every OS out there". RH is pretty damn secure compared with Windows, which seems to have a major security alert almost every day.

    HH

    1. Re:Obligatory anti-linux statement by Anonymous Coward · · Score: 0

      Maybe because it would be pretty silly for linux people to bitch about themselves ? :)

    2. Re:Obligatory anti-linux statement by HappyPhunBall · · Score: 1

      Because it is true...but wait! It is true because RH is by far the most common Linux one could hope to encounter on the net, especially in the hands of neophyte 'nix users. Any other distro that strives to knock RH out of the top spot should also be prepared to wear the most-hacked crown. Does this mean that RH is really less secure than other Linux distros? Not in my experience, it just happens to be very popular and thus a likely target. RH has produced some less than stellar distros in the past, but I would feel comfortable putting 7.2 or 7.3 up against any other offering available currently. That includes FreeBSD and OpenBSD as well. I run all of them for different reasons, and they all are vulnerable to attack to various degrees. Vulnerable is vulnerable, but I think popular tells the real story here.

    3. Re:Obligatory anti-linux statement by Anonymous Coward · · Score: 0

      Why is it that Linux users always feel the need to knock Windows? Your post said "RH is pretty damn secure compared with Windows, which seems to have a major security alert almost every day". Windows is pretty damn secure compared with many OS's.

      Did you ever think that as Linux is to Windows, BSD is to Linux ;o)

    4. Re:Obligatory anti-linux statement by phoxix · · Score: 4, Informative
      Stuff that affects Redhat not only affects Redhat, but the rest of the open source community itself. Last time I checked, Redhat used mostly standardized open source software to get the job done (i.e. OpenSSH for sshd, Apache for httpd, etc).

      So when Redhat has a new security flaw, it isn't so much a Redhat problem as it is an open source community security flaw.

      Sunny Dubey

    5. Re:Obligatory anti-linux statement by GigsVT · · Score: 1

      The problem with Red Hat was that a default install used to throw a million half-configured, un-firewalled, and unneeded services.

      The emphasis is because this is no longer true. A basic firewall is installed by default unless you explicitly say not to during the install, and the only questionable service that is left running is sunrpc (probably because the errors caused by it not running when it needs to be aren't always very clear). Of course a home user probably doesn't need sunrpc.

      Other than sunrpc, I think the only other running services are sshd, sendmail, configured to only accept connections from localhost, and maybe one more I am forgetting. The point is, Red Hat is pretty damn secure now, by default.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    6. Re:Obligatory anti-linux statement by JoeBuck · · Score: 2

      I like the folks at Red Hat, they have made huge contributions to everyone. The OpenBSD folks, for example, can't build a single executable without using a compiler that has been developed and maintained largely by Red Hat folks over the last ten years (about 50% of all gcc development work over the last decade, if not more, has been by Red Hat/Cygnus people, and it was their business/marketing people that got the funding to allow all those guys to work full-time on gcc).

      Nevertheless, Red Hat has in the past put out releases that were horribly insecure, and this has been a problem for the net as a whole. They've gotten much better, but by the time a release sold in stores requires so many updates to make it secure that it would take 12 hours to download them all on a dialup modem, that makes the retail version dangerous to the public, a product that should be recalled. This goes both for Windows and Linux. Bad security doesn't just affect the owner of the system, an "owned" system is commonly used as a launch pad for distributed denial of service attacks.

      Maybe the thing to do is to get any BSD or Linux distribution that is sold at retail or shipped on CDs that might not be current, to "phone home" the first time the system is connected to the net (telling the user what is happening, of course), so that the very first thing that happens is that all security updates that enable remote exploits get installed.

    7. Re:Obligatory anti-linux statement by Anonymous Coward · · Score: 0

      ooohhh - cant give this a point because it is favourable to windows - get a life moderators.

    8. Re:Obligatory anti-linux statement by norwoodites · · Score: 1

      This is not entirely true. Out of the 12 people who have blanket write privs, 8 are from Redhat, but out of the about 2364 recent changes to gcc, less than half of the changes were made by Redhat people. Most of the changes by non-Redhat people have been major changes to gcc. Redhat for generic SIMD support which is pretty cool but it still needs some work. The cpp (the C pre-processor) has been bumped up. The new

    9. Re:Obligatory anti-linux statement by Anonymous Coward · · Score: 0
      Why is it that BSD users always feel the need to knock Linux?
      Because we're smart enough to choose an OS that's easy to use and maintain, instead of choosing the awful Rube Goldberg contraptions distributed by RedHat and Mandrake.

      I tried to add a user, but the bowling ball fell off the track, and now the web server is down!

    10. Re:Obligatory anti-linux statement by Anonymous Coward · · Score: 0
      Short answer: desperation. *BSD is fading away and there is frustration and resentment in the increasingly morose *BSD community. Sure, we all know that *BSD really is a failure, but why? Why did *BSD fail? Once you get past the fact that *BSD is fragmented between a myriad of incompatible kernels, there is the historical record of failure and of failed operating systems. *BSD experienced moderate success about 15 years ago in academic circles. Since then it has been in steady decline. We all know *BSD keeps losing market share but why? Is it the problematic personalities of many of the key players? Or is it larger than their troubled personalities?

      The record is clear on one thing: no operating system has ever come back from the grave. Efforts to resuscitate *BSD are one step away from spiritualists wishing to communicate with the dead. As the situation grows more desperate for the adherents of this doomed OS, the sorrow takes hold. An unremitting gloom hangs like a death shroud over a once hopeful *BSD community. The hope is gone; a mournful nostalgia has settled in. Now is the end time for *BSD.

    11. Re:Obligatory anti-linux statement by Anonymous Coward · · Score: 0

      it's because the original post sucks, dumbass. cite me a widely-used system less secure than windows.

  19. In Other News SecureBSD released by Anonymous Coward · · Score: 0

    After Theo lost his precious "no remote hole" boast he has started up another project named SecureBSD.

  20. IP by Anonymous Coward · · Score: 0

    Do you have an IP? Then we can all be leet haxors and see if we can break into his box. My bet is that there is at least someone on Slashdot that could break in (I am pretty darn sure there are quite a large number of highly skilled black hats that read Slashdot).

  21. OmegaPunx's aka Elmore Mason's Phone Number by Anonymous Coward · · Score: 2, Informative
    From Betterwhois.com

    Registrant:
    OmegaPunx
    5233 Welcome Ave N.
    Crystal, Minnesota 55429
    US

    Registrar: Dotster (http://www.dotster.com)
    Domain Name: OMEGAPUNX.ORG
    Created on: 03-MAY-02
    Expires on: 03-MAY-03
    Last Updated on: 03-MAY-02

    Administrative, Technical Contact:
    Elmore, Mason omegakidd@tfz.net
    OmegaPunx
    5233 Welcome Ave N.
    Crystal, Minnesota 55429
    US
    (763)531-0637
    I tried calling the number, but no one answered (at 9:30AM EST) let me know if

    1. Re:OmegaPunx's aka Elmore Mason's Phone Number by Anonymous Coward · · Score: 0

      i called it and his mother picked up. didn't say anything, just muted the phone and giggled. gosh what a wanker.

    2. Re:OmegaPunx's aka Elmore Mason's Phone Number by Anonymous Coward · · Score: 0

      You or mr. Mason?

    3. Re:OmegaPunx's aka Elmore Mason's Phone Number by RazzleDazzle · · Score: 5, Funny

      HAHAHA... this is like 25 minutes from my house, maybe I should drive over there and wait for him and take some pictures and post them online and send them to the Mike A, and maybe one to the kid himself with a link to the story about how he *hacked*(snickering) a honeypot. There could be a ton of fun with this. HA... plus in a few hours I am going to the TC BSD User Group meeting. I wonder if his momma is gonna drop him off there... :) I will be looking for you Mason Elmore a.k.a. OmegaKidd

      --
      ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
    4. Re:OmegaPunx's aka Elmore Mason's Phone Number by Anonymous Coward · · Score: 0

      I called him, he answered

      I asked him if he knew he was the most famous dumbass on slashdot, he said 'yeah'

      i hung up

    5. Re:OmegaPunx's aka Elmore Mason's Phone Number by Anonymous Coward · · Score: 0

      You don't need to, he's already posted pictures of himself online.

      Grr, avoiding the lameness filter since I'm a fast typist...

    6. Re:OmegaPunx's aka Elmore Mason's Phone Number by Anonymous Coward · · Score: 0

      I called... he knows he got posted. Slashdot his phone line! His momma sounds pissed too :-)

    7. Re:OmegaPunx's aka Elmore Mason's Phone Number by omegakidd · · Score: 2, Funny

      eh. that was my sister.

    8. Re:OmegaPunx's aka Elmore Mason's Phone Number by Anonymous Coward · · Score: 0

      Glad to get the confirmation. I've called the MN state attorney general. Hope you got a document shredder.

    9. Re:OmegaPunx's aka Elmore Mason's Phone Number by RazzleDazzle · · Score: 1

      Just a quick and dirty follow-up, he was not at the TCBUG meeting. And maybe I could take some pictures of him that looked nice and clear. I have access to a nice 3.1 gigapixel camera and it could blow away his apparently $.50 camera. What dirty pictures he has, how could someone sell a camera that sucks as bad as his??? I did notice he was taking a lot of pictures with the camera facing the light on the ceiling.

      --
      ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
    10. Re:OmegaPunx's aka Elmore Mason's Phone Number by Anonymous Coward · · Score: 0

      What do you expect from the "kids" LegoCam?

  22. Excellent learning resource! by Demerara · · Score: 3, Insightful

    This article is valuable not so much for how to set up a honeypot (and no doubt this discussion will ventilate that issue) but, to a security newbie (me), it shows how the analysis of the logs proceeded.
    Nice one. One question though - why not publish the IP of the hackers? Why protect their anonymity?

    --
    Backward compatibility is over-rated
    1. Re:Excellent learning resource! by Anonymous Coward · · Score: 0

      Good question. Corny, isn't it?

    2. Re:Excellent learning resource! by Anonymous Coward · · Score: 0

      We (try to) hide the IP/information of the hackers since we respect their privacy, and hope they do the same. Also, we don't want any vigilante white-hats who think it's their mission to DDoS the "bad guys" going after anyone, etc.

  23. When Bruce Perens says by Anonymous Coward · · Score: 0

    "It is not the job of Linux advocates to promote BSD" when the topic was Open Source, what makes YOU think a BSD advocate should spend any time defending GNU/Linux?

    You are seeing the reaping of what 'the leaders of Linux' sow.

  24. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  25. Re:new poll suggestion by Anonymous Coward · · Score: 0

    Whoah dude you missed out on something! She's Dark angel on TV. Here she is:

    http://www.jessicaalba.net/wallpaper.html

  26. I thought by pardasaniman · · Score: 1, Funny

    I thought this had something to do with Winnie the Pooh using BSD. Oh well.

  27. active honeypot - 200.49.83.130 by Anonymous Coward · · Score: 0

    He's a Windows honeypot, in case anyone wants to practice (note: please be nice, you are being watched :)

    200.49.83.130

    1. Re:active honeypot - 200.49.83.130 by Strog · · Score: 1

      A post from an AC doesn't make me feel warm and fuzzy that this IP really is a honeypot and not a former employer/bank/gov/etc. they want hacked.

      I'm not saying it isn't but I just would have some reservations about it being legit.

    2. Re:active honeypot - 200.49.83.130 by ZigMonty · · Score: 2

      The IP's host name is host083130.metrored.net.ar if anyone cares. ar is Argentina isn't it? It looks like a dialup or other home connection. It certainly isn't www.whitehouse.gov or anything like that.

  28. Re:What's a white paper? by Anonymous Coward · · Score: 0

    The term "whitepaper" refers to a technical specification and/or writing of a document. Yes, there are other types of papers.

  29. Obscuring the IP by tg_schlacht · · Score: 2, Interesting

    Well for one thing the IP may be dynamic. Some other person may have been assigned that IP. Another thing is that they might have been working from a compromised system (though I doubt that in this case.)

    In any case the anonymity of at least one of them was not really too well protected as several of the posts above indicate.

  30. NAT issue by deepchasm · · Score: 1

    From the article:

    If the hacker is smart enough to find out with a simple 'ps ax' that the processes you're running aren't the same as the processes he or she may have seen when they port scanned you (if they take the time to do that), they may realize port forwarding is going on which may raise suspicion

    Firstly, assuming they used a tool like "nmap" to do the portscan they would already know that some of the ports are forwarded - nmap states which ones are in the results of the scan (I believe it can tell by the differences in TCP sequence numbers.)

    Secondly, why would this detract from the realism of the situation? Not everyone who wants to provide limited services on the internet buys additional IPs. I know I don't have the money to!

    Julian

    1. Re:NAT issue by Anonymous Coward · · Score: 2, Informative

      OpenBSD uses random TCP sequence numbers, therefore it isn't very useful to nmap openbsd for finding initial sequence numbers when the firewall admin could simply apply "modulate state" for extra protection. For documentation man pf.conf(5) and search on down for "STATE MODULATION".

    2. Re:NAT issue by netcoyote · · Score: 1

      I have a /29 network on my DSL at home. So I put a honeypot behind a bridged firewall. From the outside world, no one can see the firewall. I allowed all inbound traffic, but blocked outbound traffic from the honeypot. I set up a tcpdump to log all traffic to the honeypot so I could see what was happening. It's a nice solution for a honeypot.

    3. Re:NAT issue by Anonymous Coward · · Score: 0
      OpenBSD uses random TCP sequence numbers, therefore it isn't very useful to nmap openbsd for finding initial sequence numbers
      Every reasonable OS in the world uses random TCP sequence numbers. Doing otherwise creates a major security hole, as was documented as early as 1985.
    4. Re:NAT issue by Anonymous Coward · · Score: 0

      I thought that it was because an OpenBSD firewall didn't change the TTL, thus making it effectively invisible.

  31. want to know who ;-) by Anonymous Coward · · Score: 0

    A quick search for the band name "Muffinface" in the article and voila

    Please be gentle :-)

    Friday May 10th, 2002
    At this moment I am uploading all of my music to this comp so it can go on this web page. Tommorow the band that I am in, Muffinface, will be playing at my friends house. So that is cool. That is all for today. Oh yeah, and also for the music. If you want ftp access, when it is up. The username and password will be music. And the FTP is just omegapunx.org port 21.

    1. Re:want to know who ;-) by Anonymous Coward · · Score: 0

      on his "links" page he lists Slashdot. Of course, he links to 'www.slashdot.org' showing he has no idea...

    2. Re:want to know who ;-) by Anonymous Coward · · Score: 0

      slashdot.org was the original domain dumbass. .com came later.

    3. Re:want to know who ;-) by cureless · · Score: 1

      There's a slashdot.com!? .... wow, you learn new things every day.

      cl

      --
      Reply . . . let's get it over with.
    4. Re:want to know who ;-) by Strog · · Score: 1

      The problem isn't with slashdot.org but with the www. part. Used to have problems with the cookies if you used www.slashdot.org instead of slashdot.org. Maybe you should watch who you are calling names if you don't understand either. But, this is /. after all so I wouldn't expect anything less from an AC.

  32. Firewall, shmirewall by alienmole · · Score: 5, Insightful
    Its a reminder

    Of just how much you need a firewall these days.

    Let's think that through. Let's say this honeypot had a standard packet-filtering firewall in front of it, e.g. the kind implemented by ipchains in Linux. Assume there are two services which we wish to expose to the outside world: Apache and SSH. So we set the firewall to forward all HTTP connections to Apache and all SSH connections to OpenSSH.

    Now, how secure is this network? You've got a firewall, so you're secure, right? Just two minor little flaws: the security holes mentioned in the article are in Apache and SSH. Your firewall didn't add any security at all! You're just as exposed as the next guy with no firewall.

    Sticking a firewall in front of your network and thinking you're secure can be very dangerous, if it lulls you into thinking that the machines behind the firewall are now secure. Most exploitable holes are not on the thousands of unused ports that a firewall blocks - they're on the ports that the firewall lets through.

    I should mention that with a stateful firewall, you can get greater security, since it monitors the actual content of the connection and may be able to detect hack attempts. However, stateful firewalls tend to be more expensive, less transparent (require more maintenance), and if they're commercial, more expensive. And many hacks can't even be detected by a stateful firewall, and there are all sorts of tunneling tricks that can be used to circumvent this kind of security. Ultimately, the only way to be secure is to make sure that every box that can be accessed from the outside is completely secure.

    Especially if you run windows.
    Along those lines, one of my favorite firewall-related quotes came from a sysadmin whose mail server and entire internal 70-station LAN had been infected by NIMDA: "But we have a firewall! How did it get through??"
    1. Re:Firewall, shmirewall by Anonymous Coward · · Score: 0

      Maybe I read your reply wrong, but sounds like you don't understand the point of a honey-pot system. Its intention *IS* to get hacked into!

      Stateful firewalling (such as IPF or PF) in BSD is a lot better than ipchains, especially considering they're not pseudo-stateful but rather true stateful firewalls. On another note, when you use the word forwarding, not all firewalls 'forward'. My main OpenBSD is ipless (no one can access it) and doesn't do ip forwarding, yet filters @ layer 2 & 3, statefully! Now if filtering was setup normally, in a non-honey-pot system then this would be ok + s/key disabled.

      PS: Nimda is a virus, not related to packet filtering firewalls.

    2. Re:Firewall, shmirewall by alienmole · · Score: 2
      Yes, you read my reply wrong. I was replying to someone who suggested that this article indicated the need for firewalls, and pointing out that firewalls don't necessarily protect you from attacks like these.

      I agree that a lot can be done with stateful firewalls. My point was really to dispel the notion that many people have that any old firewall will protect you from attacks like these. Although in the end, it's kinda futile, since just the word "firewall" conjures up visions of shiny magic boxes in people's heads, and overcoming the marketing is tough.

      As for Nimda, IIRC it spread through HTTP attacks as well as email, so it was more of a worm than a virus. Regardless, it is related to firewalls in the way implied by the previous paragraph. There are people out there who believe that their firewall protects them from exploits like Nimda. In fact, Nimda is a great case in point, since even if you had a stateful firewall which prevented the Nimda HTTP hack, your workstations could still become infected via email, potentially ultimately infecting your servers, and once again proving that admins shouldn't believe everything the slick salesman told them about the $18,000 Checkpoint Firewall-1 they just bought.

    3. Re:Firewall, shmirewall by evilviper · · Score: 3, Informative
      You are correct, to a point... Stateful packet filtering can be more secure, but certainly not for reasons you suggest.

      Stateful packet filters only check the first packet, and then only for the source, some flags, and then pass it through. Then it will make sure that following pieces of the conversation are limited to the same source, destination, and ports. What good does this do? Well, instead of just blindly passing ports through, you can say that inbound connections are only allowed if they are responses to outbound requests (net client), and vice versa (net servers).
      with a stateful firewall, you can get greater security, since it monitors the actual content of the connection and may be able to detect hack attempts
      I'm afraid that's just not true. A stateful firewall is really only concerned with the protocol, flags that are initially set, and source and dest ports. The contents could be pure random binary data sent to Apache or SSH, the firewall doesn't care.

      So, if your firewall is set to allow connections to Apache and SSH, the worm or exploit will still get through. As far as more secure, you could configure your firewall to prevent outbound connections, stopping the spread of worms from your machine to others, preventing the use of your machine to attack others, and preventing outbound connections (e.g. Sub7, outgoing e-mails, et al.)... However, even in that restrictive configuration, you are just as susceptible to an attacker connecting with SSH, or an exploit sending a: rm -rf /

      So, properly configured, a stateful firewall still can NOT prevent you from being exploited. However, it can prevent your server from being of any use to an attacker (or a worm).

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
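The behaviour evilviper describes above (state created from the first packet of a flow, later packets matched on addresses and ports only, payload never examined) is easy to see in a small model. The following is an added example, not code from the page, from pf/ipf/ipchains, or from any poster: it runs a constructed packet sequence through a toy layer-3/4 stateful filter sitting in front of an assumed honeypot at 10.0.0.5 that exposes only ports 22 and 80. The attacker address 192.0.2.77 and every port number are made up.

```python
"""Toy model of a layer-3/4 stateful packet filter.

Added example, not pf/ipf/ipchains code and not from the page: it models
state tracking as described in the thread (state from the first packet,
later packets matched on the 4-tuple only, payload ignored) on a
constructed packet sequence.  Addresses and ports are assumptions.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

HONEYPOT = "10.0.0.5"             # assumed address of the exposed box
ATTACKER = "192.0.2.77"           # assumed attacker address (TEST-NET-1)
ALLOWED_INBOUND_PORTS = {22, 80}  # sshd and httpd are deliberately exposed

FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool              # True for the first packet of a TCP connection
    payload: bytes = b""


class StatefulFilter:
    """Pass/drop decisions based only on the 4-tuple and the SYN flag."""

    def __init__(self) -> None:
        self.states: Set[FlowKey] = set()   # one entry per open flow
        self.log: List[str] = []

    def _in_state(self, p: Packet) -> bool:
        fwd: FlowKey = (p.src, p.sport, p.dst, p.dport)
        rev: FlowKey = (p.dst, p.dport, p.src, p.sport)
        return fwd in self.states or rev in self.states

    def filter(self, p: Packet) -> bool:
        """Return True if the packet is passed, False if it is dropped."""
        where = f"{p.src}:{p.sport} -> {p.dst}:{p.dport}"
        if self._in_state(p):
            # Part of an existing flow: passed on the 4-tuple alone.  The
            # payload is never examined, so exploit bytes ride through here.
            self.log.append(f"pass  state  {where} ({len(p.payload)} B)")
            return True
        if p.syn and p.dst == HONEYPOT and p.dport in ALLOWED_INBOUND_PORTS:
            # New inbound connection to an exposed service: create state.
            self.states.add((p.src, p.sport, p.dst, p.dport))
            self.log.append(f"pass  new    {where}")
            return True
        # Anything else is dropped: unsolicited inbound to a closed port, a
        # non-SYN packet with no matching state, or a *new* connection the
        # honeypot itself tries to open (bot joining IRC, outbound scan).
        self.log.append(f"drop         {where}")
        return False


def run_scenario() -> Tuple[List[bool], List[str]]:
    """Constructed packet sequence; returns (decisions, filter log)."""
    fw = StatefulFilter()
    packets = [
        Packet(ATTACKER, 40001, HONEYPOT, 80, syn=True),            # 0 SYN to httpd
        Packet(ATTACKER, 40001, HONEYPOT, 80, syn=False,
               payload=b"GET / HTTP/1.0\r\n\r\n"),                  # 1 ordinary request
        Packet(HONEYPOT, 80, ATTACKER, 40001, syn=False,
               payload=b"HTTP/1.0 200 OK\r\n"),                     # 2 reply, reverse direction
        Packet(ATTACKER, 40001, HONEYPOT, 80, syn=False,
               payload=b"POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n"
               + b"A" * 4000),                                      # 3 oversized attack request
        Packet(HONEYPOT, 49152, ATTACKER, 6667, syn=True),          # 4 compromised box dials out to IRC
        Packet(ATTACKER, 40002, HONEYPOT, 23, syn=True),            # 5 telnet: not exposed
        Packet(ATTACKER, 40003, HONEYPOT, 22, syn=False,
               payload=b"SSH-1.99-"),                               # 6 mid-stream packet, no SYN seen
    ]
    decisions = [fw.filter(p) for p in packets]
    return decisions, fw.log


if __name__ == "__main__":
    _, log = run_scenario()
    print("\n".join(log))
```

Packets 0 to 3 pass, the 4000-byte request included, because the flow exists and the filter never looks past the 4-tuple. Packets 4 to 6 are dropped; the first of them is the compromised box trying to open its own connection to an IRC server, which is the one thing this configuration does buy you.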
    4. Re:Firewall, shmirewall by Anonymous Coward · · Score: 0

      "My main OpenBSD is ipless (no one can access it)..." Are you absolutely sure about that? I ask because I am quite sure that you are wrong.

    5. Re:Firewall, shmirewall by alienmole · · Score: 1
      Stateful packet filters only check the first packet, and then only for the source, some flags, and then pass it through. Then it will make sure that following pieces of the conversation are limited to the same source, destination, and ports.

      You're correct that a firewall which exclusively performs OSI layer-3&4 stateful inspection works like this. I was speaking loosely, since commercial firewalls tend to be less focused than this. Perhaps I should have said "stateful multi-layer inspection firewalls", which is a more accurate description of the hybrid nature of many "stateful" commercial firewalls. These firewalls perform inspection at multiple OSI layers, in many cases right up to layer 7, the application layer. Firewalls like this are quite capable of protecting against the HTTP attacks of Nimda and Code Red.

      When I said "monitors the actual content of the connection", I again spoke too loosely: I was talking about the protocol content at the application layer, which is what layer-7 firewalls monitor.

      So, properly configured, a stateful firewall still can NOT prevent you from being exploited.

      Some of the layer-7 firewalls can prevent certain application exploits. Even something like this SSH hole could potentially be blocked by such a firewall, but it would depend on the specifics of the exploit and on what the firewall was checking for. But everything I said was intended to emphasize that firewalls do not provide a complete security solution, no matter how stateful they are or what network layer they operate at.

    6. Re:Firewall, shmirewall by mgv · · Score: 2

      Yes, you read my reply wrong. I was replying to someone who suggested that this article indicated the need for firewalls, and pointing out that firewalls don't necessarily protect you from attacks like these.

      I agree with most of what has been posted above. What I was pointing out in my initial post is just how quickly any system that has a routable IP address will most likely be probed. I'm not saying that firewalls are total protection. But I'm not turning off the firewall on my DSL connection right now either.

      In particular, having a windows 9X (no security) or win XP (Default user has admin rights with no password) on a machine without a firewall is likely to be compromised rather quickly.

      Michael

      --
      There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
    7. Re:Firewall, shmirewall by Anonymous Coward · · Score: 1, Interesting

      It's very easily possible.

      http://www.openlysecure.org/openbsd/how-to/invisible_firewall.html

      Only accessed from console.

    8. Re:Firewall, shmirewall by Fjord · · Score: 1

      I think he was referring to protocol filtering firewalls that do more than this. For example, in 1996 I worked at a place where the firewall would inspect the HTTP protocol and would terminate it if it looked fishy. This was a problem because I was attempting to POST using data other than url-encoded (my own mime type, this was before xml) from an application in one service network to another in another service network and it would terminate the connection. Turn off the protocol filtering and it would work (in this case it was because of what I think is a bug as it was more restrictive than the spec).

      --
      -no broken link
    9. Re:Firewall, shmirewall by evilviper · · Score: 2
      Okay, I understand what you meant.
      Some of the layer-7 firewalls can prevent certain application exploits. Even something like this SSH hole could potentially be blocked by such a firewall
      That's doubtful... Not impossible, but doubtful. To do that, the firewall (App-Layer Reverse SSH Proxy Actually) would need to generate SSH keys, decrypt all incoming traffic, then re-encrypt it before sending it back out again (just like a filtering HTTPS proxy). So, every server that the firewall serves will be seen as having the same key (the one on the firewall). Also, a firewall that does app-layer filtering is rather vulnerable to attack itself.

      Besides that, the OpenSSH vulnerability is easy to protect against. You simply have to disable S/Key (ChallengeResponse) auth, or upgrade to the latest version.

      Blocking exploits AFTER they have happened is not the job of a firewall (that's the IDS' part). Rather, a firewall should be able to block the attacks, or somehow help to render them useless.

      <rant>
      I don't see much value in reverse proxies. They are slow, not likely to block most exploits, and vulnerable themselves.

      You'd be much better off using a stateful firewall/router with a good ruleset, in combination with running services as a normal user, chroot-ing services, or using software that will keep the software in line (Systrace, imsafe, or something similar).

      I happen to recall some commercial software similar to imtrace that would detect strange behavior in running services, kill the process, ban the IP that caused the behavior temporarily, then restart the service. Their 'hack this server' site was a fairly impressive demonstration. Anyone happen to know the company name or URL?
      </rant>
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  33. A Gay Script Kiddie too? by XBL · · Score: 2

    My brother's girlfriend Danyel gave me this purply long skirt thingy. It is soo cool. I would wear it to school tomorrow, but there are these kids in the locker room who hate gay people.

    This guy has a lot going for him. He can crack any kid's computer that tried to beat him up.

    1. Re:A Gay Script Kiddie too? by BrookHarty · · Score: 2

      This guy has a lot going for him. He can crack any kid's computer that tried to beat him up.

      He can pack a gun, would that earn you more respect?

      Its a good thing they didnt post the kids IPs, these kids are just kids and should be left alone. They don't need more gay-bashing or script kiddie bashing. He just wanted to hack to put on an IRC bot script, which is pretty harmless, wrong, but harmless.

    2. Re:A Gay Script Kiddie too? by GigsVT · · Score: 1

      He just wanted to hack to put on an IRC bot script, which is pretty harmless, wrong, but harmless.

      Tell that to the guy I just sent a $600 bill to for cleaning up his computer after he was hacked by a "harmless kid looking to run IRC bots".

      I'm sure he would disagree about how harmless it was.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    3. Re:A Gay Script Kiddie too? by BrookHarty · · Score: 1

      I did say Harmless, and wrong. re-read my post.

    4. Re:A Gay Script Kiddie too? by GigsVT · · Score: 1

      But it's not harmless, monetary damages and lost productivity are real harm, it's not just a morality issue, there are tangible damages.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    5. Re:A Gay Script Kiddie too? by zootread · · Score: 1

      heh.. that reminds me of back in 1994 (give or take a year), when I was a teenager, and went around cracking systems. I'd see other crackers running those stupid IRC bots and I'd of course send them fake messages to their tty that their phone line has been traced and they will be prosecuted. I'd see them logout immediately (if I didn't kill their processes myself) and never show up again. Good times.

      --
      Zoot!
    6. Re:A Gay Script Kiddie too? by BrookHarty · · Score: 2

      If your system is compromised, and you don't know, what harm has been caused? Not all compromised systems produce monetary damages or lost productivity. But I'm sure you can find your system cracked, spend a million dollars on upgrading security, and consulting fees, and say some "script kiddie" just cost your company a million dollars.

    7. Re:A Gay Script Kiddie too? by GigsVT · · Score: 1

      If your system is compromised, and you don't know, what harm has been caused? Not all compromised systems produce monetary damages or lost productivity.

      All compromised systems cost people in the form of time spent cleaning it up. Once a system is compromised, unless you were running an integrity checking program, it's basically impossible to trust any binary on it without a clean reinstall, or a tedious comparison of checksums.

      In a business environment, this means downtime, and lost money, in addition to whatever you have to pay whoever is cleaning it up.

      Leaving up a system that is known to be compromised could expose you to legal liability from the actions of the cracker.

      I can't believe you think cracking is harmless. Even if it is never discovered, that means that your privacy is compromised, your bandwidth and resources are stolen, and could possibly open you up to more malicious attacks if there is a badly secured backdoor installed.

      Maybe you are just trying to rationalize your own illegal behavior? Cracking cost companies real money, not just fabricated figures.

      A lot of the numbers are trumped up, and sometimes people overreact, like those kids that were put on extended suspension for hacking their school computer, but that doesn't mean that cracking is harmless, it is far from it.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
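GigsVT's "tedious comparison of checksums" is mechanical once a baseline exists. The block below is an added example, not any poster's tool and not Tripwire, mtree(8) or anything from the honeypot paper: it hashes a directory tree into a manifest and reports modified, added and removed files against an earlier manifest. The demo directory, file names and file contents are constructed. The caveat that matters in practice: both the baseline manifest and the checking tool must live off the suspect machine (read-only media, or boot from a known-good system), because once the box is rooted the ps, ls and sha256 binaries on it, and the kernel feeding them file contents, can all lie.

```python
"""Baseline-and-compare file integrity check.

Added example, not any poster's tool and not Tripwire or mtree(8): it shows
the 'compare checksums' step referred to in the thread.  Every regular file
under a directory is hashed into a manifest; a later manifest is diffed
against it.  The demo builds a throwaway tree (constructed sample data) so
the whole thing runs offline.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Entry = Tuple[int, str]        # (size in bytes, sha256 hex digest)
Manifest = Dict[str, Entry]    # posix-style relative path -> Entry


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries need little RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Manifest:
    """Hash every regular file under root.  Symlinks are skipped here: an
    attacker can point one anywhere, so record them separately if needed."""
    manifest: Manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = (p.stat().st_size, hash_file(p))
    return manifest


def compare(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Diff two manifests.  Size alone is not enough: a trojaned binary
    padded to the original length still changes the hash."""
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(k for k in common if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo() -> Tuple[Dict[str, List[str]], Manifest, Manifest]:
    """Build a tiny fake filesystem, baseline it, tamper with it the way a
    bot/rootkit install would, and return (diff, baseline, current)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {                                   # constructed contents
            "bin/ps": b"#!/bin/sh\nexec /bin/ps.real \"$@\"\n",
            "bin/ls": b"#!/bin/sh\nexec /bin/ls.real \"$@\"\n",
            "etc/passwd": b"root:*:0:0:Charlie &:/root:/bin/csh\n",
            "var/log/authlog": b"May 10 02:11:03 hp sshd[1234]: Accepted\n",
        }
        for rel, data in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        baseline = build_manifest(root)

        # Tampering (constructed): a same-length edit to ps, so a size check
        # would miss it; a hidden bot dropped in; the auth log wiped.
        (root / "bin/ps").write_bytes(
            files["bin/ps"].replace(b"/bin/ps.real", b"/tmp/.x/hide"))
        (root / "usr/lib/.x").mkdir(parents=True)
        (root / "usr/lib/.x/eggdrop").write_bytes(b"\x7fELF bot\n")
        (root / "var/log/authlog").unlink()

        current = build_manifest(root)
        return compare(baseline, current), baseline, current


if __name__ == "__main__":
    diff, _, _ = demo()
    for kind, paths in diff.items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Run the baseline from a clean install and store the manifest somewhere the machine cannot write; re-run from trusted media after an incident. In the demo the trojaned ps keeps its original size and is still reported, the bot shows up as added, and the deleted log as removed.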
    8. Re:A Gay Script Kiddie too? by BrookHarty · · Score: 2

      My god, you guys rate crackers as terrorists or murderers. WTF is wrong with you?! Yes you need to protect your systems, and you need to slap the kids on the wrists for cracking, but if a kid trespasses, you put a bigger lock on your door, you don't build a new house and shoot the kid. Get some fucking perspective.

      Maybe you are just trying to rationalize your own illegal behavior?

      Maybe you're a tight-assed Republican, hard-core Christian who believes in the death penalty, and hates gays.

      BTW, people can support a prosecuted group, and not belong to that group. I for one, believe that the "Zero Tolerance" approach is more evil than murder. You need to look at each case, and punish for the level of intent. Stop believing the FUD, crackers/hackers have been around for 30+ years on our computer systems, only a very few cause monetary damage. But yes, he was pretty harmless compared to most, and yes I believe its wrong to enter a computer uninvited.

    9. Re:A Gay Script Kiddie too? by GigsVT · · Score: 1

      Maybe you're a tight-assed Republican, hard-core Christian who believes in the death penalty, and hates gays.

      Libertarian, and I have no position on the death penalty. Homosexuals are OK by me.

      I view crackers more like shoplifters. I don't believe what they do is harmless, and the potential loss is much higher than in the case of shoplifting, but it is usually on the same scale.

      I'm not believing FUD, I'm basing my opinion on the damage I have personally seen crackers cause. I do some freelance consulting in my spare time, and sometimes I do cleanups after someone is broken into. It's a serious matter, not to be taken lightly, when a business server is compromised.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    10. Re:A Gay Script Kiddie too? by waferbuster · · Score: 1
      Hmm, my perspective is that if someone trespasses into my house uninvited (because the lock I have is not pick-proof, or by breaking a window, or some other overt method of bypassing my wishes), it's not an issue of my lock/security being inadequate. It's an issue of some kid not respecting my rights. Locks are to keep out the honest people. For others, there are other deterrents.

      I do think this kid isn't going to be doing much 3l33t playing for a while... his mommy is probably going to spank him (figuratively) for the hassles this is causing her, once she understands what he was trying to do.

      A couple of weeks ago, I did a simple workstation install of BSD. While I had it connected outside my firewall getting packages via FTP, some kiddie rooted it and started sending out mass emails from my IP. Needless to say, I was *not* a happy camper. I'm just glad that no complaints were filed with my ISP.

      I think having this kid wash cars for the local Windows Users Group members would be appropriate.

      --
      I'm an individual! Just like everyone else!
    11. Re:A Gay Script Kiddie too? by BrookHarty · · Score: 1

      Here the kids have to work in the animal shelter, help putting the animals down, and sweeping up the ashes. I don't think we have boot camp here, but I'd rather them be scared straight than end up in prison.

    12. Re:A Gay Script Kiddie too? by Shanep · · Score: 2

      Hey, there are even gays on the other side of the fence, so to speak...

      Here is Theo de Raadt slamming into Darren Reed over Darren having a bit of a poke at OpenBSD practices in the shadow of the recent OpenSSH hole that led to a remote exploit in the default install.

      I spend more than 8 hours of every single day of my life auditing code (and over the last week, 16+ hours a day), and here is some gay guy from Australia who spent all of Usenix in San Antonio years ago moping with droopy eyes after a very straight and girlfriended Mudge is not going to tell me that I am not doing enough

      I love reading Theo's posts.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    13. Re:A Gay Script Kiddie too? by Anonymous Coward · · Score: 0

      but, like 'packing a gun', what he did was illegal. Breaking and entering is most certainly NOT harmless. The more people realize that they can get in serious trouble for this kind of thing (go to jail), the less it may happen.

    14. Re:A Gay Script Kiddie too? by Anonymous Coward · · Score: 0

      i think you're full of crap. what kind of consulting do you really do? consulting with goatse.cx???

      you're one of those people who just argues for the sake of arguing. potential loss this and that -- all your opinions, personal anecdotes, and no hard facts to back them up. you're just making it all up, pretending to be a "concerned" individual. the only thing you should be concerned with is your consulting work with goatse.cx.

  34. BLAH by Junior+Macintosh · · Score: 2, Interesting

    For some interesting reading related to this article, take a look at the text files that come with the exploit that was used to crack this honeypot.

  35. Most hacked? by the_rev_matt · · Score: 1

    > Most honeypots out there tend to be Redhat Linux as it's has the worst record for security out of pretty much every OS out there, and so it makes for a good honeypot since the goal is to get hacked.

    Obviously, he's never heard of Windows.

    --
    this is getting old and so are you

    blog

  36. Re:Mmmm.... by Anonymous Coward · · Score: 0

    I love you Hunnybunny!

  37. Omegakidd postings to alt.hacking and other grps by Anonymous Coward · · Score: 0

    Link to newsgroups provides clues of information sources used by this script kiddy. No direct references to this exploit though.

  38. Re:Details of one of the hackers by omegakidd · · Score: 1

    That has already been posted...

  39. Got guts? by autocracy · · Score: 1, Troll

    Wow... most of us feel good about getting a story we've written posted on Slashdot. You got a story written about you! Kudos man... now if only it wasn't a story about something you did that was incredibly stupid!

    --
    SIG: HUP
  40. "Hacker 1" who's "Hacker 2"? by jarodss · · Score: 2

    Ok, so we have info on "Hacker 1" but what about his little friend "Hacker 2"? Who is he? Maybe omegakidd can help us out with that one...

    1. Re:"Hacker 1" who's "Hacker 2"? by capnjack41 · · Score: 1
      He may have been mentioned on the about page...

      About Omegapunx

      operating system: FreeBSD 4.5
      processor: 845Mhz AMD Duron Processor
      ram: 576 MB
      ide1: 40 GB Hard Drive
      ide2: 52x CD-ROM
      nic: Linksys 10/100 base NIC
      monitor: 17" Hewlett Packard
      info: It all started out when me(omegakidd) and Joe(punkman) created a channel on EFnet. Then I decided to get omegapunx.org. That is the end of that.

    2. Re:"Hacker 1" who's "Hacker 2"? by jarodss · · Score: 2

      He's actually updated this page, he says his friend doesn't want the publicity or something along those lines in the forum.

      operating system: FreeBSD 4.5
      processor: 845MHz AMD Duron Processor
      ram: 576 MB
      ide1: 40 GB Hard Drive
      ide2: 52x CD-ROM
      nic: Linksys 10/100 base NIC
      monitor: 17" Hewlett Packard
      info: It all started out when me(omegakidd) and my friend created a channel on EFnet. Then I decided to get omegapunx.org. That is the end of that.

    3. Re:"Hacker 1" who's "Hacker 2"? by capnjack41 · · Score: 1

      hmm...well, I suppose he's learned his lesson by now. Maybe we should leave the poor bastard(s) alone.

    4. Re:"Hacker 1" who's "Hacker 2"? by Anonymous Coward · · Score: 0

      ....I'm sure they know that they aren't some big 'hackers' why are they so stupid to you people? they're just messin around
      YOU'RE CRAZY!

  41. Re:A Gay Script Kiddie too? No. by LoonXTall · · Score: 4, Insightful

    Clothing doesn't make people gay. Try reading this book and see if you look at the world in the same way ever again.

    --

    ~~~LXT~~~
    Life is like a computer program: anything that can't happen, will.

  42. Dollar Bill by 80N · · Score: 1

    I've got a dollar bill with www.omegapunx.org written on it. Do I win something?

    1. Re:Dollar Bill by omegakidd · · Score: 1

      Hmm. wow. thats cool. you win the dollar bill of the person who had no clue what he was doing.

  43. My sincerest apologies. by mikeanuzis · · Score: 5, Insightful

    First, my apologies to the Honeynet Project (http://project.honeynet.org), the Distributed Honeypot Project (http://www.lucidic.net), and everyone else who does research in the field of honeynets for releasing a paper which revealed the identity of the hackers involved, as this clearly doesn't fall into the scope of releasing a good whitepaper on the topic.

    Second, my sincerest apologies to the two hackers who compromised my honeypot. I went through and tried to conceal the identity of the two hackers involved, but it's true I knew they could still be traced by searching Google's cache for pretty much any sentence on the cached page I displayed. I had no intention of revealing their identities, and it's clear I thoroughly overestimated the level of maturity of my target audience. To be completely honest, I would rather have never had this article featured on deadly.org and /. if I had known ahead of time how badly the two hackers' personal information would be exploited.

    To those people who read this, please stop bugging the hackers involved. They appear to be nothing more than innocent (and slightly unwise) kids. Let's grow up for a minute here for their sake. It can't be all bad, because after all they did hack a honeypot... so I guess there's a moral to be learned with this story, but please don't take their humiliation any farther than it's already gone.

    I'm honored my whitepaper was featured on these great websites, and I hate to feel like I'm crashing the party... but I can't help but feel bad for the poor hackers involved.

    With utmost sincerity, Michael Anuzis

    1. Re:My sincerest apologies. by Alric · · Score: 1

      Oh please, don't be so self-righteous.

      Those two kids are probably loving the attention right now. Did you even check out their website? /. is featured in his Links section. I agree that people shouldn't be calling him at home or otherwise harassing him, but a few emails or guestbook entries is a small price to pay for getting caught in the midst of a stupid, stupid (and illegal) act.

      The white paper was a good read; just keep in mind that these kids are most likely bragging to their friends about their being on the front page of slashdot.

      Peace.
      Alric.

    2. Re:My sincerest apologies. by LionMan · · Score: 2

      I disagree; attention it is, but not positive attention. Their servers are being hit with posts of 'that was a dumb thing to do' (look at the guest book) and the like. It's a lot of negative attention, and the kids are probably feeling pretty shitty right now being the target of name-calling and attacks (verbal, and their computers are probably being attacked also.)

      Don't stereotype that just because they are teenagers they crave any type of attention.

      --
      -Leo

    3. Re:My sincerest apologies. by Anonymous Coward · · Score: 0

      Um, that's not the honeypot paper author. It's the omega kid trying to do damage control, posing as the paper author.

      Check out the uid.

    4. Re:My sincerest apologies. by Anonymous Coward · · Score: 0

      I agree with you. What I hope is that they've learned their lesson with this happening. And turn to the good side. Would they have learned their lesson if they hadn't gotten this attention? Will this help them turn to the good side?

      Michael shouldn't have made some of the screenshots public. But he could have said he searched for their identity and how he did that. That's the interesting part. That's what a sysadmin would have needed if he found out his box had been rooted.

    5. Re:My sincerest apologies. by Anonymous Coward · · Score: 0

      Right on. This is the only post the user had ever made. I guess we can add "identity theft" to omega kidd's list of crimes. He's picking a fight with openbsd users. He'll regret this.

  44. Whose sincerest apologies?! by andfarm · · Score: 1

    Note that this user has only posted one message, and has no information linking them to the actual author of the article. The legitimacy of the message should be IN QUESTION.

    (Off topic: How did this posting get +1 without any other comments to get karma from?)

    --

    TANSTAAFI: There Ain't No Such Thing As A Free iPod.

  45. Photo here... by 10+Speed · · Score: 1

    http://www.omegapunx.org/pics/me/Pict0003.JPG

    1. Re:Photo here... by satanami69 · · Score: 1

      I swear from pic 3 to 5 it looks like the dude in blue is about to go down on you. And where the hell is pic 18 at?

      --
      I really hate Dan Patrick.

  46. It was a honeypot, he did nothing wrong by mangu · · Score: 2

    The purpose of a honeypot is to get knowledge from the hacker. In this case, I think the sysadmin should pay the hacker for the knowledge gained.

    1. Re:It was a honeypot, he did nothing wrong by GigsVT · · Score: 1

      God, you people are so full of shit. I guess if I leave my house unlocked, it is OK to hang out inside and eat some of my food.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.

    2. Re:It was a honeypot, he did nothing wrong by brianosaurus · · Score: 1

      no, dipshit.

      a honeypot is basically a computer with a "hack me please" sign on it. it's more analogous to you leaving your door open with a sign saying "free food", in which case it would appear to be OK to hang out and eat at your place.

      --
      blog

    3. Re:It was a honeypot, he did nothing wrong by waferbuster · · Score: 1

      Wrong!

      Like a lot of folks, you are missing the *intent* with which he accessed the computer. It's one thing to surf web pages served by a computer belonging to someone else, which are intended to be publicly accessed. It's another thing entirely to use a recently publicized exploit to gain root access to someone's computer without their approval.

      The proper analogy would be driving down the street until you spot a house with newspapers piled up on the porch (indicating that the house is probably unguarded/unoccupied), and then going around back and breaking a window to enter and eat the food.

      Results are important, but let's not confuse the fact that the kid was unable to use his illicit root access due to configuration of the honeypot and his own ineptitude. He intended to break in... he didn't just accidentally stumble into root mode.

      --
      I'm an individual! Just like everyone else!

    4. Re:It was a honeypot, he did nothing wrong by GigsVT · · Score: 1

      Yeah those women that wear short skirts in bad parts of town are asking to be raped too.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.

    5. Re:It was a honeypot, he did nothing wrong by mosch · · Score: 3, Funny

      Could I please have the IP address of the servers you admin, so I can give you some knowledge? I'll send you a bill afterwards.

    6. Re:It was a honeypot, he did nothing wrong by mangu · · Score: 2

      > Yeah those women that wear short skirts in bad parts of town are asking to be raped too.

      Not exactly raped, but there are female police officers who do that to catch men who are looking for prostitutes, where prostitution is illegal. If not done exactly right, this is called "entrapment" and the perpetrator walks free.

      A badly designed honeypot may be contributing to hacking, and may be considered as participating in the crime. The honeypot sysadmin may be an accessory before the fact.

      Thinking from a moral standpoint, i.e. considering the spirit of the law instead of merely the letter, I believe the guiltiest part here was the sysadmin who set the trap. He was an experienced computer professional who induced a somewhat confused teen to commit an illegal act.

    7. Re:It was a honeypot, he did nothing wrong by GigsVT · · Score: 1

      > He was an experienced computer professional who induced a somewhat confused teen to commit an illegal act.

      You don't understand entrapment.

      http://www.lectlaw.com/def/e024.htm

      ENTRAPMENT - A person is 'entrapped' when he is induced or persuaded by law enforcement officers or their agents to commit a crime *that he had no previous intent to commit*; and the law as a matter of policy forbids conviction in such a case.

      The part in bold is important. The kid had a previous intent to commit the acts of breaking into a computer. He was not enticed into cracking because he saw the honeypot; in fact it's nearly impossible to argue that. He had to have been running a vulnerability scanner on random subnets that he did not own, looking for computers to break into, before he would even find the honeypot, and that clearly establishes intent to break into computers.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.

    8. Re:It was a honeypot, he did nothing wrong by Anonymous Coward · · Score: 0

      ok, so what does it really matter in this case?

      mr. openbsd admin is not after him. in fact, mr. openbsd admin is happy that the kid hacked into his experiment, making it a success.

      did you want to sue the kid yourself? what's your point? maybe you're such a goatse.cx person that you can't just leave this matter for what it is.

  47. Kid wants to hide his screenshots. by Shanep · · Score: 2

    As of the 13th of July, our script kid friend wants to hide his screenshots section for some reason.

    Too bad Google has it cached.

    --
    War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    1. Re:Kid wants to hide his screenshots. by omegakidd · · Score: 1

      Wouldn't you want to?

    2. Re:Kid wants to hide his screenshots. by Shanep · · Score: 2

      I think you've been given a bit of a bad rap here.

      Script kiddying is nothing to be proud of, but I don't think it's anything to be ashamed of either. People who take care of servers on the net, who don't keep them patched, should be ashamed. Before someone jumps down my throat, I'm not referring to the Honeypot, it did what it was supposed to do, I'm referring to real production servers.

      If it weren't for root kits, there would be less desire to keep secure, as I believe real hackers are a rarity amongst all the script kids. Script kids keep admins on their toes. Kids will be kids.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?

  48. It's 3:48 by Anonymous Coward · · Score: 0

    Time for a reminder that BSD is dead:

    BSD is dead and has been for a long time.

    Join us again at 3:58 for another reminder. Coming up next: traffic and weather together.

  49. Mirror site of the whitepaper by mikeanuzis · · Score: 3, Informative

    For those interested, the site the whitepaper was on has been temporarily disabled by the web hosting company due to too much traffic.

    Another copy of the whitepaper is available at:
    http://www.anuzisnetworking.com/whitepapers/

    And to verify, yes it was in fact me who posted the above apology. --Michael Anuzis

  50. Not Online by serialdj · · Score: 1

    Just an interesting note that the whitepaper in question has been removed from the web site. Started reading it yesterday and was unable to finish reading it. Slashdot effect? Anyone have it saved, could ya send it to me at robert.fleming@rogers.com

    1. Re:Not Online by omegakidd · · Score: 1

      Well, the web site has gone over its bandwidth limit. But you can search for the cached one on Google or just go to the one that he posted.

  51. It's 9:04 by Anonymous Coward · · Score: 0

    Time for another reminder that BSD is dead:

    BSD has more holes than Swiss cheese! No wonder it can't be used in any type of business environment.

    Coming up next, traffic and weather together.

  52. Elegy for *BSD by Anonymous Coward · · Score: 0

    I am a *BSD luser
    and I try hard to be brave
    That is a tall order
    *BSD's foot is in the grave.

    I tap at my toy keyboard
    and whistle a happy tune
    but keeping happy's so hard,
    *BSD will die real soon.

    Each day I wake and softly sob
    Nightfall finds me crying
    Not only am I a zit faced slob
    but *BSD is dying.

  53. It's 11:00. Do you know where your BSD is? by Anonymous Coward · · Score: 0

    I'm sorry I have to tell you this, but I think it's dead ma'am.

    Time of death: 5 years ago.