Honeytokens: The Other Honeypot

martyros writes "I just read a fascinating article by Lance Spitzner securityfocus.com about a concept he calls honeytokens. The idea is similar to that of a honeypot, which he defines as "an information system resource whose value lies in unauthorized or illicit use of that resource". Rather than having a computer that's designed to be broken into, however, you have say, a record in a database or a file has no legitimate use; ergo, if anyone uses it, it must be illegitimate. An example he gives: adding a record to the hospital database for a guy named "John F. Kennedy". It doesn't correspond to a real person, so no one has any business looking at the file. If someone does access it, you know that they're abusing their privileges somehow. The article has several other clever examples, which I found very thought-provoking."

Or they made a mistake

[buffer-overflowed]

Or there's a flaw in your software.

Or they were poking around bored.

Or you've been hacked in which case you won't have an access record anyway if the hacker did their job right.

Yes, quite superior to a honeypot, in every way.

Re:Or they made a mistake

actually, if i found a record named "john f. kennedy", i'd definitely look it up, just because i am curious and i would want to know why it is in there...

Re:Or they made a mistake

[in7ane]

I agree, it's just too likely that it will be people from within the organization just 'poking around' with no ill intent.

It's just human nature - same as having to open a box with the sign 'do not open' on it :)

Add to this that authorized workers will likely be told about these and told to keep out - causing a flood of 'I wonder what's in there...'

Re:Or they made a mistake

[captain_craptacular]

I agree, the database example is especially bad.

It's very easy for beginners to write erroneous SQL which will access every record in a table.
There are also lots of situations in SQL in which you legitimately need to access every row in a table, or in which the database does so on your behalf.

For example:
If you have a non-indexed table called Names. and you do select * from names where last_name = 'Smith'. Every row will be looked at. Legitimately.

Re:Or they made a mistake

[MrScience]

Either way (on the first two examples), it would be usefull to know you had a flaw, or that there were bored employees perusing patient files.

Re:Or they made a mistake

[highcaffeine]

I was going to mod this down (overrated), but decided I'd rather reply.

No one said that honeytokens are superior in every way to honeypots and should be used in place of the latter. That you pulled out of your hindquarters. Basically, what you said could be expressed similarly in this example: "Seat belts are not absolutely superior in every way to the steel frame of a car, so what's the point in buckling up?"

I would hope that makes it clear how faulty your logic is. Like using seat belts in addition to a protective steel frame, to provide added protection, honeytokens could be used in addition to honeypots. Their ultimate goals are the same: protect your life (frame/seat belts) or your data (honey[pot|token]). If your life/data is that important, why not provide all the layers of security you can?

One advantage that honeytokens do have is in who they can help protect against. Honeypots are typically deployed to detect and help figure out how to protect against external threats. Anyone with a shred of sense about security knows, however, that you also need to protect against internal threats. Deploying honeytokens can help in that vein, by posssibly detecting internal abuse of your systems.

Just because honeytokens won't protect against everything, solve global hunger, and bring about world peace, doesn't mean they shouldn't or can't be used effectively.

Re:Or they made a mistake

[aafiske]

"Or they were poking around bored.

Or you've been hacked in which case you won't have an access record anyway if the hacker did their job right."

Well, for point one, if someone is bored and is poking around a medical database, that's a problem. And someone using a honeytoken credit card number is never okay. It's not something you do because you're bored.

And the hacker might have compromised one system and gotten data, but the point is that you put some fake data in there as well. So then hacker says 'hooray, I've gotten the CFO's password, let me go check out some interesting numbers in their computers' and suddenly they're caught red-handed, because that login doesn't exist in reality, and the computer in question is set up to notify people immediately on a honeytoken login.

These examples are taken from the article. It's a pretty clever idea and is much more versatile than the idea of a honeypot just as a server.

Re:Or they made a mistake

[Titusdot+Groan]

There are lots of applications where poking around bored is unacceptable; Medical, Financial, Law Enforcement, National Security to name the first few that come to mind.

I personally don't want the system administrator at my Doctor's office browsing my health records or random people at my bank browsing my financial information.

Re:Or they made a mistake

[singularity]

Or they made a mistake

Yeah, no employer would want to know about accidental DB access...

Or there's a flaw in your software.

Yeah, I *definitely* would not want to know about that.

Or they were poking around bored.

Once again, no employer would want to know about curious poking-around by employees.

Or you've been hacked in which case you won't have an access record anyway if the hacker did their job right.

Yeah, not worth it to take 30 seconds to make up a false record, since *every* cracker covers their tracks perfectly.

Yes, quite superior to a honeypot, in every way.

Different tools, different uses.

Re:Or they made a mistake

[dasmegabyte]

Ok -- I think this isn't necessarily a bad idea, so long as you don't expect it to be the end-all, be-all of security. I often perform wierd ad-hoc queries on tables for data mining purposes, or to help our support team do things that their program just won't do (like cross index reports for a list of ids).

Some DBAs LOVE to think that their precious data is only access the way they want it to be accessed. I once had a guy tell me, flat out, "You guys should never be doing ad hoc queries. Write and submit a stored procedure for everything you do." I have never heard a more ivory tower asshole statement in my life, and you better believe I didn't listen for a second. Nor should I have, nor would he really want me to...when the CEO comes over and asks for usage statistics for a potential customer, he doesn't want to be told "Wait until the DBA shmuck reviews this query first." It becomes harder to justify your excessive salary when all you do is prevent us programming peons from doing our job and call it "security."

If I pull up a honeyrecord, and you're my dba, you should ask me about it, but not assume my account has been hacked and lock it down. Which means this is nothing more than yet another check measure. You'll still have to eye your logs and know your system.

You know, this is actually a great way to prove somebody from outside has been data mining, and prosecute them for it. Put bullshit data in your db. If it shows up on somebody's website as fact, you'll know they were grabbing your shit. Producers of maps do similar things...invent dead end streets and place them where nobody will ever try to go. If you look at somebody else's map, and you find your BS street, you know they plagarized. Just make sure you never buy a house on that street. Heh.

Re:Or they made a mistake

[wmshub]

If you are a desk clerk at a hospital, then the hospital would have every right to fire you.

Hospital records are supposed to be kept as private as possible. Employees who satisfy their own curiousity without caring whose privacy they compromise should never have be allowed to have jobs where "poking around" in private data is possible.

Re:Or they made a mistake

[SewersOfRivendell]

Or they were poking around bored.

If so, they deserve to be fired. Boredom is not an excuse for violating patient privacy.

Re:Or they made a mistake

[buffer-overflowed]

And a red flag should be triggered regardless of the legitimacy of the data.

Therefore, having illegitimate data serves almost no purpose except to make it arguably more easy to detect.

You should be able to detect behaviors of this type without resorting to this method.

Re:Or they made a mistake

[Anonvmous+Coward]

"Yes, quite superior to a honeypot, in every way."

Nitpick nitpick nitpick.

All this negativity because the intentionally vague yet illustrative example didn't pass the "can I poke a hole in it?" test.

The concept is sound. It just requires a little creative thinking to make it work in your own specialized case. Try putting energy into making the concept work instead of pointing out the flaws in the illustrative example.

Re:Or they made a mistake

[timmyf2371]

The UK's Data Protection Act is designed to stop things even like this.

Employees within an organisation should not be accessing records about a customer/patient without the client's consent - ill intent or no ill intent.

Particularly records such as hospital records - staff should under no circumstances be accessing records for any person, ie John F Kennedy, unless required by the customer/client/patient.

If employees are poking around in files which are designed to trap them, what is to say they're not poking around in your records without your consent - is this breach of privacy acceptable to you?

Re:Or they made a mistake

[questamor]

Producers of maps do similar things...invent dead end streets and place them where nobody will ever try to go.

When I worked in mapping, this is exactly what we did, and we kept a database of the false information and could check quite quickly if another supplier's dataset matched ours, "bug for bug"

The false street is one, and is used in products where an extra nonexistent street wasn't something that could have problems with the use of the map in particular. There are dozens of other methods for different datasets, depending on their use. That's been going on for decades in the mapping industry.

Re:Or they made a mistake

[buffer-overflowed]

Actually everyone has expanded on what I was saying. Admitting it's not a perfect example or a perfect solution.

Only one person responded to the or it's a mistake, which is probably the biggest flaw in the example.

I could use a troll, you want the job?

Re:Or they made a mistake

[IWannaBeAnAC]

Maybe, just maybe, in a hospital database I would agree. But there are many fields where you would want people to notice and flag suspicous looking records.

Even in the hospital example, what would you do if the office worker noticed something was wrong? Say, there was an obvious typo or something like that, potentially serious if nobody notices. Do you want the worker to be afraid of reporting it?

While I can see the obvious abuse, poking around stuff that you wern't specifically told to poke is the stuff of legends, it would be a shame if society evolved into a "no permission means no look, no touch" attitude.

Sure, I can see that honeytokens can (and are - after all its just a version of the old 'put a marked note in the safe' trick that has been used in one form or another probably forever) be really useful - but it isn't a replacement for TRUST. I wouldn't want to see this applied universally, especially on public networks.

Re:Or they made a mistake

[Cordath]

"Or they were poking around bored."

That's exactly the sort of "abuse" that a honeytoken in a hospital database is supposed to alert you to. Patient data is confidential and employees should not be looking at a patient record unless they have a reason to. Being bored doesn't cut it, and the employees *know* it. It's like bored police officers breaking out the impounded cocaine for a party with the hookers in holding.

Heck, now I have to wonder if the police intentionally impound guns and drugs associated with fictitious crimes... A bottle of gin and doobie could be a honeytoken? Who'da thunk it!?

Re:Or they made a mistake

[IWannaBeAnAC]

Interesting. I would have expected that "national security" is one of the few places where 'random' poking around, following up idle speculations etc. is absolutely worth doing, because you might uncover something important.

I can see this might be a problem in the USA though. In mosts countries, the secret services have nothing to do with law enforcement so a spook coming across a record that showed minor suspicous (in a criminal sense) behaviour, as long as it has no national security implications, would just ignore it. Unfortunately, in the USA, the agency likely to be doing the (illegal) snooping is the one and the only FBI, it means that (1) the national security has its hands tied by being constrained by procedures designed for ordinary criminals, and (2) procedures that ought to be use ONLY for serious national security (eg echelon?, unauthorized wiretaps etc) get misappropriated for urban law enforcement.

Re:Or they made a mistake

[owlstead]

Well, they do not have to be convicted right away. Maybe somebody will ask what the hell they were doing there first.

Re:Or they made a mistake

[in7ane]

Random employees at a hospital - no it would not be ok. But how about a more likely scenario of your doctor (who has the righ to access) looking through their database and stumbling onto something like this. Or an even more likely case of a product database at [insert retailer/manufacturer name here].

Don't get me wrong, I'm all for privacy and security, this just seems like a method that will give far too many false positives (intrusions) for it to be effective.

Re:Or they made a mistake

[Big+Jason]

By that logic, I the UNIX Admin, should give you the root password because you think you need it to write some half-ass code, or do a "chmod -Rf 777 ..". DBAs and SAs exist to *manage* the environment, your job is to write shoddy code.

Re:Or they made a mistake

[timmyf2371]

But how about a more likely scenario of your doctor (who has the righ to access)

AFAIK, a doctor has the right to access his/her own patients in the course of their work - the laws governing this are very strict.

If a record is false and there is no real person who the doctor has ever attended to, what right does he have to access the data?

Re:Or they made a mistake

[jeremyp]

Why are you letting beginners write SQL to access your live database without any testing on your test system?

Re:Or they made a mistake

[vsprintf]

It's very easy for beginners to write erroneous SQL which will access every record in a table.

Not just beginners. Half of the reporting and maintenance querries are likely to hit their trick records. They'd be constantly responding to false positives.

Re:Or they made a mistake

[jeremyp]

Put three records in then.

Once is happenstance
Twice is coincidence
Three times is enemy action.
(Goldfinger)

Re:Or they made a mistake

[feepness]

Or there's a flaw in your software.

Or they were poking around bored.

Or you've been hacked in which case you won't have an access record anyway if the hacker did their job right.

Yes, quite superior to a honeypot, in every way.

It's not superior it's a tool. You wouldn't want to ignore any tool, would you? Any of the above things are REASONABLE flags for you to have a look-see... maybe not get crazy, but at least look around.

Would you NOT want to know about flaw in your software?

Would you NOT want to know about the nosy employees and whether they had a legitimate reason or a pattern of snoopiness?

Would you NOT want to know about hackers if they don't "do their job right"?

Oh I see, you'd prefer to setup a honeypot and congratulate yourself on how clever you are.

Re:Or they made a mistake

[anderm7]

On the other hand, if the record is false, no ones privacy has been violated.

Re:Or they made a mistake

[ajs318]

Employees who satisfy their own curiousity without caring whose privacy they compromise should never have be allowed to have jobs where "poking around" in private data is possible.

I can't agree with that. My sense of morbid curiosity makes gerbils look positively ignorant. As long as you never (a) reveal information you shouldn't have accessed, nor (b) base a decision on such information, it is not a problem for me. Possession of information is never wrong {claiming otherwise creates the concept of thoughtcrime}, though it can certainly be misused.

Re:Or they made a mistake

[fyonn]

If employees are poking around in files which are designed to trap them

this is vaguely reminiscent of the trivial pursuit case. basically a guy wrote lots of trivia books and was worried about ppl "stealing" his trivia facts for their own competing trivia books. so he planted a false bit of trivia (that columbo's first name was philip) and waited for someone to copy it. and trivial pursuit were the ones who did and they promptly got sued. of course the case got thrown out of court (you copy one person it's plagarism, you copy hundreds, it's research) but it's still an interesting point I think...

and of course, proof of my own vast store of trivia ;)

dave

Re:Or they made a mistake

[dasmegabyte]

God, it's assholes admins like this that give IT a bad name...and are probably the reason why so many jobs are getting outsourced. I mean, why keep around people who think it's their job to be a beligerent elitist and in the process stop everybody else from getting their job done? I didn't think Nick Burns was a funny character at all...I thought he was a sick composite.

Listen. Management doesn't mean discouragement. It does not mean banning a person from doing what they need to do because you're too fucking lazy to make it safe. There's a huge difference between indescriminately giving somebody root and letting them run select statements in a database or on a particular set of tables. It's the difference between giving the inventory guy the keys to your warehouse, or letting him run around INSIDE without hassling him every five minutes. I used to work for the records center for the NY Department of Criminal Justice, and they didn't run as tight a ship as some of the UN*X admins I've known. That's because if they denied access to everything like some sysadmins, the "runners" wouldn't be able to pull what they needed, and law enforcement would suffer as a consequence.

Besides, as much as you like to think of it as such, this isn't your system. You may be in charge of it, but chances are you don't use the thing. The customers do -- the customers and the staff who serve them. You may be in charge of it, but you have no ownership over it. You're in charge like the custodial staff is in charge of the toilet.

You can keep the bad guys out of the building with your firewalls and your routers and your proxies. You can keep the idiots in house out of the sensitive shit, back up the data every 17 seconds and dust everybody's keyboards at night for unknown fingerprints. Hell, you can even come up with some cockamamie password policy, like i have to have at least one korean symbol in my password that changes bihourly. Do whatever makes you feel like you actually know dick about security -- just don't keep me from doing my job. If I can't run a query for a troubled customer, we've lost business. If you have to monitor one extra user account for suspicious activity, we haven't lost anything. Not only is creating potholes like this counterproductive, it also doesn't improve security in the least. I've never known an "exploratory hacker" who cared a whit about getting access to a person's read only accounts when it's often just as easy to get root. Why eat hamburger when you can eat steak?

Re:Or they made a mistake

[ill_mango]

I dont think people are getting the main idea here. The honeytoken concept shouldnt be used as a way to identify EXACTLY who is illegally accessing your data. It should be used as a way to show who MIGHT be illegally accessing your data. Each incident should be investigated, but not every incident will yield some internal leak or security hole. Sure there are lots of ways your honeytoken could be accessed, but if you catch even 1 breach for every 20 or so accesses, isnt that worth it?

Re:Or they made a mistake

[RatBastard]

Completely and utterly irrelevant. Someone accessed a file without proper authorization. Hospital staff are quite aware of the rules and it doesn't matter a bit if they know that Micky Mouse, John F Kennedy and Hugh G. Rection are fakes. They still broke a rule they knew was in place.

Re:Or they made a mistake

[antirename]

Here's what I've been doing for years. I have folder on my drive with a very suggestive name. Looks like porn... a few really good videos, some nice pic series, a few porn games, the usual stuff but fairly high quality. This folder is sure as hell not in any area that the webserver or anything else connected to the web should be able to touch, it is in a fake user's directory. The last few .exe files on the list are not porn games, though. At least that's not all they are. They've had some rather nasty viral code (not in the GPL sense) wrapped into them. The only way those files will ever be accessed is if the box has been compromised or I really screw up running as root (which would corrupt my logs, but otherwise do nothing since the box is *nix). Those files have been accessed once. I screwed up and didn't apply a patch I should have. The script kiddie, on the other hand, went off the radar a few minutes after those "special" files were downloaded. Yeah, I had to rebuild the machine to be safe (faster then figuring out how much damage the little fucker did and I really didn't care who he/she/it was), but at least I got some satisfaction out of it :) Now, this part is of course purely hypothetical, but maybe something like this could be used to "poison the well" on those PTP networks the RIAA is trying to monitor. There are .exe compression programs out there that do a GREAT job of convincing antivirus software that a piece of software doesn't REALLY contain something like, say, Chernobyl. If you run MS shit on your box (or have a gaming box running MS like I do), give it a try for your own amusement. Then, when you're done, give the hype about "sandboxes" and "heuristics" some thought. Of course, script kiddies don't always run antivirus software, but why not be thorough? Fuck 'em if they can't take a joke.

Re:Or they made a mistake

[digitalsushi]

my friend works at a GIS place. he corrects map coordinates. commercial map vendors will make fake streets to catch people using their data. so they have a policy. if its a commercial source, they need one more commercial source saying the same thing, else its bogus. government maps are always ok, though.

Re:Or they made a mistake

[anderm7]

It would depend heavily on how the security policy was written. If it references "patient data/files," it could be argued that Hugh G. Rection is not a patient, and thus there was no violation. The violator would only have to prove that he read only Hugh G. Rection's file. If it only specifies "data/files," well, then you're screwed.

Re:Or they made a mistake

[Jonathan]

As long as you never (a) reveal information you shouldn't have accessed, nor (b) base a decision on such information, it is not a problem for me. Possession of information is never wrong {claiming otherwise creates the concept of thoughtcrime}, though it can certainly be misused.

Well, every government in the world would disagree with you. Saying you photocopied those Top Secret stealth submarine plans merely for your own curiosity won't stop you from doing time.

Re:Or they made a mistake

[gregmac]

Well, they do not have to be convicted right away. Maybe somebody will ask what the hell they were doing there first

No. Lock them up and throw away the key. In fact, screw that.. anyone have a stake, rope and some matches handy?

If you acess the data, you're doing something illegal. Just like if you have MP3's you're obviously depraving record companies of profits. Or a smart card reader, you're obviously stealing tv.

Hail DMCA!

Re:Or they made a mistake

[ahaning]

So, when my shortest-path solutions come out oddly for my GIS labs, can I explain in my report that the problem could be that John F. Kennedy Boulevard doesn't actually exist?

Re:Or they made a mistake

[Lershac]

Photocopying is quite a different thing from looking at them. Copying creates another instance of the information that can be accessed in an uncontrolled fashion. Merely LOOking at them just makes you knowledgable abt them.

I have "accidentally" seen classified info b/c it was in the open. I was quite officially sworn to secrecy about it. It happens whether legitimately or illegitimately, and needs to be dealt with in a reasonable and thoughtful manner.

Re:Or they made a mistake

[WhiteDragon]

Well, why not just have the database log the records that were selected, instead of every record in the database. Select * from names where last_name='Smith' would not flag this particular honeytoken (John F. Kennedy), but select * from names would.

Re:Or they made a mistake

[chickenwing]

More info on copyright traps in maps here

Re:Or they made a mistake

[nexex]

during the elizabeth smart saga, several employees were fired from the health care org my father works for for accessing her health care records, just satisfying your curiosity can get you fired.

Re:Or they made a mistake

[Poofat]

Step One: Go to local hospital.
Step Two: Burst in and start looking at people's medical history.
Step Three: Get arrested. (It will take a while, most hospitals have crappy security)
Step Four: Go to jail after your argument fails in court.

Possession of information cannot be prosecuted, but illegally obtaining it can.

Re:Or they made a mistake

[questamor]

Retard. That's got absolutely nothing to do with the streets we added. If an ambulance took a dart into a street that was a 5 house cul-de-sac to try getting anywhere quicker then you best hope you get some smarter ambulance drivers.

You've made a presumption on the kind of data we put into maps and you are simply wrong.

Re:Or they made a mistake

[SatanicPuppy]

I do a lot of database work. I guarantee I'd trip some of these record-bombs just doing my job.

I mean, most times I'm supposed to be looking for weird stuff. I mean, right now I have access to info on people that I KNOW would be appalled to find out someone is privy to everything about some private part of their life. I don't get my jollies off it or anything, but there is no way I can fix some of these problems without ever taking a look at the actual data.

Now, I could hack together some access controls, or just a little snoop program that tells some administrator who's been browsing his files without having to hide a bunch of stupid fake entries. Seems like that would be a better solution, and that's old, proven tech.

Just my opinion.

Re:Or they made a mistake

[ReallyQuietGuy]

it would be a shame if society evolved into a "no permission means no look, no touch" attitude.

Society's already there. Where have you been?

Re:Or they made a mistake

Well I have something of the same on my server. I get tires of seeing all the script kiddies doing a "get default.ida" buffer overflow in the off chance that I was using IIS, so I decided to accomodate them. I touched a file called default.ida in the webroot directory, and entered this text: Funny, I never get a repeat customer any more...

Re:Or they made a mistake

Accck ok code is [html] [form] [input type crash] [/form] [/html] Use the correct brackets >

Re:Or they made a mistake

[tedgyz]

Maybe I'm missing the point, but I thought he was referring to mining of that data for something like spam lists. Nobody is going jump on you for doing a

select count(*) private_user_info_table;

Re:Or they made a mistake

[shut_up_man]

Agreed. I think the traps should be at a higher level than pure data, such as business logic. Then when someone runs a PutLunchOnBill("JFK") the alarms would go off. I'd also suggest only implementing the honeytokens in the production environment, not development where people will be doing all kinds of ad hoc stuff.

It does raise an interesting question though - who gets told about the honeytokens? The best idea would be to keep the practice as quiet as possible, but then you run the risk of new developers writing stuff that sets everything off (and then the most likely managerial decision would be to turn the honeytoken off, not redevelop).

Re:Or they made a mistake

[Fryboy]

Good story, and madlove the tuckermax reference :)

Re:Or they made a mistake

[dasmegabyte]

"Brown nosing corporate fuckwit?" Look buddy, I don't know what things are like in your neck of the woods, but around here map making is one of the last great profitable jobs for the small businessman. These fake streets are one of the ways they keep corporate panzers like InfoUSA from buying all the information and hording it over people for subscription fees and tourist maps that only show what THEY want.

Maybe it would be better if you HAD died in that accident. One less dumbass who can't check facts or even think before he posts.

Re:Or they made a mistake

[quintessencesluglord]

Great! Entrapment as a means of maintaining law and order. Treat people like criminals, and they tend to act like criminals.

How about teaching hospitals? Private information is routinely passed back and forth between people who do not directly affect you care. Interesting case studies are gone over as means of education. Hell, some people check records just to know you made it through alright (gasp! they care).

Does it really sound like a crime?

Also, open reports and rounds tend to be common among hospital staff. The "need to know" basis for information exchange is a bit pedestrian in potential crisis situations. Having everyone fully informed tends to be the best course of action: Suppose an MD happens upon you lying on the floor. Would you prefer a MD had some general information concerning your case (even though, at the time, they were not directly involved with your care), or would you prefer them to go through your chart while you are having chest pains?

The problem isn't so much "poking around" as ill-conceived information systems. Any system that denies people's basic nature is doomed to fail. Curiosity shouldn't be a crime. Know for a fact the MDs are repulsed about your hemorrhoids, just as much as you are repulsed by goatese. But you still look, don't you?

Re:Or they made a mistake

[Zemran]

The British used to do this a lot during WWII. In north Africa the Germans were very impressed with the maps they 'captured' from dead British tank commanders as they were so detailed. The maps had been specially written with hazards where the British felt weak and less hazards than there were in reality, where the British defences were strongest. Even at the end of the war the Germans were still saying that the British maps were best and had not caught on :)

Re:Or they made a mistake

[Zemran]

I would think that in a hospital it is more important for people to flag up possible errors and to look into things like false names. If the false name was in a VD clinic then maybe it should be ignored but what about areas where dangerous drugs are given out? If someone dies from an overdose because they are being prescribed 8 times the required dose of some drug that makes them happy could the hospital be held responsible for that negligence?

Re:Or they made a mistake

[StrawberryFrog]

I can't agree with that. My sense of morbid curiosity makes gerbils look positively ignorant.

So what you are saying is that your personal temperament is more important than doing a sensitive job in a profesional manner.

Possession of information is never wrong

Oh good. Can I then install several surveilance cameras and microphones in your bedroom and bathroom?

Re:Or they made a mistake

Well, I know for sure that at least some government maps have interesting "mistakes" near military installations.

Re:Or they made a mistake

[boogy+nightmare]

To the best of my knowledge....

This is not really what the data protection act is meant to mean, a company has an entry under the data protection act which tells both the public and workers what may or may not be held by the company legally.

For example the company i work for has many enteries under the data protection act (what details they may hold on staff, what info they hold on clients etc etc)when i started as i have access to the data base (as would hospital staff) i sign the data protection act which says that i have access to the information and could in effect see the information that is contained in any persons entry but am not allow by law to misuse or divulge this information in any way.

Example when i worked for the TV licencing in the UK i had access to the database and wrote reports that braught in the CC nums of all the people that payed their licence by debit or credit card, beucase we were allowed to hold that information and i was legally allowed to view it then thats fine, if i was to corrupt that or sell it then i would be proseccuted under the data protection act (very very very bad, would probably not get another IT job ever) and the computer misuse act amongst others.

I have also signed the offical secrets act at a higher level which technically means i am not supposed to tell you that i signed it, this is basicly for government and secret data, this would be the place to use the honeytokens.

I beleive that in this country (UK) that any person using medical records has to,by law, sign the data protection act which gives them the right to browse through all records but doesnot allow them to use or disclose the information found with the prosecution.

i may be wrong, who knows or really licks giraffes bottoms :)

S

Re:Or they made a mistake

[Moraelin]

If you absolutely need to do something legitimate on short notice, that the program won't do, I do believe that most DBAs will have understanding. There'll be some assholes, but most will actually be reasonable guys.

If your SQL statement looks legitimate and harmless enough, I don't think many people will give you a too hard time for that. E.g., let's say you tripped the security trigger with a "select count(*) from patients where patient_id in (select patient_id from diagnostic where disease like '%Alzheimer%')". It will probably trip a few honeytokens all right, because it goes through classified diagnostic information. However it only gives back a count, and nothing actually linking the diagnostic to a name and address. And I don't think anyone will fire you or anything for that.

On the other hand, if you do a "select distinct patient_name, patient_address, credit_card_nr, credit_card_expiry from billing_data where credit_card_expiry > SYSDATE" then you damn better have a _very_ good explanation of why you needed that data. And your company damn better have a honeypot/honeytoken to catch that kind of a statement.

On the other hand, if you actually have a program to write, I can't see what's wrong with actually using those stored procedures that your DBA writes.

Contrary to the "I'm a super-star, I'll make my own rules and write my own simplistic SQL statements" attitude some people have, databases are a science in their own right. Expecting everyone to be an expert in SQL because they skimmed through a book is like expecting someone to be an expert in C because they skimmed through a book.

Re:Or they made a mistake

[Kierthos]

No, entrapment would be telling a co-worker "Hey, you should check out those records. There's one for a guy named after JFK in there." and then getting them fired for doing so.

Second, what if there is a guy actually in the hospital named after JFK? Not the name I'd choose to make a honeypot file... I'd choose something incrediblly outrageous like Throckmorton Q. Security or something like that.

Third, I wonder what options exist for saying "Hey, I just clicked on the wrong file."? I've been to a couple of hospitals for various injuries or visiting friends, and it's pretty damn easy to mis-key the name and pull up the wrong file (as many systems assume that if there is only one entry for a given last name, you _must_ be seeking that one), or click on the wrong file name if more then one is retrieved for a given last name.

Now, if they are checking and finding out that J. Random Employee looked at dozens of case files in the space of an hour, but was only supposed to be looking at maybe 10 or so, that's a problem. But one file? Eh....

Kierthos

Re:Or they made a mistake

[IWannaBeAnAC]

Society's already there. Where have you been?

I hadn't noticed it yet, but I am not from the USA. As usual, the rest of the world is lagging behind ;)

Re:Or they made a mistake

[chefren]

Or you've been hacked in which case you won't have an access record anyway if the hacker did their job right.

This is just another reason to put that old dot matrix printer to some use. Log security alerts to it. There's not a hacker in the world who can erase that log. Very nice for honeypots.

Re:Or they made a mistake

[the_duke_of_hazzard]

Mind if I point by telescope at your bathroom then?

Re:Or they made a mistake

[Rip!ey]

As long as you never (a) reveal information you shouldn't have accessed, nor (b) base a decision on such information, it is not a problem for me.

Reading through the posts here, I find that your opinion on this matter is remarkably common. Now given that the readership of Slashdot is largely made up of the people who might be responsible for implementing and operating the type of database that the article considers, it is disturbing to see that such people thing nothing of the idea of poking around in other peoples confidential information. Especially given that they are likely to have greater access to the same said information than anyone, as well as the ability to cover their tracks. Indeed, they appear to think it is perfectly acceptable. To call it disturbing is an understatement.

Re:Or they made a mistake

[shilly]

I don't want you peering in my bedroom window and watching me. Your innocent intentions and the fact you haven't got a video camera in your hand make bugger all difference. I want my medical records treated in the same way.

Re:Or they made a mistake

[shilly]

I really hope that you aren't a health professional. If you are, you should consider whether you are practising in compliance with your duties as a professional. These will include duties in relation to consent and privacy. They will be framed in language like this:
"You must respect the confidentiality of your patients, clients and users.
You must treat information about patients, clients or users as confidential and use it only for the purpose for which it was given. You must not knowingly release any personal or confidential information to anyone who is not entitled to it,and you should check that people who ask for information are entitled to it. You must only use information about a patient,
client or user:
1. to continue to care for that person; or
2. for purposes where that person has given you specific permission to use the information.
You must also keep to the conditions of any relevant data-protection legislation and follow best practice for handling confidential information relating to individuals at all times. Best practice is likely to change over time, and you must stay up to date.You must be particularly careful not to reveal, deliberately or accidentally, confidential information that is
stored on computers."
(This is from standards for some UK health professionals, but the rules are pretty universal.)
When you're up before the Conduct Committee for having poked around in someone's medical records, pleading mitigation by way of curiosity is not going to save you from being struck off.

Re:Or they made a mistake

[u38cg]

Usually it's more subtle than wholesale botching. They'll introduce a little kink in a river, or something like that. Something that you would never find unless you were standing staring at the ground with the map in front of you.

This happened in the UK a year or two ago; the AA (a motoring organisation) was caught with its pants down stealing mapping data from the Ordnance Survey's published maps. They were caught on the basis of several of these little wiggles.

Re:Or they made a mistake

[lars_stefan_axelsson]

In mosts countries, the secret services have nothing to do with law enforcement so a spook coming across a record that showed minor suspicous (in a criminal sense) behaviour, as long as it has no national security implications, would just ignore it.

I'm reminded of the situation with the German Verfassungsschuts, i.e. the counter espionage. Since the Germans have (very) bad experiences with the "Secret State Police" (GeStaPo) breaking down doors in the middle of the night, hauling away people in their pyamases never to be heard from again, the Verfassungsschuts is forbidden by law to have any law enforcement powers. If they need a spie arrested they have to collect the evidence and go to the police like any other citizen would have to.

This suits the Verfassungsschuts just fine, since they reason: "If we're not allowed to thwart crime we cannot be required to report crime whenever we see it, like the police must." Thus enabling them to look the other way when the police wouldn't have been able to.

Of course in the US much of this is moot anyway, since the police there is allowed to commit crimes to investigate crimes (such as posing as a buyer of narcotics) to a much greater degree than is the norm in Europe. (And plea bargains and turning states evidence and whatnot).

Re:Or they made a mistake

[I-am-FooDog]

With a fake record there would be no attending physician or nurse so how would the fake person die from an overdose? In the case of a real patient the attending healthcare worker would have the minimum access necessary to the patients records. This is the concept of least privledge... enough to do the job and no more. It is very apparent you have never been in a healthcare information systems / security setting. This is a very legitimate action especially in the post HIPAA world of privacy \ security.

Re:Or they made a mistake

[arkanes]

It's like this: A clerk needs to have access to all employee records, because he might have a legitimate need to access any given employees records. He access lots every day, and it's not worth the layer of beurocracy to have him fill out forms for every access. On the other hand, he shouldn't be going browsing, because thats a violation of privacy. So you add records that he would NEVER legitimatly be asked to look at, and if those are accessed then you know he's been doing something he's not supposed to.

Re:Or they made a mistake

[_14k4]

Not to mention the programmers nightmare when he has to write financial reports against said database and code to ignore the "fake" records..

Talk about spec changes and scope creep..

Re:Or they made a mistake

[Bizaff]

Depending on your intent, I'd have to disagree. If your intent is to catch people misbehaving, keep it quiet. But that seems wrong to me.

If your intent is to protect privacy, make it public knowledge to all your employees - then they'll know better and have NO excuse. I'd assume everyone working with such data knows the privacy rules/laws/whatever, but informing them that for the hospital's protection these honeytokens are out and about seems fair.

Re:Or they made a mistake

[IWannaBeAnAC]

I'm reminded of the situation with the German Verfassungsschuts, i.e. the counter espionage. Since the Germans have (very) bad experiences with the "Secret State Police" (GeStaPo) breaking down doors in the middle of the night, hauling away people in their pyamases never to be heard from again, the Verfassungsschuts is forbidden by law to have any law enforcement powers. If they need a spie arrested they have to collect the evidence and go to the police like any other citizen would have to.

I believe this is the situation in most places (well, not the Gestapo bit, but the bit about counter-espionage being hands-length from law enforcement).

This suits the Verfassungsschuts just fine, since they reason: "If we're not allowed to thwart crime we cannot be required to report crime whenever we see it, like the police must." Thus enabling them to look the other way when the police wouldn't have been able to.

I'm sure it suits them very well. If you are looking for a spy the last thing you want to do is alert them by hauling their colleagues off for stealing the office paperclips.

Of course in the US much of this is moot anyway, since the police there is allowed to commit crimes to investigate crimes (such as posing as a buyer of narcotics) to a much greater degree than is the norm in Europe. (And plea bargains and turning states evidence and whatnot).

Yeah, I think most people in the world agree that capitalism works fairly well for running an economy. The USA is the only country I know though where laissez-faire capitalism extends to the legal system!

Re:Or they made a mistake

[Glonoinha]

Bah - anybody that snoops through confidential data using the standard user interface is a loser anyways and deserves to get caught.
Real hackers restore the database from a backup tape onto their home system so they can make massive SQL cursors and throw them into their favorite data analysis tool for hours worth of casual browsing fun.

Re:Or they made a mistake

[Zemran]

As someone with very high security clearance I find your assumption amusing :) and you answer does not cover my point. If a doris at a hospital sees an error, then I would rather she queried it. I frequently query things that look wrong to me. I do not always find out the result of my query but that is not the point. If I see what looks like an error it would be remiss of me if I did not investigate; especially in the the current climate of increased security. That does mean I sometimes look at records that are not relevant to me. I have to own up to this before I get asked about it but it is something that is expected of me rather than something that is seen as wrong. If I saw a record for someone that I did not know and I ignored that record it could turn out to be someone using our system to spy on sensitive sites.

Re:Or they made a mistake

[Stone316]

For one, I don't think you want 'beginners' accessing the database directly. I would think these systems would have GUI front ends and the only people that would be able to access the data is the DBA's and _maybe_ business analysts. If a DBA is snooping around, there isn't much your going to be able to do to stop him. At some point your going to have to trust someone 100%. L8r

Re:Or they made a mistake

[Stone316]

Some DBA's love to have complete control over their systems because of some 'shmuck' programmer/analysts. Ask a DBA how many times he has been awaken in the middle of the night because some dweeb corrupted data, dropped a table, etc. Maybe you know how to write good SQL, but the sad fact is more programmer/analysts don't know what an index is or how to use one. Poorly written adhoc SQL can kill database performance. The DBA's get miffed because he's the one getting tossed into hot water, not the programmer. He is the one responsible for database performance and if some schmuck is executing poorly written SQL, he has to answer for it. So give your DBA a break... Most people don't understand the pressure a DBA is under if his database has mission critical data and uptime requirements. While I don't advocate writting stored procedures for every bit of SQL that has to be executed, I do try and get as much control over the environment as possible.

Re:Or they made a mistake

[gurps_npc]

Nope. They do not add through streets, only cul-de-sacs, alleys, that kind of thing.

The basic idea is that it will be a small thing that people will not use.

Re:Or they made a mistake

[lars_stefan_axelsson]

I believe this is the situation in most places (well, not the Gestapo bit, but the bit about counter-espionage being hands-length from law enforcement).

Actually, now that I think about it, I don't think that's generally true in much of Europe. It's not in the Nordic countries, that I know for sure. The SÄPO (Security Police) in Sweden are a branch of the Police. BUT, and that's a but, they're separate from the rest of the police, i.e. they don't handle "ordinary" crime.

Yeah, I think most people in the world agree that capitalism works fairly well for running an economy. The USA is the only country I know though where laissez-faire capitalism extends to the legal system!

Actually that's true. We may call ourselves Socialist (Democratic), but the meaning of the word "socialism" has actually drifted in Europe over the years to be mostly equivalent to "liberal" in US parlance. There's a large portion of laisses-faire capitalism (though often with more restraint than in the US). We're keeping that separate from the rest of the government though, for now. Corporations still have to apeal to common (well) sense, when addressing the legal problems of business climate, they can't just buy one that suits them.

That'll probably (and lamentably) change though.

Re:Or they made a mistake

[overunderunderdone]

(a) reveal information you shouldn't have accessed, nor (b) base a decision on such information, it is not a problem for me.

I think you are overestimating your ability to not use the information you gain, or you haven't really found anything significant.

Possession of information is never wrong

Ahh, but if you had to *act* to get that information then it is not a thought crime, it is simply a crime. If you access my private medical data (for instance) when you had no reason to other than "morbid curiousity" you have commited a crime. What you are thinking is irrelevant, accessing the data - an act - is the crime. This is just a way of catching you doing it.

I would imagine that somebody working on the database may inadvertently trip one of these "honeytokens" but then if you really have a legitimate reason to be hitting that data then you're OK. As for the term "honeytoken" I've always called this "salted" data or a "salted list" which is what they called this concept before computers and before somebody at a honeypot project mistakenly thought they invented something new ;)

Re:Or they made a mistake

[I-am-FooDog]

Sorry, had I known you had a high security clearance I would have made the assumption you knew everything.
A clearance is not a measure of knowledge, it is a measure of risk or trust.

Someone with a "high security clearance" should understand the concept of "need to know." If you are a clinician and you access data on a patient without authorization that is a violation of the HIPAA privacy rule. If Doris sees an error on her patient then by all means report it, fix it...whatever. If Doris isn't caring for a bogus entry in a database, she has no authority to query that record. Doris accessing a patient entry in a database which she has no authorization for, violates the HIPAA privacy rule, as in against the Federal Regulation.

Put very simply no clinician can access data on a patient without one of 2 things:
1) Permission by the patient (or representative)
2) Permission by the (previously authorized) attending clinician, such as a doctor seeking consultation with his peer.

This entire article is about using false entries as a way to catch would be HIPAA rule violations and \ or violators.

Re:Or they made a mistake

[quintessencesluglord]

Before you can become a health professional, you will have to go to school. Part of that schooling will entail case studies. How do you rectify education concerns without, by measure of degree, infringing on someone's right to privacy? Consent is one thing. Privacy is another. If someone really wanted to push the issue, there can be no legal consent given because the person(s) are in an obvious state of distress. MDs get consents for operations. That doesn't prevent them from being sued. So again, it is fine and good to quote the regs, but what do they actually mean? Ever asked a colleague their opinion on how to best treat a particular case? Did you get the client's permission beforehand? Please, do tell.

Re:Or they made a mistake

[Rick+the+Red]

OK, so how do I avoid the false record? It would have to have NULL as the value of every field to avoid showing up in any query, and even then it might show up if you were doing data maintenance and were searching for NULL values. So if I perform a query that returns 8200 records and one of those is "John Kennedy" I can be fired for a HIPPA violation? Give me a break! There's got to be more to this than accessing an invalid data entry gets you fired.

And if I bring up a record and see that every field is NULL, how in the hell am I violating that patient's privacy if it is a legitimate record, let alone if it's a fake patient? There's no information to see! If there were any information, even if it's fake, that record would turn up on legitimate searches.

Give me all patients prescribed Tylinol on July 12, 2003. Hey, there's a patient named John F. Kennedy; I wonder what it's like to live with a famous name like that, poor bastard. OH MY GOD, "Date of admission: November 27, 1963" -- President John F. Kennedy is alive and living in THIS HOSPITAL! HIPPA be damned, I'm calling the New York friggin Times!

Re:Or they made a mistake

[I-am-FooDog]

Don't be obtuse. The name John F. Kennedy was used to illustrate a point, you know an example.

The point of having a fake record would be that it wouldn't have NULL values for the fields. It would appear as a normal record. The fact that it shows up on legitimate searches isn't a problem, and would be a legitimate task for someone in Quality Control or someone involved in reporting to the State or Federal Databases. It all boils down to "need to know." If you are looking in a patient's record and you have no need to know (not treating, billing etc...) you are in violation of HIPAA. The whole point of the honeytoken is to discover someone that is possibly engaging in an unauthorized activity. Could it be a mistake? It sure could, and little would happen after it was investigated. If the same person kept making these mistakes, or made a number of them in a short period of time then it would be time for some training and / or HR procedures ( including termination for repeat offenders).

Each HIPAA violation is a 100.00 fine. Pretty cheap until an entire database is compromised. A local hospital in my area had a temp nurse that also owned her own business. She queried the database for names and SSN's. Once she had them she billed medicaid for services her business never performed. The cost to taxpayers was in the millions. A few honeytokens may have tipped the hospital off, before the feds knocked on the door.

This was pre April 2003 so the HIPAA privacy rule wasn't in force; had it been, that hospital would have had a for sale sign out front.

Re:Or they made a mistake

[shilly]

"If someone really wanted to push the issue, there can be no legal consent given because the person(s) are in an obvious state of distress."

Bollocks. That isn't the law on consent or on privacy. Distress doesn't automatically prevent someone from giving legal consent; nor is it true that everyone receiving medical treatment is in distress anyway.

Clearly, in an educational setting, part of taking an adequate consent will include explaining to the patient the extent of involvement of students in investigations, discussions and treatment.

Here's a handy hint the next time you discuss a case with a colleague: try doing what most medics do and talk about the "37 year old female presenting with early-onset parkinson's". The patient's name and address are of bugger-all value in discussing the case.

Are you really a doctor of some sort? If you are, why are you talking about "the client's permission"?

Re:Or they made a mistake

[shilly]

(PII = patient identifiable information)
I know that these things are grey. That's why I objected to your saying that they weren't. You said "there can be no consent" where distress is an issue. That's not a statement describing shades of grey. It's also not true.

Furthermore, there is no contradiction between rules requiring you to obtain specific permission to use PII for purposes other than care and using such information in an educational setting. You just have to get the consent of the person concerned.

Of course, anonymisation is sometimes imperfect--so you try not to provide too many identifying details when discussing cases with colleagues. This doesn't condone your choosing not to get *any* consent or make *any* effort at de-identification.

Your choice of words is very interesting. You talk about "the consent form". While a useful written record, the important thing about getting consent is the communication with the patient. You should be making a reasonable effort to tell the patient how you would like to use information about them. I doubt many would give a fiddly fuck about whether a student was affiliated with a particular school. But they would want to know that you were planning on using their case as an educational tool.

You make an entirely valid point about the conditions of a client's care being dynamic. That's why consent obligations are dynamic as well. If you find you have a new reason for sharing information about the patient, you should talk to them again and gain additional consent.

I don't approve of honeypots in medical information systems either. But you were implying that you believed you had a right to share information with other colleagues and to poke around medical records sets in a pretty unrestrained manner. I wouldn't try that approach in the UK! The point about need to know is, frankly, a bit silly. A large teaching hospital might have perhaps 1000 patients. You can hardly start reading all their records on the basis that you might need to know the information in an emergency. Hospital doctors are usually pushed just to keep up with the records for patients they are caring for.

I'm really not sure what you're talking about with the brain swipes paragraph.

Finally, I will rephrase my question as a statement, so that you don't have to share any information that you don't want to. I sincerely hope that you are not a health professional: your perspective on PII is bizarre and if are a health professional and you put it into practice, you are pretty much certain to be in contravention of your professional obligations. Thankfully, your choice of language seems to indicate that you're not a medic.

Popular anti-spam technique

I seed all my pages with special "token" email addresses that will only be found by a spammer using harvesting software (or a really really bored user). Normal people will never find it and never want to use it. It works amazingly well.

Re:Popular anti-spam technique

[Greedo]

Even better (IMHO) is a system I developed for dynamic pages.

Each page is seeded with a random, unique email address. Also, that address is stored in a database, along with the time it was generated, the page it was displayed on, and info about the viewer (i.e. IP address, UserAgent, etc.).

Then, if that email is ever used, another automatic system reads that data out of the database and can correlate it.

It's interesting to see some things. Like how long after an email is harvested is it being used (as little as 4 hours), and whether the people harvesting are also spamming (usually not). This way, you can fight spam by attacking/blocking the spammers *and* the people doing the harvesting.

Oh, and I claim prior art ... in case Bezos is reading this.

Re:Popular anti-spam technique

[DeltaSigma]

I do the same thing, except I harvest e-mail addresses from slashdot and post those.

Re:Popular anti-spam technique

[entrager]

What does this do besides generate spam for the "token" address?

Re:Popular anti-spam technique

[geggibus]

I don't normally care alot about spam, it's annoying sometimes but.. today.. gah! A spammer is currently using my mailaddress as return-address: so all bounces end up in my mailboox... since everything probably is from the spammer it's kind of interesting though, think i'll wait until it stops and then analyze it ... ;)

Re:Popular anti-spam technique

[sakeneko]

You and a good many anti-spammers. I have a bunch of friends that have spamtrap addresses on web pages in "blind links" -- links that enclose no text or graphics. They can't be accessed by normal web browsers, but spammers using software to scrape the web for email addresses get them just fine.

Blind spamtrap addresses aren't entirely foolproof. There are a few kooks who deliberately look for addresses in blind links or known to belong to other anti-spammers and feed them to web sites. But blind spamtraps are a whole lot less likely to have this happen than spamtrap@spambouncer.org.... (No, you do NOT want to send email to that address unless you are a spammer. If you are, have at it.) <G>

Re:Popular anti-spam technique

[howhardcanitbetocrea]

probably because you didn't think of it

Re:Popular anti-spam technique

[AzureLunatic]

Oh, that sucks. Happened to me once.

I took a look at the parent website and saw a lot of Plausible Deniability in action -- they outsourced their advertising to contractors, who were supposed to send the adverts only to e-mail addresses who were open to receiving commercial e-mail. Shyeah, right. As if any of them were really doing that...

Nothing new here, move along

[ebh]

This sort of thing has been around for decades. I remember as far back as the early 1970s, hobbyist magazines' "Buyer's Guide" issues would have deliberately bogus entries to ensure that their competitors didn't steal the data wholesale for their own buyer's guides.

Re:Nothing new here, move along

[AndroidCat]

Encyclopaedias have done this for ages too. Make up a boring tiny entry for .. Boring Arkansas, and wait for a rival to copy it, then sue them. (Appologies if there is a Boring Arkansas, I am so sorry for you.)

Re: Nothing new here, move along

[Black+Parrot]

> This sort of thing has been around for decades. I remember as far back as the early 1970s, hobbyist magazines' "Buyer's Guide" issues would have deliberately bogus entries to ensure that their competitors didn't steal the data wholesale for their own buyer's guides.

I actually did it on computers a decade ago, and I doubt that I was a groundbreaker even then.

Already by then VMS provided ACLs and a very sophisticated security monitor that you could program plugins for ("plugin" for lack of a better term), so I set up a plugin that would mail me an e-message upon a certain trigger, and then put the trigger in the ACLs for some dummy files where some of our irresponsible support staff wasn't supposed to be playing around.

Re:Nothing new here, move along

[valkraider]

There is a Boring, Oregon.

There is a city nearby called Oregon City which leads us to this wonderful sign.

Re:Nothing new here, move along

[throwaway18]

>This sort of thing has been around for decades.
Reputedly this technique has been used for log tables since the seventeenth century.

A few hundred years before the invention of the electronic gadgets slasdotters take for granted people were navigating the world in sailing ships and calculating thier longditude and latitude with a sextant to measure the angle from the ground to the sun or a star, a clock and a book of log tables. Napier produced log tables in the 1600's but an accurate shipboard clock was only invented in 1764.

A book of log tables can be used to multiply integers quickly using A*B=antilog(log A + log B) or to calculate triginometic funcitions like sine, cosine and tan.

Original production of a book of log table took a lot of mathematical work. Publishers reputedly seeded the books with errors in the last digit to catch copiers. Link

Re:Nothing new here, move along

[ADOT+Troll]

Some people have pointed out that maybe someone just looking through a database on legitimate business sees an interesting patient file, and opens it up, just to look.

One reason this idea would be especially good for hospitals is because such actions have gotten hospitals sued in the past. Simply put, no hospital employee is supposed to view a patient's information unless required. So, if Nurse Betty is looking up "John F. Kennedan's" file, and also sneaks a peek at "John F. Kennedy's", she just broke federal law, and the hospital is going to want to know about that.

As for false positives in other instances, people seem to be just trolling. For example, every single day at a former employer of mine, a cell phone provider, we'd get false positives on customer who may or may not have been using fraudulent information to sign up for service. As such, we would stop and call the verification services we used, and verify that customer. So sure, out of thirty customers a day, it would generate five warnings, four of which were false. But one of them wasn't, and that makes all the difference.

Re:Nothing new here, move along

Map makers do the same thing. They include non existant map features (i.e. bogus streets) so that they can catch people trying to copy and resell their maps.

Re:Nothing new here, move along

[Nexus+Seven]

which leads us to this wonderful sign

"Could not find file" - that's not very wonderful.

Re:Nothing new here, move along

[AndroidCat]

Just don't enter Climax (Sask) illegally with pigeons

Re:Nothing new here, move along

[AzureLunatic]

Yes. Checking for false positives is always in order. False positives should not automatically mean the same consequences as true positives where the penalty for having a true positive is enormous.

(I can understand the need for having a false positive on, say, a HIV screening for a blood donor meaning that the blood donor gets permanently rejected, because a false positive in that situation means that someone can't donate anymore, and a false negative means that someone gets a deadly disease. But a case where a false positive loses an innocent person their job is not cool.)

Otherwise, if touching the record accidentally for a legitimate reason gets you canned, the technique should really be named "honey bucket" rather than "honey token"...

Re:Nothing new here, move along

[nexex]

geez, whats with the java applet just to show a tiny image? good way to waste bandwidth and peoples time i guess...

Re:Nothing new here, move along

[KrispyKringle]

I recently configured Samhain (a Tripwire-esque host-based IDS) and one of the suggestions, which I found pretty cool, was create a file such as /etc/safe_passwd. Set Samhain to log any access attempts, and see what happens.

Nothing new under the sun.

Re:Nothing new here, move along

[AftanGustur]

I remember as far back as the early 1970s, hobbyist magazines' "Buyer's Guide" issues would have deliberately bogus entries to ensure that their competitors didn't steal the data wholesale for their own buyer's guides.

Yep, and even today, Iceland's biggest telephone company (former state monopoly) has bogus entries in it's telephone databases to be able to prove if someone copies them..

Re:Nothing new here, move along

[jazman]

Yes, but don't forget according to the USPTO anything obvious, well known for decades etc, when augmented with the text "with a computer" makes an entirely new invention that is worthy of a patent and not at all obvious to anybody. I'm surprised they haven't already got a patent on it.

Re:Nothing new here, move along

[Lost+Engineer]

As I recall, these hand-calculated log tables were fraught with errors anyways. At least the ones they used for shell aiming were, although that's probably not such a bad thing.

Nothing new

[deman1985]

I've used the same concept before on my work computer. I plant suspiciously named files on my desktop or (usually) less obvious places so if someone tries to search my computer and comes across this file, reports its contents, and I hear about it, I know it's time to change my password ;)

Re:Nothing new

[dook43]

Not a great idea. Especially if you try to name files things like "lolita-1.jpg" that contains bogus text or something...It's highly likely that you'd get called down for it in the first place and have to explain to your boss, "It's not really kiddie porn! It's just some text to trap someone searching my computer! Go ahead! Click on it!" The last thing someone will do is click on a picture called lolita.jpg, even if you insist to them that it's not really a lolita picture.

Re:Nothing new

[deman1985]

I have enough prestige in my company where it's no big deal to explain what's up to those on the inside. It works and has pointed me to a couple people I can't trust in the company in the past year that I've used this method.

Re:Nothing new

[dnoyeb]

Me too. especially email. I have an address in my address book with the name of

"This mail was send by virus"

something like that, and I expect the email to bounce back at which point I know I have been infected.

also people have been hiding email addresses in web pages to test spammers for a while now.

Re:Nothing new

[fobbman]

Good point. Instead, put those files on a CO-WORKER'S PC, and monitor your bosses email traffic looking for the termination directives for that co-worker. No biggie, as he was behind in his tithing payments anyway.

Re:Nothing new

[JUSTONEMORELATTE]

David, is that you?
When I got my first admin job (first root password) my boss did something like this. He had open perms (755) on his home dir, then a private dir (700) with a file named .sex
He also had a cron job on another box that checked last-access-time for the .sex file.
My sense of ethic has come along way since then, in part because of the (perfectly reasonable) way he talked to me when I got caught.
DavidH, if you ever read this, thanks again.

--

wow

[stratjakt]

What corporation in this post dot-bomb era wastes resources and employee time on bogus bughunts like this anyways?

These all sound like over elaborate rube goldberg devices to secure the doggy door on your house.

Just like "ringers"

[vegetablespork]

Folks who rent mailing lists add "ringers," which, if they receive a mailing after the term of the rental is up, yield prima facie evidence of violation of the rental contract.

This is an interesting use of a known technique to help detect the unauthorized use of data, and alert administrators that the barn door is open--and maybe even who opened it.

Re:Just like "ringers"

[Walt+Dismal]

The adding of ringers is indeed an old practice but still a useful one. It's also used by intelligence agencies and can point a leak straight back to a single source. The Soviets used it during the Cold War and, sadly, people have died because of it.

After John Kerry's campaign manager's laptop - with his campaign information - was stolen in San Francisco this year under very suspicious circumstances, and shortly thereafter, the same thing happened to Democratic candidate for SF mayor Angela Alioto, I realized that all political candidates should add ringers to their databases for campaign contributors. In the event that an opponent engineers a theft of data and uses it to solicit funds from people on the list, this might be used to identify the player.

And these thefts DO occur more often than you might imagine. It's kind of odd how it's only Democrats whose databases have been stolen. There was also a database theft from a Democratic gubernatorial candidate in Tennessee... call me paranoid, but it's all documented.

Re:Just like "ringers"

[bugnuts]

I do exactly this. I usually embed the name of the company I'm ordering from into the information I use.

Rand McNally used to have tiny fake roads. Lots of things do this.

There was a even recent study using fake emails to test out spam tactics.

Search?

[ajiva]

What happens if someone does a search for that happens to find "John F. Kennedy" and several other patients. Does that mean the person was in the wrong place?

Re:Search?

[OECD]

What happens if someone does a search for that happens to find "John F. Kennedy..."

Or, God forbid, someone with the name "John F. Kennedy" checks into that hospital.

Re:Search?

[WindBourne]

Does that mean the person was in the wrong place?
Well, yes. He is suppose to be in the Arlington National Cemetary, not a hospital.

Re:Search?

[raduga]

really?

I could have sworn I saw him post to this this site last week.

Re:Search?

[SagSaw]

If somebody is doing random searches of a hospital database, they are most likely doing something wrong, as most medical records are confidential and subject to strict controls. In this case, each time "John F. Kennedy's" record is accessed, somebody needs to find out why. Perhaps it was a typo or data-entry error, perhaps it was a script that was mistakenly pulling records due to a bug, or perhaps its an intruder on the network or an employee up to no good. In any case, it would be important to find and correct the cause.

The problem...

[melete]

The problem with this (and with a lesser degree, with honeypots) is that these tokens will get accessed in legitimate ways -- for example, what if your secretarial staff is creating a mailing list, and "JFK" gets sent something? Or you have a browse function in an application that uses the database?

It's a good idea, but not a panacea.

Re:The problem...

[DaveAtFraud]

Unfortunately, the hospital example isn't the greatest but the idea is to add such a record with contradictory information such that known/legitimate uses of the database will not extract it. In this case that might be setting both the "is a patient" and the "deceased" indicators to true or "discharged on" and "in room number" fields or showing the patient as being in a non-existant room. This approach works best when designed into the data from the start since checking multiple, supposedly redundant fields can be specified as a requirement for all systems accessing the data.

A variantion on this in the non-digital world is using either different middle initials, different first names, adding a mail-stop, etc. to the address you use for signing up for a magazine subscription, etc. When you start getting junk mail with that address, you know they sold your address to someone else. People have been doing this for a long time.

Re:The problem...

[mindstrm]

You generally work around it. It's not as simple as "was this account accessed". I mean, you can track that on legitimate accounts.. you don't need fake ones..
but inserting fake addresses into the customer database, with fake credit cards and whatever so that you can tell when your database has been compromised, or otherwise, is a good idea, and has been done by many smart people for ages.

If the secretarial staff sends a message to that user, you'll know where it came from, and won't have a problem with it. If your competitor sends a message to it, you KNOW your database was stolen.

Re:The problem...

[Ben+Hutchings]

The database validation rules should prevent records from being in bogus states like that.

Or maybe there's just someone

named John F. Kennedy at your hospital?

John F. Who?

[RobertB-DC]

An example he gives: adding a record to the hospital database for a guy named "John F. Kennedy". It doesn't correspond to a real person, so no one has any business looking at the file.

Of course, there are some places where "John F. Kennedy" is a perfectly valid database entry. Actually, it's a database entry for which a lot of people make it their business to look at the file.

Which, I suppose, shows exactly why the Honeytoken concept makes sense...

Re:John F. Who?

[JoeBuck]

A woman I knew since grade school got a job in American Express's credit card clearance center in New York in the 80s. Seems some of her colleagues would spend hours every day looking for celebrities' credit card records just so they could gossip (back then the system was less automated than it is now, and an actual person would need to verify that a charge was valid in many more cases than today). I'm sure that this kind of thing still happens. Putting in bogus entries with celebrity names would catch such people, as they are only supposed to consult a record when someone tries to use the card in question.

Yes, this is old news

[brooks_talley]

Yahoo (and presumably other search engines follow suit) keeps some bogus entries in the DB so they can detect someone stealing their whole DB.

Some print newspapers run bogus classified ads so they can detect a competitor trying to bulk up their own classified section.

Some anti-spam companies post to newsgroups specifically to get addresses harvested; any email to those addresses is the sign of a spammer.

Handy, but hardly breaking news. Might as well run an article about a researcher discovering the usefulness of packet switched networks.

Cheers
-b

Re:Yes, this is old news

[jez9999]

Some print newspapers run bogus classified ads so they can detect a competitor trying to bulk up their own classified section.

Heh. And what do they do when they find out? Classified ads are hardly gonna be copyrighted material. Even if they were, I can't see the advertiser being anything other than happy about the free advertising in an extra newspaper.

Re:Yes, this is old news

[dmeranda]

Forgot about the ICANN whois database? It's just full of bogus records. The honey is bountiful and overflowing :-)

Chief problem...

[thorgil]

To: Chief Financial Officer
From: Security help desk
Subject: Access to financial database

Sir,

The security team has updated your access to the company's financial
records. Your new login and password to the system can be found below.
If you need any help or assistance, do not hesitate to contact us.

https://finances.ourcompany.com
login: cfo
password: H0n3yt0k3n

Security Help Desk
-----------------------

Ok... whats stopping the Chief Financial Officer from logging in on that account...

Security 1: Hacker!.. Fry Him!!!

Security 2: Oops!

Security 1: Sorry boss!

Maps too

[SilentTristero]

Maps have had these for years; they call them 'ducks.' Bogus small roads that don't exist for instance. If they show up on a competitor's map, they're poaching.

Strangely, couldn't find a reference to this on google. I wonder if google themselves practice this kind of thing...

-- Tristero

Re:Maps too

[thorgil]

Couldn't that be dangerous?

I mean, what if the ambulance guys find a shortcut on the map and end up in a swamp?
Or misses the right (correct) road (second road to the left on the map)?

Re:Maps too

[angryelephant]

doesn't this make the map somewhat worthless? i buy maps so i know accurately which roads go where. many times in hiking or mountain biking i want to take the road closest to a particular point, park my car, and take off. something like this could potentially screw up a whole afternoon.

Re:Maps too

[SilentTristero]

I don't think it makes the whole map worthless, although sometimes when I get somewhere and the road's not where the map says it is, I wonder whether it's deliberate or just an error or change since the map was made.

You only need one duck on a given map, and one assumes they'd be dead ends, tiny roads, or just real roads modified subtly enough to detect (even a misspelled name would work). I guess it's like watermarking in a way...

-- Tristero

Re:Maps too

[a20vertigo]

More than likely, public services and government types get their maps directly from a survey company, with some kind of explicit promise against honey-roads... Still, it would hurt the smaller towns and anyone who couldn't afford the premium "non-fake" maps.

Re:Maps too

[Heggsy]

Happened to me last year, and I was damn annoyed about it.

I was on a driving holiday in Cornwall (peerless beauty) and talking time out to visit some of the ancient sites, many of which are in the middle of moorland, and a mile or two off the road. When trying to find one particular site, an abandoned 11th Century village, I wasted nearly 2 hours trying to find a small dead-end road marked on the map which seemed to me to be the best starting point for the trek to the village. Eventually I got my compass out and after some triangulation concluded that I was in the right place, but the road did not in fact exist. Sure enough, the abandoned village was where it was supposed to be too.

Now admittedly this wasn't an Ordinance Survey map, and I should have got my compass out and started checking earlier. However, since the site was clearly marked on the map, you would think that the mapmaker would have assumed that someone, someday would actually want to visit it...

Hmm, this turned out to be a longer rant than I had anticipated. Still, it did make me bloody cross.

Re:Maps too

[count3r]

The concept here is putting insignificant fake data on a map. What you're saying is that you don't believe the particular example (a fake road) is insignificant (and I think many people, including me, would agree). But the concept is still viable-- just pick better (more insignificant) data to fake-- any label will do...

Re:Maps too

[Doctor7]

As I've found out when planning a couple of treasure hunts, this happens with whole villages in the UK, either because they once had something important enough to make them worth naming, and no longer do, or (I'm almost certain) because some of the fake villages that were added back in WWII still get reproduced on modern maps.

Re:Maps too

[overunderunderdone]

Another post on this thread by an actual map company employee mentioned that they ad dead-end roads, and that they have other techniques as well depending on the purpose of the map to (as much as possible) eliminate any real inconvenience to map users while still having "honeytokens" to catch copyright infringement.

I've noticed that there is one road map of my area that has a small pond on my property on the wrong side of a highway and have wondered if that was an intentional error. It would be a perfect kind of error to catch a copycat without any inconvenience to users. It's a road map and the pond isn't even visible from the road - no harm that it's wrong since it doesn't relate to the purpose of the map at all.

Similar to anti-spam provisions

[iamatlas]

I'm not so sure that this is anything too new, the placement of fake data to detect unauthorized use. This perrson is simply coining a term and solidifying the concept by relating it to existing terminology and concepts. (a good thing)

Otherwise though, I've been aware of these sorts of misuse/abuse detection schemes for some time- specifically in the area of email harvesting for spam. Place a fake or otherwise unused address in a list or directory, and if it ever receives mail, you know the sender was harvesting.

Re:Similar to anti-spam provisions

[melete]

No, it's not new. Didn't Cliff Stoll do something like this when he was tracking down hackers at LLNL?

Re:Similar to anti-spam provisions

[BlueWonder]

Didn't Cliff Stoll do something like this when he was tracking down hackers at LLNL?

No.

Cliff Stoll did something like this when he was tracking down hackers at LBL.

The article probably wouldn't have mentioned Cliff for using this technique if he hadn't. :-)

RIAA Using HoneyTokens

Another good example would be the RIAA putting bogus music files on P2P networks. For example, if you query and download a file that is named "Metallica - Enter Sandman.mp3" then chances are you have other files that are of dubious lineage.
The sword here cuts both ways, unfortunately.

----
Like listening to music? Then use Fission, the MP3 player with a brain!

I do this already

[L.+VeGas]

By placing arsenic in your water bottle that you leave in the refrigerator, you can tell who's been pilfering your lunch.

Re:I do this already

[Jaguar777]

By placing arsenic in your water bottle that you leave in the refrigerator, you can tell who's been pilfering your lunch.

I prefer to use a bottle of honey. You catch more people that way. I even tried vinegar, but honey works best :)

Re:I do this already

[Elwood+P+Dowd]

You can solve this problem by labeling your lunch "Meat Experiment."

Similarly, you can label your beverage "Fluid Excretion Experiment."

Re:I do this already

[dschl]

I have heard stories of leaving gloves dusted with dye powder (same stuff used in money shipments) in your locker, just for the glove-thief on drilling rig crews. You always know who is stealing your gloves, but the bright red hands of the thief let everyone else know, too. If you are feeling a little bit nastier, you dust the inside of the glove with caustic, and then leave it in your locker for the glove thief. The caustic is a bit more dangerous, because if he rubs his eyes just before his fingers start burning, it could cause severe eye damage.

The lunch thief in my drilling crew was the motorman, who did five years in Kingston pen for armed robbery. Claimed he was "reformed", so I guess he didn't really consider sandwich theft to be much of a crime. I was tempted to add ex-lax or something worse just for him, but never got around to it.

Re:I do this already

[multipartmixed]

I live about 5 miles from the Kingston Pen, and I can tell you that, without a shadow of a doubt, that nobody who has spent any time there will ever be reformed. This goes double for the guards -- the only difference between the guards and the inmates is what side of the bars they're on.

Re:I do this already

[Sam+Nitzberg]

I used to bring in just enough milk to work for my own needs for the week. I'd bring in my milk on Monday, knowing that, no matter what my usage, there would be enough for the manner in which I drink milk for the duration of the week. I also would let one coworker (an old friend of mine) use small amounts of milk for his coffee.

I might have some left over, but I would always have enough. One of my coworkers, who felt that we should all share and be nice, was helping himself to my milk. He was consuming my milk, and producing shortages. He offered to give me money to bring in larger amounts, or cover his share, but I wanted MY milk, and under my control. I spoke to him about the usurption of authority over the milk in my domain, but to little or no effect. His using my milk for tea, coffee, cereal, etc... was going to have to stop.

I came up with two solutions :
(1) chain my milk within my lunchbox. That's the defensive approach.

I went with (2)
I put on the side of my milk container an access control list / authorized user list. The names of myself and my friend appeared under the title, "Authorized access list."

This worked.

Every employee accessing the fridge saw the message, and it was received as being pretty funny. It generated much chatter about the milk bandit, and his identity became increasingly widespread, where he had saught anonymity. But, it put the "bad guy" on notice, and noone, except those appearing on the list dared to be seen handling the milk containers.

These days, adding photo IDs would be a nice touch.

Anyway, I didn't have a problem again...

Sam Nitzberg
http://www.iamsam.com

Re:I do this already

[nlaporte]

A friend of mine once worked in a chem lab where they, for some reason, needed to use non-denatured 95% ethanol. You know, Everclear. Well, it transpired that there every day the level in the bottle would be a little lower than it should have been. My friend had the bright idea of putting in a little phenolphthalein (main ingredient in Ex-Lax) into the bottle, as that apparently wouldn't disrupt whatever they were using it for. Presto, no more EtOH gone!

Re:I do this already

[FroMan]

The lunch thief in my drilling crew was the motorman, who did five years in Kingston pen for armed robbery.

Claimed he was "reformed", so I guess he didn't really consider sandwich theft to be much of a crime.

I was tempted to add ex-lax or something worse just for him, but never got around to it.

Truth to tell, I don't think I'd ever have gotten around to pissing off the guy who was convicted of armed robbery too. Especially after he claims to have been "reformed" and is still stealing my lunch.

One potential problem...

[TWX]

If records are globally viewable, or easily accessed without particular trouble, curiousity might lead people who otherwise wouldn't look through something to peek. Granted, in the JFK/Hospital example, people really should no poke around, but in other Internet based examples, curiousity is common. Lock stuff up a bit if you want to keep the honest people out, it's much more legitimate than leaving it open yet without having business.

And before someone makes an analogy to leaving one's house's door unlocked, Like computers, I lock my front door unless I'm expecting company.

Been around for awhile

[miyako]

...several years in fact, although in a different form.
A while back a bunch of businesses created a website called slashdot to monitor people who were surfing the net instead of doing work.

This is new?

[shamino0]

I seem to remember that phone companies have been doing this for decades in order to catch people illegally copying the phone book.

Phone listings are not proprietary - anyone can publish a phone book. But you can't copy someone else's publication (like the telco's official phone book.)

In order to tell if a third-party phone book is legal or not, the telcos put a bunch of bogus listings in ever one. When third-party books are published, the telco can check to see if the bogus listings are in it. If they are, then they know that the book is an illegal copy of the telco's phone book. A book that doesn't pirate the telco's book (e.g. using listings purchased from the telco or by asking people to contribute contact information) will not have those listings in it.

This sounds like the same concept applied to a new purpose.

Re:This is new?

[Lionel+Hutts]

Right idea, wrong conclusion.

It is perfectly legal to copy all the listings out of a phone book under your own name with no attribution.

The phone book publishers that caught people copying this way discovered that it did them no good.

Re:This is new?

[SammyTheSnake]

It is perfectly legal to copy all the listings out of a phone book under your own name with no attribution.

Presumably it's only legal, though, if you only copy the legitimate entries, otherwise you're copying their creative effort without permission!

Smith, James T. 555 8466
Smith, John P. 555 1234
Smith, John T. 555 6868
Smithe, Johannes Wildomfridge Kanolpe 123456789123456789

Wanted: .sig, will pay bottle tops.

Re:This is new?

[enjo13]

Not true..

The particular work (in this case a phone book) IS copyrightable. Just because the information is public record and/or easily obtainable does not mean that the actual text is not copyrightable.

That's the WHOLE POINT of this scheme. If another phone book pops up that just contains the valid entries, one can assume that the company producing that book did proper research and produced the information from non copyrighted sources.

However, the appearance of those false numbers provides evidence that those people did in fact garner their information from a copyrighted source (another phone book).

Witchhunt

[HomerNet]

This really strikes me as a wasteful use of resources (as someone already pointed out earlier). However, this whole concept (honeypot, honeytoken) shows how people are so paranoid they INVITE other people to prove them right.

It's like this: Let's say there's a ravine. This ravine is in a somewhat dangerous area of the mountains, and so people are generally told to avoid it. However, this ravine is the shortest walking distance between two towns. Some park ranger with an inflated sense of superiority and WAY to much time on his hands decided that this ravine is now OFF LIMITS because it's dangerous, so he plants some mines. If people step on the mines, well, it's their fault, because the park ranger declared the ravine off limits.

Re:Witchhunt

[Renli]

I don't see how it invites them. To see any honey tokens I have on my system people must ALREADY be in my system. Which is illegal without my permission. This isn't about inviting people to break in, its about catching those who have already.

For example. If I stick a file called creditcard-num in a directory as a honeytoken how do people know its there? hmm? They don't. They have to be doing something they aren't allowed to be doing in the first place.

As far as your park ranger analogy...*laughs* Planting a honey token is different then planting a mine (in more ways then one). The token won't actually DO anything. Its just a marker so you can see results of others actions. A mine hoever does actually DO something. Thats totally different.

Re:Witchhunt

[mabhatter654]

Actually this would prevent "Witchhunts" because you the administrator have pre-knowladge about what's going on. Typically, a private word or two to a single employee about a security faux pas travels faster than a company-wide memo...and gains you respect for being sneakier than them too.

My experience is that company-wide emails are ignored by most, and often cause witchhunts from the deskbound execs...this causes sys admin to loose respect.

You also gain knowladge about who really needs particular access and why. That way you can know when you have a real security threat and someone just data mining.

Re:Witchhunt

[HomerNet]

I don't see how it invites them. To see any honey tokens I have on my system people must ALREADY be in my system. Which is illegal without my permission. This isn't about inviting people to break in, its about catching those who have already.

It has less to do with people on your computer and more to do with other computers that you would use. Humans are, by nature, curious. Hackers and geeks (read: Just about anyone who reads /.) are by nature proactive when it comes to computers. Let's say; I come across a file on the hard drive of the computer I'm using at work. I'm perfectly within my rights to use this computer, and I'm supposed to be digging around in this directory. However, some overcontrolling nazi of a system administrator thinks that users will only open the files they are "allowed" to open (in his/her limited world view) has placed this file in a diliberate attempt to catch someone who is "trying to access a file that they aren't allowed to." The legal system has a word for this, it's called "entrapment."

This isn't to say that there aren't files that need security and protection and genuinly need restricted access. I don't want my bank's financial records in the hands of some lame cracker with a shell script. What I have a problem with is overcontrol and people thinking that certain information is really important when it's not.

For example. If I stick a file called creditcard-num in a directory as a honeytoken how do people know its there? hmm? They don't. They have to be doing something they aren't allowed to be doing in the first place.

What are you doing allowing people on your computer without your permission? Have you no firewall? Have you no secured gateway? Are you not using Linux/UNIX? Unless you're using the computer your corprate IT department gave you and restricted your permissions on, chances are you've taken enough precautions to keep out all but the most ambitious black hat hackers. (Script kiddie crackers probably won't even see your computer if you're practicing proper security.)

As far as your park ranger analogy...*laughs* Planting a honey token is different then planting a mine (in more ways then one). The token won't actually DO anything. Its just a marker so you can see results of others actions. A mine hoever does actually DO something. Thats totally different.

Park ranger == Overcontrolling nazi system administrator

Ravine == Some site or path that people "in the know" have used since it's discovery in mostly harmless ways

Mines == Honeytokens

If you think these honeytokens don't do anything, trip one at work and see how long you have a job. For even more family fun, go to some government web site and trip one, and time how long it takes the arrest warrant to arrive.

Re:Witchhunt

[HomerNet]

You also gain knowladge about who really needs particular access and why. That way you can know when you have a real security threat and someone just data mining.

This would be applicable if the entire purpose of honeytokens was to track data access for security. Honeytokens are designed to trap unsuspecting people. The frustrating thing is, not a hacker worth their salt breaks into a system or file just to see what's there. That's left for the luzors that want to prove that they're better than everyone else.

Re:Witchhunt

[overunderunderdone]

You're so right! I certainly wouldn't want any database with my personal data, medical records, or credit card number using any kind of wasteful "security". Information wants to be free!!! I'm sure anyone with access (even if it they gave themselves access via one of these "exploits" I've heard so much about) is just poking around because they're curious. Only a Nazi control freak would prevent them from getting that data.

It is comforting to know that you don't have any of these hangups about "privacy" that others on /. do. If you don't mind curious people looking at your medical or financial data I'm sure you don't mind if the curious people work for the government.

Re:Witchhunt

[Renli]

Ok, we have to different views of the use of honeytokens. I'm talking about putting them in places where I know only I myself will (should be) able to access them. Thus if it is accessed I know someone who doesn't have permission is in my system. Your talking about putting them somewhere to invite curious people to look at them. Two different things in my opinion. I agree in your way it reeks of entrapment.

As for allowing people on my system without my permission, obviously I meant people breaking in. And yes i have a firewall etc etc etc. However if this was the be all and end all of security there wouldn't be crackers now would thier? And yes i use Linux/Unix. RH 7.2 heavily patched and FreeBSD also kept up to date. Along with a Windows box I need for work.

Again I still find the mine/ravine anology funny and pointless (no offense). Putting a token somewhere your allowed to be is wrong but not why they should be in use. Putting a token where your NOT allowed to be is how it should be done.

As for people being curious, tough shit. You break the rules or the law, don't whine to me. The reason the world is going to hell in a hand basket is because people don't take responsibility for their actions. I'm as curious as anyone. It got me into shit in high school. I got punished. You want to access something that your not allowed/suppose to be/have no right to.....go ahead. Just don't complain if you get caught.

false alarm

[painehope]

I can see someone accessing a record just because it's interesting.

A bored nurse at a hospital is browsing through patient files, sees "John F. Kennedy", and for shits and giggles, opens the record to see if he had a gunshot wound to the head.

Same if you call it "Bwana Guana the Flying Butt Monkey", or hide the file, or someone notices that it hasn't been accessed since last year, etc.

Re:false alarm

[RocketScientist]

But the point is that under HIPAA rules, browsing that information and pulling it up if you don't need to is illegal. RTFA. You'd be violating Mr. Kennedy's rights to have private records.

Similarly, lookng up the names of baseball players, movie actors, or any other celebrities is illegal. No one has the right to anyone else's medical records unless they have a specific need, specifically to provide healthcare or accurate billing.

They're very strict about that, otherwise you end up with hospitals selling that data to insurers and pharmaceutical companies for advertising and whatnot.

Re:false alarm

[JoeBuck]

That's the whole point: this is a technique to catch your staff when they do something that they are not supposed to (like violate the privacy of celebrities). These things don't stop at shits and giggles: if someone gets at a rich man's financial records, that someone can then engage in identity theft, or sale of embarrassing gossip to tabloids, or fanboy/fangirl invasion of a sick person's hospital room, etc.

Re:false alarm

[painehope]

I think that you, and everyone else who replied to my comment, are missing the point. It's not about what nurses can and can't do, it's about false alarms being rung. I did RTFA. It wasn't about fucking nurses and the HIPAA, it was about presenting false tokens to intruders.

I showed a few scenarios whereby data might become interesting to someone. Maybe at a hospital, reading someone's records is illegal. Other places, it is not. I can look through your data at my job to my heart's content. It might not be ethical w/out a good reason, and will get your ass fired if you're doing something unethical, but it's not illegal.

To the original point : there could be a number of cases of false alarms for things like file accesses. Say I'm running du -m -s against the user's home directories on the file server, to figure out who the biggest users of space are. Or I'm running it against some other data repository. Either one would access a bogus account's files or some other trigger. Or you have a bug in a script that checks a database or...there's a million reasons why something could happen to set something like this off.

Now, for things like planting tokens ( passwords, etc. ) and then waiting for them to be used, there's very little chance of ever having a false positive. I didn't think I would have to point out what I didn't say, or explain what I did say to such a degree, but this is /., and we appear to have the marketed cornered on medical record experts whose hobbies include reading /. and the privacy laws as they pertain to celebrities and advertisement.

Re:false alarm

[RatBastard]

But as the sysadmin you have the right to access the files in the manner you describe and that kind of access is going to be addressed in the protocols set up by your company (if there are any brains in the IT Dept.). And yes, bugs in search engines or database searches might also generate false positives, but again, you'd have protocols in place to deal with them. You wouldn't just fire Joe Newbie Codemonkey bbecause his script was dodgy (well, if he was a clueless dink and produced shoddy wiork...), you'd deal with the problem.

NO system is perfect. This is just another tool.

Re:false alarm

[vsprintf]

No one has the right to anyone else's medical records unless they have a specific need, specifically to provide healthcare or accurate billing.

Well, apparently your records are the only things in a hospital that are private. They want you to walk down the hall with your butt hanging out of that bass-ackwards "gown". Then there are the rookie nurses on the night shift that are convinced you need a catheter. *shudder* I swear they just wanted to check it out, play with the K-Y, and cause pain. THAT is the kind of abuse that needs to be stopped, the hell with my records!

Re:false alarm

[overunderunderdone]

Um... that's the whole point. A bored nurse browsing through patient files for shits and giggles is commiting a crime for which not only she but also her employer can be held both liable in both civil and criminal court.

Some people don't like other people getting their shits and giggles by reading their medical records (or financial records, credit card #'s etc.) It's one thing for your doctor to know about that embarassing incident/disease/etc. it's quite another for a (potentially gossipy) nurse - after all if she found your records so amusing, so might a few of her friends, perhaps some of them are also your friends/relatives/co-workers/employers etc.

Re:false alarm

[SuiteSisterMary]

Yes, if you're in hospital, you're risking winding up as training material.

http://upalumni.org/medschool/appendices/ for example. Or, look for a book called 'Complications: A Surgeon's Notes on an Imperfect Science.'

This ain't anything new

[TheCrazyFinn]

Fred Saberhagen describes using a Honeytoken to defeat an enemy in one of his Berserker stories. Apparently it's an old Dictionary & Encyclopeadia Publishers trick to prevent plagiarism. they put in a number of reasonable entries that nobody's ever going to need, and if anybody copies them, they know they've been plagiarised, and can prove it in court

'He copied our encyclopaedia, and we know this because he has entries we made up out of whole cloth.'

Re:This ain't anything new

[Mudcathi]

Wow, that's reaching way back! I remember that story... cripes, that other old geezer was right, there really is nothing new under the sun.

Not cheap to put in an existing database...

[fleabag]

So how does the batch processing that runs against most databases work out the bogus records? You'd need a "bogus" flag or an exclude file. This is the kind of stuff that has systems pumping out thousands of letters to "John F. Kennedy" reminding him that his payment is overdue... Once this mechanism is embedded in the system design, then it will become widely known, and everyone including the janitor's dog will know that they will get fired if they look that the JFK record.

As an academic exercise, great. In the real world..no thanks. However the principle of slightly altering documents to catch the unwary is an old one - the person thinks the document is a copy, whereas it is really unique to them - they publish on f**kedcompany - and they get busted.

Re:Not cheap to put in an existing database...

[RatBastard]

Having worked with large and confidential databases I can assure you that your concerns are trvial. Almost all mailing address databases have fields to supporess mailing forms/correspondence to a particular record. It's no more comlicated than putting in a "Mr./Ms./Mrs./Dr." title field.

Re:Not cheap to put in an existing database...

[overunderunderdone]

. However the principle of slightly altering documents to catch the unwary is an old one.

I think this particular breed of "honeytoken" is called a "canary trap". Make each copy unique and use a colorful phrase or two which just cry's out to be quoted verbatim and you know who the leak is.

Also, I think you are overstating the technical problems. The example given is just that, an example. I would assume though that in the example JFK's record is an old record, he's not in the hospital, his bill is paid up etc. There may be a few false positives but many of those will be immediately obvious - just ignore them.

Telephone book

[mfh]

Telephone companies have been doing this for years.

They list bogus entries in phone books and then scan other lists for occurrences of these entries. Subscriber lists and customer information is copyrighted and non-freely-distributable, supposedly (these terms may be slightly wrong).

If they start showing up in other databases (like other companies' phone books), calls are made. It's an excellent way to prevent the copying of their property en masse.

Re:Telephone book

[Lionel+Hutts]

There is no copyright in white-pages-style phone listings, so doing this is pointless.

Re:Telephone book

[mindstrm]

Yes, there is.

You cannot take the phone book, and just print up your own, copying it verbatim. The collection in it's entirety IS a copyrighted work, like a database.

Collections of otherwise uncopyrightable inforamtion constitute a new work, and are copyrightable.

Re:Telephone book

[Lionel+Hutts]

The difference between our viewpoints is, mine is correct, while yours is stupid.

"We conclude that the names, towns, and telephone numbers copied by Feist were not original to Rural and therefore were not protected by the copyright in Rural's combined white and yellow pages directory. As a constitutional matter, copyright protects only those constituent elements of a work that possess more than a de minimis quantum of creativity. Rural's white pages, limited to basic subscriber information and arranged alphabetically, fall short of the mark. As a statutory matter, 17 U.S.C. 101 does not afford protection from copying to a collection of facts that are selected, coordinated, and arranged in a way that utterly lacks originality. Given that some works must fail, we cannot imagine a more likely candidate. Indeed, were we to hold that Rural's white pages pass muster, it is hard to believe that any collection of facts could fail." Feist Publications, Inc. v. Rural Telephone Service Co., 499 U.S. 340, 363 (1991).

Some uneducated people used to believe the contrary...until 1991.

Re:Telephone book

[Maserati]

Wouldn't the honeytoken entries be protected as an original work ?

Re:Telephone book

[Lionel+Hutts]

Good question. I think the answer is twofold:

1. They may not be sufficiently "original" to be copyrightable, since they're just made up at random to look like real entries. This is a tough call, since the standard is so low. In contrast, if it was a book of paintings of the Old Masters, say, and you added one which was your own genuine artwork, you would have a case.

2. Even if they were theoretically protected, they would have no value. Money damages in copyright are measured by some combination of what the copied work is worth to the copier (here, a negative amount) and what the copyright holder loses from the copying (which, again, is nothing here; the fact that he loses from copying the noncopyrighted entries doesn't count). You couldn't possibly get enhanced damages for willful copying if you had disguised the copyrighted fake entries as freely copyable real entries. If the copyright holder qualified for equitable relief (an injunction to stop continued copying), at most, he would get the copier ordered to remove the fake entries, which he would have to identify. This might cause the copier a little trouble (having to reprint his phone books or whatever), but wouldn't stop him from copying the "good" entries again.

In general, trying to extend your "monopoly" on the fake entries to the real ones might prevent you from getting any relief on the grounds of "copyright misuse," and might be an antitrust violation, the DMCA attitude notwithstanding.

Real Life Use . . .

[TwP]

When I fill out forms or give out personal information, I will deliberately put in some erroneous data. For instance, putting X as my middle initial or putting an apartment number on the address for my house. Now when I get junk mail I can figure who is selling or giving away my information and stop doing business with those entities.

Not as good as they sound, but useful

[photon317]

These are just another tool, which when employed with other layers of tools, *may* help provide you some circumstantial evidence of malintent.

As noted in other comments, if you just put in some trigger to notice on the database system itself if anyone access JFK's record - well, if the database system is compromised, the trigger can be bypassed as well. It will catch only "legit" accesses without system compromise - as in someone pulling the record through a normal interface such as a hospital records application, in which case the failure was on the part of whoever implemented your security policies and allowed the record to be accessed through this interface, it was not a hack.

The more interesting usage is the fake SSNs and CCs. These could prove more useful it would seem. If 5% of the credit cards in your company's database are known-fakes, and you register these known-fakes with Visa/MC centrally, then even if your DB was infiltrated carefully, they'll be caught when they try to use the numbers by Visa or MC themselves, a seperate system unlikely to have been simultaneously compromised.

But for numbers like SSNs and CCs, this really isn't a solution, it just raises the bar a notch. If this were common practice, then the intelligent theif would rip off CC databases from 2-3 seperate major retailers and compare them to figure out which were dupes. If there was a central list of fake cards from Visa that everyone used so that they matched, you'd just have to work at another company that also used the dupe list to have your own copy of the numbers to avoid. In the case of SSNs, before you go off using them for malicious purposes, you'd probably compare them against another database from state driver records or some such thing to filter out the bad ones...

In other words, you've made their job a bit harder, but it's not a magic bullet by far, nothing ever will be.

Re:Not as good as they sound, but useful

[photon317]

You're right it sounds like bad policy. I guess what you're fighting there is that who's authorized changes quickly and the system isn't designed to facilite rapidly changing permissions. Perhaps medical works and patients should have mag cards on them in a hospital, where they can scan into terminals in the room to indicate who's treating who at what time? Then you could set policies based on scans (if a Dr has a scan record with this patient within X hours of a recorded event in their patient history, grant access...)

Been done for years - whens the patent applicatio?

[cait56]

As has been pointed out in numerous replies, this practice has existed for decades if not centuries. The earliest version I am aware of was done by Almanacs and Encyclopedia's. Unindexed and uncross-referenced articles would be inserted on the theory that nobody except a copier would find them.

So all veteran /. readers should be awaiting a story on the issuance of a patent covering the technique.

Re:oh, you mean like my penis?

[nightsweat]

I'm pretty sure you can leave access to that thing wide open and it'll still be as safe and untouched as if it were translated to Navajo and encrypted with 3DES.

No, but reading the article is :)

[Jaguar777]

I guess you didn't see this in the beginning of the article.

"While the concept of honeytokens may not be new (think Cliff Stoll and The Cuckoo's Egg), the term is."

Or they were poking around....

[autopr0n]

Or they were poking around bored.

Or there's a flaw in your software.

Well, then you'll just end up with a record of an 'intrusion' from localhost. if there is something wrong with your software, you should fix it anyway.

Or they were poking around bored.

The whole point is that they shouldn't be poking around. I certanly wouldn't want hospital employees 'poking around' in medical records. If someone is 'poking around' in sensitive data, then they are a hacker. If it's someone from your organization, you should either bitch at 'em or fire 'em, depending on what kind of work you do.

Or you've been hacked in which case you won't have an access record anyway if the hacker did their job right.

Not if you burn logs straight to a multisession CD...

Re:Or they were poking around....

[wirelessbuzzers]

Yes, you're right, that's about what I would do. I might actually report it instead of looking at it mylelf, but there's a good chance that I'd do it.

I think that JFK thing was a bad example.

entrapment

[chmilar]

Isn't this what the cops/lawyers call "entrapment"?

Re:entrapment

[sfjoe]

No. Entrapment is when you entice or coerce someone to do something they wouldn't ordinarily do.

Re:entrapment

[SuiteSisterMary]

Entrapment would be a cop, dressed up as a drug dealer, walking up to somebody and saying 'hey, man, want to buy some cocaine?'

This, is more like a cop, dressed up as a drug dealer, just standing around, waiting for people to come up to *him* and *ask to buy* of their own volition.

Web developers have known this trick for a while

[thalakan]

I first saw it mentioned at Black Hat 2002 in Vegas last year. The idea was that you would create fake session tokens for web applications and then monitor them for access by applications trying to brute force the session token values.

I mentioned it to a web developer who said that the idea has actually been implemented in some of the large e-commerce sites he's worked on.

Not False Alarm

[SuperHighImpact]

A bored nurse at a hospital is browsing through patient files, sees "John F. Kennedy", and for shits and giggles, opens the record to see if he had a gunshot wound to the head.

I don't see this as a false alarm at all. Nobody is allowed to access a patient's records "for shits and giggles." Doing so is a violation and this person would be caught and rightfully so. Hopefully, they would lose their job, and be forced into a life of crime to support their family.

really stupid idea

[cr@ckwhore]

This idea sounds good on paper, but won't work in practice.

Here's the flaw... how does the system know when data is being accessed illegitimately? Just because there's a dummy record in a database, doesn't mean that it won't be accessed. The example given with the patient table fails to account for times when the software itself will access the data for various purposes ... updating information, reporting, etc.

Exactly how would one go about monitoring data access? In theory, it's simple ... enable some form of auditing on the database server. Ok, but then the flaw... how does the auditing system know which data reads are good and which are bad? Even on a bogus fake record, there will be legitimate data reads by the application software that uses the database.

Re:really stupid idea

[geckofiend]

And of course nobody could write a system to take into account the tiny number of times a bogues record would need to be accessed.

Did you even READ the article to realize that it doscusses far more than simple database records before spouting off at the mouth?

Re:really stupid idea

[cr@ckwhore]

How about this ... I engineer these types of systems as my profession, so I know what I'm talking about... did you even bother to READ and understand my post before spouting off in such a rude manner? I don't think you did.

Not that new...

[bluephone]

It's also called "salting" the records, or seeding the records as well. It's been used for ages. Last time I remember seeing it on a large scale was with those whole-country telephone databases on CD that were popular in the 1990's, before they were availabel free on the net. Some companies were rather restrictive with the licenses, and prohibited using the databases for mailing lists, cold calls, etc., and seeded the database with fake entries so they could tell when it was being abused.

Renting a mailing list?

[autopr0n]

Folks who rent mailing lists add "ringers," which, if they receive a mailing after the term of the rental is up, yield prima facie evidence of violation of the rental contract.

I can't think of a single legitimate reason to 'rent' a mailing list.

Re:Renting a mailing list?

[vegetablespork]

I'm inclined to agree, but it's a very common practice.

Re:Renting a mailing list?

[homer_ca]

"I can't think of a single legitimate reason to 'rent' a mailing list."

So tbey can charge more to 'sell' a mailing list?

Re:Renting a mailing list?

[pinkfalcon]

When I worked for a mail order company for songbooks, we rented a list of all the youth groups and churches in the U.S. for a one time mailing. Those who responded got put on our real list and we threw away the rest.

Re:Renting a mailing list?

[Andrew+Ford]

As far as I understand it anyone who responds is then your contact and you can legitimately add them to your own list.

Re:Renting a mailing list?

[PhilHibbs]

Actualy, I'd prefer that my details be rented than be sold. At least when the rental is up, I might stop receiving the junk. Also a sale implies that the receiver is free to sell it on to others, rental strongly implies an agreement not to do so.

Targeted mailing lists do it too.

[MrScience]

I worked for one of the largest shareware catalog companies (yeah, way back then, my first job :), and had to write software that would come up with the reports of what customers were interested in, when they last purchased, etc. etc. etc.

Whenever our company would sell this targeted list of previous customers to other companies, they would also insert several bogus names that led back to our owners. Each name was setup to recieve a particular piece of junk mail. This list could only be used by that company X many times.

That way, as soon as that other company sold our names to a 3rd party, we could sue.

I obviously don't work there any more. :)

Re:oh, you mean like my penis?

[AssFace]

Are you coming on to me?

It was the honey that did it, wasn't it?

I knew I was probably doing it wrong.

One note on false positives "problem"

[Nemus]

Some people have pointed out that maybe someone just looking through a database on legitimate business sees an interesting patient file, and opens it up, just to look.

One reason this idea would be especially good for hospitals is because such actions have gotten hospitals sued in the past. Simply put, no hospital employee is supposed to view a patient's information unless required. So, if Nurse Betty is looking up "John F. Kennedan's" file, and also sneaks a peek at "John F. Kennedy's", she just broke federal law, and the hospital is going to want to know about that.

As for false positives in other instances, people seem to be just trolling. For example, every single day at a former employer of mine, a cell phone provider, we'd get false positives on customer who may or may not have been using fraudulent information to sign up for service. As such, we would stop and call the verification services we used, and verify that customer. So sure, out of thirty customers a day, it would generate five warnings, four of which were false. But one of them wasn't, and that makes all the difference.

Theres never going to be some "All seeing Eye of God" security system, but every little bit helps. Especially, as noted, in both banking and hospitals, where customer's information is bound to a need-to-know basis by federal law.

Re:Works for spam of the paper kind, too

[n7ytd]

An interesting thing to do, next time you supply your address for some reason, (sweepstakes at the mall, supermarket savings club, etc.) change the way you write your name: if your name is John Q. Public, write it down as J Quincy Public, or John W. Public; whatever.

It's mildly amusing to track how your name gets sold to credit cards and magazines and such. You may even get a telemarketer calling for Mr. J Quincy! Woo-hoo!

Um...

[autopr0n]

A bored nurse at a hospital is browsing through patient files, sees "John F. Kennedy", and for shits and giggles, opens the record to see if he had a gunshot wound to the head.

I don't think Nurses are supposed to be able read through random people's medical files out of bordom. There are all kinds of crazy regulations required by the HIPA or whatever for handling medical information in the US as it is.

hmm

[H3g3m0n]

ergo it would see somone has been watching the Matrix ;)

Not new at all... dictionaries, maps, etc.

[Dr.+Zowie]

Dictionaries, maps, and many books have included these things for decades, perhaps centuries. Most modern maps have tiny errors that are intended to be insignificant except as copyright "markers". Dictionaries contain false entries intended to serve as markers and preserve the collection copyright. Many books (especially editions of public-domain works or collections of multiple works) contain deliberate (originally not-so-deliberate) typos that mark the particular edition.

As far as I can tell, "honeytoken" is just a nice sounding buzzword for an ages-old technique.

Re:Not new at all... dictionaries, maps, etc.

[Tumbleweed]

> Dictionaries contain false entries intended to serve as markers and preserve the collection copyright.

That must be where that word 'nukyuler' comes from that I keep hearing W use, right?

Re:Not new at all... dictionaries, maps, etc.

[julesh]

Dictionaries contain false entries intended to serve as markers and preserve the collection copyright

I can understand maps, but ... dictionaries? I don't think this would work. You see, there are quite a lot of people who will, from time to time, just pick up a dictionary and browse. Try to find interesting words that they've never heard of before. So, if a dictionary had (for example) the entry 'Grig (n) the piece of a ringpull on a drink can that gets pushed inside the can upon opening' someone will probably notice this. Then they'll be talking to somebody at some point and an opportunity to use this fabulous word 'grig' will arise. So they will. And the person they're talking to will say 'what's a grig?' and they'll explain. And so on, until maybe a few thousand people are using the word. And maybe one of those looks at another dictionary and finds that it isn't in there, so he calls his friend the lexicographer who happens to work for that dictionary publisher and tells him about the word.

'Are you sure about this?'
'Oh yes. I've looked it up in and its in there, so it must be a real word.'
'Oh, I'll get it put into the next edition then'.

You see? This doesn't work with languages, which aren't actually a real thing that can be studied independently of the works that describe them.

Keeping staff on the reservation....

[Rahga]

I can imagine this reaching some level in intranet circles. This is not a new idea.... In fact, it's far more common in real life. You know, social engineering and all that stuff. As a quick example, the only thing memorable about "Eyes Wide Shut" was the "musican's password" goofup.

Old, old idea.

[DdJ]

People have been doing this for ages, at least out here in the "really real world".

Mapmakers put fake cities on their maps in obscure places, so that they can tell whether another mapmaker just copied their maps (illegal) or whether they went out and compiled their own information.

Folks who put together directories (like phone books) that forbid their use by telemarketers put fake people (with real phone numbers) in there to identify telemarketers that are illegally using the directory as a basis for telemarking calls.

There's even a sort-of-backwards example from cryptography, that I believe Schneier came up with. You are all probably familiar with the basic concept that if you crack someone's crypto, you can't use the info you get from cracking their crypto unless you can plausibly explain how you got that info by another mechanism. There are big chunks of Cryptonomicon dedicated to this idea, and it's a real idea. Well, one way to tell if your crypto has been hacked is to find a really funny joke and to transmit it only by your crypto mechanism. Most folks who'd crack your crypto would have a hard time believing that the cleartext of the joke was never transmitted anywhere, so they see less reason to be anal about the normal procedures. So, you watch to see if the joke "leaks out" into the world. If so, and if you maintained other security, then your crypto has been broken.

You'll find all sorts of examples of this basic idea, going back for centuries.

Re:Old, old idea.

[ralmeida]

Yeah, I have this really, really, really good joke, but I can't tell you because I use it as a honeytoken.

I also have a simple proof of Fermat's Last Theorem, but it's being used as a honeytoken also. Sorry.

Re:Old, old idea.

[nosferatu1001]

that's ok, there's already a proof out...or does that mean your crypto has been broken?...

Re:Old, old idea.

[Col+Bat+Guano]

"So, you watch to see if the joke "leaks out" into the world. If so, and if you maintained other security, then your crypto has been broken."

I'm not sure that's a good plan.
Microsoft had windows 3.1 as the encrypted joke, and look where we have ended up!

Wise detected pilfering info from Installshield

[raaum]

basically because of a honeytoken like entity

someone at installshield had an entry in some internal company data source using her maiden name (and had used her maiden name nowhere else). she recieved solicitations from wise and got suspicious.

now installshield is sueing the hell out of wise, see this article, and this news release

Re:Wise detected pilfering info from Installshield

[quinkin]

A perfect example of honeytokens.

Thanks for the links, very interesting.

Wise din't exactly live up to it's name...

Q.

It's Called Auditing

[moby]

Already been done.

Honeytoken box

[Stephen+Samuel]

When I first got broadband, I had a machine that had NOTHING pointing to it, other than a random DNS name that you had to know about in order to look at it. (blth23845x.bchai.hsadsl.bctel.net or something like that). I started a Web server, and watched the logs -- knowing that ANYBODY who connected to my machine was doing it as part of an IP range scan.

I automatically generated reports on that basis.

I also generated reports for probes to some of the other 'nasty' ports.

possible database hack detected on slashdot

[circletimessquare]

Hi Slashdot People! (Score:6, Insightful)
by John F. Kennedy (666) on 2003.07.17 16:38 (#666)

I love Windows! It never crashes. Linux Sucks. Hilary Rosen is having my baby. Filesharers are evil. Lessig is a communist. Matrix Reloaded Sucked. The Twin Towers Sucked. Online gamers are asocial dweebs. No, you cannot make a beowulf cluster of these. Nothing like this whatsoever happens in Soviet Russia.

[ Reply to This ]

666 replies beneath your current threshold.

Tom Clancy's Canary Trap

[ketan]

This sounds similar to (but distinct from) the Canary Trap that Tom Clancy described in one of his novels. I think it was "Cardinal of the Kremlin," though I may be wrong. I don't know if the idea was Clancy's originally, but that's where I saw it. Basically, each copy of a classified report has various meaningless differences, like an intentional misspelling or use of a different phrase. Each person is given a slightly different and unique version of the report. If it ends up being leaked, it's relatively straightforward to figure out where the leak originated. I guess that sounds a lot like watermarking/fingerprinting files as well, though this was for both hard and soft copies.

Re:Tom Clancy's Canary Trap

[multipartmixed]

FWIW, I'm 99.99% that's from COTK. I didn't read much Clancy in those days (still don't, actually), but I remember that ploy and time frame clearly. I'm pretty damned sure I was reading COTK at the time. The one about the soviet tank commander, right?

The CIO Dupe, must beware ...

[OldHawk777]

Friendly Fun,

Oh Boy! I like this, I can have fun at work. I can just do a little after work beer drinking with the network Gestapo and maybe some other stuff come up with some mutual interest topic. Then, I do an attack search for a few select terms, names, phrases, ... built from common interest and a few ... to much trouble.
Maybe, after $30 of beer, just ask "What are honeychips and honeypots?" [I know honeytoken, but I don't know what I am talking about]. I then remember the slurred examples with intent and context. Auh Heck, to much trouble, I'll do it my old fashion way ....
Next day I do a few innocent (stealthy) searches for information, identify probable honeytokens of interest, then surreptitiously share with the curiously paranoid (most of us humans) individuals. Then let them search for and access the honeytokens.
Great practical joke on a few managers and Bosses. I am willing to bet I can get a CIO a/o CTO to fall for the joke. I mean, I know the DoD CIOs implemented PKI for everyone in DoD, then forgot (or never knew) that a private e-Signature smartcard (non-biomet) encryption key does not have a DoD Master-key to unlock all the encrypted files wanted for a criminal investigation. Oh, whoops ... there were, I think, other gaffs. I know the F-500 company I work for has plenty of dupes.
I would never do it, but I would not want to work at a company that laid traps that anyone could fall in, due to normal curiosity and the right manipulation. Sounds like entrapment and poor ethics ....

OldHawk777

Reality is a self-induced hallucination.

Used in Intelligence

Nothing new here. The idea isn't necessarily to detect intrusion, but to track dissemination of data.

Say you have a soldier who you don't mind having a copy of your secret plans, but you'd still be willing to execute him if those secret plans ever appear anywhere else, say, in the possession of an enemy soldier you've captured.

So you put an intentional artifact into the plans, some subtle flaw or detail that is unique to that copy of the message.

The secret getting out is one thing. The trail needed to punish the individual responsible is another.

Not to be a hater

[BelugaParty]

but I'd read about this in a small town (tribnet.com) newspaper ... ooh ... I'd say ... months ago... sooo, yes i'm that special. and no, I'm not sure if the paper was intended for PKD.

This reminds me of...

[rusty0101]

...Tom Clancies rendition of finding out who is selling the secrets.

Assuming you have agents in your enemies area, you provide each of your local agents with a slightly different copy of the material. Each copy is worded slightly differently, or contains a different trivial but interesting fact as part of the document.

If one of the local agents is selling information to the enemy, and one of your agents in the enemies area is spotting the material comming in, the wording, or trivia that gets back to you will indicate which of your local people is passing the material on.

If you have time, you generate two slightly different reports each time, and start doing psuedo random distribution of the copies, and track who had which copies that made it to the other side.

If you do not have an agent on the other side, you can sometimes cause your enemies themselves to show their hand by how they react to "wrong" information.

-Rusty

This is a great idea

[faust2097]

One place I worked at had 'root' as a honeytoken on all their production servers, there was a separate administrator account [they never would tell me what its name was...] and if anyone logged in as root it set off all sorts of alarms. I thought that was cool.

Re:This is a great idea

[multipartmixed]

cat /etc/passwd | grep ^0:

Unless, of course, you were running UNIX boxes, in which case trying to log in as root was pretty stupid anyhow. Well, unless you had really custom kernels. But that seem like an enormous waste of effort.

Re:This is a great idea

[PPGMD]

We do this on our Windows boxes.

All our admins get their own name based login, and our master admin account is an employee that we made up.

The actual administrator account has no privileges, and our IDS will go crazy if it logs in.

Re:Sorry-ass bosses.

[pla]

When the Boss steals, it's big-time, way more than any of you make in a year at your salaried job.

The big guys don't need to steal to drain the company. The laws (and corporate policies) allow them to do things the rest of us would spend hard time in the federal pen for.

As a trivial (though not unusual) example, at my previous job, the CEO made a bad call about handling a bug in a customer's software. Relatively minor bug, but due to the nature of the software, he and the company might actually have had to endure criminal proceedings if they handled his bad call poorly.

So the solution? He left the company with nearly a ten MILLION dollar parting bonus, sort of vaguely admitted responsibility, regulators considered the matter suitably dealt with, and the problem went away.

Think about that... This guy broke the law, so they gave him millions of dollars.

And some folks wonder why so many of us outright despise corporate America.

As Eric Idle once said, after killing a dozen or so tribesmen in Monty Python's "The Meaning of Life", "Back home they'd hang me, but here they gimme a fuckin medal!".

Newspaper

[Lt+Razak]

We did the same thing at our newspaper. We added a bogus name, but an address that went to one of our friends/relatives. If they ever recieved a magazine/newspaper/letter for them at that address with the bogus name, we'd know that our subscription lists was stolen. (Which is our largest asset)

SQL Error: Re:Or they made a mistake

[Coventry]

Uhm, WHY would an organization have a table filled with names that isn't indexed? I agree with in concept, but any organization that has its act together enough to consider using honeytokens and honeypots should also know better than to have crappy db schemas where something like a customer's name isn't indexed...

Re:SQL Error: Re:Or they made a mistake

[S.Lemmon]

As my pappy, one of the last great pencil makers, used to say: "I think you're missing the point there son".

Yes a name would probably be indexed, but that was just an example and not a guide to database design. Unless you index every field, at some point you're going pretty darn likely to have to go looking for something that's index-free.

Interesting Lawsuit

[Tikiman]

A "Honeytoken" was the subject of a $300 million lawsuit that involved trivia, Columbo, and the Supreme Court:

Columbo's First Name and The Supreme Court - The "Philip Columbo" Story

= the mapmaker's trick for catching plagiarists

[G4from128k]

Honeytokens sounds similar to the map publisher's trick of adding fake towns to maps. If a competitor copies the map, the original author/copyright holder can catch the copier by looking for the fake town.

Depends on how cunning they are.

[Eevee]

There's a pair of roads near me with a cutover road between them. However, many years ago, when checking a map of the area (from a major name company) I found two cutovers listed. One correctly named and one with a bogus but plausible name. (Don't you love themed areas?) Bingo!

As far as safety or directions go, I can't see anyone having any problems. The cutover is really only there to avoid dumping people onto the main roads to go around the block; no firefighter would bother to zig-zag from one road to the other that way.

Hospital staff using SQL?

[aligma]

Well, I don't know about the rest of the world, but in Australia I don't think hospital staff in general know SQL! Besides, if someone can use SQL to access the hospital database you have a problem anyway. If you think about it, a hospital would have some kind of built interface to the database, wouldn't it?

Re:Hospital staff using SQL?

[easyfrag]

Its probably not a case of someone actually writing SQL, more than likely they will have something like Crystal Reports or Cognos Impromptu which can let users point and click their way to retrieving all sorts of data. If the backend is MSSQL Server then even Microsoft Access can act as a front end.

fake files on kazaa???

[pair-a-noyd]

Aren't all those fake files on the p2p networks honeytokens??

They are lures, if you bite then you are doing something illegal and they get your IP address just for biting the bait???

Bam! Nothing to it...

I've ALWAYS suspect this..

Re:fake files on kazaa???

[EvilSporkMan]

Only if "conspiracy to commit copyright infringement" is illegal, otherwise you've merely wasted your time.

Re:fake files on kazaa???

[Rikardsen]

They can do even better: distribute songs with small variations in text and melody, then pursuit anyone humming let's say "hit me baby once again"

Re:fake files on kazaa???

[cheesyfru]

This wouldn't work, though. Even if you do "bite the bait", you'll be downloading a file which the copyright owner is giving to you. Whether it's fake or not, you have every right to download a file if the copyright holder is offering it to be downloaded, P2P network or not.

Not exactly revolutionary...

[nmg196]

Not exactly revolutionary... This is just list seeding.

You shove in one-time known fake name into a mailing list (postal or e-mail) that you sell and then if any mail arrives at that address sent by someone you didn't sell the list to, then you know that they've been abusing their terms for use of the list. I do the same thing with websites... I register for websites I write with sitename_seed@mydomain.com and if any of the 'seed' addresses get mail, then I know that someone's been harvesting addresses from that site. Thankfully this has never happened (yet!).

Maps, SE

[po8]

Mapmakers will commonly seed slight defects into their maps (e.g. nonexistent roads) to detect copying.

A related practice in software engineering is "fault seeding", in which bugs are deliberately injected into code to see if they are found during V&V. (The deliberate bugs should be removed before the product ships, of course. :-)

Old ideas, but quite useful.

done

[louisfreeman]

Our company uses this trick. There are 'honey-addresses' in our database. (a correct address belonging to an employee, with a completely wrong name) As soon as anything arrives at one of those adresses we know someone has made illegal use of an address from our database. Whatever gets send tells us who. Legal action follows ....

License # 853 OKG

[Mainframes+ROCK!]

I heard that some police departments in the 70s had the license plate "853 OKG" for Jim Rockford's car (from "The Rockford Files" TV show) in their databases to detect cops running plates for their own amusement ...

That's an idiotic comparison

[multipartmixed]

He was talking about *querying* the database, not *modifying* it.

Or, do you umask 077 all your files, and just change ownership to who think should view 'em?

It must be a bitch trying to keep track of all those DSOs.

Old Idea

[lawngnome]

I heard about rand mcnally(sp?) doing this with their maps, they would insert a fake town name and when someone else ripped off their content to make new maps they would reproduce the fake town and get busted...
nice idea though...

Old idea

[howhardcanitbetocrea]

While it is a good idea, it not a new idea at all. They ahve been doing it on maps for years. Maps nearly always have a non-existant feature so if copied the owner can say "we know it is our map". And his idea of using different content to try to identify who is leaking something? I did it years ago and was inspired by a book or newspaper story or somthing...

Credit cards and SSNs?

[sakeneko]

If you go making up honeytoken credit card numbers and social security numbers, you'd better be sure they *are* bogus, not real numbers that belong to someone you don't know. Otherwise, your honeytoken might be someone's real data....

Oops wouldn't cover it in that case. <wry grin>

Thought provoking?

[rjoseph]

Along the same lines as many of the other posts, I've seen instances of this in places I've worked all the times. In fact, my school already does this with SSN numbers in the database because there were incidents of the SSN database being stolen, and as many services in the town are offered to students, they were interested in seeing if the "honeytokens" (or we could just call them fake records like we've been doing for years) were actually being used.

What I don't get is the why the poster thought this article was so amazingly thought provoking? Ok, so it's a fairly interesting idea, but frankly it's just an old idea with a new name, and even if it was an original idea, it still wouldn't be that revolutionary.

Galactic center studies are though provoking. Graviational waves are thought provoking. Genome research is thought provoking. This is most definitely is not.

Re:Thought provoking?

[Wameku]

Maybe you're waiting for someone to post to your reply. but I will agree with you. This article though intriguing is hardly thought provoking. Mayhaps if I was crapping on a toilet this article would pique(sp?) my interest. as I am not. it does not. :)

Gaaaawd

[jjwahl]

Damn!

I don't normally rant about shit like this but this just irked me this time....

Why are you letting beginners write SQL to access your live database without any testing on your test system?

This kind of comment is so fucking presumptuous. I wish that some people would account for the possibility that their assumption is not accurate - i.e. This doesn't mean that beginners are writing SQL to access a live database without any testing (although granted, it *could* mean that)!!!
What if it is a legitimate developer accessing the database in ways that legitimate developers do, running a legitimate query on a legitimate table that happens to not have an index on a column that should?
Maybe the DBA forgot to index that column???

Forgive my nit-pickishness but I'm a little pissy today.

Ergo

[Winjer2k]

Is it just me, or are posters over-using "ergo"? Ever since Matrix Reloaded came out, every other post has "ergo." (yes, I'm exaggerating). Every time I hear that word, I imagine the architect saying "ERgooo." It's kind of annoying :p

Re:Ergo

[quinkin]

Hear hear.

If I hear or see one more illiterate, media mesmerised, teenage reprobate massacring not only the english language but any others they can pretend to have a passing knowledge of - I will have to gouge out my own eyes and perforate my eardrums.

Over-reacting you may say?? Well at least the pain will fade instead of growing ever more powerful as the global IQ diminishes...

Q.

Shouldn't Cliff Stoll's girlfriend

get credit for this. She was the one who said something to the effect of "if the hacker wants data, then give it to them." They did, and the hacker was connected long enough for them to track him down. Greed is the downfall of most criminals, preceded only by stupidity.

We call them canaries...

[jonesvery]

One of the companies that I work for has been using "canary records" for several years; records are created and deleted regularly, and the data itself contains some embedded information indicating its creation and deletion date in our DB.

Thankfully we've never encountered any cases of these records appearing in the outside world, but if (when?) one does, the record itself may help us to identify when the breach/leak occurred, so that we've got a starting point for futher investigation.

I suspect that this practice may be fairly common even though it isn't discussed much -- in order for it to be effective, you really shouldn't discuss the program at department or company-wide meetings.

While something like this won't make your data any more secure, part of any good security program is practices and tools to help you determine whether, when, and how your data *does* get compromised, and canaries can be one tool to help with the first two items on that list.

Is that all?

[Handpaper]

I know of somebody working at a fast food delivery outlet with a customer db keyed to phone numbers (you do know the company) who would enter every local number anyone gave him to see if he got a hit. AFAIK he only used this to freak out girlfriends (by turning up to collect them from home for a second date when they hadn't yet given him their address), but it was a clear breach of the UK's Data Protection Act, and could have landed him in deep trouble.

honeytokens... seeding

[dmallery]

twenty years ago we were marketing our mailing list of DECPro subscribers to our advertisers (suprise!)

every list sale had unique seed names/addresses inserted and we tracked whatever arrived at those addresses. every sales agreement had a paragraph in which the renter agreed that there were seed addresses inserted.

you mean like cddb?

[Foresto]

This reminds me of the cddb being stolen by Gracenote. Last time I checked, they were still claiming to own the database of audio discs (they may have changed their tune by now), despite the fact that it was built mostly from submissions by people like me. Gracenote basically took our diligent work, and started restricting access to it in order to make money. How do we know that they didn't build their own database? Because it contains entries for unpublished CDs that don't exist outside the homes of a few specific people; effectively honeytokens.

(Fortunately, an alternative now exists.)

Stops email viruses, too

[cskaplan]

I've always thought this would be a good way to stop email viruses on a local server, if you're foolishly using a virus propagator like Outlook. You create a special mail alias that doesn't belong to anyone. Everyone puts it in their Outlook address books. Any message sent to that address is a virus, and the server automatically blocks any subsequent messages that look like it.

Simple enough. In fact I once asked a sysadmin about it and he said they were doing just that, which wouldn't surprise me. On the other hand I was still receiving bonehead viruses, so maybe it wasn't working as well as it might have.

Re:Stops email viruses, too

[pair-a-noyd]

You mean like this?
mailto:spammesilly@gt.rr.com

I have another one too that's pretty much the same but it begins with trolling4spam@ and it's a dead giveaway.

They both actually function and I do get mail through them. But they allow me to discover who gives out what and how far it spreads.

They also allow me to finetune my spam filtering system.

we've been doing this for years

[Trailer+Trash]

How many of us have used fake email addresses to identify spammers?

Error in nomenclature..

[heyitsme]

Note in the definition that we do not state a honeypot has to be a computer, merely that its a resource that you want the bad guys to interact with. That is exactly what a honeytoken is, a honeypot that is not a computer. Instead it is some type of digital entity. A honeytoken can be a credit card number, Excel spreadsheet, PowerPoint presentation, a database entry, or even a bogus login and password.

Then why the new buzzword?

G@damn m@therFsckers!

[soft_guy]

GodD&*Mnit!!

We don't want to hear about any more GOOD IDEAS!!!

We only want to hear about PANACEAS!!!

Don't post any more articles unless it describes something that that is an END ALL - BE ALL for ALL situations.
Otherwise, we're just not interested!!

So true!

[twitter]

And look what a bunch of theives we have here they must have simply coppied other people's phone books! They ought to be hung like horses for the crime of unauthorized copying. So immoral.

Well

[mindstrm]

I guess I'm not talking about the US then.

Tom Clancy thought up something similar

I don't quite remember which novel it was (maybe "Hunt for Red October"?) but in one of his novels, Clancy tells that Jack Ryan rose to prominence within the CIA because he proposed / developed a method of traversing confidential internal documents and replacing insignificant words with similar words (that retained the meaning of the sentence). The different versions of the document were then handed out to people that were entitled to a copy. If there was an internal leak, you knew who compromised security by comparing the leaked document with the documents distributed to individuals. This idea is going back 15 years.

I think the concept of honeytokens has much merit, and the author does emphasise that they are inexpensive to implement (for all those who think they offer little benefit).

Re:Tom Clancy thought up something similar

[Darth_brooks]

The idea you're talking about is a canary trap (even the dumbest canary won't get caught, so long as it keeps its mouth shut), and is much older than tom clancy. I seem to remember that coming up in either cardinal of the kermlin or, more likely, patriot games.

Re:Tom Clancy thought up something similar

[phillymjs]

Yup, it's Patriot Games, which I just happened to randomly pull off my bookshelf and begin rereading this week. Jack talks about it at some length with someone from one of the British intelligence agencies.

~Philly

This is an old trick

[stinky+wizzleteats]

Among Novell people. Netware's logging and auditing has always been excellent, and we would take advantage of this by leaving directories lying around named "admin" or similar, that were located outside normal userspace. This means that only people with more rights than normal users could access the file. It was an excellent way to weed out excess privileges on the network, especially when walking into a previously ill managed mess.

French railroad "standard" procedure...

[Pig+Hogger]

French engines are fitted with a myriad of safeties who, once tripped, must be resetted in order for the train to proceed. However, to reset those safeties, you have to break a seal so the broken seal indicates that a safety feature has been tripped.

So, whenever a careless engineer trips something, he merely writes in the log "deliberately tripped such and such safety to demonstrate it to so-and-so", and no one is the wiser...

new ? exciting ? ......

[Ozric]

It is called a lure, you fish with it! Computer people should get out more!

Now move alone folks nothing new here.

This reminds me of the current trend to re-write every law on the books to deal with computers systems. We don't need it, just use your heads folks.

Not the same, but similar technique

[_narf_]

I remember a long time ago, at a company I worked for, we were having an issue with someone poking into someone else's mailbox.

I mean, what we did was no big deal at all really, all we did was have a script run out of cron that would report a change to the mailboxes atime to an outside address.

The idea was that the person whose mailbox was being violated would KNOW when they accessed it, and a notification that happened at a time they didnt expect would alert them to someone poking around.

Anyhoo... just popped into mind reading this.

Might I suggest?

[xenocide2]

If you're worried about the Germans infiltrating your data stream, might I suggest an appropriate joke?

Q:Wenn ist das Nunstruck git und Slotermeyer?
A:Ja!...Beiherhund das Oder die Flipperwaldt gersput.

Land mines for data miners

[nlper]

Despite the "New! New! New!" conclusion of the original article, this concept has been around for quite a while in print publishing.

Back in the 1980s, for example, science fiction bookstores would have to deal with people who found a previously undiscovered JRR Tolkien novel by browsing through Books in Print. The book didn't exist, however; it was merely an artifact added to provide evidence of someone stealing the BIP publisher's data.

If memory serves, Tom Clancy touched on a similar idea in one of his novels, having slightly different phrasings to key parts of intelligence documents which would allow investigators to better determine the route of leaked information.

Folks in magazine publishing used to use a similar ruse to track how subscriber info was being sold by competitors. You'd subscribe to one magazine as "Elvis J. Presley", for example, and another as "Elvis Q. Presley." By checking the middle initial of incoming junk mail, you could tell who had been selling your name and to whom they'd sold it.

Like I said, the idea's been around a while. The honeypot aspect is merely a new context and tracking mechanism.

Tyler

I get thousands of reports per day

[Colin+Smith]

From just a dozen systems. The problem is *not* methods of detecting hackers or people accessing information.

The problem is information overload. It's false
positives.

Can you imagine the number of badly coded VB applications there are out there in the real world? Can you imagine the number of mistakes people make when executing queries

In a perfect world or with an unlimited security budget this stuff would be useful, unfortunately some of us don't live in a perfect world or have unlimited security budgets.

patients aren't in the hospital until in DB

[wadiwood]

So the JFK record would have to be corrupted, because if it emulated a correct record, then when the senior ward supervisor (nurse) was rostering staff to look after patients, JFK would be selected and allocated automatically. You'd have to fake all the way up to the top, ie ward, doctor, everything. And then the staff would recognise it as fake. Hospital patient databases are mostly for making sure patients get the right treatment, and a legal record of that treatement, and a financial record of the cost of that treatment, so a fake record would still have to be accessible to people responsible for these.

It doesn't make sense to say that nobody should be looking at the JFK record. It would make more sense to see the ward staff go nuts trying to find where he nicked off to (like an altzheimer's patient). He's in the computer so he should be in the hospital. If it is merely a historical record, the same problem would apply to the accounting staff (why hasn't he paid his bill?).

And mostly when you go into a hospital or medical facility they get you to sign something that says vaguely that you consent to have your details available to anyone they deem appropriate. They're not going to come back and try to get your permission separately to give details to the cardiac doctor if you happen to have a heart attack while staying with them!

I understand the concept, but I think the example is fairly poor. Perhaps it would be more accurate to say something like "access to this record should be limited". And I think the concept may be fairly old, eg in WWII examples of feeding the enemy false data, rather than actually imprisoning the detected spy.

Re:patients aren't in the hospital until in DB

[nexex]

not to mention that, but it would marked as false, or a dupe in the db, people get paid to find such things

Re:patients aren't in the hospital until in DB

[zero_offset]

Hospital patient databases are mostly for making sure patients get the right treatment, and a legal record of that treatement, and a financial record of the cost of that treatment

I worked on various types of medical database software for eight years. The systems are for making sure insurance claims are filed and paid, they are NOT for making sure patients get the right treatment. That's what doctors and nurses are for. Even the systems which incorporate electronically recorded patient notes and that type of thing do so only because of regulatory requirements.

The "real work" of most hospitals and doctors' offices is still very much a handwritten, manual, hands-on process, and that's how they prefer it, and in my opinion that's a good thing.

At one point we experimented with support for a couple of "expert systems" (back when they were the hot new shit) and the crazy stuff they'd sometimes come up with was enough to scare anybody into hoping the staff stays in the loop.

Re:patients aren't in the hospital until in DB

[aug24]

You'd have to fake all the way up to the top, ie ward, doctor, everything.

...and the difficulty with that is...?

That sounds to me exactly like the correct thing to do. A completely correct fake hierarchy of information with no relations to the completely correct (we hope!) real hierarchy of information.

That way no-one should be looking at any of it and anyone who does is ipso facto in the wrong.

J.

Is there a real, dictionary word for this?

[NotQuiteReal]

Obviously, the general consensus is, that is this an old idea.

I remember an old SF story with the same plot line - An Asimov or a Saberhagen (Berzerker) tale having to do with a fake entry on a "galactic chart" that leads the bad guys astray...

My question is; Is there a real word for this practice? How bought industry jargon, at least?

Hey you cryptographers/encyclopedea'istes (gah) out there - what's the term?

These don't cut it: "map trap", "copyright thingy", "honey token", etc...

I don't know what I am looking for, but I'll know it when I see it (and verify it with a dictionary, or at least lots of google hits :-)

These errors are called salt.

[isdnip]

This is standard process in the database biz, including things like mailing lists and (as others have noted here) maps. The term for it is "salting". Calling them "honeytokens" is applying the wrong seasoning... and treating it as new on /. is also silly.

New title for thread...

[doi]

Vagina: The Other Honeypot

Sorta honeytokenish ATM number protection

When I got my ATM card, I wrote three 4-digit numbers on the back of the card, and showed it to my friends.

Friend: "Oh, I see! You hid the pass code among some fake passcodes!"
Me: "No, ALL of them are fake. I keep the real one in my head. I figure that a thief will think what you are thinking, and try all three numbers. Then the machine will eat the card."

Re:arrgh store your own damn rekkids

[slaida1]

Particularly records such as hospital records - staff should under no circumstances be accessing records for any person, ie John F Kennedy, unless required by the customer/client/patient.

If so what's the point of storing those records in hospitals? Hospitals aren't storages for peoples various papers, let patients store their own damn records.

Forget Clancy

[hughk]

The idea has been really in use for some time to protect secret British Cabinet documents. Each document would bve uniquely identified using variable spacing. I had heard word subsititution discussed but have doubts if it would be implemented. This is why when a newspaper gets hold of a leaked document, they are careful to destroy the original and not to quote too much verbatim.

What if there is a mistake

[Zemran]

So if a Doris sees 2 entries for Fred Bloggs she cannot correct the error until she has contacted both Fred Bloggs to ask their permission to delete the duplicate. Except she cannot look at the data to find out the address unless she writes to them and asks for permission...

This is illegal

[Cardbox]

In civilized countries you are not only not allowed to set traps for burglars, it has now been established that you owe a duty of care to anyone who breaks into your premises and trespasses on your land. If you know that kids might climb through your fence to hide in the long grass and get stoned, then KEEP OUT notices are not enough and if you have any hazards (deep wells, wires hidden in the grass) they must be made safe.

The logical correlative of this is that if you provide files with the intention that they should be downloaded by people who break into your system, and those files are engineered to cause damage, you will be (possibly criminally) liable for any damage you cause. "I didn't expect anyone to come this way" would be no defence when the only conceivable purpose of these files is to cause harm.

Re:This is illegal

[antirename]

Hey, I never said I was civilized. When it comes to script kiddies, I'm not. The only reason they would be in that part of the system is that they ALREADY did something malicious. In which case, fuck them. What are they going to do, complain? "I rooted this box with my 0-day and all I got was this nasty virus?" Give me a break.

Re:This is illegal

[ojQj]

That seems reasonable for cases where people could suffer bodily harm, but this isn't such a case.

Not only that, but I'm not sure I agree with the comparison even if you equate computer damage to bodily harm. Try the following metaphor: some kid trespasses on your property and breaks into a properly secured locked box to steal fireworks you were storing there. He then takes them home and tries to set them off, and he gets hurt in the process. Are you then liable?

Of course in the grandparent posts case, I guess you do still have a non-zero probability that some innocent could accidentally come across the files and be harmed by them. But assuming this guy is setting up his security conscientiously, I still think the probability is close enough to zero as to be negligable.

So put the trigger on columns, not rows

[Moraelin]

Most databases offer very flexible triggers. E.g., at least in Oracle you get to execute a whole script if you want to. And if you go through some middleware, you've got even more freedom.

So a "select * from names where last_name = 'Smith'" can be made to trigger exactly nothing. Assuming that the names table really contains nothing but names and ids.

On the other hand let's say it's something like "select * from PATIENTS where last_name = 'Smith'", where the PATIENTS table also contains house address, private phone number, etc. That is already retrieving private data for every single patient with the last name 'Smith'. With a well programmed honeytoken for a bogus patient called 'Random J Smith', it won't trip because the statement scans for 'Smith', it will trip because it retrieves that kind of private data.

If you do get your trigger tripped by something like that, you probably at least have an incompetent programmer (should have selected only the fields needed anyway), or at worst someone mining data about the patients. (No doctor treats all patients named 'Smith', so they have _no_ business retrieving the data for _all_ of them.)

And precisely _because_ it's easy for beginners to write bad programs, I do expect that programs dealing with such sensitive data be thoroughly tested. Yes, including by honeytokens and whatnot.

When you deal with that kind of sensitive data, taking the usual "oh well, we'll just write bad buggy code and patch it later" approach is plain old irresponsible. Letting any newbie code directly against the live hospital data without any safety checks, is as irresponsible as letting any newbie reprogram an airplane's systems in flight. A program which has to work on that kind of data should be thoroughly tested for any possible flaws, and have a competent team trying to hack into it too.

And yes, you'll never be 100% sure that it's bug free, but the honeytokens sound like a great extra way in which you can test it. And I fail to see why more bugs caught is a horrible thing.

people who get off on seeing co-workers fired

[evil_one666]

People who get off on seeing co-workers fired are a desperately sad bunch. I suspect the author of the article is among them

In the case of the hospital, patient records must, by law, be kept confidential. Additionally as human beings we must respect the emotions and dignity of others, which means that health problems are private. Therefore redundancy, or at least strong a reprimand, is an appropriate course of action for an employee who violates patient privacy.

In the case of the private company I think that it is sad that the author would like to see an employee put out of work for attempting to access a financial report. It appears that the justification for this is that the user and pass for the report came from an email to somebody in "management" (those in management apparently being sacred)

I wonder if the same action would be taken against somebody in management who looked at the emails of their secretary...

I suspect not

Its bad enough that injustice and double standards in the workplace are encouraged by those at the top. But when sys-admin "collaborators" in the rank and file seem to enjoy putting their coworkers out of a job (either for selfish gain, or blind vindictiveness) it is particularly distasteful.

Old technology version

[Keith_Beef]

You rent a house, put some cops inside it, then deliberately lose the door key, with the address marked on the keyring. Then you just wait for the burglars to come visiting. The key with the address on it is the honeytoken, the house is the honeypot. Or would this be thrown out of court for being "entrapment"? IANAL.

honeytokens, can they cost lives?

[nounderscores]

That might be a good example of where not to use honeytokens. When the books were written, "nobody but a few scientific and engineering applications would need that kind of accuracy," but what if someone did? A faulty calculation could result in a failed project or worse.

Furthermore, this kind of honeytoken requires a list of honeytokens to be stored somewhere, which would be a high value target for thieves.

Re:honeytokens, can they cost lives?

[forgotmypassword]

no, it's probably safe

The last digit is going to be rounded anyhow, so the uncertainty is atleast 0.5*10^-n, for the last nth digit.

so the uncertainty of the honeytoken number will have the uncertainty of about 10 good numbers added together.

I would say the chances of a scientist doing a calculation

• with fewer than 10 numbers
  
• and one of those numbers being a honeytoken number
  
• and the accuracy being pushed to the last digit (which is bad anyhow, but it happens)
  

is slim to none.

Re:honeytokens, can they cost lives?

[Bob+McCown]

I would say the chances of a scientist doing a calculation...is slim to none.

Thank you Intel. Now I dont have to worry about that processor bug.

According to this map

[nounderscores]

"According to this map the enemy couldn't have possibly come up this way. There's supposed to be a big wall over there. That's why I said that it would be a waste of time to send scouts to check that approach out."

"Sir, since we're all going to die, may I speak freely."

"Sure."

"You're an idiot, Sir."

This has been done in direct marketing for year's.

[Gnabicus]

Having worked in catalog sales we used to spike our lists with fictional names using address's of co-worker before loaning/renting out the lists for limited use. Everytime a piece of mail was r'cvd for that name, the co-worker would simply bring it in for the list manager and he'd double check to make sure that our list was being used by authorized person's only. Or that our outsourced list broker was properly compensating us. I like the idea of taking this old technique and updating it for data access. The one drawback is how will you know if the person actually accessed the file maliciously or by mistake? Database endusers sometimes need to browse records to verify and compare information.

Berserker - Fred Saberhagen

[bigsmelly]

I remember reading this sort of idea in a Berserker Novel, by Saberhagen.

As I recall, the Berserkers (think alien terminator endoskeletons, built for a war that ended eons ago, but now trying to exterminate mankind) had captured a space ship.

So the captain had to destroy the galactic encyclopedia, so the Berserkers couldn't find any human planets.

However, he was stopped by one of the passengers, because the passenger was one of the authors of said encyclopedia.
As an anti-piracy measure, fake "honeyplanets" had been added to the encylopedia, so if anyone brought out their own version, the authors could point out the fictious planet.

Of course, this fooled the machines and everyone was happy in the end. ... the point is, people do this all the time anyway, with existing data (i.e books) , so they can find who plagurises them.....

Choosing A Good One Takes Some Thought

[HeresJohnny]

>> "Another element of a honeytoken's value is their flexibility. You are really only limited by your imagination. As we have demonstrated in the section above, honeytokens excel as a detection mechanism. However, honeytokens can do so much more. Not only can they detect an..."

Selection of a honeytoken, while apparently a useful tool, is not trivial. For example, an IDS seeing the honeytoken on the wire is not adequate to determine a security violation. Suppose that the executive is actually reading her email. It sounds like a good idea, but while only limited to your imagination, it is also limited by the ability to determine context of the use of the honeytoken.

Various Searches

[corian]

An example he gives: adding a record to the hospital database for a guy named "John F. Kennedy". It doesn't correspond to a real person, so no one has any business looking at the file.

But, even in that case there are valid explanations. Suppose you're checking your hospital database, for, say, males, certain age, certain blood type, etc. Depending on what data is entered for the Kennedy record, it could match many searches. Not all database checks are by name.

MS patched that...

[wirelessbuzzers]

...or at least it seems so. I was proofing a script against HTML insertion attacks, and tried that for kicks. It doesn't crash IE6/Win2k.

not new

[uebermts]

as many have already pointed out, this is not a new idea.
Here in Germany the Telekom (former govment owned) has used this since years.
When the first phone books and yellow pages on CD appeared, many other companies came up with the idea to reverse engineer the data and do their own.
To prevent other companies from stealing these data they had several fake entries, that were only on these CDs.
The other companies had first to scan and OCR the paper books and since a few years the government forced the Telekom to sell these data.

Can anyone say ENTRAPMENT.

[Frobozz0]

If there's a record in a database about a famous dead person and I stumble upon it, aren't I more likely to click on it than if it was just a no-name person? Is that not the very definition of entrapment? Even if I wasn't looking at the record for nefarious reasons, I'd be in violation, for being curious. Granted, what's wrong is wrong is wrong... but for god's sake we're human beings!

obvious...old news

[GirTheRobot]

The mailing list industry has been using this sort of concept for years with rented lists. Say you want to buy a list from a list-house for a one-time use. In that list will be several "seed" addresses which are checked by that mail-house. That way they can nail you for using the list more than once or sharing it.

actually, this _can_ work

[bracher]

In a former life, I was managing the data for the alumni department of a college. They had several 'bogus' records in their data. The idea being that Mrs. Martha Jones (fictitious, but better than Jane Doe, no?) at such and so an address actually ended up in the home mailbox of the VP, or his mom, or the director in charge of mailings. If the mailing house managing the account ever sold the list (that would be early-90s data hacking), they would know because the VP would suddenly start getting non-college mail addressed to this fictitious name.

Decidedly low-tech, but effective.

I do this when filling out forms

[jago25_98]

And then see what Junk Mail I recieve.

It's amazing who makes the Data Protection Act.

Oh Bother.....

[Scrumper]

Poor Pooh is going on a wild honeypot chase....

Time to bone up on copyright

[Squirrel+Killer]

The particular work (in this case a phone book) IS copyrightable. Just because the information is public record and/or easily obtainable does not mean that the actual text is not copyrightable.

You might want to read Feist Publications, Inc. v. Rural Telephone Service Co., 499 U.S. 340, which severely scaled back copyright protection on database.

This is just plain stupid..

[iramkumar]

I read the article so no RTFA replies please and IANAL.
It looks more like tempting a person to commit an activity and may be of questionable legal validity. Moreover if you enticingly share invalid information or have a bad security model you are equally liable.

All this stuff about honeypots and honeytokens seems to be some sort of PSYCHOLOGICAL/SOCIOLOGICAL maneuvuring to solve a technical problem

Re:This is just plain stupid..

[DingoTango]

Actually, the problem is sociological, wherein Edwards' Law comes into play: You cannot apply a technological solution to a sociological problem." - Edwards' Law.

Direct mail list sellers seed their lists

[MMHere]

Direct mail advertisers often use lists "rented" from a list provider, paying a lease fee. Certain demographics / list subsets may be quite valuable and are priced appropriately.

If the advertiser is paying for a fixed number of uses of the list, the list provider wants to ensure that the advertiser doesn't go beyond the agreed-upon number of uses. So the lists are seeded with dummy names back to the provider.

If the list provider sees too many mailings on those seed names, the advertiser gets busted.

They've been doing this for at least twenty years (that I know about), but has probly been going on for lots longer...

Yours was different to the ones I worked on.

[wadiwood]

Mine was mostly used in public hospitals where insurance payouts were generally irrelevant as your stay in a public hospital is fully paid by our Australian Government. Sometimes it takes a long time to get in. The system doesn't determine the correct treatment. The medical staff do that, and then key in what their plan is, and the system keeps track of it, so that the next shift know what pills to give patients when etc. There is usually a hardcopy somewhere (that the rellies can't find it, times have changed). The hardcopy gets scribbled on and the scribble gets typed into the computer. I knew a doctor who described the system as a device to keep nurses away from patients. And it was keeping nurses busy for at least 25% of their shift. Bleck. Even my GP keeps all his notes on the computer and the computer prints the scripts - so even I can read them. I agree that the "expert systems" for determining treatment are about as useful as the yellow pages for finding a music shop in a CBD shopping area.