Slashdot Mirror


Fun Things To Do With Your Honeypot System

An anonymous reader writes "Whitedust is running an interesting article on honeypots and their uses. From the article: 'Most papers deal with the potential gains a honeypot can give you, and the proper way to monitor a honeypot. Not very many of them deal with the honeypots themselves... Honeypots can be used to ensnare and beguile potential hackers; entice them to give you more research information, and actively defend your production network.'" From the article: "Once an attacker has taken all the trouble to set up shop on your honeypot, he'll probably want to see what else there is to play with. If your honeypot is like most traditional honeypots, there's not much for an attacker to do once he gets in. What you really want is for the attacker to transfer down all the other toys in his arsenal so you can have a copy as well. Giving an attacker additional targets with various operating systems and services can help him decide to give you his toys. The targets can be real, but you'll get almost as much mileage if they're simulated. A good place to start is to put a phantom private network up hung off the back of the honeypot."

136 comments

  1. Like I Have That Kind of Time by aaronhaley · · Score: 3, Insightful

    In addition to all of the things on the network I normally have to do at the office let me set up an entire phantom network just to "jack" with hackers. Yeah, I'll get right on that.

    --
    --And sektor spoke and said unto the people. Hey, buttwipe hand me the cheezeos.
    1. Re:Like I Have That Kind of Time by Anonymous Coward · · Score: 0

      If you don't have the time to work out how to analyse how people are attacking your network, and part of your job, or indeed your job, is defending your network, you shouldn't be damn well doing it.

      Standard.

    2. Re:Like I Have That Kind of Time by Anonymous Coward · · Score: 0

      Not only that, but you are not "sticking it to the man" by toying with these crackers because 99.99% of the time, that cracker you are messing with is an automated script. Wow, you showed that script and automated process a thing or two. If your hacked box does not respond as it should, it will be treated as one of many that are owned and not quite acting like the other X that are owned by the same script are.
      It's not like someone is watching all of these owned PCs and providing them with food, water, and the correct amount of light on an individual basis.

    3. Re:Like I Have That Kind of Time by Ant+P. · · Score: 2, Interesting

      Sounds like a good idea for a livecd, actually.

    4. Re:Like I Have That Kind of Time by moro_666 · · Score: 1

      agreed. you should always examine what's going on and who is doing it. in some cases where the law won't bend in your direction, you can even do a counter attack with the child's own toys and teach him a fairly nice lesson. it isn't nice or legal but it feels good.

      --

      I'd tell you the chances of this story being a dupe, but you wouldn't like it.
  2. What is Honeypot by in2mind · · Score: 3, Informative
    For those who dont know what a honeypot is: [From Wikipedia.]

    ____________________________________________
    Honeypot is literally the term for a container of honey but is used in several different ways, often playing off the image of sweetness being used as a lure:

    * A computer system set up as a trap for attackers; see Honeypot (computing)
    * Traps designed to catch conventional criminals; see honey trap

    1. Re:What is Honeypot by portmapper · · Score: 2, Informative

      A honey trap is fun to prepare, but beware of actually being exploited. To limit damage, it will help to put a transparent firewall in front of the honeypot and start blocking (perhaps allow a few outbound connections, and then block). You don't want your owned honeypot as a base of attack, do you? The OpenBSD packet filter has the needed functionality using an OS that does not have a few local root kernel exploits a month.

    2. Re:What is Honeypot by Anonymous Coward · · Score: 0

      What is a Honeypot? Jesus, how low Slashdot has dropped, why it's almost Digg.

    3. Re:What is Honeypot by nv5 · · Score: 1
      I understand it's customary not to RTFA before commenting. However, for those amongst us who do break that rule from time to time, TFA is actually discussing that very issue in the paragraph "Traffic Mangling":

      Once you've got the wily hacker attacking your honeypot, the last thing you want to do is let him attack the rest of your network from the honeypot, or worse, attack someone else's network. A good line of defense in this instance is traffic mangling.

      Traffic mangling requires an inline box running software like Hogwash. ...
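      The two replies above (a transparent firewall that lets a few outbound connections through and then blocks, and an inline box that stops the honeypot attacking your own or anyone else's network) both describe an egress policy for the honeypot. The following Python is an added illustration of what such a policy decides, written for this page and not taken from the article or any of the posters; the production ranges, the budget of five connections per hour and the connection events are all constructed for the example.

```python
"""Honeypot egress policy: let the intruder make a few outbound connections
(so the box still looks live), drop everything beyond that budget, and never
let the honeypot reach the production network.  Constructed example."""
from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Decision:
    ts: float        # seconds since the honeypot was compromised (constructed)
    dst: str
    dport: int
    action: str      # "pass" or "drop"
    reason: str


@dataclass
class EgressPolicy:
    max_conns: int = 5               # outbound connections allowed per window
    window: float = 3600.0           # rolling window in seconds
    # Production ranges the honeypot must never reach (assumed values).
    protected: tuple = ("10.0.0.0/8", "192.168.0.0/16")
    _recent: deque = field(default_factory=deque)   # timestamps of passed connections
    log: list = field(default_factory=list)         # every Decision, for later review

    def decide(self, ts, dst, dport):
        # Expire passed connections that have fallen out of the rolling window.
        while self._recent and ts - self._recent[0] >= self.window:
            self._recent.popleft()
        if any(ip_address(dst) in ip_network(net) for net in self.protected):
            return self._record(ts, dst, dport, "drop", "destination in protected network")
        if len(self._recent) >= self.max_conns:
            return self._record(ts, dst, dport, "drop", "outbound budget exhausted")
        self._recent.append(ts)
        return self._record(ts, dst, dport, "pass", "within outbound budget")

    def _record(self, ts, dst, dport, action, reason):
        d = Decision(ts, dst, dport, action, reason)
        self.log.append(d)
        return d


# Constructed outbound attempts from the honeypot: (seconds, destination, port).
EVENTS = [
    (0, "203.0.113.9", 6667),     # IRC, a typical first move after compromise
    (30, "198.51.100.7", 80),
    (60, "10.1.2.3", 445),        # production file server: always dropped
    (90, "198.51.100.7", 443),
    (120, "203.0.113.20", 22),
    (150, "203.0.113.21", 22),
    (180, "203.0.113.22", 22),    # budget of 5 already used up
    (210, "203.0.113.23", 22),
    (3700, "203.0.113.24", 22),   # an hour later the budget has partly recovered
]


def run_policy(events, policy=None):
    """Apply the policy to each event in order and return the decisions."""
    policy = policy or EgressPolicy()
    return [policy.decide(ts, dst, dport) for ts, dst, dport in events]


if __name__ == "__main__":
    for d in run_policy(EVENTS):
        print(f"t={d.ts:>5} {d.dst}:{d.dport:<5} {d.action:<4} ({d.reason})")
```

      Dropped connections to the protected ranges do not consume the budget, so an intruder probing the LAN does not get "rewarded" with extra external connections, and the log of decisions is the record you would review afterwards to see where he tried to go.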
    4. Re:What is Honeypot by masterzora · · Score: 2, Funny

      The difference is that here he's just karma whoring whereas on Digg they would genuinely need such an explanation.

      --
      Remember, open source is free as in speech, not free as in bear.
    5. Re:What is Honeypot by Anonymous Coward · · Score: 0

      You did not understand that traffic mangling is not the same as using a firewall.

    6. Re:What is Honeypot by donaggie03 · · Score: 1

      Why mark this redundant? I didn't know what a honeypot was . . To be fair, I was kinda getting the idea from the context of the other posts, but the definition still helps.

      --
      Three days from now?? Thats tomorrow!! ~Peter Griffin
    7. Re:What is Honeypot by Anonymous Coward · · Score: 0

      Yeah - I mean "interesting things to do with your honeypot" . . . I only opened this article because I thought it was porn.

  3. Nice... by Anonymous Coward · · Score: 2, Interesting
    Nice article.

    What with the rumours that McKinnon was caught by a US Military Honeypot it's interesting to read what can be done with such systems.

  4. Think you missed the point... by Anonymous Coward · · Score: 0

    The idea is not to have a good chuckle at script kiddies and such. It's to get some inside info on what kind of tools they use, and how. Which in turn, will allow you to (hopefully) better understand how and where your network may be compromised.

    1. Re:Think you missed the point... by aaronhaley · · Score: 2, Insightful

      No, I get the point. I was making a joke, but I still think it's silly. Why don't you just secure your network and you don't have to worry about it. Unless I worked for a security company or network vendor I wouldn't waste my time trying to score a hacker's toolkit. Unless I'm running something that's home made I don't really need to honeypot it. The # of "real" hackers out there compared to script kiddies is very small. I can download the script kiddie tools myself if I want. Nice AC post by the way.

      --
      --And sektor spoke and said unto the people. Hey, buttwipe hand me the cheezeos.
    2. Re:Think you missed the point... by heinousjay · · Score: 5, Funny

      Why don't you just secure your network and you don't have to worry about it

      Oh, is that all? Good to see you've boiled network security down to a single step. I'd say write a book, but it would only have one page so that's probably a waste of your time.

      --
      Slashdot - where whining about luck is the new way to make the world you want.
    3. Re:Think you missed the point... by mewp · · Score: 1

      Oh, is that all? Good to see you've boiled network security down to a single step. I'd say write a book, but it would only have one page so that's probably a waste of your time.

      Haha owned.

    4. Re:Think you missed the point... by udderly · · Score: 1

      Haha owned.

      Supposed to be "pwn3d"

    5. Re:Think you missed the point... by alfs+boner · · Score: 0, Flamebait

      You got 0wned, dumbass.

      --
      Listen p*ssy. I'm sure your the same homo that posted earlier about alf's boner and you just want to remain anonymous fo
    6. Re:Think you missed the point... by mcrbids · · Score: 3, Insightful

      Why don't you just secure your network and you don't have to worry about it.

      In my life, I've identified a few key words that are highly accurate in ferreting out people who waste time. One of these is "paradigm". Those who wax poetic about "paradigm" are typically those who haven't bothered to figure out how things work, and are trying to convince you to do whatever it is that they think might work.

      Big waste - RUN!

      I've come to discover that "just" is a key word. It positively identifies those who have no idea what they're talking about. The most ridiculous, inane, and useless activities I've ever seen all started with the word "just" in the job description. Like:

      "Solar power is feasible - just bring down the cost of manufacturing"...

      or,

      "Sex is no big deal - just get a girlfriend"... (big one for many who peruse these boards)

      or,

      "The software works great - we just need to change a few basic assumptions..."

      So, watch that word, "just". It usually foretells major catastrophe and certainly unrealistic expectations!

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    7. Re:Think you missed the point... by NickFitz · · Score: 1

      Just today I had somebody asking "Have you seen the email about that little problem?" I replied that no, I hadn't, but I had seen the one about the bloody big problem.

      --
      Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
  5. And a fun way to get free warze. by LWATCDR · · Score: 5, Interesting

    Just put an unpatched Win 98 box naked on the Internet and wait. You will soon have a hard drive full of porn and warze.

    Actually it sounds like fun. Throw up VMWare and a few images and you could make an entire virtual network for a hacker to go nuts over.
    Add in a PDP-11 Emulator, some hacked NASA and Air Force sites, a fake database or two, some Word documents showing that the US has a secret base in the middle of the everglades.....
    could be fun.
    Sounds like a great Hacker DnD game. Get a bunch of people to set up these things and the game is to find out what is going on. :)

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    1. Re:And a fun way to get free warze. by quonsar · · Score: 1, Funny
      Thou shall not use an programming language that works on only one OS.

      Thou shall not program computers in any language until having mastered the one you speak and write in.

    2. Re:And a fun way to get free warze. by LWATCDR · · Score: 1

      Thanks I missed that typo.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    3. Re:And a fun way to get free warze. by tfried · · Score: 3, Interesting

      A place I once worked at had a dozen or so entirely unpatched Win98 boxes connected directly to the net - for years. And guess what? Of course I wouldn't have trusted those boxes one inch, but I've never heard of any hacking troubles with those boxes, either (ok, neither IE nor Outlook were used on those computers, but other than that, no protection at all).

      Yes, Win98 may be seriously vulnerable in hundreds of ways (even though it has hardly any networking functionality), but it just isn't targeted nowadays, in my experience. Try the same thing with WinXP, and you're compromised in less than a minute.

    4. Re:And a fun way to get free warze. by winkydink · · Score: 2, Interesting

      Actually, a lot of malware is already vmware-aware and avoids hosts running windows under vmware. More and more getting this functionality every day.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    5. Re:And a fun way to get free warze. by dugjohnson · · Score: 1

      I'm just curious as to the grammatical rule that makes it "an programming language". I thought you use "an" when the following word begins with a vowel or a silent "h" as in "an hour". Could you point me to the rule that makes "an programming language" preferable to "a programming language"?

      --
      My brain is overly lubricated
    6. Re:And a fun way to get free warze. by kasperd · · Score: 1
      Actually, a lot of malware is already vmware-aware and avoids hosts running windows under vmware.
      If they can tell the difference, it means the emulation is not as good as it could be. In that case you probably should look for a better emulator.
      --

      Do you care about the security of your wireless mouse?
    7. Re:And a fun way to get free warze. by Clovert+Agent · · Score: 3, Insightful

      A place I once worked at had a dozen or so entirely unpatched Win98 boxes connected directly to the net - for years.

      I seriously doubt it - not if you mean "in the last several years". Any unprotected box hanging directly off the net will be scanned and fingerprinted within minutes if not seconds of connecting, and exploited automatically. Botnets aren't kiddies' toys anymore: they're very professionally run and your unpatched '98 box is just grist for the mill.

      About five years ago I timed scans off a dialup connection in, let's say, a hostile part of the world - average of around 20 seconds from connect to scan. It hasn't gotten any better since.

    8. Re:And a fun way to get free warze. by Joe+U · · Score: 4, Insightful

      And if he corrects it to read:

      "Thou shall not use any programming language that works on only one OS. "

      Then it's a typographical error, most likely a soft-broken 'Y' key, and the joke falls apart. Making fun of someone with a broken keyboard is just mean. He might be on his way to CompUSA right now for all you know.

      Now, if he corrects it to read:

      "Thou shall not use a programming language that works on only one OS. "

      Then it's grammatical, and the joke will hold up. The world will be safe from poor grammar. You will have fulfilled your destiny. Crush the lesser races, conquer the galaxy, unimaginable power, unlimited rice pudding...Etcetera, etcetera...

      (or not)

    9. Re:And a fun way to get free warze. by Anonymous Coward · · Score: 0

      Oh no, the emulation works great. They tell by looking at the name of the display driver. Either it's a special one provided by vmware to optimize the performance, or it's one for some ancient framebuffer-based hardware that noone sane uses anymore. Duh.

      Cheers, Kuba

    10. Re:And a fun way to get free warze. by Anonymous Coward · · Score: 4, Informative

      I'm surprised a /.'er would recommend VMware, with XEN the clear winner in the honeypot niche. Just check out The Potemkin Honeyfarm for more info... These guys are actually able to deploy an image in less than a second and do all sorts of wacky business to delude hackers into believing they're roaming the internet freely :-)

    11. Re:And a fun way to get free warze. by Magic5Ball · · Score: 1

      If they can tell the difference, it means the emulation is not as good as it could be.

      No, the emulation is better than good if leaving signs like VM video card strings in place keeps the script kiddies away.

      --
      There are 1.1... kinds of people.
    12. Re:And a fun way to get free warze. by x2A · · Score: 1

      You do, which is why the poster has corrected their sig to say 'a' instead of 'an'. You (as I) didn't see the reply pointing out the 'an' until it was fixed, making it look as if the reply suggested using 'an' instead of 'a', but a lil extra thought makes it obvious that it was the other way round.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    13. Re:And a fun way to get free warze. by Anonymous Coward · · Score: 0

      You should be more tolerant. Perhaps English is not his native language? How can he improve if he's not allowed to write...

    14. Re:And a fun way to get free warze. by x2A · · Score: 2, Insightful

      No, the emulation's fine, vmware was never designed to be undetectable, instead it was designed to provide a stable host-machine-hardware-independent machine... i.e., if I installed Windows (known for not coping with motherboard/chipset changes well at all) in vmware on one machine, and move the virtual machine to another completely different set up machine, it will still run with no problems and no driver changes required. This is one of the things that makes vmware such a great tool.

      This means that you can detect that specific hardware configuration and tell that it's vmware.

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    15. Re:And a fun way to get free warze. by solid_liq · · Score: 1

      Thou shall not program computers in any language until having mastered the one you speak and write in.

      I take this to mean you do not program computers in any language? After all, you have not mastered English either. You left a dangling preposition. The correct way to phrase this is:

      Thou shalt not program computers in any language until having mastered the one in which you speak and write.

      ;)

    16. Re:And a fun way to get free warze. by GC · · Score: 2, Interesting

      That is a load of crap, though I admit it will probably depend on your IP range.

      I routinely check a few Class-Cs and it takes around 5 minutes for a scan to appear on our firewall logs. Mostly port 1433 these days, which Win98 will quite happily drop.

      After about 30 minutes I *might* get a port 139 scan, which many Win98 installations will *still* drop.

      Cut the crap and the Microsoft bashing, I'm much more concerned about the spate of port 22 scans, and the brute force ssh password attacks going on right now.

    17. Re:And a fun way to get free warze. by donaggie03 · · Score: 1

      Psh ... duh ... How can he improve if we aren't here to relentlessly torment him on his mistakes?

      --
      Three days from now?? Thats tomorrow!! ~Peter Griffin
    18. Re:And a fun way to get free warze. by Cid+Highwind · · Score: 2, Interesting
      Cut the crap and the Microsoft bashing, I'm much more concerned about the spate of port 22 scans, and the brute force ssh password attacks going on right now.


      Fail2ban is your friend. Throttle those ssh botnets down to a few login attempts per hour and eventually the operator will go after a less secure target.
      --
      0 1 - just my two bits
    19. Re:And a fun way to get free warze. by elyons · · Score: 1

      //Thou shall not use an programming language that works on only one OS. /Thou shall not program computers in any language until having mastered the one you speak and write in. . . .having mastered the one in which you speak and write.

    20. Re:And a fun way to get free warze. by OverflowingBitBucket · · Score: 1

      If your aim is to hide the fact you are running on a virtual machine, you are quite correct. VMware may not be the best choice.

      But calling for a "better emulator" because you are using a tool for a purpose outside of the one it was designed for is a bit rude. It's a bit like asking for a better spreadsheet than Excel because you are having trouble writing a book with it. Not quite the right tool for the job.

      VMware does a nice job of hosting a guest operating system inside another. They don't try to hide the fact it is a virtual machine at all (check driver names, certain memory ranges, disk serials, presence of VMware tools, etc). I'd rather have the option of running at a decent speed without being burdened by the virtual machine going to great lengths to hide itself from the guest.

      Having said that, having an optional toggle to turn on machine-hiding features would be really, really nice, and no doubt make the tool much more useful for hosting honeypot systems.

    21. Re:And a fun way to get free warze. by TheLink · · Score: 1

      Well if malware refuses to run on vmware guests, then that's good for me - because I run a fair number of servers as vmware guests, including my firewall.

      BTW: is it copyright infringement if you redistribute a hacker's tools without his permission? Could the hacker use the DMCA as well?

      --
    22. Re:And a fun way to get free warze. by NormalVisual · · Score: 4, Funny

      That reminds me of a joke I heard years ago:

      A new Harvard freshman was lost and looking for the library. He approached what obviously was an upperclassman, and asked "Excuse me, could you please tell me where the library is at?" The upperclassman looked down his nose at the freshman, and replied, "My good sir, here at Harvard we do *not* end our sentences with a preposition." The freshman is a bit taken aback, and rephrases his question: "Okay, could you please tell me where the library is at, asshole?"

      There aren't too many grammar jokes out there, so I guess you have to take them as you can get them.

      --
      Please stand clear of the doors, por favor mantenganse alejado de las puertas
    23. Re:And a fun way to get free warze. by Matey-O · · Score: 1

      I'll vouch for this. My firewall had exactly 1 open port. ssh. I created an unintentionally weak account when configuring samba and the system was pwned in less than 24 hours.

      --
      "Draco dormiens nunquam titillandus."
    24. Re:And a fun way to get free warze. by jayloden · · Score: 1

      Even better, use Joanna Rutkowska's Red Pill technique, which effectively identifies a VM in a single instruction based on the address of the IDTR.

    25. Re:And a fun way to get free warze. by aztracker1 · · Score: 1

      Xen can't run Windows.. for that you need VMware, Qemu, or some other virtualization program. Curse you vile Microsoft for removing the Xen support you had earlier on... (IIRC, MS was one of the first companies to support Xen)

      --
      Michael J. Ryan - tracker1.info
    26. Re:And a fun way to get free warze. by shadowmas · · Score: 1

      This is why I disabled root login and plain password login on the remote ssh virtual server which I own. Now the only way to login to it is using a normal user account (with ssh key) and then do a su or sudo.

      They can try all the passwords they want but they simply won't be able to login. You could also change the port which SSH runs on and tar-pit any IP ranges which give you constant trouble (It's really fun to see bots stay for hours on end trying to check a single login).
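      Fail2ban, recommended a few replies up, and the key-only login above are the two halves of the same defence: make password guessing useless, and cut off the addresses that keep trying anyway. The following Python is an added example written for this page, not something any poster or the Fail2ban project published; it reproduces Fail2ban's core rule (a threshold of failed logins per source address inside a sliding window) over a constructed auth.log excerpt. The hostnames, addresses and the year used to complete the syslog timestamps are all made up for the example.

```python
"""SSH brute-force detection in the style of fail2ban: count failed logins per
source address inside a sliding window and ban the address once it crosses the
threshold.  The log below is constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (syslog format, no year): one address hammering
# root and guessed usernames, one legitimate key login, one user fat-fingering.
AUTH_LOG = """\
Jun 12 03:14:01 bastion sshd[2101]: Failed password for root from 203.0.113.5 port 52211 ssh2
Jun 12 03:14:03 bastion sshd[2101]: Failed password for root from 203.0.113.5 port 52212 ssh2
Jun 12 03:14:05 bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 52213 ssh2
Jun 12 03:14:06 bastion sshd[2105]: Accepted publickey for alice from 198.51.100.10 port 40122 ssh2
Jun 12 03:14:08 bastion sshd[2107]: Failed password for invalid user oracle from 203.0.113.5 port 52214 ssh2
Jun 12 03:14:09 bastion sshd[2109]: Failed password for invalid user test from 203.0.113.5 port 52215 ssh2
Jun 12 03:14:20 bastion sshd[2111]: Failed password for bob from 198.51.100.77 port 41000 ssh2
Jun 12 03:30:00 bastion sshd[2113]: Failed password for bob from 198.51.100.77 port 41001 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_ts(stamp, year=2006):
    """Syslog stamps carry no year; the caller supplies it (2006 here, assumed)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_bans(log, maxretry=5, findtime=600):
    """Return {ip: (ban_time, usernames_tried)} for every address that reached
    maxretry failed logins within findtime seconds (first offence only)."""
    recent = defaultdict(deque)      # ip -> timestamps of failures still in the window
    users = defaultdict(set)         # ip -> usernames it guessed (the research data)
    banned = {}
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                 # accepted logins and other noise are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        users[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()              # slide the window forward
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = (ts, sorted(users[ip]))
    return banned


if __name__ == "__main__":
    for ip, (when, names) in find_bans(AUTH_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}; usernames tried: {', '.join(names)}")
```

      With the defaults (five failures inside ten minutes) only 203.0.113.5 is banned, at 03:14:09, while bob's two typos fifteen minutes apart never accumulate; lowering maxretry or raising findtime shifts that line, which is exactly the tuning Fail2ban's jail settings expose.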

    27. Re:And a fun way to get free warze. by quonsar · · Score: 1

      wow. just, wow. i'm literally deafened by the incredible WHOOSHING sound occurring in this thread.

    28. Re:And a fun way to get free warze. by traabil · · Score: 1

      About five years ago I timed scans off a dialup connection in, let's say, a hostile part of the world - average of around 20 seconds from connect to scan. It hasn't gotten any better since.

      Surely, someone must have made tools to beat 20 seconds - I mean, it's gone five years.

    29. Re:And a fun way to get free warze. by x2A · · Score: 1

      I don't think this will work on hard virtual machines, such as new AMD/Intel processors that virtualise the privileged instructions on-chip with additional circuitry (as her 'blue pill' would indicate), but checking the hardware configuration still would (except in 'blue pill' type configurations where IOMMUs etc are used to fully simulate the external environment, but we're going off track a little here).

      --
      The revolution will not be televised... but it will have a page on Wikipedia
    30. Re:And a fun way to get free warze. by ShadoHawk · · Score: 0

      Where do I sign up for the unlimited rice pudding? No really! I need to know!

    31. Re:And a fun way to get free warze. by Anonymous Coward · · Score: 0

      I thought Xen could run Windows? /?

    32. Re:And a fun way to get free warze. by freeweed · · Score: 1

      It isn't a load of crap.

      Just this past weekend I had to switch providers, and of course verify the connection without a router or other firewall in between me and the outside world.

      Firewall software on the laptop picked up 139 attempts within the first 60 seconds. Within 5 minutes I had well over a dozen common ports being probed: the usual NetBIOS ports, 1433, 1434, 21, 80, 23, 69, and a few others.

      Didn't see a single port 22 attempt in the 5 hours I left the laptop "naked". Haven't bothered to check the router's logs since as it drops just about everything.

      It isn't Microsoft bashing to point out that the vast majority of computers on the Internet run Windows, and the vast majority of scans aim at common open Windows ports. Hell, there are botnets still running that haven't changed in 5 years or more, still going at the old Win95/98 "single character password" crack.

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    33. Re:And a fun way to get free warze. by Almahtar · · Score: 1

      I can vouch for this. A while ago I hooked a box running snort up to a residential cable connection as a databases class project. It logged attacks perpetrated against it, ran whois queries on offending IPs, categorized attackers and attack density by country, etc. You'd be amazed how frequently attacks and scans were perpetrated. Heck, 2 of the first 10 attacks on our server came from IPs owned by the US Department of the Interior :-p I don't want to slashdot the server (residential cable is pretty brittle...), but I can watch its homepage and watch the little AJAX ticker of the latest attack change a few times a minute...

  6. Fun things such as... by Anonymous Coward · · Score: 0

    ...watch the cracker do god knows what and then get hassled by the feds?

  7. NASA by wootest · · Score: 3, Funny
  8. Idiot by Frosty+Piss · · Score: 0, Offtopic

    Do you have so much time on your hands that you find it amusing to prattle on about common spelling errors? Or does it some how make you feel superior to spot a misused "an" and point it out to the whole world as is "see, this person is an idiot, whereas I am a superior human!". Good lord, get a life.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Idiot by Anonymous Coward · · Score: 3, Funny

      Do you have so much time on your hands that you find it amusing to prattle on about common spelling errors? Or does it some how make you feel superior to spot a misused "an" and point it out to the whole world as is "see, this person is an idiot, whereas I am a superior human!". Good lord, get a life.

      Errors:
      1. "Somehow" is one word.
      2. as is "see, this person is an idiot As is?
      3. a superior human!". With the type of English that one uses in the U.S., sentence-ending punctuation is usually contained within the quotation marks and one doesn't usually use two of them in one sentence.
      4. Good lord Generally, "Lord"--when used in this context--is capitalized.

      Damn, it's great to have so much time on my hands so I can feel so superior!

    2. Re:Idiot by udderly · · Score: 2, Insightful

      Dude (or Dudette), are you new here? Didn't you realize that correcting other people and then feeling superior is what /. is all about? Heck, it's one big "I'm smarter than you" pissing contest.

    3. Re:Idiot by Anonymous Coward · · Score: 0
      Damn, it's great to have so much time on my hands so I can feel so superior!


      feel, being the operative word.

    4. Re:Idiot by Anonymous Coward · · Score: 0

      "Waa! Waa! Waa! I can't write English so I'm going to attack those who point out my mistakes instead of improving myself."

      Stop whining and read a grammar book instead. Who the hell was stupid enough to mod you as "Insightful", another former D- student?

    5. Re:Idiot by Anonymous Coward · · Score: 0
      I can't write English so I'm going to attack...

      You missed a comma; that should be, "I can't write English, so I'm going to attack..."

    6. Re:Idiot by Anonymous Coward · · Score: 0

      With the type of English that one uses in the U.S., sentence-ending punctuation is usually contained within the quotation marks and one doesn't usually use two of them in one sentence.

      This is correct usage in English-as-one-has-been-taught-by-liberal-arts-majors, however it is incorrect in English-as-it-is-used-in-international-technical-communications. Quotation marks enclose input or output string reproduced verbatim, without sentence-ending punctuation to avoid confusion ("ls /usr/bin" and "ls /usr/bin." return very different results). Guess which we use here on slashdot...

  9. a fake shell by Per+Wigren · · Score: 4, Funny
    Something funnier (IMHO) would be to write a simple wrapper over the shell which gives crazy error messages and other things:
    root@honeypot:~# whoami
    I have no idea.
    root@honeypot:~# ls
    PRESS PLAY ON TAPE
    root@honeypot:~#
    and so on... :)
    --
    My other account has a 3-digit UID.
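    Past the joke, a wrapper like this is a small low-interaction honeypot: every command the intruder types is recorded, which is the research data the article is after. The following Python is an added illustration written for this page, not the poster's wrapper; it assumes it is installed as the login shell of a bait account (an assumption) and keeps the transcript in memory, where a real deployment would write it somewhere the intruder cannot reach. The canned replies beyond the two from the post, and the fake uname string, are made up.

```python
"""Fake login shell for a honeypot account: answers the intruder with canned
nonsense (in the spirit of the post above) while recording every line typed.
Constructed example; install as the login shell of a bait account (assumed)."""
import shlex
import sys
import time

# Canned replies keyed by command name; anything else "does not exist".
CANNED = {
    "whoami": "I have no idea.",
    "ls": "PRESS PLAY ON TAPE",
    "pwd": "/dev/null",
    "uname": "Linux honeypot 2.4.0 #1 Mon Jan 1 00:00:00 UTC 2001 i386",  # made up
}


class FakeShell:
    prompt = "root@honeypot:~# "

    def __init__(self, canned=CANNED):
        self.canned = dict(canned)
        self.transcript = []   # (epoch seconds, raw line): the data worth keeping
        self.exited = False

    def handle(self, line):
        """Record one input line and return what the 'shell' prints for it."""
        self.transcript.append((time.time(), line))
        try:
            argv = shlex.split(line)
        except ValueError:          # unbalanced quotes: still logged, parsed crudely
            argv = line.split()
        if not argv:
            return ""
        cmd = argv[0].rsplit("/", 1)[-1]   # /bin/ls and ls get the same treatment
        if cmd in ("exit", "logout"):
            self.exited = True
            return "logout"
        return self.canned.get(cmd, f"bash: {cmd}: command not found")

    def run(self, stdin=sys.stdin, stdout=sys.stdout):
        """Interactive loop; ends on exit/logout or EOF and returns the transcript."""
        while not self.exited:
            stdout.write(self.prompt)
            stdout.flush()
            line = stdin.readline()
            if not line:
                break
            out = self.handle(line.rstrip("\n"))
            if out:
                stdout.write(out + "\n")
        return self.transcript


if __name__ == "__main__":
    # In a real deployment the transcript would go to a remote log host, not stderr.
    for stamp, line in FakeShell().run():
        sys.stderr.write(f"{time.strftime('%H:%M:%S', time.localtime(stamp))} {line!r}\n")
```

    The logging happens before any parsing, so a line with unbalanced quotes or an empty line is still recorded; the intruder only ever sees canned output and a "command not found", which is the whole point of the wrapper.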
    1. Re:a fake shell by TheRaven64 · · Score: 2, Funny

      On a network I used to admin, I added a companion of the well known 'whoami' command; a 'whereami' command, which always replied 'You're in the village.'

      --
      I am TheRaven on Soylent News
    2. Re:a fake shell by joper90 · · Score: 1

      That is hardcore..

    3. Re:a fake shell by east+coast · · Score: 1

      What's so funny about "PRESS PLAY ON TAPE"? Oh, I see... you think you're all fancy with all your "floppy drives" and "hard drives" now don't ya?

      --
      Dedicated Cthulhu Cultist since 4523 BC.
    4. Re:a fake shell by complete+loony · · Score: 1

      You're in a maze of twisty passages all alike. You are likely to be eaten by a grue.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    5. Re:a fake shell by Anonymous Coward · · Score: 0

      pickup the lamp

    6. Re:a fake shell by Ronald+Dumsfeld · · Score: 1
      Something funnier (IMHO) would be to write a simple wrapper over the shell which gives crazy error messages and other things:
      Would giving you the root password to the Deathrow cluster help with this?
      ssh root@dahmer.vistech.net
      password: password

      You might want to Nmap the machine first, there's something screwy with it though. ;-)
      --
      Where's the Kaboom?
      There's supposed to be an Earth-shattering Kaboom.
    7. Re:a fake shell by Gulthek · · Score: 1

      $whoami

      'You are number six.'

      $whoareyou

      'That would be telling.'

  10. Most people.. by dubbreak · · Score: 5, Funny

    Most people use their honey pots for surfing the web, checking email and sometimes playing games.

    --
    "If you are going through hell, keep going." - Winston Churchill
  11. Nice Agenda by Anonymous Coward · · Score: 0

    What rumours? Are you actually even interested in honeypots? A look at your post suggests your primary interest is in McKinnon.

    1. Re:Nice Agenda by gd23ka · · Score: 0, Troll

      Go away back to Wikipedia where that kind of bullshit belongs.

  12. Heh. by Renraku · · Score: 2, Interesting

    Give them a virus that you wrote. Put a bunch of what appear to be self-extracting zip files in a directory and attach a virus to the extractor. Give them fun names, too. Like Montauk Project, Philadelphia Experiment, Roswell, etc.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
    1. Re:Heh. by Lehk228 · · Score: 1

      what makes you think they would run your SFX zip files? AFAIK every archive app can unpack SFX files as well as regular compressed files

      --
      Snowden and Manning are heroes.
    2. Re:Heh. by Jeremi · · Score: 2, Interesting
      Give them a virus that you wrote.


      On that note, has anyone done any security audits of the popular remote-exploit tools? It would be fun to write a "special" version of wu-ftpd 1.0 (or whatever) that recognizes when a particular tool is trying to exploit it, and responds by taking advantage of a bug in that tool to give you a root shell on the attacker's machine.... ;^)

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
  13. Risk to others by Anonymous Coward · · Score: 5, Insightful

    What if someone uses the trojans, etc. they install on your honeypot to launch an attack on some other site? Since your express purpose is to watch what they do, you can't claim ignorance.

    Are you liable for any damages?
    Are you causing problems for law enforcement or other sysadmins by helping the attacker obscure their identity?

    Seems like you would need to filter outbound traffic VERY carefully. It would be almost impossible to do this without the attacker knowing -- they'd realize it was a honeypot and get the hell out of there.

    1. Re:Risk to others by Anonymous Coward · · Score: 0

      I sure did RTA:

      "It's impossible to stop all outgoing exploits with manglers, but it can give you peace of mind that the outside world is relatively protected from your compromised honeypot [...]"

      Very reassuring.

      And what about all the morons who read an article like that and think it would be fun to set up a honeypot, but don't bother with all the hard, boring, work of isolating it?

    2. Re:Risk to others by Jeremi · · Score: 1
      What if someone uses the trojans, etc. they install on your honeypot to launch an attack on some other site?


      I'd say that a proper honeypot would simulate the other site as well. Once you've taken the blue pill, there's no escape... ;^)

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    3. Re:Risk to others by Anonymous Coward · · Score: 0
      What if someone uses the trojans, etc. they install on your honeypot to launch an attack on some other site?


      Easy. Then just use a simulated honeypot instead of the real thing. =)

  14. Honey can lead to infant botulism by itismike · · Score: 5, Funny

    Sorry to do this, but I think that it is somewhat careless to assume that all new parents that might be reading Slashdot are in fact aware of the unique danger that honey presents to infants. Just in case someone comes across this and isn't aware, please look into the concerns related to infant botulism before getting the bright idea to feed your newborn some honey. Now go ahead and make the jokes - I just think that this needed to be said.

    1. Re:Honey can lead to infant botulism by neiltrodden · · Score: 1

      I'm only replying to this post so that I can validate that, a: it is real, and b: I am NOT hallucinating.

    2. Re:Honey can lead to infant botulism by Anonymous Coward · · Score: 0

      I think your joke-o-meter is miscalibrated... either that, or mine is.

    3. Re:Honey can lead to infant botulism by rylin · · Score: 1

      Well, camel spiders ARE bad for babies!

    4. Re:Honey can lead to infant botulism by Guru2Newbie · · Score: 1

      But camel spiders dipped in honey are delicious!

    5. Re:Honey can lead to infant botulism by Anonymous Coward · · Score: 0

      And you have done neither, since you might be having a hallucination that your post has both appeared and generated this response.

    6. Re:Honey can lead to infant botulism by itismike · · Score: 1

You must be new here. Please click Parent to see the relevance.

    7. Re:Honey can lead to infant botulism by rivetgeek · · Score: 1

....I'm guessing you might be new EVERYWHERE. My point still stands: the article, thread, and conversation have nothing to do with giving honey to children. Please exit the high horse ride to your left.

    8. Re:Honey can lead to infant botulism by JYavner · · Score: 1

      The probability is about 15 million to 1 against a baby being harmed by honey. If you really care, why don't you avoid putting the baby in a car seat (200,000 to 1 chance of death every time Baby goes for a ride)?

      The "no honey for babies" thing makes as much sense as the "no aspirin for children" thing. Some kid died from an ultra-rare syndrome and the parents decided to make the death "meaningful" by going on a crusade against a usually-harmless substance. Breast milk is much better than honey, anyway.

    9. Re:Honey can lead to infant botulism by Anonymous Coward · · Score: 0

      wont somebody PLEEEEZ think of the children!

    10. Re:Honey can lead to infant botulism by Anonymous Coward · · Score: 0
      the article, thread, and conversation has nothing to do with giving honey to children.

Yes, that was the point of the joke, which you are stubbornly refusing to get even when beaten over the head with it. The comment "This article has nothing about babes and bees. Everyone knows that babes just love fresh honey." prompted the poster to "misinterpret" talking about babes as babies and to post his "helpful" tip. Get it now?

    11. Re:Honey can lead to infant botulism by Jeremi · · Score: 1
      Breast milk is much better than honey, anyway


      True, but I'll be damned if I can find a place that will sell it to me. For now I guess I'll just stick with soda.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    12. Re:Honey can lead to infant botulism by __aaclcg7560 · · Score: 1

When I made my reference to "babes", I meant a female adult. I forgot to consider that this reference to a honeypot might just be way above most /. readers. Honey and nipples are a great combination. :P

    13. Re:Honey can lead to infant botulism by Anonymous Coward · · Score: 0

      Don't worry, he won't reply. He's off sheepishly pretending he doesn't care, meanwhile that inner voice inside of him is going, "Fuck. I'm stupid. I think I'll stay off Slashdot for a few weeks and hope people forget how stupid I was today."

  15. A swarm by Anonymous Coward · · Score: 0

Drive around randomly blasting a half dozen points with MAC addresses starting with 00008F (Raytheon Systems, the fine maker of these). Unfortunately those in the Middle East would be the only ones to get the joke.

  16. Just one problem - by njdj · · Score: 3, Insightful

a fake database or two, some Word documents showing that the US has a secret base in the middle of the everglades....

    You'll then get pulled in by Homeland Security and shipped to Gitmo for revealing that the US has a secret base in the middle of the Everglades.

    1. Re:Just one problem - by aztracker1 · · Score: 0

      Maybe you could point out one example of someone (a U.S. citizen) being shipped to a U.S. run prison on foreign soil? Not to be a troll, but wtf!? You know, I really can't stand G.W. and to be honest, I think Huessane(sp) should have had a bullet through his head back in the late 70's, or the very least in the early 90's.

      I'm just sick of seeing crap like this everywhere I turn... Yeah, you hate Bush, you feel cheated, you think the war is all about the oil.. whatever. The fact is that half the crap that comes out of the media machine is just that, crap.. liberal, conservative, all crap.

At least I can say one good thing about G.W. Bush... you know where he stands on things, because he doesn't change his answers, speeches, or actions because it's what the latest poll's results were twisted to say. The majority isn't always right... In any case, I'm so sick of seeing political B.S. spewed every chance some asshole on slashdot gets.

      --
      Michael J. Ryan - tracker1.info
    2. Re:Just one problem - by Anonymous Coward · · Score: 0

      "...human beings and fish can coexist peacefully..." - Glad I know where he stands there...

      "I'm so sick of seeing political B.S. spewed every chance some asshole on slashdot gets"

      Er, Pot. Kettle.

    3. Re:Just one problem - by Dion · · Score: 1, Insightful
At least I can say one good thing about G.W. Bush... you know where he stands on things, because he doesn't change his answers, speeches, or actions...

      Dude, there are two things wrong with this:

      • It's perfectly fine to change your mind when new data comes to light, holding on to a belief against evidence is stupidity.
• Bush does change his standpoint from time to time, just look at the whole "Let's ignore Bin Laden" to "war on terr".

      Really, Bush and his handlers have run your country into the ground, demonstrated their complete lack of respect for human and civil rights as well as your own constitution and yet there are sheep like you who just bend over while praising the Great Leader.

      I mean, doesn't a graph like this one tell you that Reagan, Bush I and Bush II are not conservatives, but rather creditcard maxing out white trash?

      Doesn't conservatism mean spending less money?

      --
      -- To dream a dream is grand, but to live it is divine. -- Leto ][
    4. Re:Just one problem - by Anonymous Coward · · Score: 0

      Well, since I'm not a U.S.A. citizen, it'd be quite likely. (But it'll be the CIA, not homeland security.)

  17. pr0n by Khashishi · · Score: 3, Funny

    Just fill the honeypot with pr0n and there will be plenty for the hacker to play with.

    1. Re:pr0n by fusion9290991 · · Score: 1

      As long as it doesn't make my network interfaces stick together...

      --
      remember to loot and pillage before you burn!
  18. no longer honeypot by bobamu · · Score: 1
    now a honey cluster

    or a hive?

    this has endless potential

    I feel a little ashamed now

  19. Honeypot considerations by Dryanta · · Score: 2, Informative

    Make sure that everything rlogs to an append-only hardened blackbox with a high securelevel. Preferably obsd. Also, make sure you have banners that will hold up in court. A honeypot is not something to be viewed as 'extra work' for a network administrator, but ESSENTIAL when combined with a few IDS sensors. It is the way to keep on top of your overall network security, and gives you a few extra IP blocks to add to your overall firewall ruleset. If you are really lucky, you will bring down some asshat that tries to compromise the network you have spent all those hours configuring and hardening.

  20. Fun things to put on honeypots by Animats · · Score: 4, Funny
    • Call up a venture capitalist friend and ask for some rejected business plans for really stupid business ideas. Put them on your honeypot.
    • Get some publicly available geophysical data for real oil wells, and change all the locations to somewhere else with comparable geology but no oil.
    • Get some rejected porno images from people in the industry. Buy the reproduction rights. Put Digimarc watermarks on them. Wait for them to reappear elsewhere. Sue. Profit.
  21. Bad advice by frovingslosh · · Score: 2, Insightful
from the article:

    Simulated traffic can be used in conjunction with simulated targets....If you want to really see what the attacker is all about, simulate traffic that looks like someone trading MP3s, or traffic that looks like someone transferring business documents. If the attacker spends most of his time looking at the MP3 traffic, he is probably pretty harmless. If he spends his time looking at the documents, he is probably pretty dangerous.

Yea, right. Great advice, right up to the day that the RIAA and their FBI thugs come breaking down your door and taking every computer that you own and anything else they want too, because the hacker that broke into your system and saw all that traffic was an RIAA hacker.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:Bad advice by frostoftheblack · · Score: 1

      The key word there was simulate. I'm sure if you really had the time to devise a system like that, you'd find legal mp3z and faked or otherwise declassified business documents. Ha.

      --
      Do not mark in this space. For official office use only.
    2. Re:Bad advice by Anonymous Coward · · Score: 0

      So they would use evidence they gained whilst illegally hacking into your honeypot?

      Not to mention it is only simulated traffic, so you aren't really distributing the files, so they don't have a case anyway.

    3. Re:Bad advice by frovingslosh · · Score: 1

No wonder you post as an AC, with insight like that! Sure it's simulated traffic; that would hardly stop the law from breaking down your door, destroying your stuff and generally making your life miserable if the RIAA asked them to. Would the RIAA hacking be illegal? Sure, there are plenty of cases of that and worse on record, but the law applies to you and somehow not to them, or have you not been paying attention? And of course you are just setting yourself up for extreme legal fees, the ones that RIAA racketeering typically threatens people with as part of their "pay us five figures now, or even if you are innocent we'll run your legal fees up so high that you'll wish you did" approach to filing suits on people. Is that approach itself illegal? Yup. Do they get away with it? They sure do.

      --
      I'm an American. I love this country and the freedoms that we used to have.
  22. Consider how this one looks to a visiting non-Geek by umbrellasd · · Score: 4, Funny
    "Fun Things To Do With Your Honeypot System"

    non-Geek: "Is this a sexual reference? I don't get it...are they talking about that weird cyber thing?"

  23. "From The Article" by jonabbey · · Score: 2, Insightful

    Zonk, is it necessary to edit down what your submitters give you and take half of the post to include part of the referenced article?

    1. Re:"From The Article" by morie · · Score: 1

      So true!

      It's not like anyone was interested enough to RTFA in the first place, so why quote from it?

      --
      Sig (appended to the end of comments I post, 54 chars)
  24. That was my experience in late-90s as well by billstewart · · Score: 4, Interesting
I used to have a lab with a DSL link and a couple of quasi-honeypot machines on it. The Win95 (or was it Win98?) machine was never bothered; the RedHat 6 machine kept getting brutally attacked every week so after a few rebuilds I named it "kenny". Now, the Windows machine was partly not bothered because it wasn't doing anything interesting enough to be very vulnerable - there wasn't a web or FTP server, it wasn't sharing any disks or printers, I usually used Netscape browsers instead of IE, and if you did break in all you'd get for your trouble was a Windows machine. I had another Linux box on the network that was always running a scrolling tcpdump (AFAIK nobody ever bothered it - I had fewer services installed on it because it only had a 500MB disk), and could see a variety of interesting traffic.
    • One week I saw it sending lots of pings to a university in Sweden. I checked with the admin there, who said it looked like my machine had been infected with Stacheldraht DDOS client and was reporting back to an infected machine at his site, and told me how to clean it up.
    • Another week the pings were to Washington University in St. Louis. I forget whether their machine had attacked mine or mine had attacked theirs, but either way it seemed appropriate since they'd probably used wuftpd to break in to my machine. Cleaned it up again.
    • Another week I did a "find" looking for something under root's home directory, and found a whole ~/.something directory I didn't recognize. I did an "ls", which couldn't find that directory - they'd replaced /bin/ls, but forgot to update the date stamp on the file, and also forgot to update the date stamp on /bin/ps. "ps" was hacked to not report the processes they were running from their hidden ~/.whatever directory - but "ls" wasn't hacked to hide things in /proc :-). So I cleaned up their semi-clever little rootkit.
    • After I cleaned up one of the latter two attacks, their next act was an "rm -rf /" on poor Kenny. Stupid thugs; at least they could have tried something interesting.
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
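The third bullet above describes the classic tell of a userland rootkit: a trojaned `ps` omits the intruder's processes, but the kernel's `/proc` still has a numbered directory for each of them. The following is an added example of that cross-check, written for this page and not code from the post or from any tool it mentions. The sample `ps` output and `/proc` listing are constructed; `live_check()` reads the real `/proc` and runs the real `ps` on a Linux host.

```python
"""Cross-check the process list against /proc to spot PIDs a trojaned ps hides.
Added example, not code from the post above. SAMPLE_PS and SAMPLE_PROC are
constructed data; live_check() is the same comparison against the real host."""
import os
import subprocess


def pids_from_ps(ps_output):
    """Parse `ps -e -o pid=` style output (one PID per line, header lines ignored)."""
    pids = set()
    for line in ps_output.splitlines():
        line = line.strip()
        if line.isdigit():
            pids.add(int(line))
    return pids


def pids_from_proc(proc_entries):
    """/proc has one all-digit directory per live process; ignore cpuinfo, self, etc."""
    return {int(name) for name in proc_entries if name.isdigit()}


def hidden_pids(ps_output, proc_entries):
    """PIDs present in /proc but absent from ps output: rootkit candidates, sorted."""
    return sorted(pids_from_proc(proc_entries) - pids_from_ps(ps_output))


def live_check():
    """Run the comparison on this host.

    /proc is listed before and after ps runs, and only PIDs present in both
    listings are considered, so processes that merely exited in between (and ps
    itself) do not produce false positives."""
    proc_before = os.listdir("/proc")
    ps_out = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    ).stdout
    proc_after = set(os.listdir("/proc"))
    stable = [name for name in proc_before if name in proc_after]
    return hidden_pids(ps_out, stable)


# Constructed sample: the trojaned ps leaves out PIDs 4242 and 4243.
SAMPLE_PS = "  PID\n    1\n  512\n  900\n 1337\n"
SAMPLE_PROC = ["1", "512", "900", "1337", "4242", "4243", "cpuinfo", "self", "meminfo"]

if __name__ == "__main__":
    print("sample hidden PIDs:", hidden_pids(SAMPLE_PS, SAMPLE_PROC))
    if os.path.isdir("/proc"):
        print("live hidden PIDs:", live_check())
```

Two caveats a practitioner would add: this only catches a replaced `ps` binary (or a hooked libc), because a kernel-level rootkit that filters `getdents` on `/proc` hides from both views equally, so the comparison is strongest when run from a known-good static binary or from a separate boot. And the file-timestamp clue in the post (a new `/bin/ls` whose mtime doesn't match the rest of the package) is worth checking with `rpm -V` or a pre-computed hash list rather than by eye.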
  25. Most cool business networks are semi-homemade by billstewart · · Score: 1
Many business network connections are made of vanilla parts - a web server, Pix or Checkpoint firewall, a VPN appliance for employees to connect from home, mostly static web pages or decorative Flash navigation. Pretty boring, and not much point in breaking in unless you want somewhere to run a zombie server or you're a skr1p7 k1dd13 who still thinks scribbling on websites is way 1337 k3wl. At most there's a pre-packaged e-commerce server that lets you order things with credit cards, but you could have gotten the credit card numbers from professionals, or if you're a professional carder you could have run a pr0n site and ripped off anybody who fell for your "age verification" trap.

But the more interesting networks for a cracker are usually at least semi-custom - they may have some standard components, but maybe they're arranged in some customized combination, or there's a bunch of dynamic-html scripting that wasn't written quite right so there are exploits to look for. Maybe it's the database hooks you can feed malicious SQL, or maybe there's something else in there.

    I agree that unless you're a security researcher of some kind, you probably don't need a source of new cracker tools - but if you're running a customized production site, you do need to know what's being used to attack you, so you can block against it, whether it's your own company or whether it's a type of service you're providing to multiple customers.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  26. Yeah, like you'd trust *those* warez... by billstewart · · Score: 1

    Sure, there are worse places to get warez, but the type of people who crack into a site to get a place to store warez are _not_ the types of sources you'd want to trust.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  27. Shameless plug by LordSnooty · · Score: 1

    http://www.csc.liv.ac.uk/~greg/sshdfilter/

    Get this and your ssh brute force attack worries will be over. They're only popular because ssh tends not to block repeated attempts by default, and many other avenues have been closed to the crackers. So make sure you block this particular route.
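The point of a tool like the one linked above is simple: count failed logins per source over a short window and block the source once it crosses a threshold. The block below is an added example of that logic written for this page; it is not sshdfilter's code and makes no claim about how sshdfilter is implemented internally. It parses OpenSSH's "Failed password" syslog lines (the sample lines are constructed) and returns the offending IPs; `block_command()` only builds the iptables rule a blocker would run, it does not execute it.

```python
"""Sliding-window SSH brute-force detector: an added example, not sshdfilter's
code. SAMPLE_AUTH_LOG is constructed in OpenSSH's 'Failed password' format."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog lines carry no year; assume one so timestamps can be compared.
LOG_YEAR = 2006

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failed(line, year=LOG_YEAR):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def offenders(lines, threshold=5, window_seconds=60):
    """Source IPs with >= threshold failures inside any window_seconds span.

    One deque of timestamps per source; entries older than the window are
    dropped as each new failure arrives, so five failures spread over ten
    minutes do not trigger with a 60-second window."""
    recent = defaultdict(deque)
    flagged = []
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged


def block_command(ip):
    """The iptables rule a blocker would issue for a flagged source (built, not run)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"


# Constructed sample: a fast dictionary run from 203.0.113.7, one legitimate
# key login, and a slow trickle from 192.0.2.1 that stays under the rate.
SAMPLE_AUTH_LOG = [
    "Mar 12 03:14:01 kenny sshd[2001]: Failed password for root from 203.0.113.7 port 40122 ssh2",
    "Mar 12 03:14:03 kenny sshd[2003]: Failed password for root from 203.0.113.7 port 40124 ssh2",
    "Mar 12 03:14:05 kenny sshd[2005]: Failed password for invalid user admin from 203.0.113.7 port 40126 ssh2",
    "Mar 12 03:14:07 kenny sshd[2007]: Accepted publickey for bill from 10.0.0.5 port 51000 ssh2",
    "Mar 12 03:14:09 kenny sshd[2009]: Failed password for invalid user oracle from 203.0.113.7 port 40128 ssh2",
    "Mar 12 03:14:11 kenny sshd[2011]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2",
    "Mar 12 03:14:13 kenny sshd[2013]: Failed password for root from 203.0.113.7 port 40132 ssh2",
    "Mar 12 03:20:00 kenny sshd[2100]: Failed password for root from 192.0.2.1 port 30001 ssh2",
    "Mar 12 03:22:00 kenny sshd[2101]: Failed password for root from 192.0.2.1 port 30002 ssh2",
    "Mar 12 03:24:00 kenny sshd[2102]: Failed password for root from 192.0.2.1 port 30003 ssh2",
    "Mar 12 03:26:00 kenny sshd[2103]: Failed password for root from 192.0.2.1 port 30004 ssh2",
    "Mar 12 03:28:00 kenny sshd[2104]: Failed password for root from 192.0.2.1 port 30005 ssh2",
]

if __name__ == "__main__":
    for ip in offenders(SAMPLE_AUTH_LOG):
        print(block_command(ip))
```

On a honeypot you would normally not block at all (the brute force is the data you wanted), but on the production hosts next to it this is the whole defence: the slow source in the sample shows why the window matters, since a flat count would eventually flag any persistent but harmless client too.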

  28. Tis a pity ... by Infernal+Device · · Score: 1

    Too bad you can't trace the hackers back to the source and order a hit squad on them ... well, maybe in Russia.

    --
    "My God...it's full of trolls!"
  29. It's all fun and games... by JustJake · · Score: 4, Insightful

    until someone uses your honeypot as a platform to attack someone else. Or were you thinking that bad guys never use machines under their control in this manner?

    Who are these security people with so much free time that they can monitor a honeynet for hours on end and create bogus traffic to move across it in order to entertain a bored 16-year-old hacker from who knows where? Every serious professional I know is up to his eyeballs in real work.

    1. Re:It's all fun and games... by Anonymous Coward · · Score: 0

      It's been said before, it will be said again: simulated targets.

    2. Re:It's all fun and games... by avatar4d · · Score: 0

      You could simply have a router/firewall or something else monitor the traffic and send a message to you if any traffic comes from the honeypot/net. There should really be no traffic going to/coming from this section of the network so it would be easy to trigger.

      --
      Confucius say: "Man who associates with smarter men than himself is smarter than the men he associates with."
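The "Risk to others" thread above asks how to keep a compromised honeypot from being turned on third parties, and this post answers that anything leaving the honeynet is by definition suspicious and should page someone. The block below is an added example of that detection, written for this page and not code from the article or from any commenter. It assumes a hypothetical honeynet range 10.66.0.0/24 whose only legitimate outside destination is a log collector at 10.99.0.5, and reads the firewall's iptables `LOG` lines (the `SRC=`, `DST=`, `PROTO=` and `DPT=` fields are what that target emits; the sample lines are constructed).

```python
"""Alert on packets that leave a honeynet for anywhere but the collector.
Added example, not code from the article. HONEYNET, COLLECTOR and the
SAMPLE_LOG lines are assumptions/constructed data, not a real deployment."""
import ipaddress
import re

HONEYNET = ipaddress.ip_network("10.66.0.0/24")   # assumption: the phantom network
COLLECTOR = ipaddress.ip_address("10.99.0.5")     # assumption: append-only log box
ALLOWED_DST = {COLLECTOR}                          # the only off-net destination permitted

FIELD_RE = re.compile(r"(SRC|DST|PROTO|DPT)=(\S+)")


def parse_log_line(line):
    """Pull SRC/DST/PROTO/DPT out of an iptables LOG line; None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {
        "src": ipaddress.ip_address(fields["SRC"]),
        "dst": ipaddress.ip_address(fields["DST"]),
        "proto": fields.get("PROTO", "?"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def is_escape(pkt):
    """True when a packet comes from inside the honeynet and is bound for a host
    that is neither in the honeynet nor on the allow list."""
    if pkt["src"] not in HONEYNET:
        return False                      # inbound attacker traffic: expected
    if pkt["dst"] in HONEYNET or pkt["dst"] in ALLOWED_DST:
        return False                      # lateral inside the net, or our own logging
    return True


def find_escapes(lines):
    """(src, dst, proto, dport) for every logged packet that should raise an alert."""
    alerts = []
    for line in lines:
        pkt = parse_log_line(line)
        if pkt and is_escape(pkt):
            alerts.append((str(pkt["src"]), str(pkt["dst"]), pkt["proto"], pkt["dport"]))
    return alerts


# Constructed sample log (not a real capture): inbound SSH from an attacker,
# syslog to the collector, an IRC connect-out and a web fetch from the
# compromised honeypot, one lateral SMB probe, and an unrelated sshd line.
SAMPLE_LOG = [
    "kernel: HONEY IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.66.0.10 PROTO=TCP DPT=22",
    "kernel: HONEY IN=eth1 OUT=eth0 SRC=10.66.0.10 DST=10.99.0.5 PROTO=UDP DPT=514",
    "kernel: HONEY IN=eth1 OUT=eth0 SRC=10.66.0.10 DST=198.51.100.9 PROTO=TCP DPT=6667",
    "kernel: HONEY IN=eth1 OUT=eth0 SRC=10.66.0.10 DST=192.0.2.44 PROTO=TCP DPT=80",
    "kernel: HONEY IN=eth1 OUT= SRC=10.66.0.10 DST=10.66.0.11 PROTO=TCP DPT=139",
    "sshd[1234]: Accepted publickey for admin from 10.0.0.5",
]

if __name__ == "__main__":
    for src, dst, proto, dport in find_escapes(SAMPLE_LOG):
        print(f"ALERT honeypot {src} -> {dst} {proto}/{dport}")
```

Detection is the easy half; the article's own caveat about outbound "manglers" still applies, so the firewall in front of the honeynet should also rate-limit or drop outbound connections by default and only log what it lets through, otherwise the alert arrives after the third party has already been hit.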
  30. Obligatory by Shadyman · · Score: 1

    In Soviet Russia, Honeypots hack YOU.

  31. Re:And a fun way to get free warze. Raises by davidsyes · · Score: 1

    computer RPG to a whole new.. umm. "level"...

    But, I like the part about a secret base in the Everglades.

    What would be cool is faking a database of chupacabra-human mutagenics data claiming the efficacy of a new breed of supersoldier.

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  32. Nice point on language by FoamingToad · · Score: 1

    I'm particularly wary of people over-using the word "obviously", as it's one that seems to be frequently used to prop up a shaky logical proposition.

  33. Re:Consider how this one looks to a visiting non-G by Lissajous · · Score: 2, Funny

    A visiting what? C'mon - I mean seriously.....this *is* slashdot!

  34. In defense of 'Paradigm' by Bobby+Orr · · Score: 1

I like the word 'paradigm.' True, sometimes it is abused. Sometimes it is only a hand-waving obfuscation. However it is also correctly used, if only occasionally. In those cases, it is a correct and careful word choice which refers to both method and reasoning ("A set of assumptions, concepts, values, and practices that constitutes a way of viewing reality for the community that shares them, especially in an intellectual discipline" -- dictionary.com). Is there any other single word which can replace 'paradigm'?

  35. honeypots not just for networks... by Anonymous Coward · · Score: 0

    There are honeypots for old-school dial-in hackers too, see Sandtrap, for example.

  36. Undressing the ladies by Dareth · · Score: 1

... I hear undressing the ladies in Russia is easy... getting them to put down their knives, axes, and AK's is much much more difficult!

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
  37. Re:And a fun way to get free warze. Raises by LWATCDR · · Score: 1

Well the secret base in the Everglades is because of one of the greatest wastes of tax money in the history of Florida.
In the late 60s everyone thought SSTs were going to be the next big thing. So they started to build a replacement for the Miami airport 50 miles west of Miami out in the Everglades... Well the EPA came and stopped it but not before a HUGE runway, control tower, and many parts of the terminal were built.
Airlines used to use it for practice since it is a huge modern airport in the middle of nowhere with no traffic.
Shows up really pretty on Google Earth :)

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  38. the model is based on a Bee.o.wolf cluster by wilec · · Score: 1

    "now a honey cluster"

    Not exactly, the model is based on a Bee.o.wolf cluster

    "'or a hive?"

    Yes the hive organization is like that of Bee.ORG

    "this has endless potential"

    POT! Ok, this explains everything :)

    "I feel a little ashamed now"

    Really, yea you should, but then I guess so should I.
    "Oh Papa I am so 'shamed" ... place this one :)

    Wabi-Sabi
    Matthew