Help Perfect The Cracker Antfarm With honeyd

timothy posted more than 11 years ago | from the where-are-the-red-ants dept.

Security 93

Niels Provos would like you to help create the perfect lure for crackers. In the style of similar challenges presented by the Honeynet Project, Provos, a doctoral candidate at CITI (a research institute at the University of Michigan) has announced a public competition for contributions to his honeyd project, which the project page describes as "a small daemon that creates virtual hosts on a network." Honeyd does more than that terse description implies, though: read on to see how you can contribute to creative cracker snaring.

Behind door number three ...

Rather than wait for production systems to be cracked, honeypot makers arrange sting operations: they set up intentionally tempting target machines as traps, loaded with tools to observe any break-ins.

Though the projects' names (and their rosters of hackers) are confusingly similar, honeyd is distinct from the Honeynet Project. Both are concerned with watching intruders' behavior for analysis and, in the long run, preventing their exploits, but the projects vary in their scope. Honeyd offers specific software tools to effect the appearance of a crackable box (and can simulate thousands of crackable machines at once); the Honeynet Project is broader, and uses honeyd within its larger framework of studying cracker attacks.

"Honeyd creates virtual honeypots that simulate operating system characteristics to such a degree that it fools fingerprinting tools like nmap or xprobe," says Provos. "As such it is a virtual honeypot that may be used for all kinds of purposes -- network sensors, decoys, et cetera. As the Honeynet project investigates interesting honeypot technologies, Honeyd got me involved with the [Honeynet Project] and is my contribution."

The competition Provos is organizing is in turn a chance for others to contribute to his honeypot tool; a variety of prizes (including a trip to CanSecWest/core03) will go to the programmers who provide the best improvements to the current version (0.5) of honeyd. He's hoping to field contributions to upgrade the user interface, better analyze information captured as intruders try to break in, provide simulated P2P programs, and more. Though there's a list of suggestions on the site, anything to more effectively mimic genuine target machines is welcome.

License requirements are friendly to open source programmers: "Source code features to be integrated into Honeyd need to be covered by a BSD-like license. Service emulations and graphical user interface [submissions] may be either BSD-like or GPL."

Though the honeynet.org page says that Provos is sponsoring the challenge, he says others (like Honeynet Project lead Lance Spitzner) have put up the prizes. "As I am still a poor student, I anticipate that my only financial expenses are going to be shipping costs."

What inspired the idea of a contest, rather than simply waiting for code to roll in from interested hackers? "The Honeynet project has held very successful challenges in the past," says Provos. "Additionally, Lance Spitzner and Marcus Ranum have been giving tutorials on honeypots and noticed that all the participants really enjoyed working with Honeyd. As a result, Lance encouraged me to hold this challenge."

What's in it for them?

Spitzner, one of the challenge judges, lists a few things he'd like to see come out of this contest. "All the plumbing and features are there for developing your own honeypots. I would love to see these capabilities extended and making it easier to use. For example, it would be great [to see] new emulated services added, a port to Windows, and a GUI to make it easier to use."

Spitzner has recently published a book about honeynets as well, so he has a good reason to want some attention focused on this sort of calculated intruder watching.

"I am most interested in the balance of getting realism with as little risk of abuse," says Job de Haas, another judge for the competition and CEO of security consulting firm ITSX. "The idea is to build simulated services, but you want to end the realism where it starts to undermine the security of the system beyond control." De Haas says that one of the system's weak points right now is that it's simply difficult for new users to know where to begin. "Hopefully lots of useful examples will come out of the challenge, to make it easier to get started."

I send you this file to ask your advice about breaking in.

Code submissions from hundreds of contributors (all of them savvy enough about cracking to contribute in the first place) raise the prospect of at least a few of them trying to sneak in their own malware to subvert the competition, but the organizers discount the possibility of a backdoor or other crack being submitted.

While it's unlikely that malicious code would make it far, Provos says that to be on the safe side (and make sure it doesn't hurt his working environment), "Personally, I run all new code under a systrace sandbox, and before new code gets integrated into the official honeyd source code it has to pass a source code audit."

Similarly, De Haas says that he's not worried about malicious code, but is "alert that someone might try. Generally we're quite used to dealing with untrusted code. On the other hand I don't consider myself unhackable, it can always happen. You mostly try to minimize the damage it can do."

"Generally the community is very good about this," says Spitzner. "While I doubt this would happen, you do have to be concerned about it. Fortunately, the judges we have (except for me :) are outstanding at code review."


Further reading: We've mentioned the Honeynet Project a few times before -- here's one story from July 2001 and another from July 2002; a search on "honeynet" will yield several more.

93 comments

FPISS (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5326406)

FP! Cocksuckers! This is my first first post! Ha ha ha! I WIN!

FP! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5326411)

FIRST POST!

Re:FP! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5326448)

ACTUALLY I beat u http://features.slashdot.org/comments.pl?sid=54208&cid=5326406

Jesus Saves! (-1)

Anonymous Coward | more than 11 years ago | (#5326414)

Ask Jesus into your heart today!

The ONLY way, truth and life

Re:Jesus Saves! (-1, Offtopic)

Memetic (306131) | more than 11 years ago | (#5326465)

But does he also make offsite backups?

Re:Jesus Saves! (-1, Funny)

Jesus, Son Of God (651375) | more than 11 years ago | (#5326477)

No, that's my dad's job, you know, being sys admin and all.

Jesus, Son of God most high (-1, Offtopic)

Jesus, Son Of God (651375) | more than 11 years ago | (#5326420)

Jesus, Son of God most high,
who didst in a manger lie,
who upon the cross didst die:
hear us, holy Jesus.

Jesus, once an infant small,
cradled in the oxen's stall,
though the God and Lord of all:
hear us, holy Jesus.

Be thou with us every day,
in our work and in our play,
when we learn and when we pray:
hear us, holy Jesus.

When we lie asleep at night,
ever may thy angels bright
keep us safe till morning light:
hear us, holy Jesus.

Make us brave without a fear,
make us happy, full of cheer,
sure that thou art always near:
hear us, holy Jesus.

May we prize our Christian name,
may we guard it free from blame,
hating all that causes shame:
hear us, holy Jesus.

May we grow from day to day,
glad to learn each holy way,
ever ready to obey:
hear us, holy Jesus.

May we ever try to be
from all angry tempers free,
pure and gentle, Lord, like thee:
hear us, holy Jesus.

May our thoughts be undefiled,
may our words be true and mild,
make us each a holy child:
hear us, holy Jesus.

Jesus, from thy heavenly throne,
watching o'er each little one,
till our life on earth in done:
hear us, holy Jesus.

Re:Jesus, Son of God most high (-1)

Anonymous Coward | more than 11 years ago | (#5326429)

I RAPED JESUS

JESUS SAVES! (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5326437)

You said it!

Re:JESUS SAVES! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5326445)

How can a fictional character save?

Well, Scrooge Mc Duck invests... (-1)

Anonymous Coward | more than 11 years ago | (#5326489)

If Scrooge Mc Duck invests, then I'm quite sure Jesus can save.

JESUS SAVES! (-1, Troll)

archeopterix (594938) | more than 11 years ago | (#5326654)

But Gretzky gets the rebound! News at eleven.

As a caucasian (-1)

Anonymous Coward | more than 11 years ago | (#5326424)

I resent this!

Help Perfect The Cracker Antfarm With honeyd? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5326425)

Wha'choo talkin' about Willis?

They're making this harder than it needs to be (5, Funny)

Waffle Iron (339739) | more than 11 years ago | (#5326439)

When I feel a cracker attack coming on, I don't sit around waiting to "lure" crackers. Instead, I just head down to the local supermarket and buy a few boxes.

There's no need to deal with sticky messy honeypots, either. You can get Honey Grahams with the delicious honey flavor baked right in.

Re:They're making this harder than it needs to be (1, Funny)

mrtroy (640746) | more than 11 years ago | (#5326472)

You OBVIOUSLY didn't read the article.
You crazy fool! Going to the supermarket and buying boxes of crackers! All you have to do is put out a honeypot and crackers will come to you. I think it has something to do with a jar of pennies and grocery gateway.

NOTE: grocery gateway did not like when I did this and I take no responsibility for your actions involving jars of pennies and acquiring crackers. It IS after all blackhat.

Re:They're making this harder than it needs to be (0)

Anonymous Coward | more than 11 years ago | (#5326558)

I love you, i think geniuses like you should be gods, or better, sys admins, (hey all the people at micron technology)I READ YOUR E-MAIL!

Re:They're making this harder than it needs to be (3, Funny)

xanadu-xtroot.com (450073) | more than 11 years ago | (#5326577)

There's no need to deal with sticky messy honeypots, either.

Yea? Tell that to Pooh...

Re:They're making this harder than it needs to be (0)

Anonymous Coward | more than 11 years ago | (#5326603)

i love you guys, but seriously get some sun or something, and become a comedian and i think (now this is purely marketing) what if we took the honey and smeeered it on pretty women, would it attract more crackers? and do the crackers have to be crackers? could they be wheat bread or maybe something a little more health conscious? have an apple?

Is it easy to tell that you're in a honey pot? (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#5326440)

How hard is it to make a honey pot look lived in?

I mean, anybody can walk into a house and tell almost instinctively if anybody is living there at the current time.

It is nothing you can put your finger on, it is just a "sense".

Is the same true for honey pots? Can a hacker that is familiar with System X instinctively tell if (s)he is in a real live in-use System X or just a honey pot of System X?

Is it easy to tell that you're in a honey pot? (5, Insightful)

Boss, Pointy Haired (537010) | more than 11 years ago | (#5326447)

How hard is it to make a honey pot look lived in?

I mean, anybody can walk into a house and tell almost instinctively if anybody is living there at the current time.

It is nothing you can put your finger on, it is just a "sense".

Is the same true for honey pots? Can a hacker that is familiar with System X instinctively tell if (s)he is in a real live in-use System X or just a honey pot of System X?

(posted AC the first time by accident)

Re:Is it easy to tell that you're in a honey pot? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5326519)

What the fuck? This post should be modded as redundant. Just because this asshole decided he wanted karma for his "wit", doesn't mean you faggots have to give it to him. First of all, he's a fucking retard. Second of all, IT'S FUCKING REDUNDANT!!! You're all asshats. Suck my dick. Fuck you.

Re:Is it easy to tell that you're in a honey pot? (0)

Anonymous Coward | more than 11 years ago | (#5326561)

Mom, is that you?

Re:Is it easy to tell that you're in a honey pot? (2, Interesting)

sporty (27564) | more than 11 years ago | (#5326541)

I'd wager you can..

Audit a live system somewhere, where people "live" to copy everything that isn't "sensitive". Then fake the sensitive info, like passwords, card numbers and names.

That is how you do final tests before production. You make a system so lifelike, it is infallible.. or nearly so.

Re:Is it easy to tell that you're in a honey pot? (4, Interesting)

TopShelf (92521) | more than 11 years ago | (#5326563)

That's an interesting point - you'd need to create output files with varying dates and times (to look like production data), log files, etc. I would think one idea would be to take a snapshot of your live environment at a given time, then create a honeypot when needed that alters file create/mod dates appropriately. Not easy, but it's a thought...

Re:Is it easy to tell that you're in a honey pot? (2, Interesting)

fudgefactor7 (581449) | more than 11 years ago | (#5326666)

Couldn't you just write a script (or something) to "touch" random files? That would change the dates. Then add a bunch of fake users (some disabled, naturally, as that's a nice target.) That might work.
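One way to do what this sub-thread suggests, as an added example that is not part of any poster's comment: a script that spreads modification times across a decoy file tree. The function names, the 90-day window and the rule that `*.log` files stay within the last day are assumptions of the example, which also assumes GNU or BusyBox `touch`, `stat` and `cksum`.

```sh
#!/bin/sh
# Added example (not from the thread): spread file modification times across
# a decoy tree so it does not look freshly unpacked.
# Assumes GNU or BusyBox tools: touch -d @EPOCH, stat -c %Y, cksum.

# age_decoy_tree DIR DAYS [NOW_EPOCH]
# Ordinary files get an mtime somewhere in the last DAYS days; *.log files
# get one in the last 24 hours, since logs on a busy host are always recent.
# The offset comes from a checksum of the relative path, so reruns are stable.
# File names containing newlines are not supported.
age_decoy_tree() {
    dir=$1
    days=$2
    now=${3:-$(date +%s)}
    find "$dir" -type f | while IFS= read -r f; do
        rel=${f#"$dir"/}
        hash=$(printf '%s' "$rel" | cksum | cut -d' ' -f1)
        case $rel in
            *.log) window=86400 ;;
            *)     window=$((days * 86400)) ;;
        esac
        touch -m -d "@$((now - hash % window))" "$f"
    done
}

# mtime_span DIR: seconds between the oldest and newest file mtime in DIR.
mtime_span() {
    find "$1" -type f -exec stat -c %Y {} + | sort -n |
        awk 'NR == 1 { lo = $1 } { hi = $1 } END { print hi - lo }'
}

# Constructed demo tree; all names below are made up for illustration.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice" "$root/var/log"
    for name in notes.txt report.doc todo budget.xls; do
        : > "$root/home/alice/$name"
    done
    : > "$root/var/log/auth.log"
    age_decoy_tree "$root" 90
    echo "mtime spread: $(mtime_span "$root") seconds"
    rm -rf "$root"
}
demo
```

Timestamps are only one tell; file contents, shell histories and log entries that contradict the dates would still give the decoy away.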

Re:Is it easy to tell that you're in a honey pot? (0)

Anonymous Coward | more than 11 years ago | (#5326899)

Well, see.. the thing is, most crackers are idiots.

Re:Is it easy to tell that you're in a honey pot? (3, Interesting)

martyros (588782) | more than 11 years ago | (#5327461)

It depends on what your goal is. If you're looking to collect new exploits, well, it's pretty easy to make things seem real on the outside. The earlier versions of honeyd (if I recall correctly from my conversations with Niels) didn't actually allow an attacker to get very far with an attack, because they didn't run any actual services, just a fake thing that mimicked a service. The purpose wasn't to actually entrap and convict hackers, or to observe their modes of operation and so on; but to collect information about new attacks (for signature detectors in firewalls) and to hide your real system in among a bunch of fakes.

If you're looking to actually observe crackers "in the wild", you have to make your system look reasonably real; while at the same time making sure the attackers can't do any real damage from your machine (else you may be implicated in their crimes). The Honeynet project has a lot of good tips and tricks on this sort of thing. For example, not allowing more than 10 outgoing connections (so that it can't be used to scan or launch a DDOS attack), and putting a message in motd saying, "The network is acting kind of flaky, we're working on it, blah blah blah."

In fact, making a realistic honeypot is essentially just social engineering... hmm...

Re:Is it easy to tell that you're in a honey pot? (2, Insightful)

oddrune (102921) | more than 11 years ago | (#5327492)

With so many inexperienced system administrators out there - is it possible? It's so easy to put a [insert linux distro here]-system online, say "hey, it worked", and forget about it, that I doubt that anyone would raise an eyebrow when entering a 'dead' system.

Re:Is it easy to tell that you're in a honey pot? (4, Insightful)

Marcus Brody (320463) | more than 11 years ago | (#5327540)

Doesn't need to look lived in...

For starters - scripts, scanners, worms, script kiddies aren't ever going to notice the difference.

Furthermore, more advanced crackers wouldn't necessarily be put off by such a box... e.g. they may see a nice unused NT sitting in the corner of a lab, just waiting for her to install that new DDOS tool...

However, I guess leet dudes like us would smell a rat!

FP! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5326454)

In Soviet Russia, the honey cracks you!

Damn, YOU FAIL THE SHIT out of IT (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5326845)

You failed so hardcore it's not even funny.

Mmm... (2, Funny)

grub (11606) | more than 11 years ago | (#5326457)


Mmmm... Honeynet Cheerios </homer>

Hmmm...? (4, Interesting)

Anonymous Coward | more than 11 years ago | (#5326462)

For example, it would be great [to see] new emulated services added, a port to Windows, and a GUI to make it easier to use.
...how many people that set up honeypots use Windows or need a GUI?

Furthermore, how many developers that make these kind of tools want to cater to the Windows/GUI crowd?

Re:Hmmm...? (4, Interesting)

srmalloy (263556) | more than 11 years ago | (#5326521)

...how many people that set up honeypots use Windows or need a GUI?

You're right; who needs a honeypot when you can just set up a Windows system, which is automatically a hack magnet?

Seriously, though, having a Windows honeypot would be useful simply because of the enormous variety of attacks directed at Windows systems. Having a system designed to attract and log attacks would give more information than trying to examine the post-mortem data after a Windows box has been 'H4C|20R3D'.

Re:Hmmm...? (0)

Anonymous Coward | more than 11 years ago | (#5326929)

Actually, there are a few honeypots written for Windows. But they are rather simple, for example fake telnet/ftp.

"Rain Forest Puppy" ?? (-1, Flamebait)

tmark (230091) | more than 11 years ago | (#5326467)

One of the judges is one "Rain Forest Puppy". To me, this jeopardizes the credibility of the contest, just as if a judge was "Anonymous Coward" or "Big F*cking Idiot".

Re:"Rain Forest Puppy" ?? (4, Informative)

glitch_ (48803) | more than 11 years ago | (#5326517)

Rain Forest Puppy is a well known cracker/hacker. Not necessarily a black hat, but I would put him in a "various shades of gray" hat. It seems that he feels more comfortable going by that name. Just like rappers go by their nicknames, someone like RFP likes to go by his handle. That does not make him a bad person, just someone with a goofy name. :)

Re:"Rain Forest Puppy" ?? (4, Insightful)

Hanashi (93356) | more than 11 years ago | (#5326540)

I guess it only puts the contest in question for you. For most of the rest of us, at least, those of us involved in the security community, Rain Forest Puppy's involvement is a source of positive credibility, not negative. He's well known and very well respected.

Re:"Rain Forest Puppy" ?? (5, Informative)

arglesnaf (454704) | more than 11 years ago | (#5326589)

Rain Forest Puppy is a very respected cracker who posts to the Bugtraq mailing lists.

A PCWorld interview is here [pcworld.com]

He is also cited as the discoverer of several MS vulnerabilities by Microsoft themselves: [microsoft.com]

Re:"Rain Forest Puppy" ?? (0)

Willis Wasabi (96857) | more than 11 years ago | (#5326600)

Yeah, Rain Forest Puppy. The fact that it doesn't ring a bell means you really aren't involved with security. Here's a clue: http://www.wiretrip.net/rfp/2/index.asp

Re:"Rain Forest Puppy" ?? (0)

Anonymous Coward | more than 11 years ago | (#5326601)

Well, even I know that RFP is quite known within the security scene.
To most people interested in this sort of thing, this probably makes the contest even more credible.

Re:"Rain Forest Puppy" ?? (0, Offtopic)

StuffYourReligion (452006) | more than 11 years ago | (#5327638)

So tmark makes a sincere statement of his own skeptical opinion (and identifies it as such), and he gets modded down as flamebait!? His lack of familiarity with RFP provoked insightful and presumably educational responses from a few people, letting those of us who had never heard of RFP know who he was.

Thank you to those who had the decency to write tmark a nice reply, rather than moderate him or her down. I hope you negative moderators get meta-modded to your own little honey pot in hell. I would have given him "+1; insightful" but it wasn't my turn.

P.S. Go ahead and slap me too (my karma can take the abuse). How about an "offtopic?" That's my favourite. Oh, and no... I don't mind if someone doubts my own words because I have a stupid handle. Skepticism is healthy.

University of Michigan?? (-1, Offtopic)

rmohr02 (208447) | more than 11 years ago | (#5326468)

Blasphemy!

(see my email address)

Genius! (5, Funny)

bdesham (533897) | more than 11 years ago | (#5326476)

This is perfect! Since crackers never visit Slashdot, they'll never see this one coming!

Re:Genius! (4, Funny)

Joe the Lesser (533425) | more than 11 years ago | (#5326611)

Actually, I think most of /.er's are probably caucasian...

Re:Genius! (1)

jaavaaguru (261551) | more than 11 years ago | (#5328089)

From Websters:

Cracker
5. A nickname to designate a poor white in some parts of the Southern United States. --Bartlett.

Wordnet says it's synonymous with Redneck. How is that not caucasian (A member of any of the white races of mankind)?

Re:Genius! (1)

andrewski (113600) | more than 11 years ago | (#5328485)

Who's white? As for me, I am more of a light pink color. My girlfriend is slightly olive-toned. We are both caucasian, but neither one of us is white. I know asian people who, when you put my skin next to theirs, are much much whiter than I. In fact, I can't think of anyone I know that is actually white. Black people aren't black, they are brown. Who the fuck came up with this color-coding system anyway?

Re:Genius! (1)

jaavaaguru (261551) | more than 11 years ago | (#5328590)

I agree it's silly.

Re:Genius! (1)

SmokeSerpent (106200) | more than 11 years ago | (#5330204)

There's no such thing [smh.com.au] as a caucasian (or any other "race") anyway.

Re:Genius! (1)

tsm_sf (545316) | more than 11 years ago | (#5337804)

Who the fuck came up with this color-coding system anyway?

Homeland Security?

Re:Genius! (2, Insightful)

arvindn (542080) | more than 11 years ago | (#5326872)

You were probably just trying to be funny, but just in case you thought it's really a bad idea to discuss honeypots on /. :

You are essentially arguing for security through obscurity. Consider how a cracker would start to attack a system. They would most likely have some portscanning scripts that would pick up a vulnerability. Honeypots are perfect for this. You set up a virtual machine that detects a vulnerability.

Next, the cracker has r00ted your machine and wants to exploit it. They've read about honeypots on /. and wonder if it is one. So how do they find out? From the outside, a honeypot looks just like any other machine.

If you let the world know that you are running a honeypot on a certain IP, then you're doing something stupid. But knowledge about honeypots in itself does not decrease their effectiveness.

Re:Genius! (1)

mgessner (46612) | more than 11 years ago | (#5327203)

OT (in reply to the OP's .sig):

I actually took a Differential Equations test drunk.

I got a 96%.

It's safe to drink and derive! It's fun!

The judges include ... (-1, Offtopic)

burgburgburg (574866) | more than 11 years ago | (#5326480)

Rain Forest Puppy.

But when I say it, people try to involuntarily medicate me again. Where's the justice?

Oh, wait, it's ... (-1, Offtopic)

burgburgburg (574866) | more than 11 years ago | (#5326722)

over there, in a box.

As a network op ... (3, Funny)

borgdows (599861) | more than 11 years ago | (#5326486)

Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.

...adding personality to daemons is pure evil!

I've been watching too much Dave Chapel... (0, Funny)

Ted_Green (205549) | more than 11 years ago | (#5326488)

I thought they were trying to catch a white boy.

Re:I've been watching too much Dave Chapel... (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5326504)

fuck you nigga'!!

Editors take note (-1, Offtopic)

The Evil Couch (621105) | more than 11 years ago | (#5326492)

Further reading: We've mentioned the Honeynet Project a few times before -- here's one story from July 2001 and other from July 2002; a search on "honeynet" will yield several more.

Now THAT'S how you post a dupe.

who gives a flying fook? (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5326530)

you geeks need to go outside and get some fresh air, you spend too much time with honey and crackers, wuit being fat, fatties!!

Amazon Gift Certificates? (0)

Anonymous Coward | more than 11 years ago | (#5326566)

Can I just say, "boo, Provos boo"? I can't believe he picked Amazon gift certificates as prizes. Doesn't he know we hate Amazon? We still do, right?

Write my dissertation for me! (3, Funny)

murphj (321112) | more than 11 years ago | (#5326585)

Dear Slashdot,
I'm a little busy right now, and having trouble finishing my dissertation. Can you guys finish it up for me? Thanks a bunch,
Niels Provos
PS - If you help, you can call yourself Dr., too!

Hacker? (2, Insightful)

kramer2718 (598033) | more than 11 years ago | (#5326641)

Aren't they actually trying to trap hackers? When I read the title, I naturally assumed that the post referred to an attempt to catch people who break into protected software. Has that use of the term 'cracker' gone away? If so, what does 'hacker' mean nowadays?

Re:Hacker? (0)

Anonymous Coward | more than 11 years ago | (#5329873)

There is more than one definition of hacker [reference.com]. It seems no matter which definition people use, someone gets upset. Yet so many other words have multiple definitions and people learn to live with it.

Warez (2, Funny)

cybermage (112274) | more than 11 years ago | (#5326670)

Give each honeypot an IP of 127.0.0.1. All the co01 wArEz is there. Crackers will flock to them.

Cracker Lure (-1, Offtopic)

t0ny (590331) | more than 11 years ago | (#5326692)

Niels Provos would like you to help create the perfect lure for crackers

According to Eddie Murphy and the Rap community, all you need is an Eddie Bauer store next to a Gap, with a Starbucks next to that.

Mirror Pro Al Qaeda Sites. (4, Interesting)

cybermage (112274) | more than 11 years ago | (#5326697)

and find out how the NSA/CIA hack boxes.

I thought.... (0)

Anonymous Coward | more than 11 years ago | (#5326779)

...a better lure for crackers was Coors Lite and ham hocks...

my wish list for catching crackers (0)

Anonymous Coward | more than 11 years ago | (#5326842)

I just wish that I could silently discover their physical location including where they live and hang out. Then later I will calmly beat them senseless, tightly tie them up naked to a splintery and rusty nail loaded light pole and invite anyone to come and view, beat, steal from them at their leisure. Or perhaps I will simply break into their house perhaps taking things I like, perhaps just rearranging or destroying some things or simply just depending upon my violation of their privacy. Then I can leave behind some contrived journal of justifications about how I am actually doing them a favor or they are just tools of the evil corporate overlords or any other mindless, parroted, monkey speak.

That or send these folks to the pen and let them get ass raped on a daily basis.

You don't break into my system, I don't crush your spine.

Re:my wish list for catching crackers (0)

Anonymous Coward | more than 11 years ago | (#5326922)

The Bush administration has taken your advice to heart and forced legislation through Congress enabling it. They also found some radical terrorist propaganda (www.txdemocrats.org [txdemocrats.org] ) in your browser cache, so you are the first to be convicted under these new laws and receive your fitting punishment. Congratulations!

u f ux will nevar keep up w/ me!! (0, Funny)

Anonymous Coward | more than 11 years ago | (#5326885)

thees pplz think there so smart with there hacker catching toolz well ive nver once been caught and its not gonna happen netime soom LOL! honststly u pplz r serios idiots if u think taht this piece of shit softwarez is gunna protect u.

THERE IS NO HIDING FROM ThA L337 sKWaD!!!!! LOL

Re:u f ux will nevar keep up w/ me!! (1, Funny)

Anonymous Coward | more than 11 years ago | (#5327462)

Judging by your innate ability to type (and with such profound grammar I might add); I think that this "piece of shit softwarez" would more than suffice when it comes to my protection. By the way... If there is "NO HIDING FROM ThA L337 sKWaD!!!!" then come find me ;) I'd bet that you couldn't break my system if I gave you root.

Feeding the machine? (0)

Anonymous Coward | more than 11 years ago | (#5326915)

I think it would be cromulent to ask if contests such as this only embiggens the problem?

ANYONE ELSE GETTING SICK OF CRACKER BULLSHIT? (0)

Anonymous Coward | more than 11 years ago | (#5326954)

As a system administrator, I do my best to secure my systems. But god damn it, they always seem to find a way in and fuck things up. Hell, I'm dealing with something right now.

If you get into my box, I PUT A BULLET IN YOUR HEAD. That is about the only fucking thing that will stop them.

Anyone spare some bullets?(and a gun for that matter)

No more need for honeypots!

Sick of it!

Do you fly kites in thunderstorms? (0)

Anonymous Coward | more than 11 years ago | (#5327250)

If not, then why bait lusers into attacking part of your network? At best, you'll slow down some kiddie that's stupid enough to try to break into a box that's a honeypot.

On the other hand, if you get someone with half a clue, they'll realize what you're doing and move on to another target in the same network. "Oh, I see, you must be trying to distract me from the real fun over here... *clicky clicky*"

The only time I can see this being interesting is if you have a chunk of bandwidth that's not yours, and not doing anything productive. At least when they get frustrated and call in the DDOS attack, your personal 'net access won't be affected.

My technique is simple: lock stuff down and above all else, don't look interesting! Look boring. Be the Cavalier in a parking lot full of Cadillacs. Guess which one they'll break into first?

honeypot daemons (0)

Anonymous Coward | more than 11 years ago | (#5327306)

Hmm. I think what they are looking for is a combination of LaBrea's Tarpit programs and Fred Cohen's Deception Tool Kit. As far for making honeypots look alive, you better do better than that. They need to start looking at ways to do user emulation.

Buffer overruns in honeyd (4, Funny)

iamacat (583406) | more than 11 years ago | (#5327379)

While obviously malicious code might be easy to spot, how difficult would it be for someone to slip an obscure buffer overflow into honeyd and have fun after it's released? Anyone know of any good hacks that happened BECAUSE of the honeypot bugs?

There used to be a package called COPS to check UNIX security. The author made use of eval to scan users' .rhosts for suspicious entries. I promptly modified my own file to contain some ` characters and UNIX commands. Worked like a charm. Thought about modifying sendmail to send a few randomly selected local messages to a random local account, but decided it would be too mean. Exchanging screens of two lab suns with screendump and screenload or playing sounds telling a user that his or her shoe is untied is as far as I got.
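The failure mode this comment describes, a checker that hands untrusted file contents to `eval`, and a way to avoid it, as an added example that is not part of the original post and is not COPS code. The function name `check_rhosts`, the output format and the sample entries are assumptions made for the example.

```sh
#!/bin/sh
# Added example: audit a .rhosts file as data only. Not COPS code.
# The unsafe pattern the comment describes looks like
#     eval "check_entry $line"      # hypothetical; $line comes from the file
# where backticks or $(...) in the file run with the auditor's privileges.

# check_rhosts FILE
# Prints "<lineno>:<reason>:<line>" for each suspicious entry and never
# evaluates, expands or executes anything read from FILE.
check_rhosts() {
    file=$1
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '' | '#'*) continue ;;
        esac
        # Shell metacharacters have no business in a host/user list.
        case $line in
            *'`'* | *'$'* | *';'* | *'|'* | *'&'* | *'<'* | *'>'* | *'('* | *')'*)
                printf '%s:metachar:%s\n' "$n" "$line"
                continue ;;
        esac
        # Split into fields with globbing off, so "*" is not expanded either.
        set -f
        set -- $line
        set +f
        host=${1:-}
        user=${2:-}
        # A bare "+" trusts every host or every user.
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            printf '%s:wildcard:%s\n' "$n" "$line"
        fi
    done < "$file"
}

# Constructed sample input, including a backtick entry that must stay inert.
demo() {
    sample=$(mktemp)
    marker="$sample.executed"
    printf '%s\n' 'trusted.example.org alice' '+ +' '# lab machines' \
        "build.example.org \`touch $marker\`" 'backup.example.org +' > "$sample"
    check_rhosts "$sample"
    if [ -e "$marker" ]; then
        echo "embedded command ran"
    else
        echo "embedded command stayed inert"
    fi
    rm -f "$sample" "$marker"
}
demo
```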

What next ? Oscars for puppetry ? Nerds get a grip (0)

zymano (581466) | more than 11 years ago | (#5327576)

Calm down tech zealots. The Oscars are about real living people acting. There are a lot of super COOL people in the Academy that look down at TECH movies. They like movies like "About Schmidt" (sucked donkey dong) and "Girl, Interrupted" (chickfilm).

The Oscars are a trick pulled over one's eyes. Most corrupt voting system that would put a tear in a Teamster's eye.

By the way, does anyone else think CMDRTACO and HEMOS need to be laid off due to the economy shrinking in bad tech story submissions?

Honeynets in physical security (3, Insightful)

Marcus Brody (320463) | more than 11 years ago | (#5327627)

Such tactics as honeypots are probably good methods for prospective risk assessment. It has been used in physical security with some success - I remember the story of Marty Pell (not the lead singer from Wet Wet Wet...).

A few years ago there was a whole succession of major political and tabloid leaks to the British press. Talk surfaced of some "Hacker" with an agenda.... Some legal firm (I think) who were a little shady (e.g. contracts with arms companies, MI6 etc) caught him in the end. Such a company has pretty steep security. Everything got shredded. Occasionally, they would leak false documents into their trash, and see if they would appear in the media.

One of their fake stories was published in a broadsheet. Marty Pell was caught on CCTV stealing their trash. The guy was the world's most prolific dumpster diver - a house full of trash, not the slightest hacking skill.

Makes you wonder - is this whole hacking/internet security really just a bit of an academic exercise at times?

Anyway I digress, I was on-topic at some point....

Re:Honeynets in physical security (1)

Slashdot Fool (102557) | more than 11 years ago | (#5334049)

His name is Benjamin Pell. See, for example: http://www.guardian.co.uk/Archive/Article/0,4273,4156062,00.html

Steff

Entrapment (1)

iangoldby (552781) | more than 11 years ago | (#5328006)

Niels Provos would like you to help create the perfect lure for crackers.

IANAL, but I think that doing this sort of thing in the UK could be considered by the authorities to be entrapment. Just something to think about. (I believe entrapment law is much more strict in the UK than in the US.)

Re:Entrapment (1)

andrewski (113600) | more than 11 years ago | (#5328592)

IANAL but the entrapment laws only apply to law enforcement officers and agencies. As an individual who is not a LEO, or even as a LEO operating outside of work hours, feel free to entrap.

Re:Entrapment (1)

iangoldby (552781) | more than 11 years ago | (#5329632)

I'm glad someone knows more about it than me. Thanks.

Re:Entrapment (0)

Anonymous Coward | more than 11 years ago | (#5338945)

That's good. I'm a VIRGO.

Re:Entrapment (1)

rosie_bhjp (40538) | more than 11 years ago | (#5330306)

It should be OK for even the police/FBI to do.
Police in various cities have parked cars on city streets waiting for a break-in. The cars are there as bait for a car thief to take. Once they get in, the police remotely lock the doors, disable the engine, and promptly arrest them for grand theft auto.

This is really just the online equivalent of that.

Entrapment would be a cop notifying you of a system with security flaws, encouraging you to break into it, and then arresting you when you follow his advice.

Honeynets just give the appearance of a parked car with the doors unlocked.

Re:Entrapment (0)

Anonymous Coward | more than 11 years ago | (#5330965)

Yeah! It's only one more of those things that make you Americans smell shit from ten miles away.

It's a pity since your country is a great nation no doubt... but things like entrapment are pure bastardry.

Re:Entrapment (1)

iangoldby (552781) | more than 11 years ago | (#5333478)

It should be OK for even the police/fbi to do.

Yes, but I asked about UK law. I know US law is a lot more permissive in this respect. As I said, I don't know much about law, but this would definitely be illegal in the UK.

There was a bit of a news story [zdnet.co.uk] recently about the UK Government considering changing the law to make entrapment of paedophiles by police officers posing as children in online chat rooms legal.

Interesting that Article 6 of the EU Convention on Human Rights outlaws evidence gathered by entrapment.

Follow up article (2, Informative)

cascadefx (174894) | more than 11 years ago | (#5328338)

A good follow up to this post is a short introduction to honeyd [infosecuritymag.com] by Marcus Ranum in the latest issue of Information Security Magazine. A good little overview of what the program does and how to potentially use it.

The problem (0)

math0ne (567591) | more than 11 years ago | (#5328941)

The problem I see with honey pots is that I think it would be pretty unlikely to actually catch anyone with something like this. All of the people that I know that are involved in hacking large amounts of servers are very careful about security. Using a controlled outside shell account to set up the scan on another hacked box. Systems like this may be good for catching people that are not serious about it and maybe watching trends and getting the tools that people use. But look at EFnet: the big channels there have hundreds of hacked edu's totally unconnected to any of the ops. You'd think if it was easy to tell who was doing it it would be done already.

Wrong approach (1)

ajv (4061) | more than 11 years ago | (#5331107)

If you were doing this at home, would you deliberately put on a flimsy curtain on an outside door with a bright shiny VCR and big ass TV (fake store demo) inside in the hope of attracting thieves to your place?

I didn't think so.

Go do something useful.

Andrew

The perfect lure for crackers (0)

Anonymous Coward | more than 11 years ago | (#5331573)

How about a big barrel of moonshine, a row of cans to shoot from the porch at, and a plate of pork rinds? :)

Hmmm (1)

shiroi_kami (651169) | more than 11 years ago | (#5332171)

Interesting, count me in... I'm getting hungry.

You can find an antfarm of crackers: (0)

Anonymous Coward | more than 11 years ago | (#5332348)

here [forbes.com]