Subject: Re: Cracked; rootkit - entrapment question?
From: Lance Spitzner (lanceKSNI.NET)
Date: Thu Mar 02 2000 - 08:25:13 CST


On Wed, 1 Mar 2000, Drew Smith wrote:

> I'd like to create a honeypot of sorts; a chroot environment that looks
> and feels like the machine, and that allows the cracker to do everything
> he normally would want to from the shell. I'd like to log everything to
> another machine, and get the police in on it.
>
> My question is this: how far can I go while remaining legal? Is this
> entrapment? I really despise these kids - if you're going to hack my
> machines, at least show some prowess at it! They did, unfortunately,
> wipe the utmp and wtmp entries, remove themselves from all the logs, etc
> - so I don't really have too much to start from.

I've been running honeypots for almost a year now, with great success.
I have yet to have any legal/entrapment issues. However, I have been using
honeypots to learn the tools/tactics of the bad guys, not to catch them.
For me, a successful honeypot means the bad guys never knew they were being
watched. I wrote up a paper on this, "To Build A Honeypot".

http://www.enteract.com/~lspitz/honeypot.html

Hope that helps ...

Lance