Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?


From: lance () KSNI NET (Lance Spitzner)
Date: Thu, 2 Mar 2000 08:25:13 -0600


On Wed, 1 Mar 2000, Drew Smith wrote:

      I'd like to create a honeypot of sorts; a chroot environment that looks
and feels like the machine, and that allows the cracker to do everything
he normally would want to from the shell.  I'd like to log everything to
another machine, and get the police in on it.

      My question is this:  how far can I go while remaining legal?  Is this
entrapment?  I really despise these kids - if you're going to hack my
machines, at least show some prowess at it!  They did, unfortunately,
wipe the utmp and wtmp entries, remove themselves from all the logs, etc
- so I don't really have too much to start from.

I've been running honeypots for almost a year now, with great success.
I have yet to have any legal/entrapment issues.  However, I have been using
honeypots to learn the tools/tactics of the bad guys, not to catch them.
For me, a successful honeypot means the bad guys never knew they were being
watched.  I wrote up a paper on this, "To Build A Honeypot".

http://www.enteract.com/~lspitz/honeypot.html

Hope that helps ...

Lance
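Drew's note above mentions that the intruders wiped their utmp and wtmp entries. The check below is an added example, not code from either poster: it parses a wtmp file using the glibc `struct utmp` layout for x86_64 Linux (384-byte records, an assumption) and flags two traces that log wiping commonly leaves behind: records overwritten with null bytes, and timestamps that run backwards because the file was rewritten. The sample wtmp bytes are constructed inline.

```python
import struct
from dataclasses import dataclass

# Assumption: glibc struct utmp on x86_64 Linux, 384 bytes per record.
# Fields: ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
#         ut_exit (two shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[16], pad[20]
UTMP_STRUCT = struct.Struct("<hxxi32s4s32s256shhiii16s20x")
USER_PROCESS = 7   # ut_type for a logged-in user
DEAD_PROCESS = 8   # ut_type for a terminated session


@dataclass
class Record:
    ut_type: int
    pid: int
    line: str
    user: str
    host: str
    tv_sec: int


def _cstr(b: bytes) -> str:
    """Decode a NUL-padded C string field."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data: bytes) -> list:
    """Split raw wtmp bytes into Record objects; rejects truncated files."""
    if len(data) % UTMP_STRUCT.size:
        raise ValueError("wtmp length is not a multiple of the record size")
    recs = []
    for off in range(0, len(data), UTMP_STRUCT.size):
        f = UTMP_STRUCT.unpack_from(data, off)
        recs.append(Record(f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]))
    return recs


def find_anomalies(recs: list) -> list:
    """Return (index, reason) pairs for records that look tampered with."""
    findings = []
    last_ts = 0
    for idx, r in enumerate(recs):
        # A record that is entirely zero was overwritten in place, not removed:
        # a legitimate login/logout entry always carries a type and a timestamp.
        if r.ut_type == 0 and r.pid == 0 and r.tv_sec == 0 and not r.user:
            findings.append((idx, "null record (entry overwritten rather than removed)"))
            continue
        # wtmp is append-only, so time should never move backwards.
        if r.tv_sec < last_ts:
            findings.append((idx, f"timestamp goes backwards ({r.tv_sec} < {last_ts})"))
        last_ts = max(last_ts, r.tv_sec)
    return findings


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Build one wtmp record (used here only to construct sample input)."""
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), b"", user.encode(),
                            host.encode(), 0, 0, 0, tv_sec, 0, b"")


# Constructed sample: one clean login, one zapped entry, one login, then a
# logout record whose timestamp is earlier than the record before it.
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 1001, "pts/0", "alice", "10.0.0.5", 951_900_000)
    + b"\0" * UTMP_STRUCT.size
    + make_record(USER_PROCESS, 1002, "pts/1", "bob", "10.0.0.9", 951_903_600)
    + make_record(DEAD_PROCESS, 1001, "pts/0", "", "", 951_901_000)
)

if __name__ == "__main__":
    for idx, reason in find_anomalies(parse_wtmp(SAMPLE_WTMP)):
        print(f"record {idx}: {reason}")
```

Run against a real file with `parse_wtmp(open("/var/log/wtmp", "rb").read())`. The check is only useful if a copy of the record exists that the intruder could not reach, which is exactly why Drew's plan logs everything to another machine: on the compromised host the whole file can be rewritten cleanly, and then neither trace remains.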
