[TriLUG] Honeypots attract flies
Mike Johnson
mike at enoch.org
Mon Jul 15 10:13:34 EDT 2002
Jon Carnes [jonc at haht.com] wrote:
> The difference in our two points of view is that you have the time to
> continuously monitor your "Honeypot", and by your eternal vigilance, down
> the compromised system before it can be used to propagate the evil that men
> do...
This is an important point. You -cannot- simply set up a Honeypot and
forget about it, or just occasionally check it. You -have- to watch it
like a hawk. These things are not fire and forget, nor are they for
beginners. It's horribly easy to set up a system that's trivially
compromised (hundreds of people do this every day), but it's a much more
difficult task to set it up so that you catch all of the data you need
and to ensure that your system is not used to harm others (or even your
own network!). The article originally pointed to was written by someone
who pretty much knew what they were doing. However, had someone of a
slightly higher skill level gotten into their honeypot, things could
have gone much worse.
People have long debated the legalities of Honeypots. However, imagine
how screwed you would be if a system you -knowingly- set up to be
compromised was used to attack a corporation, a .gov, or worse, a .mil.
They will not be happy with you, and have every right to not be happy.
Better still, go on and set up a Honeypot on your corporate net without
permission from higher ups. Then, let it be compromised and used to
attack the rest of your network, possibly even to the point of having
sensitive data copied. How long will your job last?
> May you be ever vigilant!
Jon is spot on here. Neither of us is saying Honeypots are, in and of
themselves, bad. However, you must be extremely careful. Liken it to
handling a disease. For the entire lifetime, you have to be paying a
tremendous amount of attention.
Mike
--
"Let the power of Ponch compel you! Let the power of Ponch compel you!"
-- Zorak on Space Ghost
GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
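One concrete form of the "watch it like a hawk" requirement Mike and Jon describe is an egress watchdog: the decoy host should never initiate connections of its own, so any new outbound flow it starts is a sign it has been compromised and may be about to be used against someone else. The script below is an added example and is not from the TriLUG thread or any honeypot project. It assumes a gateway in front of the honeypot writes iptables-style LOG lines (prefix "HP-OUT") for every new outbound connection; the honeypot address 192.0.2.10, the allowed destination 192.0.2.1 and the sample log lines are all constructed placeholders.

```python
"""Egress watchdog for a honeypot (added example, not from the thread).

Assumes a gateway logs each NEW outbound flow the decoy initiates in
iptables LOG format. Addresses and sample lines below are constructed.
"""
import re
from collections import defaultdict

HONEYPOT_IP = "192.0.2.10"      # placeholder address of the decoy host
ALLOWED_DST = {"192.0.2.1"}     # placeholder: the one host the decoy may talk to (e.g. log/DNS)
ISOLATE_AFTER = 5               # unexpected outbound flows tolerated before cutting the decoy off

# Fields of interest in an iptables LOG line; SPT/DPT are absent for ICMP.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample: one allowed DNS lookup, an IRC connection, an SSH
# sweep across five hosts, and one inbound hit (which is not outbound).
SAMPLE_LOG = """\
Jul 15 10:01:02 gw kernel: HP-OUT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=UDP SPT=4321 DPT=53
Jul 15 10:01:09 gw kernel: HP-OUT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=33001 DPT=6667
Jul 15 10:01:10 gw kernel: HP-OUT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=33002 DPT=22
Jul 15 10:01:10 gw kernel: HP-OUT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.6 PROTO=TCP SPT=33003 DPT=22
Jul 15 10:01:11 gw kernel: HP-OUT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP SPT=33004 DPT=22
Jul 15 10:01:11 gw kernel: HP-OUT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.8 PROTO=TCP SPT=33005 DPT=22
Jul 15 10:01:12 gw kernel: HP-OUT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=33006 DPT=22
Jul 15 10:01:12 gw kernel: HP-IN IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=80
"""


def parse_outbound(log_text):
    """Yield (dst, proto, dpt) for each new flow the honeypot itself initiated."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("src") == HONEYPOT_IP:
            yield m.group("dst"), m.group("proto"), m.group("dpt")


def analyse(log_text):
    """Build a report: unexpected destinations, per-service fan-out, isolate decision."""
    flows = list(parse_outbound(log_text))
    unexpected = [f for f in flows if f[0] not in ALLOWED_DST]

    # Distinct destination hosts per (proto, dport): many hosts on one port
    # is the signature of the decoy being used to scan or attack others.
    hosts_by_service = defaultdict(set)
    for dst, proto, dpt in unexpected:
        hosts_by_service[(proto, dpt)].add(dst)
    fanout = {svc: len(hosts) for svc, hosts in hosts_by_service.items()}

    alerts = []
    if unexpected:
        alerts.append(f"{len(unexpected)} outbound flow(s) to non-allowed hosts")
    for (proto, dpt), n in fanout.items():
        if n >= 3:
            alerts.append(f"fan-out: {proto}/{dpt} to {n} distinct hosts")

    return {
        "outbound_total": len(flows),
        "unexpected": unexpected,
        "fanout": fanout,
        "alerts": alerts,
        # Any unexpected flow is worth paging on; past the budget, pull the plug.
        "isolate": len(unexpected) > ISOLATE_AFTER,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for a in report["alerts"]:
        print("ALERT:", a)
    print("isolate decoy:", report["isolate"])
```

Run continuously against the gateway's log (for example piped from the syslog file), this is the "eternal vigilance" the thread talks about expressed as a rule: the allowed-destination set is tiny by design, a single unexpected flow already pages someone, and a burst of flows to many distinct hosts on one port is treated as the decoy being turned against others and is grounds for isolating it. The budget and the allowed set are assumptions to tune per deployment, and the watchdog is only useful if the gateway actually blocks or rate-limits outbound traffic from the decoy as well as logging it.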