Date: Sun, 25 Jun 2000 20:13:30 +0200
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: "Jeffrey J. Mountin" <jeff-ml@mountin.net>
Cc: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Narvi <narvi@haldjas.folklore.ee>, security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
Message-ID: <13330.961956810@critter.freebsd.dk>
In-Reply-To: Your message of "Sun, 25 Jun 2000 12:48:17 CDT." <4.3.2.20000625122615.00afbf00@207.227.119.2>

In message <4.3.2.20000625122615.00afbf00@207.227.119.2>, "Jeffrey J. Mountin" writes:
>At 08:56 AM 6/25/00 -0700, Cy Schubert - ITSD Open Systems Group wrote:
>> > The thing is a booby-trap. It is somewhat similar to running a simulated
>> > "buggy" application with the sole purpose of catching the would-be
>> > attackers.
>> >
>> > I'm not sure if and how much it pays in the long run.
>>
>>I don't think it would hold up in court, as it would be entrapment. So
>>what would the sense be in setting up a booby-trap?
>
>How so? Only if you are with a law enforcement agency would it be
>entrapment. At least in the US, but then there is a term similar to
>"enticement" (forget the legalese version), which may apply. Doubtful, but
>entirely possible that by attracting bears with a honeypot, which is
>surrounded by a fence, which the bear climbs, falls, and then has recourse
>to turn around and sue you for tempting it. Regardless, I'm fairly certain
>that the authorities would be interested.

If you put a gold-bar on the sidewalk which activated a burglar alarm
if touched, that would be illegal. If you put it inside your locked
house it would be 100% legal, even if it could be seen through the
window.

Setting up a honey-pot host is legal, as long as you don't try to
invite people to break into it. I.e.: don't call it
nah-nah-you-can-t-hack-me.foo.com and don't tell anybody about it.

Jails(8) are probably the currently safest way to do it, but not
the most "authentic" looking way. Finding out that you're in a jail
is trivial and I presume that it will become common knowledge for
script-kiddies RSN.

In other words: a high-fidelity honey pot should probably be a
machine of its own behind a rather fascist firewall, but as a
tripwire/indication a jail(8) based honeypot will do just fine.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD coreteam member | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.