Know Your Enemy: Honeynets
bewmIES writes "The guys over at the Honeynet project have released the latest chapter in their "Know Your Enemy" series describing how to implement a honeynet. This is great reading even if you don't have any plans to implement one and does a very good job explaining the elementary concepts behind it all, along with the implications." Extremely interesting reading here.
Re:I am building one. (Score:1)
The fact is, it's unwise to implement a straight packet drop. Look below and you'll see that he actually is doing it cluefully, so the post is not valid in his particular instance, but valid in many others.
regards.
honeypots are great...! (Score:2)
Re:Slightly OT but... (Score:1)
Re:Slightly OT but... (Score:1)
> their server/network/etc has security problems
> without opening yourself up for nasty things?
I don't think you can. I had a friend in high school who was suspended for the same reason. He pointed out a security flaw that someone (not him) later exploited.
My advice, unless you're being paid to audit someone's security, don't bother. It isn't worth it.
PhOOHy (Score:1)
Re:Entrapment (Score:1)
Re:A honeynet (Score:1)
Re:I am building one. (Score:2)
Now you won't. You don't know what you're talking about. Yes, you're going to drop all packets FROM THAT SOURCE IP ADDRESS ONLY. Unfortunately, there are a few billion other IP addresses on the Internet that your firewall will be happy to accept packets from.
Feel free to ipchain-away your own first hop out, and see if it affects your ability to load, say, www.yahoo.com. Of course it won't.
You're not really as 3I33T4 a H4X0R as you think you are. Leave this kind of stuff to the professionals, please.
---
A honeynet (Score:1)
That's exactly what this does. (Score:1)
The nice thing about portsentry is that you can have it issue a command in response to an attack. In this case instead of using the default portsentry settings, it executes a custom built script using the IP as an argument. If you trigger portsentry, you can still see port 80, and 443, but nothing else.
I am building one. (Score:3)
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Connect from host: 211.205.178.64/211.205.178.64 to TCP port: 111
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Host 211.205.178.64 has been blocked via dropped route using command: "/etc/portsentry/portsentry.bash 211.205.178.64 111"
I know what the port 111 exploit is, but I have never used it, yet I get many hits from this exploit a day on my servers. This is just one hit. I know how to stop it (portsentry/ipchains is a wonderful thing) and as you can see it is logged.
There are many more attacks coming in, this is just one example. Sure, I can read on how they are performed, but that only makes me book-smart. I need to be able to see in real-time (or playback) exactly what a black-hat is going to do with my systems.
Honeypots/nets also give crackers a chance to practice their skills -- which can then be used against real targets -- with little repercussion.
Perhaps you should read this [rootprompt.org]. It shows you the "proper" way to setup a honeypot so that it cannot be used as a jump-point. I don't want to be just book-smart when it comes to my network. I want to know how they get in and what they do. Yes, I have secured my network (as best as you can that is) but that is not the point. Eventually *SOMEONE* is going to get in, somehow. I am going to be the one picking up the pieces when it happens. I would love to say that I am "good enough" that no one will crack my network, but I don't believe anyone is.
What I expect to learn from crackers hitting my honeypot is an overall "pattern". I expect to learn how to become a black hat, because it will make me a better white hat.
How much more can we really learn from the drooling 13-year-old script kiddies of the world?
Not all crackers fit that description I am guessing. Hopefully a honeypot will help me find this out for certain.
Re:Another new thing ... Same as the old thing (Score:1)
How is the honeynet system under more stress than the normal systems? Do you pay hackers to attack it in preference to your other systems? I don't see how that would work, since as soon as a hacker knows that this isn't a real box, they'll move on to more profitable and/or fun targets. If you incite hackers to attack it by making it an easy target, then you're not really testing what would happen to a real system, are you?
Re:Cops in the convenience stores... (Score:1)
Just out of curiosity, how was a Welsh teenager arrested in Wales by the U.S. FBI? As Deng Xiaoping would say, "What about the U.K.'s sovereignty?".
Re:Honeynets: I just don't get it (Score:1)
That is a good reason, thanks for the explanation. I'm still not sure that it's the best use of resources, but it does sound like it provides some useful information.
Re:Cops in the convenience stores... (Score:1)
I just thought it was interesting that it was reported as an FBI arrest, not a British arrest with FBI participation. If this keeps up, Jon Johanson may have something to fear from U.S. law enforcement after all...
Honeynets: I just don't get it (Score:2)
I've been hearing about these for a while, but to be honest I don't see how a honeynet will really help your network.
Maybe someone can explain the attraction to me, but it seems that although honeynets may observe a new attack technique every once in a while, on the whole they're not the most effective prevention method. The time would be better spent auditing the security level of your machines, improving your patch application time, analyzing log files from your production machines, etc.
Re:I am building one. (Score:2)
You are apparently not familiar with portsentry, and have just parroted the most common misconception. Portsentry is configured by default to only block hosts when it is running in standard mode. In standard mode portsentry binds to each port it monitors and requires a host to complete a full TCP connection to the port before it will go off. On most modern operating systems it is nearly impossible to spoof a full TCP connection; variables like the ISN are generated from the machine's random number generator.
The portsentry documentation explicitly states that it isn't smart to do dynamic blocking on anything other than TCP connections. There also exists a whitelist file of IP addresses that will never be blocked; it is encouraged to put the addresses of your critical internal machines and routers in it. According to the portsentry website they have not one confirmed report of someone baiting portsentry and having it DoS their own machine. Not that it can't happen, but you would have to make several specific misconfigurations that go directly against what is written in the manual.
Re:Slightly OT but... (Score:2)
Re:That's exactly what this does. (Score:1)
Still, most people use the default action of completely dropping the connection, and they should know it's unwise to do so....
-gleam
Re:I am building one. (Score:5)
I get hit with about 10-15 of these a day:
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Connect from host: 211.205.178.64/211.205.178.64 to TCP port: 111
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Host 211.205.178.64 has been blocked via dropped route using command: "/etc/portsentry/portsentry.bash 211.205.178.64 111"
I know what the port 111 exploit is, but I have never used it, yet I get many hits from this exploit a day on my servers. This is just one hit. I know how to stop it (portsentry/ipchains is a wonderful thing) and as you can see it is logged.
Portsentry/ipchains is *not* a wonderful thing in that instance. It would be much wiser for you to at least implement a brief timeout on the drop.
Here's a scenario:
I know your box is up, because I can connect to you at port 80, or whatever. So I portscan you.
And your box isn't up. EH? Oh! You must have some sort of portscan detector that automatically drops packets! Let's see if I can get to port 80!
Nope! Hmmmmm.
So what do I do? I spoof a portscan from the last hop between you and me. Lo, you block that IP. Lo, you lose your entire upstream.
Lo, you're screwed. All because you let an imperfect program control your TCP/IP stack.
Sure, blocking port scanners is OK. Just don't let them use it as an opportunity to launch a denial of service attack.
Think it through.
-gleam
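The response script this sub-thread keeps circling (the custom portsentry command in the "That's exactly what this does" post, the whitelist advice in the reply about standard mode, and the timeout gleam asks for above), written out as an added example. It is not code from any of the posters or from portsentry. It assumes iptables rather than the ipchains of the original posts, a hypothetical first-hop address of 10.0.0.1 in the whitelist, and a DRY_RUN mode that prints the firewall commands instead of running them.

```shell
#!/bin/sh
# Added example: a safer portsentry KILL_RUN_CMD script (not portsentry's own code).
# portsentry invokes it as: /etc/portsentry/portsentry.bash <attacker_ip> <port>
#
# Three safeguards the thread asks for:
#   1. a whitelist of hosts that must never be blocked (gateway, DNS, your own boxes)
#   2. keep TCP 80/443 reachable from the blocked host, so a spoofed scan
#      cannot lock a whole network out of your web server
#   3. a timeout, so a spoofed scan "from" your upstream only hurts briefly
#
# Assumptions (not from the original posts): iptables, gateway 10.0.0.1,
# DRY_RUN=1 prints the commands instead of executing them.

WHITELIST="${WHITELIST:-127.0.0.1 10.0.0.1}"   # assumption: 10.0.0.1 is the first hop
BLOCK_SECONDS="${BLOCK_SECONDS:-600}"
DRY_RUN="${DRY_RUN:-1}"
KEEP_PORTS="80 443"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Returns 0 when $1 is on the whitelist, 1 otherwise.
is_whitelisted() {
    for w in $WHITELIST; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# Only accept a dotted-quad IPv4 address: never let untrusted input reach
# a command that edits the firewall.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Remove the rules again after BLOCK_SECONDS (prints the plan in dry-run mode).
schedule_unblock() {
    ip=$1
    if [ "$DRY_RUN" = 1 ]; then
        echo "after ${BLOCK_SECONDS}s: iptables -D INPUT -s $ip -j DROP (and the ACCEPT rules)"
        return 0
    fi
    (
        sleep "$BLOCK_SECONDS"
        for p in $KEEP_PORTS; do
            iptables -D INPUT -s "$ip" -p tcp --dport "$p" -j ACCEPT
        done
        iptables -D INPUT -s "$ip" -j DROP
    ) &
}

# Block $1 (attacker IP) after a hit on port $2.
# Returns 0 when a block was installed, 1 when the host was skipped.
block_host() {
    ip=$1
    port=$2
    is_ipv4 "$ip" || { echo "refusing to block malformed address '$ip'" >&2; return 1; }
    if is_whitelisted "$ip"; then
        echo "not blocking whitelisted host $ip (hit on port $port)" >&2
        return 1
    fi
    # Insert the DROP first, then the ACCEPTs in front of it, so the chain
    # reads: ACCEPT 443, ACCEPT 80, DROP everything else from $ip.
    run iptables -I INPUT 1 -s "$ip" -j DROP
    for p in $KEEP_PORTS; do
        run iptables -I INPUT 1 -s "$ip" -p tcp --dport "$p" -j ACCEPT
    done
    schedule_unblock "$ip"
    return 0
}

# Replay helper: pull "<ip> <port>" out of a portsentry attackalert line so
# logged hits can be fed back through block_host (in dry-run mode) later.
parse_attackalert() {
    echo "$1" | sed -n 's/.*attackalert: Connect from host: \([0-9.]*\)\/[0-9.]* to TCP port: \([0-9]*\).*/\1 \2/p'
}

# When invoked by portsentry, act on the two arguments it passes.
if [ $# -eq 2 ]; then
    block_host "$1" "$2"
fi
```

With DRY_RUN=1 the script only prints what it would do, which is the right way to test a whitelist before handing the script to portsentry; set DRY_RUN=0 and fill WHITELIST with your real gateway, resolvers and management hosts before going live.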
Entrapment (Score:1)
Re:Slightly OT but... (Score:1)
---
Re:Slightly OT but... (Score:1)
I answered this question in a previous article about Honeypots [slashdot.org]. Since the link to the individual post doesn't work, I'll repost it here:
I just want to add a few things:
One of the things the HoneyNet Project does and has hinted at in some of its documents is changing the location of the configuration file for syslogd. Unfortunately it doesn't seem to mention this in its new paper. But how do you check it?
# strings /usr/sbin/syslogd | grep "/etc/syslog.conf"
If you don't get a response, the configuration file is NOT /etc/syslog.conf. This a DEFINITE indication that you are on a Honeypot.
# strings /usr/sbin/syslogd | grep "^/"
One of those files is being used as the configuration file. They've also done this with Bash's history file:
# strings /bin/bash | grep ".bash_history"
Nothing there, look at one of these responses:
# strings /bin/bash | grep "~"
And since this is a Honeypot, some of the commands used to hide your tracks may be modified or removed. There are more than a dozen ways to erase a hard drive without using `rm -rf /`; get to know some of them.... And as was pointed out in the results of their recent challenge, removing a file doesn't necessarily mean that it has been erased. *grin*
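The two checks in the post above, packaged as a script, as an added example that is not taken from the post or from the Honeynet Project. It reimplements a minimal strings(1) with tr and grep so it needs no binutils, and it is written as functions that take the binary's path, so it can be pointed at any file; the default paths are the ones the post names.

```shell
#!/bin/sh
# Added example (not from the post or the Honeynet Project): automate the
# "is syslogd/bash reading its usual files?" checks described above.
#
# A relocated /etc/syslog.conf or ~/.bash_history is a hint, not proof:
# a distribution may have patched the paths too. Treat it as one signal.

# Minimal stand-in for strings(1): printable runs of at least 4 characters.
# Needs only tr and grep, so it works where binutils is not installed.
printable_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '.{4,}'
}

# Print the absolute paths embedded in a binary (candidate config/history files).
embedded_paths() {
    printable_strings "$1" | grep '^/'
}

# Return 0 when the file $1 contains the literal string $2, 1 otherwise.
binary_mentions() {
    printable_strings "$1" | grep -qF -- "$2"
}

# Apply the post's two checks. Prints one verdict line per check and returns
# the number of checks that looked off (0 = nothing unusual).
check_for_relocated_paths() {
    syslogd=${1:-/usr/sbin/syslogd}
    bash=${2:-/bin/bash}
    suspicious=0
    if binary_mentions "$syslogd" /etc/syslog.conf; then
        echo "ok: $syslogd references /etc/syslog.conf"
    else
        echo "SUSPICIOUS: $syslogd does not reference /etc/syslog.conf; candidates:"
        embedded_paths "$syslogd" | sed 's/^/    /'
        suspicious=$((suspicious + 1))
    fi
    if binary_mentions "$bash" .bash_history; then
        echo "ok: $bash references .bash_history"
    else
        echo "SUSPICIOUS: $bash does not reference .bash_history; strings containing ~:"
        printable_strings "$bash" | grep -F '~' | sed 's/^/    /'
        suspicious=$((suspicious + 1))
    fi
    return $suspicious
}

# Usage: sh honeycheck.sh [syslogd-binary] [bash-binary]
if [ $# -gt 0 ]; then
    check_for_relocated_paths "$@"
fi
```

The exit status is the number of suspicious checks, so the script can be chained into a larger "where am I?" survey; the candidate path listing is what you would read to find the relocated file.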
Linking skillz (Score:2)
Where's the Beef? (Score:1)
IANAV (vegetarian).
Re:Slightly OT but... (Score:1)
Re:Entrapment (Score:3)
Re:Slightly OT but... (Score:1)
--
Re:Slightly OT but... (Score:1)
Second, if you really care about the data and the security of the network then you should volunteer to help patch it. You can't run to the professor's supervisor because you'll still end up looking like a whiner.
Third, stay anonymous when you notice someone else isn't doing their job correctly. It's the only way to nudge someone into action in regards to their job duties but not embarrass them or break any trust/respect you have with them.
Re:That's not the point. (Score:2)
I do agree with you, honeypots are a great resource for studying crackers and their techniques, but they are no more a means to securing a network than giving druggies a "Drug Park" to shoot up in solves the drug problem.
Re:You mean "forensic analysis" (Score:1)
Same thing goes for this. If you set up a system to act as a honeynet, you can still go after the people who hacked it. You didn't invite them in, and you even used the security settings that a given distribution comes with. (Sure, any decent sysadmin would've made them better, but you could argue that you did leave the door locked.)
Now, if you set up the honeynet and started a 'who can crack it deepest' contest, then you're generally waiving that right.
Honeynets (Score:1)
Re:Entrapment (Score:1)
It would be kind of like buying a car that's a common target, parking it in the good times parking lot (local place, more cars get stolen from that lot each week than the whole rest of the city combined - last I checked anyway), and then hiding cameras to watch it, and see how the thief gets in and takes it.
Does he use a slim jim? How does he defeat the ignition lock? etc etc. Maybe we will catch something that we haven't seen before.
Not a wholly bad example either. Evidently the "black hat" car stealing community has their own guide files and standard ways of teaching the trade, much like script kiddies. (Saw a news show that interviewed an ex car thief and showed some of the manuals a while back.)
-Steve
Re:Entrapment (Score:1)
-Steve
Invoice them or ignore it (Score:1)
So how exactly do you tell someone that their server/network/etc has security problems without opening yourself up for nasty things?
It's a big problem! My response is to either invoice them for the work, or ignore it as it's just not my problem. If they want to know about site issues, then it's (part of) what I do for a living.
If they're not a client, then their site isn't any of my business. It's a big 'Net - at any time, most of it is broken in some way -- and I'm never going to fix it all myself. Nothing good will come of pointing out the glaring holes.
If they can't afford me, then I might work for free -- but they're still a client, and there's a commercial relationship going on, even if no money changes hands. If we can't set this up right, i.e. they're going to listen to me, they're going to give me the authority to fix it properly, and they're not going to obstruct me doing it, then I can't work a proper client relationship and I'm best leaving it alone entirely.
If they don't want to hear it, don't tell them.
You wouldn't have got it fixed anyway, and their arrogance isn't worth involving yourself over.
Someone else's bugs just aren't your problem. Even if this is "crashing airliner fault" territory, the current climate of legal, business, engineering and ethical practice just doesn't like whistleblowers -- messengers keep getting shot, because someone doesn't like their message.
Re:Entrapment (IANAL) (Score:2)
If, on the other hand, he came to me, and said
Then it becomes much easier to prosecute -- especially if I hum and haw, and vaguely try and dissuade him before letting him twist my rubber arm. For another analogy, the honeypot is rather like a nice house with a cheap lock. No matter how cheap the lock, it's still illegal to break in. You breaking in is not likely to be entrapment unless I go to you and actually suggest that you break in -- or otherwise goad you into committing a crime which you arguably might not otherwise commit.
IANAL I just like reading up on the law
--
Re:Slightly OT but... (Score:1)
The sysop didn't even respond to the third email containing detailed explanation on what to change in which files to correct the problem...
To my knowledge the system was never fixed. We talked about making a web-page with one button: "don't push this!" causing a rm -Rf as root...
and then mail the URL to the head of department!
I wonder how many systems out there are as badly configured as this example?
Re:Slightly OT but... (Score:1)
So, hack into it and patch it for the poor bastard. Never tell him. You'll be saving your own ass, saving the ass of the moron who can't find time to do his job, and you're preserving the University's security, all in one fell swoop.
Or, just post the name of the University here on /., and I'm sure someone will help remind him of his gaping orifice.
--SC
Re:University Implementation (Score:1)
I recently set up a counter-strike server. I decided to install portsentry and a couple other detailed logging programs.
I locked the machine down and hunted down every last bug found that I had time for. Spent a couple of days hunting bugtraq etc.
The sheer number of times I was portscanned was stupid. I had it set up to send me an email for each port scanning. I now get 4 a day!
That is ok. The email server is closed and doesn't actually let anyone but localhost send mail. I can't count how many times that was pried at.
FTP services run, every time the same exploits are attempted.
People trying weird shit with my php and perl scripts I wrote / had on my server. Trying to get freaky with my URL variables
In short only one person got r00t
I think setting up a Honeynet would be kinda fun if I had time. I just don't really give a shit as long as no one is breaking my system down. Portscan all you want. Who cares. (Someone tried to flood ping me once.. too bad the machine is sitting on an OC-12, OC3 and redundant DS3's.)
You cant win. You can only hope to stay slightly ahead of the game.
Jeremy
Future Implications (Score:1)
If a system like this can analyze the patterns and signatures of the "blackhats" it provides part of the solution. If it is combined with the tracing abilities to determine where the hack came from (a script kiddie using a local ISP in Dallas, Texas or a hacker using a computer at his work),
there is the distinct possibility that some people can get caught.
Currently the only people being tracked and caught are the big news story ones, of credit card theft from Barnes and Noble etc. If we can empower people to present a threat back at these blackhats then we can work to prevent more of them. Eventually, if these types of traps are set up and successful on a larger scale, home users can implement a smaller honeynet to keep people out or track those who do the crimes.
IMHO, computers will eventually be like Kwik-E-Marts or protective parents who video tape the baby sitter. All of the data will be tracked and stored and the analysis tools will be easy enough that the person committing the crime will have a good chance of being caught. This will become more and more important as everyone gets always-on broadband connections attached to their home computers.
Re:You mean "forensic analysis" (Score:1)
What difference does it make how hard you try to keep them out? Burglary is still a crime.
Re:Slightly OT but... (Score:2)
Then I wrote a security analysis [wh3rd.net] paper, detailing how one would gather username and password pairs for virtually every student in the school.
Then they started to listen.
Re:Slightly OT but... (Score:1)
You can link to an individual post in an old article; the comment number is an anchor in the HTML document. So, you'd want to do it like so:
http://slashdot.org/articles/00/12/19/1820227.shtml#225 [slashdot.org]
HTH.
--
Re:Not for everyone: Somewhat Legal Opinion (Score:2)
Windows.. Good for targeting rocks.
Re:MMMMM.....Lengthy! (Score:1)
Was it necessary to include transcripts of an individual attack on a single system in order to illustrate the concept of honeynets?
Would you rather it just said "we got cracked"? If you don't like it you don't have to read it, but if you want to know then you've got to read it to learn....
________
Another new thing ... Same as the old thing (Score:1)
"All systems placed within the Honeynet are standard production systems. These are real systems and applications, the same you find on the Internet. Nothing is emulated nor is anything done to make the systems less secure."
In other words a Honeynet is the same as any other firewall protected intranet, with the possible exception that someone is actually paying attention to the logs, etc.
I have this new idea for a vehicle I call a "Safety Mobile." It's identical to any other car, except the person driving is acting responsibly and paying attention. Do I get kewl write-ups and Slashdot props?
Re:Slightly OT but... (Score:1)
"Well then, break into his account, and change the password to something secure! When he gets back, he'll go straight to you for the correct password, and you can assure him that at least his account was safe."
Unfortunately, that kind of thing can get a person fired. When you're working with people of the mentality that anyone who warns them of security holes is likely to be the one who later exploits that same hole, you are working with unpredictable, dangerously stupid people. Technically, if you log in to an account that is not yours, even with the intent of being helpful, it's an unauthorized access. The fact that you were clearly being helpful will not be met with any more common sense this time than the last.
Re:Slightly OT but... (Score:2)
Reminds me of the time the brilliant sysadmin (read: hobbyist) at a company I used to work for upgraded the Netware server and put a paper in everyone's mailbox (centrally located - mind you) telling everyone that their password would be changed to - you guessed it - "password" - over the weekend!
When I informed a VP who was leaving on vacation for a week that he should have a trusted person change his password temporarily so it wouldn't be "password" for a whole week, you know what he said, right?
"Oh
I now work with much more competent people, thankfully, but that sure is a supporting anecdote for the theory that idiots rise to the top of the management hierarchy!
Re:Entrapment (Score:2)
The key word here, the courts have found, is "predisposition." If I remember the article correctly, in Randy Weaver vs. the FBI the FBI had caught him in a sting operation selling a sawed off shotgun. However, the judge ruled in his favor because he was not predisposed to that type of crime. (This is separate from the whole standoff incident, BTW.)
So even if a police or civilian group "entraps" you in a sting operation, you may still go to jail if you were criminally predisposed, and you may go free if you were not.
(I wish I had some relevant links, but time is short.)
--
Slightly OT but... (Score:5)
I used to have the habit of talking to people about security issues on networking around my high school. As people are, they scoffed at a kid explaining to them security issues... and when their network was compromised (not by me) my attempt at pointing out their security problems came to their mind... They remembered me speaking to them, of course, and since I knew about their security problems I "had to be" the person who compromised their system...
That was high school -- I learned to keep my mouth shut...
About a month ago, when I first started reading about the honeypot project, I noticed that my University's box was running a version of Linux that had a few security issues.. as in the same security issues that allowed others to access and control the Honeypot for a little. (I am not mentioning my U's name!) -- I acted against reason and informed the administrator (who I had as a professor) about the problem... their answer was strange: "I know about the problem but I just don't have enough time to deal with it right now. I think I might take a look at patching it sometime this summer..."
Now I am worried the same thing will happen.. my precious U's network will be compromised and the admin will be thinking "Wait.. I remember someone who knew about this security problem.."
So how exactly do you tell someone that their server/network/etc has security problems without opening yourself up for nasty things?
Re:Slightly OT but... (Score:1)
I'm known as the school's "hacker" (read: I can fix computers, not hack).
What I did to insulate myself, once I learned that I was known as the hacker in my school, was to get to know the main computer teacher.
Once he trusted me, I would mention that there were various holes in the school's server (Ex. the folder containing the school district's website was set to read/write over smb with no password) to the teacher and not the main network guy.
That way I wasn't threatening the Guy In Charge but I was able to alert the proper folks without risking my neck. Though, I seem to get a lot of comments about how "It's good you're on our side."
Moral of the Story: Don't tell the admin. Alert someone below the admin, who simply has to pass the message on.
Kalrand
-the voice of reason
Virtual Honeynet (Score:1)
Yes, interesting, but... (Score:1)
Thinking back to city riots -- cars overturned, stores looted, signs destroyed... who got caught? (not a perfect analogy, but you get my drift)
Honeypots and Law (Score:1)
Also note the honeynet does not use sensors within the network to collect data, but relies upon the firewall to gather data. Anyone can pretty much do this with most any firewall.
Recourse [recourse.com]'s Mantrap documents everything on a per-machine basis (incl. keystroke logging). This unfortunately is designed more for corporate use than for my home.
The problem with honeypots / honeynets (Score:2)
The problem with honeypots and honeynets is that, in the end, they end up simply encouraging crackers. When systems are put online for the specific purpose of being hacked, crackers are more than happy to oblige by compromising them. And the more boxes they can crack, the more likely they are to get caught up in the whole "blackhat" mythos. Honeypots/nets also give crackers a chance to practice their skills -- which can then be used against real targets -- with little repercussion.
Furthermore, putting a honeypot or honeynet up is almost asking for people to become blackhats. Most crackers / blackhats have huge egos, hence their need to deface web pages with their 1337 group names. These kind of people would love to be the subject of a honeypot study, if for no other reason then getting the chance to see that their childish actions have had an effect on somebody. Crackers want to be perceived as disruptive and a threat; they want to look "cool" and dangerous and mysterious. Why encourage these people by giving them the kind of attention they're looking for?
And of course, there's also the fact that a honeypot is a waste of resources. It seems pretty silly to set up a system specifically to be cracked. There are plenty of better uses for a spare box; why not set up a distributed-processing unit or an open-source FTP server if you don't know what else to do with an old computer?
I understand the need to find out cracking techniques. But this kind of stuff is hardly secret by now; I don't see any reason to continue useless navel-gazing "studies" of cracker behavior. How much more can we really learn from the drooling 13-year-old script kiddies of the world?
Re:Honeynets: I just don't get it (Score:2)
If you're running a real production network, you probably already do monitor attacks as they happen (provided you have a clue). The difference is, if you register an attack on your production boxes, you want, and need, to shut it down immediately--block the attack, patch the hole, get control again. Almost by definition, you are only going to catch initial compromise attacks that way--until, of course, that one time you don't.
The idea with a honeynet is that you don't have to worry about immediately responding and securing the system against the compromise--you can let the intruder wander around a bit and get a feel for what he's going to do once he's inside. What's the second step? How can you secure yourself against that? Because at some point, you're going to get someone who you can't catch at the first step. So in my mind, that's the attraction. How can you build a defense in depth if you don't ever see what a hacker can do once they get inside? If you've got a honeynet running, you can leave the front door unlocked and see what the guy does after he's in the house--and then you know what to lock up inside the house. The next guy might not come in through the front door, but you'll still be in good shape.
a funny quote (Score:1)
tools: exploits downloaded off the various security websites
tactics: gcc exploit.c -o exploit;
motives: 3y3 y4m a l33t hax0r d00d!!
Re:Honeynets: I just don't get it (Score:1)
Presumably, these would be helpful for specialists and researchers, not for Joe Average Netgeek. If you're studying security issues in a comprehensive way, it makes sense that a honeynet could be a useful tool. It would also be a good testbed for simulated attacks. I don't think the authors were advocating that the general population set these things up all over the place.
This approach struck me as analogous to using a live stress test as part of a system deployment. There are some things you can only find out with real systems instead of emulators.
I might agree that the paper treats this as a more significant idea than the rest of us may think. But you can't blame the guys for wanting to describe it well -- would we prefer it if they learned to stammer? JMHO
I don't know about this. (Score:1)
Cops in the convenience stores... (Score:2)
While I don't think I agree with the effectiveness of a 'dedicated' honeynet over any other real network, this does bring to light the interesting effect this will have on network security in general. Right now, l33t k1dd3z have a 'you can't catch me' attitude. Witness the recent exploits of a Welsh hacker [wired.com] who thought that he was so far above the law that he could do what he wanted to any website he wanted in the name of his own little sense of morality.
Most of these kids *know*, not just think, that they are never going to be caught.
As more and more businesses and organizations employ honeypots and 'honeynets', trying to catch crackers before they crack, more and more cases of idiots like these are going to get in trouble for breaking the law. Rooting a server is going to be seen less and less like fairly innocent graffiti and more and more like knocking over a convenience store and beating up the clerk, and then walking out with only a slushee. People will still do it, but attacks will be fewer and further between, and the people who get cracked will be those who've invited it by not putting up the equivalents of bullet-proof glass and panic alarms.
Re:Cops in the convenience stores... (Score:1)
Re:Slightly OT but... (Score:1)
-B
Re:Slightly OT but... (Score:2)
I told the system administrator -- as my school's computer policy *requires* me to. (I might add, however, that the policy says "the network... or the Internet... I could have some fun pointing out security flaws in a proxy server in Afghanistan...") I was told "Just for telling me that, I could suspend your account and ban you from the computer lab."
I think the best approach is to just not help people unless they ask. Sure, it seems responsible to try to point out a security risk, but most network administrators seem to construe good-natured tips as being threats... The *real* ironic thing is that someone has been running a brute-force attempt to guess the admin's password for quite some time now; they're perfectly okay with this...
________________________________________________
Re:I am building one. (Score:1)
University Implementation (Score:2)
I had expected them to catch a few people who had been virtually running wild on the network over the last year. As it turned out, there were too many attacks to be able to narrow it down or to follow up on every event logged.
It made for a frightening reality as to the sheer volume of attacks that go on. A uni is obviously at more risk than most places due to the high volume of computer geeks with too much time to kill. Still, it's a real wakeup call to the scale of what goes on.
Re:Another new thing ... Same as the old thing (Score:1)
Re:Virtual Honeynet (Score:1)
Re:Another new thing ... Same as the old thing (Score:1)
You mean "forensic analysis" (Score:3)
--
spam spam spam spam spam spam
No one expects the Spammish Repetition!
Not for everyone (Score:1)
That's not the point. (Score:3)
These kind of people would love to be the subject of a honeypot study, if for no other reason then getting the chance to see that their childish actions have had an effect on somebody. Crackers want to be perceived as disruptive and a threat; they want to look "cool" and dangerous and mysterious. Why encourage these people by giving them the kind of attention they're looking for?
For one thing, the study results are expressed in generalities in terms of hacker tactics. How excited can a person become about being a statistic? I can't see someone seeking attention by publicly defacing web sites becoming overly enamored with the idea of being treated as an anonymous lab rat.
I understand the need to find out cracking techniques. But this kind of stuff is hardly secret by now; I don't see any reason to continue useless navel-gazing "studies" of cracker behavior.
How else do you propose to discover new cracking techniques, or examine cracking tactics? It seems to me that honeynets are an excellent opportunity to both conduct reconnaissance on crackers and validate security models in a practical environment. As the article states, black hat ingenuity should never be underestimated, and I can't see what is to be gained by being complacent about security. According to your argument, if we ignore the problem, it will go away. Attention is not the only thing these guys are seeking; some of them mean to do real harm, and we can't tell the difference a priori.
MMMMM.....Lengthy! (Score:1)
Also, the content was kind of unrealistic, but I won't continue on that track. Karma's low enough without getting "redundant"-ed.
Re:Honeynets: I just don't get it (Score:1)