Security Incidents
mailing list archives
Re: Cracked; rootkit - entrapment question?
From: lance () KSNI NET (Lance Spitzner)
Date: Thu, 2 Mar 2000 08:25:13 -0600
On Wed, 1 Mar 2000, Drew Smith wrote:
> I'd like to create a honeypot of sorts; a chroot environment that looks
> and feels like the machine, and that allows the cracker to do everything
> he normally would want to from the shell. I'd like to log everything to
> another machine, and get the police in on it.
>
> My question is this: how far can I go while remaining legal? Is this
> entrapment? I really despise these kids - if you're going to hack my
> machines, at least show some prowess at it! They did, unfortunately,
> wipe the utmp and wtmp entries, remove themselves from all the logs, etc
> - so I don't really have too much to start from.
I've been running honeypots for almost a year now, with great success.
I have yet to have any legal/entrapment issues. However, I have been using
honeypots to learn the tools/tactics of the bad guys, not to catch them.
For me, a successful honeypot means the bad guys never knew they were being
watched. I wrote up a paper on this, "To Build A Honeypot".
http://www.enteract.com/~lspitz/honeypot.html
Hope that helps ...
Lance