Tuesday, May 09, 2006

Honeypots are not entrapment...usually.

I was listening to one of my favorite podcasts, PaulDotCom Security Weekly (episode 26), where they were talking about an e-mail from a reader who described a slick little honeypot that was created to catch students who were trying to break into systems. There were two machines running from bootable CDs and a shell script that logged into an Administrator account from one to the other every hour and a half. The machine getting logged into checked at a particular interval to see who was logged in and gathered all relevant data if someone was. Well, they busted a kid shortly after setting it up and he was expelled.
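As an added example (not from the post or the podcast), here is a Python version of the check the target box performs: it tells the scheduled bait login apart from every other login and returns the ones worth investigating. The peer address, the schedule tolerance and the login records are constructed assumptions.

```python
"""Honeypot login check: separate the scheduled bait login from real visitors.

Assumptions (not from the blog post): login snapshots are "timestamp user host"
lines as constructed below, the bait comes from one known peer address, and the
first bait login happened at FIRST_BAIT.
"""
from datetime import datetime, timedelta

BAIT_USER = "Administrator"
BAIT_SOURCE = "10.0.0.2"                    # assumed address of the peer honeypot box
BAIT_INTERVAL = timedelta(minutes=90)       # "every hour and a half"
BAIT_TOLERANCE = timedelta(minutes=2)       # slack for cron/script drift
FIRST_BAIT = datetime(2006, 5, 9, 8, 0, 0)  # assumed start of the schedule

# Constructed sample of "who is logged in" snapshots taken on the target box.
SAMPLE_LOGINS = """\
2006-05-09T08:00:10 Administrator 10.0.0.2
2006-05-09T09:30:05 Administrator 10.0.0.2
2006-05-09T10:14:42 Administrator 10.0.0.57
2006-05-09T11:00:20 Administrator 10.0.0.2
2006-05-09T11:03:00 guest 10.0.0.2
2006-05-09T12:45:30 Administrator 10.0.0.2
"""


def parse_logins(text):
    """Turn snapshot lines into (timestamp, user, host) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split()
        records.append((datetime.fromisoformat(ts), user, host))
    return records


def is_bait_login(ts, user, host, first_bait=FIRST_BAIT):
    """True only for the expected user, from the peer box, on the 90-minute slot."""
    if user != BAIT_USER or host != BAIT_SOURCE:
        return False
    elapsed = ts - first_bait
    slot = round(elapsed / BAIT_INTERVAL)           # nearest scheduled slot number
    drift = abs(elapsed - slot * BAIT_INTERVAL)     # distance from that slot
    return drift <= BAIT_TOLERANCE


def find_intruders(records, first_bait=FIRST_BAIT):
    """Every login that is not the bait: wrong user, wrong host, or off schedule.

    These are the sessions to capture full data for (process list, connections,
    the sniffer the password came from), which is the honeypot's whole purpose.
    """
    return [r for r in records if not is_bait_login(*r, first_bait=first_bait)]
```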

So, entrapment or not? Hell no! Why not?

Well, first, the sysadmin who implemented this solution is not law enforcement--this is an important detail in the definition of entrapment.

Second, the sysadmin did not trick the student into doing anything he wouldn't normally have done.

You say, "The student wouldn't normally have logged into that system." Bull crap! How did the student end up with the password? He sniffed it. Why was he sniffing the network? To break into a system. If it wasn't this system, it might have been a more important one, which might have taken longer because the password sniffed on the wire would have been encrypted.

This is a beautiful example of how to use a honeypot. It provided low-hanging fruit that prevented an attacker from getting into a critical system.

I say, "Bravo. Well done. And, you're wrong, Twitchy!" ;-)

1 comment:

Shabbir said...

Thanks for pointing me to the pauldotcom website. I am always looking for good podcasts for my hour long one way commutes...