Honeypots: Bait for the Cracker

Set up a server and fill it with tempting files. Make it hard but not impossible to break into. Then sit back and wait for the crackers to show up.

Observe them as they cavort around in the server. Log their conversations with each other. Study them like you'd watch insects under a magnifying glass.

The Honeynet Project team, an invitation-only security group, has been working with the project, a network that exists only to allow the team to watch who cracks it, in order to determine what crackers do and why they do it. The team will soon publish a paper on their research.

But some say that honeynets and honeypots, single servers used for cracker observation, are really nothing more than electronic wiretapping and entrapment and charge that the systems are unethical and possibly illegal.

London SecTech systems administrator Dan Adams, who is following the project closely, said that honeynets are ethically similar to installing electronic surveillance equipment in a nursery school.

Honeynets give crackers a large space in which to roam. They present obstacles that are challenging enough to engage them but not difficult enough to frustrate them completely, Adams said.

"They get to play with stuff, and they chatter excitedly among themselves about all the 'kewl warez' they are finding, while the security people who set it up are watching their every move with amusement," Adams said. "Frankly, I have mixed emotions about spying on people, even if they aren't nice people."

"It's like opening a fake store, loading it with cool stuff, and sitting back hoping someone will break into it," he said.

But since entrapment involves coercing someone to commit a crime they would not otherwise have committed, attorney Jason Wilson said that the typical honeynet or honeypot would not be considered entrapment under United States law.

"If you, for example, asked the team members to anonymously spread the word around the hacker corners of the Net that there was an unprotected network chock full of goodies, then there could be an argument made for entrapment," Wilson said.

"The honeynet systems got hacked within just a week of being deployed. The first attack occurred on June 4, 2000," Shah said. "There was no publicity of the honeynet being live, the systems contained absolutely no information of any value, yet they were hacked."

Shah said the team has learned about the tools that attackers use. But perhaps more importantly, they have also learned about crackers' motives for attacking systems: Many don't crack a system because they want to access information; they crack it simply because they can.

The crackers also use systems to launch attacks on other networks or to run private chat systems. The ability to monitor private conversations is one of the reasons that some have ethical problems with the honeynet.

One of the original honeynet team members, J.D. Glaser, director of engineering at security firm Foundstone, recently resigned from the project. He hopes it won't continue to grow.

Glaser said that he has become increasingly convinced that electronic wiretapping is wrong, even when it's used for research. He also feels that creating an enticing hazard in order to study criminal behavior is wrong and may actually promote criminal behavior.

"Expanding the honeypot seems dangerously close to tramping on others' rights, even criminals' rights," Glaser said. "There are not many laws or precedence yet set in this area, and I think the success or failure of honeypots will soon be a factor in determining new laws or justifications for government activity.

"And it would be hypocritical for me to be against the government doing it, but somehow find a way to justify my own reasons."

Glaser also believes that it's unfair to watch and not get involved in situations where the team has knowledge that crackers they are watching are also compromising other systems.

"If you monitor something, you are obligated to report what you learn, both to (the person) who is getting robbed and to the authorities. You cannot just watch and not get involved. In my mind it makes you part of the act."

But Glaser also added that when the team did report the problems to systems owners, "They were actually pissed at us. Out of about 125 people we contacted, only one was thankful. The others were very not happy and looked at us as the bad guys."

The honeynet first went live in the last week of May. It started as a homegrown project by Lance Spitzner, who is a part of Sun Microsystems' GESS Global Security Team. The honeynet network is based out of Lance's extra bedroom.

The honeynet is a standard production system, running real server software and applications. Nothing is emulated, nor is anything done to make the system more insecure. And like virtually all other networks, a honeynet is protected by a firewall that screens and filters inbound and outbound data.

The risks and vulnerabilities discovered within a honeynet are the same that exist in many organizations today.

They do share all the information they gather on their website and with security programs such as CERT and the SANS GIAC (System Administration, Networking, and Security Institute). But they won't go to any great lengths to track the crackers down.

Most security experts think that honeynets and honeypots are best used to track, trap and trace crackers who have already entered a particular system.

The most famous honeypot of this type was devised by Clifford Stoll and documented in his book Cuckoo's Egg. Stoll was an astronomer who became a systems manager. When working in the Lawrence Berkeley Lab, he noticed an intruder who was using the lab as a launching board to crack into U.S. government networks, in order to steal and sell military and intelligence information.

"You rarely hear about any really elite hackers falling into a honeypot. They seem to draw in moderately skilled people, at best," said Adams.

"Honeypots and nets strike me as an interesting sociopolitical experiment, and a great way to confirm what we already know -- that systems are under constant attack. But I haven't learned anything that I didn't already know."