I disagree on the "bait" system. It shows that you have good security that
is working if you can trap the intruder without their knowing it, and
record all their attempts to branch out from the "bait" system.
Successfully busting a hacker that didn't get to any "real" systems is a
good deterrent.
Busting one that compromised you is bad press.
On Wed, 21 Jul 1999, Myllymäki Sakari wrote:
>
> In 1995 a Finnish criminal law was amended to cover computer break in.
> This statute criminalizes also attempt, so rattling doorknobs is a crime
> at least here in Finland. Apart from that I don't think unsolicited
> security testing is anything else than a feeble excuse to go hacking
> other people's sites. No offence meant, but I feel a bit strongly on this.
>
> Another question is the usefulness of "bait" systems. The police have
> limited resources (at least here and I believe elsewhere too) and are
> not too keen to investigate crime if there is no real damage. Also your
> company may not be happy to get all the publicity to prosecute for
> breaking in to the weakened system. My experience of the press is, they
> tell you had a serious hacker attack no matter if they never even get in
> and your customers' opinion of your security goes down. Or am I wrong?
>
> Sakari Myllymäki
>
> > -----Original Message-----
> > From: Bill Stackpole [SMTP:[EMAIL PROTECTED]]
> > Sent: 20 July 1999 18:33
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: Response to hack attempt? - The ethics of rattling door knobs.
> >
> > Just curious what others think about the rattling door knobs question.
> > Is it wrong to probe a system for security flaws if you have no evil
> > intent? I check my neighbor's doors when they are on vacation to make
> > sure no one has broken in, look in the windows to make sure everything
> > is normal. Does that make me a criminal? I doubt it.
> >
> > Over the years, I've called many a company to inform them of potential
> > security risks I have observed. Some have come to me in the mail, some
> > as extraneous packets on my Internet connection and others as the
> > result of my testing the effectiveness of certain security tools.
> >
> > I do such things to help people build more secure systems. I'm
> > interested in what others think about the ethics or criminality of
> > such conduct.
> >
> > Your comments.
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Rabid Wombat [SMTP:[EMAIL PROTECTED]]
> > > Sent: Monday, July 19, 1999 6:45 PM
> > > To: Bill Stackpole
> > > Cc: [EMAIL PROTECTED]
> > > Subject: RE: Response to hack attempt?
> > >
> > >
> > > This is why setting up a "bait" system with a chroot "jail" is a good
> > > idea. If you can't nail them for probing, you get a chance to nail them
> > > for hacking into the (deliberately weakened) system, and have logs to
> > > show what they try to do from there. Probing may be akin to rattling the
> > > doorknob to see if it's locked, but hacking the bait system is B&E.
> > >
> > > -r.w.
> > >
> > >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]