Welcome to WebmasterWorld Guest from 184.108.40.206
The Web Honeynet Project, an independent group of Honeynet researchers from Securiteam and the ITOSF have decided to launch web application honeynets with a new twist. The twist is, they plan to name not only the attack details, as is usual, but also to divulge the IP addresses and other tracking information about the attackers themselves.
"Note: In the interest of full disclosure, my company, <a href="http://www.microsolved.com/">MicroSolved, Inc.</a> sells a honeypot solution that we have created for organizations of various sizes.
Brent Huston is president and CEO of MicroSolved Inc., a systems and network security-consulting service for Fortune 500 companies and government facilities. He has 15 years of professional experience in cyber security testing, network monitoring, scanning protocols, firewalls, viruses and virus prevention formats, incident response, forensic computing and hacker techniques. He also served as co- author and technical editor of <a href=">http://www.amazon.com/Hack-Proofing-Your-Ecommerce-Site/dp/192899427X">Hack Proofing Your E- Commerce Site</a>."
Anyway, I think it is finally time to pull out the checkbook and make a donation to honeynet.
A google on "Web Honeynet Project" returns many interesting reads.
The very first return from google actually lists IP ranges.
then scroll down on second page.
Listing those IP addresses could get them into trouble...
As you well aware, there are many open logs viewable by doing web searches on IP's or UA's.
The only difference I see is that rather than providing a full-log entry, somebody has provided analysis of the activity.
Are IP Address considered copyright infringement or something? Or protected assets?
They are openly accessible through ARIN, RIPE, APNIC or any of the others.
However copying the registrars data and then presneting in a similar fashion might be considered infringement.
There are web sites and companies that have accumulated the data and present the entire data set by countries of origin.
Either instance would certainly be a possibility for litigation.
However as previously stated, just providing a range of IP's should really NOT present any issues.
The reason I brought it up is that posting somebody's IP address along with a claim that they are attacking computers could be seen as libel/slander
Aye, I agree!
Thus is the ip and Whois were submitted with a complete log entry and not statement accompanied neither documet (EX: "heads up") than how might is possibly be construed as libel/slander.
Now here come another user and says "Oh yeah that harvester was at my site", however doesn't quote or provide the original Whosis or log entry?
Than what actually is the 2nd party libel for? ;)
Of course, it's hypothetical hodge podge.
The reason I brought it up is that posting somebody's IP address along with a claim that they are attacking computers could be seen as libel/slander.
It's only libel (libel is written, slander is oral) if you knowingly post false information with malicious intent. If the information is correct what's there to worry about?
If the information is correct what's there to worry about?
Many litigation's and their outcome are not solved immediately.
Long awaited and/or delayed trial dates may actually benefit the wrong person.
in the end, it all may boil down to whom either desires or has the capibilities to finance continuious filling of documentation that the court may require or the wrongful party may file.
Many people (especially with lesser means) have just been known to throw in the towel because the potential expense is beyond their capabilities.
If the information is correct what's there to worry about?
That reminds me of a story...
A guy and his friend are sitting in his living room talking when all of a sudden a commotion breaks out in the street in front of the house. Two robbers are having a gun battle with police and bullets are flying everywhere. One guy lays on the floor behind the couch and the other stands up to see what's going on.
"What in heaven's name are you doing?", said the man on the floor, "Do you want to get killed?"
"Why should I worry?" said the man who was standing, "I didn't do anything wrong."
My point is... why make yourself a target?
why make yourself a target?
Maybe the IP address was spoofed, maybe it's in a DHCP pool used by more than one machine, who knows what human is associated with the action, but the FACT remains that the activity was tracked and associated with the IP address and it's recorded in your server log.
As long as you're sticking to facts and not falsehoods you're usually in good shape.
There's also a big difference between claiming ThePlanet appears to have a botnet running in their network vs. claiming ThePlanet is actually running the botnet. We all know severs get compromised, and home PCs, it's just a way of life, a fact. Now the only real problem I see is once the problem has been corrected, how do the victims get off the list, bad PR removed from search engines, etc.?
Guess I don't see how saying "0.0.0.0 is involved in a botnet" is accusing any specific human or company, it's just reporting activity, not making accusations. No worse IMO than saying I heard gunshots in the vicinity of 1300 Block of Mockingbird Lane.
If this were a real problem all the RBL's, DNSBL's and such would cease to exist. There is also a fine line drawn in how you label your list. Calling it a "blacklist" which has a very negative connotation to anyone in the list vs. a "blocklist" which sounds more like a security or policy thing.
Also, reasons for IPs to exist on the list need to follow a clearly written policy of how IPs are selected for the list, otherwise you could end up in an ORBS-like situation (sued) if you're peddling a list filled with falsehoods.
[edited by: incrediBILL at 2:29 am (utc) on Jan. 31, 2007]