The notable thing was not that Russell was able to crack the worm’s code, but that he was able to copy it. After two days Code Red II instructs the infected computer to reboot, wiping the worm itself from memory, but not before it has spread to other machines and left behind two back doors, which allow computer intruders, or “black hats,” to return at a future date and penetrate the system. Russell was able to catch the worm because he had engineered his home computer to be a honeypot, a machine designed to look like a regular computer but that allows itself to be attacked by hackers and records their every move.
Honeypots are not new. But now, linked together in what are called honeynets and designed to look like regular computer networks, they are becoming essential tools in the business of computer security. Perhaps the best example is the Honeynet Project, created in 1999 by Lance Spitzner, a Chicago-based senior security architect for Sun Microsystems, to “learn the tools, tactics and motives of the black-hat community.” Spitzner, a former U.S. Army tank officer, says that when he left the military to become a “computer geek” he was amazed at how little was known about the habits of hackers. “In the Army,” he says, “we studied the enemy’s tactics. We studied how they fought, why they fought. Entire units were devoted to this: it was called intelligence.” But while hackers were good at sharing information about network vulnerabilities, computer-security professionals were constrained by business interests and legal concerns from sharing what they knew. Will the system administrator of a bank or a hospital volunteer the fact that its computers were compromised? If a company’s unsecured computers become a platform for attacking another company, will it be liable? Besides, hack victims are hard pressed simply to clean up the mess and get their machines back up and running, let alone examine what hit them.
“I needed to get intelligence on the bad guys,” says Spitzner. “But since I couldn’t go out and hack them or find them or talk to them, I got an idea. Why not throw up a regular computer, let them get on it and then see what they do?” So he did. He built a simple Linux system at home and connected it to the Internet. Within 15 minutes it was scanned, probed and hacked. His home system metamorphosed into the Honeynet Project, staffed by 30 computer-security experts and a psychologist who work free of charge in their spare time. It records and analyzes hacks of all types and posts the results at project.honeynet.org, giving network administrators a valuable security forum. “Honeynet is a groundbreaking project,” says Stephen Northcutt, the central technical figure of the SANS (SysAdmin, Audit, Network, Security) Institute. “It gives us a very complete view of a particular exploit which until now has otherwise been impossible.”
In addition, says Max Kilger, a Stanford-trained social psychologist, the group is trying to understand the hacker mind-set. Status in the black-hat community, for example, is in part a function of how many machines the individual hacker has entered, or “owns.” It’s also important, says Kilger, to realize that black hats aren’t always bent on mischief or crime, but occasionally trade roles, sometimes helping out a friend with a security problem or tracking down a malicious intruder.
One goal of the Honeynet Project is to develop intrusion-detection systems that can anticipate attacks rather than merely report them, and so help ward them off. “Millions of dollars have been spent to do predictive analysis and early warning for computer hacking,” says Jeff Stutzman, a former Navy intelligence officer who now works as a security expert for Cisco Systems. He has helped produce a simple model for Honeynet that in preliminary tests has succeeded in anticipating common types of attacks. The model is based on the observation that an attack is usually preceded by a series of exploratory actions, such as a network scan to search for vulnerable hosts, followed by a probe of an individual host. “There is an attack continuum that we follow,” Stutzman says. “And it goes: Web surfing, network scanning, individual-host probing, attempted intrusion, intrusion, escalation of privileges.” Stutzman expects that Honeynet’s intrusion predictor will give a system administrator a three-day warning, but it won’t anticipate attacks by the better hackers, who can probe, enter and hack a machine in one sitting.
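The continuum Stutzman describes is, in practice, a per-source state machine: each attacking address is advanced through the stages as sensors report matching activity, a source that has scanned or probed but not yet attempted an intrusion is the early-warning case, and the gap between first reconnaissance and first intrusion attempt is the lead time the administrator actually got. The following is an added illustration of that idea, not code from the Honeynet Project or from Stutzman’s model; the log format, the event names and the mapping from events to stages are assumptions made for the example, and the log lines are constructed. It also shows the caveat from the paragraph: a source that moves from probe to root in a few minutes yields almost no warning.

```python
"""Per-source stage tracking for the 'attack continuum' (added example;
not Honeynet Project code). Event names and log format are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Stage(IntEnum):
    """Stutzman's continuum, ordered so later stages compare greater."""
    WEB_SURFING = 0
    NETWORK_SCAN = 1
    HOST_PROBE = 2
    INTRUSION_ATTEMPT = 3
    INTRUSION = 4
    PRIV_ESCALATION = 5


# Assumed sensor event types -> continuum stage. A real deployment would
# derive these from IDS signatures and honeypot logs, not a fixed table.
EVENT_STAGE: Dict[str, Stage] = {
    "http_get": Stage.WEB_SURFING,
    "syn_sweep": Stage.NETWORK_SCAN,
    "port_scan": Stage.HOST_PROBE,
    "banner_grab": Stage.HOST_PROBE,
    "exploit_attempt": Stage.INTRUSION_ATTEMPT,
    "shell_spawned": Stage.INTRUSION,
    "uid0_obtained": Stage.PRIV_ESCALATION,
}

# Constructed sample log: "<ISO timestamp> <source ip> <event type>".
# .10 reconnoitres over days and then breaks in; .20 is still scanning;
# .30 goes from probe to root in ten minutes (the "one sitting" case).
SAMPLE_LOG = """\
2001-08-01T09:00:00 192.0.2.10 http_get
2001-08-01T09:05:00 192.0.2.10 syn_sweep
2001-08-02T14:30:00 192.0.2.10 port_scan
2001-08-04T02:10:00 192.0.2.10 exploit_attempt
2001-08-04T02:11:00 192.0.2.10 shell_spawned
2001-08-03T11:00:00 192.0.2.20 syn_sweep
2001-08-03T11:02:00 192.0.2.20 banner_grab
2001-08-05T23:00:00 192.0.2.30 port_scan
2001-08-05T23:03:00 192.0.2.30 exploit_attempt
2001-08-05T23:04:00 192.0.2.30 shell_spawned
2001-08-05T23:09:00 192.0.2.30 uid0_obtained
2001-08-05T23:10:00 192.0.2.30 bogus_event
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str, Stage]]:
    """Return (time, ip, stage), or None for malformed or unknown events."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, ip, event = parts
    stage = EVENT_STAGE.get(event)
    if stage is None:
        return None
    try:
        return datetime.fromisoformat(ts), ip, stage
    except ValueError:
        return None


def track(log: str) -> Dict[str, Dict[Stage, datetime]]:
    """For each source IP, the earliest time each stage was observed."""
    states: Dict[str, Dict[Stage, datetime]] = defaultdict(dict)
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, ip, stage = parsed
        prev = states[ip].get(stage)
        if prev is None or when < prev:
            states[ip][stage] = when
    return dict(states)


def highest_stage(first_seen: Dict[Stage, datetime]) -> Optional[Stage]:
    """Furthest point on the continuum this source has reached."""
    return max(first_seen) if first_seen else None


def early_warnings(states: Dict[str, Dict[Stage, datetime]]) -> List[str]:
    """Sources that have scanned or probed but not yet attempted an
    intrusion: the ones an early-warning model can still act on."""
    flagged = []
    for ip, seen in states.items():
        top = highest_stage(seen)
        if top is not None and Stage.NETWORK_SCAN <= top < Stage.INTRUSION_ATTEMPT:
            flagged.append(ip)
    return sorted(flagged)


def lead_time(first_seen: Dict[Stage, datetime]) -> Optional[timedelta]:
    """Gap between first reconnaissance (scan or probe) and first intrusion
    attempt, i.e. how much warning this source really gave. None if the
    source never attempted an intrusion or was never seen reconnoitring."""
    recon = [first_seen[s] for s in (Stage.NETWORK_SCAN, Stage.HOST_PROBE)
             if s in first_seen]
    attempt = first_seen.get(Stage.INTRUSION_ATTEMPT)
    if not recon or attempt is None:
        return None
    return attempt - min(recon)


if __name__ == "__main__":
    states = track(SAMPLE_LOG)
    print("still in reconnaissance:", early_warnings(states))
    for ip, seen in sorted(states.items()):
        print(ip, highest_stage(seen).name, "lead time:", lead_time(seen))
```

Run against the constructed log, the tracker flags 192.0.2.20 as a source still in reconnaissance, reports that 192.0.2.10 gave just under three days between its first sweep and its exploit attempt, and shows that 192.0.2.30 gave three minutes, which is the case the paragraph says the predictor cannot help with.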
Honeypots raise new questions. Do they, for example, violate a hacker’s privacy by recording his actions? “The Justice Department tells us they think we’re OK, but no one’s really looked into this before,” says Spitzner. Do they constitute entrapment? According to Spitzner, the Honeynet Project does nothing to lure hackers, and it uses the information for study rather than law enforcement. Though he acknowledges that there may be occasions when the group feels obligated to give a heads-up to authorities, law enforcement is not the purpose of its data collection, and he doubts whether its data would be useful in a prosecution.
This week the Honeynet Project will publish a book describing the first two years of its findings, “Know Your Enemy,” and will set up a new generation of honeynets. Rather than nondescript boxes waiting for random probes, the new honeypots will mimic real targets: e-commerce sites, university computers, hospitals. This is expected to attract a different breed of hackers–computer pirates and others in search of specific information, rather than those just cruising the Internet for a box to bust or a mischievous new worm to let loose. These are the people the security business needs to watch above all. They are the blackest of black hats.