Honeypots mailing list archives

RE: Heisenberg in the honeypot


From: "Chuck Fullerton" <chuckf69 () ceinetworks com>
Date: Mon, 21 Jun 2004 13:55:47 -0400

Harlan,

Since I'm not well versed on the Principle, I'd have to say the application
is flawed.

As far as lab testing, this may work if you're a security tester in a large
corporation that has everything it needs in the lab to test it.  But what
about the guy with no lab?  The Internet is his lab.  That's why we have
Honeypots.  People scan all the time.  When a Honeypot responds to a scan
favorably to a cracker, then he just found his target to test it on
(along with a number of people who don't keep their servers patched).  To
the Cracker, it all looks the same.  It won't be until he's poked around in
the box that he may be able to figure out it's a honeypot.  By then it's too
late.

With Honeypots being used to keep exploits withheld from large scale use...
I think it's just the opposite.  It's honeypots that are first in finding
many of the 0 day exploits.  The administrators of these honeypots can then
investigate what happened and, if valid, report it to the powers that be.
This can then, in turn, elevate the priority of patches for systems.



-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com]
Sent: Monday, June 21, 2004 12:18 PM
To: honeypots () securityfocus com
Cc: Chuck Fullerton
Subject: RE: Heisenberg in the honeypot


Chuck,

Thanks for the response...

This principle is flawed.  If you apply this principle to a different
subject as well, let's say, police sting operations, then this would become
a valid defense, effectively making all sting operations illegal.

Interesting.  Are you saying that the HUP is flawed,
or the application I'm proposing is flawed?

Either way, I think what you've brought up is a very
good analogy...people do bad stuff, knowing that there
are things such as sting operations.  However, that's
not quite what I'm asking...what I'm asking is if
anyone out there believes that simply b/c honeypots
are known to exist, are *new* exploits and techniques
being withheld from large scale use.  With police
sting operations, there are no new techniques they are
countering...the operations are set up around
well-known actions/habits of individuals and groups.

The point of a Honeypot is that you make it look as real as possible.  That
way the Cracker doesn't know it's a honeypot.  The more we have out here on
the Internet the safer everyone will be because there is a greater chance
of them getting caught.

I agree, to a point.  Let's say I have a lab, and I've
discovered something entirely new...not based on brute
force or password cracking or anything like that, but
entirely new.  If I had nefarious intentions, I would
most likely test it in a lab, and then test it against
other systems in a controlled manner.  I might even
refine that technique in the lab.  If I were then to
release it outside of the lab, say, use it to gain
access to networks other than my own, I wouldn't
release it as part of a worm...I would target specific
infrastructures where the value of the information
exceeded the level of effort I had to expend.  I would
also target only those systems that I knew were
managed in a less-than-secure nature...and didn't have
honeypots.
