Honeypots mailing list archives
RE: Heisenberg in the honeypot
From: "Chuck Fullerton" <chuckf69 () ceinetworks com>
Date: Mon, 21 Jun 2004 13:55:47 -0400
Harlan,
Since I'm not well versed on the Principle, I'd have to say the application is flawed.
As far as lab testing, this may work if you're a security tester in a large corporation who has everything they need in the lab to test it. But what about the guy with no lab? The Internet is his lab. That's why we have Honeypots. People scan all the time. When a Honeypot responds to a scan favorably to a cracker, then he just found his target to test it on (along with a number of people who don't keep their servers patched). To the Cracker, it all looks the same. It won't be until he's poked around in the box that he may be able to figure out it's a honeypot. By then it's too late.
With Honeypots being used to keep exploits withheld from large scale use... I think it's just the opposite. It's honeypots that are first in finding many of the 0 day exploits. The administrators of these honeypots can then investigate what happened and, if valid, report it to the powers that be. This can then, in turn, elevate the priority of patches for systems.
-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com]
Sent: Monday, June 21, 2004 12:18 PM
To: honeypots () securityfocus com
Cc: Chuck Fullerton
Subject: RE: Heisenberg in the honeypot
Chuck,
Thanks for the response...
This principle is flawed. If you apply this principle to a different subject as well, let's say, police sting operations, then this would become a valid defense, effectively making all sting operations illegal.
Interesting. Are you saying that the HUP is flawed, or the application I'm proposing is flawed? Either way, I think what you've brought up is a very good analogy...people do bad stuff, knowing that there are things such as sting operations. However, that's not quite what I'm asking...what I'm asking is if anyone out there believes that simply b/c honeypots are known to exist, are *new* exploits and techniques being withheld from large scale use. With police sting operations, there are no new techniques they are countering...the operations are set up around well-known actions/habits of individuals and groups.
The point of a Honeypot is that you make it look as real as possible. That way the Cracker doesn't know it's a honeypot. The more we have out here on the Internet, the safer everyone will be, because there is a greater chance of them getting caught.
I agree, to a point. Let's say I have a lab, and I've discovered something entirely new...not based on brute force or password cracking or anything like that, but entirely new. If I had nefarious intentions, I would most likely test it in a lab, and then test it against other systems in a controlled manner. I might even refine that technique in the lab. If I were then to release it outside of the lab, say, use it to gain access to networks other than my own, I wouldn't release it as part of a worm...I would target specific infrastructures where the value of the information exceeded the level of effort I had to expend. I would also target only those systems that I knew were managed in a less-than-secure nature...and didn't have honeypots.