Honeypots mailing list archives

Re: Heisenberg in the honeypot


From: Harlan Carvey <keydet89 () yahoo com>
Date: Tue, 22 Jun 2004 03:44:15 -0700 (PDT)

> HUP applies to quantum physics

Yes, I'm aware of that.  

> - there is no reason why observing a
> honeypot has to change the behaviour of the person
> who is using it.

I never said anything about observing a honeypot. 
What I'm referring to is using honeypots as a
mechanism to observe the behaviour of attackers.
 
> I've seen a spectacularly inept cracker forget to remove the install
> files for one of his/her root kits - stored in /rk no less - so it's
> entirely possible a given attacker won't know it's a honeypot.

I'm sure...but again, you've completely missed the
point.  

What I'm looking at is this...if attackers with 0-day
exploits know that honeypots are out there (being used
to observe them and their techniques), then would they
(the attackers) be more likely to target systems and
networks where they know for sure there are no honeypots,
for fear that their exploits/techniques would be
disassembled, examined, explained, and protected
against?

Perhaps another way of putting it...say I have a brand
spanking new exploit (not blocked by firewalls, and no
IDS rules exist for it), something no one has ever
even considered.  Let's say that I'm particularly
nefarious, and intend to use this exploit for
malicious purposes.  Now, do you think I would run
this exploit against arbitrary targets, knowing that
somewhere out there, a honeypot would collect the data
and someone might figure out what I was doing?  Or do
you think I would do a little recon (even of a
physical nature) first, to ensure that I've got a
really juicy, easy to access target...with NO
honeypots?
