Honeypots mailing list archives

RE: Heisenberg in the honeypot


From: "Chuck Fullerton" <chuckf69 () ceinetworks com>
Date: Mon, 21 Jun 2004 10:38:32 -0400

This principle is flawed.  If you apply this principle to a different
subject as well, let's say police sting operations, then this would become a
valid defense, effectively making all sting operations illegal.

The point of a honeypot is that you make it look as real as possible.  That
way the cracker doesn't know it's a honeypot.  The more we have out here on
the Internet, the safer everyone will be, because there is a greater chance of
them getting caught.

Chuck Fullerton


-----Original Message-----
From: H Carvey [mailto:keydet89 () yahoo com]
Sent: Friday, June 18, 2004 8:48 AM
To: honeypots () securityfocus com
Subject: Heisenberg in the honeypot

This is a question that's been banging around inside my head for a while...

It's been said that honeypots can be used to "know your enemy"...but setting
up a honeypot and having someone attack it, you get to see how attacks are
performed, what steps a particular attacker takes once on the system, etc.

So my question is...has anyone considered the Heisenberg Uncertainty
Principle, with regards to honeypots?  Specifically, honeypots are used to
capture/"observe" attacks, and the HUP states that by the very act of
observing something, we inherently alter that event/object.  As the HUP
applies to honeypots, please bear with me...  Honeypots and honeynets for
detecting activity have been around for a while now, and are essentially
public knowledge.  While it may not be publicly known exactly *where* these
systems are, many know that they're out there.  So...if someone has a 0-day
exploit or a new technique that they've developed, would one think that
they'd fire it off against a system that *could be* a honeypot, thereby
exposing that new exploit/technique?  Or would they specifically target
machines that they know are NOT honeypots?

The next question, I guess, would be...what kind of things are we really
seeing in the honeypots?  Worms are pretty indiscriminate, as are script
kiddies.  So, are we (or perhaps more appropriately, the honeypots) seeing
new things?  If so, where are such things documented?

I helped Lance decipher the attack that was listed in his "Know your enemy:
Worms at War" paper.  Even that was a classic, textbook example of what
someone would do on a Win9x system.

Thoughts are appreciated...