Honeypots mailing list archives
Re: Heisenberg in the honeypot
From: Harlan Carvey <keydet89 () yahoo com>
Date: Mon, 21 Jun 2004 07:15:47 -0700 (PDT)
Robert,
An astute observation. A more proper (closer) analogy than the HUP is the Criminal Forensics Sciences principle that states, essentially, investigating a crime scene contaminates the crime scene.
I believe you're referring to Locard's Exchange Principle. Would this be correct? Even so, I don't think that given what I'm trying to get at, Locard's is more correct. Essentially, what I'm asking is, if the really, really bad guys (i.e., collectively referred to as the mysterious and ethereal "underground" or "blackhats") know that someone's watching, would they be inclined to use their latest and greatest techniques, knowing that doing so would leave evidence on a (properly set up, monitored, and managed) honeypot that could be used to identify that technique, and potentially warn others, allowing them to protect their systems?
Starting from the moment of discovery of the crime, each action taken during the investigation disturbs the evidence somewhat
I could see very well how Locard's would apply toward incident response investigations...a supposedly compromised system is approached by a first responder or investigator.
HUP is an example of a broader "law" which manifests itself in various manners across all reality.
Exactly.
Each attack will be tailored to the particular system under attack according to the characteristics of the system under attack.
True, but that can't be done until the particular system is identified...either a priori, or through OS fingerprinting or header/banner analysis. Some sort of a priori knowledge of the system(s) can be obtained through asking, disgruntled employees, DNS zone transfers, etc...all w/o sending packets to the system itself. But that's where we get off topic, I'm afraid.
My original question still applies...if an attacker has a new technique or exploit, how likely is he/she to use it knowing that honeypots are in use?
Thanks for the response,
Harlan