Honeypots mailing list archives

Re: Heisenberg in the honeypot


From: Robert Judy <rjudy () sfasu edu>
Date: Mon, 21 Jun 2004 09:05:35 -0500

An astute observation. A more proper (closer) analogy than the HUP is the criminal forensic sciences principle that states, essentially, that investigating a crime scene contaminates the crime scene. This is true for both physical evidence and information from witnesses and suspects (especially people). Starting from the moment of discovery of the crime, each action taken during the investigation disturbs the evidence somewhat (more and more), some things more than others, and sometimes to the extent that the crime cannot be reliably investigated because the evidence becomes thoroughly corrupt.

They have a name for that principle; a little research should get you more information along that line.

HUP is an example of a broader "law" which manifests itself in various manners across all reality.

Each attack will be tailored to the particular system under attack according to the characteristics of that system. When any changes are made to the system under attack, or an attack is launched against a similar but different system, or an altogether different system, the method of attack can (should) change accordingly.

The HoneyPot will give you information on how the attacker is attacking that particular system which MAY provide information on how they attack all systems or only on how they attack similar systems, or only on how they are attacking that particular system.

Keep thinking!

rmj

This is a question that's been banging around inside my head for a while...

It's been said that honeypots can be used to "know your enemy"...but setting up a honeypot and having someone attack it, you get to see how attacks are performed, what steps a particular attacker takes once on the system, etc.

So my question is...has anyone considered the Heisenberg Uncertainty Principle, with regards to honeypots? Specifically, honeypots are used to capture/"observe" attacks, and the HUP states that by the very act of observing something, we inherently alter that event/object. As the HUP applies to honeypots, please bear with me...

Honeypots and honeynets for detecting activity have been around for a while now, and are essentially public knowledge. While it may not be publicly known exactly *where* these systems are, many know that they're out there. So...if someone has a 0-day exploit or a new technique that they've developed, would one think that they'd fire it off against a system that *could be* a honeypot, thereby exposing that new exploit/technique? Or would they specifically target machines that they know are NOT honeypots?

The next question, I guess, would be...what kind of things are we really seeing in the honeypots? Worms are pretty indiscriminate, as are skript kiddies. So, are we (or perhaps more appropriately, the honeypots) seeing new things? If so, where are such things documented?

I helped Lance decipher the attack that was listed in his "Know your enemy: Worms at War" paper. Even that was a classic, textbook example of what someone would do on a Win9x system.

Thoughts are appreciated...


--
Robert M. Judy
Technical Specialist
College of Education
Stephen F. Austin State University
P.O. Box 6103
SFA Station
Nacogdoches, TX 75962
936-468-1424
KD5FEE