Honeypots mailing list archives

RE: Heisenberg in the honeypot


From: Harlan Carvey <keydet89 () yahoo com>
Date: Mon, 21 Jun 2004 11:22:59 -0700 (PDT)

Chuck,
 
Since I'm not well versed on the Principle, I'd have to say the application is flawed.

Okay, fair enough.
 
As far as lab testing, this may work if you're a security tester in a large corporation that has everything they need in the lab to test it. But what about the guy with no lab?

That's where I can see your point...that someone found
something, and tests/hones it on the Internet b/c
he/she doesn't have any other means of doing so.

People scan all the time. When a Honeypot responds to a scan favorably to a cracker, then he just found his target to test it on (along with a number of people who don't keep their servers patched). To the Cracker, it all looks the same. It won't be until he's poked around in the box that he may be able to figure out it's a honeypot.

True, but scanning and exploiting unpatched systems
doesn't exactly qualify as zero-day.  And my point
isn't knowing that a box is a honeypot or not, but
instead targeting networks where I know there are no
honeypots.  For example, if I meet someone online or
in a bar and find out they're a sysadmin, I can get to
know them, chat w/ them, develop an understanding of
their technical abilities...then mention honeypots. 
If they tell me, "yeah, but we don't have any" or
simply don't know what I'm talking about...

With Honeypots being used to keep exploits withheld from large scale use... I think it's just the opposite. It's honeypots that are first in finding many of the 0 day exploits.

Two things really quick...as I may agree with your
comments.  First is, I'm not saying that honeypots are
keeping exploits withheld so much as I'm suggesting
that b/c honeypots are out there, the folks w/ the
0-days may be more careful in targeting...the
distinction may be subtle.

The second thing is...I'm not familiar w/ any sites
that are providing information on 0-days discovered w/
honeypots.  Do you have any sites you can provide,
aside from the ubiquitous Google?  I am familiar w/
the HoneyNet project, as well, and I have even
participated (been a while) in analysis of
information, but to be honest, there wasn't anything
0-day about what I saw.
