Honeypots mailing list archives

RE: Heisenberg in the honeypot


From: "Chuck Fullerton" <chuckf69 () ceinetworks com>
Date: Tue, 22 Jun 2004 10:38:57 -0400

Ok.. This response brings up this question...

Are you assuming that this person has inside information that there is
definitely no honeypot being used in the network?

If so then obviously they are going to use that as their test lab.
However...

Without the inside info, how can the person be totally sure without a doubt
that there is no honeypot there?

Chuck.

-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com]
Sent: Tuesday, June 22, 2004 6:44 AM
To: honeypots () securityfocus com
Cc: James Riden
Subject: Re: Heisenberg in the honeypot


> HUP applies to quantum physics

Yes, I'm aware of that.

> - there is no reason why observing a
> honeypot has to change the behaviour of the person
> who is using it.

I never said anything about observing a honeypot.
What I'm referring to is using honeypots as a
mechanism to observe the behaviour of attackers.

> I've seen a spectacularly inept cracker forget to
> remove the install files for one of his/her root kits
> - stored in /rk no less - so it's entirely possible
> a given attacker won't know it's a honeypot.

I'm sure...but again, you've completely missed the
point.

What I'm looking at is this...if attackers with 0-day
exploits know that honeypots are out there (being used
to observe them and their techniques), then would they
(the attackers) be more likely to target systems and
networks where they know for sure there are no honeypots,
for fear that their exploits/techniques would be
disassembled, examined, explained, and protected
against?

Perhaps another way of putting it...say I have a brand
spanking new exploit (not blocked by firewalls, and no
IDS rules exist for it), something no one has ever
even considered.  Let's say that I'm particularly
nefarious, and intend to use this exploit for
malicious purposes.  Now, do you think I would run
this exploit against arbitrary targets, knowing that
somewhere out there, a honeypot would collect the data
and someone might figure out what I was doing?  Or do
you think I would do a little recon (even of a
physical nature) first, to ensure that I've got a
really juicy, easy to access target...with NO
honeypots?
