Honeypots mailing list archives
RE: Heisenberg in the honeypot
From: "Chuck Fullerton" <chuckf69 () ceinetworks com>
Date: Tue, 22 Jun 2004 10:38:57 -0400
Ok.. This response brings up this question... Are you assuming that this person has inside information that there are definitely no honeypots being used in the network? If so then obviously they are going to use that as their test lab.

However... Without the inside info, how can the person be totally sure without a doubt that there is no honeypot there?

Chuck.

-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com]
Sent: Tuesday, June 22, 2004 6:44 AM
To: honeypots () securityfocus com
Cc: James Riden
Subject: Re: Heisenberg in the honeypot
HUP applies to quantum physics
Yes, I'm aware of that.
- there is no reason why observing a honeypot has to change the behaviour of the person who is using it.
I never said anything about observing a honeypot. What I'm referring to is using honeypots as a mechanism to observe the behaviour of attackers.
I've seen a spectacularly inept cracker forget to remove the install files for one of his/her root kits - stored in /rk no less - so it's entirely possible a given attacker won't know it's a honeypot.
I'm sure...but again, you've completely missed the point. What I'm looking at is this...if attackers with 0-day exploits know that honeypots are out there (being used to observe them and their techniques), then would they (the attackers) be more likely to target systems and networks where they know for sure there are no honeypots, for fear that their exploits/techniques would be disassembled, examined, explained, and protected against?

Perhaps another way of putting it...say I have a brand spanking new exploit (not blocked by firewalls, and no IDS rules exist for it), something no one has ever even considered. Let's say that I'm particularly nefarious, and intend to use this exploit for malicious purposes. Now, do you think I would run this exploit against arbitrary targets, knowing that somewhere out there, a honeypot would collect the data and someone might figure out what I was doing? Or do you think I would do a little recon (even of a physical nature) first, to ensure that I've got a really juicy, easy to access target...with NO honeypots?