nanog mailing list archives

Re: sniffer/promisc detector


From: Valdis.Kletnieks () vt edu
Date: Sat, 17 Jan 2004 14:22:31 -0500

On Sat, 17 Jan 2004 12:55:17 EST, haesu () towardex com said:

> by the time you think your enemy is less capable than you, you've already lost
> the war.

On the other hand, does the fact that police usually only catch the stupid crooks
mean that police forces are a bad idea?

1) How often is your site graced by the presence of a script kiddie who *would* fall
for a honeypot, but who has enough exploits stashed to be a serious threat? (Remember,
it only takes 1 unpatched 1U back there in row 17, rack 4, for him to get a foothold).

2) How often is your site visited by a talented Black Hat who's more capable than you,
and who wouldn't be tricked by a honeypot?

3) How do you even know your answer to (2) is correct? Think long and hard
about this one - when was the last time you took *everything* down and booted
from known good media and checked for rootkits?  And how do you know it was
good media? (Go and re-read Ken Thompson's "On Trusting Trust" and Karger and
Schell's paper on a Multics pen-test, and then take another REALLY close look
at that boot CD.)

I tend toward paranoia.  However, I once received a box claiming to be from IBM
Software Distribution, with the format of shipping labels that IBM SD had, and
even sealed with IBM anti-tamper Q-tape the same way IBM SD does.

There was a birthday card in it.  Addressed to me.  From a friend who wasn't an
IBM employee at the time.  I was most impressed. ;)
