Re: honeypot in conjunction with pen test?

From: Bennett Todd (bet@rahul.net)
Date: Thu Jun 06 2002 - 10:22:30 EDT


I've gotten a lot of thoughtful feedback on my proposal; I think
there's a lot of agreement that it's either a purely bad idea (a
possibility I don't reject out of hand:-), or else if it is to be
done, extreme care must be taken to tune the honeypot so that
excessive resources aren't wasted by the pen-testers.

So we shouldn't have things that tempt the pen-testers to waste a
lot of time trying to break in, and whatever the honeypot offers it
shouldn't be so easy and obvious as to look out of place, nor so
obscure that it cannot be found, nor so serious that they feel they
have to make an emergency report.

So far one idea has occurred to me; toss a sacrificial box out
there, run BIND on it, but don't have NS records pointing to it in
public DNS. BIND is a security catastrophe, so just make sure the
version is one down-rev so there are known security problems, and
see if they find it.

-Bennett
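Since nothing legitimately points at the sacrificial box, "see if they find it" reduces to watching its query log: any query at all is a hit, and a version.bind probe or AXFR attempt means it is being actively enumerated. Below is an added example (not from the post or the list) that triages constructed BIND-style query-log lines per client; the log line format and sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Assumed BIND 9 query-log line shape (an assumption, not taken from the post):
#   "<date> <time> client <ip>#<port>: query: <name> <class> <type> <flags>"
QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)

# Constructed sample log lines for the decoy box; none of this is real traffic.
SAMPLE_LOG = """\
06-Jun-2002 10:22:30.101 client 192.0.2.10#3421: query: version.bind CH TXT +
06-Jun-2002 10:22:31.204 client 192.0.2.10#3422: query: example.test IN A +
06-Jun-2002 10:25:02.555 client 198.51.100.7#53512: query: example.test IN AXFR +
"""


def triage(log_text):
    """Summarise decoy hits per client IP.

    No NS record points at the decoy, so every query counts as a hit.  Version
    probes (version.bind CH TXT) and zone-transfer attempts (AXFR) are tagged
    separately: they show the box is being enumerated, not merely brushed by a
    stray lookup.
    """
    hits = defaultdict(lambda: {"queries": 0, "version_probe": False, "axfr": False})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line; ignore it
        h = hits[m["ip"]]
        h["queries"] += 1
        if m["name"].lower() == "version.bind" and m["cls"].upper() == "CH":
            h["version_probe"] = True
        if m["type"].upper() == "AXFR":
            h["axfr"] = True
    return dict(hits)


def found_decoy(log_text):
    """Answer the post's question directly: which clients found the box?"""
    return sorted(triage(log_text))


if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG).items():
        print(ip, summary)
```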

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT