North American Network Operators Group


Re: sniffer/promisc detector

  • From: Valdis.Kletnieks
  • Date: Sat Jan 17 14:25:48 2004

On Sat, 17 Jan 2004 12:55:17 EST, [email protected] said:

> by the time you think your enemy is less capable than you, you've already lost
> the war.

On the other hand, does the fact that police usually only catch the stupid crooks
mean that police forces are a bad idea?

1) How often is your site graced by the presence of a script kiddie who *would* fall
for a honeypot, but who has enough exploits stashed to be a serious threat? (Remember,
it only takes 1 unpatched 1U back there in row 17, rack 4, for him to get a foothold).

2) How often is your site visited by a talented Black Hat who's more capable than you,
and who wouldn't be tricked by a honeypot?

3) How do you even know your answer to (2) is correct? Think long and hard
about this one - when was the last time you took *everything* down and booted
from known good media and checked for rootkits?  And how do you know it was
good media? (Go and re-read Ken Thompson's "On Trusting Trust" and Karger and
Schell's paper on a Multics pen-test, and then take another REALLY close look
at that boot CD.)

I tend toward paranoia.  However, I once received a box claiming to be from IBM
Software Distribution, with the format of shipping labels that IBM SD had, and
even sealed with IBM anti-tamper Q-tape the same way IBM SD does.

There was a birthday card in it.  Addressed to me.  From a friend who wasn't an
IBM employee at the time.  I was most impressed. ;)
