On Sat, 17 Jan 2004 12:55:17 EST, haesu@towardex.com said:
> by the time you think your enemy is less capable than you, you've already lost the war.
On the other hand, does the fact that police usually only catch the stupid crooks mean that police forces are a bad idea?

1) How often is your site graced by the presence of a script kiddie who *would* fall for a honeypot, but who has enough exploits stashed to be a serious threat? (Remember, it only takes 1 unpatched 1U back there in row 17, rack 4, for him to get a foothold.)

2) How often is your site visited by a talented Black Hat who's more capable than you, and who wouldn't be tricked by a honeypot?

3) How do you even know your answer to (2) is correct? Think long and hard about this one - when was the last time you took *everything* down and booted from known good media and checked for rootkits? And how do you know it was good media? (Go and re-read Ken Thompson's "On Trusting Trust" and Karger and Schell's paper on a Multics pen-test, and then take another REALLY close look at that boot CD.)

I tend toward paranoia. However, I once received a box claiming to be from IBM Software Distribution, with the format of shipping labels that IBM SD had, and even sealed with IBM anti-tamper Q-tape the same way IBM SD does. There was a birthday card in it. Addressed to me. From a friend who wasn't an IBM employee at the time. I was most impressed. ;)