Date: Wed, 31 Aug 2016 20:01:14 +0000
From: Peter Todd <pete@petertodd.org>
To: James MacWhyte <macwhyte@gmail.com>
Message-ID: <20160831200114.GA23079@fedora-21-dvm>
References: <20160824014634.GA19905@fedora-21-dvm>
	<CAH+Axy4ahvQOG5=jGn68u0m5dTTmFCJ0isfOEt-Be=63ot55dg@mail.gmail.com>
	<82507740-C4A3-4AF2-BA02-3B29E5FECDE4@petertodd.org>
	<CAH+Axy6eOtqoLt5A40qYQG4S6UgFfEQeaM3Dgo677ZaH3NhQ5Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="XsQoSWH+UP9D9v3l"
Content-Disposition: inline
In-Reply-To: <CAH+Axy6eOtqoLt5A40qYQG4S6UgFfEQeaM3Dgo677ZaH3NhQ5Q@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
	Jeff Coleman <jeff@ledgerlabs.io>
Subject: Re: [bitcoin-dev] Capital Efficient Honeypots w/ "Scorched Earth"
 Doublespending Protection
Precedence: list


--XsQoSWH+UP9D9v3l
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Aug 31, 2016 at 07:48:50PM +0000, James MacWhyte wrote:
> >
> > >I've always assumed honeypots were meant to look like regular, yet
> > >poorly-secured, assets.
> >
> > Not at all. Most servers have zero reason to have any Bitcoin's accessi=
ble
> > via them, so the presence of BTC privkeys is a gigantic red flag that t=
hey
> > are part of a honeypot.
> >
>=20
> I was talking about the traditional concept. From Wikipedia: "Generally, a
> honeypot consists of data (for example, in a network site) that appears to
> be a legitimate part of the site but is actually isolated and monitored,
> and that seems to contain information or a resource of value to attackers,
> which are then blocked."
>=20
> I would argue there are ways to make it look like it is not a honeypot
> (plenty of bitcoin services have had their hot wallets hacked before, and
> if the intruder only gains access to one server they wouldn't know that a=
ll
> the servers have the same honeypot on them). But I was just confirming th=
at
> the proposal is for an obvious honeypot.

Ah, yeah, I think you have a point re: naming - this isn't quite the
traditional honeypot, as we uniquely have the ability to give the attackers=
 a
reward in a way where it's ok for the intruder to know that they've been
detected; with traditional non-monetary honeypots it's quite difficult to c=
ome
up with a scenario where it's ok for an intruder to gain something from the
intrusion, so you're forced to use deception instead.

Perhaps a better term for this technique would be a "compromise canary"? Or
"intruder bait"? After all, in wildlife animal research it's common to use =
bait
as a way of attracting targets to discover that they exist (e.g. w/ wildlife
cameras), even when you have no intention of doing any harm to the animal.

--=20
https://petertodd.org 'peter'[:-1]@petertodd.org

--XsQoSWH+UP9D9v3l
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJXxzeHAAoJEGOZARBE6K+yicgH/A3E3hvtlDLzJ2OFgWVudVho
QdAAY52Co0QLn1+TZA+xlYUXFP0C7IVcBFkEKYsfQ8IgYRJio4/9Gil2R8zXAjpP
eHhkVxU7ltKeVl3bXpVrHhSdXC3pZvPb/9xCZPC0Q9lDQtFS4mQTGKeO3bBHuwsU
oM+4HH6a93s/+Borqh77oGdEhSrNDvv8Gd5Yn7SQmj4QuDMwdrfv1YBsDeUpc3Z3
je7HleWOFjopSPQf3534HfsS3VeLnzkmuulsHb6h8h4d9Y03vfX6F0lJ6NcI77F7
3RsKBg73wMJxQ8XQrlgHPyDC9ON/5JZER6JKeFKxJSvn+XyXGae2coP+EIook70=
=mccF
-----END PGP SIGNATURE-----

--XsQoSWH+UP9D9v3l--