Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 8395D94D for ; Thu, 25 Aug 2016 14:27:37 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wm0-f45.google.com (mail-wm0-f45.google.com [74.125.82.45]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 03452129 for ; Thu, 25 Aug 2016 14:27:36 +0000 (UTC) Received: by mail-wm0-f45.google.com with SMTP id i5so74917746wmg.0 for ; Thu, 25 Aug 2016 07:27:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:subject:message-id:mail-followup-to:references :mime-version:content-disposition:in-reply-to:user-agent; bh=n8g/JmMS3KN/gBVVv6KJk/FLJHqGF+WhHzNvG8ZmZJ8=; b=wJYpGlFXoiE4BXYS6pgrPCeQoNJXonL4Mo9L9OpDox9g3vmomFRX+d9I9Vvi1QRptg JBfpETzm6K3h+AC/6rGg/MQ65cMxg9hyFV8WVMMzv9LEH0p9pSXJUVmnRF8zkrGt+w8O 5R+5zEbfqKx9mzn+sM+LNC4K8J7o4yZ/tvsmpZMUoGAfr3iY2Kt6Z07Jrq+nYZ8orXv9 6TFSH9fClPr94VmFsUgQxxyUzttuVzFZWFEzea2nWowVq2i4Fe0k7KRxTbsZM9UWQvSx UlV3q36dHn3NxFRt2SPGMyi511oggT3PYqJ5d2O64V6Bs4mFR0Q58+1CTBxsQSHTyVtE bW1Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:subject:message-id:mail-followup-to :references:mime-version:content-disposition:in-reply-to:user-agent; bh=n8g/JmMS3KN/gBVVv6KJk/FLJHqGF+WhHzNvG8ZmZJ8=; b=fvnVstB55MEkE9+LuG5irVPlJyaUowl4hULGiAaK6LBfe6MslcI5Vu6eZBAQti1jMf QLjpp3l+rTmWWRHj9yuWAnQnHXq2zad01AY0mLdPnP30ilEw6rQO2LA6jX2RocjNchdb 55l3RUViqF/ZDeVF0Z2CnaZbz84j5OmNH66pbLmYhqhDY6QIK7NNYBLlgRKjQfbec0oc geVy78yCnBfuawDD2Dl47JoZqMnRaxxamBNR321x0t3A0+dpbk7gRMQEUkT5ztH4UKBE 3B2H2Z+/jlBZoA4dbQROUhcjSvMARa7DWj/oH6+E7q4TtSTYSmxZVFT/JUHw0mbEkKb0 Eshg== X-Gm-Message-State: AEkoouuty7aufR9U6aP3Tx5zFi6f6MgNc+rOnpUvtIwlNSY5iVjhoza5S/Hhkt38CJ9b1w== X-Received: by 10.28.15.3 with SMTP id 3mr28902427wmp.31.1472135255083; Thu, 25 Aug 2016 07:27:35 -0700 (PDT) Received: from nex ([2a02:aa16:1105:4a80:8dca:36fa:f553:3831]) by smtp.gmail.com with ESMTPSA id e12sm38919764wmg.17.2016.08.25.07.27.33 for (version=TLS1_2 cipher=AES128-SHA bits=128/128); Thu, 25 Aug 2016 07:27:33 -0700 (PDT) Date: Thu, 25 Aug 2016 16:27:32 +0200 From: Christian Decker To: bitcoin-dev@lists.linuxfoundation.org Message-ID: <20160825142732.GA11295@nex> Mail-Followup-To: Christian Decker , bitcoin-dev@lists.linuxfoundation.org References: <20160824014634.GA19905@fedora-21-dvm> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] Capital Efficient Honeypots w/ "Scorched Earth" Doublespending Protection X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Aug 2016 14:27:37 -0000 On Thu, Aug 25, 2016 at 02:54:47AM +0000, James MacWhyte via bitcoin-dev wrote: > I've always assumed honeypots were meant to look like regular, yet > poorly-secured, assets. If the intruder could identify this as a honeypot > by the strange setup (presigned, non-standard transactions lying around) > and was aware that the creator intended to doublespend as soon as the > transaction was discovered, wouldn't they instead prefer to not touch > anything and wait for a non-bait target to appear? Is the assumption here > that the intruder wouldn't know this is a honeypot, or that they would know > and it's just assumed that they would rather take their chances on this > instead of causing some other trouble? That strongly depends on the value of the compromised machine to the attacker. If he has syphoned all the data from it and has no further use for it then the he will probably trip the tripwire to get the coins even though this will make the compromise apparent. If however he is planning to use it as a foothold to further compromise your company, send spam or similar, he will likely try to avoid these tripwires. In which case a classic honeypot, that attempts to look like a regular system is what you're looking for.