Date: Wed, 31 Aug 2016 20:01:14 +0000
From: Peter Todd <pete@petertodd.org>
To: James MacWhyte <macwhyte@gmail.com>
Message-ID: <20160831200114.GA23079@fedora-21-dvm>
References: <20160824014634.GA19905@fedora-21-dvm>
	<CAH+Axy4ahvQOG5=jGn68u0m5dTTmFCJ0isfOEt-Be=63ot55dg@mail.gmail.com>
	<82507740-C4A3-4AF2-BA02-3B29E5FECDE4@petertodd.org>
	<CAH+Axy6eOtqoLt5A40qYQG4S6UgFfEQeaM3Dgo677ZaH3NhQ5Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="XsQoSWH+UP9D9v3l"
Content-Disposition: inline
In-Reply-To: <CAH+Axy6eOtqoLt5A40qYQG4S6UgFfEQeaM3Dgo677ZaH3NhQ5Q@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
	Jeff Coleman <jeff@ledgerlabs.io>
Subject: Re: [bitcoin-dev] Capital Efficient Honeypots w/ "Scorched Earth"
 Doublespending Protection


--XsQoSWH+UP9D9v3l
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Aug 31, 2016 at 07:48:50PM +0000, James MacWhyte wrote:
> >
> > >I've always assumed honeypots were meant to look like regular, yet
> > >poorly-secured, assets.
> >
> > Not at all. Most servers have zero reason to have any Bitcoins accessible
> > via them, so the presence of BTC privkeys is a gigantic red flag that they
> > are part of a honeypot.
> >
>
> I was talking about the traditional concept. From Wikipedia: "Generally, a
> honeypot consists of data (for example, in a network site) that appears to
> be a legitimate part of the site but is actually isolated and monitored,
> and that seems to contain information or a resource of value to attackers,
> which are then blocked."
>
> I would argue there are ways to make it look like it is not a honeypot
> (plenty of bitcoin services have had their hot wallets hacked before, and
> if the intruder only gains access to one server they wouldn't know that all
> the servers have the same honeypot on them). But I was just confirming that
> the proposal is for an obvious honeypot.

Ah, yeah, I think you have a point re: naming - this isn't quite the
traditional honeypot, as we uniquely have the ability to give the attackers a
reward in a way where it's ok for the intruder to know that they've been
detected; with traditional non-monetary honeypots it's quite difficult to come
up with a scenario where it's ok for an intruder to gain something from the
intrusion, so you're forced to use deception instead.

Perhaps a better term for this technique would be a "compromise canary"? Or
"intruder bait"? After all, in wildlife animal research it's common to use bait
as a way of attracting targets to discover that they exist (e.g. w/ wildlife
cameras), even when you have no intention of doing any harm to the animal.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org

--XsQoSWH+UP9D9v3l
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature


--XsQoSWH+UP9D9v3l--