On Jun 13, 2013, at 5:39 PM, Michael Thomas <m...@mtcc.com> wrote:

> On 06/13/2013 05:28 PM, Scott Helms wrote:
>> Bill,
>>
>> Certainly everything you said is correct and at the same time is not useful
>> for the kinds of traffic interception that's been implied. 20 packets of
>> random traffic capture is extraordinarily unlikely to contain anything of
>> interest, and even if you do happen to get a juicy fragment your chances of
>> getting more are virtually nil. An effective system must either capture
>> and transmit large numbers of packets or have a command and control system
>> in order to target smaller captures against a shifting list of addresses.
>> Either of those things is very detectable. I've spent a significant
>> amount of time looking at botnet traffic, which has the same kind of
>> requirements.
>>
>
> I think you're having a failure of imagination that anything less than
> a massive amount of information sent back to the attacker could be
> useful. I think there are lots and lots of things that could be extremely
> useful that would only require a simple message with "got here" back to the
> attacker if the "got here" condition was sufficiently interesting. Spying
> doesn't have the same motivations as typical botnets for illicit commerce.
>
> Mike
>
and even botnets for illicit commerce may only be interested in something that is small and may not change very often, so will not need regular exfiltration... e.g. on a server, the current password of a user who can sudo or a few private keys
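The detectability argument in the thread above (bulk transfer and command-and-control polling being visible, a single small message much less so), as an added example that is not part of the original messages: two simple flow-level detectors, one keyed on volume and one on periodicity, run over constructed flow records. The host names, addresses, thresholds and flow data are all hypothetical; the point is to show which of the three patterns discussed each detector catches.

```python
"""Volume- and periodicity-based exfiltration detectors over flow records.

Added example for the thread's detectability argument; every host, address,
threshold and flow record here is a constructed assumption, not data from
the thread.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Hypothetical tuning knobs (assumptions, not taken from the thread).
BULK_BYTES_THRESHOLD = 50_000   # total bytes one src sends one dst in the window
MIN_BEACON_FLOWS = 6            # need enough samples to judge regularity
MAX_BEACON_CV = 0.2             # stdev/mean of inter-flow gaps; low = clock-like


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since the start of the observation window
    src: str
    dst: str
    bytes_out: int   # payload bytes sent from src to dst


def group_by_pair(flows):
    """Bucket flows by (src, dst) so each channel is judged on its own."""
    pairs = defaultdict(list)
    for f in flows:
        pairs[(f.src, f.dst)].append(f)
    return pairs


def detect_bulk(flows):
    """Flag src->dst pairs that move a lot of data: the 'capture and
    transmit large numbers of packets' case from the thread."""
    return {pair for pair, fs in group_by_pair(flows).items()
            if sum(f.bytes_out for f in fs) > BULK_BYTES_THRESHOLD}


def detect_beacons(flows):
    """Flag src->dst pairs whose flows recur at near-constant intervals:
    the polling side of a command-and-control channel."""
    hits = set()
    for pair, fs in group_by_pair(flows).items():
        if len(fs) < MIN_BEACON_FLOWS:
            continue                       # a one-off message never qualifies
        times = sorted(f.ts for f in fs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m < MAX_BEACON_CV:
            hits.add(pair)
    return hits


def detect(flows):
    return {"bulk": detect_bulk(flows), "beacon": detect_beacons(flows)}


def sample_flows():
    """Constructed records for three hypothetical hosts."""
    flows = []
    # host-a: bulk copy, 50 flows of 1500 bytes at irregular gaps.
    t = 0.0
    for i in range(50):
        flows.append(Flow(t, "host-a", "198.51.100.10", 1500))
        t += 5 + (i * 7) % 23
    # host-b: tiny C2 poll roughly every 60 s with +/-1 s jitter.
    t = 0.0
    for i in range(30):
        flows.append(Flow(t, "host-b", "198.51.100.20", 64))
        t += 60 + (i % 3) - 1
    # host-c: a single 80-byte "got here" message, sent once.
    flows.append(Flow(1234.0, "host-c", "198.51.100.30", 80))
    return flows


if __name__ == "__main__":
    for kind, pairs in detect(sample_flows()).items():
        print(kind, sorted(pairs))
```

Run as written, the bulk detector flags host-a, the beacon detector flags host-b, and host-c's one small message trips neither: both detectors depend on the attacker either sending a lot or sending regularly, which is exactly what a one-shot, rarely-changing exfiltration avoids.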