I've gotten a lot of thoughtful feedback on my proposal; I think there's a lot of agreement that it's either a purely bad idea (a possibility I don't reject out of hand:-), or else if it is to be done, extreme care must be taken to tune the honeypot so that excessive resources aren't wasted by the pen-testers.
So we shouldn't have things that tempt the pen-testers to waste a lot of time trying to break in, and whatever the honeypot offers, it shouldn't be so easy and obvious as to look out of place, nor so obscure that it cannot be found, nor so serious that they feel they have to make an emergency report. So far one idea has occurred to me: toss a sacrificial box out there, run BIND on it, but don't have NS records pointing to it in public DNS. BIND is a security catastrophe, so just make sure the version is one down-rev so there are known security problems, and see if they find it.

-Bennett
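The point of a decoy like this is that nothing legitimate should ever talk to it, so the detection side is simple: every query that reaches the decoy is a signal, and a version.bind or zone-transfer probe is a stronger one. As an added example (not part of the original message or the list thread), here is a small Python parser that scans constructed, BIND-style query log lines, keeps only the entries answered by the decoy's address, and tallies who touched it and how. The log format, the decoy address 10.0.0.99, and the client addresses are all assumptions made for the example; real named query logs carry a few more flag fields than the regex below expects, so adjust it before pointing it at live logs.

```python
import re
from collections import defaultdict

# Approximation of a named "query" category log line (constructed for this
# example; real logs may include an "@0x..." client handle and extra flags).
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): query: (?P<qname2>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<dst>[\d.]+)\)$"
)

# Constructed sample: 10.0.0.53 is the real resolver, 10.0.0.99 is the decoy
# with no NS records pointing at it. Logs are assumed to be centralised, so the
# trailing "(dst)" field tells us which server actually answered.
SAMPLE_LOG = """\
12-Mar-2024 10:15:32.101 client 10.0.0.5#53211 (www.corp.example): query: www.corp.example IN A + (10.0.0.53)
12-Mar-2024 10:15:33.412 client 10.0.0.5#53212 (mail.corp.example): query: mail.corp.example IN MX + (10.0.0.53)
12-Mar-2024 10:16:01.007 client 10.0.0.77#41234 (version.bind): query: version.bind CH TXT + (10.0.0.99)
12-Mar-2024 10:16:01.322 client 10.0.0.77#41235 (corp.example): query: corp.example IN AXFR - (10.0.0.99)
12-Mar-2024 10:16:05.900 client 10.0.0.78#55000 (decoy.corp.example): query: decoy.corp.example IN A + (10.0.0.99)
this line is not a query log entry and is skipped
"""

# Query types that indicate enumeration rather than ordinary name resolution.
ENUMERATION_TYPES = {"AXFR", "ANY"}
# CHAOS-class names used to fingerprint the server software.
VERSION_NAMES = {"version.bind", "hostname.bind"}


def parse_query_line(line):
    """Return a dict for one query log line, or None if it does not parse."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"],
        "qname": d["qname2"].rstrip(".").lower(),
        "qclass": d["qclass"],
        "qtype": d["qtype"],
        "dst": d["dst"],
    }


def classify(rec, decoy_ip):
    """Label a record by how interesting it is; None if the decoy wasn't involved."""
    if rec["dst"] != decoy_ip:
        return None
    if rec["qclass"] == "CH" and rec["qname"] in VERSION_NAMES:
        return "version_probe"
    if rec["qtype"] in ENUMERATION_TYPES:
        return "enumeration"
    # Any other query still matters: nothing should be pointed at the decoy.
    return "contact"


def find_decoy_hits(log_text, decoy_ip):
    """Return every parsed record that was answered by the decoy, with a kind label."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None:
            continue
        kind = classify(rec, decoy_ip)
        if kind is not None:
            rec["kind"] = kind
            hits.append(rec)
    return hits


def summarize(hits):
    """Per-source summary: how many queries hit the decoy and which kinds were seen."""
    per_client = defaultdict(lambda: {"queries": 0, "kinds": set()})
    for h in hits:
        per_client[h["src"]]["queries"] += 1
        per_client[h["src"]]["kinds"].add(h["kind"])
    return {
        src: {"queries": v["queries"], "kinds": sorted(v["kinds"])}
        for src, v in per_client.items()
    }


if __name__ == "__main__":
    for src, info in summarize(find_decoy_hits(SAMPLE_LOG, "10.0.0.99")).items():
        print(f"{src}: {info['queries']} query/queries to decoy, kinds={info['kinds']}")
```

The summary is what answers the "see if they find it" question without spending anything on the testers' side: a client that only resolves names through the real resolver never appears, so the report lists exactly the hosts that located the unadvertised box, and the kind labels separate a casual touch from a deliberate fingerprint or zone-transfer attempt.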
