KnuckleDragger March 3, 2008 1:56 PM

I had read an article a while back about Bruce using a honey pot to track down a person who had hacked his company’s site or was DOSing the company for some reason and politely asked him to stop rather than turn him in to the cops.
Ive searched for a few hours and cant locate this article, if anyone can point me in the right direction it would be greatly appreciated. Thank you.

Nicholas Jordan March 3, 2008 3:06 PM

@we’re not getting better at defending ourselves.

cite: Greg Bollella
“If you’re going to control something, you must make sure that the time between sensing and command is limited by some maximum amount. For example, you can’t download something from the web when trying to control something else because what you are trying to control will then fail. It’s a fundamentally different system from what we are used to today.” (end cite)

It seems so simple at first, kinda like run down to the mall and buy a book on programming and in a few months I will go to work as a programmer. Then, at the other end of the spectrum, someone goes to college and forks thousands to an economic system based on knowing what they are talking about ~ then ends up doing something else. This is common.

Taken that we need a fundamentally different system from what we are used to today, what is the system that is in use to day. They used to teach me at AA that the first step to recovery was admitting that you have a problem. This was amazing to me that I had a problem and I would assert that you get up one day and you quit drinking – that’s all there is to it. ( The whole thing was kinda stupid because I was too young to drink anyway )

When the 87-92 economic flat-fall took the size of the want-ads down to low-carb levels, I decided to test my hypothesis in real world conditions. I learned that fear is an adjunct that removes most of the work. Many difficulties that appear to be problems are so simply because of lack of fear. I get swamped with proponents for the soft-life. They skew perception and demand compliance just like AA did when I was too young to legally drink and had to steal or bluff every sip – in so doing denying any counterexample. The moanin dolittles maintain a tightly limiting acceptance factor to enforce a Life-is-cruel/Life-is-mean belief system that is characteristic of the problem under discussion. Politely asking them to stop enticing with pitches for soft-life will not thwart massive replacement of system libraries nor will people who are not afraid be able to admit they have a problem.

Paul Slade March 3, 2008 3:34 PM

@knuckledragger, I don’t recall seing such an artice. Steve Gibson of GRC recounts such a tale but I fail how to see how you would get the two mixed up….

@Bruce. I spent two days out of three walking around Infosec Europe asking the various vendors if they provided any User Security Awareness Training. You know how big an exhibition it is – I found just ONE company that seemed remotely interested in talking to me although they did not have any specific products.
I will be interested to see how the landscape has changed in the last 12 months. Customers I deal with rarely will discuss user training and those that do ‘will handle it’ themselves.

Rich March 3, 2008 5:44 PM


perhaps you’re thinking about his company’s mail server? I think he talked about it in ‘Secrets and Lies’. He kept getting emails from people chastising him for his email server responding accurately with version info to a HELO. So he changed it to a fake version response (a very old Sendmail) as a joke, and then got people chastising him for running a server with known vulnerabilities.

“Bruce Schneier doesn’t need honeypots, hackers get stuck in his production servers…”

TokyoDevil March 4, 2008 12:48 AM

Kind of an interview, indeed. Ha ha ha.

The more I read about security, the more I realize that Asimov (Nightfall) was right — the greatest threat to society are the unreasonable, since they are dedicated to adapting reality to their dogma rather than adapting their dogma to reality.

SteveJ March 4, 2008 4:49 AM

I think the journalist is precisely wrong when he says internet insecurity will reach a tipping point where it gets much better.

The reason is that to have a genuine tipping point, you need some positive-feedback process. Otherwise you don’t “tip”, you just nudge backwards and forwards around an equilibrium.

The equilibrium is economic – we pay for as much security as is worth paying for, and no more. Now, there are a few fairly draconian things you could do (such as making computer owners legally liable for what their machine does, whether they know it’s doing it or not), which would significantly shift the equilibrium (suddenly a lot of home computer users would be willing to spend a few more dollars a month on security).

On the whole though there is no “tip”, only “nudge”. The above measure, while it might produce a significant change in the way we do security, would only affect botnets: it would not address any other security problem.

So I think that we are going to hum along at relatively stable levels of insecurity: sometimes trending upwards and sometimes down. New security measures such as IPSec will come into use as and when they are worth it, against a background of better attacks, but no one security measure will affect more than a small proportion of attacks. We’re never going to have a “Five Year Plan” to make the internet “secure”, because it’s just not worth the cost, in the view of the people who’d have to pay for it (i.e. me and you).

The most efficient way to deal with theft and vandalism via the internet is to prevent some of it, and insure the rest, so that is what will happen.

Keith March 4, 2008 5:10 AM

@ Paul Slade

maybe awareness companies don’t for to InfoSec Europe (there were a few in ’05 I think). I know “The Security Company” were there in 07 and they would have been more than vaguely interested. Not sure if EasyI were there. Then there’s Gary Hinson’s noticebored fairly sure they were not there but have an interesting approach.

Anyway the interesting development as far as I’m concerned is the move by companies offering corporate comms into security comms. Again small orgs that you can find (or interestingly seem to find you) if interested.

If you want personal, rather than corporate, awareness then is quite good (and has useful stuff for internal corporate comms as well).

Lastly a plug for the Security Awareness Special Interest Group

aul Slade March 4, 2008 6:17 PM

OK, maybe I didn’t get to speak to everyone but given the quantity of vendors etc. there and given the importance of user education, I find it astonishing that I struggled to find companies that even considered offering the service.
Sure, CSIA were plugging getsafeonline but I was looking for customised corporate solutions (at the time).

Nicholas Jordan March 5, 2008 8:41 AM

@ steve:”… precisely wrong when he says internet insecurity will reach a tipping point …”

Most marketing follows this technique, it is a brutal the moment when the person who tries to run their first business disccovers how much of this is actually the basis that drives commerce. Posit of “..reach a tipping point..” elicits respondent’s idea of what is to happen without the pull being evident. A similar technique is used in professional acting, the talent goes soft after building tension – the viewer fills in with intrinsic world model and entertainment for profit achieves it’s legitimate purpose.

@(such as making computer owners legally liable for what their machine does, whether they know it’s doing it or not)

Such an attack, if correctly orchestrated, could be done by hiding illegal content in file meta information, even the file name can be used to hide content. Then, with the level of work we see where self-insulation by workers is in the form of employment-insulation, a claim of certain type of content that could be discovered by real forensics would go unquestioned and could then be used to take down non-compliance with established mythology. The defect in this approach is it is known that true offenders will only keep massive collections. This does not allow me to rest on the issue, but I have scripting turned off in the browser and will not open email attachments. It is for fear of the type of attack I describe. The tools Boris Alexeev is working on could be used to work the filename with Deterministic Finite Automa such that propogation of internet communities sharing an enthusiasim for special interests but only comprising 20% of the population could achieve brutally effective results in crushing resistance to established mythology systems by becoming Government funded, and in so doing rule the 80% by subtle shifts in the naming.

I cannot comment further, I have seen the power of their system. They control all information channels. My Social Engineer knows how this system works.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.