AO Honeypot

[therenegade]

I've been having a look at a few old threads..rants basically,that go on about how AO's deteriorated and how much better it was in the 'good old days'.I know I havent exactly been on here for long,but here're a few thoughts:
AO seems to me..a group of individuals who come on and share knowledge..now,before someone points out to me that this is what a forum's meant to do..I already know:P
The forum serves it's purpose admirably really(although I'm sure there'll be a few who might say that the 'level' of the posts been discussed has gone down somewhat)..however..it is essentially people sharing their own experiences,which again has it's advantages.What it does not do though,is provide a unifying factor.How about a honeypot set up specifically for AO members..thus enabling us to have some kind of common meeting ground?Setting it up would be a learning experience to a lot of people,and studying it(logs et cetera et cetera)would provide invaluable experience to most.And it might get AO back to it's former glory
I realise the idea has a few flaws..economic constraints not being the least,how about giving it a shot though?

[MrLinus]

Hrmm... And how would you setup a honeypot specifically for AO members, given that by it's very nature it's meant to be open? Additionally, one of the reasons that many companies avoid honeypots is the risk factor. In order for a honeypot to be truly useful, IMO, one needs it to be as true to a real machine as possible. A single mistake on a honeypot and you open the rest of your servers (depending on where it's positioned, etc.). Keep in mind that JUPM has more than just AO to look after (last time I checked there were numerous websites -- about 12 or so).

Cost doesn't strike me as the biggest issue (you can build a small, cheap honeypot for the cost of a low end machine and the time to build). Risk, however, is far more of a concern for a corporation like JUPM, I would think.

..thus enabling us to have some kind of common meeting ground?

I thought that's what the forums were for?

You might want to visit the Honeynet Project as they often post logs and such.

[Tiger Shark]

The biggest flaw I can see in an "open honeypot" where the logs are available is that an attacker can use it to see if his techniques go unlogged or not. If he goes unlogged then he could quite easily then go after the non-honeypot machines on the same network. If he is logged he can adjust his techniques until he becomes unlogged and do the same as above.

It could quite easily become a very nice little testing ground for attackers and thus it's purpose is utterly subverted.