[NCAP-Discuss] why enhanced controlled interruption - not legal
Jeff Schmidt
jschmidt at jasadvisors.com
Fri Feb 25 19:33:24 UTC 2022
> Matt said one way exfiltration could be controlled / mitigated - I
> believe you straw-manned how _you_ would do what Matt suggested and [""
> what you say above] don't wanna misquote you...
I pointed out the ways that exfiltration *can* *not* be controlled/mitigated, particularly with HTTP/S-based communication and anything over UDP. I do not believe those significant weaknesses can be technically mitigated - if someone wants to provide a specific technical model to prove me wrong I'm all ears. Matt's suggestion was light on technical details. I've done this and I know what's involved. You do too Danny - how would you do it?
> Controlled Interruption certainly checks the "convenience" box.
CI is the best imperfect solution to a problem with no perfect solutions. Four years (!) of NCAP wheel-spinning all but proves this; no one has come up with anything better. In all but human-browser-HTTP/S cases CI provides a superior notification experience and simply can't cause unintended data exfiltration in any case. Despite all of us *wanting* the data generated by such a honeypot to be a panacea, in fact the data generated would be unreliable for the intended purpose. Reducing CI to mere convenience is a mischaracterization.
Jeff