On 3 Feb 2015 19:19, "coderman" <coderman@gmail.com> wrote:
>
> On 2/3/15, dan@geer.org <dan@geer.org> wrote:
> > ...
> > John, you know this I'm sure, but for the record the highest
> > security places use sacrificial machines to receive e-mail and
> > the like, to print said transmissions to paper, and then those
> > (sacrificial) machines are sacrificed, which is to say they
> > are reloaded/rebooted.  Per message.  The printed forms then
> > cross an air gap and those are scanned before transmission to
> > a final destination on networks of a highly controlled sort.
> > I suspect, but do not know, that the sacrificial machines are
> > thoroughly instrumented in the countermeasure sense.
>
> this is defense to depths layered through hard experience lessons ;)
>
>
>
> > ...  For the
> > entities of which I speak, the avoidance of silent failure is
> > taken seriously -- which brings us 'round to your (and my)
> > core belief: The sine qua non goal of security engineering is
> > "No Silent Failure."
>
> there was an interesting thread here last year on instrumenting
> runtimes to appear stock (vulnerable) but which fail in obvious ways
> when subversion is attempted. (after all, being able to observe an
> attack is the first step in defending against such a class...)
>
> "hack it first yourself, before your attacker does..."

Canary bugs / honeypot bugs?