On 3 Feb 2015 19:19, "coderman" <coderman@gmail.com> wrote:
>
> On 2/3/15, dan@geer.org <dan@geer.org> wrote:
> > ...
> > John, you know this I'm sure, but for the record the highest
> > security places use sacrificial machines to receive e-mail and
> > the like, to print said transmissions to paper, and then those
> > (sacrificial) machines are sacrificed, which is to say they
> > are reloaded/rebooted. Per message. The printed forms then
> > cross an air gap and those are scanned before transmission to
> > a final destination on networks of a highly controlled sort.
> > I suspect, but do not know, that the sacrificial machines are
> > thoroughly instrumented in the countermeasure sense.
>
> this is defense to depths layered through hard experience lessons ;)
>
> >
> > ... For the
> > entities of which I speak, the avoidance of silent failure is
> > taken seriously -- which brings us 'round to your (and my)
> > core belief: The sine qua non goal of security engineering is
> > "No Silent Failure."
>
> there was an interesting thread here last year on instrumenting
> runtimes to appear stock (vulnerable) but which fail in obvious ways
> when subversion is attempted. (after all, being able to observe an
> attack is the first step in defending against such a class...)
>
> "hack it first yourself, before your attacker does..."

Canary bugs / honeypot bugs?