ʇɐʞlᴉʌƎ 🇺🇦🌈 is rnbwkat

Drummer, hacker, defender against rogue IoT (especially toasters), Skydiver, photographer, lover of fine tequilas, honeypots & Dancing Flamingos. BsidesChicago Lead ([email protected])
Views are my own, She/Her

New story drop! “Terms and Conditions” is live!!
Come for Harvestide, stay for the part where everyone realizes they probably should’ve read page 37...

https://docs.google.com/document/d/1voXtGy74ZBHt50_X7YdaPdB2vHx3fmp3YJQ47v8mIRg/edit?usp=sharing

#Noir #CyberSecurity #EULA #PopTarts @sashatheflamingo

Terms and Conditions Written by: Kathleen Fitzgerald (The Unfrosted Files: Book 13) (Book 12 - here) March, 2026 Arrivals Popolis International Airport — POP, as every sign helpfully reminded you - was busy in the particular way it always was at the start of Harvestide. Not frantic. Not rushed. ...

Sasha insisted we co-author this, and honestly, after the weekend she had, I didn’t have the authority to say no. 🦩

- We arrived at @bsidesroc as first-timers
- We left with a suspicious number of new friends, at least three inside jokes, and what I can only assume is the beginning of Sasha’s unofficial “Flamingo Ambassador Program.”

Sasha, for her part, would like it formally noted that:
- She achieved a 100% success rate in attracting delightful humans
- She was questioned about her honeypots approximately 47 times (conservative estimate)
- She may now have more friends in Rochester than I do

Post-conference, we migrated to Bitter Honey, which Sasha has classified as “Tequila Research HQ.”

Extensive… research… was conducted. 👍

Findings include:
- The tequila selection is both impressive and slightly dangerous
- The food is absolutely worth writing home about
- “Quick dinner” is a fictional concept when you’re surrounded by great people

Somewhere between the laughter, the stories, and the “just one more” moments, the night quietly turned into one of those you wish you could bottle. 💃

The flight home added a touch of airborne chaos, with turbulence strong enough to keep everyone seated, including the FAs. Sasha remained calm, mostly because she does not believe in gravity. 🛩️

And now it’s Monday. 🤷‍♀️

Sasha is back to monitoring global flamingo #honeypot operations.
I’m back to working on my Portugal move.

But we’re both still carrying that post-conference glow, the kind powered by community, connection, and just the right amount of tequila-fueled storytelling!!

Rochester, we’ll be back!!!

While a good chunk of the security world is migrating en masse to RSA Conference and BSidesSF like packets following the loudest broadcast signal…

Sasha and I have chosen a different route. 🦩

No mega-lines.
No vendor badge bingo.
No fighting for oxygen near the espresso machine (which I will not be drinking anyway).

Instead, we’re heading to BSides Rochester — a con we’ve never been to, which makes it immediately more interesting.

New hallways.
New humans.
New stories waiting to happen.

These are the places where conversations aren’t rushed, where ideas don’t have to compete with a 40-foot LED wall, and where you can actually hear someone say, “wait, show me that again” and mean it.

Sasha is already flapping at operational readiness, prepared to charm, observe, and possibly recruit new flamingo agents into the ever-expanding network.

As for me?
I’m looking forward to the kind of hallway track that turns into three hours of “how did we even get onto this topic” and ends with something genuinely useful.

To everyone heading to the big shows, have fun, stay hydrated, and may your badge scans be swift.

We’ll be over here… discovering something new. 😼

GOT MY VISA!!
Vila Nova de Gaia,
Here I Come!!!

I love that this is a very popular password on my honeypots - everywhere - "8675309" 🦩

#CyberSecurity #Infosec #Honeypot #DeceptionTech @sashatheflamingo

The SSH Key Breadcrumb Trap 🦩

Most honeypots have one fatal flaw: they're too clean.
Empty bash history. Pristine directories. No evidence of actual use. Attackers notice.

So I plant breadcrumbs. 🤷‍♀️

Realistic bash history. A private SSH key in .ssh/. History showing SSH connections to "other servers" using that key.

Those "other servers"? Also honeypots!

When bots hit my honeypots, they brute force and move on. Boring.
But when a HUMAN does post-compromise recon, finds that key, and tries to pivot to those other servers?

Critical Wazuh alert, because only humans do this!!

Bots don't read history files. They don't hunt for lateral movement opportunities. They don't use found SSH keys.

Standard attacker tradecraft requires checking for keys and using them. If they skip it, they might miss real opportunities. If they follow it, I know I'm dealing with an actual human threat actor.

It's a catch-22. And it works beautifully. (And "@sashatheflamingo Approved")
Full writeup coming to sashatheflamingo.xyz soon!!

#Cybersecurity #HoneyPot #ThreatIntel #Deception
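
An added example, not the author's code or Wazuh rule set: one way to triage sshd auth lines on a decoy "other server" so that any use of the planted key is separated from password-spray noise. The fingerprint, host names, and log lines are constructed placeholders, and it assumes the decoy's sshd logs key fingerprints on publickey attempts.

```python
import re
from collections import Counter

# Assumption: fingerprint of the planted private key, as printed by
# `ssh-keygen -lf <keyfile>`. Constructed placeholder, not a real key.
BAIT_FP = "SHA256:CONSTRUCTEDbaitKEYfingerprintPLACEHOLDER0000"
BAIT_FINGERPRINTS = {BAIT_FP}

# sshd auth result line; the key type and fingerprint only follow publickey events.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)

def triage(lines, bait=BAIT_FINGERPRINTS):
    """Split decoy-host sshd events into bait-key alerts and password noise."""
    alerts, noise = [], Counter()
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        if m["method"] == "publickey" and m["fp"] in bait:
            # Only someone who read the first honeypot's ~/.ssh and history
            # can present this key, whether or not the login succeeds.
            alerts.append({"severity": "critical", "src": m["src"],
                           "user": m["user"], "result": m["result"],
                           "reason": "planted SSH key presented"})
        elif m["method"] == "password":
            noise[m["src"]] += 1  # brute-force background, counted per source
    return alerts, noise

# Constructed sample log (documentation IP ranges, hypothetical host "decoy2").
SAMPLE_LOG = f"""\
Mar 10 12:00:01 decoy2 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Mar 10 12:00:03 decoy2 sshd[1201]: Failed password for root from 198.51.100.23 port 40114 ssh2
Mar 10 12:07:44 decoy2 sshd[1330]: Failed publickey for deploy from 203.0.113.77 port 51822 ssh2: ED25519 SHA256:SOMEunrelatedKEYconstructed000000000000000000
Mar 10 12:09:10 decoy2 sshd[1342]: Accepted publickey for deploy from 203.0.113.77 port 51840 ssh2: ED25519 {BAIT_FP}
"""

if __name__ == "__main__":
    alerts, noise = triage(SAMPLE_LOG.splitlines())
    for a in alerts:
        print(a)
    print("password noise by source:", dict(noise))
```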

Going to have a great guest on today's #ThursDef!

@rnbwkat will be joining us to share some expertise on Honeypots & Real Threat Intel!

Get registered at thursdef.com

#ThursdayDefensive #cybersecurity #infosec

Honeypot Thought: Why I Deploy "Student Blogs"

Quick question for my threat intel peeps:

When attackers compromise infrastructure, are they always going after your crown jewels, or are they looking for something else entirely?

Hint: A medical student's personal blog - hosted on cheap VPS because university IT policies are restrictive - might be more valuable to an attacker than you think. 😉

Not because of what's ON it, but because of what they can DO with it!!

Cheap hosting. College/University nearby. SSH & FTP access because that's how the student "updates" their site. Perfect pivot point. 🦩

More on this coming SOON!

But if you're only thinking about honeypots as "fake business infrastructure," you're missing a huge piece of the attacker playbook!!

@sashatheflamingo #cybersecurity #infosec #ThreatIntel #honeypot

Honeypot Deployment Pro Tip: Let Them Think They're Winning

Want to know a dirty little secret about honeypot deployment that I've been using for years?

When you spin up a new production server with SSH access, don't immediately lock it down behind a non-standard port. Let it sit on port 22 running your actual SSH daemon for the first 4-6 weeks.

Let the attackers find it. Let them probe it. Let them catalog it in their target lists as "real infrastructure worth attacking."

Then, after they've committed you to memory:

Move your real SSH to a non-standard port. Deploy OpenCanary SSH on port 22 configured to match the EXACT version banner of whatever you were running before.

Now here's the magic: The attackers think they're still hitting the same production system. But you're collecting every username and password combination they try. They don't know they've been demoted from "attacking production" to "feeding your threat intelligence."

It's totally deceptive. They invested weeks cataloging your server. They're not going to just give up because you didn't respond the way they expected.

I've been running this technique for years across my global honeypot network. Works every single time.

Remember to match the SSH version banner exactly - down to the patch level. OpenSSH 8.2p1 vs 8.2p2 matters to some scanners. Make it identical.

This is how you turn production infrastructure into long-term intelligence gathering without anyone noticing the transition.

You're welcome. 🦩
@sashatheflamingo #cybersecurity #infosec #honeypot #deceptiontech
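
An added example, not the author's tooling: a pre-cutover check that records the production sshd identification string, compares it byte for byte with what the decoy sends, and produces the OpenCanary `ssh.*` settings that replay it. Function names are hypothetical and the banners used are constructed; anything after the version, such as a distro suffix, is part of the string and has to match too.

```python
import socket

def read_ssh_banner(stream):
    """Return the SSH identification string (RFC 4253, section 4.2) as raw bytes.

    A server may send other lines first; the banner is the first line
    that starts with "SSH-".
    """
    for _ in range(20):              # bounded, so a tarpit cannot hold us forever
        line = stream.readline(256)
        if not line:
            break
        if line.startswith(b"SSH-"):
            return line.rstrip(b"\r\n")
    raise ValueError("no SSH identification string received")

def fetch_banner(host, port, timeout=5.0):
    """Connect to your own host and read the banner it presents."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return read_ssh_banner(s.makefile("rb"))

def banner_mismatch(recorded, decoy):
    """Return None when byte-identical, else a description of the first difference."""
    if recorded == decoy:
        return None
    for i, (a, b) in enumerate(zip(recorded, decoy)):
        if a != b:
            return f"differs at byte {i}: {recorded[i:]!r} vs {decoy[i:]!r}"
    return f"length differs: {len(recorded)} vs {len(decoy)} bytes"

def opencanary_ssh_settings(recorded, port=22):
    """Keys to merge into opencanary.conf so the decoy replays the recorded banner."""
    return {"ssh.enabled": True, "ssh.port": port,
            "ssh.version": recorded.decode("ascii")}

if __name__ == "__main__":
    # Constructed banners: the patch-level difference mentioned in the post.
    before = b"SSH-2.0-OpenSSH_8.2p1"
    after = b"SSH-2.0-OpenSSH_8.2p2"
    print(banner_mismatch(before, after))
    print(opencanary_ssh_settings(before))
```

Record the banner with `fetch_banner` while the real daemon is still on port 22, then run it again against the decoy after the move and require `banner_mismatch` to return `None`.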

Friday lunch experiment.

New café. Good food. Phone propped up on the table with the Wazuh dashboard glowing like a tiny command center. 🦩

Instead of doomscrolling the news, I’m watching my honeypots.

Every few seconds another line rolls in:

- Somewhere: SSH spray
- Somewhere else: WordPress exploit from 2016
- And just now… a heroic attempt at admin / admin

The attackers believe they’re hunting servers.

In reality they’ve wandered into a carefully arranged terrarium where everything they do gets logged, labeled, and occasionally laughed at.

The café thinks I’m checking messages.

Meanwhile I’m quietly watching the internet’s least productive fishing expedition unfold in real time while eating lunch.

Honestly, this might be the best monitoring interface ever invented:

Good food.
A glass of prosecco.
And attackers enthusiastically hacking machines that exist purely to waste their afternoon.

#cybersecurity #infosec #honeypot