Though certainly an iconic figure, I’ve never been a particular fan of Tweety. I find earlier versions of the character cruel and malicious, while later versions (possibly, I’ll admit, because of those earlier versions) seem faux-innocent and cruelly manipulative.

Sylvester, on the other hand, is often a more relatable character, especially when he recognizes that cats eat birds and struggles to control his baser inclinations. He’s also a fun contrast to Wile E Coyote in his frequent use of complicated plans and Rube Goldberg machines, which invariably go terribly wrong. This shtick sometimes involves blueprints which Sylvester tears up in anger after the plan goes badly, and even one where an angelic version of Sylvester emerges from the wreck of an off-camera explosion to do so. So far as I can recall, Sylvester was not a frequent customer of Acme Corp, though, and was more a do-it-yourself figure.

Though usually described as a “tweety bird”, Tweety was usually portrayed as a canary, and I would assume that the use of “canary yellow” was part of the gag. At any rate, canaries were a popular pet,

likely because of their size, singing, and the fact that they tend to be solitary.

Domestic canaries originated in Macaronesia, which includes the Canary Islands, after which the birds are named.

Even though I’ve been hearing about it my whole life, I decided to double-check the story that canaries were used by miners to test air quality. Turns out that it’s true! Apparently, in the past, both mice and canaries have been used by miners because they are more sensitive to carbon monoxide and other harmful gases than humans are.

According to a story in the BBC, canaries were preferred because their reaction to carbon monoxide was more apparent, and I suspect that their responses to whistles and other noises might make them easier to “monitor” by the miners. In any case, the UK government began phasing out the use of canaries in 1986, in favour of new, electronic detectors.

Which brings us to Thinkst.

As often happens in the world of InfoSec (or cybersecurity, or cyber, or whatever you want to call it today), the same terms are used in different ways, by different groups or companies, for different reasons. That’s one of the reasons why I’m referring to the company, which will be well-known to anyone who listens to the Risky Business podcast.

In the words of Thinkst founder Haroon Meer, “To be honest, I think we are the stupidest product out there. We are super simple, and we work. In part, that’s what security needs – you need building blocks that you can rely on.”

One of the things I find so interesting about Meer is that he describes his company as a “detection” company, rather than “deception” – which is the term used more generally in the field. I think the distinction is subtle, but important. If your goal is deception, you are trying to trick your adversary in some way – usually with the intent of redirecting them to attack the wrong target. This is useful, but I would not consider it a primary objective for most teams.

Honeypots are interesting, and can be very useful, but are generally complicated and hard to maintain. Will they defend your network? Not really. They may draw some attention away from other parts of your network, and may help you gather information, and may give you advance warning...

Um, if I’m defending a network, I’d prefer to avoid words like “may” as much as possible.

What Thinkst does is build and sell canaries. But aren’t they just honeypots?

Yes, and they are the sorts of things that you can build and maintain for yourself. And yet most companies don’t, because it requires a lot of up-front work and expertise that many organizations aren’t willing to use for such purposes, along with careful planning and ongoing maintenance. So, Thinkst created a tool which can be plugged in, configured in minutes, simulate a variety of server types and devices, and is intended only to detect intrusions.

This is not a commercial, though, so I want to talk about Canarytokens instead.

Conceptually similar, these are essentially bits of bait strewn around your network, traps which attackers will trigger, giving you very clear signals that there is an intruder.

This is where the “deception” part comes in. As a simple example, think about having a directory on your network which contains your tax information. And, along with filenames like “Taxes-2025.xlsx”, “Taxes-2024.xlsx” and such, there’s one called “Tax Summary 2020-2025.xlsx”. An intruder will grab all of the files, and open them. But “Tax Summary 2020-2025.xlsx” is actually a canarytoken, which will be triggered when it is opened, and will notify you.

If you receive this notification, you know with certainty that someone was in your network and opened that specific file. Very high fidelity signal, and all it needed was you deploying a single file.

While Thinkst has a product which allows customers to create, deploy, and track their own tokens within their own environments, they also provide a free service, CanaryTokens.org, where the public can create and manage their own canarytokens.

Frankly, I think this is a brilliant idea. While there is a cost associated with providing the service, the cost is comparatively low because the canarytokens will only generate traffic if they are triggered. It’s also a great way to not only make the world safer, but draw attention to the work they do, and improve their reputation. In contrast, their canaries are very expensive by home-use standards, but extremely cost-effective by corporate standards, especially for such high-fidelity signals.

Not a coal-mine, and no canaries were harmed in the provision of this service, but you get the idea.

Cheers!