Honeypots: RE: Birthday of terms honeypot and honeynet

["David Gillett" <gillettdavid () fhda edu>]

  I'd look for an etymological link between the use of the term
"honeypot" in computer systems, and its use as a spycraft term 
dating back to at least the 1950s.  In the latter context, a
"honeypot" was an operation to lure an opposing diplomat or
agent into a compromised situation -- usually sexual -- in order
to obtain blackmail material....

David Gillett


> -----Original Message-----
> From: Ian Baker [mailto:ibaker () codecutters org]
> Sent: January 23, 2004 03:35
> To: Aleksey V. Lukatsky
> Cc: honeypots () securityfocus com
> Subject: Re: Birthday of terms honeypot and honeynet
>
>
> Aleksey,
>     (Assuming that it's details on the honeypot 
> implementation that you are
> looking for).
>
> Quick synopsis - users dialled-in to a series of modem banks 
> fronting a
> VAXcluster containing a newpaper story database. After a 
> hacking event (and
> you had to be hacker-class to get in, back in those largely 
> pre-Internet
> days..), Ops got together with a couple of developers to 
> develop what they
> termed a "honeypot". To be honest, it was more of a Trojan in 
> my view at the
> time (an apparently not-very-secure VAX with external links 
> to much more
> interesting things than old newspaper stories).
>
> Since legitimate users would never break the menu and attempt 
> to access the
> (IIRC) "set host" command, it was considered a 100% 
> indication of hack/crack
> activity.
>
> Access would immediately shut-down on all other connections in that
> particular modem bank (investigations from the previous 
> attack indicated
> that a lot of activity involved trying phone numbers in 
> sequence) and take
> the bank off-line. Too many attempts on different banks would 
> shutdown the
> site & divert to backup links.
>
> Ops would be automatically paged by the honeypot, and could 
> manually request
> a phone trace (while watching the actions of the intruder in 
> real-time).
>
> I can't talk much about the specific implementation (too long 
> ago) - the
> discussion had really centred around this Trojan concept that was just
> starting to become prevalent (I'd looked at something similar while at
> college in '85, on a CDC mainframe, and had later duplicated 
> some of the
> functions on a uVAX at a secure establishment).
>
> Knowing the people involved, I would not be in the least 
> surprised if the
> term came up on either an international BBS or something 
> internal to British
> Telecom (we worked with many of their VAX-based services).
>
> I think the main "thrill" was the idea of turning a cracking 
> exploit against
> the crackers themselves.
>
> Can't/won't go into details, but it was used "in anger" and resulted a
> prosecution during my time with the company.
>
> Regards,
>
> Ian Baker
> Webmaster, codecutters.org