Honeypots mailing list archives

Re: Need your helping defining honeypots


From: "Richard.Salgado () usdoj gov" <Richard.Salgado () usdoj gov>
Date: Fri, 16 May 2003 16:31:34 -0400 (EDT)

The second definition (or some version of it) is preferable to the first for a few reasons.  Basically, the original 
definition assumes that to be a honeypot, the deployment must be a "security" resource.  This is likely the most common 
use among the members of this list, but a honeypot is not necessarily deployed to learn about how blackhats probe, 
attack or compromise a system, or to find means to enhance security.  A honeypot may be used by law enforcement, for 
example, to create a fake warez service to further the investigation of pirate groups.  In that case, law enforcement 
isn't looking for lessons on how to secure systems; the agents are trying to find bad guys and use a honeypot to do so. 
To limit the definition to "security" and "probes, attacks and compromise" misses a world of other potential goals for 
a fake-production server.

In my world, the essence of a honeypot is much closer to the second option than the first. It is a system used to 
monitor unauthorized or illicit activity.  The definition needs to be broad enough to capture honeypots with a 
security-research goal as well as deployments aimed at other misuses of networks and data.  (I think Lance would like 
to be sure that the definition covers honey tokens as well).  Perhaps we could combine the two definitions as 
follows:

"A honeypot is a computer resource the value of which lies in monitoring unauthorized or illicit use of the resource."

Richard Salgado
Computer Crime and Intellectual Property Section
U.S. Department of Justice


eshirey () pclocals com@inetgw 05/16/03 02:54PM >>>
Lance Spitzner wrote:

Recently I released a paper attempting to define honeypots.
I've received a lot of great feedback on that.  Some of the
feedback has been we may be able to improve on the definition.
Honeypots are extremely flexible and can be used for many
different things.  As such, I propose two different possible
definitions.  Comments/input GREATLY appreciated!


Option 1:
---------
A honeypot is a security resource whose value lies in being
probed, attacked, or compromised.


Option 2:
---------
A honeypot is a resource operated to monitor the use by entities 
who are unauthorized, or have reason to believe they are unauthorized, 
to use those resources. 



Do you have a preference for either definition, a different
definition, or perhaps a combination of both?  If so, why?
Let us know.

Thanks!
