Honeypots mailing list archives

RE: Need your helping defining honeypots


From: "John McCracken" <john () mccrackenassociates com>
Date: Fri, 16 May 2003 16:21:01 -0500

I concur with Richard and believe the definition should cover the spectrum
of unauthorized and illicit use.

Thanks!
John McCracken

-----Original Message-----
From: Richard.Salgado () usdoj gov [mailto:Richard.Salgado () usdoj gov] 
Sent: Friday, May 16, 2003 3:32 PM
To: honeypots () securityfocus com
Subject: Re: Need your helping defining honeypots

Date:   05/16/2003  04:34 pm -0400  (Friday)  
From:  Richard Salgado
To:  "honeypots () securityfocus com@inetgw".WTGATE2.CRMGW
Subject:  Re: Need your helping defining honeypots

The second definition (or some version of it) is preferable to the first for
a few reasons.  Basically, the original definition assumes that to be a
honeypot, the deployment must be a "security" resource.  This is likely the
most common use among the members of this list, but a honeypot is not
necessarily deployed to learn about how blackhats probe, attack or
compromise a system, or to find means to enhance security.  A honeypot may
be used by law enforcement, for example, to create a fake warez service to
further the investigation of pirate groups.  In that case, law enforcement
isn't looking for lessons on how to secure systems; the agents are trying to
find bad guys and use a honeypot to do so.  To limit the definition to
"security" and "probes, attacks and compromise" misses a world of other
potential goals for a fake-production server.

In my world, the essence of a honeypot is much closer to the second option
than the first. It is a system used to monitor unauthorized or illicit
activity.  The definition needs to be broad enough to capture honeypots with
a security-research goal as well as deployments aimed at other misuses of
networks and data.  (I think Lance would like to be sure that the definition
covers honey tokens as well).  Perhaps we could combine the two
definitions as follows:

"A honeypot is a computer resource the value of which lies in monitoring
unauthorized or illicit use of the resource."

Richard Salgado
Computer Crime and Intellectual Property Section
U.S. Department of Justice


eshirey () pclocals com@inetgw 05/16/03 02:54PM >>>
Lance Spitzner wrote:

Recently I released a paper attempting to define honeypots.
I've received a lot of great feedback on that.  Some of the
feedback has been we may be able to improve on the definition.
Honeypots are extremely flexible and can be used for many
different things.  As such, I propose two different possible
definitions.  Comments/input GREATLY appreciated!


Option 1:
---------
A honeypot is a security resource whose value lies in being
probed, attacked, or compromised.


Option 2:
---------
A honeypot is a resource operated to monitor the use by entities
who are unauthorized, or have reason to believe they are unauthorized,
to use those resources.



Do you have a preference for either definition, a different
definition, or perhaps a combination of both?  If so, why?
Let us know.

Thanks!
