Re: Need your helping defining honeypots

[Ed Shirey <eshirey () pclocals com>]

Lance Spitzner wrote:

> Recently I released a paper attempting to define honeypots.
> I've received alot of great feedback on that.  Some of the
> feedback has been we may be able to improve on the definition.
> Honeypots are extremely flexible and can be used for many
> different things.  As such, I propose two different possible
> definitions.  Comments/input GREATLY appreciated!
>
>
> Option 1:
> ---------
> A honeypot is a security resource who's value lies in being
> probed, attacked, or compromised.
>
>
> Option 2:
> ---------
> A honeypot is a resource operated to monitor the use by entities 
> who are unauthorized, or have reason to believe they are unauthorized, 
> to use those resources. 
>
>
>
> Do you have a preference for either defintion, a different
> defintion, or perhaps a combination of the both?  If so, why?
> Let us know.
>
> Thanks!
>
>  
Lance,

I think option 1 is *much** better for 2 reasons:

#1) It's simple and concise, with no frills.  It is the essence of a 
honeypot.

#2) Option 2 assumes intent, and as you pointed out in numerous places
in your book,  many of today's threats are caused by worms, which don't
have intent, per se.  One could presume the intent of the original author is
what determines authorized/unauthorized, but still..

"Of each thing, ask what is it's essense" -- this is why Option 1 is the 
best.