Re: Need your helping defining honeypots

["Matt Fisher" <mattfisher () comcast net>]

I feel honeypots are essentially decoys:

 " A honeypot is a decoy device or system deployed to attract the attention
of intruders, with the intention of  monitoring and tracking intrusion
attempts for the purposes of researching and securing against evolving or
imminent threats. "


----- Original Message ----- 
From: "Ed Shirey" <eshirey () pclocals com>
To: <honeypots () securityfocus com>
Sent: Friday, May 16, 2003 2:54 PM
Subject: Re: Need your helping defining honeypots


> Lance Spitzner wrote:
>
> > Recently I released a paper attempting to define honeypots.
> > I've received alot of great feedback on that.  Some of the
> > feedback has been we may be able to improve on the definition.
> > Honeypots are extremely flexible and can be used for many
> > different things.  As such, I propose two different possible
> > definitions.  Comments/input GREATLY appreciated!
> >
> >
> > Option 1:
> > ---------
> > A honeypot is a security resource who's value lies in being
> > probed, attacked, or compromised.
> >
> >
> > Option 2:
> > ---------
> > A honeypot is a resource operated to monitor the use by entities
> > who are unauthorized, or have reason to believe they are unauthorized,
> > to use those resources.
> >
> >
> >
> > Do you have a preference for either defintion, a different
> > defintion, or perhaps a combination of the both?  If so, why?
> > Let us know.
> >
> > Thanks!
> Lance,
>
> I think option 1 is *much** better for 2 reasons:
>
> #1) It's simple and concise, with no frills.  It is the essence of a
> honeypot.
>
> #2) Option 2 assumes intent, and as you pointed out in numerous places
> in your book,  many of today's threats are caused by worms, which don't
> have intent, per se.  One could presume the intent of the original author
is
> what determines authorized/unauthorized, but still..
>
> "Of each thing, ask what is it's essense" -- this is why Option 1 is the
> best.