Honeypots mailing list archives

Re: Need your helping defining honeypots


From: George Washington Dunlap III <dunlapg () umich edu>
Date: Fri, 16 May 2003 17:26:47 -0400 (EDT)

I guess the first question to ask is, what is the purpose of this 
definition?  How will the definition itself be used?

A lot of the definitions counter-proposed on this list so far have
described in more detail how honeypots are normally used CURRENTLY.  This
may be more enlightening to someone who just wants a quick, concise answer
to his question.  These are the kinds of answers I'd give my boss if I were 
trying to convince him to set up a honeypot.

The options given, however, are very abstract.  They don't immediately
tell you what their value is, but they leave open all kinds of
possibilities;  although they usually have to be followed up with a couple
of examples.  It makes the person hearing the definition do some thinking.  
For people interested in synthesis, or trying to come up with new ideas,
something like these is probably better.

In #1, the defining value is that it's "designed to be probed, attacked, 
or compromised."  In #2, the defining value is that they're designed to 
monitor "unauthorized users".

Both of them are more abstract and designed to be broad and predictive,
rather than descriptive; and I think for making you think more 
outside-the-box, #1 is more useful.  Saying "they're designed to monitor 
unauthorized users" makes me think about how to monitor behavior, which I 
think is pretty well understood and won't generate many new ideas.  Saying 
"they're designed to be probed, attacked, or compromised" makes me think 
about all the different ways I could use a machine that was probed, 
attacked or compromised; it makes me think backwards, and is likely to be 
more fruitful in generating novel ideas.

Or look at it this way: do you want people to focus on using the probes,
attacks, and compromises of honeypots to their advantage, or do you want
people to focus on how to monitor "unauthorized" activity well?

So, that's my $0.02. As for me, I vote for #1.  (Unless, of course, your
audience is not people innovating honeypots but practical people
looking at existing uses of honeypots; in that case, you'd better make a
more informative answer than either of these two.)

 -George

<grammarnazi> P.S., it should be "whose", not "who's" in the first
definition. </grammarnazi> ;)



On Fri, 16 May 2003, Lance Spitzner wrote:

Recently I released a paper attempting to define honeypots.
I've received a lot of great feedback on that.  Some of the
feedback has been we may be able to improve on the definition.
Honeypots are extremely flexible and can be used for many
different things.  As such, I propose two different possible
definitions.  Comments/input GREATLY appreciated!


Option 1:
---------
A honeypot is a security resource who's value lies in being
probed, attacked, or compromised.


Option 2:
---------
A honeypot is a resource operated to monitor the use by entities 
who are unauthorized, or have reason to believe they are unauthorized, 
to use those resources. 



Do you have a preference for either definition, a different
definition, or perhaps a combination of both?  If so, why?
Let us know.

Thanks!



-- 
+-------------------+-----------------------------------------
| dunlapg () umich edu | http://www-personal.umich.edu/~dunlapg 
+-------------------+-----------------------------------------
| They spoke into being the work of their hands
|  From the void of the wire and the wood
| They stood on that stage and they sang and they played
|  And they said that it was good
| They said let there be light
|  Let there be love, let there be music
|       - Andrew Peterson, "Let There Be Light"
+------------------------------------------------------------
| Outlaw Junk Email! Support HR 1748 (www.cauce.org)


