Re: Moving forward with defintion of honeypots

[Jeremy Bennett <jeremy_f_bennett () yahoo com>]

--- Lance Spitzner <lance () honeynet org> wrote:
> First, many people are including the term 'decoy' in the 
> definition.  While honeypots can 'decoy', I don't think 
> that should be in the definition.  The term decoy implies 
> "to lure or entrap".  Often honeypots don't lure.  You just 
> put them out there and the bad guys find them on their own 
> intiative, nothing special is done to insare the attacker.  
> The Honeynet Project has being doing this for years now.

Not sure I agree, Lance. To say you don't do anything "special" to lure
attackers to the honeynet is a bit dubious. You attempt to make your
honeypots look as much like real systems as possible. I would call that
using deception or artifice to insnare your prey. 
If I'm a duck hunter I make my decoy look as much like a duck as
possible. I don't try to make it look better than a duck. By making
your honeypots look more like real systems you are making your decoys
look like the things your prey seeks.

I understand the desire to move away from the "negative' words like
decoy and deception but the fact is that is exactly what we're doing
and there's nothing wrong with it. I believe decoy is absolutely the
correct term for the honeynet.

There is a question whether a low-interaction honeypot like honeyd
deployed as an early warning system qualifies as a decoy. In this case
it is more akin to a trip wire or doorway sensor than it is to a decoy.
However, even in this scenario, we are still attempting to make a
"machine" look as much like a real host as possible. Thus, still a
decoy or a lure. When honeyd logs activity it is just like the
fisherman's lure bobbing in the water. 

As they say "A rose by any other name..."

-J