Honeypots mailing list archives

Re: Moving forward with definition of honeypots


From: Per Gustav Ousdal <pgo-ml () ousdal com>
Date: Wed, 21 May 2003 03:22:33 +0200

On Tuesday 20 May 2003 05:23, Lance Spitzner wrote:
> In the past week we have received over thirty postings
> about the definition of honeypots, each posting suggesting
> a different definition.  I think we are all beginning to
> realize just how tough it is to define this technology.
> Honeypots are an extremely powerful tool that can
> accomplish many different things.  Some trends I've noticed.
>
> First, many people are including the term 'decoy' in the
> definition.  While honeypots can 'decoy', I don't think
> that should be in the definition.  The term decoy implies
> "to lure or entrap".  Often honeypots don't lure.  You just
> put them out there and the bad guys find them on their own
> initiative, nothing special is done to ensnare the attacker.
> The Honeynet Project has been doing this for years now.

Well, I disagree with this point. Although my mother tongue is not English, I
still hope I am entitled to an opinion. I've always felt that honeypot is a
bad name for these things (unless they actually DO implement luring or
entrapping techniques). And the point you're making suggests that also. In my
world a honeypot is pretty much bait (specialized bait for bees, ants and
other animals that like honey).

This fits pretty well with the law enforcement scenario (i.e. fake warez site):
Warez dudes "feed" on warez, right? ;) Although, even the law enforcement use
fits nicely in under the term decoy as well.

A decoy *can* be combined with luring techniques (but often at the price of
raising suspicion if faced with an intelligent and calculating enemy, and
especially if you overdo it). Placing one of those plastic ducks on a lake
is hardly luring (once you start making quack, quack noises it's a different
story), but it is a decoy. Placing an empty tent camp in the woods is a decoy.
A decoy is something that appears to be something, but it's not (i.e. Company
HQ/empty tents, legitimate production system/"honeypot" system). And it is a
decoy regardless of whether you lure the enemy to it or not.

I feel your use of decoy fits more with what I would call a trap (or at least
part of a trap). A trap to me is getting (luring) the enemy to where you want
them to be. (Waiting for the enemy on terrain that gives you an advantage is
also a trap.)

I rather liked the definition which included decoy. In fact, in many situations
I envision myself using this definition: "A honeypot is a decoy". Or, if it
was not clear from the context: "A honeypot is a computer resource that
functions as a decoy". If it still was not clear, I would analyse the
situation and adapt it to the context: "A honeypot is a computer resource that
functions as a decoy, we will use it to.../or it may be used for.... etc"

IMHO: decoy would be a much more appropriate name than honeypot.

> Second, many people are including in the definition how
> honeypots are used to learn or research.  Once again, while
> honeypots can do this, they can do so much more. They
> can be used for preventing attacks (such as LaBrea Tarpit)
> or be used purely for detection similar to an IDS
> system (such as Honeyd).  We have to be very careful
> in our definition to ensure we do not imply why we would
> want to use a honeypot.

Just like a decoy may be used for numerous things:
- draw/(waste) enemy fire
- slow the enemy down
- give them a false impression of our numbers
- trap/ambush
etc, etc

Regards,

Per

