Honeypots mailing list archives

RE: Moving forward with definition of honeypots


From: "John McCracken" <john () mccrackenassociates com>
Date: Tue, 20 May 2003 23:38:12 -0500

Bernie raises some very good points and I do like the suggested mix of the
two. However, and this may be capricious, but a question/concern for those
knowledgeable in the litigation arena; is "monitoring" by definition
sufficient to include an evidentiary collection of data or should
"monitoring and/or intercept" or just "intercept" be added to the mix?

May not matter for the purposes herein, but I've seen far less grind the
wheels of justice to a halt and I am curious what some of the legal minds
think as I can see a possible argument that monitoring, by definition, may
not embrace the act of collecting/seizing data like intercept would.

Thanks!
John McCracken

-----Original Message-----
From: Bernie, CTA [mailto:cta () hcsin net] 
Sent: Tuesday, May 20, 2003 10:37 AM
To: Lance Spitzner; honeypots () securityfocus com
Subject: Re: Moving forward with definition of honeypots

I would agree with mix / mod of Option A and B. However, I 
believe that we should add the word security to the definition 
in order to satisfy legal use or intent, and potential privacy 
violation issues. 

Considering that in most current Honeypot (decoy) 
deployment topologies Users with honest intent may 
unknowingly land upon the gates of a honeypot while 
expecting privacy of their activities to be maintained, there 
may be a risk of running afoul of certain privacy, 
eavesdropping, wiretapping laws. 

That is, directly monitoring/recording an individual's actions 
without their permission could generally be considered 
eavesdropping or wiretapping (at least here in the USA), 
unless such monitoring/recording is performed by law 
enforcement with a valid COURT ORDER, or unless such 
monitoring/recording is performed as to protect the system 
from unauthorized use and to ensure that the system is 
functioning properly.

Furthermore, using a honeypot as a general decoy and 
eavesdropping resource, may provide grounds for entrapment. 

Therefore, I would suggest a mix of A and B as follows:

"A honeypot is an information system security resource 
whose value lies in being probed, attacked, or compromised, 
which may contribute to the monitoring of unauthorized or 
illicit use of that resource"


On 19 May 2003, at 22:23, Lance Spitzner wrote:
...
Honeypots do not solve a specific problem, they are a 
highly flexible tool with many different applications to
security.  This is one of the things that makes honeypots
unique.

Based on all the feedback we have been getting, I've 
narrowed this down into two options.

Thoughts?


OPTION A
--------
  "A honeypot is an information system resource whose
   value lies in being probed, attacked, or compromised"


OPTION B
-------- 
  "A honeypot is an information system resource whose
   value lies in monitoring unauthorized or illicit use of 
   that resource"


-
****************************************************
Bernie 
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************



