RE: Moving forward with defintion of honeypots

["Fabien Pouget" <Fabien.Pouget () eurecom fr>]

Hi Lance,


The two options answer the question: what is the use of a honeypot?
But they do not answer the following: What is a honeypot?

So I consider that both are not really definitions.

Let's take an apple. It can be used as marmalade, stewed fruit,
inspiration source (Newton), etc. But that is not an apple definition.
An apple is "a round fruit with a firm white inside and a green, red or
yellow skin".

A honeypot definition must define the intrinsic characteristics of a
honeypot.  
Honeypot usages may change over time, but its definition must remain the
same.

Hope that helps,

Cheers,

Fabien






-----Original Message-----
From: Lance Spitzner [mailto:lance () honeynet org] 
Sent: mardi 20 mai 2003 05:23
To: honeypots () securityfocus com
Subject: Moving forward with defintion of honeypots


In the past week we have received over thirty postings
about the definition of honeypots, each posting suggesting
a different defintion.  I think we are all beginning to
realize just how tough it is to define this technology. Honeypots are an
extremely powerful tool that can accomplish many different things.  Some
trends I've noticed. 

First, many people are including the term 'decoy' in the 
definition.  While honeypots can 'decoy', I don't think 
that should be in the definition.  The term decoy implies 
"to lure or entrap".  Often honeypots don't lure.  You just 
put them out there and the bad guys find them on their own 
intiative, nothing special is done to insare the attacker.  
The Honeynet Project has being doing this for years now.

Second, many people are including in the definition how honeypots are
used to learn or research.  Once again, while honeypots can do this,
they can do so much more. They 
can be used for preventing attacks (such as LaBrea Tarpit)
or be used purely for detection similar to an IDS 
system (such as Honeyd).  We have to be very careful
in our defintion to ensure we do not imply why we would
want to use a honeypot.

Honeypots do not solve a specific problem, they are a 
highly flexible tool with many different applications to security.  This
is one of the things that makes honeypots unique.

Based on all the feedback we have been getting, I've 
narrowed this down into two options.

Thoughts?


OPTION A
--------
  "A honeypot is an information system resource who's
   value lies in being probed, attacked, or compromised"

 
OPTION B
-------- 
  "A honeypot is an information system resource who's
   value lies in monitoring unauthorized or illicit use of 
   that resource"


-- 
Lance Spitzner
http://www.tracking-hackers.com