RE: Honeypot Defintion - Almost There, or a new path?

["John McCracken" <john () mccrackenassociates com>]

I too had a problem with monitoring that diminished with further
enlightenment; however, "detect" by definition appears to better qualify and
kudos to Bernie for the most comprehensive rendition yet. Reads like it came
from a dictionary. :)

Thanks!
John McCracken

-----Original Message-----
From: Bernie, CTA [mailto:cta () hcsin net] 
Sent: Saturday, May 24, 2003 9:33 AM
To: honeypots () securityfocus com
Cc: Lance Spitzner
Subject: Re: Honeypot Defintion - Almost There, or a new path?


I feel Marc's perspective has merit. 

After pondering the definitions presented thus far, and while
considering a simple technical definition of a Computer, i.e., "A
device that receives, stores, processes, and presents data in
response to commands", I suggest this definition:

Honeypot:
"An automated computer system for detecting erroneous, 
unauthorized or illicit use of system resources."

As an old embedded system engineer, I decided to include 
the word "automated" as to infer the implicit use of 5 basic
functions of automation: 
1. Collection of Information 

2. Communication of Information (man-machine, machine- 
machine) 

3. Computation of Information  (data logging and data 
processing) 

4. Control of Operations (both human and machine) 

5. The logical coordination among the preceding four functions

I use the word "detecting" to move away from the user 
application and *legal* usage, which may include "monitoring". 
 
I included the word "erroneous" to express that honeypots 
may also detect incidents which are not specifically 
unauthorized or illicit. For example, we deploy a honeypot as 
a security safeguard - When a legitimat User attempts to login 
to their website. However, after failing to correctly enter their 
password more than X times, the User triggers the security 
safeguard and is automatically redirected to the honeypot to 
detect if the incident is an erroneous action, unauthorized or 
illicit. 

I have used honeypots in this topology for some time and have 
foud the resource significantly beneficial in design, debug and 
enhancement of a systems functional utility as well as the 
user interface of web-based applications.  


Thoughts?


On 23 May 2003, at 17:05, Marc Dacier wrote:
> Based on this "usage", is this "information system resource" a
> honeypot ? I would tend to say yes but your definition leads me
> to believe that you would say no.
>
> Can't we come up with a definition that does not take the usage
> into account at all ?
>
> > Since this is the preferred option of the two, this is
> > what we will go with.
>
> Mmmmm ... the least worst of the two 'definitions' does not
> make a good one :-)
>
> Reactions, remarks ?
>
> Cheers,
> Marc

On 23 May 2003, at 9:30, Lance Spitzner wrote:

<snip>

 "A honeypot is an information system resource who's
    value lies in monitoring unauthorized or illicit use 
    of that resource"


   "A honeypot is an information system resource who's
    value lies in unauthorized or illicit use of that 
    resource"

<snip>

-

-
****************************************************
Bernie 
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************