HoneyPot Definition gone wild

[FRITZ Michael <Michael.FRITZ () nextiraone at>]

Hi Guys & Girls,

we´re now coming close to the 100 statements.
As we all see - it´s not easy defining a valuable statement.
Just a small suggestion:
Honeypots are evolving technology
Every honeypot is different
Honeypots are used for different purposes

Based on one´s purpose a honeypot is & will be different for everyone

So why are we trying to define something in one or two sentences which can´t
be
narrowed done so closely, dependend on what purpose somebody is following. 

gruesse Michi




-----Ursprüngliche Nachricht-----
Von: Kohlenberg, Toby [mailto:toby.kohlenberg () intel com]
Gesendet: Montag, 26. Mai 2003 01:48
An: cta () hcsin net; honeypots () securityfocus com
Cc: Lance Spitzner
Betreff: RE: Honeypot Defintion - over thinking it.


I've seen a number of interesting suggestions and lots of good thoughts
but
I keep seeing definitions that seem overly complex.
Here's my reasoning- you can use a honeypot for lots of things-
research, intrusion
detection, entertainment (the honeypot drinking game? every time your
attacker tries
a DOS command on a unix system you have to drink! ), whatever. The
question isn't what
you're using it for. The question is, how is a honeypot different from
any other system
on the network? For instance, the definition that has been offered up
recently:
"A honeypot is an information system resource who's value lies in
monitoring 
unauthorized or illicit use of that resource" 
is a good start but it doesn't get to the heart of the matter. Any
system may 
have value in monitoring it for unauthorized or illicit activity.

The key distinction about a honeypot is that there is _no_ legitimate
reason for someone
to be on it. Therefore, I submit this definition:

"A honeypot is a system or dataset for which there is no legitimate
reason for someone
to interact with it and therefore _all_ use can be considered
unauthorized."

I think it really is that simple. What do y'all think?

toby

> -----Original Message-----
> From: Bernie, CTA [mailto:cta () hcsin net] 
> Sent: Saturday, May 24, 2003 7:33 AM
> To: honeypots () securityfocus com
> Cc: Lance Spitzner
> Subject: Re: Honeypot Defintion - Almost There, or a new path?
>
>
>
> I feel Marc's perspective has merit. 
>
> After pondering the definitions presented thus far, and while
> considering a simple technical definition of a Computer, i.e., "A
> device that receives, stores, processes, and presents data in
> response to commands", I suggest this definition:
>
> Honeypot:
> "An automated computer system for detecting erroneous, 
> unauthorized or illicit use of system resources."
>
> As an old embedded system engineer, I decided to include 
> the word "automated" as to infer the implicit use of 5 basic
> functions of automation: 
> 1. Collection of Information 
>
> 2. Communication of Information (man-machine, machine- 
> machine) 
>
> 3. Computation of Information  (data logging and data 
> processing) 
>
> 4. Control of Operations (both human and machine) 
>
> 5. The logical coordination among the preceding four functions
>
> I use the word "detecting" to move away from the user 
> application and *legal* usage, which may include "monitoring". 
>  
> I included the word "erroneous" to express that honeypots 
> may also detect incidents which are not specifically 
> unauthorized or illicit. For example, we deploy a honeypot as 
> a security safeguard - When a legitimat User attempts to login 
> to their website. However, after failing to correctly enter their 
> password more than X times, the User triggers the security 
> safeguard and is automatically redirected to the honeypot to 
> detect if the incident is an erroneous action, unauthorized or 
> illicit. 
>
> I have used honeypots in this topology for some time and have 
> foud the resource significantly beneficial in design, debug and 
> enhancement of a systems functional utility as well as the 
> user interface of web-based applications.  
>
>
> Thoughts?
>
>
> On 23 May 2003, at 17:05, Marc Dacier wrote:
> > Based on this "usage", is this "information system resource" a
> > honeypot ? I would tend to say yes but your definition leads me
> > to believe that you would say no.
> >
> > Can't we come up with a definition that does not take the usage
> > into account at all ?
> >
> > > Since this is the preferred option of the two, this is
> > > what we will go with.
> >
> > Mmmmm ... the least worst of the two 'definitions' does not
> > make a good one :-)
> >
> > Reactions, remarks ?
> >
> > Cheers,
> > Marc
>
> On 23 May 2003, at 9:30, Lance Spitzner wrote:
>
> <snip>
>
>  "A honeypot is an information system resource who's
>     value lies in monitoring unauthorized or illicit use 
>     of that resource"
>
>
>    "A honeypot is an information system resource who's
>     value lies in unauthorized or illicit use of that 
>     resource"
>
> <snip>
>
> -
>
> -
> ****************************************************
> Bernie 
> Chief Technology Architect
> Chief Security Officer
> cta () hcsin net
> Euclidean Systems, Inc.
> *******************************************************
> // "There is no expedient to which a man will not go 
> //    to avoid the pure labor of honest thinking."   
> //     Honest thought, the real business capital.    
> //      Observe> Think> Plan> Think> Do> Think>      
> *******************************************************