On Tue, 2003-05-20 at 04:23, Lance Spitzner wrote:
>
> First, many people are including the term 'decoy' in the
> definition. While honeypots can 'decoy', I don't think
> that should be in the definition. The term decoy implies
> "to lure or entrap". Often honeypots don't lure. You just
> put them out there and the bad guys find them on their own
> intiative, nothing special is done to insare the attacker.
> The Honeynet Project has being doing this for years now.

Mhmm I think this is difficult to put concisely. Basically you want to
define something like a mousetrap without cheese -- the only thing I can
think of that does something like that in the real world is a minefield.

> Second, many people are including in the definition how
> honeypots are used to learn or research. Once again, while
> honeypots can do this, they can do so much more. They
> can be used for preventing attacks (such as LaBrea Tarpit)
> or be used purely for detection similar to an IDS
> system (such as Honeyd). We have to be very careful
> in our defintion to ensure we do not imply why we would
> want to use a honeypot.

I fully agree with this -- it's the old mechanism versus policy argument
I guess.

> Based on all the feedback we have been getting, I've
> narrowed this down into two options.
>
> Thoughts?
>
>
> OPTION A
> --------
> "A honeypot is an information system resource who's
> value lies in being probed, attacked, or compromised"
>
>
> OPTION B
> --------
> "A honeypot is an information system resource who's
> value lies in monitoring unauthorized or illicit use of
> that resource"

Among those I still prefer the first one. Actually if you just drop
"decoy" from my attempt I still like it:

"A honeypot is an information system resource set up for the purpose of
monitoring and logging the activities of entities that probe, attack or
compromise it."

Cheers,
Christian.
--
________________________________________________________________________

http://www.whoop.org

[ reply ]