Okay folks, attempting to define what a honeypot is has
been extremely interesting (and challenging). If
nothing else, I think we are all beginning to realize just
how powerful and flexible honeypots can be. I've also got
a feeling no matter which definition we use, we will not
be able to make everyone happy. However, we will try to
get there as close as possible :)

Based on the feedback we have gotten over the past week,
it looks like Option B was the preferred option. That
definition is as follows.

"A honeypot is an information system resource who's
value lies in monitoring unauthorized or illicit use
of that resource"

Since this is the preferred option of the two, this is
what we will go with. HOWEVER, I'm uncomfortable with the
word 'monitoring' in the definition. I was thinking we
could remove it. Not all honeypots derive their value
from being monitored. For example, I may build a honeypot
so it gets hacked, just so I can do forensics on it and
develop my forensic skills. Sticky honeypots like LaBrea
Tarpit are not used to monitor scanning activity, but
slow down scans. A deceptive honeypot may not be used to
monitor attackers, but used to give the attacker bad or
deceiving information. I was thinking that if we remove
the word monitoring, the definition is more flexible.
It includes the concept of monitoring, but other concepts
as well.

Am I being to anal here, too detailed oriented? Without
the word monitoring, the defintion would look like this.

"A honeypot is an information system resource who's
value lies in unauthorized or illicit use of that
resource"

Thoughts?

Thanks!

lance

[ reply ]