Lance Spitzner has some great info on Honeypots at: http://www.trackinghackers.com
Need for Caution
"Honeypots can carry risks to a network, and must be handled with care. If they are not properly walled off, an attacker can use them to actually break into a system."
I suppose, but I'd like to see this fleshed out. Just what is it that makes a honeypot (which is or should be designed to be secure) more vulnerable than production systems? Is the main danger the danger from the very sophisticated intruders, who would choose to abuse a honeypot in order to show their prowess? I ask because some types of abuse that honeypots detect or thwart are not committed by sophisticated users; they are committed by "script kiddies" or the next level above them. There is such a thing as "production" abuse, with the best example being that committed millions of times daily by spammers. These abusers typically have neither the time nor the desire to concentrate on any one system: they just want enough abusable systems to be able to send their spam. If a system is unusual or not immediately obvious as an exploitable target, the abuser moves on. His goal is not to abuse any particular system or systems; his goal is to use abuse to cheaply and somewhat anonymously send his spam.
I think there's also a bit of confusion. Lance Spitzner describes, I think, general and very broad honeypots. For those honeypots and for the class of abusers who would tend to try to defeat them (the sophisticated abusers) the warning surely is valid. For single-purpose honeypots (e.g., open relay honeypots) the vulnerability should be about the same as the vulnerability of production systems. The first open relay honeypot I advocated was sendmail (a production software component), run so that it accepted everything and delivered nothing (easy to do on any system with no legitimate email function). At that time (2001) sendmail -bd was the command needed to run sendmail in that mode. That's where my alias (Minasbeede = "Minus bd") arose. Such a honeypot would be no more and no less vulnerable than a production system running sendmail as a real server.
Nothing I write is meant to advocate incaution. Comments that assume it is and then criticize it are welcome: part of the essence of caution is that nothing be taken for granted, nothing be overlooked, nothing left unexamined.
Minasbeede 16:35, 14 December 2005 (UTC)
Is it time to make this a disambiguation page, and move the text to honeypot (computers)? That's an awful long list at the top of alternative, non-trivial synonyms. - DavidWBrooks 19:49, 7 February 2006 (UTC)
- I say go for it! Many of the linked pages are small now but they look ripe for expansion. -SCEhardT 19:56, 7 February 2006 (UTC)
- I'll wait a day to see if anybody complains. - DavidWBrooks 20:06, 7 February 2006 (UTC)
- Further thought: The new page should probably be honeypot (electronic) in a similar way to spam (electronic) because the article covers devices that aren't strictly computers -SCEhardT 20:44, 7 February 2006 (UTC)
- Well, somebody just did the exact opposite of what I was intending, merging a couple of honeypot sub-terms into this one. - DavidWBrooks 22:34, 7 February 2006 (UTC)
Oh, sorry, I didn't see this discussion was going on! I hate leaving so many stubs lying around when they're all related (although after the merge I think Honey trap should be merged into Sting operation). So it's really just the merge of the computer and espionage stuff, which are fairly well related, although I did toss quite a bit about the implementation details. Ewlyahoocom 22:47, 7 February 2006 (UTC)
I support the proposal to create a separate Disambig page. RayGates 21:01, 8 February 2006 (UTC)
I do not think these terms are similar enough (or small enough) to justify a merge. Plus, a lot of content was lost. I am reverting the merge for now - please discuss here before making such drastic changes. -SCEhardT 22:47, 7 February 2006 (UTC)
- Alright, good luck with it. I look forward to seeing what you come up with (as long as it's not 5 stubs and no articles ;-). Ewlyahoocom 23:02, 7 February 2006 (UTC)
- 5 stubs, each a clearly different and unrelated term, are much more meaningful than a single large, poorly structured article. If you think a merge is a good idea, consider whether there is still a connection if the page and stubs are translated into another language. Alex Law 23:46, 7 February 2006 (UTC)
- You evidently haven't looked at the articles in question. There might be 2, possibly even 3, articles (or stubs) in here but currently the information is spread out horizontally i.e. each of the current articles repeats the same ideas with a lot of duplication, plus some information which might not be encyclopedic. Ewlyahoocom 06:47, 8 February 2006 (UTC)
- Speaking as somebody whose three years on wikipedia has seen many a sub-stub grow to such proportion that the problem is keeping its size down, I don't think creating a series of stubs, as the disambiguation would do, is a problem. They will either grow, or not, as wikipedia sees fit. If they don't, they aren't really a problem. But having to wander through a bunch of unrelated topics in a single article to find the tidbit you're searching for - that is a problem. - DavidWBrooks 19:02, 8 February 2006 (UTC)
I understand all the words but still don't know what this means. If the attacker wants to break in (and the wanting to break in is important) then the attacker will look for anything vulnerable. The warning appears to assume the honeypot is in an environment that requires high security and that the attacker wishes to compromise the high security. Of course you want to be cautious in a high-security case. Many honeypots (e.g., open proxy honeypots) are intended to detect bulk abusers. The abuser doesn't care about any particular site per se; he just wants to exploit vulnerabilities he can find. For such abusers the probability of accomplishing any sort of attack through the honeypot is very small. He checks for apparent vulnerability. If he finds it, he abuses. If not, he goes on to the next IP in the list. It's not careful, meticulous, analytical hacking; it's bulk abuse, done as quickly and simply as possible. As such honeypots are often no more than applications that run under standard environments (e.g., Jackpot, the Bubblegum Proxypot), the greater risk, if there is a risk, resides almost totally in the risks that characterize that environment and not in the honeypot application. I'd think it foolhardy at the very least to deploy any honeypot that is intended to combat hard-core abusers without a very thorough understanding of the security risks and implications. In other words, the people most likely to use honeypots in high-security environments hardly need this warning: their awareness surpasses that implied by the caution statement. I'd hope. Minasbeede -User:Minasbeede
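The "accept everything, deliver nothing" open-relay honeypot described in the sendmail -bd comment above, and the bulk-abuser behaviour discussed in this reply, as an added illustration that is not code from the talk page, from sendmail, or from either poster: a minimal SMTP state machine that acknowledges every relay attempt with 250, swallows the message data, and only records the envelope for later analysis. The hostname honeypot.example and the client session are constructed for the example.

```python
import re
class OpenRelayHoneypot:
    """SMTP state for one connection: every MAIL/RCPT/DATA is acknowledged as
    if relaying worked, but nothing is queued. Attempts land in self.attempts."""
    def __init__(self, host="honeypot.example"):   # hypothetical hostname
        self.host, self.attempts = host, []        # attempts: list of dicts
        self._cur, self._in_data, self._body_len = None, False, 0

    def handle_line(self, line):
        """Reply for one client line; '' while swallowing message data."""
        if self._in_data:
            if line != ".":
                self._body_len += len(line) + 2    # count the CRLF too
                return ""
            self._in_data = False                   # end of message
            self._cur["body_bytes"] = self._body_len
            self.attempts.append(self._cur)         # recorded, never delivered
            self._cur = None
            return "250 OK: queued"                 # deliberately false
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            return "250 " + self.host
        if cmd == "MAIL":
            self._cur = {"sender": _addr(arg), "recipients": [], "body_bytes": 0}
            return "250 OK"
        if cmd == "RCPT":
            if self._cur is None:
                return "503 need MAIL first"
            self._cur["recipients"].append(_addr(arg))   # any domain accepted
            return "250 OK"
        if cmd == "DATA":
            if self._cur is None or not self._cur["recipients"]:
                return "503 need RCPT first"
            self._in_data, self._body_len = True, 0
            return "354 End data with <CR><LF>.<CR><LF>"
        if cmd == "QUIT":
            return "221 Bye"
        return "500 unrecognized command"
def _addr(arg):  # address out of 'FROM:<a@b>' / 'TO:<a@b>'
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1) if m else arg.split(":", 1)[-1].strip()
def run_session(lines):  # feed a scripted session; return (attempts, replies)
    hp = OpenRelayHoneypot()
    replies = [hp.handle_line(l) for l in lines]
    return hp.attempts, replies
# Constructed sample: a bulk abuser probing for an open relay
SESSION = ["EHLO spammer.invalid", "MAIL FROM:<bulk@spammer.invalid>",
           "RCPT TO:<victim1@example.net>", "RCPT TO:<victim2@example.org>",
           "DATA", "Subject: buy now", "", "spam body", ".", "QUIT"]
```

The risk discussed in the thread lives outside this handler: the process has no outbound mail path at all, so what remains to secure is the host and the listening socket, exactly as for a production mailer.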
Merges suggested (Feb 2007)
I have suggested merging a number of related stub articles into this article. I think it is better for an encyclopedia article to contain descriptions of a number of closely-related topics. As things stand right now, with all the topics stuck on their own pages, it is more like a dictionary. Sure, maybe the short definitions found in the header sections should be copied into Wiktionary, but instead of deletion from Wikipedia, they should be gathered together into one place. It seems to me like this article here is the best candidate. Think about it - if you want to learn about the topic, wouldn't you like to have the most important stuff all on one page? Sure, Wikipedia makes it easy to click on wiki links, but who wants to have to click on every link, sorting the related from the tangential? Cbdorsett 05:49, 11 February 2007 (UTC) Here is a list of the topics, separated so that any distinct issues can be commented on in their own place.
- Merge All I agree with Cbdorsett. I noted these merge proposals while clearing a Backlog. I would do the merges myself right now, but it would probably be more fruitful if the interested party who tagged them proceeded. Alan.ca 12:24, 11 February 2007 (UTC)
- Merge all There's no real defining characteristic that distinguishes any of those from a honeypot (victim host is even defined to be another term for honeypot). Currently, it seems that we have multiple forks of the same article, with varying degrees of information. Mindmatrix 15:36, 11 February 2007 (UTC)
I removed the Etymology section since it was uncited, and I believe it to be suspicious. The reason is that I thought that the term came from the nickname for bedpan as being a "honeypot" and that this malware host is like a bedpan for software. I of course cannot include this in the article because it is completely researched, but given other possibilities for the origin and in the spirit of keeping Wikipedia accurate rather than long, I'm removing it. If it is added again, I hope that it cites sources; I will not be a pain and I'll leave it where it is.
I cannot find any reference about this sentence on the Internet; Google returns only circular references to Wikipedia. Does anybody have more information? 126.96.36.199 (talk) 07:32, 23 June 2008 (UTC)
There has been recent coinage of a new term, "fermented honeypot", with the original usage posted [] by Toby Kohlenberg. To be honest, his article is not very explanatory of the usage and confusing to many non-computer-security professionals. From what I can tell it is a modification of a honeypot system to include an additional incentive to attackers and some form of reverse attack tailored to the discovered exploit. I have contacted the author for additional information for inclusion as a sub-type. (Note: numerous attempts at creating a separate page have resulted in the title getting "salted".) Halcyonforever (talk) 19:31, 15 January 2009 (UTC)
Removal of sections promoting various honeypot solutions - March 2009
I've removed a few poorly-written sections that appeared to exist mainly to promote various open source projects. While not disputing that there may be some pertinent information in the removed text, I feel that the tone, grammar and composition of some of the sections was of such low standard that it would be better to remove them for now. Hopefully an editor more experienced with the subject matter can review and reincorporate some/all of the removed text into the article as appropriate. juux ☠ 08:02, 25 March 2009 (UTC)
I would guess that this name comes from the same idea as "one can catch more flies with honey than with vinegar". Are there any reliable sources for this or for any other etymology? Nyttend (talk) 02:15, 1 July 2009 (UTC)