Talk:Honeypot (computing)

Lance Spitzner has some great info on Honeypots at: http://www.trackinghackers.com

Need for Caution

"Honeypots can carry risks to a network, and must be handled with care. If they are not properly walled off, an attacker can use them to actually break into a system."

I suppose, but I'd like to see this fleshed out. Just what is it that makes a honeypot (which is or should be designed to be secure) more vulnerable than production systems? Is the main danger the danger from the very sophisticated intruders, who would choose to abuse a honeypot in order to show their prowess? I ask because some types of abuse that honeypots detect or thwart are not committed by sophisticated users, they are committed by "script kiddies" or the next level above them. There is such a thing as "production" abuse, with the best example being that committed millions of times daily by spammers. These abusers typically have neither the time nor the desire to concentrate on any one system: they just want enough abusable systems be able to send their spam. If a system is unusual or not immediately obvious as an exploitable target the abuser moves on. His goal is not to abuse any particular system or systems, his goal is to use abuse to cheaply and somewhat anonymously send his spam.

I think there's also a bit of confusion. Lance Spitzer describes, I think, general and very broad honeypots. For those honeypots and for the class of abusers who would tend to try to defeat them (the sophisticated abusers) the warning surely is valid. For single-purpose honeypots (e.g., open relay honeypots) the vulnerability should be about the same as the vulnerability of production systems. The first open relay honeypot I advocated was sendmail (a production software component), run so that it accepted everything and delivered nothing (easy to do on any system with no legitimate email function.) At that time (2001) sendmail -bd was the command needed to run sendmail in that mode. That's where my alias (Minasbeede = "Minus bd") arose. Such a honeypot would be no more nor no less vulnerable than a production system running sendmail as a real server.

Nothing I write is meant to advocate incaution. Comments that assume it is and then criticize it are welcome: part of the essence of caution is that nothing be taken for granted, nothing be overlooked, nothing left unexamined.

Minasbeede 16:35, 14 December 2005 (UTC)

It looks like the sentence quoted is no longer in the article so this section is an orphan. Minasbeede (talk) —Preceding undated comment added 00:28, 27 August 2019 (UTC)

Disambig

Is it time to make this a disambiguation page, and move the text to honeypot (computers)? That's an awful long list at the top of alternative, non-trivial synonyms. - DavidWBrooks 19:49, 7 February 2006 (UTC)

I say go for it! Many of the linked pages are small now but they look ripe for expansion. -SCEhardT 19:56, 7 February 2006 (UTC)

I'l wait a day to see if anybody complains. - DavidWBrooks 20:06, 7 February 2006 (UTC)

Further thought: The new page should probably be honeypot (electronic) in a similar way to spam (electronic) because the article covers devices that aren't strictly computers -SCEhardT 20:44, 7 February 2006 (UTC)

Well, somebody just did the exact opposite of what I was intending, merging a couple of honeypot sub-terms into this one. - DavidWBrooks 22:34, 7 February 2006 (UTC)

Oh, sorry, I didn't see this discussion was going on! I hate leaving so many stubs lying around when they're all realated (although after the merge I think Honey trap should be merged into Sting operation). So it's really just the merge of the computer and espionage stuff which are fairly well related, although I did toss quite a bit about the implementation details. Ewlyahoocom 22:47, 7 February 2006 (UTC)

I support the proposal to create a separate Disambig page. RayGates 21:01, 8 February 2006 (UTC)

Merge

I do not think these terms are similar enough (or small enough) to justify a merge. Plus, a lot of content was lost. I am reverting the merge for now - please discuss here before making such drastic changes. -SCEhardT 22:47, 7 February 2006 (UTC)

Alright, good luck with it. I look forward to seeing what you come up with (as long as its not 5 stubs and no articles ;-). Ewlyahoocom 23:02, 7 February 2006 (UTC)

5 stubs each clearly different and unrelated terms are much more menaingful than a single large poorly structured article. If you think a merge is a good idea, consider if there is still a connection if the page and stubs are translated into another language. Alex Law 23:46, 7 February 2006 (UTC)

You evidently haven't looked at the articles in question. There might be 2, possibly even 3, articles (or stubs) in here but currently the information is spread out horizontally i.e. each of the current articles repeats the same ideas with a lot of duplication, plus some information which might not be encyclopedic. Ewlyahoocom 06:47, 8 February 2006 (UTC)

Speaking as somebody whose three years on wikipedia has seen many a sub-stub grow to such proportion that the problem is keeping its size down, I don't think creating a series of stubs, as the disambiguation would do, is a problem. They will either grow, or not, as wikipedia sees fit. If they don't, they aren't really a problem. But having to wander through a bunch of unrelated topics in a single article to find the tidbit you're searching for - that is a problem. - DavidWBrooks 19:02, 8 February 2006 (UTC)

Clarifications

I understand all the words but still don't know what this means. If the attacker wants to break in (and the wanting to break in is important) then the attacker will look for anything vulnerable. The warning appears to assume the honeypot is in an environment that requires high security and that the attacker wishes to compromise the high security. Of course you want to be cautious in a high-security case. Many honeypots (e.g., open proxy honeypots) are intended to detect bulk abusers. The abuser doesn't care about any particular site per se, he just wants to exploit vulnerabilites he can find. For such abusers the probability of accomplishing any sort of attack through the honeypot is very small. He checks for apparent vulnerability. If he finds it, he abuses. If not, he goes on to the next IP in the list. It's not careful, meticulous, analytical hacking, it's bulk abuse, done as quickly and simply as possible. As such honeypots are often no more than applications that run under standard environments (e.g., Jackpot, the Bubblegum Proxypot) the greater risk, if there is a risk, resides almost totally in the risks that characterize that environment and not in the honeypot application. I'd think it foolhardy at the very least to deploy any honeypot that is intended to combat hard-core abusers without a very thorough understanding of the security risks and implications. In other words, the people most likely to use honeypots in the high-security environments hardly need this warning: their awareness surpasses that implied by the caution statement. I'd hope. Minasbeede -User:Minasbeede

Merges suggested (Feb 2007)

I have suggested merging a number of related stub articles into this article. I think it is better for an encyclopedia article to contain descriptions of a number of closely-related topics. As things stand right now, with all the topics stuck on their own pages, it is more like a dictionary. Sure, maybe the short definitions found in the header sections should be copied into Wiktionary, but instead of deletion from Wikipedia, they should be gathered together into one place. It seems to me like this article here is the best candidate. Think about it - if you want to learn about the topic, wouldn't you like to have the most important stuff all on one page? Sure, Wikipedia makes it easy to click on wiki links, but who wants to have to click on every link, sorting the related from the tangential? Cbdorsett 05:49, 11 February 2007 (UTC) Here is a list of the topics, separated so that any distinct issues can be commented on in their own place.

• Honeytoken
• Honeynet
• Victim host
• Client honeypot / honeyclient

I did not include Honeymonkey because I think it is too far removed, but it of course should remain as a "see also" link. Cbdorsett 05:54, 11 February 2007 (UTC)

• Merge All I agree with Cbdorsett. I noted these merge proposals while clearing a Backlog. I would do the merges myself right now, but it would probably be more fruitful if the interested party who tagged them proceeded. Alan.ca 12:24, 11 February 2007 (UTC)
• Merge all There's no real defining characteristic that distinguishes any of those from a honeypot (victim host is even defined to be another term for honeypot). Currently, it seems that we have multiple forks of the same article, with varying degrees of information. Mindmatrix 15:36, 11 February 2007 (UTC)

Since nothing's been done since February, and I - as a new reader to this article - support the merge, I have merged honeynet. EuroSong ^talk 23:32, 24 August 2007 (UTC)

Etymology issues

I removed the Etymology section since it was uncited, and I believe it to be suspicious. The reason is that I thought that the term came from the nickname for bedpan as being a "honeypot" and that this malware host is like a bedpan for software. I of course cannot include this in the article because it is completely researched, but given other possibilities for the origin and in the spirit of keeping Wikipedia accurate rather than long, I'm removing it. If it is added again I hope that it cites sources I will not be a pain and I'll leave it where it is.

Tyler (talk) 17:09, 7 April 2008 (UTC)

The First Honeypot

Since the software called Honey Pot written at the UPL University of Wisconsin predated the world wide web and web browser most stories about the History of Honey Pots are very likely wrong. Scottprovost (talk) 21:10, 10 April 2015 (UTC) The early FTP site operators on the Internet were often surprised to find, for instance, that there were people wanted their own copy of every IBM Redbook. Many of these organizations did not even own IBM equipment so rtfm servers became known for being "Honey Pots" (places the poo bears can not resist) This had nothing to do with hacking and all to do with what was called newbie curiosity. Many modified their FTP Servers to serve one packet per second or less. Since many newbies did not know how to kill their FTP and Gopher sessions, their hand was stuck in the cookie jar or their head in the honey pot. This became worse as more commercial service brought civilians and non academics to the net and tripwires and tar-pits were added. Things have changes since then and terms mean something different now but as for history, poo bears were generally AOL users new to the Internet that had no idea they were doing something unacceptable when they tried to download massive binary files of no use to them over a 300 baud modem. Scottprovost (talk) 21:41, 10 April 2015 (UTC)

Sugarcane

A honeypot that masquerades as an open proxy is known as a sugarcane.

I cannot find any reference about this sentence on the Internet; Google returns only circular references to Wikipedia. Does anybody have more information? 193.206.71.135 (talk) 07:32, 23 June 2008 (UTC)

I've now removed this statement, since no one replied. 193.206.71.135 (talk) 08:57, 3 July 2008 (UTC)

Fermented honeypot

There has been recent coinage of a new term of a "fermented honeypot" with the origional usage posted [[1]] by Toby Kohlenberg. To be honest his article is not very explanitory of the usage and confusing to many non computer-security professionals. From what I can tell it is a modification of a honeypot system to include an additional incentive to attackers and some form of reverse attack tailored to the discovered exploit. I have contacted the author for additional information for inclusion as a sub-type. (note numerous attempts at creating a seperate page has resulted in the title getting "salted" Halcyonforever (talk) 19:31, 15 January 2009 (UTC)

Removal of sections promoting various honeypot solutions - March 2009

I've removed a few poorly-written sections that appeared to exist mainly to promote various open source projects. While not disputing that there may be some pertinent information in the removed text, I feel that the tone, grammar and composition of some of the sections was of such low standard that it would be better to remove them for now. Hopefully an editor more experienced with the subject matter can review and reincorporate some/all of the removed text into the article as appropriate. juux ☠ 08:02, 25 March 2009 (UTC)

Etymology?

I would guess that this name comes from the same idea as "one can catch more flies with honey than with vinegar". Are there any reliable sources for this or for any other etymology? Nyttend (talk) 02:15, 1 July 2009 (UTC)

Edit Summary

Fat fingered it, so for this the Edit Summary doesn't match the edit action. 99.181.142.87 (talk) 07:38, 17 June 2012 (UTC)

Yes, it is duplication. It's a rephrasing of the second sentence of the paragraph. — Arthur Rubin (talk) 09:02, 17 June 2012 (UTC)

Medium Interaction?

Why is there no Medium Interaction category?

Kippo/cowrie describe themselves as such. Additionally i think the categorization of an independent service in that case ssh is a viable category. : There is even a scientific Article titled Medium interaction Honeypots. : http://julien.desfossez.free.fr/doc/midinthp.pdf :

NichtAllwissender (talk) 02:40, 3 June 2016 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified one external link on Honeypot (computing). Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Added archive https://web.archive.org/web/20140110215558/http://www.vsrdjournals.com/CSIT/Issue/2012_02_Feb/Web/10_Gaurav_Kaushik_586_Research_Communication_Feb_2012.pdf to http://www.vsrdjournals.com/CSIT/Issue/2012_02_Feb/Web/10_Gaurav_Kaushik_586_Research_Communication_Feb_2012.pdf

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 10:49, 6 November 2017 (UTC)