Friday | 10 July, 2009
CSO
Why virtual honeypots are sweet
Honeypot technology can be used for botnet-tracking or malicious code collection
Ellen Messmer (Network World) 13/08/2007 12:20:48

And what about two other tools you mention, Collapsar and the Potemkin Virtual Honeyfarm?

Provos: With Collapsar, from Purdue, the idea is being able to deploy nodes all over the Internet but the analysis is centralized. The Potemkin Virtual Honeyfarm, developed by researchers at the University of California, offers a lot of addresses on a network and provides high-profile addresses for all of them. It's a lightweight system of honeypots, of cloned honeypots. I don't believe it's open source at this point.

And what's the Honeywall for?

Holz: With Honeywall, you have a device to mitigate risk. If a cracker compromises your honeypot, you want to contain him within that honeynet. It's a kind of intrusion-prevention system that prevents outgoing attacks.

So does Google use a honeypot to watch for attacks?

Provos: I can't say anything about Google.

As you point out in your book, there may be legal reasons -- the legal concept of entrapment is sometimes brought up -- that may discourage use of honeypots even for protective purposes.

Provos: We're not lawyers so we're suggesting you talk with your legal counsel if you want to use honeypots. But we'd like to see a top-notch lawyer really look at this area.

There don't seem to be a lot of commercial honeypot products and you don't hear people talk about honeypots much.

Provos: Many antivirus companies use honeypots. A lot of the time, people don't want to discuss something they've put out there to catch problems. Even if you don't plan to deploy a honeypot, in our book you'll get insights into botnets and insider attacks.
