
Use a Honeypot, Go to Prison?

Posted by CmdrTaco
from the sticky-situations dept.
scubacuda writes "Using a honeypot to detect and surveil computer intruders might put you on the working end of a federal wiretapping beef, or even get you sued by the next hacker that sticks his nose in the trap, according to this (old) Security Focus article. Honeypots could be what federal criminal law calls "interception of communications", a felony that carries up to five years in prison. Because the Federal Wiretap Act has civil provisions, as well as criminal, there's even a chance that a hacker could file a lawsuit against a honeypot operator that doesn't have their legal ducks in a row. "It would take chutzpah," said Richard Salgado, senior counsel for the Department of Justice's computer crime unit, "But there's a case where an accused kidnapper who was using a cloned cell phone sued for the interception of the cell phone conversations... And he won.""

  • oh no! (Score:5, Funny)

    by fjordboy (169716) on Thursday May 22, 2003 @03:49PM (#6017886) Homepage
    I always knew that something bad would come of Pooh and his addiction...

    Who knew that honeypots would lead to jail? I bet even Owl and Rabbit didn't know that!
  • Err... (Score:5, Insightful)

    by .com b4 .storm (581701) on Thursday May 22, 2003 @03:50PM (#6017905)
    If it's YOUR system, then how are you "intercepting" anything? If someone tries to crack into a system that is yours, then who cares if it is a honeypot or not? This is like a burglar suing a homeowner because he cut himself on a knife he was stealing along with the rest of their silverware...
    • Re:Err... (Score:3, Funny)

      by gid (5195)
      This is like a burglar suing a homeowner because he cut himself on a knife he was stealing along with the rest of their silverware...

      Ah but the burglar CAN sue you for cutting himself on your knife. Welcome to the good old US of A.
      • Re:Err... (Score:4, Insightful)

        by fjordboy (169716) on Thursday May 22, 2003 @03:56PM (#6017972) Homepage
        He won't win though. He can sue all he wants..the results won't be in his favor.

        I can *sue* you for making this post if I have the money and a lawyer...I might be the laughingstock of the courtroom, but I have the right to sue you.
        • Re:Err... (Score:5, Interesting)

          by Fulcrum of Evil (560260) on Thursday May 22, 2003 @04:02PM (#6018043)

          He won't win though

          He might. Burglars have successfully sued homeowners for falling through a roof and injuring themselves whilst breaking into said house.

          • Re:Err... (Score:5, Funny)

            by outsider007 (115534) on Thursday May 22, 2003 @04:10PM (#6018123)
            next we'll see handicapped burglars suing homeowners for not providing wheelchair access to their valuables.
        • Re:Err... (Score:5, Insightful)

          by antis0c (133550) on Thursday May 22, 2003 @04:06PM (#6018087)
          Let's not forget the man who successfully sued a car owner for driving over his hand as he was trying to steal his hub caps.

          I think it's fucked up myself too. Sure if someone is entering my house, I can shoot them. But by God if they cut themselves on a steak knife I left out I might be liable for thousands.

          Oh well, in the larger scheme of things our legal system is still new. It will take a while for stuff like this to get sorted out.
          • As antis0c said:

            Let's not forget the man who successfully sued a car owner for driving over his hand as he was trying to steal his hub caps.

            I think it's fucked up myself too. Sure if someone is entering my house, I can shoot them. But by God if they cut themselves on a steak knife I left out I might be liable for thousands.

            Oh well, in the larger scheme of things our legal system is still new. It will take a while for stuff like this to get sorted out.

            Obviously, the solution is to leave a gun out that the

          • Re:Err... (Score:5, Funny)

            by cptgrudge (177113) <cptgrudge@gmaSLA ... com minus distro> on Thursday May 22, 2003 @04:25PM (#6018276) Journal
            Burglar scopes out my house as a score.

            Burglar enters my house through a window.

            Window breaks, burglar cuts arm.

            I hear it, grab my gun, and see the burglar bleeding on my oriental throw rug.

            I say, "Sorry man, I don't really want to kill you, but I won't be liable for it and there's less paperwork that way."

            BAM!

      • Re:Err... (Score:5, Informative)

        by stratjakt (596332) on Thursday May 22, 2003 @04:01PM (#6018040) Journal
        No, but he could sue you if he fell down the stairs because there was no guard rail, or suffered 3rd degree burns because there were no smoke alarms.

        Both of these have to do with building/safety/fire codes, and you're liable for anything that happens to anyone if you don't meet code.

        Of course, the burglar still goes to jail.

        It's a case of two wrongs not making a right, it makes for two punishments.
    • Re:Err... (Score:5, Funny)

      by Anonymous Coward on Thursday May 22, 2003 @03:53PM (#6017930)
      So I guess the fact that I have event logging on my Windows 2000 server makes me a criminal.

      Stupidity always manages to get its way...
      • Or logging HTTP requests, or logging dropped firewall packets, or ...

        Dumb frickin' laws. Just goes to prove that the population is rising at logarithmic levels while the universal IQ is a constant.

    • Re:Err... (Score:4, Insightful)

      by EmagGeek (574360) <gterich@aol.LISPcom minus language> on Thursday May 22, 2003 @03:54PM (#6017944) Journal
      "This is like a burglar suing a homeowner because he cut himself on a knife he was stealing along with the rest of their silverware... "

      And there's tons of legal precedent out there making homeowners liable for injuries incurred on their premises, regardless of the motivation of the "visitor."

      If you look at all of the cases out there, one could make a very strong argument that homeowners are required by this precedent to make their homes safe for burglars.

      This really isn't any different if you think about it. We have to make sure we exercise care for the safety of criminals. It's sad, but unfortunately becoming more true every day.
    • Re:Err... (Score:3, Interesting)

      by u19925 (613350)
      "If someone tries to crack into a system that is yours, then who cares if it is a honeypot or not?"

      not really. if you put an expensive jewel in your front yard, display it prominently, tell others that there are no security measures preventing theft, blah.... and then put a trap which would kill intruder. well, you will go to jail for doing that.
      • So all hosts on the internet are an "attractive nuisance"? Also, I don't think honeypots cause any sort of bodily or monetary harm (unless you consider the cracker's time worth money). I don't think this is an apt analogy.
      • The chief difference between a honeypot and a man-trap is that the honeypot doesn't kill intruders. Duh.

      • Re:Err... (Score:5, Interesting)

        by .com b4 .storm (581701) on Thursday May 22, 2003 @04:04PM (#6018065)

        not really. if you put an expensive jewel in your front yard, display it prominently, tell others that there are no security measures preventing theft, blah.... and then put a trap which would kill intruder. well, you will go to jail for doing that.

        That's an interesting analogy, but the "trap which would kill intruder" part is silly. A honeypot does not kill a cracker, it does not trojan their system(s), it doesn't do anything except act like a generic and (usually) unsecured box. If I have an expensive jewel in my front yard, and I have a security camera (heh) that records some guy stealing it, can he sue me for video taping him on _MY_ property stealing _MY_ possession?

        • Re:Err... (Score:3, Informative)

          by MrWinkey (454317)
          Yes he can IF you do not have one of them lil stickers that says

          "Premises subject to video monitoring"

          Or one of them like that. There are even laws that say how big that sticker is supposed to be.
    • Re:Err... (Score:3, Insightful)

      by stratjakt (596332)
      No, it's like a burglar suing because you caught him in the act on CCTV without his permission.

      Actually, it's nothing like it, since the law is about electronic communications.

      You know, the reason Linda Tripp got in so much shit for taping Lewinsky's conversations.

      If someone calls you on the phone, you can't tape it to use it against them (unless they know it's being taped).

      So, honeypots aside, if you apply this to computers, does not any sort of log count? Web hit logs? Cookies that you didn't know abo
      • Re:Err... (Score:5, Informative)

        by Brian Knotts (855) <.bknotts. .at. .cascadeaccess.com.> on Thursday May 22, 2003 @04:07PM (#6018099)
        If someone calls you on the phone, you can't tape it to use it against them (unless they know it's being taped).

        Yes, you can...depending on the state.

        It just happened that Ms. Tripp's taping occurred in Maryland, where both parties must consent to taping. Many states only require one party's consent, however.

      • So, honeypots aside, if you apply this to computers, does not any sort of log count? Web hit logs? Cookies that you didn't know about? Email spools?

        I think it would only count if your system was acting as a relay between two end-points. Then, it would also only count if you didn't publicize what you are doing. I think that I am going to add that onto my systems... "Any information passed through this system may be logged and used as the operator sees fit or under court subpoena. If you do not agree, di
      • Re:Err... (Score:4, Interesting)

        by tomhudson (43916) <.barbara.hudson. ... bara-hudson.com.> on Thursday May 22, 2003 @04:14PM (#6018162) Journal

        The FCC has ruled (taping telephone conversations [consumer-action.org]) regulations do not apply to law enforcement investigations, emergency situations or patently unlawful conversations.

        So, since a breakin into a honeypot is an "illegal conversation" between your server and some hacker, started by the hacker, FCC rules don't apply.

    • Re:Err... (Score:5, Insightful)

      by kikta (200092) <{jason} {at} {kikta.net}> on Thursday May 22, 2003 @04:01PM (#6018031)
      The article talks about the problem occurring if and when the intruder uses the honeypot to connect to a third system and the honeypot acts as an intermediary between the two (and logs all the keystrokes & traffic). Regardless, this is pretty far-fetched, IMHO. Yes, a jury of idiots may side with the cracker, but a jury of idiots could theoretically do almost whatever they please. Just hope that the appeals court is sane.
    • This is like a burglar suing a homeowner because he cut himself on a knife he was stealing along with the rest of their silverware...

      You obviously don't live in the USA. I'm sure it's happened, and maybe the burglar didn't win but I bet (s)he had their day in court.
    • Which could probably happen. =)
    • Re:Err... (Score:3, Informative)

      by Shackleford (623553)
      If someone tries to crack into a system that is yours, then who cares if it is a honeypot or not? This is like a burglar suing a homeowner because he cut himself on a knife he was stealing along with the rest of their silverware...

      I'd say that your analogy is quite accurate. But it may not even matter. What you said reminds me of this apparently true story, from here. [ebaumsworld.com] It goes as follows:

      "Terrence Dickson of Bristol, Pennsylvania, was leaving a house he had just finished robbing b

    • This is like a burglar suing a homeowner because he cut himself on a knife he was stealing along with the rest of their silverware...

      Kinda, but to extend the analogy, I can shoot the burglar dead if my life is being threatened, so there is a line there where my liability ends and my right of self defense begins. Where is that line when it comes to a computer system?

      I don't think anyone knows the answer to that right now, since the courts are still wrestling with it. Hopefully there will be a few luc

  • by eaglebtc (303754) * on Thursday May 22, 2003 @03:51PM (#6017913)
    Whatever happened to good-old-fashioned access logs? On the other hand, this is just like setting up bear traps. Only difference is, the bears can't sue you in court. But they'll probably eat you alive if they ever get out of the trap.
  • by Nagatzhul (158676) on Thursday May 22, 2003 @03:52PM (#6017921)
    Hmmmm..... How can you intercept your own communications? Does that mean it violates federal law to use voice mail or an answering machine? After all, they also "intercept" communications.
    • It's not about intercepting your own, but intercepting someone else's communications. It wouldn't be intercepting if it were your own communications.

      I remember reading this article when it came out on SF, so give me a break if I'm shaky on the details. That said, the point was that if a cracker breaks into your honeypot and launches an attack from there (or just uses it to check his email and chat on IRC) which you log, you have intercepted communications in which you were not participating.

      Obviously

  • by Travoltus (110240) on Thursday May 22, 2003 @03:52PM (#6017923) Journal
    If I put a sign on all my machines saying "all activity on this machine is subject to monitoring. If you don't like it, leave now", am I still lia-bull??
    • Well, where would you put the sign? An intruder may never see the login banner. If it turns out you need to CYA by notifying intruders that they may be recorded, you'd have to change your sendmail response string, IIS banner, and everything else that a bad guy might crawl through. At which point your honeypot no longer looks like a normal system. And you still wouldn't have covered Trojan Horses.

      Not to mention that the most common attacks will be automated and the bad guy will never see your notification.
  • Heh. (Score:5, Funny)

    by k03 kalle (669378) <kalle@networ[ ]is.org ['kth' in gap]> on Thursday May 22, 2003 @03:53PM (#6017928) Homepage
    The computers you own are not actually yours. They are owned by the United States govt. Everyone go download their new distributed CPU project called "Count The Votes". Oh, wait, they installed it for me. Thank you govt. :D On a serious note though. It's getting to be that regular Americans can't do anything without fear of getting sued or suing someone else. McDonalds coffee anyone?
  • Eh, I wouldn't worry (Score:4, Interesting)

    by I Am The Owl (531076) on Thursday May 22, 2003 @03:53PM (#6017933) Homepage Journal
    If you're, say, Fyodor [insecure.org] and you're running a honeypot (like he does, he's involved w/ the project), you can more or less count on the fact that the perp is some poor minor or college student who won't be able to bring suit in court. Hell, if you're Fyodor, this works when you're on the other side, too.
  • Exploit (Score:5, Funny)

    by DJ Rubbie (621940) on Thursday May 22, 2003 @03:54PM (#6017942) Homepage Journal
    I can see this might happen:

    1) Find Open Windoze SMB share (or any open, insecure systems)
    2) "Hack" into it
    3) Try to get caught (log files, whatever)
    4) Claim that was a honeypot
    5) Sue for profit

    It does seem this easy.
  • WANTED... (Score:2, Funny)

    by LordYUK (552359)
    Small, yellow bear wearing red shirt.

    Suspect goes by the name of "Winnie the Pooh" which he received because he smears feces all over his victims after he murders them. Suspect keeps company with the likes of a bouncing self proclaimed "thug" named "Tigger" and a small yet crafty mastermind of evil "Piglet".

    Suspects should be considered armed and dangerous. If seen, please contact Detective Christopher Robinson.

    We advise the public to keep all Honeypots safely out of sight and or smell.
  • So Homeland Security is more important than Home Security? ;-)

    Better unlock my door for the Feds!
  • by binaryDigit (557647) on Thursday May 22, 2003 @03:55PM (#6017963)
    Couldn't this be avoided by making the honeypot actually "do something", thereby making it not a "honeypot"? IE, stick some files on there and call it a backup server (unimportant files of course) or whatever. After all, aren't the most effective honey pots those that fool the intruder into thinking that it's a real "site", what better way than to sorta make it real? Nothing illegal about monitoring your own real site right?
  • loopholes (Score:3, Insightful)

    by Anonymous Coward on Thursday May 22, 2003 @03:55PM (#6017964)
    What does it say about a society that allows a person *caught in the act* of committing a crime to sue because he wasn't caught "legally"?

    I mean, I know there's always the opportunity for abuse, etc., but... come on! I mean, a lawbreaker sues because something bad happened *while breaking the law*.

    That's just sad. And not sad as in: 'that criminal is an idiot'... sad as in: 'that justice system needs some work'.

  • It looks to me... (Score:5, Insightful)

    by zutroy (542820) on Thursday May 22, 2003 @03:57PM (#6017984) Homepage
    ...like the article is actually saying that you could be sued if a hacker used your honeypot machine to hack into another machine that's not on your network. The argument is that you set up a machine to be hacked, and it got hacked, and was then used to hack others...kind of like saying that you've become an accomplice in hacking. So the lesson is to secure your honeypot machine, so it can't be used for evil.
  • by dtolton (162216) * on Thursday May 22, 2003 @03:57PM (#6017990) Homepage
    I'm as against the invasion of federal powers as the next guy,
    but something that hurts that cause is overly reactionary or
    alarmist arguments. This article strikes me that way.

    Anyone who has spent some time in a court room realizes that
    judges are not the completely inept morons they are often made
    out to be. Sure someone could "sue" you for breaking a
    wiretapping law, that doesn't however mean they would win.
    People seldom appreciate the difference between those two
    things, anyone can sue for just about anything. Whether or not
    they win the case is an entirely different thing.

    Saying that monitoring a honey pot is a violation of the federal
    wiretapping act is a huge legal stretch IMO. Even though a
    honeypot is designed to be hacked, it still has to be hacked.
    They still have to commit a felony to get into it, that's the
    equivalent of saying that if someone hacks into your workstation
    and you happen to be monitoring it at the time you are then in
    violation of the federal wiretapping act. That is just patently
    absurd.

    The one example they use isn't very compelling to me either.
    They are as usual light on the details, but "tapping" a cell
    phone that isn't yours is an entirely different story than
    monitoring a computer that you own and operate.

    Every once in a while we get crazy laws on the books, and off
    the wall judges pushing their own agendas, but when things make
    it to the supreme court or the higher courts, things usually
    shake out in a logical and reasonable fashion. The first time
    someone gets *successfully* prosecuted under this, then I'll
    buy it.
  • by deadfishhotmail.com (548162) <deadfish@h o t m a i l . c om> on Thursday May 22, 2003 @03:57PM (#6017994) Journal
    We trust you have received the usual lecture from the local System Administrator. It usually boils down to these four things: #1) Respect the privacy of others. #2) Think before you type. #3) Everything is being recorded #4) You've just rooted my server, before continuing your hacking please read the complete TOS in /usr/share/tos. If you do not agree to the TOS you must stop hacking my server immediately. root#
    That outta do it!
  • Honey Pot? (Score:4, Funny)

    by LordYUK (552359) <jeffwright821@@@gmail...com> on Thursday May 22, 2003 @03:57PM (#6017995)
    I've tried some weird combinations before, but mixing honey with pot never occurred to me.

    Does it get you a better buzz?
  • by EmagGeek (574360)
    I wonder if putting phony MP3's on your ftp server in hopes of confusing the powers that be might fall under this. After all, isn't that sort of honeypot-ish?

    I wonder what this would mean for other "red herring" type of defense measures....
  • by Hamstaus (586402) on Thursday May 22, 2003 @04:01PM (#6018035) Homepage
    Wait a minute!

    No anti-MS sentiment... posted by Taco... not a dupe...

    This story is a honeypot! Whatever you do, don't post any comments! It's a trick! It's a tri^&T3ATZ
    NO CARRIER
  • How come the federal agents are allowed to use honeypots, as in the case of the Russian hackers, when private investigators can't?
  • hmmm (Score:3, Insightful)

    by Tumbleweed (3706) on Thursday May 22, 2003 @04:02PM (#6018048)
    Is there any way to mark an entire Slashdot story as a Troll? This is ridiculous.

    ( Go ahead, mod me down - I can take the hit. )
    • Ok, venturing way OT, but yes, there is a site where you can vote on stories. K5 [kuro5hin.org]. However, here on /., no way.

  • Honey pots (Score:4, Insightful)

    by Nonillion (266505) on Thursday May 22, 2003 @04:04PM (#6018061)
    This just goes to show just how low spammers are willing to sink. I have been hosting my own mail server for several years now because it's the ONLY way for me to combat unwanted e-mail. If some worthless spammer is going to whine about a honey pot or my server rejecting his/her e-mail I say TOUGH FUCKING SHIT! It's MY machine, MY bandwidth, MY rules... period. If I want viagra, penis/breast enlargements, debt consolidation, loans re-financed or hot asian chicks I'll seek you out myself..

    >SELECT * FROM spamers WHERE clue > 0
    >0 rows returned
  • FUD in summary (Score:5, Informative)

    by Kaz Riprock (590115) on Thursday May 22, 2003 @04:06PM (#6018082)

    RTFA. The use of a honeypot won't get you in trouble. The prosecution of someone hacking your honeypot won't get you in trouble. The prosecution of someone hacking your fileserver based solely on the honeypot's logs has the *potential* to get you in trouble.
  • "But there's a case where an accused kidnapper who was using a cloned cell phone sued for the interception of the cell phone conversations... And he won."

    This specific case seems VERY different than using a honeypot for computer security, and it sounds like the alleged kidnapper may have actually had a case. I'd like to see more information about that case before making comparisons, unfortunately I was unable to find any.
  • And today I'm going to get completely wasted! [Finnish original: "Ja tänään vetäsen perseet olalle!"]
    • a translation (Score:2, Informative)

      by Anonymous Coward
      Sorry, he was too fast, hence the Finnish language. What he meant to say is that he has a 30 years of experience in similar cases and none of them have led to any actual results, so it's just a waste of time talkin' about this issue, he thinks.
  • Would this work the other way around? I mean, I know it sounds ludicrous that someone protecting their own systems could get in trouble for doing so, but let's take a different look at this using a slightly different situation.

    Let's say you're somebody (maybe Fyodor [insecure.org]) and you break into someone's system and subsequently monitor it through screenshots [slashdot.org]. This is a rather clearcut case, is it not? The wiretapping is bad no matter which sides you place the two parties on.

    Furthermore, this smacks of vigilan

  • I wonder, is US Government the only one in the world keeping such stupid laws or other countries have same or similar stupidity in place?
    • I wonder, is US Government the only one in the world keeping such stupid laws or other countries have same or similar stupidity in place?

      It's not just us (US), it's endemic to all bureaucracies. It's quite possibly caused by the toxic side effects of Administratium [liv.ac.uk].
  • RIAA & Honey Pots (Score:4, Interesting)

    by splatter (39844) on Thursday May 22, 2003 @04:12PM (#6018142)
    I was reading this and had a thought. Has anyone set up a FTP or P2P honey pot to attract attention from the RIAA?

    This could be a great way to annoy the RIAA when they try and sue or fine someone that actually doesn't have illegal material on their hard drive.
    Has anyone done this yet? Any stories? Could the honey pot project be used to simulate a FTP server with mp3 goodies?

    DP
    • Re:RIAA & Honey Pots (Score:3, Interesting)

      by The Jonas (623192)
      Could the honey pot project be used to simulate a FTP server with mp3 goodies?

      Sure can. The RIAA already does it to downloaders with bogus mp3's and crippled music files. Just serve up the crap you downloaded from them. Then if they try to sue or hack your box then countersue under the allegation that they were already sharing these files and did not provide with any "fair use" instructions when you d'loaded them from the myriad of fake users/servers they have dishing this junk out to the public. Wh
  • by jd (1658) <imipak@yaCOLAhoo.com minus caffeine> on Thursday May 22, 2003 @04:15PM (#6018172) Homepage Journal
    Some States explicitly authorize wiretapping, where the other party is NOT informed. South Carolina is one such State.


    Now, normally Federal law usurps State law, so this wouldn't matter. However, in a case where it is dubious as to whether the Federal law applies, it's perfectly possible that it could be ruled that State law takes precedence in this case.


    The second thing to consider is that you can't profit by someone's crime. Thus, it would be illegal for a cracker to attack a honeypot for the purpose of making money via the Federal law. The cracker would then be placed in the position of needing to prove that their attack was for unprofitably malicious purposes.

  • A Modest Proposal (Score:5, Insightful)

    by dolbywan_kenobi (168484) <trubblman AT yahoo DOT com> on Thursday May 22, 2003 @04:16PM (#6018175)
    Perhaps this is a wake-up call for us computer users here in the USA. Who really speaks for computer users here? What we need IMO is an NRA equivalent to represent the interests of computer users, of people who are interested in fair-use issues, reasonable intellectual property laws and accountability of elected representatives. Interest groups like the NRA and AARP have shown that Congress-people do listen when people organize.
  • by phillymjs (234426) <slashdot&stango,org> on Thursday May 22, 2003 @04:38PM (#6018379) Homepage Journal
    According to the law, I, as an authorized user of a computer that belongs to my employer, have no legal right to privacy concerning files I store on that computer, or e-mail sent from/received by that computer-- the employer, as owner, can monitor it at will.

    And now, the law says that I, the owner of a computer system, have no right to monitor or intercept the comings and goings of an UNauthorized user on said system? In fact, I can be sued for doing so?

    How is this not a ridiculous double standard? Not counting any "I understand my computer system is subject to monitoring" policy form you may sign at work. Doesn't UNAUTHORIZED computer access trump any kind of claim to privacy that the unauthorized user may make?

    Furthermore, would you be covered by putting a disclaimer somewhere on that system? I would imagine that something like "ALL users of this system are subject to monitoring. By continuing to access this system you signal your willingness to be monitored. If you do not agree, disconnect now." would do the trick.

    ~Philly
  • by infonography (566403) on Thursday May 22, 2003 @04:42PM (#6018409) Homepage
    While I do have a bare shred of faith that a Judge will understand the intent here is not to defraud. The intent is to Defend/Detect an attack. It's a defense system that does not cause harm. What you are in fact creating is an Electronic Burglar Alarm. As I understand tracing the offender is ok, attacking his system isn't. Informing the Domain's Admin/Owner/Upstream Provider is ok. Wasting a Hacker's time in a honey pot isn't illegal, frying their brain like in a William Gibson novel (attractive though it may be) would be.

    On the Honey Pot issue, what differentiates it from a Online game? You put it there, people come and there are rules to get in. It would seem that the argument that putting up a Honeypot is an invitation to enter (the Honeypot only). While a SysAdmin could learn valuable lessons from observation, the defense of the Alleged hacker could be that they 'KNEW' it was a Honeypot and that the price of entry was cleverness not cash. Therefore they are playing a game, one in nature much like Ultima online or Neverwinter Nights.

    Don't worry about this, it's for the most part a groundless fear. If you did actually come under attack by some foolish District Attorney, likely You would be getting calls from the likes of Johnny Cochran and Alan Dershowitz offering free legal.

    This article is fearmongering a distant cousin of trolling.
    • Don't worry about this, it's for the most part a groundless fear. If you did actually come under attack by some foolish District Attorney, likely You would be getting calls from the likes of Johnny Cochran and Alan Dershowitz offering free legal.

      It must be nice to live someplace high-profile enough that someone like Johnny C. would be interested in helping you. I live in a small town in the upper Midwest; do you really think any big-name lawyer would provide me with a pro bono defense?

  • by cmburns69 (169686) on Thursday May 22, 2003 @04:44PM (#6018444) Homepage Journal
    Anybody notice how "Honey pots" backwards is "Stop yenoh!". A quick google [google.com] of the word reveals it to have to do with food, so "honey pots" is code for "Stop food!". This madness must be ended!

    An online Starcraft RPG? Free, only at [netnexus.com]
    In soviet russia, all your us are belong to base!
    Karma: Redundant!
  • by zutroy (542820) on Thursday May 22, 2003 @04:50PM (#6018510) Homepage
    Now is NOT the time to write your congresspeople! The article was saying that this COULD be considered illegal under a ridiculous interpretation of existing law. Not exactly something to get angry about.

    Playing Chicken Little in these forums somehow means that you rack up incredible karma.

    If everyone lived this cautiously, we'd never leave our houses for fear of getting sued.
  • Also lock me for.... (Score:3, Interesting)

    by Erik_Kahl (260470) on Thursday May 22, 2003 @04:55PM (#6018559)
    Intrusion Detection Systems often are used in this same way. They monitor traffic and report suspicious actions. Some (snort included) capture and record packet dumps....much like taping a conversation.

    Intrusion Prevention Systems do the same thing, except they have the ability to actually interfere with the conversation and drop packets or block hosts. Imagine a wire tap that could mute one of the callers to interfere with meaningful conversation.

    Firewalls too. Let's also lock up everyone using a firewall. A firewall, or cluster of firewalls monitor all the traffic (email, web, ftp, etc.) in and out of almost every business network on the internet. ALL of these devices are looking at and selectively recording traffic on those networks.

    Nearly every network security tool can be compared to a wire tap....however, it's my damn wire!

    The real question to ask is:

    Can I legally tap my own wires?

    As a business owner, is it legal for me to record and be aware of the incoming and outgoing communications from my business?

  • by johnnick (188363) on Thursday May 22, 2003 @05:05PM (#6018652)
    To address the issues raised in the article:

    Federal wiretap laws prohibit interception of electronic communications, including traffic monitoring across a network. There are exceptions for network protection, but Salgado said that is an "uneasy fit" for honeypots, because they are set up with the expectation of being attacked.

    This isn't entirely correct. If you are the owner of the network, you can monitor what happens on it. You can doubly protect yourself by putting a banner on your login page that says that any use of the network is subject to monitoring, but the key thing that courts have looked at with regard to such monitoring is whether the person had a legitimate expectation of privacy in the communication. I think a judge would have a tough time accepting an argument that someone attacking your network had a legitimate expectation of privacy in his/her attack.

    Even if you were only allowed to monitor your network for defensive purposes, I think the honeypot could arguably qualify as a defensive tool. For example, I have limited budget for physical security at my home. I recognize that there are a number of ways that someone could break in, and I take steps to secure or prevent those. However, if someone is determined to break in, I must recognize that they will find a way. To deal with that possibility, I try to recognize where an intruder might be able to break in, and I have cameras in those areas. If I could only afford a certain number of cameras, I might make one path a little easier or attractive than the others so that the intruder would take that path and thereby pass in front of the camera allowing me to gather evidence of the crime. The intruder has already committed the crime by being inside the house, the camera simply collects the evidence. By placing a honeypot and monitoring it, you are simply putting an intrusion detector on a place where unauthorized individuals are likely to go, if they are already committing the crime of being inside your network without authorization.

    An operator might be held liable for damages if a compromised honeypot is used to launch an attack against a third party. "We don't know" if such liability would hold up in court, Salgado said.

    This is theoretically possible, and I actually wrote another article for USENIX's magazine ";login:" on this subject called, "You've Been Cracked...And Now You're Sued."[1] But, if you're setting up a honeypot, you ought to be sophisticated enough to isolate it and prevent outbound attacks on other networks (or at least either notify those networks that they are being attacked or shut down the attack as soon as it starts). There's really no excuse for setting up a honeypot and then allowing it to be used as a zombie.

    A hacker charged with illegal activities involving a honeypot could argue entrapment, which Salgado said is a difficult defense. He said it might not apply to so-called passive honeypots.

    Salgado is correct that entrapment is a very difficult defense. The article doesn't point out, however, that the defense of entrapment is also only available to someone who is being prosecuted as the result of activity by a government agent (like the DOJ, FBI or some state or local law enforcement agency). If your company (or client), as a non-governmental entity, sets up a honeypot and a cracker gets prosecuted because of it, the defense of entrapment is not available. See the legal definition of entrapment at http://dictionary.lp.findlaw.com/

    Furthermore, as Salgado also notes, because a honeypot is a purely passive thing, even if you were a government agent, you are not really inducing or encouraging a potential cracker to go attack it. If you were a government agent and set up a honeypot and then anonymously went to hacker sites and talked about this fantastic server with all kinds of really cool stuff on it and how easy it was to own, etc., etc., then you might be setting yourself up for the defense of entrapment.

    John

    [1] ;login: The Magazine of USENIX & Sage, vol. 26, no. 2 (Berkeley, CA : USENIX Association, 2001): pp. 73-76.
  • by darf (182630) * on Thursday May 22, 2003 @05:22PM (#6018816)
    Ok, so I can sound like the last 50 people that said this: I am not a lawyer. Fine, done.

    Here is how I have been trained in regards to wire tap (I am a security analyst):

    The wiretap act is broad and prohibits intentional interception (use, etc) of someone else's electronic communications. This Act (see 18 U.S.C. § 2511(1)) has a bunch of exceptions, two of which are relevant to this discussion:

    1. The provider exception may apply if the communications were intercepted during active monitoring for the purposes of system defense,

    2. The consent of party exception may apply if you have banners declaring that you monitor all traffic.

    From what I have been instructed, I only need to really take care with #1 which is what I'm exactly doing when I fire up a honey pot. (#2 is a part of company policy so it is not optional.)

    If I deploy a honey pot for the purpose of monitoring and protecting my network, then I should be able to claim exemption from the Wiretap Act via #1 above. Of course the honeypot damn well better be deployed for the purposes of defense and not something I just threw on the corporate network without authorization.

    That's the theory anyway; as far as I know, this has not been tested in the courts yet.
  • by radulovich (47127) on Thursday May 22, 2003 @05:42PM (#6018967) Homepage
    Poulsen is showing an incredible lack of thought in writing this article.

    First, if a person runs a honeypot on their network, a network they control, or a device that they control, then it is not interception of communications. It is _logging_ responses and action taking place _within_ that device, not _intercepting_ communications. There have to be three parties to intercept - the sender, the receiver, and the interceptor.

    Second, even if it were interception of communications (which it is not), then not only would all of the system logs in Unix/Windows be illegal, but so would every web server log in the US. Even worse, that caller ID display that you have would also be illegal - it intercepts information to display on your phone.

    Finally, if monitoring a honeypot is illegal, then monitoring a hacked server would be as well. So, if your machine were infected by a virus that talked to an IRC channel, then you would be guilty of an illegal interception of communication.

    If anyone ever loses a lawsuit because of this, appeal, and also sue your own lawyer for incompetence!!!

    Read the source email (http://www.securityfocus.com/archive/119/293431/2002-09-23/2002-09-29/0), and remember that even though Salgado (author of the email) is a legal professional, half of all lawyers still lose in court (by definition). (In other words, get another opinion - or maybe two or three.)

    Salgado does not have a good grasp of this. This can be shown simply. If he were correct, then the phone companies would require a wiretap order to even _view_ their phone logs for any suspected phreaking on their network. Somehow, I doubt that Ma Bell gets a wiretap order to look at their phone logs.

    Mark Radulovich, CISSP

  • This is silly... (Score:4, Insightful)

    by anubis (87418) on Thursday May 22, 2003 @07:23PM (#6019640)
    This is just silly. An illegal wiretap is intercepting a communication between two computers/people/objects without either 1.) the permission of one party, 2.) a court order. If you are a party to the communication (i.e. the honeypot) you are intercepting communications to and from your own machine. Seems like there are bigger things to be worried about.
  • It's an IDS!! (Score:4, Interesting)

    by tiny69 (34486) on Thursday May 22, 2003 @07:42PM (#6019779) Homepage Journal
    Using a honeypot to detect and surveil computer intruders might put you on the working end of federal wiretapping beef, or even get you sued by the next hacker that sticks his nose in the trap,
    There is an easy fix for this. Stop calling them honeypots and start calling them what they really are, an intrusion detection system. Saying that your IDS was broken into will also go over better with the judge and jury.
  • by whereiswaldo (459052) on Thursday May 22, 2003 @09:47PM (#6020576) Journal
    Welcome to the USA, where common sense is absolutely irrelevant. Got a sensational case? There's a lawyer and a judge out there somewhere who'll see to it that you win.
    Disgusting.
  • by minas-beede (561803) on Thursday May 22, 2003 @10:10PM (#6020711)
    A question important to those who run open relay honeypots and open proxy honeypots (proxypots.)

    These are 100% accurate against spam - filters and blacklists are not. Will they be outlawed?

    Check out the bubblegum proxypot. It's a neat way to hurt spammers:

    http://world.std.com/~pacman/proxypot.html

    Don't forget the relay spam honeypot (Jackpot):

    http://jackpot.uk.net
  • by bourne (539955) on Thursday May 22, 2003 @10:54PM (#6020967)

    First of all, Richard Salgado has got to tell people to be very careful. He's a prosecutor for the government. He's got to say things that err on the side of safety, and of never condoning possible violations of the law. (He's a nice guy, and a good speaker. He's just very obviously in one corner, and has the party line to hew to).

    Secondly, read 18 U.S.C. Section 2511 [usdoj.gov]. That lays out the _exceptions_ to the Wiretap Act, which includes the Provider exception, which boils down to: if you own the machine, and have appropriate banners, and the wiretap is done "while engaged in any activity which is a necessary incident to the rendition of [the rightful administrator's] service or to the protection of the rights or property of the provider of that service...". The reason the gov't is goosey about honeypots is, if it is a property laid out to be broken into, then is the wiretapping justified? If you're doing it as part of the defense of your network, consensus tends to be yes. If you're doing it for shits and giggles, there tends to be less consensus. The gov't needs to be able to prosecute anyone, so without court cases telling them otherwise they're leaning to the stricter interpretation.

    Thirdly, if you're interested, read the posted practical assignments for the SANS GCFA (Forensics) [giac.org] course/certification. The original assignment (the only one posted currently) has three parts, the third of which is Describe in detail your authority as a system administrator with regards to this statute. [giac.org] Keep in mind that none of those people are lawyers, but most of them sat through a course including Richard Salgado talking on this issue, and all of them worked their butt off to write the paper and pass the course. More work than goes into, say, a /. post 8).
