Use a Honeypot, Go to Prison?
scubacuda writes "Using a honeypot to detect and surveil computer intruders might put you on the working end of federal wiretapping beef, or even get you sued by the next hacker that sticks his nose in the trap, according to this (old) Security Focus article. Honeypots could be what federal criminal law calls "interception of communications", a felony that carries up to five years in prison. Because the Federal Wiretap Act has civil provisions, as well as criminal, there's even a chance that a hacker could file a lawsuit against a honeypot operator that doesn't have their legal ducks in a row. "It would take chutzpah," said Richard Salgado, senior counsel for the Department of Justice's computer crime unit, "But there's a case where an accused kidnapper who was using a cloned cell phone sued for the interception of the cell phone conversations... And he won.""
Re:Err... (Score:5, Informative)
Both of these have to do with building/safety/fire codes, and you're liable for anything that happens to anyone if you don't meet code.
Of course, the burglar still goes to jail.
It's a case of two wrongs not making a right, it makes for two punishments.
FUD in summary (Score:5, Informative)
RTFA. The use of a honeypot won't get you in trouble. The prosecution of someone hacking your honeypot won't get you in trouble. The prosecution of someone hacking your fileserver based solely on the honeypot's logs has the *potential* to get you in trouble.
Re:Err... (Score:3, Informative)
I'd say that your analogy is quite accurate. But it may not even matter. What you said reminds me of this apparently true story, from here. [ebaumsworld.com] It goes as follows:
"Terrence Dickson of Bristol, Pennsylvania, was leaving a house he had just finished robbing by way of the garage. He was not able to get the garage door to go up since the automatic door opener was malfunctioning. He couldn't reenter the house because the door connecting the house and garage locked when he pulled it shut. The family was on vacation, and Mr. Dickson found himself locked in the garage for eight days. He subsisted on a case of Pepsi he found and a large bag of dry dog food. He sued the homeowner's insurance claiming the situation caused him undue mental anguish. The jury agreed to the tune of $500,000."
So it can happen, whether it sounds just or not.
Re:Err... (Score:5, Informative)
Yes, you can...depending on the state.
It just happened that Ms. Tripp's taping occurred in Maryland, where both parties must consent to taping. Many states only require one party's consent, however.
a translation (Score:2, Informative)
Re:What about home security cameras? (Score:1, Informative)
Local issues involved (Score:4, Informative)
Now, normally Federal law usurps State law, so this wouldn't matter. However, in a case where it is dubious as to whether the Federal law applies, it's perfectly possible that it could be ruled that State law takes precedence in this case.
The second thing to consider is that you can't profit by someone's crime. Thus, it would be illegal for a cracker to attack a honeypot for the purpose of making money via the Federal law. The cracker would then be placed in the position of needing to prove that their attack was for unprofitably malicious purposes.
Re:USA? How about other countries? (Score:1, Informative)
Re: Urban Legend "Stella's" (Score:2, Informative)
Re:Heh. (Score:4, Informative)
Obligatory Coffee Lawsuit Facts link [google.com]. I wish people would stop bringing up this example incorrectly.
Re:Err... (Score:5, Informative)
http://www.snopes.com/legal/lawsuits.asp [snopes.com]
And since you almost certainly believe all the crap about that McDonalds coffee lawsuit (and probably won't read through the entire page I referenced above) here are the important details left out in most tellings of it:
http://www.atlanet.org/consumermediaresources/tie
Re:Err... (Score:3, Informative)
"Premises subject to video monitoring"
Or one of them like that. There are even laws that say how big that sticker is supposed to be.
Re:Prove it. (Score:5, Informative)
Second Story Burglar Sues Homeowner [aol.com]
Danbury, CT - An admitted second story burglar is suing a homeowner. Michael Malone attempted to enter a three-story residence by climbing a tree to gain admittance through an open third floor window. Unfortunately for Malone, the tree limb broke and the 275 pound burglar crashed to the ground. When the homeowner heard the commotion, he went outside to investigate. In the dark, he spied a figure moving toward the rear of his five acre lot and fired one round from a
I thought I had seen a story more along the lines you suggest, but I think I'm remembering the scene from Liar Liar. I googled for a bit and didn't find any "real" stories (snopes didn't have anything either).
I did find this -- Check this out:
New Twists on Occupiers Liability [rbs.com]
Can a Burglar Sue a Homeowner for Injuries Sustained During a Break-in?
Anyone who trespasses on land to commit a criminal act is deemed to have willingly accepted all risks of injury while on the land. For example, if a burglar slips and falls down a dimly lit staircase while breaking and entering into your home, there is no liability imposed on the homeowner.
Even a criminal trespasser, however, has some rights. A homeowner will be liable for creating "a danger with intent to do harm" or for acting "with reckless disregard for the safety" of a trespasser. If you have seen the movie "Home Alone" then I am sure that you can think of several examples which would fall into this category. A trip wire attached to the trigger of a shotgun clearly creates danger intended to harm the trespasser. In British Columbia, the Occupiers Liability Act tries to differentiate between accidental injuries to trespassers and deliberate attempts to cause harm or injury to trespassers. Generally speaking, there will be no liability for the accidental injury to a trespasser but there will be liability for the deliberately caused injury.
I think it's an urban legend. I don't think you can be sued unless you do something like set up a booby-trap or shoot him or something.
Re:Err... (Score:2, Informative)
OpenBSD 3.2 (GENERIC) #25: Thu Oct 3 19:51:53 MDT 2002
==================
U.S. Government Warning
****UNAUTHORIZED ACCESS PROHIBITED BY LAW -- TITLE 18 U.S. CODE SECTION 1030****
WARNING: The use of this U.S. Government system is restricted to authorized
users only. Unauthorized access, use, or modification of this computer system
or of the data contained herein or in transit to/from this system constitutes a
violation of Title 18, United States Code, Section 1030 and state criminal and
civil laws. These systems and equipment are subject to monitoring to ensure
proper performance of applicable security features or procedures. Such
monitoring may result in the acquisition, recording and analysis of all data
being communicated, transmitted, processed or stored in this system by a user.
If monitoring reveals possible evidence of criminal activity, such evidence may
be provided to law enforcement personnel.
So, although it may be a bit misleading, and could in theory get me in trouble, it does at least warn the "h4x0r" that they could get themselves in trouble.
Re:A Modest Proposal (Score:3, Informative)
Sigh... nothing to see here (Score:4, Informative)
Here is how I have been trained in regards to wire tap (I am a security analyst):
The Wiretap Act is broad and prohibits intentional interception (use, etc.) of someone else's electronic communications. This Act (see 18 U.S.C. § 2511(1)) has a bunch of exceptions, two of which are relevant to this discussion:
1. The provider exception may apply if the communications were intercepted during active monitoring for the purposes of system defense,
2. The consent of party exception may apply if you have banners declaring that you monitor all traffic.
From what I have been instructed, I only need to really take care with #1 which is what I'm exactly doing when I fire up a honey pot. (#2 is a part of company policy so it is not optional.)
If I deploy a honey pot for the purpose of monitoring and protecting my network, then I should be able to claim exemption from the Wiretap Act via #1 above. Of course the honeypot damn well better be deployed for the purposes of defense and not something I just threw on the corporate network without authorization.
That's the theory anyway; as far as I know, this has not been tested in the courts yet.
Another question: Is spam a "communication"? (Score:4, Informative)
These are 100% accurate against spam - filters and blacklists are not. Will they be outlawed?
Check out the bubblegum proxypot. It's a neat way to hurt spammers:
http://world.std.com/~pacman/proxypot.html
Don't forget the relay spam honeypot (Jackpot):
http://jackpot.uk.net
See Wiretap Act, 18 U.S.C Sec. 2511 (Score:5, Informative)
First of all, Richard Salgado has got to tell people to be very careful. He's a prosecutor for the government. He's got to say things that err on the side of safety, and of never condoning possible violations of the law. (He's a nice guy, and a good speaker. He's just very obviously in one corner, and has the party line to hew to).
Secondly, read 18 U.S.C. Section 2511 [usdoj.gov]. That lays out the _exceptions_ to the Wiretap Act, which includes the Provider exception, which boils down to: if you own the machine, and have appropriate banners, and the wiretap is done "while engaged in any activity which is a necessary incident to the rendition of [the rightful administrator's] service or to the protection of the rights or property of the provider of that service...". The reason the gov't is goosey about honeypots is, if it is a property laid out to be broken into, then is the wiretapping justified? If you're doing it as part of the defense of your network, consensus tends to be yes. If you're doing it for shits and giggles, there tends to be less consensus. The gov't needs to be able to prosecute anyone, so without court cases telling them otherwise they're leaning to the stricter interpretation.
Thirdly, if you're interested, read the posted practical assignments for the SANS GCFA (Forensics) [giac.org] course/certification. The original assignment (the only one posted currently) has three parts, the third of which is Describe in detail your authority as a system administrator with regards to this statute. [giac.org] Keep in mind that none of those people are lawyers, but most of them sat through a course including Richard Salgado talking on this issue, and all of them worked their butt off to write the paper and pass the course. More work than goes into, say, a /. post 8).