
Use a Honeypot, Go to Prison?

scubacuda writes "Using a honeypot to detect and surveil computer intruders might put you on the working end of a federal wiretapping beef, or even get you sued by the next hacker that sticks his nose in the trap, according to this (old) Security Focus article. Honeypots could be what federal criminal law calls "interception of communications", a felony that carries up to five years in prison. Because the Federal Wiretap Act has civil provisions, as well as criminal, there's even a chance that a hacker could file a lawsuit against a honeypot operator that doesn't have their legal ducks in a row. "It would take chutzpah," said Richard Salgado, senior counsel for the Department of Justice's computer crime unit, "But there's a case where an accused kidnapper who was using a cloned cell phone sued for the interception of the cell phone conversations... And he won.""
This discussion has been archived. No new comments can be posted.

  • Err... (Score:5, Insightful)

    by .com b4 .storm ( 581701 ) on Thursday May 22, 2003 @03:50PM (#6017905)
    If it's YOUR system, then how are you "intercepting" anything? If someone tries to crack into a system that is yours, then who cares if it is a honeypot or not? This is like a burglar suing a homeowner because he cut himself on a knife he was stealing along with the rest of their silverware...
  • by Nagatzhul ( 158676 ) on Thursday May 22, 2003 @03:52PM (#6017921)
    Hmmmm..... How can you intercept your own communications? Does that mean it violates federal law to use voice mail or an answering machine? After all, they also "intercept" communications.
  • Re:Err... (Score:4, Insightful)

    by EmagGeek ( 574360 ) on Thursday May 22, 2003 @03:54PM (#6017944) Journal
    "This is like a burglar suing a homeowner because he cut himself on a knife he was stealing along with the rest of their silverware... "

    And there's tons of legal precedent out there making homeowners liable for injuries incurred on their premises, regardless of the motivation of the "visitor."

    If you look at all of the cases out there, one could make a very strong argument that homeowners are required by this precedent to make their homes safe for burglars.

    This really isn't any different if you think about it. We have to make sure we exercise care for the safety of criminals. It's sad, but unfortunately becoming more true every day.
  • loopholes (Score:3, Insightful)

    by Anonymous Coward on Thursday May 22, 2003 @03:55PM (#6017964)
    What does it say about a society that allows a person *caught in the act* of committing a crime to sue because he wasn't caught "legally"?

    I mean, I know there's always the opportunity for abuse, etc., but... come on! I mean, a lawbreaker sues because something bad happened *while breaking the law*.

    That's just sad. And not sad as in: 'that criminal is an idiot'... sad as in: 'that justice system needs some work'.

  • Re:Err... (Score:4, Insightful)

    by fjordboy ( 169716 ) on Thursday May 22, 2003 @03:56PM (#6017972) Homepage
    He won't win though. He can sue all he wants..the results won't be in his favor.

    I can *sue* you for making this post if I have the money and a lawyer...I might be the laughingstock of the courtroom, but I have the right to sue you.
  • by Anonymous Coward on Thursday May 22, 2003 @03:56PM (#6017977)
    If the FBI wants to nail you for cybercrime, there are a lot of other far more ambiguous statutes to nail somebody under. The real question is: Have you attracted the ire of the FBI?

    Consider the $5,000 damage threshold [google.com]. The FBI won't even prosecute you unless there is an upstanding member of the community (usually corporate) who will attest that you have damaged them to the tune of $5,000 or more. Who would claim that a honeypot did them 5 grand in damages? That is the real question.

    Keep in mind that nmap creator Fyodor managed to hack some jerk of a Slashdot user [slashdot.org] and brag about it on his website without getting prosecuted. This is because he knew the rule of selective enforcement.

  • Re:Err... (Score:3, Insightful)

    by stratjakt ( 596332 ) on Thursday May 22, 2003 @03:56PM (#6017980) Journal
    No, it's like a burglar suing because you caught him in the act on CCTV without his permission.

    Actually, it's nothing like it, since the law is about electronic communications.

    You know, the reason Linda Tripp got in so much shit for taping Lewinsky's conversations.

    If someone calls you on the phone, you can't tape it to use it against them (unless they know it's being taped).

    So, honeypots aside, if you apply this to computers, does not any sort of log count? Web hit logs? Cookies that you didn't know about? Email spools?

    Maybe I can sue slashdot for tracking my IP to stop me from posting too much.

    Of course I can't, this is basically just a bunch of "OMG big brohter is teh suck" geek whining.
  • It looks to me... (Score:5, Insightful)

    by zutroy ( 542820 ) on Thursday May 22, 2003 @03:57PM (#6017984) Homepage
    ...like the article is actually saying that you could be sued if a hacker used your honeypot machine to hack into another machine that's not on your network. The argument is that you set up a machine to be hacked, and it got hacked, and was then used to hack others...kind of like saying that you've become an accomplice in hacking. So the lesson is to secure your honeypot machine, so it can't be used for evil.
  • Re:oh no! (Score:5, Insightful)

    by I8TheWorm ( 645702 ) on Thursday May 22, 2003 @04:00PM (#6018028) Journal
    Does this mean I'll have to turn off my server logging, since it could quite possibly "monitor" an intruder?
  • Re:Err... (Score:5, Insightful)

    by kikta ( 200092 ) on Thursday May 22, 2003 @04:01PM (#6018031)
    The article talks about the problem occurring if and when the intruder uses the honeypot to connect to a third system and the honeypot acts as an intermediary between the two (and logs all the keystrokes & traffic). Regardless, this is pretty far-fetched, IMHO. Yes, a jury of idiots may side with the cracker, but a jury of idiots could theoretically do almost whatever they please. Just hope that the appeals court is sane.
  • hmmm (Score:3, Insightful)

    by Tumbleweed ( 3706 ) on Thursday May 22, 2003 @04:02PM (#6018048)
    Is there any way to mark an entire Slashdot story as a Troll? This is ridiculous.

    ( Go ahead, mod me down - I can take the hit. )
  • Honey pots (Score:4, Insightful)

    by Nonillion ( 266505 ) on Thursday May 22, 2003 @04:04PM (#6018061)
    This just goes to show just how low spammers are willing to sink. I have been hosting my own mail server for several years now because it's the ONLY way for me to combat unwanted e-mail. If some worthless spammer is going to whine about a honey pot or my server rejecting his/her e-mail I say TOUGH FUCKING SHIT! It's MY machine, MY bandwidth, MY rules... period. If I want viagra, penis/breast enlargements, debt consolidation, loans re-financed or hot asian chicks I'll seek you out myself..

    >SELECT * FROM spamers WHERE clue > 0
    >0 rows returned
  • Re:Err... (Score:5, Insightful)

    by antis0c ( 133550 ) on Thursday May 22, 2003 @04:06PM (#6018087)
    Let's not forget the man who successfully sued a car owner for driving over his hand as he was trying to steal his hub caps.

    I think it's fucked up myself too. Sure if someone is entering my house, I can shoot them. But by God if they cut themselves on a steak knife I left out I might be liable for thousands.

    Oh well, in the larger scheme of things our legal system is still new. It will take a while for stuff like this to get sorted out.
  • Jury of idiots (Score:4, Insightful)

    by mrlatito ( 595000 ) on Thursday May 22, 2003 @04:11PM (#6018127)
    See OJ verdict. :)
  • A Modest Proposal (Score:5, Insightful)

    by dolbywan_kenobi ( 168484 ) on Thursday May 22, 2003 @04:16PM (#6018175)
    Perhaps this is a wake-up call for us computer users here in the USA. Who really speaks for computer users here? What we need IMO is an NRA equivalent to represent the interests of computer users, of people who are interested in fair-use issues, reasonable intellectual property laws and accountability of elected representatives. Interest groups like the NRA and AARP have shown that Congress-people do listen when people organize.
  • Re:Err... (Score:1, Insightful)

    by Anonymous Coward on Thursday May 22, 2003 @04:23PM (#6018258)
    Just remember, the only people serving on juries are those who weren't stupid enough to get out of jury duty! If you don't like stupid verdicts, don't throw out your summons!
  • According to the law, I, as an authorized user of a computer that belongs to my employer, have no legal right to privacy concerning files I store on that computer, or e-mail sent from/received by that computer-- the employer, as owner, can monitor it at will.

    And now, the law says that I, the owner of a computer system, have no right to monitor or intercept the comings and goings of an UNauthorized user on said system? In fact, I can be sued for doing so?

    How is this not a ridiculous double standard? Not counting any "I understand my computer system is subject to monitoring" policy form you may sign at work. Doesn't UNAUTHORIZED computer access trump any kind of claim to privacy that the unauthorized user may make?

    Furthermore, would you be covered by putting a disclaimer somewhere on that system? I would imagine that something like "ALL users of this system are subject to monitoring. By continuing to access this system you signal your willingness to be monitored. If you do not agree, disconnect now." would do the trick.

    ~Philly
  • Re:loopholes (Score:2, Insightful)

    by FroMan ( 111520 ) on Thursday May 22, 2003 @04:42PM (#6018415) Homepage Journal
    Hmmm, I almost agree with you here. Problem is, then we have the government rooting around your home looking for a crime without evidence. We do need protection from the government.

    However, when a crime is occurring on personal property I do not think that the same rules that apply to law enforcement should apply to the property owner.

    Consider: In some states both parties must be aware that they are being recorded on the telephone. However, say some weirdo calls me in the middle of the night and makes a death threat. Should I have to tell him, hold on, I have to tell you I am recording before you attempt to threaten my life? No, that is absurd.

    One note on the honey pot idea though. If someone is using a honey pot as a jump off point to launch an attack from, the honey pot might be considered aiding a criminal in the act of committing a crime. Since the honey pot is intentionally put out there with security holes to act as a catch spot.

    Just an idea. Sort of like vigilante justice, let the law enforcement enforce the law.
  • Re:loopholes (Score:2, Insightful)

    by WaxParadigm ( 311909 ) on Thursday May 22, 2003 @04:46PM (#6018463)
    Problem is that without rules about "proper" ways of obtaining evidence you'd revert back to a society where police just let themselves into your home, w/o probable cause, etc. I don't want the police to smash and grab - let's leave that for the criminals.
  • by zutroy ( 542820 ) on Thursday May 22, 2003 @04:50PM (#6018510) Homepage
    Now is NOT the time to write your congresspeople! The article was saying that this COULD be considered illegal under a ridiculous interpretation of existing law. Not exactly something to get angry about.

    Playing Chicken Little in these forums somehow means that you rack up incredible karma.

    If everyone lived this cautiously, we'd never leave our houses for fear of getting sued.
  • Re:Prove it. (Score:3, Insightful)

    by flyneye ( 84093 ) on Thursday May 22, 2003 @05:38PM (#6018923) Homepage
    As far as Malone goes, the homeowner shouldn't have fired without acquiring a target, nor should he have used a .22.
    Never use anything less than a .45 (a hollowpoint .40 would've definitely bled the bastard to his just reward.) Never shoot to wound. An injured animal is more dangerous than before. (Hope I don't need to explain that one.) Using a .45 is probably best because it's a slower heavier round and will give you time to position the culprit before he bleeds in the wrong place or position and mucks up your story. Lastly, kill the fucker so he doesn't continue to come back, hit your neighbors or kill someone in the commission of another crime. f**k em and those who would defend em as well.

  • Re:Heh. (Score:2, Insightful)

    by intermodal ( 534361 ) on Thursday May 22, 2003 @06:07PM (#6019164) Homepage Journal
    that's what the slash was there for, fucknut. http SLASH gaming. that way people can visit web pages and/or game. The real users, i.e. people who know how to run servers (with all that entails, including all the services of the other network) would be on the network with full services. You, I suspect would be on the HTTP/(that's a slash)gaming network judging from your ability to comprehend simple concepts.
  • by Anonymous Coward on Thursday May 22, 2003 @06:23PM (#6019257)
    Wouldn't Gator's software be intercepting messages for a conversation (between you and the website you are visiting), that it is not a part of?

    I would think any ISP tracking/monitoring, web-tracking monitoring by a third-party (not you, and not the internet site) would be illegal by FCC regulations?

    I'm not a lawyer, obviously, so what do the rest of you, more educated folks think?
  • Re:Prove it. (Score:2, Insightful)

    by cyril3 ( 522783 ) on Thursday May 22, 2003 @07:05PM (#6019515)
    What is insightful about an exhortation to use a high calibre weapon to shoot to death possibly unarmed trespassers so they don't come back?

    In Australia the home owner would be guilty of manslaughter at least and if he had used a weapon without having first been threatened directly by the trespasser would spend some time in jail. Home owners are allowed only defensive action that is proportionate to the perceived threat. You shoot blindly into the dark and you're in trouble.

    And setting man-traps (even accidental) is definitely a no-no. It's plain illegal. And there was a case not long ago where a home-owner electrified a garden fishpond with mains electricity to "discourage" a local animal predator and who killed a trespasser who stumbled into the pond. They were guilty of manslaughter.

  • This is silly... (Score:4, Insightful)

    by anubis ( 87418 ) on Thursday May 22, 2003 @07:23PM (#6019640)
    This is just silly. An illegal wiretap is intercepting a communication between two computer/people/objects without either 1.) the permission of one party, 2.) a court order. If you are a party to the communication (i.e. the honeypot) you are intercepting communications to and from your own machine. Seems like there are bigger things to be worried about.
  • by Goonie ( 8651 ) on Thursday May 22, 2003 @07:58PM (#6019897) Homepage
    In Australia, the mere presence of an intruder in your house or on your property is not sufficient grounds to blaze away.

    The more out-there states of the US have rules on self-defence that are a lot more unrestrictive than just about anywhere else in the Western world.

  • by intermodal ( 534361 ) on Thursday May 22, 2003 @09:28PM (#6020492) Homepage Journal
    fuck yourself.
  • Re:Err... (Score:4, Insightful)

    by rifter ( 147452 ) on Thursday May 22, 2003 @09:30PM (#6020499) Homepage

    Personally I would consider any place that honours the rights of a burglar committing an act of terrorism above the rights of a law abiding citizen in their own home far more the fascist shithole than one which allows the responsible protection of one's life, family, and property.

    I really don't understand at all how anyone in one of the supposed "enlightened lands" where the reverse is true can live there, knowing that criminals can break in and kill and rape their wives and children and be protected by the state in doing so, since they have been disarmed and are given no rights of self defense. Any reasonably civilized society could not allow such a thing, as it is pure barbarism, as far as I am concerned.

  • by whereiswaldo ( 459052 ) on Thursday May 22, 2003 @09:47PM (#6020576) Journal
    Welcome to the USA, where common sense is absolutely irrelevant. Got a sensational case? There's a lawyer and a judge out there somewhere who'll see to it that you win.
    Disgusting.
  • Re:Moral issue (Score:2, Insightful)

    by The Cisco Kid ( 31490 ) on Thursday May 22, 2003 @11:13PM (#6021061)
    Properly set up honeypots do not allow themselves to be used to break into other live systems.
