Use a Honeypot, Go to Prison?
scubacuda writes "Using a honeypot to detect and surveil computer intruders might put you on the working end of a federal wiretapping beef, or even get you sued by the next hacker that sticks his nose in the trap, according to this (old) Security Focus article. Honeypots could be what federal criminal law calls "interception of communications", a felony that carries up to five years in prison. Because the Federal Wiretap Act has civil provisions, as well as criminal, there's even a chance that a hacker could file a lawsuit against a honeypot operator that doesn't have their legal ducks in a row. "It would take chutzpah," said Richard Salgado, senior counsel for the Department of Justice's computer crime unit, "But there's a case where an accused kidnapper who was using a cloned cell phone sued for the interception of the cell phone conversations... And he won.""
I always knew that something bad would come of Pooh and his addiction...
Who knew that honeypots would lead to jail? I bet even Owl and Rabbit didn't know that!
The anti-salmon
If it's YOUR system, then how are you "intercepting" anything? If someone tries to crack into a system that is yours, then who cares if it is a honeypot or not? This is like a burglar suing a homeowner because he cut himself on a knife he was stealing along with the rest of their silverware...
"Wow, you're like some kind of superhero able to ward off happiness and success at every turn."
-- Ryan Stiles
The computers you own are not actually yours. They are owned by the United States govt. Everyone go download their new distributed CPU project called "Count The Votes". Oh, wait, they installed it for me. Thank you govt. :D
On a serious note though. It's getting to be that regular Americans can't do anything without fear of getting sued or suing someone else. McDonald's coffee anyone?
If you're, say, Fyodor and you're running a honeypot (like he does, he's involved w/ the project), you can more or less count on the fact that the perp is some poor minor or college student who won't be able to bring suit in court. Hell, if you're Fyodor, this works when you're on the other side, too.
--sdem
Hey, I could SWEAR I saw this about two weeks ago. Anyone else?
I can see this might happen:
1) Find Open Windoze SMB share (or any open, insecure systems)
2) "Hack" into it
3) Try to get caught (log files, whatever)
4) Claim that was a honeypot
5) Sue for profit
It does seem this easy.
Please direct all bug reports to
I just know this is a dupe, and I want to score "First Dupe!", but I cannot find a link to the story....
So, according to this (new) article, ISS is wide open to the further embarrassment of having suit brought against them for having their website defaced.
Small, yellow bear wearing red shirt.
Suspect goes by the name of "Winnie the Pooh" which he received because he smears feces all over his victims after he murders them. Suspect keeps company with the likes of a bouncing self proclaimed "thug" named "Tigger" and a small yet crafty mastermind of evil "Piglet".
Suspects should be considered armed and dangerous. If seen, please contact Detective Christopher Robinson.
We advise the public to keep all Honeypots safely out of sight and or smell.
This is my sig. It's pathetic.
A Pooh needs his honey!
So Homeland Security is more important than Home Security? ;-)
Better unlock my door for the Feds!
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
Couldn't this be avoided by making the honeypot actually "do something", thereby making it not a "honeypot"? I.e., stick some files on there and call it a backup server (unimportant files of course) or whatever. After all, aren't the most effective honeypots those that fool the intruder into thinking that it's a real "site"? What better way than to sorta make it real? Nothing illegal about monitoring your own real site, right?
What does it say about a society that allows a person *caught in the act* of committing a crime to sue because he wasn't caught "legally"?
I mean, I know there's always the opportunity for abuse, etc., but... come on! I mean, a lawbreaker sues because something bad happened *while breaking the law*.
That's just sad. And not sad as in: 'that criminal is an idiot'... sad as in: 'that justice system needs some work'.
First post!
It is illegal to mod me down because it would be a violation of the Federal Wiretap Act. I will sue anyone who mods this post down! And I will win too, because I trust the justice system to help the innocent like me!
Run a webserver, go to prison?
Running a honeypot *could* possibly be considered entrapment but then again so could vendor-lock-in if you want to start s_t_r_e_t_c_h_i_n_g it that far.
If the FBI wants to nail you for cybercrime, there are a lot of other far more ambiguous statutes to nail somebody under. The real question is: Have you attracted the ire of the FBI?
Consider the $5,000 damage threshold. The FBI won't even prosecute you unless there is an upstanding member of the community (usually corporate) who will attest that you have damaged them to the tune of $5,000 or more. Who would claim that a honeypot did them 5 grand in damages? That is the real question.
Keep in mind that nmap creator Fyodor managed to hack some jerk of a Slashdot user and brag about it on his website without getting prosecuted. This is because he knew the rule of selective enforcement.
That if a person is taking measures to protect one's self, then whatever crime was committed against the victim, then the attacker still has his rights to sue or whatever. But whatever they did to the person protecting themselves, whatever the person did to protect themself (if it was illegal or not), the victim should be able to sue back with the higher charge, whether that higher charge was from the attacker or victim. Then again I am not a law maker. So there are lots of flaws with what I just said.
...like the article is actually saying that you could be sued if a hacker used your honeypot machine to hack into another machine that's not on your network. The argument is that you set up a machine to be hacked, and it got hacked, and was then used to hack others...kind of like saying that you've become an accomplice in hacking. So the lesson is to secure your honeypot machine, so it can't be used for evil.
This law only applies to phones! Only certain people, none of which are in any position to make laws, have theorized that it could apply to computer networks. I'm shocked that Slashdot would be spreading this FUD around. If you guys would only read the actual law you would be fine!
I'm as against the invasion of federal powers as the next guy, but something that hurts that cause is overly reactionary or alarmist arguments. This article strikes me that way.
Anyone who has spent some time in a court room realizes that judges are not the completely inept morons they are often made out to be. Sure, someone could "sue" you for breaking a wiretapping law; that doesn't however mean they would win. People seldom appreciate the difference between those two things: anyone can sue for just about anything. Whether or not they win the case is an entirely different thing.
Saying that monitoring a honey pot is a violation of the federal wiretapping act is a huge legal stretch IMO. Even though a honeypot is designed to be hacked, it still has to be hacked. They still have to commit a felony to get into it. That's the equivalent of saying that if someone hacks into your workstation and you happen to be monitoring it at the time, you are then in violation of the federal wiretapping act. That is just patently absurd.
The one example they use isn't very compelling to me either. They are, as usual, light on the details, but "tapping" a cell phone that isn't yours is an entirely different story than monitoring a computer that you own and operate.
Every once in a while we get crazy laws on the books, and off the wall judges pushing their own agendas, but when things make it to the supreme court or the higher courts, things usually shake out in a logical and reasonable fashion. The first time someone gets *successfully* prosecuted under this, then I'll buy it.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
IANAL but wish I was.
Trolling is a art,
You bled on my knife, you bastard! If you live I'm going to sue your ass off!!!
Sheesh, evil *and* a jerk. -- Jade
Who is this "Poster" guy and why does he own all of my comments?!?
I've tried some weird combinations before, but mixing honey with pot never occurred to me.
Does it get you a better buzz?
This is my sig. It's pathetic.
That would mean a voice mail recording of a wrong number is a crime because you intercepted a call that was not meant to be directed at you.
Gibble: Descriptive of an emotional state in which one's mind is scrabbling for some purchase on reality
I wonder if putting phony MP3s on your ftp server in hopes of confusing the powers that be might fall under this. After all, isn't that sort of honeypot-ish?
I wonder what this would mean for other "red herring" type of defense measures....
Wouldn't the standard log on banner that states that any and all use of the system could be monitored, used in court, etc, etc, be useful in preventing legal action? How can someone sue you if you warned them that you were monitoring them?
"No Comm, No Bomb"
I think Fyodor has already demonstrated this here, don't you?
"interception of communications", a felony that carries up to five years in prison.
Unless you're John Ashcroft and his brownshirts. What about whatever the NSA picks up? Echelon? Carnivore? Even if data that wasn't covered by a warrant is discarded, it was still intercepted.
Trolling is a art,
Over and over our courts are issuing rulings against people who are trying to protect themselves from people who are trying to do them harm. There are precedents in the physical world. Shop owners are getting sued by criminals caught in traps or injured in some way and winning. I guess it was only a matter of time before the e-world was impacted by this. Pretty soon users will be getting sued for deleting SPAM!
Wait a minute!
No anti-MS sentiment... posted by Taco... not a dupe...
This story is a honeypot! Whatever you do, don't post any comments! It's a trick! It's a tri^&T3ATZ
NO CARRIER
I moderate "-1, Fool"
How come the federal agents are allowed to use honeypots, as in the case of the Russian hackers, when private investigators can't?
Siggy Say, Siggy Do
Slashdot did not sponsor Fyodor's breakin. He did that on his own.
Is there any way to mark an entire Slashdot story as a Troll? This is ridiculous.
( Go ahead, mod me down - I can take the hit. )
How is using a honeypot an "interception of communications"? The attack is coming in on your own machine, which you have set up and are sacrificing in the name of enhanced security. Under the law, this is known as "permissible deception." (Yeah, I learned this from Law & Order.)
If a cop poses as a "prostitute" and attempts to solicit from a John, they can be found guilty of solicitation of sex. If I throw a "server" holding lots of "important data" on my network, and I catch some hacker breaking in, presumably, under the same idea, he is now guilty of a cyber-crime, and can be tried and found guilty.
There is a cyber-war going on, and as in a land war, you must know your enemy. Think of using a honeypot as gathering intel on your attacker, learning his ways and developing methods to protect against his attacks.
This just goes to show just how low spammers are willing to sink. I have been hosting my own mail server for several years now because it's the ONLY way for me to combat unwanted e-mail. If some worthless spammer is going to whine about a honey pot or my server rejecting his/her e-mail I say TOUGH FUCKING SHIT! It's MY machine, MY bandwidth, MY rules... period. If I want viagra, penis/breast enlargements, debt consolidation, loans re-financed or hot asian chicks I'll seek you out myself..
>SELECT * FROM spamers WHERE clue > 0
>0 rows returned
"I bow to no man" - Riddick
Sounds like an urban legend to me.
Debunking the "59 Deceits"
RTFA. The use of a honeypot won't get you in trouble. The prosecution of someone hacking your honeypot won't get you in trouble. The prosecution of someone hacking your fileserver based solely on the honeypot's logs has the *potential* to get you in trouble.
Mordor...a magical, mythical land where women are more rare than dragons--but where every man would rather find a dragon
"But there's a case where an accused kidnapper who was using a cloned cell phone sued for the interception of the cell phone conversations... And he won."
This specific case seems VERY different than using a honeypot for computer security, and it sounds like the alleged kidnapper may have actually had a case. I'd like to see more information about that case before making comparisons, unfortunately I was unable to find any.
Adidas To Bring Back Sneakernet
First of all, it's YOUR computer, you are allowed to monitor your network however you like.
This has nothing to do with a cloned cell phone, which is illegal to begin with, and the perp wasn't trying to commit a crime on the cellphone itself.
It would be like this: A criminal gets into your house because you leave the door open intentionally. He starts tearing the place apart and in the process trips and breaks his arm. How can he possibly sue YOU? Sure, you left the door open, and maybe that weakens your case against him, but he has no right to sue you.
Now, suppose the criminal takes the bus to work during the day and also used it to get to your house that night. Let's say he trips and breaks his arm on the bus due to long-standing negligence of the bus owner. Does he have a case against the bus owner? Maybe! I think that's more like the cell phone example.
I think this is just silly, any judge with half a brain would understand that breaking into a computer is wrong, regardless of the honeypot.
Yeah, the laws are fucked up and upside down when it comes to computers and networks, but not THIS stupid.....
And today I'm going to get completely wasted!
suddap and hide da piglet
Let's say you're somebody (maybe Fyodor) and you break into someone's system and subsequently monitor it through screenshots. This is a rather clearcut case, is it not? The wiretapping is bad no matter which sides you place the two parties on.
Furthermore, this smacks of vigilantism. If people start taking the law into their own hands, what happens to the whole idea of a codified system of justice? Or, indeed, justice at all? Wiretapping is best left to the justice system.
--sdem
Consider the case of Biswanath Halder, the CWRU student who walked into a campus building two weeks ago and shot a man to death because no one would investigate the hacking and deletion of his web site. His letter to Congress gives a clear account of what it's like to try to get the FBI to prosecute a cybercrime case where no financial damage can be demonstrated.
This is not to say, however, that Mr. Halder was sane.
Someone named an OS for me.
Sorry, he was too fast, hence the Finnish language. What he meant to say is that he has 30 years of experience in similar cases and none of them have led to any actual results, so it's just a waste of time talkin' about this issue, he thinks.
I wonder, is the US Government the only one in the world keeping such stupid laws, or do other countries have the same or similar stupidity in place?
Less is more !
...you cannot get the FBI or other crime organizations to help you.
You mean the mafia? Or did you mean other anti-crime organizations?
Please direct all bug reports to
I was reading this and had a thought. Has anyone set up a FTP or P2P honey pot to attract attention from the RIAA?
This could be a great way to annoy the RIAA when they try and sue or fine someone that actually doesn't have illegal material on their hard drive.
Has anyone done this yet? Any stories? Could the honey pot project be used to simulate an FTP server with mp3 goodies?
DP
"(I) have this unfortunate condition that causes me not to believe a single thing any politician says when a mic's on.
Most of if not all of the destruction blamed on Pooh is really the work of Gopher...Just ask Rabbit and please leave Pooh and his honey alone.
My mother in law is worse than yours...and yes I will trade!
Now, normally Federal law usurps State law, so this wouldn't matter. However, in a case where it is dubious as to whether the Federal law applies, it's perfectly possible that it could be ruled that State law takes precedence in this case.
The second thing to consider is that you can't profit by someone's crime. Thus, it would be illegal for a cracker to attack a honeypot for the purpose of making money via the Federal law. The cracker would then be placed in the position of needing to prove that their attack was for unprofitably malicious purposes.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Perhaps this is a wake-up call for us computer users here in the USA. Who really speaks for computer users here? What we need IMO is an NRA equivalent to represent the interests of computer users, of people who are interested in fair-use issues, reasonable intellectual property laws and accountability of elected representatives. Interest groups like the NRA and AARP have shown that Congress-people do listen when people organize.
...as the Feds slapped the cuffs on him and threw him against the hood of the car.
there's even a chance that a hacker could file a lawsuit against a honeypot operator
The honeypot law is clearly mimicking the idea of a honeypot -- the honeypot owner becomes the honeypot for a lawsuit.
What if you use a beowulf cluster of honeypots? Couldn't you be executed under California's three strikes rule?
Repeal the DMCA!
Thank you for alerting me on this serious matter. I will most definitely purchase the latest in firewall and virus technology now that I know of the dangers.
On the matter of this notorious Fyodor, I think I'm pretty safe since I'm neither planning on pissing him off with juvenile pranks, nor am I using an insecure Windows workstation. Then again, what do I know, alas - I'm not a proud American.
How small a thought it takes to fill a whole life
Well I guess I'm going to jail; my cell phone occasionally intercepts other communications and I hear their conversation in the background of mine... damn the luck.
Gibble: Descriptive of an emotional state in which one's mind is scrabbling for some purchase on reality
... as he reached for the soap.
Robots are everywhere, and they eat old people's medicine for fuel.
Actually, if one of your employees investigated the break-in, or you lost some important business information, or lost profits, or something like that, then the FBI WILL get involved. It's not hard to rack up $5000 in damages -- just a few hours of work by a few employees + loss of business damages adds up to much more than $5000 for almost any organization.
For instance, if someone (say, Fyodor or Kevin Mitnick) hacked into your box and deleted all of your home video files, you could easily apply the *AA's mathematics and calculate your "loss of sales" into the quadrillions! Because after all, you were going to sell those home video files.
Well, juvenile pranks was one thing, but allowing someone to break into your system by not using a firewall was the second dumb thing. Serves him right! I'm proud of the Slashdot editors for supporting Fyodor; just because it's technically a crime doesn't mean that this kid didn't deserve it! Shooting a spammer is probably a crime too but most of them deserve to die.
I read an article in the paper yesterday about a bankrobber that got his charge reduced from "Armed Robbery" to plain old Robbery because the teller accidentally saw his gun - he didn't mean to show it to her. She saw it when he lifted his shirt to stuff the money in his pants.
Like the beaver, it's just Dam one thing after another
(I repeat, will not)
;)
Yeah, we heard you the first time.
Ergo, I strongly urge you all to use firewall software and anti-virus packages with updated virus definitions.
That, or keep extremely valuable stuff on your machine.
Actually, I've never really had a use for antivirus software, just don't run untrusted binaries. (that includes outlook, btw)
As for firewalls, I can recommend one.
If you're not a major hub of commerce, the FBI just doesn't care. Consider.
This sort of thing provides good justification for having a login banner on a system. Make it clear that "unauthorized use is prohibited, and activity on said systems may be monitored." From that point on you should be well justified in any monitoring of your network.
So long as you can prove that the systems are not configured for use by the general public, there shouldn't be much to build a case on. Getting around entrapment may be a little harder ("but your honor, when I set up that RedHat 6.2 box, named it "Hax0r|\/|e", and connected it to a comcast hispeed line with no firewall, I had no idea something bad would happen!"), but that's a whole new thread.
There are some people that if they don't know, you can't tell 'em.
I did a little research to see if I could validate or invalidate A Proud American's claims. While he is marginally correct on the facts, his interpretation is very far off.
First and foremost, I learned that the FBI and other similar anti-crime organizations of the U.S. government will not (I repeat, will not) prosecute or even attempt to investigate computer-related security crimes that involve less than $5,000 in liabilities.
Semi-true. There is a technical $5,000 threshold in order for the FBI to have federal jurisdiction over cybercrimes. State law still applies. Additionally, the FBI can probably gain jurisdiction to charge with other laws (they've mentioned RICO) if the crimes cross state lines (and there is judicial precedent that sets the bar merely at passing through an out-of-state router, in the case of a threat delivered over AIM with both perpetrator and victim in the same state).
Also, the $5,000 threshold is not particularly strict under new guidelines in the USA PATRIOT Act, so that they encompass summed damages from different attacks, damages in downtime and time responding, etc. In other words, the bar is very low and easily met with semi-probable damages; $5,000 is more of a requirement to prevent people from being charged for, say, portscanning. See here: http://www.astalavista.com/technologies/library/crime/usa.shtml.
And civil suits are always an available alternative.
Prison is actually fairly easily awarded; often we complain just as much about the strict jail time for such minor crimes as the lack of jail time.
Other measures of prosecution are becoming much harsher and stricter now, too, especially with all our terror enforcement (er, I mean anti-terror, Mr. Ashcroft, sir) measures. I mentioned RICO above (see here: http://lists.insecure.org/lists/isn/2000/Feb/0029.html).
So prison is a real possibility; federal prosecution is pretty easy to get; but you should all still make sure you keep up to date with security. Just don't rely on A Proud American for your information.
Oh, yah. And befriend me. Please? Pretty please? I'll be your friend!
According to the law, I, as an authorized user of a computer that belongs to my employer, have no legal right to privacy concerning files I store on that computer, or e-mail sent from/received by that computer-- the employer, as owner, can monitor it at will.
And now, the law says that I, the owner of a computer system, have no right to monitor or intercept the comings and goings of an UNauthorized user on said system? In fact, I can be sued for doing so?
How is this not a ridiculous double standard? Not counting any "I understand my computer system is subject to monitoring" policy form you may sign at work. Doesn't UNAUTHORIZED computer access trump any kind of claim to privacy that the unauthorized user may make?
Furthermore, would you be covered by putting a disclaimer somewhere on that system? I would imagine that something like "ALL users of this system are subject to monitoring. By continuing to access this system you signal your willingness to be monitored. If you do not agree, disconnect now." would do the trick.
~Philly
Nah, I think he said it right the first time.
Once again America is caught red handed in having one of the most screwed up justice systems in the democratic world. I would almost rather have people lose hands for stealing than have good people who are trying to protect themselves get sued or put in jail using some loophole that an arrogant politician managed to weasel into some anti-"do anything that used to be legal" bill.
those people who think they know everything are a great annoyance to those of us who do. -isaac asimov
While I do have a bare shred of faith that a Judge will understand the intent here is not to defraud. The intent is to Defend/Detect an attack. It's a defense system that does not cause harm. What you are in fact creating is an Electronic Burglar Alarm. As I understand it, tracing the offender is ok; attacking his system isn't. Informing the Domain's Admin/Owner/Upstream Provider is ok. Wasting a Hacker's time in a honey pot isn't illegal; frying their brain like in a William Gibson novel (attractive though it may be) would be.
On the Honey Pot issue, what differentiates it from a Online game? You put it there, people come and there are rules to get in. It would seem that the argument that putting up a Honeypot is an invitation to enter (the Honeypot only). While a SysAdmin could learn valuable lessons from observation, the defense of the Alleged hacker could be that they 'KNEW' it was a Honeypot and that the price of entry was cleverness not cash. Therefore they are playing a game, one in nature much like Ultima online or Neverwinter Nights.
Don't worry about this, it's for the most part a groundless fear. If you did actually come under attack by some foolish District Attorney, likely You would be getting calls from the likes of Johnny Cochran and Alan Dershowitz offering free legal.
This article is fearmongering, a distant cousin of trolling.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
that I fall back on great wisdom gleaned from movies. "The Man Who Would Be King" talked about using a good law for a bad purpose. This is such a time. Should a criminal in the midst of a criminal act be allowed to point accusatory fingers? I think not. Ergo: fuck the criminal bastards.
I have contacted my Congressmen and bitched about how this is "a bad idea, and it damages the very security fabric of the Internet and Internet Commerce," but they're in Congress, so that means they're also retarded...I'm sure they had no idea what I was talking about. But I still URGE you all in the strongest possible terms to write your Congress-person and tell them about the shitty legislation that keeps getting passed. They won't know any better if you don't complain. They still will not know any better, but at least you can say you tried, which is better than doing nothing at all--because as we all know the only thing needed for evil to triumph is for good men to do nothing.
An overlooked point is that fyodor did not compromise a random connection, but the stanford.edu network. Perhaps he used one of his collected exploits?
If we don't fight for ourselves no one will.
Anybody notice how "Honey pots" backwards is "Stop yenoh!". A quick google of the word reveals it to have to do with food, so "honey pots" is code for "Stop food!". This madness must be ended!
An online Starcraft RPG? Free, only at
In soviet russia, all your us are belong to base!
Karma: Redundant!
Online Starcraft RPG? At
Dietary fiber is like asynchronous IO-- Non-blocking!
Anybody read Clifford Stoll's book "The Cuckoo's Egg"? He peppered his file system with files containing key word phrases of military interest in order to catch a Hacker.
Somebody had better warn Winnie the Pooh about this. He could really get himself into a lot of trouble.
Now is NOT the time to write your congresspeople! The article was saying that this COULD be considered illegal under a ridiculous interpretation of existing law. Not exactly something to get angry about.
Playing Chicken Little in these forums somehow means that you rack up incredible karma.
If everyone lived this cautiously, we'd never leave our houses for fear of getting sued.
I have a honeypot behind a firewall.
The cracker breaks thru the firewall.
The cracker uses the honeypot to go outside the firewall and attack another computer. Your computer has a *.doc file that states, " Use of this computer grants permission for monitoring." As long as that file was on the computer before the date of the hacking, I would hope that the jury would say that you had permission to monitor.
Looks about the same as:
A car runs a red light and is involved in an accident. The occupants of the car sue the other person for turning in front of them when the light was red already.
I'd love to be on either one of those juries.
Oh wait, I have been on one of those sorts of cases. Not all jurors are dumb. :-) Two days to get to the jury, 2 minutes to render a verdict.
Then why is Fyodor a free man? And how do you explain the lack of prosecution of this case?
I think you and the parent are both right. I think you're correct in saying that if the FBI wants someone badly enough, they can prosecute them for damn near anything. I think the parent is right that they will almost never pursue a case where a corporation is not the victim. They don't want to involve themselves in defending Internet cranks.
That's why Fyodor's gotten away scot-free, and I can't say I blame him. Maybe it will teach these jokers some manners.
Someone named an OS for me.
Intrusion Detection Systems often are used in this same way. They monitor traffic and report suspicious actions. Some (snort included) capture and record packet dumps... much like taping a conversation.
Intrusion Prevention Systems do the same thing, except they have the ability to actually interfere with the conversation and drop packets or block hosts. Imagine a wire tap that could mute one of the callers to interfere with meaningful conversation.
Firewalls too. Let's also lock up everyone using a firewall. A firewall, or cluster of firewalls, monitors all the traffic (email, web, ftp, etc.) in and out of almost every business network on the internet. ALL of these devices are looking at and selectively recording traffic on those networks.
Nearly every network security tool can be compared to a wire tap... however, it's my damn wire!
The real question to ask is:
Can I legally tap my own wires?
As a business owner, is it legal for me to record and be aware of the incoming and outgoing communications from my business?
I think any claim that an attempted trespass qualifies as a "communication" should be treated with severe skepticism, at best.
"But there's a case where an accused kidnapper who was using a cloned cell phone sued for the interception of the cell phone conversations... And he won."
Good. So don't illegally tap peoples phones.
Isn't that what the EFF is around for, to protect our digital rights?
To address the issues raised in the article:
[1] ;login: The Magazine of USENIX & SAGE, vol. 26, no. 2 (Berkeley, CA: USENIX Association, 2001): pp. 73-76.
Federal wiretap laws prohibit interception of electronic communications, including traffic monitoring across a network. There are exceptions for network protection, but Salgado said that is an "uneasy fit" for honeypots, because they are set up with the expectation of being attacked.
This isn't entirely correct. If you are the owner of the network, you can monitor what happens on it. You can doubly protect yourself by putting a banner on your login page that says that any use of the network is subject to monitoring, but the key thing that courts have looked at with regard to such monitoring is whether the person had a legitimate expectation of privacy in the communication. I think a judge would have a tough time accepting an argument that someone attacking your network had a legitimate expectation of privacy in his/her attack.
Even if you were only allowed to monitor your network for defensive purposes, I think the honeypot could arguably qualify as a defensive tool. For example, I have limited budget for physical security at my home. I recognize that there are a number of ways that someone could break in, and I take steps to secure or prevent those. However, if someone is determined to break in, I must recognize that they will find a way. To deal with that possibility, I try to recognize where an intruder might be able to break in, and I have cameras in those areas. If I could only afford a certain number of cameras, I might make one path a little easier or attractive than the others so that the intruder would take that path and thereby pass in front of the camera allowing me to gather evidence of the crime. The intruder has already committed the crime by being inside the house, the camera simply collects the evidence. By placing a honeypot and monitoring it, you are simply putting an intrusion detector on a place where unauthorized individuals are likely to go, if they are already committing the crime of being inside your network without authorization.
An operator might be held liable for damages if a compromised honeypot is used to launch an attack against a third party. "We don't know" if such liability would hold up in court, Salgado said.
This is theoretically possible, and I actually wrote another article for USENIX's magazine ";login:" on this subject called, "You've Been Cracked...And Now You're Sued."[1] But, if you're setting up a honeypot, you ought to be sophisticated enough to isolate it and prevent outbound attacks on other networks (or at least either notify those networks that they are being attacked or shut down the attack as soon as it starts). There's really no excuse for setting up a honeypot and then allowing it to be used as a zombie.
A hacker charged with illegal activities involving a honeypot could argue entrapment, which Salgado said is a difficult defense. He said it might not apply to so-called passive honeypots.
Salgado is correct that entrapment is a very difficult defense. The article doesn't point out, however, that the defense of entrapment is also only available to someone who is being prosecuted as the result of activity by a government agent (like the DOJ, FBI or some state or local law enforcement agency). If your company (or client), as a non-governmental entity, sets up a honeypot and a cracker gets prosecuted because of it, the defense of entrapment is not available. See the legal definition of entrapment at http://dictionary.lp.findlaw.com/
Furthermore, as Salgado also notes, because a honeypot is a purely passive thing, even if you were a government agent, you are not really inducing or encouraging a potential cracker to go attack it. If you were a government agent and set up a honeypot and then anonymously went to hacker sites and talked about this fantastic server with all kinds of really cool stuff on it and how easy it was to own, etc., etc., then you might be setting yourself up for the defense of entrapment.
John
[1] See the ;login: citation above.
"The plural of anecdote is not data."
I would like a lawyer or at least somebody to explain to me the reasoning behind this law. How does using a honeypot to capture hacker traffic in order to catch the newest vulnerabilities (remember, that's the main point of a honeypot, not catching and prosecuting hackers) differ from, say, maintaining a log of who has logged on to my computer?
The hacker is willfully sending my computer information in an attempt to try and get my computer to send back the juicy, sweet forbidden information to him. How does recording this, then, differ from a log, or for that matter, recording AIM conversations, recording phone conversations on my own line, keeping answering machine messages, or a billion other ways in which we keep information transmitted to us via electronic means? If information is sent to us, then we should be allowed to keep it and use it for whatever we want to.
--Stephen
Did you ever notice that *nix doesn't even cover Linux?
I strongly urge you all to use firewall software and anti-virus packages with updated virus definitions
Ehh... but if you live in Michigan or a few other states, you won't be able to go that route, and so you're doubly screwed.
*sigh*
Have EVDO, will travel.
Some 17 year old kid pretends to be a woman. Fyodor, who is so desperate for female companionship because he's never been on a date, falls for it. He is so heartbroken, he resorts to criminal activity?
If you look up "loser" in the dictionary, you will find a picture of Fyodor.
Police who leave GPS-enabled cars around for crooks to steal in major cities? They track the car once it is stolen and disable it when they are ready to make an arrest... more info at Wired.com.
Aftermath follows.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Ok, so I can sound like the last 50 people that said this: I am not a lawyer. Fine, done.
Here is how I have been trained in regards to wire tap (I am a security analyst):
The wiretap act is broad and prohibits intentional interception (use, etc.) of someone else's electronic communications. This Act (see 18 U.S.C. § 2511(1)) has a bunch of exceptions, two of which are relevant to this discussion:
1. The provider exception may apply if the communications were intercepted during active monitoring for the purposes of system defense,
2. The consent of party exception may apply if you have banners declaring that you monitor all traffic.
From what I have been instructed, I only need to really take care with #1, which is exactly what I'm doing when I fire up a honey pot. (#2 is a part of company policy so it is not optional.)
If I deploy a honey pot for the purpose of monitoring and protecting my network, then I should be able to claim exemption from the Wiretap Act via #1 above. Of course the honeypot damn well better be deployed for the purposes of defense and not something I just threw on the corporate network without authorization.
That's the theory anyway; as far as I know, this has not been tested in the courts yet.
Now if the RIAA intercepts (or monitors) info about files being transmitted, how is that not a communications intercept?
"It's so convenient to have a system where everyone is a criminal" - A. Hitler
The parent comment has been moderated to +5 three times now by the users, and each time it has been instantly reset to +2. The new comment moderation system makes it impossible to see the moderation totals, but you can bet this is the editors in action. They are modbombing again, just like the post of doom, and they're getting away with it because no one can see the moderation totals. Shameful.
It's because you live in a place without common sense.
Liabilities in cybercrimes are just a matter of taste.
For any data you can easily make up a worth of $5000; count your time too if you can't say that your picture collection and slowed internet traffic aren't worth over $5k.
And yes, in some actual cases the liabilities are 'taken from the hat' so to speak, and it's up to the supposed cracker to deny the value of the data... but if you take the average script kiddie he WILL crack himself quite fast and sign any paper the authorities wish without blinking (or arguing that the damages don't make any sense).
world was created 5 seconds before this post as it is.
NOBODY with the startup funds required ($1M or so) wants to pay the cost of freedom, so none of us are going to get it.
The all-amateur volunteer route has been tried. GeekPAC was an abject failure. Enthusiasm and a "desire to represent the community" means jack shit when one is talking real world politics.
It would have cost about $1M to start up if it had been done last year, this kind of organization needs a full-time high-profile lobbyist to front for it in Congress and top-bracket political pro to run the mass activism side. The actual raising to buy political candidates would have cost far more and would come out of our pockets.
Plus full-time staff to answer phones and e-mail, open envelopes, mobilize volunteers, analyze new legislation, etc. etc. etc.
It's too late to do this at the $1M level in time to affect the 2004 elections, and after that, it's going to be too late, all the laws the RIAA/MPAA and Ashcroft can think of will get enacted, after all, who's going to oppose it.
The Election Commission deadlines for too many states have come and gone. Perhaps several million dollars properly used might make it possible to do IMMEDIATE filings where the deadlines haven't quite happened yet and in other cases, be used to persuade the right people to get deadlines extended, but if nobody or no small group (there are lots of high-tech millionaires, some of which read slashdot) was willing to raise $1M, several million ain't happening.
So... the kind of civil liberties needed for long-term growth of the high-tech economy and, for that matter, to keep our machines secure will become part of history, and the future of high-tech is going to be made outside the USA.
If your net worth is over $5M and you're reading this, if you want to know who is to blame for the end of online freedom, don't blame the RIAA/MPAA/Ashcroft, go look in a mirror.
Tech Public Policy stuff
Poulsen is showing an incredible lack of thought in writing this article.
Read the source email (http://www.securityfocus.com/archive/119/293431/2002-09-23/2002-09-29/0), and remember that even though Salgado (author of the email) is a legal professional, half of all lawyers still lose in court (by definition). (In other words, get another opinion - or maybe two or three.)
First, if a person runs a honeypot on their network, a network they control, or a device that they control, then it is not interception of communications. It is _logging_ responses and action taking place _within_ that device, not _intercepting_ communications. There have to be three parties to intercept - the sender, the receiver, and the interceptor.
Second, even if it were interception of communications (which it is not), then not only would all of the system logs in Unix/Windows be illegal, but so would every web server log in the US. Even worse, that caller ID display that you have would also be illegal - it intercepts information to display on your phone.
Finally, if monitoring a honeypot is illegal, then monitoring a hacked server would be as well. So, if your machine were infected by a virus that talked to an IRC channel, then you would be guilty of an illegal interception of communication.
If anyone ever loses a lawsuit because of this, appeal, and also sue your own lawyer for incompetence!!!
Salgado does not have a good grasp of this. This can be shown simply. If he were correct, then the phone companies would require a wiretap order to even _view_ their phone logs for any suspected phreaking on their network. Somehow, I doubt that Ma Bell gets a wiretap order to look at their phone logs.
Mark Radulovich, CISSP
This is retarded... What sort of f*ckwitts are making this shit up?
I'm so disgusted with all of this that I just can't find the words to express my disgust with this stupidity.
This just gets worse and worse every day.
You may as well just report to the chipping center and have your GPS/microphone/thought monitoring/cashless society-chip implanted now and beat the rush.
Better yet, just lay down on the table and let them suck your brains out and pump your head full of mashed potatoes so that you need not worry about anything, especially thinking for yourself.
Remember, thinking is a thought crime and Tuesdays are Soylent Green day!
After reading the story about Fyodor, a Slashdot-sponsored hacker who invaded the computer systems of other users, I came to realize some things.
Bullshit. Where's the proof? The only proof you trolls ever give are links to other troll's journals. I have never seen any proof, that Fyoror did anything illegal.
The "victim" however, admits that he knowingly made fraudulent statements.
Life is too short to proofread.
AFAIK, there isn't any federal law that says that the owner of foo.com can't set up a "fake" foo.com, or that he incurs any liability (financial or legal) for doing so. If J.R.Hacker has no authorization to access foo.com, then he has exactly the same level of authorization to access the fake foo.com, and has no legal grounds to complain that the fake system didn't actually contain the credit card numbers he was looking for.
They have caches of fyodor's comments and his web page, hosted offsite, and numerous people who have testified that the mirrors are accurate. Why don't you actually read the article? "Trolls journals" indeed.
Since you didn't lose $5,000 or more in funds, you cannot get the FBI or other crime organizations to help you.
I'll bet that just for the fee of a couple 12-packs of beer you could get a local biker gang to break the hacker's fingers for you.
But for my American counterparts, I feel for you. From the sounds of it, logging anything that happens even on your own computer could be illegal. You can probably get around this by including an "unauthorized access prohibited. Subject to the terms and conditions of [website]" notice, where the website address is a huge disclaimer including "all activities may be logged". For when the person attempts to use any services, simply set this as the motd and be done with it. Anyways, I am not a lawyer, so if you do this and still get sued, too bad for you; get your legal advice not from slashdot but from a lawyer. P.S. Anything like this in Canada?
YHBT... he's a well known troll over on K5. If I hadn't already posted in this story I'd have modded it down.
I do not read or respond to AC's. If you want a discussion, log in. Otherwise, don't waste your time.
Wouldn't Gator's software be intercepting messages for a conversation (between you and the website you are visiting), that it is not a part of?
I would think any ISP tracking/monitoring, web-tracking monitoring by a third-party (not you, and not the internet site) would be illegal by FCC regulations?
I'm not a lawyer, obviously, so what do the rest of you, more educated folks think?
troller.
The proof, written by Fyodor's own hand. If that's a hoax (including the multitude of screen shots), it's a damn elaborate hoax.
I have a motion sensor alarm installed in my home. Does this constitute illegal monitoring? How is that any different than monitoring via a honeypot?
My rights don't need management.
This is just silly. An illegal wiretap is intercepting a communication between two computer/people/objects without either 1.) the permission of one party, 2.) a court order. If you are a party to the communication (i.e. the honeypot) you are intercepting communications to and from your own machine. Seems like there are bigger things to be worried about.
Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
Look here and here and here
The more out-there states of the US have rules on self-defence that are a lot more unrestrictive than just about anywhere else in the Western world.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
If the Feds want to have a look-see at your computer to make sure you're not a terrorist, that last thing they want is for you to notice them and blab to someplace like Slashdot.
So they put the public on notice that monitoring your computer is illegal. Many people (well, not Slashdotters, I guess) will stop monitoring. Those that don't will be afraid to publicly announce that they caught the Feds snooping in their systems or to divulge how the Feds got in and what back doors or loggers they left behind.
[Turning tin-foil hat around the other way...]
Or maybe the RIAA put 'em up to it!
You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
"Math in a song is good."-Linford
That being true, how can monitoring the honeypot possibly be interception, which implies actively interfering with/capturing the data at some mid-point??
I can do anything legal on my network that I please. If someone trespasses on my network, they are subject to being caught by me. I have a server that monitors all AIM traffic at work; we don't ever look at it, but if something ever came up about harassment we would be able to prove it. If I look at a detailed log file on a server that does nothing other than log itself, how is that wrong for me to do on my own network? That's BS and will be dismissed as such the first time it is challenged in a real court.
This must be Thursday, I never could get the hang of Thursdays.
Welcome to the USA, where common sense is absolutely irrelevant. Got a sensational case? There's a lawyer and a judge out there somewhere who'll see to it that you win.
Disgusting.
I submitted this story about 3 times right around when the first security focus article came out. All 3 got rejected. Dangit.
Aside from the legal liability (which is obviously ridiculous and possibly quite realistic ;) of intercepting communications, say, as the article suggests, that the hacker sets up a chat. By leaving it up (monitoring it, of course) you are indirectly helping the hackers that use said chat.
Of course if you see the hacker actually hacking somebody else (very realistic scenario) you really *should* do something. Is alerting them enough? Would you be happy if you get a phone call saying: "So sorry friend, you should reinstall your servers, I just had an incredibly fun and instructive week watching some hackers make swiss cheese out of your systems."
You can probably gather from the above that I am not a big fan of honeypots. Aside from all else, I think they could give you a false sense of security: you watch the honeypot with an eagle eye while your other systems get hacked - unless your security is perfect, and then why bother. I do see their use; it is likely you would detect at least a probe - but if your system is at all typical, you already have a bunch of probes every day...
Reading slashdot beats working - Q
A question important to those who run open relay honeypots and open proxy honeypots (proxypots.)
These are 100% accurate against spam - filters and blacklists are not. Will they be outlawed?
Check out the bubblegum proxypot. It's a neat way to hurt spammers:
http://world.std.com/~pacman/proxypot.html
Don't forget the relay spam honeypot (Jackpot):
http://jackpot.uk.net
What about the words of Police Chief Wiggum?
Wiggum: ...once a man is in your home, anything you do to him is nice and legal.
Homer: Is that so? (out window) Oh Flanders, won't you join me in my kitchen?
Wiggum: Uh, it doesn't work if you invite them in.
Ned: Hidely Hey!
Homer: Go home.
Ned: Toodly Doo!
The Government of Canada is creating a new offence, under section 247 of the Criminal Code, targeting those who would set traps in a place used for a criminal purpose and intending to cause injury or death.
One of our government departments asked for express permission to monitor private communications (see Comments on Specific Provisions of Bill C-36) which could be invoked as part of some amendments post 9-11. Now there is a bill before Parliament to amend the criminal code to clarify the role of IDS (and by extension, one would think, honeypots). Ironically it's the same bill that will deal with the boobytrapped pothouse law.
Under our criminal code, currently, "Every one who, by means of any electromagnetic, acoustic, mechanical or other device, wilfully intercepts a private communication is guilty of an indictable offence and liable to imprisonment for a term not exceeding five years."
The amendment would create exceptions to the offences of intercepting a private communication and of disclosing its content to ensure quality control in the communications industry. A proposed amendment to the Financial Administration Act (section 161) will ensure that federal departments and agencies may take reasonable measures to manage and protect their computer systems, which may include the interception of private communications.
In order to protect the privacy of persons in Canada, limits would be imposed and use of information intercepted by private IDS systems will be controlled under the Criminal Code.
For example, it is questionable as to whether in email, users have an expectation of privacy. Consider an IDS that captures full packet content. Is it interception of private communications? It could be as simple as setting the correct snaplen in your Snort rule :)
Where I have a problem with this is that a honeypot, by definition, shouldn't have any legitimate use. So how can it be interception of private communications (with what)? Of course this would vary with the statutes in that jurisdiction.
When it comes to the liability issues, Honeypots should never be deployed without monitoring outgoing activities. It is likely an obligatory duty of due care to other fellow netizens to not knowingly leave a vulnerable machine out there that could be used to attack other machines. I can see a definite liability issue there of opening up a few shares and walking away for a few months without checking.
IANAL, but AFAIC the safest way is to adopt an explicit policy that individual communications will be monitored as a matter of course in aggregate for suspicious activity, which will be reported to authorities. One might be able to ensure, to the best of their abilities, that this warning is seen by implementing a klaxon that returns a warning to this effect on all unserved ports on your honeypot. Always monitor the honeypot and have reasonably documented procedures on what you plan to do when it gets hacked to minimize damage to your neighbours.
B
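The two practical controls the comment above asks for, a monitoring notice returned on every unserved honeypot port and a check of the honeypot's outgoing activity, as an added example that is not code from the thread or from any project named in it. Everything specific is assumed for the example: the honeypot and operator address ranges (TEST-NET blocks), the `TIMESTAMP SRC -> DST:PORT` connection-log format, the notice text, and the sample log lines, which are constructed. The outbound check flags any connection a honeypot host initiates toward a destination that is neither the honeypot segment nor the operator's own collectors, which is exactly the "used as a zombie" case the earlier USENIX comment says there is no excuse for.

```python
"""Added example (not from the thread): a notice banner for unserved honeypot
ports and an outbound-activity check over the honeypot's connection log.
Address ranges, the log format and the sample lines are constructed."""
import ipaddress
import socket
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed ranges: the honeypot segment and the operator's own monitoring
# hosts (syslog collector etc.), the only outbound destinations a honeypot
# should ever talk to.
HONEYPOT_NET = ipaddress.ip_network("192.0.2.0/24")
OPERATOR_NET = ipaddress.ip_network("198.51.100.0/24")

# Assumed wording; an operator would use the text their policy/counsel chose.
MONITORING_NOTICE = (
    "NOTICE: This system and all traffic to it are monitored and logged. "
    "Unauthorized access is prohibited; activity may be reported. "
    "Disconnect now if you are not authorized."
)


def notice_banner(local_port: int) -> bytes:
    """Bytes written to any client that connects to a port with no real service."""
    return f"{MONITORING_NOTICE} (port {local_port})\r\n".encode()


def notice_listener(port: int, host: str = "0.0.0.0", max_conns: int = 1) -> List[str]:
    """Klaxon-style listener: accept up to max_conns connections on an unserved
    port, send the notice, record who connected, then close.  Blocking; meant
    for a lab run, not for the automated checks below."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        for _ in range(max_conns):
            conn, peer = srv.accept()
            with conn:
                conn.sendall(notice_banner(port))
            stamp = datetime.now(timezone.utc).isoformat()
            seen.append(f"{stamp} {peer[0]} -> {host}:{port}")
    return seen


@dataclass
class Conn:
    ts: datetime
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_conn_log(text: str) -> List[Conn]:
    """Parse constructed 'TIMESTAMP SRC -> DST:PORT' connection records."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, _arrow, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        out.append(Conn(datetime.fromisoformat(ts), ipaddress.ip_address(src),
                        ipaddress.ip_address(dst), int(port)))
    return out


def outbound_alerts(conns: List[Conn]) -> List[Conn]:
    """Connections a honeypot host initiates toward anything other than the
    honeypot segment or the operator's monitoring hosts.  Any hit means the
    honeypot is being used against third parties and should be cut off."""
    return [c for c in conns
            if c.src in HONEYPOT_NET
            and c.dst not in HONEYPOT_NET
            and c.dst not in OPERATOR_NET]


def egress_summary(conns: List[Conn]) -> Dict[str, int]:
    """Number of third-party connections per honeypot host, for the report."""
    return dict(Counter(str(c.src) for c in outbound_alerts(conns)))


# Constructed sample: an outside host probes the honeypot (expected), the
# honeypot ships logs to the operator's collector (allowed), then the honeypot
# starts sweeping port 445 on third-party hosts (must alert).
SAMPLE_LOG = """\
2002-09-25T10:00:01 203.0.113.7 -> 192.0.2.10:22
2002-09-25T10:00:05 203.0.113.7 -> 192.0.2.10:80
2002-09-25T10:03:10 192.0.2.10 -> 198.51.100.2:514
2002-09-25T10:07:42 192.0.2.10 -> 203.0.113.50:445
2002-09-25T10:07:43 192.0.2.10 -> 203.0.113.51:445
2002-09-25T10:07:44 192.0.2.10 -> 203.0.113.52:445
"""

if __name__ == "__main__":
    records = parse_conn_log(SAMPLE_LOG)
    for c in outbound_alerts(records):
        print(f"ALERT outbound from honeypot: {c.ts.isoformat()} {c.src} -> {c.dst}:{c.dport}")
    print(egress_summary(records))
```

Run stand-alone it prints three alerts for the 445 sweep and the per-host count; `notice_listener(2323, max_conns=3)` in a lab session serves the notice on an otherwise unused port. The outbound check deliberately treats every non-operator destination as an alert rather than applying a threshold: the comment's point is that a honeypot has no legitimate outbound traffic, so the first third-party connection is already the event to act on.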
It's easy to draw lines in our minds as to what a subject means. In reality our lives are complex, our behaviours are complex, even our solutions are often complex, sometimes to the point of introducing further complexities. Yet we learn to compromise as a way of getting things done. So laws get passed that are complex, and worse, they often have tacked-on legislation that is moronic when applied to our basic principles as a mass. But these things happen, and when we find that we oppose something enough to act on it, then I suppose that if we truly are a ruling republic, we shall act to make things as we want them to be (however complex). As for anything more regarding law, I am tired of thinking about it. I'm tired of trying to find that elegant solution that, like in so many fields, just doesn't exist given our current intelligence/moral stance. Anyway, I don't really have a point... it's far too complex =)
First of all, Richard Salgado has got to tell people to be very careful. He's a prosecutor for the government. He's got to say things that err on the side of safety, and of never condoning possible violations of the law. (He's a nice guy, and a good speaker. He's just very obviously in one corner, and has the party line to hew to).
Secondly, read 18 U.S.C. Section 2511. That lays out the _exceptions_ to the Wiretap Act, which includes the Provider exception, which boils down to: if you own the machine, and have appropriate banners, and the wiretap is done "while engaged in any activity which is a necessary incident to the rendition of [the rightful administrator's] service or to the protection of the rights or property of the provider of that service...". The reason the gov't is goosey about honeypots is, if it is a property laid out to be broken into, then is the wiretapping justified? If you're doing it as part of the defense of your network, consensus tends to be yes. If you're doing it for shits and giggles, there tends to be less consensus. The gov't needs to be able to prosecute anyone, so without court cases telling them otherwise they're leaning to the stricter interpretation.
Thirdly, if you're interested, read the posted practical assignments for the SANS GCFA (Forensics) course/certification. The original assignment (the only one posted currently) has three parts, the third of which is Describe in detail your authority as a system administrator with regards to this statute. Keep in mind that none of those people are lawyers, but most of them sat through a course including Richard Salgado talking on this issue, and all of them worked their butt off to write the paper and pass the course. More work than goes into, say, a /. post 8).
Can your house be broken into, and the burglar walk away suing you for getting cut on the broken window?
I write code.
Pay the (cr|h)ackers a nominal sum for the job of compromising your machine as security testers, then instantly fire and sue them for damages. or something...
--
"Extra Anus Kills Four-Legged Chick" -- Headline
Yet another example of people not thinking about what they read, and/or believing everything they see on the internet or in the mass media. I once read that aliens landed nearby, but that doesn't make it true. First of all, prove I have a honeypot, and not just a linux box sitting there with nothing on it. I normally run stuff to monitor people's connections to my systems... prove otherwise. "Innocent until proven guilty." Next, it's my God-given right to monitor my systems, and as such, I am of the belief that anyone saying I can't is in violation of my constitutional rights. Hence, don't believe everything you read...
Some of the things you can do are to use a separate machine to monitor your network activity, and filter out some of the more dangerous things (or even filter out all outgoing telnet/ssh/etc...)
Honeypots for trapping spammers are much easier - they're not usually trying to log in and try lots of exploits out to other machines, they're just going for the open relay and open proxy, and if you do a good trap, their first couple of messages will get forwarded (they'll be test messages run by the spammer), and the rest can get
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
He is the UK farmer who was just recently paroled after serving time (he was sentenced to 'life' in prison) for shooting and killing a 16 year old punk burglar by the name of Fred Barras, who had broken into the Martin farmhouse with an accomplice.
...and maybe some other citizen's life, as criminals tend to not be too picky about others 'rights' during the commission of their crimes ...although the British courts didn't see it that way. Shame on them.
Evidently the Barras family is in the profession of burglary, and Mr Martin simply saved the British taxpayers some money
www.tonymartinsupportgroup.org
Not all of them have banned the possession of more than a few of these licensed Pooh "massagers", but some have.
fencepost
just a little off
Semi-true. There is a technical $5,000 threshold in order for the FBI to have federal jurisdiction over cybercrimes.
True; however, there is no requirement that the $5,000 threshold relate to a single incident. If, for example, Fluffi Bunni knocks over 6 sites doing damage of $1,000 each, and those 6 sites all report it to the Fed with enough evidence to connect them all to Fluffi Bunni, then the $5,000 threshold is satisfied. In other words, the Feds can aggregate cases involving the same perpetrator.
This is why they encourage businesses to report incidents, even if they can't / won't prosecute them all. If several businesses all report related incidents, that's something they can work on.
I'm not sure how it'd even be practical for the FBI to get involved in everyone's home movie theft cases. It'd be like getting the Secret Service involved every time you wanted to go out into a crowded area. The government already does enough useless crap; I really don't want the FBI spending hundreds of thousands of dollars finding out who sent a trojan horse disguised as YOUREAWINNER.EXE to uncle Jimmy and deleted his family vacation movies.