Slashdot Mirror


Use a Honeypot, Go to Prison?

scubacuda writes "Using a honeypot to detect and surveil computer intruders might put you on the working end of federal wiretapping beef, or even get you sued by the next hacker that sticks his nose in the trap, according to this (old) Security Focus article. Honeypots could be what federal criminal law calls "interception of communications", a felony that carries up to five years in prison. Because the Federal Wiretap Act has civil provisions, as well as criminal, there's even a chance that a hacker could file a lawsuit against a honeypot operator that doesn't have their legal ducks in a row. "It would take chutzpah," said Richard Salgado, senior counsel for the Department of Justice's computer crime unit, "But there's a case where an accused kidnapper who was using a cloned cell phone sued for the interception of the cell phone conversations... And he won.""

19 of 298 comments

  1. Eh, I wouldn't worry by I Am The Owl · · Score: 3, Interesting

    If you're, say, Fyodor and you're running a honeypot (like he does, he's involved w/ the project), you can more or less count on the fact that the perp is some poor minor or college student who won't be able to bring suit in court. Hell, if you're Fyodor, this works when you're on the other side, too.

    --

    --sdem
  2. Well then make it useful by binaryDigit · · Score: 4, Interesting

    Couldn't this be avoided by making the honeypot actually "do something", thereby making it not a "honeypot"? IE, stick some files on there and call it a backup server (unimportant files of course) or whatever. After all, aren't the most effective honey pots those that fool the intruder into thinking that it's a real "site", what better way than to sorta make it real? Nothing illegal about monitoring your own real site, right?

  3. They're selling, but I'm not buying by dtolton · · Score: 2, Interesting

    I'm as against the invasion of federal powers as the next guy,
    but something that hurts that cause is overly reactionary or
    alarmist arguments. This article strikes me that way.

    Anyone who has spent some time in a court room realizes that
    judges are not the completely inept morons they are often made
    out to be. Sure someone could "sue" you for breaking a
    wiretapping law, that doesn't however mean they would win.
    People seldom appreciate the difference between those two
    things, anyone can sue for just about anything. Whether or not
    they win the case is an entirely different thing.

    Saying that monitoring a honey pot is a violation of the federal
    wiretapping act is a huge legal stretch IMO. Even though a
    honeypot is designed to be hacked, it still has to be hacked.
    They still have to commit a felony to get into it, that's the
    equivalent of saying that if someone hacks into your workstation
    and you happen to be monitoring it at the time you are then in
    violation of the federal wiretapping act. That is just patently
    absurd.

    The one example they use isn't very compelling to me either.
    They are as usual light on the details, but "tapping" a cell
    phone that isn't yours is an entirely different story than
    monitoring a computer that you own and operate.

    Every once in a while we get crazy laws on the books, and off
    the wall judges pushing their own agendas, but when things make
    it to the supreme court or the higher courts, things usually
    shake out in a logical and reasonable fashion. The first time
    someone gets *successfully* prosecuted under this, then I'll
    buy it.

    --

    Doug Tolton

    "The destruction of a value which is, will not bring value to that which isn't." -John Galt
  4. Implications in piracy by EmagGeek · · Score: 2, Interesting

    I wonder if putting phony MP3's on your ftp server in hopes of confusing the powers that be might fall under this. After all, isn't that sort of honeypot-ish?

    I wonder what this would mean for other "red herring" type of defense measures....

  5. Re:Err... by Fulcrum of Evil · · Score: 4, Interesting

    He won't win though

    He might. Burglars have successfully sued homeowners for falling through a roof and injuring themselves whilst breaking into said house.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  6. how stupid by Anonymous Coward · · Score: 1, Interesting

    First of all, it's YOUR computer, you are allowed to monitor your network however you like.

    This has nothing to do with a cloned cell phone, which is illegal to begin with, and the perp wasn't trying to commit a crime on the cellphone itself.

    It would be like this: A criminal gets into your house because you leave the door open intentionally. He starts tearing the place apart and in the process trips and breaks his arm. How can he possibly sue YOU? Sure, you left the door open, and maybe that weakens your case against him, but he has no right to sue you.

    Now, suppose the criminal takes the bus to work during the day and also used it to get to your house that night. Let's say he trips and breaks his arm on the bus due to long-standing negligence of the bus owner. Does he have a case against the bus owner.. maybe! I think that's more like the cell phone example.

    I think this is just silly, any judge with half a brain would understand that breaking into a computer is wrong, regardless of the honeypot.

    Yeah, the laws are fucked up and upside down when it comes to computers and networks, but not THIS stupid.....

  7. RIAA & Honey Pots by splatter · · Score: 4, Interesting

    I was reading this and had a thought. Has anyone set up a FTP or P2P honey pot to attract attention from the RIAA?

    This could be a great way to annoy the RIAA when they try and sue or fine someone that actually doesn't have illegal material on their hard drive.
    Has anyone done this yet? Any stories? Could the honey pot project be used to simulate a FTP server with mp3 goodies?

    DP

    --
    "(I) have this unfortunate condition that causes me not to believe a single thing any politician says when a mic's on.
    1. Re:RIAA & Honey Pots by The Jonas · · Score: 2, Interesting

      Could the honey pot project be used to simulate a FTP server with mp3 goodies?

      Sure can. The RIAA already does it to downloaders with bogus mp3s and crippled music files. Just serve up the crap you downloaded from them. Then if they try to sue or hack your box then countersue under the allegation that they were already sharing these files and did not provide you with any "fair use" instructions when you d'loaded them from the myriad of fake users/servers they have dishing this junk out to the public. While you're at it - share the Madonna Cursing at You fake mp3 file and sue her too. I doubt a solid case could be made in your favor, but if you're a daring soul...

  8. Re:Heh. by intermodal · · Score: 2, Interesting

    you know, the more bad laws they pass regarding the internet, the more I think we don't need an internet as much as we need an HTTP/gaming network and a separate network for real users who actually use HTTP, FTP, IRC, SSH, Telnet, etc. etc. ad nauseam. The more I learn about computers, the more I find that actually using any of it is considered a crime in most contexts. That, my friend, is the biggest problem.

    Somebody please elect some legislators who actually understand that information technology involves more than hotmail and the hamster dance?

    --
    In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
  9. Damn Laws! by imscarr · · Score: 2, Interesting

    I read an article in the paper yesterday about a bank robber that got his charge reduced from "Armed Robbery" to plain old Robbery because the teller accidentally saw his gun - he didn't mean to show it to her. She saw it when he lifted his shirt to stuff the money in his pants.

    --
    Like the beaver, it's just Dam one thing after another
  10. Re:This is all false information (no, it's not) by KrispyKringle · · Score: 4, Interesting
    Howdy,

    I did a little research to see if I could validate or invalidate A Proud American's claims. While he is marginally correct on the facts, his interpretation is very far off.

    First and foremost, I learned that the FBI and other similar anti-crime organizations of the U.S. government will not (I repeat, will not) prosecute or even attempt to investigate computer-related security crimes that involve less than $5,000 in liabilities.

    Semi-true. There is a technical $5,000 threshold in order for the FBI to have federal jurisdiction over cybercrimes. State law still applies. Additionally, the FBI can probably gain jurisdiction to charge with other laws (they've mentioned RICO) if the crimes cross state lines (and there is judicial precedent that sets the bar merely at passing through an out-of-state router, in the case of a threat delivered over AIM with both perpetrator and victim in the same state).

    Also, the $5,000 threshold is not particularly strict under new guidelines in the USA PATRIOT Act, so that they encompass summed damages from different attacks, damages in downtime and time responding, etc. In other words, the bar is very low and easily met with semi-probable damages; $5,000 is more of a requirement to prevent people from being charged for, say, portscanning. See here: http://www.astalavista.com/technologies/library/crime/usa.shtml.

    And civil suits are always an available alternative.

    Prison is actually fairly easily awarded; often we complain just as much about the strict jail time for such minor crimes as the lack of jail time.

    Other measures of prosecution are becoming much harsher and stricter now, too, especially with all our terror enforcement (er, I mean anti-terror, Mr. Ashcroft, sir) measures. I mentioned RICO above (see here: http://lists.insecure.org/lists/isn/2000/Feb/0029.html).

    So prison is a real possibility; federal prosecution is pretty easy to get; but you should all still make sure you keep up to date with security. Just don't rely on A Proud American for your information.

    Oh, yah. And befriend me. Please? Pretty please? I'll be your friend!

  11. A burglar alarm is not a wiretap by infonography · · Score: 4, Interesting

    While I do have a bare shred of faith that a Judge will understand the intent here is not to defraud. The intent is to Defend/Detect an attack. It's a defense system that does not cause harm. What you are in fact creating is an Electronic Burglar Alarm. As I understand, tracing the offender is ok, attacking his system isn't. Informing the Domain's Admin/Owner/Upstream Provider is ok. Wasting a Hacker's time in a honey pot isn't illegal, frying their brain like in a William Gibson novel (attractive though it may be) would be.

    On the Honey Pot issue, what differentiates it from an Online game? You put it there, people come and there are rules to get in. It would seem that the argument that putting up a Honeypot is an invitation to enter (the Honeypot only). While a SysAdmin could learn valuable lessons from observation, the defense of the Alleged hacker could be that they 'KNEW' it was a Honeypot and that the price of entry was cleverness not cash. Therefore they are playing a game, one in nature much like Ultima online or Neverwinter Nights.

    Don't worry about this, it's for the most part a groundless fear. If you did actually come under attack by some foolish District Attorney, likely You would be getting calls from the likes of Johnnie Cochran and Alan Dershowitz offering free legal.

    This article is fearmongering, a distant cousin of trolling.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
    1. Re:A burglar alarm is not a wiretap by Just Some Guy · · Score: 2, Interesting
      Don't worry about this, it's for the most part a groundless fear. If you did actually come under attack by some foolish District Attorney, likely You would be getting calls from the likes of Johnnie Cochran and Alan Dershowitz offering free legal.

      It must be nice to live someplace high-profile enough that someone like Johnny C. would be interested in helping you. I live in a small town in the upper Midwest; do you really think any big-name lawyer would provide me with a pro bono defense?

      --
      Dewey, what part of this looks like authorities should be involved?
  12. Also lock me for.... by Erik_Kahl · · Score: 3, Interesting

    Intrusion Detection Systems often are used in this same way. They monitor traffic and report suspicious actions. Some (snort included) capture and record packet dumps....much like taping a conversation.

    Intrusion Prevention Systems do the same thing, except they have the ability to actually interfere with the conversation and drop packets or block hosts. Imagine a wire tap that could mute one of the callers to interfere with meaningful conversation.

    Firewalls too. Let's also lock up everyone using a firewall. A firewall, or cluster of firewalls, monitors all the traffic (email, web, ftp, etc.) in and out of almost every business network on the internet. ALL of these devices are looking at and selectively recording traffic on those networks.

    Nearly every network security tool can be compared to a wire tap....however, it's my damn wire!

    The real question to ask is:

    Can I legally tap my own wires?

    As a business owner, is it legal for me to record and be aware of the incoming and outgoing communications from my business?

  13. A Honeypot is Not Entrapment by johnnick · · Score: 4, Interesting

    To address the issues raised in the article:

    Federal wiretap laws prohibit interception of electronic communications, including traffic monitoring across a network. There are exceptions for network protection, but Salgado said that is an "uneasy fit" for honeypots, because they are set up with the expectation of being attacked.

    This isn't entirely correct. If you are the owner of the network, you can monitor what happens on it. You can doubly protect yourself by putting a banner on your login page that says that any use of the network is subject to monitoring, but the key thing that courts have looked at with regard to such monitoring is whether the person had a legitimate expectation of privacy in the communication. I think a judge would have a tough time accepting an argument that someone attacking your network had a legitimate expectation of privacy in his/her attack.

    Even if you were only allowed to monitor your network for defensive purposes, I think the honeypot could arguably qualify as a defensive tool. For example, I have limited budget for physical security at my home. I recognize that there are a number of ways that someone could break in, and I take steps to secure or prevent those. However, if someone is determined to break in, I must recognize that they will find a way. To deal with that possibility, I try to recognize where an intruder might be able to break in, and I have cameras in those areas. If I could only afford a certain number of cameras, I might make one path a little easier or attractive than the others so that the intruder would take that path and thereby pass in front of the camera allowing me to gather evidence of the crime. The intruder has already committed the crime by being inside the house, the camera simply collects the evidence. By placing a honeypot and monitoring it, you are simply putting an intrusion detector on a place where unauthorized individuals are likely to go, if they are already committing the crime of being inside your network without authorization.

    An operator might be held liable for damages if a compromised honeypot is used to launch an attack against a third party. "We don't know" if such liability would hold up in court, Salgado said.

    This is theoretically possible, and I actually wrote another article for USENIX's magazine ";login:" on this subject called, "You've Been Cracked...And Now You're Sued."[1] But, if you're setting up a honeypot, you ought to be sophisticated enough to isolate it and prevent outbound attacks on other networks (or at least either notify those networks that they are being attacked or shut down the attack as soon as it starts). There's really no excuse for setting up a honeypot and then allowing it to be used as a zombie.

    A hacker charged with illegal activities involving a honeypot could argue entrapment, which Salgado said is a difficult defense. He said it might not apply to so-called passive honeypots.

    Salgado is correct that entrapment is a very difficult defense. The article doesn't point out, however, that the defense of entrapment is also only available to someone who is being prosecuted as the result of activity by a government agent (like the DOJ, FBI or some state or local law enforcement agency). If your company (or client), as a non-governmental entity, sets up a honeypot and a cracker gets prosecuted because of it, the defense of entrapment is not available. See the legal definition of entrapment at http://dictionary.lp.findlaw.com/

    Furthermore, as Salgado also notes, because a honeypot is a purely passive thing, even if you were a government agent, you are not really inducing or encouraging a potential cracker to go attack it. If you were a government agent and set up a honeypot and then anonymously went to hacker sites and talked about this fantastic server with all kinds of really cool stuff on it and how easy it was to own, etc., etc., then you might be setting yourself up for the defense of entrapment.

    John

    [1] ;login: The Magazine of USENIX & Sage, vol. 26, no. 2 (Berkeley, CA : USENIX Association, 2001): pp. 73-76.

    --
    "The plural of anecdote is not data."
  14. Re:Err... by wo1verin3 · · Score: 2, Interesting

    which is great except that the fact he was robbing your house is not admissible, if there was a jury, they would not be told of this.

  15. Bogus Article by Poulsen by radulovich · · Score: 5, Interesting

    Poulsen is showing an incredible lack of thought in writing this article.

    First, if a person runs a honeypot on their network, a network they control, or a device that they control, then it is not interception of communications. It is _logging_ responses and action taking place _within_ that device, not _intercepting_ communications. There have to be three parties to intercept - the sender, the receiver, and the interceptor.

    Second, even if it were interception of communications (which it is not), then not only would all of the system logs in Unix/Windows be illegal, but so would every web server log in the US. Even worse, that caller ID display that you have would also be illegal - it intercepts information to display on your phone.

    Finally, if monitoring a honeypot is illegal, then monitoring a hacked server would be as well. So, if your machine were infected by a virus that talked to an IRC channel, then you would be guilty of an illegal interception of communication.

    If anyone ever loses a lawsuit because of this, appeal, and also sue your own lawyer for incompetence!!!

    Read the source email (http://www.securityfocus.com/archive/119/293431/2002-09-23/2002-09-29/0), and remember that even though Salgado (author of the email) is a legal professional, that half of all lawyers still lose in court (by definition). (In other words, get another opinion - or maybe two or three.)

    Salgado does not have a good grasp of this. This can be shown simply. If he were correct, then the phone companies would require a wiretap order to even _view_ their phone logs for any suspected phreaking on their network. Somehow, I doubt that Ma Bell gets a wiretap order to look at their phone logs.

    Mark Radulovich, CISSP

  16. It's an IDS!! by tiny69 · · Score: 3, Interesting
    Using a honeypot to detect and surveil computer intruders might put you on the working end of federal wiretapping beef, or even get you sued by the next hacker that sticks his nose in the trap,
    There is an easy fix for this. Stop calling them honeypots and start calling them what they really are, an intrusion detection system. Saying that your IDS was broken into will also go over better with the judge and jury.
    --
    Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
  17. only in america... by hatrisc · · Score: 2, Interesting

    can your house be broken into, and the burglar will walk away suing you for getting cut on the broken window.

    --
    I write code.