Use a Honeypot, Go to Prison?

scubacuda writes "Using a honeypot to detect and surveil computer intruders might put you on the working end of federal wiretapping beef, or even get you sued by the next hacker that sticks his nose in the trap, according this (old) Security Focus article. Honeypots could be federal criminal law calls "interception of communications", a felony that carries up to five years in prison. Because the Federal Wiretap Act has civil provisions, as well as criminal, there's even a chance that a hacker could file a lawsuit against a honeypot operator that doesn't have their legal ducks in a row. "It would take chutzpah," said Richard Salgado, senior counsel for the Department of Justice's computer crime unit, "But there's a case where an accused kidnapper who was using a cloned cell phone sued for the interception of the cell phone conversations... And he won.""

Well then make it useful

[binaryDigit]

Couldn't this be avoided by making the honeypot actually "do something", thereby making it not a "honeypot"? IE, stick some files on there and call it a backup server (unimportant files of course) or whatever. After all, isn't the most effective honey pots those that fool the intruder into thinking that it's a real "site", what better way than to sorta make it real? Nothing illegal about monitoring your own real site right?

Re:Err...

[Fulcrum+of+Evil]

He won't win though

He might. Burglars have successfully sued homeowners for falling through a roof and injuring themselves whilst breaking into said house.

RIAA & Honey Pots

[splatter]

I was reading this and had a thought. Has anyone set up a FTP or P2P honey pot to attract attention from the RIAA?

This could be a great way to annoy the RIAA when they try and sue or fine someone that actually doesn't have illegal material on their hard drive.
Has anyone done this yet? Any storys? Could the honey pot project be used to simulate a FTP server with mp3 goodies?

DP

Re:This is all false information (no, it's not)

[KrispyKringle]

Howdy,

I did a little research to see if I could validate or invalidate A Proud American's claims. While he is marginally correct on the facts, his interpretation is very far off.

First and foremost, I learned that the FBI and other similar anti-crime organizations of the U.S. government will not (I repeat, will not) prosecute or even attempt to investigate computer-related security crimes that involve less than $5,000 in liabilities.

Semi-true. There is a technical $5,000 threshold in order for the FBI to have federal jurisdiction over cybercrimes. State law still applies. Additionally, the FBI can probably gain jurisdiction to charge with other laws (they've mentioned RICO) if the crimes cross state lines (and there is judicial precedent that sets the bar merely at passing through an out-of-state router, in the case of a threat delivered over AIM with both perpetrator and victim in the same state).

Also, the $5,000 threshold is not particularly strict under new guidelines in the USA PATRIOT Act, so that they encompass summed damages from different attacks, damages in downtime and time responding, etc. In other words, the bar is very low and easily met with semi-probably damages; $5,000 is more of a requirement to prevent people from being charged for, say, portscanning. See here: http://www.astalavista.com/technologies/library/cr ime/usa.shtml.

And civil suits are always an available alternative.

Prison is actually fairly easily awarded; often we complain just as much about the strict jail time for such minor crimes as the lack of jail time.

Other measures of prosecution are becoming much harsher and stricter now, too, especially with all our terror enforcement (er, I mean anti-terror, Mr. Ashcroft, sir) measures. I mentioned RICO above (see here: http://lists.insecure.org/lists/isn/2000/Feb/0029. html.

So prison is a real possibility; federal prosecution is pretty easy to get; but you should all still make sure you keep up to date with security. Just don't rely on A Proud American for your information.

Oh, yah. And befriend me. Please? Pretty please? I'll be your friend!

A burglar alarm is not a wiretap

[infonography]

While I do have a bare shred of faith that a Judge will understand the intent here is not to defraud. The intent is to Defend/Detect an attack. It's a defense system that does not cause harm. What you are in fact creating is a Electronic Burglar Alarm. Has I understand tracing the offender is ok, attacking his system isn't. Informing the Domain's Admin/Owner/Upstream Provider is ok. Wasting a Hacker's time in a honey pot isn't illegal, frying their brain like in a William Gibson novel (attractive thought it may be) would be.

On the Honey Pot issue, what differentiates it from a Online game? You put it there, people come and there are rules to get in. It would seem that the argument that putting up a Honeypot is an invitation to enter (the Honeypot only). While a SysAdmin could learn valuable lessons from observation, the defense of the Alleged hacker could be that they 'KNEW' it was a Honeypot and that the price of entry was cleverness not cash. Therefore they are playing a game, one in nature much like Ultima online or Neverwinter Nights.

Don't worry about this, it's for the most part a groundless fear. If you did actually come under attack by some foolish District Attorney, likely You would be getting calls from the likes of Johnny Cochran and Alan Dershowitz offering free legal.

This article is fearmongering a distant cousin of trolling.

A Honeypot is Not Entrapment

[johnnick]

To address the issues raised in the article:

Federal wiretap laws prohibit interception of electronic communications, including traffic monitoring across a network. There are exceptions for network protection, but Salgado said that is an "uneasy fit" for honeypots, because they are set up with the expectation of being attacked.

This isn't entirely correct. If you are the owner of the network, you can monitor what happens on it. You can doubly protect yourself by putting a banner on your login page that says that any use of the network is subject to monitoring, but the key thing that courts have looked at with regard to such monitoring is whether the person had a legitimate expectation of privacy in the communication. I think a judge would have a tough time accepting an argument that someone attacking your network had a legitimate expectation of privacy in his/her attack.

Even if you were only allowed to monitor your network for defensive purposes, I think the honeypot could arguably qualify as a defensive tool. For example, I have limited budget for physical security at my home. I recognize that there are a number of ways that someone could break in, and I take steps to secure or prevent those. However, if someone is determined to break in, I must recognize that they will find a way. To deal with that possibility, I try to recognize where an intruder might be able to break in, and I have cameras in those areas. If I could only afford a certain number of cameras, I might make one path a little easier or attractive than the others so that the intruder would take that path and thereby pass in front of the camera allowing me to gather evidence of the crime. The intruder has already committed the crime by being inside the house, the camera simply collects the evidence. By placing a honeypot and monitoring it, you are simply putting an intrusion detector on a place where unauthorized individuals are likely to go, if they are already committing the crime of being inside your network without authorization.

An operator might be held liable for damages if a compromised honeypot is used to launch an attack against a third party. "We don't know" if such liability would hold up in court, Salgado said.

This is theoretically possible, and I actually wrote another article for USENIX's magazine ";login:" on this subject called, "You've Been Cracked...And Now You're Sued."[1] But, if you're setting up a honeypot, you ought to be sophisticated enough to isolate it and prevent outbound attacks on other networks (or at least either notify those networks that they are being attacked or shut down the attack as soon as it starts). There's really no excuse for setting up a honeypot and then allowing it to be used as a zombie.

A hacker charged with illegal activities involving a honeypot could argue entrapment, which Salgado said is a difficult defense. He said it might not apply to so-called passive honeypots.

Salgado is correct that entrapment is a very difficult defense. The article doesn't point out, however, that the defense of entrapment is also only available to someone who is being prosecuted as the result of activity by a government agent (like the DOJ, FBI or some state or local law enforcement agency). If your company (or client), as a non-governmental entity, sets up a honeypot and a cracker gets prosecuted because of it, the defense of entrapment is not available. See the legal definition of entrapment at http://dictionary.lp.findlaw.com/

Furthermore, as Salgado also notes, because a honeypot is a purely passive thing, even if you were a government agent, you are not really inducing or encouraging a potential cracker to go attack it. If you were a government agent and set up a honeypot and then anonymously went to hacker sites and talked about this fantastic server with all kinds of really cool stuff on it and how easy it was to own, etc., etc., then you might be setting yourself up for the defense of entrapment.

John

[1] ;login: The Magazine of USENIX & Sage, vol. 26, no. 2 (Berkeley, CA : USENIX Association, 2001): pp. 73-76.

Bogus Article by Poulson

[radulovich]

Poulsen is showing an incredible lack of thought in writing this article.

First, if a person runs a honeypot on their network, a network they control, or a device that they control, then it is not interception of communications. It is _logging_ responses and action taking place _within_ that device, not _intercepting_ communications. There have to be three parties to intercept - the sender, the receiver, and the interceptor.

Second, even if it were interception of communications (which it is not), then not only would all of the system logs in Unix/Windows be illegal, but so would every web server log in the US. Even worse, that caller ID display that you have would also be illegal - it intercepts information to display on your phone.

Finally, if monitoring a honeypot is illegal, then monitoring a hacked server would be as well. So, if your machine were infected by a virus that talked to an IRC channel, the you would be guilty of an illegal interception of communication.

If anyone ever loses a lawsuit because of this, appeal, and also sue your own lawyer for incompetence!!!

Read the source email (http://www.securityfocus.com/archive/119/293431/2 002-09-23/2002-09-29/0), and remember that even though Salgado (author of the email) is a legal professional, that half of all lawyers still lose in court (by definition). (in other words, get another opinion - or maybe two or three.

Salgado does not have a good grasp of this. This can be shown simply. If he were correct, then the phone companies would require a wirtetap order to even _view_ their phone logs for any suspected phreaking on their network. Somehow, I doubt that Ma Bell gets a wiretap order for to look at their phone logs.

Mark Radulovich, CISSP