Slashdot Mirror


Use a Honeypot, Go to Prison?

scubacuda writes "Using a honeypot to detect and surveil computer intruders might put you on the working end of a federal wiretapping beef, or even get you sued by the next hacker that sticks his nose in the trap, according to this (old) Security Focus article. Honeypots could be what federal criminal law calls "interception of communications", a felony that carries up to five years in prison. Because the Federal Wiretap Act has civil provisions, as well as criminal, there's even a chance that a hacker could file a lawsuit against a honeypot operator that doesn't have their legal ducks in a row. "It would take chutzpah," said Richard Salgado, senior counsel for the Department of Justice's computer crime unit, "But there's a case where an accused kidnapper who was using a cloned cell phone sued for the interception of the cell phone conversations... And he won.""

32 of 298 comments

  1. oh no! by fjordboy · · Score: 5, Funny

    I always knew that something bad would come of Pooh and his addiction...

    Who knew that honeypots would lead to jail? I bet even Owl and Rabbit didn't know that!

    1. Re:oh no! by I8TheWorm · · Score: 5, Insightful

      Does this mean I'll have to turn off my server logging, since it could quite possibly "monitor" an intruder?

      --
      Saying Android is a family of phones is akin to saying Linux is a family of PCs.
    2. Re:oh no! by Just+Some+Guy · · Score: 5, Funny

      I am screwed. So screwed. My main server is kanga.honeypot.net, and my workstation is pooh. My wife's iMac is piglet, and my FreeBSD firewall is gopher. Save me a soft bunk in prison.

      --
      Dewey, what part of this looks like authorities should be involved?
    3. Re:oh no! by BigBadBri · · Score: 4, Funny
      I once wrote a SMTP honeypot called Tigger...

      but it bounced!

      --
      oh brave new world, that has such people in it!
  2. Err... by .com+b4+.storm · · Score: 5, Insightful

    If it's YOUR system, then how are you "intercepting" anything? If someone tries to crack into a system that is yours, then who cares if it is a honeypot or not? This is like a burglar suing a homeowner because he cut himself on a knife he was stealing along with the rest of their silverware...

    --
    "Wow, you're like some kind of superhero able to ward off happiness and success at every turn."
    -- Ryan Stiles
    1. Re:Err... by Fulcrum+of+Evil · · Score: 4, Interesting

      He won't win though

      He might. Burglars have successfully sued homeowners for falling through a roof and injuring themselves whilst breaking into said house.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    2. Re:Err... by antis0c · · Score: 4, Insightful

      Let's not forget the man who successfully sued a car owner for driving over his hand as he was trying to steal his hub caps.

      I think it's fucked up myself too. Sure if someone is entering my house, I can shoot them. But by God if they cut themselves on a steak knife I left out I might be liable for thousands.

      Oh well, in the larger scheme of things our legal system is still new. It will take a while for stuff like this to get sorted out.

      --

      ..There's a-dooin's a-transpirin'
    3. Re:Err... by outsider007 · · Score: 5, Funny

      next we'll see handicapped burglars suing homeowners for not providing wheelchair access to their valuables.

      --
      If you mod me down the terrorists will have won
    4. Re:Err... by cptgrudge · · Score: 4, Funny
      Burglar scopes out my house as a score.

      Burglar enters my house through a window.

      Window breaks, burglar cuts arm.

      I hear it, grab my gun, and see the burglar bleeding on my oriental throw rug.

      I say, "Sorry man, I don't really want to kill you, but I won't be liable for it and there's less paperwork that way."

      BAM!

      --
      Qualitas edurus commercium, nullus penitus net rimor, nullus deus beneficium
  3. Heh. by k03+kalle · · Score: 5, Funny

    The computers you own are not actually yours. They are owned by the United States govt. Everyone go download their new distributed CPU project called "Count The Votes". Oh, wait, they installed it for me. Thank you govt. :D On a serious note though. It's getting to be that regular Americans can't do anything without fear of getting sued or suing someone else. McDonalds coffee anyone?

    1. Re:Heh. by frankie · · Score: 4, Informative
      fear of getting sued or suing someone else. McDonalds coffee anyone?

      Obligatory Coffee Lawsuit Facts link. I wish people would stop bringing up this example incorrectly.

  4. Exploit by DJ+Rubbie · · Score: 5, Funny

    I can see this might happen:

    1) Find Open Windoze SMB share (or any open, insecure systems)
    2) "Hack" into it
    3) Try to get caught (log files, whatever)
    4) Claim that was a honeypot
    5) Sue for profit

    It does seem this easy.

    --
    Please direct all bug reports to /dev/null
  5. Well then make it useful by binaryDigit · · Score: 4, Interesting

    Couldn't this be avoided by making the honeypot actually "do something", thereby making it not a "honeypot"? IE, stick some files on there and call it a backup server (unimportant files of course) or whatever. After all, aren't the most effective honey pots those that fool the intruder into thinking that it's a real "site", what better way than to sorta make it real? Nothing illegal about monitoring your own real site right?

  6. It looks to me... by zutroy · · Score: 4, Insightful

    ...like the article is actually saying that you could be sued if a hacker used your honeypot machine to hack into another machine that's not on your network. The argument is that you set up a machine to be hacked, and it got hacked, and was then used to hack others...kind of like saying that you've become an accomplice in hacking. So the lesson is to secure your honeypot machine, so it can't be used for evil.

  7. Just changed my MOTD by deadfishhotmail.com · · Score: 5, Funny
    We trust you have received the usual lecture from the local System Administrator. It usually boils down to these four things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) Everything is being recorded
    #4) You've just rooted my server, before continuing your hacking please read the complete TOS in /usr/share/tos. If you do not agree to the TOS you must stop hacking my server immediately.

    root#

    That oughta do it!
    --


    Who is this "Poster" guy and why does he own all of my comments?!?
  8. Something doesn't add up here by Hamstaus · · Score: 5, Funny

    Wait a minute!

    No anti-MS sentiment... posted by Taco... not a dupe...

    This story is a honeypot! Whatever you do, don't post any comments! It's a trick! It's a tri^&T3ATZ
    NO CARRIER

    --
    I moderate "-1, Fool"
  9. Honey pots by Nonillion · · Score: 4, Insightful

    This just goes to show just how low spammers are willing to sink. I have been hosting my own mail server for several years now because it's the ONLY way for me to combat unwanted e-mail. If some worthless spammer is going to whine about a honey pot or my server rejecting his/her e-mail I say TOUGH FUCKING SHIT! It's MY machine, MY bandwidth, MY rules... period. If I want viagra, penis/breast enlargements, debt consolidation, loans re-financed or hot asian chicks I'll seek you out myself..

    >SELECT * FROM spamers WHERE clue > 0
    >0 rows returned

    --
    "I bow to no man" - Riddick
  10. FUD in summary by Kaz+Riprock · · Score: 4, Informative


    RTFA. The use of a honeypot won't get you in trouble. The prosecution of someone hacking your honeypot won't get you in trouble. The prosecution of someone hacking your fileserver based solely on the honeypot's logs has the *potential* to get you in trouble.

    --
    Mordor...a magical, mythical land where women are more rare than dragons--but where every man would rather find a dragon
  11. RIAA & Honey Pots by splatter · · Score: 4, Interesting

    I was reading this and had a thought. Has anyone set up a FTP or P2P honey pot to attract attention from the RIAA?

    This could be a great way to annoy the RIAA when they try and sue or fine someone that actually doesn't have illegal material on their hard drive.
    Has anyone done this yet? Any stories? Could the honey pot project be used to simulate a FTP server with mp3 goodies?

    DP

    --
    "(I) have this unfortunate condition that causes me not to believe a single thing any politician says when a mic's on.
  12. A Modest Proposal by dolbywan_kenobi · · Score: 5, Insightful

    Perhaps this is a wake-up call for us computer users here in the USA. Who really speaks for computer users here? What we need IMO is an NRA equivalent to represent the interests of computer users, of people who are interested in fair-use issues, reasonable intellectual property laws and accountability of elected representatives. Interest groups like the NRA and AARP have shown that Congress-people do listen when people organize.

    1. Re:A Modest Proposal by WebMasterJoe · · Score: 4, Funny
      What we need IMO is an NRA equivalent to represent the interests of computer users...
      Why don't we just ask the NRA to defend us? They've got weapons, right?
      --
      I really hate signatures, but go to my website.
  13. "Oh, bother," said Pooh by artemis67 · · Score: 4, Funny

    ...as the Feds slapped the cuffs on him and threw him against the hood of the car.

  14. "Oh, bother," said Pooh by IIRCAFAIKIANAL · · Score: 4, Funny

    ... as he reached for the soap.

    --
    Robots are everywhere, and they eat old people's medicine for fuel.
  15. Re:This is all false information (no, it's not) by KrispyKringle · · Score: 4, Interesting
    Howdy,

    I did a little research to see if I could validate or invalidate A Proud American's claims. While he is marginally correct on the facts, his interpretation is very far off.

    First and foremost, I learned that the FBI and other similar anti-crime organizations of the U.S. government will not (I repeat, will not) prosecute or even attempt to investigate computer-related security crimes that involve less than $5,000 in liabilities.

    Semi-true. There is a technical $5,000 threshold in order for the FBI to have federal jurisdiction over cybercrimes. State law still applies. Additionally, the FBI can probably gain jurisdiction to charge with other laws (they've mentioned RICO) if the crimes cross state lines (and there is judicial precedent that sets the bar merely at passing through an out-of-state router, in the case of a threat delivered over AIM with both perpetrator and victim in the same state).

    Also, the $5,000 threshold is not particularly strict under new guidelines in the USA PATRIOT Act, so that they encompass summed damages from different attacks, damages in downtime and time responding, etc. In other words, the bar is very low and easily met with semi-probable damages; $5,000 is more of a requirement to prevent people from being charged for, say, portscanning. See here: http://www.astalavista.com/technologies/library/crime/usa.shtml.

    And civil suits are always an available alternative.

    Prison is actually fairly easily awarded; often we complain just as much about the strict jail time for such minor crimes as the lack of jail time.

    Other measures of prosecution are becoming much harsher and stricter now, too, especially with all our terror enforcement (er, I mean anti-terror, Mr. Ashcroft, sir) measures. I mentioned RICO above (see here: http://lists.insecure.org/lists/isn/2000/Feb/0029.html).

    So prison is a real possibility; federal prosecution is pretty easy to get; but you should all still make sure you keep up to date with security. Just don't rely on A Proud American for your information.

    Oh, yah. And befriend me. Please? Pretty please? I'll be your friend!

  16. A burglar alarm is not a wiretap by infonography · · Score: 4, Interesting

    While I do have a bare shred of faith that a Judge will understand the intent here is not to defraud. The intent is to Defend/Detect an attack. It's a defense system that does not cause harm. What you are in fact creating is an Electronic Burglar Alarm. As I understand it, tracing the offender is ok, attacking his system isn't. Informing the Domain's Admin/Owner/Upstream Provider is ok. Wasting a Hacker's time in a honey pot isn't illegal, frying their brain like in a William Gibson novel (attractive though it may be) would be.

    On the Honey Pot issue, what differentiates it from an Online game? You put it there, people come and there are rules to get in. It would seem that the argument that putting up a Honeypot is an invitation to enter (the Honeypot only). While a SysAdmin could learn valuable lessons from observation, the defense of the Alleged hacker could be that they 'KNEW' it was a Honeypot and that the price of entry was cleverness not cash. Therefore they are playing a game, one in nature much like Ultima online or Neverwinter Nights.

    Don't worry about this, it's for the most part a groundless fear. If you did actually come under attack by some foolish District Attorney, likely you would be getting calls from the likes of Johnnie Cochran and Alan Dershowitz offering free legal.

    This article is fearmongering, a distant cousin of trolling.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  17. Re:Prove it. by Fishstick · · Score: 5, Informative

    You might be thinking of this...

    Second Story Burglar Sues Homeowner

    Danbury, CT - An admitted second story burglar is suing a homeowner. Michael Malone attempted to enter a three-story residence by climbing a tree to gain admittance through an open third floor window. Unfortunately for Malone, the tree limb broke and the 275 pound burglar crashed to the ground. When the homeowner heard the commotion, he went outside to investigate. In the dark, he spied a figure moving toward the rear of his five acre lot and fired one round from a .22 caliber revolver. When the homeowner attempted to locate the intruder, Malone hid in the brush then collapsed from a bullet wound to his buttocks. Malone's lawsuit alleges that he almost bled to death due to the homeowner's negligence in not notifying the police in a timely manner. The homeowner did not notify the police until one hour after the attempted break-in. Two hours after the incident, the police found Malone in a pool of blood.

    I thought I had seen a story more along the lines you suggest, but I think I'm remembering the scene from Liar Liar. I googled for a bit and didn't find any "real" stories (snopes didn't have anything either).

    I did find this -- Check this out:

    New Twists on Occupiers Liability

    Can a Burglar Sue a Homeowner for Injuries Sustained During a Break-in?
    Anyone who trespasses on land to commit a criminal act is deemed to have willingly accepted all risks of injury while on the land. For example, if a burglar slips and falls down a dimly lit staircase while breaking and entering into your home, there is no liability imposed on the homeowner.
    Even a criminal trespasser, however, has some rights. A homeowner will be liable for creating "a danger with intent to do harm" or for acting "with reckless disregard for the safety" of a trespasser. If you have seen the movie "Home Alone" then I am sure that you can think of several examples which would fall into this category. A trip wire attached to the trigger of a shotgun clearly creates danger intended to harm the trespasser. In British Columbia, the Occupiers Liability Act tries to differentiate between accidental injuries to trespassers and deliberate attempts to cause harm or injury to trespassers. Generally speaking, there will be no liability for the accidental injury to a trespasser but there will be liability for the deliberately caused injury.


    I think it's an urban legend. I don't think you can be sued unless you do something like set up a booby-trap or shoot him or something.

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  18. Anybody notice? by cmburns69 · · Score: 5, Funny

    Anybody notice how "Honey pots" backwards is "Stop yenoh!". A quick google of the word reveals it to have to do with food, so "honey pots" is code for "Stop food!". This madness must be ended!

    An online Starcraft RPG? Free, only at
    In soviet russia, all your us are belong to base!
    Karma: Redundant!

    --
    Online Starcraft RPG? At
    Dietary fiber is like asynchronous IO-- Non-blocking!
  19. A Honeypot is Not Entrapment by johnnick · · Score: 4, Interesting

    To address the issues raised in the article:

    Federal wiretap laws prohibit interception of electronic communications, including traffic monitoring across a network. There are exceptions for network protection, but Salgado said that is an "uneasy fit" for honeypots, because they are set up with the expectation of being attacked.

    This isn't entirely correct. If you are the owner of the network, you can monitor what happens on it. You can doubly protect yourself by putting a banner on your login page that says that any use of the network is subject to monitoring, but the key thing that courts have looked at with regard to such monitoring is whether the person had a legitimate expectation of privacy in the communication. I think a judge would have a tough time accepting an argument that someone attacking your network had a legitimate expectation of privacy in his/her attack.

    Even if you were only allowed to monitor your network for defensive purposes, I think the honeypot could arguably qualify as a defensive tool. For example, I have limited budget for physical security at my home. I recognize that there are a number of ways that someone could break in, and I take steps to secure or prevent those. However, if someone is determined to break in, I must recognize that they will find a way. To deal with that possibility, I try to recognize where an intruder might be able to break in, and I have cameras in those areas. If I could only afford a certain number of cameras, I might make one path a little easier or attractive than the others so that the intruder would take that path and thereby pass in front of the camera allowing me to gather evidence of the crime. The intruder has already committed the crime by being inside the house, the camera simply collects the evidence. By placing a honeypot and monitoring it, you are simply putting an intrusion detector on a place where unauthorized individuals are likely to go, if they are already committing the crime of being inside your network without authorization.

    An operator might be held liable for damages if a compromised honeypot is used to launch an attack against a third party. "We don't know" if such liability would hold up in court, Salgado said.

    This is theoretically possible, and I actually wrote another article for USENIX's magazine ";login:" on this subject called, "You've Been Cracked...And Now You're Sued."[1] But, if you're setting up a honeypot, you ought to be sophisticated enough to isolate it and prevent outbound attacks on other networks (or at least either notify those networks that they are being attacked or shut down the attack as soon as it starts). There's really no excuse for setting up a honeypot and then allowing it to be used as a zombie.

    A hacker charged with illegal activities involving a honeypot could argue entrapment, which Salgado said is a difficult defense. He said it might not apply to so-called passive honeypots.

    Salgado is correct that entrapment is a very difficult defense. The article doesn't point out, however, that the defense of entrapment is also only available to someone who is being prosecuted as the result of activity by a government agent (like the DOJ, FBI or some state or local law enforcement agency). If your company (or client), as a non-governmental entity, sets up a honeypot and a cracker gets prosecuted because of it, the defense of entrapment is not available. See the legal definition of entrapment at http://dictionary.lp.findlaw.com/

    Furthermore, as Salgado also notes, because a honeypot is a purely passive thing, even if you were a government agent, you are not really inducing or encouraging a potential cracker to go attack it. If you were a government agent and set up a honeypot and then anonymously went to hacker sites and talked about this fantastic server with all kinds of really cool stuff on it and how easy it was to own, etc., etc., then you might be setting yourself up for the defense of entrapment.

    John

    [1] ;login: The Magazine of USENIX & Sage, vol. 26, no. 2 (Berkeley, CA : USENIX Association, 2001): pp. 73-76.

    --
    "The plural of anecdote is not data."
  20. Sigh... nothing to see here by darf · · Score: 4, Informative

    Ok, so I can sound like the last 50 people that said this: I am not a lawyer. Fine, done.

    Here is how I have been trained in regards to wire tap (I am a security analyst):

    The wiretap act is broad and prohibits intentional interception (use, etc) of someone else's electronic communications. This Act (see 18 U.S.C. § 2511(1)) has a bunch of exceptions, two of which are relevant to this discussion:

    1. The provider exception may apply if the communications were intercepted during active monitoring for the purposes of system defense,

    2. The consent of party exception may apply if you have banners declaring that you monitor all traffic.

    From what I have been instructed, I only need to really take care with #1 which is what I'm exactly doing when I fire up a honey pot. (#2 is a part of company policy so it is not optional.)

    If I deploy a honey pot for the purpose of monitoring and protecting my network, then I should be able to claim exemption from the Wiretap Act via #1 above. Of course the honeypot damn well better be deployed for the purposes of defense and not something I just threw on the corporate network without authorization.

    That's the theory anyway; as far as I know, this has not been tested in the courts yet.

  21. Bogus Article by Poulsen by radulovich · · Score: 5, Interesting

    Poulsen is showing an incredible lack of thought in writing this article.

    First, if a person runs a honeypot on their network, a network they control, or a device that they control, then it is not interception of communications. It is _logging_ responses and action taking place _within_ that device, not _intercepting_ communications. There have to be three parties to intercept - the sender, the receiver, and the interceptor.

    Second, even if it were interception of communications (which it is not), then not only would all of the system logs in Unix/Windows be illegal, but so would every web server log in the US. Even worse, that caller ID display that you have would also be illegal - it intercepts information to display on your phone.

    Finally, if monitoring a honeypot is illegal, then monitoring a hacked server would be as well. So, if your machine were infected by a virus that talked to an IRC channel, then you would be guilty of an illegal interception of communication.

    If anyone ever loses a lawsuit because of this, appeal, and also sue your own lawyer for incompetence!!!

    Read the source email (http://www.securityfocus.com/archive/119/293431/2002-09-23/2002-09-29/0), and remember that even though Salgado (author of the email) is a legal professional, half of all lawyers still lose in court (by definition). (In other words, get another opinion - or maybe two or three.)

    Salgado does not have a good grasp of this. This can be shown simply. If he were correct, then the phone companies would require a wiretap order to even _view_ their phone logs for any suspected phreaking on their network. Somehow, I doubt that Ma Bell gets a wiretap order to look at their phone logs.

    Mark Radulovich, CISSP

  22. This is silly... by anubis · · Score: 4, Insightful

    This is just silly. An illegal wiretap is intercepting a communication between two computer/people/objects without either 1.) the permission of one party, 2.) a court order. If you are a party to the communication (i.e. the honeypot) you are intercepting communications to and from your own machine. Seems like there are bigger things to be worried about.

  23. See Wiretap Act, 18 U.S.C Sec. 2511 by bourne · · Score: 4, Informative

    First of all, Richard Salgado has got to tell people to be very careful. He's a prosecutor for the government. He's got to say things that err on the side of safety, and of never condoning possible violations of the law. (He's a nice guy, and a good speaker. He's just very obviously in one corner, and has the party line to hew to).

    Secondly, read 18 U.S.C. Section 2511. That lays out the _exceptions_ to the Wiretap Act, which includes the Provider exception, which boils down to: if you own the machine, and have appropriate banners, and the wiretap is done "while engaged in any activity which is a necessary incident to the rendition of [the rightful administrator's] service or to the protection of the rights or property of the provider of that service...". The reason the gov't is goosey about honeypots is, if it is a property laid out to be broken into, then is the wiretapping justified? If you're doing it as part of the defense of your network, consensus tends to be yes. If you're doing it for shits and giggles, there tends to be less consensus. The gov't needs to be able to prosecute anyone, so without court cases telling them otherwise they're leaning to the stricter interpretation.

    Thirdly, if you're interested, read the posted practical assignments for the SANS GCFA (Forensics) course/certification. The original assignment (the only one posted currently) has three parts, the third of which is Describe in detail your authority as a system administrator with regards to this statute. Keep in mind that none of those people are lawyers, but most of them sat through a course including Richard Salgado talking on this issue, and all of them worked their butt off to write the paper and pass the course. More work than goes into, say, a /. post 8).