-
April 17th, 2003, 09:48 PM
#11
Ah but some attackers are addicted. They can't stop. And it's not just a question of logging but the actual act of putting up a box to encourage and entice someone into breaking in. If I do that and I'm not a law enforcement type, is that entrapment? I may bait him/her with some juicy "credit card numbers". By putting that there I'm encouraging them to break the law.
(playing devil's advocate here -- I personally believe in the idea of a honeypot and think it's an important part of a full security system).
-
April 17th, 2003, 10:13 PM
#12
Here are a few links on the entrapment issue. From everything I have seen, entrapment is in place to protect people from the government, so it would not apply in this case. Oh, and things to remember about entrapment: if you ask someone if he's a cop, he can lie to you and it's not entrapment. If you match a police car's speed and he is speeding, he can ticket you (if his lights were not on, you could perform a citizen's arrest right back). If a cop offers you drugs/sex and you accept, it's not entrapment.
http://www.geocities.com/uthurs_alco...ntrapment.html
http://caselaw.lp.findlaw.com/data/c...nt14/15.html#6
So yes, to be entrapment it has to involve a government official of some type. Honey pots would not be entrapment.
Who is more trustworthy then all of the gurus or Buddha’s?
-
April 17th, 2003, 10:48 PM
#13
Hrmm... I stand corrected... So then the issue is more of a privacy one (as per Lance Spitzner's comments here: http://cert.uni-stuttgart.de/archive.../msg00098.html ) and perhaps not wiretapping per se. But an issue of privacy. If he breaks into the system and expects privacy but you view his conversations/email, he might have a civil case against you. I doubt it would be a federal or felony case.
As ridiculous as it sounds, it's no different than the thief suing for medical costs when he fell down the basement stairs (actual court case). Civil litigation is weird (especially -- IMHO -- in the US). The possibility is there. I think it just hasn't been tested. But as the article points out, "..not aware of anyone being prosecuted for hacking a honeypot, which, after all, is meant to be hacked."
-
April 17th, 2003, 10:58 PM
#14
How many companies prosecute hackers at all... it doesn’t happen often. For the civil side of things there is at least one case that sets a precedent here. I will try and find a link, but what it boiled down to is someone getting fired over what was said in email... the person brought a wrongful termination suit on his company arguing that it was private email, the company argued that it was on a company server and they had the right to do whatever they wanted with any data on the server. Would-be hackers looking to bring civil suits, be warned: the company won that case. As the owner of a computer, any data on that computer is mine; you have no inherent assumption of privacy for any of your files.
Oh, check out www.snopes2.com; I believe the criminal suing and winning over a broken leg was an urban legend.
So yes, in the US our legal system is broken, but it's not THAT broken.
Also note I am talking about US laws. Some European countries have much more stringent entrapment/privacy laws and I am not familiar with them.
-
April 17th, 2003, 11:22 PM
#15
bballad:
Citizen's arrest can only happen if it is at least a felony... at least here in Co. If you try for a traffic violation, they will just laugh at you.
<edit> besides, you wanna try arresting someone with a gun? especially a cop??? lol </edit>
-
April 18th, 2003, 02:00 AM
#16
Originally posted here by bballad
Oh, check out www.snopes2.com; I believe the criminal suing and winning over a broken leg was an urban legend.
So yes, in the US our legal system is broken, but it's not THAT broken.
Also note I am talking about US laws. Some European countries have much more stringent entrapment/privacy laws and I am not familiar with them.
The one I was referring to I had heard in High School. Given that situations where persons can be found either not guilty or acquitted can still be sued (O. J. Simpson probably the most notorious), it shouldn't be surprising. One example I found is a bit dated which made finding an original news story harder ( http://www.joeha.com/whiteboard/wbnnov172000.htm -- based in Australia ). You need only look at frivolous lawsuits like the one against McDonalds et al over obesity; hot coffee; or this one -- family sued over the fact the thief was electrocuted ( http://overlawyered.com/archives/03/feb3.html#0226a ). I think if someone thinks you've done them wrong, no matter what the situation, they will try to get something out of you -- even if you did it to protect yourself.
Anyways, yes, companies haven't done much and that is more of an issue. The FBI's idea of "anonymous" prosecution as it were (not identifying companies who wanted to press charges) sounded promising but I wonder if anything has been done. Perhaps the events of the 80s/90s where lots of attempts to press charges were left unattended for the most part except for a few high media cases.
In addition, I wonder how many companies actually deploy something more than just a firewall never mind a honeypot. Maybe that's why it's not a seriously considered issue.
Lastly, on the issue of private email there is something to consider in regards to that case versus say an attacker using a honeypot. I don't know if the same precedent could be applied versus an employee. An employee would know that email belongs to the company, that it passes through the company servers and such. An attacker may not since he may not be 100% sure it passes through the company itself. What if it's hosted on a 3rd party? I don't think it's clear cut as to what the decision is.
Bit dated but might want to consider it:
http://www.madcapps.com/writings/stop.htm
http://www.loundy.com/CASES/Bourke_v_Nissan.html
Other ones I found that contradict it:
http://www.divorcelawinfo2.com/mylaw...=3&article=402
http://www.loundy.com/CASES/Smyth_v_Pillsbury.html
As I was putting this message together it did occur to me however given the present state of the US right now I think that things would be in favour of companies being able to monitor their employees and others.
-
April 18th, 2003, 02:47 AM
#17
Junior Member
Regardless of the law, you have every right to track anyone on your property or your server. It is not right that you be arrested on the charges "You are found guilty of watching a car take a left turn at the intersection." If the risks of getting "caught" are low, you should do what you can to collect information about the hacker that is supplied to your server. You can use this to fix the problem, block the hacker's IP address or block the hacker through other, more static, identification means, or report the hacker to the police, saying that you received an anonymous letter informing you of the hacker.
In response to what MsMittens said, having credit card numbers on your server does not in any way justify hacking.
-
April 18th, 2003, 03:36 AM
#18
Junior Member
I guess I could say honeypots are relatively new here in the Philippines; our laws do not cover such technologies yet. I believe that honeypots are security devices that operate on the premise of baiting a possible intruder; it qualifies as entrapment equipment and should be enabled only in possible intrusion scenarios with law enforcement officers present... at least in theory.
Linux will give you everything,except an imagination >>
-
April 18th, 2003, 03:57 AM
#19
Junior Member
I think the real thing to consider is that unless the case is high profile and attracts special police attention, or makes it to a court, then there is really no governmental body which can really enforce these laws. So, any honeypots that are in use are better suited to how (at least as I see it) real internet policing takes place. Which is to use the logs to try to trace the hacker back so that you can then contact his ISP. ISPs usually don't want to have that kind of activity going on and will often work to ensure that the hacker can not continue.
Now I am not saying that this is any kind of permanent solution because all they have to do is do a little unlogged daisy chaining or switch ISPs or something. But it would at least give you a method for fighting back against script kiddies.
However, this thread brings up a good topic. Until we can start to get computer people in government, I don't think things will end up like we would like to see them be. In the current state of having mostly Old Lawyers/Businessmen who often don't know the first thing about computers and are 12:00 flashers making laws about how this wonderful cyber world should be governed just doesn't work. However, we also tread a fine line by getting the government involved because often the government is too slow to accept changing realities, and often doesn't do what needs to be done because of political pressures and agendas. Just look at government shutdowns over budget debates to see why government should not be involved.
I think the best thing for the online community is for the online community to self-govern. Because as far as I am concerned the government which governs least, governs best.
BoskKraken
----------------------
AntiOnline Newbie
-
April 18th, 2003, 03:58 AM
#20
I already know of one (to remain unnamed) security consulting firm, which has come under counter-suit for running a HoneyNet. And at least one case where heavy and paranoid logging used by the sys-admins of a site was used by a cracker to counter-sue the site stating "Invasion of privacy" claims (he/she had a normal user account on the site). Not to mention the house robber who sued the home owner when he got stuck in their chimney for 3 days whilst attempting to rob them blind.
This disturbing information simply supports what many already fear to be true; legality is all relative to the scum factor of the other party's attorney.
Get OpenSolaris http://www.opensolaris.org/