Honypots are legal
Results 1 to 8 of 8

Thread: Honypots are legal

  1. #1
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779

    Honypots are legal

    Ok we hashed this out last month, but I feel this article answered a lot of the questions that we never fully agreed on.
    http://www.securityfocus.com/infocus/1703

    He has a wonderful description of entrapment for those of you that still think a honey pot causes you to commit entrapment.

    Now perhaps the guy who wrote honyd will stop acting like a child and repost his work.
    Who is more trustworthy then all of the gurus or Buddha’s?

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    what bballad is refering to is this thread that was posted back in the middle of April. It has/had some interesting debate in it, and some interesting points brought up by the article linked in that thread.

    I'll go tool around the securityfocus site and read that article in a bit. Thanks for the update and link bballad.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  3. #3
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    I just finished reading the article in my spare time here at work, and to me it's still rather nebulous.

    There still stands the possibility that using a honeypot could be considered illegal. If it's not being used to secure an organization from unauthorized access then you could very well be in violation of either the Federal Wiretap Act, the Electronic Communication Privacy Act or various different state privacy acts.

    This guy raises some very good points, but still there are parts that are left open. Like he said here:

    At times, honeypots are used for research purposes, to better understand who the threat is and how they operate. Such honeypots do not directly secure an organization, instead the information they collect is indirectly used to help defend against threats. The less the honeypot is being used to protect your organization, the less likely it falls under exemption of Service Provider Protection

    I'm sure that this is going to go to court at some point in the near to mid future. I'm also pretty sure that most of the lower courts will refuse to rule on this and it's going to have to go to one of the big federal courts or perhaps even the supreme court to be heard.

    Also his discussion on bannering is right on target. You HAVE to have bannering up that says that any unauthorized access is prohibited, and that by logging in you are consenting to everything you do being logged and disseminated to others. A company I worked for a few years back got bit by that very thing. Someone hacked their network, there was nothing telling this person that it was illegal, and after going to court over it the "hacker" was freed. I started working for that organization as the court case was just wrapping up.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  4. #4
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Originally posted here by Lv4
    I just finished reading the article in my spare time here at work, and to me it's still rather nebulous.

    There still stands the possibility that using a honeypot could be considered illegal. If it's not being used to secure an organization from unauthorized access then you could very well be in violation of either the Federal Wiretap Act, the Electronic Communication Privacy Act or various different state privacy acts.

    This guy raises some very good points, but still there are parts that are left open. Like he said here:




    I'm sure that this is going to go to court at some point in the near to mid future. I'm also pretty sure that most of the lower courts will refuse to rule on this and it's going to have to go to one of the big federal courts or perhaps even the supreme court to be heard.

    Also his discussion on bannering is right on target. You HAVE to have bannering up that says that any unauthorized access is prohibited, and that by logging in you are consenting to everything you do being logged and disseminated to others. A company I worked for a few years back got bit by that very thing. Someone hacked their network, there was nothing telling this person that it was illegal, and after going to court over it the "hacker" was freed. I started working for that organization as the court case was just wrapping up.
    Correct if you are useing a hony pot for reasearch it would be a good idea to put a banner on the most commen ports saying "this is a privet machine and all activity may be logged". If it is part of your security infustructure it is exempt form the privacy laws.

  5. #5
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    But if the attacker gains access to your system in such a way that they never see the banner, is it still ok to monitor them. I believe that was one of the other major issues raised by the previous article.

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    Lv4 if im not mistaken their were a couple cases like the one you spoke of but they all involved anonymous logon which was allowed by oversight. Which is why the DoD recommends a banner be displayed stating that the site is for use by authorized personal only. This does not apply to buffer overruns and other means of entry where no intended entrance exists.

    An ao member was prosecuted for going a level higher on an ftp server than he was authorized to go using a double dot. No notice of un-authorized entry was shown and he reported this to the isp. He wound up in very deep ****.

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=

    ELECTRONIC COMMUNICATIONS PRIVACY ACT

    UNITED STATES CODE


    TITLE 18. CRIMES AND CRIMINAL PROCEDURE
    PART I--CRIMES
    CHAPTER 119--WIRE AND ELECTRONIC COMMUNICATIONS INTERCEPTION AND
    INTERCEPTION OF ORAL COMMUNICATIONS

    (4) "intercept" means the aural or other acquisition of the
    contents of any wire, electronic, or oral communication through
    the use of any electronic, mechanical, or other device;

    (5) "electronic, mechanical, or other device" means any
    device or apparatus which can be used to intercept a wire, oral,
    or electronic communication other than--

    (a) any telephone or telegraph instrument, equipment or
    facility, or any component thereof, (I) furnished to the
    subscriber or user by a provider of wire or electronic
    communication service in the ordinary course of its business and
    being used by the subscriber or user in the ordinary course of
    its business or furnished by such subscriber or user for
    connection to the facilities of such service and used in the
    ordinary course of its business; or (ii) being used by a
    provider of wire or electronic communication service in the
    ordinary course of its business, or by an investigative or law
    enforcement officer in the ordinary course of his duties;

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=

    A security officer is an investigative officer and running a honeypot IS part of the ordinary course of his duties.

    The Wiretap Act protects against unauthorized interception of electronic communications. If the communication is to/with my computer I have every right to monitor all activities on it. There’s no interception going on at all. I (my computer) am the intended recipient.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Originally posted here by mohaughn
    But if the attacker gains access to your system in such a way that they never see the banner, is it still ok to monitor them. I believe that was one of the other major issues raised by the previous article.
    Irelivant, as long as the banner is on the FTP, Telnet and SSH ports you have done your due diligance. THose are the expected entry points, if they come in some other way its not your fault that they didn't see the banner

  8. #8
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    Tedob1 - well to be honest that case was about 6 or 7 years ago. It didn't involve an anonymous user at all, but it did involve a teen hacking in to the system and basically brute forcing his way on a username that was non-admin. He was pretty sloppy when he did it, but it was suprising about his defense.

    I would rather not publically name the organization, but if you are interested in who it was feel free to PM me about it.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •