Use a honeypot, go to prison?

There is some discussion now that RUNNING a honeypot could be considered illegal, and leave the organization that runs it open to lawsuits from the hackers they are tracking. The Register has an interesting article discussing this that can be found here.

A quick excerpt from the article:

Quote:

---

But that monitoring is what federal criminal law calls "interception of communications," said Salgado, a felony that carries up to five years in prison. Fortunately for honeypot operators, there are exemptions to the Federal Wiretap Act that could be applied to some honeypot configurations, but they still leave many hacker traps in a legal danger zone.

---

just thought I would share what I found this morning on my daily perusal of the Register, and I hadn't seen in here on AO yet.

First off if the "hackers" werent snooping around your machine's then they and you wouldnt be in court. I highly doubt a judge will rule in their favor if you can prove they were unlawfully snooping around and got caught. Personally I think its a bunch of **** but thats just me. I mean if you catch someone snooping around outside your house can he sue you for making your house a tempting target to him as a burglar? not only no but hell no! Our laws are just a bunch of **** when it comes to computers.

Its not that you're getting sued for having a honeypot. The concept is that you would be sued for using the honeypot to track the hacker- in effect reverse hacking him.

To steal your analogy, it would not be like the burglar suing you for having a tempting house to break into. It would be like you spotting a burglar scoping your house and following him back to his house. At that point, you would be stalking him.

I think the premise of the article or the comments by Salgado are flawed though. A honeypot, in my opinion does not "intercept" communications. It simply monitors and logs communications that are directed at it.

It would be like saying video surveillance equipment is illegal because it records the actions of a burglar that breaks into your house. Or, its like saying that CallerID is illegal because you are intercepting information to identify the source of the "intrusion" into your phone system.

I am sure you can stretch the law and distort it to make it apply this way, but I think that if you come to me I am allowed to monitor your actions without violating any law.

Just my $.02

Oh my...

So does this basicly mean that a hacker/cracker is whineing that someone is violateing his right to privacy on the internet? You have got to me kidding me...

What this sounds like to me is that some newbie hacker/script kiddie got nailed by someone who took offence to the hacker digging around his network neighborhood (sp?) and now he gets to deal with the consequnces...

Leave it to a newbie to whine and complain the most about what he knows the least about...


My $.02 and a cup of coffee at waffle house :)

This has been discuessed to death here...just see any of the super dcma threads there are at least four on this topic.

As for use a hony pot go to jail, well the register is known to be sansationalist form time to time. The law is too broad to be applied until the courts strip it down its safe to assume security devices are legal...remember the state goverments have to fallow their own laws, I know Il (one of the states with SDCMA) has firewalls and NAT running, they probably have honnypots running as well, they would not have knowingly passed a law that they where violateing.

I agree we have beat DMCA and Super-DMCA to death, but this is different.

This article discusses using the Federal Wiretap Act to snag you for "intercepting" communications without the other party's consent.

I submit that A, they are trespassing in the first place so its not "wiretapping" and B) it wouldn't hold up in court.

They do make the point that it may depend on the proximity of your honeypot to the real server. In other words, if Joe Hacker was trying to get to Server A and you redirect the connection to Honeypot A that is somewhere else on a whole other subnet or something you, in effect, have intercepted and hijacked the communication intended for Server A.

I question whether the law would apply in that way though. Again, Joe Hacker would be trespassing on your network in the first place so you are within your rights. If you have a fake safe in your house to "attract" burglars while you hide you real valuables in a Pringles can in the cupboard can the burglar sue you for tricking him? I don't think so.

So does this mean that if someone called my house, got my answering machine, but i picked up in the middle of it, did not turn off the machine and started the conversation i would be up for federal charges? what would happen if i had no message on my machine to alert the caller that he was about to begin speaking to a tape recorder? Or if the caller entered into a 3 way conversation with someone else while speaking to myself and my answering machine?

This is about to get really scary...

Wire tap should not apply here, you are alowed to record your own conversation..I guess you could put a note on a default web/the entrence ftp message of your honey pot that stated that you where logging...but I think you could argue that logging is implied on all systems.

Ah but there is another issue with the Honeypot, Super DMCA aside. What about the question of entrapment? This is a question my students always ask when we discuss honeypots and it's one that I don't think there is a true answer for, at least no legal precendent that I have been able to find thus far or heard of.

I've also thought about the "hacker" types found in books like @Large. If putting out a honeypot attracts them and they use it, is it not like putting out illicit drugs and encouraging the junkie?

If I remember correctly only police or other law enforecment types can entrap. Its not like you are forceing the hacker to break into your system, and its not like putting drugs out for a junkie a hacker is not addicted and should have the self controll to not break in...Is it illigal to put up security cameras? If cameras are fine then loggin on a honey pot is fine.

Ah but some attackers are addicted. They can't stop. And it's not just a question of logging but the actual act of putting up a box to encourage and entice someone into breaking in. If I do that and I'm not a law enforcement type, is that entrapment? I may bait him/her with some juicy "credit card numbers". By putting that there I'm encouraging them to break the law.

(playing devil's advocate here -- I personally believe in the idea of a honeypot and think it's an important part of a full security system).

Here are a few links on the entrapment issue. From every thing I have seen entrapment is inplace to protect people form the goverment so it would not aplly in this case. Oh and things to remember about entrapment, if you ask someone if hes a cop he can lie to you and its not entrapment. If you match a police cars speed and he is speeding he can ticket you (if his lights where not on you could preforme a citizans arrest right back). If a cop offers you drugs/sex and you accept its not entrapment.

http://www.geocities.com/uthurs_alco...ntrapment.html
http://caselaw.lp.findlaw.com/data/c...nt14/15.html#6

So yes to be entrapment it has tpo involve a goverment offical of some type. Honey pots would not be entrapment

Hrmm... I stand corrected... So then the issue is more of a privacy one (as per Lance Spitzer's comments here: http://cert.uni-stuttgart.de/archive.../msg00098.html ) and perhaps not wiretapping per say. But an issue of privacy. If he breaks into the system and expects privacy but you view his conversations/email, he might have a civil case against. I doubt it would be a federal or felony case.

As ridiculous as it sounds, it's no different than the thief suing for medical costs when he fell down the basement stairs (actual court case). Civil litigation is weird (especially -- IMHO -- in the US). The possibility is there. I think it just hasn't been tested. But as the article points out, "..not aware of anyone being prosecuted for hacking a honeypot, which, after all, is meant to be hacked."

How many companies prosecute hackers at all...it doesn’t happen often. For the civil side of things there is at least one case that sets a precedent here. I will try and find a link but what it boiled down to is some one getting fired over what was said in email...the person brought a wrongful termination suit on his company arguing that it was private email, the company argued that it was on a company server and they had the right to do whatever they wanted with any data on the server. Would be hackers looking to bring civil suits be warned the company one that case, as the owner of a computer any data on that computer is mine you have no inherent assumption of privacy for any of your files.

Oh check out www.snopes2.com I believe the criminal suing and winning over a broken lag was an urban legend.

So yes in the US our legal system is broken but its not THAT broken.

Also note I am talking about US laws. Some European countries have much more stringent entrapment/privacy laws and I am not familiar with them.

bballad:

citizans arrest can only happen if it is at least a felony.... at least here in Co. If you try for a traffic violation, they will just laugh at you.
<edit> besides, you wanna try arresting some one with a gun? especially a cop??? lol </edit>

Quote:

---

Originally posted here by bballad


Oh check out www.snopes2.com I believe the criminal suing and winning over a broken lag was an urban legend.

So yes in the US our legal system is broken but its not THAT broken.

Also note I am talking about US laws. Some European countries have much more stringent entrapment/privacy laws and I am not familiar with them.

---

The one I was referring to I had heard in High School. Given that situations where persons can be found either not guilty or aquitted can still be sued (O. J. Simpson probably the most notorious), it shouldn't be surprising. One example I found is a bit dated which made finding an original news story harder ( http://www.joeha.com/whiteboard/wbnnov172000.htm -- based in Australia ). You need only look at lawsuits at friviolous lawsuits like the one against McDonalds et al over obseity; hot coffee; or this one -- family sued over the fact the thief was electrocuted ( http://overlawyered.com/archives/03/feb3.html#0226a ). I think if someone thinks you've done them wrong, no matter what the situation, they will try to get something out of you -- even if you did it to protect yourself.

Anyways, yes, companies haven't done much and that is more of an issue. The FBIs idea of "anonymous" prosecution as it were (not identifying companies who wanted to press charges) sounded promising but I wonder if anything has been done. Perhaps the events of the 80s/90s where lots of attempts to press charges were left unattended for the most part except for a few high media cases.

In addition, I wonder how many companies actually deploy something more than just a firewall never mind a honeypot. Maybe that's why it's not a seriously considered issue.

Lastly, on the issue of private email there is something to consider in regards to that case versus say an attacker using a honeypot. I don't know if the same precendent could be apply versus an employee. An employee would know that email belongs to the company, that it passes through the company servers and such. An attacker may not since he may not be 100% sure it passes through the company itself. What if it's hosted on a 3rd party? I don't think it's clear cut as to what the decision is.

Bit dated but might want to consider it:
http://www.madcapps.com/writings/stop.htm
http://www.loundy.com/CASES/Bourke_v_Nissan.html

Other ones I found that contradict it:

http://www.divorcelawinfo2.com/mylaw...=3&article=402
http://www.loundy.com/CASES/Smyth_v_Pillsbury.html

As I was putting this message together it did occur to me however given the present state of the US right now I think that things would be in favour of companies being able to monitor their employees and others.

Regardless of the law, you have every right to track anyone on your property or your server. It is not right that you be arrested on the charges "You are found guilty of watching a car take a left turn at the intersection." If the risks of getting "caught" are low, you should do what you can to collect information about the hacker that is supplied to your server. You can use this to fix the problem, block the hacker's IP address or block the hacker through other, more static, identification means, or report the hacker to the police, saying that you recieved an anonomous letter informing you of the hacker.

In response to what MsMittens said, having credit card numbers on your server does not in any way justify hacking.

I guess i could say honeypots are relatively new here at the Philippines, our laws does not cover such technologies yet. I believe that honeypots are security devices that operate onthe premise of baiting a possible intruder,it qualifies as entrapment equipment and should be enabled only on possible intrusion scenarios with law enforcement officers present,... at least in theory :).

I think the real thing to considor is that unless the case is high profile and attracts special police attention, or makes it to a court, then there is really no governmental body which can really enforce these laws. So, any honeypots that are in use are better suited to how (at least as I see it) real internet policing takes place. Which is to use the logs to try to trace the hacker back so that you can then contact his ISP. ISP's usually don't want to have that kind of activity going on and will often work to ensure that the hacker can not continue.

Now I am not saying that this is any kind of perminant solution because all they have to do is do a little unlogged daisy chaining or switch ISP's or something. But it would at least give you a method for fighting back against script kiddies.

However, this thread brings up a good topic. Until we can start to get computer people in government, I don't things will end up like we would like to see them be. In the current state of having mostly Old Lawyers/Businessmen who often don't know the first thing about computers and are 12:00 flashers making laws about how this wonderful cyber world should be governed just doesn't work. However, we also tread a fine line by getting the government involved because often the government is too slow to accept changing realities, and often doesn't do what needs to be done because of political pressures and agendas. Just look at government shutdowns over budget debates to see why government should not be involved.

I think the best thing for the online community is to for the online community to self govern. Because as far as I am concerned the government which governs least, governs best.

I already know of one (to remain unnamed) security consulting firm, which has come under counter-suit for running a HoneyNet. And at least one case where heavy and paranoid logging used by the sys-admins of a site was used by a cracker to counter-sue the site stating "Invasion of privacy" claims (he/she had a normal user account on the site). Not to mention the house robber who sued the home owner when he got stuck in their chimney for 3 days whilst attempting to rob them blind.

This disturbing information simply supports what many already fear to be true; legality is all relative to the scum factor of the other parties attorney.

I had read this threw a link on packetstorm today but didnt have time to post anything on it so im glad this thread is here.

I think Salgado is trying to tap into the frustration of a privacy minded but much stomped upon community for publicity. Hoping he'll find support for anything thats anti DMCA because thats what this law is about Copy right protection and catching those "defrauding" service providers, and thereby promote himself.

Now "defrauding" service providers there's a term to watch out for. This makes NAT a felony, but for him to say his very education and degree make HIM illegal is just a bit much.

Running a honey pot is not "Intercepting communication" because thats the address the hacker intended to communicate with. Building a room on a house not connected to the interior rooms but only to the outside and then leaving the door with a very easy lock to circumvent to see who's been breaking in is not entrapment (hey thats not a bad idea...RT Honeypots) even though its the only purpose for it

The whole idea of using a honey pot and going to jail is just insane. If the loser hacker/cracker wasn't intruding into systems that they had no right to be in they wouldn't have a case at all. This smacks of the cases in which the criminal sues the home owner for owning a rottweiler that bites them. Never mind the fact that the SOB was robbing the house. What the hell do people think now a days? Not much is what I think!!

::coffee::
ccKid

Quote:

---

Originally posted here by khanacarm
Regardless of the law, ....

In response to what MsMittens said, having credit card numbers on your server does not in any way justify hacking.

---

First, in regards to your comment of "Regardless of the law", I don't think one should do something that is illegal to catch criminals. That said, I also believe that honeypots are very legal and things like the SuperDMCA are making it more difficult for "white hats" to do their job properly. My posts here, as I mentioned earlier, are merely a "Devil's Advocate" point of view.

Second, I'm not saying that it justifies hacking. I'm saying that it might encourage hacking for some. If you go into an Alcholics Anonymous meeting with an armful of hard liquor, are you not tempting them? It's not illegal. Some will have the will power to withstand it. Others won't. Same idea. You are encouraging them to hack. Since you are doing that -- encouraging them to "break the law" -- who are you bring charges against them?

As for litigation (as brought up by some more recent posts) that's the laws in the US. You can sue pretty much over anything. One thing that isn't mention is the reward that is sometimes given out. Sometimes its a few thousands (like the thief who was electrocuted) sometimes it's a dollar. The judge/jury awards things based on what they feel is right and what is felt to be deserved. No system is perfect. One thing that they have here in Canada that seems to limit some of that is the ability of the "criminal" to "profit from the crime". It's not allowed. I wonder if that's why in Canada we don't see that much litigation by criminals against their victims unlike in the US.

I don't know if removing government from cyberspace will help. It would be better if they asked us or got the community involved. One bad case and those laws will be removed. I find that a lot of the laws coming out of the US right now are "reactionary" laws to an already paranoid system. If we didn't have trespassing laws, you couldn't charge someone with breaking into your computer. If we didn't have someone watching the activities of some of our members, we'd have more child porn and more "stalkers". What we need is more balance in regards to the involvement of government in cyberspace. Attempts to control it so that you can catch the "bad guys" won't work.

There seems t obe a lage belife here in fake lawsuits.
Check out the legal link on this page http://66.165.133.65/
No criminal has gotten money from hurting himself while commiting a crime...and the US has laws that keep a crimianl from profiting in any way from his crime. Of the other suits that where mentiond the only one that was real and that the company being sued lost was the McDonalds coffe case. That case was not frivolus McDonlads new for a long time that their coffe was dangerously hot and finaly ran into a person that wouldn't take soem free food to shut up about it.

That being said, if some one breaks the law by hacking into your system and you catch them in your honey pot they cannot sue you or get of on entrapment claims (well they can sue you but they will lose the case and be hit with the court fees ect.)

Operating a honey pot? What has this world come to?

Quote:

---

Originally posted here by bballad
There seems t obe a lage belife here in fake lawsuits.
Check out the legal link on this page http://66.165.133.65/
No criminal has gotten money from hurting himself while commiting a crime...and the US has laws that keep a crimianl from profiting in any way from his crime.

---

I know it's a bit off subject here, but I thought I would weigh in on that quote.

There is currently a case here in the San Francisco bay area where a criminal is suing because he got shot twice while attempting to rob a convenience store. He says that "deadly force" wasn't needed and that he's been psychologically scarred from the event. He also says he suffers from nightmares because of it. He was injured during the criminal activity... and no, this isn't an Urban Legend, this is something the news has been talking about for the past few days.

I'll see if I can find a link to that today and will post it here... FWIW KTVU is the one that I have heard reporting this, I even heard them talking about this before I came in to work this morning.

Quote:

---

Originally posted here by Lv4


I know it's a bit off subject here, but I thought I would weigh in on that quote.

There is currently a case here in the San Francisco bay area where a criminal is suing because he got shot twice while attempting to rob a convenience store. He says that "deadly force" wasn't needed and that he's been psychologically scarred from the event. He also says he suffers from nightmares because of it. He was injured during the criminal activity... and no, this isn't an Urban Legend, this is something the news has been talking about for the past few days.

I'll see if I can find a link to that today and will post it here... FWIW KTVU is the one that I have heard reporting this, I even heard them talking about this before I came in to work this morning.

---

Let me know who that one comes out.. Unfortunately once a gun is involved you enter a gray area, where each state is a little different. Here in IL I can shoot someone who has broken into my house/business with no warning, in Indiana you must yell out I have a gun before you shoot them. This also changes if the robber also had a gun if he dose then it is legally assumed he had intent to kill you so any action you take is self-defense.

Dose any one know a Lawyer we can bring in on this, all of my info comes from personal reading verified by a friend who is a lawyer in environmental law what we need is input from a prosecutor or criminal defense attorney.

If you bloat about you have a honeypot, and INTISE the intruder, then while they hack it you report them, then YES its not legal, its entrapment. But if its there, and you just have it there for whatever means then no. its perfrectly legal.

Quote:

---

Originally posted here by TSeNg
If you bloat about you have a honeypot, and INTISE the intruder, then while they hack it you report them, then YES its not legal, its entrapment. But if its there, and you just have it there for whatever means then no. its perfrectly legal.

---

Unless you are a member of a law enforcement or federal agency it is not entrapment. There is no way a private citizen can commit entrapment, it just isn't possible the entrapments laws specifically mention government official/law enforcement official.

*YOU MUST HAVE LEGAL ATHORITY TO COMMIT ENTRAPMENT*

you will not go to jail/get fined for busting a hacker for breaking in to your honey pot...nor will you infringe on his privacy as it is a private system he has no rights.

Over the past two months, my organization has been using a honeypot for research. It's disguised as a "normal" system, as the entire purpose of a honeypot is to act like a normal system. Going back to the Indiana law, where you have to yell "I have a gun" before you fire, an "authorized users only" banner on our honeypot should cover us, right? After all, once you go past the banner, you're legally trespassing.

The thought of having our own system's capabilities rendered useless in court is sad.

OMG! Its perfectly legal in my mind. In a sense it's a security system for your computer. And basicly does the same thing that a security system does for your house! There is no reason for it to be illegal unless you use it in that way.

Basically, it all boils down to owning up to your actions. If you get caught attempting to hack/crack someone else's system, end of story...done. No whining, complaining, making excuses. As far as violating a hacker/crackers rights or "stalking" them? Everyone assumes that they are the exception to the rules. Bullshit. If I find someone attempting to rob my house, not only will I follow him home, but I will also kick his ass in his front yard.
As a network administrator, alot of my energy is spent on security issues. This is because there are those out there who believe that if you don't lock something up - tight - then it's an implied invitation. I firmly believe that if I create something - a file, program, whatever- it belongs to me. We all know right from wrong, we are just trying to ignore that fact and citing technicalities in order to do so.

bballad - All I can say is things are sure a lot different in Illinois than they are in the NorthWest!! Out here, not only will the cop ticket you (with or without his lights on!) but you will be charged a fee to ENTER the courtroom and the Judge will ignore the reason for the traffic citation - telling you you're guilty before you can even enter your plea! I don't agree with your analogy re: "If a cop offers you drugs/sex and you accept its not entrapment" . . . If it looks like a duck and quacks like a duck . . . Excuse me, but why isn't that cop or government agent out arresting the murders, rapists, burglars, child molesters, etc. that are still at large? Are things so slow that millions of tax dollars need to be spent setting up elaborate 'sting operations' just to entrap individuals who might otherwise NOT have stepped that far over the line? I just have to think that when you threaten private individuals into believing they and their family are at risk from Mafia retaliation . . . UNLESS they DO cooperate in your illegal endeavor . . . you've gone a bit too far (True case)! (I really need to quit watching CourtTV!!)

MsMittens - I believe that unless the government actually knows what it's talking about . . . it should keep its nose out of cyberspace for now. Script kiddies who have nothing better to do with their time than create destructive virii and the like or break into someone elses system . . . because it's there - deserve to have their toys taken away, get stuck in a honeypot for a few days (tying up their resources for a change) and/or be made to reimburse those they have harmed. I'm tired of seeing my tax dollars being funnelled into an educational/governmental system which continues to breed more and more irresponsible individuals . . . whether newbie hackers out for a thrill or idiot politicians who create million dollar committees that accomplish nothing. Just look at the great job the US government did in deregulating the transportation industry . . . IT STILL hasn't recovered. I realize you are playing "Devil's Advocate" but thinking "One bad case and those laws will be removed" is a bit naive . . I would wager that Canada has just as many obsolete laws still on the books, as the US has.
Todays society has little to NO moral/ethical standards. It seems few individuals are willing to accept responsibility for their actions and prefer to place the blame on their rotten childhood, poor environment or the fact that Mommy and Daddy didn't get them that BMW convertible they wanted for their 16th birthday. Doesn't anyone believe in the "Golden Rule" anymore? How about plain old fashioned consideration? There will always be someone trying to make an easy buck and to heck with the consequences . . . Government agencies will continue playing "Big Brother" and it will still take the "Powers That Be" way too long to get it right! Change can begin only when individuals are held accountable for their actions and accept responsiblity . . . If that means slowing their bandwidth, getting them kicked from their ISP or, heaven forbid, their making restitution for the millions and millions of dollars in damages they caused AND I can help that become a reality . . . I'm all for it. I became a member of AntiOnline BECAUSE I want to be part of the solution . . . rather than a victim of the problem. What we NEED is to ensure instructors spend MORE time teaching students to be responsible PC users and LESS time learning how to write destructive scripts or programs. We need parents who supervise and restrict their kids activities on the Internet, rather than turning a blind eye because it's easy, they're too busy, don't care or are computer illiterate themselves. We need communities who've realized that adults, the elderly, the disabled and the poor, could benefit from computer classes, donations of discarded/outdated systems, software or hardware and volunteer mentoring just as much, if not more, than children can. Sorry to vent but that's my 2 cents worth.

Little Mama - I couldn't agree with you more! I'd love to introduce you to a certain person I know in Oregon . . . you guys could kick ass together!! (I might even join you.) I know I got a bit carried away but I can't help wishing I lived in a town where I didn't have to lock my doors or windows, a world where I didn't have to spend all my time researching new security measures, the latest 'bug' or downloading fixes, patches, hardware, software, security and/or virus updates, management personnel appreciated employees wanting to grow with the company, who took pride in doing a good job and where businesses actually produced quality merchandise that was worth what you paid for it. And, before you ask, NO . . . I don't believe in Santa Claus or the Easter Bunny.

V.

Quote:

---

Originally posted here by Darksnake
First off if the "hackers" werent snooping around your machine's then they and you wouldnt be in court. I highly doubt a judge will rule in their favor if you can prove they were unlawfully snooping around and got caught. Personally I think its a bunch of **** but thats just me. I mean if you catch someone snooping around outside your house can he sue you for making your house a tempting target to him as a burglar? not only no but hell no! Our laws are just a bunch of **** when it comes to computers.

---

also the government does this all the time in catching criminals its called a sting

when they pose as prostitutes or poor old ladies and even drug dealers to entice or entrap a would be criminal lol

i think the whole argument is a joke

Quote:

---

Originally posted here by vvirtho
bballad - All I can say is things are sure a lot different in Illinois than they are in the NorthWest!! Out here, not only will the cop ticket you (with or without his lights on!) but you will be charged a fee to ENTER the courtroom and the Judge will ignore the reason for the traffic citation - telling you you're guilty before you can even enter your plea! I don't agree with your analogy re: "If a cop offers you drugs/sex and you accept its not entrapment" . . . If it looks like a duck and quacks like a duck . . . Excuse me, but why isn't that cop or government agent out arresting the murders, rapists, burglars, child molesters, etc. that are still at large? Are things so slow that millions of tax dollars need to be spent setting up elaborate 'sting operations' just to entrap individuals who might otherwise NOT have stepped that far over the line? I just have to think that when you threaten private individuals into believing they and their family are at risk from Mafia retaliation . . . UNLESS they DO cooperate in your illegal endeavor . . . you've gone a bit too far (True case)! (I really need to quit watching CourtTV!

---

Umm you seem to have missed the point of my statement...the only people who can commite entrapment is a goverment agent/cop. In saying that the entrapment laws are very complex..Police can go under cover/run stings. What they can't do is entice you to commit a crime that you would normaly commit. If he offers to see you drugs and you buy not entrapment. If he forces you to do drugs/commit a crime then it is entrapment. As long as you commit a crime of your own free will its not entrapment...

If you plane on breaking laws, be smart about it and know all the laws that can affect you, its the only way not to get caught..if you are dealing/buying drugs, or are involved in prostitiution and you expect the question are you a cop to protect you then you are in for a long stay in jail.

I didn't miss your point . . . I know what you said . . . I just don't happen to agree with you. The sting operation I mentioned was carried out by the FBI and featured on a program shown on the CourtTV cable channel. The FBI agents involved were undercover (of course) and when one private citizen balked at joining in with their planned crime, the agents convinced him they were "in bed" with the Mob and if he DIDN'T get with the plan . . . his family might end up 'swimming with the fishies"! That's entrapment but Mr. Citizen still wound up in prison! MY POINT was . . . instead of wasting tax dollars trying to get someone to commit a crime . . . how about going after some of the criminal element still at large?! Enough said.
V.

Here two URLs about Canadian Criminal Code laws that can apply on the subject.

PART VI: INVASION OF PRIVACY
http://laws.justice.gc.ca/en/C-46/41049.html

PART IX: OFFENCES AGAINST RIGHTS OF PROPERTY
http://laws.justice.gc.ca/en/C-46/41558.html

I used to study this two laws to know the legality of wardriving. From the understanding I got, the communication between a hacker and a computer I own is not private and I can do what I see fit. To be fully protected by the law, I must put a banner to beware a intruder to not trespassing and telling him that the system is under surveillance.

How can a computer (honeypot) be a trap :confused: Nowhere a sign telling hackers, I'm a victim, please hack me!

If logging someone's movements about your honeypot is illegal, should I be concerned about tracking a web user's browsing habits on my apache server?

Also, what if I log a hacker's movements on a production server? Is this illegal? Does the illegality only come into play because a honeypot has no business-related value?

This is just plain dumb. In my mind, if someone exploits a service running on a honeypot or a production server, they are breaking in and should be subject to the same laws that one would apply to video surveilance.

I agree, but I'm not too knowledgeable of the laws in place for this type of monitoring. It may be a good idea to check your state laws relating to monitoring internet activity. :confused:

Browsing this thread brings up a relatively old story that I heard about a while ago. Where some cat burgler landed on a knife in someone's kitchen, cut up their foot pretty good, and then sued. Shockingly, I believe the burgler one, claiming that the knife being left on the counter created an unnecessary risk.

Is it just me, or is this honey pot issue eerily similar?

--PhirePhreak