are honeypots illegal in the us under the dmca or any other law for that matter
i know it could be like entrapment but i dont plan to prosecute for breaking my honeypot of coarse my others boxes are a differnt story
thx
Printable View
are honeypots illegal in the us under the dmca or any other law for that matter
i know it could be like entrapment but i dont plan to prosecute for breaking my honeypot of coarse my others boxes are a differnt story
thx
I think right now the answer is "I don't know" since really honeypots haven't been contested in court. I would think the SuperDMCA would be more likely the law that would contest the use of honeypot but the big key is intention:
(sample of the Michigan SuperDMCA -- apparently, based on this I cannot wear my 2600 blue box shirt in Michigan) :DQuote:
Prohibited conduct with regard to telecommunications access device; violation as felony; penalty; amateur radio service; forfeiture; order; definitions.
Sec. 540c.
(1) A person shall not assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise an unlawful telecommunications access device or assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise a telecommunications device intending to use those devices or to allow the devices to be used to do any of the following or knowing or having reason to know that the devices are intended to be used to do any of the following:
(a) Obtain or attempt to obtain a telecommunications service with the intent to avoid or aid or abet or cause another person to avoid any lawful charge for the telecommunications service in violation of section 219a.
(b) Conceal the existence or place of origin or destination of any telecommunications service.
(c) To receive, disrupt, decrypt, transmit, retransmit, acquire, intercept, or facilitate the receipt, disruption, decryption, transmission, retransmission, acquisition, or interception of any telecommunications service without the express authority or actual consent of the telecommunications service provider.
(2) A person shall not modify, alter, program, or reprogram a telecommunications access device for the purposes described in subsection (1).
(3) A person shall not deliver, offer to deliver, or advertise plans, written instructions, or materials for the manufacture, assembly, or development of an unlawful telecommunications access device or for the manufacture, assembly, or development of a telecommunications access device that the person intends to be used or knows or has reason to know will be used or is likely to be used to violate subsection (1). As used in this subsection, “materials” includes any hardware, cables, tools, data, computer software, or other information or equipment used or intended for use in the manufacture, assembly, or development of an unlawful telecommunications access device or a telecommunications access device.
Surely the question is not "are honeypots legal", but would the "evidence" so obtained be acceptable in court?
Hey, if you leave your car unlocked and someone steals it, that is not entrapment, it is stupidity?
Just a thought?
Very interesting in deed! I wonder how the anonymisers and proxies get around paragraph (1) (b). I guess they don't go to Michigan.... :eek:
I would imagine we'll see a court case dealing with honeypots pretty soon. However I would highly doubt that if you caught a bad guy, that you would be in too much trouble as long as you turned in all your evidence. But make sure you are not too overly aggressive about the whole thing. Just remember the key phrase, "What would a reasonable and prudent person do?"
I don't see why a honeypot system is any different from any other system. Unless you are actually entrapping the attacker (example: offer them money or other reward to hack your honeypot), then any evidence should be admissable.
Just because it doesn't have any real purpose, doesn't mean a honeypot isn't still a computer system as defined by the relevant laws. Here are some other scenarios
- A machine has been set up to be a web server but has yet to be actually used as one
- A machine has previously been set up as a web server but is no longer used as one, and has been left turned on with net access
How are either of those scenarios different from a honeypot? None whatsoever. IANAL however.
Slarty
so if i only use the info i gather to learn from and not to bring people to court im definatly fine right?
im in NY any super dmca laws to worry about
the dmca sucks its almost like we dont own our own property with what it says about by passing copy protection if i want to mod my x-box i shuold be able to.
droffohcam03
I would say you are OK, the question is really if evidence so gathered is acceptable, NOT if you have done anything wrong? Otherwise:
1. Hackers are right, and the FBI and USSS can go play with themselves......hacking is no longer a crime?
2. Anyone who leaves an unprotected server/open relays is a nasty criminal leading poor skiddies into temptation??? :eek: and should be punished (come to think of it, the open relays bit wouldn't be all bad :D ?)
Just make sure you do it on a laboratory machine and DON'T try to hack back.
Cheers
The link I provided should give you info about the SuperDMCA. Generally, there are no rules in regards to honeypots (and the same can be said for the most part, scanning but it's still an iffy area since it truly hasn't been challenged in court).
There was one weird area of Honeypots that Lance Spitzner brought up in the Honeypot SecurityFocus Bugtraq: Privacy. He contends that privacy is more the issue than entrapment. This Article I believe covers his point of view.
yeah msmittens that was another one of my conserns becasue im monituring them with out them knowing and if they compromise my box i can see what teir doing without them knowing and isent covered under some of though wiretap law?
Hmmm
I would go for...............
1. The machine is your private property and you have the right to monitor what happens on it? otherwise keylogging and IDS software would be illegal?
2. They came to you, you did not go to them, or security cameras would be illegal?..............they monitor people's activity?
Just a thought
If you had a voice recorder set up in your house and a crook broke in and happened to use his cell phone while he was their it would be admissible in court....so why if someone breaks into a honey pot would that be a violation of their privacy? Maybe I'm missing something here but if they are illegally intruding on your property then I would think they gave up the right to keep what they are doing private.
i found this site it helped me out thought i post it here http://www.securityfocus.com/infocus/1703
I may be wrong, but at most stores and gas stations, they need signs posted saying they are monitering via cameras ("this facility is monitered by camera"). Maybe if you place something similar on your box, readme.txt files or something, maybe even name the machine/honeypot "monitered" that would bypass some of this privacy concern... just a thought...Quote:
Originally posted here by nihil
2. They came to you, you did not go to them, or security cameras would be illegal?..............they monitor people's activity?
Just a thought
a while back I posted a thread entitled "use a honeypot, go to prison?" It was a link to an interesting article writen by Kevin Poulsen at SecurityFocus and posted by our paranoid friends over at the Register... anyway, you can find my original thread here
or you can find the direct link to the Register story here
So far I know of no court cases against honeypots so this is still a "grey" area for legality purposes. My view is that I don't think it's illegal to run or operate a honeypot... but I could be wrong on this (let's hope not).
I think that is probably to deter robbers and shoplifters.................but there are none in banks and post offices, yet the cameras are still there................also in bars...............if I saw a sign like that in a bar I would leave before the fighting started :) Hotels & airports have them as well?Quote:
I may be wrong, but at most stores and gas stations, they need signs posted saying they are monitering via cameras
Cheers
remember that if :
1) your machine is compromised and then
2) used to attack another machine and
3) you have *deliberatly* left your machine open
then you could probabily be sued.
What if you set up a machine that extensively logged all access in the same way that a honeypot would, but you didn't just set it up to be hacked. For example, I've got a linux box running with sshd and apache which I use to make work that I've done at home available to me at uni, and so my friends can download stuff off me easily. If someone came onto my computer and I decided to log all their access and monitor what they were doing, would I be invading their privacy? (bearing in mind that this computer is not set up as a honeypot)
ac
Technically yes if you did not inform them that they were being monitored. You know those support calls you make and you hear that lovely but monotoned voice that says "This call may be monitored for quality assurance". While the call is between you and the tech support (and any managers thereafter depending on the level of experience of the techie), the fact that the call is logged and potentially open (your expectation of privacy is gone) you have to be informed.Quote:
If someone came onto my computer and I decided to log all their access and monitor what they were doing, would I be invading their privacy? (bearing in mind that this computer is not set up as a honeypot)
While logging activities would be, IMO, a grey area I'd still put up a notice so that people know there isn't an expectation of privacy. Just as a CYA policy. :D
MsMittens, I'm not doubting you. I see what you're saying and it sounds logical to me, but why then, are large website administrators, etc. not prosecuted for having log files on their computers? I mean, plenty of people must access their sites, and by default, most httpd's take a decent amount of logs.
For example, could antionline be sued just because the site doesn't have a big banner on the front of it that says that access to the site is logged? I would really doubt that there is no logging for a site like this.
Again, this comment isn't meant to be a flame or anything...I agree with you, but the fact is that I don't know enough about this, so I've got to assume that other do and ask questions.
Thanks,
ac
[edit] I see there is a link to a security policy at the bottom of the main page which explains in great detail how information is used. Is that for this site, or for some of the advertisements at the bottom of the page? [/edit]
You mean the Privacy Policy? That's for AO and some of the advertising on the site. As long as you have it written somewhere that you are collecting information and how you intend to use it (to indicate the level of expected privacy then you are covered).Quote:
I see there is a link to a security policy at the bottom of the main page which explains in great detail how information is used. Is that for this site, or for some of the advertisements at the bottom of the page?
As you can see, JUPM does collect information about users via logging. In effect, the Privacy Policy found at most Websites is the CYA policy. I believe that should answer your initial question as to why webmasters at large websites aren't prosecuted for keeping logs. While most people don't read the Privacy Policy at websites (and really you should to see what information is open, what is being monitored regularly and what they do with your information), it is the Privacy Policies that usually indicate how information (logging and data mining) is being ued and what level of privacy expectation someone should have for a particular site.Quote:
What information are you collecting and how are you collecting it?
Every computer connected to the Internet is given a domain name and a set of numbers, that serve as that computer's "Internet Protocol" IP address. When a visitor requests a page from any Web site within the JUPM Network, our Web servers automatically recognize that visitor's domain name and IP address. The domain name and IP address reveal nothing personal about you other than the IP address from which you have accessed our site. We use this information to examine our traffic in aggregate, and to investigate misuse of the JUPM Network, its users, or to cooperate with law enforcement. See also Will you disclose the information you collect to outside third parties? We do not collect and evaluate this information for specific individuals. Our Web servers do not automatically record e-mail addresses of the visitors.
Hmmm,
I was wondering if the "rules" are different for a private computer as opposed to one that is "visible" on the net and/or open to the public?
Seems to me that it is the person hacking into the private computer who is commiting the invasion of privacy?
Cheers
Actually, last I checked, that was B&E. I find laws to be a bit weird when you get down to the technicalities of the law.Quote:
Seems to me that it is the person hacking into the private computer who is commiting the invasion of privacy?
IMHO a honeypot is just like any other computer. It would just happen to be a computer that has good loging systems/IDS's.
If you hacked joe shmoe, and joe requests the logfile from a proxy that the attacker went through, would it be illegal for the proxy to give up that log?
How can you define what the true intent of a computers use is.....all the admin has to say is that its his personal PC and no one could say other wise.
just my thoughts, take them with a grain of salt
According to CISSP cert info., honeypots are legal. Honepots are used for enticement, which is not illegal.
Anything used for entrapment, such as a user clicking on a link but actaully downloads illegal software is illegal.
I'd say it'd depend on how they define their privacy policy. Reality is that if the FBI comes with a warrant only an idiot wanting to get a new roommate called "Bubba" would balk. If an individual requests it, it'd be unlikely if the proxy would respond at all. Joe Shmoe has a better chance if he files a complaint with police and let them take it further with the court system.Quote:
If you hacked joe shmoe, and joe requests the logfile from a proxy that the attacker went through, would it be illegal for the proxy to give up that log?
Uh. No. Companies identify what they own so as to avoid issues of ownership and to enforce security measures. Computers, networks, proprietary information are all property of the company. So an admin cannot just say "it's my personal pc" unless it really is. Intent is a hard thing to prove but it's done all the time in murder cases (Murder in the First degree versus Murder in the Second Degree: the difference? Intent) so it's not that impossible.Quote:
How can you define what the true intent of a computers use is.....all the admin has to say is that its his personal PC and no one could say other wise.
CISSP/ISC(2) is not the law. I think scanning is perfectly legal. Courts in various states might disagree with that. Until it's tested in court, it's still grey area IMHO.Quote:
According to CISSP cert info., honeypots are legal. Honepots are used for enticement, which is not illegal.
Anything used for entrapment, such as a user clicking on a link but actaully downloads illegal software is illegal.
As far as the Entrapment possibility.. Let's remember that Google is so much fun. Let's be clear first what entrapment means.
So unless you are a police officer or a member of some other law enforcement agency, or encouraged by a law enforcement agency, you are NOT committing entrapment if you setup a honeypot and the user chooses to download illegal software or what-have-you.Quote:
The inducement, by law enforcement officers or their agents, of another person to commit a crime for the purposes of bringing charges for the commission of that artificially-provoked crime. This technique, because it involves abetting the commission of a crime, which is itself a crime, is severely curtailed under the constitutional law of many states.
There was a story on TechTV about four months ago that had to do with a man who was having problems with people getting into his system, He built a honeypot for collecting info on the hackers and to try to get their ISP to help stop them. I do not know if anything happened to him, but the info he collected was turned over to the FBI. as for scanning, was not illegal in itself, but posting the info is. I just wish I could remember the name of the story for the honeypot.
Thank you for your time.
paper on a court case about port scannng,
http://216.239.39.104/search?q=cache...hl=en&ie=UTF-8
a colunm by Dan Gillmor
http://weblog.siliconvalley.com/colu...s/000946.shtml