Honeypots mailing list archives
RE: Jail Time for Honeypots?
From: Mark Embrich <mark_embrich () yahoo com>
Date: Wed, 23 Apr 2003 09:58:20 -0700 (PDT)
From the Security Focus article:

That leaves a third "provider exemption" as the most promising for honeypot fans. This allows the operator of a system to eavesdrop for the purpose of protecting their property or services from attack. But even that exemption probably wouldn't apply to a system that's designed to be hacked, Salgado said. "The very purpose of your honeypot is to be attacked... so it's a little odd to say we're doing our monitoring of this computer to prevent it from being attacked."

------

I would argue that Salgado is incorrect. Yes, the purpose of the honeypot is to be attacked, but that doesn't mean we don't have any right to protect it. I would argue that we are protecting the honeypot by learning an attacker's modus operandi, therefore increasing our ability to protect our production machines.

Until there is a definition of "for the purpose of protecting their property or services from attack" and it specifically says "no honeypots or honeynets," I won't let legislation stop me from doing my job. Obviously, this also means that I need to specify that "for the purpose of protecting their property or services from attack" includes honeypots and honeynets in my company's documentation.

------

Salgado further comments:

Instead, Salgado favors configurations where a hacker is invisibly rerouted to a honeypot after beginning an attack on a production machine. "The closer the honeypot is to the production server, the less likely that it's going to have some of the legal issues that we're talking about," he said, because the monitoring becomes part of the normal process of protecting the production machine.

-------

Well, if it was that easy to tell what is an attack, we wouldn't need honeypots at all, would we? Does anyone know if Salgado has any practical experience in information security?

Also, wouldn't the rerouting be in violation of the Super-DMCA bill?

"Any device or software that conceals 'the existence or place of origin or destination of any telecommunications service.'" (Poulsen, Security Focus, "'Super-DMCA' fears suppress security research" <http://www.securityfocus.com/news/3912>)

Hope that stirs the fires a bit.

Mark Embrich