Honeypots mailing list archives

Re: Honeynet Alliance Charter Question


From: Sushant Sinha <sushant () umich edu>
Date: Wed, 16 Mar 2005 10:39:14 -0500

I think until and unless you have actively solicited someone to break in, you
can use the log data to prosecute. You can actively solicit someone by
1. asking him to break in by an out-of-band mechanism (or by an open break-in
challenge)
2. joining a bot-net on your own
3. running a client on a honeypot which actively monitors blackhat communication
channels like IRC, demonstrating a vulnerability and then, you cannot sue for
someone exploiting it

I cannot think of more, but I think in most of the cases data CAN be used to
prosecute.

-Sushant.

On Wednesday 16 March 2005 08:19 am, Chris Brenton wrote:
> On Wed, 2005-03-16 at 02:33, Adam Carlson wrote:
> > From what I've read entrapment only applies when one is attempting to
> > use the information to criminally prosecute individuals.
>
> Agreed, it comes down to intent. If the information is collected for the
> sole purpose of prosecution, you are on a gray line. There are some easy
> ways around this however:
>
> 1) Develop a process of collecting logs from all your primary systems,
> not just your honeypot.
> 2) Give your honeypot some active but minor role in your network, such
> as a backup secondary DNS server.
>
> Given both of the above, entrapment becomes a non-issue.
>
> > From what I understand from the entrapment
> > laws, if there is some collaboration between the honeynet alliance and
> > law enforcement, then the honeynet alliance could be guilty of
> > entrapment.
>
> Unfortunately, this line can be fuzzy. If you've had zero interaction
> with law enforcement regarding a specific incident, but have worked with
> law enforcement in the past on previous incidents, it *could* be enough
> to show "reasonable doubt". It's not a given however as each situation is
> different.
>
> > I think a big part of liability depends on whether or not you are
> > monitoring with the intent of using it in a criminal prosecution.
>
> Bingo, thus the first item above. If collecting logs is part of your
> daily operations, it's certainly not focused on prosecution.
>
> HTH,
> Chris

