Honeypots mailing list archives

Re: Honeynet Alliance Charter Question


From: sushant () umich edu
Date: Tue, 15 Mar 2005 22:05:47 -0500

I think it's a question of legal law. Law states that you cannot use "entrapment"
as a means to prosecute someone. For example, you think a guy is a contract
killer. Now, to prove that, you go to him and offer $10,000 if he kills someone.
And when he is close to the killing, you cannot arrest him because that's
"entrapment".

Similarly, you cannot set up a honeypot and ask someone to break into it, and
then charge him for breaking in. If you write a client to join a botnet and the
hacker controlling the botnet issues a command to DoS a particular website,
then you cannot prosecute him for issuing such a command to your machine.

More such instances can be created, but the bottom line is: "If you actively
lure an attacker, then you cannot charge him for the break-in."
-Sushant.

Quoting Adam Carlson <ajcarlson () ucdavis edu>:

Greetings all,
    I was wondering if someone could explain to me the meaning and
purpose of the honeynet alliance requirement 4.8 involving data capture.

From this page:

http://www.honeynet.org/alliance/charter.txt

"4.8  Organizations that deploy honeynets and related technologies for
     data capture must use passive means.  No active means of data
     capture are acceptable under the Alliance.  "

What types of activity would be considered "passive" data capture as
opposed to "active"?  I see how tcpdump would be considered passive,
while something like nmap would be considered active, but is there a
more formal definition/description that could be used to help classify
data capture methods when they aren't so obvious?  Having a better
understanding of the intent of this requirement might help me understand
how to interpret it as well.  Please let me know any thoughts you might
have.
Thank you for any assistance, -Adam


--
Clatto Verata Nicto