Honeypots mailing list archives
RE: Honeynet Alliance Charter Question
From: "Christopher Cook" <cookc () ritacacas net>
Date: Tue, 15 Mar 2005 22:56:49 -0500
[Disclaimer: I'm no lawyer, or even especially smart.]

Entrapment is a difficult legal question, and not a new one. We bat this around periodically. Here's one of the main examples I've used: if you park an expensive, unlocked bicycle at the back end of a dark parking lot and hide in the bushes until someone tries to snag it, is that entrapment? In some countries, yes, it is.

If you leave an apparently vulnerable server on a bad corner of the Internet (are there good corners?), unlocked and unprotected, there's an argument that you've done that same thing.

Now, I'm not really making that argument myself -- I like Honeypots and Tarpits a lot -- but I realize that I'm working on somewhat questionable legal ground. The boundaries will hopefully become clearer once there's a body of case law to work from, but I don't want one of those cases to be my body, either.

Chris
______________________________
Christopher Cook, GIAC GSEC
IT Security Engineer
-----Original Message-----
From: sushant () umich edu [mailto:sushant () umich edu]
Sent: Tuesday, March 15, 2005 10:06 PM
To: honeypots () securityfocus com
Subject: Re: Honeynet Alliance Charter Question

I think it's a question of legal law. Law states that you cannot use "entrapment" as a means to prosecute someone.

For example, you think a guy is a contract killer. Now, to prove that, you go to him and offer $10,000 if he kills someone. And when he is close to the killing, you cannot arrest him because that's "entrapment".

Similarly, you cannot set up a honeypot and ask someone to break into it, and then charge him for breaking in.

If you write a client to join a botnet and the hacker controlling the botnet issues a command to DoS a particular website, then you cannot prosecute him for issuing such a command to your machine.

More such instances can be created, but the bottom line is: "If you actively lure an attacker, then you cannot charge him for break-in"

-Sushant.

Quoting Adam Carlson <ajcarlson () ucdavis edu>:

Greetings all,

I was wondering if someone could explain to me the meaning and purpose of the honeynet alliance requirement 4.8 involving data capture. From this page: http://www.honeynet.org/alliance/charter.txt

"4.8 Organizations that deploy honeynets and related technologies for data capture must use passive means. No active means of data capture are acceptable under the Alliance."

What types of activity would be considered "passive" data capture as opposed to "active"? I see how tcpdump would be considered passive, while something like nmap would be considered active, but is there a more formal definition/description that could be used to help classify data capture methods when they aren't so obvious? Having a better understanding of the intent of this requirement might help me understand how to interpret it as well.

Please let me know any thoughts you might have.

Thank you for any assistance,
-Adam

--
Clatto Verata Nicto