RE: Honeynet Alliance Charter Question

["Christopher Cook" <cookc () ritacacas net>]

[Disclaimer: I'm no lawyer, or even especially smart.] 

Entrapment is a difficult legal question, and not a new one.  We bat this
around periodically.

Here's one of the main examples I've used: if you park an expensive,
unlocked bicycle at the back end of a dark parking lot and hide in the
bushes until someone tries to snag it, is that entrapment?  In some
countries, yes, it is.

If you leave an apparently vulnerable server on a bad corner of the Internet
(are there good corners?), unlocked and unprotected, there's an argument
that you've done that same thing.

Now, I'm not really making that argument myself -- I like Honeypots and
Tarpits a lot -- but I realize that I'm working on somewhat questionable
legal ground.  The boundaries will hopefully become clearer once there's a
body of case law to work from, but I don't want one of those cases to be my
body, either.

Chris


______________________________
Christopher Cook, GIAC GSEC
IT Security Engineer

> -----Original Message-----
> From: sushant () umich edu [mailto:sushant () umich edu]
> Sent: Tuesday, March 15, 2005 10:06 PM
> To: honeypots () securityfocus com
> Subject: Re: Honeynet Alliance Charter Question
>
> I think its a question of legal law. Law states that you cannot use
> "entrapment"
> as a means to prosecute someone. For example, you think a guy is a
> contract
> killer. Now, to prove that, you goto him and offer $10,000 if he kills
> someone.
> And when he is close to the killing, you cannot arrest him because thats
> "entrapment".
>
> Similarly, you cannot set up a honeypot and ask someone to break into it,
> and
> then charge him for breaking in. If you write a client to join a botnet
> and
> hacker controlling the botnet issues a command to DoS a particular
> website.
> Then, you cannot prosecute him for issuing such a command to your machine.
>
> More of such instances can be created but the bottom line is: "If you
> actively
> lure an attacker, then you cannot charge him for breakin"
> -Sushant.
>
> Quoting Adam Carlson <ajcarlson () ucdavis edu>:
>
> > Greetings all,
> >     I was wondering if someone could explain to me the meaning and
> > purpose of the honeynet alliance requirement 4.8 involving data capture.
> >
> >  From this page:
> >
> > http://www.honeynet.org/alliance/charter.txt
> >
> > "4.8  Organizations that deploy honeynets and related technologies for
> >      data capture must use passive means.  No active means of data
> >      capture are acceptable under the Alliance.  "
> >
> > What types of activity would be considered "passive" data capture as
> > opposed to "active".  I see how tcpdump would be considered passive,
> > while something like nmap would be considered active, but is there a
> > more formal definition/description that could be used to help classify
> > data capture methods when they aren't so obvious?  Having a better
> > understanding of the intent of this requirement might help me understand
> > how to interpret it as well.  Please let me know any thoughts you might
> > have.
> > Thank you for any assistance, -Adam
> >
> >
> > --
> > Clatto Verata Nicto