Honeypots mailing list archives

Re: Honeynet Alliance Charter Question

From: Adam Carlson <ajcarlson () ucdavis edu>
Date: Wed, 16 Mar 2005 07:50:32 -0800

Thanks a lot for the responses. So it seems that as long as the Honeynet Alliance is not in any way partnering with law enforcement and not intending to partner with law enforcement, we are in agreement that the alliance and its members should not have to worry about entrapment.

So I ask again, why is that regulation necessary and what is it attempting to regulate? Would having a honeypot that is an active, backup dns server as you suggest be allowed under the alliance? Does passive data capture basically mean no active scanning but all other types of activity are ok? What behavior is defined as "data capture" in regards to this regulation?

I could interpret the regulation in a number of ways, which is why I was wondering what the intent of it is. I think I might need someone who helped write the regulations to clarify what types of honeynet activity they are trying to prevent from happening within the alliance. I do not think it would be legal concerns because I don't think this regulation actually does much to alleviate legal issues, but the alliance charter members could have had a different opinion on that matter.

If anyone was a part of the regulations' creation process or has knowledge of what 4.8 was intended to do and can let me know, I would very much appreciate it. I think it could have been out of legal concerns; however, it may have been for other reasons, like moral concerns. Either way, I would just like to have a good understanding of the alliance's position on the subject. Thanks again for the responses thus far. -Adam

Chris Brenton wrote:
On Wed, 2005-03-16 at 02:33, Adam Carlson wrote:

> From what I've read entrapment only applies when one is attempting to use the information to criminally prosecute individuals.

Agreed, it comes down to intent. If the information is collected for the
sole purpose of prosecution, you are on a gray line. There are some easy
ways around this however:

1) Develop a process of collecting logs from all your primary systems,
not just your honeypot.
2) Give your honeypot some active but minor role in your network, such
as a backup secondary DNS server.

Given both of the above, entrapment becomes a non-issue.

> From what I understand from the entrapment laws, if there is some collaboration between the honeynet alliance and law enforcement, then the honeynet alliance could be guilty of entrapment.

Unfortunately, this line can be fuzzy. If you've had zero interaction
with law enforcement regarding a specific incident, but have worked with
law enforcement in the past on previous incidents, it *could* be enough
to show "reasonable doubt". It's not a given, however, as each situation is
different.

> I think a big part of liability depends on whether or not you are monitoring with the intent of using it in a criminal prosecution.

Bingo, thus the first item above. If collecting logs is part of your
daily operations, it's certainly not focused on prosecution.

HTH,
Chris