Honeypots mailing list archives
Re: Honeynet Alliance Charter Question
From: Adam Carlson <ajcarlson () ucdavis edu>
Date: Wed, 16 Mar 2005 07:50:32 -0800
Thanks a lot for the responses. So it seems that as long as the Honeynet Alliance is not in any way partnering with law enforcement and not intending to partner with law enforcement, we are in agreement that the alliance and its members should not have to worry about entrapment.
So I ask again, why is that regulation necessary and what is it attempting to regulate? Would having a honeypot that is an active, backup dns server as you suggest be allowed under the alliance? Does passive data capture basically mean no active scanning but all other types of activity are ok? What behavior is defined as "data capture" in regards to this regulation?
I could interpret the regulation in a number of ways, which is why I was wondering what the intent of it is. I think I might need someone who helped write the regulations to clarify what types of honeynet activity they are trying to prevent from happening within the alliance. I do not think it would be legal concerns because I don't think this regulation actually does much to alleviate legal issues, but the alliance charter members could have had a different opinion on that matter.
If anyone was a part of the regulations creation process or has knowledge of what 4.8 was intended to do and can let me know, I would very much appreciate it. I think it could have been out of legal concerns, however it may have been for other reasons, like moral concerns. Either way I would just like to have a good understanding of the alliance's position on the subject. Thanks again for the responses thus far.

-Adam
Chris Brenton wrote:
> On Wed, 2005-03-16 at 02:33, Adam Carlson wrote:
> > From what I've read entrapment only applies when one is attempting to use the information to criminally prosecute individuals.
>
> Agreed, it comes down to intent. If the information is collected for the sole purpose of prosecution, you are on a gray line. There are some easy ways around this however:
>
> 1) Develop a process of collecting logs from all your primary systems, not just your honeypot.
> 2) Give your honeypot some active but minor role in your network, such as a backup secondary DNS server.
>
> Given both of the above, entrapment becomes a non-issue.
>
> > From what I understand from the entrapment laws, if there is some collaboration between the honeynet alliance and law enforcement, then the honeynet alliance could be guilty of entrapment.
>
> Unfortunately, this line can be fuzzy. If you've had zero interaction with law enforcement regarding a specific incident, but have worked with law enforcement in the past on previous incidents, it *could* be enough to show "reasonable doubt". It's not a given however as each situation is different.
>
> > I think a big part of liability depends on whether or not you are monitoring with the intent of using it in a criminal prosecution.
>
> Bingo, thus the first item above. If collecting logs is part of your daily operations, it's certainly not focused on prosecution.
>
> HTH,
> Chris