Honeypots mailing list archives

RE: Jail Time for Honeypots?


From: Mark Embrich <mark_embrich () yahoo com>
Date: Wed, 23 Apr 2003 09:58:20 -0700 (PDT)

From the Security Focus article:

That leaves a third "provider exemption" as the most
promising for honeypot fans. This allows the operator
of a system to eavesdrop for the purpose of protecting
their property or services from attack. But even that
exemption probably wouldn't apply to a system that's
designed to be hacked, Salgado said. "The very purpose
of your honeypot is to be attacked... so it's a little
odd to say we're doing our monitoring of this computer
to prevent it from being attacked." 

------

I would argue that Salgado is incorrect.
Yes, the purpose of the honeypot is to be attacked,
but that doesn't mean we don't have any right to
protect it.  I would argue that we are protecting the
honeypot by learning an attacker's modus operandi,
thereby increasing our ability to protect our
production machines.

Until there is a definition of "for the purpose of
protecting their property or services from attack" and
it specifically says "no honeypots or honeynets," I
won't let legislation stop me from doing my job. 
Obviously, this also means that I need to specify that
"for the purpose of protecting their property or
services from attack" includes honeypots and honeynets
in my company's documentation.

------

Salgado further comments:

Instead, Salgado favors configurations where a hacker
is invisibly rerouted to a honeypot after beginning an
attack on a production machine. "The closer the
honeypot is to the production server, the less likely
that it's going to have some of the legal issues that
we're talking about," he said, because the monitoring
becomes part of the normal process of protecting the
production machine.

-------

Well, if it were that easy to tell what is an attack,
we wouldn't need honeypots at all, would we?
Does anyone know if Salgado has any practical
experience in information security?

Also, wouldn't the rerouting be in violation of the
Super-DMCA bill?  "Any device or software that
conceals 'the existence or place of origin or
destination of any telecommunications service.'"
(Poulsen, Security Focus, "'Super-DMCA' fears suppress
security research"
<http://www.securityfocus.com/news/3912>)

Hope that stirs the fires a bit.
Mark Embrich

