Honeypots, Part 4
Liability and ethics of honeypots
Security Strategies Alert
By M. E. Kabay, Network World, 05/22/2003
Norwich University student Bob Pelletier concludes his review of the role of honeypots in intrusion detection work. In this
article he looks at liability and ethical issues surrounding honeypot usage. I (Kabay) have condensed his text (with Bob’s
approval) to fit the format of this newsletter.
* * *
Liability
A legal issue involving the use of honeypots is called downstream liability. Who is liable for attacks launched from a honeypot
- the attacker or the owner of the system? No court rulings have been published yet that directly address this issue.
A further difficulty is that downstream liability is decided at the state level, not the federal level, which complicates
matters because downstream attacks can occur almost anywhere.
Whether a honeypot owner will be held liable for such an attack is hard to predict. For the time being, it is best to properly
secure a honeypot’s outgoing traffic to prevent downstream attacks. This can be accomplished through such mechanisms as a
firewall that properly filters outgoing traffic. Lance Spitzner’s book, “Honeypots: Tracking Hackers,” is an excellent resource
for researching proper data control mechanisms and practices.
It is not uncommon for an attacker to compromise a computer system and run an FTP warez server on the machine. Who is liable
for the contraband on the computer system? Once again, it is best to properly secure a honeypot’s outgoing traffic to safeguard
against copyright violation issues.
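As an added illustration of the outbound (data control) filtering recommended in the two paragraphs above, and not code from the article or from Spitzner’s book, here is a small Python simulator of an egress policy for a honeypot: each outbound connection the honeypot tries to open is allowed only within a per-hour limit, connections to a few destination ports are never allowed, and every decision is logged. The limit of 15 connections per hour, the blocked ports, the addresses and the sensor records are all constructed for this example.

```python
from collections import deque

# Assumed policy values for this example; tune them per deployment.
WINDOW_SECONDS = 3600               # sliding window for the outbound connection limit
MAX_OUTBOUND_PER_WINDOW = 15        # outbound connections a honeypot may open per window
ALWAYS_DROP_DST_PORTS = {25, 445}   # never let the honeypot send mail or SMB outbound

class EgressFilter:
    """Decide ALLOW/DROP for each new outbound connection a honeypot tries to open."""
    def __init__(self, limit=MAX_OUTBOUND_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.history = {}   # honeypot address -> deque of timestamps of allowed connections
        self.log = []       # human-readable audit trail, one entry per decision

    def check(self, ts, src, dst, dport, proto="tcp"):
        if dport in ALWAYS_DROP_DST_PORTS:
            return self._record(ts, src, dst, dport, proto, "DROP", "blocked port")
        recent = self.history.setdefault(src, deque())
        while recent and ts - recent[0] >= self.window:   # expire entries outside the window
            recent.popleft()
        if len(recent) >= self.limit:
            return self._record(ts, src, dst, dport, proto, "DROP", "rate limit")
        recent.append(ts)   # only allowed connections count against the limit
        return self._record(ts, src, dst, dport, proto, "ALLOW", f"{len(recent)}/{self.limit} in window")

    def _record(self, ts, src, dst, dport, proto, verdict, reason):
        self.log.append(f"{ts} {src} -> {dst}:{dport}/{proto} {verdict} ({reason})")
        return verdict

def parse_record(line):
    """Parse one constructed sensor record: '<epoch> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return int(ts), src, dst, int(dport), proto

# Constructed sample: honeypot 192.0.2.10 opens 16 connections within 15 minutes,
# then tries outbound SMTP, then one more connection after the window has rolled.
BASE = 1053600000
SAMPLE_RECORDS = (
    [f"{BASE + i * 60} 192.0.2.10 203.0.113.{i + 1} 80 tcp" for i in range(16)]
    + [f"{BASE + 1000} 192.0.2.10 198.51.100.25 25 tcp",
       f"{BASE + 3700} 192.0.2.10 203.0.113.99 22 tcp"]
)

def run_sample(records=SAMPLE_RECORDS):
    """Apply the policy to the sample records; returns (verdicts, audit log)."""
    egress = EgressFilter()
    verdicts = [egress.check(*parse_record(r)) for r in records]
    return verdicts, egress.log
```

On the sample, the first 15 connections pass, the 16th is dropped by the rate limit, the SMTP attempt is dropped by port, and the attempt an hour later passes because the oldest entries have expired.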
Ethics
Laws provide guidance but may not suffice in determining whether we ought to do certain things. For example, is it ethically
correct to pose a computer system as something it is not? A honeypot poses as just another vulnerable computer system, when
in actuality it is a research and monitoring tool. Is this fair to the attacker, or do they deserve it?
As for entrapment, although this is not a legal problem, that does not mean the way a honeypot entices attackers is
ethical. Creating a vulnerable computer system on purpose is similar to baiting an animal. The question becomes, do honeypots
provoke illegal actions such as hacking? If so, are they not unethical by most standards? It is understood that recording
somebody’s conversations without his or her permission is usually unethical. Even if it’s legal, is recording keystrokes from
an IRC session taking place on a honeypot ethical? Is it ethical to create a vulnerable system that could potentially be used
to harm other computer systems?
M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.
Comments (1)
redneck arrogance
By Anonymous on September 20, 2009, 5:23 pm
how is defending one's self redneck arrogance? and how is wanting to prevent further security compromises an invasion of privacy? I think that anyone who has had...