Norwich University student Bob Pelletier concludes his review of the role of honeypots in intrusion detection work. In this article he looks at liability and ethical issues surrounding honeypot usage. I (Kabay) have condensed his text (with Bob’s approval) to fit the format of this newsletter.

* * *

Liability

One legal issue involving the use of honeypots is called downstream liability. Who is liable for attacks launched from a honeypot: the attacker or the owner of the system? No court rulings have been published yet that directly address this question.

A further difficulty with downstream liability is that it is decided at the state level, not the federal level. Because a downstream attack can land almost anywhere, a honeypot owner may face the rules of more than one jurisdiction.

Whether a honeypot owner will be held liable for such an attack is hard to predict. For the time being, the best protection is to control a honeypot’s outgoing traffic so that it cannot be used to launch downstream attacks, for example with a firewall that filters outbound connections from the honeypot. Lance Spitzner’s book, “Honeypots: Tracking Hackers,” is an excellent resource on proper data control mechanisms and practices.

It is not uncommon for an attacker to compromise a computer system and run an FTP warez server (a distribution point for pirated software) on the machine. Who is liable for the contraband stored on the system? Once again, controlling the honeypot’s outgoing traffic is the best safeguard against being drawn into copyright violation issues.

Ethics

Laws provide guidance but may not suffice in determining whether we ought to do certain things. For example, is it ethically correct to present a computer system as something it is not? A honeypot poses as just another vulnerable computer system when in fact it is a research and monitoring tool. Is this fair to the attacker, or does the attacker deserve it?

As for entrapment, the fact that it is not a legal problem does not settle whether the way a honeypot entices attackers is ethical. Creating a vulnerable computer system on purpose is similar to baiting an animal. The question becomes: do honeypots provoke illegal actions such as hacking, and if so, are they not unethical by most standards? It is generally understood that recording somebody’s conversations without his or her permission is unethical. Even if it is legal, is recording the keystrokes of an IRC session taking place on a honeypot ethical? Is it ethical to create a vulnerable system that could potentially be used to harm other computer systems?

* * *

At this point, Kabay intervenes to state that in his opinion, we use deception all the time in information security. For example, we do not label server rooms with signs that say “IMPORTANT VULNERABLE SERVER ROOM.” Instead, we just label them, say, “E-301b.” We remove operating-system identification banners from logon screens and even remove prompts from remote logon dialogs to reduce the information flow to potential attackers. So I see absolutely nothing wrong at all with having a system that is clearly marked “AUTHORIZED USERS ONLY” that is used as a honeypot. If thieves break into my home despite the “PRIVATE PROPERTY - NO TRESPASSING” signs and I have cameras to track their movements so I can help put them in jail, I have no sympathy for whines of dismay about my having invaded their privacy. If they want privacy, they can stay out of my computer systems.

I hope everyone understands that the rant in the paragraph above is purely Mich Kabay’s and that no blame for this redneck arrogance can be assigned to Bob Pelletier.
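* * *

The data-control advice in the Liability section (filter the honeypot’s outgoing traffic so it cannot be turned against third parties) is the one point above that a practitioner can implement directly. What follows is an added example, not code from Pelletier’s article or from Spitzner’s book: a POSIX shell script that builds an iptables egress ruleset for a honeypot sitting behind a Linux gateway. The address 192.0.2.10, the chain name HP_LIMIT, the environment variables and the hourly budgets for new outbound connections (15 TCP, 20 UDP, 50 ICMP) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the newsletter or Spitzner's book): honeypot
# "data control" on a Linux gateway. Inbound attacks are allowed through,
# replies are allowed back, and connections the honeypot itself tries to
# originate are capped per hour and logged. The address, chain name and
# budgets below are assumptions. By default the rules are only printed;
# set HONEYPOT_APPLY=1 to execute them with iptables.

HONEYPOT_IP="${HONEYPOT_IP:-192.0.2.10}"   # assumed honeypot address (TEST-NET-1)
TCP_PER_HOUR="${TCP_PER_HOUR:-15}"          # assumed outbound budgets per hour
UDP_PER_HOUR="${UDP_PER_HOUR:-20}"
ICMP_PER_HOUR="${ICMP_PER_HOUR:-50}"

# run_rule prints one iptables command, or executes it when HONEYPOT_APPLY=1.
run_rule() {
    if [ "${HONEYPOT_APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# egress_limit PROTO RATE: new outbound PROTO connections from the honeypot
# above RATE per hour go to HP_LIMIT (logged, then dropped); those within
# the budget are logged and allowed so the attacker does not notice the cage.
# Logging and dropping live in a separate chain so the hashlimit match is
# evaluated exactly once per packet; two rules sharing the same hashlimit
# name would count each packet twice. srcip mode keeps a separate bucket
# per address if HONEYPOT_IP is later widened to a subnet.
egress_limit() {
    proto="$1"; rate="$2"
    run_rule -A FORWARD -s "$HONEYPOT_IP" -p "$proto" -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-above "${rate}/hour" --hashlimit-burst "$rate" \
        --hashlimit-mode srcip --hashlimit-name "hp_${proto}" -j HP_LIMIT
    run_rule -A FORWARD -s "$HONEYPOT_IP" -p "$proto" -m conntrack --ctstate NEW \
        -j LOG --log-prefix "HP-OUT-${proto}:"
    run_rule -A FORWARD -s "$HONEYPOT_IP" -p "$proto" -m conntrack --ctstate NEW -j ACCEPT
}

# honeypot_egress_rules emits the complete FORWARD-chain policy, in order.
honeypot_egress_rules() {
    run_rule -P FORWARD DROP
    run_rule -N HP_LIMIT
    run_rule -A HP_LIMIT -j LOG --log-prefix "HP-LIMIT:"
    run_rule -A HP_LIMIT -j DROP
    # Packets belonging to connections already accepted in either direction.
    run_rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Inbound: anyone may open a connection to the honeypot; being attacked is its purpose.
    run_rule -A FORWARD -d "$HONEYPOT_IP" -m conntrack --ctstate NEW -j ACCEPT
    # Outbound: budgeted per protocol, everything logged.
    egress_limit tcp "$TCP_PER_HOUR"
    egress_limit udp "$UDP_PER_HOUR"
    egress_limit icmp "$ICMP_PER_HOUR"
    # Anything else the honeypot originates (other protocols, invalid state) is logged and dropped.
    run_rule -A FORWARD -s "$HONEYPOT_IP" -j HP_LIMIT
}

honeypot_egress_rules
```

Run the script as-is to review the sixteen rules it generates; run it with HONEYPOT_APPLY=1 as root on the gateway (with net.ipv4.ip_forward=1 set) to load them. The budgets on new outbound connections let an attacker fetch a toolkit or check an IRC channel, which keeps the system believable, while making it useless as a launch point for scans, floods or a warez server. Lowering the caps trades realism for lower exposure; whatever the values, review every HP-LIMIT log line, because each one is evidence that the honeypot has been compromised and is trying to reach out.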