
Honeypots, Part 4

May 22, 2003 | 3 mins read
Intrusion Detection Software, Network Security, Security

* Liability and ethics of honeypots

Norwich University student Bob Pelletier concludes his review of the role of honeypots in intrusion detection work. In this article he looks at liability and ethical issues surrounding honeypot usage. I (Kabay) have condensed his text (with Bob’s approval) to fit the format of this newsletter.

* * *


A legal issue involving the use of honeypots is called downstream liability. Who is liable for attacks launched from a honeypot – the attacker or the owner of the system? No court rulings have been published yet that directly address this issue.

A complication with downstream liability is that it is decided at the state level, not the federal level. Because a downstream attack can reach a victim almost anywhere, the applicable law may differ from one case to the next.

Whether a honeypot owner will be held liable for such an attack is hard to predict. For the time being, it is best to properly secure a honeypot’s outgoing traffic to prevent downstream attacks. This can be accomplished through such mechanisms as a firewall that properly filters outgoing traffic. Lance Spitzner’s book, “Honeypots: Tracking Hackers,” is an excellent resource for researching proper data control mechanisms and practices.

It is not uncommon for an attacker to compromise a computer system and run an FTP warez server on the machine. Who is liable for the contraband on the computer system? Once again, it is best to properly secure a honeypot’s outgoing traffic to safeguard against copyright violation issues.
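The two preceding paragraphs both recommend the same control: let attackers reach the honeypot freely, but limit what the honeypot can send out so it cannot be turned against third parties. The following script is an added illustration of that data-control idea, not code from the column or from Spitzner’s book. It models a connection-limiting egress firewall as a policy function run over a constructed flow log; the honeypot address, the per-protocol budgets and the one-hour window are all assumed values chosen for the example.

```python
"""Honeypot egress ("data control") policy, as a constructed example.

Inbound connections to the honeypot are always accepted (capturing them is
the point of the honeypot). New outbound connections *from* the honeypot are
counted per protocol and dropped once a per-window budget is exhausted, so a
compromised honeypot cannot be used to scan, flood or serve files to others.
"""
from collections import defaultdict
from dataclasses import dataclass

HONEYPOT_IP = "192.0.2.10"                          # assumed honeypot address (TEST-NET-1)
WINDOW_SECONDS = 3600                               # assumed budget window: one hour
OUTBOUND_BUDGET = {"tcp": 3, "udp": 5, "icmp": 10}  # assumed per-window outbound limits


@dataclass(frozen=True)
class Flow:
    ts: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <proto> <src>:<sport> <dst>:<dport>'."""
    ts, proto, src, dst = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(int(ts), proto.lower(), src_ip, int(sport), dst_ip, int(dport))


class EgressPolicy:
    """Stateful decision function modelling a connection-limiting egress firewall."""

    def __init__(self, honeypot_ip=HONEYPOT_IP, budget=None, window=WINDOW_SECONDS):
        self.honeypot_ip = honeypot_ip
        self.budget = dict(budget or OUTBOUND_BUDGET)
        self.window = window
        self._recent = defaultdict(list)  # proto -> timestamps of allowed outbound flows

    def decide(self, flow: Flow) -> str:
        # Traffic *to* the honeypot is the data we want to capture: always accept.
        if flow.src != self.honeypot_ip:
            return "ACCEPT"
        # Traffic leaving the honeypot is the downstream-liability risk.
        if flow.proto not in self.budget:
            return "DROP"  # protocol with no budget: fail closed
        allowed = self._recent[flow.proto]
        # Forget allowed outbound flows that have aged out of the window.
        allowed[:] = [t for t in allowed if flow.ts - t < self.window]
        if len(allowed) >= self.budget[flow.proto]:
            return "DROP"  # budget exhausted: intruder keeps a session, but cannot reach out further
        allowed.append(flow.ts)
        return "ACCEPT"


def apply_policy(lines):
    """Run a fresh policy over flow records; returns (record, verdict) pairs."""
    policy = EgressPolicy()
    return [(line, policy.decide(parse_flow(line))) for line in lines]


# Constructed flow log: an intruder connects in, then tries to use the box outward.
SAMPLE_LOG = [
    "1000 tcp 198.51.100.7:51000 192.0.2.10:22",   # inbound attack traffic: captured
    "1010 tcp 192.0.2.10:40000 203.0.113.1:80",    # outbound tcp #1: allowed
    "1011 tcp 192.0.2.10:40001 203.0.113.2:80",    # outbound tcp #2: allowed
    "1012 tcp 192.0.2.10:40002 203.0.113.3:80",    # outbound tcp #3: allowed
    "1013 tcp 192.0.2.10:40003 203.0.113.4:80",    # outbound tcp #4: budget hit, dropped
    "1014 udp 192.0.2.10:40004 203.0.113.5:53",    # udp has its own budget: allowed
    "1015 gre 192.0.2.10:0 203.0.113.6:0",         # no budget for this protocol: dropped
    "4700 tcp 192.0.2.10:40005 203.0.113.7:80",    # window expired: allowed again
    "9999 tcp 198.51.100.7:51001 192.0.2.10:21",   # inbound to the FTP service: still captured
]

if __name__ == "__main__":
    for line, verdict in apply_policy(SAMPLE_LOG):
        print(f"{verdict:6} {line}")
```

The small non-zero budget is deliberate: blocking every outbound packet would tip off the intruder immediately, while a handful of connections per hour keeps the session believable without giving them a usable launch point. A production deployment would enforce the same logic in the firewall in front of the honeypot rather than in a script, and would log each DROP as an alert.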


Laws provide guidance but may not suffice in determining whether we ought to do certain things. For example, is it ethically correct to pose a computer system as something it is not? A honeypot poses as just another vulnerable computer system, when in actuality it is a research and monitoring tool. Is this fair to the attacker, or do they deserve it?

As for entrapment, although this is not a legal problem, that does not make the way a honeypot entices attackers ethical. Creating a vulnerable computer system on purpose is similar to baiting an animal. The question becomes: do honeypots provoke illegal actions such as hacking? If so, are they not unethical by most standards? It is understood that recording somebody’s conversations without his or her permission is usually unethical. Even if it is legal, is recording keystrokes from an IRC session taking place on a honeypot ethical? Is it ethical to create a vulnerable system that could potentially be used to harm other computer systems?

* * *

At this point, Kabay intervenes to state that in his opinion, we use deception all the time in information security. For example, we do not label server rooms with signs that say “IMPORTANT VULNERABLE SERVER ROOM.” Instead, we just label them, say, “E-301b.” We remove operating-system identification banners from logon screens and even remove prompts from remote logon dialogs to reduce the information flow to potential attackers. So I see absolutely nothing wrong at all with having a system that is clearly marked “AUTHORIZED USERS ONLY” that is used as a honeypot. If thieves break into my home despite the “PRIVATE PROPERTY – NO TRESPASSING” signs and I have cameras to track their movements so I can help put them in jail, I have no sympathy for whines of dismay about my having invaded their privacy. If they want privacy, they can stay out of my computer systems.

I hope everyone understands that the rant in the paragraph above is purely Mich Kabay’s and that no blame for this redneck arrogance can be assigned to Bob Pelletier.