Honeypots: Re: Honeynet Alliance Charter Question

[Chris Brenton <cbrenton () chrisbrenton org>]

On Wed, 2005-03-16 at 02:33, Adam Carlson wrote:
> From what I've read entrapment only applies when one is attempting to 
> use the information to criminally prosecute individuals. 
Agreed, it comes down to intent. If the information is collected for the
sole purpose of prosecution, you are on a gray line. There are some easy
ways around this however:

1) Develop a process of collecting logs from all your primary systems,
not just your honeypot.
2) Give your honeypot some active but minor role in your network, such
as a backup secondary DNS server. 

Given both of the above, entrapment becomes a non-issue.

> From what I understand from the entrapment 
> laws, if there is some collaboration between the honeynet alliance and 
> law enforcement, then the honeynet alliance could be guilty of 
> entrapment. 
Unfortunately, this line can be fuzzy. If you've had zero interaction
with law enforcement regarding a specific incident, but have worked with
law enforcement in the past on previous incidents, it *could* be enough
to show "reasonable doubt". Its not a given however as each situation is
different. 

> I think a big part of liability depends on whether or not you are 
> monitoring with the intent of using it in a criminal prosecution. 
Bingo, thus the first item above. If collecting logs is part of your
daily operations, its certainly not focused on prosecution. 

HTH,
Chris