Intrusion Detection Systems mailing list archives

Re: legality of sacrificial host to prosecute [was RE: cyber copsting ]


From: David.S.Endler () usa xerox com (Endler, David S)
Date: Mon, 11 Oct 1999 14:26:23 -0400



Here is a helpful message from John Nicholson, someone who actually has law
experience:-)

                        -dave

-----Original Message-----
From:   JohnNicholson () aol com [SMTP:JohnNicholson () aol com]
To:     David.S.Endler () usa xerox com
Subject:        Re: IDS: legality of sacrificial host to prosecute [was RE: cyber copsting ]

What sources or experiences are you pulling from to glean this
 information?

My law degree and common sense (not, of course, to say that the law
_always_ follows common sense. ;-) ).

First, and foremost, entrapment is a defense, not a crime in and of itself. 
When a person is being prosecuted for a crime, the defendant can claim 
entrapment and attempt to avoid being found guilty. In order to establish 
entrapment, the defendant has the burden of proving either that he or she 
would not have committed the crime but for the undue persuasion or fraud of 
the government agent, or that the encouragement was such that it created a 
risk that persons not inclined to commit the crime would commit it,
depending on the jurisdiction.

I have a house. In my house I have an alarm system. I have motion detectors 
in the places where someone might be more likely to break in.  Is it 
entrapment if someone opens a window and comes in and gets caught by the
police because my motion detector set off the alarm? No, because I have not
created a situation in which the would-be thief was forced or deluded (by
me) into committing the crime.

Alternatively, (and maybe more accurately) you've seen that most jewelry
stores take their goods out of their window displays at night.  Say a
jewelry store decides that this looks bad, and wants to leave jewelry in
the window, but doesn't want to risk the valuable real stuff.  So, they put
cheap costume jewelry in the window. When someone breaks in and steals the
fake jewelry, is the jewelry store guilty of entrapment for displaying such
nice looking fake jewelry and tempting the thief into breaking in? No,
again because the jewelry has not done anything to force the thief into
breaking in.

A honey pot is an area of your network that you set up so that if someone
is going to break in, they break in where you are ready for them. This is
not entrapment, and it's not a crime. You are simply recognizing that there
are vulnerabilities in your network and there are people out there who are
trying to exploit them, and so you are trying to minimize the damage and
maximize the chance that you will be able to catch the "thief".

I'm not suggesting that you go out into some hacker chat room and post the 
techniques for breaking into your system then dare anyone to do it. You 
probably wouldn't be able to prosecute in that case. But your system is
still
private property. If someone breaks in, they are committing a crime and 
you're not aiding and abetting the crime just because you took steps to 
mitigate the damage from a break in.

Now, extending the law of property to the cyber realm, just as you are not 
allowed to booby trap your house, you might be liable if you rigged up a 
system that could fry an intruder's PC. But, to claim it, the intruder would
have to come forward and say, "While I was hacking into this system, the
system set off a booby trap and fried my PC." That's still a tough argument 
to make for the hacker.

Hope this helps clarify the issue.

John


