Intrusion Detection Systems mailing list archives
RE: legality of sacrificial host to prosecute [was RE: cybercop sting]
From: chunt () ikon com (Hunt, Charles)
Date: Tue, 12 Oct 1999 00:13:04 -0700
Isn't this where a sound security policy comes into play? I.e., the banner
stating lawful access policies once logged in and/or monitoring of one's logs
constantly. Documentation of an evil entity has proven to be (almost
always) damaging against said party (due diligence). Anyway, whether the
info is misinformation or not, it is within a corporation's security
perimeter. I don't believe there is anything saying that all documents
within a said company must be true and accurate. (credit reports of the
future - disputes no longer allowed, because now the companies won't make
mistakes)

And yet on another tangent, you can't bust someone for trying to hack a
virtual subnet. (Try proving the damage done to an entity that doesn't
exist).

Having a honeypot doesn't mean you are entrapping anyone. Putting a picture
frame up over the safe in your home isn't entrapment for the burglar (But
I'd love to see such a defense). The persons this package is intended for
aren't supposed to be there in the first place. If they can see your
honeypot, then they are in the wrong already. Why not slow them down and
document a little more for the defense to choke on?

Sorry for the tangents....
2 cents and soapbox later
-----Original Message-----
From: Endler, David S
To: Eric
Cc: ids () uow edu au
Sent: 10/9/99 1:49 PM
Subject: IDS: legality of sacrificial host to prosecute [was RE: cybercop sting]
------------------------------------------------------------------------
>In the United States, setting up a computer to detect and catch people
>attempting to break into your systems is not entrapment.
>
>For example, in Texas, the following is the definition of entrapment from
>the state's Penal Code, Section 8 - General Defenses to Criminal
>Responsibility
<snip>
Thanks for the legal clarification, I think to explain what I meant a
little more: It can be counterproductive to have a honey pot system if the
hacker finds out he's being monitored and decides to seek revenge, or if he
circumvents your controls to gain access to your intranet or network.

By entrapment, I meant: to use a computer system for the sole purpose of
luring an individual into committing a crime in order to prosecute the
person for it. True, so technically this is not entrapment if the
authorities are not involved until after the crime takes place. Instead
this technique involves "abetting" the commission of a crime, which is
itself a crime, and is severely curtailed under the constitutional law of
many states. Abetting is "the act of encouraging or inciting another to do
a certain thing, such as a crime. For example, many countries will equally
punish a person who aids or abets another to commit a crime."

If you want to eventually prosecute an intruder, the solution seems to be
that any misinformation or data that could encourage a hacker to break the
law should be made available through only an act of breaking the law itself
(breaking into the honeypot system first) to gain that information. But
does making that system purposely weak preclude you from prosecuting a
hacker? Just because I leave the keys to my house lying on the front mat,
does that mean I can't press charges against anyone who gains unauthorized
entry with them? sigh... I knew there was a reason I eschewed law school.

hmmm any comments or legal experts out there?

-dave
