Intrusion Detection Systems mailing list archives
Re: legality of sacrificial host to prosecute
From: JohnNicholson () aol com (JohnNicholson () aol com)
Date: Tue, 12 Oct 1999 14:23:24 EDT
For those of you who think this is flogging a dead horse, I apologize for the bandwidth. However, this seems to be an issue about which there is a great deal of confusion, so it seems worthwhile to try and clear it up.
In a message dated 10/12/1999 1:20:56 PM Eastern Daylight Time, FMartins () pt imshealth com writes:
b) First, and foremost, entrapment is a defense, not a crime in and of itself.
It all depends on the entrapment, because if you are "Home Alone" and fanatic about security you can kill someone ... so you prevent a crime and make another worse =)
Fernando, you are correct that in the US you cannot legally kill someone just because that person broke into your house. As I mentioned in my note to David, you are not allowed to boobytrap your house. However, entrapment is a legal term with a precise definition. Merely setting up a honeypot is not illegal and does not qualify as "entrapment".
So, "in the eyes of the law" you CAN'T say that entrapment NEVER can be a crime.
Yes, I can. As I and at least one other person have said, entrapment is a defense. When a person is being prosecuted for committing a crime, the defense of entrapment can be raised if the government (or possibly someone else) created a situation where the defendant would not have committed the crime BUT FOR the fraud or coercion of the government. If I put out a honeypot and someone breaks into my system, the existence of the honeypot did not coerce that intruder into breaking into my system.
c) So, they put cheap costume jewelry in the window. When someone breaks in and steals the fake jewelry, is the jewelry store guilty of entrapment for displaying such nice looking fake jewelry and tempting the thief into breaking in? No, again because the jewelry has not done anything to force the thief into breaking in.
If I was a customer on that jewelry, I'll start a law action for the owner of the jewelry pay me an "audit" on my jewels, because if he is working with fakes, I need a second opinion, and I must pay for it, so they must pay to me that (makes no sense, but tell me that there is no lawyer that take my case? eheh). What I didn't tell is that I have a jewelry myself, and I just want to make some noise about competitors, and even if I must lose some money to win more later, I don't care. Then this guy find out what I was doing and the story starts all over again ... The entrapment was legal, my request it's not illegal, and my motivation is understandable (just not for my competitor, but clients will like it). Watch the IDS tests and opinions about them ... You are not making nothing illegal, but yet you can get in trouble with an entrapment ... was the NSAKey_ an entrapment? =;o)
I'm afraid we might have a little bit of a language barrier here, but it sounds like you are diverging from the topic a little. First, to your point regarding the fake jewelry. If a jeweler is potentially dealing in fakes, then having anything you purchase from that jeweler appraised is a good idea. However, that was not the point of the example. The point of the example was only to say that if a jewelry store puts fake jewelry in the window, that does not provide a thief with the defense of "entrapment". [The NSAKey story may never be satisfactorily explained. Just like Roswell, some people are always going to believe that there is a massive government conspiracy.] However, you do raise a valuable point about the costs of creating information for a honeypot. Just as a thief may not be fooled by cheap, obviously fake costume jewelry, a hacker might not be fooled by quick and dirty "fake data" placed in a honeypot, and might not stay in the system long enough to leave enough evidence with which to track and prosecute the hacker. When evaluating whether it is worth the time and effort to create a honeypot, you have to take into account the resource cost of developing and preparing the fake data.
d) A honey pot is an area of your network that you set up so that if someone is going to break in, they break in where you are ready for them. This is not entrapment, and it's not a crime.
It all depends again in what the honeypot will do about it, like the admin will just kill this guy or will he start some bandwidth waste for pay back? So, not so clear about who's doing a crime, if we are pointing just chances and not specify in details the rest.
As I said above, under US property law you are not allowed to boobytrap your property. But, we are talking about two potentially separate crimes. First, the burglar/hacker breaks in. This is a crime, regardless of whether the burglar is intending to steal fake jewelry or fake data, and regardless of whether the house/system is boobytrapped. If the house is boobytrapped, and the would-be burglar is killed or injured, then the owner of the house may be guilty of a crime, too, and the burglar may have an action for damages against the home owner, but that does not mean that the burglar is not guilty or that the burglar can claim the defense of entrapment.
e) If someone breaks in, they are committing a crime and you're not aiding and abetting the crime just because you took steps to mitigate the damage from a break in.
I'll defend that "attacker" to the point where you prove that in a honeypot environment with bad admin configurations as a decoy, this kid has bad intentions, and just not some bad browser for example ... so it's not so clear after all ...
Now you are talking about the level of activity by the hacker. I wouldn't advocate weakening the protections around your honeypot to the point where a misconfigured request from a browser could get in. I'd just say you might not want to have the security on the honeypot as up to date as the rest of your system. Maybe say 6 months back on updating exploits. But, assuming that someone using a bad browser does manage to get in, allow me to offer an analogy to your bad browser example. Say I live in an apartment building and I give a friend a key to my apartment and tell my friend to go to my apartment and take an envelope off of the counter. My friend goes to my building, goes to what he mistakenly thinks is my apartment, finds the door unlocked and walks in and takes an envelope off the counter. My friend has made a mistake. If my friend is subsequently arrested and charged with breaking and entering and burglary (for going into the wrong apartment and taking the envelope off the counter), my friend has a defense because he did not intend to commit the crime and thought he was doing something he had permission to do. If we have a person using a bad browser who somehow pulls a file out of the honeypot, that person may have made a mistake and is probably not worth prosecuting. If, however, the honeypot's security is properly configured and only someone who runs an exploit and hacks in can get access, then the point of the fake data in the honeypot is to give that person enough rope to hang himself.
I can talk very clear about this specific problem, because I have lived an experience like it, being myself the supposed bad guy (that everyone of you know that I'm not, am I? eheheh)
Fernando, I might have a little more trouble believing the "bad browser" story from someone on this list. It's certainly possible, but, to go back to my apartment analogy, if my friend was caught in the next door apartment claiming that the door was unlocked but with a lock picking set in his pocket, that might make his defense of "mistake" a little more suspect.
John
