Re: RE: How to track down a wireless hacker

From: cwright@bdosyd.com.au
Date: Sun Nov 11 2007 - 22:44:24 EST


I believe that I "was over" the web cookie idea and if you read the post I did state to not include this.

I also was not the party arguing entrapment. This was your argument. I have argued incitement.

Your idea of tracking using honeynets is simplistic. "trackable false credit card numbers" for instance. You seem to hope that a skilled attacker will consistently use your honeynet systems and come to trust them. Also, offline validation tools exist for credit cards.

Your challenge is simple. Please show me anywhere that this has worked. Yes I am a sceptic. I like proof. To prove this, give me just one case from the US, UK, AU, NV or CA. This is a single case where an attacker has been caught and charged then convicted using honeycookies.

One case - they are readily available to search.

They (honeynets) are a valid academic research tool, but I am yet to see the proof of your claims. If there is I would love to see it. Until then it is just theory. I have by the way checked Westlaw and Lawtel and most of the other case law repositories. Strangely I can not find a single case where a honeycookie has been the pivotal point in the capture of a wireless attacker.

As for your insistence on entrapment, I would suggest that you look instead to "an incitement to commit a criminal act". This issue has been addressed before. For instance Overill (2003);

"In the cyber-defence context, it should be noted that the use of ‘honey-pots’ for enticing or entrapping intruders,[1] in order to determine their identities and monitor their techniques at close range, raises an interesting issue: it is at least possible that the use of a honey-pot might be held to constitute an incitement to commit a criminal act; as such it might render the deployer, rather than the intruder, liable to prosecution." [2]

And in the UK Computer Misuse Act it is stated;

"On a charge of incitement to commit an offence under this Act the question where the incitement took place is immaterial to the accused’s guilt."

You have been watching too many movies - ignore entrapment. As I have stated I have not been the one to bring this up and you are confusing "incitement to commit a criminal act" with entrapment. They are not related per se.

Further, there is the issue that if the attacker uses the honeynet to launch another attack against an external site, you are in effect "aiding, abetting, counselling or procuring commission of an offence".
This was addressed by Hilary E Pearson in 1996 in "LIABILITY OF INTERNET SERVICE PROVIDERS". The issues you are skirting are not in fact new or unaddressed legally.

Pearson (1998) in "Intellectual Property and the Internet. A Comparison of U.K. and U.S. Law" [3] addressed this issue further. In fact, you should note that the issue of honeynets was in fact addressed over 5 years before Lance Spitzner came out with "Know Your Enemy". In fact, it is stated that;
"To establish incitement, it must be proved that the defendant knew or believed that the person incited has the necessary mens rea to commit the offence, but as the mens rea for an offence under Section 1 of the Computer Misuse Act is merely that the defendant intends to secure access to a program and knows that such access is unauthorized, this will probably not be too difficult to establish. "

In fact, you are actively stating that the enticement is being offered. Again, forget entrapment. You are clearly stating incitement.

As Hillary (1998) further states;
"An alternative approach is to charge the Internet host with aiding, abetting, counselling or procuring commission of an offence. In each case, the defendant must have the intention to do the acts which he knows to be capable of assisting or encouraging the commission of a crime, but does not actually need to have the intent that such crime be committed. "

From what you are stating you have the intention to monitor and watch while the attacker commits a crime. This is a crime as you have procured the means.

As for the 4th amendment in the US, this protects against unreasonable searches and seizures. It does not have any relevance to the post at all. You may also wish to read "Section 1029. Fraud and related activity in connection with access devices", USA. In particular the section to the effect;
"if any of the parties engages in any conduct in furtherance of such offense, shall be fined an amount not greater than the amount provided as the maximum fine for such offense under subsection (c)".

Regards,
Craig Wright (GSE-Compliance)

[1] As defined by Spitzner, L. (ed.) (2001) Know Your Enemy, Addison-Wesley-Longman; Honeynet project at http://project.honeynet.org

[2] Overill, Richard E. (2003) "Reacting to cyber-intrusions: the technical, legal and ethical dimensions" J.F.C. 2003, 11(2), 163-167

[3] Pearson, Hillary E. (1998) "Intellectual Property and the Internet. A Comparison of U.K. and U.S. Law" The Journal of World Intellectual Property 1 (5), 827–840. doi:10.1111/j.1747-1796.1998.tb00038.x

-----Original Message-----
From: ep [mailto:captgoodnight@hotmail.com]
Sent: Monday, 12 November 2007 1:45 PM
To: Craig Wright
Cc: pen-test@securityfocus.com
Subject: RE: How to track down a wireless hacker

>>CG,
>>Pen Testing is not forensics and incident response as much as you would like this. Forensics and Incident response are the other side of the argument. As for what I know on forensics, let's see. I am one of the 14 people with a GIAC GSE level accreditation, co-author of a forensic book and about 20 peer reviewed published papers. Oh, also post grad law and 15+ years experience in digital forensics (21 security).
>>As for Honeynets - I have run several.




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:12 EDT