I believe that I "was over" the web cookie idea and if you read the post I did
state to not include this.
I also was not the party arguing entrapment. This was your argument. I have
argued incitement.
Your idea of tracking using honeynets is simplistic. "trackable false credit
card numbers" for instance. You seem to hope that a skilled attacker will
consistently use your honeynet systems and come to trust them. Also, offline
validation tools exist for credit cards.
Your challenge is simple. Please show me anywhere that this has worked. Yes I
am a sceptic. I like proof. To prove this, give me just one case from the US,
UK, AU, NV or CA. This is a single case where an attacker has been caught and
charged then convicted using honeycookies.
One case - they are readily available to search.
They (honeynets) are a valid academic research tool, but I am yet to see the
proof of your claims. If there is I would love to see it. Until then it is just
theory. I have by the way checked Westlaw and Lawtel and most of the other case
law repositories. Strangely I can not find a single case where a honeycookie
has been the pivotal point in the capture of a wireless attacker.
As for your insistence on entrapment, I would suggest that you look instead to
"an incitement to commit a criminal act". This issue has been addressed before.
For instance Overill (2003);
"In the cyber-defence context, it should be noted that the use of ?honey-pots?
for enticing or entrapping intruders,[1] in order to determine their identities
and monitor their techniques at close range, raises an interesting issue: it is
at least possible that the use of a honey-pot might be held to constitute an
incitement to commit a criminal act; as such it might render the deployer,
rather than the intruder, liable to prosecution." [2]
And in the UK Computer Misuse Act it is stated;
"On a charge of incitement to commit an offence under this Act the question
where the incitement took place is immaterial to the accused?s guilt."
You have been watching too many movies - ignore entrapment. As I have stated I
have not been the one to bring this up and you are confusing "incitement to
commit a criminal act" with entrapment. They are not related per se.
Further, there is the issue that if the attacker uses the honeynet to launch
another attack against an external site, you are in effect "aiding, abetting,
counselling or procuring commission of an offence".
This was addressed by Hilary E Pearson in 1996 in "LIABILITY OF INTERNET
SERVICE PROVIDERS". The issues you are skirting are not in fact new or
unaddressed legally.
Pearson (1998) in "Intellectual Property and the Internet. A Comparison of U.K.
and U.S. Law" [3] addressed this issue further. In fact, you should not that
the issue of honeynets where in fact addressed over 5 years before Lance
Spitzner came out with "Know Your Enemy". In fact, it is stated that;
"To establish incitement, it must be proved that the defendant knew or believed
that the person incited has the necessary mens rea to commit the offence, but
as the mens rea for an offence under Section 1 of the Computer Misuse Act is
merely that the defendant intends to secure access to a program and knows that
such access is unauthorized, this will probably not be too difficult to
establish. "
In fact, you are actively stating that the enticement is being offered. Again,
forget entrapment. You are clearly stating incitement.
As Hillary (1998) further states;
"An alternative approach is to charge the Internet host with aiding, abetting,
counselling or procuring commission of an offence. In each case, the defendant
must have the intention to do the acts which he knows to be capable of
assisting or encouraging the commission of a crime, but does not actually need
to have the intent that such crime be committed. "
From what you are stating you have the intention to monitor and watch while
the attacker commits a crime. This is a crime as you have procured the means.
As for the 4th amendment in the US, this protects against Protects against
unreasonable searches and seizures. It does not have any relevance to the post
at all. You may also wish to read "Section 1029. Fraud and related activity in
connection with access devices", USA. In particular the section to the effect;
"if any of the parties engages in any conduct in furtherance of such offense,
shall be fined an amount not greater than the amount provided as the maximum
fine for such offense under subsection (c)".
Regards,
Craig Wright (GSE-Compliance)
[1] As defined by Spitzner, L. (ed.) (2001) Know Your Enemy,
Addison-Wesley-Longman; Honeynet project at http://project. honeynet.org
[2] Overill, Richard E. (2003) "Reacting to cyber-intrusions: the technical,
legal and ethical dimensions" J.F.C. 2003, 11(2), 163-167
[3] Pearson, Hillary E. (1998) "Intellectual Property and the Internet. A
Comparison of U.K. and U.S. Law" The Journal of World Intellectual Property 1
(5), 827?840. doi:10.1111/j.1747-1796.1998.tb00038.x
-----Original Message-----
From: ep [mailto:captgoodnight@hotmail.com]
Sent: Monday, 12 November 2007 1:45 PM
To: Craig Wright
Cc: pen-test@securityfocus.com
Subject: RE: How to track down a wireless hacker
CG,
Pen Testing is not forensics and incident response as much as you would
like this. Forensics and Incident response are the other side of the
argument. As for what I know on forensics,
lets see. I am one of the 14 people with a GIAC GSE level accreditation,
co-author of a forensic book and about 20 peer reviewed published papers.
Oh, also post grad law and 15+ years
experience in digital forensics (21 security).
As for Honeynets - I have run several.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
