[NCAP-Discuss] Honeypot refresher

Jeff Schmidt jschmidt at jasadvisors.com
Thu Apr 30 16:18:36 UTC 2020


On 4/30/20, 10:24 AM, "Danny McPherson" <danny at tcb.net> wrote:
>   Jeff, while I certainly understand the primitives, was any actual legal 
>   analysis done on JAS's conclusion there?  I don't see any citations and 
>   have always wondered if, while intuitive, did this benefit from any legal 
>   advice?

Yes, the legal advice we received was around the "solicitation of traffic" issue, as described in our report (page 24).  A honeypot used in this fashion, as Verisign's comment correctly confirms, creates a scenario where "sensitive traffic from an installed system – without the advance consent of the user or system administrator – may be drawn outside the local network."  By implementing a honeypot, the implementor is knowingly and intentionally causing traffic to be sent - over the Internet - that would not have otherwise been sent.

While we did not obtain a (capital O) Opinion from Counsel, we did have extensive discussions with international contract attorneys and privacy attorneys at Perkins Coie about these issues.  Their concerns were:

(1) Other honeypot projects (including the ones you cite) focus on responding to/servicing *inbound* requests, not technically causing/soliciting traffic to be sent that would otherwise not be sent.

(2) Other honeypot projects (including the ones you cite) focus on creating interaction with folks suspected in Good Faith of being bad actors or traffic generated by malware.  A collision honeypot would increase the risk and reduce the level of security of mostly good actors.  Many of those good actors are commercial entities.

(3) A collisions honeypot would be created with the a priori knowledge that it would cause sensitive information to be transmitted over the Internet.  Or, as Google correctly said: “Unfortunately, some protocols will send sensitive information unsolicited (e.g., login.example/login.php?user=fred and HTTP cookies). The honeypot will specifically not log this sort of information, but this doesn't change the fact that the information has been communicated over the Internet.”  Knowing this will happen increases liability++.  Knowing this in advance and doing it anyway would likely be considered reckless, negligent, or other bad things, in ensuing litigation.

(4) Global jurisdictional and liability issues were essentially insurmountable.  The opportunity for resulting litigation was significant++.  One attorney suggested a Class Action scenario may be possible.  All bad.

These are very, very different situations.

Jeff


