[NCAP-Discuss] Honeypot refresher

Danny McPherson danny at tcb.net
Thu Apr 30 16:23:01 UTC 2020


> 
> Yes, the legal advice we received was around the "solicitation of
> traffic" issue, as described in our report (page 24).  A honeypot used
> in this fashion, as Verisign's comment correctly confirms, creates a
> scenario where "sensitive traffic from an installed system – without
> the advance consent of the user or system administrator – may be drawn
> outside the local network."  By implementing a honeypot, the
> implementor is knowingly and intentionally causing traffic to be sent
> - over the Internet - that would not have otherwise been sent.
> 
> While we did not obtain a (capital O) Opinion from Counsel, we did
> have extensive discussions with international contract attorneys and
> privacy attorneys at Perkins Coie about these issues.  Their concerns
> were:
> 
> (1) Other honeypot projects (including the ones you cite) focus on
> responding to/servicing *inbound* requests, not technically
> causing/soliciting traffic to be sent that would otherwise not be
> sent.
> 
> (2) Other honeypot projects (including the ones you cite) focus on
> creating interaction with folks suspected in Good Faith of being bad
> actors or traffic generated by malware.  A collision honeypot would
> increase the risk and reduce the level of security of mostly good
> actors.  Many of those good actors are commercial entities.
> 
> (3) A collisions honeypot would be created with the a-priori knowledge
> that it would cause sensitive information to be transmitted over the
> Internet.  Or, as Google correctly said: “Unfortunately, some
> protocols will send sensitive information unsolicited (e.g.,
> login.example/login.php?user=fred and HTTP cookies). The honeypot will
> specifically not log this sort of information, but this doesn't change
> the fact that the information has been communicated over the
> Internet.”  Knowing this will happen increases liability++.  Knowing
> this in advance and doing it anyway would likely be considered
> reckless, negligent, or other bad things, in ensuing litigation.
> 
> (4) Global jurisdictional and liability issues were essentially
> insurmountable.  The opportunity for resulting litigation was
> significant++.  One attorney suggested a Class Action scenario may be
> possible.  All bad.
> 
> These are very, very different situations.

Thanks Jeff, I understand this.

Per Patrik's response and the SAC066 request specifically about this, do 
you have any materials that can be shared with the DG on this?  Should 
this be a Capital 'O' opinion?


-danny

