Honeypots Illegal? - Security

This is a discussion on Honeypots Illegal? - Security ; On Tue, 11 Dec 2007 12:34:56 +0000, Daniel James wrote: > In article news: , Unruh wrote: >> >> Under Canadian law there is no such thing as implied consent. No >> >> warning is needed for access to be ...

+ Reply to Thread
Page 4 of 4 FirstFirst ... 2 3 4
Results 61 to 77 of 77

Thread: Honeypots Illegal?

  1. Re: Honeypots Illegal?

    On Tue, 11 Dec 2007 12:34:56 +0000, Daniel James wrote:

    > In article news:<8Gq7j.49133$Zn.41718@edtnps90>, Unruh wrote:
    >> >> Under Canadian law there is no such thing as implied consent. No
    >> >> warning is needed for access to be unauthorized, only the fact that
    >> >> it is not authorized.

    > [snip]
    >> Yes, so when you read a web page from Canada you are breaking the law,
    >> since you are accessing and altering data on that computer (see log
    >> files) without authorization. Real enlightened.


    Nope, authorization and the communication of that authorization are
    different things.

    If you are authorized, even if you didn't know it, then there is no illegal
    act.

    If you had been told you were authorized by someone with authority to
    tell you this, (N.B. positive communication is required), _even if this
    information is in error_, then you have not committed a crime because there
    was no intent.

    > No, not AIUI. When you access such a site you *MAY* be breaking the law,
    > but you probably aren't.
    >
    > You may legally view such a site if you have the consent of the site
    > owner. The law may not enshrine a doctrine of implied consent, but in
    > practice the owners of publicly accessible website make those sites
    > public with the intent that they will be accessed by third parties and
    > *do* give consent for those parties to access the site.


    Note that this is not implied consent, the consent is granted by the
    provision of services clearly intended for public access, (e.g. a website).

    How is the clearly intended part determined in court? By the use of what
    is known as a "reasonable man" test: The court considers what a
    reasonable man would think given the facts in question. The regular use
    of "reasonable man" tests are one of the reasons Americans tend to think
    Canadian laws are excessively broad or vague, (which they would be under
    the American system).

    > You will only be prosecuted if you access a site that was not intended to
    > be public


    Correct, if the authorization exists, then there is no actus reus for
    unauthorized access, even if you thought that you were unauthorized.

    --
    Phoenix

  2. Re: Honeypots Illegal?

    In article news:, Unruh wrote:
    > >You may legally view such a site if you have the consent of the site
    > >owner. The law may not enshrine a doctrine of implied consent, but in

    >
    > Ah, so canada DOES have a doctrine of implied consent.


    I don't think I said or implied that.

    I'm not Canadian -- and I don't know whether what's been said about Canada
    not having a doctrine of implied consent is correct -- but I'm not
    speaking specifically of Canada.

    > You are claiming it is in the practice not the written law. But
    > practice has legal force. Canada follows precident as well as written
    > law.


    No, I'm not. I'm saying that if consent isn't implicit it may (or may not)
    still be granted. Commonsense will usually tell you (and the courts) which
    it is.

    > You make my point perfectly. Canadian law tends to be written so as to
    > make everything illegal ( over broad laws) in the expectation that the
    > court system will only apply it in the "right" circumstances. Which of
    > course does not always occur. Thus people HAVE been prosecuted under
    > the Mischief to Data act for deleting their own data. Fortunately the
    > appeal courts have not gone along with it.


    Then your point isn't quite what I thought it was ... but I'm happy to be
    in agreement.

    There probably are times when it should be an offence for people to delete
    their own data -- e.g. when they have a duty to keep records for a certain
    length of time and fail to do so -- but one would hope that prosecutions
    would not be brought in other cases.

    > >If a website is mentioned in an advertisement, say, and you visit it to
    > >discover more about the advertised product or to place an oder you can
    > >point to the advertisement as an explicit statement of consent.

    >
    > Hardly. It is at best implied consent, since none of those state "You
    > have premission to access this web site." And usually they point to
    > only a single page, but the actual material is linked to from that
    > page, and you surely cannot mean that consent is transitive-- if I give
    > you consent to A I am giving you consent to everything I own.


    Well ... IANAL but I'd say that publishing a web address in an advert
    constituted an invitation to visit that web site, and that publishing
    links to other pages on the main page was a further invitation to look
    around. Any pages not linked (directly or indirectly) would not be
    included in the invitation.

    This may come down to what you were saying, above, about practice having
    legal force (I'm sure it's not explicitly enshrined in any statute) and
    about the expectation that the court system will make sensible judgements;
    but I don't see any justification for your assertion a couple of posts ago
    that "when you read a web page from Canada you are breaking the law".
    --
    Cheers,
    Daniel.






  3. Re: Honeypots Illegal?

    In article news:<13lusg42qdjjg22@news.supernews.com>, Rick Pikul wrote:
    > Nope, authorization and the communication of that authorization are
    > different things.
    >
    > If you are authorized, even if you didn't know it, then there is no illegal
    > act.


    Succinct. Thanks.

    > Note that this is not implied consent ...


    No, exactly. There may not be "implied consent", but there can still be
    consent (as you said).

    > The regular use of "reasonable man" tests are one of the reasons
    > Americans tend to think Canadian laws are excessively broad or vague,
    > (which they would be under the American system).


    My lawyer friends here in the UK have considerably more respect for the
    Canadian legal system than for that south of the border.
    --
    Cheers,
    Daniel.




  4. Re: Honeypots Illegal?

    In article news:, Unruh wrote:
    > >A honeypot does not intercept packets, it just handles packets that are
    > >addressed to it.

    >
    > And the person then reads the results of those interceptions. That is
    > where the problems arise.


    No, the logs aren't interceptions, either. Logging is what the honeypot
    does, it's not intercepting anything -- just doing its job. Anyone who
    knew what the honeypot was and did would expect logging, an would expect
    that the logs would be read.

    Anyone trying to crack the system might not know that it was a honeypot,
    but then they almost certainly didn't ask.

    Where interception might come into all of this is later on. If the logs
    from the honeypot are used to identify the IP address of a wannabe
    cracker, say, and that IP address is blocked from the site as a whole.
    THAT would be interception ... but I'd be amused (and horrified) to see a
    court rule it to be an unreasonable act (whatever the law said).

    --
    Cheers,
    Daniel.



  5. Re: Honeypots Illegal?

    Daniel James writes:

    >In article news:, Unruh wrote:
    >> >You may legally view such a site if you have the consent of the site
    >> >owner. The law may not enshrine a doctrine of implied consent, but in

    >>
    >> Ah, so canada DOES have a doctrine of implied consent.


    >I don't think I said or implied that.


    Yes, you did when you said "the law may not enshrine a doctine of implied
    consent, but..." and then pointed out that implied conset did exist and
    was recognised by the courts.



    >I'm not Canadian -- and I don't know whether what's been said about Canada
    >not having a doctrine of implied consent is correct -- but I'm not
    >speaking specifically of Canada.


    >> You are claiming it is in the practice not the written law. But
    >> practice has legal force. Canada follows precident as well as written
    >> law.


    >No, I'm not. I'm saying that if consent isn't implicit it may (or may not)
    >still be granted. Commonsense will usually tell you (and the courts) which
    >it is.


    Do you mean "if consent isn't EXPLICIT"? If it is granted when it is not
    explicity, then it is an "implied consent". "Common sense" is a very poor
    basis for a law, because one person's "common sense" is the next person's
    idiocy. A legal system in which laws are written overbroad, with the
    expectation that the courts will apply "common sense" in their application
    is a very bad legal system.



    >> You make my point perfectly. Canadian law tends to be written so as to
    >> make everything illegal ( over broad laws) in the expectation that the
    >> court system will only apply it in the "right" circumstances. Which of
    >> course does not always occur. Thus people HAVE been prosecuted under
    >> the Mischief to Data act for deleting their own data. Fortunately the
    >> appeal courts have not gone along with it.


    >Then your point isn't quite what I thought it was ... but I'm happy to be
    >in agreement.


    >There probably are times when it should be an offence for people to delete
    >their own data -- e.g. when they have a duty to keep records for a certain
    >length of time and fail to do so -- but one would hope that prosecutions
    >would not be brought in other cases.


    Those cases are not cases which should fall under things like "mischief to
    data". They may fall under other laws. The problem is prosecution HAS been
    brought under other cases. Eg, I could imagine that the prosecution could
    use such an overbroad law where they discovered a drug dealer had erased
    his own client list. They could not get him on the drug dealing as they had
    no evidence, so decided to try for the overbroad prosection of him erasing
    his own data.



    >> >If a website is mentioned in an advertisement, say, and you visit it to
    >> >discover more about the advertised product or to place an oder you can
    >> >point to the advertisement as an explicit statement of consent.

    >>
    >> Hardly. It is at best implied consent, since none of those state "You
    >> have premission to access this web site." And usually they point to
    >> only a single page, but the actual material is linked to from that
    >> page, and you surely cannot mean that consent is transitive-- if I give
    >> you consent to A I am giving you consent to everything I own.


    >Well ... IANAL but I'd say that publishing a web address in an advert
    >constituted an invitation to visit that web site, and that publishing
    >links to other pages on the main page was a further invitation to look
    >around. Any pages not linked (directly or indirectly) would not be
    >included in the invitation.


    That is certainly a doctrine of implied consent. The publication of the
    site or advert implying consent to actually visity the site. That is
    different from a law of explicit consent, where the user must obtain the
    explicit consent for the contemplated behaviour.
    Of course any attempt to try to run the web or any computer activity on a
    basis of only explicit consent would make criminals of everyone
    immediately. But then some contries believe that is a good way to write
    laws-- make everyone a criminal and then you could decide on whom to
    prosecute based on other criteria (popularity with the government,
    race,....). I happen to think it is a bad way of setting up laws.




    >This may come down to what you were saying, above, about practice having
    >legal force (I'm sure it's not explicitly enshrined in any statute) and
    >about the expectation that the court system will make sensible judgements;
    >but I don't see any justification for your assertion a couple of posts ago
    >that "when you read a web page from Canada you are breaking the law".
    >--
    >Cheers,
    > Daniel.
    >






  6. Re: Honeypots Illegal?

    Daniel James writes:

    >In article news:, Unruh wrote:
    >> >A honeypot does not intercept packets, it just handles packets that are
    >> >addressed to it.

    >>
    >> And the person then reads the results of those interceptions. That is
    >> where the problems arise.


    >No, the logs aren't interceptions, either. Logging is what the honeypot
    >does, it's not intercepting anything -- just doing its job. Anyone who
    >knew what the honeypot was and did would expect logging, an would expect
    >that the logs would be read.


    honey pots are there so that people do NOT know that they are honeypots. If
    everyone knows they are honeypots ( sites set up specifically to entrap
    people engaging in "bad" behaviour) they loose their purpose.


    >Anyone trying to crack the system might not know that it was a honeypot,
    >but then they almost certainly didn't ask.


    The logs are interceptions. Just because a honeypot does it does not make
    it not an interception. Humans read those logs. If those logs indicate
    communication between two people, neither of whom agreed to the recording
    of the data, they would fall under wiretap laws, is what the argument is.



    >Where interception might come into all of this is later on. If the logs
    >from the honeypot are used to identify the IP address of a wannabe
    >cracker, say, and that IP address is blocked from the site as a whole.
    >THAT would be interception ... but I'd be amused (and horrified) to see a


    No that would be banning them from the site. The interception occured when
    the communication was recorded. It does not matter what was done with the
    recording. The crime is in the recording.


    >court rule it to be an unreasonable act (whatever the law said).




  7. Re: Honeypots Illegal?

    Walter Mautner :
    > mr.b wrote:
    >
    > > On Thu, 06 Dec 2007 13:31:18 -0500, Douglas O'Neal wrote:
    > >
    > >> Make it a bit more specific. You have a picture on your wall. I look at
    > >> your picture without your permission. Have I then stolen your picture?
    > >> If not, what is the difference between using your computer with only
    > >> trivial traces of that use left and using the picture as was intended?
    > >> What exactly has been "stolen" in either case?

    > >
    > > this is interesting...I'm thinking...even though we've gotten a bit away
    > > from the legality of honeypots...which I employ...and enjoy...but
    > > accessing a publicly accessible computer is definitively different from
    > > passively observing a picture on a wall, is it not? the law is fairly
    > > clear about unauthorised access -at least here in Canada.

    >
    > Once you, as the "intruder" get the warning, it is unauthorized.
    > But then, a "publicly accessible" computer is what it is - either by
    > intention or by missing basic protection (AKA blondeness) like passwords
    > and firewalls. As an example, if you deliberatly change the defaults (XP
    > firewall on) to make your computer accessible, it is ... well, a publicly
    > accessible computer. Someone else just taking a peek then, isn't a
    > criminal, as long as he doesn't damage/change your data or your computer.


    Interesting. Where is the line between cracking and interoperability?
    Is identd cracking? Hardly. finger?

    But this is a new era when interop is less important than security, so
    we secure, then interop. :-P

    > That could happen to you having p2p software loaded and running, as an
    > example. There isn't a damage, if you missed the obligation to protect your
    > data or at least place a visible warning in the way.



    --
    Any technology distinguishable from magic is insufficiently advanced.
    (*) http://blinkynet.net/comp/uip5.html Linux Counter #80292
    - - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.

  8. Re: Honeypots Illegal?

    Unruh :
    > "s. keeling" writes:
    >
    > >Rick Pikul :
    > >>
    > >> Under Canadian law there is no such thing as implied consent. No warning
    > >> is needed for access to be unauthorized, only the fact that it is not
    > >> authorized.

    >
    > >Take that, ambulance chasers. We don't need to hire lawyers to vet
    > >login screen banners in this enlightened people's paradise. :-)

    >
    > Yes, so when you read a web page from Canada you are breaking the law,
    > since you are accessing and altering data on that computer (see log files)
    > without authorization. Real enlightened.


    The owner of that server told it to do that (in its config), not me.
    Get a clue.


    --
    Any technology distinguishable from magic is insufficiently advanced.
    (*) http://blinkynet.net/comp/uip5.html Linux Counter #80292
    - - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.

  9. Re: Honeypots Illegal?

    Daniel James :
    > In article news:, S. keeling
    > wrote:
    > > If a firewall dropping packets is interception, what's spamassassin or
    > > procmail or exim rules? This whole subject just doesn't pass the
    > > smell test.

    >
    > I think you're missing some irony, somewhere along the line.
    >
    > I wasn't suggesting that firewalls were or should be illegal, I was
    > using the example of firewalls -- which I think everyone agrees are not
    > only legal but are also essential security tools -- to highlight the
    > point about honeypots.
    >
    > A honeypot does not intercept packets, it just handles packets that are
    > addressed to it.
    >
    > A firewall does intercept packets, it handles packets that are addressed
    > to some other server process and filters them.
    >
    > Ergo: if the act of interception is the criterion by which legality is
    > to be judged then honeypots are legal and firewalls are not (or to put
    > it another way: The law is an ass).
    >
    > Capisce?


    Eminently, and an excellent exposition. "The smell test" wasn't
    directed at your comments. It was intended for the OP.


    --
    Any technology distinguishable from magic is insufficiently advanced.
    (*) http://blinkynet.net/comp/uip5.html Linux Counter #80292
    - - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.

  10. Re: Honeypots Illegal?

    On Wed, 12 Dec 2007 11:21:29 +0000, Daniel James wrote:

    > In article news:<13lusg42qdjjg22@news.supernews.com>, Rick Pikul wrote:
    >> The regular use of "reasonable man" tests are one of the reasons
    >> Americans tend to think Canadian laws are excessively broad or vague,
    >> (which they would be under the American system).

    >
    > My lawyer friends here in the UK have considerably more respect for the
    > Canadian legal system than for that south of the border.


    Of course, we took the best parts of the British system in making ours.

    Thanks to Gen. Wolfe, we also ended up with the better parts of the French
    system.

    --
    Phoenix

  11. Re: Honeypots Illegal?

    In article news:, Unruh wrote:
    > >I don't think I said or implied that.

    >
    > Yes, you did when you said "the law may not enshrine a doctine of implied
    > consent, but..." and then pointed out that implied conset did exist and
    > was recognised by the courts.


    No, I said that consent might be present even if it were neither explicitly
    given nor implied in law.

    Cheers,
    Daniel.



  12. Re: Honeypots Illegal?

    Daniel James writes:

    >In article news:, Unruh wrote:
    >> >I don't think I said or implied that.

    >>
    >> Yes, you did when you said "the law may not enshrine a doctine of implied
    >> consent, but..." and then pointed out that implied conset did exist and
    >> was recognised by the courts.


    >No, I said that consent might be present even if it were neither explicitly
    >given nor implied in law.


    I am sorry, but I used the term "implicit consent" to mean that the law
    will assume that consent in that circumstance is given even it that consent
    is not explicitly given by a written or verbal means. You seem to be
    using some strangely different meaning of the term.

    >Cheers,
    > Daniel.
    >



  13. Re: Honeypots Illegal?

    Unruh :
    > "Magnate" writes:
    >
    > >So just as it's not illegal to leave your house unlocked, it shouldn't be
    > >illegal to leave an unprotected system on your network (whether as a
    > >honeypot or for any other purpose).

    >
    > It is not illegal. Whether or not it should be is contentious matter. If
    > you by your negligence contribute to damage to a third party, a strong


    Huh? Of course!

    > civil damages. Placing your computer on the net with no protection
    > IS negligence, and it can certainly damage third parties (DOS
    > attacks, breakin attacks, etc)


    I think you've a different understanding of "honeypot" from what I
    have. I understand it as, "Anything can get in. Nothing gets out."
    Honeypots are supposed to simulate successful execution for the
    cracker, yes? Honeypots should not be capable of being turned into
    zombies. They gather information. They do not facilitate
    connectivity.


    --
    Any technology distinguishable from magic is insufficiently advanced.
    (*) http://blinkynet.net/comp/uip5.html Linux Counter #80292
    - - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.

  14. Re: Honeypots Illegal?

    In article news:<78d8j.134$5l3.94@edtnps82>, Unruh wrote:
    > >No, I said that consent might be present even if it were neither

    explicitly
    > >given nor implied in law.

    >
    > I am sorry, but I used the term "implicit consent" to mean that the law
    > will assume that consent in that circumstance is given even it that
    > consent is not explicitly given by a written or verbal means. You seem
    > to be using some strangely different meaning of the term.


    Yes, that's what "implicit consent" usually means -- not that consent *is*
    implicitly given, but that the law will *assume* that consent was intended
    in all cases where it is not explicitly refused.

    Under jurisdictions in which the law does not guarantee to make that
    assumption (i.e. where there is no "doctrine of implicit consent") it is
    possible that a site owner may consent to others accessing the site
    without explicitly saying so. Anyone accessing the site must decide for
    himself whether or not the site is one that is intended to be public -- in
    almost all cases it will be.

    If the site owner objects to the fact that someone has accessed his site
    he can take legal action against that person, and the courts will decide
    whether it was reasonable for that person to assume that they had the site
    owners consent to act as they did. I imagine that in almost all cases the
    court would rule that accessing the site was not unreasonable, but there
    might be exceptions (e.g. use so frequent as to constitute a denial of
    service, or use so frequent as to cause the site owner to incur additional
    bandwidth charges). Exceptions of this sort would not be possible under a
    system that enshrined a notion of implicit consent, so systems that do not
    do so are more flexible -- and potentially fairer to all concerned.

    It's not quite the same thing, but there was a case here in the UK
    recently in which someone was prosecuted for using another person's WiFi
    connection without permission. He'd parked his car outside a private house
    with an unsecured wireless access point and accessed the internet from his
    laptop using the householder's broadband connection. As the wireless
    connection was not in any way secured, it would not have been possible to
    prosecute this person under a system that enshrined a doctrine of implicit
    consent.

    I can't find the original news item, now, but there's some discussion
    here: http://news.bbc.co.uk/1/hi/magazine/6960304.stm

    Cheers,
    Daniel.





  15. Re: Honeypots Illegal?

    "s. keeling" writes:

    >Unruh :
    >> "Magnate" writes:
    >>
    >> >So just as it's not illegal to leave your house unlocked, it shouldn't be

    i ^^^^^^^^^^^^^^^
    >> >illegal to leave an unprotected system on your network (whether as a

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^
    >> >honeypot or for any other purpose).

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

    Note the phrase I was refering to.




    >>
    >> It is not illegal. Whether or not it should be is contentious matter. If
    >> you by your negligence contribute to damage to a third party, a strong


    >Huh? Of course!


    But that would make it illegal to leave an unprotected system....,
    something he said should never be illegal.


    >> civil damages. Placing your computer on the net with no protection
    >> IS negligence, and it can certainly damage third parties (DOS
    >> attacks, breakin attacks, etc)


    >I think you've a different understanding of "honeypot" from what I
    >have. I understand it as, "Anything can get in. Nothing gets out."
    >Honeypots are supposed to simulate successful execution for the
    >cracker, yes? Honeypots should not be capable of being turned into
    >zombies. They gather information. They do not facilitate
    >connectivity.




  16. Re: Honeypots Illegal?

    Daniel James writes:

    >In article news:<78d8j.134$5l3.94@edtnps82>, Unruh wrote:
    >> >No, I said that consent might be present even if it were neither

    >explicitly
    >> >given nor implied in law.

    >>
    >> I am sorry, but I used the term "implicit consent" to mean that the law
    >> will assume that consent in that circumstance is given even it that
    >> consent is not explicitly given by a written or verbal means. You seem
    >> to be using some strangely different meaning of the term.


    >Yes, that's what "implicit consent" usually means -- not that consent *is*
    >implicitly given, but that the law will *assume* that consent was intended
    >in all cases where it is not explicitly refused.


    No. It cannot mean that. It can mean that under certain conditions it will
    assume consent is given, but certainly not "in all cases".
    On the other hand it is rarely written, since if it is written, it is no
    longer implicit consent, but legally defined consent, which is not
    implicit. It is then explicit.



    >Under jurisdictions in which the law does not guarantee to make that
    >assumption (i.e. where there is no "doctrine of implicit consent") it is
    >possible that a site owner may consent to others accessing the site
    >without explicitly saying so. Anyone accessing the site must decide for
    >himself whether or not the site is one that is intended to be public -- in
    >almost all cases it will be.


    >If the site owner objects to the fact that someone has accessed his site
    >he can take legal action against that person, and the courts will decide
    >whether it was reasonable for that person to assume that they had the site
    >owners consent to act as they did. I imagine that in almost all cases the
    >court would rule that accessing the site was not unreasonable, but there
    >might be exceptions (e.g. use so frequent as to constitute a denial of
    >service, or use so frequent as to cause the site owner to incur additional
    >bandwidth charges). Exceptions of this sort would not be possible under a
    >system that enshrined a notion of implicit consent, so systems that do not
    >do so are more flexible -- and potentially fairer to all concerned.


    >It's not quite the same thing, but there was a case here in the UK
    >recently in which someone was prosecuted for using another person's WiFi
    >connection without permission. He'd parked his car outside a private house
    >with an unsecured wireless access point and accessed the internet from his
    >laptop using the householder's broadband connection. As the wireless
    >connection was not in any way secured, it would not have been possible to
    >prosecute this person under a system that enshrined a doctrine of implicit
    >consent.


    >I can't find the original news item, now, but there's some discussion
    >here: http://news.bbc.co.uk/1/hi/magazine/6960304.stm


    >Cheers,
    > Daniel.
    >





  17. Re: Honeypots Illegal?

    On Sun, 16 Dec 2007 13:41:21 +0000, Unruh wrote:

    > Daniel James writes:
    >
    >>Yes, that's what "implicit consent" usually means -- not that consent *is*
    >>implicitly given, but that the law will *assume* that consent was intended
    >>in all cases where it is not explicitly refused.

    >
    > No. It cannot mean that. It can mean that under certain conditions it will
    > assume consent is given, but certainly not "in all cases".
    > On the other hand it is rarely written, since if it is written, it is no
    > longer implicit consent, but legally defined consent, which is not
    > implicit. It is then explicit.


    Implied consent is the principal that when you take no action to stop
    something, even though you could have, you are consenting.

    There really isn't any arguing with this definition when it comes to
    Canadian law, given that that was the definition used when the Supreme
    Court ruled on the issue.

    --
    Phoenix

+ Reply to Thread
Page 4 of 4 FirstFirst ... 2 3 4