Is your network protection legal?
Subject: Security UPDATE, April 23, 2003
* HARDER TIMES FOR SECURITY RESEARCHERS?
Three recent events might significantly affect security researchers. The first event occurred at the RSA 2003 Conference in San Francisco. Richard Salgado, Department of Justice (DOJ) senior counsel for the computer crime unit, gave a talk in which he warned users who deploy honeypots about potential criminal liabilities.
According to a "SecurityFocus" report, \[http://securityfocus.com/news/4004\] Salgado discussed the potential legal ramifications of operating a honeypot. Under the US Federal Wiretap Act, your use of a honeypot to monitor your network traffic might constitute interception of communications. Salgado outlined a few points that shed some light on the law.
According to Salgado, three legal exemptions might apply to some honeypot configurations. One exemption might apply if a party being monitored consents to the monitoring. Another might apply if a victim invites law enforcement to intercept communications. A third might apply if the honeypot operator clearly eavesdrops on communications to protect his or her services and property.
The DOJ recommends that to use the first potential exception, the honeypot operator might display a banner warning users that the system is monitored. The second potential exemption is self-explanatory. The third is probably the most viable. However, Delgado said he sees a potential legal problem in that instance because the purpose of a honeypot is to lure attackers. He noted that it's unusual to claim that one is protecting services and property when one sets up a system specifically to draw attacks. Clearly, honeypots are meant to protect networks--not the computers that run the honeypot software. In some ways, a honeypot is similar to a man trap in a secure installation: An attacker breaks through the first door of the man trap, then can't gain access through the second door. Meanwhile, the first door has closed, and the attacker is trapped and caught. Aren't honeypots much like man traps?
The second event of potential significance to security researchers involves the Digital Millennium Copyright Act (DMCA). Recently, lawyers acting on behalf of particular vendors used the act to silence security researchers about a particular matter that involved, if I interpret correctly, reverse engineering. "The Register" \[http://www.theregister.co.uk/content/55/30259.html\] reported that presenters canceled a talk slated for the recent InterZ0ne security conference after lawyers threatened to litigate if the presentation took place.
Apparently, researchers Billy Hoffman and Virgil Griffith would have detailed problems with the Blackboard Transaction System that many colleges use to manage student accounts and electronic commerce transactions. The system uses student ID cards as the vehicle for transactions. The two researchers were about to offer source code and design plans that would let someone emulate or create Blackboard reader systems.
The third event that might affect security researchers relates again to honeypots. Niels Provos developed the Honeyd program, which I've discussed in a previous Security UPDATE commentary \[http://www.secadministrator.com/articles/index.cfm?articleid=38077\]. Provos is a German national based in Michigan--and Act 328 of 1931 of the Michigan Penal Code includes a clause \[http://www.michiganlegislature.org/printdocument.asp?objname=mcl-750-540c&version=txt\] that states that a person "shall not assemble, develop, manufacture, possess, deliver, offer to deliver ... \[an unlawful telecommunications device that is intended to be to used to\] ... conceal the existence or place of origin or destination of any telecommunications service."
Because Honeyd emulates a network of computers and can emulate different OSs, the program conceals the source of communication. A fuzzy line of interpretation in the law leaves Provos vulnerable to prosecution. \[http://securityfocus.com/news/3912\] Provos chose to move his Honeyd software out of the country to a server in the Netherlands \[http://niels.xtdnet.nl/honeyd/\]. Access to the software now requires that users answer three questions about their location, nationality, and local laws before they're given access to the site. But an attorney at the Electronic Frontier Foundation (EFF) \[http://www.eff.org\] says even that move might not be enough.
Apparently, new state laws along with relatively new federal laws put security practitioners in a precarious situation. Such people might want to rethink how they operate and report their findings.
Increasing caution is required to avoid unnecessary confrontations. Something as simple as running a honeypot could now bring legal trouble--perhaps even intruders' lawsuits against you--if you don't handle matters correctly regarding state and federal laws. Read the stories to learn more details, and consult with your legal advisers to ensure that you're operating legally in this shifting landscape.