Thursday, April 14, 2005

Entrapment?

The Honeypots mailing list has a <a href="http://seclists.org/lists/honeypots/2005/Apr-Jun/0012.html">discussion</a> going on about whether or not the use of honeypots can be considered entrapment. I dislike any argument that tries to treat honeypots as entrapment.

I think that Randy Bachman answers his own question with his definition of a valid entrapment defense:

  A valid entrapment defense has two related elements: (1) government inducement of the crime, and (2) the defendant's lack of predisposition to engage in criminal conduct.

The entrapment argument fails on element (2) because the attacker is already predisposed to commit the crime. The attacker is already accessing a system without authorization.

Law enforcement is not going to bust someone for port scanning. However, they will go after the attacker that uses SQL injection to break into a system, honeypot or not. "Average" users do not do that sort of thing, so the predisposition argument fails.

Can you argue entrapment just because that third drunk you've rolled in the subway turned out to be a sober police officer pretending to be drunk?