FBI E-Mail Wiretaps - The Carnivore System

CharlieG writes "It seems the the FBI has been electronic wiretapping various e-mail accounts for a while now. First with a system called Omnivore, and now with a "More Selective" system called Carnivore. You can read about it on MSNBC.COM"

Re:Unnecesary Paranoia?

"dress the part"

That holds up as well as "i raped her because she was dressed that way"

Try again troll!

Re:PGP

"correct me if I'm wrong, but"

You are VERY wrong.

Try looking through the countless times people have made that very claim on Usenet (such as sci.crypt). I suppose deja.com would be useful for this.

Now, look at how many times those claims have been refuted. (Hint: "All")

Now, before someone says "those are just government lackeys" posting the refutations, look through the posting histories of the persons making the refutations. Well-respected individuals in the cryptographic community, many of whom are rather anti-government in perspective, have been among those to cry "hogwash" when people claim (yet-again) "PGP is cracked."

BTW, claiming that "PGP is cracked" is (for some dumb reason) a VERY common thing, yet no one has been able to give a good answer when any crypto-fluent person has asked "How?" (Show me the weakness in the protocol, show me the weakness in the algorithm, show me the *method* you claim was used to crack PGP ... it's probably anecdotal or a matter of "human engineering" and not PGP-related at all.)

Don't get me wrong, I'm of the opinion that a bit of paranoia is quite wise indeed. But letting paranoia overrule belief in scientific evidence, reproducible at will, well that's just folly.

Only 100 times? I seriously doubt it.

The article says the technology has only been used 100 times, which leads me to believe it's reserved for big-time criminals.

If someone is a big enough fish to warrant [no pun intended] this, they're probably going to be using encryption anyway.

That's a very charitable reading of the passage.

The exact quote was"Federal investigators say they have used Carnivore in fewer than 100 criminal cases since its launch early last year."

1. Domestic intelligence and civil forfeitures ("arresting property") are also part of the FBI charter, along with criminal prosecution
2. This system is also available to the states, and massive wiretap abuses on the state and county level (under state warrant) apear to be far more widespread than Federal abuses -- if only because there are 50 states and thousands of counties. Any search engine will turn up hundreds of case, and some cases, like Dade County Fl, LA County, CA, and Ct State police, have thousands of individual violations spanning years
3. The FBI would not (and is not required to disclose surveillance ordered by FISA courts (a special intelligence court that has refused only one warrant request in over 10,000 requests). FISA requests have leaped from an average of under 250/yr in in 1978-1993 to about 1000/yr today (exact number unknown), and include telephone and wireless taps, breaking and entry, surreptitious seizure of property w/o an inventory to the 'victim'.

There are many more loopholes in this statement, and there is no question that the FBI has a policy of deliberately constructing such evasions for public consumptions, as dozens (hundreds) of prominent cases have shown, as well as televised testimony on Iran/Contra, Watergate, etc.

Disclaimer: I am, if anything, pro-intelligence. However, Ir recognize the intrinisic dangers of secret (and hence, relatively unaccountable) actions, plans, and operations.

Re:Only 100 times? I seriously doubt it.

[civilizedINTENSITY]

many more loopholes
"cases" implies it went to trial, yes? but they are scanning many many more to find the ones to investigate...and of those investigated only 100 went to trial.
imagine they said: "we randomly read your written mail, but only 100 cases were brought to trial based on what we found last year"

Re:Only 100 times? I seriously doubt it.

[blameless]

Good point.

Re:4th Amendment anyone?

Typical response of a Slashdot alarmist. Note the Libertarian party plug.

No, FBI does not monitor email without a valid search warrant based on suspected criminal activity. Just like with a wiretap of ordinary phone convdersations.

FBI agents have protected us from suspected criminals and subversives well in the past - John Dillinger, Martin Luther King, and John Lennon come to mind. To gather useful information about suspected criminal activity, a network of informers is necessary. ISPs have been cooperating with law enforcement from the very start, in case you didn't know. Just view your ISP as an FBI informer (and probabably a paid informer at that).

Read the article again. The FBI is not going to waste its time and money spying on people who use the internet for legitimate purposes. NSA and CIA are not authorized to spy on American citizens at all, only on foreign nationals.

Cool it and cut the paranoia. The United States Constitution set up a system of checks and balances to prevent abuses of power by any one branch of government. The FBI has proper authorization from Congress for these activities.

Can I buy one of these

and use it to sort through my spam?

Or perhaps the FBI will offer a special spam-filtering service. FBI SpamGuard.

Re:No wiretapping without a specific warrant

if you want envelopes get PGP. otherwise regular email is like sending postcards.

Re:PGP is not the answer

PGP is okay, but I'm moderately certain the NSA can crack it fairly quickly. Don't know about the FBI.

Keep in mind, the largest employer of mathematicians in the world is the NSA and that they are one of the largest computer buyers.

They have sealed documents written by Alan Turing was back around WWII and the suspicion is they are 2-10 years ahead of anyone in the "normal world" of encryption/decryption.

Please. Take it from someone who makes a good living proving theorems: the NSA may employ the largest number of PhD's in mathematics, but in mathematics, what counts is quality, not quantity.

RSA is the product of three clever people (well five, if you add Diffie and Hellman), none of whom work for the US government. The best mathematical minds (which are found all over the globe, not just the US) are mostly in academia, with a handful working for industry (ATT) or government labs.

It's safe to assume that NSA has access to more computing power than anyone else, but if there is a mathematical flaw in RSA (as opposed to, say, flaws in implementation, which have been found on numerous occasions), it is far more likely it will be found by a smart individual or two who does not work for NSA. The mathematics here is number theory, which has been attracting some of the best mathematical talent for centuries. And like computer geeks, it's not money that attracts mathematical talent, much less the chance to work for a secret government agency, it's the subject matter.

BTW: Peter Shor works for ATT. ;-)

Re:But it isn't widely deployed.

[rodgerd]

I think you need to read a little more closely. STARTLS extensions are described in an RFC which is implemented by:

• Sendmail
• Exchange
• qmail
• PostFix

There are plenty of MTAs that don't have support (e.g. Exim, Zmailer), but the above cover a huge chunk of the installed MTA base. The main challenge to TLS is an better key exchange mechanism, which is the current main impedement.

Re:But it isn't widely deployed.

[rodgerd]

Having gone back and re-read a bunch of information, I can tell you:

• Sendmail Pro difintely currently has TLS.
• Sendmail 8.11 betas have TLS support.
• These guys have a TLS wrapper for existing sendmail installations.

So I jumped the gun a bit on BSDLed sendmail having TLS - it will RSN, or you can use a wrapper. On the upside, I was also wrong about zmailer, who apparently have TLS now. Encrypted linux-kernel anyone?

Re:ANother reason to use PGP

[Gregg+M]

As long as PGP can't be decrypted, we can shrug our shoulders at stories like this.

Not so fast... Read this!

Re:Unnecesary Paranoia?

[Lullabye]

Deal with this troll....

People dress they way that makes them feel best...not the way that makes you feel best, so they should be persecuted? Anyone, ANYONE, has the right to appear as they want, without fear of being classified, harassed by law enforcement, or any thing of the like. If you judge based on how someone looks...you are a bigot...end of fucking story. (PS people carrying around chains could rightfully be construed as agressive because it is a weapon they are carrying, people who just look weird on the street shouldn't be held to the same stereotype).

Your comments are idiotic

[Loundry]

Pol Pot, Hitler, and Stalin's regimes are identical to what is happening today.

I know you were being sarcastic, but what you are saying is at least partially true. The United States Government is slipping close and closer to totalitarianism by the day. Read The Ominous Parallels and be convinced.

What is your solution? Shall we put a direct hyperlink on Yahoo! to the Anarchist's cookbook so that script kiddies can stop their DoS attacks and start making napalm in their garage?

Bifurcation.

Everyone is awfully concerned about the black ops in the big bad government reading their email and flagging them because they say the word 'bong', but I haven't seen a single suggestion for how crime could be lessened.

Those who trade freedom for security shall have neither (paraphrased, but it's true). Personally, I think crime would be reduced if more law-abiding citizens would carry concealed weapons.

Come back to earth, Slashdot readers.

Ad hominem.

The government isn't secretly reading all of our emails to see if we like to wear pink fuzzy slippers and listen to Duran Duran.

Strawman. Then again, if someone in government were interested in that sort of thing, would you find it in the least bit offensive that some anonymous, government official could go quietly sifting through your private mail with no warning?

Have you considered that there are people working for the government who care about our country as much, if not more than, we do?

Yes, there are a few people in government who feel that way. Have you considered that there are also plenty of people in government that are as corrupt and sinister as anyone who is not a government employee? Have you considered that ther are also plenty of people in government who are more than happy to abuse their right to use force to achieve their goals?

How many executive orders has President Clinton signed? How is the seizure of property under drug laws consistent with the Constitution? What is the ratio of laws enacted to laws repealed in this century? Why should I be forced to pay money into a bankrupt income redistribution scheme (that can be either Medicare or Social Security)? What right does the government have to listen to what I'm saying in private anyway? Is it because I might say something "wrong" and the government needs to make sure that I don't?

Re:If a data stream runs through a computer....

[Anonymous+Coed]

As the old saying goes, just because you're paranoid doesn't mean people aren't out to get you. Yes, this tool Carnivore could be a great boon to legtimate law-enforcement. And the surveillence infrastructure it provides could also be used for a wide range of aconstitutional[1] activities. There really just no way of knowing whats really going on, given the secretive nature of the beast. So, you're willing to just trust the FBI in all matters? Then why bother with search warrants at all? Just let the nice policeman come and take you away because some computer printout listed you as a possible subversive. I'm sure the kindly old judge will sort it all out for the best.

A little Citizen Oversight is always a good thing in a democracy... by the way, it'd be nice if we actually had a democracy.

[1] aconstitutional -- something that might sound legal given current statutes / administrative rules / judicial interpretation, but which undoubtedly goes against the spirit of the Constitution in general and probably also the widely-ignored 4th amendment.

Re:What is the FBI's interest in "clones"?

[Anonymous+Coed]

I imagine they would take an interest in the clone army I am growing in my underground lair, if only they knew. You see, I probably shouldn't talk about it in my email as much as I do... that's prolly how they'll find me. Maybe I should look into one of these "PGP" thingies I keep hearing about.

use a different mailserver

[xdc]

Correct me if I'm being naive, but can't a suspect easily circumvent a Carnivore tap on the suspect's ISP's mailserver by using an SMTP server other than the local ISP's server?

The spamming of the Internet has restricted outsiders from many mailservers, but there are still a lot of servers that will relay mail. And if it is/were technologically feasible to encrypt the session between the suspect and the random remote mailserver, then not even a capture of all ISP traffic would reveal the contents of the transaction. The FBI or other investigative entity would have to detect such relevent connections originating from the suspect's account and chase all over the Internet trying to procure logs and data.

Re:fp

[Vishak]

Please reply carefully please feed the troll

Interesting situation:

[Dast]

What if they had some ISP upstream install this system and it caught some ranking member of the fbi or other branch of government in illegal activities? That would be fun. :)

I guess it comes down to this: if you don't like that your tax dollars are being spent on this, write your representative. And be sure to encrypt your mail. Personaly, I'd love to encrypt every bit of it, but not enough people use it to make it worth it. *sigh*

Re:I'm convinced

[Shadowlore]

What is your solution? Shall we put a direct hyperlink on Yahoo! to the Anarchist's cookbook so that script kiddies can stop their DoS attacks and start making napalm in their garage?

Why do people seem to feel the need when faced with an argument they can't logically counter, they swing to extremes, putting words into the argument that didn't exist? You did precisely this.

Did you see anyone make those suggestions? Nope. You did, not anyone else.

Want to know how to 'reduce crime'? Deal with it, don't try to 'prevent it'. Care to guess how many ways you can commit a crime, even unknowingly? want to reduce the crime? Reduce the crime possibilities. Guaranteed to work. And without spending extra money, and eavesdropping on communications.

Re:PGP is not the answer

[Dusty]

PGP is not the answer (Score:2)
>And as far as crypto goes, strong crypto is nice. But if you've ever read books on
>information security that covered the whole field, you'd realize a very small chapter
>would be devoted to crypto, and a very large chapter to organizational security because
>social engineering and dumpster diving are both far easier than cracking crypto in most
>cases. It's easier to pay a secretary $10K than to spend $100K cracking some crypto.
>And probably more effective to boot.

But it is a lot harder to automate social engineering. Which requires field officers with some skill, and someone to type in the results.

Re:they DO require a warrant

[symbolic]

Paranoia or not, every new government policy (no matter how stupid), has to start somewhere. After they screw up a few times, subjecting themselves to massive ridicule, lawsuits (of course, it's the taxpayers who will pay any awards), and the like, the policies will change. We're seeing this with the brainlessness behind some of the no-knock raids, and the public concern over what, in some cases, has amounted to arming a group of uniformed chimps with deadly weapons.

Just what is all of this "we're going to rid the world of crime through technology" mentality, which is slowly eroding the rights of the free world, supposed to accomplish? Will it *really* get rid of drug dealers, terrorists, or pedophiles - much less eliminate their intent? I don't think it will...people who want to commit crimes are like anyone else - they'll simply route around the obstacles, seeking the path of least resistance and the greatest potential for success. When criminals realise that their e-mail could lead to their demise, they'd have to be really stupid to continue using it. Crime existed long before e-mail and the internet, and any government official who thinks that things like Carnivore give them a leg up...belong...well...right where they are. Mindlessness and government are hardly strange bedfellows.

Re:Modify SMTP

[Sangui5]

True, but they would have to get it from the recipients ISP, not the senders, which is a lot more work.

I suppose a better system that RSA would be to use Diffie-Hullman, and don't log the exchange. No private key to give away. They still may be able to pull the unencrypted mail from a user's mail spool file, but that can be done on a per-individual basis.

My point isn't keeping the FBI from reading the mail of people they have a warrent to monitor. I don't want it to be technically feasible for them to monitor large numbers of people indescriminately.

If the FBI gets a warrent to put a Carnivore machine in my ISP's network, they get to read everything, including my mail which they do not have a specific warrent for. If they cannot just pull stuff indescriminately, they have to get a warrent for the particular individual that they want. No judge would issue a warrent for 'every mail spool on the server' (I hope), although the may (wrongly) issue a warrent to monitor a criminal's ISP. By reducing the feasability of a quasi-legal general tap, I protect my own liberties, while still allowing the FBI to monitor those people who really need it, in the eyes of a judge.

Re:Modify SMTP

[Sangui5]

use a client that connects to the addressee's mail server directly

I was sort of assuming that. I was fairly sure that most clients do that anyway, although I could easily be wrong. I've never been at a site that allowed mail to be sent in any other way, but I don't really have a large sample size.

It is perfectly true that even assuming that all communications are between your machine and the addressee's ISP, all the FBI needs is to get the ISP's private key. (Although as I mentioned elsewhere, Diffie-Hullman eliminates that somewhat). However, the point is to make semi-targeted automatic scanning infeasable.

Re:But it isn't widely deployed.

[Sangui5]

Best that I can tell, sendmail doesn't implement it. I might be horrible misreading the RFC, but it seems that EHLO will cause a supporting MTA to return a line with STARTTLS on it, and that STARTTLS is a valid imperitive on such MTA's.

I'm trying this on 8.9.3. I looked on sendmail.org, and couldn't find any reference to STARTTLS, or RFC 2487, so I don't think 8.10.* does either. If you have info on an official version of sendmail that supports this, I'd be very interested.

Now, if STARTTLS were supported on sendmail, then the main problem would be the key exchange mechanism. If it is supported on sendmail, then you have (with sendmail alone) a large chunk of the MTA's. But as I said, sendmail doesn't appear to support this.

But it isn't widely deployed.

[Sangui5]

If sendmail supported these extentions, and the default behavior of the clients was to try to use STARTTLS, then, well, everything would be happy.

That is, postfix admits that it is a bit different than sendmail, and can cause problems (although minor and few). In any case, the effort spent into developing parallel projects would (IMHO) be better spent extending what is essentially _the_ SMTP program, sendmail. You would get 'automatic' deployment of secure SMTP, transparently to the end users, and almost transparently to the sysadmins (just upgrade sendmail, which is a good thing to do anyway).

PGP isn't a good solution because it requires too much work on the part of the mail senders/recipients. Postfix w/the TLS extension won't work for a related reason. It's too much to expect sysadmins all over the world to switch software, put work into learning it's quirks, and possibly loose functionality that was in sendmail.

Re:It's a waste of time & resources.

[Kyobu]

Yeah, but that's in the first year, and it's a new technology. Wait for it to catch on like phone wiretapping, and you'll see a lot of activity. Or, there'll be a lot of activity, but you won't hear much about it. To show you I'm not a paranoid, here's an example. In Los Angeles, the city where I live, the District Attorney, Gil Garcetti, who is well-known to periodically behave in completely improper ways, set up a phone wiretap. This was no ordinary wiretap, however. This was a wiretap which existed for over a month on the pay phone in the jail downtown, a block from Union Station. All calls made from that phone were monitored, without any evidence of wrongdoing or any specificity or discretion in who was being listened to. Also, on another occasion, an entire cell phone companyn was made the subject of a wiretap, because an employee was a suspect. So obviously it made sense to tap the customers of the company. Neither of these stories were covered much in the LA Times.

Re:The big picture

[lazarusL]

..."how can you be opposed to it?"

Well, you see, I read this thing once, in grammar school. The called it the Fourth Amendment and had me write a paper on it. Perhaps you've heard of it....

(BTW, are you trolling, or are you really that clueless? No matter, your likely troll allowed me to make this point.)

"No I can't" (tracking prevents article???)

[lazarusL]

"You can read about it [23]on MSNBC.COM"

No I can't. Not with lynx and junkbuster.

Apparently there is some form of blocking involved. What is http://msid.msn.com/mps_id_sharing/redirect.asp? This appears to be the factor preventing us from seeing the article without tracking/blocking/whatever.

Re:Read the article...

[lazarusL]

Can't read the article, for some reason. (Why is it blocked anyway?)

Re:wiretapping

[lazarusL]

They are AOL, and wrote the infamous AOL TermsOfService agreement, to which your friend agreed when subscribing. If your friend doesn't like the practices of that particular Disney-esque company, he should subscribe to a real ISP and investigate their policies in advance.

Re:Slighty OT: PGP & IM

[lazarusL]

"People who say you should be using PGP for any sensitive communications are right."

s/for any sensitive commuications/for any communications/

Of course, I might also s/PGP/GnuPG/g myself. :-)

Is this BetweenUs thing Open Source (since closed source is anathema in secure communications) and does it have a URL?

If I can't see the source, I'm sure not going to trust it (and even then... heh.)

Journaling Email Systems

[swb]

I'm surprised that no one has come out with a journaling email system; one that will keep a seperate copy of every mail message that is sent for posterity. Given the popularity of email snooping by businesses, it seems like the kind of thing they'd be clamoring for.

I know its somewhat unrealistic (my 600 person business has around 16 GB in the live mail system right now) from a storage and retention perspective, but given the dropping costs of storage (both disk and tape) it doesn't seem that unrealistic.

Re:PGP is not the answer

[Jonathan+White]

A few quick points...
1. The NSA cannot crack PGP on anything near a realtime basis, the FBI probably couldn't even uudecode...

2. The NSA was 2-10 years ahead but that was decades ago. The NSA most certainly lost their "lead" due to the sheer numbers of mathematicians working in academia and the private sector. Combine this with the more talented cryptographers avoiding the NSA for moral and monetary reasons.

3. Dumpster diving / social engineering are not applicable here.

Re:No wiretapping without a specific warrant

[HiThere]

Why do you believe that being "legally required" to obtain a warrant would mean that they refrain until they have one? How would anyone know? If there is no reasonable possibility that they would be punished for violation, what is the deterrence value? Do you believe that there is a reasonable possibility that violation would lead to ... well, to even a nasty note in their personale file?

See the book "The FBI vs. the First Amendment".

Consider the slogan "Be sure you're right, then go ahead."

Re:That was then, this is now

[HiThere]

Of course, that doesn't exactly apply to quantum computers. But then we don't yet have any.

Re:the part MSNBC didn't print

[SonicRED]

Michaels continued, "This new guy, Rich, our cryptologist, is working on brute forcing the 12 bit encryption algorythym used in the MS Word protection scheme we are running across so frequently. The other day he looks at me and says, 'You know, it would really make my job easier if we could do something like this automatically, the numbers are hurting my head.'

Bingo! Right there we knew we had something. We got together with the brightest minds in the industry to create something truly special."

PRESS RELEASE: REDMOND WASHINGTON
Microsoft announces MS Carnivore 2000 ...

Encrypt the Effin' World

[dr_strangelove]

Look, folks, this stuff is only a problem because people don't routinely encrypt e-mails. Tha stuff is transmitted "en clair", and is therefore fair game for the dinks down at the Ministry of Love.

Encrypt your e-mail. Encrypt your hard drives. Encrypt anything else you can think of.

And send random encrypted e-mail to totally bogus destinations, just to keep things interesting...

Yes you do.

[Elwood+P+Dowd]

You do know what sort of hardware they have.

You know for certain that they will be able to crack your security. If the government picks a specific target, they will succeed. This is why we *all* have to use strong encryption. So that they can only selectively decrypt.

And I don't mean that everyone needs to use PGP email. We need gnuFreeZone, or a relative. Every packet.
--

Re:Easy work around

[FunnyBunny]

There is a fairly easy work around that piece of legislation. IT has been used in the financial community for a while now. What you need to do is have your Key being held by a custodian outside the UK jurisdiction. Then set up an agreement that in the case of any legal action against you the custodian is automatic required to refuse delivery of the key to you. That way you can not be held in contempt since you abide by the law requesting the key, but you are not getting it since something outside your control hinders it.

Of course, if you are the focus of an investigation the existance of such an agreement will be discovered. In the US they would then claim contempt or obstruction, I suspect the UK would be similar. Financial institutions have more money, and consequently a better chance of avoiding contempt charges.

Re:Secure (oh yes? :-) ) Communications

[mattbee]

Personally I would like to see an offshore provider giving https based webmail. This would probably be a lot more accesible to end users then PGP currently is and would surely start to cause problems for the US & UK governments and their dodgy schemes for monitoring access.

I'm sure offshore https web mail is perfectly safe, what with that recently US government-certified copy of Netscape with its super-safe 128-bit encryption you'd be using to access it... (fnord)

Re:The FBI is looking out for you

[rmrfken]

And how is this different from the powers which they have to tap any other form of communication? Just because the net is the new "frontier" people think that it must somehow be magically different from the offline world. This is blatently not true - the net is a different medium sure, but it's the same old shit nonetheless.

I actually disagree that the net is the same old status quo, mainly due to the fact that its global and for the moment allows anonymity (remember we actually got daily updates on the Russian coup via uucp). My main gripe is the attempt to make it so.

The difference is that off the net they are restricted by the 4th amendment... There is a large difference between knowing a person is a criminal and tapping his line (which can be done with precision) and casting a large net and dredging up all interesting information and promising to throw out the ones which don't directly relate to the case.

This technology bugs me for the same reason that somebody standing over my shoulder and watching me reply to e-mails bugs me (This means you John)...

Basically the reason they give for the system not being abused (People monitor it) is the very reason it is subject to abuse... You will probably say "but it [abuse] also happens in phone taps and in real life" and I would have to say, it doesn't mean it also has to happen where I spend most of my time.

Re:The FBI is looking out for you

[rmrfken]

You really don't see whats going on do you?

This is a 'free speech' quashing technology, I know that even though I harbor no criminal intent, I'll be carefully checking everything I send out for possible misinterpretation by our Friends in Blue.

This new sniffer allows unprecedented access to all unencrypted traffic as this is a sniffer at
the backbone... What we have here is merely the FBI promising to use this technology only with a proper search warrant.

You must realize that their comments are much more worrisome than sniffer technology:

"He [Marcus Thomas, chief of the FBI's Cyber Technology Section at Quantico] also noted that criminal and civil penalties prohibit the bureau from placing unauthorized wiretaps, and any information gleaned in those types of criminal cases would be thrown out of court."

Which if you read between the lines says "Don't worry, if we tapped you illegally you can challenge us in court and we will throw it out."

See all these are steps toward a penultimate police state. Ponder this, in a few years technology will have advanced to the point where we can all have our own "police buddy robot" which follows us around making sure we're not commiting any crimes, and bill^H^H^H^Hfining us for the ones we do commit. Safety for all!

This would in fact be fine even if the laws stay static, however new laws are being added by the minute and 20 years from now, it'll be near impossible from accidentally commiting a crime.
(When was the last time you jaywalked?)

Today, with California's 3 strikes rule, if you get caught Jaywalking (Misdemeanor) 3 times, its raised to a Felony and you, my dear non-criminal citizen, are now a convicted felon who gets to go straight to jail. Of course, judges, being human, will try to throw the case out of court, but the fact remains that even if common sense prevails, its growing ever more difficult to "stay on the right side of the law" and what happens when intelligent systems are advanced to the point where a computer does sentencing (Don't say it isn't possible, Brazil is already beta testing a computerized real-time traffic judge)

This technology is even worrisome for companies and governments! Witness the France suing the US over Echelon, They caught the US passing intercepted messages to a US company, allowing it to snake a contract from a competing French company.

Re:PGP is not the answer

[rmrfken]

Actually I worked as an admin for a Mathematics Dept where most of the faculty was under contract with the NSA, They were working on exactly that.

Plus you are betting that their computers are too slow.

Yawn

[Kaa]

So the FBI can read my unencrypted emails if it gets a court order and plugs a computer into my ISP's network? Really? Who could have guessed this?! This is soooo unheard of! Soon the heroic guys in blue (or black, or whatever) will be able to tap not only the email traffic, but also IP packets. They even gave a code name to their future project -- they call it a 'sniffer'. Script kiddies everywhere were reported trembling in their sandals.

Kaa

Re:The FBI is looking out for you

[Kaa]

As much as we all love the net, I don't think that any of us can deny the fact that it does provide an easy to use and easy to conceal method for criminals and other dubious types to communicate, without regard for national laws or borders.

As opposed to, say, telephone? Or maybe paper mail?

Kaa

Oooh

[Colin+Winters]

Man, I bet it's tough to figure out what the FBI is using. A packet sniffer that saves everything, and then they probably do a "grep bomb *" or something like that. I think it's time to switch away from cleartext email-everyone should start using pgp.

Colin Winters

This is not a surprise. Use PGP.

[Argyle]

Even the govt. can't crack PGP mail on a realtime basis. Encrypted email provides for secure communications. The only surprising thing is that people continue to send unencrypted emails. It's unfathomable why businesses don't use encrypted email exclusively. http://www.pgp.com/

Re:This is not a surprise. Use PGP.

[logiceight]

Maybe because businesses want to still read their employees email? =)

Re:Modify SMTP

[parkrrrr]

I'm not sure I understand what you're suggesting. If you encrypt the SMTP connection using a public key retrieved from the SMTP server, then you're simply encrypting the link between your machine and the one at your ISP (unless you run your own mail server, or use a client that connects to the addressee's mail server directly... most clients don't do that.) If you're suggesting what you seem to be suggesting, it's your home ISP's private key the FBI would need.

Once they have that private key, there's nothing stopping them from decrypting every SMTP transaction, unless the private key is different for each user. In that case, you've just started requiring users to authenticate with the SMTP server before they get their personal public key, and even then you're only protecting their outgoing mail up to the local SMTP server. What happens when it gets forwarded to the recipient's server? Why would your ISP and his go out of their way to waste cycles encrypting that link, especially with the FBI breathing down their necks?

I just think transport-level encryption is the wrong tool for the job, especially since it doesn't protect particularly well against traffic analysis or someone on the inside at your ISP. If you are running a drug ring and you want to keep your communications private, encrypt everything (even the letters to Grandma) and use a chain of anonymizing crypto-enabled proxies with random delays to conceal the destination of your mail, and send yourself lots of dummy email of random sizes through the same proxies to hamper traffic analysis.

If you're not running a drug ring, encrypt everything anyway. Think of it as sending your email in an envelope instead of on a postcard. If it's too hard for Grandma to decrypt your letters, tell her to dump AOL and set her up with a real mail client that supports PGP.

Re:Encrypt

[jmauro]

Free SWAN can't do this yet. It still needs to be manually configured. Although they're trying.

Re:PGP

[declan]

Well, trog, you're also right in a very limited sense: PGP could suffer from such problems. But there's a big difference between a theoretical possibility and reality, and PGP's source has undergone unusually exhaustive scrutiny. There is no evidence that RSA or any other algorithm used in PGP is crippled inadvertently or intentionally. Time to put this urban legend to rest.

Re:Wool makes my eyelids itch

[declan]

Your skepticism is, sadly, justified. Take a look at this article for background on illegal FBI eavesdropping:

The Privacy Snatchers (from time.com)

(Too bad I wasn't able to include the LAPD scandal in that piece.)

They have the sequence wrong...

[sugarman]

After Omnivore, shouldn't it be Orn and Ox?

Re:Already exists

[8.012]

The correct Transport Layer Security RFC is 2246, not 2446. It is available at http://www.ietf.org/rfc/rfc2246.txt

PGP at MIT

[revscat]

This is really simple. Go get PGP from MIT:

http://web.mit.edu/network/pgp.html

It's free. It's strong. It's open-source. Annoy the government. Use it.

- Rev.

Having been on the recieving end of this kind of..

[epseps]

I can tell you all it's scary stuff. Don't believe it when they tell you it's for court ordered 'wiretaps' because that is only one use for it.

Here is a scenario:

Political Group A decides to collaborate on a project with polital Group B.

Since they are in physically different locations, they communicate on the internet.

Both A and B decide they need to protest at a certain location this year (like a politcal convention)

With the help of Carnivore, the FBI knows about the location and the plans.

Group A and group B are arrested for loitering as soon as they step off the bus and kept in jail for the duration of the convention.

The charges are dropped because of lack of evidence, illegal survelance, or they were just kept too long without areignment.

The govenment has succesfully prevented citizens from voiceing grievances.

Also while waiting for charges to be thrown out because of illegally obtained evidence, the citizens computers, books, and notebooks can be confiscated as evidence and kept for a very long time. (hint, they don't confiscate things made out to be polical flyers...yet)

You don't know what you are talking about

[epseps]

Is that your personal experience?

They can take you to trial. They don't have to present evidence at the hearing. I know.. I've had it happen to me. Once the trial starts and the prosecution gives their evidence and the defence claims it was illegally obtained, the judge agrees (hopefully) and throws out the case.

Now what has this cost you, an innocent person?

36 hours in jail. Here in NYC it's central booking..not pretty.

Missed work for that 36 hours, if you don't have coins or a phone card, you don't get to call your employer and you may be fired...hell..you may be fired anyway only criminals go to jail right?

You may want to get out of jail so bad, that you sign a confession or rat out other innocent people. (they just want some names of people you are involved with...no big deal..they just want the names to make the brass downtown happy it doesn't mean anything...whats for supper tonight in holding...they can't eat that bologne again it's rancid!...So tell us some names of your friends..)

Lawyers fees. You don't really want a public defender do you?

Missed work for your araignment.

Missed work for your trial.

Stress.

Heres the deal: Cops can arrest you for whatever they want whenever they want. You may not get convicted, but you will have a part of your life taken away. That is never right and always a big deal.

Re:The FBI is looking out for you

[Staciebeth]

I refuse to accept that my 4th amendment rights protecting me from unreasonable search and seizure should be violated because there are criminals. I have done nothing wrong (and, if I have, that must be proven, innocent until proven guilty, and all that) and should not get punished, spied upon, or evesdropped upon simply because someone else has.

The Truth About Encryption

[WillAffleck]

I've been reading a lot of posts from people saying things along the lines of "use PGP".

While I think it's cool to do things like that, you should know that you're not safe.

Face it, all they need to do is monitor the emissions from your computer and monitor. This is why the govt requires TEMPEST machines - anything else is never secure.

I know, I used to code on them back when I was in the Canadian Armed Forces.

The ugly truth about encryption and security is this:

There is no such thing as a totally secure system.

Which also reminds me of this:

The easiest way to defeat any security method is to use physical access methods through inside personnnel.

So, stop worrying - Big Brother already knows all about your dirty linen - he just doesn't care about it.

Re:The Truth About Encryption

[Siqnal+11]

You have to remember that encryption is a tool like any other, and its use or misuse is determined by personal ethics and law. In the same way that a gun advocate can advocate that every citizen should be able to bear arms while saying murder is bad, geeks have a seperation between "owning" and "using".

Re:The FBI is looking out for you

[Steve+B]

Why was the fourth ammendment introduced in the first place?

For the same reason the First, Second, ... , and Tenth Amendments were introduced -- the Founders of the American Republic knew that government will abuse its powers unless kept on a short tight leash.

The existance of wiretap orders for other people who have given law enforcement enough justification to get a warrent, has nothing to do with your 4th ammendment rights, because they aren't searching and seizing you!

The Fourth Amendment specifically lists one's "papers" in its guarantee against unreasonable search and seizure. Obviously, this includes e-mail, unless you are going to take the position that the Bill of Rights only applies technologies known in 1790.
/.

Re:ANother reason to use PGP

[British]

And I thought I was a bit on the weird side for having encrypted convos(that were not any threat to national secuirity) with PGP to friends and egging them on to use PGP religiously. Guess I'm not so crazy.

So when is there going to be https://slashdot.org?

Industrial Espionage

[DrLoveMD]

i'll tell you what they are going to use this for (aside for snooping on citizens, and admittedly, criminals): Industrial Espionage. Let's just say that the Federal Bureau of Intimidation happens upon a piece of corporate email that just so happens to lay out either a plan of action in their new business strategy, or some other highly classified corporate information. They can either ignore this highly tantalizing piece of info, of they can sell it off to the highest bidder. bullshit, right? they'd never do that. wrong. they've done it before, and they will do it again. the FBI has "helped out" companies that have been cooperative with them. this will just make it easier. i'm starting to be glad i always use ssl and ssh... :)

Not PGP. IPv6

[Dwonis]

If ISPs would start providing IPv6 connections, software developers would accelerate supporting it, and soon the average use could use the IPSec layer built in to IPv6.

The problem is that ISPs say "we have to wait for software to be available for consumers", and software developers say "we have to wait for IPv6 availability to consumers". I say, "get your asms in gear!"
--------
"I already have all the latest software."

Re:PGP

[Dwonis]

Of course a long term solution for email is to build encryption into the mail protocol.

No, the long-term solution is the security built into IPv6. Push your ISP for IPv6 today!
--------
"I already have all the latest software."

Wool makes my eyelids itch

[The+Queen]

Internet wiretaps are conducted only under state or federal judicial order, and occur relatively infrequently.

Oh, good! I guess that guy from alarmist.org was wrong this whole time! Phew, now I can safely go back to surfing for underage Asian girlie pron!

The Divine Creatrix in a Mortal Shell that stays Crunchy in Milk

Re:Wool makes my eyelids itch

[Bearpaw]

Internet wiretaps are conducted only under state or federal judicial order, and occur relatively infrequently.

And they use the magic words "drugs" and "terrorism", so anything they do is ok. Really.

"'National security': the root password to the [United States] Constitution." - Phil Karn

Not really...

[The+Queen]

From their site:

The system is telling you that the only way to send a secure, encrypted message is to send it to another Hushmail user.

It's a closed system...they can't encrypt for anyone but their own users. :-/

Thanks for trying, please play again.

The Divine Creatrix in a Mortal Shell that stays Crunchy in Milk

Re:Just a little paranoia to soothe the soul

[bnenning]

There are physical limits on how much you can brute-force. A perfect cryptosystem takes O(2^N) time to crack an N-bit key, so doubling the key length tremendously increases the difficulty.

Let's assume ASCII White has some top-secret algorithm that lets it check 10 keys per floating point operation. That's 128 trillion keys per second, or around 2^48. This is how long it would take to brute-force various key lengths:
56 bits: 2^8 seconds, or 4 minutes. No problem.
64 bits: 2^16 seconds, less than a day. Still not too bad.
80 bits: 2^32 seconds, around 100 years (I think). Not very easy.
128 bits: 2^80 seconds, 3.8*10^16 years. Not gonna happen.

Of course specific algorithms are likely to have weaknesses, but the point is that pure brute-force does not work with sufficiently large keys.

Legal Issues

[La+Camiseta]

Wouldn't there be some legal issues with this system? Because it looks at every message going over the network, wouldn't that be considered an invasion of privacy on the people that there isn't a wiretap order on? Could any of you clear this up for me?

quote

[operagost]

That quote has also been attributed to Benjamin Franklin:

"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

Re:The FBI is looking out for you

[isil]

1) a computer only does what it is programmed to do. if it is programmed to react to something that would push your buttons, would you be as non-chalant about the invasion?

2) if you are under the impression that snooping into JQP's email is going to stop criminal activity, i guess you also support gun legislation, the death penalty and '3 strikes-you're out'.

Carnivore Bait

[ktakki]

I know a Class III butcher who can convert our sirloin to ground beef.

k.
--
"In spite of everything, I still believe that people
are really good at heart." - Anne Frank

Re:No wiretapping without a specific warrant

[aonifer]

I resort to the oldest argument against encryption: if YOU aren't doing anything wrong, why do you care if THEY read your emails?

If you aren't doing anything wrong, why do you care if they install cameras in your house? If you aren't doing anything wrong, why do you care if they install microphones in your bedroom?

Re:Just a little paranoia to soothe the soul

[bugg]

I've always felt that if someone with that much computational power/intelligence skill so that they could crack my PGP keys or just take my HD, then I'm screwed anyway. It's just like how The Club won't keep professionals from stealing my car, but it'll stop the 99.99% of those hoodlums out there who just want to joyride.

The big picture

[bguilliams]

If the government has a technique that can decrease crime, prevent terrorism, and save lives, how can you be opposed to it? It's not possible to analyze all the data they could potentially retrieve. They have their hands full with the data they mean to find. I see no reason for unnecesary paranoia.

Re:The big picture

[Sygnus]

The only pedophiles in Germany after Hitler came to power were the homosexuals within the ranks of the Nazi party.

EXCUSE ME?!?! Most pedophiles are straight men - NOT homosexuals! Get your fucking facts straight before you go around calling gays pedophiles!

Re:The big picture

[pallex]

Yeah, its just freedom of information. Ie, giving the FBI the freedom to read YOUR information.

Re:The big picture

[guinsu]

Hey, I've got a great way that the government can "decrease crime, prevent terrorism, and save lives", lets allow the FBI to open up everyone's mail and read it to make sure theres nothing bad in there. And lets also let them install cameras in everyone's homes. That would go a long way towards decreacing crime and preventing terrorism, don't you think?

Tim

Re:The big picture

[Ian+Wolf]

If the government has a technique that can decrease crime, prevent terrorism, and save lives, how can you be opposed to it?
The road to hell (or a police state) is paved with good intentions. IMHO the system being described violates our rights as defined under Search & Seizure. Without this right, law enforcement agencies would have the ability to choose a home, individual, auto, computer, etc at random in a quest to find illegal materials.
Imagine that your neighbor is an FBI agent and he doesn't like you very much. Now imagine that he could just walk right into your home without a warrant. Now think about the things in your home that may be illegal. An MP3, a dubbed VHS tape, a burned copy of a proprietary software cd, or even a cuban cigar. This may sound like a far fetched scenario to you, but this kind of stuff happened over two hundred years ago. British tax collectors would literally storm into homes to make sure that every bag of sugar or tea had the appropriate stamp on them. The only thing that keeps things like this from happening again are the Bill of Rights and the countless others who actually take them seriously and not for granted.
It's not possible to analyze all the data they could potentially retrieve. They have their hands full with the data they mean to find.
Maybe not right now, but oh the times they are a changing.
I see no reason for unnecesary paranoia.
I feel much safer already.

Re:The big picture

[Alarmist]

If the government has a technique that can decrease crime, prevent terrorism, and save lives, how can you be opposed to it?

I like my privacy, and I want my government to respect it. I don't care for being watched all the time. I don't like being treated as a potential suspect. I don't like the entire "guilty until proven innocent" air that this entire mess has.

Does this decrease crime? Perhaps--only government officials will be authorized to harass and kill innocent people now. Does it save lives? Sure--if people are afraid to kill other people because the men with guns will kill anyone at the drop of a hat, it certainly will. Aren't a few lives lost to clerical errors worth that? Does it prevent terrorism? Absolutely not! It gives our government free license to act like armed hoodlums. Bullies with guns who can destroy lives on a whim.

Is your safety and that of your family worth so little?

I see no reason for unnecesary paranoia.

Nor do I. This isn't paranoia: it's a genuine, well-founded fear. There's nothing irrational about being afraid and distrustful of people who will pry into your private life just because it suits their fancy.

Fight the Power.

Re:The big picture

[arivanov]

If the government has a technique that can decrease crime, prevent terrorism, and save lives, how can you be opposed to it?

Pol Pot and Yeng Sari had such highly successful techniques. Cambodja virtually had no crime. It also did not have any literate cittizens left and had 25% of the population killed.

Hitler also had such technique. The crime level in Nazi germany was very low. There were almost no pedofils left in Germany for example. So if broght now Hitler Germany would not have had any "child p0rn" problems as there were no consumers for "chid p0rn" left. He simply treated them like the jews. Actually jews had higher survival rates than pedos and gay in Nazi Germany and Stalin USSR.

Stalin and his followers also had such technique. The crime level in the ex-eastern block was never asv low as in nazi germany but it was mostly petty crime. Not shooting in the streets like now.

Are all these compelling reasons for us to restore anyone of these? Clone them maybe?

I'm convinced

[bguilliams]

Pol Pot, Hitler, and Stalin's regimes are identical to what is happening today. Without doubt, allowing our government to make an attempt to prevent crime is akin to bringing to life Orwellian visions.

What is your solution? Shall we put a direct hyperlink on Yahoo! to the Anarchist's cookbook so that script kiddies can stop their DoS attacks and start making napalm in their garage?

Everyone is awfully concerned about the black ops in the big bad government reading their email and flagging them because they say the word 'bong', but I haven't seen a single suggestion for how crime could be lessened.

Come back to earth, Slashdot readers. The government isn't secretly reading all of our emails to see if we like to wear pink fuzzy slippers and listen to Duran Duran. Have you considered that there are people working for the government who care about our country as much, if not more than, we do? Why does everyone assume that the Cigarette Smoking Man is after them?

Re:I'm convinced

[I+R+A+Aggie]

Have you considered that there are people working for the government who care about our country as much, if not more than, we do?

I enjoy comments such as yours, as it gives me an opportunity to trot out one of my favorite qoutes:

Of all tyrannies a tyranny exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience. -- C. S. Lewis (1898-1963)

According to you, we in the USA no longer need the 1st, 2nd, 4th or 5th amendments. Why should the FBI (or any LEO) be burdened by having to go to a court for a search warrant? surely, if you have nothing to hide, you have nothing to fear if they show up and ask to inspect your residence. And why shouldn't criminals be made to testify against themselves???

Oh, yeah, I'm sure I'm gonna trust 'em to be honest. They wouldn't break any laws, like allowing the White House access to background check files of potential political foes. They wouldn't plant evidence, or give false testimony (hey to the L.A. PD!), nor do anything unjust!

No, never!

James

Spidering?

[Zak3056]

Sigh, the FBI does rquire a warrant to use Carnivore, and to top it off, it's _really_ hard to get. As for tossing extraneous data, it's the software that analyzes all the traffic, not humans. IANAFBIA, but from my experience, c-vore only _collects_ data on the target, agents don't even see the rest of the cruft.

Your comment made me think about something. Wiretap investigations will usually expand into the people you communicate with, and that communicate with you, based on the illegal activities you are engaged in (your associates, customers, suppliers, etc).

Here's my question: You, who are not the subject of Carnivore's attention,and have nothing at all to do with the subject, are into something illegal (for example, you run Joe's Online Pot emporium, or some such). By some chance, both you and the subject receive the same "Make Money Fast!" piece of spam. Is it likely that Carnivore will see the list of addresses in the cc header as associates to be investigated further, and produce your own incoming and outgoing email to the FBI as part of the unrelated investigation?

Anyone else see that possibility here?

Re:No wiretapping without a specific warrant

[kirwin]

Why shouldn't a letter sent via electronic means not enjoy the same protections as a letter sent by the post office? The USPS is a branch of the US government. AOL, Earthlink, Mindspring, and Joe Q. Hometown ISP are not. It is a federal offense for the average person to tamper with USPS items, but the USPS has the right to open packages if they contain items that the USPS prohibits (explosives, poisonous reptiles, and something else I am forgetting) if they can establish probable cause.

nothing will stop the FBI doing this until

[gonar]

nothing will stop the FBI (or anyone else for that matter) doing this until federal legislation raises e-mail to the same privacy standard as telephones and snail-mail.

even then they won't stop, but at least they will need a warrant.

however, the likelyhood of such legislation ever being passed, especially with President V-Chip Jefferson Clipper in office is precisely zero.

Re:nothing will stop the FBI doing this until

[grahamsz]

Hmmm but if the carnivore has spotted the names of various drugs in a disproportionately large number of ur emails, isnt that grounds for a warrant?

Re:nothing will stop the FBI doing this until

[Ian+Wolf]

_That_ information would be inadmissable, but it would still be grounds for a warrant.

Once the warrant is obtained however any further information gathered is admissable. This system could very easily be used as a fishing net for finding criminals.

Its a stretch, but the law enforcement official could make a claim of "Plain Sight" as the information/activity was in plain view of a legal surveilance/investigation. Its a stretch, but remotely plausible that a Judge could allow it, although I doubt it would hold up on an appeal, but you never know.

Re:nothing will stop the FBI doing this until

[sqlrob]

Not with the Meth Antiproliferation act. They find references to the drugs, they don't need the warrant.

Re:nothing will stop the FBI doing this until

[sqlrob]

And you know what's gonna happen?

You get slapped with "Obstructing Justice" charges for blocking an investigation. Any bets on how long it would take for them to try crap like that?

Re:nothing will stop the FBI doing this until

[blameless]

The awful part is that, assuming one has the resources to battle their way through the system & gets vindicated in the appeals court, it's too late, because so much peripheral damage has been done to your job, marriage, reputation, etc.

Re:nothing will stop the FBI doing this until

[blameless]

Well....

The article specifically says they need a warrant now

Re:nothing will stop the FBI doing this until

[blameless]

It all comes down to intent. If you send email with the intent of hindering an investigation, then that's illegal.

Re:nothing will stop the FBI doing this until

[blameless]

IANAL, but I'm pretty sure that that info, as well as any evidence resulting from its discovery, is inadmissable.

Re:nothing will stop the FBI doing this until

[iKernel]

Three ideas:
1. Send lots of fake e-mail like "I love bombs that don't explode near the president of my ISP"
2. Use 128 Mb keys for encryption. (Pretty secure, but rather slow, I'd say.)
3. Send e-mail like this "bomb president" repeated about 10^1000 times. That should slow down the system so it misses the legitimate bomb threats :)
--Jon

Re:nothing will stop the FBI doing this until

[iKernel]

SO you're saying that's illegal to send e-mail?

Re:nothing will stop the FBI doing this until

[KahunaBurger]

Hmmm but if the carnivore has spotted the names of various drugs in a disproportionately large number of ur emails, isnt that grounds for a warrant?

But it can't do that. I mean, it won't just "notice" them. Its a computer. If its purpose was to scan for drug references in all emails, they could do that, but it would have to be on purpose. They couldn't use the "plain sight" defense to validate the evidence, because it requires an extra deliberate step to gather. You can't get a warrent based on evidence that you should have needed a warrent to get. It taints the process all the way down the line.

-Kahuna Burger

Re:Just Read the ZDNet Story

[VB]

Nope, not all the Feds are evil. I've worked with a couple.

Only takes one.....

Linux rocks!!! www.dedserius.com

Re:Read the article...

[mrogers]

Their entire system sounds basically like a system that takes all the email in the system, applies a set of regexs to the headers and takes all email too and from there target.

I doubt it. It seems more likely that they would hook into the ISP's DHCP kit and whenever the suspect dialled in, record all the data comprising his/her PPP session. That way they would get all the suspect's traffic and none of anyone else's. This method is similar to a conventional wiretap (it identifies the suspect with a phone number and assumes the right to intercept any traffic on that phone line), so they would probably have less legal hassles using this method than waiting for the data to leave the ISP's computers and then filtering it. After all, if they wanted to do that, they could just as easily do it from the Pentagon and not bother driving out to Sticksville TN to install a Carnivore...
$ cat < /dev/mouse

Satellite services...

[slykens]

I was sitting here thinking about how the FBI could wiretap an encryted satellite connection with the opposing downlink in a country outside of their jurisdiction...

But I realized that to operate the satellite in the US, the user would need FCC approval, and I doubt that would be given if the FBI couldn't wiretap the connection...

Too bad the constitution is ignored anymore.

FreeS/WAN

[FattMattP]

This is just another reason why things such as FreeS/WAN are so very important.

Re:Secure Communications

[nconway]

Rather than webmail (which kinda sucks - I'd much prefer mutt for email than Netscape, or even Mozilla), what about someone providing off-shore secure POP or IMAP4-SSL? Most good mail clients (including fetchmail and mutt) support IMAP + SSL.

Is Hushmail off-shore?

Also, I'm Canadian. How are Canada's laws on personal privacy (excuse my ignorance, Canada is pretty boring ;D). If Canada is reasonably lax, I might look into setting up something myself...

Accept Your Fate

[lapsan]

What bothers me more than anything about this, as well as many other types of so-called "protective" laws, is that it feels more and more every day as though "they" are just preparing us for something.

We can feel comfortable putting chips in our pets in case we lose them... buying into a "service" that allows the car companies to unlock your doors... not minding too much that the govt. is peeking at big, bad, evil criminals email because it isn't like we should let them get away with anything.

I truly dislike it when people, even I, compare current-day laws and situations to things such as Nazi Germany.... so I won't. It is really hard not to though.

how does this work?

[ketamine]

How exactly does this work? From reading the article it seems like the software is basicly a packet sniffer. But what packets are they sniffing? How can they have access to traffic of the entire Internet?

Re:The FBI is looking out for you

[jxxx]

Yup, only criminals need fear The Law.

Of course, in order to determine that your email didn't contain reference to a plot to kill a helicopter full of British agents, as well as how pretty SLC is this time of year they have to scan it.
For some reason I don't feel much better when the cops offer to rehang the door after kicking it in.
The possibility of your neighbor painting his door to look like yours, and that fooling the black helicopters doesn't help either.

Ooh! Look, your sarcasm is showing.

Re:Secure Communications

[Ioldanach]

Except that HushMail is located in the U.S., and therefore subject to the Carnivore wiretap.

Re:The FBI is looking out for you

[TheReverand]

Yes that's right. It is impossible to be born in the United States and ever live in London. Why are you such a fucking idiot?

Love,

Some guy who isn't Jon Erikson

Re:Read the article...

[TheCarp]

Actually this would make ALOT of sense. It would even be incredibly easy to impliment...however did you notice their claims?

They were claiming to be able to go through however many millions of messages per day. No single person gets that many. The ONLY reason to do that would be to sift through the ISPs entire feed for information.

Secondly they said this is specifically for gathering email. This makes sense though. Much of the time I do NOT check my email from my ISP dialup. I often check it from work. Even so...they would really not need such a powerful system to search through 1 persons traffic....hell even 10 peoples traffic. Even if they had DSL lines...they can't truely generate THAT much traffic.

Uh oh

[Legion303]

FBI experts acknowledge that Carnivore's monitoring can be stymied with computer data such as e-mail that is scrambled using powerful encryption technology. Those messages still can be captured, but law officers trying to read the contents are "at the mercy of how well it was encrypted," Mr. Thomas said.

Translation: We just cracked PGP this week.

-Legion

Only Criminals Really Have to Worry...

[JavaFox]

While Carnivore does have some serious implications regarding online privacy, Marcus Thomas made a good point when he said that any information gathered by an unauthorized wiretap would be inadmissable in criminal court.

What is everybody worried about? If the FBI were to read your e-mail before you were a suspected threat, what would they be able to do with that information? Nothing. They certainly couldn't take you to court.

Hey moderators

[gfxguy]

Moderate this guy up! My sentiments, exactly.
----------

Re:Same rules as non-Internet should apply.

[wrenling]

oh, they cant use THAT email
but they VERY well can use that as a reason to begin investigating you. Just because the current set of evidence is inadmissable does not mean they are not going to try and find MORE evidence later on.

Its not just what they are currently after - remember that the FBI has to continually justify its existance by targetting and 'destroying' dangerous criminals. And its always nice to have a list of extra targets at hand.

Re:Secure Communications

[yist]

I wonder if providing free encryption based web mail services would be something

You mean like HushMail?

Re:4th Amendment anyone?

[jareds]

I'm pretty sure he was being sarcastic.

hahahahaha

[Tom7]

Gotta love "spook" in emacs...

strategic North Korea Legion of Doom NSA AK-47 Khaddafi Cocaine
assassination World Trade Center PLO cracking White Water Serbian
Delta Force BATF

Ft. Meade BATF Clinton Albania radar Khaddafi assassination COSCO
Cocaine Mossad terrorist FBI World Trade Center munitions clones

BATF radar Mossad jihad nuclear Kennedy smuggle $400 million in gold
bullion Ft. Meade [Hello to all my fans in domestic surveillance]
supercomputer AK-47 genetic Honduras Legion of Doom

Just a little paranoia to soothe the soul

[Benley]

>As long as PGP can't be decrypted

And I'm SURE that the unveiling of ASCII White, the US Government's newest fastest supercomputer clocked at 12.8 teraflops, has absolutely no effect on this statement. Or even better, what's to stop them from combining that with ASCII Blue and ASCII Red into one giant cluster? Answer: nothing.

The unfortunate reality of this world tends to be that if they want you bad enough, they've GOT you. We must also keep in mind that PGP stands for Pretty Good Privacy and not Incredible Super Unbreakable-in-this-universe Privacy. PGP can be brute-forced just like any other encryption.

Deal with it.

wiretapping

[locutus2k]

There should be something illegal about this. Just this morning I was talking to a friend who was telling me that AOL sent him a message regarding one that was sent to him. AOL informed him "the language contained in this message is not appropiate for viewing". What I would like to know is who the hell they think they are to decide what kind of languace is acceptable.

Re:let me be the first to say...

[undertoad]

oh shit, I was second. see
http://slashdot.org/comments.pl?sid=00/07/11/157 204&cid=95

no they don't

[twitter]

They are listening to everything.

What would you think if all of your snail mail letters came to you opened and scanned by "electronic eyes."?

Obviously, something is wrong.

Steganography is *NOT* juvenile

[Cheshire+Cat]

While I agree that hiding plaintext in a stenanographic message is a shoddy idea, I don't think hiding a securely encrypted one is. Here's why:

Say some agency notices that you're sending encrypted e-mails to certain people. Even though they don't know what you're saying, they can be reasonably sure that its something you don't want anyone else to know. Otherwise why would you encrypt it? Furthermore, judging by the size of it they can reasonably deduce how much data you're sending. Anyways, just by keeping track of whom your encrypted mail goes to, such an agency can build a very interesting picture of your activities.

However if your message is stenangraphicly encoded, its just another layer of protection. Specifically it protects against the above scenario.

Crazy Idea! Neural net scanning encrypted docs

[skiy]

yeah, suppose they had got a load of plaintext with incriminating phrases in, encrypted it and run it through a really big, back propogation neural net telling it that this is bad, doing the reverse for OK stuff.

IANECTANNE (Here we go: I am not even close to a Neural Network engineer) so I'd love to here some critisism of this theory.

Besides, When Quantum computers come out, the NSA will be the first to have one, and then where will we be?

Just my £0.02.
skiy.

Re:No wiretapping without a specific warrant

[cburley]

The really amazing thing is, America's founding fathers saw this very thing coming. The 4th amendment was not an after thought. It was put in to deliberately undermine tyranny within the nation they were building.

Ditto the 1st amendment, which we're all exercising here...

...and the 2nd amendment, which probably a substantial percentage of us not only refuse to exercise, but are only too willing to concede to obtain "security" -- the exact sort of security the FBI is promising to provide by doing these kinds of things.

Not that I'm convinced there are violations of the 4th amendment going on here! Maybe there are, I don't know offhand. But those reacting negatively to this story should carefully consider whether they really wish to view the 2nd amendment as allowing the government any ability to infringe on the right of the people to keep and bear arms. This right is written, IMO, much more succinctly and with less opportunity for semantic revisionism than at least some portions of the 1st and 4th. (Consider how variable is the practical meaning of "unreasonable", which is used in the 4th, versus "right", used in the 2nd. Or how the right to assemble is apparently limited to cases where the assembly petitions the government in the 1st. If that latter wording was interpreted as strictly as some interpret the 2nd, that'd mean two or three people do not have the right under the 1st amendment to get together unless the government recognized that they were preparing a petition considered by that government to be valid! There's a comma before "and" fortunately; just as there's one after "State" in the 2nd, both physically and, more pertinently, semantically.)

Yes, the "preamble" to the 2nd amendment confuses some people, but if you're right (and I believe you are) that the founders meant to ensure we could throw off tyrannical government (after all, isn't that exactly what they wrote was their, and our, duty in the Declaration of Independence?), it's no longer possible for me to accept that "security of a free State" somehow means "preservation of a (possibly tyrannical) government" -- that the right to keep and bear arms extended only to those the government approved as members of its militia ("military", as some would have it today) -- especially since I can't see how such an amendment would even be necessary in a document designed to limit, rather than merely authorize, that very government!

More and more I'm convinced that the true genius of the USA is its grounding in the core concept that the people, themselves, are ultimately responsible for their own safety, security, and governance. However, I'm continuing to think about and research these issues, perhaps to someday post some material on my web site, since they pertain not just to human government, but to designing large-scale systems (software and otherwise) as well.

Re:No wiretapping without a specific warrant

[cburley]

f you aren't doing anything wrong, why do you care if they install cameras in your house? If you aren't doing anything wrong, why do you care if they install microphones in your bedroom?

These days, if "they" have installed all that equipment in your house, you had better be doing something "wrong"...

...else the ratings will go down, the advertisers will pull out, and the equipment will be removed!

(Okay, maybe not so much "wrong" but "naughty". ;-)

Re:Just a thought.

[cburley]

NO REASONABLE EXPECTATION OF PRIVACY

I generally agree with this line of reasoning. Though, the "people", i.e. the government they elect, have the right to decide whether the public airwaves will be regulated not just in terms of broadcasting but in terms of reception, so there is some wriggle room there.

I just think it's more fair to expect those who broadcast -- even by wireless phone -- to meet stringent standards than to do so of those who receive broadcasts. Put the burdens on those who choose to exploit the public airwaves than on those who merely listen in, is my general leaning.

Maybe the USA's choice of restricting reception is based substantially on a pro-corporate mind-set in Congress and the White House -- "we can't have people listening in to cell calls without the threat of punishment, else our cell-phone companies wouldn't earn so much short-term profit!"?

It pretty much always bugs me when corporations expect government to regulate and otherwise bail them out when the corporations choose to deploy (or just use) weak technologies or expect inadequate business plans to pay off handsomely. (Ref DeCSS, DAT tax, etc.)

(Yeah, I'm a Republican, but one with a strong Libertarian, and engineering, streak. I don't just "want" smaller government for some personal sense of freedom; I believe anything much bigger than a minimal government will fail at its core mission. Leave it to the corporations to use technologies that preserve privacy, and to consumers and citizens to be alert to privacy issues and choose technologies accordingly, is my general outlook. After all, just as many corporate officers and their lawyers seem to believe they're entitled to huge profits despite poor business plans and/or execution, many citizens believe they're entitled to health care, food, housing, a nice early retirement, etc. -- all at someone else's expense, if necessary. Our nation started selling off its peoples' freedoms long before the War on Drugs, even before the War on Poverty -- seems like the New Deal was the first big jump from self-sufficiency to government-enforced collective inter-dependence. In that environment, it's not surprising corporations, run by many of these same citizens in a country still enjoying a great deal of entrepeneurial spirit, would adopt similar views, and even see them as important to defending the USA's viability for business entities in the face of rising confiscation to meet the increasing entitlements. No, these views are not popular; I post them not to debate, having heard all the counter-arguments, but to give them the occasional airing they deserve in contexts where similar issues are argued in a simpler context. I realize most everyone here will argue for preserving the liberties to which they're accustomed, and for preserving their entitlements as well -- that's not news here or pretty much anywhere else. So, governments -- US, Canadian, or otherwise -- are therefore patted on the back for making "good decisions" almost exclusively in cases where they do not choose to permit individual citizens to make those decisions for themselves. This discussion of the impliciations of the FBI activities is therefore a welcome change of pace!)

Re:The FBI is looking out for you

[BadERA]

And what if you're a "criminal" only as defined by an unjust law? This only further exacerbates the potential harm that can be caused...

ummm...first?

[hlprmnky]

Is this a first post? I couldn't resist. Also, I am amazed that this type of information (FBI wiretaps of e-mail accounts) should surprise *anyone*.

Re:can and string

[Vanders]

Have you never watched the Simpsons? Tapping this sort of Can & String communications protocol is far too easy, it's how Millhouse was found when he ran away from filming the Radioactive Man film. :)

Re:Time to fire up GPG...

[ClubStew]

No it won't. I've been following this for a while and a small group of us through the Mozilla newgroup might start working on a project to add it in through Mozilla's nsCOM interfaces (so much easier now without the explicit plugin API). There is, of course / as always, government restrictions on Americans exporting certain grades of encryption with certain ciphers (but no restrictions on them watching us!

Supposed backdoor in M$ CryptoAPI to help FBI?

[ClubStew]

Sometime back there was a bunch of news flying around about a supposed "backdoor" into Microsoft's CryptoAPI for use by the NSA. Now, even while I agree that PGP is the answer, I'm sure there's those who will use SSL certs through Outlook Express or something that might give way to that supposed backdoor. So now, I guess, we will find out (somehow) if that rumor was correct

If it exists and if the FBI has access to use it, someone's gotta say something eventually (the FBI can't hide the aliens or Mulder's whereabouts for ever!)

Encrypt to slow down?

[Trinition]

OK,s o we could all encrypt our e-mail, right? Sure, thney might still be able to crack it, but it would take them longer to do so. If enough people did it, it would create a traffic jam in their system.

Re:Secure Communications

[ChrisGB]

I heard about a guy who owns an Island off the coast of Britain somewhere. Because it wasn't in British waters he had it effectively setup as his own country. He had his own laws, his own money and you needed a passport to get in.

There was talk about him hosting servers there to allow people to be free from the usual laws of the UK. Of course this then threw up the argument that only porn hosters and drug barons would be interested or have reason to use this kind of protection - typical ;-)

Re:Secure Communications

[nlvp]

Actually, he was in British waters and that's why they article thought he probably wouldn't succeed.

Here is the link: On the BBC News Website

and you might enjoy the book Cryptonomicon by Neal Stephenson, which talks about offshore data havens and is a reasonably good read.

Re:its interesting to me...

[tensionboy]

heh, you should learn to recognize a troll when you see one.

its interesting to me...

[tensionboy]

... that this doesn't make people want to go out and bomb federal buildings. If your postal mail was being critiqued to this point, or if a private citizen (or the ISP itself) was invading your email privacy like this w/o apology, there'd be hell to pay.

or have we all become so passive as to let this slide somehow?

Lawsuits over DeCSS and Napster - i'd love to see someone take this one on.

Re:its interesting to me...

[wholen1]

Bombing anything does not equate with making a stand. How can one consider that to even be a intelligent statement?

How silly to expect the deaths of 300 people to be equal or justified to stimy the ability of someone to tap your email.

Here on the other hand are some intelligent questions, and if you don't know them - then you should not post about how 'bad' things are: What are the names of the congressmen and women that represent your district on the state level, in both houses. What are their addresses? What are the names of the congressmen and women that represent you on a Federal Level? What are their addresses. How many more years do each one of them have until re-election.

You see, the only revolution worth fighting at this point is one on a low-level political battle. The theory is that we outnumber them, we have the power, we can make them do what we want, but we actually have to take some action by contacting those whom we have elected to represent us.

It's a scary thought, because they probably won't even finish the letter that starts out with, "We gonna bomb if'n we don't get some dad burned change around this here nation. This is what we want.. " W1 OHP since 93

Re:The FBI is looking out for you

[jejones]

Hmmmm. FBI raw data from interviews for security clearance are supposed to be private, too, but that didn't stop the Clinton administration.

Re:they DO require a warrant

[jejones]

Do they need the warrant to access any data from it, or do they just need the warrant to access data about a specific person? Seems to me that they could be getting a lot of data from traffic analysis without necessarily targeting a specific person.

3rd time this week

[datadictator]

we're seeing a story on privacy invasion !
And it's only Tuesday ?

Is it just me or is there a very scary pattern emerging here ?

Duck, Echelon lives !

Re:A good invention

[datadictator]

If they get the kina spam I get, knowing the IQ of the average FBI Agent I am guessing a lot of them is gonna be signing up at
teenage-bestiality.com
I can just imagine the looks on those spamming bastards faces when they see a registration by agent_smith@fbi.gov :-)

carnivore

[kpeerless]

While I'm bitterly unhappy with the carte blanche given the Canadian not so secret service as far as wire tapping is concerned, I at least have a little input here, in that I get to vote for the government. The thought that the FBI is perusing my email drives me into a white rage. But then what would you expect from an orginization that allowed a twisted dork like J. Edgar to man the helm all those years. I wonder if 'fuck the FBI' triggers their little animal?

Re:If a data stream runs through a computer....

[KahunaBurger]

and you believe the feds ? why ?

Because I'm not paranoid? Because the system saves them man hours and computer time? Because the entire point of the report is that this new system replaces a system with less filtering? Because the privacy advocate who I was mocking accepted the same premises that I do and yet still managed to be paranoid about it?

Mostly because I'm not paranoid. And because the article stated that courts have already upheld the system. but hey, maybe the machines really aren't wiretapping at all, just trying to get enough information on every single person that they can plant false messages and frame anyone on earth for whatever they want! does that make your paranoid little mind happier?

-Kahuna Burger

not a lot

[KahunaBurger]

This was 100 times in one year. The first year even. That seems like kind of a lot.

not really. The article said that it was availble to both federal agents and state agencies, right? So of all the investigations of all the state and federal law enforcement agencies over a year, in under a hundred cases did they feel it would be useful to investigate email communications. It would have helped put it in perspective if they said how many phone wiretaps were used in the same amount of time. probably hundreds of times as many.

-Kahuna Burger

Re:not a lot

[blameless]

The last thing the FBI wants to do is put it in perspective.

Re:If a data stream runs through a computer....

[KahunaBurger]

It would be TRIVIAL for an ISP to setup their mail server to blindly send copies of all messages and ONLY messages to and from the person being monitored to the FBI system...instead they insist on having THEIR box process EVERYONES messages.

Funny isn't it? Everyone gets their panties in a wad about the government getting warrents to check your email, but you flat out say that IPS's could redirect and read your email without anyone knowing, and no one cares? You know, you can bash my veiw of history all you want, but I trust my government more than any business on the planet.

Oh and yeah, I know history and I still think you're paranoid. We don't live in a police state, no matter how much you'd like to believe it.

-kahuna Burger

Re:4th Amendment anyone?

[KahunaBurger]

As for the other part of your closing line, I don't know what you could mean. I can't see how you could possibly claim money, without ignorance, to be a reason to vote to support a huge, corrupt government that can't steal enough money from the people to support its rampant spending.

It was actual a reference to a private momento to my past that I keep in my wallet to remind me that people can emerge from the suckiest of situations when they are not abandoned. I have yet to meet a libertarian who really cared how his politics would have effected my real life had they been in place. One accused me of "bringing emotions into it" for even bringing the reality of my life up (this in the same conversation where he "proved" that property rights were the most important of all rights because people didn't like it when he grabbed their hat's right off of their heads. Dork.) The comment was intentionally ambiguous. Meanwhile...

Your assertion that a warrant that allows the government blanket access to the private email of every customer of a "suspected criminal's" ISP does not constitute "unreasonable" is laughable.

Honey, when they work with the phone company, they have theoretical access to "every customer". Access by their machine is irrelevant if it only gives them access to the filtered data.

And no, you don't have to think that every person on earth is out to get you to be paranoid. And why would a libertarian need to think that clinton et al had our best interests at heart? These are the people who believe we can turn education over to corporations whose only interst is in the bottom line, and the "hidden hand of the free market" will make them all as lambs. I happen to believe in the not so hidden hand on the ballot that holds politicains in line.

-Kahuna Burger

Re:Automated Search Warrant Request Software

[__aapbgd5977]

This is one of the most ridiculous things I've heard. It takes a Judge or Magistrate to issue a search warrant - you can't get one with just an automated web engine - law enforcement has to apply for them, and the applications are almost always in person, with cop and judge in the same room. And the things are difficult to get, especially ones involving a wiretap. You have to be unable to get sufficient evidence by any other reasonable means. Further, Judges closely supervise the implementation and conduct of wiretaps, and those wiretaps are required to minimize the monitoring of conversations unrelated to the crime being investigated, even conversations with the suspects, let alone others not involved in the investigation.

To get back close to the real topic, the fact that the government can sample a large volume of mail for a couple of keywords is minimized - only things relating to the crime are pulled out of the stream. And like other posters have said, if you don't encrypt your mail, that's like sending a postcard - anyone can read it.

The rest of your comment is just silly dogma. Too bad a search of Dogpile and Google didn't find anything even close to what you are claiming. I'll resist the temptation to flame you vigorously, but needless to say, your post is quite inaccurate in just about every aspect, from your claims about software, to your claims of vast archives of records tracking you on the internet.

People express quite a bit more disagreement when they've been a victim of crime, and the criminal's privacy is held more important the victim's life, liberty and property.

ObDisclaimer: I am an attorney, but this is not legal advice. Consult your own lawyer before acting on any information contained in this post.
==
"This is the nineties. You don't just go around punching people. You have to say something cool first."

i have a great idea that will protect us all

[provolone]

how about we put electronic collars on everyone and shock them when they do something we dont like of course we would determine this democratically so it would all be ok . what ? you dont like this ? i bet youre a criminal arnt you and you just want to steal or murder or do other evil stuff . we voted on it democratically didnt we ? maybe you should have done something about it then . what ? you werent represented ??? this is democracy of course you were . this may sounjd extreme but its only a matter of time before something like this happens i just hope that america turns around before we get there

Re:Read the article...

[amh131]

Here is the problem I have. The "data source" is not a "known one". They are not listening to "His line" they are listening to the whole ISP. Even if its just a header grep...they have NO RIGHT to recieve and look through ANY data except that which comes from or two who they are looking at...even if it is JUST a gheader grep.

But it's unreasonable to require FBI agents to wear blinders and earplugs in case they observe a crime that they weren't directly investigating!

Satellite phones

[ArchieBunker]

Ever hear of those cell phones that use satellites instead of relay towers to communicate? People use them all over europe because you don't need towers built everywhere and the sound quality is much better. You will NEVER see them in the US because the government can't easily tap into your conversation.

Re:Satellite phones

[grahamsz]

Umm i've travelled fairly extensively in europe and I live here too and i've never actually seen one of these phones.

Certainly they do exist but they are about the size of a suitcase, cost thousands of dollars + several doller a minute in calls.

Personally i've never seen cell networks like the ones in finland and estonia.

Finland deserves credit because i've travelled up north into the country and still get a better reception with a Uk cellphone than i get in my apartment in central Edinburgh. Not to mention that they have boosters every few metres along the subways so you aren't ever out of touch, and cells on every single goddam rock that sticks out of the sea too :)

Estonia on the other hand deserves equal amounts of credit for developing a network to rival the UK ones and yet only 10 years ago they were part of the USSR and the rate of growth there is just mindblowing.

Re:No wiretapping without a specific warrant

[aozilla]

"I'll do ya one better. Why shouldn't a letter sent via electronic means not enjoy the same protections as a letter sent by the post office? Correct me if I'm wrong here, but tapping into a phone line isn't a federal offense, where as opening someone's postal mail most certainly is."

This is public data. You're sending it unencrypted through a public network. Why shouldn't this enjoy the same protections as a POSTCARD sent through the post office, i.e., they can't interfere with the delivery, but reading it is perfectly legal. If you go in front of a police office and start yelling about crimes you've committed, is it an illegal search for the cops to listen to it?

Right. This doesn't sound like a tragedy...

[shren]

The FBI defends Carnivore as more precise than Internet wiretap methods used in the past. The bureau says the system allows investigators to tailor an intercept operation so they can pluck only the digital traffic of one person from among the stream of millions of other messages. An earlier version, aptly code-named Omnivore, could suck in as much as to six gigabytes of data every hour, but in a less discriminating fashion.

To effectively spy on a known or possible criminal, one needs in this day to watch thier electronic mail as well as thier phone. And, supposedly, they still have to get a court order to use the system.

So it doesn't sound like a tragedy or a monstrous attack on human rights. There are people that I want the government to spy on - terrorists, organized crime, and the like.

One thing that does make me happy about this, as well, is that it seems to indicate that the NSA is following it's charter of not spying on American Citizens, because the FBI has this as a seperate project from the NSA.

Re:I'm a loser, so it doesn't matter

[bendude]

do

The law is the law, we cannot pick and choose which laws apply to us and which don't. Anyone who breaks the law is a criminal. No need to look at the situation involved, most people in western society are prepared to take you for a criminal should they hear that you regularly break the law. Now, bring on laws which are impossible to keep. Legislate thick and fast so the punters don't even know what's hitting them. With the right mix you can make everyone a criminal. The laws will mean less and the punters will start to ignore any laws that get in the way. Now we've got a good proportion of society who are becoming serious criminals. Tell everyone that they need you to protect them from all the criminals. Increase your powers and make more laws to ensure that protection.

loop



A Polish Catholic preist once said (something like) "When they came for the Jews, I didn't want to cause any trouble so I kept my mouth shut. When they came for the blacks, It still wasn't my fight so again I said nothing. When they cane for the Gays, and other undesirables, I figured that speaking up now was a bit ridiculous since I'd said nothing yet. When they came for me, there wasn't actually anyone left to speak up for me."

Re:Automated Search Warrant Request Software

[fridgepimp]

Well,

I don't know about the rest of the towns you live in, but Search Warrents are easy to get. I think I've posted this before (wiretapping are harder to get). It takes approximately 15 minutes from the unwarrented knock at the door to the knock w/ warrant in hand in our town (small, nw washington...less than 100k ppl).

The process works this way:

Officer: Sir, I'd like to come in your house. Your neighbor's brother's sister's cousin said you might have a gun, and based on this we would like to search your home.

Homeowner: What? Umm...What is this about?

Officer: Sir, I think you know what I'm speaking about.

Homeowner: Well, I think you're going to need to get a warrant before you come making demands like that.

Officer: Ok, be right back. (Walks back to car, picks up radio) Hey dispatch, I need a warrant...wake up that judge. (waits for judge to be patched through, busts out his warrant form, fills it out, lists "asked me to show a warrant, I think he did it" as his probable cause, raises his right hand, swears an oath, gets approval, and signs the judge's name to the warrant, returns to door) Sir, I now have a warrant, please step aside.

Homeowner: WTF? (Watches his house get ransacked).

The following story was related to me (along with a number of others) by our County Prosecutor at a breakfast I attended. He was attempting to reassure us that Law Enforcement had very few practical limitations on it's exercise of power...therefore we could sleep easy at night knowing that.

-fp

suprise! I think NOT.

[brainchild2b]

Is anyone suprised at the FBI? Think:

Give someone unlimited power.
Add in unlimited money
Add in awesome technology

What would you do? Power Corrupts.

If you are really worried about security then send your data in STEGO pictures to hide it. Don't encrypt it so much. A STRONG WALL invites a beating... but a wall you can't detect well, YOU will live it the HELL alone :-)

Re:4th Amendment anyone?

[a42]

It does not matter what the FBI says, they may not do this and be in compliance with our Constitution.

Actually, it all hinges on what the courts determine to be unreasonable. Thus far, they seem to feel that it is not unreasonable to infringe on the privacy of many in order to root out the wrong doings of a few. If you read the 4th amendment too much you might start to think that random drug testing is unconstitutional -- what is more unreasonable than seizing the contents of ones bladder without probable cause (not to mention that it can then be used to incriminate you) -- yet it happens all the time.

Re:4th Amendment anyone?

[a42]

as long as the participation of the testee is voluntarily. If it is demanded by that person's employer--even as a condition of their employment--it is fine.

That's subject to interpretation. Yes, I am free to quit my job if my employer requests a drug test. I'm also free then to lose my house and starve. I've gotta think that violates my "right to be secure" as guaranteed by the 4th.

As such, this practice violates the rights of the very soldiers who are sworn to defend those rights.

I could apply your "right to quit their job" argument here and say that, since all armed service is currently voluntary that these soldiers voluntarily gave up their right to refuse. Having been one of those soldiers (or sailors as the case may be) I won't because I don't think it is a particularly valid argument.

Re:I'm sure they filter...

[Ron+Harwood]

Hmmm, touché.

Re:Source code to Carnivore

[Ron+Harwood]

egrep -i 'free.*sex.*pictures' $mbox ; if [ $? ] then mail agntbob@fbi.gov $mbox; continue; fi

That part is especially rich...

Email Wiretapping

[sxpert]

Seems that the cases for which the software has been used featured stupid people.
if I was to do some sort of crime, I would definitely tend to encrypt all communications...
This is similar to the echelon crap. It can go through plain text, but encrypted stuff is another matter.

Job killer

[fleener]

Just another example of computer automation stealing blue collar jobs. The boys back in Flint, Michigan were really looking forward to ritzy desk jobs reading e-mail.

I doubt the FBI would allow this

[J.C.B.]

I'm not a lawyer, but I would think that the FBI and the Courts wouldn't let an ISP encrypt mailserver traffic so that the FBI's wiretap would be useless. I'm sure if this became commonplace. A part of the authorization for the wiretap would contain a clause that say that the FBI get access to and unencrypted connection.

Remember J. Edgar Hoover? He'd look at your mail.

[J.C.B.]

We have no guarantees that the FBI is only looking for criminal's email, and no way to verify that they are doing what they say they are.

So what's stopping the FBI from collecting personal emarassing info on prominent Americans and other people they don't like?

Hoover did this all through his tenure as Director of the FBI. He had dirt and unsubstantiated rumors on hundreds of journalists, celebrities, authors, politicians, suspected communists, etc, etc. Just think of what they could do if they can read your email.

Internet spies (who IS the penisbird?)

[Sonicboom]

The .gov is watching EVERYTHING we do online!!!
That "penisbird" is not just a harmless troll... it's probably a government fronted spy operation.

Secure SMTP?

[ZZane]

Are there any Secure SMTP systems out there? Basically an architecture somewhat like SSH in that the protocol basically remains the same but operates on a different port and encrypts all incoming/outgoing communctications and possibly encrypts the message store. If we could come up with a standard system for this (with the encryption portion developed outside the US in a country with lax encryption export control) it would solve a lot of the wiretapping/sniffing issues with e-mail. It's not difficult to do and since user's wouldn't have to interact with it directly it shouldn't be hard to implement seamlessly.

As for encrypting to the client that's a little more difficult since you'd have to have client-side support but still easily doable. Eventually things like this will become standard, so why not do it now? :)

-Zane

:Carnivore Article

[jack.tar]

Wow! Never having been to an MSNBC article before, and having my browser set to warn me before accepting cookies without permission, I was mildly surprised to say the least. I am a privacy person, and as such, I will "screw" with cookies. Sometimes I will accept the first two and decline all others, another time I will alternately accept and decline or do as I fancy. There is nothing on the www that is more important than my privacy. It would appear that I will never read an article on MSNBC.com since I counted and rejected over 103 cookies after accepting the first one. But it doesn't end there. It seems that they run in threes...cancel, cancel, cancel and try to hit the browser's back button before the next group of threes arrives. I guess that this is really "surfing the web" as waves come in predictable patterns most of the time also. (It took 27 more cookies before the back button worked, that works out to nine more groups of threes before my dexterity was up to the challenge of hitting the back button in the interim.) I guess that having MSNBC cause me to just close my browser would have hurt my feelings as a Linux user, so I did bear with it (and count them) until I prevailed. I have no comment on this wonderful article as I guess that I will never get that far if I was to repeat the process. If, however, there was to be a consensus on "Cookie Monster", this one would be my nomination.

Re:The MSNBC link is an idiot

[jack.tar]

Are you saying that it will eventually load? Perhaps I gave up too soon? Perhaps I will try again...or not...

Very simple idea ...

[sparkz]

The GPL requires that any software based upon the original also be GPL.
Would it not be possible to release an encryption system (even as simple as "a=b, b=c, c=d", etc so that HAL becomes IBM), get it widely used as open-source, under a license which states:
This software is available for free use, modification and redistribution by all, excepting decryption by any other than the intended recipient - and of course, the intended recipient is always in plaintext
Then if any gov't used any evidence based on "decrypting" the simple code, all you have to do is show that the mail was encrypted with that software, and countersue the goverment involved....
Okay, if I was plotting assasinating the US President I'd be disinclined to use something simple; use PGP or something as an "extra", but the point is that even a simple code with the correct legal terming would make it impossible to incriminate yourself by using the software.

I am in the UK where we are under threat of the RIP (Regulation of Investigatory Powers) bill - suitably named in a Reverse-Polish stylee, which has terrifying consequences!

Re:Why is it ISP wide?

[Metrol]

What you're thinking about could only be implemented if the FBI's box were aware of what IP was being handed out to which phone number. Even then, if the caller has blocked his caller id then that would fail as well.

The only way to just drop a box in to sniff would be to sniff everything that is moving across that ISP's network. Even if the ISP was using a static IP for that customer, the FBI box would still have to be exposed to all the rest of that network's traffic. It's the nature of the beast.

Far as I'm concerned, the FBI should not be granted the authority to enter a private business to do snooping. If they want to get at a specific person, they should have to do so by tapping their phone line at their home or office, just like the days of old. Private enterprises should not be at the whim of criminal investigations, warrant or not.

Re:PGP is not the answer

[Metrol]

Frankly, I don't really care if CSE, CSIS, FBI, NSA, CIA, KKK, FSB, - whoever - reads my mail.

Frankly, I don't care that the National Socialists are taking Jews off to live in camps. I'm not Jewish, so this has very little impact on me.

So it seems they're arresting people who have spoken out against them. I don't speak out, so this has little impact on me.

Oh, now they've got a party member assigned to every social club in the country. I don't belong to any of those, so this doesn't impact me either.

...Shall I go on?

Spook the Spook

[Lan-Z]

So the CIA is monitoring the FBI and the NSA is monoriting the CIA. Were does this stop you ask? It doesn't, it never will!! You have to live with the fact that everyone is spooking everyone. It just makes you wonder who is at the top.

Re:Secure (oh yes? :-) ) Communications

[grahamsz]

Well why not use 2048 bit DSA encryption like everyone over in Europe does?!

Re:Secure Communications

[grahamsz]

Yes the island is Sealand and the server hosting company are HavenCo. Admittedly Ryan Lackey (was that his name) dissed the idea that we could get @havenco.com addresses but I think he read into that as a problem with their own security since people could register like admin47@havenco.com and piss about like they do on hotmail.

Perhaps we could apply to their free colo department with a proposol for offering SSH and PGP based email services to the masses. Certainly not @havenco.com but something else could be sorted surely.

Re:I know what the FBI use it for

[grahamsz]

I dunno, i've never trusted David Duchovney very much :)

Re:Secure Communications

[grahamsz]

Well yes I mean like hushmail.

However hushmain are based in Texas, for all we know they have a carnivore in their building munching up peoples private keys.

Admittedly a sealand hosted one, well we couldn't know about that either, but at least it's significantly less likely that the sealand authorities would bother snooping on communications.

Re:ANother reason to use PGP

[pjl5602]

Yeah, but the problem is the fact that the PGP key management does not scale well.&nbsp Sure, it's easy to have the keys of a few of your buddies, but how easy is it to get the keys from joe-blow off the net?&nbsp The user did not register their public key?&nbsp Which registry did the user put their key on?&nbsp PGP v2.x? PGP v5.x? Clueless user does not understand how to send their public key? Makes it a bit of a pain in the ass.

X.509 certs might be a better way to go since it has the URL of the LDAP server from whence you can get the individual's public key.

Re:ANother reason to use PGP

[pjl5602]

Somehow, someway, I need to verify that it's really their key, and if I couldn't find their key before, I could get it then.

Right, and this process does not scale.

x.509 certs place the burden of proof on the organization signing the key.&nbsp So, you then need to trust the signer, but typically their terms and conditions will be available for you to take a look at to see if you find their verification process valid.

Re:ANother reason to use PGP

[Requiem+Aristos]

I wouldn't trust the keys from joe-blow just because they had the same name and addy attached. Somehow, someway, I need to verify that it's really their key, and if I couldn't find their key before, I could get it then.

Also, I would use both PGP and x.509. You can exchanged mail signed with an x.509 cert to transfer/verify the public key. I have not found an easy way to do general encryption with x.509 certs the way I can with pgp. Besides, how many webmail places will verify an x.509 signed mail?

For the best of both worlds, have Thawte sign your PGP key. Most pgp registries mirror, and the clueless users are likely using the windows version which makes registering keys painfully simple.

Re:This would be a surprise?

[psydeshow]

What do you mean "forged"? That email has your electronic signature on it, which makes it legally binding, etc etc.--- can you prove it WASN'T you that pressed the send button?

Re:ANother reason to use PGP

[Lathi-]

Is this site legit? It seems so, but is difficult to believe. The page appears to be a fragment of a larger site, but there is only one link (and to a bogus domain). Who can vouch for this site's authenticity?

Since they scan...

[perlprog]

Their application scans for specific words or groups of words. Everyone should include hot words that would bog down their efforts. Emacs has such a macro to include a handful of these terms.

Ha, that's the heart of it

[Perianwyr+Stormcrow]

At least governments have, in name, some sort of guiding principle that can be called upon.

Corporations have no such thing, and it's quickly becoming clear that the real threat to your privacy nowadays is corporate, and is aimed at your quality of life.

This is not to say that the government doesn't put its fingers where they don't belong- indeed, I'm sure we are abused far more than we know in this regard, simply because it is so easy to do so- but I worry far more about individuals and companies stealing my information than I do a government agency. A few reasons:

1) The government agency probably already has a stupefying amount of data on me, and I probably give little motivation for it to collect more. I don't overestimate my own importance here- surveillance takes real man-hours- and I'd be inclined to think I'm not worth it at the moment. This does not stop me from using PGP/Hushmail simply because I feel like it, though.

2) Businesses can make a lot of money with just a little personal information. Defending against long-term, incremental profiling is extremely difficult, and companies likes Doubleclick have been dragging little bits of info out of me long before I even knew they existed, and easily assembling them into a whole, I'm sure. Contrast this with government surveillance, which must be more intensive and longer-term to gain anything meaningful.

Basically, the government needs to work harder to invade your privacy, and you probably aren't worth it. On the other hand, invading the fringes of your privacy is very profitable for business.

--Perianwyr Stormcrow

If the law is unjust...

[Perianwyr+Stormcrow]

the concept of civil disobedience in no way makes you exempt from the consequences of that law. It simply means that you are deliberately protesting the existence of said law, with your own self-sacrifice.

Would you be willing to spend time in jail to defend your right to encryption? Something tells me that most people posting here probably wouldn't.

That's what is most frustrating to me: if you want to fight the rise of a police state, let's actually fight it- let's analyze the system that lets the FBI get these warrants under circumstances we consider questionable- not simply fight the technologies that we *find out about through the media*, and are probably not even half of the whole story. Vote for professional gadflies. Become one yourself.

But don't just be the moral equivalent of a me too poster, vulnerable to Slashdot Privacy Hysteria.

--Perianwyr Stormcrow

IPv6 and Internet Wiretap

[rcarsey]

It'll be interesting to see who pushes for IPv6 with its native encryption. Will ISP's and lawmakers push for this technology which will inevitably come sooner or later?

Re:4th Amendment anyone?

[toph42]

"...you might start to think that random drug testing is unconstitutional"

Random drug testing in no way violates the protections granted by the 4th amendment, as long as the participation of the testee is voluntarily. If it is demanded by that person's employer--even as a condition of their employment--it is fine. Every employee has a right to quit their job if they don't agree with the policies of their employer.

However, if the government mandates these drug tests, without consent of the tested, then 4th amendment rights are infringed. For example, military members are randomly tested, and refusal to cooperate is a violation of the Uniform Code of Military Justice. As such, this practice violates the rights of the very soldiers who are sworn to defend those rights. A harsh irony indeed.

Topher
Got Freedom?

Re:4th Amendment anyone?

[toph42]

Paranoia is one of the many reasons I don't vote libertarian. I keep one of the others in my wallet.

Webster defines "paranoia" as "a tendency on the part of an individual or group toward excessive or irrational suspiciousness and distrustfulness of others. I do not distrust everyone, and a distrust of the government is by no means irrational. Do you mean to say that you feel that people like Bill Clinton, Al Gore, &c. are deserving of blind faith in the driver's seat of our lives?

As for the other part of your closing line, I don't know what you could mean. I can't see how you could possibly claim money, without ignorance, to be a reason to vote to support a huge, corrupt government that can't steal enough money from the people to support its rampant spending.

Your assertion that a warrant that allows the government blanket access to the private email of every customer of a "suspected criminal's" ISP does not constitute "unreasonable" is laughable.

Topher
Got Freedom?

Re:4th Amendment anyone?

[toph42]

FBI agents have protected us from suspected criminals and subversives well in the past - John Dillinger, Martin Luther King, and John Lennon come to mind.

John Dillinger was created by the government. Prohibition (a great mistake that apparently taught nothing) created a black market that made gangs and gang warfare profitable. We are once again in the same situation, with the so called "War on Drugs" creating a wasteland of gang activity.

Perhaps you are just a white supremacist, but I can't see what makes you believe Dr. King was a criminal.

Cool it and cut the paranoia. The United States Constitution set up a system of checks and balances to prevent abuses of power by any one branch of government. The FBI has proper authorization from Congress for these activities.

Yes, there does exist a system of checks against government abuse. However, they are being ignored and the apathy of people (such as our AC here) is what is allowing it to happen.

It doesn't have to be this way. We can fight now with our vote, and reclaim the freedom being stolen from us by fatcat bureaucrats. Vote for a President that will end the insane War on Drugs, allow you to live your life as a free American, and restrict the federal government to its Constitutional limits. Harry Browne is one.

Topher Got Freedom?

Herbivore!

[cthulhubob]

Carnivore is actually version 3. Herbivore enjoyed some success, but was quickly discontinued once it was found that it could only check to see whether the carrots were instigating a mass-uprising against the government.

Little do they know...

I have heard the tortured screams of the vegetables! For it is Harvest Day - and for them, it is the Holocaust!

Re:PGP

[RyuMaou]

Absolutely! This is the main reason Windows NT, and now Windows 2000, is so insecure. They were both developed with *usability* in mind, not security. Now, any security that's added on is suspect because it relies on code that is inherently insecure!

If it's a secure system you're after, first design in the security, then make it user-friendly. Oh, and don't forget to take a page from the designers of IPv6 and make it ungradable and backwards compatible, too. (No wonder security consultants get paid so much!)

Cheers!
RyuMaou

expect this from the government

[eufaula]

about par for the course from the government. First we have the telco's wiretapping phone calls and listening for keywords (rememeber that movie - bomb, president, and allah in the same call) and there you are on their list of people to watch. although they are just using it for criminal investigation. yeah right. now they are telling us that they have this technology to use "when ordered." hmm..... bet i'm already a suspect....

Re:Unnecesary Paranoia?

[SigVn]

So...If somebody dresses in a manner that offends you, you feel that it is Ok for them to harrased by the cops.

Reminds me of a line from The Dead Kennedys

"It's the Suede-Denim Secret Police. They have come for your uncool nice"

And that is sorta what the whole topic is about Eh?

Re:Time to fire up GPG...

[SigVn]

But your Goverment is not going to opperess anyone. NO REALLY. Just ask them. YOU: Are you going to oppress any one? US GOVT: No. Of course not. What would make you think a thought like that. Silly boy (girl, whatever) are you paraniod or something?

Re:Secure Communications

[SquadBoy]

They have banned *kiddie* porn. Which IMO is a good thing and as for spammers think of the scene in the opening movie for Fallout where they put the one guy on his knees and shot him in the back of the head. That is what should happen to spammers so either way unless you need to die in a big way this is not a bad thing about Havenco.

As far as drug trafficing...

[AntiPasto]

I hope they don't go after the average stoner, 'cause I think if you're high you might tend to just giggle at the letters "PGP" than use it...

----

feature, not bug!

[streetlawyer]

?". How would you like your every email to be archived in your FBI file and then subject to exploitation by your political opponents? "Candidate Jones once made a joke about black people being shiftless. It's here in this email he sent to his sister in 1998."

While I am undecided on this particular wiretap proposition, I would have thought that this would be a feature, not a bug. Someone who makes jokes about black people being "shiftless" in emails is unfit for public office, and as a citizen, I have the right to know that I'm being asked to vote for a Kloset Klansman. I'm not sure the FBI are the right people to be holding this information, but someone ought to.

Re:feature, not bug!

[John+Jorsett]

I'm not sure the FBI are the right people to be holding this information, but someone ought to.

Now this is frightening. You're actually willing to have some agency keep track of your private communications so that they can be examined for thought crimes. People who are so willing to give up their freedoms for some perceived 'higher good' just amaze me.

Re:feature, not bug!

[ethereal]

Someone who makes jokes about black people being "shiftless" in emails is unfit for public office, and as a citizen, I have the right to know that I'm being asked to vote for a Kloset Klansman.

So you've never done or said anything in your life that wasn't politically correct? Even back before there was a concept of politically correct? Never told or laughed at a blonde joke? I hope you never plan to run for office, then - I guess you wouldn't get your vote.

The public will just have to continue to evaluate candidates on the same basis that we evaluate each other - based on what they say and what they do in public. You have no right to anyone's private communications, and without a court order neither does the government.

Re:No wiretapping without a specific warrant

[b0r1s]

Now here's an argument for better encryption.

Um, everything's an argument for better encryption to /. readers isn't it? I resort to the oldest argument against encryption: if YOU aren't doing anything wrong, why do you care if THEY read your emails? Take, for instance, the emails I wrote this morning. If the FBI wants to hear about how drunk I got over the weekend, I'm sure they'll enjoy these little tidbits of informations. If, however, they're looking for stories about people planning a nationwide terror campaign, I'm sure they're realize they read the wrong email within a few seconds, and most likely delete it.

Obviously, I can sympathize with businesses concerned about "confidential" traffic, but if what they're sending is really that important, send some peon from the mailroom to deliver it personally.


================================================ =
If ignorance is bliss, wipe the smile off my face

Re:PGP

[John+Jorsett]

E.g. if I'm chatting through ICQ with a friend, the connection used by the two clients would be automatically encrypted.

Freedom from ZeroKnowledge Systems can do this for you, although to get the full benefit, both of you have to be using it. I agree that it would be nice if these features came built-in, but one difficulty up to now was the export controls the U.S. put on strong encryption products. No U.S. vendor wanted to be excluded from the rest of the world by building this into their products. There was also, to be honest about it, not much of a demand for it, either.

Re:PGP

[John+Jorsett]

. With SSH you can scramble any connection. So, why not scramble the traffic between mailservers?

This works until the FBI (enabled by congressional legislation) gets around to establishing a system of "black boxes" like Britain's, where all the email traffic in the ISP gets routed through the government's hardware. Only end-to-end encryption can be relied on.

Re:The FBI is looking out for you

[John+Jorsett]

The current Presidential administration shows the folly of saying 'I'm not a criminal, so who cares?". How would you like your every email to be archived in your FBI file and then subject to exploitation by your political opponents? "Candidate Jones once made a joke about black people being shiftless. It's here in this email he sent to his sister in 1998."

I'm continually alarmed by the people who think anything the authorities want to do is ok, because they're 'helping' us. My personal correspondence belongs to me not anyone else, and I shouldn't have to wonder about who is reading it besides those I want to. The Constitution requires warrants to be issued for very good reasons, and those reasons apply here.

Re:It's a waste of time & resources.

[Ian+Wolf]

You'd probably be surprised. Most criminals can be pretty stupid. And if it has been used 100 times, than its safe to assume that those 100 were not using encryption. There are still people out there that think cell phones are completely secure.

Re:TO: myfriend@theotherispintown.com

[stephenbooth]

Why am I reminded of all those games of paranoia I played as a student?

Trust the computer. The computer is your friend.

Hey I read that mail! Report to your nearest termination centre NOW mal!

While you're at it why not drop into the Electronic Frontier Foundation and pick up a blue ribbon?

I have had a deep distrust of the online activities of bodies like the FBI since reading "Crime and Puzzlement" by John Perry Barlow in 1990. I guess their tech has improved but I doubt their motives will have. The right to protection from crime does have some costs but I think Carnivore and Omnivore have swung a bit too far.

Re:Selective filtering

[maunleon]

Well, I don't fully understand how this works either. Why do they need a "SUPERFAST COMPUTER" to wiretap email? They could just make copies of the email in transit, then use a slow computer to do the filtering and delete the uninteresting copies. Noone is going to notice a 5-second delay in email.

The only explanation is that they indend to use this beast to filter large amounts of random TCP data. Maybe hook it up in a backbone, listen for interesting messages, then trace them back to the source.

Such power is useless for mail filtering, especially if they have the luxury of taking it to the ISP's location. Heck, all you really have to do is get a warrant and force the ISP to Bcc: all incoming and outgoing mail from a person to a FBI mail account.

Re:Finally! Wiretapping for the 'net

[sqlrob]

Mr. Thomas is entirely correct --- Carnivore is just a very complicated sniffer. And while privacy advocates are correct --- the government COULD sniff anyone. But the government COULD also wiretap anyone. The rule of law is what prevents that. The FBI can pay through the nose if they get caught making illegal wiretaps.

But the difference is in scale. Yeah, they could tap everyone, but it would be (relatively) difficult. When they have a phone tap for John Smith down the block, they aren't getting your calls. But, if they have an e-mail tap for John Smith on your ISP, they can be getting your e-mails and have to actively filter against that. Whoops! some got through. Hey, they happen to mention doing something strange to someone named Jon Katz and Natalie Portman. I don't think it's legal to use grits that way, maybe we need a warrant on this guy.

Re:Selective filtering

[EricEldred]

It seems to me, if DMCA is used that broadly, couldn't it be used to argue against the FBI decrypting email communication?

Good point--that's obviously the reason the FBI and its friends are specifically exempted from the DMCA provisions. The FBI also requires telecommunications companies to provide facilities for wiretapping, at the companies' expense.

It used to be, the Constitution prohibited the government from taking away your rights. Now the Congress prevents you from taking away the rights of the police.

I wonder how many people see the difference.

Whoops! Re:There is probably no real Carnivore.

[King+of+Pain]

Please forgive my temporary stupidity. The FBI could not get away with using a classified system to obtain evidence in current criminal cases. However, law enforcement agencies could use the AI to search large amounts of evidence already collected via normal means that is used after the AI is declassified. Similarly, the CIA needs Echelon and other surveillance systems in order to avoid admitting the existence of the AI. (However, even after the AI is declassified, we will still need the military, but mainly as an international police force willing to use deadly force if necessary.)

Furthermore, the above statements about enforcing perjury were vague and misleading. Perjury will just be like all other crimes: the testimony of one witness will be sufficient to convict, providing the witness was privy to enough evidence. For example, Lewinsky could prove Clinton committed perjury even without using the taped phone calls or the dress. The important point is that perjury will become much less of a problem. The AI's "lie detection" capabilities will probably be implemented by allowing everyone hearing testimony under penalty of perjury to "feel" the relative credibility of the testimony. (Obviously, this will never apply to normal speeches made by politicians.)

This will be simultaneously good and bad for witnesses testifying in court. On the positive side, the judges will probably stop allowing questions outside the scope of the case at hand, so surprise questions about indiscretions will be less of a problem for witnesses. This means Clinton would never have been asked about Lewinsky in the Jones sexual harassment case, if the AI had been declassified. Jones' testimony would have been sufficient. On the negative side, testifying under penalty of perjury will be very intrusive for witnesses because your "true colors" will come "shining through." For most witnesses compelled to testify, the negatives will usually outweigh the positives, although less witnesses will be necessary. My reasoning is that court cases usually deal with wrongdoing, so witnesses having knowledge of wrongdoing will often not be completely innocent.

There is probably no real Carnivore.

[King+of+Pain]

The announcement of this Carnivore system is probably a legal strategy that would allow the FBI to secretly obtain information from the Internet via the currently secret AI (Artificial Intelligence) before the AI can be declassified. Therefore, any criminals (or would-be criminals) out there should not assume that the FBI will have problems sorting through the information obtained from a potential "Carnivore" "wiretap" or that simple codes or keywords would fool them. Although I'm not a lawyer, I doubt the law would limit the use of better technology to sort through large amounts of evidence since there is no obvious constitutional violation.

Furthermore, after declassification, there will be the ability to obtain phone calls and net traffic from the past, but law enforcement will need probable cause before it can obtain the information. Use of the AI to obtain evidence of criminal acts before the AI is declassified will likely be considered unconstitutional as violating the prohibition of Ex Post Facto laws (retroactive laws) to the extent it is used in ways that a reasonably prudent person, ignorant of the AI, would believe was impossible. The notable exceptions will be the use of the AI for 100% accurate lie detection and to obtain total recall of past events from witnesses. (This would be considered mere "recovery" of admissible evidence already known to a reasonably prudent person rather than a new type of evidence.) One way this could be implemented is by allowing the witness to "relive" a past event in a high-fidelity "dream," and then questioning the witness about what happened while the information is fresh in his/her mind. Also, it would be possible to obtain videotapes of a witness' past perceptions of sight and hearing, but this might be considered overly intrusive and often cumbersome. Furthermore, if a witness lies, it will be easy to prove perjury, even in cases where it previously would have been impossible. It is easy to predict that a lot of innocent prisoners will be released after the AI is declassified and many more guilty will be caught. In fact, for a while, many lesser offenses will probably be ignored or easily plea bargained down because of clogged dockets. Of course, the AI will be most useful for crime prevention (the real, but heretofor unobtainable, goal), stopping all or almost all violent crimes.

The law makes criminals of us all.

[skybird0]

Jon Erikson (eriksonj@yahoo.com) on Tuesday July 11, @11:19AM EDT wrote:

"The idea that the FBI can scan E-mails as they enter or leave your ISP sounds scary at first, but what you have to remember is that you are not a criminal."

How many times have you broken some law in the past year? I'd lay 100 to 1 odds that it is greater than zero.

The law makes criminals of us all.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:they DO require a warrant

[^_^x]

Sigh, the FBI does rquire a warrant to use Carnivore, and to top it off, it's _really_ hard to get.

Perhaps, but can you tell me when the last time the FBI requested a wiretapping warrant of any kind, and didn't get it?

Also, I may be misinformed/awful at remembering, but can't they request a wiretap warrant from a court in one place, when the warrant is in a different city?

Re:The FBI is looking out for you

[xjosh]

OK, breath deeply. Now lets think about this. Why was the fourth ammendment introduced in the first place? There were no phones, there wasn't even much of a postal service yet. But there were homes and doors and people capable of breaking them down to search your home. And there were police who might hear that you were seen leading a little kid into your home just before he was reported missing, and they might want to search your home. So we have the means to search your home and people who would want to. What do we do? We write an ammendment that says they can't do it unreasonably and a bunch of laws laying out a "reasonable" procedure.

Now the present. We have something besides your home, the internet, which people may want to search. We have ways for them to search it. And we still have an ammendment and a bunch of laws that say when and how they can do it. The existance of wiretap orders for other people who have given law enforcement enough justification to get a warrent, has nothing to do with your 4th ammendment rights, because they aren't searching and seizing you! As we understand carnivore and are discussing it, noone is spying on you.

If I may draw further on your analogy...

This Carnivore, at least it seems to me, is the electronic equivalent of the town's locksmith being required to hand over keys to the police so that they can walk through every house in town until they wind up finding the one they were looking for. Certainly that's not a reasonable method to conduct a search.

xjosh

Mailing Random Numbers

[herbierobinson]

I like this. We can start mailing files full of random numbers to government employees who cross us along with a clear text comment like "Use your XYZZY key, they'll never break this." Perhaps mailing to FBI managers randomly selected from the directory, too.

Should I worry with email like this

[logiceight]

I was thinking if I'm not a criminal I have nothing to worry about, then I checked my email.

Secrets the Government doesn't want you to know
Make $10,000 in one WEEK!!!
Re: Getting new Social Security Number
Create a new credit card rating
Hot sexy asian girls!!
Hot sexy teenagers!!!
Hot sexy asian teenagers!!!!

Of course sometimes I get email from total scum...

Mass email with 10 MILLION ADDRESSES!
Microsoft Windows 98 Newsletter for July

Gee, nothing incriminating here

Alternate link.

[Jetifi]

For those of you who don't want to supply anything with "MS" in the title, look up the article on Crpytome

Open source carnivore

[Howl]

So would the open source version of 'carnivore' be called Vegan? Vegitarian?

QUESTIONS QUESTIONS QUESTIONS QUESTIONS!

[Marrow]

1. Is the state of California law being followed which states that a person who is the subject of a wiretape must be informed after X period of time. Both sides of the conversation must be informed by law. 2. Who gets to see the data besides the FBI? 3. Is this data stored on a form of write-once media that cannot be altered: Like cdr? 4. What is done with the data? Is it databased? When does the data get thrown out? How is the data discarded? 5. Is the data being used to create "Hand offs" to other agencies or officers for investigations not directly involved with the crime being investigated. 6. Is the day to day visits of the federal agents to the device being used to modify the search parameters or merely to collect data. If they are modifying the search, then they are probably doing so to STOP collecting data has been collected by mistake... and they have already broken the law. 7. When was the last time one FBI agent turned in another agent for any crime. When has any agent ever been charged with a illegal wiretap. If the law is never used, it may as well not exist. 8. Does the data stay within the FBI or are they using outside experts/services to process it? Are they allowed to? 9. Just because they collected data in "error" that would not be admissible, does not mean that data is not valuable. Is an accounting track kept of who has access to the data within FBI to insure that INDIVIDUALS within the FBI are not using the info for personal gain? Or political gain? 10. Does carnivore have the ability to perform man-in-the-middle replacement of information. Could it be used to plant evidence on a system by inserting information into a download that was not intended/requested? 11. Does the telco or ISP have the right to monitor the OUTPUT on to their network by this machine? The device should not be allowed to insert data. FBI has the right to listen, does it have the right to insert data?

Re:time for more "spook" sigs

[brer_rabbit]

I just added "Carnivore" and "Omnivore" to my local spook.lines file:

Carnivore Qaddafi ammunition Omnivore colonel Area 51 Ortega genetic explosion COSCO Illuminati Operation SHAMROCK SCUD missile strategic Kenneth Starr Kibo

Re:No wiretapping without a specific warrant

[cronik]

I disagree, this is much more like tapping a trunk and applying a voice recognition algorithim. If I encrypted my e-mail and they cracked the 1024 bit crypto then that would be like opening sealed envlopes. The post office analogy would be more like all post cards going through a central office that read them to see if they were sent to a certain person. The FBI does not, in all likelyhood, have the ability to open my PGP crypto so if I want to send something I use that. Close the envelope and seak it good, then they won't want to hassel with it.

Re:The FBI is looking out for you

[cronik]

So, you broke the law by going two mph over the speed limit, the cop asks you to step away from the car and executes you because the magnitude of the crime dosen't matter.

Re:The FBI is looking out for you

[cronik]

Brazil anyone?

(no not trolling, it is a ref. to a very very good movie)

just like it's the nineteen fifties all over again

[john_locke]

Maybe this is borderline off topic, but during the early days of the fbi's war on organized crime, it was not legal for the agents to wiretap the phones and houses of mob bosses. This was mostly because J edgar Hoover was busy chasing after communists and socialists to make his agency looks statistically well, and he knew that trying to stop the mob was going to be a mess. But regardless of this, the FBI wiretapped the phones and homes of suspected members of the mob for years, although they had no warrants to do so, and it was illegal.

Anyway, I'm just saying that in the past, the FBI has illegally wiretapped "suspicous" citizens, and it could happen again. History has a funny charateristic of repeating itself a lot.

There was a show on this last weekend on either the discovery or history channel, but i forget which... anyway.

Re:No wiretapping without a specific warrant

[linzeal]

Prisoner #645662477 ....eh hem Mr. Davis your e-mail has been sorted for the day... if you would like to bring an official government email disk and submit to the required physical....um....exams we would gladly hand over all the e-mail we deem suitable for the patriotic citizen we know you to be.

Re:The FBI is looking out for you

[Jon+Erikson]

if you are under the impression that snooping into JQP's email is going to stop criminal activity, i guess you also support gun legislation, the death penalty and '3 strikes-you're out'.

Of course, I have no tolerance whatsoever for those that engage in criminal acts of any kind. Sin is sin, and the magnitude of it matters not in the long run. And owning a gun is my Constitutional right and allows me to protect myself from the criminals that would otherwise terrorise society.

---
Jon E. Erikson

Re:The FBI is looking out for you

[Jon+Erikson]

Let's start by realizing that different people have different sets of ethics...

Sorry my friend, but ethics are ethics, and have been laid down from a source that cannot be denied. Interpretations of ethics can vary, but these are mere exercies in logic-chopping and do not change the fact that we have a set of ethics which we were given by the Lord.

The 'betterment of society' is not served, and is in fact harmed, by a law enforcement group which intentionally violates the law, ever, even once. It doesn't matter if they catch a thousand murders and ten thousand rapists at the same time, if they had to violate one law to do so, they have made the world a worse place. It's simply a matter of principle.

I'd like to see you explain that to someone whose daughter has just been raped in one of the incidents you describe. "Sorry, we could have stopped it, but I would have had to jaywalk to do so, and my principles wouldn't allow it". Sure, it's an extreme example, but the point is that in the fact of crime, especially violent crime, your shining Constitutional principles seem like an escape from reality.

Obviously my principles are different from yours.

Obviously.

And to answer your question, it depends on the criminals. In particular, it depends on what laws they are guilty of breaking. I mean, it makes a big differance if they are all guilty of murder, say, or just, you know, jaywalking or speeding or maybe growing a bit of pot and then smoking it.

And as I believe I've said before, sin is sin, and trying to count the "amount" of sin is a foolish and pointless exercise. If you are guilty of a crime, you must be punished. It's as simple as that.

---
Jon E. Erikson

Re:The FBI is looking out for you

[Jon+Erikson]

So, if you're not afraid of the FBI looking at your e-mails to your sister, you're surely not afraid at letting ME look at those same e-mails, no?

Did you read my post? You didn't did you. What I said was that I'm not bothered by letting a computer read my E-mail. A computer does not make value judgements about your life. Unless you are a computer, I don't want you reading my E-mails, you sound like you'd make a value judgement.

Can't you see it's a matter of principle, or are you just dumed-down by mass-media hysteria not to realize your fundamental rights are being trampled???

It's also a matter of principle that criminals need to be stopped, and that these kinds of measures need to be taken for the betterment of society. After all its no use having free access to source code if you're barricaded in your home by armed criminals is it?

---
Jon E. Erikson

Re:The FBI is looking out for you

[Jon+Erikson]

You really don't see whats going on do you?

Why do you say that? It appears as though I live in a different world to you, but whether either one is more "real" is open to interpretation.

This new sniffer allows unprecedented access to all unencrypted traffic as this is a sniffer at the backbone... What we have here is merely the FBI promising to use this technology only with a proper search warrant

And how is this different from the powers which they have to tap any other form of communication? Just because the net is the new "frontier" people think that it must somehow be magically different from the offline world. This is blatently not true - the net is a different medium sure, but it's the same old shit nonetheless.

See all these are steps toward a penultimate police state. Ponder this, in a few years technology will have advanced to the point where we can all have our own "police buddy robot" which follows us around making sure we're not commiting any crimes, and bill^H^H^H^Hfining us for the ones we do commit. Safety for all!

And this nothing to do with the net at all - if the net had never been invented (by the American government who then allowed you to use it) we could still have robots following us around.

---
Jon E. Erikson

Why is it ISP wide?

[BDew]

ZDNet has an arti cle also.

I guess my question is why this has to be ISP wide. They claim that they only use it for specific cases, and not an "Echelon" style global system, but if that's the case why do they have to cover the whole ISP? Why can't they just get the IP given the "target" by the ISP and only read HIS mail?

Carnivor

[S�gnal+ll]

An earlier version, aptly code-named Omnivore, could suck in as much as to six gigabytes of data every hour

this beast is eating too much. It will have the same destiny as the dinosaurs.

can and string

[Highlordexecutioner]

It is getting to the point where two soup cans and a length of string, is the only way of secure communication. Or you could break out the old hollow log and a couple of sticks.

Re:can and string

[Highlordexecutioner]

Ah yes I keep forgetting to lookup my TV archives for the answers of life (and no I am not being sarcastic I really mean it).

Re:Finally! Wiretapping for the 'net

[Captain+Constitution]

I support neither Carnivore nor regular wiretaps. But allowing Carnivore will allow for easier evidence planting than a regular wiretap. IP address spoofing is incredibly easy. Thankfully, we have laws preventing such fraud. From U.S. Code, Title 18, Part I, Chapter 25, Section 514:

Whoever, with the intent to defraud - (1) draws, prints, processes, produces, publishes, or otherwise makes, or attempts or causes the same, within the United States; (2) passes, utters, presents, offers, brokers, issues, sells, or attempts or causes the same, or with like intent possesses, within the United States; or (3) utilizes interstate or foreign commerce, including the use of the mails or wire, radio, or other electronic communication, to transmit, transport, ship, move, transfer, or attempts or causes the same, to, from, or through the United States, any false or fictitious instrument, document, or other item appearing, representing, purporting, or contriving through scheme or artifice, to be an actual security or other financial instrument issued under the authority of the United States, a foreign government, a State or other political subdivision of the United States, or an organization, shall be guilty of a class B felony.

We all know the government allows wiretapping, but there is no precedent for internet wiretapping. Let's nip this one in the bud and write letters to Congress. Let them know you care about your rights as an American citizen.

Re:Hellen Keller

[Estanislao+Mart�nez]

Did you recently hear that because of Hellen Keller's being an outspoken advocate for disabled people's rights the FBI had a file on her?

Helen Keller was a fellow socialist. Surely the FBI had a file on her just because of that.

Re:Secure Communications

[happystink]

Someone asked that during the Q+A with the havenco guy and they didn't seem too interested in it. I wonder how much publicity it'd really get them among the people who are likely to use them anyway, do you think it'd get much coverage? (not rhetorical, I can't tell really. crazy internet press!) Colo a box at havenco though and you can do it!

Right up there with Echelon

[Llah]

This development doesn't suprise me in the least, gradually everything will be saturated with electronic monitoring... A computer in every house, jacked into the net 24-7 with modern connections... a lovely goal, as a geek, I love the idea, as a paranoid citizen of a great country with an unfortunately corrupt and evil government, I despise the implications this might have in the future. Right now our phone calls are scanned for dirty words "bomb", "assassinate", Presidents... a search for dissidents. The same sort of privacy invasion could certainly apply to Carnivore. Not to commit another slippery slope fallacy, but its so easy when you are thinking about the actions of the government... ... from there, its a hop skip and a jump to sedition profiling by the NSA... this making any future changes to our government structure next to impossible as they know who to watch and remove. Its a scary thought, perhaps I am too paranoid, but I've a reason to be!

Slighty OT: PGP & IM

[toyboat]

People who say you should be using PGP for any sensitive communications are right.

Recently I have been searching for an instant messaging type software that uses strong encryption for windows. Eventually I found one called BetweenUS which seemed exactly what I wanted. It can use an agreed upon password mode with Triple DES or Blowfish, or it can use your PGP keyring and keys from any version > 5.0. I thought this was really cool. After reading all about it, I went to download but found the product had been sold to another company that no longer supports it. I did manage to finally find a copy, but now I am curious why it just got dropped. Does anyone know anything about it? It seems great, supports encrypted file transfers, instant messanges, and chat with up to 25 people in a channel (or 100 with a server component that is also discontinued). Or maybe does anyone know about something *BETTER* than this? Thanks

Re:It's a waste of time & resources.

[toyboat]

This was 100 times in one year. The first year even. That seems like kind of a lot.

That is not the point

[TranquilStorm]

The number of times the system has been used is not the point. The point is the system itself and the potential that lies in a system like this for abuse.

Anyone watch 'Cops'? I have seen an enforcement officer pull up to a car where two people are talking, take them into custody and search their persons. Why? They are talking in an area known for its drug traffic, so obviously, they meet the burden of probable cause. The fact they are guilty makes everything fine in the eyes of its viewers. The fact that two people taken into custody simply because they are conversing in a place known for its drug traffic does not dawn on the average viewer that something has gone wrong. A criminal was removed from the street. The fact that constitutional rights were disregarded is immaterial.

A system like this, however, is even worse. Why?

Lets consider the need for a 'warrant'. OK, so to use this to target one individual a warrant needs to be obtained, and then they can only study one individual. Fine. This works out. Down the line as the technology improves, they begin to probe more. Instead of searching for one person, they code into the system to search for the target person, and certain keywords. This will be an easy step to make, since the courts already have given the power to use the technology. Does anyone know that this happens? Not on your life. Does the FBI begin to open more files based on "anonymous tips". I would be willing to bet so.

Now, lets consider the current 'defacto standard' of the executive branch of reasonable probable cause. While scanning the packets for the targeted individual, the start seeing an increasing number of encrypted packets in mail as concerned, law-biding citizens begin to protect their digital information. Do these go to the individual being investigated? Are they going to an accomplice of the individual? Don't know, but we should capture them and analyze them to determine what these packets are. These individuals have something to hide, because they are taking 'extraordinary' steps (that will be the word they use in court to defend their actions, if they ever are caught using this information) to hide obviously illegal activates from law enforcement. The simple fact that these extraordinary steps are being taken will be viewed as sufficient probable cause to investigate further. Again, no one will know, but the case files opened with an anonymous tip at the Bureau will be increasing and the Bureau will hold press conferences showing off their latest and greatest conquests in the name of upholding the law.

The system can process gigabytes of data an hour. With today's modern storage, no one will ever know if the box they carry in is capable of storing exabytes of data. Well, now the data needs to be stored and studied off-site, since the broadband users are becoming more prevalent in our society. The simple explanation will be that creating a system like this capable of analyzing the information in real-time and remaining portable is a technological impossibility. A much more thorough analysis can be provided in the facilities in Washington, and will only look at data that is in direct relation to the warrant and the targeted individual. Problem is, no one knows what data they actually are analyzing. If the data can be sifted through this data looking for information related to the targeted information, how large a leap is it for this same system to look for other trends, keywords, etc. It does not cost the taxpayers any money, and additional man-hours are not needed to do this research. The new cases opened in the weeks following the investigation were all a direct result of law biding citizens providing anonymous tips. The fact that this system is in use has nothing to do with the increasingly concerned anonymous citizen of the country.

And one day, we will be asking ourselves with the technology that is available today, how does one actually deliver a tip to the FBI that is anonymous, since they have tapped the phones, can trace snail mail and have video record of any person within 500 feet of any Bureau office? Yet, with all this technology, an amazingly increasing number of law biding conscientious citizens are managing to provide the anonymous tips to remove criminals from the streets, so everything is alright, isn't it?

Re:I'm sure they filter...

[91degrees]

Some time ago there was a sub culture of spook fodder. This essentially involved putting at the end of each email something along the lines of

Spook Fodder: Clinton, FBI, Bomb, gun, KGB, President.

Haven't seen any of this recently. Maybe it was just that not enough people were joining in to make it work.

Re:PGP is not the answer

[Tomin8tor]

> 1. The NSA cannot crack PGP on anything near a > realtime basis, the FBI probably couldn't even > uudecode...

Well, you're probably right about the FBI, they do have a bit of a record of being screw ups from time to time. And I wouldn't suggest that even the NSA can crack PGP on a real-time basis (or at least, that would be a surprise).

> 2. The NSA was 2-10 years ahead but that was
> decades ago. The NSA most certainly lost
> their "lead" due to the sheer numbers of
> mathematicians working in academia and the
> private sector. Combine this with the more
> talented cryptographers avoiding the NSA for
> moral and monetary reasons.

I agree there are a number of mathematicians working in academia and the civilian world. And I do believe the gap has narrowed. However, I also know that the NSA funds quite a few research projects in academia (some obviously, others less so) and has a lot of data that the outside world has just never seen. And they also have a pretty horrendous amount of money to play with. And a lot of compute power. I think all that adds up to them still having a lead, though it may be measured in months rather than years now in some areas.

Of course, unless they opened up their archives and let us see the stuff they know, some parts of this discussion will always be problematic and hypothetical.

3. Dumpster diving / social engineering are not applicable here.

Correct, except insofar as the cry made about the parsing of communications being a call for strong crypto. The truth is, if any of these agencies want to know about you (which admittedly is differentiated from them noticing you by trolling all the data streams), they can certainly find it out by easier methods than cracking your crypto.

As for 1024 or 512 key crypto being uncrackable, just keep believing that. It's probably fairly secure (it would take a fair bit of compute power or some sophisticated routines to crack) but how many times throughout history have unbreakable codes been broken? Lessee....quite a few. How many times throughout history has the government been steps ahead of what anyone thought? A fair few.

I can't prove that PGP is crackable or has been compromised already. I wouldn't think that if I were a government agency who could do so, I'd want it known publicly. I'd probably restrict the number of people who knew about it and tie them down with surveillance and various security agreements.

This (and the process that selects people to work for such bureaux) would serve to effectively prevent comment so the public will probably never really know what a well funded government agency can actually accomplish, and the agencies like it that way.

And of course, everyone that believes in unbreakable crypto or a lack of governement capability in decryption no doubt pleases the powers that be to no end...

As usual, you can think what you like. Until the government perfects its brain wave scanners, anyway. ;)

Re:Secure Communications

[fredbox]

Actually, US feds and the Canadian crown have an 'arrangement' where each may spy on the citizenry of the other and share the info, in order not to run afoul of their own laws. IOW, the Mounties dig up the dirt to send the FBI, and vice versa. This is why the FBI knows so much about American citizens and the Canadian government knows virtually nothing. The RCMP is actually competent.

Re:This would be a surprise?

[Ketzer]

While it's true that it's easy to forge email on the internet, that's not where the billg mail came from in the Microsoft case. The MS v. DOJ thing wasn't really my point, just an example.

But to continue that example, you don't have to intercept anything. Presumably, you have A bunch of email correspondence, incoming and outgoing, sitting on Gates' machine in his office, probably in Outlook 2014 or something. All that email is just files, maybe plaintext, maybe encrypted. Supposing that somebody has the passwords needed to access the files. For the sake of argument, we'll say they he wrote them down on a slip of paper and some nefarious person found it. They boot up his machine, find the files. They decrypt them if needed, then open up a text editor. They replace the sentence "No, of course I won't threaten other companies, that would be immoral!" with "Yeah, yank the Win9x licenses from a couple of OEMs, see how they like that." Save. Encrypt again if needed, shutdown. Leave.

Next thing you know DOJ discovers incriminating emails on Gates' machine from the MS internal network. Of course, more work would be required than just that one little act, but the philosophical point is that email is just bits on hard drives, and is therefore no more reliable than heresay, which is inadmissable.

Some might say that you are responsible for anything done by your user, so guard your password closely. Some are even saying this in court. IIRC a company is being sued for having negligently low security, allowing themselves to be used for DoS on another company. I personally think that's going way too far. Say you're a newbie, you boot up your machine and log on to your cable modem service, which is putting you on a network. Next thing you know somebody has used your machine as a gateway to hack Amazon, and you're being sued for millions. Not really reasonable.

Yawn

[Ketzer]

sigh. Another "oh no, Big Brother is listening" post.

I'm as big a proponent of privacy and anonymity on the net as the rest of you, but geez, get over this already.

Yes, the government is monitoring your email. No, you're not going to be able to prevent it. If it bothers you, use heavy encryption. And as someone else wise posted, use it casually and constantly. Put 128-bit encryption on jokes you email to your friends and text files with your grocery lists. Otherwise encryption begins to stand out an say "I'm important, crack me!" much like a guy in a black jumpsuit and ski-mask tends to draw the attention of cops in the physical world.

If they can do it on phones...

[d2htornado]

If they can tap a phone, why not an email address? To me, it just seems like the next logical step in technology. I don't feel that it infringes on privacy or anything like that, as long as it is used with the same discression that they (hopefully) use on phone taps. The only reason anyone should actually be worried about this new technology is if they've got something to hide.

Re:Already exists

[photon317]

Also, you can use OpenSSL+SSLwrap over standard sendmail.

Re:Same rules as non-Internet should apply.

[cosmic_0x526179]

point 1: where does it say email only. If they have said warrant, I would suggest that it covers all electronic traffic thru the ISP.

point 2: if indeed it is a sniffer, then that device could easily sniff traffic other than that which is covered by the warrant. If I ran an ISP and I were servered with said warrant, I would certainly want some form of certification that the device will only be monitoring the person in question. Don't the telco's have security departments to deal with warrants and associated issues ? If the sniffer is/can gather electronic traffic from other than the intended target, shouldn't the remaining users of the ISP have a right to know when it is installed ?

point 3: what happens if the ISP is hotmail (or AOL or someone big) ? see points 1 & 2.

point 4: why does this smack of McCarthyism ? Wasn't JEH in bed with McCarthy on rooting out the red menace (meant figuratively of course) ?

- just another cosmic ray -

I'm a loser, so it doesn't matter

[BobTheWonderchicken]

I always figure that not much goes on in my life so if the government wants to watch me they can go on ahead. Not like I do anything interesting. If someone was reading my e-mail I would feel satisfaction in the fact that they had to, sometimes I don't want to. Kate

It's not ISP wide - it's person specific

[Terpy_242]

The c_vore system is using a person's identity to key against raw internet traffic. As mentioned, this is not an echelon type system where they look for keywords that are likely to provide information regarding crimes or terrorism. This kind of filtering can only be done when there are foreigners involved anyway. Americans, at least for now, are protected by some pretty good oversight. They go to the ISP where that individual has an account and start from there? Wow, that sounds pretty good to me. It's alot better than them trying to filter all content all over the internet (impossible). I think this time the government is actually doing it right. Going to the ISP where the person's email account is at even further reduces the likelyhood that the will inadvertantly intercept your email. They use this less than 100 times a year? Wait... How many ISPs are there? Which one does the criminal or suspected criminal use? Is it the same as your ISP? Did you email the criminal? Why did you email the criminal? Don't be the criminal... don't email the criminal. Wait until your good buddy the ciminal is in the clear. If you commit a crime are suspected of it, your privacy will be violated. I guarantee it. Whether you know about it or not and no matter what technology you use. If you are falsely accused it's a real bummer. Just happened to me recently.

please...

[drglen]

anyone who is surprised by this needs their head examined, ... all your internet traffic is logged on some level either by someone watching, your isp, or by you yourself... you are never alone when you connect to the internet.. wether malicously or not

Re:please...

[phil+reed]

There's always somebody who says this, but they never manage to present any evidence. You wouldn't happen to have any evidence lying around, would you?


...phil

Re:Secure Communications

[powerpuffgrrl]

Hushmail is an Anguillian based company now operating in Dublin, Ireland with servers in Canada. No Feds there. Only their marketing is in Texas. There is a company setting up server farm in Sealand, but as far as I know they don't have plans for web based encrypted email. They also banned pornsites and spammers from using their servers.

Why do they want to...

[pompousjerk]

Oh gee, great. They can now intercept the fact that my website had one hit last week. And I shudder to think what could happen when they read my Wired.com newsletter or my tech support crap.

Do they think they are actually going to get something juicy??

Oh, wait a minute, this is the government we are talking about here. Endless stupidity.

Maybe they'll monitor my underwear drawer next to see if all my breifs are white.

http://yottys.homestead.com

Re:If a data stream runs through a computer....

[phil+reed]

What if the police were snooping on conversations over short wave radio by tuning to the frequency of the people they were interested in.

Bad example. Radio is inherently a broadcast medium, e-mail is more-or-less directed.


...phil

Re:No wiretapping without a specific warrant

[cduffy]

Not so. The first 10 amendments were agreed on before the Constitution itself was put in place. Indeed, the Constitution was ratified only with the agreement that the 10 amendments would follow; Several states' representatives refused to agree otherwise.

So "amendment" doesn't mean "afterthought". Politics. Such fun stuff.

Heard of TWINKLE?

[isaac]

Really? Care to say how? Do you mean a backdoor in the program (the source is available) or a problem with the encryption algorithms? Are you a mathematician? Do you think the NSA has managed to prove that factoring isn't NP (which would be quite an accomplishment, esp. for a government organization)? Or, maybe, you mean that they've managed to prove that problems in NP can be solved more quickly (which would be the greatest mathematical achievement in decades). Truth is, if factoring cannot be solved in less than polynomial time, no organization, no matter how many mathematicians they employ, is going to be able to crack PGP fairly quickly.

Heard of TWINKLE? How far ahead of this do you think the NSA might be?

FWIW, I once worked a case for the FDLE, after which they tried to recruit me for their computer crimes unit. They were quite sanguine about encryption, saying they regularly shipped encrypted documents off to the NSA for decrypts, depending on how crucial they were to the case.

Also remember that given access to the private key, keylength is less important than passphrase strength.

It takes some work to use PGP securely, and ultimately, if some TLA wants your cleartext, they'll get it one way (cracking crypto) or another (Van Eyck, TEMPEST).

-Isaac

Re:Heard of TWINKLE?

[Azog]

It doesn't suprise me to hear that the NSA is used by other organizations to break encrypted documents.

However, I would bet that a lot of those documents were encrypted using regular DES. The NSA can probably break DES in a minute or two by brute-force, using specialized hardware.

However... Suppose they can break Triple-DES, or Blowfish, or RSA, or whatever.

It is important to note that it would be difficult for them to safely use that information.

If the FBI/NSA/CIA/DOJ/DOD/whatever ever did something using knowlege that could have only been obtained by breaking one of those codes, the cat would be out of the bag.

The situation is very similar to Bobby Shaftoe's division in the Cryptonomicon, which had the job of running around creating plausible "cover stories" to explain why the Allies knew so much.

For the NSA et. al. to USE information they got from breaking 3DES or one of the other "strong" systems, they would first have to create a plausible alternative way for them to have obtained that information. And, that would have to be a legal way if they wanted to use it in court.

Now, they may do that. Apparently, they get a lot of "anonymous tips". Uh huh. But if there are say, three or four people in a conspiracy to cream-pie the president, and they only communicate through PGP, with good passphrases, and they are careful about Van Eck and other bugging... if they get caught and dragged in front of a judge, how will the Secret Service present the evidence?

As soon as the secret is out, people would switch encryption methods. (Well, some people. The people who care enough to use encryption, anyway.)


Torrey Hoffman (Azog)

Re:Heard of TWINKLE?

[Azog]

Yes, but the effect is the same. If the conspirators get arrested, they will realize that either:

1. Their encryption was broken
2. Or, they were bugged (but why?)
3. Or, one of their members is a traitor
4. They screwed up some other way that got the cops onto them.

If they are confident enough to rule out #3 and #4, 1 is the only other choice.

So assume they get their day in court. Even if the Secret Service doesn't present evidence from broken encryption, (and instead uses evidence from regular bugging, search and seizure, whatever) the question still arises: Why were these people under investigation in the first place?

What got the Secret Service looking at them? Was it just because they were using PGP? Not likely - too many people use PGP for them all to be checked out. So, their messages must have been cracked and scanned for incriminating phrases.

The conspirators lawyer will ask for sure. And the secret will be out. Or at least, people will be suspicious. If it happens a few times, people will believe the NSA can crack PGP.

This hasn't happened yet. So either the NSA cannot crack PGP, or they have been very very cautious how they have used the ability.


Torrey Hoffman (Azog)

Re:The FBI is looking out for you

[Nathaniel]

"It's also a matter of principle that criminals need to be stopped, and that these kinds of measures need to be taken for the betterment of society. After all its no use having free access to source code if you're barricaded in your home by armed criminals is it?"

Let's start by realizing that different people have different sets of ethics, and not everyone believes that the government has a strong sense of ethics. For example, I am confident that the government is extreamly hypocrytical, which by my sense of ethics is one of the worst things possible.

Asking dictionary.com about 'principle' gives "basic truth, law, or assumption", "A rule or standard, especially of good behavior" and "The collectivity of moral or ethical standards or judgments".

When you say "It's also a matter of principle that criminals need to be stopped...", it's reasonable for me to ask "Who's principle, who's ethics, which laws, and at what price?"

The question many people are raising is if catching the criminals is important enough to justify breaking the law, violating the constitution, and ignoring the bill of rights.

My answer is "No, of course it isn't worth it! The rules of society, as described by the constitution, make it clear that catching the criminals is NOT the most important thing."

Let me make this as clear as I can manage. The 'betterment of society' is not served, and is in fact harmed, by a law enforcement group which intentionally violates the law, ever, even once. It doesn't matter if they catch a thousand murders and ten thousand rapists at the same time, if they had to violate one law to do so, they have made the world a worse place. It's simply a matter of principle.

Obviously my principles are different from yours.

And to answer your question, it depends on the criminals. In particular, it depends on what laws they are guilty of breaking. I mean, it makes a big differance if they are all guilty of murder, say, or just, you know, jaywalking or speeding or maybe growing a bit of pot and then smoking it.

Re:The FBI is looking out for you

[Nathaniel]

"Sorry my friend, but ethics are ethics, and have been laid down from a source that cannot be denied."

Wow. I'm just amazed.

You can't argue with logic like that. You can point and laugh, but you can't argue with it.

Just for the record, in order to prove that it can be done, I deny them. I also deny your god. Please refrain from stating that it isn't possible, as it obvious is. Tell me again that I can't deny something, and I'm likely to do just that, if I want.

It is my belief that criminals can be caught and punished without breaking the law. It takes a little more work, but it's still possible.

Breaking the law in order to catch someone and punish them is a lot like the death penalty. Is it fair for me to assume that you don't agree with the death penalty?

"And as I believe I've said before, sin is sin, and trying to count the "amount" of sin is a foolish and pointless exercise. If you are guilty of a crime, you must be punished. It's as simple as that."

You seem to be confusing 'sin' with 'crime'. Crime is defined by society. 'Sin', for those who believe, is defined by some higher power.

the important point here is that society can, and often does, change the definition of crime. Drinking alcohol in the United States is a good example. It's legal. It's illegal. It's legal again. Of course, this caused some confusion.

It is my belief that there currently exist many laws which actively harm society. Society would be better off without some of the laws.

I'm willing to suppose it may be a bit of a leap for you to agree that some laws harm society. Let's see if we can agree that there are laws which are just downright silly, and don't need to exist.

Please refer to www.dumblaws.com and see if you can find even one law which makes something a crime when it need not be.

Failing that, please explain the ethics behind this law:

New Mexico, Las Cruces:
You may not carry a lunchbox down Main Street.

Is this a crime because The Lord told someone it should be?

Is it a sin?

Does it harm anyone?

Can you suggest any possible reason for this law?

Can you begin to understand how I might think that someone might be guilty of a crime yet still not need to be punished?

Re:PGP

[trog]

While you are correct in your statement that PGP has never been "cracked", this is an over-simplistic view of the software's strength. Any mismanagement of the way the protocols are used could possibly weaken the crypto, which could be enough to be cracked. The algorythms are only as secure as they proport to be when they are implemented according to their reference implementation. While no one has the computing power to brut-force full strength RSA, perhaps an inadvertantly crippled RSA could be broken. This is a big problem with any crypto implementation.

Re:PGP

[trog]

This is not the case at all. Recently, there was discovery of a bug in PGP that made it possible to guess keys. See http://www.securityfocus.com/bid/1251

There have been several other bugs found in PGP; I can't remember the specifics, but I believe that the above bug was in PGP for over a year for being discovered, in spite of the fact that the code was open for everyone to see.

If you've ever actually looked at the code for PGP, you'll see it's HORRIBLE. PGP is coded really sloppily. My comments were more directed at the high probability of an acidental implementation error due to programming practice, not an intentional crippling.

This is particularly the case with Open Source projects, as willingness to code something rarely translates to being the best person to do it. Bruce Schneier commented on this in his Cryptogram newsletter. See:

http://www.counterpane.com/crypto-gram-9909.html

http://www.counterpane.com/pitfalls.html

http://www.counterpane.com/whycrypto.html

And please, this isn't a flame. This is born out of experience.

Easy work around

[bstadil]

There is a fairly easy work around that piece of legislation. IT has been used in the financial community for a while now. What you need to do is have your Key being held by a custodian outside the UK jurisdiction. Then set up an agreement that in the case of any legal action against you the custodian is automatic required to refuse delivery of the key to you. That way you can not be held in contempt since you abide by the law requesting the key, but you are not getting it since something outside your control hinders it.

Re:Easy work around

[mOdQuArK!]

I believe that one of the controversial provisions of this UK law, is that it doesn't matter whether you CAN physically produce the key or not - if you don't hand it over when the police ask for it, they can throw you in jail until you do.

I remember reading a news story where someone sent an encrypted message containing details about a "crime" to an important high official, but without giving him the key (and they threw away the key themselves). They challenged the UK police to arrest that high official, since he had "evidence of a crime", but wouldn't(couldn't) give the key.

Funny how law enforcement seems to be a little more reasonable about enforcing stupid laws (in just about any country) when it comes to arresting "important" people.

Re:4th Amendment anyone?

[panda]

Exactly! Which is why I refuse to work anywhere that a drug test is mandatory. I don't use illegal drugs, just the legal ones. :-) I do, however, refuse to work where I AM NOT TRUSTED.

Re:The FBI is looking out for you

[Pig+Hogger]

...we have a set of ethics which we were given by the Lord.
...
"Sorry, we could have stopped it, but I would have had to jaywalk to do so, ...

... And our Lord Jesus H. Fucking Christ spread his buns, and said: "Thou shalt not jaywalk, and always cross on thy green lights"... [Peter 89:45.12]

--
Here's my mirror

Re:The FBI is looking out for you

[Pig+Hogger]

The idea that the FBI can scan E-mails as they enter or leave your ISP sounds scary at first, but what you have to remember is that you are not a criminal. They're hardly going to want to read your E-mail about your trip to see your sister at BJU are they? It's not like there are people reading your personal mail, it's just a machine and can't make value Judgements on what you write.

So, if you're not afraid of the FBI looking at your e-mails to your sister, you're surely not afraid at letting ME look at those same e-mails, no?

By the same token, you won't mind either me looking at those e-mails you sent to that chick you met last month at Catalina, no?

Can't you see it's a matter of principle, or are you just dumed-down by mass-media hysteria not to realize your fundamental rights are being trampled???

--
Here's my mirror

Re:ANother reason to use PGP

[Detritus]

The link on the page is bad, their home page is here.

PGP not enough - and a solution

[Omnifarious]

Just encrypting your e-mail with PGP is not enough. The sender and recipient histories can still be tracked. Here is my proposed solution to this problem...

Have several anonymous remailers scattered around the world with well published public keys. Each remailer will decrypt the message with it's private key, find the new sender in the decrypted message, strip the original envelope information, and send the message along to the next remailer.

Your message ends up encrypted in multiple layers that get stripped off one by one by each remailer. Eventually, it will get to its destination where the recipient will strip the last layer of encryption off.

This way, there is no reasonable way anybody can track who you're getting messages from, or who you're sending them to. Even if the remailers keep connect logs, or message logs, you still can't tell.

I'm thinking of writing this up as a python script that uses gpg and that can be set up as a filter in your .forward or .qmail file.

Modify SMTP

[Sangui5]

One possibility would be extending sendmail. If sendmail.org added a secure version of the various protocols (using the (almost) newly expired RSA public-key system), it would be invisible to the user.

I suppose one could have SMTP report if it supports the new protocol, (SHLO to go along with EHLO/HELO ?) and if wherever the mail is being send does, you could use an extended set of commands to request a public key (KREQ ? ) from the server, send a session key (SKEY ), and encrypt the remainder of the session.

Since sendmail is nearly umbiquitous, they could define the protocol however they pleased, publish it as a RFC per the usual routes, and have a defacto standard. One could (should) do the same thing with http, IMHO. Of course that would be up to the WC3.

Unfortunatly encrypting the content of SMPT transfers/http doesn't protect against traffic analysis. Oh well...

Re:Modify SMTP

[parkrrrr]

Unfortunatly encrypting the content of SMPT transfers/http doesn't protect against traffic analysis. Oh well...

It doesn't even protect against the FBI getting the plaintext. Remember, the wiretaps they're talking about here are with the (sometimes grudging) consent of the ISP, so if encrypted SMTP became the norm they'd just require the ISP to provide them with the private key of the mailserver as well, or to provide a tap into the unencrypted stream within the server software itself. The only way to be sure of your encryption is to trust both ends of the link.

Re:Steganography is juvenile

[Poe]

With steganography you are hiding the fact of encryption.
You can have the strongest encryption in the world, and it will not protect you from a subpoena for the (private) key.
Security through obscurity isn't "bad" any more than lemurs are "bad".
When security through obscurity interferes with the verification and validation of an algorithim, that will make the algorithim weaker. That could be considered bad.
When you think you are hiding information and you are not, that could be considered bad. The link that I gave is to a steganography program that helps to hide the fact of seganography from stegonagraphic analysis.
I should, and do, use a lock on my safe that is so good that I can put that safe on a street corner, complete with a diagram of the lock, and no one can get into it.
But I think I'll put that safe (with that same strong lock) in my house, instead. Maybe behind a portrait.

Re:The FBI is looking out for you

[finkployd]

The idea that the FBI can scan E-mails as they enter or leave your ISP sounds scary at first, but what you have to remember is that you are not a criminal.

Sure that's how it starts, but I challange you to find a time in modern history where power DIDN'T corrupt. It's not a matter of if, it's a matter of when they begin to use this to go after political dissidents and anyone else they don't like.

Finkployd

Re:PGP is not the answer

[Disco+Stu]

PGP is okay, but I'm moderately certain the NSA can crack it fairly quickly. Don't know about the FBI.

Really? Care to say how? Do you mean a backdoor in the program (the source is available) or a problem with the encryption algorithms? Are you a mathematician? Do you think the NSA has managed to prove that factoring isn't NP (which would be quite an accomplishment, esp. for a government organization)? Or, maybe, you mean that they've managed to prove that problems in NP can be solved more quickly (which would be the greatest mathematical achievement in decades). Truth is, if factoring cannot be solved in less than polynomial time, no organization, no matter how many mathematicians they employ, is going to be able to crack PGP fairly quickly.

You're right about the social engineering part, though.

Carnivore Jam

[griffjon]

So, if anyone finds or guesses the list of people the FBI listens for, cc: them and/or spoof them in every email you send. Add a few extra X-headers to trip it up. It'll fit nicely with the X-Jam-Echelon header, and will in fact maybe even be synergistic.

Nice choice

[LionMan]

It's always nice to know that the FBI has given up on plantae and is only going for animalia now. I mean, with all the decision involved before, they had to choose if they wanted greens or blood!
I wonder if I'm meat or celery to them . . .

Big Brother is Watching . . .

[LionMan]

Hmm, if we open up our lives and give away privacy, we can exchange it for security!
I think it was Winston Churchill who said, "He who would give up privacy for security deserves neither." How about that?

What is the FBI's interest in "clones"?

[cpeterso]

:-)

Re:PGP

[jilles]

True, but at least it's a bit more controlled than right now while still working transparently for the user. Of course a long term solution for email is to build encryption into the mail protocol.

But the thing I was trying to show is that the way we currently deal with networking is unsafe. TCP deals with reliable point to point connections, but these connections are unsafe. It leaves it to applications on top of it to deal with encryption and most applications don't do this. I would like to see encryption pushed down in such a way that it works transparently for applications. E.g. if I'm chatting through ICQ with a friend, the connection used by the two clients would be automatically encrypted.

Steganography is juvenile

[Plasmic]

[Retrieve hammer from hardware store]

Speak these words: "Steganography equals security by obscurity."

[Inflict one wound to torsoe with hammer]

Speak these words: "Security by obscurity is bad."

[Inflict one wound to torsoe with hammer]

Speak these words: "The encryption I use should be so strong that I should be able to give encrypted copies of my deepest, darkest secrets to anyone that asks for them, provide them with the software I used to encrypt it along with a whitepaper describing how my encryption method works, teach them how to use it, and be confident that they won't be able to read that document."

[Pin 1st place ribbon on chest; you've won!]

Re:Steganography is juvenile

[tietokone-olmi]

BZZZZT, wrooong, but thank you for playing.

Steganography isn't for keeping information unreadable.You can already do that with encryption. The point is that you may not be able to send encrypted information through open channels without a man in black coming to your door and busting your aft section for "hindering the work of law enforcement" or something like that.

The point of steganography is to hide the fact that you're communicating encrypted data in the first place.

Yes, that smells like security through obscurity, but imagine this: You have an encryption algorithm so devious that it's unbreakable (in reasonable time, I mean) and the resulting data is indistinguishable from the stuff you get from /dev/urandom on a good day (which means that it can't be proven to be encrypted data and not meaningless noise). Now hide that data in the low-order bits of an image (replacing the already random enough data there) and no one can prove the data is encrypted since there is no significant difference between the output of (say) RC4 and cat /dev/urandom.

Admittedly there are some caveats to this particular technique (although they can mostly be avoided if care is taken):

• There are some (computer generated, mostly) images where the low-order bits aren't random enough in the source image that replacing them with noise would go undetected. With good selection of the carrier data, this doesn't matter. Just use scanned photographs or something like that.
• Not all encryption algorithms and/or keys are good enough to get you encrypted data that can't be distinguished from noise. RC4 comes pretty close; I'm not sure about other algorithms.

Re:PGP is not the answer

[handorf]

Just one interesting side point to #2.

IIRC, the US Government is the single biggest employer of Mathematicians worldwide.

Care to guess how many of those are doing crypto?

Last post!

[Russ+Nelson]

How about last post??
-russ

Re:PGP is not the answer

[Russ+Nelson]

You have no clue. Cryptographers are quite certain that 1024-bit keys generate uncrackable crypto. 512 they're less certain about.
-russ

Re:Selective filtering

[BeIshmael]

BTW, how does wiretapping interact with encrypted data? What if they tap the email and discover that it's all PGP'ed? Can they brute-force it?

At the surface, it seems like they should be able to brute force it consistent with the court order for the wire tap. Just out of curosity, though, what about the DMCA's protections on decoding encrypted information?

To wit: From Jack Valenti's, MPAA Chairman, deposition:

10 Q You said any use of DVD that involves
11 coping is illegal. Is that right?
12 A I think what I said was, any time you
13 circumvent encryption according to the DMCA you're
14 violating the law. That's what I said.

It seems to me, if DMCA is used that broadly, couldn't it be used to argue against the FBI decrypting email communication?

Just a thought.

Don't count on 4th Amendment for protection

[catfood]

Someone wrote:

Hmmm but if the carnivore has spotted the names of various drugs in a disproportionately large number of ur emails, isnt that grounds for a warrant?

And then Kahuna wrote back:

But it can't do that. I mean, it won't just "notice" them. Its a computer. If its purpose was to scan for drug references in all emails, they could do that, but it would have to be on purpose. They couldn't use the "plain sight" defense to validate the evidence, because it requires an extra deliberate step to gather. You can't get a warrent based on evidence that you should have needed a warrent to get. It taints the process all the way down the line.

That's true... if the FBI is interested in a criminal prosecution. As far as I know, but I am not a lawyer nor particularly knowledgeable in the area, the Exclusionary Rule (legal precedent that says you can't use tainted evidence in court) is the only significant disincentive for an illegal search.

If the FBI or other law enforcement agency is more interested in simply harrassing, intimidating, or embarrassing a target, then the Exclusionary Rule has no practical effect.

I just saw Guilty by Suspicion on video the other night. True story, McCarthy era: film director harrassed by FBI agents, blacklisted because he wouldn't testify that his friends were Communists.

Our protagonist in the movie (Robert DeNiro) was investigated and bullied on suspicion of something that isn't (and wasn't) even illegal. The only prosecutions coming out of the McCarthy investigations were for perjury and contempt of Congress, against people who either wouldn't talk to the HUAC or who were caught lying to it. Nobody was convicted of merely being a Party member. But that didn't stop the FBI and the HUAC from carrying out their dirty tricks. And the FBI couldn't be challenged under the Exclusionary Rule because they weren't presenting evidence at trial.

Yes, it would be extremely difficult or impossible for law enforcement to use evidence inappropriately gathered by Carnivore in a criminal trial--they really do have to follow the rules there. But it would be relatively easy to use Carnivore or a similar device to gather information for other purposes, given just a little cooperation from ISPs.

I honestly don't think harrassment or intimidation is the primary purpose of Carnivore. It actually seems pretty mild compared to other more intrusive and less targeted means of investigation. But don't assume that the Fourth Amendment will protect you outside of a criminal courtroom!

Re:The FBI is looking out for you

[Steve+B]

It's also a matter of principle that criminals need to be stopped

Oh, I absolutely agree! The FBI proposes to commit a crime (violation of the Fourth Amendment), and in fact has thereby already committed a crime (conspiracy to deprive citizens of civil rights under color of law). They must be stopped. QED.
/.

That is how it's supposed to be. Is it that way?

[Convergence]

That is what I expect. That's how it's supposed to be. But is it that way in practice? Is it that way 95% of the time? What about the other 5%?

Re:TO: myfriend@theotherispintown.com

[barleyguy]

At least in paranoia, you could send your clones off to the termination center and hide out for a while. In real life, there's only one you.

I think it's getting to the point where the cost of "protection" (or the illusion thereof) is that we have a government that is going to get worse than the crime was to start with.

Well, screw the FBI. I'm going to go smoke a bowl and clean my machine gun. :-)

Re:No wiretapping without a specific warrant

[Kintanon]

Um, everything's an argument for better encryption to /. readers isn't it? I resort to the oldest argument against encryption: if YOU aren't doing anything wrong, why do you care if THEY read your emails? Take, for instance, the emails I wrote this morning. If the FBI wants to hear about how drunk I got over the weekend, I'm sure they'll enjoy these little tidbits of informations. If, however, they're looking for stories about people planning a nationwide terror campaign, I'm sure they're realize they read the wrong email within a few seconds, and most likely delete it.



Because it's none of their damn business. They ahve no need to know and hence shouldn't be looking. If they are going to look anyways then I'm going to find a way to stop them. And I'm going to do it because it's my RIGHT as a human being not to have every detail of my private life examined by some government thug to be sure it meets with his approval.

Kintanon

There's bad and good in this.

[Performer+Guy]

The dire warnings seem overstated considering what is already accepted practice. They just pull the suspects emails in question prior to searching. Omnivore sounds like it was open to abuse and if that was deployed it should never have been, it's like wire tapping a small town to get evidence on one individual. Carnivore sounds like a right minded attempt to restrict scanning to the suspects account.

So what's new?
They still need a court order and they could always tap the suspects phone any time as things stand. This just let's them tap an account than might be moving on a dial in from different locations. The whole system has always been build on trust and controlled by the fact that any abuse of the system won't pass muster as evidence in court anyway.

So, if a Judge let them deploy Omnivore it sounds like there's a need for some legislation to prevent this sort of dragnet approach in future but the Carnivore system is exactly the kind of thing I'd expect the FBI to be getting up to, why is everyone so surprised? The intention of developing Carnivore as a discriminating filter seems to be a move in the right direction IF it only traps and searches the email of the suspect, and that's the whole point of the newer system.

Move along folks, there's nothing to see here.

Just Read the ZDNet Story

[VB]

This is outrageous. The FBI admits this is nothing more than a glorified sniffer. And, we all know a sniffer grabs plaintext passwords which many systems/services use. Looks like it's time to start watching my login records a little more closely.

The analogy used was "It's the electronic equivalent of listening to everybody's phone calls to see if it's the phone call you should be monitoring." Actually, I'd say it's more analogous to having a bug in every home that uses that network. Considering that e-mail communications originating from one private residence destined for another private residence would qualify for some privacy protection, I would offer that placement of the "Carnivore" on a public wire steps way over the bounds of legitimate surveillance jurisdiction.

I guess what shocks me the most is that they actually demonstrated this technology. They expect buy-in?

Of course, there's always encryption....


Linux rocks!!! www.dedserius.com

Re:No wiretapping without a specific warrant

[AndroSyn]

Well if your not encrypting your mail, its like sending out only postcards. If you wanted things private, you would put your message in a nice envelope and mail it that way...

Email isn't really all that different, it just seems that we all expect our postcards to be completely private.

Read the article...

[TopShelf]

"Internet wiretaps are conducted only under state or federal judicial order, and occur relatively infrequently."

"The FBI defends Carnivore as more precise than Internet wiretap methods used in the past. The bureau says the system allows investigators to tailor an intercept operation so they can pluck only the digital traffic of one person from among the stream of millions of other messages. An earlier version, aptly code-named Omnivore, could suck in as much as to six gigabytes of data every hour, but in a less discriminating fashion."

This sounds like it is indeed meant for targeting specific suspects, after having obtained the legal permission to do so. Is it open to potential abuse? Certainly - but aren't unencrypted internet data transmissions open to snooping anyway? This just sounds like a high-powered info-sifter...

Re:Read the article...

[TheCarp]

Thats not what I am suggesting at all.

There is a huge difference between tapping a phone line and listening in, and tapping the whole trunk and listening to every call, for every person on the block, simultaneously.

It opens the system up for abuse. It means that ALL email going through the ISP can be logged...once the system is in place, ALL users email is subject to the whims of the human FBI agent who installed it and set it up.

Protecting people from this is a trivial problem, and gives them NO less legitimate information.

Re:Read the article...

[TheCarp]

> This sounds like it is indeed meant for
> targeting specific suspects,

Well it deponds on how you wish to look at it really. Assuming its a given that they have the right to wiretap (I am putting aside the fact that I have major philosophical problems with law and law enforcement here)....they have the right to listen in on "data" (conversations email etc) comming from a known data source (victem er I mean bad guys phone) to gather evidence against him.

Their entire system sounds basically like a system that takes all the email in the system, applies a set of regexs to the headers and takes all email too and from there target.

Here is the problem I have. The "data source" is not a "known one". They are not listening to "His line" they are listening to the whole ISP. Even if its just a header grep...they have NO RIGHT to recieve and look through ANY data except that which comes from or two who they are looking at...even if it is JUST a gheader grep.

The difference may not seem important but it is. If they wiretap your phone line, they can't abuse that to listen to my conversations, unless I use your phone. In this case there is the possibility of abusing their "wiretap" on YOU to listen to MY email because I am on the same ISP as you.

if YOU are the target...they have NO right to have MY mail ever even TOUCH their system.

Re:If a data stream runs through a computer....

[TheCarp]

> Because I'm not paranoid?

Perhaps because you inore history? I would submit that the entire history of the human race is the history of power abused by indivbiduals.

Do we forget that the FBI is the same organization that has abused its powers in the past. Would you consider it part of the FBIs job to forge letters to heads of the Maffia and heads of the US Communist party in attempts to litterally provoke the two organisations to violence against each other? Well they did it! I have seen the declassified papers on it!
(www.thesmokinggun.com - an archive of files obtained under the FOIA)

Furthermore....what they CLAIM to want is EASILY obtainable without "Carnivore". It would be TRIVIAL for an ISP to setup their mail server to blindly send copies of all messages and ONLY messages to and from the person being monitored to the FBI system...instead they insist on having THEIR box process EVERYONES messages.

If Carnivore was the ONLY way to do the job, that would be one thing. The fact is, it isn't. In fact its the MOST intrusive method possible. It means THEY are sorting through data that they have NO right to access, in order to get at the data they do have the right to.

Re:If a data stream runs through a computer....

[TheCarp]

> Funny isn't it? Everyone gets their panties in a
> wad about the government getting warrents to
> check your email, but you flat out say that
> IPS's could redirect and read your email without
> anyone knowing, and no one cares?

I care...unfortunaly its unavoidable. Its the way that email was implimented, there is no way to stop an eavesdropper on that level.

My point was simply that they can get exactly the information they CLAIM to want, yet they seem to be insisting on a MORE intrusive system where the ONLY protection against them accessing more data than they "should" is well them.

Why would they insist on this, when they can get the SAME data through LESS intrusive channels?

Do I trust my ISP more than the Federal Government? Only because I have no other choice, short of convincing everyone I know to use PGP (fat chance that).

My ONLY objection, in the context of this discussion, is that this system can be abused by the FBI, with, essentially, no oversight. Using the ISP system to divert mail would require complicity between ISP and FBI to be abused...and that at least marginally raises the bar.

FBI agents are human beings. Human beings sometimes do bad things, even with the best intentions. As such, there must always be some level of protection in place to limit the damage that they can do.

Again...what I am suggesting is truely trivial difference, if they are truely only doing what they claim to be doing. However it protects the people at large, if their intions are other than their claims. Seems like a win all around (unless of course your an FBI agent who wants to abuse your carnivorous machine)

Re:No wiretapping without a specific warrant

[TheCarp]

To extend your analogy better....

What they are doing is going to the post office and saying "There is a person in this city who we are investigating. We have a warrent that lets us read his mail before it gets to him." (assuming thats possible - remember this is an analogy)

Then demanding that the Post office turn over ALL mail that comes to the post office to the FBI and lets the FBI sort out this persons mail from the rest.

They arn't opening the letters per se...(tho in the case of email the distinction is blurred as the envelope doesn't conceal the contents) but demanding to look at "ALL" envelopes and make their own determination as to what they have access to.

Not How Terrorists Operate

[Nightspore]

The idea that grepping through piles of cached email for 'bomb', 'allah' and 'president' would be helpful at all helpful to the FBI is ludicrous. Actual plans for terror campaigns are usually communicated something like:

From: susie777@hotmail.com (** ACTUALLY Brian O'Connor **)

Subject: Party! (** ACTUALLY Bombing of British Consulate **)

Hey girls(** ACTUALLY Fellow members of IRA splinter group **)! The party (** ACTUALLY attack preparation meeting **) is at Sheila's (** ACTUALLY Sean's **) on Saturday (** ACTUALLY Monday **). I'm bringing chairs (** ACTUALLY bomb material **) and Cindy (** ACTUALLY Michael **) is bringing hats and cake (** ACTUALLY automatic weapons and the map **). See you there!

Susie

If they are going to read my e-mail....

[Bill+Daras]

If the FBI wants to read my e-mail, no problem. All I ask is that they have an agent click on my All-Advantage referrer link. They could then use their accounts to help subsidize the project.

Re:they DO require a warrant

[molog]

Even if this is originally intended as a positive thing, this can be abused latter down the line. Once the government can monitor all communications it will be abused despite the positive affects it could have. They would not have to waste thousands of man hours to analyze one hours worth of traffic. Parsers and analyzers have been getting better and they could easily sort out the people they would want to go after for just about anything. I might be paranoid but I have good reason to be.
Molog

So Linus, what are we doing tonight?

Same rules as non-Internet should apply.

[meckardt]

If they have a warrant to collect emails to/from a specific person, fine. If they don't have a warrant, any evidence collected is inadmissible in court.

Gonzo

Re:referral ids

[nlvp]

Ah - an anonymous coward who doesn't know how to read a URL. I'm not an Amazon referrer you idiot, and there is therefore no referrer ID in that link, it just tells you what the book is.

Why don't you learn what you're talking about before throwing accusations like that around, and if you're going to accuse people, have the guts to do it with your name attached.

Encrypt

[burris]

Run, don't walk, to Free S/WAN and get free IP/SEC transport level encryption for your Linux box. It can be configured to automagically negotiate strong encryption between any other IP/SEC box on the net (even using other vendor's products).

Burris

Re:The FBI is looking out for you

[KahunaBurger]

I refuse to accept that my 4th amendment rights protecting me from unreasonable search and seizure should be violated because there are criminals.

OK, breath deeply. Now lets think about this. Why was the fourth ammendment introduced in the first place? There were no phones, there wasn't even much of a postal service yet. But there were homes and doors and people capable of breaking them down to search your home. And there were police who might hear that you were seen leading a little kid into your home just before he was reported missing, and they might want to search your home. So we have the means to search your home and people who would want to. What do we do? We write an ammendment that says they can't do it unreasonably and a bunch of laws laying out a "reasonable" procedure.

Now the present. We have something besides your home, the internet, which people may want to search. We have ways for them to search it. And we still have an ammendment and a bunch of laws that say when and how they can do it. The existance of wiretap orders for other people who have given law enforcement enough justification to get a warrent, has nothing to do with your 4th ammendment rights, because they aren't searching and seizing you! As we understand carnivore and are discussing it, noone is spying on you.

Jon had it exactly right. As long as the FBI has the right and in fact the duty to obtain search or wiretap warrents, they will expand those rights into new forms of communication. It no more invades your rights than a legal, warrented search of your neighbor does.

-Kahuna Burger

PS, some people have expressed distrust at the number of internet wire tap orders obtained. But I'd be a lot more worried if they weren't getting any. Their going through the warrent process indicates that those warrents are neccassary, indicates that they are working within the system. Not perfectly, but its an indication that internet wiretapping is being taken as seriously as phone tapping. And thats what we want, right?

Re:4th Amendment anyone?

[KahunaBurger]

What part of "under a wiretap warrent" didn't you understand? If they get a warrent, its ok by the 4th. The 4th is about getting warrents, and issuing them under propable cause.

And one more time, they aren't reading the email of anyone except those who are on the carnivore tapes when they pull them. Saying otherwise is kinda like claiming that if I listen to police traffic on a scanner I am in fact listening to all my neighbors' cell phone calls because the equipment I have hears all of them not just what I'm tuned in on. Or that if I search DejaNews for "the keeper" I'm also performing an inapropriate background check of my potential employees by looking for their email addresses on porn, gay and alternative lifestyle newsgroups. Because, hey, that info is being scanned by the same program that gives me back my search results.

Paranoia is one of the many reasons I don't vote libertarian. I keep one of the others in my wallet.

-Kahuna Burger

If a data stream runs through a computer....

[KahunaBurger]

And no record of it is kept after analysis, does it make an invasion of privacy?

I'd say no. The article was perfectly clear. The idea is to get messages for people/accounts on which there is a warrent. The computer sifts the data for those messages, and only saves those ones. The people whose messages are analysed by the computer but not saved, not read not noted, have suffered no invasion of their privacy.

Look at it this way. What if the police were snooping on conversations over short wave radio by tuning to the frequency of the people they were interested in. Could you seriously say that every person in the area using a short wave radio had had their privacy invaded because the radio equipment used at some level recieved every signal, even though the police only heard and recorded one? Its just as silly to claim that they are "invading" anyone's privacy but the person whose messages they actually read when they download the carnivor files.

People who have a problem with the ability of law enforcement to get warents for wiretaps, should just say so. But when everything turns into some "Big Brother" paranoia rant, it just diminishes your credibility when you try to alert people to a real problem.

Heh, story of SlashDot : The Hacker Who Cried 'Big Brother'

-Kahuna Burger

Re:If a data stream runs through a computer....

[KahunaBurger]

My ONLY objection, in the context of this discussion, is that this system can be abused by the FBI, with, essentially, no oversight. Using the ISP system to divert mail would require complicity between ISP and FBI to be abused...and that at least marginally raises the bar.

Again...what I am suggesting is truely trivial difference, if they are truely only doing what they claim to be doing. However it protects the people at large, if their intions are other than their claims. Seems like a win all around (unless of course your an FBI agent who wants to abuse your carnivorous machine)

Actaully, I wonder about that. I have not had a lot of expereince with the rules of evidence, but would having a third party route all the data really result in as high a "quality" of evidence as the FBI harvesting it themselves? The advantage I see of the Carnivore method is that the data is filtered directly from the "feed". In your suggestion, could the ISP really guarenty the completeness of the info they were providing? Would their credibility become another route by which the data could be attacked (so, you claim to have provided these forwards to the FBI of the defendant's email. But as the provider, you are certainly capable of making a indistinguishable forgery of such a mesasage, right? Did you have any billing problems with the defendant?)

On a slightly more serious note, your method would require the FBI to tell the ISP exactly who the target was, risking a civilly disobedient ISP doing the forwards, but tipping off the subject of the surveillance. Of course with Carnivore, if the ISP couldn't tell what it was scanning for, they wouldn't know that it wasn't pulling an "echelon".

So, the best case senerio (given the existance of wiretapping laws, etc) would be: FBI shows up with a machine and two peices of paper. One is a authorized warrent, the other is a third party affidavate (I dunno, someone backed by the ACLU) stating that the filtering is programed only to pick out the email address of one individual, the one covered under warrent. You could even have the third party program and install the Carnivores, and then provide the kit and kaboodle to the FBI at the end, giving them the data and the chance to confirm that said 3rd party programmed it corectly.

Of course a system like that would take a lot of work to get in place and people with the energy to do that much work on this topic generally wouldn't like it because its compromise. So they will probably just keep doing it the way that makes some people nervous, and those people will keep making noise. Real life is too bad that way.

-Kahuna Burger

Trust

[KahunaBurger]

One problem with the Carnivore system is that we can't trust the FBI to only do selective filtering - they need to intercept all messages and then sort out the ones that apply - except we can't trust them not to take my messages with them!

Are you not trusting the FBI, or not trusting the technology? The entire point of the system is that the FBI isn't just browsing through and deciding to take your messages. "They" aren't doing the sorting, no individual is going to say "hey! I know we just had a warrent for guy X but a line in guy Y's email caught my eye and I think we should look into it!" In fact, that is exactly what this systen is meant to avoid. Get it? The entire point of carnivore is to 1) save man hours, and 2) avoid invading the privacy of people who aren't covered by the warrent.

Why is this bad? Given the existance of wiretapping warrents that can be applied to electronic communications, how can you guys possibly object to a technological solution to decrease the human instinct to notice things other than what they are looking for. Computers don't see anything except what they're looking for. Have you ever done a web search for breed rescues and had your computer say "Hey, this isn't related, but there a kinda neat article over on Slashdot about overclocking."? No? Me neither. But I regularly browse the "new titles" section of the library for one topic and end up with an interesting book on something else. If you are concerned about law enforcement exceeding their warrent, you should be celebrating Carnivore.

If, on the other hand you just salivate like pavlov's dogs at the words "wiretapping" and "messages" Carnivore would be a bad thing by definition.

-Kahuna Burger

Warrants difficult to get? LOL LOL LOL!

[jjsaul]

I have to interpret as humor any post that claims that warrants are difficult to get. Clearly you have never worked in law enforcement or in the legal field. The system has been warped to make it easier and easier, and the common-law created by the conservative S.Ct. has admitted evidence obtained through clearly improper police procedure under the "good faith" exception. Even Miranda was under attack, and will be overturned if the next president to seat a Justice is republican. Doubt me? Read Scalia's writings some time. If you want to see how 'carnivore' will be abused, look at the L.A. scandals, and recall that the statistics hold that for every prosecuted instance of police misconduct, at least 100 other instances are successfully covered up. I have great respect and gratitude for many of the police officers patrolling the streets, but nothing but contempt and scouring anger toward those who abuse their power. And it goes without saying that this system will be abused, as every other police power is eventually abused. The question is always, do we want to accept that abuse in favor of the criminal activity it will stop? Do we want to accept that this will be used to spy on ex-wives, on political foes? What if it is the only way to stop a virologist version of the Unibomer?

G.Gordon Liddy was once a prosecutor. Do you think he would blanch at faking a warrant if he felt that he was fighting a just cause? Have you seen the enemies lists he compiled for Nixon, with recommendations of assassination? Don't fool yourself into thinking that it is always rational, good-hearted people running the show. And whatever your politics, remember that the other side will occasionally have control of this mechanism, and will use it with the same fervor as a Gordon Liddy or James Carville - pick your villian.

Finally! Wiretapping for the 'net

[J.+Chrysostom]

The article says:

Marcus Thomas, chief of the FBI's Cyber Technology Section at Quantico, said Carnivore represents the bureau's effort to keep abreast of rapid changes in Internet communications while still meeting the rigid demands of federal wiretapping statutes. "This is just a very specialized sniffer," he said.

He also noted that criminal and civil penalties prohibit the bureau from placing unauthorized wiretaps, and any information gleaned in those types of criminal cases would be thrown out of court. Typical Internet wiretaps last around 45 days, after which the FBI removes the equipment. Mr. Thomas said the bureau usually has as many as 20 Carnivore systems on hand, "just in case."

Mr. Thomas is entirely correct --- Carnivore is just a very complicated sniffer. And while privacy advocates are correct --- the government COULD sniff anyone. But the government COULD also wiretap anyone. The rule of law is what prevents that. The FBI can pay through the nose if they get caught making illegal wiretaps.

The Carnivore system is perfectly consistant with the current laws and norms on government surveilence. To question Carnivore but allow for regular wiretaps, is in my opinion, an indefensible view point.

Re:This would be a surprise?

[rgmoore]

've wondered about this one for a while. In the MS v. DOJ thing, apparently they used a bunch of emails from Billy G. as evidence.

Admittedly, I didn't follow it all that closely, (by them time I had first heard about it, I was sick of hearing about it) but why didn't he just say "I didn't write that."

It should be virtually impossible to prove that email was written by any particular person. I could set my "Real Name" to Bill Gates and send out an email, or if I really wanted to put effort into it I could even make it look like it really came from bgates@microsoft.com. It's not that hard to create a file with a certain set of text in it, so an email header that says "this is from person X" doesn't at all guarantee that it actually is.

While it's true that it's easy to forge email on the internet, that's not where the billg mail came from in the Microsoft case. In that case, the email was from Microsoft's internal email system. It had been turned over to the government as part of the pre-trial discovery phase, which is basically when the lawyers for the two sides are allowed to demand that the other side turn over information that might be relevant to the case.

Furthermore, the emails weren't just random mails from billg to the rest of the world. They were part of multiparty email correspondance on particular issues. IOW for Gates to disavow the emails, he would have had to claim that someone was not only forging his name but was also intercepting his personal emails and forging a conversation on his behalf. Not only that, but they were doing so not on some leaky internet system but on Microsoft's presumably secure internal system, and that the other people he was corresponding with, who presumably encountered him at least occasionally in person never brought up the topic of the emails in non-email conversation so that the forgery never came to light. That claim would be so obviously bogus that all it would do is damaged Gates's credibility as a witness and not impeach the credibility of the email at all.

Re:This would be a surprise?

[rgmoore]

Next thing you know DOJ discovers incriminating emails on Gates' machine from the MS internal network. Of course, more work would be required than just that one little act, but the philosophical point is that email is just bits on hard drives, and is therefore no more reliable than heresay, which is inadmissable.

Yes, and written letters are just bits of ink on pieces of paper, but using them is quite common in legal circles. Fairly reasonably, if I ask you for your records and I find something incriminating in them (and bear in mind that you also have to provide copies to the court, so I can't change them and claim that they're original) it should be your burden to prove that the incriminating comments were forged, rather than mine to prove that they're genuine! If anything, people should be suspicious if they show something unusually exculpatory, since you're far more likely to modify them in a way that reflects well on you than to forge records that incriminate you. In any case, IIRC these aren't emails from Gates's desktop machine; they're from the corporate email archive.

Getting back to something closer to the article that triggered the discussion, the FBI isn't talking about either of these things. They're talking about intercepting email in transit, so my original interpretation of the more conventional approach to header forging is more of what the FBI would be interested in. In thise case, though, the FBI's tap is actually less likely to be forged than a random email, since they're going to be tapping his immediate upstream connection, so a forger would need to insert their forgeries exactly there rather than at any random point in the network. As for the FBI being able to forge the email, they could potentially do that no matter what system you used, so you're going to have to trust them to be honest in any case.

One interesting aspect of this is that it suggests that if you're a criminal you shouldn't PGP sign your incriminating emails. If they're PGP signed, it provides the FBI with excellent evidence to use in court that they're not forged; unsurprising since proving authenticity is the intent of signing them. If they're unsigned, though, it'll be a lot easier to claim that the FBI forged them. You can probably enhance the effect by signing all of your non-incriminating emails (which you figure that even the most hardened criminal would have) so that you can intimate that the FBI forged the incriminating ones but were unable to forge the signature since they didn't have your private key.

I'm sure they filter...

[Ron+Harwood]

After all they search for words like "assasinate", "bomb", and "president"...

They don't actually look for words like "make", "money" and "fast" or even "buy", "cheap" and "toner"...

...and they certainly wouldn't be looking for words like "XXX", "asian", and "sluts"... or would they? ;)

PGP

[LazyGun]

PGP is the answer

Re:PGP

[jilles]

Nah, too cumbersom. I think the whole problem is that TCP connections are not private. With SSH you can scramble any connection. So, why not scramble the traffic between mailservers? While we're at it, why not compress the data as well. I think encryption has to be built in to the network and not just added on to it. Basically any trafic to and from a PC can be read right now, unless you specifically choose to encrypt it. I would like to have it the other way around. Anything from chat sessions to ftp to X sessions I want encrypted.

Re:PGP

[^_^x]

Of course, they must have one.
...wait a sec...
*CLICK, CLICK*
There, my key is now 4096 bits, problem solved. ^_^

Seriously, I think PGP is too versatile to be cracked so easily. i.e. I have a 2048/1024 DH/DSS key with the CAST cypher, but I also have a 2048 bit RSA key with the IDEA cypher. You can also have custom key sizes, for example Will Price at PGP has a 4000 bit DH key.

Powerful and flexible.

I recommend looking up "PGPDisk." It's easier to use than the already dead-simple normal PGP. It creates a virtual disk volume that's encrypted, and can auto-unmount itself. It's good even when the PC crashes, too. (In tact, data saved until crash is still there when you reboot.)

...however I don't know if it's out for Linux.

Re:No wiretapping without a specific warrant

[Metrol]

Why should electronic communication be legally less protected than telephone communication?

I'll do ya one better. Why shouldn't a letter sent via electronic means not enjoy the same protections as a letter sent by the post office? Correct me if I'm wrong here, but tapping into a phone line isn't a federal offense, where as opening someone's postal mail most certainly is.

This is NOT wiretapping folks. This is the process of ripping open your sealed envelopes. Worse yet, it rips all of them open with only a flimsy promise to only look at the letters in question. The FBI does not have a great track record for being trusted to abide by only playing by the rules of a search warrant.

The really amazing thing is, America's founding fathers saw this very thing coming. The 4th amendment was not an after thought. It was put in to deliberately undermine tyranny within the nation they were building.

Government Promotion of PGP

[grahamsz]

Personally I think systems like this do nothing but promote the use of PGP.

At the end of the day we all know that they almost certainly cant crack PGP encrypted stuff... except that I only started using PGP for vaguely sensitive mail when i first heard about the echelon system.

I was always aware that my comms could be intercepted and certainly running a packet sniffer on a network brings in some interesting stuff, but I never really considered it was practical to filter all online traffic in that manner.

The govt have coming forward and said "Guess what? We're already doing it!!" probably does about the same good for PGP usage as handing out $10 bills with every download.

It really is a shame that the bulk of the public dont understand the reasons why encryption is a good thing. Sadly the conventional press tend to see it more as a system for protecting criminals rather than free speech, and popularist public opinion is against PGP.

4th Amendment anyone?

[toph42]

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

It does not matter what the FBI says, they may not do this and be in compliance with our Constitution.

Let your representatives know that you don't want the Constitution ignored, or vote for a candidate that will demand that the government complies.

Look for a candidate at the Libertarian Party home page.

Topher
Got Freedom?

Devil's Advocate

[Darguz]

While I'm just as concerned over privacy issues as the next person, I just want to address one point here. In the article, Mark Rasch, a former federal computer-crimes prosecutor says "It's the electronic equivalent of listening to everybody's phone calls to see if it's the phone call you should be monitoring."

I disagree -- I think it's more like opening a telephone junction box to see which line you should be tapping. With that box open you have the potential of tapping all those lines, but you just tap the one. The computer may be monitoring all the traffic, but obviously it has no understanding of what it's processing; if the system is used properly (and granted, that may be a big IF), it's only recording suspect traffic.


--

Unnecesary Paranoia?

[SigVn]

What is unnecesary Paranioa?

When I was a kid, I hung with a lot of skins and punks. The Cops would shake us down every time they saw us.

It wasn't that they knew we were up to something. (although yea sometimes we were... but no more then anyone else). I personaly have never had a record, but the cops knew we were trouble, mostly because we were skins & punks. (And no I was not a bigot)

It is not a question of being a crook, it is a question of being percived as a "unwanted element". We were an unwanted element.

I do not feel comfertable with the FBI (or anybody) with this kind of power. How long to they start shaking you down.

What about Echelon?

[AntiPasto]

Maybe the FBI's just trying to figure out if Echelon exists or not.

----

Old theory, now considered invalid.

[skybird0]

from http://www-dse.doc.ic.ac.uk/~nd/surprise_97/journa l/vol4/spb3

2.1 Heating up over lost information
A great deal of time has been spent on investigating whether quantum theory places any fundamental limits on computing machines. As a result, it is now believed that physics does not place any absolute limits on the speed, reliability or memory capacity of computing machines. One consideration that needs to be made however, concerns the information that may be 'lost' in a computation [23]. In order for a computer to run arbitrarily fast, its operation must be reversible (i.e. it's inputs must be entirely deducible from its outputs). This is because irreversible computations involve a 'loss' of information which can be equated to a loss in heat, and thus the restricted ability of the system to dissipate heat will in turn limit the performance of the computer. An example of information being lost can be seen in an ordinary AND gate. An AND gate has two inputs and only one output, which means that in the process of moving from the input to the output of the gate, we loose one bit of information.

In 1976, Charles Bennett proved that it is possible to build a universal computer entirely from reversible gates, and that expressing a program in terms of primitive reversible operations does not significantly slow it down. A suitable universal and reversible gate with which we could build a computer is the Toffoli gate.

What Is The Real Purpose?

[Alarmist]

The article says that less than one hundred cases have involved evidence gathered from Internet wiretapping.

To read one person's e-mail, the FBI requires a separate machine in a locked cage co-located at the ISP. Why?

The FBI came forward asking for assistance in developing eavesdropping standards, when they have technical people in house who can do this sort of thing. Why broadcast the existence of this system?

Perhaps we are witnessing a schism between the FBI and other agencies. Imagine this:

You're an ISP. One day, you get a call from someone claiming to be a FBI agent and saying that they need to install a machine and eavesdropping equipment at your ISP to gather evidence for prosecution. Now, being a technically savvy person, you realize that most criminals that the FBI would be interested in don't write each other e-mail detailing their crimes. The few that do are mostly white-collar types who are involved in insider trading or some other form of high-dollar business crime. Reluctantly, you agree.

Agents with FBI credentials show up and install the machine. You have no way of knowing what it's grabbing, but you bite the bullet and hope for the best. Here's the kicker: the agents were installed by someone else--CIA, perhaps, or NSA--an agency whose charters explicitly forbid spying on US citizens inside US borders. They want the ability to spy on domestic citizens, so they set this up and pretend to be the FBI, hoping that ISPs will be so cowed by government agents that they won't follow up the matter.

The FBI gets wind of this somehow and spills the beans in an "accidentally-on-purpose" sort of way. The competing agency, whoever it is, is incensed by this and the FBI gets to reclaim its turf. Then, because the FBI is so clearly and visibly involved in this, they get to keep the machines, figure out how to get the data from them, and use them as if nothing were wrong. They have denied another agency a means of control.

Far-fetched, admittedly, but it is a possibility.

Still, I must say that I am saddened by the further erosion of our rights. What next? Radio collars?

The FBI is looking out for you

[Jon+Erikson]

In this brave new world of information, traditional agencies such as the FBI have to have some way of maintaining their ability to protect the people that they serve, that is you. And they can't do this by ignoring such a major new technology such as the Internet.

As much as we all love the net, I don't think that any of us can deny the fact that it does provide an easy to use and easy to conceal method for criminals and other dubious types to communicate, without regard for national laws or borders. As more and more people move online, the criminals will follow, and for the FBI to ignore this would be failing us in their duty.

The idea that the FBI can scan E-mails as they enter or leave your ISP sounds scary at first, but what you have to remember is that you are not a criminal. They're hardly going to want to read your E-mail about your trip to see your sister at BJU are they? It's not like there are people reading your personal mail, it's just a machine and can't make value judgements on what you write.

Unfortunately the massive growth of the net has meant that this sort of thing was inevitable and indeed neccessary thanks to the kind of large-scale, global operations that the FBI is involved with. For them to not do this would be the wrong thing in this case, and it is a blow for criminals everywhere.

---
Jon E. Erikson

Re:The FBI is looking out for you

[griffjon]

Further, damnit, I'm NOT a criminal, so I shouldn't be treated as one. This is a classic case of guilty until proven innocent.
Just because I'm not a criminal doesn't mean I want the gov't, or my next door neighbor, to be able to read my email. Of course, that's why I have a huge PGP key (check my userpage)...

I am a private citizen, and my personal life is no business of the government.

It's a waste of time & resources.

[blameless]

The article says the technology has only been used 100 times, which leads me to believe it's reserved for big-time criminals.

If someone is a big enough fish to warrant [no pun intended] this, they're probably going to be using encryption anyway.

If they're investigating pot trafficking

[blameless]

Do they use Herbivore?

Sorry...I couldn't resist.

PGP is not the answer

[Tomin8tor]

PGP is okay, but I'm moderately certain the NSA can crack it fairly quickly. Don't know about the FBI.

Keep in mind, the largest employer of mathematicians in the world is the NSA and that they are one of the largest computer buyers.

They have sealed documents written by Alan Turing was back around WWII and the suspicion is they are 2-10 years ahead of anyone in the "normal world" of encryption/decryption.

And as far as crypto goes, strong crypto is nice. But if you've ever read books on information security that covered the whole field, you'd realize a very small chapter would be devoted to crypto, and a very large chapter to organizational security because social engineering and dumpster diving are both far easier than cracking crypto in most cases. It's easier to pay a secretary $10K than to spend $100K cracking some crypto. And probably more effective to boot.

Frankly, I don't really care if CSE, CSIS, FBI, NSA, CIA, KKK, FSB, - whoever - reads my mail. They'll find the effort not worthwhile. That's the ultimate secret - just be slightly odd and mostly boring... ;)

Tomb

Re:Secure Communications

Such a thing already exists.

HushMail

Already exists

[lazarusL]

("apt-get install postfix-tls" if you use Debian.)

Take a look at RFC 2446 (Transport Layer Security) and RFC 2487 (SMTP Service Extension for Secure SMTP over TLS) for details.

For an implementation, look at postfix-tls:

Authors:
Postfix : Wietse Venema Wietse Venema;
TLS extension : Lutz Jänicke Lutz Jänicke

Start with the postfix site and then the TLS site if you don't have the ability to apt-get source I guess.

Heading for Braindead . . .

[Badgerman]

Paraphrasing Robert Anton Wilson:

Imagine an authoritarian system as a pyramid with an eye on top (look at a dollar bill). Now, the guy at the top wants to control the people down below, but he has to rely on them for information. So he uses coercion to control them and extract information, but since fear of punishment, hate, and paranoia are driving the people below, they only say what will prevent punishment. The system reflects itself down the pyramid, and due to increasing ignorance, becomes brain dead over time.

It seems this is the way we're heading with cybersleuthing, techno-eavesdropping, lawyers throwing lawsuits round, etc. We're all paranoid as hell, everyone doesn't trust anyone, and there are more and more threats each day.

It appears the FBI is making yet another contribution to this. I wonder how this will be abused (and thus increase mistrust), how errors will be made (and thus increase mistrust), and how many bad precidents and angry reactions this will produce. I wonder how many lawsuits and court cases will result from their snooping.

In their quest to enforce laws, the FBI makes themselves that much harder to trust by being more invasive. Ironic that.

I know what the FBI use it for

[grahamsz]

They have the carnivore sniff out any mime encoded JPGs containing an above average level of flesh tones.

These are then filtered out and despatched to agents personal computers, saving them several hours a day in hunting for pr0n.

These extra hours are what will really give them the advantage combatting cyber-terrorism.

they DO require a warrant

[djrogers]

I wouldn't much mind if this sort of thing required a warrant and if they were required to toss any data without a specific person's (or IP, at the outside) name/id on it.

Sigh, the FBI does rquire a warrant to use Carnivore, and to top it off, it's _really_ hard to get. As for tossing extraneous data, it's the software that analyzes all the traffic, not humans. IANAFBIA, but from my experience, c-vore only _collects_ data on the target, agents don't even see the rest of the cruft.

Let's get off of our parannoid horses for a minute, and think about this rationally. Do you _really_ think that the FBI would waste the thousands of hours of manpower it would require to manually analyze just one hour's worth of unfiltered data? Even if they did see that metallica.MP3 file you e-mailed to your aunt, would they really care enough to note who you are? Of course not, they're after the sick-ass guy who brags about whipping pre-pubescent girls and rubbing salt in their wounds (trust me, I'm _not_ overstating this).

Besides, if you really need to overthrow the gov't (of course one day we will, history teaches us that) you'll just have to use encryption...

A good invention

[tssm0n0]

Now the FBI can read all my spam... god knows I don't wanna read that crap.

Re:Selective filtering

[corniche]

in the UK, there is a bill being passed that if the police etc. wants to look at your encrypted data, you are required to supply the key. faliure to comply results in a jail sentence
(up to 10 years i think)
also, never be 100% sure that your encryption is safe, you never know quite what technology they've got....

{shhhhh... the froggies are asleep.}
spam-proofing?

Re:This would be a surprise?

[Ketzer]

I've wondered about this one for a while.
In the MS v. DOJ thing, apparently they used a bunch of emails from Billy G. as evidence.

Admittedly, I didn't follow it all that closely, (by them time I had first heard about it, I was sick of hearing about it) but why didn't he just say "I didn't write that."

It should be virtually impossible to prove that email was written by any particular person. I could set my "Real Name" to Bill Gates and send out an email, or if I really wanted to put effort into it I could even make it look like it really came from bgates@microsoft.com. It's not that hard to create a file with a certain set of text in it, so an email header that says "this is from person X" doesn't at all guarantee that it actually is.

I know what many of you will say: "But you can track it's path through the mail servers, and if you're really thorough, you can pin it to an internal IP and MAC address and time of origin." Even that doesn't prove who was using that machine.

Steganography.

[Poe]

Rather than using PGP, which is likely to get the undevided attention of any government agency, use steganography.
Take your plaintext, encrypt it, hide it in some of the least signifigant bits in an image, attach the image to an ordinary email, and off it goes!

The thing that bothers me

[mindstrm]

about wiretaps is this.....

Originally, you have this telephone system.

Then.. the feds (or whoever, law enforcement) says 'hey.. would it be possible for us to listen to someone's phone call?' .. well.. technically it wasn't a challenge. So.. in the course of their investigation, they could make a court order the phone company to let them listen.. because *it was something they were capable of already, without difficulty*.

It was just evidence gathering.

Can anyone see how this is a world different than the feds saying 'you may not build a phone system unless we can wiretap it?'. It's a very different scenario. The first was simply evidence gathering based on what was available, the second is an actual attack on privacy, or, in other words, 'we forbid you from making a secure, private system'.

People.. everyone *must* start using encryption!

This would be a surprise?

[waldeaux]

... I'm not surprised. We've already given away so many rights "for the baaaaaiiiiiiiiiibiiiees", the whole 1984 blew past us a long time ago.

The scariest part of this is that people can, and frequently DO send e-mail from different places. Also, multiple people frequently use the same phone line. So consider these two situations:

1. Someone who sends e-mail at home and at work.
2. Two roommates who send e-mail from the same computer.

It is very easy to forge e-mail. What's to stop someone from forging e-mail in the name of someone in two places? Nothing of course. What guarantee is there that the FBI will understand that they could easy get false data? None of course. Since we're already setting up classes of crimes for which "innocent until proven guilty" is no longer upheld (in practice), it won't be long until someone is convicted of a crime based upon what is fraudulent electronic evidence.

Of course it has probably happened already.

Secure Communications

[grahamsz]

Personally I would like to see an offshore provider giving https based webmail. This would probably be a lot more accesible to end users then PGP currently is and would surely start to cause problems for the US & UK governments and their dodgy schemes for monitoring access.

In the UK i believe the police can now demand ISPs route certain customers traffic through them and whilst I dont do anything that i'm particularly worried about online it's still not a very comforting thought.

I wonder if providing free encryption based web mail services would be something that havenco would be prepared to provide as a publicity stunt?

ANother reason to use PGP

[DevTopics]

To me, this is just another reason to use PGP for my email. Let's face it, email is insecure in every way you look at it: it can be wiretapped, it can be faked, it can be changed on the way, and so on.

So I think that stories like this should be brought to a greater attention (read: Joe User should notice that). And we should get used to "sealing" our email with PGP like we're used to seal our envelopes.

One other nice thing about encrypted email is: your ISP couldn't be held responsible for anything you say. I'm responsible for what I say, and you are responsible for what you say, and not vice versa. And this should be true for everyone.

As long as PGP can't be decrypted, we can shrug our shoulders at stories like this.

Re:That was then, this is now

[Darguz]

The book "Applied Cryptography" looks at cracking a 256 bit key:

It starts by stating that to change a single bit in a processor, you would (according to the laws of thermodynamics) need an amount of energy no less than kT where T is the absolute temperature of the system, and k is the Boltzman constant. If you run a computer at 3.2 degrees Kelvin, and with k being 1.38*10^-16 ergs/K, you would need 4.4*10^-16 ergs to set or clear a bit.

The sun releases about 1.12*10^41 ergs in a year, so if you could collect all the energy from it for 32 years (of course, Earth would soon become very cold and dead then), you could have a your computer count up to 2^192, but you wouldn't have any energy left to do anything with the counter (such as cracking a key). A typical supernova releases about 10^51 ergs. If you collect all that energy, you could count up to 2^219.

The conclusion is that unless computers are built from something other than matter, and occupy something other than space, a brute force attack against a 256 bit key is not possible.


--

Just a thought.

[mindstrm]

Coming from a Canadian point of view here....

It has long been viewed in north america (though the US changed it's law for some reason or other) that the public airwaves were just that; public. We regulated who could use what spectrum for what in order to make everybody happy. (if everyone fought, radio would be useless).

Then, one day.. along came the cellular telephone. Lo-and-behold, these phones used standard FM in their allocated bands. So.. people with radio scanners could listen to phone calls.
Now. .in the US.. it is now a crime to have a scanner that can listen in on cellular calls (let alone actually doing it). However.. when the same was proposed in canada.. the crtc said this:
The airwaves are a public resource; they always have been and they always will be. The celluular providers had *NO REASONABLE EXPECTATION OF PRIVACY* for their calls. They were broadcasting in the clear.
Remember, regulation states who can broadcast, not who can listen.
So.. cellular providers deal with this up here by pushing digital.

How is the internet any different? You KNOW that you don't have control over your packets once they are out of your network. Perhaps your upstream has an agreement wiht you guaranteeing certain privacy.. but what about their upstream? What about everyone? By it's nature, the internet is not a single resource, but a vast collection of networks all hooked together, covering every juristiction and idology known to man.

Regardless of what the 'ignorant' public might think, there is *NO REASONABLE EXPECTATION* of privacy when putting packets on the internet, unless they are encrypted. Period.

I'm not saying the itnernet is a public resource, like the airwaves.... but you *know* you can't control where those packets go. So .. ENCRYPT.

Difference between FBI and Congress

[/]

When Congress enacts this sort of program, they always give it a name like "The Freedom of Infants and Children Act" or the "Prevention of Violence to Puppies Act" with a rider that slips in the big-brother grants of power.

The FBI, on the other hand, gives it a name that can't help but encourage visions of a government run-amok eating its citizens. Which, come to think of it, is not too far from the truth.

No wiretapping without a specific warrant

[Zulfiya]

"It's the electronic equivalent of listening to everybody's phone calls to see if it's the phone call you should be monitoring," Mr. Rasch said. "You develop a tremendous amount of information."

This guy is right on the money. This isn't about targeting a suspect and confirming other evidence (as wiretapping is meant to be), but about trolling for suspects. Why should electronic communication be legally less protected than telephone communication?

I wouldn't much mind if this sort of thing required a warrant and if they were required to toss any data without a specific person's (or IP, at the outside) name/id on it. There's no need for this level of invasion. I also suspect, rather like the cybersensor filters, they're going to pick up more false hits than real crime, and wind up investigating and harassing uninvolved people.

Now here's an argument for better encryption.

TO: myfriend@theotherispintown.com

[AntiPasto]

SUBJ: Hello friend! MSG: Ahhh I love living in the United States, I love the government and its astoundingly perfect mindset that guards my every right and freedom. I am glad that you, my friend, my comrade, are living in this land that beats all others.

It's so double plus good to be alive and protected by the Ministry of the FBI!

----

Automated Search Warrant Request Software

[Your+Robotic+Pal]

I also thought that requiring a search
warrant would reasonably limit privacy
invasions by any agency.

Until I found a website for an automated
search warrant request software package.

Like most of you, I don't do anything that anyone would be concerned about. I don't even keep copies of DeCss around, nor do I download metallica songs. And after seeing the anonymous family photo with the cucumber, the dog and what appears to be a small cheerleading squad, I haven't much interest in downloading Pr0n. With caffeine as my only drug, I'm not exactly worried...

I even pay my parking tickets and cable bill.

What is scary is the website I found (there are at least three packages for this)detailing software designed for automating search warrant requests (probable cause, non?) and capable of processing over 1100 search warrant requests per hour!

I found these sites by accident while looking for information on search engine technology in 1996. I won't list the URLS, but you can find them. One site talked about how much faster it would be when electronic authorization (EDI) interaction became available.

Imagine how low the threshold of probable cause will slip once some eager programmer decides that online email profiling data can go immediately into the search warrant request software, returning approval in under thirty seconds.

There are no laws saying that e-mail, packet scans and IP traffic logs cannot be held indefinately, or archived for the last 120 days. This didn't apply to telephone calls - while call logs could be accessed, recording the actual conversations required a warrant - so speech that occured before the warrant was safe, or left as hearsay evidence. With digital archiving of all traffic, the landscape has changed.

In the future, search warrants will effectively be *retroactive* - and can contain complete records of what you've done for months.

For most people, privacy is seen as a way to hide indiscretions from general knowledge, or as a way to "get away" with crime. It isn't - that's a small quirk that can be handled through our current legal system.

Privacy is really the way that we guarantee our right to stay at arm's length from our government (well, at least the individuals in it) and our ability to disagree and express that disagreement (without fear of punitive retaliation)to those in power, be they government officials, Microsoft or the MPAA.

As long as we have that, everything else in a democracy can work. We don't really want a truly libertarian state (Been to Moscow lately?), but a democracy that embraces responsibility and liberty like RSM embraces pizza and ego.

So Get off your dead asses
and write those letters now!
snicker.

Selective filtering

[11223]

One problem with the Carnivore system is that we can't trust the FBI to only do selective filtering - they need to intercept all messages and then sort out the ones that apply - except we can't trust them not to take my messages with them! The solution is to have your email users use an encrypted mail transport system so that when the FBI requests a wiretap, they are only given the key to decrypt the messages of the account they're looking for. There are a few (but not widely deployed) systems that do this already, but a better one could be possible now that RSA will be expiring soon.

BTW, how does wiretapping interact with encrypted data? What if they tap the email and discover that it's all PGP'ed? Can they brute-force it?

the part MSNBC didn't print

[happystink]

FBI sources were quoted as saying that among the first people targeted would be the people who put random Echelon keywords in their .sigs. "They all thought they were clever" Michaels said, "but it was just lame and annoying, and only a few hundred people ever did it, so it wasn't even effective. We were sitting around drinking one night and were like 'What the shit, let's test this on those guys!' and we've been following them ever since. Mostly it's just a bunch of guys talking about beard trimmers and PGP, it's kind of depressing."