FBI E-Mail Wiretaps - The Carnivore System
CharlieG writes "It seems the FBI has been electronic wiretapping various e-mail accounts for a while now. First with a system called Omnivore, and now with a "More Selective" system called Carnivore. You can read about it on MSNBC.COM"
There's always somebody who says this, but they never manage to present any evidence. You wouldn't happen to have any evidence lying around, would you?
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Bad example. Radio is inherently a broadcast medium, e-mail is more-or-less directed.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Not so. The first 10 amendments were agreed on before the Constitution itself was put in place. Indeed, the Constitution was ratified only with the agreement that the 10 amendments would follow; several states' representatives refused to agree otherwise.
So "amendment" doesn't mean "afterthought". Politics. Such fun stuff.
Heard of TWINKLE? How far ahead of this do you think the NSA might be?
FWIW, I once worked a case for the FDLE, after which they tried to recruit me for their computer crimes unit. They were quite sanguine about encryption, saying they regularly shipped encrypted documents off to the NSA for decrypts, depending on how crucial they were to the case.
Also remember that given access to the private key, keylength is less important than passphrase strength.
It takes some work to use PGP securely, and ultimately, if some TLA wants your cleartext, they'll get it one way (cracking crypto) or another (Van Eck, TEMPEST).
-Isaac
I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
Let's start by realizing that different people have different sets of ethics, and not everyone believes that the government has a strong sense of ethics. For example, I am confident that the government is extremely hypocritical, which by my sense of ethics is one of the worst things possible.
Asking dictionary.com about 'principle' gives "basic truth, law, or assumption", "A rule or standard, especially of good behavior" and "The collectivity of moral or ethical standards or judgments".
When you say "It's also a matter of principle that criminals need to be stopped...", it's reasonable for me to ask "Whose principle, whose ethics, which laws, and at what price?"
The question many people are raising is if catching the criminals is important enough to justify breaking the law, violating the constitution, and ignoring the bill of rights.
My answer is "No, of course it isn't worth it! The rules of society, as described by the constitution, make it clear that catching the criminals is NOT the most important thing."
Let me make this as clear as I can manage. The 'betterment of society' is not served, and is in fact harmed, by a law enforcement group which intentionally violates the law, ever, even once. It doesn't matter if they catch a thousand murderers and ten thousand rapists at the same time, if they had to violate one law to do so, they have made the world a worse place. It's simply a matter of principle.
Obviously my principles are different from yours.
And to answer your question, it depends on the criminals. In particular, it depends on what laws they are guilty of breaking. I mean, it makes a big difference if they are all guilty of murder, say, or just, you know, jaywalking or speeding or maybe growing a bit of pot and then smoking it.
Wow. I'm just amazed.
You can't argue with logic like that. You can point and laugh, but you can't argue with it.
Just for the record, in order to prove that it can be done, I deny them. I also deny your god. Please refrain from stating that it isn't possible, as it obviously is. Tell me again that I can't deny something, and I'm likely to do just that, if I want.
It is my belief that criminals can be caught and punished without breaking the law. It takes a little more work, but it's still possible.
Breaking the law in order to catch someone and punish them is a lot like the death penalty. Is it fair for me to assume that you don't agree with the death penalty?
"And as I believe I've said before, sin is sin, and trying to count the "amount" of sin is a foolish and pointless exercise. If you are guilty of a crime, you must be punished. It's as simple as that."
You seem to be confusing 'sin' with 'crime'. Crime is defined by society. 'Sin', for those who believe, is defined by some higher power.
The important point here is that society can, and often does, change the definition of crime. Drinking alcohol in the United States is a good example. It's legal. It's illegal. It's legal again. Of course, this caused some confusion.
It is my belief that there currently exist many laws which actively harm society. Society would be better off without some of the laws.
I'm willing to suppose it may be a bit of a leap for you to agree that some laws harm society. Let's see if we can agree that there are laws which are just downright silly, and don't need to exist.
Please refer to www.dumblaws.com and see if you can find even one law which makes something a crime when it need not be.
Failing that, please explain the ethics behind this law:
New Mexico, Las Cruces:
You may not carry a lunchbox down Main Street.
Is this a crime because The Lord told someone it should be?
Is it a sin?
Does it harm anyone?
Can you suggest any possible reason for this law?
Can you begin to understand how I might think that someone might be guilty of a crime yet still not need to be punished?
While you are correct in your statement that PGP has never been "cracked", this is an over-simplistic view of the software's strength. Any mismanagement of the way the protocols are used could possibly weaken the crypto, which could be enough to be cracked. The algorithms are only as secure as they purport to be when they are implemented according to their reference implementation. While no one has the computing power to brute-force full strength RSA, perhaps an inadvertently crippled RSA could be broken. This is a big problem with any crypto implementation.
This is not the case at all. Recently, there was discovery of a bug in PGP that made it possible to guess keys. See http://www.securityfocus.com/bid/1251
There have been several other bugs found in PGP; I can't remember the specifics, but I believe that the above bug was in PGP for over a year before being discovered, in spite of the fact that the code was open for everyone to see.
If you've ever actually looked at the code for PGP, you'll see it's HORRIBLE. PGP is coded really sloppily. My comments were more directed at the high probability of an accidental implementation error due to programming practice, not an intentional crippling.
This is particularly the case with Open Source projects, as willingness to code something rarely translates to being the best person to do it. Bruce Schneier commented on this in his Cryptogram newsletter. See:
http://www.counterpane.com/crypto-gram-9909.htm
http://www.counterpane.com/pitfalls.html
http://www.counterpane.com/whycrypto.html
And please, this isn't a flame. This is born out of experience.
There is a fairly easy workaround for that piece of legislation. It has been used in the financial community for a while now. What you need to do is have your key held by a custodian outside the UK jurisdiction. Then set up an agreement that in the case of any legal action against you the custodian is automatically required to refuse delivery of the key to you. That way you cannot be held in contempt since you abide by the law requesting the key, but you are not getting it since something outside your control hinders it.
Help fight continental drift.
Exactly! Which is why I refuse to work anywhere that a drug test is mandatory. I don't use illegal drugs, just the legal ones. :-) I do, however, refuse to work where I AM NOT TRUSTED.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
... And our Lord Jesus H. Fucking Christ spread his buns, and said: "Thou shalt not jaywalk, and always cross on thy green lights"... [Peter 89:45.12]
--
Here's my mirror
So, if you're not afraid of the FBI looking at your e-mails to your sister, you're surely not afraid at letting ME look at those same e-mails, no?
By the same token, you won't mind either me looking at those e-mails you sent to that chick you met last month at Catalina, no?
Can't you see it's a matter of principle, or are you just dumbed-down by mass-media hysteria not to realize your fundamental rights are being trampled???
--
Here's my mirror
The link on the page is bad, their home page is here.
Mea navis aericumbens anguillis abundat
Just encrypting your e-mail with PGP is not enough. The sender and recipient histories can still be tracked. Here is my proposed solution to this problem...
Have several anonymous remailers scattered around the world with well published public keys. Each remailer will decrypt the message with its private key, find the new sender in the decrypted message, strip the original envelope information, and send the message along to the next remailer.
Your message ends up encrypted in multiple layers that get stripped off one by one by each remailer. Eventually, it will get to its destination where the recipient will strip the last layer of encryption off.
This way, there is no reasonable way anybody can track who you're getting messages from, or who you're sending them to. Even if the remailers keep connect logs, or message logs, you still can't tell.
I'm thinking of writing this up as a python script that uses gpg and that can be set up as a filter in your .forward or .qmail file.
Need a Python, C++, Unix, Linux develop
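The layered wrapping proposed in the comment above, sketched as an added example (it is not the poster's script), with a log of what each remailer would be able to record. `seal`/`unseal` are a standard-library symmetric stand-in for gpg public-key encryption to each remailer's published key; the addresses, remailer names and keys are all constructed.

```python
import hashlib
import hmac
import json
import os

# Constructed parties; in the proposal each hop would publish a gpg public key.
SENDER = "alice@example.org"
RECIPIENT = "bob@example.net"
ROUTE = ["remailer1.example", "remailer2.example", "remailer3.example"]
KEYS = {name: os.urandom(32) for name in ROUTE + [RECIPIENT]}

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    """Toy encrypt-then-MAC layer (stand-in for encrypting to a hop's key)."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("layer is not for this key or was modified")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def wrap(body, recipient, route, keys):
    """Build the layers inside-out; returns (first hop, outermost blob)."""
    blob, next_hop = seal(keys[recipient], body), recipient
    for hop in reversed(route):
        layer = json.dumps({"next": next_hop, "payload": blob.hex()}).encode()
        blob, next_hop = seal(keys[hop], layer), hop
    return next_hop, blob

def relay(hop, blob, key, came_from, log):
    """One remailer: strip its layer, record what it could log, forward."""
    layer = json.loads(unseal(key, blob))
    log.append({"hop": hop, "from": came_from, "to": layer["next"]})
    return layer["next"], bytes.fromhex(layer["payload"])

def send(sender, recipient, body, route, keys):
    hop, blob = wrap(body, recipient, route, keys)
    logs, prev = [], sender
    while hop != recipient:
        nxt, blob = relay(hop, blob, keys[hop], prev, logs)
        prev, hop = hop, nxt
    return unseal(keys[recipient], blob), logs

def trace(logs, sender):
    """Follow from/to entries across whatever logs are pooled together."""
    by_hop = {e["hop"]: e for e in logs}
    entry = next(e for e in logs if e["from"] == sender)
    while entry["to"] in by_hop:
        entry = by_hop[entry["to"]]
    return entry["to"]

if __name__ == "__main__":
    body, logs = send(SENDER, RECIPIENT, b"meet at noon", ROUTE, KEYS)
    for entry in logs:
        print(entry)
    print("all logs pooled ->", trace(logs, SENDER))
    print("without remailer2's log ->", trace(logs[:1] + logs[2:], SENDER))
```

No single log entry names both endpoints, but the pooled logs of every hop lead from sender to recipient, so the design relies on at least one remailer in the route keeping its log to itself. Each stripped layer also makes the blob smaller, which padding to a fixed size would hide.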
One possibility would be extending sendmail. If sendmail.org added a secure version of the various protocols (using the (almost) newly expired RSA public-key system), it would be invisible to the user.
I suppose one could have SMTP report if it supports the new protocol (SHLO to go along with EHLO/HELO?), and if wherever the mail is being sent does, you could use an extended set of commands to request a public key (KREQ?) from the server, send a session key (SKEY), and encrypt the remainder of the session.
Since sendmail is nearly ubiquitous, they could define the protocol however they pleased, publish it as an RFC per the usual routes, and have a de facto standard. One could (should) do the same thing with http, IMHO. Of course that would be up to the W3C.
Unfortunately encrypting the content of SMTP transfers/http doesn't protect against traffic analysis. Oh well...
With steganography you are hiding the fact of encryption.
You can have the strongest encryption in the world, and it will not protect you from a subpoena for the (private) key.
Security through obscurity isn't "bad" any more than lemurs are "bad".
When security through obscurity interferes with the verification and validation of an algorithm, that will make the algorithm weaker. That could be considered bad.
When you think you are hiding information and you are not, that could be considered bad. The link that I gave is to a steganography program that helps to hide the fact of steganography from steganographic analysis.
I should, and do, use a lock on my safe that is so good that I can put that safe on a street corner, complete with a diagram of the lock, and no one can get into it.
But I think I'll put that safe (with that same strong lock) in my house, instead. Maybe behind a portrait.
Thank you for not thinking.
The idea that the FBI can scan E-mails as they enter or leave your ISP sounds scary at first, but what you have to remember is that you are not a criminal.
Sure that's how it starts, but I challenge you to find a time in modern history where power DIDN'T corrupt. It's not a matter of if, it's a matter of when they begin to use this to go after political dissidents and anyone else they don't like.
Finkployd
And they use the magic words "drugs" and "terrorism", so anything they do is ok. Really.
"'National security': the root password to the [United States] Constitution." - Phil Karn
PGP is okay, but I'm moderately certain the NSA can crack it fairly quickly. Don't know about the FBI.
Really? Care to say how? Do you mean a backdoor in the program (the source is available) or a problem with the encryption algorithms? Are you a mathematician? Do you think the NSA has managed to prove that factoring isn't NP (which would be quite an accomplishment, esp. for a government organization)? Or, maybe, you mean that they've managed to prove that problems in NP can be solved more quickly (which would be the greatest mathematical achievement in decades). Truth is, if factoring cannot be solved in less than polynomial time, no organization, no matter how many mathematicians they employ, is going to be able to crack PGP fairly quickly.
You're right about the social engineering part, though.
So you've never done or said anything in your life that wasn't politically correct? Even back before there was a concept of politically correct? Never told or laughed at a blonde joke? I hope you never plan to run for office, then - I guess you wouldn't get your vote.
The public will just have to continue to evaluate candidates on the same basis that we evaluate each other - based on what they say and what they do in public. You have no right to anyone's private communications, and without a court order neither does the government.
Your right to not believe: Americans United for Separation of Church and
So, if anyone finds or guesses the list of people the FBI listens for, cc: them and/or spoof them in every email you send. Add a few extra X-headers to trip it up. It'll fit nicely with the X-Jam-Echelon header, and will in fact maybe even be synergistic.
Returned Peace Corps IT Volunteer
It's always nice to know that the FBI has given up on plantae and is only going for animalia now. I mean, with all the decision involved before, they had to choose if they wanted greens or blood!
I wonder if I'm meat or celery to them . . .
-Leo
Hmm, if we open up our lives and give away privacy, we can exchange it for security!
I think it was Winston Churchill who said, "He who would give up privacy for security deserves neither." How about that?
-Leo
:-)
cpeterso
True, but at least it's a bit more controlled than right now while still working transparently for the user. Of course a long term solution for email is to build encryption into the mail protocol.
But the thing I was trying to show is that the way we currently deal with networking is unsafe. TCP deals with reliable point to point connections, but these connections are unsafe. It leaves it to applications on top of it to deal with encryption and most applications don't do this. I would like to see encryption pushed down in such a way that it works transparently for applications. E.g. if I'm chatting through ICQ with a friend, the connection used by the two clients would be automatically encrypted.
Jilles
[Retrieve hammer from hardware store]
Speak these words: "Steganography equals security by obscurity."
[Inflict one wound to torso with hammer]
Speak these words: "Security by obscurity is bad."
[Inflict one wound to torso with hammer]
Speak these words: "The encryption I use should be so strong that I should be able to give encrypted copies of my deepest, darkest secrets to anyone that asks for them, provide them with the software I used to encrypt it along with a whitepaper describing how my encryption method works, teach them how to use it, and be confident that they won't be able to read that document."
[Pin 1st place ribbon on chest; you've won!]
Just one interesting side point to #2.
IIRC, the US Government is the single biggest employer of Mathematicians worldwide.
Care to guess how many of those are doing crypto?
-- IANAEG - I am not an elder god.
I enjoy comments such as yours, as it gives me an opportunity to trot out one of my favorite quotes:
According to you, we in the USA no longer need the 1st, 2nd, 4th or 5th amendments. Why should the FBI (or any LEO) be burdened by having to go to a court for a search warrant? Surely, if you have nothing to hide, you have nothing to fear if they show up and ask to inspect your residence. And why shouldn't criminals be made to testify against themselves???
Oh, yeah, I'm sure I'm gonna trust 'em to be honest. They wouldn't break any laws, like allowing the White House access to background check files of potential political foes. They wouldn't plant evidence, or give false testimony (hey to the L.A. PD!), nor do anything unjust! No, never!
James
How about last post??
-russ
Don't piss off The Angry Economist
You have no clue. Cryptographers are quite certain that 1024-bit keys generate uncrackable crypto. 512 they're less certain about.
-russ
Don't piss off The Angry Economist
At the surface, it seems like they should be able to brute force it consistent with the court order for the wire tap. Just out of curiosity, though, what about the DMCA's protections on decoding encrypted information?
To wit: From Jack Valenti's, MPAA Chairman, deposition:
Q: You said any use of DVD that involves copying is illegal. Is that right?
A: I think what I said was, any time you circumvent encryption according to the DMCA you're violating the law. That's what I said.
It seems to me, if DMCA is used that broadly, couldn't it be used to argue against the FBI decrypting email communication?
Just a thought.
Someone wrote:
And then Kahuna wrote back:
That's true... if the FBI is interested in a criminal prosecution. As far as I know, but I am not a lawyer nor particularly knowledgeable in the area, the Exclusionary Rule (legal precedent that says you can't use tainted evidence in court) is the only significant disincentive for an illegal search.
If the FBI or other law enforcement agency is more interested in simply harassing, intimidating, or embarrassing a target, then the Exclusionary Rule has no practical effect.
I just saw Guilty by Suspicion on video the other night. True story, McCarthy era: film director harassed by FBI agents, blacklisted because he wouldn't testify that his friends were Communists.
Our protagonist in the movie (Robert DeNiro) was investigated and bullied on suspicion of something that isn't (and wasn't) even illegal. The only prosecutions coming out of the McCarthy investigations were for perjury and contempt of Congress, against people who either wouldn't talk to the HUAC or who were caught lying to it. Nobody was convicted of merely being a Party member. But that didn't stop the FBI and the HUAC from carrying out their dirty tricks. And the FBI couldn't be challenged under the Exclusionary Rule because they weren't presenting evidence at trial.
Yes, it would be extremely difficult or impossible for law enforcement to use evidence inappropriately gathered by Carnivore in a criminal trial--they really do have to follow the rules there. But it would be relatively easy to use Carnivore or a similar device to gather information for other purposes, given just a little cooperation from ISPs.
I honestly don't think harassment or intimidation is the primary purpose of Carnivore. It actually seems pretty mild compared to other more intrusive and less targeted means of investigation. But don't assume that the Fourth Amendment will protect you outside of a criminal courtroom!
Oh, I absolutely agree! The FBI proposes to commit a crime (violation of the Fourth Amendment), and in fact has thereby already committed a crime (conspiracy to deprive citizens of civil rights under color of law). They must be stopped. QED.
/. If the government wants us to respect the law, it should set a better example.
That is what I expect. That's how it's supposed to be. But is it that way in practice? Is it that way 95% of the time? What about the other 5%?
At least in paranoia, you could send your clones off to the termination center and hide out for a while. In real life, there's only one you.
:-)
I think it's getting to the point where the cost of "protection" (or the illusion thereof) is that we have a government that is going to get worse than the crime was to start with.
Well, screw the FBI. I'm going to go smoke a bowl and clean my machine gun.
--- "So THAT's what an invisible barrier looks like!" - Time Bandits
Um, everything's an argument for better encryption to /. readers isn't it? I resort to the oldest argument against encryption: if YOU aren't doing anything wrong, why do you care if THEY read your emails? Take, for instance, the emails I wrote this morning. If the FBI wants to hear about how drunk I got over the weekend, I'm sure they'll enjoy these little tidbits of information. If, however, they're looking for stories about people planning a nationwide terror campaign, I'm sure they'll realize they read the wrong email within a few seconds, and most likely delete it.
Because it's none of their damn business. They have no need to know and hence shouldn't be looking. If they are going to look anyways then I'm going to find a way to stop them. And I'm going to do it because it's my RIGHT as a human being not to have every detail of my private life examined by some government thug to be sure it meets with his approval.
Kintanon
Check out JoshJitsu.info for Brazilian Ji
The dire warnings seem overstated considering what is already accepted practice. They just pull the suspect's emails in question prior to searching. Omnivore sounds like it was open to abuse and if that was deployed it should never have been, it's like wire tapping a small town to get evidence on one individual. Carnivore sounds like a right minded attempt to restrict scanning to the suspect's account.
So what's new?
They still need a court order and they could always tap the suspect's phone any time as things stand. This just lets them tap an account that might be moving on a dial in from different locations. The whole system has always been built on trust and controlled by the fact that any abuse of the system won't pass muster as evidence in court anyway.
So, if a Judge let them deploy Omnivore it sounds like there's a need for some legislation to prevent this sort of dragnet approach in future but the Carnivore system is exactly the kind of thing I'd expect the FBI to be getting up to, why is everyone so surprised? The intention of developing Carnivore as a discriminating filter seems to be a move in the right direction IF it only traps and searches the email of the suspect, and that's the whole point of the newer system.
Move along folks, there's nothing to see here.
This is outrageous. The FBI admits this is nothing more than a glorified sniffer. And, we all know a sniffer grabs plaintext passwords which many systems/services use. Looks like it's time to start watching my login records a little more closely.
The analogy used was "It's the electronic equivalent of listening to everybody's phone calls to see if it's the phone call you should be monitoring." Actually, I'd say it's more analogous to having a bug in every home that uses that network. Considering that e-mail communications originating from one private residence destined for another private residence would qualify for some privacy protection, I would offer that placement of the "Carnivore" on a public wire steps way over the bounds of legitimate surveillance jurisdiction.
I guess what shocks me the most is that they actually demonstrated this technology. They expect buy-in?
Of course, there's always encryption....
Linux rocks!!! www.dedserius.com
VB != VisualBasic
Well if you're not encrypting your mail, it's like sending out only postcards. If you wanted things private, you would put your message in a nice envelope and mail it that way...
Email isn't really all that different, it just seems that we all expect our postcards to be completely private.
"The FBI defends Carnivore as more precise than Internet wiretap methods used in the past. The bureau says the system allows investigators to tailor an intercept operation so they can pluck only the digital traffic of one person from among the stream of millions of other messages. An earlier version, aptly code-named Omnivore, could suck in as much as six gigabytes of data every hour, but in a less discriminating fashion."
This sounds like it is indeed meant for targeting specific suspects, after having obtained the legal permission to do so. Is it open to potential abuse? Certainly - but aren't unencrypted internet data transmissions open to snooping anyway? This just sounds like a high-powered info-sifter...
Stop by my site where I write about ERP systems & more
> Because I'm not paranoid?
Perhaps because you ignore history? I would submit that the entire history of the human race is the history of power abused by individuals.
Do we forget that the FBI is the same organization that has abused its powers in the past? Would you consider it part of the FBI's job to forge letters to heads of the Mafia and heads of the US Communist party in attempts to literally provoke the two organisations to violence against each other? Well they did it! I have seen the declassified papers on it!
(www.thesmokinggun.com - an archive of files obtained under the FOIA)
Furthermore....what they CLAIM to want is EASILY obtainable without "Carnivore". It would be TRIVIAL for an ISP to set up their mail server to blindly send copies of all messages and ONLY messages to and from the person being monitored to the FBI system...instead they insist on having THEIR box process EVERYONE'S messages.
If Carnivore was the ONLY way to do the job, that would be one thing. The fact is, it isn't. In fact it's the MOST intrusive method possible. It means THEY are sorting through data that they have NO right to access, in order to get at the data they do have the right to.
"I opened my eyes, and everything went dark again"
> Funny isn't it? Everyone gets their panties in a
> wad about the government getting warrants to
> check your email, but you flat out say that
> ISPs could redirect and read your email without
> anyone knowing, and no one cares?
I care...unfortunately it's unavoidable. It's the way that email was implemented, there is no way to stop an eavesdropper on that level.
My point was simply that they can get exactly the information they CLAIM to want, yet they seem to be insisting on a MORE intrusive system where the ONLY protection against them accessing more data than they "should" is, well, them.
Why would they insist on this, when they can get the SAME data through LESS intrusive channels?
Do I trust my ISP more than the Federal Government? Only because I have no other choice, short of convincing everyone I know to use PGP (fat chance that).
My ONLY objection, in the context of this discussion, is that this system can be abused by the FBI, with, essentially, no oversight. Using the ISP system to divert mail would require complicity between ISP and FBI to be abused...and that at least marginally raises the bar.
FBI agents are human beings. Human beings sometimes do bad things, even with the best intentions. As such, there must always be some level of protection in place to limit the damage that they can do.
Again...what I am suggesting is a truly trivial difference, if they are truly only doing what they claim to be doing. However it protects the people at large, if their intentions are other than their claims. Seems like a win all around (unless of course you're an FBI agent who wants to abuse your carnivorous machine)
"I opened my eyes, and everything went dark again"
To extend your analogy better....
What they are doing is going to the post office and saying "There is a person in this city who we are investigating. We have a warrant that lets us read his mail before it gets to him." (assuming that's possible - remember this is an analogy)
Then demanding that the Post office turn over ALL mail that comes to the post office to the FBI and let the FBI sort out this person's mail from the rest.
They aren't opening the letters per se...(tho in the case of email the distinction is blurred as the envelope doesn't conceal the contents) but demanding to look at "ALL" envelopes and make their own determination as to what they have access to.
"I opened my eyes, and everything went dark again"
The idea that grepping through piles of cached email for 'bomb', 'allah' and 'president' would be at all helpful to the FBI is ludicrous. Actual plans for terror campaigns are usually communicated something like:
From: susie777@hotmail.com (** ACTUALLY Brian O'Connor **)
Subject: Party! (** ACTUALLY Bombing of British Consulate **)
Hey girls(** ACTUALLY Fellow members of IRA splinter group **)! The party (** ACTUALLY attack preparation meeting **) is at Sheila's (** ACTUALLY Sean's **) on Saturday (** ACTUALLY Monday **). I'm bringing chairs (** ACTUALLY bomb material **) and Cindy (** ACTUALLY Michael **) is bringing hats and cake (** ACTUALLY automatic weapons and the map **). See you there!
Susie
If the FBI wants to read my e-mail, no problem. All I ask is that they have an agent click on my All-Advantage referrer link. They could then use their accounts to help subsidize the project.
Molog
So Linus, what are we doing tonight?
So Linus, what are we going to do tonight?
The same thing we do every night Tux. Try to take over the world!
If they have a warrant to collect emails to/from a specific person, fine. If they don't have a warrant, any evidence collected is inadmissible in court.
Gonzo
Why don't you learn what you're talking about before throwing accusations like that around, and if you're going to accuse people, have the guts to do it with your name attached.
Salocin.com
Burris
But it can't do that. I mean, it won't just "notice" them. It's a computer. If its purpose was to scan for drug references in all emails, they could do that, but it would have to be on purpose. They couldn't use the "plain sight" defense to validate the evidence, because it requires an extra deliberate step to gather. You can't get a warrant based on evidence that you should have needed a warrant to get. It taints the process all the way down the line.
-Kahuna Burger
...will work for Chick tracts...
OK, breathe deeply. Now let's think about this. Why was the fourth amendment introduced in the first place? There were no phones, there wasn't even much of a postal service yet. But there were homes and doors and people capable of breaking them down to search your home. And there were police who might hear that you were seen leading a little kid into your home just before he was reported missing, and they might want to search your home. So we have the means to search your home and people who would want to. What do we do? We write an amendment that says they can't do it unreasonably and a bunch of laws laying out a "reasonable" procedure.
Now the present. We have something besides your home, the internet, which people may want to search. We have ways for them to search it. And we still have an amendment and a bunch of laws that say when and how they can do it. The existence of wiretap orders for other people who have given law enforcement enough justification to get a warrant, has nothing to do with your 4th amendment rights, because they aren't searching and seizing you! As we understand Carnivore and are discussing it, no one is spying on you.
Jon had it exactly right. As long as the FBI has the right and in fact the duty to obtain search or wiretap warrants, they will expand those rights into new forms of communication. It no more invades your rights than a legal, warranted search of your neighbor does.
-Kahuna Burger
PS, some people have expressed distrust at the number of internet wire tap orders obtained. But I'd be a lot more worried if they weren't getting any. Their going through the warrant process indicates that those warrants are necessary, indicates that they are working within the system. Not perfectly, but it's an indication that internet wiretapping is being taken as seriously as phone tapping. And that's what we want, right?
...will work for Chick tracts...
And one more time, they aren't reading the email of anyone except those who are on the Carnivore tapes when they pull them. Saying otherwise is kinda like claiming that if I listen to police traffic on a scanner I am in fact listening to all my neighbors' cell phone calls because the equipment I have hears all of them, not just what I'm tuned in on. Or that if I search DejaNews for "the keeper" I'm also performing an inappropriate background check of my potential employees by looking for their email addresses on porn, gay and alternative lifestyle newsgroups. Because, hey, that info is being scanned by the same program that gives me back my search results.
Paranoia is one of the many reasons I don't vote libertarian. I keep one of the others in my wallet.
-Kahuna Burger
...will work for Chick tracts...
I'd say no. The article was perfectly clear. The idea is to get messages for people/accounts on which there is a warrant. The computer sifts the data for those messages, and only saves those ones. The people whose messages are analysed by the computer but not saved, not read, not noted, have suffered no invasion of their privacy.
Look at it this way. What if the police were snooping on conversations over short wave radio by tuning to the frequency of the people they were interested in. Could you seriously say that every person in the area using a short wave radio had had their privacy invaded because the radio equipment used at some level received every signal, even though the police only heard and recorded one? It's just as silly to claim that they are "invading" anyone's privacy but the person whose messages they actually read when they download the Carnivore files.
People who have a problem with the ability of law enforcement to get warrants for wiretaps should just say so. But when everything turns into some "Big Brother" paranoia rant, it just diminishes your credibility when you try to alert people to a real problem.
Heh, story of SlashDot : The Hacker Who Cried 'Big Brother'
-Kahuna Burger
...will work for Chick tracts...
Are you not trusting the FBI, or not trusting the technology? The entire point of the system is that the FBI isn't just browsing through and deciding to take your messages. "They" aren't doing the sorting, no individual is going to say "hey! I know we just had a warrant for guy X but a line in guy Y's email caught my eye and I think we should look into it!" In fact, that is exactly what this system is meant to avoid. Get it? The entire point of Carnivore is to 1) save man hours, and 2) avoid invading the privacy of people who aren't covered by the warrant.
Why is this bad? Given the existence of wiretapping warrants that can be applied to electronic communications, how can you guys possibly object to a technological solution to decrease the human instinct to notice things other than what they are looking for. Computers don't see anything except what they're looking for. Have you ever done a web search for breed rescues and had your computer say "Hey, this isn't related, but there's a kinda neat article over on Slashdot about overclocking."? No? Me neither. But I regularly browse the "new titles" section of the library for one topic and end up with an interesting book on something else. If you are concerned about law enforcement exceeding their warrant, you should be celebrating Carnivore.
If, on the other hand, you just salivate like Pavlov's dogs at the words "wiretapping" and "messages", Carnivore would be a bad thing by definition.
-Kahuna Burger
...will work for Chick tracts...
I have to interpret as humor any post that claims that warrants are difficult to get. Clearly you have never worked in law enforcement or in the legal field. The system has been warped to make it easier and easier, and the common-law created by the conservative S.Ct. has admitted evidence obtained through clearly improper police procedure under the "good faith" exception. Even Miranda was under attack, and will be overturned if the next president to seat a Justice is Republican. Doubt me? Read Scalia's writings some time. If you want to see how 'carnivore' will be abused, look at the L.A. scandals, and recall that the statistics hold that for every prosecuted instance of police misconduct, at least 100 other instances are successfully covered up. I have great respect and gratitude for many of the police officers patrolling the streets, but nothing but contempt and scouring anger toward those who abuse their power. And it goes without saying that this system will be abused, as every other police power is eventually abused. The question is always, do we want to accept that abuse in favor of the criminal activity it will stop? Do we want to accept that this will be used to spy on ex-wives, on political foes? What if it is the only way to stop a virologist version of the Unabomber?
G. Gordon Liddy was once a prosecutor. Do you think he would blanch at faking a warrant if he felt that he was fighting a just cause? Have you seen the enemies lists he compiled for Nixon, with recommendations of assassination? Don't fool yourself into thinking that it is always rational, good-hearted people running the show. And whatever your politics, remember that the other side will occasionally have control of this mechanism, and will use it with the same fervor as a Gordon Liddy or James Carville - pick your villain.
Marcus Thomas, chief of the FBI's Cyber Technology Section at Quantico, said Carnivore represents the bureau's effort to keep abreast of rapid changes in Internet communications while still meeting the rigid demands of federal wiretapping statutes. "This is just a very specialized sniffer," he said.
He also noted that criminal and civil penalties prohibit the bureau from placing unauthorized wiretaps, and any information gleaned in those types of criminal cases would be thrown out of court. Typical Internet wiretaps last around 45 days, after which the FBI removes the equipment. Mr. Thomas said the bureau usually has as many as 20 Carnivore systems on hand, "just in case."
Mr. Thomas is entirely correct --- Carnivore is just a very complicated sniffer. And while privacy advocates are correct --- the government COULD sniff anyone. But the government COULD also wiretap anyone. The rule of law is what prevents that. The FBI can pay through the nose if they get caught making illegal wiretaps.
The Carnivore system is perfectly consistent with the current laws and norms on government surveillance. To question Carnivore but allow for regular wiretaps is, in my opinion, an indefensible viewpoint.
While it's true that it's easy to forge email on the internet, that's not where the billg mail came from in the Microsoft case. In that case, the email was from Microsoft's internal email system. It had been turned over to the government as part of the pre-trial discovery phase, which is basically when the lawyers for the two sides are allowed to demand that the other side turn over information that might be relevant to the case.
Furthermore, the emails weren't just random mails from billg to the rest of the world. They were part of multiparty email correspondence on particular issues. IOW for Gates to disavow the emails, he would have had to claim that someone was not only forging his name but was also intercepting his personal emails and forging a conversation on his behalf. Not only that, but they were doing so not on some leaky internet system but on Microsoft's presumably secure internal system, and that the other people he was corresponding with, who presumably encountered him at least occasionally in person, never brought up the topic of the emails in non-email conversation so that the forgery never came to light. That claim would be so obviously bogus that all it would do is damage Gates's credibility as a witness and not impeach the credibility of the email at all.
There's no point in questioning authority if you aren't going to listen to the answers.
Yes, and written letters are just bits of ink on pieces of paper, but using them is quite common in legal circles. Fairly reasonably, if I ask you for your records and I find something incriminating in them (and bear in mind that you also have to provide copies to the court, so I can't change them and claim that they're original) it should be your burden to prove that the incriminating comments were forged, rather than mine to prove that they're genuine! If anything, people should be suspicious if they show something unusually exculpatory, since you're far more likely to modify them in a way that reflects well on you than to forge records that incriminate you. In any case, IIRC these aren't emails from Gates's desktop machine; they're from the corporate email archive.
Getting back to something closer to the article that triggered the discussion, the FBI isn't talking about either of these things. They're talking about intercepting email in transit, so my original interpretation of the more conventional approach to header forging is more of what the FBI would be interested in. In this case, though, the FBI's tap is actually less likely to be forged than a random email, since they're going to be tapping his immediate upstream connection, so a forger would need to insert their forgeries exactly there rather than at any random point in the network. As for the FBI being able to forge the email, they could potentially do that no matter what system you used, so you're going to have to trust them to be honest in any case.
One interesting aspect of this is that it suggests that if you're a criminal you shouldn't PGP sign your incriminating emails. If they're PGP signed, it provides the FBI with excellent evidence to use in court that they're not forged; unsurprising since proving authenticity is the intent of signing them. If they're unsigned, though, it'll be a lot easier to claim that the FBI forged them. You can probably enhance the effect by signing all of your non-incriminating emails (which you figure that even the most hardened criminal would have) so that you can intimate that the FBI forged the incriminating ones but were unable to forge the signature since they didn't have your private key.
There's no point in questioning authority if you aren't going to listen to the answers.
After all they search for words like "assassinate", "bomb", and "president"...
;)
They don't actually look for words like "make", "money" and "fast" or even "buy", "cheap" and "toner"...
...and they certainly wouldn't be looking for words like "XXX", "asian", and "sluts"... or would they?
BlackNova Traders
PGP is the answer
Why should electronic communication be legally less protected than telephone communication?
I'll do ya one better. Why shouldn't a letter sent via electronic means not enjoy the same protections as a letter sent by the post office? Correct me if I'm wrong here, but tapping into a phone line isn't a federal offense, whereas opening someone's postal mail most certainly is.
This is NOT wiretapping folks. This is the process of ripping open your sealed envelopes. Worse yet, it rips all of them open with only a flimsy promise to only look at the letters in question. The FBI does not have a great track record for being trusted to abide by only playing by the rules of a search warrant.
The really amazing thing is, America's founding fathers saw this very thing coming. The 4th amendment was not an afterthought. It was put in to deliberately undermine tyranny within the nation they were building.
The line must be drawn here. This far. No further.
Umm I've travelled fairly extensively in Europe and I live here too and I've never actually seen one of these phones.
:)
Certainly they do exist but they are about the size of a suitcase, cost thousands of dollars + several dollars a minute in calls.
Personally I've never seen cell networks like the ones in Finland and Estonia.
Finland deserves credit because I've travelled up north into the country and still get a better reception with a UK cellphone than I get in my apartment in central Edinburgh. Not to mention that they have boosters every few metres along the subways so you aren't ever out of touch, and cells on every single goddam rock that sticks out of the sea too.
Estonia on the other hand deserves equal amounts of credit for developing a network to rival the UK ones and yet only 10 years ago they were part of the USSR and the rate of growth there is just mindblowing.
At the end of the day we all know that they almost certainly can't crack PGP encrypted stuff... except that I only started using PGP for vaguely sensitive mail when I first heard about the Echelon system.
I was always aware that my comms could be intercepted and certainly running a packet sniffer on a network brings in some interesting stuff, but I never really considered it was practical to filter all online traffic in that manner.
The govt having come forward and said "Guess what? We're already doing it!!" probably does about the same good for PGP usage as handing out $10 bills with every download.
It really is a shame that the bulk of the public don't understand the reasons why encryption is a good thing. Sadly the conventional press tend to see it more as a system for protecting criminals rather than free speech, and popularist public opinion is against PGP.
It does not matter what the FBI says, they may not do this and be in compliance with our Constitution.
Let your representatives know that you don't want the Constitution ignored, or vote for a candidate that will demand that the government complies.
Look for a candidate at the Libertarian Party home page.
Topher
Got Freedom?
While I'm just as concerned over privacy issues as the next person, I just want to address one point here. In the article, Mark Rasch, a former federal computer-crimes prosecutor says "It's the electronic equivalent of listening to everybody's phone calls to see if it's the phone call you should be monitoring."
I disagree -- I think it's more like opening a telephone junction box to see which line you should be tapping. With that box open you have the potential of tapping all those lines, but you just tap the one. The computer may be monitoring all the traffic, but obviously it has no understanding of what it's processing; if the system is used properly (and granted, that may be a big IF), it's only recording suspect traffic.
--
--
What? WHAT?!! Oh.
What is unnecessary paranoia?
When I was a kid, I hung with a lot of skins and punks. The Cops would shake us down every time they saw us.
It wasn't that they knew we were up to something (although yeah, sometimes we were... but no more than anyone else). I personally have never had a record, but the cops knew we were trouble, mostly because we were skins & punks. (And no, I was not a bigot.)
It is not a question of being a crook, it is a question of being perceived as an "unwanted element". We were an unwanted element.
I do not feel comfortable with the FBI (or anybody) with this kind of power. How long until they start shaking you down?
Yes I can not spell...Wait....for a second there I almost cared.
----
If the government has a technique that can decrease crime, prevent terrorism, and save lives, how can you be opposed to it?
The road to hell (or a police state) is paved with good intentions. IMHO the system being described violates our rights as defined under Search & Seizure. Without this right, law enforcement agencies would have the ability to choose a home, individual, auto, computer, etc at random in a quest to find illegal materials.
Imagine that your neighbor is an FBI agent and he doesn't like you very much. Now imagine that he could just walk right into your home without a warrant. Now think about the things in your home that may be illegal. An MP3, a dubbed VHS tape, a burned copy of a proprietary software CD, or even a Cuban cigar. This may sound like a far-fetched scenario to you, but this kind of stuff happened over two hundred years ago. British tax collectors would literally storm into homes to make sure that every bag of sugar or tea had the appropriate stamp on them. The only thing that keeps things like this from happening again are the Bill of Rights and the countless others who actually take them seriously and not for granted.
It's not possible to analyze all the data they could potentially retrieve. They have their hands full with the data they mean to find.
Maybe not right now, but oh the times they are a changing.
I see no reason for unnecessary paranoia.
I feel much safer already.
"The words of the prophets are written on the Slashdot walls."
from http://www-dse.doc.ic.ac.uk/~nd/surprise_97/journal/vol4/spb3
2.1 Heating up over lost information
A great deal of time has been spent on investigating whether quantum theory places any fundamental limits on computing machines. As a result, it is now believed that physics does not place any absolute limits on the speed, reliability or memory capacity of computing machines. One consideration that needs to be made however, concerns the information that may be 'lost' in a computation [23]. In order for a computer to run arbitrarily fast, its operation must be reversible (i.e. its inputs must be entirely deducible from its outputs). This is because irreversible computations involve a 'loss' of information which can be equated to a loss in heat, and thus the restricted ability of the system to dissipate heat will in turn limit the performance of the computer. An example of information being lost can be seen in an ordinary AND gate. An AND gate has two inputs and only one output, which means that in the process of moving from the input to the output of the gate, we lose one bit of information.
In 1976, Charles Bennett proved that it is possible to build a universal computer entirely from reversible gates, and that expressing a program in terms of primitive reversible operations does not significantly slow it down. A suitable universal and reversible gate with which we could build a computer is the Toffoli gate.
To read one person's e-mail, the FBI requires a separate machine in a locked cage co-located at the ISP. Why?
The FBI came forward asking for assistance in developing eavesdropping standards, when they have technical people in house who can do this sort of thing. Why broadcast the existence of this system?
Perhaps we are witnessing a schism between the FBI and other agencies. Imagine this:
You're an ISP. One day, you get a call from someone claiming to be a FBI agent and saying that they need to install a machine and eavesdropping equipment at your ISP to gather evidence for prosecution. Now, being a technically savvy person, you realize that most criminals that the FBI would be interested in don't write each other e-mail detailing their crimes. The few that do are mostly white-collar types who are involved in insider trading or some other form of high-dollar business crime. Reluctantly, you agree.
Agents with FBI credentials show up and install the machine. You have no way of knowing what it's grabbing, but you bite the bullet and hope for the best. Here's the kicker: the agents were installed by someone else--CIA, perhaps, or NSA--an agency whose charters explicitly forbid spying on US citizens inside US borders. They want the ability to spy on domestic citizens, so they set this up and pretend to be the FBI, hoping that ISPs will be so cowed by government agents that they won't follow up the matter.
The FBI gets wind of this somehow and spills the beans in an "accidentally-on-purpose" sort of way. The competing agency, whoever it is, is incensed by this and the FBI gets to reclaim its turf. Then, because the FBI is so clearly and visibly involved in this, they get to keep the machines, figure out how to get the data from them, and use them as if nothing were wrong. They have denied another agency a means of control.
Far-fetched, admittedly, but it is a possibility.
Still, I must say that I am saddened by the further erosion of our rights. What next? Radio collars?
www.alarmist.org
I like my privacy, and I want my government to respect it. I don't care for being watched all the time. I don't like being treated as a potential suspect. I don't like the entire "guilty until proven innocent" air that this entire mess has.
Does this decrease crime? Perhaps--only government officials will be authorized to harass and kill innocent people now. Does it save lives? Sure--if people are afraid to kill other people because the men with guns will kill anyone at the drop of a hat, it certainly will. Aren't a few lives lost to clerical errors worth that? Does it prevent terrorism? Absolutely not! It gives our government free license to act like armed hoodlums. Bullies with guns who can destroy lives on a whim.
Is your safety and that of your family worth so little?
I see no reason for unnecessary paranoia.
Nor do I. This isn't paranoia: it's a genuine, well-founded fear. There's nothing irrational about being afraid and distrustful of people who will pry into your private life just because it suits their fancy.
Fight the Power.
www.alarmist.org
In this brave new world of information, traditional agencies such as the FBI have to have some way of maintaining their ability to protect the people that they serve, that is you. And they can't do this by ignoring such a major new technology such as the Internet.
As much as we all love the net, I don't think that any of us can deny the fact that it does provide an easy to use and easy to conceal method for criminals and other dubious types to communicate, without regard for national laws or borders. As more and more people move online, the criminals will follow, and for the FBI to ignore this would be failing us in their duty.
The idea that the FBI can scan E-mails as they enter or leave your ISP sounds scary at first, but what you have to remember is that you are not a criminal. They're hardly going to want to read your E-mail about your trip to see your sister at BJU are they? It's not like there are people reading your personal mail, it's just a machine and can't make value judgements on what you write.
Unfortunately the massive growth of the net has meant that this sort of thing was inevitable and indeed necessary thanks to the kind of large-scale, global operations that the FBI is involved with. For them to not do this would be the wrong thing in this case, and it is a blow for criminals everywhere.
---
Jon E. Erikson
Jon Erikson, IT guru
The article says the technology has only been used 100 times, which leads me to believe it's reserved for big-time criminals.
If someone is a big enough fish to warrant [no pun intended] this, they're probably going to be using encryption anyway.
Browser? I barely know her!
Do they use Herbivore?
Sorry...I couldn't resist.
Browser? I barely know her!
PGP is okay, but I'm moderately certain the NSA can crack it fairly quickly. Don't know about the FBI.
;)
Keep in mind, the largest employer of mathematicians in the world is the NSA and that they are one of the largest computer buyers.
They have sealed documents written by Alan Turing way back around WWII and the suspicion is they are 2-10 years ahead of anyone in the "normal world" of encryption/decryption.
And as far as crypto goes, strong crypto is nice. But if you've ever read books on information security that covered the whole field, you'd realize a very small chapter would be devoted to crypto, and a very large chapter to organizational security because social engineering and dumpster diving are both far easier than cracking crypto in most cases. It's easier to pay a secretary $10K than to spend $100K cracking some crypto. And probably more effective to boot.
Frankly, I don't really care if CSE, CSIS, FBI, NSA, CIA, KKK, FSB, - whoever - reads my mail. They'll find the effort not worthwhile. That's the ultimate secret - just be slightly odd and mostly boring...
Tomb
Pleasure in the job puts perfection in the work.
There was never a genius without a tincture of madness.
Aris
Such a thing already exists.
HushMail
("apt-get install postfix-tls" if you use Debian.)
Take a look at RFC 2446 (Transport Layer Security) and RFC 2487 (SMTP Service Extension for Secure SMTP over TLS) for details.
For an implementation, look at postfix-tls:
Start with the postfix site and then the TLS site if you don't have the ability to apt-get source I guess.
Paraphrasing Robert Anton Wilson:
Imagine an authoritarian system as a pyramid with an eye on top (look at a dollar bill). Now, the guy at the top wants to control the people down below, but he has to rely on them for information. So he uses coercion to control them and extract information, but since fear of punishment, hate, and paranoia are driving the people below, they only say what will prevent punishment. The system reflects itself down the pyramid, and due to increasing ignorance, becomes brain dead over time.
It seems this is the way we're heading with cybersleuthing, techno-eavesdropping, lawyers throwing lawsuits round, etc. We're all paranoid as hell, everyone doesn't trust anyone, and there are more and more threats each day.
It appears the FBI is making yet another contribution to this. I wonder how this will be abused (and thus increase mistrust), how errors will be made (and thus increase mistrust), and how many bad precedents and angry reactions this will produce. I wonder how many lawsuits and court cases will result from their snooping.
In their quest to enforce laws, the FBI makes themselves that much harder to trust by being more invasive. Ironic that.
"The Sage treasures Unity and measures all things by it" - Lao Tzu
They have the carnivore sniff out any mime encoded JPGs containing an above average level of flesh tones.
These are then filtered out and despatched to agents' personal computers, saving them several hours a day in hunting for pr0n.
These extra hours are what will really give them the advantage combatting cyber-terrorism.
Sigh, the FBI does require a warrant to use Carnivore, and to top it off, it's _really_ hard to get. As for tossing extraneous data, it's the software that analyzes all the traffic, not humans. IANAFBIA, but from my experience, c-vore only _collects_ data on the target, agents don't even see the rest of the cruft.
Let's get off of our paranoid horses for a minute, and think about this rationally. Do you _really_ think that the FBI would waste the thousands of hours of manpower it would require to manually analyze just one hour's worth of unfiltered data? Even if they did see that metallica.MP3 file you e-mailed to your aunt, would they really care enough to note who you are? Of course not, they're after the sick-ass guy who brags about whipping pre-pubescent girls and rubbing salt in their wounds (trust me, I'm _not_ overstating this).
Besides, if you really need to overthrow the gov't (of course one day we will, history teaches us that) you'll just have to use encryption...
Think outside the... Hey, where'd the friggin' box go?
Now the FBI can read all my spam... god knows I don't wanna read that crap.
In the UK, there is a bill being passed that if the police etc. want to look at your encrypted data, you are required to supply the key. Failure to comply results in a jail sentence
(up to 10 years I think)
also, never be 100% sure that your encryption is safe, you never know quite what technology they've got....
{shhhhh... the froggies are asleep.}
spam-proofing?
.................................................
I've wondered about this one for a while.
In the MS v. DOJ thing, apparently they used a bunch of emails from Billy G. as evidence.
Admittedly, I didn't follow it all that closely (by the time I had first heard about it, I was sick of hearing about it), but why didn't he just say "I didn't write that."
It should be virtually impossible to prove that email was written by any particular person. I could set my "Real Name" to Bill Gates and send out an email, or if I really wanted to put effort into it I could even make it look like it really came from bgates@microsoft.com. It's not that hard to create a file with a certain set of text in it, so an email header that says "this is from person X" doesn't at all guarantee that it actually is.
I know what many of you will say: "But you can track its path through the mail servers, and if you're really thorough, you can pin it to an internal IP and MAC address and time of origin." Even that doesn't prove who was using that machine.
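The point raised in the comment above, shown as an added example that is not part of the original thread: every header except the Received line stamped by the recipient's own mail server is text the sending side typed. The sample message, the host names, the `trusted_mx` parameter and the "from X (Y [ip]) by Z" Received layout are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message. Only the first Received line was
# written by the recipient's own server; everything else came from the sender.
RAW = """\
Received: from mail.example.net (dialup-17.example.net [192.0.2.17])
\tby mx.recipient.example with SMTP id CONSTRUCTED1;
\tTue, 11 Jul 2000 09:14:02 -0400
Received: from exchange.microsoft.com (exchange.microsoft.com [198.51.100.5])
\tby mail.example.net with SMTP id CONSTRUCTED0;
\tTue, 11 Jul 2000 09:13:58 -0400
From: "Bill Gates" <bgates@microsoft.com>
To: someone@recipient.example
Subject: constructed sample
Date: Tue, 11 Jul 2000 09:13:50 -0400
Message-ID: <constructed-0001@microsoft.com>

Body text.
"""

# Common (not universal) layout: from HELO (reverse-dns [ip]) by receiving-host
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(value):
    """Return helo/rdns/ip/by for one Received header, or None if unparseable."""
    match = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header first
    return match.groupdict() if match else None


def registrable(host):
    """Last two DNS labels; a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess(raw, trusted_mx):
    """Separate what the message claims from what our own server recorded."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(addr.rpartition("@")[2]) if "@" in addr else ""

    received = msg.get_all("Received", [])
    # Only the topmost Received line can be ours; a line naming our MX further
    # down could have been typed by the sender like any other header.
    top = parse_received(received[0]) if received else None

    findings = []
    handoff_ip = None
    if top is None or top["by"].lower() != trusted_mx.lower():
        findings.append("top Received line was not written by our MX: "
                        "no header in this message is verifiable")
    else:
        handoff_ip = top["ip"]
        if registrable(top["rdns"]) != from_domain:
            findings.append(f"From claims {from_domain} but our MX took the "
                            f"message from {top['rdns']} [{top['ip']}]")
    return {
        "claimed_name": display,        # sender-controlled
        "claimed_address": addr,        # sender-controlled
        "handoff_ip": handoff_ip,       # recorded by our own server, if any
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in assess(RAW, "mx.recipient.example").items():
        print(f"{key}: {value}")
```

A mismatch is a signal rather than proof of forgery, since legitimate mail is often relayed through other domains, and a match still identifies a machine, not the person at its keyboard.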
Rather than using PGP, which is likely to get the undivided attention of any government agency, use steganography.
Take your plaintext, encrypt it, hide it in some of the least significant bits in an image, attach the image to an ordinary email, and off it goes!
Thank you for not thinking.
about wiretaps is this.....
.. well.. technically it wasn't a challenge. So.. in the course of their investigation, they could make a court order the phone company to let them listen.. because *it was something they were capable of already, without difficulty*.
Originally, you have this telephone system.
Then.. the feds (or whoever, law enforcement) says 'hey.. would it be possible for us to listen to someone's phone call?'
It was just evidence gathering.
Can anyone see how this is a world different than the feds saying 'you may not build a phone system unless we can wiretap it?'. It's a very different scenario. The first was simply evidence gathering based on what was available, the second is an actual attack on privacy, or, in other words, 'we forbid you from making a secure, private system'.
People.. everyone *must* start using encryption!
The scariest part of this is that people can, and frequently DO send e-mail from different places. Also, multiple people frequently use the same phone line. So consider these two situations:
It is very easy to forge e-mail. What's to stop someone from forging e-mail in the name of someone in two places? Nothing of course. What guarantee is there that the FBI will understand that they could easily get false data? None of course. Since we're already setting up classes of crimes for which "innocent until proven guilty" is no longer upheld (in practice), it won't be long until someone is convicted of a crime based upon what is fraudulent electronic evidence.
Of course it has probably happened already.
Personally I would like to see an offshore provider giving https based webmail. This would probably be a lot more accessible to end users than PGP currently is and would surely start to cause problems for the US & UK governments and their dodgy schemes for monitoring access.
In the UK I believe the police can now demand ISPs route certain customers' traffic through them and whilst I don't do anything that I'm particularly worried about online it's still not a very comforting thought.
I wonder if providing free encryption based web mail services would be something that HavenCo would be prepared to provide as a publicity stunt?
So I think that stories like this should be brought to a greater attention (read: Joe User should notice that). And we should get used to "sealing" our email with PGP like we're used to seal our envelopes.
One other nice thing about encrypted email is: your ISP couldn't be held responsible for anything you say. I'm responsible for what I say, and you are responsible for what you say, and not vice versa. And this should be true for everyone.
As long as PGP can't be decrypted, we can shrug our shoulders at stories like this.
You found a sword: +4 damage, +5 moderator points
The book "Applied Cryptography" looks at cracking a 256 bit key:
It starts by stating that to change a single bit in a processor, you would (according to the laws of thermodynamics) need an amount of energy no less than kT where T is the absolute temperature of the system, and k is the Boltzmann constant. If you run a computer at 3.2 degrees Kelvin, and with k being 1.38*10^-16 ergs/K, you would need 4.4*10^-16 ergs to set or clear a bit.
The sun releases about 1.12*10^41 ergs in a year, so if you could collect all the energy from it for 32 years (of course, Earth would soon become very cold and dead then), you could have your computer count up to 2^192, but you wouldn't have any energy left to do anything with the counter (such as cracking a key). A typical supernova releases about 10^51 ergs. If you collect all that energy, you could count up to 2^219.
The conclusion is that unless computers are built from something other than matter, and occupy something other than space, a brute force attack against a 256 bit key is not possible.
--
What? WHAT?!! Oh.
If the government has a technique that can decrease crime, prevent terrorism, and save lives, how can you be opposed to it?
Pol Pot and Ieng Sary had such highly successful techniques. Cambodia virtually had no crime. It also did not have any literate citizens left and had 25% of the population killed.
Hitler also had such a technique. The crime level in Nazi Germany was very low. There were almost no pedophiles left in Germany for example. So if brought now Hitler Germany would not have had any "child p0rn" problems as there were no consumers for "child p0rn" left. He simply treated them like the Jews. Actually Jews had higher survival rates than pedos and gays in Nazi Germany and Stalin USSR.
Stalin and his followers also had such a technique. The crime level in the ex-Eastern bloc was never as low as in Nazi Germany but it was mostly petty crime. Not shooting in the streets like now.
Are all these compelling reasons for us to restore any one of these? Clone them maybe?
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Coming from a Canadian point of view here....
..in the US.. it is now a crime to have a scanner that can listen in on cellular calls (let alone actually doing it). However.. when the same was proposed in Canada.. the CRTC said this:
.. ENCRYPT.
It has long been viewed in North America (though the US changed its law for some reason or other) that the public airwaves were just that; public. We regulated who could use what spectrum for what in order to make everybody happy. (if everyone fought, radio would be useless).
Then, one day.. along came the cellular telephone. Lo-and-behold, these phones used standard FM in their allocated bands. So.. people with radio scanners could listen to phone calls.
Now.
The airwaves are a public resource; they always have been and they always will be. The cellular providers had *NO REASONABLE EXPECTATION OF PRIVACY* for their calls. They were broadcasting in the clear.
Remember, regulation states who can broadcast, not who can listen.
So.. cellular providers deal with this up here by pushing digital.
How is the internet any different? You KNOW that you don't have control over your packets once they are out of your network. Perhaps your upstream has an agreement with you guaranteeing certain privacy.. but what about their upstream? What about everyone? By its nature, the internet is not a single resource, but a vast collection of networks all hooked together, covering every jurisdiction and ideology known to man.
Regardless of what the 'ignorant' public might think, there is *NO REASONABLE EXPECTATION* of privacy when putting packets on the internet, unless they are encrypted. Period.
I'm not saying the internet is a public resource, like the airwaves.... but you *know* you can't control where those packets go. So
When Congress enacts this sort of program, they always give it a name like "The Freedom of Infants and Children Act" or the "Prevention of Violence to Puppies Act" with a rider that slips in the big-brother grants of power.
The FBI, on the other hand, gives it a name that can't help but encourage visions of a government run-amok eating its citizens. Which, come to think of it, is not too far from the truth.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
This guy is right on the money. This isn't about targeting a suspect and confirming other evidence (as wiretapping is meant to be), but about trolling for suspects. Why should electronic communication be legally less protected than telephone communication?
I wouldn't much mind if this sort of thing required a warrant and if they were required to toss any data without a specific person's (or IP, at the outside) name/id on it. There's no need for this level of invasion. I also suspect, rather like the cybersensor filters, they're going to pick up more false hits than real crime, and wind up investigating and harassing uninvolved people.
Now here's an argument for better encryption.
-- I'm not evil, I'm
It's so double plus good to be alive and protected by the Ministry of the FBI!
----
warrant would reasonably limit privacy
invasions by any agency.
Until I found a website for an automated
search warrant request software package.
Like most of you, I don't do anything that anyone would be concerned about. I don't even keep copies of DeCss around, nor do I download Metallica songs. And after seeing the anonymous family photo with the cucumber, the dog and what appears to be a small cheerleading squad, I haven't much interest in downloading Pr0n. With caffeine as my only drug, I'm not exactly worried...
I even pay my parking tickets and cable bill.
What is scary is the website I found (there are at least three packages for this) detailing software designed for automating search warrant requests (probable cause, non?) and capable of processing over 1100 search warrant requests per hour!
I found these sites by accident while looking for information on search engine technology in 1996. I won't list the URLs, but you can find them. One site talked about how much faster it would be when electronic authorization (EDI) interaction became available.
Imagine how low the threshold of probable cause will slip once some eager programmer decides that online email profiling data can go immediately into the search warrant request software, returning approval in under thirty seconds.
There are no laws saying that e-mail, packet scans and IP traffic logs cannot be held indefinitely, or archived for the last 120 days. This didn't apply to telephone calls - while call logs could be accessed, recording the actual conversations required a warrant - so speech that occurred before the warrant was safe, or left as hearsay evidence. With digital archiving of all traffic, the landscape has changed.
In the future, search warrants will effectively be *retroactive* - and can contain complete records of what you've done for months.
For most people, privacy is seen as a way to hide indiscretions from general knowledge, or as a way to "get away" with crime. It isn't - that's a small quirk that can be handled through our current legal system.
Privacy is really the way that we guarantee our right to stay at arm's length from our government (well, at least the individuals in it) and our ability to disagree and express that disagreement (without fear of punitive retaliation) to those in power, be they government officials, Microsoft or the MPAA.
As long as we have that, everything else in a democracy can work. We don't really want a truly libertarian state (Been to Moscow lately?), but a democracy that embraces responsibility and liberty like RSM embraces pizza and ego.
So Get off your dead asses
and write those letters now!
snicker.
BTW, how does wiretapping interact with encrypted data? What if they tap the email and discover that it's all PGP'ed? Can they brute-force it?
FBI sources were quoted as saying that among the first people targeted would be the people who put random Echelon keywords in their .sigs. "They all thought they were clever" Michaels said, "but it was just lame and annoying, and only a few hundred people ever did it, so it wasn't even effective. We were sitting around drinking one night and were like 'What the shit, let's test this on those guys!' and we've been following them ever since. Mostly it's just a bunch of guys talking about beard trimmers and PGP, it's kind of depressing."
sig:
See the "..for smart people" banners Wired runs here? Look elsewhere guys.