Slashdot Mirror
FBI E-Mail Wiretaps - The Carnivore System
CharlieG writes "It seems the the FBI has been electronic wiretapping various e-mail accounts for a while now. First with a system called Omnivore, and now with a "More Selective" system called Carnivore. You can read about it on MSNBC.COM"
Such a thing already exists.
HushMail
("apt-get install postfix-tls" if you use Debian.)
Take a look at RFC 2446 (Transport Layer Security) and RFC 2487 (SMTP Service Extension for Secure SMTP over TLS) for details.
For an implementation, look at postfix-tls:
Start with the postfix site and then the TLS site if you don't have the ability to apt-get source I guess.
Further, damnit, I'm NOT a criminal, so I shouldn't be treated as one. This is a classic case of guilty until proven innocent.
Just because I'm not a criminal doesn't mean I want the gov't, or my next door neighbor, to be able to read my email. Of course, that's why I have a huge PGP key (check my userpage)...
I am a private citizen, and my personal life is no business of the government.
Returned Peace Corps IT Volunteer
Paraphrasing Robert Anton Wilson:
Imagine an authoritarian system as a pyramid with an eye on top (look at a dollar bill). Now, the guy at the top wants to control the people down below, but he has to rely on them for information. So he uses coercion to control them and extract information, but since fear of punishment, hate, and paranoia are driving the people below, they only say what will prevent punishment. The system reflects itself down the pyramid, and due to increasing ignorance, becomes brain dead over time.
It seems this is the way we're heading with cybersleuthing, techno-eavesdropping, lawyers throwing lawsuits round, etc. We're all paranoid as hell, everyone doesn't trust anyone, and there are more and more threats each day.
It appears the FBI is making yet another contribution to this. I wonder how this will be abused (and thus increase mistrust), how errors will be made (and thus increase mistrust), and how many bad precidents and angry reactions this will produce. I wonder how many lawsuits and court cases will result from their snooping.
In their quest to enforce laws, the FBI makes themselves that much harder to trust by being more invasive. Ironic that.
"The Sage treasures Unity and measures all things by it" - Lao Tzu
> This sounds like it is indeed meant for
> targeting specific suspects,
Well it deponds on how you wish to look at it really. Assuming its a given that they have the right to wiretap (I am putting aside the fact that I have major philosophical problems with law and law enforcement here)....they have the right to listen in on "data" (conversations email etc) comming from a known data source (victem er I mean bad guys phone) to gather evidence against him.
Their entire system sounds basically like a system that takes all the email in the system, applies a set of regexs to the headers and takes all email too and from there target.
Here is the problem I have. The "data source" is not a "known one". They are not listening to "His line" they are listening to the whole ISP. Even if its just a header grep...they have NO RIGHT to recieve and look through ANY data except that which comes from or two who they are looking at...even if it is JUST a gheader grep.
The difference may not seem important but it is. If they wiretap your phone line, they can't abuse that to listen to my conversations, unless I use your phone. In this case there is the possibility of abusing their "wiretap" on YOU to listen to MY email because I am on the same ISP as you.
if YOU are the target...they have NO right to have MY mail ever even TOUCH their system.
"I opened my eyes, and everything went dark again"
They have the carnivore sniff out any mime encoded JPGs containing an above average level of flesh tones.
These are then filtered out and despatched to agents personal computers, saving them several hours a day in hunting for pr0n.
These extra hours are what will really give them the advantage combatting cyber-terrorism.
Sigh, the FBI does rquire a warrant to use Carnivore, and to top it off, it's _really_ hard to get. As for tossing extraneous data, it's the software that analyzes all the traffic, not humans. IANAFBIA, but from my experience, c-vore only _collects_ data on the target, agents don't even see the rest of the cruft.
Let's get off of our parannoid horses for a minute, and think about this rationally. Do you _really_ think that the FBI would waste the thousands of hours of manpower it would require to manually analyze just one hour's worth of unfiltered data? Even if they did see that metallica.MP3 file you e-mailed to your aunt, would they really care enough to note who you are? Of course not, they're after the sick-ass guy who brags about whipping pre-pubescent girls and rubbing salt in their wounds (trust me, I'm _not_ overstating this).
Besides, if you really need to overthrow the gov't (of course one day we will, history teaches us that) you'll just have to use encryption...
Think outside the... Hey, where'd the friggin' box go?
Now the FBI can read all my spam... god knows I don't wanna read that crap.
in the UK, there is a bill being passed that if the police etc. wants to look at your encrypted data, you are required to supply the key. faliure to comply results in a jail sentence
(up to 10 years i think)
also, never be 100% sure that your encryption is safe, you never know quite what technology they've got....
{shhhhh... the froggies are asleep.}
spam-proofing?
.................................................
I've wondered about this one for a while.
In the MS v. DOJ thing, apparently they used a bunch of emails from Billy G. as evidence.
Admittedly, I didn't follow it all that closely, (by them time I had first heard about it, I was sick of hearing about it) but why didn't he just say "I didn't write that."
It should be virtually impossible to prove that email was written by any particular person. I could set my "Real Name" to Bill Gates and send out an email, or if I really wanted to put effort into it I could even make it look like it really came from bgates@microsoft.com. It's not that hard to create a file with a certain set of text in it, so an email header that says "this is from person X" doesn't at all guarantee that it actually is.
I know what many of you will say: "But you can track it's path through the mail servers, and if you're really thorough, you can pin it to an internal IP and MAC address and time of origin." Even that doesn't prove who was using that machine.
Rather than using PGP, which is likely to get the undevided attention of any government agency, use steganography.
Take your plaintext, encrypt it, hide it in some of the least signifigant bits in an image, attach the image to an ordinary email, and off it goes!
Thank you for not thinking.
about wiretaps is this.....
.. well.. technically it wasn't a challenge. So.. in the course of their investigation, they could make a court order the phone company to let them listen.. because *it was something they were capable of already, without difficulty*.
Originally, you have this telephone system.
Then.. the feds (or whoever, law enforcement) says 'hey.. would it be possible for us to listen to someone's phone call?'
It was just evidence gathering.
Can anyone see how this is a world different than the feds saying 'you may not build a phone system unless we can wiretap it?'. It's a very different scenario. The first was simply evidence gathering based on what was available, the second is an actual attack on privacy, or, in other words, 'we forbid you from making a secure, private system'.
People.. everyone *must* start using encryption!
The scariest part of this is that people can, and frequently DO send e-mail from different places. Also, multiple people frequently use the same phone line. So consider these two situations:
It is very easy to forge e-mail. What's to stop someone from forging e-mail in the name of someone in two places? Nothing of course. What guarantee is there that the FBI will understand that they could easy get false data? None of course. Since we're already setting up classes of crimes for which "innocent until proven guilty" is no longer upheld (in practice), it won't be long until someone is convicted of a crime based upon what is fraudulent electronic evidence.
Of course it has probably happened already.
Personally I would like to see an offshore provider giving https based webmail. This would probably be a lot more accesible to end users then PGP currently is and would surely start to cause problems for the US & UK governments and their dodgy schemes for monitoring access.
In the UK i believe the police can now demand ISPs route certain customers traffic through them and whilst I dont do anything that i'm particularly worried about online it's still not a very comforting thought.
I wonder if providing free encryption based web mail services would be something that havenco would be prepared to provide as a publicity stunt?
So I think that stories like this should be brought to a greater attention (read: Joe User should notice that). And we should get used to "sealing" our email with PGP like we're used to seal our envelopes.
One other nice thing about encrypted email is: your ISP couldn't be held responsible for anything you say. I'm responsible for what I say, and you are responsible for what you say, and not vice versa. And this should be true for everyone.
As long as PGP can't be decrypted, we can shrug our shoulders at stories like this.You found a sword: +4 damage, +5 moderator points
The book "Applied Cryptography" looks at cracking a 256 bit key:
It starts by stating that to change a single bit in a processor, you would (according to the laws of thermodynamics) need an amount of energy no less than kT where T is the absolute temperature of the system, and k is the Boltzman constant. If you run a computer at 3.2 degrees Kelvin, and with k being 1.38*10^-16 ergs/K, you would need 4.4*10^-16 ergs to set or clear a bit.
The sun releases about 1.12*10^41 ergs in a year, so if you could collect all the energy from it for 32 years (of course, Earth would soon become very cold and dead then), you could have a your computer count up to 2^192, but you wouldn't have any energy left to do anything with the counter (such as cracking a key). A typical supernova releases about 10^51 ergs. If you collect all that energy, you could count up to 2^219.
The conclusion is that unless computers are built from something other than matter, and occupy something other than space, a brute force attack against a 256 bit key is not possible.
--
--
What? WHAT?!! Oh.
If the government has a technique that can decrease crime, prevent terrorism, and save lives, how can you be opposed to it?
Pol Pot and Yeng Sari had such highly successful techniques. Cambodja virtually had no crime. It also did not have any literate cittizens left and had 25% of the population killed.
Hitler also had such technique. The crime level in Nazi germany was very low. There were almost no pedofils left in Germany for example. So if broght now Hitler Germany would not have had any "child p0rn" problems as there were no consumers for "chid p0rn" left. He simply treated them like the jews. Actually jews had higher survival rates than pedos and gay in Nazi Germany and Stalin USSR.
Stalin and his followers also had such technique. The crime level in the ex-eastern block was never asv low as in nazi germany but it was mostly petty crime. Not shooting in the streets like now.
Are all these compelling reasons for us to restore anyone of these? Clone them maybe?
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Coming from a Canadian point of view here....
.in the US.. it is now a crime to have a scanner that can listen in on cellular calls (let alone actually doing it). However.. when the same was proposed in canada.. the crtc said this:
.. ENCRYPT.
It has long been viewed in north america (though the US changed it's law for some reason or other) that the public airwaves were just that; public. We regulated who could use what spectrum for what in order to make everybody happy. (if everyone fought, radio would be useless).
Then, one day.. along came the cellular telephone. Lo-and-behold, these phones used standard FM in their allocated bands. So.. people with radio scanners could listen to phone calls.
Now.
The airwaves are a public resource; they always have been and they always will be. The celluular providers had *NO REASONABLE EXPECTATION OF PRIVACY* for their calls. They were broadcasting in the clear.
Remember, regulation states who can broadcast, not who can listen.
So.. cellular providers deal with this up here by pushing digital.
How is the internet any different? You KNOW that you don't have control over your packets once they are out of your network. Perhaps your upstream has an agreement wiht you guaranteeing certain privacy.. but what about their upstream? What about everyone? By it's nature, the internet is not a single resource, but a vast collection of networks all hooked together, covering every juristiction and idology known to man.
Regardless of what the 'ignorant' public might think, there is *NO REASONABLE EXPECTATION* of privacy when putting packets on the internet, unless they are encrypted. Period.
I'm not saying the itnernet is a public resource, like the airwaves.... but you *know* you can't control where those packets go. So
Nah, too cumbersom. I think the whole problem is that TCP connections are not private. With SSH you can scramble any connection. So, why not scramble the traffic between mailservers? While we're at it, why not compress the data as well. I think encryption has to be built in to the network and not just added on to it. Basically any trafic to and from a PC can be read right now, unless you specifically choose to encrypt it. I would like to have it the other way around. Anything from chat sessions to ftp to X sessions I want encrypted.
Jilles
When Congress enacts this sort of program, they always give it a name like "The Freedom of Infants and Children Act" or the "Prevention of Violence to Puppies Act" with a rider that slips in the big-brother grants of power.
The FBI, on the other hand, gives it a name that can't help but encourage visions of a government run-amok eating its citizens. Which, come to think of it, is not too far from the truth.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
This guy is right on the money. This isn't about targeting a suspect and confirming other evidence (as wiretapping is meant to be), but about trolling for suspects. Why should electronic communication be legally less protected than telephone communication?
I wouldn't much mind if this sort of thing required a warrant and if they were required to toss any data without a specific person's (or IP, at the outside) name/id on it. There's no need for this level of invasion. I also suspect, rather like the cybersensor filters, they're going to pick up more false hits than real crime, and wind up investigating and harassing uninvolved people.
Now here's an argument for better encryption.
-- I'm not evil, I'm
It's so double plus good to be alive and protected by the Ministry of the FBI!
----
Of course, they must have one.
...wait a sec...
*CLICK, CLICK*
There, my key is now 4096 bits, problem solved. ^_^
Seriously, I think PGP is too versatile to be cracked so easily. i.e. I have a 2048/1024 DH/DSS key with the CAST cypher, but I also have a 2048 bit RSA key with the IDEA cypher. You can also have custom key sizes, for example Will Price at PGP has a 4000 bit DH key.
Powerful and flexible.
I recommend looking up "PGPDisk." It's easier to use than the already dead-simple normal PGP. It creates a virtual disk volume that's encrypted, and can auto-unmount itself. It's good even when the PC crashes, too. (In tact, data saved until crash is still there when you reboot.)
...however I don't know if it's out for Linux.
warrant would reasonably limit privacy
invasions by any agency.
Until I found a website for an automated
search warrant request software package.
Like most of you, I don't do anything that anyone would be concerned about. I don't even keep copies of DeCss around, nor do I download metallica songs. And after seeing the anonymous family photo with the cucumber, the dog and what appears to be a small cheerleading squad, I haven't much interest in downloading Pr0n. With caffeine as my only drug, I'm not exactly worried...
I even pay my parking tickets and cable bill.
What is scary is the website I found (there are at least three packages for this)detailing software designed for automating search warrant requests (probable cause, non?) and capable of processing over 1100 search warrant requests per hour!
I found these sites by accident while looking for information on search engine technology in 1996. I won't list the URLS, but you can find them. One site talked about how much faster it would be when electronic authorization (EDI) interaction became available.
Imagine how low the threshold of probable cause will slip once some eager programmer decides that online email profiling data can go immediately into the search warrant request software, returning approval in under thirty seconds.
There are no laws saying that e-mail, packet scans and IP traffic logs cannot be held indefinately, or archived for the last 120 days. This didn't apply to telephone calls - while call logs could be accessed, recording the actual conversations required a warrant - so speech that occured before the warrant was safe, or left as hearsay evidence. With digital archiving of all traffic, the landscape has changed.
In the future, search warrants will effectively be *retroactive* - and can contain complete records of what you've done for months.
For most people, privacy is seen as a way to hide indiscretions from general knowledge, or as a way to "get away" with crime. It isn't - that's a small quirk that can be handled through our current legal system.
Privacy is really the way that we guarantee our right to stay at arm's length from our government (well, at least the individuals in it) and our ability to disagree and express that disagreement (without fear of punitive retaliation)to those in power, be they government officials, Microsoft or the MPAA.
As long as we have that, everything else in a democracy can work. We don't really want a truly libertarian state (Been to Moscow lately?), but a democracy that embraces responsibility and liberty like RSM embraces pizza and ego.
So Get off your dead asses
and write those letters now!
snicker.
BTW, how does wiretapping interact with encrypted data? What if they tap the email and discover that it's all PGP'ed? Can they brute-force it?
FBI sources were quoted as saying that among the first people targeted would be the people who put random Echelon keywords in their .sigs. "They all thought they were clever" Michaels said, "but it was just lame and annoying, and only a few hundred people ever did it, so it wasn't even effective. We were sitting around drinking one night and were like 'What the shit, let's test this on those guys!' and we've been following them ever since. Mostly it's just a bunch of guys talking about beard trimmers and PGP, it's kind of depressing."
sig:
See the "..for smart people" banners Wired runs here? Look elsewhere guys.