Slashdot Mirror
ACLU Files For Carnivore Info
Robert J. Berger writes: "A press release from the ACLU says they are using the Freedom of Information Act to seek all of the
codes, records, letters and memorandums related to the FBI programs dubbed 'Carnivore', 'Omnivore' and 'Etherpeek.' "The FBI is saying 'trust us, we're not violating anybody's privacy,"' said Barry Steinhardt, associate director of the ACLU. "With all due respect, we'd like to determine that for ourselves.""
EarthLink will do FBI's surveillances itself.
-- http://thegirlorthecar.com funny dating game for guys
Just skimming the Freedom of Information Act, one particular exemption catches my eye --
...would disclose techniques and procedures for law enforcement investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions if such disclosure could reasonably be expected to risk circumvention of the law
I'd think the FBI might make the case that if the design of the *vore systems shows WHAT it monitors -- how it selects such -- then this clause might apply. Certainly, this would seem to allow the FBI to refuse to describe *which* ISPs are being monitored... But then, I'm neither a lawyer nor a Fed.
Only the dead have seen the end of war.
Etherpeek is the name of a commercial packet sniffer/network analysis tool.
k ing-glass-you'll-hear-better?
I sense a lack of imagination where the naming of secrets is concerned. What's next: Operation Trashpicker or Operation Hold-your-ear-against-the-wall-Here-use-this-drin
I guess even spies get bored.
k.
--
"In spite of everything, I still believe that people
are really good at heart." - Anne Frank
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
However, they often return something just as useful, in that the government redacts the information returned "for security purposes." While redact means edit, in such cases it is effectively, black out with a wide felt-tip marker.
If SlashDot were redacted the way most "important" data received through FoI requests, it would appear like this:
Posted by ***** on *****
from the ***** dept.
***** writes: "A press release from the ***** says they are using the Freedom of Information Act to seek all of the ***** related to the ***** " The ***** is saying ' *****
[
I've lived in forign countries where the government owned all the land, took care of all the health care, (third world country so you can imagine what that was like) and could search homes or stop people without any reason at all.
I don't really believe that the government doesn't have our best interest in mind at least for the most part. There is no possible way the FBI could read all email, and I would go even farther to say there's no way they are going to get the software installed at all ISPs. There's dozens of Mom and Pa Internet shops that simply aren't going to do it. The FBI found a loophole where they can gather information a possibly catch criminals. I truely don't believe there's a consipiracy to label everyone as a bad guy.
Is what they are doing wrong? Yes I think so. Is it particulary dangerous to our freedom? Probably not, especially when compared to what goes on in some other countries. I'm glad the ACLU is stepping in but really what can they do about it? I'm sure that this sort of thing will still go on unless Congress opens an investigation and puts a stop to it. So if you are worried about the FBI reading your mail then encrypt it. Personally I have nothing to hide.
Never knock on Death's door:
The Anti-Blog
Anyone with any influence who disagrees with the government is going to be tracked, bugged, and if they're influential enough, eventually shot. No, it's not the Soviet Union, but it's a lot more oppressive than you'd like to think. The minute you speak out about the oppression, you start to find out exactly how close we are to fascism.
(I'll believe it when I see it).
The FBI is sharing information regarding Carnivore with industry at this time to assist them in their efforts to develop open standards for complying with wiretap requirements. The FBI did so two weeks ago, at the request of the Communications Assistance for Law Enforcement Act (CALEA) Implementation Section, at an industry standards meeting (the Joint Experts Meeting) which was set up in response to an FCC suggestion to develop standards for Internet interception. [1]
What's interesting in this case is the FBI's press department, and their use of the word 'industry'. Usually, one would assume that they are referring to the 'computer' industry, but here, apparently, they are refering to the 'law enforcement' industry. See the CALEA web site, and you'll understand...
-jerdenn
Dunno if this is all over the country, but PacBell sends us here in California a list of legal notifications to have your phone tapped. They include beeping every 10 or so seconds, a verbal notification, and others.
Email, of course, doesn't need any notification of saving the conversation if it is the send or receiving party that is doing it. But if there is a third party tapping your email line, they don't have to notify you. I'm curious if it is easier for the FBI to wiretap email than it is phone conversations, ie do they have to install remote hardware near the point of the tap for phone conversations?
-- Moondog
Right now the problem with encryption is two-fold:
1) PGP/GnuPG is still too complicated for an average computer user, not to mention Mom and Pop who just want to get their "internet experience".
2) Strong encryption doesn't come as a default option in any popular e-mail program that I know of. Intentional or not, this severely cuts down the number of potential encryption users from the start.
It isn't much.
My question, which was not covered on the Web site nor on any story I've read to date, is what the FBI expects of the ISP that has one of these things put on its site.
Perhaps a good Boardwatch article?
One point not made in the Slashdot comment is that Congress is also interested in the issue. House Majority Leader Dick Armey has asked the FBI to stop using Carnivore until 4th Ammendment issues have been looked at, and the House Judiciary Committee is holding hearings on the matter on July 24th. That means that this isn't just a lonely fight of a few privacy advocates; some big guns in the government are at least interested and asking the right kinds of questions.
There's no point in questioning authority if you aren't going to listen to the answers.
One of the problems with sending encrypted mail is that I talk to a lot of non-geeks.. is there any support planned for GPG in Mozilla? Or some compaible alternative? This might be a chance to get encrypted communications more mainstream (I certainly make heavy use of SSH as is; It beats having to set up stupid display variables!)
How about the web though? If "the man" can see what you're surfing, I don't know if I might like that. Do slashdot comments count as mail? What about hotmail? Or for that matter, ICQ? The hordes use ICQ a lot, and I know more than one person that sends drug-related info over it (much to my concern). If they're going to tap that, then this isn't about an email sniffer, it's about a network packet sniffer looking for strings.
*sigh* Land of the free, indeed. Don't argue with the man, or he'll bust yo ass! It's not like you need to worry, unless you're a drug dealer/money laundrer/commie red pinko/branch davidian/mob leader/columbian national/insert group-of-the-month here
..don't panic
Really, is seeing the technical specs and source code going to help determine if the Carnivore system invades privacy? The FBI stated that all email traffic in an ISP goes through Carnivore. If that isn't invading privacy, what is?
I'll try and guess how Carnivore works (the software that is, IDNJS about networks). I assume it requires too much disk to log the entire text of every message (and be too cumbersome to search, and be a tremendous waste of cpu). I bet they just index every message and check it against a list of "flags" - names, phrases, addresses or other terms related to ongoing investigations. If a message turns up a flag, the Carnivore notifies HQ and the message is logged. I bet the From:, To:, Cc: and Bcc: addresses immediately become flags as well. Perhaps all email traffic immediately following the flagged message would be logged for a certain period of time. Encrypted messages are ignored, but the From:, To:, Cc: and Bcc: addresses can still be checked.
At least that's how I would build the system. Now, as a hypothetical exercise, how would you defeat it? Encryption helps, for sure. You'd need to change email addresses frequently, though. Or you could do what I do and live in a developing country. My ISP couldn't figure out if someone hacked into their system if their life depended on it, let alone figure out how to track anything.
All I can tell you is the FBI will become the world's top experts on spam, as 60% of the carnivore's food will be spam. I can imagine a team of 30-year-old college drop outs working in a basement outside DC, reading page after page of spam on some trusty 1983 VAX machines.
Yeah. The government can suck your dick. Cause one fucking box is no way, no how gonna suck down multiple OC48
Ahaha.. uncle sam you dumbfucker.
No, he means GPG (aka GnuPG, the GNU Privacy Guard), a GPL'ed, open source alternative for PGP which does not use patented algorithims.
The Mozilla Crypto FAQ has a little bit of information on encryption and the News/Email client.
"Can of worms? The can is open... the worms are everywhere."
so far, we've no evidence that the system is a) always-on, and b) indiscriminate.
So far we also have no evidence that the system is NOT always-on and NOT indiscriminate.
"Innocent until proven guilty" applies to those that the government accuses. The government itself is a separate category, and the functionaries of governments (both the US and others) have a long track record of improper actions.
Government is granted extraordinary power. Strict scrutiny of government operations by the citizens is both proper and necessary to keep the government from exceeding both its own rules and its mandate.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Hi all, Here is some info that you may find interesting. I have worked in and out of the architectural/design/building industry for the better part of the last 14 years. In that time I have worked on the design and build of many telcom centers and ISP's. For this work security is stringent and done on a per project, eyes only basis.Most of these places (I am generalizing due to very real security issues in the telcom industry) are designed with very highly secure areas where the main switch/com centers and computer rooms setup with the following (very generalized and non specific) criteria: 1. switch/control centers have to be on an 'open' wall so that they may be visually inspected for bugs and taps. 2. computer centers and the racks they mount to have to have 100% visible access as well. 3. walls of secure areas usually have leadlined wallboard and welded wire mesh installed from deck to deck behind the leadlined wallboard. 4. these installations usually use the box within a box within a box scenario (ie secure areas within secure areas within even more secure areas built just as above.) 5. highly secure and mostly invisible CSTV systems monitor every square inch of the space inside and out of these installs, capable of doing so in complete darkness(i have done quite a few casinos that use very similar CSTV systems which can see every player and dealer at any given time) These are not the only security measures involved in building a telcom but this is as far as i can go without having to post as an AC. The folks working inside these areas have to have all sorts of additional clearances/citizenship requirements etc. Building these installations is not easy due to the fact that even the staff of contractors doing the build out typically have to pass security checks and sign nondisclosure agreements as to what they have seen and built. Telcoms are not the only types of businesses that have to follow these stringent security measures. There are a great many 'local companies' all over that are really offices for other agencies. You may or may not be aware of this but many times when these places are built they use names of 'private' corporations etc. to hide thier real ownership. Ironically, the ISP's that I worked on didn't have such security in thier design criteria (usually they are mostly concerned with disaster proofing and service interruption proofing) but if things keep going as they are it would not surprise me if they had to implement these types of upgrades due to the *ivor boxes being located within thier facilities. If that happens we will see a lot of ISP's go under as this type of construction, whether new build or retrofit is really very expensive. To sum it up, let me say this: the freedom of information act is really an obscene joke. I have seen documents released for the purposes of building these installations where as much as 90% of the actual design criteria is totally blacked out, 5% is readable but 'classified' (and usually printed in nonreproducable photo blue) and the remaining 5% is as generalized as this post is. Even if *ivor information is released to us via FOI act it will be mostly useless and not yield any clues as to the level that security is going to be compromised by it. Hopefully, there are some IT folks out there who work in these facilities that can provide us some insight to the systems without compromising themselves and thier positions. After all, matters of National Security are not a joke and in the big picture a little loss of personal privacy may seem trivial compared to whats really at stake (read:I am not in agreemnet with them doing this but I do understandwhy they are doing this). If you want privacy in your email the answer is very simple: use strong encryption and exercise due diligence in deleting/scrubbing your email after reading it. If enough people use highly encrypted email bigbrother will not have the time to decrypt all of it enmasse.
Prospecting Stinks. Stop Wasting Time on Cold Calling.
Summary: just how much does the Carnivore box monitor? Does it look only at IMAP/POP2/POP3/SMTP traffic, or is its charter far, far broader to capture at least the endpoints of communciations using other modes of operation? Does this mean that the FBI therefore has a trace of all your activity available to it? The rest of this article looks at just how much the FBI would have to monitor in order to trace all possible mail traffic conduits.
The telephone industry has been told they have to design switchgear to make ubiquitious wiretaps easier. That mandate has not, to date, been extended to Internet Service Providers...but I can see where the ISP business will be nailed in just this way. Unfortunately for law enforcement, such a law would only help them catch the really, really, stupid criminal or the casual criminal -- the hard-core types would enlist the aid of cybercriminals [no, not hacker you dimwit] to help them hide their tracks.
Frankly, the Internet marketplace provides a number of opportunities to thwart this sort of stuff. Some examples:
This is not intended to be a primer on how to "get around" the FBI Carnivore box. This is intended to show (a) how difficult the task is to monitor all mail given current technology, and (b) to show how combating the technology already in place may cause privacy concerns far greater than mentioned already.
The monitoring of paper mail is, by comparison, a far easier task: you have a handful of choke points (USPS, FedEx, UPS, DHL, and so forth) who need to be in the good graces of law enforcement to do their job. The monitoring of fax and modem traffic is done using pen-and-trace wiretaps, recognizing the unique wideband signals to identify the difference. (Did you know it's extrememly difficult -- read "expensive" -- to extract content from V.34 and V.90 traffic from a tap?)
In contrast, once you get access to the digital Internet. how do you monitor ALL the ways to exchange mail?
>>>We do not have a constitutional right to privacy
Okay, I'll assume you live in the US, and therefore cannot use that as an excuse for ignorance. You may remember hearing of a case about 25 years ago called 'Roe v. Wade'. The crux of the decision was based on the fact that people in the US DO have a constitutional right to privacy. It is not specifically written (AFAIK) but it has been interpreted thus.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
From what I've read of the system, it's a box that gets plugged in to the ISPs network and sniffs the traffic.
But don't most ISPs use ethernet switches rather than hubs?
If so, the Carnivore box would only receive traffic addressed to it (none) and maybe the occasional wayward packet.
Am I missing something? Are the feds doing some sort of MAC hacking or Tempest monitoring or other weird voodoo?
Is it just me, or does the ACLU go after the stupidest things (not to say that this is stupid)? When was the last time you heard of them really changing the life of or liberating the average American citizen?
You mean like the 85 innocent people released from death row in the last 24 years?
Going after any infringment of American's rights, no matter how small, is not stupid. Some day you might just thank them for it.
>Dunno if this is all over the country, but PacBell sends us here in California a list of legal notifications to have your phone tapped. They include beeping every 10 or so seconds, a verbal notification, and others.
:P)
These are standard notifications that a conversation is being *RECORDED* (by a corporation), not that it is being *TAPPED*. (What, you think the FBI is going to play a bunch'o beeps to warn the terrorists
> But if there is a third party tapping your email line, they don't have to notify you.
Unless that third party is acting under a court order, they'd be in violation of the Electronic Privacy act of 1991. Class 2 felony, I believe.
This is EXACTLY the kind of thing the successor to the KGB mandates in every Russian ISP. So what's the difference? The FBI guys wear white hats? These people need to be stopped NOW. With this in place, any individual even making a joke about drugs, politics or blowing up Congress in email will be susceptible to surveillance and harassment. Once they have your name in their little (big!) file they're NOT going to delete it, and you can look forward to a life under surveillance. The concept that 270 million people need to be searched in order to capture the tiny percentage of the population who are terrorists and drug dealers and child porno's is morally and intellectually bankrupt. They might as well just do mandatory house-to-house searches.
The revolution will NOT be televised.
The beta of the next version of BlackICE Sentry (from Network ICE) has Carnivore features built in. Administrators can configure "from" or "to" patterns to capture e-mails to the disk in mbox format. It can keep up with full-duplex 100-mbps connections, so you can tap into links between switches. This version runs on Linux, Solaris, or WinNT. It costs $5000, though.
*Few cases* where they've crossed the Line? What color is the sky on your planet?
Let's look at the scoreboard, shall we?
The FBI, under the control of J. Edgar Hoover, compiled dossiers on hundreds of thousands of American citizens who never committed any crime at all. The contents of those dossiers were used routinely to blackmail people that Hoover (in his sole opinion) considered "unamerican."
Did you know that Hoover considered the move to integrate Major Leage Baseball a "communist plot?"
Did you know that Hoover spent thousands of tax dollars on investigating Desi Arnaz, because he didn't like the way that "The Untouchables" glorified the secret service, a rival to his beloved FBI?
Surely you're aware of the FBI's harassment of Martin Luther King, which included anonymous written demands that he commit suicide?
How about the FBI handing over dossiers on hundreds of Bill Clinton's republican opponents to the White House staff, with NO legal justification to do so?
Get real: The FBI occasionaly deigns to do its real job, when they can fit it in to their busy schedule of trying to clamp down on any serious dissent in the USA. Thank god for our courts.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."