Slashdot Mirror
Emergency Hearing About Carnivore - Updated
Joe Moloughney was the first of several folks to point out that an emergency hearing is scheduled for 19:30GMT (3:30 Washington time) regarding disclosure of information about the FBI's Carnivore data surveillance system. The Electronic Privacy Information Center (EPIC) filed suit (pdf) and were granted the hearing because their request for details on how Carnivore works (under the Freedom of Information Act) have not yet been acted upon. [Updated 11:45GMT by t] voodoogumbo writes with an updated from Fox News that "[t]he courts declined to unwrap Carnivore."
Carnivore is a crackers dream come true. Imagine a remotely accessible box designed specifically for sniffing and that is required by law.
It's obvious that these boxes will be cracked one day, it's just a mater of time. Carnivore is still just a computer with software written by humans.
Any ISP would be right to refuse a black box on their network. They even might be able to argue that it can unreasonably impact the safety of their business.
every time i read about these sorts of systems, i have these weird mixed feelings about them. on the one hand, i don't want anyone looking through my stuff without my permission. on the other hand, i want to feel secure knowing that the government to which i pay taxes is doing what it can to protect me from harm. how can i as a citizen demand that the government have the utmost respect for my privacy when demanding that respect cripples its ability to protect me?
if timothy mcveigh had sent an email about 1 federal plaza, would that picture of the fireman and the bloody little girl ever been taken?
if he had and there had been no such thing as carnivore in place, would we have kicked ourselves about it?
sometimes this reminds me of when my friends would come over in middle school and forget their cigarettes at my house. i tried to hide them in my room from my mother, and i'd throw a fit about how it was my room and she should stay out if she went in there to put away my laundry or whatever, but i was really worried that she would find the smokes and yell at me for something i didn't do (which i didn't). her response was always, "what are you so worried about if you've got nothing to hide?"
what are we so worried about?
london is drowning and i live by river
how else could you differentiate different emails passing through the system?
How bout using software installed on ISP systems instead of some ominous black box clearly put their by watchers to avoid being watched. And once again I have to wonder if Cringley has his finger on a better pulse than EPIC or EFF with his article suggesting the FBI wants to start the process of creating an off switch for this newfangled 'internet'.
The main point here is not that the FBI is tapping e-mails. The general trend in National Intelligence (*muffled laughter*) is obviously going to yeild things like Carnivore, but what groups like the ACLU want is what we all want, KNOWLEDGE! We simply want to know what the hell is going on in this little black box, because we as citizens have a responsibility to watch the watchers.
Red tape or not, there should have been more information available on this little gizmo before the sudden accross the board implementation came about. Steady encroachments on rights are bad enough, but sudden sweeping moves deserve intense and widely publisized scrutiny in my opinion. Sets a good example...
I rember when a couple people filed under the freedom of information act to get the forumla the IRS uses to select people for an audit. Naturally the IRS objected, and even after a court victory, they still refused to give out that information. What did they do? They ran to congres and asked them to make and exemption, which they did. Bastards. I can only guess what is going to happen here... again.
----------------------------------------------
I don't really mind double posts on
Computers are intellectual amplifiers, in the same sense that a fork lift is a physical amplifier; they both allow you to handle loads you could not handle unassisted.
The most dangerous aspect of "Computer Crime" is that it is really "Thought Crime" in the sense that Orwell meant in "1984". The problem with "Thought Crimes" is that there is no way to prove you didn't commit them. Example: FBI seizes your computer, they 'find' child pornography on the machine. Go ahead, prove that they planted the evidence. Everything on a hard drive is ones and zero's and as such it can ALWAYS be faked.
I have a personal friend who has been doing police work for 20 years. When I asked him why he quit doing narcotics work he explained that he got tired of framing people. "Look" he said, "drug dealers aren't stupid, they don't keep drugs in their own homes. Every time you read about a bust where the narcotics agents break down a dealers door and find drugs you can just about bet that they brought the evidence along with them."
Law enforcement does not need Carnivore for the same reason that they really don't need to decrypt messages; traffic analysis alone is enough for them to learn almost everything about you. All they need to know is who you are talking to and when you talk to them. This is one of the main reasons that the US has lifted the export restrictions on data.
Carnivore is just snoopy people who want to spy on everybody. Given the chance, they would read everybody's snail mail - not because they would get useful information but just because they could; that is how stupid, petty people behave.
Everybody who believes that with Carnivore the government will only read the mail they are authorized to read is entitled to their belief. I - on the other hand - quit believing in the Tooth Fairy a number of years ago.
That statement should be amended right after 'gather' with "...in a court of law...". Just because evidence gathered by carnivore cannot be used in court does not mean that FBI analysts can't use it. Hell, just because the email is legal doesn't mean the FBI can't use it.
For instance, suppose I'm sending out emails supporting drug reform. The FBI, gunning for a pedophile on my ISP, scoops up my messages. Even though what I am doing is legal, even though the feds don't have a warrant, I could easily be added to a database of possible drug users at the FBI or, even more nefariously, those messages could be reported to my local police (or my boss) who would then keep an eye on me for something they could use in a court of law.
Such an ability would be stunningly simple to incorporate into Carnivore with keyword searches, nobody has to read it unless it gets flaged by the search.
By the tone of this post you might be led to believe I don't trust the FBI... you would be abso-fucking-lootly correct.
Insanity is the last line of defence for the master diplomat. But you have to lay the groundwork early.
Actually it is possible for a government to do this kind of thing, and some governments have found it desirable. An example is the former East German (DDR) government's Stasi secret police. After Communism fell, the unified German regime opened up the Stasi records and people were shocked at how many of their neighbors had been snitching on them.
It worked kind of like Amway: Joe recruits Mary, Mary recruits five of her friends, they each recruit five, etc. There's a threat of blackmail for those who resist being recruited. These people didn't have to be on the Stasi payroll; they were public-spirited citizens. Of course, half the people being snitched upon were also working for the Stasi, but the Stasi liked this feature. It kept everyone on their toes.
The other interesting thing that came out was the level of detail that the Stasi agents was recording. Incredibly trivial stuff. Not that the Stasi used most of this trivia. That wasn't the point. In techie terms, they were interested in Granularity. Hi-rez surveillance.
For those who didn't see the Congressional hearing on Carnivore on C-SPAN last week (you can watch all 3 hrs and 15 minutes of it from here), it showed one thing - it is currently not known what exactly Carnivore does.
Almost everyone assumes that Carnivore tracks e-mail - this may not be all. During the hearing suggestions and speculations covered a lot of TCP/IP protocols - from the near admission of the FBI that they have tracked ftp transfers, through the constant mentioning by the FBI pannelists that they look at packets, to the tracking of http requests, streaming media server connections, etc.
One of the panelists, the CEO of a small ISP in the DC area, testified that it took one of his sysadmins about 3 lines of configuration code and half an hour to implement tracking of e-mail (incoming and outgoing) on the CEO's account, which would have satisfied the needs of the FBI if this is were the only thing Carnivore does. The fact that the ongoing Earthlink lawsuit was brought up allegedly because Earthlink was unable to provide the requested information to the FBI (with a valid court order and all), seems to indicate that Carnivore is after much more than simple e-mail.
Among other interesting things that came out at that hearing was the security aspect of Carnivore - no sysadmin in their right mind would welcome a "black box" to become part of their LAN, and at the same time be accessible remotely.
Meanwhile, back in the real world, the FBI's pattern of behavior indicates that it is indeed a threat to law-abiding citizens. For an FBI official to propose to install some black box into the Internet takes as much cheek as a repeatedly-convicted embezzler applying for the position of chief accountant.
/.
/. If the government wants us to respect the law, it should set a better example.
This point needs to be re-iterated from time to time: it doesn't matter how important you are; what matters is how easy it is to conduct surveillance on people. If you need special equipment and lots of people to monitor a single person, the resources will obviously be concentrated on only the most important targets. However, if you can do it practically automatically with minimal hardware and manpower, then even your "little schmoe from Asshole, Indiana" becomes a potential target.
First of all, he's important to people currently in the government. That's because he's a member of the electorate and the government wants desperately to get re-elected. Knowing Joe Schmoes' party affiliations, special interests and voting histories helps targeting the campaign.
A more sinister use of the e-mail snooping would be gathering dirt on your political or business competitors. History knows several examples (Nixon and allegedly Clinton admins, for instance) of this kind of abuse. This application would probably not affect your average Joe Schmoe, though, because he doesn't wield direct power or pose a direct threat.
Knowing Joe Schmoe's habits is also important to businesses. Why do you think they'd like you to tell them your name, e-mail address and sometimes even income and hobbies before they let you use their web services? Profiling people is a serious business today.
So, don't take comfort in thinking that you're not important enough...
I've posted this before, in a different form. But since people keep on making the same boneheaded statement again and again, I have to keep on presenting myself as an Average Joe exception to the rule.
First, I'm not Joe Schmoe from Asshole, Indiana. I'm from a small town in Iowa, which is probably even more podunk than Asshole, Indiana is. And I'm fairly certain I've been under surveillance at least once in my life, and maybe far more often than that.
Back in 1993 I was just getting interested in crypto, and I had an email exchange with a notorious arms dealer who was under investigation by the U.S. Government for arms smuggling. His name was Phil Zimmerman, the guy who wrote PGP. It was an innocuous email conversation talking about large number theory. But realistically, Phil was under investigation for arms smuggling (specifically, violation of ITAR/EAR), so it seems pretty reasonable for me to believe that he was under some kind of surveillance.
Guess what? Since I was talking to him, that meant I was under surveillance, too.
How many of us here have friends who are active in the phreak community? Go on, raise your hands. How many of you believe that your friends are so 1337 that they'll never be caught, never be fingered to the cops by their friends? Wow. So you have 1337 phreak acquaintances or friends, and you think that they might come under police investigation someday?
Well, guess what, buddy. If they come under investigation... so do you.
Loyd Blankenship, from Steve Jackson Games, found this out the hard way. Remember the Secret Service raid on SJG? That was predicated, in large part, on Blankenship's association with people the government declared to be naughty. It was a pretty tenuous freakin' association, too--and the Secret Service still decided to swoop down and raid the place.
In my last job, I was doing InfoSec for a San Francisco start-up which was going to be expanding into Europe. This concerned me, because a lot of European businesses are partially owned by the government, and the European intelligence agencies (particularly France's DGSE) have been known to eavesdrop on communications for purposes of economic espionage. The NSA does the same thing for American firms--but the NSA claims that it only does so to counteract foreign governmental abuses of their intelligence apparata.
Was I concerned about the DGSE? Hell yes. Little ol' me, the hayseed who grew up on an Iowa farm, was working in an industry where governments commit economic espionage.
A few months ago I became tangentially involved in a criminal investigation. Although I wasn't the target of the criminal investigation, I worked closely with the individual who was under the FBI's spotlight. Guess what? That spotlight got pointed against me, too. Not for long, just long enough for the FBI to realize that I had nothing to do with it. But I didn't like it one bit.
We don't have to be important or criminals to come under the spotlight of government scrutiny. We don't have to be doing anything wrong. We can be community leaders, outstanding citizens and decent human beings--and still, if you associate, knowingly or unknowingly, with people which the government is taking an interest in... well, you can expect to get hit.
Period.
I'm currently involved in implementing software to allow cellular carriers to comply with CALEA.
What the FBI is doing with Carnivore is completely contrary to how surveillance has been done in the past, if the stories about Carnivore are true. From what I understood, the Carnivore system is locked up in some cage, hooked up to the ISP's network and left alone. Only the FBI personnel are allowed to touch it.
The way surveillance has been done in the past is the FBI or any law enforcement agency goes to a carrier with a paper warrant written by a judge that says they can conduct surveillance on a person in a particular geographical area for a certain length of time. The carrier then provisions the wiretap equipment (owned by the carrier) to allow the LEA's Law Enforcement Monitor (LEM) to login and receive surveillance data. The surveillance should stop when the warrant expires if it is not renewed by a judge. The judge does regular reviews of the surveillance to make sure it is all compliant with the law.
With Carnivore, all of the accountability above is missing. The FBI owns and maintains the equipment and can be doing whatever they want with it regardless of whether or not there is a warrant. Who knows if they have implemented the automatic expiration of warrants (we had to in order to be compliant with FCC regulations). At least with the current scheme of things, the carrier has to be presented with a warrant and knows what is being done on its network.
With what I have seen the FBI try to get out of the CALEA law, they are really trying to expand their wiretap capabilities. An example: The FCC's latest CALEA standard allows LEA to continue surveill conference calls that the subject under surveillance has already hung up on or may or may not be a particpant of (in dispatch systems).
I think Carnivore is just another example of the FBI trying to expand its capabilities. I think this is also a case of asking for forgiveness rather than permission. Permissions would have taken too long in their eyes.
Prediction: It'll turn out that the failure to act on the FOIA request was just administrative red tape and such, and that there's nothing wrong/sinister going on here.
My guess is that you're probably correct that Carnivore isn't some nefarious conspiracy on the part of the FBI. However, having worked in large bureaucracies, I think you're wrong that the dealy is just red tape. The first instinct of a bureaucrat is to stonewall any request for information. Disclosure never is to their advantage. At best, there's no harmful stuff there, but the organization/bureaucrat isn't going to get any brownie points for doing the right thing by releasing it. At worst, there's going to be something horrible that will embarrass the organization. get them a hearing on capitol hill, and possibly ruin the bureaucrat's career. The the first question that runs thru a bureaucrat's mind when getting a request like this is: "What's in this stuff they're requesting? Do they know something? I'd better have our staff review it before releasing so maybe we can bury it or at least get our story straight about it."
Look, while I understand that people don't like the idea of having the government read their e-mail, I think that a lot of people frankly overestimate their importance in the grand scheme of things. There are millions upon millions of people in this country. And yet some little schmoe from Asshole, Indiana thinks that he is so important that the "gummint" has got dozens of agents watching his every move and reading every little piece of mail that he gets.
Puh-leeeeeeze. Unless the FBI all of a sudden raises its number of employees by a factor of ten thousand or so, surveillance on every American citizen is not possible. Even if it were, why would the government bother? They've got better things to do than watch you defile yourself in front of electronic porn. Somebody here on Slashdot has got a sig that says "Big Brother doesn't care about you." That's right. Don't be so deluded and self-important as to believe that people actually care about what you're doing.
Personally, I think that the only people that need to be monitored are those who are worried about the government monitoring them. By expressing worries, they've expressed that they are probably doing something illegal or extralegal. This is why I am (more or less) in favor of Carnivore. It's not the end of privacy in America by a long shot. People who believe that it is are probably conspiracy theorists who should go back to figuring out who shot JFK (hint: his initials were LHO.)
"Please use email for all of your future correspondence with our Congressional overseers- it makes, er, participating in politics that much easier for you. Yeah."