Emergency Hearing About Carnivore - Updated
Joe Moloughney was the first of several folks to point out that an emergency hearing is scheduled for 19:30GMT (3:30 Washington time) regarding disclosure of information about the FBI's Carnivore data surveillance system. The Electronic Privacy Information Center (EPIC) filed suit (pdf) and were granted the hearing because their request for details on how Carnivore works (under the Freedom of Information Act) has not yet been acted upon. [Updated 11:45GMT by t] voodoogumbo writes with an update from Fox News that "[t]he courts declined to unwrap Carnivore."
every time i read about these sorts of systems, i have these weird mixed feelings about them. on the one hand, i don't want anyone looking through my stuff without my permission. on the other hand, i want to feel secure knowing that the government to which i pay taxes is doing what it can to protect me from harm. how can i as a citizen demand that the government have the utmost respect for my privacy when demanding that respect cripples its ability to protect me?
if timothy mcveigh had sent an email about 1 federal plaza, would that picture of the fireman and the bloody little girl ever have been taken?
if he had and there had been no such thing as carnivore in place, would we have kicked ourselves about it?
sometimes this reminds me of when my friends would come over in middle school and forget their cigarettes at my house. i tried to hide them in my room from my mother, and i'd throw a fit about how it was my room and she should stay out if she went in there to put away my laundry or whatever, but i was really worried that she would find the smokes and yell at me for something i didn't do (which i didn't). her response was always, "what are you so worried about if you've got nothing to hide?"
what are we so worried about?
london is drowning and i live by river
how else could you differentiate different emails passing through the system?
How bout using software installed on ISP systems instead of some ominous black box clearly put there by watchers to avoid being watched? And once again I have to wonder if Cringely has his finger on a better pulse than EPIC or EFF with his article suggesting the FBI wants to start the process of creating an off switch for this newfangled 'internet'.
The main point here is not that the FBI is tapping e-mails. The general trend in National Intelligence (*muffled laughter*) is obviously going to yield things like Carnivore, but what groups like the ACLU want is what we all want, KNOWLEDGE! We simply want to know what the hell is going on in this little black box, because we as citizens have a responsibility to watch the watchers.
Red tape or not, there should have been more information available on this little gizmo before the sudden across-the-board implementation came about. Steady encroachments on rights are bad enough, but sudden sweeping moves deserve intense and widely publicized scrutiny in my opinion. Sets a good example...
Computers are intellectual amplifiers, in the same sense that a fork lift is a physical amplifier; they both allow you to handle loads you could not handle unassisted.
The most dangerous aspect of "Computer Crime" is that it is really "Thought Crime" in the sense that Orwell meant in "1984". The problem with "Thought Crimes" is that there is no way to prove you didn't commit them. Example: FBI seizes your computer, they 'find' child pornography on the machine. Go ahead, prove that they planted the evidence. Everything on a hard drive is ones and zeros and as such it can ALWAYS be faked.
I have a personal friend who has been doing police work for 20 years. When I asked him why he quit doing narcotics work he explained that he got tired of framing people. "Look" he said, "drug dealers aren't stupid, they don't keep drugs in their own homes. Every time you read about a bust where the narcotics agents break down a dealer's door and find drugs you can just about bet that they brought the evidence along with them."
Law enforcement does not need Carnivore for the same reason that they really don't need to decrypt messages; traffic analysis alone is enough for them to learn almost everything about you. All they need to know is who you are talking to and when you talk to them. This is one of the main reasons that the US has lifted the export restrictions on data.
Carnivore is just snoopy people who want to spy on everybody. Given the chance, they would read everybody's snail mail - not because they would get useful information but just because they could; that is how stupid, petty people behave.
Everybody who believes that with Carnivore the government will only read the mail they are authorized to read is entitled to their belief. I - on the other hand - quit believing in the Tooth Fairy a number of years ago.
That statement should be amended right after 'gather' with "...in a court of law...". Just because evidence gathered by carnivore cannot be used in court does not mean that FBI analysts can't use it. Hell, just because the email is legal doesn't mean the FBI can't use it.
For instance, suppose I'm sending out emails supporting drug reform. The FBI, gunning for a pedophile on my ISP, scoops up my messages. Even though what I am doing is legal, even though the feds don't have a warrant, I could easily be added to a database of possible drug users at the FBI or, even more nefariously, those messages could be reported to my local police (or my boss) who would then keep an eye on me for something they could use in a court of law.
Such an ability would be stunningly simple to incorporate into Carnivore with keyword searches; nobody has to read it unless it gets flagged by the search.
By the tone of this post you might be led to believe I don't trust the FBI... you would be abso-fucking-lootly correct.
Insanity is the last line of defence for the master diplomat. But you have to lay the groundwork early.
For those who didn't see the Congressional hearing on Carnivore on C-SPAN last week (you can watch all 3 hrs and 15 minutes of it from here), it showed one thing - it is currently not known what exactly Carnivore does.
Almost everyone assumes that Carnivore tracks e-mail - this may not be all. During the hearing suggestions and speculations covered a lot of TCP/IP protocols - from the near admission of the FBI that they have tracked ftp transfers, through the constant mentioning by the FBI panelists that they look at packets, to the tracking of http requests, streaming media server connections, etc.
One of the panelists, the CEO of a small ISP in the DC area, testified that it took one of his sysadmins about 3 lines of configuration code and half an hour to implement tracking of e-mail (incoming and outgoing) on the CEO's account, which would have satisfied the needs of the FBI if this were the only thing Carnivore does. The fact that the ongoing Earthlink lawsuit was brought up allegedly because Earthlink was unable to provide the requested information to the FBI (with a valid court order and all), seems to indicate that Carnivore is after much more than simple e-mail.
Among other interesting things that came out at that hearing was the security aspect of Carnivore - no sysadmin in their right mind would welcome a "black box" to become part of their LAN, and at the same time be accessible remotely.
This point needs to be re-iterated from time to time: it doesn't matter how important you are; what matters is how easy it is to conduct surveillance on people. If you need special equipment and lots of people to monitor a single person, the resources will obviously be concentrated on only the most important targets. However, if you can do it practically automatically with minimal hardware and manpower, then even your "little schmoe from Asshole, Indiana" becomes a potential target.
First of all, he's important to people currently in the government. That's because he's a member of the electorate and the government wants desperately to get re-elected. Knowing Joe Schmoe's party affiliations, special interests and voting histories helps target the campaign.
A more sinister use of the e-mail snooping would be gathering dirt on your political or business competitors. History knows several examples (Nixon and allegedly Clinton admins, for instance) of this kind of abuse. This application would probably not affect your average Joe Schmoe, though, because he doesn't wield direct power or pose a direct threat.
Knowing Joe Schmoe's habits is also important to businesses. Why do you think they'd like you to tell them your name, e-mail address and sometimes even income and hobbies before they let you use their web services? Profiling people is a serious business today.
So, don't take comfort in thinking that you're not important enough...
I've posted this before, in a different form. But since people keep on making the same boneheaded statement again and again, I have to keep on presenting myself as an Average Joe exception to the rule.
First, I'm not Joe Schmoe from Asshole, Indiana. I'm from a small town in Iowa, which is probably even more podunk than Asshole, Indiana is. And I'm fairly certain I've been under surveillance at least once in my life, and maybe far more often than that.
Back in 1993 I was just getting interested in crypto, and I had an email exchange with a notorious arms dealer who was under investigation by the U.S. Government for arms smuggling. His name was Phil Zimmermann, the guy who wrote PGP. It was an innocuous email conversation talking about large number theory. But realistically, Phil was under investigation for arms smuggling (specifically, violation of ITAR/EAR), so it seems pretty reasonable for me to believe that he was under some kind of surveillance.
Guess what? Since I was talking to him, that meant I was under surveillance, too.
How many of us here have friends who are active in the phreak community? Go on, raise your hands. How many of you believe that your friends are so 1337 that they'll never be caught, never be fingered to the cops by their friends? Wow. So you have 1337 phreak acquaintances or friends, and you think that they might come under police investigation someday?
Well, guess what, buddy. If they come under investigation... so do you.
Loyd Blankenship, from Steve Jackson Games, found this out the hard way. Remember the Secret Service raid on SJG? That was predicated, in large part, on Blankenship's association with people the government declared to be naughty. It was a pretty tenuous freakin' association, too--and the Secret Service still decided to swoop down and raid the place.
In my last job, I was doing InfoSec for a San Francisco start-up which was going to be expanding into Europe. This concerned me, because a lot of European businesses are partially owned by the government, and the European intelligence agencies (particularly France's DGSE) have been known to eavesdrop on communications for purposes of economic espionage. The NSA does the same thing for American firms--but the NSA claims that it only does so to counteract foreign governmental abuses of their intelligence apparata.
Was I concerned about the DGSE? Hell yes. Little ol' me, the hayseed who grew up on an Iowa farm, was working in an industry where governments commit economic espionage.
A few months ago I became tangentially involved in a criminal investigation. Although I wasn't the target of the criminal investigation, I worked closely with the individual who was under the FBI's spotlight. Guess what? That spotlight got pointed against me, too. Not for long, just long enough for the FBI to realize that I had nothing to do with it. But I didn't like it one bit.
We don't have to be important or criminals to come under the spotlight of government scrutiny. We don't have to be doing anything wrong. We can be community leaders, outstanding citizens and decent human beings--and still, if you associate, knowingly or unknowingly, with people whom the government is taking an interest in... well, you can expect to get hit.
Period.