Slashdot Mirror
University to Review Carnivore
stubob writes "CNN.com is reporting in this article that within the next 2 weeks a university will be selected to review Carnivore. This is apparantly a follow-up to this story posted on Slashdot last week. It will be a hardware and software review, lasting until December. The FBI has not decided which university will perform the review, and no information was given on who at the university will actually be performing the review."
And then we're supposed to accept the results as having some significance or relevence?
Excuse me, but have you EVER known an "impartial" review, when the reviewee pays the reviewer?
OF COURSE they're going to pick people most likely to be sympathetic, and ply them with "sweeteners" to "encourage" a favourable result.
If the FBI wanted a genuinely honest result, they would be taking a hands-off approach. They'd make Carnivore available to a RANDOM assortment of Universities, place NO constraints on who was to do the testing (detailed records would be ok, though, and very desirable), and provide proof that they had NO contact with the researchers, the University, or ANY friends or relations, during the work.
(They could reasonably be expected to ensure that no other intelligence agency did, either, though.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
No, I think it is cheaper to just bribe someone at an university to say there's nothing wrong with it than appointing an entire comittee :-)
Every expression is true, for a given value of 'true'
Hey, wait a minute, how does Carnivore get its logs back to the FBI? Is the FBI going to have removable media in this thing and have the logs sent by snail-mail? Otherwise how the heck is this thing going to transmit stuff back when its installed at a busy site with a saturated outgoing connection? Would the ISP be able to do traffic analysis on the transmitted traffic to determine what kind of data the thing is logging?
So many questions, so few answers.
-- Remember: Wherever you go, there you are!
Um, no. The FBI has been exonerated repeatedly for what happened at Waco.
Not that I would trust the FBI to keep its nose clean, but at least blame them for things that are actually their fault.
-jon
Remember Amalek.
I was thinking they would probably send it to School of the Americas.
Where did you get the idea I was anti-gov't? I'm actually pro-gov't. The reality is that academic research is skewed by government funding.
In the end, only Congress and the courts will be able to check the powers of the DOJ, which is reaching beyond the 4th ammendment with Carnivore.
The court of public opinion will only be satisfied with complete public disclosure and verification that their rights aren't being violated.
I bet the University they select will be
one that receives grants from DOJ. If not,
then there would certainly be some other
financial/political conflict of interest. After
all, Every university receives copious ammounts of funding from the US Government.
Actually, it wont be the University as much as the professors at the university. There *has* to be at least one professor in the DOJ's pocket somewhere.
Shouldn't they be appointing a comittee that will take a few years to make up their minds?
They had better make it public. I wonder if the documents that the universities recieve will be part of the publicized review, or is that too much to ask of the FBI.
I am always wary of that sort of thing because universities are easily pushed around by the NSA and other similar bunches of spooks-in-suits... If they are easily pushed around on what cryptography research they can do and/or publish, why not deliver a fixed report after some smoke-filled-room discussions... Not to sound like a paranoid, but i'm usually skeptical of this sort of thing because we always find out 20 years later once things get declassified that the public was being lied to. It happened with the civil rights movement, where the army and the FBI were keeping lots of surveilance people busy watching potential rabble-rousers... It will happen again now with this, and we'll only find out after it's too late, and it'll happen yet again with tomorrow's technology so the powers that be can keep any free thinkers under thier thumbs...
---
Play Six Pack Man. I
I would suggest that if ISPs and privacy minded individuals are really bothered by a Carnivore system - why not put our own filter in place upstream of the Carnivore box?
Filter out all but the packets that pertain to the subject under the warrant - the Carnivore system gets NO chance to exceed its legal bounds.
You could even get fancier and "expunge" the subject line from the mail header packets that are fed to Carnivore.
I doubt this would be more than a few weeks worth of work for the right hackers 8-) Maybe even be a "floppy" distribution like the one-floppy router project. Call it ZooKeeper (feeds the Carnivores and Omnivores).
The FBI can't really object - we can make the source code available for THEM to audit. It does exactly what they need, so a court should back up someone using it (i.e. they ARE cooperating fully).
Any takers?
I think the FBI is great and does a great job, but I'm not going to give them the keys to my house because they tell me they won't search it without a really good reason.
OK... From the story....
But privacy advocates and some members of Congress fear the system may cast too wide a net, encompassing private information about legal activities and leading to potential abuses.(emphasis added)
Some members of congress feel that there is potential for abuses. The only way for potential abuse is for monitoring information of non criminals/suspects which means private americans and corporations, From what I understand the FBI was instuted to protect, in part, the protection of Americans privacy. Some of our own congressmen admit, by implication, that the FBI is corrupt. I don't know about everybody else but if I had a choice I would not want the FBI involved in anyhthing remotely close to me due to the possibility of abuses. In fact if I had a choice I would have the power of the FBI GREATLY reduced so that Americans privacy would have more protection.
If at first you don't succeed, skydiving is not for you.
I remember seeing a interesting documentary on A&E about Las Vegas slot machines. There's an industry where the software that runs the machines quite likely could be (and as the documentary pointed out, has been) tampered with in favor of the issuing party. This is extremely serious, because if people don't believe the machines are giving them fair odds, they won't play, and Vegas would be finished (the machines run the town).
To prevent this, the ROMs that the machines run are *tightly* monitored by a government review board, who, I would assume, employ assembly language gurus and the like to make sure nothing fishy is up - and this board can randomly inspect any machine, at and time, for any reason, and god help you if your rom doesn't match the one on file.
Such a system would work very well to control the carnivore system, I think. Of course, my country isn't proposing to do anything this insane, yet.. When I think about it, sweet jesus, it's scary - they want to be able to tap any email or internet connection (packets are packets, right) at any time!
There's got to be a mecahnism put into some of the popular mail readers (mozilla?) to allow for hard encryption during transit happen real soon like. I mean, who gives a @#$@ how crappy the passwords are stored (put them in a .conf file) just so long as they're being *used* for email, ideally, transparently. Then carnivore is effectively useless. Too bad Microsoft wouldn't implement something like that - would be sweet. Or even if ICQ supported it (there is a ICQ client for secure comm now, Linux only..)
Just some thoughts.
..don't panic
Phone rings...someone on the other end of the line picks up.
Voice: "Hello?"
FBI Director: "Uh, yes, hello, this is the director of the FBI speaking. Ummm...I'm doing some..uhh..research here and I need to know the top ten most government funded universities in the US."
Voice: "Well, University X received this much, University Y received this much, and University A tops the list with a wopping X amount of money given to it by the government."
FBI Director: "Right!! Thanks!"
Director slams down phone. Leans out of office window, yelling:
"Johnson!! That university that we were looking to test Carnivore? I've got one lined up!"
This was meant to be humorous, not to be taken serious by any stretch of the imagination. Please moderate and reply accordingly
It is kind of auspicious listing this article right after the one about universities being
bought out for research.
LibBT: BitTorrent for C - small - fast - clean (Now Versio
This is ridiculous. The government is monitoring communications and won't reveal the manner in which they do it? The FBI should be forced to comply with FOIA requests for any and all documents related to Carnivore. The FBI is the servant of the citizenry, not its keeper, and should be put back in its place.
Oh, but Bush and the CIA didn't do anything! And he certainly didn't pardon most of the people involved before he left office!
Pax Digitalia
They should pull a trick like the CIA did when it was discovered their involvement with cocaine and Latin American contras - do an internal investigation and state that we found nothing out of order. The media/public bought it last time.
You are more than the sum of what you consume.
You are more than the sum of what you consume.
Desire is not an occupation.
After getting reaction from privacy and law enforcement groups, one will be recommended to Attorney General Janet Reno. He said the university will be selected partly based on its technical expertise in computers and its ability to conduct a "thorough and timely" review. Reno said the university experts will have "total access" to any information they need to conduct their review.
OK Kids.. Here's five dollars, you have twenty minutes to 'review' the system.. No you may NOT open the box - Heres the instruction manual:
Welcome to new CARNIVORE system
Your new CARNIVORE system made from component of hi quality. If use, keep dry. Not to open style case with not user serviceable parts inside.
To Operate
1) Press POWER button
2) plug to NETWORK connection
3) Wait for single beep tone
4) Leave connected- Only AGENT use now
If Problem occur
1) Check power cord - Is plug in?
2) Did POWER button completely depress?
3) Contact AGENT for assistance, No user serviceable parts inside.
air and light and time and space
This may be a little reaching, but perhaps instead of a university researching it, why not have Universities test it out on a private internet?
Internet2 is already there, with several tech-filled campuses using it. Why not just have the Internet2 test out the Carnivore and have those U's figure out its flaws, its innards, and what vulnerabilities to people's rights it would have.
To me, that seems like the best idea, and it won't disturb anything with other countries or people's rights, just make the U's on I2 a little more worked, but for the good of everyone.
Dragon Magic
Human nature is the same everywhere; the modes only are different. -- Earl of Chesterfield
Seriously, do you want to end up with a bunch of students reading through (Ada, no doubt) obfuscated (wait, I already said Ada) source code and trying to figure out what it does? After all, the researchers are all too busy working on corporate research to be able to do this...
Anyway, all there needs to be is ONE buffer overflow/security hole in the code, and then the FBI can get in and push bits around on the stack until it's reading everybody's email. Remember to check for that!
Free BeOS, runs from a Linux partition
Question: Does the FBI Training Academy count as a university?
Fire and Meat. Yummy.
It will likely be reviewed by a bunch of students who will do exactly as the feds say, in lieu of being prosecuted for the 14 gigs of w4r3z they have on their computers.
The leader of the review will be a professor who will be spared from charges related to that 17 yr. old freshman he was screwing last semester..
Someone unbiased and objective, I'm sure. Kinda ironic this followed right on the heels of Katz's article on the tainting of academia from outside influences.
"Extremism in defense of liberty is more fun."
I've got a plate of rice crispie treats and a pint of Guinness that says they do it. Anyone want to bet?
This is my signature. There are many signatures like it but this one is mine..
If you're looking for an objective review of software, you don't go to the company chosen by the publishers, as it will obviously be swayed.
If this is a public inquiry required by the gov't, why not let the public decide which university? Anyone else think this is a bit strange?
Also, totally OT, but... this is killing me...
Anyone else worried about G.W.'s ties to the CIA? I mean, his father was the head of the CIA for a while (during iran contra, i might add), and now, all of a sudden, BOOM his son is up for President. His son with 5 years of political experience...
So the former head of the CIA pulls some strings and gets his son nominated for president... Said son states that one of his 3 main platforms is national security....
I'm scared, and I'm wondering why noone is talking about this.
I guess it isn't really even offtopic. I mean, Carnivore is the FBI's surveilance system. Does anyone honestly believe that the CIA doesn't have a surveilance system in place?
I don't like Gore either, but with GW's puppetness, CIA ties and stated platform of national security, I'm more than a little worried.
Now, this should only be done when a full wiretap authorization has been given by a court order. The part that needs Real Close Examination is the logging of enabling and disabling such captures. If that's sloppy or has holes then anyone could be monitored without proper authorization.
Beyond that one should be asking what will be done to review that logging - will this be done by the FBI, making sure that the FBI is only watching who the courst have said they could? Self monitoring has certain weaknesses ...
This also applies to the "trace and trap" or "pen register" modes, where only the From: and To: information is being captured. The code review can confirm that the mode works as it should, but it also should confirm that moving from trap and trace to full capture mode gets logged as well
US citizens might consider the establishment of a standard for wiretap authorization; perhaps as a rider to CALEA. This would involve digital signatures for enabling levels of authorization, with an indirect process to generate the electronic command - the FBI asks, the court grants and sends the enabling command. And the code is well reviewed for any holes in the enabling and logging logic.
The real question is whether or not they will suspend use of the box during the investigation- otherwise they can just milk this thing for as long as they want and keep using the system, or switch to a different method that is equally invasive...
Is this going to be used as a final decision regarding the use of this email interceptor?
We just read an article which suggested that Academia is progressing towards profitability and less credibility
Am I too harsh in thinking that nothing will come as a result of a long and drawn out process of 'experts' reviewing the integrity of the system. It all depends on who they ask to review it.
If we are lucky, then somebody of good faith will be able to post intimate details of the inside guts of the system. Can we only hope, so we can keep our right to privacy?
I can just picture two CompSci students working on the Carnivore box...
Mike: Hey, what's this thing do?
John: Hmm, seems like that's the part used to detect everyone's e-mail address as it passes through Carnivore.
Mike: You know what would be cool?
John: What?
Mike: I've got a way or hacking this thing. Let's keep quite about it, and when the FBI install these babies, we can use the hack to read everyone's email!
John: And why would we do that for? Other than for fun, of course.
Mike: To score with the chicks, John! To score with the chicks!
John: Oooooooh! Great idea!
*shudder* I _know_ guys in college who would really do this kind of thing...
Tongue-tied and twisted, just an earth-bound misfit, I
Learning to fly, Pink Floyd.
The FBI should ask Jon Katz what university would be best for the review. Without his help, they might select a university influenced by UnichemaMcPetroColaNikeDollars and not really do any real research.
-------------
The truth is out th- oh, wait, here it is...
Let me reiterate.. at least two universites.
Having only n universities examine the machine is a 'bad idea'(TM). For any real security evaluation, you ought to have at least n+1 teams examine the device.
Let me reiterate... at least n+1 universities.
Why do they even need the system in the first place? ISP's can provide them with all the information they are legally entitled to when they present the ISP with a court order. Why do they need their own unmonitored access to all email on the ISP?
As stated in the above post, this outside review of the software doesn't prevent the FBI from making changes in the future without notifying anyone. I think the FBI is great and does a great job, but I'm not going to give them the keys to my house because they tell me they won't search it without a really good reason.
Don't forget that Friday is Hawaiian shirt day.
"We will provide a superb education for all our students for years to come," said an FBI-U rep. "Well, at least until our 'faculty' get done 'researching' that Carnivore thing."
Sandidge
Bob Jones seems an obvious choice.
"Extremism in defense of liberty is more fun."
Why does the FBI get to choose the University that is going to review Carnivore in the first place? Why a University? It's like asking Bill Clinton to choose the person to investigate his latest impropriety (Ginger Lynn, the porn star... wait for it.) Or like Micro$oft appointing the Judge to preside over their anti-trust trial.
/. reader, but because the hackers and the Fed are natural adversaries. It's the only way to make sure Carnivore gets a thorough PEER-REVIEW. Hackers would really get under the thing's skin, while academics will complement it's object-oriented design, oogle the UML specs and give a favorable review in exchange for a research grant. The only hope is that, since this thing will end up at a University... Well, their security ain't the best.. We'll get to see it somehow.
The decision of who and how will review Carnivore OUGHT to be made by a panel of SECURITY EXPERTS, not the people accused of 'wrongdoing' in the first place. I'd like the decision-maker to be Bruce Scheiner, and I'd like him to hand Carnivore over to the L0pht guys (umm, excuse me, @stake).
It should be the hacker community that gets to scrutinize Carnivore. Not because I'm a
In the very least, I hope a formidable research University gets the nod. Someplace like CMU, MIT, or UC Berkeley would/might do this right. I'm sorry but if they hand it to Harvard or Yale, our communal goose is cooked.
-- What you do today will cost you a day of your life.
The WSJ ran an article this morning that had a less happy veneer. The high points were that the FBI was claiming Carnivore was classified information, and that thoguh they'd submit it for evaluation, it would not become public knowledge in any form whatsoever. The article is here at http://interactive.wsj.com/articles/SB965861735609 205665.htm
And here are relevant excerpts:
"The Federal Bureau of Investigation declined to give to Congress details of its Carnivore Internet surveillance system, telling a member of a House oversight committee that some of the documents he requested include classified information and others are the subject of a pending lawsuit seeking their release"
"...the bureau wrote that it is "not presently in a position" to provide documents he requested. "There remains substantial public misunderstanding and misinformation about the system," wrote John Collingwood, assistant director for public affairs."
"...the Justice Department has been negotiating such a review with the University of California at San Diego's Supercomputing Center, said Tom Perrine, the center's manager of security technologies."
and my favorite:
"Mr. Perrine said that part of the FBI's challenge using Carnivore is conducting Internet wiretaps under U.S. laws that predate the Internet. "Carnivore is probably the best program and the most privacy-protective program that [the FBI] could have written given the lack of guidance in law from Congress," he said."
Returned Peace Corps IT Volunteer
What we need here is a redundant array of inexpensive universities (RAIU). At least four universities should be set to the task of evaluating Carnivore, independantly. Meanwhile, one additional university is given the task of checking the findings of the other four as they come in. If any of the results don't match previous statements made by the FBI, you throw them out.
;-)
Seems simple to me...
Once the FBI submits Carnivore to public (the university) scrutiny - will they then be able to install their boxes with impunity, without continuous monitoring? Perhaps I'm stating the obvious, but how hard would it be for them to fill a box with some fairly innocuous code and then run whatever they want once they get the green light and the spotlight dies down? Just a thought.
-artistX
Let me reiterate.. at least two universites.