University to Review Carnivore
stubob writes "CNN.com is reporting in this article that within the next 2 weeks a university will be selected to review Carnivore. This is apparently a follow-up to this story posted on Slashdot last week. It will be a hardware and software review, lasting until December. The FBI has not decided which university will perform the review, and no information was given on who at the university will actually be performing the review."
I've got a plate of rice crispie treats and a pint of Guinness that says they do it. Anyone want to bet?
This is my signature. There are many signatures like it but this one is mine..
If you're looking for an objective review of software, you don't go to the company chosen by the publishers, as it will obviously be swayed.
If this is a public inquiry required by the gov't, why not let the public decide which university? Anyone else think this is a bit strange?
Also, totally OT, but... this is killing me...
Anyone else worried about G.W.'s ties to the CIA? I mean, his father was the head of the CIA for a while (during Iran-Contra, I might add), and now, all of a sudden, BOOM his son is up for President. His son with 5 years of political experience...
So the former head of the CIA pulls some strings and gets his son nominated for president... Said son states that one of his 3 main platforms is national security....
I'm scared, and I'm wondering why no one is talking about this.
I guess it isn't really even offtopic. I mean, Carnivore is the FBI's surveillance system. Does anyone honestly believe that the CIA doesn't have a surveillance system in place?
I don't like Gore either, but with GW's puppetness, CIA ties and stated platform of national security, I'm more than a little worried.
Now, this should only be done when a full wiretap authorization has been given by a court order. The part that needs Real Close Examination is the logging of enabling and disabling such captures. If that's sloppy or has holes then anyone could be monitored without proper authorization.
Beyond that one should be asking what will be done to review that logging - will this be done by the FBI, making sure that the FBI is only watching who the courts have said they could? Self monitoring has certain weaknesses ...
This also applies to the "trace and trap" or "pen register" modes, where only the From: and To: information is being captured. The code review can confirm that the mode works as it should, but it also should confirm that moving from trap and trace to full capture mode gets logged as well.
US citizens might consider the establishment of a standard for wiretap authorization; perhaps as a rider to CALEA. This would involve digital signatures for enabling levels of authorization, with an indirect process to generate the electronic command - the FBI asks, the court grants and sends the enabling command. And the code is well reviewed for any holes in the enabling and logging logic.
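The scheme proposed in the comment above (the court signs the enabling command for a given level, and every mode change is logged), as an added Go example that is not part of the original thread and not Carnivore code. The `Box` type, the `order|level=N` message format, the order id, and the choice of Ed25519 and a SHA-256 hash chain are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

const Off, PenRegister, FullCapture = 0, 1, 2 // modes named above; numbering assumed

// Box is a hypothetical capture device that holds only the court's public key.
type Box struct {
	CourtKey ed25519.PublicKey
	Level    int
	Log      []string // one record per attempted mode change
	Tip      [32]byte // running hash over Log; a copy belongs with an outside reviewer
}

func orderMsg(order string, level int) []byte { return []byte(fmt.Sprintf("%s|level=%d", order, level)) }

// Apply logs every attempt, then changes mode only if the court signed this order and level.
func (b *Box) Apply(order string, level int, sig []byte) error {
	ok := ed25519.Verify(b.CourtKey, orderMsg(order, level), sig)
	rec := fmt.Sprintf("%s|%d->%d|accepted=%t", order, b.Level, level, ok)
	b.Log = append(b.Log, rec)
	b.Tip = sha256.Sum256(append(b.Tip[:], rec...))
	if !ok {
		return errors.New("refused: no court signature for this order and level")
	}
	b.Level = level
	return nil
}

// LogIntact replays the records; an edited, dropped or truncated record changes the tip.
func LogIntact(log []string, tip [32]byte) bool {
	var h [32]byte
	for _, rec := range log {
		h = sha256.Sum256(append(h[:], rec...))
	}
	return h == tip
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stands in for the court's key pair
	b := &Box{CourtKey: pub}
	sig := ed25519.Sign(priv, orderMsg("order-0001", PenRegister)) // constructed order id
	fmt.Println(b.Apply("order-0001", PenRegister, sig), b.Apply("order-0001", FullCapture, sig))
	fmt.Println(b.Level, b.Log, LogIntact(b.Log, b.Tip))
}
```

Reusing the pen-register signature to request full capture is refused, yet the attempt still lands in the log, which is the transition the comment asks reviewers to check.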
The real question is whether or not they will suspend use of the box during the investigation- otherwise they can just milk this thing for as long as they want and keep using the system, or switch to a different method that is equally invasive...
Is this going to be used as a final decision regarding the use of this email interceptor?
We just read an article which suggested that Academia is progressing towards profitability and less credibility.
Am I too harsh in thinking that nothing will come as a result of a long and drawn out process of 'experts' reviewing the integrity of the system? It all depends on who they ask to review it.
If we are lucky, then somebody of good faith will be able to post intimate details of the inside guts of the system. Can we only hope, so we can keep our right to privacy?
I can just picture two CompSci students working on the Carnivore box...
Mike: Hey, what's this thing do?
John: Hmm, seems like that's the part used to detect everyone's e-mail address as it passes through Carnivore.
Mike: You know what would be cool?
John: What?
Mike: I've got a way of hacking this thing. Let's keep quiet about it, and when the FBI install these babies, we can use the hack to read everyone's email!
John: And what would we do that for? Other than for fun, of course.
Mike: To score with the chicks, John! To score with the chicks!
John: Oooooooh! Great idea!
*shudder* I _know_ guys in college who would really do this kind of thing...
Tongue-tied and twisted, just an earth-bound misfit, I
Learning to fly, Pink Floyd.
You've never worked at a University, huh?
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
The FBI should ask Jon Katz what university would be best for the review. Without his help, they might select a university influenced by UnichemaMcPetroColaNikeDollars and not really do any real research.
-------------
The truth is out th- oh, wait, here it is...
Let me reiterate.. at least two universities.
Having only n universities examine the machine is a 'bad idea'(TM). For any real security evaluation, you ought to have at least n+1 teams examine the device.
Let me reiterate... at least n+1 universities.
Why do they even need the system in the first place? ISPs can provide them with all the information they are legally entitled to when they present the ISP with a court order. Why do they need their own unmonitored access to all email on the ISP?
As stated in the above post, this outside review of the software doesn't prevent the FBI from making changes in the future without notifying anyone. I think the FBI is great and does a great job, but I'm not going to give them the keys to my house because they tell me they won't search it without a really good reason.
Don't forget that Friday is Hawaiian shirt day.
"We will provide a superb education for all our students for years to come," said an FBI-U rep. "Well, at least until our 'faculty' get done 'researching' that Carnivore thing."
Sandidge
Bob Jones seems an obvious choice.
"Extremism in defense of liberty is more fun."
Why does the FBI get to choose the University that is going to review Carnivore in the first place? Why a University? It's like asking Bill Clinton to choose the person to investigate his latest impropriety (Ginger Lynn, the porn star... wait for it.) Or like Micro$oft appointing the Judge to preside over their anti-trust trial.
It should be the hacker community that gets to scrutinize Carnivore. Not because I'm a /. reader, but because the hackers and the Fed are natural adversaries. It's the only way to make sure Carnivore gets a thorough PEER-REVIEW. Hackers would really get under the thing's skin, while academics will compliment its object-oriented design, ogle the UML specs and give a favorable review in exchange for a research grant. The only hope is that, since this thing will end up at a University... Well, their security ain't the best.. We'll get to see it somehow.
The decision of who and how will review Carnivore OUGHT to be made by a panel of SECURITY EXPERTS, not the people accused of 'wrongdoing' in the first place. I'd like the decision-maker to be Bruce Schneier, and I'd like him to hand Carnivore over to the L0pht guys (umm, excuse me, @stake).
At the very least, I hope a formidable research University gets the nod. Someplace like CMU, MIT, or UC Berkeley would/might do this right. I'm sorry but if they hand it to Harvard or Yale, our communal goose is cooked.
-- What you do today will cost you a day of your life.
The WSJ ran an article this morning that had a less happy veneer. The high points were that the FBI was claiming Carnivore was classified information, and that though they'd submit it for evaluation, it would not become public knowledge in any form whatsoever. The article is here at http://interactive.wsj.com/articles/SB965861735609 205665.htm
And here are relevant excerpts:
"The Federal Bureau of Investigation declined to give to Congress details of its Carnivore Internet surveillance system, telling a member of a House oversight committee that some of the documents he requested include classified information and others are the subject of a pending lawsuit seeking their release"
"...the bureau wrote that it is "not presently in a position" to provide documents he requested. "There remains substantial public misunderstanding and misinformation about the system," wrote John Collingwood, assistant director for public affairs."
"...the Justice Department has been negotiating such a review with the University of California at San Diego's Supercomputing Center, said Tom Perrine, the center's manager of security technologies."
and my favorite:
"Mr. Perrine said that part of the FBI's challenge using Carnivore is conducting Internet wiretaps under U.S. laws that predate the Internet. "Carnivore is probably the best program and the most privacy-protective program that [the FBI] could have written given the lack of guidance in law from Congress," he said."
Returned Peace Corps IT Volunteer
What we need here is a redundant array of inexpensive universities (RAIU). At least four universities should be set to the task of evaluating Carnivore, independently. Meanwhile, one additional university is given the task of checking the findings of the other four as they come in. If any of the results don't match previous statements made by the FBI, you throw them out.
;-)
Seems simple to me...
Once the FBI submits Carnivore to public (the university) scrutiny - will they then be able to install their boxes with impunity, without continuous monitoring? Perhaps I'm stating the obvious, but how hard would it be for them to fill a box with some fairly innocuous code and then run whatever they want once they get the green light and the spotlight dies down? Just a thought.
-artistX
Let me reiterate.. at least two universities.