Slashdot Mirror
Carnivore-like tool released as Open Source
Joe Smith writes "NetworkICE released a new Carnivore-like tool that does *everything* FBI said Carnivore is supposed to do." Of course there's no way the FBI will accept this, and the conspiracy theorists will use this as proof that Carnivore is doing more then the FBI is 'fessing up to.
companies using their own technology: they have to make it possible to
do so, but they domn't have to smuggle in any mysterious black box.
The fuss about Carnivore is it breaks with this model, and with no
convincing explanation. You don't need to be paranoid to suspect
there is more to this device than the FBI alleges. (Cringely
suggested it might contain a sabotage device...)
If people would just encrypt their mail none of this would even be an issue. I mean come on people... all it does is search through messages as they go through the mail server and pull out the ones that are addressed to/from the persons being investigated. If those persons were SMART they'd encrypt the communication and all that could be gathered was a record of transmissions and nothing else.
OK, suppose they do it. Now it's a black box that the FBI guy says is running the open-source version of Carnivore. Great.
Old version: "Trust us, the closed-source version only captures SMTP headers and throws out ones with the wrong From: line"
Open-sourced version: "Trust us, the CARNIVOR.EXE on this box was compiled from the open source version that you geek types wrote."
Hands up, anyone who's sleeping better at night.
Open source has nothing to do with this debate. It all comes down to trust. Do we trust the FBI or not? Regrettably, FBI's track record over the past 50 years has been pretty consistent in demonstrating that they're not worthy of our trust.
In 5 years, I'll no longer dare to make statements like this. Somehow, my political views will evolve to a more mature position, whereby I recognize that FBI has a legal and moral duty to defend me against terrorists, pedophiles, computer programmers, and drug dealers.
I wonder if FBI will have a brain-scanning version of Carnivore in 20 years that'll determine whether my political views really changed over that time, or if I was just duckspeaking in order to stay out of Room 101?
From a "Kill Carnivore" POV this was an excellent move. As noted in the summary, the FBI now has to explain why Carnivore is to be preferred over the open version with the same functionality.
But from a "Promote Open Source/Free Software" POV it's unfortunate because the explanation the FBI is likely to use is "open source can't be trusted". We already know that's false (whether diametrically opposed or orthogonal is a matter of debate), but how imagine Bill Gates quoting Louis Freeh or Janet Reno as saying that "our secrets have to be protected by secret software" or "open source == child molesting terrorists".
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
While I agree with most of your sentiments, my real dislike of the Carnivore (or RIP in the UK) situation is this:
Citizens don't mind that their government agents are able to obtain wiretap warrants on specific people, because the warrants have to come from a particularly high authority and there must be a valid reason for obtaining each and every individual wiretap. The privellege of being able to legally listen in on someone's conversations is balanced against the level of evidence required to be submitted in advance, and also the accountability for your actions if you wiretap for malicious reasons rather than investigating crime.
However, with these new systems, the government agents now have full unguarded access to most but not all of the country's email. There is full anonymity for the agents involved, and there is no accountability. They do not need to give any reasoning to obtain the authority to spy on people, because they've installed near-blanket surveillance on their nation.
Onto the topic of an open-source versus secret carnivore, I'd like to see that there really was a system of authority in operation, ie only the named person's email is captured. As for criminals reading the code to get out of the surveillance, firstly the FBI would be using this to _monitor_ someone, and if it all goes quiet they would investigate why, and if it's via manipulations to get out of the monitored stream, they could trace through that with the ISP and close any hole. Secondly, simply not using email or using an ISP without Carnivore will get you out of trouble, as will end-to-end encrypted IPv6 streams when they hit mainstream, much more effective than reading thorough source code.
Carnivore is the stuff of Orwellian futures, and I just want to see some declaration of accountability to the public here, not demonizing of Internet users as drug dealing terrorist paedophiles.
Does my bum look big in this?
FCC Makes Wiretapping Easier for Cops
FBI wants to wiretap phones without court order
ACLU & EPIC Challenge Wiretapping
There was a story last year about hundreds of convinctions in LA that need to be reviewed because defendants were never told that evidence came from illegal wiretaps. The latimes.com article has expired, but here's an archive from the IP list.
Not to mention the historic abuses of the FBI against people like Martin Luther King, Jr. King didn't do anything illegal, but the wiretaps did catch him having an affair. An anonymous FBI agent urged King to commit suicide to avoid exposure.
You can't say "it can't happen here". It *did* happen here. Just don't let it happen again.
-- Don't Tase me, bro!
I was just thinking (dangerous, I know) that perhaps this whole Carnivore debate is really just a smokescreen. After all, if you're suspected of being involved in a federal crime, how difficult is it to track your e-mail? I'm sure that if the FBI came in with a subpoena, they could easily set up an e-mail wiretap at the ISP level. They could try packet sniffing, set up a dummy DNS server to intercept their transmissions, all without infringing on the privacy of others. The fact that an open-source project can do the same does seem to indicate that they have something to hide.
What exactly is the rationale for Carnivore then? It's like wiretapping every phone in America then saying that they'll only turn it on with a court order... you'd never be able to trust them at their word. Why shouldn't the same protections that protect us from unauthorized wiretaps protect our e-mail?
The real purpose behind Carnivore is probably less about catching criminals, and more about government testing the waters. They can get by with an Echelon in other countries because the average American wouldn't care if we spied on France. But, what would be the reaction if Echelon were used for domestic surveillance? (Which only the FBI can legally do?) Carnivore probably isn't going to do much to fight crime, just lead to criminals forging their e-mails, getting multiple Hotmail accounts, and generally making it impossible to accurately trace.
Carnivore as a system is irrelevant. It's real purpose is to see how far the FBI can go in this area, one step more on the slippery slope towards a Big Brother police state. Perhaps the intentions of Carnivore are good, but we all know what the road to hell is paved with...
Want to see more of the DMCA? Vote Gore, the favorite of the MPAA!
What makes Carnivore different is:
Email has always been insecure. If you're really concerned about the mail that leaves your workstation, learn to use PGP, and get all your friends to use PGP. Suddenly, you won't care nearly as much about who's reading your email because it's all encrypted.
A. The governent has the ability to catch all the paedophiles, terrorists and so on by means of black boxes which read all their email. Since the boxes are black, you have to take it on Government say-so that they operate legally and only under warrant. The government therefore has the capability to silently upgrade the box to spy at any time on the private communication of all its law-abiding citizens, and send the men in balaclavas round to fetch anyone that seems subversive. Meanwhile all terrorists and paedophiles with two brain cells to rub together are not using the internet to discuss their evil plans.
B. The black box is not in place, or an open solution is used instead, and a few people use the internet to plan crimes.
I would suggest that under the US constitution option B is the only viable one. Ditto the European Human Rights laws. And personally I would certainly prefer option B.
To put it a different way: If a relative of yours was blown up after two men in trench coats planted a bomb, and this could have been prevented had all policemen had orders to shoot on sight all people wearing trench coats, would this have been the right thing to do? Sometimes we have to choose the lesser of two evils.
Rather than having to hire specialists to pore over the OS Carnivore alternative and fix any holes or weaknesses that they find, they can, at no cost, simply use the version that they paid for.
That argument doesn't hold water, because the furor over Carnivore stems not from the fact that it might have flaws or weaknesses, but that nobody quite knows what Carnivore's capabilities are. Are you absolutely sure it's just tapping email? Or maybe there's built-in packet sniffing, as well. Perhaps it maintains its own duplicate cache of every web page you access.
Or, since Carnivore is a black box, perhaps it scans *every* email or web page request and does some fancy pattern matching on it. Under the auspices of looking at Joe Blow's email, the FBI has a tool in which to look for whatever they want: people downloading kiddie porn, people building bombs, people passing military secrets... which they have NO RIGHT to look for beyond look at Joe Blow's email.
Nobody's bitching about Carnivore because it might have a flaw. The big stink is the fact the FBI won't give any more information on Carnivore than sound bites, and people are justifiably worried that Carnivore might do more than just tap one persons emails.
I also don't understand how an alternative that is different in only one respect (open sourced) and supposedly has the exact same functionality is superior to the closed source version. To me, a well-designed program is a well-designed program, whether it was designed in total secrecy or GPLed.
It's not about the design. If this were simply about security flaws you'd be correct.
This is about the capability of software you know nothing about. An open version allows an ISP to make 100% sure that all it does is tap email. With the FBI's black box, you have to take your chances.
Open source, in this instance, provides a much greater level of security and comfort than proprietary software.
--
While the FBI refuses to comment on specific products, spokeswoman Chris Watney confirmed that the information is all the bureau is interested in. How they get it, as long as it's legal and complete, doesn't matter, she said.
So it appears to me that the FBI has no problem with ISP's using this software. At least that's the way I interpret it. If this is so, then there's no problem here that I can see. Yes, carnivore may have done more than this software does, but the FBI is backed into a hole, and since they claim that they only need specific information, which this software provides, then we win this battle.
For you conspiracy buffs out there, this may change in the future when they come out with "Carnivore ME" that has enhanced features that they claim are proprietary and can't legally be reverse engineered in the U.S. thanks to stupid laws passed like the DMCA and such.
Mas vale cholo, que mal acompañado.
A better analogy which captures more of what the FBI is doing would be: "Suppose some terrorist group was using the US postal service to plot its plans." Unencrypted e-mail is like a post card, encrypted e-mail is like a letter inside of an envelope.
While e-mail is faster than snail mail, it lacks the immediate feedback of a phone conversation; in addition it leaves an audit trail that any terrorist organization would be fools to leave.
I would think that something like ICQ would be a better choice for clandestine plotting than e-mail.
Another way of handling communication would be through https and some secure forms to a .com site; your 'order' could be "Bomb the UN building at 3:OO PM".
In any case the whole "We've got to read your mail" paranoia on the part of the FBI is mostly unnecessary; traffic analysis alone will give them the vast majority of the information they need to have on any terrorist organization.
Besides, sending an e-mail message like "You da bomb" gets you looked at by Echelon anyway.
The FBI just wants Carnivore because it is full of petty snoopy people who like to read other peoples mail. Since 99.9999% of all email is of the innocent variety, they have to read an awful lot of innocuous stuff to find the sort of criminal communications that they claim are "flooding the Internet".
Anyone who is seriously worried that their daughter is going to be kidnapped and raped by political terrorists also needs to be worried about being electrocuted by a lightning strike in a dust storm; since the two events are roughly equal in probability.
The broadcast media and newspapers have a hidden agenda; both of these groups are terrified of the potential competition that the Internet can be for them - so they want the Internet as crippled as they can make it. That is the real motivating reason for all of the stories of "slavering pedophile boogie men who are going to turn your rosy cheeked 8 year old into a porn - ho".
If you want to see how ridiculous all of these stories are remember that the Internet is just a medium of communication like the air or the US Mail is. Substitute "Air" or "Postal Service" for Internet and the absurdity of the stories is apparent:
"A Pedophile was arrested today. Authorities said that he 'talked' to a little girl on her way to school. The FBI renewed its demand before congress to get parabolic microphones and laser snooping devices on every street corner so that they could listen in to all conversations to prevent that sort of crime from happening."
"You can never tell who is plotting crimes by using the air to talk to each other, so we need to have the ability to snoop on all conversations. Besides, if you aren't doing anything wrong how could you object? Warrants, we don't need no steenking warrants; this is an emergency, all civil rights need to be suspended for the duration."
Curious that no one has listed the links for the Page, Company, or Source Code. Let alone the Forum or associated presentation. Maybe this will help: http://www.networkice.com/altivore/
-a.e.mossberg
If the Australian Government passed a bill approving a carnivore-like system to be used in Australia, you wouldn't hear too many complaints from the public. ASIO (equiv to CIA) has the power to intercept and read your e-mail if they suspect you of engaging in criminal activities. No guidelines are given to what constitutes 'suspicion', it's completely arbitrary and at the discretion of the agent involved.
--
Daniel Zeaiter
daniel@academytiles.com.au
http://www.academytiles.com.au
ICQ: 16889511
Here's my thoughts on the whole Carnivore situation...
The FBI has retained the right to perform legal wiretaps on telephones (old-school communications device) for years. They have specific guidelines that they must follow in order to set them, including a signed order from a judge.
Today, we obviously rely more on e-mail (new-school communications device). Does this give us a license to use this new device for whatever crimimal acts we want? If I want to plot a kidnapping/assination/kiddie porn ring (NOTE: I don't...), should I have the unrestricted freedom to make all of my plans online? If the FBI got wind that a crime ring was planning to kidnap, rape, and exploit YOUR wife/son/daughter/sister/brother/etc. by planning the dispicable act entirely through e-mail, would you not want to have some means to protect your loved ones? The FBI would still need to obtain the appropriate warrants to place the tap device on the criminal's ISP (BTW - these orders are time sensitive - the [whatever]ivore device can only be on the system for a specific period of time), and collect the information required to perform their mission.
OTOH, if the criminals were solely using the telephone to plot, would you have a different view or expectation as to their capture?
I'm not saying that the FBI (or any governmental agency, for that matter) should have unrestricted access to our personal lives - that is CLEARLY a breach of the law. However, the intelligence oversight in this country is EXTREMELY restrictive, and is designed to protect U.S. citizens. In fact, the U.S. cannot collect information on its citizens abroad, and cannot collect information on non-citizens while they are within the borders of the US. So if Usama Bin Laden crosses the border at Niagara Falls, NY (lax border, for the most part), the FBI/CIA/whomever CANNOT place a wiretap on his hotel phone without a legal warrant to do so.
I still think that a review of Carnivore is a good idea, but if looking at it's algorithms yielded information as to how to thwart it's capabilities, should that kind of information be out in the public? Would you be happy if, in the aforementioned scenario where your loved one is in danger, the criminals knew how to thwart the system, rendering the FBI's protection of your family useless?
Just some thoughts... I'm not fully a proponent of government, but I think that there are some things best left out of the public eye.
What I don't understand about all of the fuss over Carnivore I've read on sites like /. is that essentially it isn't any different from already existing methods of surveillance like phone tapping. If you don't trust the FBI to use Carnivore properly, then you shouldn't trust them to use other methods legally either. But there's no outcry over phone tapping because a) it's already here, and b) it's not affecting the Internet.
Really, the only reason that Carnivore wasn't built into the net when it was first created was that nobody in law enforcement ever thought it would come to what it has? The original ARPAnet was mainly used by academics in America - who would have ever thought that it would eventually be used by terrorist organisations in the Middle East to coordinate with cells in New York?
The astounding growth of the net both in America and abroad caught agencies off guard, and they're not moving to recitify the problem in whatever way they can. This is not an invasion of privacy, it's a sensible precaution to be used when it is required. Anyone who thinks that the FBI will scan every packet going through routers in the US is living in a paranoid fantasy world.
Carnivore isn't a "new danger to liberty", it's a new medium for an old technique. Either you trust the FBI or you don't, but stop being hypocritical in what you complain about.