First Look Inside Carnivore

EPIC requested almost 600 pages of data on the FBI's Carnivore through the Freedom Of Information Act. Yesterday, about 200 were "redacted in full" (withheld) and the rest were sent with varying amounts of black marks. EPIC is scanning them and putting them online as quick as it can; SecurityFocus has an interesting overview. It turns out the supposed email scanning tool also stories copies of webpages you read, and, at least in an earlier version, looked into tracking voice-over-IP.

Just for reference:

Amendment IV

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Re:No Worries!

[Tassach]

Carnivore/Omnivore on Solaris is scary. Carnivore/Omnivore on NT is VERY scary. If someone were able to exploit a hole on a carnivore box, they could then use it to monitor anyone's communication. This is of course possible under Solaris too, but NT is far more vulnerable to remote exploits.

A black-hat being investigated by the FBI could possibly turn their tool against them, using *nivore for counter-intelligence. At least the FBI has to pretend to obey the law and respect some limits -- a black-had has no such restrictions.

I wonder if there is enough information in what has been released to be able to identify a carnivore box remotely. Does it use promiscuous mode packet sniffing? Could you detect one with a variant of l0pht's antisniff? Does it exhibit any tcp/ip eccentricities that could be detected with nmap or SATAN?