Slashdot Mirror
Carnivore Report Released
Gwaitsai writes: "I cannot believe that I've seen nothing about carnivore here after the report was released yesterday (21st Nov). Could it be that everyone is too busy thinking about turkey! Excite has an article here and you can find the report itself here."
Yes and no. On one hand, I have more faith in the security of a (properly configured) linux box, so I would be somewhat less worried about outsiders accessing the information gathered. Of course, the security of the actual Carnivore code is still unknown.
On the other hand, I'm pretty amused that the FBI is please with its two-day uptime. In addition to being funny, it means that, for maybe five minutes every other day, I'm safe from them.
My mom is not a Karma whore!
The only real problem then would be getting people to employ it, and that could be done if it were made backwards compatible by accepting older smtp connections but adding a header that indicated it was at some point transmited in the clear, and accepting a security header that commanded it not to forward to in older servers.
It would seems like it would be a simple modification to SMTP. Though I suppose it would have to get through the IETF first.
Actually, there's a program out there called stunnel which allows you to create SSL functionality in any server. What it does is listen on a designated port and then tunnel any connections to it to a local (or even remote) port. We've actually started using it at where I work, by having stunnel listen on the pop3s port (995, I believe) and it tunnels connections to it to its local pop3 port. Outlook and Outlook Express at the very least have the capability for SSL-encrypted SMTP and POP3, and I believe Netscape 4.7x supports SSL-encrypted SMTP.
Just my $.02...
"For a dark man shall come unto the House of God, and the darkness shall be upon him, yea, even within him." -- from Noctropolis: Night Visions
Circumventing Carnivore sil@www.dot.antioffline.com
B 71ED36F5CA25692700182669!OpenDocument
What exactly is this input? Who knows but we can guesstimate its likely a combo of words and synonyms based on some violent and discriminating words maybe even translated into foreign languages.
While this may be no new news to anyone here are some thoughts on circumventing security modules such as Carnivore. All this was written on a flight from New York to California (how thrilling.)
What? Some slight information on Carnivore
Why? Because everyone is pissing up a storm on Carnivore How? Sitting down reading Information Security Management Handbook 4th Edition (Tipton, Krause)
Where? Flying over Canada on a re-routed flight to California
Based on the gathered information related to Carnivore, it copies mail sent from the ISP of a user provided he or she is being investigated, after obtaining a warrant, in order to filter e-mail based on human programmed input:
http://pcworld.idg.com.au/pcw.nsf/reviews/49939FE
With this in mind it should be easy to circumvent it with simple little tweaks in order to send that "threat" you've been thinking about, or any other irrelevant e-mail you've been paranoid to send down the wires due to fear of government snooping.
Carnivore is ISP based from what I read, so its functionality will not apply to using a re-mailer from whatever address your sending the e-mail from nor does it apply to sending spoofed e-mails with a packet injection tool nor a proxy since after all, it is only monitoring your account on your ISP with Carnivore running on that isolated network to capture your e-mail.
Based on the architecture the FBI would need to isolate your IP address as opposed to snooping a complete netblock in order to capture your data, this means they're going to have to set it up to snoop your ISP's router/switch and determine where exactly you are when you connect unless you have a static IP address in which they can segregate your traffic to a specific area which would be hellishly easy for them to do. I'm sure your ISP can simply switch you into a specific area via software and access lists at the drop of a dime as well.
Carnivore simply makes unknowledgeable people think the government(s) is(are) out to get them which personally I don't think is the case. Officials have better things to do (hopefully) than sniffing through days/weeks/months worth of e-mail looking for that "one" discriminating message your sending. Takes time and a lot of effort including legal work that theoretically has to be taken when we regard the masses.
However if your the target of some investigation do not be fooled into thinking they will not go this far.
Anyways enough of the BS corporate(ish) stuff you should realize by now.
Lets start with a threatening letter we'll assume John Doe wants to send but is afraid of things like Carnivore and Echelon type systems. Why should he send it? Who knows he's just fscked in his brain for all we know and wants to be the next Una'bummer'.
Based on typical filters and from what we know, we can determine that there is probably some sort of word based capturing going on within Carnivore which likely flags words which are incriminating enough to capture John Doe and make him Mitnick's ex-roommate's new roommate.
So the test begins. With a proxied Netscape browser we find proxy.foo.com and slightly obscure our information and change our hostname to whatever@wherever.com. In theorum mail is being sniffed to the account in question johndoe@sampleisp.com in which they have their warrant and not whatever@wherever.com which makes any information they gather obsolete. Well, after some legal mumbo jumbo obsoletes their methods and what information they gathered along with the terms of the warrant.
Hey if they're monitoring johndoe@sampleisp.com and sniff the whole network then jane.something@sampleisp.com should be able to hold them liable for invasion of privacy. Thats something I can't speak on since I'm not a lawyer.
Other ways to cirvumvent this would probably be as simple as creating your message and saving the entire message as a picture and simply sending it along with a message of "Picture of my new car."
Simplicity sometimes works better over the high tech since most technical minds would overexert themselves in ways of technology often forgetting the simple things you could accomplish without knowing much about higher end technology such as encryption schemes, spoofing, etc.
Another oddball way of conveying messages whether or not encrypted is to send a message written in binary with something as lame as:
[sil@stigmata] echo "I need help with this math problem:
[sil@stigmata] 43 61 72 6E 69 76 6F 72 65 20 63 69 72 75 6D
[sil@stigmata] 76 65 6E 74 69 6F 6E 20 74 65 73 74 20 70 68
[sil@stigmata] 61 73 65 20 31 0A" | mail -s hello somebody@somewhere.com
Do you think the makers of Carnivore have pre-determined someone sending out a message of this nature? Certainly if Carnivore's input was created by human input, its likely they wouldn't be expecting something like this unless it was a known fact beforehand that they would be dealing with some sort of cryptology.
For more obscurity depending on who you are sending the message to, both parties can agree on a scheme to use based on anything. It can be a time defined simple encryption scheme based on the hour of the day, day itself and month.
For example parties A & B decide they will create a unique method to cypher private messages with these variables.
T(D+M+Y)/2 Time + (DAY+MONTH+YEAR) where a message sent at 11:pm on 5/12/00 would be added to equal 28 all together then shifted this amount plus that of the English alphabet (26) divided by 2 so the word "TEST" becomes "RAQR"
This cypher was established since the letter T is the 20th letter of the alphabet I decided to count 27 characters from the letter T. Simple and effect and although based on one scheme its portable enough to obscure all messages since its time based and as stated who the hell would be able to figure this out before you had accmplished your dirty deed.
Other scenarios include the infamous (my favorite) spoofed mail technique using some relay host we could find anywhere on the net.
[sil@stigmata] hostname gary7.nsa.gov
[sil@gary7] adduser verona
[sil@gary7] su verona
[verona@gary7] echo "Hello Kapitan" | mail -s foo somebody@somewhere.com
You don't have to be a rocket scientist to do any of this and you don't have to be a genius to figure out ways to circumvent Carnivore, and if your still paranoid then get a packet injection suite and spoof the address along with the entire payload attached for added screwability.
What about translating the message into a foreign language, converting it to binary then adding two digits or letters to every new hex value, where OxF now becomes QzH? I'm sure you can get a clear picture on why you shouldn't worry your life over what the government is doing. Many times I see rants and people complaining about the lack of privacy, but what I fail to see is someone taking the time to find a neat trick to go on with life and privacy at their own expense. Lets face it, common sense should tell you that any government is going to do whatever they want, whenever they want and nothing you can do is going to stop them so get a life.
There are plenty of ways to circumvent technologies such as this without having the brain power of Albert Einstein and without having to delve deeper into technologies which will most likely be something authorities will be waiting for.
J. Oquendo
Thanks for the memories
Can someone nominate a mirror (preferably even in Australia) where we can get the .PDF draft report?
TIA
Tackhead suggests:
On the right track. One key with the Feebs. One for the ISP, itself encrypted with a third key, held by the Federal Judge. Settings placed in the presence of the Judge or a Special Master appointed by the Judge, and then locked down with the Judges key.
Ben Masel: 51,282 votes for US Senate in the Wisconsin Democratic Primary
.... Uses the internet to send messages like "The pure uncut cocaine is in the truck on West 4th". It's not worth it, a cell phone is much safer. It's also not what he/she would say. It'd be more like "Yeah well the YO is in the truck". The feds can't do much about that. Carnivore is just a big waste of money; all it'll catch are suburban kids talking about where the next weed party is gonna be. More gov't money wasted.
Carnivore was "reviewed" by a bunch of yes persons handpicked. Not one of the groups critical of Carnivore got to examine the system.
So naturally the government got exactly the verdict they wanted: Carnivore is OK.
The last two weeks should prove to everyone that government is NOT to be trusted, especially this bunch that runs it now. And it looks like they are going to get to stay, unfortunately.
The government has no right to be snooping ANYONES personal communications or information without a warrant. It's right there in the Constitution. They are supposed to have "probable cause" and show it to a judge. Though the quality of judges (Kaplan, the Florida Supremes) certainly has diminished in the last 30 years or so.
Unfortunately, not enough Americans have had a good enough Civics education (ie, from a non-Marxist professor). Ignorance isn't bliss, it's how the government gets away with breaking the law. Carnivore is illegal. But because of mass ignorance, AND a corrupt administration, nothing will be done about it.
=== The price of freedom is eternal vigilance
The CIA is too busy trafficking drugs so the FBI has to gather computer intelligence. Very admirable. -Scott
You really don't get how this works. Getting a judges signature for searches is easy. It is only the time that it takes to do that search which is a limiting factor. So, the FBI realizing this, has set about to place a piece of FBI hardware in place on-site at *EVERY* isp in America. This piece of hardware does not require a judge's signature to be used because it is controlled directly from the FBI's office. Yes, the FBI is suppose to get a judge's approval, but they don't have to with this setup. That is different from phone taps which intrinsically needs a judges signature (not just suppose to). The FBI cannot get a phone tap to go through without the judge's signature since the phone company won't allow it. The phone company controls it. Now, normally the ISP is suppose to control it. But the FBI has devised this horrific carnivore system. It means the isp does not control it, which means that there is not check in place to insure a judge's signature is received.
Well, sorry about that, I shifted my argument. What I really mean to say (in additon to what I've said) is that there's no slow down, no limiting step with carnivore. The FBI decides it wants info, it gets a judges signature (though I explained above how easy it is for them not to), and then it just pushes a couple of buttons from FBI headquarters and voila the search has taken place and the information has been seized. No limiting step. It's so easy that if you are not scared by this misplacement of power, you are very naive.
I hope someone has brought up that the FBI has already lied about the surveillance powers of Carnivore. The story broke about a week ago.
Carnivore can get a lot more info than the email headers (and content) which the FBI had claimed is the limits of its powers. No, in fact, carnivore can take everything the FBI wants it too. Read about it here:
Carnivore captures and archives 'unfiltered traffic'
New documents shed more light on FBI's "Carnivore"
Carnivore can monitor all internet traffic -- something the FBI had previously denied
the Slashdot article on recent carnivore devleopments
I find nothing in that article to suggest that the FBI is planning to put Carnivore in every ISP. That is a fantasy of Mr. Cringley. In addition, his supposition that Carnivore could shut down the Internet is disproven by the use of the read-only tap and the fact that it can only handle up to a steady stream of 15Mbps recording to a Jaz drive or 60Mbps recording to a hard disk (facts taken from the report).
Even if 6000 Carnivore units could record all that traffic, who could possibly analyze it all in any reasonable period of time. Oh, I know, the FBI's allies at Ft. Meade will do it for them. Like they don't have enough data to deal with already from Echelon. :)
First, this is my own opinion and (as far as i can tell) reflects the wisdom of the American people.
1) You're a pack of liars, you know it, we know it, everybody knows it.
2) How can your hand picked pack of sheeple even face themselves in the mirror? They're actually worse than traitors. Subverting the constitution should be punishable by death.
3) Since the advent of the Clinton administration goverment surveillance of the People has approached totalitarian proportions.
4) In your own twisted little mind how can you possibly believe this is a good thing?
5) You people are to stupid to carry a gun.
Just for background, I am ex-army with enough commendations to paper a wall. You brainless idiots make me sick, is it even possible for you to comprehend you might possibly be WRONG? I didn't think so.
Bite me......and your little swastika too...
Lets get this quote right shall we? I've seen it misquoted/misattributed to many times.
---Most Definitely not a Karma Whore---
Ok, sorry that that /. article had the Cringley link in it, and let me just say that i am not defending cringley. Yes, it's a read-only tap; yes, it can only handle a few data streams at a time; yes, it's storage capacity is extremely limited.
And yes, there are only 20 carnivore boxes in existence right now, so a national deployment is impossible.
What I was pointing out was that if one national ISP was refusing to install Carnivore, then they were all going to be asked to. Nobody rolls out an alpha system for nation wide release - but it's pretty evident that once in place, Carnivores are not removed. This makes sense - they're difficult to install.
My point was simply this: once there's a Carnivore in every ISP in the nation, they can selectively turn them on when they need to listen to someone. And while the law requires them to get a court order, the carnivore has no accounting whatsoever, so we'll never really know what they're listening to. And neither will the ISP's.
That's all.
--
What happens when you outlaw guns
OK, so we still need to be a bit vigilant. I would expect ISPs to demand that Carnovore boxes be removed once the warrant expires. And the warrant will almost certainly have an expiration.
As far as the accounting, I'd bet that that will be changed in response to the report. I expect several other technical and procedural improvements to be made in accordance with the report's recommendations.
I'm pretty sure that the FBI actually would prefer to follow procedures to make sure that information is gathered in a legal manner that does not infringe on citizens' rights. Otherwise, the defense lawyers will end up getting their clients off on technicalities. And if the FBI hates anything, it would be that.
Software sucks. Open Source sucks less.
Pardon my ignorance if i'm incorrect here, though i'm sure the many network techs who read this can answer..but isnt carnivore just a severely limited form of a common tool, the Packet Sniffer? I know its a physical box that the isp plugs into their network (mainly because carnivore has a modem in it for remote administration) All it does is scan incoming data for specific court-ordered tags (such as email).. this whole mess reminds me of the much media hyped "SATAN" a few years back which was merely a port scanner, but according to the media could be used to hack into any computer. Just seems like more technoignorant media bullshit...
-
I'm pretty sure that the FBI actually would prefer to follow procedures to make sure that information is gathered in a legal manner that does not infringe on citizens' righs.
Waco.
Ruby Ridge.
Steve Jackson Games.
Martial Law in Seattle.
$1,000,000 bond for using a cellphone at the RNC.
bullfucking shit
I'm pretty sure the FBI would like to take anyone who knows anything about a computer into a bathroom and rape them with a plunger handle, New York style. I think that's the major difference in our viewpoints - I don't trust the government. Mainly because I've worked for them.
But I respect your opinion. And the fact that you will continue a conversation well past the moderation window. (:
hats off,
-mwalker
--
What happens when you outlaw guns
Yeah, I was thinking maybe we should take this to email. ;)
I get your point about the FBI having screwed some things up. And I might even say that they don't care all that much about citizens' rights. But I think they do care about screwing things up so badly that they 1) look bad and 2) can't convict the perps. That's why I think they'll take the suggestions of this report to heart and follow reasonable procedures.
Software sucks. Open Source sucks less.
At least I'm not alone:
Intended to be installed at every Internet service provider in the country,
-suck.com. We should write them and ask them for their source.
--
What happens when you outlaw guns
After reading the report, the following is quite clear:
1. Carnivore explicitly has the ability and functionality to collect any and all IP traffic, not just email, delivered to it's network interface (just like a packet sniffer). This means that "Carnivore is an email tap" is DOJ spin. In reality it is a complete IP tap and should be publicized/discussed as such. I doubt a court order would restrict tapping to just email.
2. It is up to the FBI's internal procedures and trustworthiness to prevent or discourage "overcollection" (fishing expeditions)
3. The report points out that civil remedies exist to fix "overcollectoin" after the fact.
(I hope you can afford a good lawyer).
4. They use PC Anywhere to dialin to the carnivore box. Oh yeah, that's safe!
The real unknown now is exactly *what* traffic is redirected (tapped) to the carnivore box? Exactly where in an ISP's topology does this redirection or "tapping" occur? Only for dialup customers? T1 customers? T3? Nebraska and Deluth or only in big cities?
That's easy. How far can you throw him?
Seriously though, you have to take the man as a whole. This may be the only issue which you agree with him on. Which makes me wonder, what doesn't he want the feebs to see in his e-mail?
In 1999, marijuana killed 0 Americans...
Ewige Blumenkraft!
If you had read the report yourself, you would have found the answers to your questions. To read a dynamic IP address, you type in the MAC address of the system in question and Carnivore will listen for DHCP. It can also listen for RADIUS-assigned IP addresses by watching for the login name.
Just about all concerns with the system were addressed in the paper. The paper does make some recommendations to the FBI, like requiring access to the box to be auditable. There seem to be many checks and balances between the FBI and the court in regards to making sure that only the data listed in the court order is recorded. And the paper makes some recommendations to further check that.
All in all, I'm impressed with the paper. It is much more thorough and professional than I had expected. And while I was very skeptical before, I'm fairly well convinced that there is nothing sinister going on with the FBI in regards to Carnivore.
Software sucks. Open Source sucks less.
The FBI doesn't intervene. They just keep the SWAT teams around cause they look cool.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
You can also read the coverage by Yahoo! here/a& gt;.
Someday, look at the history of John Wilkes, (opposition m.p. in Britain. and learn why we have a fourth ammendment.
Just because law enforcement wants to search in an unrestricted manner does not mean that we should let them. Furthermore, I have not seen a method of encryption which is easy enough for my mother-in-law to use.
Protection of freedom by nerdly end-runs is no protection at all. My ability to talk on clearspeech phones has been preserved- so must my ability to send messages unintercepted. Yes, as a stopgap, we must keep anonymization and encryption legal. However, we should enforce the laws we have which protect our freedoms.
Sure, it's not admissable in court, but that doesn't mean that they don't use it in one form or another.
Gotten pulled over lately? How many ways were you being recorded, without consent? Had this happen, got pulled over (for what, I do not know, it turned out to be an interesting interaction with the cops, but I digress). Anyway, got in the cop car, and talked/argued with the guy for about 10 minutes.
Then I realize he's been tape-recording the converstaion. I shut off the recorded (didn't ask him, just did it), and asked him if what he had just recorded could be used against me.
His explaination was that it couldn't be used in a court of law, but he could use it for personal reference and let the state's attorney listen to it when deciding whether they want to pursue a case.
So, it's not usable in court, but it can be used to get you to court.
Doesn't seem quite right, eh?
How about those packets? Well, what if the packets pointed to a known black-list site, and they could use that to decide to prosecute you, but they couldn't actually use the packets? Or could they use the packets to get a search warrent to then use the packets in the courts? Kind of a begging the question sort of justice.
Sigh.
So much for civil rights.
The FBI maintains gun purchase records despite a court order to stop and the clear illegality of doing so. However, the Clinton administration has never much been bothered by questions of legality, leading me to believe that should Gore manage to lie/cheat/browbeat his way into the White House, Carnivore will most definately be run with the same level of moral and legal fiber that Janet Reno has always brought to the table.
Not that I'm fond of George Bush; I voted Harry Browne, who believes, as do I, that the constitution protects one from unlawful search and seizure, and that this is defined as any search not officially sanctioned by court order, so the installation of carnivore in the first place is a violation of the fourth amendment.
See, America is trying to catch crime before it happens, and that doesn't work. Persecution of hate groups is an example: it is ok to hate the haters. I cannot imagine that the FBI, with its current record of scapegoating, would pass up a chance to blame more of the results of general incompetence in governance on hate groups and members of the "gun culture" or creators of the "culture of violence", and, as these terms indicate, you don't even have to prove that the situation exists anymore. How much longer before everyone in the US is in some sort of seditious culture?
So, the Republicans define morality into law and the Democrats define sensitivity into law and I can't complain to someone about their behaviour in an appropriate manner over email for fear of triggering Carnivore. What a world we're headed to.
A society that will trade a little liberty for a little order will lose both and deserve neither. - Thomas Jefferson
Apparently the pilgrims didn't have turkey. But what did happen is many many years ago turkey producers decided to hype it as a "traditional thanksgiving dinner" because turkey was more profitable than any other meats. ---->> The husband of a person who I used to work with runs the meat department of a fair-sized grocery store. He told me once that turkey is, in fact, a loss-leader for meat departments; it's sold for less than the wholesale cost as an incentive to get people into the store. In a similar manner, dairy products are a "break-even" product where the gpm on a pound of butter is something around five cents.
If you're a zombie and you know it, bite your friend!
Ben Masel: 51,282 votes for US Senate in the Wisconsin Democratic Primary
I'm sure that he'd have noticed if they'd use eliza to trap him on IRC...
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
I don't like "Carnivore" because it can be misused easly. The US gov't has had a long history of abuses (maybe not as bad as Soviet russia or China, but it still happens), and I don't trust them with this system. Also, the very fact that such a sysrem like this exists shows that the additude of society as a whole (not just the gov't) is just getting harsher, moore suspicious, and very paranoid of the fellow man, and it must stop. Don't forget: The US gov't is supposed to be FOR the PEOPLE, OF the PEOPLE, BY the PEOPLE. I don't think that we should allow permanently attached "witetap" systems like Carnivore to be used in this country. (though I do favor setting up a TEMPORARY wire tap (which is physicaly removed afterwards) if there is reason to believe someone is using the net for terrorism/ sex crimes/other major crimes, and they have a legit warrent. A "neutral" non-gov't party should also be monitoring the operations to check for and prevent abuses.
>When correctly used, "it provides investigators with no more information than is permitted by a given court order," said the institute, an arm of the Illinois Institute of Technology.
scary isn't it ? i mean SURE the FBI will never do a thing without permission of the court order...
>"It's not sufficient for the bureau to say, 'Trust us, we won't do anything wrong.' Most users want more of an assurance than that."
I'm on it ! i don't trust FBI, maybe i've seen to much movies :)
ptitom
We already new a few ways to have a piece of software tested for free :
Write some (more or less) cool stuff, make it free for everybody, and (but you already know that one)...
Write some very unfriendly piece of softcrap, and threaten to make it a standard if none of you bastard hackers does not crack it.
NEW ONE : write a even more unfriendly free-*-threatening soft (or at least advertise it as such). Since everyone is complaining about it, make your favorite government organisation hire a team of fat brains to say it is OK, it will be tested in the process.
Assessment :
The first one is not really cool, because everyone has access to the source code, and your reputation is ruined beyond repair because you widely advertised your unability to code and design.
The second one is a bit more cool, since at least nobody will mess with your code. The only problem is it does not work. But at least you go some testing for free... Better chance next time.
The last one is definitely the better. Only a few dim-witted people have access to you DLL (Don't Load it, Lad !) source code, and they might even find some bugs for free. Please don't forget to include a special non-disclosure agreement about visual basic code unless you don't mind looking ridiculous.
We do not need any show-business to laugh and cry : we already have politicians.
[Pruneau
Supposedly the first Thanksgiving lasted 3 days, and the main dish served was deer. You'd have to be a helluva good marketer to start getting people to give up fat, ugly, tasty bird and start eating Bambi every fall!
"There's a party," she said,
"We'll sing and we'll dance,
It's come as you are."
Imagine the logic here! Pedophile Patrick was supposed to be some sort of software genius, yet he was tricked into talking to a Fed in an IRC chat room. How smart could he be?
Mmmmmm....Mtraffic. Think about it. Is this really useful? Are you happy to spend your tax dollars maintaining this system and staffing it? What about the potential for misuse or cracking of the database?
Got friends?
...would you like Carnivoure if it ran LINUX?
Got friends?
i think it was called sniff.c. it was placed lots of highschool networks, and was used to collent sensative information about teachers browsing habbits. (at least at my school)
Now tell us something we didn't know.
Like how to prevent the Feds from using it - to spec - but illegally.
Constructive suggestion: The device is placed under lock and key. Two keys are required to open the case in which the device resides. One of those keys is under the control of the ISP. You can think of a "key" as either half of cryptographic key (for remote access to Carnivore) or a physical key. Better yet, both.)
I don't mind an ISP rolling over for FBI in the face of a court order. It's not a court request, it's a court order after all! But I fear any system that denies my ISP the chance to stand up to a Fed trying to use Carnivore without that court order.
As of now, the only thing standing between my privacy and an FBI gone berzerk is... well, the FBI.
If it ain't there, it can't be abused.
If Carnivore is there, and effective access controls (I can't believe I'm using the term "effective access control" with a straight face!), all we have to do is wait for them to realize that IDE drives in removable cartridges are, gig-for-gig, the cheapest storage solution around. In the name of "cost savings", the Jaz will be phased out for a hard-drive-based solution. All of a sudden, the media-size limitation on capture imposed by the use of the Jaz drive is effectively eliminated.
(Note to self: Buy stocks in hard drive manufacturers if the Feds decide to push for laws to legalize the move to 24/7 surveillance and capture. And switch to end-to-end encryption if any single hard drive manufacturer shows a doubling in revenue in a single quarter on the grounds that they've decided to do it whether it's been legalized or not.)
My paranoid fantasy for the day:
FBI's position:
- It's OK to record SMTP headers (but not the DATA portion containing
the contents of an email) without a court order because "they're just like
the envelope of a letter".
The obvious extension:- "GET foo.html" is to HTTP as "To: foo@bar.com" is to SMTP.
- It's therefore OK to record the GET portion of any HTTP transactions
without a court order as long as you don't dump the contents of the web
page being viewed.
Watch where you click. If you don't, they will.Sure, I believe we have an opening at the poser level. -The Simpsons
Got friends?
These guys are going to snoop. One might even argue that they have to. Actively work to keep encryption and anonymization legal and to stay one step ahead of them.
I submitted this first thing in the morning and it didn't make it to the stories! damn mods.
the results themselves weren't much of a surprise I guess, so do we trust the results or not?
I would guess that my e-mail is boring from a law enforcement perspective, but I still hate the fact that some bored feeb fsck can read one of my future inventions & pawn it off to someone he owns a favor to. Or, even worse, (s)he could spoof me and tie me to any unsolved case. This is 100% unlikely, but still bothered me until I read further into the article. Check this out (emphasis added): With all those
By the way, I just love that lame excuse for hiding the source code. Et tu, corporate America?
In 1999, marijuana killed 0 Americans...
Ewige Blumenkraft!
Apparently the pilgrims didn't have turkey. But what did happen is many many years ago turkey producers decided to hype it as a "traditional thanksgiving dinner" because turkey was more profitable than any other meats.
I wonder if in 100 years the Pilgrims will be shown eating burritos..
"There's a party," she said,
"We'll sing and we'll dance,
It's come as you are."
It was also rejected...
Lets see now, it runs on NT, they use PC-Anywhere to dial in, and everybody logs onto it as "Administrator".
This thing is a h4x0rs dream-come-true. Any ISP that gets one of these crammed down his throat ought to be very, very worried. Maybe attrition.org should go ahead and just setup a page now for Carnivore hacks.
The FBI hires admitted, convicted pedophiles to write software like this. Now, if they hire people who got CAUGHT to write this software, how sophisticated can it be?
If this thing is ever abused to the extent that Hushmail is not secure anymore, I'm picking up and moving to Finland. Over there, your company workspace/cubicle is your private property -- and so is your email on the company laptop.
As long as it was part of the kernel, it would be ok. Because then we would have the source code and we could check to see whether or not it is legal.
Why would anyone be thinking about Turkey?
The only recent news about them involves a US military spokesman there that denies Iraq's claims of having shot down a US fighter jet [see here]; and a few weeks ago there were news stories about the Turkish government repressing (foreign) free enterprise business [see here]; and a heck of a long time ago (well, a few months, anyway) a bunch of boorish Brits got their asses kicked for desecrating the Turkish flag during a soccer match [see here].
Anyway, point is, nothing much seems to be happening in Turkey, so why are we assumed to be thinking about it?
Until some sort of really great geek hardware comes bursting out of its borders, or until they start some war with a neighbour, I just don't see why I'd ever think about Turkey.
Jus' curious about the original author's thinking...
--
--
Don't like it? Respond with words, not karma.
Clinton made me a Republican. Bush made me a Libertarian. Trump is making me question reality.
Well, convenient that the very next line of the report is not mentioned. It reads,
"Given that the advertised functionality provides ample capability to perform unauthorized surveillance, IITRI concluded there was little incentive to hide such capabilities in the code."
Why do that much analysis if it is obvious that it can collect everything anyway?
Had I an example to share (such as one of the other posters), I wouldn't have needed the "rhetoric" - and as you pointed out, since they have such a history of abusing their tools and methods, it seems a pretty justified rhetoric.
And that ain't news to me - my point (however muddled it might have been - I was scrawling that in a hurry) was that I'm not comfortable giving them yet another tool to abuse, particularly one that gives them the scope and ease of reach that this one could. Someone else in the thread pointed out a vast difference between Carnivore and wiretapping, and that's the potential scale.
At least we agree on a distro.:P
Karma: Excellent, but still won't get you laid.
They may have a shit economy, but things are brewing!
They use PCA-USA's windis shim. A good product, and cheap - about $500.
The nice thing about PCA-USA is that it gives you a copy of the NDIS stream, so you can create an anti-sniff proof network sniffer, among other things.
Seems to be a very sensibly designed packet sniffer - along the lines of how I would build such a thing.
If this report shows us anything, it's that we should not object to the implementation, but to the concept. Even if it is sensibly designed from off-the-shelf products, there is no way for them to gaurauntee they're picking up only the packets they want. In fact, it's quite impossible. How do you track someone with a dynamic IP? What's their signature? You don't know - you have to read everyone's traffic to find them.
--
What happens when you outlaw guns
Report released but no one saw it. Some people say that it was lost in a ISP mailsystem somehow
--------
Let's say there's another outbreak of the ILOVEYOU virus, right? So a potentially "dangerous" type of e-mail is being forwarded via e-mail. Can the FBI step in and do what many ISPs were doing, ie, blocking that attachment? Seems like the FBI's job, right?
Well at first blush, it seems like this is a valuable service the FBI might do-- to protect our digital infrastructure. But...what about other types of attachments or e-mail content could be considered "dangerous" that the FBI could use the same rationale for blocking?
Where's the line?
Allowing carnivore to exist starts us down the path where they can start doing way more than just monitoring e-mails...
-------------------
-------------------
This is my SIG. There are many like it, but this one is mine.
"The problem with Carnivore is that it gives the FBI access to the communications of hundreds, if not thousands, of innocent Internet users," he said. "It's not sufficient for the bureau to say, 'Trust us, we won't do anything wrong.' Most users want more of an assurance than that."
Is this really any worse than the FBI's ability to tap phones? The use of Carnivore must be allowed by a judge for it to be legal. Sure, the potential for abuse exists, but if the FBI gathers evidence through illegal means it isn't admissible in court anyway. Not that I'm necessarily for Carnivore (or any other measure that gives the government the ability to invade my privacy) but I don't think there is anything too terrible about wiretaps, and from what I can tell Carnivore has similar a similar benefit/abuse potential ratio.
-
I think the reson for the meager amount of reaction on this whole carnivore review becasue most everyone I talked to was expecting this so called "un-biased" review team to come out mostly in favor of it.
The fact that the FBI is insisiting on using Carnivore as opposed to the open-source version recently created says volumes about the the FBI's real intentions. If they are not going to be using this for surreptitious purposes, then why not use an open-souce version that everyone cal review?
www.enthea.org
This a case where the bugs really are a feature.
IITR finds 2 problems:
1. Improperly configured, the system acquires far too much traffic.
2. The system lacks an audit trail to determine who configured it.
So, when Carnivore snoops on entire groups or ISPs we will never know who to blame. This seems like a feature to me. The system can be used illegally without accountability.
This would not be as big of a problem were it not for the wall of silence. Law enforcement is the most crooked segment of American society - "honest cop" is an oxymoron. So any system that relies on "trust me" is pretty bad. As it's set up right now, it is much more than likely will be misused. Who did it will remain a mystery, since law enforcement personnel have a dubious sense of right and wrong when it comes to protecting their own. Recent studies indicate 80% of patrolmen admit to lying in court. Instances of police misconduct are insanely common, they just can't be front-page news in our corporate media.
My guess would be that a Tech Editing department expanded the acronym without asking the tech folk what it meant. Then the draft report, remember it is a draft, got sent out without the techies having a chance to review it.
you could try this
Seriously, all you really need is to be able to open a secure connection (SSH, https, is there a secure SMTP?) to some server, and use that to send SMTP signals (or whatever). Why go for simple hacks, when you can have pure, perfict, unbreakable security?
ReadThe ReflectionEngine, a cyberpunk style n
Ok, So it's litening to the connection as it goes past on the wire....
Why don't we simply have a system whereby mail server A and B encrypt the entire mail exchange transaction?
The only real problem then would be getting people to employ it, and that could be done if it were made backwards compatible by accepting older smtp connections but adding a header that indicated it was at some point transmited in the clear, and accepting a security header that commanded it not to forward to in older servers.
It would seems like it would be a simple modification to SMTP. Though I suppose it would have to get through the IETF first. This still leaves it in clear on the client side when it's uploaded to the server and downloaded, but similar mods could be made to the POP and IMAP connections.
wouldn't have parsed the acronymn DLL as "Down Load Link" instead of "Dynamic Load Library." (They really said this - see the preface, page iv or thereabouts).
This might lead one to suspect that much of this "independent" report was copied directly from documentation supplied by the FBI itself, i.e., the Appendices, which - conveniently enough - were redacted from the materials released.
Anyone else find it funny that it's spelled Carnivoure?
Got friends?
You mean Soykey? With Soysage stuffing?
Yum
We see nowadays so many cameras and photographic radars appearing on the streets. It seems to me that we cant even take a walk without being noticed. On the other hand, criptographic systems get better every day. Ian Pearson, a futurologist from British telecom, thinks that in the future we will have more privacy using computers than walking on the beach. This carnivore system made me think that, dont matter where, we wont have any kind of privacy.
I can't believe I am on the same side of an issue as Dick Armey. Is it a principled stand or another knee-jerk anti-Clinton/Reno reaction? In other words, how far can I trust him as an ally.
There are not too many advantages to being sane but knowing what is funny is one of them. - Kingsley Amis