Slashdot Mirror
Carnivore Report Released
Gwaitsai writes: "I cannot believe that I've seen nothing about carnivore here after the report was released yesterday (21st Nov). Could it be that everyone is too busy thinking about turkey! Excite has an article here and you can find the report itself here."
The only real problem then would be getting people to employ it, and that could be done if it were made backwards compatible by accepting older smtp connections but adding a header that indicated it was at some point transmited in the clear, and accepting a security header that commanded it not to forward to in older servers.
It would seems like it would be a simple modification to SMTP. Though I suppose it would have to get through the IETF first.
Actually, there's a program out there called stunnel which allows you to create SSL functionality in any server. What it does is listen on a designated port and then tunnel any connections to it to a local (or even remote) port. We've actually started using it at where I work, by having stunnel listen on the pop3s port (995, I believe) and it tunnels connections to it to its local pop3 port. Outlook and Outlook Express at the very least have the capability for SSL-encrypted SMTP and POP3, and I believe Netscape 4.7x supports SSL-encrypted SMTP.
Just my $.02...
"For a dark man shall come unto the House of God, and the darkness shall be upon him, yea, even within him." -- from Noctropolis: Night Visions
Tackhead suggests:
On the right track. One key with the Feebs. One for the ISP, itself encrypted with a third key, held by the Federal Judge. Settings placed in the presence of the Judge or a Special Master appointed by the Judge, and then locked down with the Judges key.
Ben Masel: 51,282 votes for US Senate in the Wisconsin Democratic Primary
Ok, sorry that that /. article had the Cringley link in it, and let me just say that i am not defending cringley. Yes, it's a read-only tap; yes, it can only handle a few data streams at a time; yes, it's storage capacity is extremely limited.
And yes, there are only 20 carnivore boxes in existence right now, so a national deployment is impossible.
What I was pointing out was that if one national ISP was refusing to install Carnivore, then they were all going to be asked to. Nobody rolls out an alpha system for nation wide release - but it's pretty evident that once in place, Carnivores are not removed. This makes sense - they're difficult to install.
My point was simply this: once there's a Carnivore in every ISP in the nation, they can selectively turn them on when they need to listen to someone. And while the law requires them to get a court order, the carnivore has no accounting whatsoever, so we'll never really know what they're listening to. And neither will the ISP's.
That's all.
--
What happens when you outlaw guns
OK, so we still need to be a bit vigilant. I would expect ISPs to demand that Carnovore boxes be removed once the warrant expires. And the warrant will almost certainly have an expiration.
As far as the accounting, I'd bet that that will be changed in response to the report. I expect several other technical and procedural improvements to be made in accordance with the report's recommendations.
I'm pretty sure that the FBI actually would prefer to follow procedures to make sure that information is gathered in a legal manner that does not infringe on citizens' rights. Otherwise, the defense lawyers will end up getting their clients off on technicalities. And if the FBI hates anything, it would be that.
Software sucks. Open Source sucks less.
I'm pretty sure that the FBI actually would prefer to follow procedures to make sure that information is gathered in a legal manner that does not infringe on citizens' righs.
Waco.
Ruby Ridge.
Steve Jackson Games.
Martial Law in Seattle.
$1,000,000 bond for using a cellphone at the RNC.
bullfucking shit
I'm pretty sure the FBI would like to take anyone who knows anything about a computer into a bathroom and rape them with a plunger handle, New York style. I think that's the major difference in our viewpoints - I don't trust the government. Mainly because I've worked for them.
But I respect your opinion. And the fact that you will continue a conversation well past the moderation window. (:
hats off,
-mwalker
--
What happens when you outlaw guns
Yeah, I was thinking maybe we should take this to email. ;)
I get your point about the FBI having screwed some things up. And I might even say that they don't care all that much about citizens' rights. But I think they do care about screwing things up so badly that they 1) look bad and 2) can't convict the perps. That's why I think they'll take the suggestions of this report to heart and follow reasonable procedures.
Software sucks. Open Source sucks less.
At least I'm not alone:
Intended to be installed at every Internet service provider in the country,
-suck.com. We should write them and ask them for their source.
--
What happens when you outlaw guns
After reading the report, the following is quite clear:
1. Carnivore explicitly has the ability and functionality to collect any and all IP traffic, not just email, delivered to it's network interface (just like a packet sniffer). This means that "Carnivore is an email tap" is DOJ spin. In reality it is a complete IP tap and should be publicized/discussed as such. I doubt a court order would restrict tapping to just email.
2. It is up to the FBI's internal procedures and trustworthiness to prevent or discourage "overcollection" (fishing expeditions)
3. The report points out that civil remedies exist to fix "overcollectoin" after the fact.
(I hope you can afford a good lawyer).
4. They use PC Anywhere to dialin to the carnivore box. Oh yeah, that's safe!
The real unknown now is exactly *what* traffic is redirected (tapped) to the carnivore box? Exactly where in an ISP's topology does this redirection or "tapping" occur? Only for dialup customers? T1 customers? T3? Nebraska and Deluth or only in big cities?
If you had read the report yourself, you would have found the answers to your questions. To read a dynamic IP address, you type in the MAC address of the system in question and Carnivore will listen for DHCP. It can also listen for RADIUS-assigned IP addresses by watching for the login name.
Just about all concerns with the system were addressed in the paper. The paper does make some recommendations to the FBI, like requiring access to the box to be auditable. There seem to be many checks and balances between the FBI and the court in regards to making sure that only the data listed in the court order is recorded. And the paper makes some recommendations to further check that.
All in all, I'm impressed with the paper. It is much more thorough and professional than I had expected. And while I was very skeptical before, I'm fairly well convinced that there is nothing sinister going on with the FBI in regards to Carnivore.
Software sucks. Open Source sucks less.
Someday, look at the history of John Wilkes, (opposition m.p. in Britain. and learn why we have a fourth ammendment.
Just because law enforcement wants to search in an unrestricted manner does not mean that we should let them. Furthermore, I have not seen a method of encryption which is easy enough for my mother-in-law to use.
Protection of freedom by nerdly end-runs is no protection at all. My ability to talk on clearspeech phones has been preserved- so must my ability to send messages unintercepted. Yes, as a stopgap, we must keep anonymization and encryption legal. However, we should enforce the laws we have which protect our freedoms.
Sure, it's not admissable in court, but that doesn't mean that they don't use it in one form or another.
Gotten pulled over lately? How many ways were you being recorded, without consent? Had this happen, got pulled over (for what, I do not know, it turned out to be an interesting interaction with the cops, but I digress). Anyway, got in the cop car, and talked/argued with the guy for about 10 minutes.
Then I realize he's been tape-recording the converstaion. I shut off the recorded (didn't ask him, just did it), and asked him if what he had just recorded could be used against me.
His explaination was that it couldn't be used in a court of law, but he could use it for personal reference and let the state's attorney listen to it when deciding whether they want to pursue a case.
So, it's not usable in court, but it can be used to get you to court.
Doesn't seem quite right, eh?
How about those packets? Well, what if the packets pointed to a known black-list site, and they could use that to decide to prosecute you, but they couldn't actually use the packets? Or could they use the packets to get a search warrent to then use the packets in the courts? Kind of a begging the question sort of justice.
Sigh.
So much for civil rights.
The FBI maintains gun purchase records despite a court order to stop and the clear illegality of doing so. However, the Clinton administration has never much been bothered by questions of legality, leading me to believe that should Gore manage to lie/cheat/browbeat his way into the White House, Carnivore will most definately be run with the same level of moral and legal fiber that Janet Reno has always brought to the table.
Not that I'm fond of George Bush; I voted Harry Browne, who believes, as do I, that the constitution protects one from unlawful search and seizure, and that this is defined as any search not officially sanctioned by court order, so the installation of carnivore in the first place is a violation of the fourth amendment.
See, America is trying to catch crime before it happens, and that doesn't work. Persecution of hate groups is an example: it is ok to hate the haters. I cannot imagine that the FBI, with its current record of scapegoating, would pass up a chance to blame more of the results of general incompetence in governance on hate groups and members of the "gun culture" or creators of the "culture of violence", and, as these terms indicate, you don't even have to prove that the situation exists anymore. How much longer before everyone in the US is in some sort of seditious culture?
So, the Republicans define morality into law and the Democrats define sensitivity into law and I can't complain to someone about their behaviour in an appropriate manner over email for fear of triggering Carnivore. What a world we're headed to.
A society that will trade a little liberty for a little order will lose both and deserve neither. - Thomas Jefferson
Ben Masel: 51,282 votes for US Senate in the Wisconsin Democratic Primary
i think it was called sniff.c. it was placed lots of highschool networks, and was used to collent sensative information about teachers browsing habbits. (at least at my school)
Now tell us something we didn't know.
Like how to prevent the Feds from using it - to spec - but illegally.
Constructive suggestion: The device is placed under lock and key. Two keys are required to open the case in which the device resides. One of those keys is under the control of the ISP. You can think of a "key" as either half of cryptographic key (for remote access to Carnivore) or a physical key. Better yet, both.)
I don't mind an ISP rolling over for FBI in the face of a court order. It's not a court request, it's a court order after all! But I fear any system that denies my ISP the chance to stand up to a Fed trying to use Carnivore without that court order.
As of now, the only thing standing between my privacy and an FBI gone berzerk is... well, the FBI.
If it ain't there, it can't be abused.
If Carnivore is there, and effective access controls (I can't believe I'm using the term "effective access control" with a straight face!), all we have to do is wait for them to realize that IDE drives in removable cartridges are, gig-for-gig, the cheapest storage solution around. In the name of "cost savings", the Jaz will be phased out for a hard-drive-based solution. All of a sudden, the media-size limitation on capture imposed by the use of the Jaz drive is effectively eliminated.
(Note to self: Buy stocks in hard drive manufacturers if the Feds decide to push for laws to legalize the move to 24/7 surveillance and capture. And switch to end-to-end encryption if any single hard drive manufacturer shows a doubling in revenue in a single quarter on the grounds that they've decided to do it whether it's been legalized or not.)
My paranoid fantasy for the day:
FBI's position:
- It's OK to record SMTP headers (but not the DATA portion containing
the contents of an email) without a court order because "they're just like
the envelope of a letter".
The obvious extension:- "GET foo.html" is to HTTP as "To: foo@bar.com" is to SMTP.
- It's therefore OK to record the GET portion of any HTTP transactions
without a court order as long as you don't dump the contents of the web
page being viewed.
Watch where you click. If you don't, they will.These guys are going to snoop. One might even argue that they have to. Actively work to keep encryption and anonymization legal and to stay one step ahead of them.
It was also rejected...
Why would anyone be thinking about Turkey?
The only recent news about them involves a US military spokesman there that denies Iraq's claims of having shot down a US fighter jet [see here]; and a few weeks ago there were news stories about the Turkish government repressing (foreign) free enterprise business [see here]; and a heck of a long time ago (well, a few months, anyway) a bunch of boorish Brits got their asses kicked for desecrating the Turkish flag during a soccer match [see here].
Anyway, point is, nothing much seems to be happening in Turkey, so why are we assumed to be thinking about it?
Until some sort of really great geek hardware comes bursting out of its borders, or until they start some war with a neighbour, I just don't see why I'd ever think about Turkey.
Jus' curious about the original author's thinking...
--
--
Don't like it? Respond with words, not karma.
They use PCA-USA's windis shim. A good product, and cheap - about $500.
The nice thing about PCA-USA is that it gives you a copy of the NDIS stream, so you can create an anti-sniff proof network sniffer, among other things.
Seems to be a very sensibly designed packet sniffer - along the lines of how I would build such a thing.
If this report shows us anything, it's that we should not object to the implementation, but to the concept. Even if it is sensibly designed from off-the-shelf products, there is no way for them to gaurauntee they're picking up only the packets they want. In fact, it's quite impossible. How do you track someone with a dynamic IP? What's their signature? You don't know - you have to read everyone's traffic to find them.
--
What happens when you outlaw guns
Let's say there's another outbreak of the ILOVEYOU virus, right? So a potentially "dangerous" type of e-mail is being forwarded via e-mail. Can the FBI step in and do what many ISPs were doing, ie, blocking that attachment? Seems like the FBI's job, right?
Well at first blush, it seems like this is a valuable service the FBI might do-- to protect our digital infrastructure. But...what about other types of attachments or e-mail content could be considered "dangerous" that the FBI could use the same rationale for blocking?
Where's the line?
Allowing carnivore to exist starts us down the path where they can start doing way more than just monitoring e-mails...
-------------------
-------------------
This is my SIG. There are many like it, but this one is mine.
"The problem with Carnivore is that it gives the FBI access to the communications of hundreds, if not thousands, of innocent Internet users," he said. "It's not sufficient for the bureau to say, 'Trust us, we won't do anything wrong.' Most users want more of an assurance than that."
Is this really any worse than the FBI's ability to tap phones? The use of Carnivore must be allowed by a judge for it to be legal. Sure, the potential for abuse exists, but if the FBI gathers evidence through illegal means it isn't admissible in court anyway. Not that I'm necessarily for Carnivore (or any other measure that gives the government the ability to invade my privacy) but I don't think there is anything too terrible about wiretaps, and from what I can tell Carnivore has similar a similar benefit/abuse potential ratio.
-
This a case where the bugs really are a feature.
IITR finds 2 problems:
1. Improperly configured, the system acquires far too much traffic.
2. The system lacks an audit trail to determine who configured it.
So, when Carnivore snoops on entire groups or ISPs we will never know who to blame. This seems like a feature to me. The system can be used illegally without accountability.
This would not be as big of a problem were it not for the wall of silence. Law enforcement is the most crooked segment of American society - "honest cop" is an oxymoron. So any system that relies on "trust me" is pretty bad. As it's set up right now, it is much more than likely will be misused. Who did it will remain a mystery, since law enforcement personnel have a dubious sense of right and wrong when it comes to protecting their own. Recent studies indicate 80% of patrolmen admit to lying in court. Instances of police misconduct are insanely common, they just can't be front-page news in our corporate media.
you could try this
Seriously, all you really need is to be able to open a secure connection (SSH, https, is there a secure SMTP?) to some server, and use that to send SMTP signals (or whatever). Why go for simple hacks, when you can have pure, perfict, unbreakable security?
ReadThe ReflectionEngine, a cyberpunk style n