Slashdot Mirror
Carnivore Meta-Report Released
matt_blaze writes: "I've been part of a group of five security researchers invited by the
Chief Technologist of the Justice Department to identify technical
issues with the FBI's "Carnivore" Internet wiretapping system to be
addressed by an "independent review". As Slashdot readers know, the
contractor chosen to conduct the review, IITRI, recently released a
draft report of its findings. We've studied that report and continue
to have serious concerns about Carnivore. Our report, released today,
can be found here." Telling stuff. Also, check out today's Suck regarding Carnivore as well.
more to the point-- neither pcAnywhere nor Microsoft Windows NT are open source. These software packages are both subject to vendor supplied back-doors, and hacker supplied attacks.
The meta-review of Carnivore is quite interesting. And the FBI is quite naive if they think that a device that "sniffs everything by default" and requires configuration to trim down what it sniffs is not going to be in promiscuous mode 99% of the time. In all the years I've been programming, I've found that users don't really like customizing their applications.
The Suck article was quite interesting in that it states that Carnivore may be the one application that causes everybody to start demanding encryption in their email products. And it's about time!!!
--
"May I have ten thousand marbles, please?"
Not the amount of stuff but the way they may use it. Carnivore is not bad because it sniifs every possible packet. Man I also sometimes find INTERSTING things while sniffing my channels for technical reasons... But if I get the right to send one guy to Magadan (believe me, it's Bahamas^-30) then that's a problem. However if laws and courts state that such information can be used only under written order, then sorry pals, but I can trade nukes and you have NOTHING against me... Really do you think that things are s private? At state or high-politics levels, things are so transparent that it is no wonder people talk about "information bordels" while referring such circles. Remember Clinton and his lovely adventures... The only thing we didn't see were hidden camera shots...
Yeah Carnivore looks bad as it seems to knock our privacy to the ground. So get to the ground! Land on Earth! Carnivore is being used. And there are hundreds of tons of information running around about the likes and dislikes of people. We can get addresses, phones, private info about people and organisations. Internet turned everything into a village. So it is natural for FBI to want a bigger grip on the stuff. However two things come out. First who will pay for this. Let's imagine I'm an american citizen. Me? Hey hold on a moment, that's MY pocket and I want THAT money used for things more rational than this. Now I'm a foreign citizen. Hey what are you doing IN MY BORDER? Get out or I start taking the dust outta my nukes ok?
Second, does this helps catching criminals? Generally no. The amount of information is too big to gather and process in a rational way. If you wanna catch him then you should already gave something against him and know what you're looking for. Like any normal detective does...
Third, can anyone use this against me? Yes. But if this stuff comes up then sorry, scrap it ASAP. Or else the same state that supports it may get some very hard times to live. Believe me. I lived in two totalitarian regimes and I know how people get harassed like cats. The results were quite destructive for those who tried to build the Perfect State. Today I know that many people who overused their powers are in the corner of society or six feet under ground...
Today, too much sniffing causes very serious troubles to the one who does it. More than the harassments you may get. The only thing is that if you're afraid or fearful. Then they will get you. But here the problem is nothing but you...
Frankly I got used that people may harass me for something... For most people this may be stress, trauma, hard times. But frankly I consider it also a school. The next ones will have to step two floors more to try something on me. If people reacted this way then FBI would think TEN times before its next silly move. Don't bash Carnivore. Tell them let go but who'll pay it. And what really does (you HAVE the right to know this). And if something gets wrong ask how FBI will really justify it. In the end, FBI will find 100 justifications to not to act the way it does...
I've seen software that only installed as administrator.
Needing to Install as adminstrator is sensible, in any corporate setup of any size the end user should not be installing software.
And I've worked for companies where all the QA people had "Administrator" privs on their NT boxes.
This is to do with programs needing to run as adminstrator (another related thing is programs which need read/write access to all sorts of strange things.) It's a sign of very sloppy programming.
The fact that they are using NT, or the fact that we (US taxpayers) will have to pay for it. This is just like the government, giving subsidies to tobacco growers while trying to convince people not to smoke.
JET Program: see Japan, meet intere
- No list of precision specifications. [This would be vulnerable to political feedback/interferance]
- No Quality Assurance work at all [bug checking, compatibility testing, etc.]except the minimal done by the developers
- No Quality checking on the design parameters to make sure that it would pass muster with someone beside a political hack.
Add to the list at your leisureAll in all, an excellent example of how NOT to design and code a peice of software.
sorta sounds like a peice of spaghetti coding [ie: throwing it spaghetti at the wall and seeing what sticks]
"It is a greater offense to steal men's labor, than their clothes"
I think part of the problem is that Microsoft sets such a poor example. I have seen various bits of software from MS that exhibit some or all all of all of the above failures.
And so what? Don't you see how cool is to sniff on your E-mail, your friends E-mail, your downloads, the pics you see? This voyeur madness overcomes everything. That's a sickness with every E-policeman still carrying a fresh polished and shiny badge from running after street gangs, patrolling streets and midnight rides... Yeah the FBI is MORE than this. But it is still a police force in most of its nature. They see the power of the net, the hackers, the megatons of info running over the screens, the fantasy world TV and Holywood poisons them. And they wanna KNOW EVERYTHING! Well I understand them because when Internet came up with the Web, many of us also wanted the same thing.
The best remedy for this Carnivore stuff is to let them go. Really! In a year or two, they will have enough people in the psychos to get an idea that this was a stupid idea...
The only problem is that if they will try to force the net to slow down to cope with their work. That is a possible chance. But then they will be hitting hard on someone's pockets. And i believe that no security in the world costs enough to let this go...
I'd like to see the feds try to use Carnivore in court, and have the defendant subpoena the box to have independent experts evaluate it, only to find that it had been cracked, and that all of the logs were fake, and that the admin password is something stupid like 'renorulez!' or something else dumb like that...
On the other hand, because they're doing this, it sounds like it's time to do ((IP over HTTP) over (IP over IP) over (IP over DNS)) and see how well the M$ box can handle it, I'm sure that some kickass kernel hacker could design a multilevel tunnel that would confuse the hell out of it anyway...
"Titanic was 3hr and 17min long. They could have lost 3hr and 17min from that."
IBM had PL/1, with syntax worse than JOSS,
And everywhere the language went, it was a total loss...
And I'm a fucking pessimist.
Blaze (et al) refers to the technical review as a "good starting point". He also mentions that a number of institutions refused to touch the review contract because of contract conditions.
Translation into layman's terms: IITRI took the job because respectable institutions wouldn't give the FBI a rubber stamp on their Orwellian program.
The group also mentions that the technical review didn't adequately discuss security issues-- and in fact notes a number of suggested practices that fly in the face of good security design.
Translation: Not only is the FBI going to be privy to your communications, but so is every fourteen-year-old sociopathic script kiddie. Oh, and IITRI, due to politics or stupidity (or both), suggests making it even easier for pubescent net punks to get their hands on your e-mail.
Okay, that's Blaze out of the way. Now on to Suck.
The basic gist of the article is this: Carnivore is real, the public has to admit it. So now everybody is going to want high-grade crypto to keep the FBI out of their stuff.
Sorry, Suck, but it ain't gonna happen. Consider:
* For a company to realize demand for a feature, enough people have to get excited about it enough to demand/request it. After "billions of dollars" in damage from Melissa/LoveBug/etc., plenty of people put the blame squarely on Microsoft. Pundits screamed, analysts yelled-- and Microsoft still hasn't seen enough demand to turn off scripting by default.
* To include "encrypted by default", people would have to have some sort of method for getting their best buddies' keys. Yeah, we have PGP key servers, but let's be realistic: we need a new standard. That'll be a few years. On top of that, Microsoft/Netscape/AOL/Yahoo/etc. would all have to take into account backwards-compatibility with standard e-mail. The technical issues behind doing something like this are a *bitch*.
* A lot of people actually support the Carnivore program. Out of ignorance or belief in government (the two *do* go hand-in-hand quite nicely, no?), many of the people I talk to don't have a problem with the Carnivore program. They trust the FBI to "only do it when they have a warrant". As well, they claim that they don't do anything important through e-mail anyway. And my mother thinks that Carnivore could be just the thing to catch drug dealers.
------
Come on people. I'm not saying that we shouldn't be optimistic, but this *is* a serious problem. The free market will *not* create enough demand for products that will stop Carnivore dead. People don't know, or don't care. If we want everything Suck says to come true, we have to inform people and get them to care. This is NOT a time to just sit on our laurels.
Tell your friends about Carnivore and why it's wrong. Tell them about the borderline-fraudulent methods the FBI has used in the "review" process. Let them know *what* is at stake and *why* it matters!
Send a large quantity of email/requests through these servers, containing ONLY these strings (i've noticed people with rather amusing .sig files
on here like "fbi crack dealer munitions cuba")
But make sure the text is random enough not to be easily filtered...
This would grind down the cpu on the Carnivore boxes (NT based..it's easy!) resulting in a possible crash, which owuld in turn result in flow being restricted through the FBI 'blackbox' and hence through that particular node of the net itself. Do this to enough 'central' nodes, and the entire internet is significantly slowed down - demonstrating to ordinary users, and big business alike that carnivore is a really bad idea.
You mean they havn't heard of the concept of a "tap"...
Here is the USAToday article on the EarthLink crash caused by Carnivore.
EarthLink dodges FBI's Carnivore
ATLANTA (AP) - EarthLink Inc. said Friday it has reached an agreement with the FBI to avoid future use of an electronic surveillance device called Carnivore that disrupted Internet access for some EarthLink customers earlier this year.
The Atlanta-based company, which has about 4.2 million subscribers nationwide, said it had installed the snooping software for the FBI at a data center in Pasadena, Calif., earlier this year after it lost a decision on the matter in federal court.
When Carnivore wouldn't work with an operating system on the company's machines, an older system was installed for the device, which then led some servers to crash, EarthLink's director of technology acquisition told The Wall Street Journal for a story in Friday's editions.
''Many'' people were affected, Steve Dougherty told the newspaper, although the company declined to say how many or where.
Dougherty did not return messages left at his office Friday.
Carnivore, which an FBI spokesman said was first used in the spring of 1999, scans all incoming and outgoing e-mails for messages associated with the target of a criminal investigation.
FBI spokesman Steven Berry said the device gives the agency ''a surgical ability to intercept and collect the communications which are the subject of a court order'' and ignores everything else.
EarthLink spokesman Kurt Rahn said the company and FBI officials had agreed that EarthLink would collect such data in the future when investigators obtain a court order.
''Basically, we reached a mutual agreement with the FBI that we would be able to monitor and gather the information that they needed ourselves,'' Rahn said. ''That way, they got what they wanted and we were able to maintain the integrity of our network.''
Berry declined to confirm any such agreement or discuss at which Internet service providers the agency has installed Carnivore. Berry said the bureau is currently using the device, but he declined to say in how many cases or where.
He said all Carnivore installations are done ''in close cooperation'' with the ISP, but he said that the FBI collects the data itself.
Rahn said the company has no dispute about following court orders to provide customer information to law enforcement, but is concerned when doing so compromises its operations.
''It wasn't necessarily anything that was terribly disruptive, but it was more sort of the potential that it could have been worse,'' Rahn said of the outage Carnivore caused.
''And basically since delivering e-mail and delivering the Internet to our members is what we do, having that threatened is not going to work for us,'' he said.
--
So you're innocent, but you just happen to be out taking a spin by yourself during the time of the murder. Hard to defend alibi. You could conceivably become indicted. That costs money. Whether or not you are innocent, it costs lot's of money (lost wages, bail, lawyers, etc.) and the information still has to be judged in your favor for you to be cleared since it is pretty obvious you made a death threat as revenge for some strife. If the pocketbook argument doesn't work, think about your personal credibility. If that doesn't work, remember bail is not usually given in murder one cases in my parts. Perhaps a suspension of your civil liberties may convince you.
You must remember that it is the context not the content that determines legitimacy. Carnivore can capture tons of content. However, it is impossible to ensure that it captures enough content to discern context. In some cases, like the one I mentioned above, it is impossible for it to determine any context. The English language (as a matter of fact, all sufficiently complex languages) is open for interpretation and your interpretation of a harmless note is not always the easiest to believe.
Was it Ben Franklin who said something to the effect: "Those who would give up liberty for safety deserve neither liberty nor safety."? The fourth and fifth amendments are not there to harbor criminals. They are there to protect the wrongly accused. And just because you claim legitimacy does not mean that you will never be accused. Go ahead and let them sniff? Given enough time and wide enough scope, the FBI could have brought charges against Mother Teresa.
Rather than a court order allow a switch to be thrown, I would prefer a larger price in time and money to install such a system to deter wanton use of this if it can even do what it claims. Remember, it's not how private something really is in the US, but how much privacy you expect that determines what kind of warrant is needed.
PerES Encryption
Sincerly I got aquainted to the fact that anyone may know things I wouldn't like to show. The Internet is a big school. But the fact that someone knows something more confidential or private about you does not mean that things may turn against you. On the contrary. the spell may turn against the wizard and he may get really hurt. And I have seen several examples of this...
Wanna read my mail? PLEASE! (300 mails a day) Wanna pick up my bookmarks. Cool. (4500 links) Wanna see my private life? Be my guest. (Ooooh myyyy... Get ready to live 32 hours a day) Sniff, crack, break, put cameras, do anything you may. (If you can get where I am and where I live) ANYWAY, YOU WILL NEVER KNOW WHO REALLY I AM. Without that any knowledge about me may turn dangerously against the perpetrator of my privacy.
"Now, I'm the Shadow of Night... The Phantom of Light... The Black Star... That shines on the Darkness of Space... I became a walker"
Shantz Ektanoor
- Steven Bellovin, AT&T
- Matt Blaze, AT&T
- David Farber U of Pennsylvania
- Peter Neumann, SRI International
- Eugene Spafford, Purdue University CERIAS
Wasn't it Matt Blaze who cracked the Law Enforcement Access Field (LEAF) in that government approved crypto standard they were trying to ram down our throat in the mid-80's?And Peter Neumann I know very well in an online way, as he is the moderator of the Forum on Risks to the Public in Computers and Related Systems which discusses all kinds of topics in software reliability and security, and provides an ongoing archive of known software bugs.
It is also available on the Usenet News as comp.risks and I consider it required reading for anyone wishing to take themselves seriously as a programmer.
This means you.
Neumann also wrote the book Computer Related Risks which draws on material from the forum but discusses it in more depth.
He is also a frequent consultant to the government and military on computer reliability, security and computer policy as you can see from Neumann's home page.
He writes great puns too, which are often found added to Risks submissions.
Now for my contribution - I'd like to suggest you read my page Why You Should Use Encryption.
This page discusses in a way that I hope is clear, approachable and compelling, why everyone - even your mom, even your kids, should use encryption.
Michael D. Crawford
GoingWare Inc
-- Could you use my software consulting serv
They want to run this software, but yet they have not done a systematic search for any bugs or security holes? What the hell is the FBI thinking? "We want to spy on your insecure software with our really insecure software... And hope no one else joins us in spying on you..."
"What can a thoughtful man hope for mankind on Earth, given the experience of the past million years? Nothing." -Bokonon
"One such approach is to publish the Carnivore source code for public review. Although an extraordinary step, we urge the DoJ to consider it seriously. "
I wonder how many people at the department of justice would actually seriously concider that? Wouldn't if be funny to run across the source-code with a GPL-like license which happens to read "And now that you've read this, we'll have to kill you." For National Security reasons of course.
---
"Of course, that's just my opinion. I could be wrong." --Dennis Miller
Carnivore is going to be more of a target than an actual bonus.
As always, I don't take responsibility for the content; I'm just mirroring it. If you're the author/owner/sponsor or whatever and you want it down, send me a mail.
But the inner workings are not something the public need to know about. It only opens the avenues of criticism [b]y the technically inept.
The logic of this statement completely escapes me. How would the details of the inner workings lead to criticism by the technically inept? If you display the technical diagrams of the newest Ford engine in, say, NY Times, do you expect this to generate technically inept criticism, or would an article in the automotive section on the same topic and without much technical detail generate this type of criticism?
We already know the equivalent of the article without much technical detail about Carnivore: it is a packet sniffer, with filtering capabilities, it runs on NT, there is little or no security. The "technically ept" can conclude based on this information that this tool will be relatively easy to misuse (or abuse), and that without the details (i.e. the source code) there is a good chance that adding Carnivore to your internal network may cause technical problems in addition to any of the issues discussed in the meta-review.
I wonder how exactly does an agency such as FBI select a contracter who writes their software. This contracter has to be trusted and than the independent reviewer has to be trusted as well. If I wanted to wiretap into FBI wiretap what do I have to do? From the reviewer it looks like the way Carnivore is written and tested does not qualify to be an FBI wiretapping software. The software tracks more than it is allowed (all network packets), it uses PCAnywhere to administer the configuration and the software! All we need now is a bug in the PCAnywhere software. Carnivore will slow down the traffic that it monitors and it probably will not be able to scale. If I was working for let's say some 'other' agency and I was interested in wiretapping the wiretappers and I had enough power, how difficult would it be for me to put everything in the right place for the FBI to take the bait. Get a certain company to do the contract, get someone inside the company to grab all the source code then screw with the independent reviewer (requires money but not impossible).
We'll keep backup of all your email and all the files you've ever sent over the net for your convinience and for our security.
You can't handle the truth.