Carnivore Meta-Report Released
matt_blaze writes: "I've been part of a group of five security researchers invited by the
Chief Technologist of the Justice Department to identify technical
issues with the FBI's "Carnivore" Internet wiretapping system to be
addressed by an "independent review". As Slashdot readers know, the
contractor chosen to conduct the review, IITRI, recently released a
draft report of its findings. We've studied that report and continue
to have serious concerns about Carnivore. Our report, released today,
can be found here." Telling stuff. Also, check out today's Suck regarding Carnivore as well.
- No list of precision specifications. [This would be vulnerable to political feedback/interference]
- No Quality Assurance work at all [bug checking, compatibility testing, etc.] except the minimal done by the developers
- No Quality checking on the design parameters to make sure that it would pass muster with someone besides a political hack.
Add to the list at your leisure. All in all, an excellent example of how NOT to design and code a piece of software.
Sorta sounds like a piece of spaghetti coding [i.e., throwing spaghetti at the wall and seeing what sticks].
"It is a greater offense to steal men's labor, than their clothes"
And I'm a fucking pessimist.
Blaze (et al.) refers to the technical review as a "good starting point". He also mentions that a number of institutions refused to touch the review contract because of contract conditions.
Translation into layman's terms: IITRI took the job because respectable institutions wouldn't give the FBI a rubber stamp on their Orwellian program.
The group also mentions that the technical review didn't adequately discuss security issues, and in fact notes a number of suggested practices that fly in the face of good security design.
Translation: Not only is the FBI going to be privy to your communications, but so is every fourteen-year-old sociopathic script kiddie. Oh, and IITRI, due to politics or stupidity (or both), suggests making it even easier for pubescent net punks to get their hands on your e-mail.
Okay, that's Blaze out of the way. Now on to Suck.
The basic gist of the article is this: Carnivore is real, the public has to admit it. So now everybody is going to want high-grade crypto to keep the FBI out of their stuff.
Sorry, Suck, but it ain't gonna happen. Consider:
* For a company to realize demand for a feature, enough people have to get excited about it enough to demand/request it. After "billions of dollars" in damage from Melissa/LoveBug/etc., plenty of people put the blame squarely on Microsoft. Pundits screamed, analysts yelled-- and Microsoft still hasn't seen enough demand to turn off scripting by default.
* To include "encrypted by default", people would have to have some sort of method for getting their best buddies' keys. Yeah, we have PGP key servers, but let's be realistic: we need a new standard. That'll be a few years. On top of that, Microsoft/Netscape/AOL/Yahoo/etc. would all have to take into account backwards-compatibility with standard e-mail. The technical issues behind doing something like this are a *bitch*.
* A lot of people actually support the Carnivore program. Out of ignorance or belief in government (the two *do* go hand-in-hand quite nicely, no?), many of the people I talk to don't have a problem with the Carnivore program. They trust the FBI to "only do it when they have a warrant". As well, they claim that they don't do anything important through e-mail anyway. And my mother thinks that Carnivore could be just the thing to catch drug dealers.
------
Come on people. I'm not saying that we shouldn't be optimistic, but this *is* a serious problem. The free market will *not* create enough demand for products that will stop Carnivore dead. People don't know, or don't care. If we want everything Suck says to come true, we have to inform people and get them to care. This is NOT a time to just sit on our laurels.
Tell your friends about Carnivore and why it's wrong. Tell them about the borderline-fraudulent methods the FBI has used in the "review" process. Let them know *what* is at stake and *why* it matters!
They want to run this software, and yet they have not done a systematic search for any bugs or security holes? What the hell is the FBI thinking? "We want to spy on your insecure software with our really insecure software... And hope no one else joins us in spying on you..."
"What can a thoughtful man hope for mankind on Earth, given the experience of the past million years? Nothing." -Bokonon