Slashdot Mirror


Carnivore Update

A reader writes: "Yahoo has a news item about the continued use of DCS-1000 AKA Carnivore. Looks like it's being used more than ever, and some privacy groups are still fighting in court for more disclosure about its use."

11 of 201 comments

  1. Carnivore by CrazyDuke · · Score: 4, Informative
    I don't have the link anymore. But, I would like to point out, assuming I remember correctly, that after 9/11 the FBI was actually bragging that Carnivore keyword sniffs all traffic. This is despite all their pre-9/11 vehement denials that the device did this. It was only supposed to pick up on email sent to and from people they were specifically watching.

    I guess everyone is under investigation for possible crimes then, huh? :P

    --
    Any sufficiently advanced influence is indistinguishable from control.
    1. Re:Carnivore by UM_Maverick · · Score: 5, Informative

      Right, carnivore (in my understanding at least) does sniff all traffic, and stores it for a set period of time. However (and it's a big however), if the FBI wants to go in and read anything that's been sniffed, it needs to get a warrant. And the warrant doesn't say "we want to open the box"...it says "we want to open the box, and read only emails to person X from date y to date z"

      And if you think it's easy to just hop in and get a warrant, I suggest you go read 'Black Mass' - it will shed some light on your misconceptions.

  2. Hello! It's the same historically as a mail cover by shpoffo · · Score: 3, Informative

    Mail covers have been used by law enforcement for quite a while - it's a practice that allows them to scan/look at the front of an envelope to determine where it has been addressed to and from. Grabbing email headers is no different, and even the subject line may fall under this jurisdiction.
    Now I know that Carnivore is no doubt being used to dig into message body and such, but please be aware that there is a precedent for certain functions of this system.

    -shpoffo

  3. Re:my packets by sphealey · · Score: 5, Informative
    Speaking of Carnivore: for 3 months, just after September 11th, I noticed that all of my traffic was being routed through Arlington VA. This stopped about two months ago. Now my packets travel normally (no Arlington node in every traceroute). Was that Carnivore?
    It's possible, and something you might want to think about.

    OTOH, a large percentage of the East Coast's Internet infrastructure was located in and around WTC, and much was destroyed and/or shut down. Different routes were certainly used while this stuff was under repair.

    sPh

  4. You're right...it means nothing. by Surak · · Score: 5, Informative

    You may not be familiar with SMTP servers like sendmail, postfix, etc. Mails that are sent from clients go into a queue. In the case of larger ISPs with many many users, the mail servers handle quite a bit of mail, so messages may sit in queue for longer.

    The order that they are sent out of the queue in is determined by settings set by the administrator. Some SMTP servers are actually set up so that small-sized messages get priority over bigger messages. Since most e-mails are small, your larger messages with attachments may sit in the queue longer, waiting for a bunch of smaller messages to be sent.

    This queueing depends mostly on the *sender's* mail server. The receiver's mail server will generally put messages from the receive queue into the users' mailboxes in the order they came in, but not always.

    Have your mail client display all headers...these show where the mail was along its route and typically have date/time stamps on them. This will help you determine where the hold up is (on the sender's mail server, on your mail server, etc.) Look for the length of time between timestamps. If one is unusually longer than the rest, that's where the hold up is. I'm not saying it's not Carnivore, but what you describe is a fairly common occurrence.
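
The header check described in the comment above, as an added example that is not part of the original thread: it parses a message's `Received:` headers, puts the hops in travel order, and reports the gap between consecutive timestamps. The sample message, its hostnames and its times are constructed for illustration.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: hostnames, addresses and times are invented.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.30])
\tby mailstore.recipient.example with ESMTP id C3;
\tTue, 09 Apr 2002 10:47:12 -0400
Received: from smtp.sender.example (smtp.sender.example [192.0.2.20])
\tby mx.recipient.example with ESMTP id B2;
\tTue, 09 Apr 2002 10:47:05 -0400
Received: from client.sender.example (client.sender.example [192.0.2.10])
\tby smtp.sender.example with ESMTP id A1;
\tTue, 09 Apr 2002 07:02:41 -0700
From: alice@sender.example
To: bob@recipient.example
Subject: large attachment

body
"""

def hop_delays(raw_message):
    """Return (holding_host, next_host, seconds) tuples in travel order."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its own header, so the oldest hop is last.
    for value in reversed(msg.get_all("Received", [])):
        info, _, stamp = value.rpartition(";")
        by = re.search(r"\bby\s+(\S+)", info)
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # no usable timestamp on this hop
        if when.tzinfo is None:  # "-0000" parses as naive; treat as UTC
            when = when.replace(tzinfo=timezone.utc)
        hops.append((by.group(1) if by else "unknown", when))
    # The gap between two stamps is time spent on the earlier server.
    return [(a[0], b[0], (b[1] - a[1]).total_seconds())
            for a, b in zip(hops, hops[1:])]

def slowest_hop(raw_message):
    """Return the hop with the largest gap, or None if fewer than two hops."""
    delays = hop_delays(raw_message)
    return max(delays, key=lambda d: d[2]) if delays else None

if __name__ == "__main__":
    for held_by, handed_to, secs in hop_delays(SAMPLE):
        print(f"{held_by} -> {handed_to}: {secs:.0f}s")
```

Each timestamp comes from a different server's clock, so small or negative gaps can be clock skew rather than queueing. Headers added before the first server you trust can also be forged.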

  5. we never had privacy by fabiolrs · · Score: 2, Informative

    Since the 70s both US and former USSR used to monitor all of our phone calls... I'm not surprised that US is now trying to monitor our e-mails... :))

    I'm really starting to believe that those pigeons used in India are the best solution for our privacy needs!!!

    --
    Fabio - Sumare/Sao Paulo/Brazil/South America/Earth/Solar System/Milky Way/Universe
    http://www.morroida.com.br
  6. Not just an online problem by drew_kime · · Score: 3, Informative

    Ever heard of a mail cover? According to Law.com:

    A mail cover consists of recording the information on the outside of all the mail delivered to the target home or business. It is done by the post office at the request of a local, state or federal law enforcement agency and lasts for one or more 30-day periods.

    <snip>

    ... a mail cover doesn't need a judge's approval. Nor, as in wiretaps, are the targets of a mail cover eventually notified of the practice. The only way to learn about it is through discovery in a legal proceeding, if the lawyer asks the right questions.


    And of course:

    Its use has risen by more than half since the mid-1980s.

    It's time people realized that surveillance isn't just about Carnivore and face recognition.

    --
    Nope, no sig
  7. Want to buy a Carnivore? by wirzcat · · Score: 5, Informative

    Here are the folks that make it:
    www.niksun.com

    Carnivore is called NetDetector for commercial sales.
    http://www.niksun.com/products/pdf_files/NetDetector_Data_Sheet.pdf
    About $20k, runs on BSD.

  8. Jam with M-x spook by Tom7 · · Score: 4, Informative

    I like to use emacs M-x spook to insert "keywords" in my emails. This must really piss off the Carnivore folks...

    You can get my comprehensive spook.lines file at http://www-2.cs.cmu.edu/~tom7/spook/. They're included below for your terrorist-finding pleasure.


  9. NetDetector != Carnivore by mencik · · Score: 2, Informative

    If you read the independent report on Carnivore written by IITRI, you would know that Carnivore ran on a Windows NT box. Net Detector may do the same or similar functions, but it is not Carnivore. I was part of that team that evaluated Carnivore, but I have no idea if the DCS-1000 is the same product, or if they have changed to something different. I also do not know if they incorporated the many suggestions we made. The Justice Department never asked us to look at any follow-on products. For various reasons (none involving Carnivore that I know of), just about all of the evaluation team has left IITRI.

  10. Re:September 11th used to justify everything. by Happy+go+Lucky · · Score: 3, Informative
    For what it's worth, you actually DO have a right to privacy in your own home, even with the blinds open. Check up on peeping tom laws sometime.

    Not quite. The relevant case law is contained mainly in the landmark case Katz vs. United States. In it, the Nine Old Farts of the Potomac said that trespass is not a relevant issue in Fourth Amendment law. Rather, the relevant question is whether or not a person has a "reasonable expectation of privacy" in a certain place or item. (Remember the words in quotes: They're at the very heart of all search and seizure law in the US)

    So, do you have a reasonable expectation of privacy in your own living room? That depends. Can the inside of your house be seen from the outside?

    Remember, a cop can legally act on anything he sees, so long as he is in a place in which he is legally able to be when he sees it. And he can use binoculars, if he can demonstrate to the court that he would have been able to see what he saw from a closer position which he has a legal right to be in, and used the binoculars only to avoid detection.

    Where it gets interesting is when you deal with new surveillance technology. "Extraordinary technical means" typically are closer to being a "search" within the meaning of the Fourth Amendment, requiring a warrant or other justification. There was a case a year or so ago in which an indoor marijuana grow was located using a thermal imager, and the images (and the search that followed) were suppressed, since the use of TI technology was a "search" within the meaning of the amendment.

    In the specific case here...legally, any person with legal custody of a record is allowed to hand it over to police. If Earthlink violates their own privacy policy and decides to make nice with the FBI, you probably (IANAL) have a civil claim against them. However, whatever they gave the Feebs will probably be admissible in criminal court.

    Also, Carnivore, as I understand it, can be used two ways. Either it can give the full content of email, or it can merely report the headers. The latter setting is basically analogous to a "mail cover," in which the information on the outside of a First-Class envelope is recorded. As of yet, there is no Federal case law on whether a mail cover constitutes a search requiring legal justification. My own guess is that the USSC will rule that it isn't, but it'll be a close decision. An email cover would be a lot like a pen register, which the USSC also doesn't consider to be a search requiring warrant.

    Also, bear one other thing in mind: In mail that enters the United States from abroad, there is no legal bar to it being opened and inspected. That's for customs purposes, mostly, and I don't know if that reasoning will be extended to email or not. This is a new enough area of case law that there's still a lot of fumbling. Never mind our dual-sovereignty system here in the US, which makes things more complicated. Pen registers ARE considered to be searches by Colorado state courts, and I'm guessing that they'll do the same with mail covers. Likewise, the Federal courts have said that anybody with legal access to records can turn them over to police and have them be admissible, but the Colorado courts have said otherwise, but were a little vague about it.

    So, if any of our overseas brethren are not yet thoroughly confused, follow up to this and I'll give a discourse on Colorado forfeiture law ;-)