Carnivore No More

wikinerd writes "FBI has retired the controversial Carnivore software, strongly criticized by privacy advocates for its email capturing abilities. However, it is believed that unspecified commercial surveillance tools are employed now. What does that mean for Internet users' privacy?"

In other news

[detrino]

FBI has begun to install its less intimidating sounding "herbivore" software accross the globe. Vegetarians rejoice.

Re:In other news

[JPriest]

Exactly, I work for an ISP, we are still installing these things for the FBI. I don't know much about the new version of Carnivore but I can tell you they have some bugs to be worked out still. (eg. they are not entirely passive, and the IP space needs to be added into them.) This makes network changes a PITA because I don't have access to configure new IP blocks into the new Carnivore platform. If they are going to make us install these things they should at least make them work seamlessly :P

Re:In other news

Kidding aside, just the like alleged dismantling of the "Office of Strategic Influence" (i.e., intentionally lying to the press), things may go on [CNN] under different project names. cf. also the Total, er, Terrorism, Information Awareness program.

Yea...

[Heem]

If they retired carnivore, it's likely only because now they have something "better".. or "worse" depending on how you look at it.

Re:Yea...

[laughingcoyote]

Pardon me? FUD?

Given the FBI's history of misconduct, I don't think that this is FUD whatsoever. You claim that this assertion is "factless", but it is really not illogical to presume that if they've done something before, they'll likely do it again.

In this case, the justification for suspicion is not technically "factual" (this would be near-impossible, since the FBI operates with a great degree of secrecy), but rather, logical. It is logical to presume that an organization which has behaved badly and resists reform intends to continue to behave badly. The fact that they resist oversight and transparency only adds to this perception, and rightfully so.

FUD is UNFOUNDED suspicion, I might remind you, not well-founded suspicion. I would submit that suspicion toward the FBI is quite well-founded given a history of misconduct from that organization. Please learn what the word (or acronym) means before you throw it around.

Security update

[SilverspurG]

Instead, the bureau turned to unnamed commercially-available products to conduct Internet surveillance thirteen times in criminal investigations in that period.

How much does it cost? I'm really sick of paying for this crap.

Re:Security update

[Mostly+a+lurker]

The cost is not the issue for me. Law enforcement costs money, but a certain amunt of it is necessaey. What I DO object to is law enforcement being allowed to operate without proper controls. That leads to a police state.

Re:Security update

[SilverspurG]

Good points but I've progressed past them. In reality, things are just the other way around.

Objecting to law enforcement operating without proper controls is futile. Proper controls are always argued on a case by case basis anyways, as well they should be.

Objecting to the cost of law enforcement is the only real consideration. This is the way it works. If we don't object to the cost there will always be a need for more money. Not putting a cap on the cost is inviting corruption.

Instead....

[chipster]

they decided to use free alternatives that work better;

• tcpdump
• ettercap
• Ethereal
• Kismet

Re:Instead....

[tomhudson]

FTA:

However, it is believed that unspecified commercial surveillance tools are employed now.

Actually, they just bought Gator :-)

No change

[kahei]

It means no change for Internet user's privacy, but confirms that the FBI weren't up to managing a large project, even in their core area.

Which leads me to the inescapable conclusion:

Privatize the FBI! I'm sure Halliburton would love that contract, but McDonald's would surely also be in the bidding. After all, who would suspect a few Ronald McDonalds wandering around the neighbourhood of being agents? Nobody, that's who! And by the time you notice their guns and badges -- TOO LATE, criminal!

Re:No change

[newr00tic]

[..] After all, who would suspect a few Ronald McDonalds wandering around the neighbourhood of being agents? [..]

..Could I have a Quarter-Pound-Me-In-The-Ass with those McCuffs, Occifer please?

Re:No change

[pair-a-noyd]

That would explain those wireless headsets they wear.

And if you see a Ronald McDonald talking into his sleeve, it's a god chance he's an undercover RM..

Itanium/Carnivore Connection

Clearly this is evidence that Carnivore ran on a Microsoft Windows and Itanium platform.

Oh, the humanity!

[Lisandro]

Check this little image from the article. "Carnivore's official logo shows bload-soaked incisors closing over a stream of data". EVIL!

It's a packet sniffer that reconstructs data (mail and web sites, as it seems from the article), not a boogieman! I agree, it can be a dangerous tool for privacy in the wrong hands, but still, it's not like you can just put it in your PC and start reading your neighour's mail.

Re:Oh, the humanity!

[pair-a-noyd]

but still, it's not like you can just put it in your PC and start reading your neighour's mail.

No, you need one of these..
http://www.systemrecycler.com/shomiti/

I have doubts...

[camcloud1]

They wouldn't have retired it unless they 1. Created a new app that supercedes it or 2. Found another way to retrieve the same information more effectively. Federal security agencies are kinda funny like that.

Re:I have doubts...

[Lisandro]

The article mentions it was ran on ISPs with no capabilities to monitor their users' Internet usage. I wonder how many they are; for starters, mail is a no brainer to monitor, unless it's webmail on remote server (Hotmail, f.ex.). And even then, the conection is encrypted.

Re:I have doubts...

[nyekulturniy]

This is not necessarily true. They could have developed a system that was so unusable and with so high development costs, that the only thing to do was to pull the plug on the project. The IRS has had to do this at least once in the last decade.

The better path for the FBI would be to develop a gradual improvement in software, thoroughly testing each app for compatibility with the existing system. That's not the type of project that Federal empire builders and big contractors want.

Internet users' privacy?

[jbrandv]

HaHaHaHa!

Re:What about encryption?

[ThisNukes4u]

Not if they don't know what key was used... A better way would be to encrypt the actual e-mail itself instead of relying on the way it is transmitted to keep your content secure. You can never trust the messenger.

goodbye Carnivore...

[figurewmeat]

...hello new echelon iteration?

They didn't just give up a method of infiltration - that's just foolish.

no news here. move along. nothing has changed.

Atkins is meat.

[Doc+Ruby]

The FBI has announced that their universally criticized Carnivore system has been retired. Who wants to bet that it's just been renamed, and expanded with those "commercial" search tools? You are, since you're reading this. And if you're American, you're paying for the casino! Don't you feel safer, with the government lying to you for your own good, to protect you from the terror of $500M FBI projects that don't work?

It Means

[CastrTroy]

It means that it's time to start encrypting your email. 4096 bit public key encryption should suffice. I can't believe this isn't more prevalent in today's world. We need WDIV Chopper News 4 to do an expose on how everyone is spying on your email. Maybe that would get the public's attention. What I'm surprised about is that AFAIK, none of the webmail providers support encrypting email. You could probably get the browser to encrypt it using Javascript or even with a Java applet. Anyway, having the option would be nice.

Re:It Means

[tabdelgawad]

There's a tradeoff with encryption. On the one hand, you make your email harder (impossible? do we really know?) to read for unauthorized third parties. On the other hand, given the percentage of people who use encryption, your emails will stick out like a sore thumb to the FBI/NSA/whoever as something worth investigating.

I know this is not fair; I don't have to be doing something criminal in order to want privacy. But I really wouldn't be surprised if encrypting your email nowadays raises a red flag in whatever carnivore-replacement program they're running.

Re:It Means

[EodLabs]

Hushmail does, and it was free last time I checked. The pay service has alot more features, but for a hotmail/gmail/etc.. substitue it's note bad.

why call it carnivore?

[budcub]

You'd think they'd name it something like "Perfectly harmless investigating program that would never ever violate your privacy"

Calling it Carnivore was asking for an uproar.

Re:why call it carnivore?

[Everleet]

Privacy never even crossed their minds.

Re:why call it carnivore?

They're probably replacing it with Fluffy Bunny Instant Search-Bar Software. Who'd be afraid of FBI'S-BS?

Re:why call it carnivore?

[Rakshasa+Taisab]

"Fluffy Bunny" is a cool name... don't underestimate the fluffy bunnies!

Conspiracy theory!

[Black+Parrot]

Hmmmm. MS gets into the anti-spyware business, and the FBI suddenly decides it doesn't need its custom spyware anymore...

What about the budget

[digitalgimpus]

They budgeted quite a bit of hard cash to develop Carnivore...

so who is going to be held responsible for that wasted cash due to bad planning?

IMHO that's a ton of money that can be used for many useful things... it was taken from our taxes... and now just sits on some cvs server (assuming they save it).

That cash could have been used to pay for some armor for troops deployed in Iraq. Or perhaps fund development of improved airline security equipment... something that would be beneficial.

Why the hell did this get approved if commercial equivilants were in the works? What seriously ill planning went into that?

If the FBI were a company... heads would roll. This wouldn't be acceptable.

BTW: This page has a small image of the carnivore logo (for anyone interested).

Re:What about the budget

[sam_handelman]

Someone is perhaps unaware of how the economy *actually* works.

The FBI paid to develop carnivore - and then the developers took side jobs developing these commercial equivalents, which they sold to the FBI. These commercial equivalents would never have come into existence if the Feds hadn't taken on the cost of the initial phase of development, and, from the look of things, provided an initial customer base for this software. The exact same thing happened with total information awareness (now a product being sold out of a cayman islands holding corporation or the like), in case you were not paying attention.

You may not like this sort of arrangement, but in that case you must really hate all the money the Feds wasted on information technology, automation, container shipping, or avionics, all of which were developed more-or-less the same way.

Of course, you can approve of this sort of arrangement without approving of it's use in this particular case, but that isn't the objection you raise.

If the FBI were a company... heads would roll. This wouldn't be acceptable.

How adorable! A Capitalist! Does woo believe in the free market? Does woo? Yes woo does!

We have never been at war with Eurasia.

We have always been at war with Eastasia.

Carnivore has offshoots

[itpr15061]

Carnivore relied heavily on a product called SilentRunner. SilentRunner was purchased by Computer Associates and given a new name, Network Forensics.

http://www3.ca.com/Solutions/Product.asp?ID=4856

It has the ability to decode email on the fly. I have the product and while it does have some "wow" factor, the usability and stability is atrocious. Another fine cobbled together product from CA.

Re:Carnivore has offshoots

[ScrewMaster]

It can decode ASCII plaintext in real-time? Wow, now that is impressive.

Ok, but now will they

[pair-a-noyd]

Open Source it or give it abandonware status?
That would be fun!

open source carnivore

[dlkj83jdk3883ll]

yes, Carnivore was opensourced in 2001 by a group calling themselves RSG. it was covered on slashdot. of course tcpdump is still better if all you want is to packet sniff, but this other version is good for realtime data visualization.

steganography

[whovian]

So ... the trick is to use some form of plain-text encryption that doesn't appear to be anything but a somewhat long-winded normal message discussing the weather or the latest playoffs.

Something like text based steganography (demo 1, demo 2)? Slashdot has covered steganography before.

Re:What about encryption?

[FrYGuY101]

Not if they don't know what key was used...

You underestimate us.

Your local NSA agent, c/o your local FBI agent.

E-Mail Isn't Secure

[Ensign+Regis]

E-Mail is just as secure as a postcard. Don't send secret information via either one.

Why Hide?

[freezin+fat+guy]

I'm sure the techies at FBI headquarters get lonely sorting through all the false positives these programs churn up. Instead of encrypting our email, I say include a friendly message for them. Hey, they're geeks too. (probably read slashdot)

First, make sure you include one or more key words, (pr3sid3nt, b0mb, j1h4d) then include a hello to the kind folks who snoop your correspondence for you.

Fuggedaboudit

[handy_vandal]

What does that mean for Internet users' privacy?

Privacy? What privacy?

Do you want criminals running your life?
Of course not!

But the world is full of criminals who want to run your life.
What you need is police, to protect you from criminals.

Magic Lantern + Organized Crime

Scarfo + keystroke logging

Then there's the problem of police protecting themselves from criminals -- or not, as the case may be -- but that's another story.

-kgj

Re:try china

[Tackhead]

> i hear the goverment over there have lots of experience in "monitoring" its "public" networks
>
> perhaps they may have some ideas for your FBI

Where the fuck do you think we're running the live beta and the scalability tests? Soviet Russia? :)

I'm only half in jest. Soviet Russia was the alpha test for both the surveillance system and the sociopolitical system. It failed - two coups, and economic collapse.

China was the beta. It succeeded. One attempted coup - crushed instantly, because the Chinese learned how to deal with dissidents. Political stability is rock-solid, and economic growth is stellar.

The full system goes live, planet-wide, within 10 years. You're free to choose whether or not to buy in now, but it's a limited time offer.

I bought in because steak tastes better than dog food, a plasma-screen TV made by slave labor beats making plasma-screen TVs for $0.01/h, and because winning is just plain more fun than losing.

I kinda like your slogan. "Try China". I did. And I liked it.

Re:People keep forgetting...

[symbolic]

There's a big difference between John Q. Hacker, and perhaps some waywardly curious employee somewhere spying on what I do, and the government doing the same thing. Because the government makes and enforces the rules, it is held to a higher standard. That standard is elaborated in the 4th Amendment- there has to be a REASON for the the government to be looking at anyone's mail, and that reason must suggest that they have either broken the law, or there is good reason to believe that they are about to break the law. If neither exists, they have business looking at it, even if it's not "private".