Norton Users Worried By PIFTS.exe, Stonewalling By Symantec
An anonymous reader writes that "[Monday] evening, on systems with Norton Internet Protection running, users began to see a popup warning about an executable named PIFTS.exe trying to access the internet. The file was shown to be located in a non-existent folder inside the Symantec LiveUpdate folder. There were several posts about this to the Norton customer forums asking for help or information on this mysterious program. The initial thread received several thousand views and several pages of replies in a few short hours before being deleted. Several subsequent posts to the Norton forum were deleted much more quickly. These actions — whether actively covering up, or simply not well thought through — have spurred people to begin crafting conspiracy theories about the purposes of this PIFTS program. I for one am blocking the program until more information becomes available." The current top link on Google for "PIFTS.exe" links to one of these deleted questions on Norton's support boards, which sounds innocent enough: "I searched this forum but did not see PIFTS.exe. Any idea what this is?"
An application that exists in a folder not accessible by the underlying operating system? Sounds suspiciously like a rootkit to me. If so, then man, am I glad I gave up Norton years ago! I mean seriously, what is so hard to understand about the concept that hiding things like directories is a security risk? Have we learned nothing from Sony's stupidity?
Oh yeah, it's Norton (aka Symantec) we're talking about here. I guess not.
We are here to protect you. You can trust us.
It's so easy for users to click through the installer or post-install pop-up window asking if you'd like to send anonymous* diagnostic info to the vendor to allow them to improve the quality of the product with future software updates based on the data.
Many default with the "Do not ask again" option checked, so once you click through...
(* however anonymous "anonymous" means. Just because they give you a button to look at the contents of the report doesn't means they showed you the headers or all of the data.)
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
you could always use a system where you dont need norton.
How come you didn't mention the NSA's backdoor into NAV?
For shame, sir, for shame.
Sent from your iPad.
Let's begin the conspiracy theories:
Ping Internet For Time on Slashdot?
Don't worry about it. It's just the Privacy Invader From Team Symantec.
Possible
Information
For
Terrorist
Sleeper cells
Therefore...Norton* = Terrorist.
*the slashdot user "Em Emalb" does not seriously think Norton supports terrorism, in fact, if the pounding on his door is any indicator, neither does Nort...)&(^#%)*&#^ stoptazingmePeterNorton! OWWW! Sonofa...that thing stings bro.
Sent from your iPad.
I posted a link to this slashdot article in the norton forums and it had close to 500 views in the 4 minutes that it existed. owned.
Specialization is for insects. -Heinlein
Reading TFA, the author noted a lot of padding in the suspect executable, presumably to have it match the filesize of something it's pretending to be.
The author then suggests with the rapid proliferation and Norton's screwy coverup in their forums, that the auto-updater may have sent out a virus/rootkit.
Perhaps Norton thought they could send out a patch to clean it up before anyone found out?
P = Purposely
I = Introduced
F = File
T = Thieving
S = System
That sounds a little too much like "James Bond" to me, mr anonymous poster. I think we should wait until someone disassembles it and looks at what it's doing.
Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
A long time ago I used to recommend Norton products. About 2002/03 you needed to use a special tool to remove their products in case they failed to operate. That was the point that hidden files kept screwing you up all the time. And they have looked back from that philosophy. I used to do a local radio show, and the phone calls were always "How do I fix this damn thing?" Years of bad practices tell us one thing most of all: stop using any Norton product. They will never listen until they take a giant hit to their revenue. Maybe if they return to making real software, instead of spending all this time creating just another update cycle for a revenue stream, they will not change. Your time has a lot of value. Stop wasting it. Dump Norton.
If that's true, Symantec must be dumber than I thought if they provided a backdoor to a firewall that allows said firewall to warn the user.
'If Christ had tweeted the sermon on the mount, it might have lasted until nightfall.' - John Perry Barlow
The first one links to a blank page which will redirect in about 20 seconds to a malware site.
The second one is immediately flagged by Firefox as being a "Reported attack site".
This Slashdot article is possibly an attack on the /. community.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Sorry if this comes across as rather elitist, but the all-encumbering anti-virus packages these days just seem so out of date. Norton has always sold itself on the basis it has every possible corner and hole of Windows plugged, checked, double-checked and clamped shut (that is...until your subscription ran out anyway)
Up until a few years ago, I would have really wanted that assurance...like there was a big Daddy Norton with a big fuck-off gun vigilantly checking all entrances; verifying all in & out; assuming guilt until proven innocent.
Thing is, as much as people here may dislike Vista, one thing I think no one will deny is that it's a version of Windows far more capable of taking care of itself; the effect being that AV really doesn't need to be the relentless and fearsome bouncer it was.
Gone are the days when you could "just write in the system32 dir" etc; nay, even programs not rubber-stamped with a certificate that don't need root access will raise an eyebrow in the shell in Vista/W7.
My point is, AV now is nothing more than a "These programs are bad" list. The leaky sieve that was Windows past is diminishing every, and heavy security like Norton is becoming less and less relevant (thank god)...and they know it. Good riddance I say.
throw new NoSignatureException();
Symantec, if you made a mistake, just admit it. Let people know and tell them about the issue, the controls you put into place to fix it and the mechanisms you enacted to ensure that it does not happen again. Mistakes happen, and people will understand, if you are honest and forthright. But, if you keep dodging the issue and there really was something there, you can rest assured it will come to light and then people really will be angry and question their trust. Do the right thing. Tell people what happened, right away!
Check out HoneyPoint, our tools for combatting the insider threat! http://www.microsolved.com/honeypoint/
http://forums.zonealarm.org/zonelabs/board/message?board.id=Off-Topic&message.id=19903
Do really dense people warp space more than others?
I posted the following question on Symantec's forum and it was deleted within 2 minutes: This afternoon for no apparent reason my computer launched a file under C:\documents and settings\all users\application data\symantec\liveupdate\downloads\Updt56\pifts.exe. This exe then tried to connect to do a DNS lookup. It seemed suspicious because if it was really part of my Symantec product then why was it not recommended to allow this connection? I blocked the request then tried to delete the file but access was denied; I couldn't even open it in Notepad to see what's inside. I restarted my computer and checked the location again but the directory was gone. Is this file a part of Norton Internet Security or am I being attacked? Does Symantec have any advice on this file as it seems to belong to Symantec's product? That was not offensive and I have an official product, not some pirated copy. I deserve an answer because it's my PC their program is running on.
Tried to register at their forums with login 'pifts' and got this:
Way to go Norton! We may have to rename Streisand effect to Norton effect pretty soon...
I call shenanigans. This comment has all the earmarks of an urban legend. An anonymous post claiming to have insider knowledge from another anonymous post.
Why would a third party "security" product require a secret law-enforcement backdoor? The FBI, CIA, NSA, etc. would simply have Microsoft provide a backdoor into ALL of Windows. They wouldn't waste time with a commercial product that only some Windows users install. Why go that route when going the MS route would ensure a backdoor into all systems and not just a very small subset of systems?
CIPAV is not something added willy-nilly into commercial applications. It's basically an extremely well designed rootkit that the FBI, etc. targets against specific users & computers by tricking users into installing it. (social engineering, etc.)
PIFTS is the sound of their market share with the excellent way they are treating their customers.
I know I would be removing this from my machines.
"Because we are not employing at entry level, offshoring will kill our industry stone dead."
Or smarter... If they were forced to put the backdoor in, then gagged by the court, maybe one of the programmers "accidentally" made a mistake so that the existence was indirectly revealed.
Perhaps this is why pifts.exe is being bandied about. It's a perfect way to get people to get to sites that will infect them with a virus by using search engines to point the way.
Steve's Computer Service, Hobbs, NM
Maybe Norton's anti-virus is so good that even THEY can't get a virus past it? ;)
What sort of response are you talking about?
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
I can think of a dozen unix/linux rootkits without even trying. Just because it's harder to install them, doesn't mean it's impossible. If you think you don't need to run any sort of security software (not Norton, of course, because they suck), then one day you're going to have a very very rude awakening.
ad logicam: Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
The second that Linux gets above a 50% market, it will also be targeted by viruses, and anti-virus will then be a must for Linux.
So, unless we want that to happen: Keep quiet and enjoy your virus-free Linux.
I'm not any good in assembly, but to me it seems as if PIFTS.exe both reads and writes to/from the registry and other files. It even appears to look out for debuggers (see line 8093). Other interesting addresses in the .asm-file:
34308: SWC00413C88__PIF__B8E1DD85_8582_4c61_B58F_2F:
34309: unicode '\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}',0000h
--
34370: SWC00413E78__60333AE5_B66E_4994_B15C_CA2D665:
34371: unicode '{60333AE5-B66E-4994-B15C-CA2D665CDC89}',0000h
--
34373: SWC00413EC8_systemState:
34374: unicode 'systemState',0000h
34375: SWC00413EE0_SOFTWARE_Symantec_PIF__B8E1DD85_:
34376: unicode 'SOFTWARE\Symantec\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEngine',0000h
--
34430: SWC00413FA0_http___stats_norton_com_n_p_modu:
34431: unicode 'http://stats.norton.com/n/p?module=2667',0000h (this looks very interesting!)
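The listing above is the kind of literal dump a triage analyst reads by hand. The following is an added example, not code from the thread or from Symantec: it pulls the quoted literals out of lines in the `NNNNN: unicode '...',0000h` form shown above (and from plain `strings` output), buckets them into URLs, registry keys, GUIDs and backslash paths, and reports any call-home host that is not under an expected vendor domain. The vendor allowlist and the final `example.invalid` URL in the sample dump are constructed for illustration; the other sample lines mirror the literals quoted in the comment.

```python
"""Triage helper for a strings / disassembler-literal dump of a suspect binary.

Added example (not code from the Slashdot thread or from Symantec). The sample
dump below is constructed: its first lines mirror the literals quoted in the
comment above, the last URL is invented so the host check has something to flag.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Disassembler form: <line>: unicode '<literal>',0000h   (db also accepted)
_ASM_LITERAL = re.compile(r"^\s*\d+:\s*(?:unicode|db)\s+'((?:[^']|'')*)'")
_URL = re.compile(r"^https?://[^\s'\"]+$", re.IGNORECASE)
_GUID = re.compile(r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}",
                   re.IGNORECASE)
_REG_KEY = re.compile(r"^(HKEY_[A-Z_]+\\|SOFTWARE\\|SYSTEM\\)", re.IGNORECASE)
# Anything backslash-separated that is not a rooted registry key: a file path
# or a registry subkey fragment such as \PIF\{...}
_BACKSLASH_PATH = re.compile(r"^(?:[A-Za-z]:)?\\[^\\]+(?:\\[^\\]+)*$")


def extract_literal(line):
    """Return the string literal carried by one dump line, or None for label,
    separator and blank lines. Plain `strings` output is taken as-is."""
    m = _ASM_LITERAL.match(line)
    if m:
        return m.group(1).replace("''", "'")
    stripped = line.strip()
    if not stripped or stripped == "--" or stripped.endswith(":"):
        return None
    return stripped


def classify(lines):
    """Bucket literals by type. A literal may land in more than one bucket:
    a registry key that embeds a GUID is listed under both."""
    buckets = defaultdict(list)
    for line in lines:
        lit = extract_literal(line)
        if lit is None:
            continue
        if _URL.match(lit):
            buckets["urls"].append(lit)
        if _REG_KEY.match(lit):
            buckets["registry_keys"].append(lit)
        elif _BACKSLASH_PATH.match(lit):
            buckets["paths"].append(lit)
        for g in _GUID.findall(lit):
            if g.upper() not in (x.upper() for x in buckets["guids"]):
                buckets["guids"].append(g)
    return dict(buckets)


def unexpected_hosts(urls, vendor_domains):
    """Hosts that a binary shipped by `vendor_domains` has no obvious reason to
    contact. A host is accepted if it equals an allowlisted domain or is a
    subdomain of one; everything else is returned for a human to look at."""
    flagged = []
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        ok = any(host == d or host.endswith("." + d) for d in vendor_domains)
        if not ok and host not in flagged:
            flagged.append(host)
    return flagged


# Constructed sample dump (see module docstring).
SAMPLE_DUMP = """\
34308: SWC00413C88__PIF__B8E1DD85_8582_4c61_B58F_2F:
34309: unicode '\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}',0000h
--
34373: SWC00413EC8_systemState:
34374: unicode 'systemState',0000h
34376: unicode 'SOFTWARE\\Symantec\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PifEngine',0000h
--
34431: unicode 'http://stats.norton.com/n/p?module=2667',0000h
34440: unicode 'http://updates.example.invalid/check?v=1',0000h
""".splitlines()

# Assumed vendor domains for the allowlist; adjust for the product under review.
VENDOR_DOMAINS = ["norton.com", "symantec.com"]

if __name__ == "__main__":
    found = classify(SAMPLE_DUMP)
    for kind, items in found.items():
        print(f"{kind}:")
        for it in items:
            print(f"  {it}")
    print("unexpected hosts:", unexpected_hosts(found.get("urls", []), VENDOR_DOMAINS))
```

Run against a real `strings` dump, the interesting output is the `unexpected hosts` line: a vendor-signed updater talking to its own stats host is one thing, an unknown host is the thing worth blocking and asking the vendor about.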
Don't just tell us about - report it! http://www.google.com/safebrowsing/report_badware/
Humor from a Genetically Molested Mind
For those of us who have systems with patient study data, this is a Big Fucking Deal. Luckily, we have firewalls involved, but still...
Please help metamoderate.
PIFTS.asm can be downloaded here: http://www.mytting-ikt.no/PIFTS.asm
Here's a dump of strings found in the pifts.exe on pastebin:
http://pastebin.com/m1e207a78
Interesting padding buffer right at the end? Spoofed length or just room to grow some internal resource?
There is an effort underway here http://chrysler5thavenue.blogspot.com/ to figure out exactly what the purpose of this villainous little program is. You can download it here http://www.mediafire.com/?mnmh35b9d0k (BUT DON'T RUN IT). Right now all the theories are tentative but we are leaning towards this being either Symantec's cooperation with government on cyber spying, or a virus which was accidentally released after Symantec themselves were infiltrated by Middle Eastern hackers (it calls home to North Africa).
Here are the strings: http://pastebin.com/m1e207a78
Wow, you managed to uninstall Norton A/V in less than 48 hours????
It's a clue for you to stop using a platform where you must run anti-virus software and to finally switch to something better and come to the 21st century of computing.
I've been using Linux not quite as long as some, but probably longer than most. Quite probably longer than someone, like the parent poster, who has a Slashdot user ID five times larger than mine, especially since I lurked on Slashdot for a few years before getting an account. For me, Linux has been my primary computing platform for over 15 years, and, before then, it was Unix, or, prior to that, one of the DEC predecessors leading back to the early 80s. I have used machines running ITS, one of the first timesharing systems, when they were still contemporary.
That said, I'm tired of this dribble. Unix (in the industrial versions) had / has nearly no viruses or malware because there were very few people using it in total numbers. There was and continues to be little to be gained by writing a virus for these systems: no press coverage, no botnet of millions of computers. It doesn't pay. It isn't worth the effort. Same for Linux: the market is still too small. Same used to be true for MacOS, but that's starting to change as it increases in popularity.
Contrast this with Windows boxes that are so ubiquitous that a half-talented virus writer has a decent chance of getting their malware into hardened sites like the Pentagon through social vectors (eg, an absent-minded worker who uses a USB key on both home and work computers by mistake).
Linux has no viruses because the market is too small. To think that it is immune to attack from malware is naive at best, and, more probably, self-deceptive. If Linux starts to enjoy 10, 20 or 30 percent market share, we will see Linux-targeted malware become a common nuisance. We already see Firefox-specific browser exploits (but for Windows boxes). FOSS isn't somehow magically immune from nuisance teenage activity or out-and-out criminal intent.
So, please, enough of the holier-than-thou attitude.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
Perfectly Innocent Firewall Testing System
I know a guy who knows someone who dated the sister of someone at symantec, and lets just say, they're going to team up with Starbucks To Begin Sinister 'Phase Two' Of Operation
Strings is available from sysinternals. If you ask me, it's cute and funny when MS-Bashers put their foot in their mouths before doing any research to back up their snide comments.
As of this writing, if you do a Google search for "PIFTS.exe" (like was noted in the above summary), the first several links will take you to compromised/attack vector sites.
Did /. just get social engineered?
(Yes, Offtopic to the posts above, but maybe this will have kept someone from getting a nasty surprise...)
"...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
I've read a lot of reviews (Gizmo freeware, for example) : http://www.techsupportalert.com/best-free-anti-virus-software.htm which don't support this view.
Kaspersky seems to not have won out too well recently too.
Can you post a link to back up your argument?
Conversion Rate Optimisation French / English consultant
I've submitted the file to ThreatExpert, and the report is available here: http://www.threatexpert.com/report.aspx?md5=91b564d825a3487ae5b5fafe57260810
It appears as if this is a statistical reporting tool, given the URLs to which it calls home. All in all, it seems reasonably innocuous -- even if Symantec's response to it is unnecessarily heavy-handed.
The Freelance Wizard
I have a copy of PIFTS.exe now and am examining it.
Notes:
1) It is small
2) Internally it is a "patch tool" from patch "021809db"
3) The Operating System function calls it makes are generally non-threatening
4) It accesses the registry (Norton products) and does some kind of date based validation
My guess is... It is an activation checker of some kind. It looks like it is pulling the registration information from the registry and checking it against file dates.
It also seems to copy itself to the temp folder on execution, although I'm not entirely sure as to why.
I won't disagree that NOD32 is an excellent scanner... but AVG is certainly not "the worst". I don't know where you get your data from, but at http://www.av-comparatives.org/seiten/home.html (follow Comparatives, then On-demand to get to the chart) you can see that AVG got 94.3% detection. Avast was slightly better than that at 97.3%. NOD32, interestingly enough, got a 93.0% detection. I'm not saying AVG or Avast is better, but with that information you can't say it's "the worst" either.
I've had far better experiences with AVG and Avast on my machines, as well as my customers' computers, than McAfee (84.4%) or Trend, for example. I've only experienced 1 virus in the recent past (a rootkit, no less) that was not cleanable by AVG/Avast... had to do that manually. On that machine, the virus got in past McAfee... for what it's worth.
Anyway, so with the data above... what's your reference for saying that AVG is "the worst"?
> Linux has no viruses because the market is too small
Well, even assuming this is the only reason (a bit questionable due to the situation with web servers), exploits usually are not particularly portable. And since each distribution compiles their own version, Linux reaching 50% market share actually might _not_ be enough, but what you would need might actually be a _single version_ of a _single distribution_ reaching 50%, which is far less likely.
Just waiting for Norton to pop up and say.... "Dear Honorable Sir or madam I am writing to you from Norton Nigerias headquarters. Please advise you have been awarded Nortons prize fund of one million thousand dollers please enter your account details below to receive funds in due course."
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
Make a .job (scheduled command) to open your command prompt a minute from the time you create it. After it opens, crash explorer.exe and then restart it from the command prompt; you're now logged in as System. You should have access to that file. You can access everything as System. Does this work for you? Either that or boot a live CD and run 'strings' over the file... anything interesting there?
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
This is why we need additional mod options. I have points, but there's no option for "Interesting, if it's true" or "thanks for the info, but since there's no way to validate, caveat reader."
It's really easy to get bullshit modded up because of the number of people who say "I didn't know that, thanks". How many of the +4 so far are "+1 because it's true" vs. "It's news to me"?
ever try getting a response from the slashdot crew?
Ever had a thread deleted by the Slashdot crew?
Precisely.
-FL
Symantec Caught in Norton Rootkit Flap
"Symantec Corp. has admitted to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers..."
http://www.eweek.com/c/a/Security/Symantec-Caught-in-Norton-Rootkit-Flap/
Nod32 still borks the TCP stack by default, so I avoid that (what the hell it's even doing hooking into it is beyond me).
Avast is pretty good... you can switch the nag screen off.
1. Most reviews on the Internet are pure crap. Either they are shills, paid and/or unpaid, or they are lifted from and/or linked from other sites related to whatever site you happen to be on at the moment. Search for reviews, and you will find many that are verbatim the same. Either site ops snarf them from wherever to fluff their lame pages, or people mass post, pasting the same thing in over and over. Niiice. I know, there are reputable sources for reviews. At least until they get found out either taking favors for favorables, or being lazy and reviewing products a month before release.
2. I ditched Norton last year at home - all gone. The first time in at least 19 years, I think, that I haven't had a Norton product on at least one of my machines. AVG is doing at least as well, which is to say that if my wife didn't click on those IQ tests and 'vote now' links, my machines would be free of nasties. A pox on their souls.
Picking a review site is my least favorite task. Hate it.
Oh, and I use my Linux boxen to browse 'questionable' sites. Seems they don't get infected. Or, if I'm really scared, my phone. hehe, let them attack that. The G1 Steel browser doesn't seem to get infected either if I set the agent to 'Desktop'. harrr.....
deleting the extra space after periods so i can stay relevant, yeah.
Disable the HTTP scanning module (which is recommended anyway on webservers). I think it hooks into the TCP stack so it can scan things which will never be written to disk as they enter your PC, e.g. JavaScript files used by webpages etc. You don't really need that module for it to work effectively though.
FUD at its best! This is what you get when your primary news source is 4chan.
The file is rather obviously (look at the strings/modules) a small update to the Symantec PIF Alert Engine. See PIFSvc.exe and PifEng.dll (which have been there for a while) for more information. From what I can tell, and I'm not a Symantec user, this is part of the LiveUpdate component; even if it wasn't, binary analysis shows nothing untoward.
The real WTF is why Norton are deleting support requests en masse rather than simply sending out a press release.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
I fucking just LOVE it when people post "information" which is not backed up by any source or link or anything.
http://www.virusbtn.com/news/2008/09_02
Here are the latest results I could find. Note that AVG is NOT the worst by far. The free version only suffers in its lack of detection for malware, but the GP did not say that the free version was installed. Now Avira comes out smelling like a rose in these tests so of course they are recommended, but AVG is also very good.
Actually, last time I installed AVG that was turned off by default.
/ yet another smug, uninfected Linux user.
As the parent points out, just as soon as Linux reaches an appreciable market share it will be getting administered by users who don't know, or don't care, about security. Once this happens it won't matter even in the slightest how secure, or not, Linux is in comparison to Windows. There will be viruses and there will be infections. The inescapable thing that all operating systems have in common guarantees this; the weak point in the security between the seat and keyboard.
If Linux developers ignore this fact they'll be ensuring the inevitable is even messier than it needs be. Fortunately, I don't think most are that blinded by complacency.
Wrong. As another response points out, with linux's extremely high penetration in the server market, where servers tend to have a ton more bandwidth (and confidential data, for that matter), linux should be the primary target for viruses.
But for various reasons (non-mono-culture, in addition to better default security in the OS *and* most apps written for it) the best way found so far to hijack linux machines is attempting to crack common username+password combinations.
If you have any linux box with SSH open to the internet, you should know that these password attacks happen non-stop, all day every day. On every linux box I've admined. So the demand is obviously there, but the OS and the security culture around the OS is making it much more difficult.
Of course there's also a large difference between attacking desktops and servers, since desktop attacks often require user interaction, and server attacks have to be automated. But it's still easy to think back and notice a trend in even automated exploits on windows servers, where there haven't been (successful?) exploits on linux boxes.
Essentially, linux is secure enough that the only successful method of attack so far has been the user-stupidity point-of-entry, bad passwords.
Two of the biggest reasons linux has proved so (relatively) impermeable are the lack of a software mono-culture, and the existence of an easy target in Windows.
Even when Windows Server has had a smaller share of the server market, it's still been targeted by numerous (successful) automated attacks.
(and just to repeat the obvious, no OS is impossible to write viruses for or otherwise exploit, and I'm sure there are viruses for every OS out there. The real question is how many successful large scale attacks have there been on each - and successful large scale attacks have as much to do with monoculture and time-to-patch as any internal OS security policies)
(also it looks like my slashdot ID is lower than yours, do I win the EPEEN contest?)
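The "password attacks happen non-stop" observation above is easy to confirm from auth.log, and the case worth paging on is not the failures themselves but a success that follows them. The following is an added example, not code from the thread: it parses sshd `Failed password` / `Accepted ...` lines, counts failures per source address inside a sliding window, and flags both burst sources and any accepted login from an address that was failing moments earlier. The log lines and host name are constructed, the addresses are RFC 5737 documentation ranges, and the year supplied to the syslog timestamps is an assumption.

```python
"""Detect SSH password-guessing bursts, and successes that follow them, in
auth.log lines. Added example, not code from the thread; the sample log is
constructed (RFC 5737 documentation addresses, invented host name and PIDs)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog-style sshd line: "Mar 10 03:14:01 web1 sshd[2201]: Failed password for
# invalid user admin from 203.0.113.5 port 51234 ssh2"
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_line(line, year=2009):
    """Return (timestamp, result, user, ip), or None for lines that are not sshd
    authentication results. Syslog timestamps carry no year, so one is assumed."""
    m = _LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Walk the log in order and return:
      bursts:  {ip: failure count when the threshold was first crossed}
      success_after_failures: [(ip, user, failures_still_in_window)] for logins
               accepted from an address that was failing inside the window
      usernames: {ip: sorted list of usernames tried} to show the dictionary used
    """
    recent = defaultdict(deque)       # ip -> timestamps of failures in window
    users_tried = defaultdict(set)    # ip -> distinct usernames attempted
    bursts, suspicious_success = {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        q = recent[ip]
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            users_tried[ip].add(user)
            if len(q) >= threshold and ip not in bursts:
                bursts[ip] = len(q)
        elif q:                           # Accepted, with recent failures pending
            suspicious_success.append((ip, user, len(q)))
    return {"bursts": bursts,
            "success_after_failures": suspicious_success,
            "usernames": {ip: sorted(u) for ip, u in users_tried.items()}}


# Constructed sample: one dictionary burst, one clean key login, and one
# password success right after a failure from the same address.
SAMPLE_LOG = [
    "Mar 10 03:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Mar 10 03:14:03 web1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2",
    "Mar 10 03:14:05 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 51238 ssh2",
    "Mar 10 03:14:07 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2",
    "Mar 10 03:14:09 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 51242 ssh2",
    "Mar 10 03:20:00 web1 sshd[2290]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2",
    "Mar 10 03:31:12 web1 sshd[2301]: Failed password for root from 192.0.2.9 port 60001 ssh2",
    "Mar 10 03:31:20 web1 sshd[2302]: Accepted password for root from 192.0.2.9 port 60002 ssh2",
    "Mar 10 03:31:21 web1 sshd[2302]: pam_unix(sshd:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    report = detect(SAMPLE_LOG)
    for ip, n in report["bursts"].items():
        print(f"burst: {ip} crossed threshold with {n} failures; tried {report['usernames'][ip]}")
    for ip, user, n in report["success_after_failures"]:
        print(f"ALERT: {ip} logged in as {user} after {n} recent failure(s)")
```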
When you use proprietary software, you don't really know what's happening on your system.
If somebody happened to notice a suspicious process on a Linux box, it'd have been the question of 15 minutes to figure out what package the file belongs to, get the source, take a look at it, and find out what it does and why is it there.
Instead what we have here is a mess with some people coming up with conspiracy theories, Norton refusing to acknowledge the issue, and people trying to figure out what this thing does by looking at the output of strings without much success so far.
Things are much easier when source is available.
When I first saw this here, the first place I looked for additional information was the Internet Storm Center, where they eat this kind of stuff up. And sure enough, they even had a call from someone at Symantec saying that yes, this one is theirs.
Conspiracy theory or no (and it's looking more like no), there are two things that rescue this from dullsville:
In the comments on that SANS article, it's mentioned that yes, Symantec is deleting comments left and right, and meanwhile the talk is slowly wending its way onto the ZoneAlarm forums, which just goes to show that one man's misstep is another man's opportunity. And...
While the story behind the PIFTS file itself isn't terribly interesting, some unsavory rapscallion had noticed its popularity as a search term, and planted malware where people looking for information on it could stumble upon it. Fun stuff, eh? Look for malware information, and find it the hard way.
Google has already removed that link, but it might still be out there, just in case you use a different search engine. And there's no reason he/they won't try again on another site.
You cannot truly appreciate Dilbert until you read it in the original Klingon.
No, and that is exactly what I'm saying. That is not a virus (something that propagates itself without user intervention).
Something that requires social engineering (lure of porn in this case) to get the user to run it is something else altogether. And like I said there is no way to protect any platform from the user who chooses to download malware and run it.
As the island of our knowledge grows, so does the shore of our ignorance.
Symantec Corporation
20330 Stevens Creek Blvd. Cupertino, CA 95014
tel +1 408 517 8000
fax +1 408 253 3968
Make their lines so busy they don't have a choice but to answer us.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
What I don't understand is that I got the PIFTS.EXE warning from McAfee, not Norton. I originally had an OEM Norton installation on my notebook PC, but immediately removed it, months ago, as our corporate standard is McAfee. But it seems that the removal was far from complete; on closer examination there's still a Norton process and service running, and apparently these triggered an update and the subsequent McAfee alert. So my question is, what is a Norton process doing on my computer, when I ran the default uninstall routine and it terminated normally?
Symantec has (finally) responded with a sticky on the forum from "davecole".
It's a statistical reporting tool that is normally included in patches, however due to an internal screwup, it was not signed. Because it was unsigned, the firewall looked at it quite skeptically.
They also attempt to explain their actions on the forum; from their description, it sounds like a typical Ebaums/YTMND raid. Their admin response was to carpet bomb the forums with bans and deletions indiscriminately. I don't think this is very professional of the admins; it reminds me of how Habbo responded back in the day. When you're the mouthpiece of a company that size, you should know that a overly aggressive response to a raid will do you more PR damage than just letting it go.
Legalize recreational marijuana. Seriously.
Exactly how many fucking many processes does Norton need to have running at one time???
So many that they are running out of Process ID numbers. There is a move afoot to ditch the old PIDv4 standard and adopt the new PIDv6 standard. This will allow a LOT more Norton processes to run, thus enhancing security.
I won't post anonymously. I am in the security field, and I have no current agreements with anyone which would preclude me from agreeing with the quote above.
In my opinion the quote above is not that far off base. It's not exactly a backdoor though, as federal law enforcement agencies do not need back doors to install ML or any number of other sprojans (spy trojans) on Windows machines. While I will absolutely not get into the specifics of how this dll works, I will say this:
Imagine a big honkin' SGI-O2-blue (the type of blue, not the type of machine) refrigerator in a rack, plugged directly into a core router on a big internet hub (or even a small one) and munching down every single packet it sees and analyzing them for routing and content. That's Carnivore.
Now imagine someone's brain beginning to work and realizing that really the most efficient way to see internet traffic is not to do deep-scans on the service provider side, but to instead do all that data harvesting locally on the physical node in question and sending the results periodically offshore (where all domestic spy material must stop first, by federal law) where they're combed through by any number of security people working for the man.
That second one is not Carnivore. It's a much, much more serious matter.