But again - why not leave it up to a select few industry experts to view/test/debug the source? No need to post the source to everyone.
Who will select the experts? Will the true experts agree to the conditions and NDAs that the government will require? Who will guarantee that the binaries used in practice are produced from exactly the same source code which was reviewed by the experts? And most importantly, there is a great example of open source security - OpenBSD. How many exploits are there for OpenBSD and how many cracked sites?
And remember, all this discussion is relevant if Carnivore is really needed. I haven't heard or read anything that would tell me that Carnivore is doing something the ISPs can't do themselves, given the appropriate court order.
Or at least, are there movie studios that are not part of the DeCSS lawsuits?
IF THIS IS GOING TO PROTECT ME AND MY CHILDREN OR PEOPLE I LIVE WITH - THEN I DON'T CARE IF YOU LISTEN.
I'd give up my rights to a little phone/net privacy if it protected my family, friends, or even other innocents (as long as the information isn't made public if I'm found to be an incorrect suspect).
I don't know who is not listening - there are two points to satisfy your support for law enforcement: ISPs can provide the information easily themselves, and the FBI can use better technology to get access to only the packets of a suspect (by hooking a sniffer to a suspect's entry point, not by sniffing the whole stream).
What we currently know about Carnivore shows that it is a system ripe for abuse. Here's my hypothetical: what if a pedophile used the information from a cracked Carnivore box to learn that your daughter is going to the mall to meet her friends at the ice cream stand?
I'm probably going to get slammed by you guys for this, but tell me - what EXACTLY is the big deal about Carnivore sniffing around through email?
I know the rights to privacy thing already. But do you really think that people out there are going to be interested in our love letters or other "secret" email? If your secrets are so important, then what do we have email encryption for? Sure, it can eventually be cracked. But I'm sorry but I don't see the FBI having all the time in the world to check what Joe Schmoe is emailing to Mary Jane about how much they love each other. Whatever. They have more important things to do.
I am not sure you know the right to privacy thing already. The right not to be searched, detained, etc. without a very good reason is detailed in the 4th amendment. This means that no one can open my letters in the mail, I can't be stopped and searched, the police can't come to my house and expect to be let in without a search warrant, etc. This also should mean that the FBI cannot know what web sites I am visiting just because they would like to, or because they were after the guy three doors down the block who uses the same ISP.
Obviously, Carnivore must be sniffing all the traffic at an ISP that may contain packets from or to a suspect, for whom there is a legitimate court order. Even if small, there is a chance that the non-related data is also recorded, or processed in some manner. With the advances of data mining, where is the guarantee that the full-scale sniffing that Carnivore does is not going to be used for something else?
The method of surveillance practiced by Carnivore (as far as we can tell) is analogous to what is called "trunk-tapping" in regular telephony. Incidentally, "trunk-tapping" is illegal, and cannot be used by law-enforcement agencies. If the FBI develops the equivalent of phone-tapping, where only the suspect's line is tapped, and no other information can be accessed, then I don't think there will be much commotion over what is going on.
Then there is the technical and security aspect of it. No sysadmin in their right mind will agree to put a black box on their network, which is also accessible remotely. It is a huge security risk, that can be only mitigated by open-sourcing Carnivore and subjecting it to a security audit (similar to the one OpenBSD does).
By revealing the workings of Carnivore, whom are you trying to protect?
The FBI currently is trying to say, "We scan some of the traffic, but we only look at the suspect's packets." Until they explain what they mean by that, one can assume that they read and record everything and then sift through it. This is clearly in violation of the U.S. constitution and cannot be tolerated. The media keeps talking about e-mail scanning, while it seems obvious that there is much more than that going on, and the government's reluctance to say what and how exactly is scanned makes people suspicious.
If you want the source code or more info about its inner workings, that tells me that:
1) You are performing unlawful activities you don't want people to know about.
OR
2) You're paranoid that the device does something other than email and packet capturing - like shuts down the net.
There are many reasons I wouldn't want anyone to know what my browsing habits are... Maybe I wouldn't want the insurance company to know that I am looking at web sites about a chronic disease. What is the guarantee that Carnivore cannot be used to get that data - even in an unlawful manner, as a side job of a rogue FBI operative?
If I were an ISP, I wouldn't put anything on my network that I cannot inspect and do a security audit. If I were a small ISP, I probably won't have the resources to audit it myself, so the only option is to have it open sourced, and audited by the community.
What is more, if I were an ISP (even a small one) I would have the resources to provide the law enforcement agencies with the data they needed without the need for Carnivore. The insistence of the usefulness of Carnivore is suspicious by itself, even for the not so paranoid.
Who is Joe Montana? ;-P
The FBI claimed (during the Carnivore Congressional hearing last week) that the ISP which was being sued (presumably Earthlink/Mindspring), and the ISPs in every case where Carnivore had been used so far, were not able to provide the FBI with the data they needed. Given the almost trivial effort needed to track e-mail, and other internet activity (e.g. web browsing), this shows that either Carnivore is after much more than it is currently assumed, or the FBI wants a broad surveillance device, not limited by the traditional court-order wire tapping.
As a matter of fact, one of the points made during the Judiciary committee hearing was that currently the FBI has to go to the phone companies with the court order to get information about a particular phone number. The phone companies will then give them the information, thus making sure that the FBI only gets the information specified in the court order. In contrast, Carnivore (as far as the public knows) has access to much more information, and we have to trust the FBI to only pay attention to what is authorised. This is one of the main issues as far as the fourth amendment is concerned, because the regulations under which the FBI requires the installation of Carnivore are meant only for the above scenario of the phone companies providing the info themselves.
Learn all about it at the C-SPAN web site (the hearing from Monday, July 24).
Just go there, and keep good notes... I think a timely informed post after the hearing is just as valuable as a real time broadcast...
For those who didn't see the Congressional hearing on Carnivore on C-SPAN last week (you can watch all 3 hrs and 15 minutes of it from here), it showed one thing - it is currently not known what exactly Carnivore does.
Almost everyone assumes that Carnivore tracks e-mail - this may not be all. During the hearing suggestions and speculations covered a lot of TCP/IP protocols - from the near admission of the FBI that they have tracked ftp transfers, through the constant mentioning by the FBI panelists that they look at packets, to the tracking of http requests, streaming media server connections, etc.
One of the panelists, the CEO of a small ISP in the DC area, testified that it took one of his sysadmins about 3 lines of configuration code and half an hour to implement tracking of e-mail (incoming and outgoing) on the CEO's account, which would have satisfied the needs of the FBI if this were the only thing Carnivore does. The fact that the ongoing Earthlink lawsuit was brought up allegedly because Earthlink was unable to provide the requested information to the FBI (with a valid court order and all), seems to indicate that Carnivore is after much more than simple e-mail.
Among other interesting things that came out at that hearing was the security aspect of Carnivore - no sysadmin in their right mind would welcome a "black box" to become part of their LAN, and at the same time be accessible remotely.
Slackware used to be my favorite, simply because it was secure and neat, but it used old libs and sorta died.
Welcome back, too bad you haven't followed the Slackware releases more closely - the latest (7.1) contains the latest stable kernel (2.2.16) with the newest libraries and even an option for XFree86 version 4.
From the Wired article (Shamos is one of the MPAA witnesses): "The same thing is going to happen to videos as happened with Napster," Shamos told a packed courtroom.
;-)
Since all statistics show record profits for the music companies despite the existence of Napster, this implies that there will be record sales of DVDs and record profits for the movie companies. Well, we sure can't have that!
I also got the friendly "We are sorry. The database is currently overloaded. Please try again later." page.
Of course this means that instead of the few thousands we may be talking about few hundred thousands in the membership-at-large.
Well, given that "The Moscow Times" is an English language newspaper, I don't see what is disturbing about it...
Well, we can always hope to get there:
(voice of HAL) I cannot let you do that, Dave.
Then I would suggest that once the status becomes Maintained, they are moved to a different list, so that we don't need to look through all of them to find out which are still orphaned. Of course, I think that this is lower priority than getting all the different lists of non-maintained projects in one place...
For a site of "orphaned" projects, why do so many of them have a status of maintained?
If IE has better caching technology, Mozilla should adopt it.
It is not better caching technology (my very unscientific numbers in a previous post probably show that), it is the default setting in IE to load a cached copy of a page without checking if there is a newer one on the server. Mozilla can do the same, but it is not a default setting.
This is what I am talking about:
- start IE
- start Mozilla
- go to Slashdot (IE brings a cached page from 3 hours ago, since this is the default browser setting)
- hit the reload button in Mozilla - takes 3 seconds to reload
- hit the reload button in IE - takes 5 seconds to reload
Repeated over 10 tries: 2.8 sec for M16, 3.2 for IE.
I am sorry, but start-up times are irrelevant to me, as the browser stays minimized, but running all the time...
I don't understand why Garbus didn't push him on the point. It's a very important point.
Hopefully so that he can bring it up at the trial and have them thrown in jail for perjury.
Could you tell us what platform you are running on? While I can find pages which don't display properly in M16, these three have no problem under NT 4.0, SP5:
http://www.mozilla.org (they make Mozilla)
http://www.mozillazine.org (the main Mozilla info/discussion site out there)
http://www.w3.org (they make the standards to which Mozilla is supposed to conform)
Or are you just trolling?
Mozilla may be slower than IE on Windows
That is strange - both M15 and M16 (used to post this) are significantly faster than IE 5.01 on a PII 450MHZ 128MB RAM under NT... Could it be that clueless newbies are confusing the loading of cached copies by IE as "faster loading"?
Remember - you heard it here first! :-)
One idea that I've heard (and I don't know whether to like it or fear it), is that packets will negotiate their priority by "paying" a toll to the routers. I am not aware of anything out there implementing this, but it is at least a very interesting problem to study, and model.
What is software? Software is code, in both object and source form. Code is copyrightable, and this is good; it lets you protect your work from those who would steal it, by whatever you define "stealing" to be (the GPL and Microsoft's standard EULA differ only in their definition of what stealing code is; other than this they do exactly the same thing).
Not true: the GPL grants you additional rights to the ones you would normally have with copyrighted material, while most EULAs try to take away rights you should normally have with copyrighted material (e.g. reverse engineering).
If you know C, and can spend enough time with them over the summer, this will be invaluable experience for your kids...
'highly trustable' signers (as one might imagine Larry Wall, Randal Schwartz, and Tom Christiansen to be)...
I wouldn't trust Larry Wall - after all, he invented Perl, didn't he? Imagine what he could do if he got "highly trustable" rights on a whole bunch of computers - how many more ways would he find to do everything...
;-)