Slashdot Mirror


User: Nonesuch

Nonesuch's activity in the archive.

Stories: 0 · Comments: 989

Comments · 989

  1. When Gov't says "Trust us", you need to worry! on First Look Inside Carnivore · Score: 2
    Why worry?

    This box is basically a packet sniffer owned by the government and dropped onto the backbone of an ISP, situated to intercept all traffic to and from the ISP's mail server(s).

    The FBI can only place the box with a warrant, and they claim that once in place, Carnivore will only retain information about mail messages to and from the specific individual targeted by the warrant.

    However, in order to do that, it must first intercept the headers and bodies from all messages to all customers of the ISP. The FBI says "Trust us, we have programmed Carnivore to throw away all of the non-target data".

    It's not "ILLEGAL OR QUASI-ILLEGAL ACTIVITIES" that you should worry about, it's anything you do or say via e-mail that the current or future administration might object to, or use as dirt if you ever run for office, work to oppose new legislation, or just annoy somebody who has connections to your local FBI office.

  2. Identify Carnivore remotely? No. on First Look Inside Carnivore · Score: 3
    I seriously doubt that the Carnivore host is going to be assigned any IP address on the ISP's network.

    It's doubtful that the network card will be physically capable of responding to any packets, so antisniff, nmap, Satan, etc. will not do you any good.

    One such product I have worked with is the Shomiti Century Tap, a 10/100Mbps full duplex transparent network tap. Undetectable without either a TDR or physically tracing the wires.

    This also means that unless you have physical access to the machine (e.g. you work for an ISP at which the FBI has placed a Carnivore box), there is little possibility of running any exploits against weaknesses in the underlying OS.

    From the articles I have read, the Carnivore dumps the collected evidence to tape; the FBI can then send an agent to retrieve the tape from the ISP. This makes sense from a 'chain of custody' standpoint: it's easier to explain to a judge how the FBI is sure the evidence has not been tampered with than if it was uploaded electronically to www.fbi.gov.

  3. Not another reason for Linux on First Look Inside Carnivore · Score: 1
    No, your assumption is incorrect.

    Carnivore runs on FBI-supplied hardware, not on the ISP's mail server directly.

    The Carnivore box works like any packet sniffer, it needs to be on a hub or switch's span port to receive a copy of all traffic destined for the ISP's mail server.

    If the FBI had decided to use Linux as the underlying OS, would you still be as joyful?

  4. My favorite quote from the article on The Universal Planar Manipulator · Score: 2
    "You could have this anal-retentive table," Reznik said. "If anyone moves the salt shaker, the table would move it back to its position. It would always be perfectly set."
    Coming soon to a Sharper Image near you, the all-new Felix Unger model kitchen table.

  5. Previous Stock Data Vulnerabilities on White Hats Take NASDAQ Through MS IIS Hole · Score: 4
    An article in Linux Weekly News has details on Standard & Poor's security breach from this spring.

    A followup article on Technology Evaluation at (Slash may mangle this URL) http://www.technologyevaluation.com/research/research highlights/security/2000/06/news_analysis/na_st_lpt_06_21_00_1.asp explains some of the implications of weaknesses in stock data services.

    What is ignored are the secondary effects: when these weaknesses are exploited to manipulate the market, the long term result will be loss of trust in news feeds and stock information services.

    It seems that all of the major financial news services have had serious security problems this year: Comstock, Bloomberg, etc.

    Who can you trust to supply good data?

  6. Re:Solaris _is_ 'free' for _commercial-use_ too! on Sun Considers Switching Cobalt to Solaris · Score: 2
    Check the new license for 'free' Solaris 8.

    Specifically, it states:

    New Pricing: $0 License

    To provide greater access to the Solaris Operating Environment and encourage innovation on this .com platform, Sun announced it is dramatically expanding access to the Solaris 8 Operating Environment.

    Individuals and organizations can use the Solaris 8 software throughout their environment for commercial and non-commercial use, for the cost of media plus shipping.

    In a one-two punch, Sun is also slashing the cost of the Solaris 8 source code license to $0.

    "We're moving to a service-driven model to maintain innovation and scale," says Ingram. "We're giving our communities a free license to use the source, while also providing them with a portfolio of world-class support services to help them .com their businesses. It's a combination that can't be beat."

  7. Cheap Sun hardware. on Sun Considers Switching Cobalt to Solaris · Score: 1
    You don't have to have an UltraSparc to have Sun hardware.

    If you want to play with Sparcs, pick up a used Sparc 20 with the SM71 CPU, they go for $500 with 128M, 2+ GB drive, video card, and CDROM.

    Yes, it's slow compared to your 550MHz AMD monster, but the Sparc 20 will run Solaris 7 and 8, OpenBSD, and I even hear it runs Linux, though I've never tried.

    Nearly every free and commercial software package for Solaris will run on a Sparc 20... it might be slow, but it will run.

    If you think that a 75MHz Sparc CPU isn't fast enough, move to the SM81, and/or add a second CPU; Solaris has some of the best SMP code anywhere.

    If $500 is too much for you, you can pick up an old LX or even an IPX for $20-$50. These are very slow, obsolete, and not very upgradeable, but they were built by Sun...

  8. Hostility? on Sun Considers Switching Cobalt to Solaris · Score: 1
    Isn't getting into the low-end server market (lower even than the Netra T1's target market) the reason Sun purchased Cobalt?

    I doubt Sun is going to raise the price of the Cobalt RaQ4 (Currently at $3K, list) if/when they start using Solaris instead of Linux.

    And by that I mean, businesses who won't be ruined if their systems crash for a few hours.

    Now there's a lukewarm endorsement of Linux if I've ever seen one.

  9. Solaris upgrades are free. on Sun Considers Switching Cobalt to Solaris · Score: 1
    Sounds good in theory, but in reality, Sun has not been charging for upgrades in the last several years, if ever.

    Until recently, Sun sold rather expensive licenses for Solaris X86; now it is 'free', for $75 media cost: http://www.sun.com/software/solaris/binaries/.

    The last time I paid for an upgrade from Sun was to move a network of SunOS 4.1.3 boxes to Solaris 2.5.1. I contacted our Sun Sales rep, who told me that:

    • All Sun hardware comes with a 'Right to Use' license for SunOS, and free upgrades, including to Solaris.
    • A copy of the Solaris media kit for Solaris 2.5 from a Sun Reseller was $199.
    • I only need one copy regardless of how many machines I upgrade; the 'media kit' is not a license.
    • Sun doesn't make money off upgrades, they make money off support contracts and hardware.

  10. Solaris _is_ 'free' ! (esp. with Sun hardware) on Sun Considers Switching Cobalt to Solaris · Score: 1
    Solaris (for machines with fewer than 10 CPUs) is free; the only cost for a Solaris 8 license on Intel or Sparc is the $75 'media fee', which gets you a LOT of media, it's not a bad deal.

    Since before I can remember, any purchase of a computer from Sun comes with a 'Right to use' license for Solaris, and installation media. This would extend to new purchases of Cobalt hardware, in which case their 'paid' OS is a 'free' OS.

    Perhaps your complaint is actually that Linux is an 'open' OS, while Sun has yet to make good on their promise to 'open' the source to Solaris.

  11. Binary Compatibility on Sun Considers Switching Cobalt to Solaris · Score: 1
    I could (but don't) run Linux binaries on my *BSD systems. I can (and do) run SunOS/Solaris binaries on my Sparc OpenBSD systems.

    Sun is actively working on supporting Linux binaries and porting Linux drivers to Solaris, so the Cobalt x86 boxes could run the Solaris kernel and yet still natively execute your Linux x86 binaries.

    Just because it isn't Linux, doesn't mean it isn't any good.

  12. Re:Lame Excuse on Sun Considers Switching Cobalt to Solaris · Score: 1
    It makes sense to me.

    A 'new version' of Solaris on the Intel (Cobalt offers Intel now) platform would be easy to support in the long run, they would just compile with slightly different defines than the standard release.

    Much easier than supporting an entirely distinct, rapidly changing, Linux kernel.

  13. Cobalt goes Intel, Solaris runs on Intel. on Sun Considers Switching Cobalt to Solaris · Score: 3
    UltraSparc chips, even the new low-power versions for laptops and small servers, are considerably more expensive than Intel.

    Cobalt was dropping MIPS support long before this, going to pure Intel. Solaris already has Intel support, and is actively supporting the Intel versions.

    Solaris on Intel is 99.9% the same source code as Solaris on Sparc. Only the kernel and 64-bit support differs.

  14. Re:Xterm?? on Yup, Somebody Cracked Slashdot · Score: 1
    Whether or not the server runs X, the 'xterm' binary is all that is needed to throw an Xterm back to the attacker. If the binary is not installed, it's seldom very difficult to cause the machine to download it as part of your exploit code, but these days most people just pull in 'netcat' and have that tie a shell prompt to a listening port.

    There's no reason a web server host should ever be allowed to initiate connections of ANY sort to hosts outside the local network. All the HTTP requests are incoming-only and only port 80; the only outbound requests the server should make are to the local database server, etc.

    Admins need to understand the concept of 'defense in depth'. Put filters (or a separate filtering router) between the internet and the firewall, disallow outbound access for servers at the firewall, install IP-Filter on the web server hosts themselves, and harden the OS on each host.

    Development networks should not have access to the live network, much less the live database.
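    As an added illustration (not part of the original comment), here is a host-level IP-Filter ruleset of the kind the comment recommends for a web server host: inbound HTTP only, outbound only to the local database server, everything else blocked and logged. The interface name (fxp0) and the addresses are constructed placeholders.

```conf
# ipf.conf for a web server host (constructed example; fxp0 and the
# 192.0.2.x addresses are placeholders, not from the original page).
# IP-Filter evaluates rules top to bottom; "quick" stops at the first
# match, so the catch-all block rules at the end only see traffic that
# no pass rule above accepted. Without them, ipf's default is to pass.

# Loopback is unrestricted.
pass in  quick on lo0 all
pass out quick on lo0 all

# Inbound: only new HTTP connections to this host (192.0.2.10). "keep state"
# lets the replies out without a separate outbound rule.
pass in quick on fxp0 proto tcp from any to 192.0.2.10 port = 80 flags S keep state

# Outbound: only connections this host itself initiates to the local
# database server (192.0.2.20, PostgreSQL on 5432), again stateful.
pass out quick on fxp0 proto tcp from 192.0.2.10 to 192.0.2.20 port = 5432 flags S keep state

# Everything else, in both directions, is dropped and logged via ipmon.
# A logged outbound SYN from this host to an outside address is exactly
# the event the comment describes (a compromised server calling back out)
# and is the line to alert on in the ipmon log.
block in  log quick on fxp0 all
block out log quick on fxp0 all
```

    The same intent belongs at the site firewall as well, so that a host whose own filter has been disabled is still denied outbound access.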

  15. Re:you failed to *change* the password? on Yup, Somebody Cracked Slashdot · Score: 2
    Too much of linux and opensource have this idea that boxes should be "locked down" and "hardened" after installation. Really smart people say that, but it's totally wrong. Boxes should start out without known ways of getting in. Any access should be "opened" or "unlocked" or even "softened" if that's what you want to say.
    Exactly the philosophy behind OpenBSD. I like this quote from the ChangeLog:
    • 019: SECURITY FIX: July 5, 2000
      Just like pretty much all the other unix ftp daemons on the planet, ftpd had a remote root hole in it. Luckily, ftpd was not enabled by default. The problem exists if anonymous ftp is enabled.

    Now that is what proactive security is all about.

  16. Don't use the same password on multiple sites. on Yup, Somebody Cracked Slashdot · Score: 1
    Never use the same password for two un-connected web sites.

    If you run Windows, one program I trust to store passwords is Bruce Schneier's Password Safe. Store your passwords in a passphrase-protected database using Blowfish encryption.

    Similar (but incompatible) software using Blowfish is available for Macintosh, and Palmtops.

    I'm still looking for an X11 equivalent.

  17. Slashdot should support client cert authentication on Yup, Somebody Cracked Slashdot · Score: 2
    If Slashdot supported SSL and client certificates, we would have no need to change our passwords when the database is compromised; restore the backed up data to fix any client certificates that were changed by the hackers, and all is well.

    Using certificates instead of username+password also eliminates the possibility of my password being stolen when somebody on my LAN or at my ISP sniffs the cleartext HTTP traffic.

    This goes back to one of my comments on the question of 'Should Slashdot charge for access?', the concept of having an enhanced account level with SSL support, and giving SSL traffic a higher priority on the WAN/LAN links to the servers.

    Call it a 'subscription' and I can get my employer to pay for it.

  18. Ameritech/SBC can't get anything right in Chicago on On the Reliability of DSL Providers... · Score: 1
    This is no surprise, I've never once had a new install from Ameritech go right the first time.

    They still have a de facto monopoly on service in Chicago. It's gotten to the point that I've dumped my analog service, I now only have ISDN for data and a Cell phone from Verizon.

    Over the last decade I have been involved with installation of many analog lines:

    • 3 T1 Circuits
    • 12 T1 Circuits
    • 50 Analog lines (mostly for modems)
    • 100+ ISDN lines (mostly for telecommuting)

    Not a single one of these circuits was fully functional on the due date. I've had T1 and ISDN circuits 'disappear' months after they went live, because a line technician thought they were idle pairs and reused them for some other customer down the block.

    On my personal ISDN line, Ameritech took three months to get the line live, and eight months after that before I got my first bill, totaling nearly a thousand dollars.

    Disclaimer: I've worked for Ameritech (AADS), they did manage to pay my consulting fees on time, but all other facets of the company suck.

  19. Focal DSL in Chicago? on On the Reliability of DSL Providers... · Score: 1
    We are considering providing our membership with DSL service, so far we are considering Focal's offerings.

    Focal claims that they do not oversell the DSLAM, a major complaint with other local providers. Any comments on Focal's service?

  20. The reason OpenBSD exists on FreeBSD 4.1.1 Includes RSA · Score: 2
    Your complaints about bloat are exactly why OpenBSD exists, and a major part of why OpenBSD is more secure than other Unix distributions.

    OpenBSD does include a lot of extra junk, but a default installation has Apache, etc turned off by default.

  21. Re:Here's how it got decided on IIT To Review Carnivore · Score: 1
    Come on Adam... you attended IIT, you of all people must admit that it has problems.

    Hey, for a school based in a third-world country (AKA the neighborhood of the Chicago Housing Projects), second rate is not half bad.

  22. Re:Stressoholic managers force stress on IT staff. on IT Stress In The Workplace · Score: 1
    I wish.

    Scientologists are consistent, you can understand and predict their actions. This guy has other major problems.

    My New Rule

    Never work for anybody whose name is also a term for a psychiatric disorder.

  23. Re:Silicon Valley Sucks on IT Stress In The Workplace · Score: 1
    Interview there now, move after you get a job.

    Personally, I couldn't see living in California. I need a job where I can telecommute 90% of the time, so I can pick a state to live in distinct from picking the job I work at.

    Anybody need a Solaris/OpenBSD/Cisco network security analyst? I won't need to ask for six figures if work will pay for my T1 line.

    Send email for the URL to my resume...

  24. Stressoholic managers force stress on IT staff. on IT Stress In The Workplace · Score: 4
    At my last full-time job, I officially reported to the IT director.

    In reality, everybody in IT was directly commanded by the CTO, who craved stress. He would intentionally delay taking actions on small problems until they turned into a crisis. Network Operations staff would end up working an unscheduled sixteen hour day at least once a week, due to avoidable crisis situations. Come in an hour late the next morning after working 8AM-Midnight, get yelled at.

    This same guy raced sailboats on the weekend, and treated all of 'his' (regardless of who they reported to) employees as if we were crew on a sailing vessel.

    Insubordination, any hint that you were looking at other positions at a less insane company, and you would be forced to 'walk the plank' (resign), gone by lunch time, never to be spoken of again.

    So yes, stress is sometimes very much a direct result of bad management. In this case, Mr. Stressoholic is still the CTO, their stock is still rotting at a quarter of the IPO price, and nobody in management understands why they cannot hire (or retain) good people in our field.

  25. The origin of 'Mithral' on Distribute Stuff: Cosm Project's CS-SDK · Score: 2
    I knew the guy who founded Mithral, back when he was a bored CS geek at IIT who was running out of names, and I can confirm that your guess is correct.

    Hi, Adam!