Forgot your password?
typodupeerror
Privacy Your Rights Online

FBI E-Mail Wiretaps - The Carnivore System 353

Posted by Hemos
from the the-man-is-listening dept.
CharlieG writes "It seems the the FBI has been electronic wiretapping various e-mail accounts for a while now. First with a system called Omnivore, and now with a "More Selective" system called Carnivore. You can read about it on MSNBC.COM"
This discussion has been archived. No new comments can be posted.

FBI E-Mail Wiretaps - The Carnivore System

Comments Filter:
  • There's always somebody who says this, but they never manage to present any evidence. You wouldn't happen to have any evidence lying around, would you?


    ...phil
  • What if the police were snooping on conversations over short wave radio by tuning to the frequency of the people they were interested in.

    Bad example. Radio is inherently a broadcast medium, e-mail is more-or-less directed.


    ...phil

  • Not so. The first 10 amendments were agreed on before the Constitution itself was put in place. Indeed, the Constitution was ratified only with the agreement that the 10 amendments would follow; Several states' representatives refused to agree otherwise.

    So "amendment" doesn't mean "afterthought". Politics. Such fun stuff.
  • Really? Care to say how? Do you mean a backdoor in the program (the source is available) or a problem with the encryption algorithms? Are you a mathematician? Do you think the NSA has managed to prove that factoring isn't NP (which would be quite an accomplishment, esp. for a government organization)? Or, maybe, you mean that they've managed to prove that problems in NP can be solved more quickly (which would be the greatest mathematical achievement in decades). Truth is, if factoring cannot be solved in less than polynomial time, no organization, no matter how many mathematicians they employ, is going to be able to crack PGP fairly quickly.

    Heard of TWINKLE [counterpane.com]? How far ahead of this do you think the NSA might be?

    FWIW, I once worked a case for the FDLE, after which they tried to recruit me for their computer crimes unit. They were quite sanguine about encryption, saying they regularly shipped encrypted documents off to the NSA for decrypts, depending on how crucial they were to the case.

    Also remember that given access to the private key, keylength is less important than passphrase strength.

    It takes some work to use PGP securely, and ultimately, if some TLA wants your cleartext, they'll get it one way (cracking crypto) or another (Van Eyck, TEMPEST).

    -Isaac

  • "It's also a matter of principle that criminals need to be stopped, and that these kinds of measures need to be taken for the betterment of society. After all its no use having free access to source code if you're barricaded in your home by armed criminals is it?"

    Let's start by realizing that different people have different sets of ethics, and not everyone believes that the government has a strong sense of ethics. For example, I am confident that the government is extreamly hypocrytical, which by my sense of ethics is one of the worst things possible.

    Asking dictionary.com about 'principle' gives "basic truth, law, or assumption", "A rule or standard, especially of good behavior" and "The collectivity of moral or ethical standards or judgments".

    When you say "It's also a matter of principle that criminals need to be stopped...", it's reasonable for me to ask "Who's principle, who's ethics, which laws, and at what price?"

    The question many people are raising is if catching the criminals is important enough to justify breaking the law, violating the constitution, and ignoring the bill of rights.

    My answer is "No, of course it isn't worth it! The rules of society, as described by the constitution, make it clear that catching the criminals is NOT the most important thing."

    Let me make this as clear as I can manage. The 'betterment of society' is not served, and is in fact harmed, by a law enforcement group which intentionally violates the law, ever, even once. It doesn't matter if they catch a thousand murders and ten thousand rapists at the same time, if they had to violate one law to do so, they have made the world a worse place. It's simply a matter of principle.

    Obviously my principles are different from yours.

    And to answer your question, it depends on the criminals. In particular, it depends on what laws they are guilty of breaking. I mean, it makes a big differance if they are all guilty of murder, say, or just, you know, jaywalking or speeding or maybe growing a bit of pot and then smoking it.

  • "Sorry my friend, but ethics are ethics, and have been laid down from a source that cannot be denied."

    Wow. I'm just amazed.

    You can't argue with logic like that. You can point and laugh, but you can't argue with it.

    Just for the record, in order to prove that it can be done, I deny them. I also deny your god. Please refrain from stating that it isn't possible, as it obvious is. Tell me again that I can't deny something, and I'm likely to do just that, if I want.

    It is my belief that criminals can be caught and punished without breaking the law. It takes a little more work, but it's still possible.

    Breaking the law in order to catch someone and punish them is a lot like the death penalty. Is it fair for me to assume that you don't agree with the death penalty?

    "And as I believe I've said before, sin is sin, and trying to count the "amount" of sin is a foolish and pointless exercise. If you are guilty of a crime, you must be punished. It's as simple as that."

    You seem to be confusing 'sin' with 'crime'. Crime is defined by society. 'Sin', for those who believe, is defined by some higher power.

    the important point here is that society can, and often does, change the definition of crime. Drinking alcohol in the United States is a good example. It's legal. It's illegal. It's legal again. Of course, this caused some confusion.

    It is my belief that there currently exist many laws which actively harm society. Society would be better off without some of the laws.

    I'm willing to suppose it may be a bit of a leap for you to agree that some laws harm society. Let's see if we can agree that there are laws which are just downright silly, and don't need to exist.

    Please refer to www.dumblaws.com [dumblaws.com] and see if you can find even one law which makes something a crime when it need not be.

    Failing that, please explain the ethics behind this law:

    New Mexico, Las Cruces:
    You may not carry a lunchbox down Main Street.

    Is this a crime because The Lord told someone it should be?

    Is it a sin?

    Does it harm anyone?

    Can you suggest any possible reason for this law?

    Can you begin to understand how I might think that someone might be guilty of a crime yet still not need to be punished?

  • by trog (6564)
    While you are correct in your statement that PGP has never been "cracked", this is an over-simplistic view of the software's strength. Any mismanagement of the way the protocols are used could possibly weaken the crypto, which could be enough to be cracked. The algorythms are only as secure as they proport to be when they are implemented according to their reference implementation. While no one has the computing power to brut-force full strength RSA, perhaps an inadvertantly crippled RSA could be broken. This is a big problem with any crypto implementation.
  • by trog (6564)
    This is not the case at all. Recently, there was discovery of a bug in PGP that made it possible to guess keys. See http://www.securityfocus.com/bid/1251

    There have been several other bugs found in PGP; I can't remember the specifics, but I believe that the above bug was in PGP for over a year for being discovered, in spite of the fact that the code was open for everyone to see.

    If you've ever actually looked at the code for PGP, you'll see it's HORRIBLE. PGP is coded really sloppily. My comments were more directed at the high probability of an acidental implementation error due to programming practice, not an intentional crippling.

    This is particularly the case with Open Source projects, as willingness to code something rarely translates to being the best person to do it. Bruce Schneier commented on this in his Cryptogram newsletter. See:

    http://www.counterpane.com/crypto-gram-9909.html

    http://www.counterpane.com/pitfalls.html

    http://www.counterpane.com/whycrypto.html

    And please, this isn't a flame. This is born out of experience.
  • There is a fairly easy work around that piece of legislation. IT has been used in the financial community for a while now. What you need to do is have your Key being held by a custodian outside the UK jurisdiction. Then set up an agreement that in the case of any legal action against you the custodian is automatic required to refuse delivery of the key to you. That way you can not be held in contempt since you abide by the law requesting the key, but you are not getting it since something outside your control hinders it.
  • Exactly! Which is why I refuse to work anywhere that a drug test is mandatory. I don't use illegal drugs, just the legal ones. :-) I do, however, refuse to work where I AM NOT TRUSTED.
  • ...we have a set of ethics which we were given by the Lord.
    ...
    "Sorry, we could have stopped it, but I would have had to jaywalk to do so, ...

    ... And our Lord Jesus H. Fucking Christ spread his buns, and said: "Thou shalt not jaywalk, and always cross on thy green lights"... [Peter 89:45.12]


    --
    Here's my mirror [respublica.fr]

  • The idea that the FBI can scan E-mails as they enter or leave your ISP sounds scary at first, but what you have to remember is that you are not a criminal. They're hardly going to want to read your E-mail about your trip to see your sister at BJU are they? It's not like there are people reading your personal mail, it's just a machine and can't make value Judgements on what you write.

    So, if you're not afraid of the FBI looking at your e-mails to your sister, you're surely not afraid at letting ME look at those same e-mails, no?

    By the same token, you won't mind either me looking at those e-mails you sent to that chick you met last month at Catalina, no?

    Can't you see it's a matter of principle, or are you just dumed-down by mass-media hysteria not to realize your fundamental rights are being trampled???


    --
    Here's my mirror [respublica.fr]

  • The link on the page is bad, their home page is here [bikershome.com].
  • Just encrypting your e-mail with PGP is not enough. The sender and recipient histories can still be tracked. Here is my proposed solution to this problem...

    Have several anonymous remailers scattered around the world with well published public keys. Each remailer will decrypt the message with it's private key, find the new sender in the decrypted message, strip the original envelope information, and send the message along to the next remailer.

    Your message ends up encrypted in multiple layers that get stripped off one by one by each remailer. Eventually, it will get to its destination where the recipient will strip the last layer of encryption off.

    This way, there is no reasonable way anybody can track who you're getting messages from, or who you're sending them to. Even if the remailers keep connect logs, or message logs, you still can't tell.

    I'm thinking of writing this up as a python script that uses gpg and that can be set up as a filter in your .forward or .qmail file.

  • One possibility would be extending sendmail. If sendmail.org added a secure version of the various protocols (using the (almost) newly expired RSA public-key system), it would be invisible to the user.

    I suppose one could have SMTP report if it supports the new protocol, (SHLO to go along with EHLO/HELO ?) and if wherever the mail is being send does, you could use an extended set of commands to request a public key (KREQ ? ) from the server, send a session key (SKEY ), and encrypt the remainder of the session.

    Since sendmail is nearly umbiquitous, they could define the protocol however they pleased, publish it as a RFC per the usual routes, and have a defacto standard. One could (should) do the same thing with http, IMHO. Of course that would be up to the WC3.

    Unfortunatly encrypting the content of SMPT transfers/http doesn't protect against traffic analysis. Oh well...
  • With steganography you are hiding the fact of encryption.
    You can have the strongest encryption in the world, and it will not protect you from a subpoena for the (private) key.
    Security through obscurity isn't "bad" any more than lemurs are "bad".
    When security through obscurity interferes with the verification and validation of an algorithim, that will make the algorithim weaker. That could be considered bad.
    When you think you are hiding information and you are not, that could be considered bad. The link [outguess.org] that I gave is to a steganography program that helps to hide the fact of seganography from stegonagraphic analysis.
    I should, and do, use a lock on my safe that is so good that I can put that safe on a street corner, complete with a diagram of the lock, and no one can get into it.
    But I think I'll put that safe (with that same strong lock) in my house, instead. Maybe behind a portrait.
  • The idea that the FBI can scan E-mails as they enter or leave your ISP sounds scary at first, but what you have to remember is that you are not a criminal.

    Sure that's how it starts, but I challange you to find a time in modern history where power DIDN'T corrupt. It's not a matter of if, it's a matter of when they begin to use this to go after political dissidents and anyone else they don't like.

    Finkployd
  • Internet wiretaps are conducted only under state or federal judicial order, and occur relatively infrequently.

    And they use the magic words "drugs" and "terrorism", so anything they do is ok. Really.

    "'National security': the root password to the [United States] Constitution." - Phil Karn

  • PGP is okay, but I'm moderately certain the NSA can crack it fairly quickly. Don't know about the FBI.

    Really? Care to say how? Do you mean a backdoor in the program (the source is available) or a problem with the encryption algorithms? Are you a mathematician? Do you think the NSA has managed to prove that factoring isn't NP (which would be quite an accomplishment, esp. for a government organization)? Or, maybe, you mean that they've managed to prove that problems in NP can be solved more quickly (which would be the greatest mathematical achievement in decades). Truth is, if factoring cannot be solved in less than polynomial time, no organization, no matter how many mathematicians they employ, is going to be able to crack PGP fairly quickly.

    You're right about the social engineering part, though.
  • Someone who makes jokes about black people being "shiftless" in emails is unfit for public office, and as a citizen, I have the right to know that I'm being asked to vote for a Kloset Klansman.

    So you've never done or said anything in your life that wasn't politically correct? Even back before there was a concept of politically correct? Never told or laughed at a blonde joke? I hope you never plan to run for office, then - I guess you wouldn't get your vote.

    The public will just have to continue to evaluate candidates on the same basis that we evaluate each other - based on what they say and what they do in public. You have no right to anyone's private communications, and without a court order neither does the government.

  • So, if anyone finds or guesses the list of people the FBI listens for, cc: them and/or spoof them in every email you send. Add a few extra X-headers to trip it up. It'll fit nicely with the X-Jam-Echelon header, and will in fact maybe even be synergistic.

  • It's always nice to know that the FBI has given up on plantae and is only going for animalia now. I mean, with all the decision involved before, they had to choose if they wanted greens or blood!
    I wonder if I'm meat or celery to them . . .
  • Hmm, if we open up our lives and give away privacy, we can exchange it for security!
    I think it was Winston Churchill who said, "He who would give up privacy for security deserves neither." How about that?
  • It doesn't suprise me to hear that the NSA is used by other organizations to break encrypted documents.

    However, I would bet that a lot of those documents were encrypted using regular DES. The NSA can probably break DES in a minute or two by brute-force, using specialized hardware.

    However... Suppose they can break Triple-DES, or Blowfish, or RSA, or whatever.

    It is important to note that it would be difficult for them to safely use that information.

    If the FBI/NSA/CIA/DOJ/DOD/whatever ever did something using knowlege that could have only been obtained by breaking one of those codes, the cat would be out of the bag.

    The situation is very similar to Bobby Shaftoe's division in the Cryptonomicon, which had the job of running around creating plausible "cover stories" to explain why the Allies knew so much.

    For the NSA et. al. to USE information they got from breaking 3DES or one of the other "strong" systems, they would first have to create a plausible alternative way for them to have obtained that information. And, that would have to be a legal way if they wanted to use it in court.

    Now, they may do that. Apparently, they get a lot of "anonymous tips". Uh huh. But if there are say, three or four people in a conspiracy to cream-pie the president, and they only communicate through PGP, with good passphrases, and they are careful about Van Eck and other bugging... if they get caught and dragged in front of a judge, how will the Secret Service present the evidence?

    As soon as the secret is out, people would switch encryption methods. (Well, some people. The people who care enough to use encryption, anyway.)


    Torrey Hoffman (Azog)
  • Yes, but the effect is the same. If the conspirators get arrested, they will realize that either:

    1. Their encryption was broken
    2. Or, they were bugged (but why?)
    3. Or, one of their members is a traitor
    4. They screwed up some other way that got the cops onto them.

    If they are confident enough to rule out #3 and #4, 1 is the only other choice.

    So assume they get their day in court. Even if the Secret Service doesn't present evidence from broken encryption, (and instead uses evidence from regular bugging, search and seizure, whatever) the question still arises: Why were these people under investigation in the first place?

    What got the Secret Service looking at them? Was it just because they were using PGP? Not likely - too many people use PGP for them all to be checked out. So, their messages must have been cracked and scanned for incriminating phrases.

    The conspirators lawyer will ask for sure. And the secret will be out. Or at least, people will be suspicious. If it happens a few times, people will believe the NSA can crack PGP.

    This hasn't happened yet. So either the NSA cannot crack PGP, or they have been very very cautious how they have used the ability.


    Torrey Hoffman (Azog)
  • by jilles (20976)
    True, but at least it's a bit more controlled than right now while still working transparently for the user. Of course a long term solution for email is to build encryption into the mail protocol.

    But the thing I was trying to show is that the way we currently deal with networking is unsafe. TCP deals with reliable point to point connections, but these connections are unsafe. It leaves it to applications on top of it to deal with encryption and most applications don't do this. I would like to see encryption pushed down in such a way that it works transparently for applications. E.g. if I'm chatting through ICQ with a friend, the connection used by the two clients would be automatically encrypted.


  • [Retrieve hammer from hardware store]

    Speak these words: "Steganography equals security by obscurity."

    [Inflict one wound to torsoe with hammer]

    Speak these words: "Security by obscurity is bad."

    [Inflict one wound to torsoe with hammer]

    Speak these words: "The encryption I use should be so strong that I should be able to give encrypted copies of my deepest, darkest secrets to anyone that asks for them, provide them with the software I used to encrypt it along with a whitepaper describing how my encryption method works, teach them how to use it, and be confident that they won't be able to read that document."

    [Pin 1st place ribbon on chest; you've won!]
  • BZZZZT, wrooong, but thank you for playing.

    Steganography isn't for keeping information unreadable.You can already do that with encryption. The point is that you may not be able to send encrypted information through open channels without a man in black coming to your door and busting your aft section for "hindering the work of law enforcement" or something like that.

    The point of steganography is to hide the fact that you're communicating encrypted data in the first place.

    Yes, that smells like security through obscurity, but imagine this: You have an encryption algorithm so devious that it's unbreakable (in reasonable time, I mean) and the resulting data is indistinguishable from the stuff you get from /dev/urandom on a good day (which means that it can't be proven to be encrypted data and not meaningless noise). Now hide that data in the low-order bits of an image (replacing the already random enough data there) and no one can prove the data is encrypted since there is no significant difference between the output of (say) RC4 and cat /dev/urandom.

    Admittedly there are some caveats to this particular technique (although they can mostly be avoided if care is taken):

    • There are some (computer generated, mostly) images where the low-order bits aren't random enough in the source image that replacing them with noise would go undetected. With good selection of the carrier data, this doesn't matter. Just use scanned photographs or something like that.
    • Not all encryption algorithms and/or keys are good enough to get you encrypted data that can't be distinguished from noise. RC4 comes pretty close; I'm not sure about other algorithms.
  • Just one interesting side point to #2.

    IIRC, the US Government is the single biggest employer of Mathematicians worldwide.

    Care to guess how many of those are doing crypto?
  • Unfortunatly encrypting the content of SMPT transfers/http doesn't protect against traffic analysis. Oh well...

    It doesn't even protect against the FBI getting the plaintext. Remember, the wiretaps they're talking about here are with the (sometimes grudging) consent of the ISP, so if encrypted SMTP became the norm they'd just require the ISP to provide them with the private key of the mailserver as well, or to provide a tap into the unencrypted stream within the server software itself. The only way to be sure of your encryption is to trust both ends of the link.

  • Have you considered that there are people working for the government who care about our country as much, if not more than, we do?

    I enjoy comments such as yours, as it gives me an opportunity to trot out one of my favorite qoutes:

    Of all tyrannies a tyranny exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience. -- C. S. Lewis (1898-1963)

    According to you, we in the USA no longer need the 1st, 2nd, 4th or 5th amendments. Why should the FBI (or any LEO) be burdened by having to go to a court for a search warrant? surely, if you have nothing to hide, you have nothing to fear if they show up and ask to inspect your residence. And why shouldn't criminals be made to testify against themselves???

    Oh, yeah, I'm sure I'm gonna trust 'em to be honest. They wouldn't break any laws, like allowing the White House access to background check files of potential political foes. They wouldn't plant evidence, or give false testimony (hey to the L.A. PD!), nor do anything unjust!

    No, never!

    James

  • How about last post??
    -russ
  • You have no clue. Cryptographers are quite certain that 1024-bit keys generate uncrackable crypto. 512 they're less certain about.
    -russ
  • BTW, how does wiretapping interact with encrypted data? What if they tap the email and discover that it's all PGP'ed? Can they brute-force it?

    At the surface, it seems like they should be able to brute force it consistent with the court order for the wire tap. Just out of curosity, though, what about the DMCA's protections on decoding encrypted information?

    To wit: From Jack Valenti's, MPAA Chairman, deposition [cryptome.org]:

    10 Q You said any use of DVD that involves
    11 coping is illegal. Is that right?
    12 A I think what I said was, any time you
    13 circumvent encryption according to the DMCA you're
    14 violating the law. That's what I said.

    It seems to me, if DMCA is used that broadly, couldn't it be used to argue against the FBI decrypting email communication?

    Just a thought.

  • Someone wrote:

    Hmmm but if the carnivore has spotted the names of various drugs in a disproportionately large number of ur emails, isnt that grounds for a warrant?

    And then Kahuna wrote back:

    But it can't do that. I mean, it won't just "notice" them. Its a computer. If its purpose was to scan for drug references in all emails, they could do that, but it would have to be
    on purpose. They couldn't use the "plain sight" defense to validate the evidence, because it requires an extra deliberate step to gather. You can't get a warrent based on evidence that you should have needed a warrent to get. It taints the process all the way down the line.

    That's true... if the FBI is interested in a criminal prosecution. As far as I know, but I am not a lawyer nor particularly knowledgeable in the area, the Exclusionary Rule (legal precedent that says you can't use tainted evidence in court) is the only significant disincentive for an illegal search.

    If the FBI or other law enforcement agency is more interested in simply harrassing, intimidating, or embarrassing a target, then the Exclusionary Rule has no practical effect.

    I just saw Guilty by Suspicion on video the other night. True story, McCarthy era: film director harrassed by FBI agents, blacklisted because he wouldn't testify that his friends were Communists.

    Our protagonist in the movie (Robert DeNiro) was investigated and bullied on suspicion of something that isn't (and wasn't) even illegal. The only prosecutions coming out of the McCarthy investigations were for perjury and contempt of Congress, against people who either wouldn't talk to the HUAC or who were caught lying to it. Nobody was convicted of merely being a Party member. But that didn't stop the FBI and the HUAC from carrying out their dirty tricks. And the FBI couldn't be challenged under the Exclusionary Rule because they weren't presenting evidence at trial.

    Yes, it would be extremely difficult or impossible for law enforcement to use evidence inappropriately gathered by Carnivore in a criminal trial--they really do have to follow the rules there. But it would be relatively easy to use Carnivore or a similar device to gather information for other purposes, given just a little cooperation from ISPs.

    I honestly don't think harrassment or intimidation is the primary purpose of Carnivore. It actually seems pretty mild compared to other more intrusive and less targeted means of investigation. But don't assume that the Fourth Amendment will protect you outside of a criminal courtroom!

  • It's also a matter of principle that criminals need to be stopped

    Oh, I absolutely agree! The FBI proposes to commit a crime (violation of the Fourth Amendment), and in fact has thereby already committed a crime (conspiracy to deprive citizens of civil rights under color of law). They must be stopped. QED.
    /.

  • That is what I expect. That's how it's supposed to be. But is it that way in practice? Is it that way 95% of the time? What about the other 5%?
  • At least in paranoia, you could send your clones off to the termination center and hide out for a while. In real life, there's only one you.

    I think it's getting to the point where the cost of "protection" (or the illusion thereof) is that we have a government that is going to get worse than the crime was to start with.

    Well, screw the FBI. I'm going to go smoke a bowl and clean my machine gun. :-)
  • Um, everything's an argument for better encryption to /. readers isn't it? I resort to the oldest argument against encryption: if YOU aren't doing anything wrong, why do you care if THEY read your emails? Take, for instance, the emails I wrote this morning. If the FBI wants to hear about how drunk I got over the weekend, I'm sure they'll enjoy these little tidbits of informations. If, however, they're looking for stories about people planning a nationwide terror campaign, I'm sure they're realize they read the wrong email within a few seconds, and most likely delete it.



    Because it's none of their damn business. They ahve no need to know and hence shouldn't be looking. If they are going to look anyways then I'm going to find a way to stop them. And I'm going to do it because it's my RIGHT as a human being not to have every detail of my private life examined by some government thug to be sure it meets with his approval.

    Kintanon
  • The dire warnings seem overstated considering what is already accepted practice. They just pull the suspects emails in question prior to searching. Omnivore sounds like it was open to abuse and if that was deployed it should never have been, it's like wire tapping a small town to get evidence on one individual. Carnivore sounds like a right minded attempt to restrict scanning to the suspects account.

    So what's new?
    They still need a court order and they could always tap the suspects phone any time as things stand. This just let's them tap an account than might be moving on a dial in from different locations. The whole system has always been build on trust and controlled by the fact that any abuse of the system won't pass muster as evidence in court anyway.

    So, if a Judge let them deploy Omnivore it sounds like there's a need for some legislation to prevent this sort of dragnet approach in future but the Carnivore system is exactly the kind of thing I'd expect the FBI to be getting up to, why is everyone so surprised? The intention of developing Carnivore as a discriminating filter seems to be a move in the right direction IF it only traps and searches the email of the suspect, and that's the whole point of the newer system.

    Move along folks, there's nothing to see here.
  • This is outrageous. The FBI admits this is nothing more than a glorified sniffer. And, we all know a sniffer grabs plaintext passwords which many systems/services use. Looks like it's time to start watching my login records a little more closely.

    The analogy used was "It's the electronic equivalent of listening to everybody's phone calls to see if it's the phone call you should be monitoring." Actually, I'd say it's more analogous to having a bug in every home that uses that network. Considering that e-mail communications originating from one private residence destined for another private residence would qualify for some privacy protection, I would offer that placement of the "Carnivore" on a public wire steps way over the bounds of legitimate surveillance jurisdiction.

    I guess what shocks me the most is that they actually demonstrated this technology. They expect buy-in?

    Of course, there's always encryption....


    Linux rocks!!! www.dedserius.com [dedserius.com]
  • I believe that one of the controversial provisions of this UK law, is that it doesn't matter whether you CAN physically produce the key or not - if you don't hand it over when the police ask for it, they can throw you in jail until you do.

    I remember reading a news story where someone sent an encrypted message containing details about a "crime" to an important high official, but without giving him the key (and they threw away the key themselves). They challenged the UK police to arrest that high official, since he had "evidence of a crime", but wouldn't(couldn't) give the key.

    Funny how law enforcement seems to be a little more reasonable about enforcing stupid laws (in just about any country) when it comes to arresting "important" people.
  • Well if your not encrypting your mail, its like sending out only postcards. If you wanted things private, you would put your message in a nice envelope and mail it that way...

    Email isn't really all that different, it just seems that we all expect our postcards to be completely private.

  • "Internet wiretaps are conducted only under state or federal judicial order, and occur relatively infrequently."

    "The FBI defends Carnivore as more precise than Internet wiretap methods used in the past. The bureau says the system allows investigators to tailor an intercept operation so they can pluck only the digital traffic of one person from among the stream of millions of other messages. An earlier version, aptly code-named Omnivore, could suck in as much as to six gigabytes of data every hour, but in a less discriminating fashion."

    This sounds like it is indeed meant for targeting specific suspects, after having obtained the legal permission to do so. Is it open to potential abuse? Certainly - but aren't unencrypted internet data transmissions open to snooping anyway? This just sounds like a high-powered info-sifter...

  • > Because I'm not paranoid?

    Perhaps because you inore history? I would submit that the entire history of the human race is the history of power abused by indivbiduals.

    Do we forget that the FBI is the same organization that has abused its powers in the past. Would you consider it part of the FBIs job to forge letters to heads of the Maffia and heads of the US Communist party in attempts to litterally provoke the two organisations to violence against each other? Well they did it! I have seen the declassified papers on it!
    (www.thesmokinggun.com - an archive of files obtained under the FOIA)

    Furthermore....what they CLAIM to want is EASILY obtainable without "Carnivore". It would be TRIVIAL for an ISP to setup their mail server to blindly send copies of all messages and ONLY messages to and from the person being monitored to the FBI system...instead they insist on having THEIR box process EVERYONES messages.

    If Carnivore was the ONLY way to do the job, that would be one thing. The fact is, it isn't. In fact its the MOST intrusive method possible. It means THEY are sorting through data that they have NO right to access, in order to get at the data they do have the right to.
  • > Funny isn't it? Everyone gets their panties in a
    > wad about the government getting warrents to
    > check your email, but you flat out say that
    > IPS's could redirect and read your email without
    > anyone knowing, and no one cares?

    I care...unfortunaly its unavoidable. Its the way that email was implimented, there is no way to stop an eavesdropper on that level.

    My point was simply that they can get exactly the information they CLAIM to want, yet they seem to be insisting on a MORE intrusive system where the ONLY protection against them accessing more data than they "should" is well them.

    Why would they insist on this, when they can get the SAME data through LESS intrusive channels?

    Do I trust my ISP more than the Federal Government? Only because I have no other choice, short of convincing everyone I know to use PGP (fat chance that).

    My ONLY objection, in the context of this discussion, is that this system can be abused by the FBI, with, essentially, no oversight. Using the ISP system to divert mail would require complicity between ISP and FBI to be abused...and that at least marginally raises the bar.

    FBI agents are human beings. Human beings sometimes do bad things, even with the best intentions. As such, there must always be some level of protection in place to limit the damage that they can do.

    Again...what I am suggesting is truely trivial difference, if they are truely only doing what they claim to be doing. However it protects the people at large, if their intions are other than their claims. Seems like a win all around (unless of course your an FBI agent who wants to abuse your carnivorous machine)
  • Thats not what I am suggesting at all.

    There is a huge difference between tapping a phone line and listening in, and tapping the whole trunk and listening to every call, for every person on the block, simultaneously.

    It opens the system up for abuse. It means that ALL email going through the ISP can be logged...once the system is in place, ALL users email is subject to the whims of the human FBI agent who installed it and set it up.

    Protecting people from this is a trivial problem, and gives them NO less legitimate information.
  • To extend your analogy better....

    What they are doing is going to the post office and saying "There is a person in this city who we are investigating. We have a warrent that lets us read his mail before it gets to him." (assuming thats possible - remember this is an analogy)

    Then demanding that the Post office turn over ALL mail that comes to the post office to the FBI and lets the FBI sort out this persons mail from the rest.

    They arn't opening the letters per se...(tho in the case of email the distinction is blurred as the envelope doesn't conceal the contents) but demanding to look at "ALL" envelopes and make their own determination as to what they have access to.
  • The idea that grepping through piles of cached email for 'bomb', 'allah' and 'president' would be helpful at all helpful to the FBI is ludicrous. Actual plans for terror campaigns are usually communicated something like:

    From: susie777@hotmail.com (** ACTUALLY Brian O'Connor **)

    Subject: Party! (** ACTUALLY Bombing of British Consulate **)

    Hey girls(** ACTUALLY Fellow members of IRA splinter group **)! The party (** ACTUALLY attack preparation meeting **) is at Sheila's (** ACTUALLY Sean's **) on Saturday (** ACTUALLY Monday **). I'm bringing chairs (** ACTUALLY bomb material **) and Cindy (** ACTUALLY Michael **) is bringing hats and cake (** ACTUALLY automatic weapons and the map **). See you there!

    Susie

  • If the FBI wants to read my e-mail, no problem. All I ask is that they have an agent click on my All-Advantage referrer link. They could then use their accounts to help subsidize the project.
  • Even if this is originally intended as a positive thing, this can be abused latter down the line. Once the government can monitor all communications it will be abused despite the positive affects it could have. They would not have to waste thousands of man hours to analyze one hours worth of traffic. Parsers and analyzers have been getting better and they could easily sort out the people they would want to go after for just about anything. I might be paranoid but I have good reason to be.
    Molog

    So Linus, what are we doing tonight?

  • If they have a warrant to collect emails to/from a specific person, fine. If they don't have a warrant, any evidence collected is inadmissible in court.


    Gonzo
  • Ah - an anonymous coward who doesn't know how to read a URL. I'm not an Amazon referrer you idiot, and there is therefore no referrer ID in that link, it just tells you what the book is.

    Why don't you learn what you're talking about before throwing accusations like that around, and if you're going to accuse people, have the guts to do it with your name attached.

  • Run, don't walk, to Free S/WAN [freeswan.org] and get free IP/SEC transport level encryption for your Linux box. It can be configured to automagically negotiate strong encryption between any other IP/SEC box on the net (even using other vendor's products).

    Burris

  • Hmmm but if the carnivore has spotted the names of various drugs in a disproportionately large number of ur emails, isnt that grounds for a warrant?

    But it can't do that. I mean, it won't just "notice" them. Its a computer. If its purpose was to scan for drug references in all emails, they could do that, but it would have to be on purpose. They couldn't use the "plain sight" defense to validate the evidence, because it requires an extra deliberate step to gather. You can't get a warrent based on evidence that you should have needed a warrent to get. It taints the process all the way down the line.

    -Kahuna Burger

  • I refuse to accept that my 4th amendment rights protecting me from unreasonable search and seizure should be violated because there are criminals.

    OK, breath deeply. Now lets think about this. Why was the fourth ammendment introduced in the first place? There were no phones, there wasn't even much of a postal service yet. But there were homes and doors and people capable of breaking them down to search your home. And there were police who might hear that you were seen leading a little kid into your home just before he was reported missing, and they might want to search your home. So we have the means to search your home and people who would want to. What do we do? We write an ammendment that says they can't do it unreasonably and a bunch of laws laying out a "reasonable" procedure.

    Now the present. We have something besides your home, the internet, which people may want to search. We have ways for them to search it. And we still have an ammendment and a bunch of laws that say when and how they can do it. The existance of wiretap orders for other people who have given law enforcement enough justification to get a warrent, has nothing to do with your 4th ammendment rights, because they aren't searching and seizing you! As we understand carnivore and are discussing it, noone is spying on you.

    Jon had it exactly right. As long as the FBI has the right and in fact the duty to obtain search or wiretap warrents, they will expand those rights into new forms of communication. It no more invades your rights than a legal, warrented search of your neighbor does.

    -Kahuna Burger

    PS, some people have expressed distrust at the number of internet wire tap orders obtained. But I'd be a lot more worried if they weren't getting any. Their going through the warrent process indicates that those warrents are neccassary, indicates that they are working within the system. Not perfectly, but its an indication that internet wiretapping is being taken as seriously as phone tapping. And thats what we want, right?

  • What part of "under a wiretap warrent" didn't you understand? If they get a warrent, its ok by the 4th. The 4th is about getting warrents, and issuing them under propable cause.

    And one more time, they aren't reading the email of anyone except those who are on the carnivore tapes when they pull them. Saying otherwise is kinda like claiming that if I listen to police traffic on a scanner I am in fact listening to all my neighbors' cell phone calls because the equipment I have hears all of them not just what I'm tuned in on. Or that if I search DejaNews for "the keeper" I'm also performing an inapropriate background check of my potential employees by looking for their email addresses on porn, gay and alternative lifestyle newsgroups. Because, hey, that info is being scanned by the same program that gives me back my search results.

    Paranoia is one of the many reasons I don't vote libertarian. I keep one of the others in my wallet.

    -Kahuna Burger

  • And no record of it is kept after analysis, does it make an invasion of privacy?

    I'd say no. The article was perfectly clear. The idea is to get messages for people/accounts on which there is a warrent. The computer sifts the data for those messages, and only saves those ones. The people whose messages are analysed by the computer but not saved, not read not noted, have suffered no invasion of their privacy.

    Look at it this way. What if the police were snooping on conversations over short wave radio by tuning to the frequency of the people they were interested in. Could you seriously say that every person in the area using a short wave radio had had their privacy invaded because the radio equipment used at some level recieved every signal, even though the police only heard and recorded one? Its just as silly to claim that they are "invading" anyone's privacy but the person whose messages they actually read when they download the carnivor files.

    People who have a problem with the ability of law enforcement to get warents for wiretaps, should just say so. But when everything turns into some "Big Brother" paranoia rant, it just diminishes your credibility when you try to alert people to a real problem.

    Heh, story of SlashDot : The Hacker Who Cried 'Big Brother'

    -Kahuna Burger

  • My ONLY objection, in the context of this discussion, is that this system can be abused by the FBI, with, essentially, no oversight. Using the ISP system to divert mail would require complicity between ISP and FBI to be abused...and that at least marginally raises the bar.

    Again...what I am suggesting is truely trivial difference, if they are truely only doing what they claim to be doing. However it protects the people at large, if their intions are other than their claims. Seems like a win all around (unless of course your an FBI agent who wants to abuse your carnivorous machine)

    Actaully, I wonder about that. I have not had a lot of expereince with the rules of evidence, but would having a third party route all the data really result in as high a "quality" of evidence as the FBI harvesting it themselves? The advantage I see of the Carnivore method is that the data is filtered directly from the "feed". In your suggestion, could the ISP really guarenty the completeness of the info they were providing? Would their credibility become another route by which the data could be attacked (so, you claim to have provided these forwards to the FBI of the defendant's email. But as the provider, you are certainly capable of making a indistinguishable forgery of such a mesasage, right? Did you have any billing problems with the defendant?)

    On a slightly more serious note, your method would require the FBI to tell the ISP exactly who the target was, risking a civilly disobedient ISP doing the forwards, but tipping off the subject of the surveillance. Of course with Carnivore, if the ISP couldn't tell what it was scanning for, they wouldn't know that it wasn't pulling an "echelon".

    So, the best case senerio (given the existance of wiretapping laws, etc) would be: FBI shows up with a machine and two peices of paper. One is a authorized warrent, the other is a third party affidavate (I dunno, someone backed by the ACLU) stating that the filtering is programed only to pick out the email address of one individual, the one covered under warrent. You could even have the third party program and install the Carnivores, and then provide the kit and kaboodle to the FBI at the end, giving them the data and the chance to confirm that said 3rd party programmed it corectly.

    Of course a system like that would take a lot of work to get in place and people with the energy to do that much work on this topic generally wouldn't like it because its compromise. So they will probably just keep doing it the way that makes some people nervous, and those people will keep making noise. Real life is too bad that way.

    -Kahuna Burger

  • One problem with the Carnivore system is that we can't trust the FBI to only do selective filtering - they need to intercept all messages and then sort out the ones that apply - except we can't trust them not to take my messages with them!

    Are you not trusting the FBI, or not trusting the technology? The entire point of the system is that the FBI isn't just browsing through and deciding to take your messages. "They" aren't doing the sorting, no individual is going to say "hey! I know we just had a warrent for guy X but a line in guy Y's email caught my eye and I think we should look into it!" In fact, that is exactly what this systen is meant to avoid. Get it? The entire point of carnivore is to 1) save man hours, and 2) avoid invading the privacy of people who aren't covered by the warrent.

    Why is this bad? Given the existance of wiretapping warrents that can be applied to electronic communications, how can you guys possibly object to a technological solution to decrease the human instinct to notice things other than what they are looking for. Computers don't see anything except what they're looking for. Have you ever done a web search for breed rescues and had your computer say "Hey, this isn't related, but there a kinda neat article over on Slashdot about overclocking."? No? Me neither. But I regularly browse the "new titles" section of the library for one topic and end up with an interesting book on something else. If you are concerned about law enforcement exceeding their warrent, you should be celebrating Carnivore.

    If, on the other hand you just salivate like pavlov's dogs at the words "wiretapping" and "messages" Carnivore would be a bad thing by definition.

    -Kahuna Burger

  • I have to interpret as humor any post that claims that warrants are difficult to get. Clearly you have never worked in law enforcement or in the legal field. The system has been warped to make it easier and easier, and the common-law created by the conservative S.Ct. has admitted evidence obtained through clearly improper police procedure under the "good faith" exception. Even Miranda was under attack, and will be overturned if the next president to seat a Justice is republican. Doubt me? Read Scalia's writings some time. If you want to see how 'carnivore' will be abused, look at the L.A. scandals, and recall that the statistics hold that for every prosecuted instance of police misconduct, at least 100 other instances are successfully covered up. I have great respect and gratitude for many of the police officers patrolling the streets, but nothing but contempt and scouring anger toward those who abuse their power. And it goes without saying that this system will be abused, as every other police power is eventually abused. The question is always, do we want to accept that abuse in favor of the criminal activity it will stop? Do we want to accept that this will be used to spy on ex-wives, on political foes? What if it is the only way to stop a virologist version of the Unibomer?

    G.Gordon Liddy was once a prosecutor. Do you think he would blanch at faking a warrant if he felt that he was fighting a just cause? Have you seen the enemies lists he compiled for Nixon, with recommendations of assassination? Don't fool yourself into thinking that it is always rational, good-hearted people running the show. And whatever your politics, remember that the other side will occasionally have control of this mechanism, and will use it with the same fervor as a Gordon Liddy or James Carville - pick your villian.
  • The article says:

    Marcus Thomas, chief of the FBI's Cyber Technology Section at Quantico, said Carnivore represents the bureau's effort to keep abreast of rapid changes in Internet communications while still meeting the rigid demands of federal wiretapping statutes. "This is just a very specialized sniffer," he said.

    He also noted that criminal and civil penalties prohibit the bureau from placing unauthorized wiretaps, and any information gleaned in those types of criminal cases would be thrown out of court. Typical Internet wiretaps last around 45 days, after which the FBI removes the equipment. Mr. Thomas said the bureau usually has as many as 20 Carnivore systems on hand, "just in case."

    Mr. Thomas is entirely correct --- Carnivore is just a very complicated sniffer. And while privacy advocates are correct --- the government COULD sniff anyone. But the government COULD also wiretap anyone. The rule of law is what prevents that. The FBI can pay through the nose if they get caught making illegal wiretaps.

    The Carnivore system is perfectly consistant with the current laws and norms on government surveilence. To question Carnivore but allow for regular wiretaps, is in my opinion, an indefensible view point.

  • 've wondered about this one for a while. In the MS v. DOJ thing, apparently they used a bunch of emails from Billy G. as evidence.

    Admittedly, I didn't follow it all that closely, (by them time I had first heard about it, I was sick of hearing about it) but why didn't he just say "I didn't write that."

    It should be virtually impossible to prove that email was written by any particular person. I could set my "Real Name" to Bill Gates and send out an email, or if I really wanted to put effort into it I could even make it look like it really came from bgates@microsoft.com. It's not that hard to create a file with a certain set of text in it, so an email header that says "this is from person X" doesn't at all guarantee that it actually is.

    While it's true that it's easy to forge email on the internet, that's not where the billg mail came from in the Microsoft case. In that case, the email was from Microsoft's internal email system. It had been turned over to the government as part of the pre-trial discovery phase, which is basically when the lawyers for the two sides are allowed to demand that the other side turn over information that might be relevant to the case.

    Furthermore, the emails weren't just random mails from billg to the rest of the world. They were part of multiparty email correspondance on particular issues. IOW for Gates to disavow the emails, he would have had to claim that someone was not only forging his name but was also intercepting his personal emails and forging a conversation on his behalf. Not only that, but they were doing so not on some leaky internet system but on Microsoft's presumably secure internal system, and that the other people he was corresponding with, who presumably encountered him at least occasionally in person never brought up the topic of the emails in non-email conversation so that the forgery never came to light. That claim would be so obviously bogus that all it would do is damaged Gates's credibility as a witness and not impeach the credibility of the email at all.

  • Next thing you know DOJ discovers incriminating emails on Gates' machine from the MS internal network. Of course, more work would be required than just that one little act, but the philosophical point is that email is just bits on hard drives, and is therefore no more reliable than heresay, which is inadmissable.

    Yes, and written letters are just bits of ink on pieces of paper, but using them is quite common in legal circles. Fairly reasonably, if I ask you for your records and I find something incriminating in them (and bear in mind that you also have to provide copies to the court, so I can't change them and claim that they're original) it should be your burden to prove that the incriminating comments were forged, rather than mine to prove that they're genuine! If anything, people should be suspicious if they show something unusually exculpatory, since you're far more likely to modify them in a way that reflects well on you than to forge records that incriminate you. In any case, IIRC these aren't emails from Gates's desktop machine; they're from the corporate email archive.

    Getting back to something closer to the article that triggered the discussion, the FBI isn't talking about either of these things. They're talking about intercepting email in transit, so my original interpretation of the more conventional approach to header forging is more of what the FBI would be interested in. In thise case, though, the FBI's tap is actually less likely to be forged than a random email, since they're going to be tapping his immediate upstream connection, so a forger would need to insert their forgeries exactly there rather than at any random point in the network. As for the FBI being able to forge the email, they could potentially do that no matter what system you used, so you're going to have to trust them to be honest in any case.

    One interesting aspect of this is that it suggests that if you're a criminal you shouldn't PGP sign your incriminating emails. If they're PGP signed, it provides the FBI with excellent evidence to use in court that they're not forged; unsurprising since proving authenticity is the intent of signing them. If they're unsigned, though, it'll be a lot easier to claim that the FBI forged them. You can probably enhance the effect by signing all of your non-incriminating emails (which you figure that even the most hardened criminal would have) so that you can intimate that the FBI forged the incriminating ones but were unable to forge the signature since they didn't have your private key.

  • After all they search for words like "assasinate", "bomb", and "president"...

    They don't actually look for words like "make", "money" and "fast" or even "buy", "cheap" and "toner"...

    ...and they certainly wouldn't be looking for words like "XXX", "asian", and "sluts"... or would they? ;)
  • by LazyGun (138083)
    PGP is the answer
  • Why should electronic communication be legally less protected than telephone communication?

    I'll do ya one better. Why shouldn't a letter sent via electronic means not enjoy the same protections as a letter sent by the post office? Correct me if I'm wrong here, but tapping into a phone line isn't a federal offense, where as opening someone's postal mail most certainly is.

    This is NOT wiretapping folks. This is the process of ripping open your sealed envelopes. Worse yet, it rips all of them open with only a flimsy promise to only look at the letters in question. The FBI does not have a great track record for being trusted to abide by only playing by the rules of a search warrant.

    The really amazing thing is, America's founding fathers saw this very thing coming. The 4th amendment was not an after thought. It was put in to deliberately undermine tyranny within the nation they were building.
  • Umm i've travelled fairly extensively in europe and I live here too and i've never actually seen one of these phones.

    Certainly they do exist but they are about the size of a suitcase, cost thousands of dollars + several doller a minute in calls.

    Personally i've never seen cell networks like the ones in finland and estonia.

    Finland deserves credit because i've travelled up north into the country and still get a better reception with a Uk cellphone than i get in my apartment in central Edinburgh. Not to mention that they have boosters every few metres along the subways so you aren't ever out of touch, and cells on every single goddam rock that sticks out of the sea too :)

    Estonia on the other hand deserves equal amounts of credit for developing a network to rival the UK ones and yet only 10 years ago they were part of the USSR and the rate of growth there is just mindblowing.
  • Personally I think systems like this do nothing but promote the use of PGP.

    At the end of the day we all know that they almost certainly cant crack PGP encrypted stuff... except that I only started using PGP for vaguely sensitive mail when i first heard about the echelon system.

    I was always aware that my comms could be intercepted and certainly running a packet sniffer on a network brings in some interesting stuff, but I never really considered it was practical to filter all online traffic in that manner.

    The govt have coming forward and said "Guess what? We're already doing it!!" probably does about the same good for PGP usage as handing out $10 bills with every download.

    It really is a shame that the bulk of the public dont understand the reasons why encryption is a good thing. Sadly the conventional press tend to see it more as a system for protecting criminals rather than free speech, and popularist public opinion is against PGP.

  • The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

    It does not matter what the FBI says, they may not do this and be in compliance with our Constitution.

    Let your representatives know that you don't want the Constitution ignored, or vote for a candidate that will demand that the government complies.

    Look for a candidate at the Libertarian Party home page [lp.org].

    Topher
    Got Freedom? [lp.org]

  • While I'm just as concerned over privacy issues as the next person, I just want to address one point here. In the article, Mark Rasch, a former federal computer-crimes prosecutor says "It's the electronic equivalent of listening to everybody's phone calls to see if it's the phone call you should be monitoring."

    I disagree -- I think it's more like opening a telephone junction box to see which line you should be tapping. With that box open you have the potential of tapping all those lines, but you just tap the one. The computer may be monitoring all the traffic, but obviously it has no understanding of what it's processing; if the system is used properly (and granted, that may be a big IF), it's only recording suspect traffic.


    --
  • What is unnecesary Paranioa?

    When I was a kid, I hung with a lot of skins and punks. The Cops would shake us down every time they saw us.

    It wasn't that they knew we were up to something. (although yea sometimes we were... but no more then anyone else). I personaly have never had a record, but the cops knew we were trouble, mostly because we were skins & punks. (And no I was not a bigot)

    It is not a question of being a crook, it is a question of being percived as a "unwanted element". We were an unwanted element.

    I do not feel comfertable with the FBI (or anybody) with this kind of power. How long to they start shaking you down.
  • Maybe the FBI's just trying to figure out if Echelon exists or not.

    ----

  • by Anonymous Coward on Tuesday July 11, 2000 @06:30AM (#942868)
    Such a thing already exists.

    HushMail [hushmail.com]
  • by lazarusL (13104) on Tuesday July 11, 2000 @07:59AM (#942869) Homepage Journal

    ("apt-get install postfix-tls" if you use Debian.)

    Take a look at RFC 2446 (Transport Layer Security) and RFC 2487 (SMTP Service Extension for Secure SMTP over TLS) for details.

    For an implementation, look at postfix-tls:

    Authors:

    Postfix : Wietse Venema Wietse Venema [mailto];
    TLS extension : Lutz Jänicke Lutz Jänicke [mailto]

    Start with the postfix site [postfix.org] and then the TLS site [tu-cottbus.de] if you don't have the ability to apt-get source I guess.

  • Further, damnit, I'm NOT a criminal, so I shouldn't be treated as one. This is a classic case of guilty until proven innocent.
    Just because I'm not a criminal doesn't mean I want the gov't, or my next door neighbor, to be able to read my email. Of course, that's why I have a huge PGP key (check my userpage)...

    I am a private citizen, and my personal life is no business of the government.
  • by Badgerman (19207) on Tuesday July 11, 2000 @06:48AM (#942871)
    Paraphrasing Robert Anton Wilson:

    Imagine an authoritarian system as a pyramid with an eye on top (look at a dollar bill). Now, the guy at the top wants to control the people down below, but he has to rely on them for information. So he uses coercion to control them and extract information, but since fear of punishment, hate, and paranoia are driving the people below, they only say what will prevent punishment. The system reflects itself down the pyramid, and due to increasing ignorance, becomes brain dead over time.

    It seems this is the way we're heading with cybersleuthing, techno-eavesdropping, lawyers throwing lawsuits round, etc. We're all paranoid as hell, everyone doesn't trust anyone, and there are more and more threats each day.

    It appears the FBI is making yet another contribution to this. I wonder how this will be abused (and thus increase mistrust), how errors will be made (and thus increase mistrust), and how many bad precidents and angry reactions this will produce. I wonder how many lawsuits and court cases will result from their snooping.

    In their quest to enforce laws, the FBI makes themselves that much harder to trust by being more invasive. Ironic that.
  • by TheCarp (96830) <sjc@carp a n e t . net> on Tuesday July 11, 2000 @08:01AM (#942872) Homepage
    > This sounds like it is indeed meant for
    > targeting specific suspects,

    Well it deponds on how you wish to look at it really. Assuming its a given that they have the right to wiretap (I am putting aside the fact that I have major philosophical problems with law and law enforcement here)....they have the right to listen in on "data" (conversations email etc) comming from a known data source (victem er I mean bad guys phone) to gather evidence against him.

    Their entire system sounds basically like a system that takes all the email in the system, applies a set of regexs to the headers and takes all email too and from there target.

    Here is the problem I have. The "data source" is not a "known one". They are not listening to "His line" they are listening to the whole ISP. Even if its just a header grep...they have NO RIGHT to recieve and look through ANY data except that which comes from or two who they are looking at...even if it is JUST a gheader grep.

    The difference may not seem important but it is. If they wiretap your phone line, they can't abuse that to listen to my conversations, unless I use your phone. In this case there is the possibility of abusing their "wiretap" on YOU to listen to MY email because I am on the same ISP as you.

    if YOU are the target...they have NO right to have MY mail ever even TOUCH their system.
  • by grahamsz (150076) on Tuesday July 11, 2000 @06:17AM (#942873) Homepage Journal
    They have the carnivore sniff out any mime encoded JPGs containing an above average level of flesh tones.

    These are then filtered out and despatched to agents personal computers, saving them several hours a day in hunting for pr0n.

    These extra hours are what will really give them the advantage combatting cyber-terrorism.
  • by djrogers (153854) on Tuesday July 11, 2000 @07:00AM (#942874)
    I wouldn't much mind if this sort of thing required a warrant and if they were required to toss any data without a specific person's (or IP, at the outside) name/id on it.


    Sigh, the FBI does rquire a warrant to use Carnivore, and to top it off, it's _really_ hard to get. As for tossing extraneous data, it's the software that analyzes all the traffic, not humans. IANAFBIA, but from my experience, c-vore only _collects_ data on the target, agents don't even see the rest of the cruft.

    Let's get off of our parannoid horses for a minute, and think about this rationally. Do you _really_ think that the FBI would waste the thousands of hours of manpower it would require to manually analyze just one hour's worth of unfiltered data? Even if they did see that metallica.MP3 file you e-mailed to your aunt, would they really care enough to note who you are? Of course not, they're after the sick-ass guy who brags about whipping pre-pubescent girls and rubbing salt in their wounds (trust me, I'm _not_ overstating this).

    Besides, if you really need to overthrow the gov't (of course one day we will, history teaches us that) you'll just have to use encryption...

  • by tssm0n0 (200200) on Tuesday July 11, 2000 @06:12AM (#942875)
    Now the FBI can read all my spam... god knows I don't wanna read that crap.
  • by corniche (207397) on Tuesday July 11, 2000 @06:27AM (#942876) Homepage Journal
    in the UK, there is a bill being passed that if the police etc. wants to look at your encrypted data, you are required to supply the key. faliure to comply results in a jail sentence
    (up to 10 years i think)
    also, never be 100% sure that your encryption is safe, you never know quite what technology they've got....

    {shhhhh... the froggies are asleep.}
    spam-proofing?
  • by Ketzer (207882) on Tuesday July 11, 2000 @06:35AM (#942877)
    I've wondered about this one for a while.
    In the MS v. DOJ thing, apparently they used a bunch of emails from Billy G. as evidence.

    Admittedly, I didn't follow it all that closely, (by them time I had first heard about it, I was sick of hearing about it) but why didn't he just say "I didn't write that."

    It should be virtually impossible to prove that email was written by any particular person. I could set my "Real Name" to Bill Gates and send out an email, or if I really wanted to put effort into it I could even make it look like it really came from bgates@microsoft.com. It's not that hard to create a file with a certain set of text in it, so an email header that says "this is from person X" doesn't at all guarantee that it actually is.

    I know what many of you will say: "But you can track it's path through the mail servers, and if you're really thorough, you can pin it to an internal IP and MAC address and time of origin." Even that doesn't prove who was using that machine.
  • by Poe (12710) on Tuesday July 11, 2000 @07:03AM (#942878) Homepage
    Rather than using PGP, which is likely to get the undevided attention of any government agency, use steganography [outguess.org].
    Take your plaintext, encrypt it, hide it in some of the least signifigant bits in an image, attach the image to an ordinary email, and off it goes!
  • by mindstrm (20013) on Tuesday July 11, 2000 @08:05AM (#942879)
    about wiretaps is this.....

    Originally, you have this telephone system.

    Then.. the feds (or whoever, law enforcement) says 'hey.. would it be possible for us to listen to someone's phone call?' .. well.. technically it wasn't a challenge. So.. in the course of their investigation, they could make a court order the phone company to let them listen.. because *it was something they were capable of already, without difficulty*.

    It was just evidence gathering.

    Can anyone see how this is a world different than the feds saying 'you may not build a phone system unless we can wiretap it?'. It's a very different scenario. The first was simply evidence gathering based on what was available, the second is an actual attack on privacy, or, in other words, 'we forbid you from making a secure, private system'.

    People.. everyone *must* start using encryption!
  • ... I'm not surprised. We've already given away so many rights "for the baaaaaiiiiiiiiiibiiiees", the whole 1984 blew past us a long time ago.

    The scariest part of this is that people can, and frequently DO send e-mail from different places. Also, multiple people frequently use the same phone line. So consider these two situations:

    1. Someone who sends e-mail at home and at work.
    2. Two roommates who send e-mail from the same computer.

    It is very easy to forge e-mail. What's to stop someone from forging e-mail in the name of someone in two places? Nothing of course. What guarantee is there that the FBI will understand that they could easy get false data? None of course. Since we're already setting up classes of crimes for which "innocent until proven guilty" is no longer upheld (in practice), it won't be long until someone is convicted of a crime based upon what is fraudulent electronic evidence.

    Of course it has probably happened already.

  • by grahamsz (150076) on Tuesday July 11, 2000 @06:15AM (#942881) Homepage Journal
    Personally I would like to see an offshore provider giving https based webmail. This would probably be a lot more accesible to end users then PGP currently is and would surely start to cause problems for the US & UK governments and their dodgy schemes for monitoring access.

    In the UK i believe the police can now demand ISPs route certain customers traffic through them and whilst I dont do anything that i'm particularly worried about online it's still not a very comforting thought.

    I wonder if providing free encryption based web mail services would be something that havenco would be prepared to provide as a publicity stunt?
  • by DevTopics (150455) on Tuesday July 11, 2000 @06:31AM (#942882) Homepage
    To me, this is just another reason to use PGP for my email. Let's face it, email is insecure in every way you look at it: it can be wiretapped, it can be faked, it can be changed on the way, and so on.

    So I think that stories like this should be brought to a greater attention (read: Joe User should notice that). And we should get used to "sealing" our email with PGP like we're used to seal our envelopes.

    One other nice thing about encrypted email is: your ISP couldn't be held responsible for anything you say. I'm responsible for what I say, and you are responsible for what you say, and not vice versa. And this should be true for everyone.

    As long as PGP can't be decrypted, we can shrug our shoulders at stories like this.
  • by Darguz (162771) on Tuesday July 11, 2000 @09:31AM (#942883) Homepage
    The book "Applied Cryptography" looks at cracking a 256 bit key:

    It starts by stating that to change a single bit in a processor, you would (according to the laws of thermodynamics) need an amount of energy no less than kT where T is the absolute temperature of the system, and k is the Boltzman constant. If you run a computer at 3.2 degrees Kelvin, and with k being 1.38*10^-16 ergs/K, you would need 4.4*10^-16 ergs to set or clear a bit.

    The sun releases about 1.12*10^41 ergs in a year, so if you could collect all the energy from it for 32 years (of course, Earth would soon become very cold and dead then), you could have a your computer count up to 2^192, but you wouldn't have any energy left to do anything with the counter (such as cracking a key). A typical supernova releases about 10^51 ergs. If you collect all that energy, you could count up to 2^219.

    The conclusion is that unless computers are built from something other than matter, and occupy something other than space, a brute force attack against a 256 bit key is not possible.


    --
  • by arivanov (12034) on Tuesday July 11, 2000 @07:04AM (#942884) Homepage

    If the government has a technique that can decrease crime, prevent terrorism, and save lives, how can you be opposed to it?

    Pol Pot and Yeng Sari had such highly successful techniques. Cambodja virtually had no crime. It also did not have any literate cittizens left and had 25% of the population killed.

    Hitler also had such technique. The crime level in Nazi germany was very low. There were almost no pedofils left in Germany for example. So if broght now Hitler Germany would not have had any "child p0rn" problems as there were no consumers for "chid p0rn" left. He simply treated them like the jews. Actually jews had higher survival rates than pedos and gay in Nazi Germany and Stalin USSR.

    Stalin and his followers also had such technique. The crime level in the ex-eastern block was never asv low as in nazi germany but it was mostly petty crime. Not shooting in the streets like now.

    Are all these compelling reasons for us to restore anyone of these? Clone them maybe?

  • by mindstrm (20013) on Tuesday July 11, 2000 @10:23AM (#942885)
    Coming from a Canadian point of view here....

    It has long been viewed in north america (though the US changed it's law for some reason or other) that the public airwaves were just that; public. We regulated who could use what spectrum for what in order to make everybody happy. (if everyone fought, radio would be useless).

    Then, one day.. along came the cellular telephone. Lo-and-behold, these phones used standard FM in their allocated bands. So.. people with radio scanners could listen to phone calls.
    Now. .in the US.. it is now a crime to have a scanner that can listen in on cellular calls (let alone actually doing it). However.. when the same was proposed in canada.. the crtc said this:
    The airwaves are a public resource; they always have been and they always will be. The celluular providers had *NO REASONABLE EXPECTATION OF PRIVACY* for their calls. They were broadcasting in the clear.
    Remember, regulation states who can broadcast, not who can listen.
    So.. cellular providers deal with this up here by pushing digital.

    How is the internet any different? You KNOW that you don't have control over your packets once they are out of your network. Perhaps your upstream has an agreement wiht you guaranteeing certain privacy.. but what about their upstream? What about everyone? By it's nature, the internet is not a single resource, but a vast collection of networks all hooked together, covering every juristiction and idology known to man.

    Regardless of what the 'ignorant' public might think, there is *NO REASONABLE EXPECTATION* of privacy when putting packets on the internet, unless they are encrypted. Period.

    I'm not saying the itnernet is a public resource, like the airwaves.... but you *know* you can't control where those packets go. So .. ENCRYPT.
  • by jilles (20976) on Tuesday July 11, 2000 @07:01AM (#942886) Homepage
    Nah, too cumbersom. I think the whole problem is that TCP connections are not private. With SSH you can scramble any connection. So, why not scramble the traffic between mailservers? While we're at it, why not compress the data as well. I think encryption has to be built in to the network and not just added on to it. Basically any trafic to and from a PC can be read right now, unless you specifically choose to encrypt it. I would like to have it the other way around. Anything from chat sessions to ftp to X sessions I want encrypted.
  • by / (33804) on Tuesday July 11, 2000 @06:30AM (#942887)
    When Congress enacts this sort of program, they always give it a name like "The Freedom of Infants and Children Act" or the "Prevention of Violence to Puppies Act" with a rider that slips in the big-brother grants of power.

    The FBI, on the other hand, gives it a name that can't help but encourage visions of a government run-amok eating its citizens. Which, come to think of it, is not too far from the truth.
  • by Zulfiya (44302) on Tuesday July 11, 2000 @06:17AM (#942888) Homepage
    "It's the electronic equivalent of listening to everybody's phone calls to see if it's the phone call you should be monitoring," Mr. Rasch said. "You develop a tremendous amount of information."

    This guy is right on the money. This isn't about targeting a suspect and confirming other evidence (as wiretapping is meant to be), but about trolling for suspects. Why should electronic communication be legally less protected than telephone communication?

    I wouldn't much mind if this sort of thing required a warrant and if they were required to toss any data without a specific person's (or IP, at the outside) name/id on it. There's no need for this level of invasion. I also suspect, rather like the cybersensor filters, they're going to pick up more false hits than real crime, and wind up investigating and harassing uninvolved people.

    Now here's an argument for better encryption.

  • by AntiPasto (168263) on Tuesday July 11, 2000 @06:15AM (#942889) Journal
    SUBJ: Hello friend! MSG: Ahhh I love living in the United States, I love the government and its astoundingly perfect mindset that guards my every right and freedom. I am glad that you, my friend, my comrade, are living in this land that beats all others.

    It's so double plus good to be alive and protected by the Ministry of the FBI!

    ----

  • by ^_^x (178540) on Tuesday July 11, 2000 @07:23AM (#942890)
    Of course, they must have one.
    ...wait a sec...
    *CLICK, CLICK*
    There, my key is now 4096 bits, problem solved. ^_^

    Seriously, I think PGP is too versatile to be cracked so easily. i.e. I have a 2048/1024 DH/DSS key with the CAST cypher, but I also have a 2048 bit RSA key with the IDEA cypher. You can also have custom key sizes, for example Will Price at PGP has a 4000 bit DH key.

    Powerful and flexible.

    I recommend looking up "PGPDisk." It's easier to use than the already dead-simple normal PGP. It creates a virtual disk volume that's encrypted, and can auto-unmount itself. It's good even when the PC crashes, too. (In tact, data saved until crash is still there when you reboot.)

    ...however I don't know if it's out for Linux.
  • by Your Robotic Pal (191610) on Tuesday July 11, 2000 @07:02AM (#942891)
    I also thought that requiring a search
    warrant would reasonably limit privacy
    invasions by any agency.

    Until I found a website for an automated
    search warrant request software package.

    Like most of you, I don't do anything that anyone would be concerned about. I don't even keep copies of DeCss around, nor do I download metallica songs. And after seeing the anonymous family photo with the cucumber, the dog and what appears to be a small cheerleading squad, I haven't much interest in downloading Pr0n. With caffeine as my only drug, I'm not exactly worried...

    I even pay my parking tickets and cable bill.

    What is scary is the website I found (there are at least three packages for this)detailing software designed for automating search warrant requests (probable cause, non?) and capable of processing over 1100 search warrant requests per hour!

    I found these sites by accident while looking for information on search engine technology in 1996. I won't list the URLS, but you can find them. One site talked about how much faster it would be when electronic authorization (EDI) interaction became available.

    Imagine how low the threshold of probable cause will slip once some eager programmer decides that online email profiling data can go immediately into the search warrant request software, returning approval in under thirty seconds.

    There are no laws saying that e-mail, packet scans and IP traffic logs cannot be held indefinately, or archived for the last 120 days. This didn't apply to telephone calls - while call logs could be accessed, recording the actual conversations required a warrant - so speech that occured before the warrant was safe, or left as hearsay evidence. With digital archiving of all traffic, the landscape has changed.

    In the future, search warrants will effectively be *retroactive* - and can contain complete records of what you've done for months.

    For most people, privacy is seen as a way to hide indiscretions from general knowledge, or as a way to "get away" with crime. It isn't - that's a small quirk that can be handled through our current legal system.

    Privacy is really the way that we guarantee our right to stay at arm's length from our government (well, at least the individuals in it) and our ability to disagree and express that disagreement (without fear of punitive retaliation)to those in power, be they government officials, Microsoft or the MPAA.

    As long as we have that, everything else in a democracy can work. We don't really want a truly libertarian state (Been to Moscow lately?), but a democracy that embraces responsibility and liberty like RSM embraces pizza and ego.

    So Get off your dead asses
    and write those letters now!
    snicker.

  • by 11223 (201561) on Tuesday July 11, 2000 @06:18AM (#942892)
    One problem with the Carnivore system is that we can't trust the FBI to only do selective filtering - they need to intercept all messages and then sort out the ones that apply - except we can't trust them not to take my messages with them! The solution is to have your email users use an encrypted mail transport system so that when the FBI requests a wiretap, they are only given the key to decrypt the messages of the account they're looking for. There are a few (but not widely deployed) systems that do this already, but a better one could be possible now that RSA will be expiring soon.

    BTW, how does wiretapping interact with encrypted data? What if they tap the email and discover that it's all PGP'ed? Can they brute-force it?

  • by happystink (204158) on Tuesday July 11, 2000 @06:20AM (#942893)
    FBI sources were quoted as saying that among the first people targeted would be the people who put random Echelon keywords in their .sigs. "They all thought they were clever" Michaels said, "but it was just lame and annoying, and only a few hundred people ever did it, so it wasn't even effective. We were sitting around drinking one night and were like 'What the shit, let's test this on those guys!' and we've been following them ever since. Mostly it's just a bunch of guys talking about beard trimmers and PGP, it's kind of depressing."

To understand a program you must become both the machine and the program.

Working...