Earthlink Refuses To Install Carnivore

A reader wrote in with a story on C|Net that Earthlink has said that it will *not* install Carnivore, the FBI mail snoop program. Earthlink has said that it will cause disruptions to their customers, and thus refuses to install it. I'd say that's valid. Cringely has a story where he suggests that Carnivore is really about giving the government the power to shut down the Internet.
  • by CMiYC ( 6473 ) on Friday July 14, 2000 @05:18AM (#933547) Homepage
    U.S. Attorney General Janet Reno said she will review the FBI's Carnivore system for intercepting email from criminal suspects to address privacy concerns.

    Boy! I hope she gets Al Gore to help her out... She'll probably need it and since he invented the internet, I'm sure he can help her understand how it works.

    ---
  • by BMonger ( 68213 ) on Friday July 14, 2000 @05:19AM (#933548)
    I believe the article says that they did install it but due to incompatibility issues with the operating system it was removed. Since it basically broke their service it was removed. They didn't say that they wouldn't install one. Although I could be wrong. Been there before.
  • by Elyas ( 59360 ) on Friday July 14, 2000 @05:19AM (#933550)
    The article says they are not putting it on because it is incompatible with their system, would cause disruptions, and needs some technological modifications. They are CONCERNED about privacy issues, but didn't say no based on that. Unless this is just a delay tactic to try to build a case against Carnivore, it'll probably just go away once the FBI patches the system.
  • by Jeffrey Baker ( 6191 ) on Friday July 14, 2000 @05:21AM (#933552)
    At a typical big-name colocation center, you get one or two 100 Mbps ethernet drops, or a gigabit ethernet drop, and maybe a few WAN drops into your cage. The ethernet drops go to some big honkin switch somewhere which you share with zero or more other customers, depending on the size of your installation. In at least the colocation centers I have dealt with (Exodus, Level 3, and Concentric), using promiscuous mode on any interface connected to a shared switched segment gets you shut down fast. So I wonder what Cringely is talking about when he says that every box in the colo center could be a sniffer.
  • Here is a question that I just thought of...Which is worse, that the government is trying to snoop on you without your knowledge, or that a business can usurp the power of the government, and refuse to comply for 'business' reasons.

    Remember, the RIAA and MPAA are both carrying out their little crusades in the name of 'business' reasons.

  • I've used Earthlink until I recently obtained SWBELL DSL. (Why did I switch? Because paying an extra $20.00 a month for a different ISP didn't seem very logical. Of course Bell is being sued for this very reason, but..) Their service has been great. I've never, ever got a busy signal. Customer service was always good. They had proprietary connect software, but you were NOT required to use it. And they supported alternative operating systems. (At last count I ran OS/2, BeOS, Linux, NT 4, and 2000.) I think it's great that one of the largest ISPs would refuse to put Carnivore in place. If one stands up, maybe more will, and perhaps this beast can be put to rest. Hell, if the FBI wanted to put a machine on *my* WAN they'd sure as hell have to give me a warrant or judgement specifically authorizing it.
  • U.S. Attorney General Janet Reno said she will review the FBI's Carnivore system for intercepting email from criminal suspects

    Maybe they can use it to recover all that "lost" White House e-mail....
    /.

  • by dragonfly_blue ( 101697 ) on Friday July 14, 2000 @05:23AM (#933559) Homepage
    Cringely's column gave me shivers. I don't know that he's right, but it's definitely going to be a problem if the FBI installs the Carnivore boxes in-line with the main routers.

    I think it's great that the FBI is using Carnivore, though. I mean, what better way to promote the usage of newer, secure protocols such as IPsec, Secure Shell, SCP, and privacy suites such as Pretty Good Privacy? And what better way, I ask you, to promote the retirement of older, flaky, insecure protocols like telnet and FTP?

    Well, something will eventually make people switch. Might as well be the Feds.

    Still, I think Earthlink is justified in denying the FBI the ability to shut off their service at random. That's just too much power, plain and simple. I hope they take this to court and win.

  • Yes, you may be bold now, but just wait until our secret administrative courts run a few of your employees through the ringer.

    You'll install it, you have no choice. But I doubt you'll be nearly as brazen in the announcement that it was installed as you were in your announcement that it would not be.

    Accuse me of having little faith, but I believe that until we rearchitecture the network to utterly defeat measures like this (transparent crypto?) the government will continue to use its machinery to coerce and manipulate the key internet players. Witness the "NSA key" in Windows 95/98/NT/W2K. Note how long until we found out about Echelon. Read how cryptography.. essentially a collection of mathematical formulas.. is classified as "munitions". The CDA, the DMCA, and a plethora of riders to innocent-sounding bills that probably still haven't become public knowledge.

    Someday, someone is going to need to devise a technical solution to these political problems. This is why they are so afraid of geeks - they know we have it within our power to end this form of tyranny for good. We are in control of the ultimate modern day press. Literally, with the click of a mouse button, we can go public with thousands of pages of information, blow the lids off back-office politics, and empower the average citizen to take back their democracy and demand their rights. This is why of all the new laws being passed, it is "computer crime" (civil disobedience by another name) that is being targeted with the most extreme forms of retribution our legal system has to offer. $300k fines? 10 years in jail? These are punishments that most people convicted of felony manslaughter don't get.

    Good luck Earthlink.. but this ain't how you're going to beat them. If you want to beat them, adopt IPv6, and give your customers end-to-end encryption. Then.. go ahead and let them install omnivore. A boat load of good it'll do them then!

  • by Ketzer ( 207882 ) on Friday July 14, 2000 @05:24AM (#933561)
    Wow.
    I must say, I'm impressed.
    Most corporations don't often show much in the way of morality or ethics, and you can't really expect them to. Any publicly held company has to report to their shareholders, and if they start taking moral stands at the risk of stock value, they can get hit with due diligence lawsuits from their shareholders. Most companies that espouse morals and principles do it as part of a corporate image, which in turn drives profits. (i.e. Microsoft exists to innovate and make computers better, Apple is brought to you by Einstein, because they think different)

    So it's very rare the companies have the metaphorical balls to do shit like this. I don't know much about Earthlink, but they have my respect now.

    I hope they don't get raped by the gov for this.

  • by Paul Johnson ( 33553 ) on Friday July 14, 2000 @05:25AM (#933562) Homepage
    Bob Cringely has missed the point. The US Government is not going to shut down the Internet: it would be an incredibly dumb and damaging thing to do. The whole conspiracy theory falls over at that point.

    The issue is the lack of independent inspection of what is in this Carnivore box. The ISP only has the FBI's word that it is not doing any improper snooping. Who knows what else it might be scanning for.

    Reno has promised to check things out, but even granting her good intentions she is at the mercy of reports prepared by her underlings.

    If such boxes are to be built and installed then the software they run should be open to inspection and the precise description of the files to be snooped should be part of the warrant. (I take it these things do need a warrant....)

    Paul.

  • by delevant ( 133773 ) on Friday July 14, 2000 @05:26AM (#933564)
    Cringley (sp?) suggests that the FBI wants the power to shut down the Internet.

    Why would they want to do that? There's no real reason that I can think of, unless they want to destroy the U.S. economy in one fell stroke.

    Instead, I suggest that they're using Carnivore as the thin edge of a very big wedge. Sure, they could sniff email traffic without a big black box. But by using a box, they get access to ISP premises every time they get a wiretap order.

    With big ISPs, they'll probably be installing those things several times a year. Eventually they'll be able to say "hey, why don't you just let us leave this thing plugged in?".

    Then, rather than having to go and plug in their big black box every time they get a wiretap order, they'll have the boxes all plugged in all the time.

    And that's when we'll find out that those boxes can do stateful packet inspection if asked. Next thing you know, they'll be able to physically prevent you from seeing "unauthorized" data on offshore servers. Kiss that data-haven goodbye.

    . . . but then again, I'm feeling paranoid today.

  • Doesn't it bother anyone that Earthlink is doing this because of customer disruption rather than privacy concerns?

    Encrypt your email -- screw the FBI.
    --

  • by kootch ( 81702 ) on Friday July 14, 2000 @05:28AM (#933570) Homepage
    I do love how we all feel that the Internet is a god-given right.

    On a day to day basis, I think most of us forget that the internet evolved out of a government program and not through open-source advocacy.

    And yes, the FBI also has the right to be able to intercept both your phone calls and your emails if you are under suspicion. No, they can not block you from sending or receiving, but they can look if they have substantial evidence. And yes, there are laws to make sure that they aren't looking unless they have substantial reason to be looking.

    and while they have the right to look, users also have the right to encrypt their email to prevent this.

    so instead of whining about your god given right to snoop-free internet access, actively protect yourself by encrypting your emails if your privacy is so important to you.
  • It's not necessarily usurping the power of government, it's refusing to acknowledge powers that the government should not have. A principle the country was founded on. I have to admit that large corporate powers are a bigger threat than the government right now, but I find them refusing to allow the government to bully in and try to install hardware for the spooks is an admirable action.
  • scary.. major corporations standing up to the government.

    Somebody has to, and they're in a better position than most.
    /.

  • Letters were private,
    Then e-mail came. Smile, people,
    You're on camera!
  • by nemoc ( 178963 ) on Friday July 14, 2000 @05:32AM (#933576)
    To all of those who are posting the 'one more reason to use encryption' posts, do you honestly think that big brother won't just set up their box to save and store all encrypted communication? or add the sender and receiver to a special 'potential trouble' list. And yes, they can tell if it's encrypted, because encryption, or at least good encryption, does obey a certain statistical pattern (i.e. plaintext will have a high percentage of recurring characters, while ciphertext should be totally random). Granted, compression does something similar, but still -- I'm on enough lists as it is!

    I found this quote on cnet's article about the aclu's objection especially telling "Carnivore is roughly equivalent to a wiretap capable of accessing the contents of the conversations of all of the phone company's customers, with the 'assurance' that the FBI will record only conversations of the specified target," read the letter. "This 'trust us, we are the government' approach is the antithesis of the procedures required under our wiretapping laws."
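
The statistical point raised in the comment above (ciphertext looks random, plaintext does not, and compression muddies the picture), as an added example that is not part of the original thread. It goes one step further than the comment by handling base64-wrapped mail, which hides the randomness of the bytes underneath; `os.urandom` output stands in for ciphertext, and the function names, thresholds and sample text are all assumptions constructed for the illustration.

```python
import base64
import binascii
import math
import os
import random
import zlib
from collections import Counter
from typing import Optional, Tuple

MIN_BYTES = 2048     # assumed floor: shorter samples give a noisy entropy estimate
HIGH_ENTROPY = 7.5   # assumed cut-off in bits per byte (8.0 is the maximum)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def unwrap_base64(data: bytes) -> Optional[bytes]:
    """Decode data if it is strictly valid base64, as a mail transfer
    encoding or ASCII armor body would be; return None otherwise."""
    compact = b"".join(data.split())  # drop line breaks and other whitespace
    if len(compact) < 64 or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(data: bytes) -> Tuple[str, float]:
    """Label a message body by the entropy of its (unwrapped) bytes."""
    decoded = unwrap_base64(data)
    payload = data if decoded is None else decoded
    h = shannon_entropy(payload)
    if len(payload) < MIN_BYTES:
        return "too-short", h
    return ("high-entropy" if h >= HIGH_ENTROPY else "plaintext-like"), h


def build_samples(seed: int = 2000) -> dict:
    """Constructed sample bodies; none of this is captured traffic."""
    rng = random.Random(seed)
    words = ("the meeting is moved to friday please send your report "
             "before noon and call me when you arrive at office").split()
    text = ". ".join(" ".join(rng.choice(words) for _ in range(10))
                     for _ in range(3000)).encode("ascii")
    random_bytes = os.urandom(16384)  # stand-in for good ciphertext
    return {
        "plaintext": text,
        "compressed": zlib.compress(text, 9),
        "ciphertext": random_bytes,
        "armored": base64.encodebytes(random_bytes),  # ciphertext as mailed
    }


if __name__ == "__main__":
    for name, body in build_samples().items():
        label, h = classify(body)
        raw = shannon_entropy(body)
        print(f"{name:<11} raw={raw:.2f}  measured={h:.2f}  -> {label}")
```

Compressed and encrypted bodies land in the same bucket, so entropy alone flags "not plaintext" rather than "encrypted", which is the caveat the commenter makes about compression.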

  • Show up at every ISP with a SWAT team and shut off the power.


    Cut the big pipes that carry traffic up and down the east coast (or cross-country... hey, it wouldn't bring the internet down, but it would slow it up considerably.)


    Face it, the US government has the resources and manpower to do just about whatever it wants to the US portion of the Internet. Problem is, NONE OF THOSE OPTIONS WOULD BE LEGAL! And neither would using the Carnivores to cut off a legitimate ISP. I can't believe a court would allow that under anything but the most severe circumstances. As the Microsoft case has shown, most federal judges (even those like Jackson with little technical expertise) are pretty bright guys. They can catch on to the issues quickly and see what's truly important.


    So relax. I mean it. Life's too short...

  • by Zone5 ( 179243 ) on Friday July 14, 2000 @05:33AM (#933578)
    As a canadian customer of @Home (don't knock it, it's the only game in town), I wonder if my own email is flowing through some american justice/intelligence agency's hands on a daily basis? It wouldn't surprise me in the least to learn that I'm sharing the same infrastructure as the american customers of @Home - and in that case it would seem obvious that @Home wouldn't bother separating our traffic out. Most of the time we canadians can sit up here and shake our heads at the U.S. government's thick-headedness with regards to the internet, safe in the assumption that for the most part they can't touch us. In this case however, it looks like they just might have their grubby hands sifting through our lives too. This is not to imply that the canadian government's intrusion would be any more preferable (in fact, probably quite the opposite - CSIS is not well-known for respecting privacy or having proper oversight), but at least in theory they are accountable to me in some way. The FBI and CIA are not.
  • Even IBM's new monster machine couldn't sort through all of the spam that earthlink gets fast enough to not slow the service down.

    Every single day it's "Find Out About Anyone Fast!" or "Find [Out] About (Anyone) Fast!"

    You can't even add rules to outlook fast enough to keep up with it all. It'd be a full-time job.

    Hmmm... There's already talk about CPO, Chief Privacy Officer, how about a CSO - Chief Spam Officer... Somebody who sets the spam rules for an entire corporation...

    What's with the "Officer" anyway? We're not in the military...
  • by w3woody ( 44457 ) on Friday July 14, 2000 @05:35AM (#933583) Homepage
    Because the smaller co-location centers don't look for your system going into promiscuous mode. Granted they could detect this by looking at the switch, but the couple of smaller ISPs I've dealt with, the switch was located with its lights pointed towards a blank wall.

    Besides, if the FBI dropped a computer on a switch and told the ISP it was going into promiscuous mode, and there ain't a damned thing you can do about it because we're the FBI, then I suspect they wouldn't shut the system down. Meaning that in a sense, Cringely is right: they don't have to locate the machine right next to the router as traffic comes into the ISP facility; they can locate the box just about anywhere and as long as there isn't a packet filter at the switch, the box could theoretically get every packet.

    I do disagree with Cringely that the FBI wants the power to shut the Internet down. I suspect the FBI wants to place their machine right on the router as traffic comes in because they're too dumb to realize that they don't have to do this.
  • Let's all get a grip -- the government is not going to "shut-down" the internet.

    How hard is it to route traffic around the 'Carnivore' box -- um...two clicks of an RJ-45 cable. Remember what happened when radio stations were knocked out in WWII by the Germans?
    --

  • You mean besides the fact that the FBI's request is a violation of the fourth amendment?
  • by isaac ( 2852 ) on Friday July 14, 2000 @05:39AM (#933587)
    Earthlink is not saying "We won't cooperate with the FBI", they're saying "The Carnivore system is incompatible with our architecture". Big difference.

    Cringely is right to be concerned about the CPOF implications of having FBI-controlled boxen sitting at the edges of American ISPs, though. Think about this in the context of the Internet Gambling Ban [slashdot.org] headed down the pike. Or the Drug information censorship act [slashdot.org] (aka, "Methamphetamine Anti-Proliferation Act", now buried in a bankruptcy-reform bill in conference). Sure the courts will probably strike down the prior-restraint provisions of the latter, but imagine a bill that doesn't address the publishing, but merely gives the FBI authority to "kill-file" a certain class of sites at the ISP level, without actually restricting the right to publish per se.

    Having consulted on a computer crime case for the FDLE, I've seen the "us-against-them" mentality inside the investigative law enforcement community first hand. "Them" doesn't mean just "criminals" either - from the LE perspective, there are only 3 types of people in the world: cops, convicts, and suspects. That the FBI (with their sterling history since the days of J. Edgar) would be on the leading-edge of such surveillance/enforcement techniques is wholly unsurprising to me.

    -Isaac

  • Most corporations don't often show much in the way of morality or ethics, and you can't really expect them to.

    This is not about ethics. This is about increasing stock value. In 5 easy steps.

    1) take popular stance against "th' Govnmint"

    2) see geeks rally behind you, often transferring accounts to your service

    3) reap the rewards of y*10^8 geeks who think you're a better company, more concerned with privacy than investor relations

    4) Quietly kowtow when "th' Govnmint" says "we really mean it"

    5) in a limited - distribution, boring-by-design press release, state that the requirements have been met.
  • by Zak3056 ( 69287 ) on Friday July 14, 2000 @05:40AM (#933592) Journal
    I do love how we all feel that the Internet is a god-given right.

    On a day to day basis, I think most of us forget that the internet evolved out of a government program and not through open-source advocacy.


    I fail to see how these two statements are mutually exclusive. Or are you forgetting that little blurb about Of the People, by the People, and for the People? It really pushes my buttons when someone basically says, "It was developed by the government, so consider yourself LUCKY you can use it."

    My tax dollars (okay, not many of those, as I was only born in 1974. But the tax dollars of my parents) went into creating this technical terror, and I will be damned if the DOJ takes the attitude of "we built it, so we can listen in"

  • This poses a few interesting questions, even for those of us outside the US. It is quite possible (and in some cases quite likely) for my email to be routed via the US on its way from my UK based ISP to some other (non US) ISP (for obvious reasons the UK-US links are generally bigger and better than UK-somewhere else). Now, if the FBI 'accidentally' snoop my message to (say) someone in Australia, what happens? A US agency has (illegally?) snooped on email between two non-US citizens, both located outside the USA. Surely that's a matter for governmental concern (US and otherwise).

    Suppose my mail is to a friend elsewhere in Europe, this would surely contravene European privacy laws. Where does the legislation end? Is it purely a case of where (all) the intermediate servers are, or on the end points of the communication?

  • It filters packets, finds e-mail going to and from identified criminals, and saves that e-mail for later decryption and analysis.
    Wow, why don't they just go after these foul pesky identified 'criminals' if they know where their e-mail is coming from!?

    Hey, does this mean I should stop uploading MP3s onto Usenet?

    Pope

    Freedom is Slavery! Ignorance is Strength! Monopolies offer Choice!
  • Now, I'm not going to debate the merits/dangers of carnivore here, I just want to point out a few 'inaccuracies' from Cringely's column.

    Every ISP I've ever seen, been in, or worked at used (at the very least) layer 2 switches to isolate colo'd servers. Some would even go as far as layer 3 switching and subnetting. How on earth does Cringely think that any colo'd server could sniff an entire ISP's network?

    I used to think that Cringely had at least a modicum of clue, but now I wonder. In an earlier part of his column, he suggests that every router could be set up to re-direct E-mail to the FBI with 'just a few lines' of configuration in the router. What a bunch of crap! Filtering E-mail requires access to the application layer, not the network layer as most ISP's routers would look at. And to suggest that such a scheme would inflict no penalty on the routers is just ludicrous. Jumping from layer 3 routing to layer 7 routing would be a serious hit, especially on a GB level router.

    sigh.... Unfortunately, I suppose there are people in this world that are ignorant enough to write stuff like that, let alone buy it.
  • On a day to day basis, I think most of us forget that the internet evolved out of a government program

    Relevance?

    And yes, the FBI also has the right to be able to intercept both your phone calls and your emails if you are under suspicion. No, they can not block you from sending or receiving, but they can look if they have substantial evidence.

    Legitimate search warrants are limited to some specific item of suspicion -- open-ended fishing expeditions are illegal.

    Carnivore circumvents this limitation by sweeping all traffic. With the ISP and other parties "out of the loop" of data gathering, there is no way to limit the FBI's surveillance to the scope of the warrant.

    And yes, there are laws to make sure that they aren't looking unless they have substantial reason to be looking.

    Many of them have broken those laws (COINTELPRO, etc). How many of the perps did time at Club Fed (much less the don't-bend-over-for-the-soap real prisons where they belong)?
    /.

  • by Kaa ( 21510 ) on Friday July 14, 2000 @05:46AM (#933601) Homepage
    until our secret administrative courts run a few of your employees through the ringer.

    Ringer? You don't mean wringer, do you?

    BTW that's a good use for collecting all the info on everybody you can -- when the need arises you can always lean on them (aka blackmail).

    until we rearchitecture the network to utterly defeat measures like this (transparent crypto?)

    You cannot. A TCP/IP network is a "dumb" network and does nothing for security. Besides, you can always sniff at the router, provided you have access.

    Crypto solves this problem, but it has nothing to do with network architecture.

    Someday, someone is going to need to devise a technical solution to these political problems.

    Sorry. Technical solutions to political problems are very, very rare. After all, that's why they are political problems and not technical. Technology may open new ways to solve social and political problems, but it does not solve them by itself.

    empower the average citizen to take back their democracy and demand their rights.

    Meaningless blabber. What does "take back democracy" mean? Demand which rights? The right to sue anytime something bad happens to you? One of the problems with the Western public is that it is very happy to surrender rights for entitlements.

    give your customers end-to-end encryption.

    An ISP cannot "give" encryption to customers. Crypto lives at the ends of the link and the ISP only has control over the link itself. You can advise people to use crypto, but you cannot force them to use it (hint: most people consider crypto to be too much of a hassle).

    Kaa
  • Unless your operating system responds to IP packets sent to the right IP address but the wrong Ethernet address, there is NO WAY to detect promiscuous mode. You don't know what you're talking about.
    -russ
  • I take issue with Cringely's statement that implies that all ISP's are dumb enough to allow co-lo to sniff the network. Some perhaps, but as someone who's worked at a number of ISP's I can say that most co-lo's are segmented into their own network. Usually at the very least by the use of a switching hub. The worst I've seen is some co-lo's sharing the same network, but I've never seen co-lo's allowed on the same network as the production ISP boxes. Give ISP's some credit!
  • by acidrain ( 35064 ) on Friday July 14, 2000 @05:47AM (#933605)
    I suspect the FBI wants to place their machine right on the router as traffic comes in because they're too dumb to realize that they don't have to do this.
    The whole point is that Joe Public understands a black box. Leaking the fact that the FBI has software running on the net wouldn't conjure up the same images. It's intimidation, nothing else. If they really wanted information, they would get it and we wouldn't know about it. This is an intelligent way to cut down on computer crime: make the crackers f**king paranoid. And make the wackos even more paranoid than they already are.
  • I don't think Cringely was trying to say that the FBI secretly dreams of shutting down the internet - but Carnivore means they *could* and they could also do every nasty intervention in between like cutting off a site, webring or user. If past abuses by the FBI don't make you a little concerned about this level of unsupervised control, you're either very underinformed, a true believer in the virtues of totalitarianism, or an idiot.
  • by Kaa ( 21510 ) on Friday July 14, 2000 @05:49AM (#933607) Homepage
    there is NO WAY to detect promiscuous mode. You don't know what you're talking about.

    Ahem. Go to the l0pht site and look at their tool called Anti-Sniff.

    Maybe then you would want to reconsider your position.

    Kaa
  • by shaper ( 88544 ) on Friday July 14, 2000 @05:49AM (#933609) Homepage

    Um, it's called civil disobedience, a basic responsibility of any free people. And a citizen cannot "usurp" power from a democratic government, by definition, because supposedly all government power belongs to the governed to begin with and is merely loaned to the government to promote common good, defense and stuff. So your concern might better be stated in the reverse: the government usurping a business' rights to free association and enterprise, as well as citizens' rights to freedom from unlawful search and seizure, in order to support dubious efforts to combat possibly nonexistent crime.

  • If you can sniff a connection, you can send TCP RST's to both ends.
    -russ
  • I think that cringly(sp?) is a little off on his deduction. In Theory, the government could shutdown the internet by shutting down their routing thus all traffic coming in or out stops at their sealed box. But, I do not believe that is the purpose.

    Right now the internet is out of control in the minds of the govt. It is the one thing that they haven't figured out how to tax. So, they put these boxes in the major areas, track you and figure out what you are buying, where you are coming from and then they can apply the appropriate tax to you. Govt gets its money and you get to be tracked and watched like a bad TV series. Nice eh?

    I may be off but I may be right....and that's the scary thing.
  • by FreeUser ( 11483 ) on Friday July 14, 2000 @05:55AM (#933622)
    And yes, the FBI also has the right to be able to intercept both your phone calls and your emails if you are under suspicion.

    I get so tired of people using the word "right" when they mean privilege.

    The FBI doesn't have any "rights" whatsoever, constitutional or otherwise. They have privileges, vast privileges extended to them by congress and upheld by courts who are more concerned with expediency than they are the constitution, much less individual civil liberties.

    These privileges include wiretapping. However, if the various government agencies continue to abuse these privileges, congress or the courts could pass a law, or make a ruling, to place additional limits on that privilege, or revoke it entirely.

    Not that either institution is likely to display such courage, but they could if they so chose.

    and while they have the right to look, users also have the right to encrypt their email to prevent this.

    Again, we have the privilege of being able to use encryption to prevent snooping.

    We desperately need a constitutional amendment guaranteeing us a right to privacy, including encryption and control of our data.

    Our forefathers took the right to privacy to be a given, and only really anticipated one possible abuse of it, which they explicitly disallowed in the constitution. Had they taken the subject up more generally this wouldn't be a problem, but alas, they considered privacy in large part to be a given and didn't explicitly write it into the constitution as a right. While they could extrapolate many threats to our democracy, they never dreamed of the kinds of intrusions into our private lives we now take for granted, and are no doubt spinning in their graves as I type this. As a result, a right we all perceive ourselves is woefully missing from our most fundamental law, with the kind of awful results we read about here on slashdot nearly every week.

    Alas, I am about as optimistic about congress and the states enacting a constitutional amendment to protect our privacy as I am about NASA getting a reasonable level of funding. The chances in both cases are unfortunately nil.
  • by Kagato ( 116051 ) on Friday July 14, 2000 @05:56AM (#933623)
    Taking a stand with the FBI is a risky position if you are a smaller ( 20,000 users) ISP. Earthlink has the legal and financial means to defend actions it believes are wrong.

    A head systems admin at a major University once warned me about crossing the FBI. It's a very quick way of going out of business. He made it very clear that the FBI is aware of the economics of ISP's. If you're down for more than a few minutes you'll start to lose customers. ISPs that go against the feds find out pretty quickly that all they have to do is confiscate all your equipment as evidence. Maybe after a year or so you'll get your stuff back.

    I can picture the feds in front of the judge now: "Well your honor, we wanted to place a monitor on the network but they would not allow us to. The only recourse we have is to take the computers and examine the hard drives."

    Bam, Feds come knocking on your door, they leave with a bunch of computers, next week all your customers are gone and you've got bills to pay.
  • Meaning that in a sense, Cringely is right: they don't have to locate the machine right next to the router as traffic comes into the ISP facility; they can locate the box just about anywhere and as long as there isn't a packet filter at the switch, the box could theoretically get every packet.

    No, Cringely is not right. It all depends on the way the ISP is set up, but theoretically if you are on a network segment delineated by a switch, you will not see packets on other network segments beyond that switch. I doubt very much that any ISP larger than a very small one has network where from one non-router location you could sniff all traffic. After all that's why the switches were invented.

    Kaa
  • The only problem is that the data resides on an FBI owned and operated box and they are more bound to the law than most companies/ISPs.

    It's one thing for Toysmart to violate your 4th Amendment rights, but when the FBI does it -- all hell breaks loose and people actually get punished for it. Or at least, that's how it's supposed to work.
    --

  • Blockquoth the poster:
    Someday, someone is going to need to devise a technical solution to these political problems. This is why they are so afraid of geeks - they know we have it within our power to end this form of tyranny for good.
    As others have mentioned, there are rarely technological fixes to political problems. What actually occurs is that technology obviates political problems by so utterly changing the world that the original assumptions, pro and con, simply don't apply.

    Don't believe me? Ask yourself how the United States manages (more or less) to govern workably across a linear distance of 3000 miles. The States could never have remained an integrated political and cultural whole without advances such as telegraphy and the railroads ... ancient empires of comparable size were considerably less stable and considerably more decentralized.

  • The FBI for coming up with this thing or Sprint for even allowing them to connect it in the first place.

    I just love how law enforcement feels how they can invade the privacy of everyone because there are only a few people who are causing the problems.

    This is just plain lunacy, pure and simple.
  • But do they have my best interest in mind? I doubt it...

    Well, duh; most people look out for their own interests first. The trick is finding enough common ground to work with.

    For instance, I don't think that software companies lobbied against Clipper, crypto export regs, etc because they care about my privacy. They did it because the government's policies interfered with their ability to make money. That doesn't change the fact that the lobbying work was beneficial.

    There isn't all that much common ground here (Earthlink's objection is stated to be technical, not political), but it does have the beneficial effect of making things a bit more difficult for the government.
    /.

  • Filtering E-mail requires access to the application layer...

    Bzzzzt. Incorrect. Thanks for playing.

    All email is transmitted from place to place using the well-known SMTP port (port 25). All a router has to do is forward any packets with that destination port (incoming OR outgoing) in their header to the original destination and the FBI's destination, where the individual packets can be put back together into the complete email using all the other fun stuff in the various packet headers. It's like making a copy of every email that gets sent to or from that network. Of course, there really wouldn't be any way for a simple router to know WHO those emails are for; they're not capable of, say, doing a "grep" operation on the actual contents of the data of the packets to find the "To: " field of the email. This of course would mean that every email that goes through that network would end up in the FBI's evil little hands. EVERY EMAIL. Similarly, if they were to forward ports 20 and 21, every FTP packet could be forwarded to the FBI as well as its actual destination. For port 23, every byte of every telnet session. For port 80, every bit of a webpage. You get the idea. And what else is in every TCP/IP packet? Yep; the destination IP address. So the FBI could also know precisely what machine was on the receiving end of every packet, too... isn't that great?

    Now, there's no guarantee that these Carnivore boxes wouldn't do the same thing, of course, but if they only forward emails from/to a particular address (because they DO have access to the Application layer), that would be much better than having to set a router to forward ALL emails to the FBI's minions. Not that I'm saying Carnivore isn't evil... it quite clearly is. "I'm from the government; I'm here to help" isn't one of the All-Time Greatest Lies for nothing, you know.

    Unfortunately, I suppose there are people in this world that are ignorant enough to write stuff like that, let alone buy it.

    ...and other people who, having only part of the knowledge required to accurately pass judgement on someone, are ignorant enough to dispute it. Know your facts before speaking...


    "The best weapon of a dictatorship is secrecy, but the best weapon of a democracy should be the weapon of openness."
  • by Tau Zero ( 75868 ) on Friday July 14, 2000 @06:19AM (#933659) Journal
    Which is worse, that the government is trying to snoop on you without your knowledge, or that a business can usurp the power of the government, and refuse to comply for 'business' reasons.
    Worse than that is a government which dictates your network standards and OS selection so it's compatible with what they decided to use for a snooper. In other words, doing to ISPs what they did to the telcos (but perhaps without any money paid to the ISPs to compensate them for the expense).

    That said, Carnivore is a horrible idea. If the telco can restrict snooping access to particular lines by selecting only the ones used by the persons under investigation, that's fine. Using an undocumented, un-accountable black box to snoop everything going through an ISP is not acceptable; it's tantamount to letting the cops snoop everything on an entire phone exchange because of a single suspect using it.

    Amusing thought: How secure are the Carnivore boxen, and how much egg would the FBI have on its face if someone successfully hacked them? If the FBI isn't having nightmares over this possibility, they're not smart enough to be running something like Carnivore.
    --

  • Well first off, try pgp.com hmm :)
    Or search google.com for pgp

    then try ipsec (which is a bit more complicated) and a few others.

    Everyone and their mother should own a copy of PGP, otherwise you're just unAmerican (hehe)
  • A couple of things come to mind:
    • Although it's possible that your packets may route through the US, they probably won't go near a US box (which is where it looks like carnivore should be posted). The only reason for foreign to foreign email to end up on a US box would be if the US box was a secondary MX for the destination. foreign to foreign packets should get filtered out for security+volume reasons long before they get to local-only servers.
    • That having been said, if the email gets 'accidentally' intercepted by the FBI, there may not be a whole lot you could do. Although it's the CIA that normally does spying on foreigners, my understanding is that the CIA is specifically prohibited from spying on Yanks, but there is no such restriction against the FBI snooping around foreigners.

      It gets worse because (Immigration based) precedents seem to indicate that constitutional rights only apply to people legally in the states. (or something like that). This may mean that, as a foreigner, your rights may be less than US residents would expect.

    IANAL (My sister's a lawyer, but she doesn't talk to me).
  • by pkj ( 64294 ) on Friday July 14, 2000 @06:22AM (#933668)
    According to the C-Net story, Earthlink has no reservations about installing Carnivore and in fact has already attempted to do so. They only pulled it when they discovered that it was "incompatible with their software."

    Although the article does not state as much, it implies that Carnivore will be installed at Earthlink as soon as the bugs are worked out.

    -p.

  • I think it's great that the FBI is using Carnivore, though. I mean, what better way to promote the usage of newer, secure protocols such as IPsec, Secure Shell, SCP, and privacy suites such as Pretty Good Privacy? And what better way, I ask you, to promote the retirement of older, flaky, insecure protocols like telnet and FTP?

    Ok, That's all fine and good for some people, geeks, hardcore internet users, /.'ers.... But what about the newbies out there using the internet to converse with relatives and friends half way round the world? Most of these people have problems entering in email addresses properly.

  • If the government built a public park would that mean it would be ok for all government agencies to surreptitiously intercept and record all communications that take place there?

    Like it or not, the internet is a global phenomenon, and a public resource. Yep, that's right, a public resource. Or should be anyway. Perhaps it's not "fair" to those who originally invested in it, but that's tough. When things become public commodities, control goes to the public. This is why it is ok to insanely raise prices in your little store, but illegal to gouge commodities and form monopolistic partnerships. Some people have the misconception that societies have to be "fair". Wrong. Societies exist for themselves, not the individual. Which is why copyright and patents EXPIRE, and become public domain. They are not god given rights, they are only "privileges" donated to an individual for a limited time by the greater society. Don't like it? Tough. Move to China.
  • Help find it? Heck, it ate it. ;-P Ever wonder how it got the name 'Carnivore'? ;-P
  • I don't like this state of affairs any more than anyone else. But I do feel the need to point out that there *is* a legitimate reason for the methodology the feds have chosen.

    Can you say "Chain of Custody?"

    Evidence in criminal investigations is precious stuff. Plenty of cases have been lost by prosecutors when defense attorneys pointed out that the evidence being used against their client *might* not be kosher. Documents could have been altered. Drugs switched. DNA evidence botched. Or any of a zillion other scenarios.

    Because of this, law enforcement agencies try their best to enforce an airtight chain of custody on any evidence they acquire. You work in the lab and need to re-test those drugs? The property clerk has to sign off that he let the drugs out of his hands and into the hands of an authorized person. The lab tech has to sign their life away that they now possess the evidence and will handle it in accordance with the law. And there better not be even ten minutes when that evidence is out of the control of a sworn law enforcement officer! That's all it takes to get a case thrown out.

    In the case of wiretaps, what's the FBI to do? If they know that evidence may come into existence in the future (which is why they set up the wiretap in the first place), they must make sure that they establish custody of the evidence as soon as possible and never let it out of their hands. Serving a court order on an ISP that says "Hey, would you guys please keep track of this person's email for us? We'll be back to pick it up later." just won't cut it. Any defense attorney worth his salt will point out that email (or whatever) logs *could* have been altered by the ISP employees. In such a scenario, then, the law enforcement officers in the case *cannot* certify that such alteration did not occur because they were not in custody of the evidence at all times.

    Defendant goes free. Slam dunk for the defense.

    So what's the FBI to do? If 'net taps are legal, how on earth can they be carried out without breaking the chain of custody of the evidence?

    Any genius here wanna answer that one?

    Personally, I think we need to just make sure that the data gathered is rendered meaningless through ubiquitous encryption. But till that happens and law enforcement agencies give up on the whole concept of 'net taps, I don't see what else they can do *but* try to install boxes that only they control.
  • Earthlink is a marketing partner with USAA (a fraternal organization which offers financial services--including reduced Earthlink ISP fees-- to current and former military officers, NCOs, and get this, FBI and DEA agents.)

    So that means FBI agents can get Earthlink for their personal ISP at a reduced rate....hmmm

  • by streetlawyer ( 169828 ) on Friday July 14, 2000 @06:32AM (#933686) Homepage
    NEWSFLASH

    In a shock development, noted Karma whore Signal "Siggy" 11 has become a troll! Perhaps demoralised by the constant pressure of the fatwa or "trollslap" launched by his enemies, he released a post full of trollworthy statements. In one post, he combined:

    • The incorrect technical statement: Witness the "NSA key" in Windows 95/98/NT/W2K
    • The moronic political view: Someday, someone is going to need to devise a technical solution to these political problems
    • The ludicrous hyperbole: This is why they are so afraid of geeks - they know we have it within our power to end this form of tyranny for good. We are in control of the ultimate modern day press.
    • Another maddeningly silly technical statement: until we rearchitecture the network to utterly defeat measures like this (transparent crypto?)
    Clearly, Siggy's move into trolling will put pressure on the established slashdot trolls to compete. In a CNN [don-knotts.com] interview, streetlawyer [slashdot.org], speaking for the notorious inchfan [slasdhot.org] troll collective said
    "It's gonna be a challenge. Siggy obviously has huge name recognition, and one has to think that he's using his brand unfairly to push into new markets [microsoft.com]. But I'm not excessively worried. His tech-ignorance is something that we've been doing for a long time, and his sub-Katz geek politics are really too Karma-whorish to show that he "gets it" with respect to trolling. He's got quite a nice line in spurious logic [perl.org], but he's no Dumb Marketing Guy. Bring it on, motherfuckers"
    Rob Malda was unavailable for comment.
  • Somehow I think that there won't ever be any way to "utterly defeat" measures like this

    çéLxÕÑætPÑä-£í8JöJ)Ê$ikÙb*SQË ©J2ÆZôñ)ä®×ýÜÀéqÚ:å}DecTÊ@ryptKèÑ6M~f£ÿ ékmeOjDöif*Û0youÄÀúÛcan£ÿ7çd õÊÓÅ3¼Üóßê£>rè15ìðgVÂÌÕòÝÇF|ä¾õÖN_ë=õó|)kæøiY5ôãv) hÄ øÊ*e+Úõî

    Crack that.

    Political problems have political solutions.

    Yes, and they also have technical problems. Problem: intellectual property rights are overtaking personal rights. Solution: distributed filesharing system, aka Napster/GNUella.

    Nobody cares about what you say or do, because people have more important things to think about than whether you can download MP3s for free or not.

    The fact that online websites like slashdot continue to grow in popularity would seem to dispute that claim.

    It's because of the vast damage that hackers can do with their illegal backdoor penetrations of other people's sites.

    I don't see any world markets collapsing, companies going out of business, or people dying as a result of hacker activity. Sure, they boast that they could do that, but if you believe everything you read you get what you deserve. In truth, hackers cause headaches for business and government. Nothing more. Y2K nuts predicted hackers would go and destroy the world. Hrrmm.. I'm still here. Then they predicted they would go breaking into the 911 and emergency system and shut it down. Gee, why would they do that? Unsurprisingly, they didn't.

    In supporting evidence of hackers' (not crackers') spirit of exploration instead of damage, you'll note most break-ins occur to educational institutions, not commercial. This may be because they are curious about the system(s) they use every day. Go read "Hackers, heroes of the computer revolution" by Steven Levy. Another resource is to consult Appendix B of the Hacker Dictionary - here [tuxedo.org]

    No, hackers aren't dangerous because of what they do, they are dangerous because of what they know. THIS is why these laws are being passed. Thus far, the only big numbers damages from "hackers" have been over-inflated prices of "stolen proprietary information" and macro viruses which, quite frankly, is not hacker activity.

    For all of six weeks until the FBI cracks it.

    What confidence you have in the FBI! They must be able to do what thousands of academic professors dedicated to cracking these codes could not!

  • Our forefathers ....., and are no doubt spinning in their graves as I type this.


    Hate to be anal, but not all our forefathers cared much about the common man. If you look at what really went on there were the federalists and the anti-federalists. Most of the federalists would have loved it if the central government could have such powers. And a few of the anti-federalists also would have loved it if the individual states had such powers :)

  • Speaking of PGP, is there a PGP Disk-like package that'll work cross-platform? That is, if set up a file as a virtual encrypted filesystem on a shared partition, it'll let me access the files from either Windoze or Linux? Or if I put that file on a ZIP, I could then access the files on a Mac (reading DOS format) too?

    Encrypted filesystems (real or virtual) are great stuff, but so is the ability to access the same encrypted filesystem from different OS's.
  • I do love how we all feel that the Internet is a god-given right.

    Sure. "Freedom of speech" carries only as far as your unaugmented voice, and "freedom of the press" doesn't apply to anything but an actual machine which presses ink onto paper with dies.

    And yes, there are laws to make sure that they aren't looking unless they have substantial reason to be looking.

    Specifically, unless they have a court order permitting them to do so. Swell. Only problem is, there's not much difference between an unenforceable law and a bunch of words on a napkin. How will anyone know what they're doing?

    and while they have the right to look, users also have the right to encrypt their email to prevent this. so instead of whining about your god given right to snoop-free internet access, actively protect yourself by encrypting your emails if your privacy is so important to you.

    Riiight... so I take it that when you forget to lock a door or a window to your house, it's your fault if I come in and look through your stuff?

  • Again, we have the privilege of being able to use encryption to prevent snooping.

    No, actually, that one's a right; Freedom of Speech.

    Nowhere does our Constitution guarantee "freedom of speech, but only in English". We have an absolute right for that speech to be gobbledygook, or to merely seem like gobbledygook until the proper key is applied.

    We desperately need a constitutional amendment guaranteeing us a right to privacy, including encryption and control of our data.

    We just need for the US government to choose to sign the Universal Declaration of Human Rights [un.org] and recognize it as a treaty; it would then override the Constitution itself per Article VI [emory.edu].

    --
  • in addition to my original post, the justice department is going to put checks and balances on this system, but it will still function in some way, shape, or form.

    no, I'm not exactly happy about this entire thing, but with those checks put in place, i think the FBI should proceed with this technology.

    and yes, I do feel that if this technology interferes with the service it should not be allowed. however, if it does not, there is no reason why it should not be put in place.
  • There is a cross-platform standard for reading a disk on every OS; it's called "tar".

    Microsoft has chosen to make it difficult for you to use this standard, but free tools exist to allow it. You could carry them on a 2nd disk.

    Said files could be encrypted with PGP or any other tool; you'd probably want to carry that on a disk too, since privacy-enhancing tools aren't considered important by the OS manufacturers either.

    There is no cross-platform encrypted filesystem that works on everything; your best bet would be to carry your files around in tar format, decrypt them on the local disk when you need them, and securely wipe them off the local disk when you're done with them.

    BTW, the primary obstacles to such a filesystem are Microsoft and Apple.

    --
  • The people up in Washington think that they are the government and can do anything they want to. Wrong, I am the government, you are, and every American citizen is the government. I don't know about everyone else but a system like this just makes me sick. I am going to write a few people in Washington when I get home. I suggest everyone else do the same. I think that it is time we quit being bullied around and do something about it. It is funny how history repeats itself. You would think we would have learned by now.

    What if authors said, NO I own the copyright to that book, you can't let people just borrow them for free. We would have no libraries and would be nowhere close to where we are today.

    The FBI saying their intention is to watch criminals is BULLSHIT, the people that we allow to abuse their power are scared, because the internet is not something that they can have complete control over. A team will not work if one person tries to have complete control. We all must be willing to play on the same team, if this great country is to survive.

    When this country was in its infancy the main worry was a central government that was too strong and would not be a team player. Well people we are there. It is time we do something about it. Use our power as the government and fix this problem. The government is not some big mysterious being that we have no control over. We are the government and it is time that we quit whining about it and do something about it.
  • That's true, but the internet has no impact on that freedom. Barring you access to internet has no more affect on your right to free speech than a publisher refusing to publish your book.

    That depends upon who's doing the barring.

    I assure you, if the government ordered ALL publishers to refuse to publish your book, that would be viewed as an unConstitutional violation of your freedom of speech and of the press.

    If each and every single publisher decided separately to refuse you, that's not a violation of your freedom, it's an indictment of your writing ability. :-)

    --
  • Sure. Not only drop packets, but also alter packets and created forged packets.

    Not finding the evidence you need? Or just want to stir things up a bit and see what develops? Heck, just program Carnivore to change some wording in the next e-mail....

    Everybody understands the principle of the basic wiretap. This is much more insidious, particularly seeing as it's a closed box. (Remember the old "Mission: Impossible" series where they'd tap into the phone lines and a voice artist would pretend to be the other party so that they could inject false information?) Can you prove Carnivore can't/doesn't do this at the email level?
  • Your letters will accomplish jack and shit. We are no longer the government, there's 250 million people in the country. Not only do we have quite a large population for a supposedly democratic country but we're also a democratic republic. Being as such we only have the power to protest to our local congressman which has one vote out of ~700 or we can sue the government and take the case to the supreme court. Teams can and do work with one person having complete control, you might call it fascism but it works. Every level of government has a bureaucratic leader which basically has complete control over his or her underlings, this is partly why your letters will have no effect.
  • by alhaz ( 11039 ) on Friday July 14, 2000 @07:08AM (#933727) Homepage
    The problem with antisniff tho is that it's really, really easy to tell when someone is running antisniff on your segment. Anyone who's paying attention *Will* know you're looking for a sniffer.

    But that's beside the point. Most switches (and I've worked with everything from linksucks to 3com to smc to hp to cisco to foundry to extreme, and most in between too) don't give a rat's hind quarters if you're in promiscuous mode. I can't think of a recent switch that does. You can look at all the ARP broadcasts you like but they won't just start funneling the whole backplane to your port. Not unless you're doing something really evil to shut down the filter.

    What you generally need, and I've set up security sniffers for large, flat networks, is what they call a monitoring port. A monitoring port is just a port that essentially gets cc:'d all the traffic going through one other port on the switch.

    Now, most low-end managed switches, like 3Com (ugh, what cruft), support one monitoring port at a time. In this sort of situation, you need a topology where you're funneling all your data through a particular port, or you need many, many sniffers, because switching loops are bad juju. There are ways to set this up that don't suck very much, but they all go to crap when your utilization creeps past 40% or so.

    Mid-range managed switches, like Cisco switches, generally support multiple monitoring ports. This makes it a lot easier on your overall network topology, but you need many sniffers, or many ports on your sniffer.

    Of course, ALL of this presumes that your link is ethernet. 100mbps ethernet isn't a particularly fat pipe for the internal backbone of even a mid-size isp. ethernet isn't what you'd call an adaptive technology, it starts to suck when you're using only 1/3rd of its capacity. Which quickly means that you end up buying big core routers, and having several separate ethernet segments. You start to have a topology that just doesn't lend itself to off the shelf sniffing hardware.

    Yeah, there's gigabit ethernet. But in my network admin days, had a spook shown up and told me that he wanted me to dedicate a gbps port as a monitoring port for my whole pipe, I'd have told him that either he can show me a court order or warrant or he can cram his sniffer where the sun doesn't shine. Those ports are *Expensive*.

    Other technologies used for high speed backbone links - Fibre Channel, SONET, etc, really aren't all that easy to sniff with off the shelf hardware.

    What I'm betting is the fbi said "We have a consumer-grade ethernet port on our sniffer and it has to be able to see allll the traffic on your isp, so you have to funnel every last link on your whole network onto a wire that achieves 14 megabytes per second on paper but rarely in reality more than maybe half that, so that we can protect you from crime"

    And earthlink probably put forth their best effort to implement it merely so that they could document how bad the idea is.

  • 5) in a limited - distribution, boring-by-design press release, state that the requirements have been met.
    Eh. Why even issue the second press release? In this scenario, I'd expect them to quietly kowtow and 'forget' to publicly announce it.

    My guess as to why Earthlink is willing to do this is that they looked at what Carnivore does and realized that it went beyond what the law mandated. If it does go beyond what is allowed, I think that they know that the FBI isn't going to push the issue too much.

    The performance issue may just be an excuse for them to refuse or it may really be the reason why they're balking. It's kinda hard to get inside their head on that aspect of the issue.
    --------------
    Then there is the paranoid interpretation:
    This is a smokescreen. They're working with the FBI. Carnivore is in place and already eating. They're announcing the rejection of carnivore because they're hoping that the criminal element will flock to their service where the FBI can do a promiscuous snoop of EVERYBODY's email (with a pleasant concentration of 'interesting' traffic).

    Be paranoid. Be Very paranoid.
    BTW: IANAL (My sister is a lawyer but she doesn't talk to me).

  • I've been following the whole carnivore thing since just before the story appeared on /. since I saw it on some other news service a few hours earlier. The one thing that keeps bothering me that no one seems to have mentioned is that the FBI is going about this the wrong way.

    After all, when they get a warrant to tap someone's phone they don't go to the Central Office and tap every line hoping they can pick up some of the person's conversations by listening for keywords. Instead they tap the line that feeds that person's home/business line(s). I don't see any reason why they can't do internet wiretaps in the same way. It can't be any more work to "decode" a modem signal or other data transmission than it is to search literally gigs of information per second. In fact in the long term it's probably easier and would take less computing power. So why can't they just tap the lines of the person they want to listen to?

    Just like with a traditional wiretap, if the suspect being watched uses a phone at some stranger's house chances are the feds won't be able to listen in. But so what, that's a limitation they've had to live with for years in order to protect our privacy since we do still live in a country which believes in the presumption of innocence.

    The only explanation I can come up with is that this is a thinly veiled attempt by the FBI to try and take away more of our constitutional rights without going through the proper channels. It's happened before so I see no reason it can't be happening now.

    While I'm no fan of Reno I seriously hope she manages to prove she deserves her job by putting a stop to this nonsense now and pointing out that there's no reason traditional wiretapping measures can't be used for this purpose.
  • Bagh, back in my day we didn't need fancy schmancy snooper programs.

    There was only enough email to keep an FBI staff of 3 busy reading through messages. We just put the FBI on our cc: and it worked on the honor's system. Sometimes the FBI would reply back if they liked what they read.

    Nowadays, all you young hoodlums can't do anything honest, and we need all kinds of expensive fancy equipment to keep tabs on who's doing whats.

    BAGH!

  • I think you've read into the hype a bit too much. While the internet IS a massive network of different networks it can easily be shut down. Information on the net has to travel over a set of physical lines, control these lines and you can control information flowing on the internet. Sure you can use phone lines and short landline connections to network computers but there's no way it could handle the traffic the internet handles now. Outside the US data services are at a premium. Europe and Asia didn't have the National Science Foundation funding the development of internet communications. If someone wanted to shut down the internet proper they'd have to take out key nodes in the "web" and everyone would be reduced to long distance dialup connections if they had anything at all.
  • Are you somehow slow enough not to think logically yet smart enough to read? A box of this sort isn't some overpowered PC running on an Intel chip with Windows or Linux. This is a highly specialized piece of hardware. It's an uber-router that reads the content of mail packets rather than headers.
  • At the time it was a BBS. If I recall they were targeted because of some actions of an employee outside of the company. The secret service thought there might be evidence on the BBS and other office computers.

    The odd thing about Steve Jackson Games was that not only was the Secret Service watching them, but the FBI had agents working there on an unrelated case.
  • by theonetruekeebler ( 60888 ) on Friday July 14, 2000 @07:32AM (#933739) Homepage Journal
    Given the FBI's long history of abuses, power grabs, and rights violations, it's very easy to interpret nearly anything they do as sinister. But by automatically assuming that an entity or opponent is doing is motivated by evil or malice can blind you to what they are actually attempting to do. The problems arise when the guardians become so obsessed with what they are supposed to attack that they lose sight of what they are supposed to defend.

    The FBI's stated mission is to protect U.S. citizens from foreign and domestic enemies by investigating violations of federal law. That is really and truly what they try to do, and for the most part people join the FBI to protect and to serve. And if you are trying to defend the U.S. against its enemies, you need to be able to find them. And to be able to find them, you need to update your surveillance techniques. And if the criminal activity is happening or being coordinated on-line, then the investigation and surveillance has to happen there.

    So the FBI starts advocating things like Clipper chips and Carnivore and starts lobbying for laws that require digital telephone switches have an eavesdropping port built right in, and things like that. Can these tools be used to spy on criminals? Darn tootin'. They are fantastic for that. The problem is, though, that these tools can be misused as well.

    As a civil libertarian, I believe that the U.S. Constitution serves primarily to limit governmental power. It does this because its framers recognized that government power is abusable in such a way that its abuse is not just possible, but inevitable. So we do indeed need to be wary when the FBI wants to put a full-blown sniffer in front of every ISP's switch. We all take it as a given that this powerful spying tool would eventually be turned against peaceable citizens.

    But what is the FBI's current intention for Carnivore? I suspect that in addition to its stated (albeit redundant) purpose as an Internet wiretapping tool, it is designed as a weapon against cyberterrorism; specifically, it is used to identify and terminate distributed denial-of-service attacks.

    We all saw what happened a few months ago when the DDoS attacks happened against CNN [cnn.com] and other high-profile sites. We all saw the havoc it wreaked and how hard it was to track down the perpetrators. But with Carnivore installed in front of the switch, the FBI could watch an attack develop real-time and terminate it immediately: First, they get sample packets from CNN. Then they broadcast a message to all Carnivore boxes to copy and block any packet going to CNN that matches the attack profile. Once the attack is contained, they swoop in with search warrants and arrest everybody who sent an attack packet.

    So that's what they are trying to do. Cringely was only partially correct: the FBI's goal is not to shut down the Internet; it is to defend the entire Internet at one time.

    Unfortunately, though, we can't let them do this, because as soon as the tool is in place, the RIAA will start pressuring the government to start actively patrolling for MP3s, and the whole Carnivore matrix will become the web in which our freedom was finally ensnared.

    On the other hand, I would like to see a Carnivore-type system put in place by an industry consortium. It still strikes me as the best way to defend against DDoS.

    --

  • So what's the FBI to do? If 'net taps are legal, how on earth can they be carried out without breaking the chain of custody of the evidence?

    Any genius here wanna answer that one?

    How about making the FBI do a little legwork and tap at the customer's end, not the entire ISP network. Sniff that broadband connection or listen to the phone lines (contrary to popular belief, modems *ARE* tappable - there are special-purpose boxes to listen to and reconstruct bidirectional traffic from a traditional analog phone tap). Don't tap the entire ISP with a black box. There are other ways to gather wiretap intel; what makes me suspicious is that the FBI chose the "tap everyone and sort later" model, to say nothing of the suspicious nature of a "black box" with full access to an ISP's network traffic.

    -Isaac

  • Actually the government agency responsible for this is the CSE [cse-cst.gc.ca], not CSIS. They are responsible for (at least) SIGINT (signal interception) for the Canadian Government. I infer they are doing our part for Echelon.

    The official URL is void of any useful information, however Google turned up an excellent page [uwaterloo.ca] on the CSE.
  • That would effectively throw North America back into the information Stone Age, and the mantle of technical leadership would be picked up by more advanced countries like Botswana, Kyrgyzstan, and Paraguay.
  • Cringley didn't actually say that their aim was to have the power to
    disable the net, but only that these boxes could act as a switch. I
    understood that as meaning they could do their own routing/filtering,
    which is much finer grained (and less panic inducing) than the on/off
    switch for the whole internet that people seem to be jumping to.
  • Any source or destination port on the network in question can be monitored, whether it's sendmail or exchange or SSH (though that'd probably be useless to monitor) or gopher or irc or Grandma Blattenzweig's Happy Fun Mail Exchange Protocol (GBHFMEP) Server. And yes, I'm sure the FBI would include Exchange ports in their snoopery... since there are plenty of companies out there ignorant enough to use it instead of sendmail just because it has calendars in it or some shit...


    "The best weapon of a dictatorship is secrecy, but the best weapon of a democracy should be the weapon of openness."
  • Blockquoth the poster:
    The Chinese empire lasted for three thousand years ....
    Fair enough. On the other hand, from my admittedly spotty understanding of Chinese history, it's not really fair to say the empire was continuous throughout that time. I believe (but am willing to be corrected) that long periods of stability were punctuated by sharp bursts of chaos wherein much of the structure retreated if not collapsed.

    As an aside, according to http://www-chaos.umd.edu/history/imperial.html [umd.edu], the unification of China into the currently-recognizable entity occurred around 221 BC, so that empire lasted for "only" 2100 years. :)

    The same source goes on to say "The collapse of the Han dynasty was followed by nearly four centuries of rule by warlords." The Han collapsed around 200 AD, so this dark period runs until around 600 AD. The Chinese Empire is down to, at best, 1300 years of continuous rule. But lo, "Misrule, court intrigues, economic exploitation, and popular rebellions weakened the empire, making it possible for northern invaders to terminate the dynasty in 907. The next half-century saw the fragmentation of China into five northern dynasties and ten southern kingdoms... But in 960 a new power, Song (960-1279), reunified most of China Proper." So the Chinese Empire has only about 1000 years.

    In fact, if you look into the history of the Chinese Empire, you find many turnovers and wholesale replacements of the ruling peoples and structures, including foreign domination at least twice. I believe the myth of a super-stable Chinese Empire placidly ruling for thousands of years is just that --- a myth.

  • You know the only sensitive thing about what's in that "box" the FBI wants to install at the ISPs?

    The list of criminals, of course! There's probably no due process (e.g., there might be suspects there). They're trying to protect the list! Sure, the ISPs could run some sniffer code simply enough .. but the list of suspects, the sites the FBI wants monitored, would be right there in the clear, available for any ISP employee (and any hacker) to copy and distribute.

    Which I'm sure all would agree is not a Good Thing.

    As for the boxes having the potential of being switches, of shutting down the Internet, what a load of hooey! All the ISP has to do is unplug the damned thing.

    I'd be concerned about privacy issues, yes, like who authorizes the names on the lists. Are the judges with the court orders in fact informed? Can anyone check on them? If the FBI has a pet judge, can ANYONE's name get on that list?

    That's what the issue is. Ignore that Cringely idiot. He may have good points at times, but he can be dumb as a brick too.

  • by P_Simm ( 97858 ) on Friday July 14, 2000 @08:17AM (#933771)
    I hate to break it to you, but the internet is a global network. All the FBI can do by installing Carnivore systems at American ISPs is piss off a lot of Americans.

    And I won't even touch how completely ridiculous the idea is in the first place ... well okay I will. Why in the WORLD would the FBI try to shut down internet connectivity for the US? And why would they need these boxes to do it? If they don't have the legal right to do so, ISPs and their well-paid lawyers wouldn't let it happen (guess what, ISP technicians can unhook the Carnivore box and go about their business). If somehow the FBI did initiate some digital martial law where they had the right to do this, why would they need the boxes? They could just walk into the ISP with their nice shiny guns and start unplugging ATM cables.

    These Weekly World News /. news bits are great fun, but please don't take them seriously.

    You know what to do with the HELLO.


  • it actually is weirdly legal if the wartime powers act is invoked.

    The War Powers Act is already in effect: the US has been in a State of Emergency for most of a century.

    I'm not totally clear on the details, because this is one of the favorite topics of the conspiracy nutjobs, along with the FEMA Secret Government, black helicopters, UN-run concentration camps, Y2K and the New World Order, and these people tend to GET VERY WORKED UP about it and USE LOTS OF SCARE-CAPITALS!! So it's hard to dig the actual facts out of the noise.

    If I remember correctly, the way it works is, Lincoln created the War Powers Act (or maybe the Trading With The Enemy Act?) to declare martial law and wage war against the South. At the end of the civil war, it was terminated, but FDR invoked it again during the depression, in order to, I think, nationalize the banking system? Something like that, I think it had something to do with seizing control of privately owned banks and creating the Federal Reserve. So then it turns out that the act was never officially suspended, which means that every action of the President since 1933 is technically approved, by default, without any checks and balances from the other two branches, and the Constitution is, technically, suspended.

    Of course, this situation has only rarely been taken advantage of -- as far as one can usually tell, the Constitution is still obeyed. It has been taken advantage of a few times, though, I think by Nixon and Clinton when running some private war or another, but I don't remember the details there. (Only Congress has the power to declare war, but presidents have a habit of going to war without asking We The People first.) I'm not sure where the Japanese-American internment camps fit in to the picture, but they might also have been possible because of this same act.

    This one is somewhat less shrill than most, but it's very long and hard to follow: http://www.afcomm.com/afc/report.html [afcomm.com]

    The Constitution of the United States isn't perfect, but it's a lot better than what we have today.

    ----------------------------

    Oh by the way: http://www.freedomforum.org/newsstand/reports/sofa/foreword.asp [freedomforum.org]

    A Freedom Forum 1997 poll finds that: "When read the text of the First Amendment, 93% of respondents said they would ratify it" but "47% of those surveyed disagree with the idea that musicians should be allowed to sing songs with words that others find offensive", "29% think newspapers should not be allowed to criticize political candidates", and "75% would not allow people to utter words that might be offensive to racial groups."

    I hate it here.

  • Riiight... so I take it that when you forget to lock a door or a window to your house, it's your fault if I come in and look through your stuff?

    YES! If someone fails to take the proper precautions, then he/she has no one to blame but him/herself when things go wrong. That's the way the world works...

    Legally, no, and in fact that's why we have laws: to keep everything from devolving into a simple power struggle. Where I live, if I enter your house via unlocked window and search your effects without your permission, I am criminally liable.

    Naturally, though, we should take precautions to protect our privacy. Like keeping these silly boxes off our networks.

  • by PD ( 9577 )
    >telnet -x helium
    telnet: Warning: -x ignored, no ENCRYPT support.
    Trying 9.53.200.182...
  • Cringely blew it. A couple of posts (250 [slashdot.org] and 112 [slashdot.org]) have touched on the issue. Promiscuity isn't enough to receive everything, because there is no central point that it all goes by to receive it at. Any medium or large ISP or colo center, or even most small ISPs that have multiple locations, have a bunch of routers and switches that are designed to keep traffic flowing on the LAN or WAN segments where it's needed and not flowing on segments where it's not needed, because you have to do that to make things scale. A colo center might put your host on a 100 Mbps Ethernet with a dozen other hosts, and you can sniff their traffic, but the data switches that get the traffic from their 155 Mbps OC3 or 2.4Gbps OC48 to the Internet aren't going to shove the traffic from all the other 100Mbps Ethernets in the building onto yours - it won't fit. Each one gets only their own local traffic. Buying one host at an Exodus location isn't going to snoop all the OC48s coming into the building, nor will it snoop all the traffic going between servers in the same building (big hosting centers get a lot of traffic like that.) If you know that usualsuspects.com has a web server there, and you asked really nicely, you might get put on the same Ethernet segment, but that's not the one that whitehouse.gov or gambino.org are on, so it doesn't do you much good.

    Some ISPs might put all their mail servers on one big fast Ethernet so everything routes there, which makes it easier to do centralized management and some security, but traffic that isn't going to those mail servers doesn't go to that segment. This means that if you dial in to ISP A, and use your web client to access a web server at ISP B, or your POP client to access a mail server at ISP C, or your email sender to send mail to an SMTP server at ISP D, you're probably not going through ISP A's POP server Ethernet, you're just going through the LAN connections that get you to the routers going to those other ISPs. If it's all in one building, the carnivores might hang a bunch of promiscuous taps on every segment there and go into some big hacked multiprocessor router-thing, but anything less won't cut it.

  • That's BS and you know it. Both MS and Apple's OSes have publicly documented interfaces for custom filesystem modules.

    What does that have to do with the fact that they don't *INCLUDE* any such filesystems with their OSes?

    Or the fact that their documented interfaces are wildly different than those used by the majority of other OSes, making it a real PITA to code for them?

    It's not BS, and I know it.

    Fact: Microsoft could choose to work with the Unix world to support a standard.

    Fact: They choose not to.

    Fact: They change their own interfaces so often that not even the Microsoft-world encrypted filesystems (such as SFS) can keep up.

    If you really want encrypted access to your files from Microsoft, Apple, and Unix, you basically have one choice:

    NFS over secure tunnels. SSH is probably good enough, IPSEC is better. There are other options, but they're even more expensive.

    I didn't make it that way, it just is.

    If it wasn't, there'd BE a cheap cross-platform standard, because so many people want one. Microsoft would NEVER package such a standard, however, because it goes against their strategy of trying to get people to switch their whole networks to NT.

    If you could access your encrypted Unix filesystems from NT clients with out-of-the-box, supported-by-Microsoft tools, you'd have less impetus to switch those servers to NT, and Microsoft would never allow that.

    That's why they don't support standards worth a flip, it's why they try to break Samba every couple of service packs, and it's even why their telnet client sucks big green donkey dicks.

    --
  • The States could never have remained an integrated political and cultural whole without advances such as telegraphy and the railroads ... ancient empires of comparable size were considerably less stable and considerably more decentralized.

    The US did not remain integrated. There was a big and bloody civil war which started because communication between the seat of power in the north and the southern states was so limited. The south, rightly, claimed the north was ignoring its needs on many issues.

    By the end of the war, telegraphy was starting to become widespread. The telegraph and introduction of a standard railroad gauge in the US did more to heal the rift between the north and south than any politician's hollow promises.

    The same holds true for the British Empire. It achieved its glory days before there was sufficient communication to sustain it. So it collapsed because the needs of each far-off colonial outpost couldn't be met in a timely manner by England. Much of the blame for lack of communication, navigation, economics and other things rests squarely on the shoulders of a very corrupt societal structure. There was a good movie on the search for longitude which highlighted this recently.

    Is that off topic enough for a Friday night?

    the AC
  • Actually, after reading Reid v. Covert, 354 U.S. 1 (1957), it appears that you are indeed correct.

    Serves me right for dropping out of pre-law before we got to that. :-)

    --
  • I mean, isn't sniffing email messages intended for a recipient the same thing as tapping a phone line? The intent is to communicate something to one person only, right?

    Yes, it is. Which is why the original carnivore announcement made it clear that warrants are required. The warrant is required to read the email of that person who is being intercepted.

    I cannot get behind the idea that it is an invasion of anyone's privacy for a machine to "sniff" a packet and determine if they want to save it or not. If you are worried about it sniffing beyond its warrant deal with that! Let's talk third party authentication of the programming, inability of the FBI to change the programming from off site, things that matter! But if there is a warrant for the person being sniffed, I really doubt that the law will be struck down based on other people just getting their packets sniffed by a machine that then keeps no records of the examination.

    It's like saying that if I listen to a police band radio, I'm also invading the privacy of cell phone users, because my equipment is theoretically receiving them, even if I'm not listening. I don't think anyone outside of the hardcore geek/privacy minority will see a legitimate invasion, and privacy advocates would be better off demanding protocols to prevent non-warranted sniffing.

    -Kahuna Burger

  • ---
    Or the fact that their documented interfaces are wildly different than those used by the majority of other OSes, making it a real PITA to code for them?
    ---

    I've got news for you - in terms of marketshare, they are the majority of OSes.

    By your logic, Unix/Linux should conform to the market leader. Didn't think so.

    Don't blame the platform leaders if someone else doesn't develop a new file system. I don't know so much about Microsoft, but Apple hasn't significantly changed the manner in which you can access the filesystem. There have been a few file-system wide encryption tools out there already.

    Hell, recent versions of MacOS include basic encryption features already - built into the OS.

    - Jeff A. Campbell
    - VelociNews (http://www.velocinews.com [velocinews.com])
  • How odd. `or it can act as a switch' were the last words appearing in
    the article as I downloaded it, which struck me as a strange ending
    for the article... http error I guess.


    Do we know the design of these boxes? For surveillance it is enough
    to send the packets to the box, which does nothing to affect the
    performance of the routers.

  • The article suggested to me that there were technical issues (as opposed to legal or political ones) that influenced Earthlink to deny Carnivore. Perhaps it is the case that if the technical issues are resolved, they might allow Carnivore in.

    Unlike many thousands of smaller ISPs, Earthlink is a 5-9's kind of operation. They have architectured their network to ensure a minimum of downtime. I've been a subscriber for a few months and have experienced no outages (aside from the IRC server being attacked, but that's not really in the 5-9's realm). Building a network like that is no easy task. You have to make it so that NO single failure can bring it down. No... you have to make it so that you can have one each of everything fail and it still be fully functional.

    I've designed a couple of smaller networks like this, and there are a lot of technical issues involved. If Carnivore were to be in them to be able to monitor the network, and assuming it was just operating in sniff mode (which is all it should need to do) it would still have to have multiple connections at multiple switches, and almost certainly multiple boxes all over the place. Deploying something like Carnivore while also NOT disrupting the network would be a major project.

    There is also the issue of how to get a sniffing tap into the network in the first place. In a small network I recently designed, it would have to tap into 4 different switches to be able to capture everything. My design at least did have switches, most of which can set up port 0 as promiscuous (though if it has a bandwidth lower than the whole switch, you lose packets). Earthlink is way larger than what I built, and has so many points of presence and so many points of exit, that I would imagine that Carnivore would have to be deployed in perhaps as many as 100 instances, each of which having perhaps approaching 100 fiber connections. That kind of scale may well not even be practical (aside from the fact that the ISP is probably already using the promiscuous port for other purposes).

    There are other approaches that reduce the scale, such as policy routing port 25 through different paths. But even then you have to have first a point where port 25 is diverted from, and then a point where port 25 can be re-injected without being re-diverted again, and that forces an architecture with more hops than most ISPs have (an architecture that also doesn't scale to 5-9's very well, either).

    I suspect Carnivore has technical limitations when you consider the scale of some of the networks like Earthlink/Mindspring/Netcom and others like AOL. Then what about all of those smaller ISPs? If the big ISPs let Carnivore in, many people will shift to the smaller ISPs (not necessarily because they have something to hide, either) so it would end up having to be deployed nearly everywhere (though maybe it can be done at the upstream backbone).

    I just don't see it being that simple to do. Anyone else have any more technical details on this black box?
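
The tap-placement and mirror-port points raised in the comment above, worked through as an added example that is not part of the original thread. The topology, switch names and traffic figures are constructed, and the function names are hypothetical.

```python
from itertools import combinations

# Constructed sample topology, not any real ISP's network.
# Each flow is (name, destination port, Mbps, switches the flow crosses).
FLOWS = [
    ("dialup-pop-1 -> mail",        25,  40, ["access1", "core1", "mail-sw"]),
    ("dialup-pop-2 -> mail",        25,  35, ["access2", "core2", "mail-sw"]),
    ("dialup-pop-1 -> remote SMTP", 25,  20, ["access1", "core1", "border1"]),
    ("dialup-pop-2 -> remote SMTP", 25,  15, ["access2", "core2", "border2"]),
    ("dialup-pop-1 -> web",         80, 300, ["access1", "core1", "border1"]),
    ("colo -> web",                 80, 500, ["colo-sw", "core2", "border2"]),
]


def smtp(flows):
    """Only the flows addressed to port 25."""
    return [f for f in flows if f[1] == 25]


def switches(flows):
    """Sorted list of every switch that appears on some flow's path."""
    return sorted({sw for _, _, _, path in flows for sw in path})


def observed(taps, flows):
    """Names of the flows that cross at least one tapped switch."""
    tapped = set(taps)
    return [name for name, _, _, path in flows if tapped & set(path)]


def min_taps(flows):
    """Smallest set of switches that together see every flow.

    Brute force over tap sets of increasing size; fine for a handful of
    switches, and it makes the 'how many taps' question concrete.
    """
    names = switches(flows)
    for size in range(1, len(names) + 1):
        for taps in combinations(names, size):
            if len(observed(taps, flows)) == len(flows):
                return taps
    return ()


def mirror_drop(switch, mirror_mbps, flows):
    """Fraction of a switch's traffic lost when it is all copied to a
    mirror port that is slower than the combined load."""
    load = sum(mbps for _, _, mbps, path in flows if switch in path)
    if load <= mirror_mbps:
        return 0.0
    return 1 - mirror_mbps / load


if __name__ == "__main__":
    mail = smtp(FLOWS)
    print("tap on mail-sw sees:", observed(["mail-sw"], mail))
    print("taps needed for all SMTP:", min_taps(mail))
    print("taps needed for all traffic:", min_taps(FLOWS))
    for sw in ("mail-sw", "core2"):
        print(f"{sw}: {mirror_drop(sw, 100, FLOWS):.0%} lost on a 100 Mbps mirror")
```

A tap on the mail-server switch alone misses SMTP that leaves for other providers, and a mirror port slower than the switch's aggregate load silently drops most of what it is meant to copy.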

  • That's great, except that businesses are not citizens and have no rights to free association, enterprise, or anything else. Business is allowed to do exactly what the citizens of the nation allow them to do, and the usual instrument of the people's will is the government.

    That being said, if there was a way for individuals to be civilly disobedient (see .sig) I would be all for it.

  • Tar doesn't fit the bill. And actually, 'ar' is better suited because the index gives you faster access to files buried at the back of the archive. (And I once implemented a system like this to get around a 40-file quota (but no limit on file size!) on a Cyber mainframe I once had an account on.)

    But creating cleartext copies on the disk is a huge flaw, one might as well just not bother encrypting in the first place.

    Consider: PGP Disk lets me create, say, a 100 MB file on a FAT filesystem which it'll then mount as a virtual disk. I can see the file if I mount the partition under Linux, what's needed is something that'll understand the loopback filesystem embedded in it so I can mount it. (For that matter, PGP Disk makes a Mac version too, supposedly -- can the Mac version read the Windows version?) Everything below the hooks into the OS to make the contents of the file look like a filesystem could/should be common to all platforms, that's just whatever format the author chooses. But is such a cross-platform package available? (For that matter, is there open source available for mounting a file as a filesystem on Windows and Mac, encrypted or not? From there it's a simple step to encrypt the thing.)

    (Of course, the truly paranoid will re-wire their drive controllers and make personal patches to the OS as well as using strong encryption, for the same reason that crypt(3) perturbs the DES algorithm: it makes it tougher for the folks that might have hardware solutions.)
  • The FBI blurb did not describe the technical issues that are the reason why Earthlink did not allow Carnivore. If it is truly a plain sniffer, how could there be technical issues? The answer is there are such issues, such as determining where to sniff. Maybe the FBI wants the ISP to re-arrange the network so all traffic goes through a single switch where they connect to?
