University to Review Carnivore
stubob writes "CNN.com is reporting in this article that within the next 2 weeks a university will be selected to review Carnivore. This is apparently a follow-up to this story posted on Slashdot last week. It will be a hardware and software review, lasting until December. The FBI has not decided which university will perform the review, and no information was given on who at the university will actually be performing the review."
Re:SSH, PGP (Score:1)
Bob Jones U. doesn't use computers (Score:1)
WWNPD? (Score:1)
What Would Natalie Portman Do
Hint: It involves nudity and petrification!
(She'd probably kick an arse or two
that's what Natalie Portman'd do!)
press release (Score:1)
The FBI's Cornivore system will be reviewed by specialists in Content Analysis at Harvard that *cough* developed *cough* it, and will present a *cough* biased report tailored to reveal as *cough* little as possible but to *cough* placate the public as much as possible.
Just one university? I don't think so! (Score:1)
DOJ/FBI not off the hook- this doesn't comply... (Score:1)
Which University (Score:1)
Ummm, The FBI has not decided which university? (Score:1)
Re:And in other news today... (Score:1)
~afniv
"One could be glad if the air were as pure as the beer"
Coincidence? (Score:1)
The interesting part appears in one of the paragraphs that talks about the company's background:
"The eSniff technology is the brainchild of Thomas Donahue. He was the founding VP of Technical Operations at Colorado Supernet, Inc....served as VP of IP Services at Qwest Communications...etc."
It goes on to say, "Tom became renowned in the area of network security. Because of Tom's reputation, the FBI asked him to help crack a very difficult case." (That case was Kevin Mitnick.)
The last sentence of the section reads:
His experiences confirmed what he already believed - that there is an enormous need for network monitoring, and that monitoring is a vital component of organizational security.
I just can't help but wonder if there's a connection here. Hell, we had the NSA contributing funds to a company that was pushing the sale of drivers' license photos so they could be used for a new POS identification system, so...
Sources (Score:1)
On topic, I'd wager that the FBI has a preexisting relationship with this university, having been named so quickly.
OK, that's pretty ironic (Score:1)
Re:CIA (Score:1)
And the winner is....The School of the Americas! [soaw.org]
Re:FBI's selection method (Score:1)
Anyway, everyone knows that Penn State students are only good at drinking and rioting.
Sounds pretty pointless...for both sides (Score:1)
Why not just post the entire source code on the Internet? If what they are doing is so secure and trustworthy, surely everyone can look at it to no detriment to the FBI.
--
Easy answer (Score:1)
Who will do the review is simple: it will be an undercover agent placed in the university to watch the rebellious students. It will help that the agent is probably a network administrator because having access to tap the network makes spying sooo much easier.
@stake in my neighborhood (Score:1)
Don't bother, I know what it is! (Score:1)
You see, anyone who has watched the X-Files closely will automatically know that Carnivore is an alien derived system composed of new and mysterious technologies. They are monitoring our email to disclose the best time and point of attack!
The FBI is actually just a shield for the impending alien invasion! They are among us!
okay, maybe not.
Re:This is Bad! (Score:1)
Re:Umm.. why a university? (Score:1)
--
FOIA Documents now! Not in six months! (Score:1)
I would say this tactic works fairly well, nobody's thought about the missing/found nuclear hard drives at Los Alamos lately. I wonder how the token non-investigation is going.
-- Greg
Re:University of Quantico? (Score:1)
No, that's phase II of the Carnivore test, the torture test.
George
Re:One university? No. (Score:1)
http://www.tuxedo.org/~esr/jargon/html/entry/Ze
He's just saying that you'd need more than one, whatever that number happens to be.
Re: (Score:1)
And in other news today (blatant swipe) (Score:1)
"It is definitely a creative masterpiece," stated Rufus Niederman, spokesperson for the 20 student review team, "we feel that it will be a real attention getter in the years to come. Although the plotline is really just a re-hashing of a standard theme, the powerful new twist should be quite an audience grabber."
The FBI was enthused by this accolade, and intends to shoot for the widest possible distribution. Look for it, coming soon, to a screen near you.
Clipper Chip Redux (Score:1)
Dorothy Denning is still at Georgetown.
I'm sure she would give it the usual thorough treatment...
Re:Why does the FBI get to choose? (Score:1)
I would think less time spent in the government would be a plus.
Think of all the tricks Al Gore must have picked up from Bill.
Later
Erik Z
Re:I'm a little confused. (Score:1)
People could argue (I wouldn't be one of them) that more recent actions by the FBI demonstrate that their willful disregard for the constitution did not end with Hoover. Ruby Ridge and Waco are examples of this.
No organization should have unchecked power, and in my opinion, Carnivore is too much power without enough checking.
Not Really a University (Score:1)
This is quite different from handing it to some random CS department. Not necessarily better, but different. SDSC is one of the NSF funded Supercomputer centers. They are more closely associated with UCSD now than when I worked there, but it's definitely a research center, not a university department.
This is Bad! (Score:1)
This is not cool. :-(
Use FOI act to access the review!! (Score:1)
On another note, what will the criteria be for the study? Will that be public?
Will they hand back a good/bad one word report?
Will they explain how it works? Who determines the study criteria?
Will they even be able to see all the code?
Someone needs to FOI the FBI into submission.
(I just hope the university gets lots of government money to make the FOI act a possibility.)
FBI's selection method (Score:1)
2. You are going to review Carnivore whether you like it or not.
3. Here are your results in case you forget to give us a good review.
I'm really not paranoid. I would like the FBI to pick a credible school (i.e. MIT). However, Penn State should be their choice since it is the best
-An alumni of PSU
Rigged demo, rigged outcome (Score:1)
--
A University (Score:1)
-Daniel
Are they going to be nice about this? (Score:1)
What they should do, is only set it up to monitor certain e-mail accounts, that the students KNOW about, and then have them all send messages over a couple of days that might trip off the system that shouldn't, some that really should, etc, and see what the administrator comes up with.
If this system causes more e-mailings to be read than should be, it should be done away with.
Don't we all love the FBI? They are the PERFECT group to bring change in America! I mean, under J Edgar Hoover, they solved the problem of Martin Luther King REALLY quick. Oh, and let us not forget how much they helped with the JFK Assassination! Don't we have so much to thank them for?
This all makes me want to grow up to be an FBI agent. That way I can read all of CmdrTaco's e-mail from us weird
Re:Choose your own executioner? (Score:1)
Be cool if they sent it here (don't worry, we'd do a good job). Though since I don't work in the security lab I doubt I would ever get to see it.
Insanely obvious (Score:1)
Why does the FBI get to select the University? (Score:1)
Shouldn't, instead, it be a court or some other third party that gets to select the review board?
FBI & Universities (Score:1)
In a seemingly unrelated news today,.... (Score:1)
Some have launched special schemes, for example Boston U. is now giving away 2000 marks extra credit to anybody who can hack into FBI and select their univ by computer.
Other Univs are taking aggressive measures and crashing each others Networks with mutated CIHs etc.; so that FBI picks the one with a functional lab.
More news later. Keep your browser open and refresh often.
This Site is cool. Don't be a fool. Click here [iotaspace.net]
It's nice the FBI recognizes the college folk. (Score:1)
A cool Site to see. Is entry Free. [iotaspace.net]
Re:So what if it's reviewed (Score:1)
Hmm (Score:1)
GO CUNY (Score:1)
Re:Please not me..... (Score:1)
Sendmail is hosed and SIMS won't be ready for the beginning of the semester.
Now there's an interesting thought. Can Carnivore keep up with SIMS? A packet sniffer can catch the packets, but sustained operation requires both capture and analysis. SIMS's MTA can be quite a handful.
Temkin
those evil students (Score:1)
Actually this is kind of scary, since most students who have any smarts should be using rsh, and pgp. I wonder if the school would have some sort of policy against those programs on their network if they were pushed to it.
kick some CAD [cadfu.com]
Hmmm...Conflict of Interest? (Score:1)
FBI's Carnivore To Undergo University Review
The final review team will include ...
Donald Kerr, the FBI's Laboratory division
assistant director ...
Sounds like this is gonna be real objective.
A pointless political stunt and a waste of taxpayer's money.
Re:What criteria will they use to choose a univers (Score:1)
If Carnivore passes, all of its opponents will claim that it was bias and pressure from its supporters.
If Carnivore doesn't pass, all of its supporters will claim that it is bias and pressure from its opponents.
Of course, you could put both opponents and supporters on the review team and hope the biases balance out.
Eric ze Kidder
Academe For Sale! (Score:1)
Sorry couldn't resist
Re:Columbia? (Score:1)
Columbia? (Score:1)
PSSST. FBI, I'll tell the world that your software is harmless if you slip me a $20 and a nice review.
hmmm (Score:1)
Re:Choose your own executioner? (Score:1)
Well if you ask Katz he'll tell you it's a conspiracy, because everyone knows the Universities are all for sale now.
Re:University? (Score:1)
Re:Umm.. why a university? (Score:1)
Send it to a "Patsy" school... like RIT... (Score:1)
Yeah... while they're at it, they'll probably plant a couple of FBI spies into the RIT architecture there too. I'll trust them... sure!
Re:One university? No. (Score:1)
A university is at least an objective (we hope) third-party. And if you select a university of sufficient size with a CS department of good reputation, such as MIT, Berkeley, or Illinois/Chicago-Urbane (sp?), I think you could be assured of a good, professional evaluation. Two would be nice, but perhaps a bit of overkill.
An impartial review...? (Score:2)
And then we're supposed to accept the results as having some significance or relevance?
Excuse me, but have you EVER known an "impartial" review, when the reviewee pays the reviewer?
OF COURSE they're going to pick people most likely to be sympathetic, and ply them with "sweeteners" to "encourage" a favourable result.
If the FBI wanted a genuinely honest result, they would be taking a hands-off approach. They'd make Carnivore available to a RANDOM assortment of Universities, place NO constraints on who was to do the testing (detailed records would be ok, though, and very desirable), and provide proof that they had NO contact with the researchers, the University, or ANY friends or relations, during the work.
(They could reasonably be expected to ensure that no other intelligence agency did, either, though.)
Because it's cheaper... (Score:2)
Logging Method (Score:2)
Hey, wait a minute, how does Carnivore get its logs back to the FBI? Is the FBI going to have removable media in this thing and have the logs sent by snail-mail? Otherwise how the heck is this thing going to transmit stuff back when it's installed at a busy site with a saturated outgoing connection? Would the ISP be able to do traffic analysis on the transmitted traffic to determine what kind of data the thing is logging?
So many questions, so few answers.
Re:I'm a little confused. (Score:2)
Um, no. The FBI has been exonerated repeatedly for what happened at Waco.
Not that I would trust the FBI to keep its nose clean, but at least blame them for things that are actually their fault.
-jon
Re:University of Quantico? (Score:2)
Re:The University will be Biased (Score:2)
In the end, only Congress and the courts will be able to check the powers of the DOJ, which is reaching beyond the 4th amendment with Carnivore.
The court of public opinion will only be satisfied with complete public disclosure and verification that their rights aren't being violated.
The University will be Biased (Score:2)
one that receives grants from DOJ. If not, then there would certainly be some other financial/political conflict of interest. After all, every university receives copious amounts of funding from the US Government.
Actually, it won't be the University as much as the professors at the university. There *has* to be at least one professor in the DOJ's pocket somewhere.
Umm.. why a university? (Score:2)
They bloody well better! (Score:2)
I am always wary of that sort of thing because universities are easily pushed around by the NSA and other similar bunches of spooks-in-suits... If they are easily pushed around on what cryptography research they can do and/or publish, why not deliver a fixed report after some smoke-filled-room discussions... Not to sound like a paranoid, but I'm usually skeptical of this sort of thing because we always find out 20 years later once things get declassified that the public was being lied to. It happened with the civil rights movement, where the army and the FBI were keeping lots of surveillance people busy watching potential rabble-rousers... It will happen again now with this, and we'll only find out after it's too late, and it'll happen yet again with tomorrow's technology so the powers that be can keep any free thinkers under their thumbs...
Police the policemen - make our own ZooKeeper (Score:2)
Filter out all but the packets that pertain to the subject under the warrant - the Carnivore system gets NO chance to exceed its legal bounds.
You could even get fancier and "expunge" the subject line from the mail header packets that are fed to Carnivore.
I doubt this would be more than a few weeks worth of work for the right hackers 8-) Maybe even be a "floppy" distribution like the one-floppy router project. Call it ZooKeeper (feeds the Carnivores and Omnivores).
The FBI can't really object - we can make the source code available for THEM to audit. It does exactly what they need, so a court should back up someone using it (i.e. they ARE cooperating fully).
Any takers?
Re:I'm a little confused. (Score:2)
OK... From the story....
But privacy advocates and some members of Congress fear the system may cast too wide a net, encompassing private information about legal activities and leading to potential abuses. (emphasis added)
Some members of Congress feel that there is potential for abuses. The only way for potential abuse is for monitoring information of non criminals/suspects which means private Americans and corporations. From what I understand the FBI was instituted to protect, in part, the protection of Americans' privacy. Some of our own congressmen admit, by implication, that the FBI is corrupt. I don't know about everybody else but if I had a choice I would not want the FBI involved in anything remotely close to me due to the possibility of abuses. In fact if I had a choice I would have the power of the FBI GREATLY reduced so that Americans' privacy would have more protection.
Licensing ROMs is a possible solution (Score:2)
I remember seeing an interesting documentary on A&E about Las Vegas slot machines. There's an industry where the software that runs the machines quite likely could be (and as the documentary pointed out, has been) tampered with in favor of the issuing party. This is extremely serious, because if people don't believe the machines are giving them fair odds, they won't play, and Vegas would be finished (the machines run the town).
To prevent this, the ROMs that the machines run are *tightly* monitored by a government review board, who, I would assume, employ assembly language gurus and the like to make sure nothing fishy is up - and this board can randomly inspect any machine, at any time, for any reason, and god help you if your ROM doesn't match the one on file.
Such a system would work very well to control the carnivore system, I think. Of course, my country isn't proposing to do anything this insane, yet.. When I think about it, sweet jesus, it's scary - they want to be able to tap any email or internet connection (packets are packets, right) at any time!
There's got to be a mechanism put into some of the popular mail readers (mozilla?) to allow for hard encryption during transit happen real soon like. I mean, who gives a @#$@ how crappy the passwords are stored (put them in a .conf file) just so long as they're being *used* for email, ideally, transparently. Then Carnivore is effectively useless. Too bad Microsoft wouldn't implement something like that - would be sweet. Or even if ICQ supported it (there is an ICQ client for secure comm now, Linux only..)
Just some thoughts.
Re:Umm.. why a university? (Score:2)
Of course not. I applied back in the 80's. I haven't heard from them yet.
What university gets to test? Here's a theory (Score:2)
Phone rings...someone on the other end of the line picks up.
Voice: "Hello?"
FBI Director: "Uh, yes, hello, this is the director of the FBI speaking. Ummm...I'm doing some..uhh..research here and I need to know the top ten most government funded universities in the US."
Voice: "Well, University X received this much, University Y received this much, and University A tops the list with a whopping X amount of money given to it by the government."
FBI Director: "Right!! Thanks!"
Director slams down phone. Leans out of office window, yelling:
"Johnson!! That university that we were looking to test Carnivore? I've got one lined up!"
This was meant to be humorous, not to be taken seriously by any stretch of the imagination. Please moderate and reply accordingly.
Re:Hmm (Score:2)
bought out for research.
The FBI should be forced to comply with FOIA (Score:2)
Re:CIA (Score:2)
CIA (Score:2)
You are more than the sum of what you consume.
Translation: (Score:2)
OK Kids.. Here's five dollars, you have twenty minutes to 'review' the system.. No you may NOT open the box - Here's the instruction manual:
Welcome to new CARNIVORE system
Your new CARNIVORE system made from component of hi quality. If use, keep dry. Not to open style case with not user serviceable parts inside.
To Operate
1) Press POWER button
2) plug to NETWORK connection
3) Wait for single beep tone
4) Leave connected- Only AGENT use now
If Problem occur
1) Check power cord - Is plug in?
2) Did POWER button completely depress?
3) Contact AGENT for assistance, No user serviceable parts inside.
A little reaching, but... (Score:2)
Internet2 is already there, with several tech-filled campuses using it. Why not just have the Internet2 test out the Carnivore and have those U's figure out its flaws, its innards, and what vulnerabilities to people's rights it would have.
To me, that seems like the best idea, and it won't disturb anything with other countries or people's rights, just make the U's on I2 a little more worked, but for the good of everyone.
Dragon Magic [dragonmagic.net]
Pick me! Pick me! (Score:2)
Seriously, do you want to end up with a bunch of students reading through (Ada, no doubt) obfuscated (wait, I already said Ada) source code and trying to figure out what it does? After all, the researchers are all too busy working on corporate research to be able to do this...
Anyway, all there needs to be is ONE buffer overflow/security hole in the code, and then the FBI can get in and push bits around on the stack until it's reading everybody's email. Remember to check for that!
University of Quantico? (Score:2)
Question: Does the FBI Training Academy count as a university?
Re:University? (Score:2)
The leader of the review will be a professor who will be spared from charges related to that 17 yr. old freshman he was screwing last semester..
Re:Umm.. why a university? (Score:2)
This way they can play it for ratings value by handing it over to a bunch of university legal scholars, who will probably arrive at some informed and intelligent opinion, which then can be thrashed about on Larry King Live, handed back to the House (via the FBI) where it can languish and be debated ad nauseum, despite good thought already put into it, but because it's not Dems or Gops.
Rather than toss it to the combatants^H^H^H^H^H^H^H^Hcandidates (Bush & Gore) who would thrash it around, get it politicized in the House and Senate (because it's an election year) then be implemented anyway after January 21, 2001.
This really is a hot topic, but I haven't heard any candidate say anything pro or con about it... Am I just missing it in the news, or is Bush in favor of it because his father (George Herbert Hoover Johnny Walker Anheuser Bush) - an old spook - likes the idea, and Gore likes it because he could read those secret emails still going back and forth between Monica and Bill?
Vote [dragonswest.com] Naked 2000
What criteria will they use to choose a university (Score:2)
CMU will do it. (Score:3)
I've got a plate of rice crispie treats and a pint of Guinness that says they do it. Anyone want to bet?
Why does the FBI get to choose? (Score:3)
If this is a public inquiry required by the gov't, why not let the public decide which university? Anyone else think this is a bit strange?
Also, totally OT, but... this is killing me...
Anyone else worried about G.W.'s ties to the CIA? I mean, his father was the head of the CIA for a while (during Iran-Contra, I might add), and now, all of a sudden, BOOM his son is up for President. His son with 5 years of political experience...
So the former head of the CIA pulls some strings and gets his son nominated for president... Said son states that one of his 3 main platforms is national security....
I'm scared, and I'm wondering why no one is talking about this.
I guess it isn't really even offtopic. I mean, Carnivore is the FBI's surveillance system. Does anyone honestly believe that the CIA doesn't have a surveillance system in place?
I don't like Gore either, but with GW's puppetness, CIA ties and stated platform of national security, I'm more than a little worried.
So what if it's reviewed (Score:3)
Now, this should only be done when a full wiretap authorization has been given by a court order. The part that needs Real Close Examination is the logging of enabling and disabling such captures. If that's sloppy or has holes then anyone could be monitored without proper authorization.
Beyond that one should be asking what will be done to review that logging - will this be done by the FBI, making sure that the FBI is only watching who the courts have said they could? Self monitoring has certain weaknesses ...
This also applies to the "trace and trap" or "pen register" modes, where only the From: and To: information is being captured. The code review can confirm that the mode works as it should, but it also should confirm that moving from trap and trace to full capture mode gets logged as well.
US citizens might consider the establishment of a standard for wiretap authorization; perhaps as a rider to CALEA. This would involve digital signatures for enabling levels of authorization, with an indirect process to generate the electronic command - the FBI asks, the court grants and sends the enabling command. And the code is well reviewed for any holes in the enabling and logging logic.
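The court-issued enabling command and the logging of every enable, disable and mode change that the comment above asks reviewers to check, sketched as an added example (not part of the original comment and not Carnivore's code). HMAC stands in for the digital signature, and the key, order fields, class names and sample orders are all constructed assumptions.

```python
import hashlib
import hmac
import json

COURT_KEY = b"constructed-demo-key"  # assumption: stands in for the court's signing key
MODES = ("off", "pen_register", "full_capture")
GENESIS = "0" * 64


def canonical(obj):
    """Stable byte encoding so both sides hash and sign the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_order(order, key=COURT_KEY):
    """Court side: authenticate an order {target, mode, expires}.
    HMAC is a stand-in; a real design would use an asymmetric signature
    so the tap holds only a verification key and cannot mint orders."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log; every entry commits to the hash of the one before."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "event": event}
        self.entries.append({**body, "hash": hashlib.sha256(canonical(body)).hexdigest()})


def verify_chain(entries, expected_head=None):
    """Reviewer side: detect edited, reordered or removed entries.
    expected_head is the last hash escrowed outside the tap (e.g. with the
    court); without it, truncating the tail of the log goes unnoticed."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {"seq": e["seq"], "prev": e["prev"], "event": e["event"]}
        if e["seq"] != i or e["prev"] != prev:
            return False
        if hashlib.sha256(canonical(body)).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return expected_head is None or prev == expected_head


class CaptureController:
    """Tap side: the mode changes only on a valid order, and every attempt,
    accepted or rejected, is logged before the mode changes."""

    def __init__(self, log, key=COURT_KEY):
        self.log, self.key, self.mode, self.target = log, key, "off", None

    def apply(self, order, tag, now):
        reason = None
        if not hmac.compare_digest(sign_order(order, self.key), tag):
            reason = "bad signature"
        elif order.get("mode") not in MODES:
            reason = "unknown mode"
        elif now >= order.get("expires", 0):
            reason = "order expired"
        self.log.append({"time": now, "from": self.mode, "to": order.get("mode"),
                         "target": order.get("target"),
                         "accepted": reason is None, "reason": reason})
        if reason is None:
            self.mode, self.target = order["mode"], order["target"]
        return reason is None


def demo():
    """Constructed scenario: pen register, forged escalation, real escalation."""
    log = AuditLog()
    tap = CaptureController(log)
    pen = {"target": "subject@example.org", "mode": "pen_register", "expires": 2000}
    full = dict(pen, mode="full_capture")
    results = (tap.apply(pen, sign_order(pen), now=1000),
               tap.apply(full, sign_order(pen), now=1100),   # reuses the pen-register tag
               tap.apply(full, sign_order(full), now=1200))
    return log, tap, results


if __name__ == "__main__":
    log, tap, results = demo()
    print(results, tap.mode, verify_chain(log.entries))
```

The rejected escalation still leaves a log entry, so a reviewer sees attempts as well as granted changes.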
Real Question.. (Score:3)
What will that accomplish? (Score:3)
Is this going to be used as a final decision regarding the use of this email interceptor?
We just read an article which suggested that Academia is progressing towards profitability and less credibility.
Am I too harsh in thinking that nothing will come as a result of a long and drawn out process of 'experts' reviewing the integrity of the system? It all depends on who they ask to review it.
If we are lucky, then somebody of good faith will be able to post intimate details of the inside guts of the system. Can we only hope, so we can keep our right to privacy?
Re:It's nice the FBI recognizes the college folk. (Score:3)
Mike: Hey, what's this thing do?
John: Hmm, seems like that's the part used to detect everyone's e-mail address as it passes through Carnivore.
Mike: You know what would be cool?
John: What?
Mike: I've got a way of hacking this thing. Let's keep quiet about it, and when the FBI install these babies, we can use the hack to read everyone's email!
John: And why would we do that for? Other than for fun, of course.
Mike: To score with the chicks, John! To score with the chicks!
John: Oooooooh! Great idea!
*shudder* I _know_ guys in college who would really do this kind of thing...
Re:Umm.. why a university? (Score:3)
You've never worked at a University, huh?
What Would Katz Do? (WWKD) (Score:3)
Re:One university? No. (Score:3)
Let me reiterate.. at least two universities.
Having only n universities examine the machine is a 'bad idea'(TM). For any real security evaluation, you ought to have at least n+1 teams examine the device.
Let me reiterate... at least n+1 universities.
Re:I'm a little confused. (Score:4)
As stated in the above post, this outside review of the software doesn't prevent the FBI from making changes in the future without notifying anyone. I think the FBI is great and does a great job, but I'm not going to give them the keys to my house because they tell me they won't search it without a really good reason.
And in other news today... (Score:4)
"We will provide a superb education for all our students for years to come," said an FBI-U rep. "Well, at least until our 'faculty' get done 'researching' that Carnivore thing."
Sandidge
Re:And in other news today... (Score:4)
---
BJU!! (Score:4)
Choose your own executioner? (Score:5)
The decision of who and how will review Carnivore OUGHT to be made by a panel of SECURITY EXPERTS, not the people accused of 'wrongdoing' in the first place. I'd like the decision-maker to be Bruce Schneier, and I'd like him to hand Carnivore over to the L0pht guys (umm, excuse me, @stake).
It should be the hacker community that gets to scrutinize Carnivore. Not because I'm a
In the very least, I hope a formidable research University gets the nod. Someplace like CMU, MIT, or UC Berkeley would/might do this right. I'm sorry but if they hand it to Harvard or Yale, our communal goose is cooked.
It's not a public review. (Score:5)
And here are relevant excerpts:
"The Federal Bureau of Investigation declined to give to Congress details of its Carnivore Internet surveillance system, telling a member of a House oversight committee that some of the documents he requested include classified information and others are the subject of a pending lawsuit seeking their release"
"...the bureau wrote that it is "not presently in a position" to provide documents he requested. "There remains substantial public misunderstanding and misinformation about the system," wrote John Collingwood, assistant director for public affairs."
"...the Justice Department has been negotiating such a review with the University of California at San Diego's Supercomputing Center, said Tom Perrine, the center's manager of security technologies."
and my favorite:
"Mr. Perrine said that part of the FBI's challenge using Carnivore is conducting Internet wiretaps under U.S. laws that predate the Internet. "Carnivore is probably the best program and the most privacy-protective program that [the FBI] could have written given the lack of guidance in law from Congress," he said."
Re:One university? No. (Score:5)
Seems simple to me...
I'm a little confused. (Score:5)
One university? No. (Score:5)
Let me reiterate.. at least two universities.