Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
The Courts Government News

Talk to One of the Chief Carnivore Reviewers 79

All right, this FBI Carnivore thing and the review it's undergoing at the Illinois Institute of Tech [IIT] has been getting lots of press and lots of flack. The person overseeing the legal end of the process is Dean Henry H. Perritt, Jr. of the IIT's Chicago-Kent College of Law. Ask Dean Perritt any question you want. Tomorrow afternoon we'll forward 10 of the highest-moderated ones to him, and we expect his answers back sometime next week. Note: Before you start questioning Dean Perritt, you may want to check this story in Slashdot's Your Rights Online section, which links to some interesting new Carnivore information. (Special thanks to pridkett for arranging this interview.)
This discussion has been archived. No new comments can be posted.

Talk Directly to the Boss Carnivore Reviewer

Comments Filter:
  • To be one of the people responsible for destroying the rights of every American citizen (including your own)?

    And how do you explain the legality of snooping through the email of potentially thousands of people to extract the evidence on a specific individual? How is this different from tapping every public payphone in a city to get at one drug dealer?
  • by Devolver42 ( 177242 ) on Thursday October 05, 2000 @06:08AM (#729524) Homepage
    Is it fair for an individual or group with clear political ties to a system to give that system a review? In other words, how can you be unbiased while still being politically tied to the situation?
  • by Jay Maynard ( 54798 ) on Thursday October 05, 2000 @06:09AM (#729525) Homepage
    There's been a lot of comment on how the conditions the DoJ has put on the reviewers make a fair review impossible. Things like the right to edit before release, the right to veto participants, and the need to only use cleared personnel cast a cloud over the impartiality of the process. Many prestigious institutions were invited to submit proposals, and yet only two - yours and one other lesser-known - did. The backgrounds of the people at IIT and their past ties with the DoJ don't give any more reason to be comfortable.


    How do those of us concerned about Carnivore's immense power for invasion of privacy have any reason to believe what you and your institution produce will be other than a whitewash designed to make Carnivore appear in the most favorable light?
    --

  • by ucblockhead ( 63650 ) on Thursday October 05, 2000 @06:09AM (#729526) Homepage Journal
    Do you agree with Ben Franklin, that those who would trade liberty for security deserve neither?
  • Does Carnivore do anything more than what the FBI claims?
  • by update() ( 217397 ) on Thursday October 05, 2000 @06:12AM (#729528) Homepage
    What factors do you think caused the FBI to select IIT over other applicants, like UC-Davis and the National Software Testing Laboratory? Political concerns or the technical merits of your proposal? What were they?

    ---------

  • by Col. Klink (retired) ( 11632 ) on Thursday October 05, 2000 @06:12AM (#729529)
    Are you free to answer questions posted here, or does the FBI review your answers first?
  • by Anne Marie ( 239347 ) on Thursday October 05, 2000 @06:13AM (#729530)
    Do you expect alumni donations to go up or down, now that you (dean of the college) are involved in this (high-profile) infamous activity?
  • Why does the goverment think they can forcefully police various ISP's and demand that they install their system? If the FBI has a court-order to monitor someone then they should request that the ISP give them monitoring options. They shouldn't be able to monitor whoever they wish. They have to present to the court a VALID reason and go through the ISP. What gives them the right to log my e-mails, web pages or something of the sort? I have done nothing, I pay my taxes, and you can't invade my privacy.
  • by sconeu ( 64226 ) on Thursday October 05, 2000 @06:14AM (#729532) Homepage Journal

    Will you be able to justify the time and expense of a) reviewing Carnivore, and b) deploying Carnivore, when Network ICE [networkice.com] has created Altivore [networkice.com], an open source program which claims to do everything for which the DOJ says that they need to use Carnivore?
  • by Anonymous Coward on Thursday October 05, 2000 @06:16AM (#729533)
    Is the substance of this review to be political or technical?

    To wit, is this review to determine if Carnivore performs actions that are within the scope of the law (political), or is it to define the complete potential of Carnvore (technical)?

    If the former has anything to do with it, how can you justify performing this review without bias with your clear political connections to the parties invovled?

  • by eclectro ( 227083 ) on Thursday October 05, 2000 @06:18AM (#729534)
    Most of us feel like that Carnivore is a done deal, and anything you might say against it will only be pulled out of the final report.

    Could you inconspicuosly add a keyword in the final report to indicate that there is something really bad here. Like maybe "peppered"??

    So you might say "the source code is peppered with comments" or maybe "we peppered each other endlessly with questions" or maybe "the code is peppered with features to make sure abuse doesn't take place"??
  • by psychosis ( 2579 ) on Thursday October 05, 2000 @06:18AM (#729535)
    What are your feelings on the cries of the privacy rights community on allowing a fully open review of the source code?
    Would you have rather seen the code released on, something like www.fbi-carnivore.com (made up) for all to see/play with/use/abuse, or do you think that choosing a team of professionals to perform an independent review, with later possibilities to release more details (as is underway) is the right way to go?
    What is your repsonse to those who call you "lackeys" and "government pawns" because of your participation?
    All in all, best of luck. I personally feel that the semi-closed method is the better choice, because I know that holding a security clearance does not automatically cause you to lose your ability to think critically. I look forward to learning the results of your review (even if it is sometime "down the line".)
  • by freq ( 15128 ) on Thursday October 05, 2000 @06:20AM (#729536) Homepage
    Can you give us any clue as to if there is any functionality in Carnivore to specifically sniff, filter and analyze encrypted IP traffic?

    Is it conceivable after your team's analysis that future of current versions Carnivore would allow the FBI to flag certain encrypted traffic as "suspicous" ???

  • What I don't understand is why people find this a potential for violating privacy. Did you know that it is illegal to tap a public phone because the possibility that someone other than the target may pick up the phone and make a call? Carnivore taps all the phones, listens to all the conversations and determines if the user is the target.

    Obviously this is an analogy, but its a pretty accurate one.
  • by LaNMaN2000 ( 173615 ) on Thursday October 05, 2000 @06:23AM (#729538) Homepage
    After all major research universities refused to apply to review Carnivore because the restrictions imposed on the reviewers are too stringent, why did IIT apply? What do you hope to acheive by reviewing Carnivore under the government's current terms?
  • by M-2 ( 41459 ) on Thursday October 05, 2000 @06:23AM (#729539) Homepage

    Can you give us your first impressions of the concept of the Carnivore concept when you initially heard about it?

    Can you give us your initial feelings as to the legal standings under the Fourth Amendment that allows Carnivore to be used for the purposes stated, which it would appear technically violates the Electronic Communications Privacy Act?

    What is your impression of the amount of interest the Internet community at large is taking in the entire Carnivore concept? Do you feel there is too much paranoid fantasy going on, or do you feel there is some justification?
    ----

  • This question is deeply insightful, cutting right to the core of the issue. It cannot be answered without causing the person to reflect on exactly what liberty is being infringed.

    However, law school deans can be bought as easily as anyone else by the FBI, who sent letters to all major newspapers revealing that Martin Luther King, Jr. was having affairs, but on the condition of secrecy. None of the newspapers were willing to print the information on that condition, btw. The FBI also sent a letter to MLK telling him he should probably commit suicide because they were about to tell on him. True story.

  • How do we know that the FBI will only deploy that which you have reviewed? FOIA requests have shown that the FBI has used other technology, which has done more than capture email.

    The basic problem here is that one connection to one wire gives them access to everyone's traffic passing on that wire. So the only limitation on the FBI's activities is your review and our trust that they are actually running what you have reviewed. What is to prevent them from running a new version of Carnivore, which has new capabilities. Given people's intolerance of "child porn" (including non-purient pictures of young nudists, pictures legal in one country but not another, and pictures of adults who look and dress younger than their age), what is to prevent the FBI from looking for people reading alt.binaries.pictures.kiddie-porn?
  • ... Find is _ONLY_ a potential for violating privacy, rather than a blatent violation.
  • by drenehtsral ( 29789 ) on Thursday October 05, 2000 @06:27AM (#729543) Homepage
    In the end a system like carnivore will only work for a while, and only against fairly unintelligent users because end-to-end strong encryption is no longer compuationally infeasable. Joe Schmoe with the middle of the road prebuilt gateway could easily handle the processor load of encrypting all his e-mail with 2048 bit RSA (which is now freely available, and even exportable). Not only that, but even with existing (and reasonably near-term) quantum computers, we are not even near enough qbits to start tackling these cyphers, since they can't be broken down when being fed to a quantum computer.

    So in short, is this whole thing just a moot point? Who would Carnivore really catch?
  • by VP ( 32928 ) on Thursday October 05, 2000 @06:28AM (#729544)
    During the congressional hearing on Carnivore, the FBI stated that current wire-tapping laws are adequate for the use of Carnivore. Further more, they revealed that the uses so far of Carnivore had been according to the regulations of optaining a "pen-register" wire tap. Are you aware that (from what we know) technically Carnivore is much closer to the concept of trunk-tapping, as most, if not all the traffic at the ISP has to go through Carnivore? AFAIK, trunk-tapping is illegal - would you be of the opinion that Carnivore automatically falls under the same illegal category of wire-tapping?

  • Being able to speak one's mind while remaining anonymous is one the the many tentant of our government. Collecting this information will not limit with thoughts we will be willing to express to our own private groups of friends.

    Should be not let the guilty party go unmonitored, and thus protect the rights of the public to not be monitored, to in fact have some liberty?

    (In my case I will premote having server to server communication encrypted, using a thrid party key sytem such as SSL)

    Be seeing you.

  • Will the FBI be reviewing/editing your answers to are questions?

  • Good point! This is the best question so far, I second it.

  • If you found that carnivore did more than the FBI is claiming, would you stand up to their threats if you published your results to counter their "edited" report? Would you be willing to lose everything you have to stand up for the rights of Americans, your property, your retirement, your liberty, and your professional reputation? You would be vilified and persecuted by the FBI for your actions, even though you would win the admiration of liberty loving individuals all over America.

    Or...

    Would you shrug your shoulders, and knowing that some day the truth will out, say nothing if the FBI completely changed your report, and hope that when exposed your reputation is not too badly tarnished?

    the AC
  • Yes, interesting, but you do realize there's only one possible answer he can give to this, right? (OK, two if you count "[REDACTED]" as an answer.)


    --

  • by Masem ( 1171 ) on Thursday October 05, 2000 @06:46AM (#729550)
    Right now, most people think of Carnivore as a black box that basically looks at email headers, grabs the emails of headers of marked addresses, and copies that off to somewhere else. Certainly enough speculation on the technical aspects of this, and many on the ethical side. What will you be looking for when you actually start this study? Are you trying to understand the technology behind it? Are you looking at it's effectiveness? The invasion of privacy issues that come from it? Will you be allowed to make suggestions and recommendations to the FBI, or are you mainly there to try to tell us, the American public, what and what not the Carnivore system can do?
  • I wonder how the FBIs will redact portions of an email? Hopefully with something better than the PDF fodder floating around with the review teams names....
  • Suppose that FBI wishes, with appropriate authority, to intercept the e-mail of a particular person. Suppose further that the person's ISP volunteers to monitor such e-mail and send the results to the FBI, using an open-source program that will demonstrably satisfy the FBI's legitimate needs.

    In that case, why should a court compel the installation of a secret, closed-source FBI Carnivore 'black-box' at the ISP?
  • Assuming that an ISP has been forced to use Carnivore, what happens if something goes wrong?

    Examples: A cracker finds a way to use Carnivore to gain entry to and damage the ISPs systems. A cracker gains access to Carnivore discloses to the targeted parties that they are being watched. Carnivore is incompatible in some way with the ISPs systems and causes them damage.

    Is the FBI off the hook for any damages the system causes?
    If the evaluation team certifies Carnivore as "secure" what is its liability if it later is cracked?

    What prevents Carnivore from being reconfigured to collect data on individuals who are not court ordered to be so?

    What prevents Carnivore from being configured by the FBI to collect data on individuals who are not court ordered to be so?
  • Americans may enjoy some legal protection against FBI (or others) abusing the carnivore system. WHat legal or moral protection exists to people who are not blessed with an U.S. citizenship? Are we fair game when ever our communications happen to be routed via USA?
  • If Carnivore were used to track your own correspondence, what legal rights would you rely on to defend against that use?

    -Water Paradox

  • OOps, that was an irrelivant subject. My bad. I was originally going to ask about the fact that postal mail is not interceptable, but then decided that i would be straying too far form the subject at hand. Damn, maybe i should go and get some more coffee %-) dardardar...

  • Will IIT and the participants identified with the Carnivore study accept financial responsibility for any abuse of and/or vulnerabilities in Carnivore not disclosed in their report?
  • How much of the IIT review will be for process, meaning how the information is used, what kinds of warrants are required, etc. versus the actual how does Carnivore work and can it be abused?

  • Is carnivore a tool to be used in traffic analysis only, or is carnivore a content analysis tool; does it inspect the content of a message?

    This is important because encrypting a message does no good against traffic analysis.

  • by Apuleius ( 6901 ) on Thursday October 05, 2000 @07:06AM (#729560) Journal
    Jeff Schiller of MIT
    has declined to review Carnivore,
    saying that "what they want is a rubber stamp."

    Obviously, you will say you intend to do a genuine
    review.

    Why should anyone take your word over Schiller's?
  • I notice in the documents released by EFF that vast portions of the Carnivore docs are blacked out.

    I am used to this type of release when it comes to Department of Defense, CIA, or NSA docs since those involve national security.

    However these are FBI docs. What criteria determine when a document should be classified by the FBI?

  • Let's suppose I run my own server. I provide the connections to 10 users, with my own cabling, etc. I am not using one ounce of government lines. Someone uses my server and connects to m$n.com for some (ungodly) reason. Will Carnivore be able to penetrate the server and look at my 10 users on my "private" network?
  • by westfirst ( 222247 ) on Thursday October 05, 2000 @07:06AM (#729563)
    The names of the IIT reviewers were initially redacted and only revealed when it turned out that the electronic version was poorly constructed. Why were the names hidden? Do you feel that it's hypocritical to demand privacy for your reviewers while stripping away the privacy of everyone else? If it's so important that our actions be open, why can't yours be open?
  • by plastickiwi ( 170800 ) on Thursday October 05, 2000 @07:07AM (#729564)

    Dean Perrit,

    The Slashdot story soliciting the questions you're now answering indicates that you're responsible for overseeing the "legal end" of the Carnivore review.

    Would you please clarify what this entails? What legal issues are involved in performing a technology review?

  • Several questions which are insightful are receiving 1, while off-topic material is receiving higher scores. Whoever is making the decision on the final 10 questions, please consider supplementing the moderation process with something that reveals diversity, controversy, and insight.
  • What is the history of the whole practice of intercepting electronic communication? As far as I know, it is unlawful for any US government branch to intercept the mail of suspects in criminal investigations, so why is it that they are allowed to intercept phone and email? Why should service providers be forced to compromise the integrity of their dealings with their customers to allow government access to private conversations? What do you think is the correct application of Ammendment IV to conversations and correspondence?
  • Now I'm no expert no the American Constitution (In fact I'm Canadian), but I believe that the constitution grants the right for 'free speach'. I do not recall it granting 'anonymous free speach'. I'm quite possibly wrong on that point, however, I feel quite strongly that someone who says something should be able to stand behind their statements. If you are unwilling to back up your statements and put your name to them then the statements are useless.
  • What type of impact do you think this will have on the Presidental and Senate races?. I for one am taking both Carnivour and the H1B Visa increase issues to the poll's with me this year. How long do you think will it take for the american citizen to get fed up with our current government's actions?.

  • Anonymous free speach, is free speach. The founders of the States believed that is was a much needed right. They did not call out "anonymous", but they did speak about it that way, as I recall.

    I will need to do some digging to get specifics though.

    The idea was that people could express an opinion, even an unpopular one, without having any harm or respisal. Unless people are completely free to express themselves then they will not.

    Remember that each and every person within the USA is a member of the government. The idea was a self governing social order. I wonder how that plays into the whole thing also. Basically the "people" are the top governing body.

    Well who has not wanted to spy on their bosses email. We've all been tempted, but most have resisted.

    I hope the FBI resists.

    Be seeing you.

  • Will Carnivore allow anyone to read my mail without a warrant signed by a judge?

    --
  • by RobertGraham ( 28990 ) on Thursday October 05, 2000 @08:01AM (#729571) Homepage
    I'm the author of Altivore [networkice.com] and a long time sniffer user. The RFP was for a "technical" review to validate that Carnivore captures only the data allowed by the court order. Yet reading the resumes of the members of your team, I don't see anybody with sufficient techical experience in sniffing technologies.

    Packet reassembly and state-based protocol analysis are critical to the minimization function. My believe is that Carnivore is essentially stateless, just like my own Altivore. I can create real-world scenarios where Altivore fails the minimization test. Sure, they occur less than 1% of the time; I don't know how that fits within the law. However, software can be written to meet minimization requirements 100% of the time (e.g. BlackICE does this for detecting cr/hacking).

    My question is: will a sniffing expert be analyzing the packet reassembly and protocol analysis part of the source code in order to validate that Carnivore captures all the data authorized by the court order, but no additional data? Moreover, is there really somebody on your team that understands even what I'm talking about?

  • Has the government indemnified IIT and/or the individuals taking part in this review against legal actions arising from your participation in it? Formally or off-the-record?

    --
  • Couldn't Carnivore do many of the things it claims to do simply by being a software package installed on an ISP's host machines? Why does it require a seperate 'box' when everything it's been purported to do can be acomplished by a script kiddie with a floppy disk of programs run from any Windows box on the 'net?
  • Well, considering the guy hasn't _looked_ at the thing yet...
  • It's humerous to think that the FBI would expect us to be satisfied with the an "independent" review that had to pass their screening, after reading the redacted FOIA responses submitted to EPIC.

    *scoove*

    from the FBI archives, now suitable for general public consumption:

    Article ## of the #.#. ############
    The ##### of the ###### to be ###### in their #######, houses, ######, and effects, against ############ ######## and ########, shall not be ########, and no ######## shall issue but upon probable #####, supported by #### or ###########, and particularly describing the place to be ########, and the persons or things to be ######.

  • by Anonymous Coward on Thursday October 05, 2000 @08:40AM (#729576)
    You must realize that the credibility of your review is very low, before it has hardly begun. It seems unlikely, in the present climate of suspicion, that you can achieve the objectives of DoJ, and the needs of the American people, to allay concerns that "the FBI's temporary use of the Carnivore system could interfere with the proper functioning of an ISP's network; concern that the system might, when used properly, provide investigators with more information than is authorized by a given court order; and concern that even if the system functions appropriately when properly used, its capabilities give rise to a risk of misuse, leading to improper invasions of privacy" [quoted from the Executive Summary of the DoJ RFP].

    Suppose this were an open-source investigation, incorporating the concerns of privacy advocates, free-speakers, independent technical experts, and other stakeholders. Without intending to speak for those stakeholders, I can imagine some of the issues that might be raised (I'm not asking you to answer these now):

    - What technical, legal, and procedural information is required from the DoJ?

    - What questions must be answered about the device, software, procedures, etc?

    - What safeguards are required on the deployment of the device, software, procedures, etc?

    - What should be done to assure that the government isn't abusing its power or threatening the privacy of bystanders?

    - How can the results of a "stacked-deck" inquiry be made credible?

    - How can minority opinions of the review team be published (without risking their careers or liberty)?

    Would you be willing to incorporate lines of inquiry and specific questions from privacy advocates, free-speakers, independent technical experts, and other stakeholders into the review process and the resulting report?

  • One of the issues with Carnivores deployment is that ISPs do not want a box which they do not control interfering with their services.

    Will your analysis include any investigations into the potentially detrimental effects this could have on an ISPs service, and if such are found can you use that as reason to prevent its deployment?

  • by painecave ( 189032 ) on Thursday October 05, 2000 @08:54AM (#729578)
    Why is Carnivore's source held private and not published for the online community at large to take a look at it?

    The security of a system is offen compromised by secrecy; holes in the system are often not fixed but glossed over through or patched by obfuscation instead of fixing the problem.

    A review by a large body of people often brings problems to light, and would force correct security fixes. Furthermore, it would put away any fear that Carnivore does anything that breaches the power of any government agency using it.

    I understand there is an argument for secrecy, but if Carnivore truly does not violate any laws, then I find it hard to believe it does anything out of the ordinary or uses any technology that is already not widely implemented.

    So to restate the question, why is Carnivore not Open Sourced to the online community (or at least 10-20 universities and organizations) if it does nothing illegal and doesn't use some supposed 'secret' technology?

  • After all, isn't this exactly what Carnivore is going to do? The proponents say "if you don't do anything wrong you won't even know it's there and therefore it's OK." WRONG! Censorship is not when the gov't keeps me from talking. Censorship is when the gov't reviews everything I want to say beforehand even if I always get approval.
    --
  • Will Carnivore allow anyone to read my mail without a warrant signed by a judge?

    Unless it contacts a central warrant server and verifies the appropriate information before allowing an FBI agent to log in, or has an OCR warrant scanner to activate it, then yes.
    ___

  • ... and if you don't think it is comparable to trunk-tapping, How do you feel about the large number of illegal wiretaps that occur in current law enforcement activities, and why do you beleive this behavior will not continue with Carnivore?
  • > Is the substance of this review to be political or technical?

    from earlier reports, my understanding is, both.

    the iitri (government lab) researchers are doing a technical review of the system. knowing what i do about iitri, i, and i would imagine the doj, expect that to be little more than a rubber stamp review of the system. they will say "yes carnivore does what it's inteneded to do, and nothing else" and we have to take their word for it, because they are probably the only people outside the fbi that will ever see the source.

    dean perrit and the other people from iit-kent law school, on the other hand, will be doing a legal review of the system. (much different than a political review, if only in connotation) this is what i expect to be interesting, and i would say the only hope we have of a positive outcome regarding carnivore. while the government can edit their report, and they have legal recourse for preventing people from sharing technical details, they have no means of preventing someone (esp. a respected law teacher) from sharing his interpretation of the legality of the system.

    and i wish people would not automatically assume everyone involved in this review (or the entire iit community) has "clear political connections to the parties invovled" while it is true that iitri has heavy government ties (it is essentially a privately owned government run research lab) the iit-kent law school, at least so far as i am aware, does not. i have met and dealt with dean perritt in the past, and i see no reason to expect that his opinions will be biased by political ties.
  • i don't see how this is a relevant question.

    while it is true that there are clear ties between iitri and many government agencies, iitri is doing the technical review of the system.

    dean perritt and the group from iit-kent is, as i understand, part of a separate group, doing a legal review of carnivore. I am unaware of any reason that anybody automatically should assume before the review begins that there is anyone in the iit-kent group that is politically tied to the situation.

    see my post further down the page for a bit more clarification.
  • > Who would Carnivore really catch?

    Even I can answer this... Carnivore will catch the same criminals that are caught by wiretaps.... or by fingerprints. Both of these techniques can be mitigated by careful use of technology (or gloves), and yet they are powerful and effective tools.

    Criminals are generally dumb because they commit crimes, and because they are dumb they tend to get caught. Think of it this way. There is a set of people who know how to use the internet, and the security tools that would keep them from getting caught. There is another set of people who prefer, for monetary or personal reasons, to commit crimes over normal legal behavior. The intersection of these sets is very small. The technoliterate with criminal intent are a rare breed, and will escape carnivore. Hoever, carnivore is going to catch all the dumb criminals. Carnivore was built because like AOL users, dumb criminals are flooding to the net, and the FBI needed a way to crack down on the majority of criminals who have net access, but not the saavy to have secure net access.
  • by GigsVT ( 208848 ) on Thursday October 05, 2000 @10:32AM (#729585) Journal
    In Marshall v. Barlow's, US Supreme Court 1978, the court found that businesses are subject to the same Fourth Amendment protection as individuals are, in regard to Administrative agencies. How will the FBI install these boxes in ISPs when there is no ongoing investigation, and no warrant?

    I could see the temporary installation during a specific investigation (with warrant) being constitutional, if there is no other way to get the data they need, but the permanant installation of these boxes goes directly contrary to this ruling. I quote Justice White, "The authority to make warrantless searches devolves almost unbridled discretion upon executive and administrative officers, particularly those in the field, as to when to search and whom to search".

    This ruling gives businesses power to refuse entry to any agent that does not have a warrant. How exactly are they going to install these boxes, if the ISP has the legal right to refuse them entry without a warrant?
    -

  • If this question makes the "cut" I'll retitle before sending. It's a damned good question IMO.

    - Robin
  • I have this sinking feeling that the stated objectives of carnivore are not the end goal here. I am curious if Carnivore could in fact me a means for the federal government to essentially put an "on/off" switch at every major traffic distribution point in U.S., with the intent that someday when the need presents itself, any and/or all of these points can very quickly be shut off.

    Is Carnivore really a way for the federal government to attempt to put into place a means to shut down the Internet on a large scale when it suits their purpose?
  • The core nature of the Carnivore system is that it forces an ISP to grant the Government both raw and remote access to all data flows coming in and out of the ISP. This data is ostensibly filtered and selected out by the Carnivore system, but this is pretty clearly a classic case of "trusting the client" not to extract more information than its otherwise authorized to by the spec.

    However pristine the code may be that you've been asked to evaluate, could you ever deny that the capability exists for a remote administrator to add new code which extracts additional information--or perhaps even spoofs new information onto ISP networks from the trusted perch of the Carnivore station?

    Indeed, given the precarious and difficult growth of secure remote access protocols over the years, can you really determine in a closed environment that only authorized U.S. government administrators, and not foreign agents, corporate spies, or even 15 year old children will not be handed the keys to an NT machine with direct access and control over all inbound and outbound network traffic for the Internet's major ISPs?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
  • Much of the original specification for carnivore is still considered classified (see redactions here: http://www.epic.org/privacy/carnivore/foia_documen ts.html). So just what will the FBI allow you to disclose in this interview?
  • It's a brave new world. We work at internet speed. And the world changes every day. So our software changes with us. Even high quality products that are tested extensively eventually become outdated. I'm sure that Carnivore will need to be tweaked and updated on a regular basis to stay one step ahead (or behind!) of the more technicaly minded citizens and criminals. Once your team has finished it's review of the Carnivore system, what guarantees do we have that the next update to allow Carnivore to work with the "Next Big Thing" wont also include a hack to work around the privacy controls that allowed Carnviore to pass your review?
  • What recourse does your team have if, in the name of "National Security," the FBI edits your report in such a way that the final published document contradicts your actual findings? In other words, how much do you trust the FBI censorship team to edit "fairly," and can you publically say anything if you feel they did not?

  • Or, more importantly, will it be running after the results are posted?

    Additionally, as someone else who posted asked, can Carnivore monitor my reviewing of the interview simply by my connecting to ./ to educate myself on your remarks? (I run my own networks through fairly non-interesting ISPs).

    Linux rocks!!! www.dedserius.com [dedserius.com]
  • Rather, does it do anything more than what the FBI *publicly* claims?

  • Thanks =:-) My brain was definetely not all there =:-)
  • All software/hardware packages require upgrades or at least changes from time to time. Carnivore will be almost certainly not be an exception to this rule.

    Is the review process going to be repeated whenever Carnivore is upgraded? If it is capable of remote administration, will we/you even know if Carnivore has been changed?

    If either answer above is 'No', then what additional confidence does this exercise give us?
  • so we get to talk to the PR man for IIT.
    Speaking as a student of IIT, I've already heard his nice soothing words for the student government, and wasn't a bit impressed. I wish better luck to you in wringing some truth from him.

    For clarification, this review is being carried out by IITRI, the research institute on the south end of campus that bears our name but doesn't communicate with the campus. In fact, until we saw the register and slashdot and raised a fuss, they weren't even going to tell us the review was ongoing.

    and when they did send in the guys with the very expensive suits and impressive titles to kill two birds with one stone (at that particular student gov. meeting, we were wrangling over other thorny issues) I found that they actually said usefull things when it came to the U-Pass (thorny issue in question) but when it came to carnivore, they seemed eager to lay the issue to rest and shut us up... and I've hear more honest sincerity and truthfulness from Microsoft ads than from those guys.

    *shakes head* I have no love for this institution, and no trust in it, having dealt too much with it. I wish you luck, but beg you to take everything it puts out with a very healthy dose of skepticism.

  • If you have been reading anything to do with carnivore since the begining of this, you would know that carnivore only listens to specific people, it does not hunt down new criminals, only moniters predetermined suspects. A warrent similar to that of a telephone tap is required to use Carnivore as an evidence gathering tool on someone. The FBI *claims* that Carnivore is not used to spy on an entire network. Mabey this [sdsc.edu]
  • What can I say? I looked up the info that EPIC has gotten...90% of it blacked out. What are the packet sniffin' capibilities of this program? It spooks me, also...as said before. Who is going to stop them from turning this thing on and snooping though everyone's e-mail? It's documented that the FBI cannot be trusted. I suppose it goes back to '91 when I first got on the net. The first thing I did was obtain a digital signature. The second thing I did was encrypt all my e-mail with PGP. There is nothing else that you can do if you want security. Even PGP can be broken with time, but if someone is so intrested in snooping into my e-mail to listen to my conversations with my girl overseas then let them. But it doesn't make me happy. I would be more happy if they would keep their noses outta my business. All in all this makes me sick, but this has turned into a rant. Unfortunatly, and I was going to say something decent...maybe I'll remeber sometime! ^_^
  • Encrypt everything. End of problem...
  • Well it certainlt will not stop international terrorists, the Mafia, or drug lords. They simply do not play by the rules, they have their own codes that are quite secure from the FBI. Who does that leave? Political enemies of an administration? Can you say FileGate?

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Working...