
Carnivore Report Released 83

Gwaitsai writes: "I cannot believe that I've seen nothing about carnivore here after the report was released yesterday (21st Nov). Could it be that everyone is too busy thinking about turkey! Excite has an article here and you can find the report itself here."
  • ...would you like Carnivore if it ran LINUX?

    Yes and no. On one hand, I have more faith in the security of a (properly configured) linux box, so I would be somewhat less worried about outsiders accessing the information gathered. Of course, the security of the actual Carnivore code is still unknown.

    On the other hand, I'm pretty amused that the FBI is pleased with its two-day uptime. In addition to being funny, it means that, for maybe five minutes every other day, I'm safe from them.


    My mom is not a Karma whore!

  • Why don't we simply have a system whereby mail server A and B encrypt the entire mail exchange transaction?

    The only real problem then would be getting people to employ it, and that could be done if it were made backwards compatible by accepting older SMTP connections but adding a header that indicated it was at some point transmitted in the clear, and accepting a security header that commanded it not to forward to older servers.

    It seems like it would be a simple modification to SMTP. Though I suppose it would have to get through the IETF first.

    Actually, there's a program out there called stunnel [stunnel.org] which allows you to create SSL functionality in any server. What it does is listen on a designated port and then tunnel any connections to it to a local (or even remote) port. We've actually started using it at where I work, by having stunnel listen on the pop3s port (995, I believe) and it tunnels connections to it to its local pop3 port. Outlook and Outlook Express at the very least have the capability for SSL-encrypted SMTP and POP3, and I believe Netscape 4.7x supports SSL-encrypted SMTP.

    Just my $.02...

    "For a dark man shall come unto the House of God, and the darkness shall be upon him, yea, even within him." -- from Noctropolis: Night Visions
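
The "was this transmitted in the clear at some point" marker asked for in the comment above can be read from the Received trace headers that mail servers already write. This is an added example, not part of the original thread: it audits each hop of a message by the "with" protocol keyword (ESMTPS, ESMTPSA, LMTPS and LMTPSA are the TLS keywords registered by RFC 3848). The sample message, hostnames and addresses are constructed for illustration.

```python
import re
from email import message_from_string

# "with" keywords that RFC 3848 registers for transfers protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample: three hops, the middle one made without TLS.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 by mail.example.org (Postfix) with ESMTPS id 4ABC123
 for <bob@example.org>; Mon, 01 Jan 2024 12:07:00 -0500
Received: from relay.example.com (relay.example.com [198.51.100.7])
 by mx.example.net with ESMTP id 77XYZ; Mon, 01 Jan 2024 12:06:58 -0500
Received: from laptop.example.com (laptop.example.com [203.0.113.5])
 by relay.example.com with ESMTPSA id 12DEF; Mon, 01 Jan 2024 12:06:55 -0500
From: alice@example.com
To: bob@example.org
Subject: constructed sample

body
"""

CLAUSE = re.compile(r"\b(from|by|with)\s+(\S+)", re.IGNORECASE)


def strip_comments(value):
    """Drop RFC 5322 comments, including nested ones.

    Servers put free text such as "(using TLSv1.3 with cipher ...)" in
    comments; leaving it in would make "with cipher" look like the protocol.
    Backslash-escaped parentheses are not handled in this sketch.
    """
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_hop(value):
    """Return the from/by/with clauses of one Received header value."""
    text = strip_comments(" ".join(value.split()))  # unfold, then de-comment
    text = text.split(";", 1)[0]                    # drop the trailing date
    fields = {}
    for key, val in CLAUSE.findall(text):
        fields.setdefault(key.lower(), val)         # first occurrence wins
    proto = fields.get("with", "").upper()
    return {
        "from": fields.get("from"),
        "by": fields.get("by"),
        "with": proto or None,
        # A hop with no "with" clause cannot be verified, so it is not
        # counted as protected.
        "tls": proto in TLS_PROTOCOLS,
    }


def audit_hops(raw_message):
    """List the hops in the order the message travelled (oldest first)."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    # Each server prepends its header, so the file order is newest first.
    return [parse_hop(v) for v in reversed(received)]


def cleartext_hops(raw_message):
    """Hops that were not recorded as TLS-protected."""
    return [hop for hop in audit_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        state = "TLS" if hop["tls"] else "CLEARTEXT/UNKNOWN"
        print(f'{hop["from"]} -> {hop["by"]}: {hop["with"]} [{state}]')
```

Each Received line is written by the server that accepted the message, so only the entries added by servers you trust are reliable; anything below them can be supplied by the sender.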

  • Circumventing Carnivore sil@www.dot.antioffline.com

    While this may be no new news to anyone, here are some thoughts on circumventing security modules such as Carnivore. All this was written on a flight from New York to California (how thrilling.)

    What? Some slight information on Carnivore
    Why? Because everyone is pissing up a storm on Carnivore
    How? Sitting down reading Information Security Management Handbook 4th Edition (Tipton, Krause)
    Where? Flying over Canada on a re-routed flight to California

    Based on the gathered information related to Carnivore, it copies mail sent from the ISP of a user provided he or she is being investigated, after obtaining a warrant, in order to filter e-mail based on human programmed input:

    http://pcworld.idg.com.au/pcw.nsf/reviews/49939FEB71ED36F5CA25692700182669!OpenDocument

    What exactly is this input? Who knows, but we can guesstimate it's likely a combo of words and synonyms based on some violent and discriminating words, maybe even translated into foreign languages.

    With this in mind it should be easy to circumvent it with simple little tweaks in order to send that "threat" you've been thinking about, or any other irrelevant e-mail you've been paranoid to send down the wires due to fear of government snooping.

    Carnivore is ISP based from what I read, so its functionality will not apply to using a re-mailer from whatever address you're sending the e-mail from nor does it apply to sending spoofed e-mails with a packet injection tool nor a proxy since after all, it is only monitoring your account on your ISP with Carnivore running on that isolated network to capture your e-mail.

    Based on the architecture the FBI would need to isolate your IP address as opposed to snooping a complete netblock in order to capture your data, this means they're going to have to set it up to snoop your ISP's router/switch and determine where exactly you are when you connect unless you have a static IP address in which they can segregate your traffic to a specific area which would be hellishly easy for them to do. I'm sure your ISP can simply switch you into a specific area via software and access lists at the drop of a dime as well.

    Carnivore simply makes unknowledgeable people think the government(s) is(are) out to get them which personally I don't think is the case. Officials have better things to do (hopefully) than sniffing through days/weeks/months worth of e-mail looking for that "one" discriminating message you're sending. Takes time and a lot of effort including legal work that theoretically has to be taken when we regard the masses.

    However if you're the target of some investigation do not be fooled into thinking they will not go this far.

    Anyways enough of the BS corporate(ish) stuff you should realize by now.

    Let's start with a threatening letter we'll assume John Doe wants to send but is afraid of things like Carnivore and Echelon type systems. Why should he send it? Who knows he's just fscked in his brain for all we know and wants to be the next Una'bummer'.

    Based on typical filters and from what we know, we can determine that there is probably some sort of word based capturing going on within Carnivore which likely flags words which are incriminating enough to capture John Doe and make him Mitnick's ex-roommate's new roommate.

    So the test begins. With a proxied Netscape browser we find proxy.foo.com and slightly obscure our information and change our hostname to whatever@wherever.com. In theory, mail is being sniffed to the account in question johndoe@sampleisp.com in which they have their warrant and not whatever@wherever.com which makes any information they gather obsolete. Well, after some legal mumbo jumbo obsoletes their methods and what information they gathered along with the terms of the warrant.

    Hey if they're monitoring johndoe@sampleisp.com and sniff the whole network then jane.something@sampleisp.com should be able to hold them liable for invasion of privacy. That's something I can't speak on since I'm not a lawyer.

    Other ways to circumvent this would probably be as simple as creating your message and saving the entire message as a picture and simply sending it along with a message of "Picture of my new car."

    Simplicity sometimes works better over the high tech since most technical minds would overexert themselves in ways of technology often forgetting the simple things you could accomplish without knowing much about higher end technology such as encryption schemes, spoofing, etc.

    Another oddball way of conveying messages whether or not encrypted is to send a message written in binary with something as lame as:

    [sil@stigmata] echo "I need help with this math problem:
    [sil@stigmata] 43 61 72 6E 69 76 6F 72 65 20 63 69 72 75 6D
    [sil@stigmata] 76 65 6E 74 69 6F 6E 20 74 65 73 74 20 70 68
    [sil@stigmata] 61 73 65 20 31 0A" | mail -s hello somebody@somewhere.com


    Do you think the makers of Carnivore have pre-determined someone sending out a message of this nature? Certainly if Carnivore's input was created by human input, it's likely they wouldn't be expecting something like this unless it was a known fact beforehand that they would be dealing with some sort of cryptology.

    For more obscurity depending on who you are sending the message to, both parties can agree on a scheme to use based on anything. It can be a time defined simple encryption scheme based on the hour of the day, day itself and month.

    For example parties A & B decide they will create a unique method to cypher private messages with these variables.

    T(D+M+Y)/2 Time + (DAY+MONTH+YEAR) where a message sent at 11:pm on 5/12/00 would be added to equal 28 all together then shifted this amount plus that of the English alphabet (26) divided by 2 so the word "TEST" becomes "RAQR"

    This cypher was established since the letter T is the 20th letter of the alphabet I decided to count 27 characters from the letter T. Simple and effective and although based on one scheme it's portable enough to obscure all messages since it's time based and as stated who the hell would be able to figure this out before you had accomplished your dirty deed.

    Other scenarios include the infamous (my favorite) spoofed mail technique using some relay host we could find anywhere on the net.

    [sil@stigmata] hostname gary7.nsa.gov
    [sil@gary7] adduser verona
    [sil@gary7] su verona
    [verona@gary7] echo "Hello Kapitan" | mail -s foo somebody@somewhere.com

    You don't have to be a rocket scientist to do any of this and you don't have to be a genius to figure out ways to circumvent Carnivore, and if you're still paranoid then get a packet injection suite and spoof the address along with the entire payload attached for added screwability.

    What about translating the message into a foreign language, converting it to binary then adding two digits or letters to every new hex value, where OxF now becomes QzH? I'm sure you can get a clear picture on why you shouldn't worry your life over what the government is doing. Many times I see rants and people complaining about the lack of privacy, but what I fail to see is someone taking the time to find a neat trick to go on with life and privacy at their own expense. Let's face it, common sense should tell you that any government is going to do whatever they want, whenever they want and nothing you can do is going to stop them so get a life.

    There are plenty of ways to circumvent technologies such as this without having the brain power of Albert Einstein and without having to delve deeper into technologies which will most likely be something authorities will be waiting for.

    J. Oquendo

  • For some reason, we're having lots of trouble downloading it (and we're -not- using Telstra's Big Pond... whose cable recently got cut... ;) from the site it started out at.

    Can someone nominate a mirror (preferably even in Australia) where we can get the .PDF draft report?

    TIA

  • Tackhead suggests:

    Constructive suggestion: The device is placed under lock and key. Two keys are required to open the case in which the device resides. One of those keys is under the control of the ISP. (You can think of a "key" as either half of a cryptographic key (for remote access to Carnivore) or a physical key. Better yet, both.) I don't mind an ISP rolling over for FBI in the face of a court order. It's not a court request, it's a court order after all! But I fear any system that denies my ISP the chance to stand up to a Fed trying to use Carnivore without that court order.

    On the right track. One key with the Feebs. One for the ISP, itself encrypted with a third key, held by the Federal Judge. Settings placed in the presence of the Judge or a Special Master appointed by the Judge, and then locked down with the Judge's key.

  • .... Uses the internet to send messages like "The pure uncut cocaine is in the truck on West 4th". It's not worth it, a cell phone is much safer. It's also not what he/she would say. It'd be more like "Yeah well the YO is in the truck". The feds can't do much about that. Carnivore is just a big waste of money; all it'll catch are suburban kids talking about where the next weed party is gonna be. More gov't money wasted.

  • Carnivore was "reviewed" by a bunch of yes persons handpicked. Not one of the groups critical of Carnivore got to examine the system.

    So naturally the government got exactly the verdict they wanted: Carnivore is OK.

    The last two weeks should prove to everyone that government is NOT to be trusted, especially this bunch that runs it now. And it looks like they are going to get to stay, unfortunately.

    The government has no right to be snooping ANYONE'S personal communications or information without a warrant. It's right there in the Constitution. They are supposed to have "probable cause" and show it to a judge. Though the quality of judges (Kaplan, the Florida Supremes) certainly has diminished in the last 30 years or so.

    Unfortunately, not enough Americans have had a good enough Civics education (ie, from a non-Marxist professor). Ignorance isn't bliss, it's how the government gets away with breaking the law. Carnivore is illegal. But because of mass ignorance, AND a corrupt administration, nothing will be done about it.
  • by kaoshin ( 110328 )
    The CIA is too busy trafficking drugs so the FBI has to gather computer intelligence. Very admirable. -Scott
  • by Anonymous Coward
    You really don't get how this works. Getting a judge's signature for searches is easy. It is only the time that it takes to do that search which is a limiting factor. So, the FBI realizing this, has set about to place a piece of FBI hardware in place on-site at *EVERY* isp in America. This piece of hardware does not require a judge's signature to be used because it is controlled directly from the FBI's office. Yes, the FBI is supposed to get a judge's approval, but they don't have to with this setup. That is different from phone taps which intrinsically need a judge's signature (not just supposed to). The FBI cannot get a phone tap to go through without the judge's signature since the phone company won't allow it. The phone company controls it. Now, normally the ISP is supposed to control it. But the FBI has devised this horrific carnivore system. It means the isp does not control it, which means that there is no check in place to ensure a judge's signature is received.

    Well, sorry about that, I shifted my argument. What I really mean to say (in addition to what I've said) is that there's no slow down, no limiting step with carnivore. The FBI decides it wants info, it gets a judge's signature (though I explained above how easy it is for them not to), and then it just pushes a couple of buttons from FBI headquarters and voila the search has taken place and the information has been seized. No limiting step. It's so easy that if you are not scared by this misplacement of power, you are very naive.

    I hope someone has brought up that the FBI has already lied about the surveillance powers of Carnivore. The story broke about a week ago.

    Carnivore can get a lot more info than the email headers (and content) which the FBI had claimed is the limits of its powers. No, in fact, carnivore can take everything the FBI wants it to. Read about it here:

    Carnivore captures and archives 'unfiltered traffic' [epic.org]

    New documents shed more light on FBI's "Carnivore" [cnet.com]

    Carnivore can monitor all internet traffic -- something the FBI had previously denied [zdnet.com]



    the Slashdot article on recent carnivore developments [slashdot.org]
  • Where the heck did you come up with that?

    sigh [slashdot.org].

    I find nothing in that article to suggest that the FBI is planning to put Carnivore in every ISP. That is a fantasy of Mr. Cringely. In addition, his supposition that Carnivore could shut down the Internet is disproven by the use of the read-only tap and the fact that it can only handle up to a steady stream of 15Mbps recording to a Jaz drive or 60Mbps recording to a hard disk (facts taken from the report).

    Even if 6000 Carnivore units could record all that traffic, who could possibly analyze it all in any reasonable period of time? Oh, I know, the FBI's allies at Ft. Meade will do it for them. Like they don't have enough data to deal with already from Echelon. :)

  • First, this is my own opinion and (as far as I can tell) reflects the wisdom of the American people.

    1) You're a pack of liars, you know it, we know it, everybody knows it.

    2) How can your hand picked pack of sheeple even face themselves in the mirror? They're actually worse than traitors. Subverting the constitution should be punishable by death.

    3) Since the advent of the Clinton administration government surveillance of the People has approached totalitarian proportions.

    4) In your own twisted little mind how can you possibly believe this is a good thing?

    5) You people are too stupid to carry a gun.

    Just for background, I am ex-army with enough commendations to paper a wall. You brainless idiots make me sick, is it even possible for you to comprehend you might possibly be WRONG? I didn't think so.

    Bite me......and your little swastika too...

    Let's get this quote right, shall we? I've seen it misquoted/misattributed too many times.

    "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."- The Papers of Ben Franklin
  • Ok, sorry that that /. article had the Cringely link in it, and let me just say that I am not defending Cringely. Yes, it's a read-only tap; yes, it can only handle a few data streams at a time; yes, its storage capacity is extremely limited.

    And yes, there are only 20 carnivore boxes in existence right now, so a national deployment is impossible.

    What I was pointing out was that if one national ISP was refusing to install Carnivore, then they were all going to be asked to. Nobody rolls out an alpha system for nation wide release - but it's pretty evident that once in place, Carnivores are not removed. This makes sense - they're difficult to install.

    My point was simply this: once there's a Carnivore in every ISP in the nation, they can selectively turn them on when they need to listen to someone. And while the law requires them to get a court order, the carnivore has no accounting whatsoever, so we'll never really know what they're listening to. And neither will the ISP's.

    That's all.
  • OK, so we still need to be a bit vigilant. I would expect ISPs to demand that Carnivore boxes be removed once the warrant expires. And the warrant will almost certainly have an expiration.

    As far as the accounting, I'd bet that that will be changed in response to the report. I expect several other technical and procedural improvements to be made in accordance with the report's recommendations.

    I'm pretty sure that the FBI actually would prefer to follow procedures to make sure that information is gathered in a legal manner that does not infringe on citizens' rights. Otherwise, the defense lawyers will end up getting their clients off on technicalities. And if the FBI hates anything, it would be that.
  • Pardon my ignorance if I'm incorrect here, though I'm sure the many network techs who read this can answer... but isn't carnivore just a severely limited form of a common tool, the Packet Sniffer? I know it's a physical box that the isp plugs into their network (mainly because carnivore has a modem in it for remote administration). All it does is scan incoming data for specific court-ordered tags (such as email)... this whole mess reminds me of the much media hyped "SATAN" a few years back which was merely a port scanner, but according to the media could be used to hack into any computer. Just seems like more technoignorant media bullshit...
  • I'm pretty sure that the FBI actually would prefer to follow procedures to make sure that information is gathered in a legal manner that does not infringe on citizens' rights.

    Waco.
    Ruby Ridge.
    Steve Jackson Games.
    Martial Law in Seattle.
    $1,000,000 bond for using a cellphone at the RNC.
    bullfucking shit

    I'm pretty sure the FBI would like to take anyone who knows anything about a computer into a bathroom and rape them with a plunger handle, New York style. I think that's the major difference in our viewpoints - I don't trust the government. Mainly because I've worked for them.

    But I respect your opinion. And the fact that you will continue a conversation well past the moderation window. (:

    hats off,
    -mwalker

  • ... the fact that you will continue a conversation well past the moderation window.

    Yeah, I was thinking maybe we should take this to email. ;)

    I get your point about the FBI having screwed some things up. And I might even say that they don't care all that much about citizens' rights. But I think they do care about screwing things up so badly that they 1) look bad and 2) can't convict the perps. That's why I think they'll take the suggestions of this report to heart and follow reasonable procedures.

  • At least I'm not alone:

    Intended to be installed at every Internet service provider in the country, [suck.com]

    -suck.com. We should write them and ask them for their source.
  • After reading the report, the following is quite clear:

    1. Carnivore explicitly has the ability and functionality to collect any and all IP traffic, not just email, delivered to its network interface (just like a packet sniffer). This means that "Carnivore is an email tap" is DOJ spin. In reality it is a complete IP tap and should be publicized/discussed as such. I doubt a court order would restrict tapping to just email.

    2. It is up to the FBI's internal procedures and trustworthiness to prevent or discourage "overcollection" (fishing expeditions)

    3. The report points out that civil remedies exist to fix "overcollection" after the fact.
    (I hope you can afford a good lawyer).

    4. They use PC Anywhere to dial in to the carnivore box. Oh yeah, that's safe!

    The real unknown now is exactly *what* traffic is redirected (tapped) to the carnivore box? Exactly where in an ISP's topology does this redirection or "tapping" occur? Only for dialup customers? T1 customers? T3? Nebraska and Duluth or only in big cities?
  • In other words, how far can I trust him as an ally.

    That's easy. How far can you throw him?

    Seriously though, you have to take the man as a whole. This may be the only issue which you agree with him on. Which makes me wonder, what doesn't he want the feebs to see in his e-mail?


    In 1999, marijuana [smokedot.org] killed 0 Americans...
  • by booch ( 4157 ) <slashdot2010NO@SPAMcraigbuchek.com> on Wednesday November 22, 2000 @12:07PM (#606332) Homepage
    If you had read the report yourself, you would have found the answers to your questions. To read a dynamic IP address, you type in the MAC address of the system in question and Carnivore will listen for DHCP. It can also listen for RADIUS-assigned IP addresses by watching for the login name.

    Just about all concerns with the system were addressed in the paper. The paper does make some recommendations to the FBI, like requiring access to the box to be auditable. There seem to be many checks and balances between the FBI and the court in regards to making sure that only the data listed in the court order is recorded. And the paper makes some recommendations to further check that.

    All in all, I'm impressed with the paper. It is much more thorough and professional than I had expected. And while I was very skeptical before, I'm fairly well convinced that there is nothing sinister going on with the FBI in regards to Carnivore.
  • The FBI doesn't intervene. They just keep the SWAT teams around cause they look cool.

  • Thanks. I'm glad to know we have all these h4x to choose from.

    I guess there's already some feeb h4x0r rewriting carnivore to detect these things.

    I also know not to worry because some genius (you or someone else...) will come up with more.


    In 1999, marijuana [smokedot.org] killed 0 Americans...
  • You can also read the coverage by Yahoo! here. [yahoo.com]
  • These guys are going to snoop. One might even argue that they have to. Actively work to keep encryption and anonymization legal and to stay one step ahead of them.

    Someday, look at the history of John Wilkes [xrefer.com] (opposition M.P. in Britain), and learn why [xrefer.com] we have a Fourth Amendment.

    Just because law enforcement wants to search in an unrestricted manner does not mean that we should let them. Furthermore, I have not seen a method of encryption which is easy enough for my mother-in-law to use.

    Protection of freedom by nerdly end-runs is no protection at all. My ability to talk on clearspeech phones has been preserved- so must my ability to send messages unintercepted. Yes, as a stopgap, we must keep anonymization and encryption legal. However, we should enforce the laws we have which protect our freedoms.

  • Sure, it's not admissible in court, but that doesn't mean that they don't use it in one form or another.

    Gotten pulled over lately? How many ways were you being recorded, without consent? Had this happen, got pulled over (for what, I do not know, it turned out to be an interesting interaction with the cops, but I digress). Anyway, got in the cop car, and talked/argued with the guy for about 10 minutes.

    Then I realize he's been tape-recording the conversation. I shut off the recorder (didn't ask him, just did it), and asked him if what he had just recorded could be used against me.

    His explanation was that it couldn't be used in a court of law, but he could use it for personal reference and let the state's attorney listen to it when deciding whether they want to pursue a case.

    So, it's not usable in court, but it can be used to get you to court.

    Doesn't seem quite right, eh?

    How about those packets? Well, what if the packets pointed to a known black-list site, and they could use that to decide to prosecute you, but they couldn't actually use the packets? Or could they use the packets to get a search warrant to then use the packets in the courts? Kind of a begging the question sort of justice.

    Sigh.

    So much for civil rights.

  • The FBI maintains gun purchase records despite a court order to stop and the clear illegality of doing so. However, the Clinton administration has never much been bothered by questions of legality, leading me to believe that should Gore manage to lie/cheat/browbeat his way into the White House, Carnivore will most definitely be run with the same level of moral and legal fiber that Janet Reno has always brought to the table.
    Not that I'm fond of George Bush; I voted Harry Browne, who believes, as do I, that the constitution protects one from unlawful search and seizure, and that this is defined as any search not officially sanctioned by court order, so the installation of carnivore in the first place is a violation of the fourth amendment.
    See, America is trying to catch crime before it happens, and that doesn't work. Persecution of hate groups is an example: it is ok to hate the haters. I cannot imagine that the FBI, with its current record of scapegoating, would pass up a chance to blame more of the results of general incompetence in governance on hate groups and members of the "gun culture" or creators of the "culture of violence", and, as these terms indicate, you don't even have to prove that the situation exists anymore. How much longer before everyone in the US is in some sort of seditious culture?
    So, the Republicans define morality into law and the Democrats define sensitivity into law and I can't complain to someone about their behaviour in an appropriate manner over email for fear of triggering Carnivore. What a world we're headed to.
  • Apparently the pilgrims didn't have turkey. But what did happen is many many years ago turkey producers decided to hype it as a "traditional thanksgiving dinner" because turkey was more profitable than any other meats. ---->> The husband of a person who I used to work with runs the meat department of a fair-sized grocery store. He told me once that turkey is, in fact, a loss-leader for meat departments; it's sold for less than the wholesale cost as an incentive to get people into the store. In a similar manner, dairy products are a "break-even" product where the gpm on a pound of butter is something around five cents.
  • From page 15
    IITRI verified by code walkthrough, and later by experiment, that Carnivore works as described by the DoJ. Parameters set in the user interface were reflected in the configuration file. Data passed by the filter and DLL reflect the configuration file. While IITRI did not perform an automated analysis to verify all code segments are executed and that no hidden code exists, IITRI did verify manually that the driver API and DLL entry points provide only the functionality required to implement the features we observed. Given that the advertised functionality provides ample capability to perform unauthorized surveillance, IITRI concluded there was little incentive to hide such capabilities in the code.
  • I'm sure that he'd have noticed if they'd use eliza to trap him on IRC...

    //rdj
  • I don't like "Carnivore" because it can be misused easily. The US gov't has had a long history of abuses (maybe not as bad as Soviet Russia or China, but it still happens), and I don't trust them with this system. Also, the very fact that such a system like this exists shows that the attitude of society as a whole (not just the gov't) is just getting harsher, more suspicious, and very paranoid of the fellow man, and it must stop. Don't forget: The US gov't is supposed to be FOR the PEOPLE, OF the PEOPLE, BY the PEOPLE. I don't think that we should allow permanently attached "wiretap" systems like Carnivore to be used in this country. (though I do favor setting up a TEMPORARY wire tap (which is physically removed afterwards) if there is reason to believe someone is using the net for terrorism/ sex crimes/other major crimes, and they have a legit warrant). A "neutral" non-gov't party should also be monitoring the operations to check for and prevent abuses.
  • >When correctly used, "it provides investigators with no more information than is permitted by a given court order," said the institute, an arm of the Illinois Institute of Technology.

    Scary, isn't it? I mean SURE the FBI will never do a thing without permission of the court order...

    >"It's not sufficient for the bureau to say, 'Trust us, we won't do anything wrong.' Most users want more of an assurance than that."

    I'm on it! I don't trust FBI, maybe I've seen too many movies :)

    ptitom

  • It is a temporary wiretap system, used only with a court order, it IS NOT PERMANENTLY CONNECTED!!!FULL STOP.

    thank you.
  • We already knew a few ways to have a piece of software tested for free:

    Write some (more or less) cool stuff, make it free for everybody, and (but you already know that one)...

    Write some very unfriendly piece of softcrap, and threaten to make it a standard if none of you bastard hackers does not crack it.

    NEW ONE: write an even more unfriendly free-*-threatening soft (or at least advertise it as such). Since everyone is complaining about it, make your favorite government organisation hire a team of fat brains to say it is OK, it will be tested in the process.

    Assessment :

    The first one is not really cool, because everyone has access to the source code, and your reputation is ruined beyond repair because you widely advertised your inability to code and design.

    The second one is a bit more cool, since at least nobody will mess with your code. The only problem is it does not work. But at least you get some testing for free... Better chance next time.

    The last one is definitely the better. Only a few dim-witted people have access to your DLL (Don't Load it, Lad !) source code, and they might even find some bugs for free. Please don't forget to include a special non-disclosure agreement about visual basic code unless you don't mind looking ridiculous.

    We do not need any show-business to laugh and cry : we already have politicians.

  • Another tidbit from the same calendar...

    Supposedly the first Thanksgiving lasted 3 days, and the main dish served was deer. You'd have to be a helluva good marketer to start getting people to give up fat, ugly, tasty bird and start eating Bambi every fall!

    "There's a party," she said,
    "We'll sing and we'll dance,
    It's come as you are."

  • Several facts to point out regarding your post.

    1) Not one of the groups critical of Carnivore bothered to submit a proposal to have the chance to review Carnivore.

    2) Read the report. The verdict was not, "Carnivore is OK". The report says that it should be used in place of even worse tools such as EtherPeek. It also lists quite a number of problems with Carnivore, such as the total lack of accountability, bugs in the analysis software, and its ability to collect everything (up to its storage limits) if set improperly.

    3) The reviewers were not "handpicked". Eleven groups bid to win the contract, more could have done so. IITRI happened to be the winner.

    4) I agree that the government has no right to be snooping without a warrant. That is exactly why the FBI must get a warrant before installing Carnivore, and they must remove it at the expiration of the warrant.

    5) Whether or not Internet wiretaps (like Carnivore) are legal under the existing wiretap statutes is something I'll leave to the legal experts to figure out. That was not part of the task IITRI was given to review either. I will grant, though, that technology often outpaces changes in the laws.
  • After all, they have to ask convicted, admitted pedophile, Patrick Naughton [foxnews.com] inventor of Java (the language of choice for pedophiles), to write software for them. [inet-one.com]

    Imagine the logic here! Pedophile Patrick was supposed to be some sort of software genius, yet he was tricked into talking to a Fed in an IRC chat room. How smart could he be?

  • Mmmmmm....Mtraffic. Think about it. Is this really useful? Are you happy to spend your tax dollars maintaining this system and staffing it? What about the potential for misuse or cracking of the database?
  • ...would you like Carnivoure if it ran LINUX?
  • I think it was called sniff.c. It was placed on lots of high school networks, and was used to collect sensitive information about teachers' browsing habits. (At least at my school.)
  • by Tackhead ( 54550 ) on Wednesday November 22, 2000 @10:56AM (#606352)
    Great. Carnivore works to spec.

    Now tell us something we didn't know.

    Like how to prevent the Feds from using it - to spec - but illegally.

    Constructive suggestion: The device is placed under lock and key. Two keys are required to open the case in which the device resides. One of those keys is under the control of the ISP. (You can think of a "key" as either half of a cryptographic key (for remote access to Carnivore) or a physical key. Better yet, both.)

    I don't mind an ISP rolling over for FBI in the face of a court order. It's not a court request, it's a court order after all! But I fear any system that denies my ISP the chance to stand up to a Fed trying to use Carnivore without that court order.

    As of now, the only thing standing between my privacy and an FBI gone berserk is... well, the FBI.

    If it ain't there, it can't be abused.

    If Carnivore is there, and effective access controls (I can't believe I'm using the term "effective access control" with a straight face!), all we have to do is wait for them to realize that IDE drives in removable cartridges are, gig-for-gig, the cheapest storage solution around. In the name of "cost savings", the Jaz will be phased out for a hard-drive-based solution. All of a sudden, the media-size limitation on capture imposed by the use of the Jaz drive is effectively eliminated.

    (Note to self: Buy stocks in hard drive manufacturers if the Feds decide to push for laws to legalize the move to 24/7 surveillance and capture. And switch to end-to-end encryption if any single hard drive manufacturer shows a doubling in revenue in a single quarter on the grounds that they've decided to do it whether it's been legalized or not.)

    My paranoid fantasy for the day:

    FBI's position:

    • It's OK to record SMTP headers (but not the DATA portion containing the contents of an email) without a court order because "they're just like the envelope of a letter".
    The obvious extension:
    • "GET foo.html" is to HTTP as "To: foo@bar.com" is to SMTP.
    • It's therefore OK to record the GET portion of any HTTP transactions without a court order as long as you don't dump the contents of the web page being viewed.
    Watch where you click. If you don't, they will.
  • Oh yeah? Well I'm a Level Five vegan.

    Sure, I believe we have an opening at the poser level. -The Simpsons

  • These guys are going to snoop. One might even argue that they have to. Actively work to keep encryption and anonymization legal and to stay one step ahead of them.
  • by Anonymous Coward
    I submitted this first thing in the morning and it didn't make it to the stories! damn mods.

    the results themselves weren't much of a surprise I guess, so do we trust the results or not?
  • ...or how I learned to stop worrying and love Carnivore.

    I would guess that my e-mail is boring from a law enforcement perspective, but I still hate the fact that some bored feeb [fbi.gov] fsck can read one of my future inventions & pawn it off to someone he owes a favor to. Or, even worse, (s)he could spoof me and tie me to any unsolved case. This is 100% unlikely, but still bothered me until I read further into the article [usdoj.gov]. Check this out (emphasis added):

    3.5 SOFTWARE ARCHITECTURE

    The Carnivore software consists of four components

    1. TapNDIS driver (written in C) derived from sample source code provided with Win32 Network Driver Interface Specification (NDIS) Framework (WinDis 32), a product of Printing Communications Associates, Inc. (PCAUSA, http://www.pcausa.com). The license for WinDis 32 prevents the FBI from releasing the source code for this driver, and possibly for TapAPI.dll, to the public. The relevant portions of the WinDis 32 license are shown in Appendix D.
    2. TapAPI.dll (written in C++) provides the API for accessing the NDIS driver functionality from other applications.
    3. Carnivore.dll (written in C++) provides functionality for controlling the intercept of raw data.
    4. Carnivore.exe (written in Visual Basic) is the GUI for Carnivore.

    With all those .dlls, it sure looks like winbloze to me. They'll probably trail the Lindbergh baby kidnapper & fsck it up by getting the famous M$ Blue Screen of Death.

    By the way, I just love that lame excuse for hiding the source code. Et tu, corporate America?


    In 1999, marijuana [smokedot.org] killed 0 Americans...
  • Fresh from my "Uncle John's Bathroom Reader" day-by-day calendar; there is no good reason to eat turkey on Thanksgiving, other than turkey producers marketed it really well.

    Apparently the pilgrims didn't have turkey. But what did happen is many many years ago turkey producers decided to hype it as a "traditional thanksgiving dinner" because turkey was more profitable than any other meats.

    I wonder if in 100 years the Pilgrims will be shown eating burritos..

    "There's a party," she said,
    "We'll sing and we'll dance,
    It's come as you are."

  • It was also rejected...
  • Let's see now, it runs on NT, they use PC-Anywhere to dial in, and everybody logs onto it as "Administrator".

    This thing is a h4x0rs dream-come-true. Any ISP that gets one of these crammed down his throat ought to be very, very worried. Maybe attrition.org should go ahead and just set up a page now for Carnivore hacks.
  • The FBI hires admitted, convicted pedophiles [foxnews.com] to write software like this. Now, if they hire people who got CAUGHT to write this software, how sophisticated can it be?
  • If this thing is ever abused to the extent that Hushmail is not secure anymore, I'm picking up and moving to Finland. Over there, your company workspace/cubicle is your private property -- and so is your email on the company laptop.
  • To quote from the report, "A case agent controlling the Carnivore collection computer from an external computer must know the correct telephone number and have an appropriately-keyed CSP device, PCAnywhere software, a valid user name and password, and the Administrator password for the Carnivore collection box." So, the hackers will need just a little bit more than a PCAnywhere hack.
  • by Anonymous Coward
    As long as it was part of the kernel, it would be ok. Because then we would have the source code and we could check to see whether or not it is legal.
  • by FFFish ( 7567 ) on Wednesday November 22, 2000 @01:03PM (#606364) Homepage
    Why would anyone be thinking about Turkey?

    The only recent news about them involves a US military spokesman there that denies Iraq's claims of having shot down a US fighter jet [see here] [canoe.ca]; and a few weeks ago there were news stories about the Turkish government repressing (foreign) free enterprise business [see here] [canoe.ca]; and a heck of a long time ago (well, a few months, anyway) a bunch of boorish Brits got their asses kicked for desecrating the Turkish flag during a soccer match [see here] [canoe.ca].

    Anyway, point is, nothing much seems to be happening in Turkey, so why are we assumed to be thinking about it?

    Until some sort of really great geek hardware comes bursting out of its borders, or until they start some war with a neighbour, I just don't see why I'd ever think about Turkey.

    Jus' curious about the original author's thinking...

    --
  • You are correct. It is a packet sniffer which has been set up to record only the packets which meet the filter criteria selected. That is why the recommendation was that Carnivore was better for the FBI to use than a regular packet sniffer like EtherPeek which captures everything. Note that the review pointed out a whole bunch of problems with Carnivore that should be corrected.
  • From the Carnivore report
    Carnivore cannot

    - Alter or remove packets from the network or introduce new packets
    - Block any traffic on the network
    - Remove images, terms, etc. from communications
    - Seize control of any portion of Internet traffic
    - Shut down or shut off the communications of any person, web site, company, or ISP
    - Shut off accounts, ISPs, etc. to "contain" an investigation
    Sooooo send all your "sensitive" information encoded inside of gif's and jpeg's. Amazing. Big bad Carnivore can be defeated by a little Gimp. Just my Buck-o-five
  • Previous post says,
    "It also says:
    While IITRI did not perform an automated analysis to verify all code segments are executed and that no hidden code exists, IITRI did verify manually that the driver API and DLL entry points provide only the functionality required to implement the features we observed. This makes me trust their analysis even more! The API doesn't provide anything more than what is needed so that MUST be the way things work."

    Well, convenient that the very next line of the report is not mentioned. It reads,

    "Given that the advertised functionality provides ample capability to perform unauthorized surveillance, IITRI concluded there was little incentive to hide such capabilities in the code."

    Why do that much analysis if it is obvious that it can collect everything anyway?
  • Thanks for answering with specific reasons for concern, instead of just spouting generic "a bored FBI dude might want to blackmail me" rhetoric.

    Had I an example to share (such as one of the other posters), I wouldn't have needed the "rhetoric" - and as you pointed out, since they have such a history of abusing their tools and methods, it seems a pretty justified rhetoric.

    News for hiryuu: If they want to find stuff out about you (for legit reasons or otherwise), they don't need Carnivore. They've got other stuff to watch you with already. As I said, the potential for abuse is pretty much the same as with wiretapping, if I'm not mistaken.

    And that ain't news to me - my point (however muddled it might have been - I was scrawling that in a hurry) was that I'm not comfortable giving them yet another tool to abuse, particularly one that gives them the scope and ease of reach that this one could. Someone else in the thread pointed out a vast difference between Carnivore and wiretapping, and that's the potential scale.

    At least we agree on a distro.:P

  • The Turks have universities that teach MIT curriculums, and students who graduate to go along and do their Masters or their Doctorate at Stanford, MIT, UCB, etc. If anything, Turkey could easily become the most technologically advanced society, after Israel. And Turkey plays a major part in US international politics, especially since they have NATO bases there.

    They may have a shit economy, but things are brewing!

  • If you had read the report yourself, you would have found the answers to your questions. To read a dynamic IP address, you type in the MAC address of the system in question and Carnivore will listen for DHCP. It can also listen for RADIUS-assigned IP addresses by watching for the login name.

    I did read the paper myself. DHCP requests can only be read if you are within the LAN broadcast group. If there is a router between Carnivore and the "suspect", Carnivore must listen to everyone in an attempt to nab the suspect. If you split your DHCP ranges into subnets (and who doesn't) that means one carnivore box per subnet - totally unfeasible.

    My point stands.

    And it stands without even mentioning network cards with reprogrammable MACs, rotary MAC network stacks, RADIUS through encrypted tunnels, or international traffic where the broadcast range is way out of U.S. jurisdiction.
  • DHCP requests can only be read if you are within the LAN broadcast group. If there is a router between Carnivore and the "suspect", Carnivore must listen to everyone in an attempt to nab the suspect. If you split your DHCP ranges into subnets (and who doesn't) that means one carnivore box per subnet - totally unfeasible.

    But they are targeting only 1 person, so they only need 1 Carnivore box -- placed as near as possible to the person they are looking for. They said that in the paper.

    And it stands without even mentioning network cards with reprogrammable MACs, rotary MAC network stacks, RADIUS through encrypted tunnels, or international traffic where the broadcast range is way out of U.S. jurisdiction.

    I don't think Carnivore is targeting these types of people, especially ones outside of US jurisdiction. Let's face it, you can circumvent Carnivore quite a bit by using SSL, SSH, and PGP. Most criminals are going to be smart enough to use those if they know how to reprogram their MAC address.

    If you have comments or concerns with the report, the authors really would like your input. They understand that they might not have considered every aspect. Please let them know of your thoughts on their paper, but please do so in a non-inflammatory manner.

  • But they are targeting only 1 person, so they only need 1 Carnivore box -- placed as near as possible to the person they are looking for. They said that in the paper.

    If that's true, why are they putting a Carnivore in every ISP POP in the nation?

    I don't think Carnivore is targeting these types of people, especially ones outside of US jurisdiction. Let's face it, you can circumvent Carnivore quite a bit by using SSL, SSH, and PGP. Most criminals are going to be smart enough to use those if they know how to reprogram their MAC address.

    If they're not using it to target computer literate criminals, who are they going to use it against?

    Let's review these data points:

    1) It's useless against knowledgeable criminals.
    2) It's being placed in every consumer ISP in the U.S.

    It seems self-evident that this is aimed at the populace. But I admit that you have pointed this out more elegantly than I did.

  • If that's true, why are they putting a Carnivore in every ISP POP in the nation?

    Where the heck did you come up with that? I find that very hard to believe since the FBI has to get a judge to give a court order specifying particular user information and a set time period every time a Carnivore box is deployed. Not to mention the fact that there are only a small number of people at the FBI capable of installing and monitoring a Carnivore box.

    Please stop spreading FUD.

    It's useless against knowledgeable criminals.

    So is a phone wire tap. But criminals aren't exactly known for being super-intelligent. This is the FBI, not the CIA.

  • Where the heck did you come up with that?

    sigh [slashdot.org].

    Not to mention the fact that there are only a small number of people at the FBI capable of installing and monitoring a Carnivore box.

    That's why they only want to have to do it once.

    I find that very hard to believe since the FBI has to get a judge to give a court order specifying particular user information and a set time period every time a Carnivore box is deployed.

    Actually they just permanently deploy it once, then they need a court order to use it. Of course, since there's no auditing [computeruser.com], no one will ever know if they're obeying that.
  • I could find nothing in the link you provided that said that Carnivore would be deployed everywhere. Cringely's article said that we should be worried if the FBI decided to deploy it everywhere. Believing his "if" is true paranoia.

    Again I find it difficult to believe that you have read any of the articles that Sloshdot has referenced. The Carnivore boxes have a Zip or Jaz drive, which isn't enough to capture every packet that goes through an ISP. And they have to go to the ISP to get the disk, or else they have to download the info via a regular phone line.

  • They use PCA-USA's windis shim [pcausa.com]. A good product, and cheap - about $500.

    The nice thing about PCA-USA is that it gives you a copy of the NDIS stream, so you can create an anti-sniff proof network sniffer, among other things.

    Seems to be a very sensibly designed packet sniffer - along the lines of how I would build such a thing.

    If this report shows us anything, it's that we should not object to the implementation, but to the concept. Even if it is sensibly designed from off-the-shelf products, there is no way for them to guarantee they're picking up only the packets they want. In fact, it's quite impossible. How do you track someone with a dynamic IP? What's their signature? You don't know - you have to read everyone's traffic to find them.

  • Report released but no one saw it. Some people say that it was lost in an ISP mail system somehow
    --------
  • by VValdo ( 10446 ) on Wednesday November 22, 2000 @11:10AM (#606378)
    Let's say there's another outbreak of the ILOVEYOU virus, right? So a potentially "dangerous" type of e-mail is being forwarded via e-mail. Can the FBI step in and do what many ISPs were doing, ie, blocking that attachment? Seems like the FBI's job, right?

    Well at first blush, it seems like this is a valuable service the FBI might do-- to protect our digital infrastructure. But...what about other types of attachments or e-mail content could be considered "dangerous" that the FBI could use the same rationale for blocking?

    Where's the line?

    Allowing carnivore to exist starts us down the path where they can start doing way more than just monitoring e-mails...
    -------------------
  • From the Excite article:
    "The problem with Carnivore is that it gives the FBI access to the communications of hundreds, if not thousands, of innocent Internet users," he said. "It's not sufficient for the bureau to say, 'Trust us, we won't do anything wrong.' Most users want more of an assurance than that."

    Is this really any worse than the FBI's ability to tap phones? The use of Carnivore must be allowed by a judge for it to be legal. Sure, the potential for abuse exists, but if the FBI gathers evidence through illegal means it isn't admissible in court anyway. Not that I'm necessarily for Carnivore (or any other measure that gives the government the ability to invade my privacy) but I don't think there is anything too terrible about wiretaps, and from what I can tell Carnivore has a similar benefit/abuse potential ratio.

    -

  • Well, if it was on a bathroom reader it must be true!

    Looky here [aol.com] for another description - the best description only mentions 'fowl' and another from 20 years later specifically mentions wild turkeys.
  • I think the reason for the meager amount of reaction on this whole Carnivore review is because most everyone I talked to was expecting this so called "un-biased" review team to come out mostly in favor of it.

    The fact that the FBI is insisting on using Carnivore as opposed to the open-source version recently created says volumes about the FBI's real intentions. If they are not going to be using this for surreptitious purposes, then why not use an open-source version that everyone can review?

  • Can the FBI step in and do what many ISPs were doing, ie, blocking that attachment? Seems like the FBI's job, right?

    Nope. The 'i' stands for investigation, not intervention.

  • This a case where the bugs really are a feature.

    IITRI finds 2 problems:

    1. Improperly configured, the system acquires far too much traffic.

    2. The system lacks an audit trail to determine who configured it.

    So, when Carnivore snoops on entire groups or ISPs we will never know who to blame. This seems like a feature to me. The system can be used illegally without accountability.

    This would not be as big of a problem were it not for the wall of silence. Law enforcement is the most crooked segment of American society - "honest cop" is an oxymoron. So any system that relies on "trust me" is pretty bad. As it's set up right now, it is much more than likely that it will be misused. Who did it will remain a mystery, since law enforcement personnel have a dubious sense of right and wrong when it comes to protecting their own. Recent studies indicate 80% of patrolmen admit to lying in court. Instances of police misconduct are insanely common, they just can't be front-page news in our corporate media.
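The two controls asked for in this thread, the "two keys, one held by the ISP" suggestion and the missing audit trail of who configured the box, can be sketched together. This is an added example, not part of any comment and not how Carnivore works: the `Collector` class, the party names, the keys, the filter fields and the order reference are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo keys (assumption): each party would hold its own key, never the other's.
KEYS = {"isp": b"constructed-isp-key", "agency": b"constructed-agency-key"}
GENESIS = "0" * 64


def canonical(obj):
    """Stable byte encoding so both parties sign, and the log hashes, the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def approve(party_key, request):
    """One party's approval: an HMAC-SHA256 tag over the exact configuration request."""
    return hmac.new(party_key, canonical(request), hashlib.sha256).hexdigest()


class Collector:
    """Hypothetical collection box that changes its filter only under dual control."""

    def __init__(self, keys):
        self._keys = keys
        self.active_filter = None
        self.log = []

    def _append(self, event):
        # Each entry commits to the previous entry's hash, so edits break the chain.
        prev = self.log[-1]["hash"] if self.log else GENESIS
        entry = {"seq": len(self.log), "prev": prev, "event": event}
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.log.append(entry)

    def configure(self, request, approvals):
        missing = [
            party for party in sorted(self._keys)
            if not hmac.compare_digest(
                approvals.get(party, "").encode(),
                approve(self._keys[party], request).encode())
        ]
        accepted = not missing
        if accepted:
            self.active_filter = request["filter"]
        # Rejected attempts are logged too: who tried what is the point of the trail.
        self._append({
            "request": request,
            "approved_by": sorted(set(self._keys) - set(missing)),
            "accepted": accepted,
        })
        return accepted


def verify_chain(log):
    """Return None if the log is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {"seq": entry["seq"], "prev": entry["prev"], "event": entry["event"]}
        if entry["seq"] != i or entry["prev"] != prev:
            return i
        if hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def demo():
    box = Collector(KEYS)
    narrow = {"order_ref": "PLACEHOLDER-ORDER-001",
              "filter": {"mode": "addressing-only", "target": "user@example.net"}}
    broad = {"order_ref": "PLACEHOLDER-ORDER-001",
             "filter": {"mode": "full-content", "target": "*"}}
    # Both parties approve the narrow filter named in the (placeholder) order.
    ok = box.configure(narrow, {p: approve(k, narrow) for p, k in KEYS.items()})
    # One party alone tries to widen the filter: refused, and the attempt is recorded.
    rejected = box.configure(broad, {"agency": approve(KEYS["agency"], broad)})
    intact = verify_chain(box.log)
    # A later edit that disguises the rejected request is detected at entry 1.
    tampered = json.loads(json.dumps(box.log))
    tampered[1]["event"]["request"]["filter"]["target"] = "user@example.net"
    return ok, rejected, box.active_filter, intact, verify_chain(tampered)


if __name__ == "__main__":
    print(demo())
```

A hash chain only proves anything if someone other than the box's operator holds a copy of the latest entry hash; otherwise the whole chain can be recomputed after an edit.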
  • My guess would be that a Tech Editing department expanded the acronym without asking the tech folk what it meant. Then the draft report, remember it is a draft, got sent out without the techies having a chance to review it.
  • Doesn't seem quite right, eh?

    No, it doesn't. But that same equipment that is recording your routine traffic stop may also provide important evidence needed to catch a murderer or drug dealer who tears away from the scene.

    Well, I guess it is just an inherent problem with law enforcement...the more tools you give them to do their jobs better, the more they will exploit and abuse those tools beyond how they were intended. If the FBI didn't have such a rich history of bending surveillance laws, then people wouldn't be as concerned about systems like Carnivore being abused. They've brought the criticisms on themselves, I suppose.

    Thanks for answering with specific reasons for concern, instead of just spouting generic "a bored FBI dude might want to blackmail me" rhetoric. News for hiryuu: If they want to find stuff out about you (for legit reasons or otherwise), they don't need Carnivore. They've got other stuff to watch you with already. As I said, the potential for abuse is pretty much the same as with wiretapping, if I'm not mistaken.

    -

  • by delmoi ( 26744 ) on Wednesday November 22, 2000 @02:14PM (#606387) Homepage
    you could try this [hushmail.com]

    Seriously, all you really need is to be able to open a secure connection (SSH, https, is there a secure SMTP?) to some server, and use that to send SMTP signals (or whatever). Why go for simple hacks, when you can have pure, perfect, unbreakable security?

  • Ok, so it's listening to the connection as it goes past on the wire....

    Why don't we simply have a system whereby mail server A and B encrypt the entire mail exchange transaction?

    The only real problem then would be getting people to employ it, and that could be done if it were made backwards compatible by accepting older smtp connections but adding a header that indicated it was at some point transmitted in the clear, and accepting a security header that commanded it not to forward it to older servers.
    It would seem like it would be a simple modification to SMTP. Though I suppose it would have to get through the IETF first. This still leaves it in clear on the client side when it's uploaded to the server and downloaded, but similar mods could be made to the POP and IMAP connections.
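The "header that indicated it was at some point transmitted in the clear" has a close counterpart in mail as deployed today: each relay's `Received:` line carries a `with` protocol keyword, and RFC 3848 registers the variants ending in `S` (such as `ESMTPS`) for hops that ran over TLS. The following is an added example, not part of the comment above; the sample message, host names and addresses are constructed.

```python
import re
from email import message_from_string
from email.policy import default

# "with" keywords: the S-suffixed forms (RFC 3848) mark a hop that used TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
CLEAR_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

# Constructed sample: three hops, newest first, as relays prepend their lines.
SAMPLE = """\
Received: from mx.b.example (mx.b.example [192.0.2.20])
    by store.b.example with LMTP id 3; Mon, 01 Jan 2024 00:00:05 +0000
Received: from out.a.example (out.a.example [192.0.2.10])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by mx.b.example with ESMTPS id 2; Mon, 01 Jan 2024 00:00:03 +0000
Received: from laptop.a.example (laptop.a.example [198.51.100.7])
    by out.a.example with ESMTP id 1; Mon, 01 Jan 2024 00:00:01 +0000
From: alice@a.example
To: bob@b.example
Subject: constructed sample

body
"""


def strip_comments(value):
    """Remove (nested) parenthesised comments, which may themselves contain 'with'."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def classify_hop(received):
    """Classify one Received header value as 'tls', 'clear' or 'unknown'."""
    clauses = " ".join(strip_comments(received).split(";")[0].split())
    proto = WITH_RE.search(clauses)
    proto = proto.group(1).upper() if proto else None
    if proto in TLS_PROTOCOLS:
        status = "tls"
    elif proto in CLEAR_PROTOCOLS:
        status = "clear"
    else:
        status = "unknown"  # missing or unrecognised keyword: do not assume TLS
    sender, receiver = FROM_RE.search(clauses), BY_RE.search(clauses)
    return {
        "from": sender.group(1) if sender else None,
        "by": receiver.group(1) if receiver else None,
        "protocol": proto,
        "status": status,
    }


def audit_path(raw_message):
    """Return the hops in the order the message travelled (oldest first)."""
    msg = message_from_string(raw_message, policy=default)
    hops = [classify_hop(str(v)) for v in msg.get_all("Received", [])]
    return list(reversed(hops))


def cleartext_hops(raw_message):
    """Hops that cannot be shown to have used TLS."""
    return [h for h in audit_path(raw_message) if h["status"] != "tls"]


if __name__ == "__main__":
    for hop in audit_path(SAMPLE):
        print(hop)
```

Each `Received:` line is written by the relay that accepted the message, so lines added before the first server you control can be forged; treat only your own servers' entries as evidence of how a hop was carried.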
  • wouldn't have parsed the acronym DLL as "Down Load Link" instead of "Dynamic Load Library." (They really said this - see the preface, page iv or thereabouts).

    This might lead one to suspect that much of this "independent" report was copied directly from documentation supplied by the FBI itself, i.e., the Appendices, which - conveniently enough - were redacted from the materials released.

  • Anyone else find it funny that it's spelled Carnivoure?
  • You mean Soykey? With Soysage stuffing?
  • Sure, the potential for abuse exists, but if the FBI gathers evidence through illegal means it isn't admissible in court anyway.

    I don't give a damn about whether it's admissible in court or not. Is that the only use you can imagine for information gained illegally? What happens when information obtained illegally is used to pressure confessions or submission of further evidence - i.e., "We know you performed act X, why don't you come clean?" Or when the information is misinterpreted/miscredited, and an innocent party is then pursued/harassed?

    Hell, what happens if - hell, when - some agent or FBI IT dude gets bored/broke/unscrupulous and decides to screen and use information for personal entertainment/blackmail/wrecking someone's life? They have (near) ready access to that information, waiting for them - or at the very least, much closer than I'd be comfortable having them.

    (Apologies to anyone who dislikes compulsive use of the slashes.:))

  • We see nowadays so many cameras and photographic radars appearing on the streets. It seems to me that we can't even take a walk without being noticed. On the other hand, cryptographic systems get better every day. Ian Pearson, a futurologist from British Telecom, thinks that in the future we will have more privacy using computers than walking on the beach. This Carnivore system made me think that, don't matter where, we won't have any kind of privacy.
  • The difference between tapping phones and Carnivore is that the FBI can only tap 1 phone with a court order. They can't tap the entire trunk. With Carnivore, the FBI has access to more than 1 person's stuff. As for evidence that can't be submitted in court, well I'm sure that if they saw a "naughty" e-mail from me, they would not just let it go. I have a feeling that once the red flags are raised, they will find another reason to surveil someone.

    Fatter than you.
  • I can't believe I am on the same side of an issue as Dick Armey. Is it a principled stand or another knee-jerk anti-Clinton/Reno reaction? In other words, how far can I trust him as an ally?
