Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Courts Government News

Carnivore Meta-Report Released 55

matt_blaze writes: "I've been part of a group of five security researchers invited by the Chief Technologist of the Justice Department to identify technical issues with the FBI's "Carnivore" Internet wiretapping system to be addressed by an "independent review". As Slashdot readers know, the contractor chosen to conduct the review, IITRI, recently released a draft report of its findings. We've studied that report and continue to have serious concerns about Carnivore. Our report, released today, can be found here." Telling stuff. Also, check out today's Suck regarding Carnivore as well.
This discussion has been archived. No new comments can be posted.

Carnivore Meta-Report Released

Comments Filter:
  • more to the point-- neither pcAnywhere nor Microsoft Windows NT are open source. These software packages are both subject to vendor supplied back-doors, and hacker supplied attacks.
  • > Apart from the issue of a compiled-in password, standard practice calls for such passwords to be one-way hashes, rather than plaintext.

    Tells you volumes, uhh...

  • I beg to differ; the amount of stuff they find out about you will more then likely end up being used against you. I hope you don't have any unlicensed software, or look at porn, or spank your kids (for the sake of disciple, not b/c you're a sadist or anything). And as good of a person as you are, they can find something to paint you as evil. Lets not forget those packets that we say came from your IP, but you have no way to prove they didn't. 'You were on the internet at this time, weren't you? Therefor, it MUST have been you sending that kiddy porn out.' Lets not forget the lesson we should have learned from Sacco and Vanzetti (sp?). With no evidence, they were sentenced to die.
  • This is a review of the report that was done by IIT Research Institute and none of the authors work for IIT Research. If you do not like the report you should be happy that some notable people like Blaze took the time to point out the limitations of the report.
  • The meta-review of Carnivore is quite interesting. And the FBI is quite naive if they think that a device that "sniffs everything by default" and requires configuration to trim down what it sniffs is not going to be in promiscuous mode 99% of the time. In all the years I've been programming, I've found that users don't really like customizing their applications.

    The Suck article was quite interesting in that it states that Carnivore may be the one application that causes everybody to start demanding encryption in their email products. And it's about time!!!
    --
  • All this talk makes me wonder: couldn't one just overload the recording devices? On my computer, running Windows and serving files over IRC on a LAN on a T3 (read : an entirely unoptimized setup, except for the size of the final pipe) I can reliably send 3+ gigs a day of data, mostly to people with far slower connection. If I transmitted at a sustained 500 KBps (quite possible) I would be able to send about 1.8 gigs per hour. My particular part of the LAN in my school serves about 300-400 people and is 100Mbit - 100/10 * 3600 is about 36/gigs an hour. How big is the hard disk on a Carnivore box? If everyone, or even 10 people (5%) were to run a program that sent low priority packets to fill up the bandwidth that is currently unused, it would take at least $20 an hour of HD space to log all that traffic or $500 a day. And that is just for one small residence hall in one univeristy--there are millions of @home and DSL users out and hundreds of thousands of homes and businesses with a T1/3/etc connection--even a 128kBit up will fill almost 2 gigs in one day. Even the FBI doesn't have that kind of cash, especially for a project that is on as thin ice constitutionally as this one Mixing up the ports used would make it harder to find the relative drops in the bucket that make up the web pages and mail messages. One could even make the junk packets consist of words selected from a dictionary, so as to fool software that only looks for English text or something along those lines.
  • Not the amount of stuff but the way they may use it. Carnivore is not bad because it sniifs every possible packet. Man I also sometimes find INTERSTING things while sniffing my channels for technical reasons... But if I get the right to send one guy to Magadan (believe me, it's Bahamas^-30) then that's a problem. However if laws and courts state that such information can be used only under written order, then sorry pals, but I can trade nukes and you have NOTHING against me... Really do you think that things are s private? At state or high-politics levels, things are so transparent that it is no wonder people talk about "information bordels" while referring such circles. Remember Clinton and his lovely adventures... The only thing we didn't see were hidden camera shots...
    Yeah Carnivore looks bad as it seems to knock our privacy to the ground. So get to the ground! Land on Earth! Carnivore is being used. And there are hundreds of tons of information running around about the likes and dislikes of people. We can get addresses, phones, private info about people and organisations. Internet turned everything into a village. So it is natural for FBI to want a bigger grip on the stuff. However two things come out. First who will pay for this. Let's imagine I'm an american citizen. Me? Hey hold on a moment, that's MY pocket and I want THAT money used for things more rational than this. Now I'm a foreign citizen. Hey what are you doing IN MY BORDER? Get out or I start taking the dust outta my nukes ok?

    Second, does this helps catching criminals? Generally no. The amount of information is too big to gather and process in a rational way. If you wanna catch him then you should already gave something against him and know what you're looking for. Like any normal detective does...

    Third, can anyone use this against me? Yes. But if this stuff comes up then sorry, scrap it ASAP. Or else the same state that supports it may get some very hard times to live. Believe me. I lived in two totalitarian regimes and I know how people get harassed like cats. The results were quite destructive for those who tried to build the Perfect State. Today I know that many people who overused their powers are in the corner of society or six feet under ground...

    Today, too much sniffing causes very serious troubles to the one who does it. More than the harassments you may get. The only thing is that if you're afraid or fearful. Then they will get you. But here the problem is nothing but you...

    Frankly I got used that people may harass me for something... For most people this may be stress, trauma, hard times. But frankly I consider it also a school. The next ones will have to step two floors more to try something on me. If people reacted this way then FBI would think TEN times before its next silly move. Don't bash Carnivore. Tell them let go but who'll pay it. And what really does (you HAVE the right to know this). And if something gets wrong ask how FBI will really justify it. In the end, FBI will find 100 justifications to not to act the way it does...
  • The best way to make people realize that something is a bad idea, is to physically demonstrate it. One way of doing this, would be:

    a) find out what particular strings/chunks of data the FBI servers are probing for

    b) Send a large quantity of email/requests through these servers, containing ONLY these strings (i've noticed people with rather amusing .sig files on here like "fbi crack dealer munitions cuba")

    The result would be two fold. Either:

    1) This would grind down the cpu on the Carnivore boxes (NT based..it's easy!) resulting in a possible crash, which owuld in turn result in flow being restricted through the FBI 'blackbox' and hence through that particular node of the net itself. Do this to enough 'central' nodes, and the entire internet is significantly slowed down - demonstrating to ordinary users, and big business alike that carnivore is a really bad idea.

    or

    2) the amount of junk data that the FBI receive as a result of this would be far more than they could possibly process making them realize that the whole idea is stupid.

    So get writing on those Auto-FBI spam programs.

    A couple of years ago the Australian government had a similar plan to try and 'filter' out bad content (ie, not just snooping, but actual censoring). We kicked up a rather large fuss, signed a few petitions, and the whole thing passed over. I think often that non-tech people don't realize something is a bad idea simply because they've got no concept of what's actually going on in these type of situations.
  • Of course I'm legit, but I might not want to always be legit in the future.

    The absolute most simple answer for this you have already provided in your tagline. Who is to determine what is legit? Sure, there are plenty of non-legit things that they could conceivably use carnivore to help investigate...today. But what happens if tomorrow they take something that is legit and make it illegal?

    I'm not pro-NRA or anything, but what if owning guns becomes illegal? It wouldn't affect me, but I know quite a few people who'd be up in arms (no pun intended) over it. Would you want them to be able to snoop on you to see what you're saying about the new gun laws?

    Maybe they outlaw PGP instead. Maybe they mandate yadda yadda that you don't agree with. Heck, in many places in the US (this "great country chock full of freedom") there are laws that restrict a consenting adults rights to get a hummer (not the SUV). Go figure. Laws don't always make sense, and one day we may all find ourselves on the other side of them (if we're not already).
  • I think that this would be an effective way of dealing with this. Someone should make a list of carnivore ips. I have an 8meg downstream with plenty of bandwidth to spare while im at school.
  • http://news.bbc.co.uk/hi/english/world/newsid_5030 00/503224.stm [bbc.co.uk]

    You speak lightly of your phone analogy, but the fact is, this is no analogy to speak of.

    Its a fact! scary huh!(see link above.)

    for much more wonderful information about terrible conspiracies and the like, go to disinfo.com [disinfo.com]

    scary indeed

  • I've seen software that only installed as administrator.

    Needing to Install as adminstrator is sensible, in any corporate setup of any size the end user should not be installing software.

    And I've worked for companies where all the QA people had "Administrator" privs on their NT boxes.

    This is to do with programs needing to run as adminstrator (another related thing is programs which need read/write access to all sorts of strange things.) It's a sign of very sloppy programming.
  • On top of all the obvious rapes of your privacy this software brings, this is just the cherry on top. The last time this sort of mass released untested buggy crap was forced on people it was called Windows.

    They can't open and read snail mail addressed to you, how can any court let them read through your email?
  • The fact that they are using NT, or the fact that we (US taxpayers) will have to pay for it. This is just like the government, giving subsidies to tobacco growers while trying to convince people not to smoke.
  • by Alien54 ( 180860 ) on Monday December 04, 2000 @10:04AM (#582792) Journal
    Sounds like:

    • No list of precision specifications. [This would be vulnerable to political feedback/interferance]
    • No Quality Assurance work at all [bug checking, compatibility testing, etc.]except the minimal done by the developers
    • No Quality checking on the design parameters to make sure that it would pass muster with someone beside a political hack.
    Add to the list at your leisure ...

    All in all, an excellent example of how NOT to design and code a peice of software.

    sorta sounds like a peice of spaghetti coding [ie: throwing it spaghetti at the wall and seeing what sticks]

  • by Anonymous Coward
    Given that this is an analysis of an official report, surely Carnivore has just been rendered useless as a tool in court? No fed in the land will be able to swear on the bible that he can be sure that any carnivore-provided evidence hasn't been tampered with, or indeed placed there by ten year olds.
    Of course, I Am Not an American, so you'll understand that my knowledge of US jurisprudence is limited to Ally McBeal and LA Law reruns.
  • Unfortunately, those of us who work in the Windows world see this a lot.
    • Applications that have to run as administrator for no good reason. You try and explain this to windows developers and they just look at you funny.
    • Applications that have to be logged on to run. Writing a service is really not that hard.
    • Applications designed with no thought given to remote management. It's been said before, but the best remote management tool for Windows is a car. Even so, running PCAW over the public internet is quite a unique solution.
    • Applications that require a reboot after installation/upgrade/config changes.


    I think part of the problem is that Microsoft sets such a poor example. I have seen various bits of software from MS that exhibit some or all all of all of the above failures.
  • And so what? Don't you see how cool is to sniff on your E-mail, your friends E-mail, your downloads, the pics you see? This voyeur madness overcomes everything. That's a sickness with every E-policeman still carrying a fresh polished and shiny badge from running after street gangs, patrolling streets and midnight rides... Yeah the FBI is MORE than this. But it is still a police force in most of its nature. They see the power of the net, the hackers, the megatons of info running over the screens, the fantasy world TV and Holywood poisons them. And they wanna KNOW EVERYTHING! Well I understand them because when Internet came up with the Web, many of us also wanted the same thing.
    The best remedy for this Carnivore stuff is to let them go. Really! In a year or two, they will have enough people in the psychos to get an idea that this was a stupid idea...

    The only problem is that if they will try to force the net to slow down to cope with their work. That is a possible chance. But then they will be hitting hard on someone's pockets. And i believe that no security in the world costs enough to let this go...
  • I'd like to see the feds try to use Carnivore in court, and have the defendant subpoena the box to have independent experts evaluate it, only to find that it had been cracked, and that all of the logs were fake, and that the admin password is something stupid like 'renorulez!' or something else dumb like that...

    On the other hand, because they're doing this, it sounds like it's time to do ((IP over HTTP) over (IP over IP) over (IP over DNS)) and see how well the M$ box can handle it, I'm sure that some kickass kernel hacker could design a multilevel tunnel that would confuse the hell out of it anyway...

    "Titanic was 3hr and 17min long. They could have lost 3hr and 17min from that."
  • The fact that Carnivore won't work well should not let you rest easy. The fact that the FBI can ask for (in the name of stopping drug dealers and kiddie porn) and get this level of power over the people of our beloved US should keep us up nights. The analogy is that of the phone company. It would be as if the FBI routinely could have people tape record conversations they have with you without your knowledge - you speak freely thinking you are having a private conversation, and then they present the tapes in court, using them against you. Oh, wait, I forgot about Linda Tripp. My point here is: it is the erosion of our civil rights that need concern us, not how many terabytes it will take.

    Man, I am glad I don't think about Linda Tripp when I have phone sex! Whew!

    Another thing: if the FBI were truly justified in their pursuit of this sort of power then any crypto could be construed as obstruction of justice, making us all potential criminals as we protect our cyber sex and lingerie purchases.

    But the FBI is in the wrong here, so, unless Lenin pulls up at the train station, we as free American citizens still have the right to protect ourselves from our own government. Great.
  • by Anonymous Coward on Monday December 04, 2000 @10:46AM (#582798)
    And I'm a fucking pessimist.

    Blaze (et al) refers to the technical review as a "good starting point". He also mentions that a number of institutions refused to touch the review contract because of contract conditions.

    Translation into layman's terms: IITRI took the job because respectable institutions wouldn't give the FBI a rubber stamp on their Orwellian program.

    The group also mentions that the technical review didn't adequately discuss security issues-- and in fact notes a number of suggested practices that fly in the face of good security design.

    Translation: Not only is the FBI going to be privy to your communications, but so is every fourteen-year-old sociopathic script kiddie. Oh, and IITRI, due to politics or stupidity (or both), suggests making it even easier for pubescent net punks to get their hands on your e-mail.

    Okay, that's Blaze out of the way. Now on to Suck.

    The basic gist of the article is this: Carnivore is real, the public has to admit it. So now everybody is going to want high-grade crypto to keep the FBI out of their stuff.

    Sorry, Suck, but it ain't gonna happen. Consider:

    * For a company to realize demand for a feature, enough people have to get excited about it enough to demand/request it. After "billions of dollars" in damage from Melissa/LoveBug/etc., plenty of people put the blame squarely on Microsoft. Pundits screamed, analysts yelled-- and Microsoft still hasn't seen enough demand to turn off scripting by default.

    * To include "encrypted by default", people would have to have some sort of method for getting their best buddies' keys. Yeah, we have PGP key servers, but let's be realistic: we need a new standard. That'll be a few years. On top of that, Microsoft/Netscape/AOL/Yahoo/etc. would all have to take into account backwards-compatibility with standard e-mail. The technical issues behind doing something like this are a *bitch*.

    * A lot of people actually support the Carnivore program. Out of ignorance or belief in government (the two *do* go hand-in-hand quite nicely, no?), many of the people I talk to don't have a problem with the Carnivore program. They trust the FBI to "only do it when they have a warrant". As well, they claim that they don't do anything important through e-mail anyway. And my mother thinks that Carnivore could be just the thing to catch drug dealers.

    ------

    Come on people. I'm not saying that we shouldn't be optimistic, but this *is* a serious problem. The free market will *not* create enough demand for products that will stop Carnivore dead. People don't know, or don't care. If we want everything Suck says to come true, we have to inform people and get them to care. This is NOT a time to just sit on our laurels.

    Tell your friends about Carnivore and why it's wrong. Tell them about the borderline-fraudulent methods the FBI has used in the "review" process. Let them know *what* is at stake and *why* it matters!
  • is a carnivore meat report really news for nerds? The T-rex liked to eat a lot of meat. Is that really news?
  • Hmmm, with a court order they CAN read your snail mail.

    With a court order they can seize anything within reason to investigate you. Carnivore is just another vehicle to do this, without a court order they aren't *suppose* to use it.

    I don't give a rats ass about carnivore, wanna know why? I have nothing to hide. I don't trade kiddie pr0n, and I don't email death threats. If you are legit, what are you all worrying about?

    They won't be using this to check for pirated software will they? Hmm, please ignore my previous statement.

  • Send a large quantity of email/requests through these servers, containing ONLY these strings (i've noticed people with rather amusing .sig files on here like "fbi crack dealer munitions cuba")

    But make sure the text is random enough not to be easily filtered...

    This would grind down the cpu on the Carnivore boxes (NT based..it's easy!) resulting in a possible crash, which owuld in turn result in flow being restricted through the FBI 'blackbox' and hence through that particular node of the net itself. Do this to enough 'central' nodes, and the entire internet is significantly slowed down - demonstrating to ordinary users, and big business alike that carnivore is a really bad idea.

    You mean they havn't heard of the concept of a "tap"...
  • As seen in the Earthlink Crash (resulting from Carnivore malfunction) and mentioned in the report here, the use of non audited filtering devices would lead to a system that is unpredicatble and higly unstable.

    Here is the USAToday article [usatoday.com] on the EarthLink crash caused by Carnivore.


    EarthLink dodges FBI's Carnivore

    ATLANTA (AP) - EarthLink Inc. said Friday it has reached an agreement with the FBI to avoid future use of an electronic surveillance device called Carnivore that disrupted Internet access for some EarthLink customers earlier this year.

    The Atlanta-based company, which has about 4.2 million subscribers nationwide, said it had installed the snooping software for the FBI at a data center in Pasadena, Calif., earlier this year after it lost a decision on the matter in federal court.

    When Carnivore wouldn't work with an operating system on the company's machines, an older system was installed for the device, which then led some servers to crash, EarthLink's director of technology acquisition told The Wall Street Journal for a story in Friday's editions.

    ''Many'' people were affected, Steve Dougherty told the newspaper, although the company declined to say how many or where.

    Dougherty did not return messages left at his office Friday.

    Carnivore, which an FBI spokesman said was first used in the spring of 1999, scans all incoming and outgoing e-mails for messages associated with the target of a criminal investigation.

    FBI spokesman Steven Berry said the device gives the agency ''a surgical ability to intercept and collect the communications which are the subject of a court order'' and ignores everything else.

    EarthLink spokesman Kurt Rahn said the company and FBI officials had agreed that EarthLink would collect such data in the future when investigators obtain a court order.

    ''Basically, we reached a mutual agreement with the FBI that we would be able to monitor and gather the information that they needed ourselves,'' Rahn said. ''That way, they got what they wanted and we were able to maintain the integrity of our network.''

    Berry declined to confirm any such agreement or discuss at which Internet service providers the agency has installed Carnivore. Berry said the bureau is currently using the device, but he declined to say in how many cases or where.

    He said all Carnivore installations are done ''in close cooperation'' with the ISP, but he said that the FBI collects the data itself.

    Rahn said the company has no dispute about following court orders to provide customer information to law enforcement, but is concerned when doing so compromises its operations.

    ''It wasn't necessarily anything that was terribly disruptive, but it was more sort of the potential that it could have been worse,'' Rahn said of the outage Carnivore caused.

    ''And basically since delivering e-mail and delivering the Internet to our members is what we do, having that threatened is not going to work for us,'' he said.


    --
  • Maybe this has already been covered and I've missed it.

    If every email in the US is subject to carnivore, won't that make international email to and from the US fair game?

    Is this legal? ratified by the UN? *curious*

  • If I read this Carnivor thing right then, the US government will have what amounts to opening your snail mail and reading it, but in electronic form... I would imagine their logic behind this is that if you turn something into 0's and 1's and send it over the net then you didn't really want it safe from prying eyes... I wonder if anyone knows a lawer who could turn this into a coup against the privacy and copyright issues surrounding MP3's? hmmmmmmm... given a bit more thought and time this might be do-able.
  • The problem is this.. what is legit? If it were so easy to say s/he is legit, there would be no reason to have, say, a judicial system. The judicial system is there to judge the credibility and context of evidence. If, for instance, you and a pal enjoyed playing unreal. After taking a serious whipping, he emailed you to say "Ha! Ha! You suck!" and you replied "I'll kill you tomoroow!", things can get taken out of context. If your pal shows up with a kitchen knife in his throat the next day and Carnivore was sniffing your email, you may become suspect numero uno.

    So you're innocent, but you just happen to be out taking a spin by yourself during the time of the murder. Hard to defend alibi. You could conceivably become indicted. That costs money. Whether or not you are innocent, it costs lot's of money (lost wages, bail, lawyers, etc.) and the information still has to be judged in your favor for you to be cleared since it is pretty obvious you made a death threat as revenge for some strife. If the pocketbook argument doesn't work, think about your personal credibility. If that doesn't work, remember bail is not usually given in murder one cases in my parts. Perhaps a suspension of your civil liberties may convince you.

    You must remember that it is the context not the content that determines legitimacy. Carnivore can capture tons of content. However, it is impossible to ensure that it captures enough content to discern context. In some cases, like the one I mentioned above, it is impossible for it to determine any context. The English language (as a matter of fact, all sufficiently complex languages) is open for interpretation and your interpretation of a harmless note is not always the easiest to believe.

    Was it Ben Franklin who said something to the effect: "Those who would give up liberty for safety deserve neither liberty nor safety."? The fourth and fifth amendments are not there to harbor criminals. They are there to protect the wrongly accused. And just because you claim legitimacy does not mean that you will never be accused. Go ahead and let them sniff? Given enough time and wide enough scope, the FBI could have brought charges against Mother Teresa.

    Rather than a court order allow a switch to be thrown, I would prefer a larger price in time and money to install such a system to deter wanton use of this if it can even do what it claims. Remember, it's not how private something really is in the US, but how much privacy you expect that determines what kind of warrant is needed.

    PerES Encryption [cloverlink.net]

  • The best remedy for this Carnivore stuff is to let them go. Really! In a year or two, they will have enough people in the psychos to get an idea that this was a stupid idea...

    The cost for your idea is simply too great. Sure, you think it would expose this device for what it is, but just imagine the lives that would be effected by this. Imagine if it was YOU that they decided to pick on.

    Besides, its more likely that no one would ever know that kinda thing was going on as a result of Carnivore. I doubt we'd hear about all the abuses of it, and the fact that no one does hear abuses about it would lead people to believe its not as bad as it sounds. No, letting them stomp on the Fourth Amendment is not a good idea; there was enough proof of what happens when police abuse thier powers 200 years ago when the clause was written. I don't think we need any more proof as to why we should respect it.
  • Wasn't there a post about this a couple of w33ks ago that stated the fact that there are certain backdoors that were programmed in by the original writers. Or so they paranoidly think may have happened.

    It should be a genearl rule that if they want to piggy back a box on a network to monitor traffic, they should make it manditory that the box be as secure as possible before jeaopardizing or comprimising some elses network.
  • I like this quote:

    "Journalist Duncan Campbell has spent much of his life investigating Echelon. In a report commissioned by the European Parliament he produced evidence that the NSA snooped on phone calls from a French firm bidding for a contract in Brazil. They passed the information on to an American competitor, which won the contract."

    And from

    http://fly.hiwaay.net/~pspoole/echelon.html

    "An office was created within the Department of Commerce, the Office of Intelligence Liaison, to forward intercepted materials to major US corporations."

    Let's focus on this for a minute: In light of the fact that corporations are quickly becoming more powerful than governments - I support a theory I heard somewhere that corporations are the new nations of the world - isn't it sad to realize that our freedoms are being taken away from us by the very same people who provide us with all these glittering toys? This ain't good if true.

    You know, I support my government, and I believe that our government is still the best weapon of resort to preserve our freedoms (even though I'm across the pond!). It is individuals within the government and the resulting systems of - for lack of a better word - evil conspiracies that leech our liberties. I can only hope that responsible people will continue to watch and report. And that responsible citizens will take an interest: stop playing PS2 for a minute and find out what is really going on. But then again, one can live a whole life in blissful ignorance...
  • Sincerly I got aquainted to the fact that anyone may know things I wouldn't like to show. The Internet is a big school. But the fact that someone knows something more confidential or private about you does not mean that things may turn against you. On the contrary. the spell may turn against the wizard and he may get really hurt. And I have seen several examples of this...

    Wanna read my mail? PLEASE! (300 mails a day) Wanna pick up my bookmarks. Cool. (4500 links) Wanna see my private life? Be my guest. (Ooooh myyyy... Get ready to live 32 hours a day) Sniff, crack, break, put cameras, do anything you may. (If you can get where I am and where I live) ANYWAY, YOU WILL NEVER KNOW WHO REALLY I AM. Without that any knowledge about me may turn dangerously against the perpetrator of my privacy.

    "Now, I'm the Shadow of Night... The Phantom of Light... The Black Star... That shines on the Darkness of Space... I became a walker"
    Shantz Ektanoor
  • The authors of the Carnivore meta-comments read like a veritable who's who among esteemed experts in computer security, reliability and public policy:

    • Steven Bellovin, AT&T
    • Matt Blaze, AT&T
    • David Farber U of Pennsylvania
    • Peter Neumann, SRI International
    • Eugene Spafford, Purdue University CERIAS
    Wasn't it Matt Blaze who cracked the Law Enforcement Access Field (LEAF) in that government approved crypto standard they were trying to ram down our throat in the mid-80's?

    And Peter Neumann I know very well in an online way, as he is the moderator of the Forum on Risks to the Public in Computers and Related Systems [ncl.ac.uk] which discusses all kinds of topics in software reliability and security, and provides an ongoing archive of known software bugs.

    It is also available on the Usenet News as comp.risks [comp.risks] and I consider it required reading for anyone wishing to take themselves seriously as a programmer.

    This means you.

    Neumann also wrote the book Computer Related Risks [fatbrain.com] which draws on material from the forum but discusses it in more depth.

    He is also a frequent consultant to the government and military on computer reliability, security and computer policy as you can see from Neumann's home page [sri.com].

    He writes great puns too, which are often found added to Risks submissions.

    Now for my contribution - I'd like to suggest you read my page Why You Should Use Encryption [goingware.com].

    This page discusses in a way that I hope is clear, approachable and compelling, why everyone - even your mom, even your kids, should use encryption.


    Michael D. Crawford
    GoingWare Inc

  • perhaps the real purpose of carnivore isn't to colect evidence for the FBI, but to be so badly written and so buggy, and crash so many networks that the ISP's will do the collection for the FBI.
    1. That way the FBI will have a neutral third party to testify
    2. Use of someone elses resources for storage
    3. and an implied responsibility for the content of user's traffic
    They probably are very close to releasing, an improved Carnivore that will seem very tame compaired to the original, everybody will be pacified, and forget about it anyways.
    "The real purpose of the office of the President isn't to wield power, but to draw attention away from it" Douglas Addams
  • Note that the article doesn't say Carnivore caused the problem directly. What caused the problem was the reinstallation of older software on the Earthlink system so that Carnivore could be used. If an ISP is forced to make such changes, then the claim could be made that the use of Carnivore caused the problem. However, the device itself was not the source of the problem. The older operating system software was.
  • ''It wasn't necessarily anything that was terribly disruptive, but it was more sort of the potential that it could have been worse,'' Rahn said of the outage Carnivore caused.

    As many predictions told about... Sooner or later oversizing eavesdropping will cause such things...

    People there is one small principle. If "Total Control" would be possible, then Egyptians would have already achieved this, Inquisition would only seek mutants and Hitler or Stalin didn't needed to make so many discourses and their police force would be 1000 times smaller... Humans are too complex to have a control system last more than a few years. And even 70 years could not break Russians of their anti-state character. As we perfectly know, any Europeoid will never trust the State, and will bash it in every possible chance. And no one of African origin will ever, ever humbly bound his neck without thinking about turning the neck of his master/boss/patron. And Asians will always say the State is needed while being member of sects, secret organisations or believing in things with a much more anarchist trend than anyone else. We humans are rebels and even working for the State we will ALWAYS defy it.

    The only chance to change this is to lobotomize all of us... Or to extreminate everyone and clone monkeys in our place.
  • IITRI took the job because respectable institutions wouldn't give the FBI a rubber stamp on their Orwellian program.

    IITRI didn't rubber stamp it either. Read the report, and you'll see they found quite a number of problems with it. Their only real recommendation is that it is better to use Carnivore which CAN selectively filter than commercial packet sniffers which read everything.

    Oh, and IITRI, due to politics or stupidity (or both), suggests making it even easier for pubescent net punks to get their hands on your e-mail.

    Where in the report does it say that?

  • This is just another case of "The Man" just not getting it and overstepping other people's boundaries.

    This is why we need more people in power that understand what technology can do for us and when it can be a bad thing.

    =-=-=-=-=
    "Do you hear the Slashdotters sing,

  • by quantax ( 12175 ) on Monday December 04, 2000 @09:51AM (#582816) Homepage
    They want to run this software, but yet they have not done a systematic search for any bugs or security holes? What the hell is the FBI thinking? "We want to spy on your insecure software with our really insecure software... And hope no one else joins us in spying on you..."
  • This is just another case of "The Man" just not getting it

    This not getting it, is that the same thing as not getting any?
  • "One such approach is to publish the Carnivore source code for public review. Although an extraordinary step, we urge the DoJ to consider it seriously. "

    I wonder how many people at the department of justice would actually seriously concider that? Wouldn't if be funny to run across the source-code with a GPL-like license which happens to read "And now that you've read this, we'll have to kill you." For National Security reasons of course.
  • by myc ( 105406 ) on Monday December 04, 2000 @09:57AM (#582819)
    not only buffer overflows but the fact that Carnivore needs to run as root/administrator. looks like they still have a ways to go before they have a useable system.


    ---
    Santa Claus: "Ho ho ho!"
  • by Anonymous Coward
    will be that some clever 13 year old hacker is going to figure out how to root a Carnivore box. And then the fun begins. Hmm, my school principal is dealing in child pr0n! whoot.

    Carnivore is going to be more of a target than an actual bonus.

  • by Anonymous Coward


    Comments on the Carnivore System Technical Review

    Steven M Bellovin
    AT&T Laboratories
    smb@research.att.com
    Matt Blaze
    AT&T Laboratories
    mab@research.att.com

    David Farber
    University of Pennsylvania
    farber@cis.upenn.edu

    Peter Neumann
    SRI International
    neumann@csl.sri.com

    Eugene Spafford
    Purdue University CERIAS
    spaf@cerias.purdue.edu

    3 December 2000

    I Introduction
    In September, 2000, we were asked by the Chief Scientist of the US Department of Justice to identify technical issues with the FBI's Carnivore Internet wiretap system that should be addressed by an independent review. On October 2, we met with Justice officials in Washington, DC, where we identified various areas of concern and issues that we believed must be addressed by any meaningful review process.

    The contractor chosen by the Government to conduct this review, IIT Research Institute, recently released a draft report of its findings ("Independent Technical Review of the Carnivore System", dated 17 November 2000). We have studied that report and we continue to have serious concerns relating to the Carnivore system.

    Although the IITRI study appears to represent a good-faith effort at independent review, the limited nature of the analysis described in the draft report simply cannot support a conclusion that Carnivore is correct, safe, or always consistent with legal limitations. Those who are concerned that the system produces correct evidence, represents no threat to the networks on which it is installed, or complies with the scope of court orders should not take much comfort from the analysis described in the report or its conclusions.

    We are especially concerned with several serious limitations of the analysis as presented:

    There is a lack of analysis of operational and "systems" issues, including interactions between the Carnivore code and its host environment and operating system. Many potential security flaws and collection errors are likely to be found in this area.

    There is no evidence of a systematic search for bugs, not even such common (and serious) errors as string buffer overflows or URL or header parsing problems, although these are listed as potential issues.

    The exclusion from analysis or testing of RADIUS is a very serious omission; RADIUS is especially difficult to interpret in a vendor-independent fashion, and has been cited as a source of Carnivore problems in media reports.

    There is inadequate discussion of audit and logging (both of logs maintained by Carnivore itself and of logs maintained by the host operating system and supporting tools). This is especially serious in light of the use of "PC Anywhere" and "Administrator" logins for remote access, which permits any files to be uploaded or changed, including the logs and audit trails.

    II Conclusions and Recommendations
    Unfortunately, serious technical questions remain about the ability of Carnivore to satisfy its requirements for security, safety, and soundness. While the IITRI report does represent a good starting point for answering these questions, we were disappointed that more attention was not paid to operational and "systems" issues. It is simply not possible to draw meaningful conclusions about isolated pieces of software without also considering the computing, networking, and user environment under which they are running. These and other areas must be examined further if the legal community, ISPs, and the public are to have confidence that Carnivore works as it is supposed to.

    We also urge that the report's recommendations with regard to logging and audit be considered carefully and made a high priority. The Carnivore system does not produce meaningful or secure audit trails. This is obviously a very serious deficiency.

    We applaud the DoJ and IITRI for their openness in the Carnivore review process, especially in light of the time constraints under which the review was conducted and the extraordinary sensitivity of critical law-enforcement surveillance technology. Nonetheless, we must emphasize that no single review can ever capture every potential problem with critical software of this complexity, especially when it must be run under a wide range of operational environments. Furthermore, as the software is enhanced and the environment under which it runs evolves, existing reviews may well be rendered obsolete. As such, the Department of Justice must consider an on-going process to maintain confidence in the system. One such approach is to publish the Carnivore source code for public review. Although an extraordinary step, we urge the DoJ to consider it seriously.

    III Itemized Comments
    Following is a list of comments keyed to the roman page numbers or symbolic section numbers in the draft report.

    p. xiii
    There is a statement that Carnivore is not powerful enough to capture everything, that unless the filter is configured correctly, it will not accurately collect data. This implies that it might not keep up with heavy load as part of a lawful intercept. As such, this issue should be explored to ensure Carnivore behaves correctly under heavy load.

    ES.4
    The user must be logged in as Administrator. This is bad, because flaws in the code can easily lead to system penetrations and violations of least privilege.
    Putting more and more into the driver is a poor way to produce a robust system. It requires too much privileged code.

    There are two typos: DLL stands for "dynamic link library." The correct brand name of the removable disk drive is "Jaz" and not "Jazz" disk.

    ES.5
    The draft says that "Carnivore represents technology that can be more effective in protecting privacy and enabling lawful surveillance than can alternatives." What alternatives? The scope of this statement is undefined.

    ES.6
    A "CRC" should not be used. Instead, a cryptographically strong "MAC" (message authentication code) or (at the least) a cryptographic checksum such as SHA-1 should be used. (Note: "CRC" -- "cyclic redundancy check" -- refers to a particular mathematical algorithm; it is simply one form of checksum.)

    1.1.1
    There is mention in point 17 about possible string buffer overflows in Carnivore or related tools. But there is no further discussion in the report. This is a very serious omission in the report; buffer overflows are among the most common causes of security weaknesses in network software.
    Clearly, the IITRI team could not do a thorough search for buffer overflows in the allocated time. But some analysis of the possible consequences of an overflow -- in Carnivore, CoolMiner, Packeteer, or wherever -- should be feasible.

    More generally, are there sanity checks on collected data?

    In general, there should have been a much more thorough search for bugs. The problems with the analysis programs should have been found in earlier testing by the FBI.

    3.2.3
    Why is the second minimization done by the case agent? If impermissible data is collected by Carnivore, the case agent can learn its contents before deleting it. This seems to violate the separation policy otherwise used.

    3.4.3
    PCAnywhere is far too powerful for this purpose. Any files can be changed or modified, with no auditing. A less general mechanism that provides suitable logging and that does not permit remote modification of log files would be far better.

    3.4.4
    Apart from the issue of a compiled-in password, standard practice calls for such passwords to be one-way hashes, rather than plaintext.

    3.4.4.1.2
    What protections are there against forged RADIUS or DHCP packets? What about forged addresses in general? Is the ISP required to do ingress filtering?

    3.5.1
    The note that "Carnivore is not intended to ... collect all packets" is wrong; that's a function that (as noted elsewhere) is present simply because of its behavior with no filters.

    3.5.3
    Table 3-1 is unclear on what happens if the strings appear in the middle of a packet, or if the string is split across two packets. See, for example, RFC 2920, for one way in which this can happen for e-mail.
    The handling of fragments is frequently problematic and should be addressed further.

    3.6.10
    DCHP can key on host name, not only MAC address.

    4.1
    The Windows NT configuration is quite crucial. This must be evaluated. Is there an IP stack? Can incoming packets crash or compromise the host environment even before the packets get to Carnivore? What is done for NT installation and configuration management? All conclusions depend on "correct configuration"; how likely is that in practice?
    RADIUS is not similar to DHCP, and in fact poses a large number of operational issues. In particular, there are numerous non-interoperable, vendor-specific extensions. The crash in the Earthlink case is rumored to stem from limitations in Carnivore's RADIUS-handling code (thus forcing the ISP to fall back to less-stable code that implemented a desired profile of RADIUS); failure to evaluate the Carnivore implementation is not acceptable.

    4.2.1
    The ISP has no way to verify that the settings have been correctly entered. Indeed, this seems to be a FBI requirement in some cases -- they report that in some cases the name of the person being intercepted is deliberately kept hidden from the ISP. (This suggests that Carnivore provides functionality to the FBI in excess of what can be obtained by cloning the target's e-mail account.) This contradicts the statement that Carnivore is used only when an ISP cannot provide the relevant data.

    4.2.2
    The report suggests that judicial oversight is the ultimate check on abuse. Given examples of the failure of such processes -- notably the recent wiretap fiasco in Los Angeles -- it is difficult to be completely reassured.
    This will become more of an issue if and when Carnivore versions are made available to more police agencies around the country.

    4.2.3
    Most protocol messages are not guaranteed to start on TCP packet boundaries.

    4.2.4
    In general, we agree with the report that much more attention needs to be paid to audit trails.
    Carnivore seems to allow use of keyword searching on all IP traffic on the subnet (no filtering to specific IP addresses). We would be interested to hear opinions on whether this capability is authorized by wiretap law.

    4.2.6
    We agree that the lack of a formal development environment, including formal and auditable change management to the source code, is crucial.

    4.2.8
    It is not legal to look at mail headers with a pen register warrant, because it can disclose correspondence between two or more parties who are not subjects of the court order.
    What are the consequences of missed or out-of-order packets? As Carnivore is not in-line in the protocol, it is quite difficult and not always possible to detect missed or out-of-order packets.

    The report states that under-collection is never a risk. This isn't true; missed RADIUS packets, missing exculpatory e-mail messages, etc., can have a large impact. How can an agent determine if traffic was missed or lost?

    There seem to be a number of cases of potential over-collection in pen mode. It captures entire IP headers for some protocols. It captures the entire packet if it contains an SMTP MAIL FROM: command, even though the rest of the packet might contain content (e.g., the body of an e-mail).

    In pen-mode, it captures and displays lengths of various communications. One concern is that this allows traffic analysis -- for instance, in the case of a user visiting a web site, knowing the length of the objects returned can often be used to identify which web page he was visiting (at least for static HTML content), and this is clearly not authorized in pen mode. (Images, in particular, are quite distinctive that way.)

    It also collects and displays lengths of, e.g., Subject: lines in pen mode.

    4.3.2
    There was very little analysis of different ISP configurations. What versions of DHCP or RADIUS is Carnivore compatible with? What DHCP options does it understand? How likely are the operational changes which may be required? Again, the Earthlink case is a warning.

    5.2
    We very much agree with the suggestion that separate versions be used for pen-register versus full-content intercepts. Usability in general is a concern, especially given that the default is to collect everything; configuration is a matter of telling Carnivore to exclude certain things.

    5.5
    It would also seem to be a good idea to capture the entire configuration of the machine after it is used; perhaps they could use a removable hard disk (as their only permanent storage, so that all software, everything would live on it), and after finishing an interception, put the the removable disk under seal.

    5.9
    "Once Packeteer and CoolMiner have had all the software bugs fixed, ..." The possibility of removing all bugs is a bad thing to assume. On the other hand, this software is being used now. It would be preferable to give defense attorneys whatever version is being used, even a buggy one, as that is the the tool used in the cases against their clients.

    About - Services - Affiliate - Privacy Policy - Contact
    Copyright © 1999-2000 Distinctly.com Inc. All rights reserved.

  • The draft says that "Carnivore represents technology that can be more effective in protecting privacy and enabling lawful surveillance than can alternatives." What alternatives? The scope of this statement is undefined.

    Ahhh, the power of Foretelling is such a beautiful thing. Too bad it's wasted on predicting Carnivore 2.0 in this case...
  • there's a mirror at http://dotslash.dynodns.net/00/12/04/1339257/carni vore_report_comments.html [dynodns.net]

    As always, I don't take responsibility for the content; I'm just mirroring it. If you're the author/owner/sponsor or whatever and you want it down, send me a mail.

  • Mirror please, or repost - content filter at my place of business blocks www.crypto.org as an "activist" website.

    /fucker

  • Lets face it - its good to have a thorough review of the Carnivore system, and for trusted oversight. But the inner workings are not something the public need to know about. It only opens the avenues of criticism my the technically inept. Have a community-trusted (read non-government subsidized) entity keep Carnivore in check. But don't expect Carnivore to be perfect.
  • by ephraim ( 192509 ) on Monday December 04, 2000 @10:12AM (#582826)
    I just want to point out that Matt Blaze and Gene Spafford, who are listed as authors of this report, are rather big names in computer science and networking. Spaf has been involved with the internet for over 20 years. These guys *really* know their stuff when it comes to security. Which makes their findings all the more scary.

    /EJS

  • What the hell is the FBI thinking?

    According to the article, and judging by "in Carnivore, CoolMiner, Packeteer, or wherever", it's an alien plot to develop competition for Minesweeper and solitaire. All hail the FBI!
  • So is Peter Neumann, who has run the ACM Risks Digest [sri.com] for oodles of years.
  • What the hell is the FBI thinking?

    According to the article, and judging by "in Carnivore, CoolMiner, Packeteer, or wherever", it's an alien plot to develop competition for Minesweeper and solitaire. All hail the FBI!
  • by VP ( 32928 ) on Monday December 04, 2000 @11:12AM (#582830)
    But the inner workings are not something the public need to know about. It only opens the avenues of criticism [b]y the technically inept.

    The logic of this statement completely escapes me. How would the details of the inner workings lead to criticism by the technically inept? If you display the technical diagrams of the newest Ford engine in, say, NY Times, do you expect this to generate technically inept criticism, or would an article in the automotive section on the same topic and without much technical detail generate this type of criticism?

    We already know the equivalent of the article without much technical detail about Carnivore: it is a packet sniffer, with filtering capabilities, it runs on NT, there is little or no security. The "technically ept" can conclude based on this information that this tool will be relatively easy to misuse (or abuse), and that without the details (i.e. the source code) there is a good chance that adding Carnivore to your internal network may cause technical problems in addition to any of the issues discussed in the meta-review.
  • by roman_mir ( 125474 ) on Monday December 04, 2000 @10:17AM (#582831) Homepage Journal
    I wonder how exactly does an agency such as FBI select a contracter who writes their software. This contracter has to be trusted and than the independent reviewer has to be trusted as well. If I wanted to wiretap into FBI wiretap what do I have to do? From the reviewer it looks like the way Carnivore is written and tested does not qualify to be an FBI wiretapping software. The software tracks more than it is allowed (all network packets), it uses PCAnywhere to administer the configuration and the software! All we need now is a bug in the PCAnywhere software. Carnivore will slow down the traffic that it monitors and it probably will not be able to scale. If I was working for let's say some 'other' agency and I was interested in wiretapping the wiretappers and I had enough power, how difficult would it be for me to put everything in the right place for the FBI to take the bait. Get a certain company to do the contract, get someone inside the company to grab all the source code then screw with the independent reviewer (requires money but not impossible).

    We'll keep backup of all your email and all the files you've ever sent over the net for your convinience and for our security.
  • Well I understand them because when Internet came up with the Web, many of us also wanted the same thing.

    Yeah, but at least we grew out of it. Law enforcement institutions aren't exactly known for their growing maturity. Hell, most lawmen I've met were stunted adolescents for that matter.

There's no sense in being precise when you don't even know what you're talking about. -- John von Neumann

Working...