Dartmouth Student Invents A Carnivore Leash 188
timdorr writes: "Looks like a student at Dartmouth wants to turn Carnivore into a much more resonable tool according to this Wired article. I'd personally feel a lot less invaded if I knew the system was in place and in this form. Hopefully the government takes notice becuase Carnivore still seems like quite a loophole for our government to exploit."
hmmm (Score:2, Insightful)
Re:hmmm (Score:5, Insightful)
Can you trust all new administrations to do only good? McCarthy is a prime example of what happens when you let paranoia feed on patriotism. What if in the future a fascist(in the true sense) governemnt controls america. What will you do then? By this time, you've already been catalogued and filed and triplicated in every possible way; you gave up your right to privacy years ago.
Round two: A computer cracker or a corporate spy thieves the database for their own personal gain. You, and all 249 million of your neighbors are now in the hands of the highest bidding corporation or marketing firm. What are you gonna do? Nothing. You don't have any rights. You gave them away already.
Although the right to electronic privacy is not in the constitution for obvious reasons, the true intent of the bill of rights is obvious. The Bush Legislation Regime is feeding on our own fear of the enemy(whoever that is) to take away our rights. Everything from Carnivore to the SSSCA(or whatever new derivative is in the works) to the USA Patriot Act, our rights are being eroded away one law at a time. Americans are like frogs, they'll sit in their apathetic zombie worlds letting their rights vaporize while calmly waiting for the water to boil.
I may be a elitist prick; but the apathy, disillusionment, and ignorance surrounding me makes me want to vomit.
Re:hmmm (Score:3, Insightful)
Do you have the slightest thing to say on topic, or are you just taking any chance to rant? Seriously, I think you need to take off the tin-foil hat for once. Do we oppose phone taps on the grounds that if they really really wanted to, the FBI could tap everyone's phone? No! "Carnivore" is just phone tap for email with a catchy name, nothing more, which for no particular reason has turned into a lightning rod for every paranoid conspiracy out there.
(and just watch me get moderated "-2, Dissenting Opinion" for saying it too)
Not the same. (Score:3, Insightful)
Carnivore, on the other hand, listens without permission from the judicial system, without any oversight. There is no balance to this power.
Sure, Carnivore is equivalent to a phone tap for email---a phone tap that the feds can apply to anyone, for any reason, on the merest whim.
I think the tin-foil hats are justified here.
--grendel drago
Re:Not the same. (Score:1)
Accountability. (Score:2)
No personal vendetta is required; law enforcement officials may have the purest of intentions while stepping on my rights, but that doesn't justify them.
If we trust law enforcement to make these decisions, we give up on the whole idea of judicial oversight---the cops become accountable to no one.
--grendel drago
Re:Not the same. (Score:2)
First of all, every judge authorised to make wiretap decisions needs to have an encryption key signed by the secretary of state. Without this, the whole system falls apart, but nobody seems yet to have implemented it.
Secondly, a list needs to be electronically published and signed, containing the names and keys of all judges so authorised. Again, how else do they expect people to know who's got authorisation to get this data.
Thirdly, a standards body needs an XML template that the judges can fill in to authorise an electronic wiretap. Information required, the intended target, the name of the investigating officer, etc. Once these are in a standard form, they can be electronically processed.
This is all just what the story's proposing (albeit in a narrower sense) but did it ever occur to -anyone- before, to have something as basic as a way of finding out if an electronic warrant is valid?
If, as the article says, companies are spending hundreds of man-hours per week on this, they definitely need somewhere they can feed all the electronically-signed warrants, a computer which will determine their validity, log the information asked for, get the information, encrypt it both to the investigating officer's key, and to the judge's, then email it back to them.
Try explaining that to a policeman. "But I just want this information... and this, and this, and this... And I want it for free. And I want you to check this warrant for free also. And you can be sued if you accept an invalid warrant. And you can be sued if I take data not permitted by law. And you can be sued if your servers fuck-up while I'm poking around in them..."
Try explaining that to the sysadmins...
Re:hmmm (Score:1)
Well, you got that bit wrong at least. You are sitting at +5, Insightful.
Probably doesn't reflect on the quality of the rest of your post I guess.
Michael
Re:hmmm (Score:1)
This just reminds me of a really good quote by Benjamin Franklin that I'd really like to share...
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin
Too clever for his own good... (Score:2, Interesting)
Re:Too clever for his own good... (Score:3, Funny)
[/sarcasm]
I'm 1/4 Australian. When can I move?
Re:Too clever for his own good... (Score:2, Informative)
Though have you considered that you may be acting a bit paranoid? I mean, really, you seem to be (along with most of Carnivore's opponents) assuming the very worst, without any firm evidence to do so. How about giving things a chance before passing judgement?
Re:Too clever for his own good... (Score:2)
The point is that there is no judicial review, which is required by the Fourth Amendment. To at least a few Americans, violations agains the Constitution - even if done with the best of intentions - are problematic.
Without judicial review the police can do whatever they like. And police are only human, no better or worse than the rest of us, and just as prone to mistakes and the presence of 'bad apples'.
Max
Re:Too clever for his own good... (Score:2, Insightful)
Maybe I'm being paranoid. But, maybe I'd just like there to be no opportunity for abuse. I have to assume that the fact there are 100's of thousands of requests by the justice department for new information on online users that in some way, they are too broadly searching the net.
This is all based on the premise that the terrorists aren't using any type of concealment such as PGP(which we know they are). The invasion of privacy is unwarranted. There was no real review process for the PATRIOT act. It has some really good provisions. And a bunch that are blatantly 'over the line'. I want a safe homeland just as much as the next guy. I'm just hoping that fear similar to that felt during the cold war doesn't well up again. Our own fear is our worst enemy.
And remember (Score:3, Funny)
Kierthos
Re:And remember (Score:1)
I think people are freaking out about nothing...there is no way any 'men in black suits and thin ties' can monitor all the email that comes out of a major co-lo. they just can't....sorry, but that's a hard pill to swallow.
If you think carnivore is running on your server, well, I'll give you a free email address and web based email - that'll quite down all the whinning.
John
Re:And remember (Score:1, Offtopic)
One ring to rule them all,
ash nazg gimbatul,
one ring to find them,
ash nazg thrakatulûk agh burzum-ishi krimpatul.
one ring to bring them all and in the darkness bind them.
Re: (Score:2, Interesting)
Re:smart solution (Score:2)
OK, assuming for a moment the judge wouldn't simply grant the FBI permission to open the entire vault, this idea totally misses the point of Carnivore. Carnivore is a box that sits on the ISP's network and snoops the traffic, looking for whatever the FBI wants. It would sit on the network right next to the "vault" and see the exact same traffic the "vault" sees; nothing the "vault" does would hid anything from the Carnivore box. Get it?
THIS IDEA WILL NOT WORK.
Ah, Dartmouth, home of Usenet's greatest genius [killfile.org]. Must be the water.
Justice Dept partially paid for it. Wow (Score:1)
Re:Justice Dept partially paid for it. Wow (Score:1)
Re:Justice Dept partially paid for it. Wow (Score:1)
Wired == suckAssJournalism
Re:Justice Dept partially paid for it. Wow (Score:3, Informative)
> The guy's paper clears says it was funded by DoJ.
>
> Wired == suckAssJournalism
Learn to read carefully; the article clearly states
"The U.S. Department of Justice and IBM partially funded this research."
Wired isn't my journalistic choice, but this criticism at least is unfounded.
Re:Justice Dept partially paid for it. Wow (Score:1)
Just an eskimo's perspective from Canada. We do all live in igloos right?
Re:Justice Dept partially paid for it. Wow (Score:1)
Re:Justice Dept partially paid for it. Wow (Score:1)
unfortunately, it will provide no protection at al (Score:5, Insightful)
The big problem with this is that even if it's implemented, since under the Patriot Act judges need not sign off on subpoenas, the FBI et al would still be able to get all they keys they want and still access all the data.
For this device to be useful, unfortunately, the law must be changed to require judicial oversight... and the judges must be trustworthy!
Re:unfortunately, it will provide no protection at (Score:3, Insightful)
This is an important developement because it looks like striking the right balance between the individuals' right to privacy and the requirements of the government in their quest to protect us. Whether the system will be used to protect us or not is not something programming can change, sadly, that's a matter for the judges et al signing off on the subpoenas/search warrants/what not
Re:unfortunately, it will provide no protection at (Score:2)
Re:unfortunately, it will provide no protection at (Score:4, Insightful)
[ I said this before, but I like to repeat myself
Current public-key encryption (gnupg, pgp) is strong enough to keep you safe from "casual" prying eyes - like your spouse, children, parents, syadmin, boss, street cops, even the fbi. Maybe they *can* crack it (i mean the feds), but they won't go to that without strong reasons and probably more thinking.
What really pisses me off if this "casual" attitude to authorities snooping my personal communication; I'm sure that if the cia, nsa, kgb, mafia, big corporations or who knows else - want to read my email, they will. But I'm also sure that by using gpg, none of the small big-brothers will get their kicks.
Get some perspective (Score:4, Funny)
Everyone else knows that after 9/11 so many people made calls, emails, HAM traffic to the tune of 'terrorist' this, 'Cell' that, that Carnivore must have sustained a complete mental(server) breakdown. Put your thoughts to things of more importance (Israel/Palistineans, Coke vs Pepsi). The chance that something the FBI/CIA built outside of a national coding symposium would be so utterly, absolutely crashed from the traffic of keywords that it doesn't bear looking at. I'm not trying to point you in the direction of unilateral oversight and say it's OK, I'm just saying that 'right now' there are more important things to look at than a system more crashed and confused, that it probably thinks its an Atari 2600 with a buggy version of Combat loaded up
Re:Get some perspective (Score:2, Funny)
So, what three-letter agency do you work for?
Re:Get some perspective (Score:1)
If I was going to do something similar to a terrorist activity, I wouldn't just be pushing raw ASCII email messages with that kind of information in them. I would encrypt the message in a image and say, "Look at some pictures from my trip to NYC." Carnivore is looking for those kinds of patterns.
Re:Get some perspective (Score:3, Insightful)
Except that a terrorist "go code" probably wouldn't contain any information about what they were doing at all. Since they already know what the mission is.
If I was going to do something similar to a terrorist activity, I wouldn't just be pushing raw ASCII email messages with that kind of information in them. I would encrypt the message in a image and say, "Look at some pictures from my trip to NYC." Carnivore is looking for those kinds of patterns.
No you want to avoid encrypting anything and denfinitly not hiding inside a graphics file. Since this is likely to create obvious patterns. Far better to use a code a good code will appear to be a competly innocent message.
Re:Get some perspective (Score:3, Informative)
When examining a communications network -- which is what we would be doing if we were trying to track illegal activity through email -- the first thing we look at is not the content of the messages, but the pattern of communications between nodes. We would only have to start with keywords if we had no suspects, and that would be the sort of fishing expedition that is prohibited by law. But odds are we do have a suspect, so we look at who he's talking to, who those people are talking to, and so on, until we are eight or nine steps away from the suspect. (Much further than that is not only impractical but generally pointless.)
Having established a clique, we can examine the volume of mail between nodes, and see who is the best-connected (and therefore likely to be exerting some kind of administrative control). If, in the course of this, we see some people who are suspects in a previously unrelated investigation, we can explore the possibility of hitherto unknown connections.
Without once having looked at the content of a single message, we have developed a pretty clear picture of the relationships between our suspect, people not yet suspected of anything, and if we are lucky, other suspects.
Then we can start using keyword searches on a reasonable volume of mail to serve as a starting point for manual examination of message contents.
In any event, the word 'terrorist' is not going to be a problem for law enforcement, because terrorists don't call themselves terrorists -- that's a label that our propagandists apply to them. Judging from what has been released to the public, they refer to themselves as 'freedom fighters', 'fighter brethren', 'mujahideen', and several other labels -- which points out another thing we can exploit: people who belong to cliques, especially tight-knit underground ideological factions, develop their own characteristic jargon. Simple word-frequency analysis as well as more complicated techniques such as n-gram analysis and Markov chains, can be used to pick these out of the crowd once you have a 'model text' to study. (These techniques can be applied with significant but lesser accuracy to less-cohesive cliques, such as professions, religious affiliations, and ordinary political factions.)
In short, it is wise to bear in mind that however misguided federal law enforcement agencies may be, they are not stupid or naive, and neither are the computer scientists who work for them. Even if they were, the kind of programming involved is not especially challenging -- ninety percent of what you'd need to know can be found in Knuth.
great... (Score:3, Interesting)
Re:great... (Score:2, Interesting)
I'm far too addicted to various online forums, games, and the easy access of e-mail to give it up. But in a like manner, I'm far too addicted to the idea of "Innocent until proven guilty.", "Life, Liberty, and the Pursuit of Happiness", Freedom of Speech, the 5th Amendment, and so on.
Kierthos
Re:great... (Score:1)
What about "give me liberty or give me death"?
Max
Re:great... (Score:5, Insightful)
Each of these powers is granted so that they can fight crime. I don't have a problem with the police having any of these powers, as long as they are restricted, i.e. you need a warrent to search someones house, or tap their phone, so you should need one to read their e-mail. I have a problem with echelon and 'fishing-trips', and the police abusing their power of search and arrest. But then thats why we have rules. Its up to us/our representatives/the judges to make sure that the police obay those rules. This is why so many cases get thrown out of court on 'technicalities', because someone broke the rules.
On the whole this is pretty well inforced in britain, for example ALL interviews with the police, MUST be taped, and there has to be a witness, (unlike in the US where recording is only reccommended. That said we do have the rather dubious RIP bill but that still requires a warrent.
So basically, if you are against (restricted, needs a warrent etc) tapping of your e-mails, you should be against the (warrented) search of properties and the (warrrented) tapping of phones.
The internet is no different from any other communications medium. If you really think that it is, or has ever been some utopian paradise of free speech somehow seperate from the real world and real world laws, where anything is allowed, then you need to get out and about a bit more.
The Internet is just another communications network, no different from any other. It is not special, just more advanced. Using the internet is no different from using a phone, or fax. You are not special, it is not special. Grow up and stop seeing the world from such a narrow viewpoint (I can't beleive I just said that on
Paul
Re:great... (Score:2)
Re:great... (Score:1)
Re:great... (Score:1)
Seriously, the whole idea of this sort of thing is to find out what's happening without the guy knowing, is that so unreasonable, as long as it's with just cause? I mean, sure, someone COULD misuse it, but I doubt there's a thing in the world which can't be misused anyway, so it is hardly a conclusive rebuttal.
But ... (Score:2, Insightful)
Let's say someone is misusing it. If they have to knowingly decieve a judge in order to get their tap, then if they are caught it's obvious to all. If they don't have to get prior approval, it can be blown off with "oh that's the wrong address, sorry" without any easy way of proving that it is not the case. And as it's a casual thing, generate a load of taps - the "oh that shouldn't have been there" excuse becomes all the more plausable
Everyone accepts that misuse is always likely to occur (human nature). That's why you should have a set of checks and balances to disuade people from casual misuse.
But it's all smoke. The constitution (4th amnd.) says that your right of "privacy" should only be disturbed if authorised by a judge. If the government/authorities want to change that, then they need a new amendment (nothing less will do). Anything less is "not the american way". What's the point in having a constitution (contyract between people and government) if it's not followed by the government?
I've always understood that you are innocent until proven "a criminal". It's not that criminal's can't find out if they are under surveilance, it's *anyone*, criminal or otherwise can't find out. Who decides if it's a just cause -oit used to be a judge
Re:great... (Score:2)
Aside from possible uses for industrial espionage, which somebody else already pointed out... evidence integrity.
When law enforcement records the phonecalls or your activity, they use a media that can be examined for integrity. Audio and video tapes can be examined for signs of manipulation. Digital, text-form messages have no such property. After all, it is not unheard of police tampering with the evidence or even implanting some.
And for what? When they seriously need a scapegoat for a major and much publicized incident, or when they are certain in their collective mind that a certain person has committed the crime but not enough evidence exists. Now, fast forward to a situation, where these same law enforcement officials are in charge of the storage of digital evidence.
In such a situation, forging email content and removing other parts is both easy and plausible. Add that to the fact that you will have hard time to prove that you didn't send such emails. You and the counterparts would all naturally destroy any and all such messages immediately afterwards. Even having something in store that resembles the alleged evidence is not enough. You would have stored that as an alibi and destroyed the others.
So, in the end it's not about intercepting my digital correspondence. It's the possibility of easily tampering with that data, without leaving any evidence that such activity has ever taken place.
Re:great... (Score:3, Insightful)
One problem is that it's an information vacuum, it sucks up *everything* from the ISP, not just the packets sent or received by the suspect. They supposed to toss the packets belonging to everyone but the suspect but we only have their word on that. It's like they tapped every phone at a CO and are supposed to throw out all the tapes except the ones for the one house.
Another is that the implementation of Carnivore does *not* have the same oversight wiretaps or property searches do.
Have you ever seen Goodfellas or The Sopranos? When they do a wiretap, they're only allowed to record or listen if they hear in the first two minutes the target of the wiretap (not his wife, not his cousin) or if it's is material to the case. If its not, they have to turn it off for a period of time (something like 5 minutes) after which they can turn it back on to check again. With Carnivore they keep it all and don't even have a way of knowing who in the household was using the computer. Carnivore is like a secret search warrant of every home or business the suspect or anyone in his family visited.
Someone else mentioned a suspect has no way of knowing if they're being "bugged" by Carnivore but I don't think we have a fundemental right to know if a warrant has been issued with our name on it.
Of course wiretaps have gotten broader. I believe the FBI finally got their "roaming wiretap" law allowing them to listen to any phone the suspect *may* use. I'm sure there are rules of admissability if they record someone else by "mistake" but it's to late, the damage to innocent people's privacy has been done, they can't un-listen to their conversation.
The Internet is different from other communications networks, not in terms of our rights but in technical terms. This has important ramifications for how laws are written and implemented. You should be squirming at the sight of my my similes comparing Carnivore to wiretaps and house searches, most metaphors relating the Internet to the physical world break down with a little scrutiny, but I'm just trying to relate my perspective.
Carnivore is part of a larger trend we've been seeing in this country where what we believe is our right to privacy is being trampled by our government, not to mention corporations and other individuals. We see the lack of oversight for something like Carnivore and we feel the "chilling effect" it has on our speech and acts. It comes down to Quis cusotdiet ipsos custodes, "Who Watches the Watchers?" The recording of interviews by the police in the UK is smart for evdentiary reasons but it's really there to prevent abuses by the police. How do we get that for the use of Carnivore?
Re:great... (Score:2)
You are sadly mistaken there, or actually you're stating the obvious in a wrong context. Carnivore is _NOT_ analogous to phone tapping. An analogy would be such phone tapping where _all_ calls (and without warrants) would be recorded somewhere "safe" or atleast triggering on unwarranted recording by merely saying "my brother is such a terrorist" over the phone.
So, you see, the problem here which gets people so anxious is that Carnivore et al is about unwarranted monitoring. Little like having a surveillance camera in your living room and hoping that only feds would access the tapes and with proper warrants.
Naturally the feds should have warrants and such _when_ they actually start digging through and/or using the material, but many, like myself, are reluctant to believe that such information would not find it's way to the wrong hands...
Re:great... (Score:2)
a) I was replying to Taco's post. He expressed the view that he didn't want anyone being able to read his e-mail, no matter how good the system was. That was the angle I was working from.
b) I am against carnivor and similar systems as they stand. Someone made a comment that Carnivor sniffs everything at the moment. That is not a reason to be against sniffing of e-mail, it is a reason to abhore Carnivor and Echelon in their present state. It is also a reason to develope alternatives as this guy from Dartmouth has done.
c) I know that the USA PATRIOT act allows tapping without warrents, but this is not just confined to e-mails, it includes normal wire taps as well. This is not a reason to be against WARRENT RESTRICTED tapping, as I said several times in my post. It is however a reason to be against the USA PATRIOT act (and in the UK the R.I.P act (although that still requires warrents.
d) Abuse of evidence. Again I agree that there is a problem with abuse of evidence. Someone mentioned that when the FBI taps a phone they are restricted in what they can listen to. What stops them? Rules, and oversight. The same thing that will stop abuse of any power. Also I doubt that any conviction would stand purly on the basis of an e-mail, most convictions in this country that are based on a single piece of very limsy evidence generally get overturned pretty quick. Agian, systems like that being developed help in the oversight. Presumably there is a combination of technical systems, and human organisation that prevents the FBI from listening to the wrong thing on a wire tap, why can't the same be done for e-mail? Hmm?
All or most of this was in the original post, but then am I expecting too much of
It's funny that
Paul
Re:great... (Score:1)
Sheesh. Someone comes up with something GOOD, and CmdrTaco can't do anything but find some negative angle on it. How did this post get bumped up to a score of 3? Or do the editor's posts start off at 3?
And why is Slashdot a congregation point for libertarian communists?
Re:great... (Score:2)
Basically, I have always believed that if you send a plain-text email EXPECT it to be read by someone that it is not intended for.. consider it a public posting.
Encrypt your mail... (Score:5, Insightful)
I'll personally continue to encrypt my emails - as many as possible of course.
Routine use of encryption (like for the one-liners) defeats to some extent traffic analysys.
The recent improvements in factoring (look here [cr.yp.to] and here [counterpane.com]) don't affect 1536- or 2048-bit keys (or larger). For the time being, public-key encryption is the best means of protecting your e-mail privacy. Don't rely on some guys' kindness - with a little effort you can be sure your nosy admin/ parent/ spouse/ street cop won't "accidentally" read your stuff.
http://www.gnupg.org [gnupg.org]
Re:Encrypt your mail... (Score:4, Informative)
No, AC, you got it wrong: 128bit *symmetric* encryption is very strong - comparable to 1024-1536 bit public-key (or assymetric) encryption.
If you're feeling like a good read, try "Handbook of Applied Cryptography" - do a google search, it downloadable for free.
If you really want to make it less offensive... (Score:2, Funny)
Otherwise, only criminals are entitled to [or get any] privacy...
Re:If you really want to make it less offensive... (Score:1)
Owwww.... (Score:1)
Impractical? (Score:3, Interesting)
- how exactly does the FBI (or whatever) specify *what* they're looking for? Searching for "all traffic containing the keywords TERROR, BOMB, COCAINE and OSAMA" sounds like Carnivore as is, and would be pretty easy to defeat anyway. Anyone remember "The Longest Day", in which the Allies sent messages re: the date of the D-Day invasion over clear channel radio, using a code based on a Rimbaud (I think) poem?
- the data vault might hold the FBI/NSA/whoever to their warrant, it does nothing about intentionally vague/overreaching warrants or the laws that enable them.
- re: using this system to keep medical/financial/etc. info private: Hardly a catch all solution, the data vault can't stop companies from spreading/selling your info after you've given it to them in confidence.
- If these do become commonplace, how long before a bungled police investigation results in evidence being lost because of one of these things self destructing? And once that happens, how long until they become outlawed?
Re:Impractical? (Score:1)
Re:SIG_FAULT (Score:1)
"There are only two things that have come out of Berkeley; LSD and Unix. And that's NOT a coincidence!"
[/your blabla]
[myblabla]
LSD was discovered in Basel/Switzerland. [hawaii.edu]
What about Steve Vai?
Which Unix do you refer to?
[/myblabla]
I ack your points on the subject though.
Re: LSD (Score:1)
For further reference:
The History of LSD Therapy" [psychedelic-library.org]
Better than a slap in the face with a damp fish (Score:1)
Bout time. (Score:1)
If they have the right to enact the holy "DMCA" then what do we have to ensure they are not using computers to break the law for their own benifit?
We can't even have code distributed that might possibly break someones rights, but they can copy every data transmittion across a network that they don't own? I don't think so. There needs to be some sort of fair play here, or else we're not much better than a dictatorship in which they get to tell us what we can't do and we get to shut up and take it or be arrested under laws we didn't vote on (read DMCA).
Lazy (Score:1)
All this technology is available now, but no-one can be bothered to use it (except the criminals). All it would take is one popular browser/email/OS developer to implement encryption like they implement spy-ware and half the internet would become unavailable to the governments over-night.
Re:Lazy (Score:2)
Private Citizens vs. FBI (Score:3, Interesting)
Re:Private Citizens vs. FBI (Score:1)
Thet's really odd... because if you think how much storage this whole "vault" idea will take, you'd imagine maxtor, wd, seagate, ibm... oops - forget ibm, hitachi grinning and rubbing their hands.
Hold on (Score:3, Interesting)
The problem is the people have huge misconceptions about Carnivore. Being concerned about personal privacy, I chose to research Carnivore for an Ethics class at school. I found that Carnivore is pretty much just misunderstood; it is really incapable of doing any large-scale surveillance. There's an independant review that was conducted by IITRI last year that points out that Carnivore is the safest of any online monitoring tool and that it is incapable of wantonly collecting data. Incidentally, the report suggests that Carnivore be open-sourced. Fat chance.
The real issue is whether or not it's right to perform surviellance. I think that it can be necessary at times (with the required warrants) but I also think that it needs to be taken more seriously and greater restrictions need to be in place to ensure that it is only used in extreme situations. If you think that Carnivore could invade your privacy, read up on how many wiretaps are used every year. Carnivore is used much less and is safer to boot. The real problem here is whether the government should be allowed to monitor communications at all, not that Carnivore gives the government some awesome new powers of data capture.
njord
By the way, I really have no association with the government. I'm just a left-winger college student that did a little research and was surprised by what I found.
Re:Hold on (Score:3, Insightful)
If the ISP was allowed to review the code, compile it themselves, and install it one of their own boxes, the chance of abuse would be much smaller.
Questions for the security experts (Score:2, Interesting)
Even if the FBI physically seized the vault, legally or otherwise, it's supposed to be just about impossible for the cops to crack. Iliev's program runs on an IBM 4758 cryptographic coprocessor, designed to destroy itself if it detects an intrusion attempt. (emphasis added)
I'm curious about this passage from the article. Would the ISP have a backup copy or does it completely eradicate the information? Would it destroy all the Carnivore data at an ISP or just the files that a "hacker" was trying to access?
And finally, if the FBI got a warrant(?) to request the e-mails from a certain person, couldn't that person engineer a "hack" attempt on his own files, thus triggering their destruction before the FBI could access them?
Re:Questions for the security experts (Score:3, Informative)
You could keep a set of processors encoded with the same key available as backups in case the processor in use is destroyed, though.
Also, presumably in real life use noone would have network access to the interface you'd request data from, so unless someone gained physical access to the box at the ISPs offices, they wouldn't be able to trigger any destruction.
Re:Questions for the security experts (Score:1)
2000's: Carnivore++: blown chips
"Hey boss, we need another crate of Intel Crypto Chips."
Re:Questions for the security experts (Score:2, Informative)
How to predict government actions... (Score:3, Interesting)
The fact that Carnivore exists, in any form, indicates that the government wants access to all your communications, to know exactly what it is you're saying and hearing.
This modified Carnivore is an attempt to claw a way back up the slippery slope when you've already hit bottom.
You're only real options are either not to say or do or listen to anything the government might find objectionable, or encrypt all your communications.
Re:The art of argument 101 - how not to (Score:2)
Now, for the benefit of the unwashed masses, could you take the time to expound? I'm sure they'd *really* appreciate it.
Backdoor? (Score:3, Insightful)
I for one would like to know for sure that my medical information could be retrieved even after the destruction of the coprocessor.. would be nice when i'm caught in accident and i'm not able to sum up my medical history myself...
Off course it's possible to use a less secure version of this "vault" for this kind of applications
This is one nice solution though to harden the carnivore system against unwanted, illegal, snooping around for nice bits of information that could be used by a cop or fbi agent on the take...
How long before . . . (Score:2, Funny)
Iliev's Abstract (Score:2, Informative)
Nice tech, but does it apply? (Score:2)
So what is this story all about? Media whoring and fundraising?
Problem: we have invetented this cool technology, which noone is going to understand because it's a little complex and "people" (replace with "reporters" or "managers" as you see fit) are stupid. So how are we going to get some attention (and as a result, more funding)?
Solution: we apply our gadget to some area where it doesn't really fit in (just sort of will do), but which will result in loads of attention because we'll get connected with the latest buzzwords and issues.
Problem solved.
Re:Nice tech, but does it apply? (Score:1)
I hope this works out better than the ill fated "Clipper" chip, well described in Steven Levy's "Crypto".
http://mosaic.echonyc.com/~steven/crypto.html
The last time the government promoted its wonder privacy gizmo, it didn't work out so well. Not only did Clipper start a political firestorm, but it turned out later not to be secure.
A monitor, not a leash. (Score:2, Interesting)
The big debatable question is how you do it. I think it was an interview with Neal Stephonson posted to Slash that correctly noted that it's not nessisarily the monitoring of our lives, but whether that monitoring has a watchdog in place to keep the power from being abused. Personally, I think Alex has the right idea. You need a search warrent to enter an search a house and likewise you'd need something similar to access somebodies digital "life", both requiring just cause. I'm not saying that they're not prone to abuse, but it'd sure go a long ways in the right direction.
Unfortunately, the problem I see with Alex's system is not it's security, but in what Carny was originally designed to do. It is an evidence collector, designed to proactively track names and keywords, not wait for the e-police to have just cause to raid a database. Putting a search warrent lock on Carny defeats the entire purpose of having a system that illuminates potential problems before they happen. I think there acually needs to be a group that monitors everything the CIA/FBI/FIAA pulls from Carny and asks if it's A) relevant to the defense of our nation and B) Even ethical. That's the counter balance systems like Carnivore need, not simply a padlock.
Appendium (Score:1)
Clipper Chip? (Score:1)
Why all the pro-"Clipper Chip" type arguments??? (Score:5, Insightful)
I think people need a history lesson on all the arguments surrounding the Clipper chip. Remember, the problem isn't always government (although that's definitely part of it), but the inability of government to effectively protect the information from third parties that will abuse it. Key escrow is something that can and will be compromised. And because it is a technology that can and will infiltrated everything, it will allow complete access to your privacy by anyone who wants it. Again, it's the Clipper chip all over again!
Need I revisit the the classic boofernery of the Social Security Number? Outlawed by the government for use outside of its specific creation, it is now used by everyone. And it is extremely easy to obtain, let alone steal! Now the government wants to introduce a national ID, something that is "more controlled" than the SSN. But it too will be easy to obtain and steal in no time as well. Only now, with a national ID, more people will put more of that so-called "faith" it in, so good Americans will have a tougher time proving someone has stolen their identity when it does happen (and it will). And if Microsoft gets Passport behind an "eID," God help us!
Combine this with the CBDTPA/SSSCA, and there's plenty to worry about. The CBDTPA/SSSCA is exactly a pro-Clipper chip mentality! Only it isn't the FBI asking for it, but "Big Media." Heck, I'm surprised no one in "Big Media" is selling the CBDTPA/SSSCA to the government as an "unified solution" for "guaranting copyrights, privacy and law-enforcement" all in one shabang!
Now this researcher has got "all the answers." His solution? Implement an encrypted recording and storage system with key escrow for access. How original! How many times are we going to go in the same damn circle on this???
Very good point. (Score:1)
Re:Why all the pro-"Clipper Chip" type arguments?? (Score:2)
Who said anything about key escrow?
I'd imagine this sort of system would use public key technology. The Carnivore boxes would not be able to decrypt the stuff it encrypts. There's nothing to compromise.
The private key needed to decode it would be kept in a secure location. As long as RSA doesn't have some fatal flaw, i'm confident the key won't be compromised.
The problem with the Clipper Chip was that it would allow the government a way to read messages that we had encrypted. Carnivote doesn't do that. It's purpose is to allow the government to read message that we were too stupid or lazy to encrypt.
Re:Why all the pro-"Clipper Chip" type arguments?? (Score:2, Insightful)
The Dartmouth proposal is key escrow, but not as wide ranged as the Clipper proposal. This proposal does not state that you can't use PGP( or ROT-13 or some other encryption technology) for personal reasons, or that you can't create a private encrypted (VPN) digital voice channel between you and your friend (or partner in crime).
The proposal is that if ISPs are forced to provide a standard mechanism for government agencies to snoop transmissions (ala CALEA for telco) then make the mechanism encrypt the data in a way that forces a process to be followed (even if a portion of that process is illegal, such as stealing escrowed keys)
Currently the data is available with no auditing at all. Anyone who has the capability (agencies) can force there way into an ISP and take the info, even threaten the ISP to remain silent that the event even occured. With technology of this nature, the event could be logged and audited later (even reporting which key was used so it could be invalidated)
This proposal needs lots of peer review; however it's not the Clipper Chip revisited.
=Shreak
But Linux will be illegal soon! (Score:2, Insightful)
"The source code for the vault, which runs under the Linux operating system, is available on Dartmouth's website."
So this system will itself be illegal when Senator Hollings and his ilk finally get non-security-compliant systems banned.
Speaking of Fritz (Score:1)
graduate students are funded to produce THIS? (Score:1, Insightful)
- The judiciary being incorruptible;
- All ISPs being incorruptible;
- The laws being such that the judiciary doesn't OK any and every excuse to look at data;
- The idea that some kid supplying a nice geek-friendly method automatically makes it OK for a government to enforce mandatory logging.
Once again, an attempt to apply a technological solution to a social problem. This is to privacy as CSS encryption is to piracy.Tru dat (Score:1)
Or
"Here's a $50,000... Look the other way while I search for ______"
The government can't look through your mail, packages or monitor your every conversation in real life, why should they over the net?
You know what the big deal is about Carnivore? (Score:3, Insightful)
No? Well, how about we read all of your mail as a matter of routine.
No again? Why not have someone follow me around and tape all of my meatspace conversations?
Still no? So why are you giving in so easily when it's just the Internet?
Anybody who thinks that this capability won't be abused just has their head in the sand. It's only a matter of time.
LV
I'd pay for an offshore secure mail service... (Score:1, Interesting)
Hello EFF, gonna set such a service up or just gonna whine about the record industry all the time? ACLU, what about you?
(I know they could still track some traffic to/from the network, but surely not all of it, and much less efficiently than being able to actually browse through a stored history of mails.)
..in other news.. (Score:1)
"Innsmouth student invents a Cthulhu leash"
(Sorry, perhaps I should've got more sleep last night?)
Carnivore: A really mean Quake Server (Score:1)
On a side note, it seems incredibly easy for an organization to spoof carnivore by simply lighting off an email/ftp campaign with a bunch of bots; all the files containing the key words bomb,terrorism,nuclear,WTC,biological,anthrax,att
Why is this better? (Score:2, Insightful)
While I am not a big fan of Carnivore, I fail to see how this system protects us any better.
From the IBM website: (Score:2)
Paranoia (Score:1, Flamebait)
Being a, more or less, law abiding citizen, I have no issues with it at all. I might be a little concerned if I were dealing drugs over the internet, or performing some similar crime, but really, come on. You think the FBI is really concerned with how your day has been? That you just got an 'A' on your exam? Or that you hate your boss?
Sorry, but I think everyone blows this stuff way out of proportion. When I see carnivore being abused, then I'll be concerned, but until then, I'm willing to give them the benefit of the doubt.
FreeS/WAN (Score:2)
No it doesn't (Score:2)
First of all, the FBI gets a warrant for the DATA. If the ISP is unable to get the DATA themselves, the FBI can then insist that they install the Carnivore box. On the other hand, courts have ruled that if the ISP can indeed get the data, then Carnivore isn't needed.
Second of all, the reason the FBI created Carnivore was because existing tools could not get the data. This encryption device is based upon existing tools, and therefore does not help get the data at all. For example, if the warrant requires the ISP to deliver copies of the suspect's e-mail, this device cannot do it.
Third, people persist in believing that Carnivore is a keyword search engine like the rumored Echelon. This is false: no judge would grant a court order allowing the FBI the ability to search for keywords. (This encryption device is based upon a keyword search engine). A typical court order would be one that allows the FBI to get all e-mail to/from a named e-mail account. Another example would be a lesser court order allowing the FBI to record the e-mail addresses to/from the specified account, but not the contents.
I have written a Carnivore engine that has previously been written up in /. It, and a Carnivore FAQ, is at: http://www.robertgraham.com/altivore/ [robertgraham.com].
Aus, Can, NZ, USA, UK all use Echelon (Score:2, Interesting)
Echelon is used for those situations where your government wants to read information on foreign companies, organisations & individuals.
I wonder how many tourists, immigrants and US citizens that work for foreign owned companies or belong to international organisations there are.
It could easily be over 12 million people in the USA at any time are being watched by Big Brother.
Carnivore is just the tip of the iceberg on this issue.
Good point. (Score:1)
"PlansForTheAttack.MP3". But your right. It does something.
Heh, of course, maybe they realized it too late and figure since they can't get anything useful out of it, they'll use it as a trogan to draw attention from the real projects. Heck, they could just be using it to run some liquid multi- player Quake servers for all I know =p
Re:Why carnivor? (Score:2, Insightful)
While I'd agree most would be intelligent enough to do so, one should also never underestimate the stupidity of criminals, or people in general. I wouldn't be surprised in the slightest if many did send things in the open.