[FYI] Open Source Wiretapping
- To: debate@fitug.de
- Subject: [FYI] Open Source Wiretapping
- From: "Ralf Stephan" <ralf@ark.in-berlin.de>
- Date: Sat, 22 Jul 2000 11:40:06 +0200
- Comment: This message comes from the debate mailing list.
- Mail-Followup-To: debate@fitug.de
- Reply-To: ralf@ark.in-berlin.de
- Sender: owner-debate@fitug.de
http://cryptome.org/carnivore-mbsb.htm
"Making Carnivore open source is not a complete panacea for protecting
against abuses or errors. First of all, it's likely rather complex,
so simply scanning the source code probably won't tell us much about
whether it is vulnerable to attack or misbehaves in the kinds of
traffic it collects. That would require extensive, focused review.
Open source code attracts several different kinds of reviewers. One
is made up of people who are interested in and want to study a system
for its own sake, but the main source of meaningful review usually
comes from people who have to read and understand the code because
they want to make useful modifications to it. Carnivore isn't likely
to attract much of that latter (and I think more important) kind of
review, at least from among the open community. On the other hand,
groups of focused expert reviewers can (and often do) miss things.
Any meaningful review, therefore, should include both independent
expert reviewers as well as releasing the code to the public. More
seriously, I suspect that the meat (so to speak) of any meaningful
analysis of Carnivore's security and behavior lies not in its core
source code but rather in the parameters used when it is actually
configured and installed. Releasing the source code is a critical
first step in assuring the public that Carnivore can at least be
configured to do what it is supposed to do, and I hope the FBI sees
fit to take this step soon. I've submitted as part of my written
testimony a position paper I wrote with Steve Bellovin that makes the
case that there is little harm, and much good, to be done by releasing
the Carnivore code. It is available at
http://www.crypto.com/papers/openwiretap.html
ralf
--
http://ME.IN-berlin.de/~rws/