[FYI] Open Source Wiretapping

   "Making Carnivore open source is not a complete panacea for protecting
   against abuses or errors.  First of all, it's likely rather complex,
   so simply scanning the source code probably won't tell us much about
   whether it is vulnerable to attack or misbehaves in the kinds of
   traffic it collects.  That would require extensive, focused review.
   Open source code attracts several different kinds of reviewers.  One
   is made up of people who are interested in and want to study a system
   for its own sake, but the main source of meaningful review usually
   comes from people who have to read and understand the code because
   they want to make useful modifications to it.  Carnivore isn't likely
   to attract much of that latter (and I think more important) kind of
   review, at least from among the open community.  On the other hand,
   groups of focused expert reviewers can (and often do) miss things.
   Any meaningful review, therefore, should include both independent
   expert reviewers as well as releasing the code to the public. More
   seriously, I suspect that the meat (so to speak) of any meaningful
   analysis of Carnivore's security and behavior lies not in its core
   source code but rather in the parameters used when it is actually
   configured and installed. Releasing the source code is a critical
   first step in assuring the public that Carnivore can at least be
   configured to do what it is supposed to do, and I hope the FBI sees
   fit to take this step soon. I've submitted as part of my written
   testimony a position paper I wrote with Steve Bellovin that makes the
   case that there is little harm, and much good, to be done by releasing
   the Carnivore code.  It is available at