
[FYI] (Fwd) Wired: Will Crypto Feast on Carnivore?




------- Forwarded message follows -------
From:           	Owen Blacker <owen.blacker@pres.co.uk>
To:             	"UK Crypto list (E-mail)" <ukcrypto@maillist.ox.ac.uk>,
       	"Anoraks list (E-mail)" <anoraks@egroups.com>
Copies to:      	"NTK Tips (E-mail)" <tips@ntk.net>
Subject:        	Wired: Will Crypto Feast on Carnivore?
Date sent:      	Mon, 7 Aug 2000 10:14:41 +0100 
Send reply to:  	ukcrypto@maillist.ox.ac.uk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.wired.com/news/print/0,1294,37915,00.html

Will Crypto Feast on Carnivore? 
by Chris Oakes 
3:00 a.m. Aug. 4, 2000 PDT 


Do you encrypt your email before you send it? 

Probably not. Most electronic mail traverses the Internet as
unscrambled, easy-to-read packets of text. Should it be intercepted
and pieced together by reasonably skilled interlopers, your message is
theirs for the reading.

The average Internet user hasn't exactly seemed alarmed by that
possibility, however. 

"The story (goes) that only criminals are going to use encryption,
because they're the only ones that care," said Marcelo Halpern, a
partner with information technology and e-commerce law firm Gordon &
Glickson. 

It's only criminals, "or people who are otherwise hyper-vigilant
about their privacy and don't want their email to their dad to be
read," he said. 

But in the aftermath of the FBI's recently revealed Carnivore email
surveillance system, email security companies are hoping they can
convince average email users to seal their electronic envelopes -- and
finally propel email encryption into a broader market. 

"We're seeing Carnivore pop up and become a real threat to people's
privacy and saying, 'Wait a second -- we could take this product
Mithril, our secure server product, re-brand it and put it out there,'"
said Sean Steele, director of business development at security firm
ChainMail <http://www.chainmailinc.com/>. 

The FBI uses Carnivore to tap electronic mail communications in
criminal investigations. The system is installed on the network of a
suspect's ISP, where it catches all users' email before culling the
target communications. 

News about the system has been plentiful of late. On Wednesday, the
Electronic Privacy Information Center sued the FBI
<http://www.wired.com/news/politics/0,1283,37967,00.html> in search of
details about Carnivore's use. 

Thus, ChainMail has "re-branded" its product as Antivore
<http://www.antivore.org/>, to capitalize on the Carnivore, er,
craze. 

There's also Privada <http://www.privada.com/>, which claims its
email encryption product allows an ISP to comply with an FBI subpoena
without infringing on the privacy of its other customers. 

But like Antivore, the Privada offering is not new, only newly spun in
the aftermath of Carnivore. 

"With the FBI's Carnivore, it's made our job a whole lot easier,"
ChainMail's Steele said. "People are frightened of the possibility of
having the government read their email." 

Steele said the FBI has asked the company for basic information on
Antivore, and hopes their interest can even lead to a partnership.
"We'd love to see the FBI embrace a technology like ours.... In fact,
we'd like to propose a bundling of Antivore and Carnivore." 

ChainMail is touting the results of a recent survey commissioned by an
NBC affiliate in Richmond, Virginia. In an informal telephone poll of
approximately 500 area residents, surveyors found that 83 percent of
respondents wanted their email encrypted. 

But despite potential reaction to Carnivore, these companies will have
to jumpstart a lackadaisical public appetite for secure email if
they're going to be successful. 

The encryption that underlies email security products is far from new.
For years, companies have offered ISPs, networks, and end-users
products that use encryption to secure data. The most well known
end-user email encryption product is the free PGP, or Pretty Good
Privacy <http://www.linuxsupportline.com/~pgp/intro.html>. 

Still, the Internet-using public hasn't bitten. So can a new,
ominous-sounding government snooping system really change that? 

"It's the usual (question): 'If you have nothing to hide, why
bother?'" said Halpern. "Email is notoriously insecure.... But I
don't know whether Carnivore is going to scare the general populace
into covering up and encrypting." 

Besides, encryption only goes so far in protecting against Carnivore,
he said. The system is designed mainly to target the originating and
destination address of email -- something encryption typically doesn't
hide. The FBI and the DOJ have said Carnivore only looks at email
headers, seeking addressing information, not content. 

And even business users, who presumably have more sensitive
information to protect, skip encryption, Halpern said. 

"Most companies will quite comfortably send confidential information
over email -- knowing there's some finite chance that someone might
pick it off -- but not thinking that it's worth the effort. Because
encryption tools these days are still relatively clumsy." 

Carnivore-watcher Barry Steinhardt, associate director of the
American Civil Liberties Union <http://www.aclu.org/>, said part of
the reason for encryption's niche position in email applications is
political. 

"Export restrictions tend to keep a number of the major software
developers from building encryption into their products," Steinhardt
said. "And it's continued to create a need to use third party software
that was often beyond the capabilities of the average user."

The U.S. government has tightly restricted the export of products that
use high-strength, or "strong," encryption. To export
encryption-equipped products, American companies had to submit to a
strict approval process. The government claims that the free
proliferation of strong encryption technology represents a threat to
America's national security. 

Since the Clinton administration has recently loosened encryption
export policy, Steinhardt hopes to see encryption become standard in
email software -- "so that it will either be the default or at least
it will be easy to use." 

Companies like ChainMail agree -- and hope to deliver on the
simplicity promise. 

"I can't go to my mom and say, 'Mom, install PGP
<http://www.pgp.com/> on your email client,' because she just doesn't
understand how to make it work," said ChainMail's Steele. "And that's
why adoption has been so slow." 

Privada CEO Rick Jackson said rising awareness of online privacy in
general is helping boost consumer interest in security. 

"It's not a matter of adopting encryption, because that's just
technology," Jackson said. "However, as users become more informed
about how their personal information is shared online, the demand for
privacy services is increasing." 

Jackson says to give companies like his some time before drawing
conclusions on the viability of the consumer encryption market. 

"It's still a young market, but we're very optimistic with the
movement we've seen on the part of ISPs," Jackson said, adding that
Privada has installed its encrypted server product at a German ISP and
is in discussions with several unidentified ISPs in the United States.


Still, experienced encryption expert and security company founder
Bruce Schneier said encryption has been -- and will likely remain -- a
tough sell. Corporate firewalls, he said, have been the only
mainstream commercial products that have thrived in the commercial
Internet market. 

"As a general rule, people don't want to pay for security," Schneier
said. "No email encryption product is doing well. Why is it that email
encryption isn't ubiquitous? It's a really good question." 

The state of the technology is not necessarily the problem, he said.
"We have a technical standard, we have lots of products, we had PGP
for years -- a free product. It's a little bit annoying to use, but if
you cared you'd use it." 

Email encryption companies, of course, see a change in the wind. ISPs
might even improve slim profit margins by offering an encryption
service at a slight premium, Steele said. 

"People are starting to show that they're willing to pay for
privacy," Steele said. "In fact, it has become -- at least for ISPs
that are willing to try -- it has become a premium service that they
can offer." 

Meanwhile, Carnivore is the email encryption marketer's best friend. 

"I talked to my mom this morning," Steele said. "She said, 'I haven't
seen you in weeks, what have you been working on?' I said, 'Well, have
you heard about this FBI thing?' And she actually had. People are
getting more and more cognizant of the fact that things aren't safe
out there."

- ---
Related Wired Links: 

Judge to FBI: Move on Carnivore
http://www.wired.com/news/politics/0,1283,37967,00.html
Aug. 2, 2000 

FBI Gives a Little on Carnivore
http://www.wired.com/news/politics/0,1283,37765,00.html 
Jul. 25, 2000 

It's Time for Carnivore Spin 
http://www.wired.com/news/politics/0,1283,37590,00.html
Jul. 14, 2000 

ACLU: Law Needs 'Carnivore' Fix 
http://www.wired.com/news/politics/0,1283,37470,00.html
Jul. 12, 2000
- ---

Copyright © 1994-2000 Wired Digital Inc. All rights reserved.

- -----
Owen Blacker
Senior Internet Developer and InfoSec Consultant, pres.co
DSS: 0x7e3c8eab | 2f45 c60d 6a0a 0007 193d  d994 cd36 e021 7e3c 8eab
RSA: 0x38fee6c3 |      7c41 e69c 5b8a 484d  22af 1859 f4c9 307b

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
Comment: Due to RIP, pls check for revocation before using this key!

iQA/AwUBOY5+MM024CF+PI6rEQLmuQCfQr6MjatYlDs2TOb7CqkU5G7hor4An1k8
F44BZ+YqgPTaBv0bpBFDmRff
=HR3j
-----END PGP SIGNATURE-----


------- End of forwarded message -------