
Fwd: [ISN] FBI's Carnivore highlights the need for public-source review, strong encryption


On 21.08.00 at 00:07 InfoSec News <isn@C4I.ORG> wrote:

>Friday, Aug. 18, 2000 1:01 pm PT
>THE FBI RECENTLY announced the existence of an Internet wiretapping
>system called Carnivore. According to the FBI, the purpose of the
>system is to listen in on the Internet traffic of a suspected criminal
>in an effort to collect evidence, similar to what a wiretap of a phone
>system would provide.
>But can't Carnivore's listening capabilities be defeated by
>encryption? Well that depends, according to the FBI. Carnivore's
>snooping depends on how strong the encryption is that's being used on
>the e-mail. Of course the FBI is short on details of the exact key
>size that defeats Carnivore. Nonetheless, this sparks what the insult
>with Carnivore really is. Who in his or her right mind believes that
>hackers and cyberterrorists are not smart enough to use strong
>encryption? So if the criminals use strong encryption and eliminate
>Carnivore's effectiveness, then what is it for? Maybe that's why the
>FBI is so reluctant to give up the source code to public scrutiny.
>A previous version of Carnivore, reportedly called Omnivore, gobbled
>up too much information for agents to effectively filter out the
>desired traffic, so they designed Carnivore. With Carnivore, the FBI
>is reportedly able to scan millions of e-mails every second. But why
>would they need to scan millions of e-mails? How many e-mails do
>criminals need to send?
>Carnivore reportedly works by installing the system at the ISP of the
>suspected criminal. The system, reportedly PC based, is behind lock
>and key, with only FBI agents having local access. The system is
>plugged into a "sniffable" port on the ISP's hub or switch. Carnivore
>can then gobble up enormous amounts of data and filter the undesired
>user traffic, focusing on the suspected criminal's traffic.
>The system reportedly has been used for tracking down hackers,
>terrorist groups, and drug traffickers, but the fact is that it could
>be used for anything. The problem with this type of technology is that
>the possibilities are nearly limitless -- espionage, information
>warfare, spying on the public -- choose your favorite. You name the
>devious purpose for this technology and it's likely to be available in
>Carnivore. The truth is we really know very little about Carnivore and
>will have a difficult time defending or crucifying it until its design
>is released to the public. But the FBI seems reluctant to make the
>source code available (surprise).
>If we cannot have a public-source review of Carnivore, who can we
>trust to police the FBI? Themselves? The traditional means of
>obtaining a search warrant and allowing agents to listen in on phone
>calls is one thing, but the Internet houses a flood of data beyond
>e-mail. Who controls what Carnivore filters? Who confirms that the
>product is not being abused? Carnivore needs checks and balances.
>According to the U.S. Constitution, there is no provision for
>maintaining a citizen's right to privacy. And in some cases, it's not
>even a privilege. In the recent Congressional subcommittee hearings,
>FBI and Department of Justice officials quoted a 1979 Supreme Court
>decision (Smith vs. Maryland, 442 U.S. 735 [1979]) citing that
>individuals have no right to privacy regarding telephone call records.
>This tells these agencies that without a warrant they can monitor whom
>you call and when. The same holds true, then, for Internet e-mail
>addresses. Monitoring to whom and when you send e-mail does not
>require a warrant; instead they consider only the contents of those
>messages private.
>We like to think of privacy as an attainable goal rather than a
>privilege either bestowed or removed by the government. But the
>reality is that as long as privacy is considered a privilege rather
>than a right, the government will be able to give or take liberties
>with your privacy.
>The only real hope for the general acceptance of Carnivore will be a
>completely open-source review by the public. The FBI reportedly plans
>on having an independent auditor review the source and vouch for its
>purpose; but until the public sees the code, there will always be
>skeptics (like us). Tell us what you think at
>
>Stuart McClure is president and CTO and Joel Scambray is managing
>principal at security consultant Foundstone ( www.foundstone.com ).
>
>ISN is hosted by SecurityFocus.com


Homepage: http://home.kamp.net/home/kai.raven/index.html