[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Fwd: [ISN] FBI's Carnivore highlights the need for public-source review, strong encryption

To: "Debate" <debate@fitug.de>
Subject: Fwd: [ISN] FBI's Carnivore highlights the need for public-source review, strong encryption
From: "Kai Raven" <kaiderrabe@compuserve.de>
Date: 22 Aug 2000 09:39:36 +0200
Comment: This message comes from the debate mailing list.
References: <Pine.LNX.4.10.10008210004340.6170-100000@idle.curiosity.org>
Reply-To: kai.raven@ob.kamp.net
Sender: owner-debate@fitug.de


---BEGIN FORWARDED MESSAGE---

On 21.08.00 at 00:07 InfoSec News <isn@C4I.ORG> wrote:

>http://www.infoworld.com/articles/op/xml/00/08/21/000821opswatch.xml
>
>Friday, Aug. 18, 2000 1:01 pm PT
>
>THE FBI RECENTLY announced the existence of an Internet wiretapping
>system called Carnivore. According to the FBI, the purpose of the
>system is to listen in on the Internet traffic of a suspected criminal
>in an effort to collect evidence, similar to what a wiretap of a phone
>system would provide.
>
>But can't Carnivore's listening capabilities be defeated by
>encryption? Well that depends, according to the FBI. Carnivore's
>snooping depends on how strong the encryption is that's being used on
>the e-mail. Of course the FBI is short on details of the exact key
>size that defeats Carnivore. Nonetheless, this sparks what the insult
>with Carnivore really is. Who in his or her right mind believes that
>hackers and cyberterrorists are not smart enough to use strong
>encryption? So if the criminals use strong encryption and eliminate
>Carnivore's effectiveness, then what is it for? Maybe that's why the
>FBI is so reluctant to give up the source code to public scrutiny.
>
>A previous version of Carnivore, reportedly called Omnivore, gobbled
>up too much information for agents to effectively filter out the
>desired traffic, so they designed Carnivore. With Carnivore, the FBI
>is reportedly able to scan millions of e-mails every second. But why
>would they need to scan millions of e-mails? How many e-mails do
>criminals need to send?
>
>Carnivore reportedly works by installing the system at the ISP of the
>suspected criminal. The system, reportedly PC based, is behind lock
>and key, with only FBI agents having local access. The system is
>plugged into a "sniffable" port on the ISP's hub or switch. Carnivore
>can then gobble up enormous amounts of data and filter the undesired
>user traffic, focusing on the suspected criminal's traffic.
>
>The system reportedly has been used for tracking down hackers,
>terrorist groups, and drug traffickers, but the fact is that it could
>be used for anything. The problem with this type of technology is that
>the possibilities are nearly limitless -- espionage, information
>warfare, spying on the public -- choose your favorite. You name the
>devious purpose for this technology and it's likely to be available in
>Carnivore. The truth is we really know very little about Carnivore and
>will have a difficult time defending or crucifying it until its design
>is released to the public. But the FBI seems reluctant to make the
>source code available (surprise).
>
>If we cannot have a public-source review of Carnivore, who can we
>trust to police the FBI? Themselves? The traditional means of
>obtaining a search warrant and allowing agents to listen in on phone
>calls is one thing, but the Internet houses a flood of data beyond
>e-mail. Who controls what Carnivore filters? Who confirms that the
>product is not being abused? Carnivore needs checks and balances.
>
>According to the U.S. Constitution, there is no provision for
>maintaining a citizen's right to privacy. And in some cases, it's not
>even a privilege. In the recent Congressional subcommittee hearings,
>FBI and Department of Justice officials quoted a 1979 Supreme Court
>decision (Smith vs. Maryland, 442 U.S. 735 [1979]) citing that
>individuals have no right to privacy regarding telephone call records.
>This tells these agencies that without a warrant they can monitor whom
>you call and when. The same holds true, then, for Internet e-mail
>addresses. Monitoring to whom and when you send e-mail does not
>require a warrant; instead they consider only the contents of those
>messages private.
>
>We like to think of privacy as an attainable goal rather than a
>privilege either bestowed or removed by the government. But the
>reality is that as long as privacy is considered a privilege rather
>than a right, the government will be able to give or take liberties
>with your privacy.
>
>The only real hope for the general acceptance of Carnivore will be a
>completely open-source review by the public. The FBI reportedly plans
>on having an independent auditor review the source and vouch for its
>purpose; but until the public sees the code, there will always be
>skeptics (like us). Tell us what you think at
>security_watch@infoworld.com.
>
>
>Stuart McClure is president and CTO and Joel Scambray is managing
>principal at security consultant Foundstone ( www.foundstone.com ).
>
>ISN is hosted by SecurityFocus.com
>---
>To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
>"SIGNOFF ISN".
>

--- END FORWARDED MESSAGE---
-- 

Homepage: http://home.kamp.net/home/kai.raven/index.html
PGP:2048-RSA: 96FC7E3F DH/DSS PGP-Key ID: 0xB08FCDFD

Prev by Date: Re: [FYI] Heisenews: Smudo vs. Napster | Smudos Stellungnahme
Next by Date: Re: [Fwd: ICRA Update]
Prev by thread: <nettime> Bruce Schneier: Secrets and Lies (fwd)
Next by thread: [FYI] Free Riding on Gnutella
Index(es):
- Date
- Thread