FITUG e.V.

Förderverein Informationstechnik und Gesellschaft

Wired: Will Crypto Feast on Carnivore?

------- Forwarded message follows -------
From: Owen Blacker <owen.blacker@pres.co.uk>
To: "UK Crypto list (E-mail)" <ukcrypto@maillist.ox.ac.uk>, "Anoraks list (E-mail)" <anoraks@egroups.com>
Copies to: "NTK Tips (E-mail)" <tips@ntk.net>
Subject: Wired: Will Crypto Feast on Carnivore?
Date sent: Mon, 7 Aug 2000 10:14:41 +0100
Send reply to: ukcrypto@maillist.ox.ac.uk

http://www.wired.com/news/print/0,1294,37915,00.html

Will Crypto Feast on Carnivore?
by Chris Oakes
3:00 a.m. Aug. 4, 2000 PDT

Do you encrypt your email before you send it?

Probably not. Most electronic mail traverses the Internet as unscrambled, easy-to-read packets of text. Should it be intercepted and pieced together by reasonably skilled interlopers, your message is theirs for the reading.

The average Internet user hasn't exactly seemed alarmed by that possibility, however.

"The story (goes) that only criminals are going to use encryption, because they're the only ones that care," said Marcelo Halpern, a partner with information technology and e-commerce law firm Gordon & Glickson.

It's only criminals, "or people who are otherwise hyper-vigilant about their privacy and don't want their email to their dad to be read," he said.

But in the aftermath of the FBI's recently revealed Carnivore email surveillance system, email security companies are hoping they can convince average email users to seal their electronic envelopes -- and finally propel email encryption into a broader market.

"We're seeing Carnivore pop up and become a real threat to people's privacy and saying, 'Wait a second -- we could take this product Mithril, our secure server product, re-brand it and put it out there,'" said Sean Steele, director of business development at security firm ChainMail <http://www.chainmailinc.com/>.

The FBI uses Carnivore to tap electronic mail communications in criminal investigations. The system is installed on the network of a suspect's ISP, where it catches all users' email before culling the target communications.

News about the system has been plentiful of late. On Wednesday, the Electronic Privacy Information Center sued the FBI <http://www.wired.com/news/politics/0,1283,37967,00.html> in search of details about Carnivore's use.

Thus, ChainMail has "re-branded" its product as Antivore <http://www.antivore.org/>, to capitalize on the Carnivore, er, craze.

There's also Privada <http://www.privada.com/>, which claims its email encryption product allows an ISP to comply with an FBI subpoena without infringing on the privacy of its other customers.

But like Antivore, the Privada offering is not new, only newly spun in the aftermath of Carnivore.

"With the FBI's Carnivore, it's made our job a whole lot easier," ChainMail's Steele said. "People are frightened of the possibility of having the government read their email."

Steele said the FBI has asked the company for basic information on Antivore, and hopes their interest can even lead to a partnership. "We'd love to see the FBI embrace a technology like ours.... In fact, we'd like to propose a bundling of Antivore and Carnivore."

ChainMail is touting the results of a recent survey commissioned by an NBC affiliate in Richmond, Virginia. In an informal telephone poll of approximately 500 area residents, surveyors found that 83 percent of respondents wanted their email encrypted.

But despite potential reaction to Carnivore, these companies will have to jumpstart a lackadaisical public appetite for secure email if they're going to be successful.

The encryption that underlies email security products is far from new. For years, companies have offered ISPs, networks, and end-users products that use encryption to secure data. The most well known end-user email encryption product is the free PGP, or Pretty Good Privacy <http://www.linuxsupportline.com/~pgp/intro.html>.

Still, the Internet-using public hasn't bitten. So can a new, ominous-sounding government snooping system really change that?

"It's the usual (question): 'If you have nothing to hide, why bother?'" said Halpern. "Email is notoriously insecure.... But I don't know whether Carnivore is going to scare the general populace into covering up and encrypting."

Besides, encryption only goes so far in protecting against Carnivore, he said. The system is designed mainly to target the originating and destination address of email -- something encryption typically doesn't hide. The FBI and the DOJ have said Carnivore only looks at email headers, seeking addressing information, not content.

And even business users, who presumably have more sensitive information to protect, skip encryption, Halpern said.

"Most companies will quite comfortably send confidential information over email -- knowing there's some finite chance that someone might pick it off -- but not thinking that it's worth the effort. Because encryption tools these days are still relatively clumsy."

Carnivore-watcher Barry Steinhardt, associate director of the American Civil Liberties Union <http://www.aclu.org/>, said part of the reason for encryption's niche position in email applications is political.

"Export restrictions tend to keep a number of the major software developers from building encryption into their products," Steinhardt said. "And it's continued to create a need to use third party software that was often beyond the capabilities of the average user."

The U.S. government has tightly restricted the export of products that use high-strength, or "strong," encryption. To export encryption-equipped products, American companies had to submit to a strict approval process. The government claims that the free proliferation of strong encryption technology represents a threat to America's national security.

Since the Clinton administration has recently loosened encryption export policy, Steinhardt hopes to see encryption become standard in email software -- "so that it will either be the default or at least it will be easy to use."

Companies like ChainMail agree -- and hope to deliver on the simplicity promise.

"I can't go to my mom and say, 'Mom, install PGP <http://www.pgp.com/> on your email client,' because she just doesn't understand how to make it work," said ChainMail's Steele. "And that's why adoption has been so slow."

Privada CEO Rick Jackson said rising awareness of online privacy in general is helping boost consumer interest in security.

"It's not a matter of adopting encryption, because that's just technology," Jackson said. "However, as users become more informed about how their personal information is shared online, the demand for privacy services is increasing."

Jackson says to give companies like his some time before drawing conclusions on the viability of the consumer encryption market.

"It's still a young market, but we're very optimistic with the movement we've seen on the part of ISPs," Jackson said, adding that Privada has installed its encrypted server product at a German ISP and is in discussions with several unidentified ISPs in the United States.

Still, experienced encryption expert and security company founder Bruce Schneier said encryption has been -- and will likely remain -- a tough sell. Corporate firewalls, he said, have been the only mainstream commercial products that have thrived in the commercial Internet market.

"As a general rule, people don't want to pay for security," Schneier said. "No email encryption product is doing well. Why is it that email encryption isn't ubiquitous? It's a really good question."

The state of the technology is not necessarily the problem, he said. "We have a technical standard, we have lots of products, we had PGP for years -- a free product. It's a little bit annoying to use, but if you cared you'd use it."

Email encryption companies, of course, see a change in the wind. ISPs might even improve slim profit margins by offering an encryption service at a slight premium, Steele said.

"People are starting to show that they're willing to pay for privacy," Steele said. "In fact, it has become -- at least for ISPs that are willing to try -- it has become a premium service that they can offer."

Meanwhile, Carnivore is the email encryption marketer's best friend.

"I talked to my mom this morning," Steele said. "She said, 'I haven't seen you in weeks, what have you been working on?' I said, 'Well, have you heard about this FBI thing?' And she actually had. People are getting more and more cognizant of the fact that things aren't safe out there."

---
Related Wired Links:

Judge to FBI: Move on Carnivore
http://www.wired.com/news/politics/0,1283,37967,00.html
Aug. 2, 2000

FBI Gives a Little on Carnivore
http://www.wired.com/news/politics/0,1283,37765,00.html
Jul. 25, 2000

It's Time for Carnivore Spin
http://www.wired.com/news/politics/0,1283,37590,00.html
Jul. 14, 2000

ACLU: Law Needs 'Carnivore' Fix
http://www.wired.com/news/politics/0,1283,37470,00.html
Jul. 12, 2000
---

Copyright © 1994-2000 Wired Digital Inc. All rights reserved.

-----
Owen Blacker
Senior Internet Developer and InfoSec Consultant, pres.co
DSS: 0x7e3c8eab | 2f45 c60d 6a0a 0007 193d d994 cd36 e021 7e3c 8eab
RSA: 0x38fee6c3 | 7c41 e69c 5b8a 484d 22af 1859 f4c9 307b

------- End of forwarded message -------
