FITUG e.V.

Förderverein Informationstechnik und Gesellschaft

Open Source Wiretapping

http://cryptome.org/carnivore-mbsb.htm

"Making Carnivore open source is not a complete panacea for protecting against abuses or errors. First of all, it's likely rather complex, so simply scanning the source code probably won't tell us much about whether it is vulnerable to attack or misbehaves in the kinds of traffic it collects. That would require extensive, focused review. Open source code attracts several different kinds of reviewers. One is made up of people who are interested in and want to study a system for its own sake, but the main source of meaningful review usually comes from people who have to read and understand the code because they want to make useful modifications to it. Carnivore isn't likely to attract much of that latter (and I think more important) kind of review, at least from among the open community. On the other hand, groups of focused expert reviewers can (and often do) miss things. Any meaningful review, therefore, should include both independent expert reviewers as well as releasing the code to the public. More seriously, I suspect that the meat (so to speak) of any meaningful analysis of Carnivore's security and behavior lies not in its core source code but rather in the parameters used when it is actually configured and installed. Releasing the source code is a critical first step in assuring the public that Carnivore can at least be configured to do what it is supposed to do, and I hope the FBI sees fit to take this step soon. I've submitted as part of my written testimony a position paper I wrote with Steve Bellovin that makes the case that there is little harm, and much good, to be done by releasing the Carnivore code. It is available at http://www.crypto.com/papers/openwiretap.html"

ralf