Information Security News mailing list archives

FBI's Carnivore highlights the need for public-source review, strong encryption


From: InfoSec News <isn () C4I ORG>
Date: Mon, 21 Aug 2000 00:07:29 -0500

http://www.infoworld.com/articles/op/xml/00/08/21/000821opswatch.xml

Friday, Aug. 18, 2000 1:01 pm PT

THE FBI RECENTLY announced the existence of an Internet wiretapping
system called Carnivore. According to the FBI, the purpose of the
system is to listen in on the Internet traffic of a suspected criminal
in an effort to collect evidence, similar to what a wiretap of a phone
system would provide.

But can't Carnivore's listening capabilities be defeated by
encryption? Well, that depends, according to the FBI. Carnivore's
snooping depends on how strong the encryption is that's being used on
the e-mail. Of course, the FBI is short on details about the exact key
size that defeats Carnivore. Nonetheless, this points to what the real
insult of Carnivore is. Who in his or her right mind believes that
hackers and cyberterrorists are not smart enough to use strong
encryption? So if the criminals use strong encryption and eliminate
Carnivore's effectiveness, then what is it for? Maybe that's why the
FBI is so reluctant to give up the source code to public scrutiny.

A previous version of Carnivore, reportedly called Omnivore, gobbled
up too much information for agents to effectively filter out the
desired traffic, so they designed Carnivore. With Carnivore, the FBI
is reportedly able to scan millions of e-mails every second. But why
would they need to scan millions of e-mails? How many e-mails do
criminals need to send?

Carnivore reportedly works by installing the system at the ISP of the
suspected criminal. The system, reportedly PC-based, is behind lock
and key, with only FBI agents having local access. The system is
plugged into a "sniffable" port on the ISP's hub or switch. Carnivore
can then gobble up enormous amounts of data and filter out the
undesired user traffic, focusing on the suspected criminal's traffic.

The system reportedly has been used for tracking down hackers,
terrorist groups, and drug traffickers, but the fact is that it could
be used for anything. The problem with this type of technology is that
the possibilities are nearly limitless -- espionage, information
warfare, spying on the public -- choose your favorite. You name the
devious purpose for this technology and it's likely to be available in
Carnivore. The truth is we really know very little about Carnivore and
will have a difficult time defending or crucifying it until its design
is released to the public. But the FBI seems reluctant to make the
source code available (surprise).

If we cannot have a public-source review of Carnivore, who can we
trust to police the FBI? Themselves? The traditional means of
obtaining a search warrant and allowing agents to listen in on phone
calls is one thing, but the Internet houses a flood of data beyond
e-mail. Who controls what Carnivore filters? Who confirms that the
product is not being abused? Carnivore needs checks and balances.

The U.S. Constitution contains no provision guaranteeing a citizen's
right to privacy. And in some cases, it's not even a privilege. In the
recent Congressional subcommittee hearings, FBI and Department of
Justice officials quoted a 1979 Supreme Court decision (Smith vs.
Maryland, 442 U.S. 735 [1979]) holding that individuals have no right
to privacy regarding telephone call records. This tells these agencies
that without a warrant they can monitor whom you call and when. The
same holds true, then, for Internet e-mail addresses. Monitoring to
whom and when you send e-mail does not require a warrant; instead they
consider only the contents of those messages private.
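As an added illustration of the two points above (whether strong encryption defeats content inspection, and the gap between addressing data and message contents), here is example code that is not part of the column; the two messages, addresses and ciphertext placeholder are constructed for it. It shows what a passive observer on an ISP's mirrored port can still read from a PGP-encrypted message: every header, including Subject, stays in the clear, and only the body becomes opaque.

```python
# Added example (not from the column): header metadata versus body contents
# as seen by a passive observer. Messages below are constructed samples.
from email import message_from_string
from email.message import Message

PLAIN_MSG = """From: alice@example.org
To: bob@example.net
Date: Fri, 18 Aug 2000 13:01:00 -0700
Subject: lunch
Content-Type: text/plain

Meet me at noon by the fountain.
"""

PGP_MSG = """From: alice@example.org
To: bob@example.net
Date: Fri, 18 Aug 2000 13:05:00 -0700
Subject: lunch
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
hQEMA3k5n0QaKzNqAQf+Lz9JJ2c9bQm (constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""


def is_pgp_encrypted(msg: Message) -> bool:
    """True for PGP/MIME (RFC 3156) or inline ASCII-armored PGP bodies."""
    if msg.get_content_type() == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    body = msg.get_payload(decode=True) or b""
    return b"-----BEGIN PGP MESSAGE-----" in body


def observable_fields(raw: str) -> dict:
    """Fields a sniffer on the ISP's mirrored port can read from one message."""
    msg = message_from_string(raw)
    # PGP never encrypts headers, so these are readable regardless of key size.
    view = {"from": msg["From"], "to": msg["To"], "date": msg["Date"],
            "subject": msg["Subject"]}
    if is_pgp_encrypted(msg):
        view["body"] = None  # ciphertext only; breaking it depends on key strength
    else:
        payload = msg.get_payload(decode=True)
        view["body"] = payload.decode(errors="replace") if payload else None
    return view
```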

We like to think of privacy as an attainable goal rather than a
privilege either bestowed or removed by the government. But the
reality is that as long as privacy is considered a privilege rather
than a right, the government will be able to give or take liberties
with your privacy.

The only real hope for the general acceptance of Carnivore will be a
completely open-source review by the public. The FBI reportedly plans
on having an independent auditor review the source and vouch for its
purpose; but until the public sees the code, there will always be
skeptics (like us). Tell us what you think at
security_watch () infoworld com.


Stuart McClure is president and CTO and Joel Scambray is managing
principal at security consultant Foundstone (www.foundstone.com).

ISN is hosted by SecurityFocus.com