Information Security News mailing list archives

Top Guns Want to Probe Carnivore


From: InfoSec News <isn () C4I ORG>
Date: Tue, 22 Aug 2000 02:21:06 -0500

http://www.wired.com/news/politics/0,1283,38329,00.html

by Declan McCullagh
11:00 a.m. Aug. 21, 2000 PDT


WASHINGTON -- An eminent group of security experts has offered to
undertake an independent review of the FBI's controversial Carnivore
surveillance system.

Attorney General Janet Reno said in early August that the Justice
Department would commission a study of Carnivore from a major
university, but she has not yet come to a final decision as to which
institution she will recruit for this purpose.

The ad-hoc association of 13 security experts, who have dubbed
themselves the Open Carnivore group, includes individuals such as AT&T
Research's Matt Blaze and Tom Perrine of the San Diego Supercomputer
Center, both of whom testified before Congress about Carnivore in
July.

"We've put a great group of people together who are credible," Perrine
says. "None of us has an axe to grind."

Justice Department spokesman Chris Watney said on Monday that
officials were "still in the process of selecting a university to
review Carnivore."

News reports have suggested that researchers from MIT and Purdue
University independently contacted the Justice Department and also
offered to perform reviews. The government hopes a review will satisfy
critics who say Carnivore violates the privacy of innocent Internet
users.

One Justice Department source said that Open Carnivore is "doing their
own thing" and the agency isn't giving them much thought.

Other members of the Open Carnivore group include Peter Neumann of SRI
International, "Mudge" of @stake, Tsutomu Shimomura, who helped track
down convicted hacker Kevin Mitnick, and David Wagner of the
University of California at Berkeley.

Carnivore has come under fire on technical and legal fronts.

Privacy groups have said that, when installed at an Internet service
provider, Carnivore could be programmed to snack on more traffic than
it should. They also say that even if it works as described --
intercepting massive amounts of data and discarding what's not
relevant -- Carnivore could violate the Fourth Amendment's prohibition
on unreasonable searches and seizures.

"Even the independent university review won't answer all the
questions, because the reviewers won't know how the FBI has employed
it in past investigations and will employ it in future
investigations," says David Sobel of the Electronic Privacy
Information Center. "They're going to be looking at a static piece of
software."

Government officials hope to complete the investigation and send a
report to Reno by December 1, but have steadfastly refused to release
source code to the public.

EPIC has sued to obtain that information under the Freedom of
Information Act, and last Thursday asked a federal judge to speed up
the FBI's response.

The FBI on Monday said it's trying to be upfront about Carnivore.

"We've endeavored to be as open as possible on the Carnivore issue,"
said FBI spokesman Bill Carter. "We've briefed reporters on its
capabilities, we've testified before Congress. What else can we say?"

"You have to understand that as a law enforcement organization, there
are certain things that we have to do to uphold the law. If monitoring
someone's email is what we have to do, then we're going to be as open
as possible with the process," Carter said.

Open Carnivore's Perrine said that he is drafting a memorandum of
understanding to circulate among members of the group, and then
forward to the Justice Department.

Perrine said the Open Carnivore members have agreed not to release the
Carnivore source code. "The kinds of conditions we're looking for are
that we'll agree not to release the source code, we'll agree not to
divulge who wrote it," he said. "Any vulnerabilities we find, they'll
get the same treatment as any other vendor: They'll get advance notice
and a chance to fix it."

Assistant Attorney General Stephen Colgate, who is heading an internal
Carnivore review committee, recently said he wants to finish a report
that includes the panel's recommendations and the outside review by
December 1.

MIT and Purdue did not immediately return phone calls asking for
comment.

The members of the Justice Department committee include the head of
the FBI labs, the department's top privacy officer, and a
representative from the criminal division.

ISN is hosted by SecurityFocus.com