Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

[P]
FBI wiretapping on the internet?

By ramses0 in News
Wed Jul 12, 2000 at 03:10:15 PM EST
Tags: Technology (all tags)
Technology

The FBI now has a shiny black box they can install at ISP's to scan subject lines and save 'certain emails' for further review.

The system, called Carnivore, is "functionally equivalent to a wiretap, updated for the internet era", claims the FBI, and they already have 20 of these specialized PC's with special software available for deployment around the U.S.


Several interesting points are made in the article, most of them basically saying that the FBI should not be allowed to use this system. The FBI still claims that Carnivore is "like a wiretap", but there are some differences, the two most major being

  1. Because of the nature of ISP's, this box has to process -all- email at an ISP in order to discover which email's to really investigate.
  2. Total control of this system is in the hands of the FBI. The news story mentioned that old telephone wiretaps were handled by the phone company, and given to the government. With Carnivore, total control is held by the FBI.

Another complaint is that because Carnivore scans (and logs?) email subject lines, it's already an invasion of privacy.

Read the article for technical details, it's interesting to see where the future of FBI wiretapping might be going. I've always been a big fan of applying traditional laws to digital (the less laws the better, IMHO), so I'm sort of happy to see the FBI's attempt to use traditional wiretapping processes and apply them to internet stuff. I do think that there might have been a little bit of a mistake made in the implementation of this Carnivore system.

Some parting thoughts about the system, from James X. Dempsey, senior staff counsel at the Center for Democracy and Technology (whatever that is :^)=

He said that the main problem with Carnivore is its mystery.

Dempsey has a possible solution to the problem, though one that's probably unlikely - show everyone what it does and how it does it, allowing Internet providers to install the software themselves.

``The FBI should make this gizmo an open-source product,'' he said. ``Then the secret is gone.''

Sponsors

Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure

Login

Related Links
o Yahoo
o Carnivore
o Also by ramses0


Display: Sort:
FBI wiretapping on the internet? | 22 comments (17 topical, 5 editorial, 0 hidden)
Why subject lines? (3.00 / 1) (#5)
by Eimi on Wed Jul 12, 2000 at 02:41:33 PM EST

What I really can't understand is why the software needs to read the subject of the email as part of determining whether to store it. It seems to me it would just be mail to or from some particular user....is anyone else thinking of altering spook to generate fake subject lines?

"We're only scanning e-mail addresses. No, re (1.00 / 1) (#6)
by Tin-Man on Wed Jul 12, 2000 at 03:02:15 PM EST

Sure, they probably only need to scan e-mail addresses. But since nobody knows what is going on inside the box, how can we know that's all they're getting?

They would have to stick such a device between the mail server(s) and the network, which means they get ALL traffic, e-mail or otherwise. And they can store anything they want.

You can be sure those specialized PC's come with BIG hard disks.
--
The future sure isn't what it used to be!
[ Parent ]

Re: Why subject lines? (3.00 / 1) (#9)
by sjanes71 on Wed Jul 12, 2000 at 04:52:50 PM EST

Hmm... a lot of encrypted mail (PGP, MIME/E?) usually has plain-text subject lines-- maybe they're not telling us that specifically, they're logging Subject lines of messages that have been encrypted?
____
Simon Janes
[ Parent ]
Re: Your subject here (3.00 / 1) (#12)
by Anonymous Hero on Wed Jul 12, 2000 at 08:13:23 PM EST

I already use generic subject lines because they aren't encrypted and have the ability to give insight to the body of the email. Not that sending or receiving encrypted mail won't put you on the hotlist anyway, but we should be more careful not to hand out our privacy.

[ Parent ]
(3.70 / 3) (#8)
by ctm on Wed Jul 12, 2000 at 04:11:40 PM EST

I hope they put a good spam filter in the thing or they will have tons of wasted disk space on it. Or think of the first made for Carnivore virus. Essentially send a bunch of messages with a subject which is known to be flagged.

Also the circumvention of such a system is so obvious it hurts. No one ever runs their own SMTP server outside of the ISP do they?
--------------
Which is worse ignorance or apathy?

Who knows? Who cares?

/dev/rand | pgp ? (5.00 / 2) (#10)
by Boojum on Wed Jul 12, 2000 at 06:32:36 PM EST

Better yet, feed some randomly generated bits through PGP for the body of the message. Let them have fun trying to figure out how to decrypt that!

[ Parent ]
Re: (4.00 / 1) (#11)
by Anonymous Hero on Wed Jul 12, 2000 at 07:16:12 PM EST

I hope they put a good spam filter in the thing or they will have tons of wasted disk space on it.
Heh, so to evade the FBI, all I'd have to do is embed my secret message in the middle of a get-rich-quick offer and send it to the world. After all nobody really reads spam...

[ Parent ]
Re: (4.00 / 1) (#13)
by ramses0 on Wed Jul 12, 2000 at 08:18:06 PM EST

Heh. That's actually a really good idea... use steganography to hide your message in a spam mail, or better yet, weave it into a little internet urban legend, so that your intended recipient will get it but you never have to directly send it to them.

Now *that's* hacking ;^)=

--Robert
[ rate all comments , for great justice | sell.com ]
[ Parent ]

What you can do. (4.80 / 4) (#14)
by techt on Wed Jul 12, 2000 at 08:42:50 PM EST

Email should be afforded every right which applies to postal mail. If our governments aren't going to recognize that, if they're going to abuse it, then its time to start encrypting each and every email. Users should install PGP or GPG. Programmers should write email clients which seamlessly and effortlessly integrate with these encryption tools. System administrators should set up Cypherpunk type II remailers such as Mixmaster.

Its up to us individuals to protect our privacy in the information age since our governments won't.


--
Proud member of the Electronic Frontier Foundation!
Are You? http://www.eff.org/support/joineff.html
Unfortunate side effect of crime.... (none / 0) (#15)
by blixco on Thu Jul 13, 2000 at 10:59:32 AM EST

...is that some of the laws and tools used to enforce those laws can be very threatening to the average citizen. The naive responses I've seen on other sites regarding Carnivore surprise me, though. It's almost as if people expect privacy to just happen. People seem to think that "their" email is "theirs" and forget that it's travelling a worldwide public network.

Your information is not yours once it hits this public network. Your email is flying around other people's routers and into their property in plain text, and has been for the past twenty years. The FBI is the least of your worries. They're under-staffed, over-worked, and can really care less about you. How about crackers and credit card kids? Marketing agencies that could use this same technology to scan all your email for keywords to use in "targeted" spam (spam targeted to your interests)?

How easy is it to spy on your email when it crosses my border routers? Pretty easy. It's not a question of legality of privacy...in the US, anyway, we're only concerned with those issues 1) if we get caught and/or 2) if they are self-serving. The fact is, our government will do what it wants to. Period. So forget the (unfortunately lofty) ideals of legality, privacy, and oversight. Start thinking like an engineer.

Problem? Email is plain text. Solution? Encrypt it. Use PGP, distribute it to your friends / family. Use whatever program you feel you can trust. Use home grown keys of HUGE lengths. Encrypt all of your mail if you are concerned about Big Brother, Crackers, or MegaCorp. Encrypt your IP traffic, set up some type of IPSec or PPTP encrypted tunnel between you and everyone you trust. Use SSH.

Or not. Especially in regards to this story. If you have reason to believe that the FBI is listening to you, then by all means encrypt everything. If you know (as you should by now) that law and privacy don't matter to this government (except for self interest), then encrypt. If you feel that your rights are being violated by the mere existance of a tool like Carnivore, then encrypt. In the end, it may just be paranoia.
-------------------------------------------
The root of the problem has been isolated.
Re: Unfortunate side effect of crime.... (none / 0) (#16)
by Anonymous Hero on Thu Jul 13, 2000 at 02:13:10 PM EST

I do not think people will encrypt untill it's easy. We need a user friendly way to get people to make PGP keys and we need all mail readers to check for the keys on the key servers. Talking to people about privacy will not help. We need the technology to default to privacy protective behavior.

[ Parent ]
Re: Unfortunate side effect of crime.... (none / 0) (#22)
by blixco on Fri Jul 14, 2000 at 08:38:54 AM EST

Why user friendly? Does your pen know to encode the letters you write on paper? Does your phone default to encrypted conversation mode? Does the world need to be user friendly? It's not. If you feel you need privacy, then you can find software that will give you that privacy. You will learn how to use it. You can teach others how to use it and develop a trusted base of people (a network of co-conspirators if you are so inclined). The technology has always been there and is very usable.

It doesn't need to be easy. It needs to be available...and it is. If you need it, you'll use it.
-------------------------------------------
The root of the problem has been isolated.
[ Parent ]
Security through obscurity (none / 0) (#17)
by Alhazred on Thu Jul 13, 2000 at 02:14:38 PM EST

First of all stay out of the way of the FBI, they aren't likely to bug you if you don't get in someone's way. Yeah, we are supposedly free to do what we want, but lets be real, you don't piss off people with lots of money or clout unless you REALLY REALLY HAVE TO.

However my main point was going to be that there was a similar concern with Usenet news back a few years ago, and everyone simply built sigs that had tons of likely key words in them and of course that means that the poor system gets flooded. Suppose every email sig has the words "bomb", "drug", and "Allah" in it! hehehe (pardon to any Islamic people out there reading this ;o)). Of course sending out lots of random bogus encrypted email to made up destinations and filled with very silly stuff would be pretty good too. These systems are after all PC class hardware, they can hardly handle a really big load. At worst they ship off stuff for analysis somewhere else, but actually thats even better, because then everyone can help bog down one big "mail cruncher" somewhere.

Basically I think these sorts of attempts are pretty lame. All the FBI will accomplish is maybe managing to set up a few of these boxes and nailing a few really dumb criminals. Not that I like the whole idea, but it was after all inevitable that this would happen...
That is not dead which may eternal lie And with strange aeons death itself may die.
FBI working for DoubleClick? (none / 0) (#18)
by birchcap on Thu Jul 13, 2000 at 02:34:16 PM EST

Maybe DoubleClick paid the FBI to use their legal powers to help them suck even more private information off the internet...

Let's face it, whatever the FBI is doing is junior league compared to the soft of shenanigans DoubleClick, the NSA, and presumably foreign intelligence agencies are up to. DoubleClick and their like capture nearly every click or most surfers in America, and people are getting all paranoid about something that requires a warrant?

Here's my bet: anyone who uses strong encryption is on a list kept by the NSA. And that probably gives you some reason to be paranoid.



Dubious claims (none / 0) (#19)
by adamsc on Thu Jul 13, 2000 at 03:32:28 PM EST

Because of the nature of ISP's, this box has to process -all- email at an ISP in order to discover which email's to really investigate.
Was I the only one who thought this sounded really contrived? I can see only one honest way for this sort of thing to work, which would completely invalidate the claim quoted above:
  1. FBI obtains warrant to tap $Suspect's communications.
  2. FBI contacts $Suspect's ISP (perhaps using phone/credit card company records to determine which ISP(s) to approach) with warrant.
  3. ISP modifies server configuration to send a copy of any mail to/from $Suspect's account(s) to the FBI
  4. FBI analyses incoming messages

Is there any conceivable reason why the FBI to be directly tapping all network traffic with nothing more than a promise that they'll only monitor things they have warrants for?

The only one I've come up with is that they might not be able to trust the ISP (believable when lots of money is involved) but if that's the case the ISP could easily prevent the 'Carnviore' from seeing anything incriminating.



Re: Dubious claims (none / 0) (#20)
by mdpopescu on Thu Jul 13, 2000 at 05:46:40 PM EST

I don't use my company's email server when sending private emails - I use another account, with another SMTP server. Therefore, the only *safe* way they can monitor my emails is to intercept every packet and see which ones look like emails. [Of course, I don't think I've ever sent an email on another port than 25, so they could limit themselves to that...]

My company *is* my ISP.

[ Parent ]

Duh..... (none / 0) (#21)
by Anonymous Hero on Thu Jul 13, 2000 at 09:46:56 PM EST

I don't think anyone here realizes it, but the FBI
does NOT require any kind of subponea to use this system at an ISP.
It only requires the ISP's coerced (Forced) cooperation. The FBI
has recently got many laws passed which give it broad and
expansive powers to monitor all digital communications without
any authorization.

FBI wiretapping on the internet? | 22 comments (17 topical, 5 editorial, 0 hidden)
Display: Sort:

kuro5hin.org

[XML]
All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!