Securius Newsletter

July 31, 2000
Volume 1, Number 8
http://www.securius.com

Carnivore, the Fourth Amendment, and You

By Seth Ross

"It is not possible to determine or reasonably estimate the chance that some unknown force or person acting possibly irrationally at some unknown future time is going to abuse or misuse some unknown information in some unknown way." - Donn B. Parker

Computer security is a tough game. You know that you're playing against someone, but it's often impossible to know who. You may have some notion of how your opponent will operate but often you're completely in the dark. Sometimes, however, you get a break.

Last month, I discussed email security, with the sweeping warning that unknown parties could be intercepting your confidential email at will. This month, a potent and widespread threat to email confidentiality has come to light: the Federal Bureau of Investigation's Carnivore system.

Carnivore is a PC-based email interception system that taps into an Internet Service Provider (ISP) network in order to capture the email traffic of approved wiretap targets. The FBI provided some scant details about the system during a Congressional hearing last week. Supposedly, the system is very discriminating about the traffic it intercepts (in contrast to an earlier design called Omnivore).

Here's a description from the Congressional testimony of Tom Perrine, of the San Diego Supercomputer Center, who claims to have seen a Carnivore system:

Physically, Carnivore is a personal computer with a network interface, and Zip or Jaz removable disk drive, running a version of the Microsoft Windows operating system, with the Carnivore software loaded. In order to use Carnivore, it must be physically attached to the network to be monitored. The Carnivore software has a Graphical User Interface (GUI) which presents the user with an easy-to-use way to describe the filters that are to be used in accepting (and recording) or rejecting network data seen by the system.

You can view all the Congressional testimony at
http://www.house.gov/judiciary/con07241.htm
or read the sketchy details presented in the press:
http://news.cnet.com/news/0-1005-200-2245549.html
http://www.msnbc.com/news/438436.asp
http://www.wired.com/news/politics/0,1283,37765,00.html

Even after the flood of words about the system, nobody outside the FBI really knows squat. Carnivore is a secret system. It may do only what the FBI says it does, more than the FBI says it does, or less than the FBI says it does. It may be the tightest security system on the planet, or it may be just as bug-ridden and vulnerable as other Internet systems. Without complete system details and an opportunity to review the system's source code, there's no way to verify that the system meets the explicit requirements of the Fourth Amendment to the US Constitution:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Assuming it's telling the truth, the FBI could confirm compliance with the "particular description" mandate above by releasing the source code for Carnivore. Security gurus Matt Blaze and Steve Bellovin have argued persuasively that this should be done: http://www.crypto.com/papers/opentap.html

Barring a complete public release of the Carnivore source code, the only way to assess the threat is by inference and speculation.

Carnivore is purportedly built around a commercial packet sniffing program. Packet sniffers take advantage of the fact that the Internet and supporting technologies are a broadcast medium - every machine on a Local Area Network sees every packet addressed to every machine. If a machine's Ethernet interface is kicked into promiscuous mode, that machine can analyze (sniff) every packet on the network looking for specific sources or destinations, protocols (like email), passwords, etc.

It's difficult to imagine a packet sniffing design that can meet the Fourth Amendment's specificity requirement. In order to find a wiretapped target's email, Carnivore must 1) inspect all packets for email traffic, and 2) inspect all email headers to determine if the mail is to or from the target.

This kind of open-ended sniffing presents numerous risks to the emailing public. Your mail can be intercepted because:

  • you correspond with a wiretap target
  • you use the same ISP as a wiretap target
  • you correspond with someone at a target's ISP
  • you received a dynamically-assigned IP address previously used by a wiretap target
  • a bad actor has gained control of a Carnivore system

Given that the above risks apply universally, you must work on the assumption that all your mail is subject to possibly illegal searches and seizures. To the extent that Carnivore raises public awareness of the ease and ubiquity of eavesdropping systems - and lessens the unknowns cited by Donn B. Parker - it's performing a public service.
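The over-collection described above can be measured on a small scale. The following is an added illustration, not Carnivore's code or anything from the FBI: it runs an address-based and an IP-based selection filter over constructed sample messages (all addresses, IPs, and function names are assumptions) and counts how many messages had to be read and who was swept up besides the target.

```python
from email.parser import HeaderParser
from email.utils import getaddresses

TARGET = "target@isp.example"   # constructed wiretap target
TARGET_IP = "10.0.0.5"          # constructed address the target held at order time

# Constructed traffic on one ISP segment: (source IP, raw message), in time order.
TRAFFIC = [
    ("10.0.0.5", "From: target@isp.example\nTo: alice@other.example\n\nhi"),
    ("10.0.0.9", "From: bob@isp.example\nTo: carol@other.example\n\nhi"),
    ("10.0.0.7", "From: dave@other.example\nTo: target@isp.example, erin@isp.example\n\nhi"),
    # The DHCP lease for 10.0.0.5 has since passed to an unrelated subscriber.
    ("10.0.0.5", "From: frank@isp.example\nTo: gina@other.example\n\nhi"),
]

def parties(raw):
    """Every address in the From/To/Cc headers of one message."""
    msg = HeaderParser().parsestr(raw)
    fields = [v for h in ("From", "To", "Cc") for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def address_filter(traffic, target):
    """Select mail to/from target; report how much had to be read to do it."""
    inspected, captured, bystanders = 0, [], set()
    for _, raw in traffic:
        inspected += 1                      # headers are parsed for every message
        who = parties(raw)
        if target in who:
            captured.append(raw)
            bystanders |= who - {target}    # correspondents swept up with the target
    return {"inspected": inspected, "captured": len(captured),
            "bystanders": sorted(bystanders)}

def ip_filter(traffic, ip, target):
    """Select mail by source IP; count captures the target is not a party to."""
    captured = [raw for src, raw in traffic if src == ip]
    wrong = [raw for raw in captured if target not in parties(raw)]
    return {"captured": len(captured), "misattributed": len(wrong)}

if __name__ == "__main__":
    print(address_filter(TRAFFIC, TARGET))
    print(ip_filter(TRAFFIC, TARGET_IP, TARGET))
```

Even the narrower address filter reads the headers of all four messages to keep two, and the IP filter keeps one message the target never sent or received.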

Slowly and surely, the networking public is realizing that packet sniffing is easy. Anyone can do it. There are dozens of commercial and free packet sniffing programs available, dual-use programs used by crackers and network administrators alike. Take, for example, Trinux, one of the most effective tools for cracking or analyzing a LAN. Trinux is a portable Linux distribution that fits on a single floppy disk and contains precompiled versions of popular network security/monitoring tools such as nmap, tcpdump, iptraf, and ntop. Load a Trinux floppy into your typical corporate Windows PC, re-boot into Trinux, type "tcpdump" and all the traffic on the corporate LAN is yours (don't even think of trying this without authorization). You can find out more at
http://www.trinux.org/

The scenario cited above - in which a bad actor gains control of Carnivore - is improbable because in many cases it'd be easier for a bad actor to set up his/her own packet sniffer than to rely on the FBI's. In truth, the FBI is probably a lesser threat than 1) corporate spies, 2) disgruntled employees, or 3) nosy neighbors. The FBI has to stay within the bounds of the law (in theory). A corporate spy, on the other hand, may be dedicated to outing your information by any means possible. The disgruntled employee is just one re-boot away from your company's most confidential secrets. Your telecommuters won't know that their neighbor has set up a packet sniffer on the neighborhood's cable modem segment.

Given the multiplicity of threats, it's fortunate that there's an inexpensive, easy, and legal way to beat a Carnivore tap and similar packet-sniffing shenanigans: encryption. Anyone who's read previous issues of this newsletter won't be surprised at this recommendation: you should encrypt confidential data anytime it traverses public and insecure Internet systems.

There are dozens of inexpensive and free encryption programs and platforms that can render Carnivore and other packet sniffers harmless.

PC Guardian, for example, offers an easy email encryption plug-in for Microsoft Outlook and Lotus Notes:
http://www.pcguardian.com/software/email_s.html

If you don't use Outlook or Notes, Encryption Plus® Secure Export will work:
http://www.pcguardian.com/software/secure_s.html

There's PGP, the granddaddy of email encryption programs: http://www.pgp.com/

Secure Shell (SSH) encrypts a wide variety of Internet communications:
http://www.ssh.com/

OpenSSH is a free version of the Secure Shell technology, from the good folks who develop the OpenBSD operating system:
http://www.openssh.com/

You can find additional encryption resources at
http://www.securius.com/Links/Encryption/

There's always hope that the FBI will do the right thing and end speculation about Carnivore by publishing its source code. Until then, assume the worst and take the steps necessary to beat the packet snoops.




Securius.com is a service of GuardianEdge Technologies.
Copyright © 2006 GuardianEdge. All rights reserved.