Carnivore, the Fourth Amendment, and You
By Seth Ross
"It is not possible to determine or reasonably estimate the chance
that some unknown force or person acting possibly irrationally at
some unknown future time is going to abuse or misuse some unknown
information in some unknown way." - Donn B. Parker
Computer security is a tough game. You know that you're playing
against someone, but it's often impossible to know who. You may
have some notion of how your opponent will operate but often you're
completely in the dark. Sometimes, however, you get a break.
Last month, I discussed email
security, with the sweeping warning that unknown parties could
be intercepting your confidential email at will. This month, a potent
and widespread threat to email confidentiality has come to light:
the Federal Bureau of Investigation's Carnivore system.
Carnivore is a PC-based email interception system that taps into
an Internet Service Provider (ISP) network in order to capture the
email traffic of approved wiretap targets. The FBI provided some
scant details about the system during a Congressional hearing last
week. Supposedly, the system is very discriminating about the traffic
it intercepts (in contrast to an earlier design called Omnivore).
Here's a description from the Congressional testimony of Tom Perrine,
of the San Diego Supercomputer Center, who claims to have seen a
Carnivore system:
"Physically, Carnivore is a personal computer with a network
interface, and Zip or Jaz removable disk drive, running a version
of the Microsoft Windows operating system, with the Carnivore software
loaded. In order to use Carnivore, it must be physically attached
to the network to be monitored. The Carnivore software has a Graphical
User Interface (GUI) which presents the user with an easy-to-use
way to describe the filters that are to be used in accepting (and
recording) or rejecting network data seen by the system."
You can view all the Congressional testimony at
http://www.house.gov/judiciary/con07241.htm
or read the sketchy details presented in the press:
http://news.cnet.com/news/0-1005-200-2245549.html
http://www.msnbc.com/news/438436.asp
http://www.wired.com/news/politics/0,1283,37765,00.html
Even after the flood of words about the system, nobody outside
the FBI really knows squat. Carnivore is a secret system. It may
do only what the FBI says it does, more than the FBI says it does,
or less than the FBI says it does. It may be the tightest security
system on the planet, or it may be just as bug-ridden and vulnerable
as other Internet systems. Without complete system details and an
opportunity to review the system's source code, there's no way to
verify that the system meets the explicit requirements of the Fourth
Amendment to the US Constitution:
"The right of the people to be secure in their persons,
houses, papers, and effects, against unreasonable searches and seizures,
shall not be violated, and no Warrants shall issue, but upon probable
cause, supported by Oath or affirmation, and particularly describing
the place to be searched, and the persons or things to be seized."
Assuming it's telling the truth, the FBI could confirm compliance
with the "particular description" mandate above by releasing the
source code for Carnivore. Security gurus Matt Blaze and Steve Bellovin
have argued persuasively that this should be done: http://www.crypto.com/papers/opentap.html
Barring a complete public release of the Carnivore source code,
the only way to assess the threat is by inference and speculation.
Carnivore is purportedly built around a commercial packet sniffing
program. Packet sniffers take advantage of the fact that the Internet
and supporting technologies are a broadcast medium - every machine
on a Local Area Network sees every packet addressed to every machine.
If a machine's Ethernet interface is kicked into promiscuous mode,
that machine can analyze (sniff) every packet on the network looking
for specific sources or destinations, protocols (like email), passwords,
etc.
It's difficult to imagine a packet sniffing design that can meet
the Fourth Amendment's specificity requirement. In order to find
a wiretapped target's email, Carnivore must 1) inspect all packets
for email traffic, and 2) inspect all email headers to determine
if the mail is to or from the target.
This kind of open-ended sniffing presents numerous risks to the
emailing public. Your mail can be intercepted because:
- you correspond with a wiretap target
- you use the same ISP as a wiretap target
- you correspond with someone at a target's ISP
- you received a dynamically-assigned IP address previously used
by a wiretap target
- a bad actor has gained control of a Carnivore system
Given that the above risks apply universally, you must work on the
assumption that all your mail is subject to possibly illegal searches
and seizures. To the extent that Carnivore raises public awareness
of the ease and ubiquity of eavesdropping systems - and lessens the
unknowns cited by Donn B. Parker - it's performing a public service.
Slowly and surely, the networking public is realizing that packet
sniffing is easy. Anyone can do it. There are dozens of commercial
and free packet sniffing programs available, dual-use programs used
by crackers and network administrators alike. Take, for example,
Trinux, one of the most effective tools for cracking or analyzing
a LAN. Trinux is a portable Linux distribution that fits on a single
floppy disk and contains precompiled versions of popular network
security/monitoring tools such as nmap, tcpdump, iptraf, and ntop.
Load a Trinux floppy into your typical corporate Windows PC, re-boot
into Trinux, type "tcpdump" and all the traffic on the corporate
LAN is yours (don't even think of trying this without authorization).
You can find out more at
http://www.trinux.org/
The scenario cited above - in which a bad actor gains control
of Carnivore - is improbable because in many cases it'd be easier
for a bad actor to set up his/her own packet sniffer than to rely
on the FBI's. In truth, the FBI is probably a lesser threat than
1) corporate spies, 2) disgruntled employees, or 3) nosy neighbors.
The FBI has to stay within the bounds of the law (in theory). A
corporate spy, on the other hand, may be dedicated to outing your
information by any means possible. The disgruntled employee is just
one re-boot away from your company's most confidential secrets.
Your telecommuters won't know that their neighbor has set up a packet
sniffer on the neighborhood's cable modem segment.
Given the multiplicity of threats, it's fortunate that there's
an inexpensive, easy, and legal way to beat a Carnivore tap and
similar packet-sniffing shenanigans: encryption. Anyone who's read
previous issues of this newsletter won't be surprised at this recommendation:
you should encrypt confidential data anytime it traverses public
and insecure Internet systems.
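As an added illustration (not part of the original article, and not Carnivore's actual logic, which remains unpublished), the Python below audits the two-step filter described earlier against a few constructed streams and shows what encrypting the message body changes. It assumes matching on SMTP envelope addresses on port 25; every address and payload is constructed.

```python
import re

TARGET = "target@example.net"  # constructed wiretap target address
PGP_MARK = "-----BEGIN PGP MESSAGE-----"
# Envelope addresses travel in the clear in SMTP commands.
ENVELOPE = re.compile(r"^(?:MAIL FROM|RCPT TO):\s*<([^>]+)>", re.I | re.M)

def smtp(sender, rcpt, body):
    """Build a constructed client-side SMTP stream (not captured traffic)."""
    return (25, f"MAIL FROM:<{sender}>\r\nRCPT TO:<{rcpt}>\r\nDATA\r\n"
                f"Subject: note\r\n\r\n{body}\r\n.\r\n")

# Constructed sample: (destination port, reassembled payload) per TCP stream.
STREAMS = [
    (80, "GET /index.html HTTP/1.0\r\n\r\n"),
    smtp("alice@example.org", "bob@example.com", "Lunch at noon?"),
    smtp("carol@example.org", TARGET, PGP_MARK + "\r\n(ciphertext)"),
    (110, "USER dave\r\n"),
    smtp(TARGET, "erin@example.com", "See you then."),
    smtp("frank@example.org", "grace@example.com", "Invoice attached."),
]

def audit_filter(streams, target):
    """Count what a target-only filter must touch to find the target's mail."""
    stats = {"streams_inspected": 0, "envelopes_read": 0, "matched": 0,
             "bodies_readable": 0, "third_parties": set()}
    for port, payload in streams:
        stats["streams_inspected"] += 1   # step 1: look at everything
        if port != 25:                    # keep only SMTP
            continue
        addrs = {a.lower() for a in ENVELOPE.findall(payload)}
        stats["envelopes_read"] += 1      # step 2: read every envelope
        if target not in addrs:
            continue                      # discarded, but already inspected
        stats["matched"] += 1
        stats["third_parties"] |= addrs - {target}
        body = payload.partition("\r\n\r\n")[2]
        if PGP_MARK not in body:          # encrypted bodies stay opaque
            stats["bodies_readable"] += 1
    return stats

if __name__ == "__main__":
    for key, value in audit_filter(STREAMS, TARGET).items():
        print(f"{key}: {value}")
```

On this sample the filter examines all six streams and reads four envelopes to keep two messages. The PGP-protected body stays opaque, but the correspondents' envelope addresses remain visible.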
There are dozens of inexpensive and free encryption programs and
platforms that can render Carnivore and other packet sniffers harmless.
PC Guardian, for example, offers an easy email encryption plug-in
for Microsoft Outlook and Lotus Notes:
http://www.pcguardian.com/software/email_s.html
If you don't use Outlook or Notes, Encryption Plus® Secure Export
will work:
http://www.pcguardian.com/software/secure_s.html
There's PGP, the granddaddy of email encryption programs: http://www.pgp.com/
Secure Shell (SSH) encrypts a wide variety of Internet communications:
http://www.ssh.com/
OpenSSH is a free version of the Secure Shell technology, from
the good folks who develop the OpenBSD operating system:
http://www.openssh.com/
You can find additional encryption resources at
http://www.securius.com/Links/Encryption/
There's always hope that the FBI will do the right thing and end
speculation about Carnivore by publishing its source code. Until
then, assume the worst and take the steps necessary to beat the
packet snoops.