Carnivore Replaced with Commercial App



EPIC has obtained two documents that the FBI presented to Congress concerning the Carnivore, renamed DCS-1000. The documents state that the FBI did not use Carnivore in 2002 or 2003 and instead used either “commercially available software” or an unspecified “network collection device”. EPIC suggests that “the FBI’s need for Carnivore-like Internet surveillance tools is decreasing, likely because ISPs are providing Internet traffic information directly to the government”. While it is certainly likely that ISP’s are directly providing more information through their own interception capabilities � and are likely less encumbered by interception regulations – I think that the real issue here is the public scrutiny of the Carnivore system itself. As the details of the Carnivore system, and its deficiencies, became public its use was dropped in favour of commercially available software and devices that likely have even more capabilities and less restrictions than Carnivore. It’s interesting that in the face of public scrutiny the FBI has chosen to use a less accountable, less precise method of electronic surveillance, especially when that scrutiny showed that their more targeted approach was deficient.

Carnivore does not have capabilities that commercially available software has (Carnivore restricted to HTTP, FTP, SMTP, POP), instead it was meant to restrict what information was intercepted in order to comply with court orders (equivalent to writing rules for packet sniffers such as Ethereal). Still there were documented cases of malfunction — in which emails of non-covered targets were intercepted � and issues, brought forward in an independent assessment, of agent accountability (operators are anonymous to the system: all users are logged in as “administrator” and no audit trail of actions is maintained.), mis-configuration and misuse (may miss some emails or accidentally include segments from other people’s emails), possible circumvention (through forged email headers and/or encryption) and lack of evidence authentication.

Basically, the Carnivore system involves:

(1) a one-way tap into an Ethernet data steam (10/100Base-T Ethernet using a Century Tap made by Shomiti Systems, Inc.);
(2) a general purpose computer to filter and collect data (a PC with an Ethernet adapter in promiscuous mode, removable Jaz drive, PCAnywhere, and 56k modem.);
(3) one or more additional general-purpose computers to control the collection and examine the data (loaded with post-processing programs Packeteer and Coolminer; agents use this control computer to connect to the collection computer with PCAnywhere);
(4) a telephone link to connect the additional computer(s) to the collection computer (the modem on the collection computer is connected to a telephone line protected by an electronic key, COTS Challenger Security Products, from Computer Peripheral Systems, Inc) ; and
(5) Carnivore software (loaded on the collection computer).

Carnivore software has four components:

(1) a driver derived from sample C source code provided with WinDis 32, a product of Printing Communications Associates implements preliminary filtering of IP packets;
(2) an application program interface (API);
(3) a dynamic link library (DLL) written in C++ provides additional filtering and data management; and
(4) an executable program written in Visual Basic provides a graphical user interface.

There are two modes of collection:

Pen Register: operator can see the header information for specified protocols between target IP addresses (IP addresses can be determined for DHCP and Radius by Mac address and username) such as TO and FROM e-mail addresses (SMTP), File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP). There are other options for intercepting traffic based on text strings, specific ports and email addresses.

Full Mode: in full collection mode it can record whatever transactions occur from or to a target IP address through TCP, UDP, and ICMP protocols including HTTP, FTP, SMTP, POP3, Exchange Mail, IMAP, CCmail, voice over IP, and streaming media; the operator can view the full content of those sessions.

Carnivore is basically a GUI to a sniffer program that can be used to set specific filters that cause the sniffer to record packet, packets that do not trigger the filter are discarded.
The rationale for Carnivore is that there are legitimate law enforcement uses for packet sniffing technology. However, the needs of law enforcement must be balanced with users� right to privacy. Therefore there is a need for tools targeted towards the legal and limited interception of communications.

One of the recommendations made by the independent technical review was:

Continue to use Carnivore rather than less-precise, publicly available sniffer software, such as EtherPeek, when precise collection is required and Carnivore can be configured to reflect the limitations of a court order.

These tools must comport with the legal authority under which they are used. This requires public scrutiny. And when public scrutiny showed that there was deficiencies in the FBI�s targeted, precise system they�ve decided to move towards the use of even more unaccountable electronic surveillance technology.

It will be interesting to see if the commercially available software the FBI now uses will be disclosed � or uncovered through FOIA � as well as the filtering rules (if any) they use, how the collected data is stored, and transported, and what, if any, accountability procedures are in place.

One comment.

  1. […] http://www.nartv.org/2005/01/16/carnivore-replaced-with-commercial-app/ Categories: General Tags: Comentarios (0) Referencias (0) Dejar un comentario Referencia […]

Post a comment.