16 August 2000
Date: Fri, 11 Aug 2000 19:13:35 -0400 (EDT)
From: D
To: jya@pipeline.com
Subject: joke?

I just read Richard F. Forno's "Who's Afraid of Carnivore? Not Me!". Are you posting this article as a supposed source of good information, or to be ridiculed? I fear for those taking his advice seriously, and for the future credibility of Cryptome.

D
Date: Tue, 15 Aug 2000 21:04:46 -0400
From: John Young <jya@pipeline.com>
To: D
Subject: Re: joke?

Yes, I've had some punches in the nose about the article. Not competent to judge it, as with a lot of stuff that comes this way, I have no defense. Yes, Cryptome's credibility is ever facing a bleak future.

John
Date: Tue, 16 Aug 2000
From: John Young <jya@pipeline.com>
To: D
Subject: Re: joke?

Sure, a critique would be most informative, and, hopefully, provocative, if you would allow publication. Another critique has come in, but not yet published. Want to see it before you do yours? If interested, I'll put it on Cryptome or send privately, as you wish.

Regards,

John
Date: Wed, 16 Aug 2000 06:51:33 -0400 (EDT)
From: D

Would you like me to critique it point-for-point? A man who has experienced as much privacy/encryption argument as yourself should not need assistance to realize the silliness of treating crypto as a last resort. For example.

D
Date: Tue, 16 Aug 2000
From: John Young <jya@pipeline.com>
To: D
Subject: Re: joke?

Very well, here it is. Thanks for your comments.

John

-----

Date: Wed, 9 Aug 2000 08:32:18 -0400 (EDT)
From: Anatole Shaw <Anatole@mindspring.com>
To: Richard Forno <rforno@infowarrior.org>
cc: John Young <jya@pipeline.com>
Subject: response to Carnivore article

Mr. Forno,

> Let's stop and analyze this claim. The FBI has a Windows-based tool that
> can be configured to differentiate between "legitimate" and "extraneous"
> traffic that it intercepts at a given ISP. This will -- according to the
> FBI testimony -- provide federal law enforcement folks the same ability to
> intercept electronic communications (e-mail, web surfing, instant messages,
> etc.) as they currently have in the world of the POTS telephone systems.
> Right. And my Aunt Sally is a world-class hacker master. Let's see why.

I'm not sure what I'm supposed to find so-hard-to-believe here. Most people have identifiers for Internet communications which are uniquely theirs. Most families share AOL accounts, which give different addresses to each person. Even when people share an address, they usually leave other identifiers like signature lines. We're not talking about tapping a modem line or DSL connection -- we're talking about sniffing packets, where all kinds of analysis are possible. Nearly every e-mail address, every ICQ handle, every Geocities login -- with enough investigation -- can be linked to an individual. I don't doubt that the FBI has enough programmers and investigators to determine a suspect's personal identifiers and scan for them going over the wire.

> The Carnivore system is allegedly a single "item" or black-box "device" placed
> at each ISP to monitor communications as authorized by court order. Where
> is this box placed at the ISP? Hanging it off the gateway router or bastion
> network means that this poor Windows box will have to intercept GIGABYTES
> of raw data in real-time unless it is pre-configured to only monitor certain

If intercepting all ISP customer traffic in real-time is such a difficult task, how do ISPs (as you claim) use it for policy enforcement? Consider that it is possible to capture 100% of the packets from a saturated 100Mbit ethernet link, using standard PC hardware and software. Consider, also, that a cheap router is capable of filtering a flood of traffic down to individual source/destination IP addresses, etc., before it reaches a sniffer. In the case of broadband users, that's about 1-2 megabits per second per suspect, maximum. Nothing supernatural required.

> Is Carnivore unique? Does it take rocket science to create a Carnivore-type
> system? Hardly. Many companies use sniffers to enforce acceptable use policies

You confuse network diagnosis with complex eavesdropping, playing down the specialization of the meat-eating beast. These two activities place an entirely different set of demands on a sniffer. Producing filters to reliably search for personal identifiers in a wide range of protocols is a time-consuming (if ultimately simple) task which no one in the private sector has apparently undertaken. Producing sniffers to analyze traffic patterns, on the other hand, is a global industry. A sniffer is not just a sniffer. The FBI's use of the term "diagnostic tool" in relation to Carnivore is entirely misleading.

> The FBI claims they will only use Carnivore's scanning for court-ordered
> intercepts of ISP traffic. Based on what we just saw, it is clear that Carnivore
> provides a wealth of information BEYOND just the "header" information, and

Based on what we just saw? Output from a commercial product rumored to be somewhere in Carnivore's brain? All you showed us was a full-payload packet dump, which tells us nothing except that you know how to run a Windows program. You have no idea what Carnivore "provides," only an inkling of what it can see (eat?).

> Carnivore, there is no direct human (agent) monitoring the flow of intercepted
> communications to insure that only the suspect's communications are being
> stored and not someone else's.

Yes, this is a real problem. In my opinion, it's entirely feasible to have an FBI Special Agent on the other end of the sniffer, selecting or discarding each message as appropriate. Indeed, Carnivore is still exposed to the discarded traffic, but Internet traffic -- high speed, with different communications interwoven -- makes this hard to remedy. It's impossible for a human to inspect packet payloads in real time, and "pull the plug" mid-packet when they're watching the wrong person. If law enforcement is going to collect any useful information in this scenario, there has to be automation. Do you have any better ideas?

> The fact that the FBI claims to only take the headers begs the question,
> "what happens to the rest of the data Carnivore collects?"

Isn't it possible that it's received, but not "collected" at all? Don't you think that the FBI can produce software which immediately discards data which are unlawful to collect? We should not prejudge, but instead demand an independent audit of the software to verify its claimed behavior, and assess the difficulty of someone secretly modifying that behavior to break the law. Carnivore needs to verify authorization for configuration changes, and produce detailed audit trails, in a way that holds FBI agents accountable. It also needs to resist conventional forms of physical and network attack. I'll wager that this isn't the present state of things. Putting a computer in this position in the network topology (i.e., where it is able to see all ISP customer traffic), running an operating system so notorious for its security holes, is a great danger.

> Set up a VPN. Use an encrypted point-to-point tunnel, SSH, or SSL
> to encrypt your link to your mailserver. For example, Hotmail supports SSL-based
> secured Web sessions. A sniffer looking at the traffic to your computer will
> only see SSL gibberish as it is collected.

This is misleading. Putting encryption across one link will not deter a national law-enforcement agency, when the same data are traveling unencrypted through another Carnivorized ISP.

> Vigilant system administrators run routine network
> scans on their networks for administrative and security purposes. Any good
> system administrator -- particularly a security-minded one - would consider
> the discovery of a new undocumented system on his network a security violation
> and proceed to investigate it. Heck, I'd even take it offline.

It's quite possible, in some topologies, to set up a sniffer which is invisible from a network perspective. If you ask the right people, you will hear anecdotes about major sniffer incidents at Internet exchange points, going unnoticed for long stretches of time. A computer does not always have to speak on the network to listen to it. Isn't this a moot point, though? Doesn't the FBI install these machines with the cooperation of ISPs?

> Use out-of-band communications. The best way to hide information is
> in plain sight. Don't use common ports for mail servers or chat sessions,
> but map them to more common traffic.

How does switching around port numbers move traffic out-of-band? "Out-of-band" means "not on the same wire." Port numbers are not wires or bands, they're just numbers.

> Frequency Hop. Don't just use e-mail. Have multiple e-mail accounts
> from multiple sources (POP3, IMAP, APOP, Web-based). Get multiple dial-up
> accounts and personae. Use IRC, Instant Messaging, *Nix console chats, one-
> time accounts, and combinations of these forms of communication. Set a defined
> schedule for what medium and for how long you will use that medium for, and
> see how long it takes for Carnivore to catch up with you. Or, use text editors
> to exchange messages, and FTP them to various sites. Then switch to AIM.
> Then e-mail. Then IRC on a particular channel. The possibilities are endless!

POP3, IMAP, HTTP, IRC, AOL IM, FTP -- all these protocols you mention are normally unencrypted. Switching between different forms of insecure communications buys you Pretend Security(tm). Again, the band/wire/frequency analogy is poor -- it's all still traveling on the same piece of copper. You don't think that the FBI has the resources to write modules for monitoring all these different forms of communication?

> When all else fails, stick with e-mail and encrypt it.
> But, based on what I've heard from folks involved in computer crimes, the
> worst thing an investigator can see when using a sniffer or reading intercepted
> electronic communication is the following: "--- BEGIN PGP MESSAGE ---".

Encryption is not a last resort, it's a first line of defense. Besides, how will you know when "all else fails"? Is that when they knock your door down? The PGP message header is the worst thing an investigator can encounter, because it means they have to be more intrusive to see those communications. Why should that scare anyone? It doesn't scare me.

> Use PGP to send self-extracting files to your associates, encrypt files and exchange
> them via FTP, and so forth.

Trading self-extracting files over FTP is downright stupid. The FBI can put a trojan horse in that executable, and subvert the recipient's copy of PGP altogether, for example.

Your mixture of boilerplate libertarianism and really bad advice casts doubt on your expertise, if not also the purity of your intentions. It would not surprise me to find you standing on the opposite side of the fence from where you speak.

-- Anatole Shaw
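Shaw's reply turns on a technical point that is easier to see in code than in argument: a content filter keys on identifiers carried inside the payload (login names, addresses, signature lines) rather than on port numbers, so moving a mail server from port 110 to some "more common" port changes nothing the filter looks at, while an encrypted session leaves it nothing to match. The Python below is an added example written for this page; it is not Carnivore, and it is not code from Forno, Shaw or Cryptome. The packets, hostnames, addresses and suspect identifiers are constructed for illustration, and the "looks like TLS" check is a deliberately crude heuristic, not a protocol parser.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass
class Packet:
    """A captured TCP segment reduced to what a content filter needs."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


# Identifier patterns applied to payload bytes. None of them consults the
# port number: remapping POP3 from 110 to 8080 changes nothing matched here.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
POP3_USER_RE = re.compile(rb"^USER\s+(\S+)", re.M)     # POP3 login name
IRC_NICK_RE = re.compile(rb"^NICK\s+(\S+)", re.M)      # IRC nickname
SIGNATURE_RE = re.compile(rb"^-- \r?\n(\S.*)$", re.M)  # line after "-- " separator


def looks_like_tls(payload: bytes) -> bool:
    """Heuristic (an assumption for this example): a TLS record header has a
    content type of 0x14..0x17 followed by version major byte 3."""
    return len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 3


def extract_identifiers(payload: bytes) -> Set[str]:
    """Return the personal identifiers visible in one unencrypted payload.
    Ciphertext yields an empty set: there is nothing to match on."""
    if looks_like_tls(payload):
        return set()
    found: Set[str] = set()
    for m in EMAIL_RE.finditer(payload):
        found.add(m.group(0).decode("ascii", "replace").lower())
    for rx in (POP3_USER_RE, IRC_NICK_RE, SIGNATURE_RE):
        for m in rx.finditer(payload):
            found.add(m.group(1).decode("ascii", "replace").strip().lower())
    return found


def select_suspect_traffic(packets: Iterable[Packet],
                           suspect_ids: Iterable[str]) -> List[Packet]:
    """Keep only the segments that carry one of the suspect's identifiers."""
    wanted = {s.lower() for s in suspect_ids}
    return [p for p in packets if extract_identifiers(p.payload) & wanted]


# Constructed sample capture (not real traffic). The hypothetical suspect
# "jdoe" uses POP3 on the standard port, POP3 remapped to 8080, SMTP, IRC,
# a second mailbox that gives away only the signature line, and one TLS
# session; another customer, "alice", shares the same mail server.
TLS_CLIENT_HELLO = bytes.fromhex("160301002a010000260301") + b"\x00" * 32
SAMPLE_PACKETS = [
    Packet("10.0.0.9", "mail.isp.example", 1025, 110, b"USER jdoe\r\nPASS hunter2\r\n"),
    Packet("10.0.0.9", "mail.isp.example", 1026, 8080, b"USER jdoe\r\nPASS hunter2\r\n"),
    Packet("10.0.0.9", "mail.isp.example", 1027, 25, b"MAIL FROM:<jdoe@example.net>\r\n"),
    Packet("10.0.0.9", "irc.example.org", 1028, 6667, b"NICK jdoe\r\n"),
    Packet("10.0.0.9", "smtp.other.example", 1029, 25,
           b"From: anon@other.example\r\n\r\nmeet at 9\r\n-- \r\nJ. Doe\r\n"),
    Packet("10.0.0.9", "www.example.org", 1030, 80,
           b"GET / HTTP/1.0\r\nHost: www.example.org\r\n\r\n"),
    Packet("10.0.0.9", "www.hotmail.example", 1031, 443, TLS_CLIENT_HELLO),
    Packet("10.0.0.42", "mail.isp.example", 1032, 110, b"USER alice\r\nPASS secret\r\n"),
]
SUSPECT_IDS = ["jdoe", "jdoe@example.net", "J. Doe"]


def matched_ports(packets: Iterable[Packet] = SAMPLE_PACKETS,
                  suspect_ids: Iterable[str] = SUSPECT_IDS) -> List[int]:
    """Destination ports of the selected segments, sorted, so the port
    shuffle (110 vs 8080) is visible in the result."""
    return sorted(p.dport for p in select_suspect_traffic(packets, suspect_ids))


if __name__ == "__main__":
    for p in select_suspect_traffic(SAMPLE_PACKETS, SUSPECT_IDS):
        print(p.dst, p.dport, sorted(extract_identifiers(p.payload)))
```

Run stand-alone, the filter selects the two POP3 logins (on 110 and on 8080), the SMTP envelope, the IRC NICK and the message whose only link to the suspect is the signature line, while the HTTP request, the TLS session and the other customer's login are passed over. That is Shaw's point in miniature: port numbers and protocol hopping are invisible to a filter that reads content, and only the encrypted session defeats it.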
Date: Wed, 16 Aug 2000 09:19:49 -0400 (EDT)
From: D
To: John Young <jya@pipeline.com>
Subject: Re: joke?

Can't say I agree with that 100%, but it all makes sense, it's all a reasonable interpretation of technology, and the raw statements about technology are correct. It covers all of Forno's errors, and even puts him in line gratuitously in places. It's worth publishing. Too bad it's less like an essay and more like an e-mail reply. Maybe you can ask for a re-write. Why will you 'blindly' publish a Forno essay, but not a Shaw reply?

D
Date: Wed, 16 Aug 2000 09:55:21 -0400 (EDT)
From: D
To: John Young <jya@pipeline.com>
Subject: Re: joke?

> There's no rational answer. Maybe I was waiting for you to
> inspire me to do the right thing. I don't know a better way
> to figure out what to do, my head hurts.

Consider me to be at your disposal for such evaluations. How many such lengthy replies do you receive and not publish?

> Because I'm a sneaky SOB, who thinks he'd got a grand plan
> which hides his obvious sloth.

Then you should recruit Shaw into your CIA division.

D
Date: Tue, 16 Aug 2000
From: John Young <jya@pipeline.com>
To: D
Subject: Re: joke?

> How many such lengthy replies do you receive and not publish?

Several a week, now, though once only occasionally. Sometimes I collect several on a topic and put them all up. Sometimes I forget what I meant to do, yeah, that happens pretty often. Most though are hate mail or totally off the topic named or replied to, or bitching about Cryptome -- the last cheers me up in a sick way.

> Then you should recruit Shaw into your CIA division.

That's your first task order, so don't fuck up, make the tie unleakable. Without dribbles of TLA-pseudo drool Cryptome's useless.

So, can I publish your remarks about Forno, Cryptome, Shaw and me? Those kind of comments usually grab folks. I usually don't ask ahead of time, so no need to answer.

SSOB
Date: Wed, 16 Aug 2000 11:15:33 -0400 (EDT)
From: D
To: John Young <jya@pipeline.com>
Subject: Re: joke?

The page you put up (carnivore-rf2.htm) is in strange order, and missing pieces. It makes it all a little confusing. Wait. You know this already. *sigh*

D
Date: Wed, 16 Aug 2000 12:09:57 -0400 (EDT)
From: Anatole Shaw <anatole@mindspring.com>
To: John Young <jya@pipeline.com>
Subject: carnivore

Thanks for posting my response to the Forno piece. I'm a bit disconcerted by your presentation, however. Why is my email only presented as part of another thread? Would it never have appeared without "Mysterious D" moving the issue from Forno's credibility to Cryptome's? Personally, I think Cryptome has more to do with dissemination than verification, leaving the latter to the audience.

Regards,

--Anatole
Date: Wed, 16 Aug 2000
To: Anatole Shaw <anatole@mindspring.com>
From: John Young <jya@pipeline.com>
Subject: carnivore

Anatole,

Sorry you're disconcerted by my bad work habits. Good material comes in to this hovel and never gets properly acknowledged. Somebody like D comes along, raises hell, and spasms attention. Yeah, it happens like that. Richard sent his piece, it got put up; you sent yours and now it's up. And D's bitch, and yours. If I'm lucky Richard will bitch too. I don't know why I like bitching more than good writing and thinking. Must be a reaction to prolonged exposure to responsible publishing.

What I liked about Richard's piece was not his thoughtful analysis of Carnivore, but his dramatic flair at the end about the salubrious effect of "PGP Message." And the bitching that must cause. There he and I cheer with D and thee.

John