Visit Your Local PBS Station PBS Home PBS Home Programs A-Z TV Schedules Watch Video Donate Shop PBS Search PBS
I, Cringely - The Survival of the Nerdiest with Robert X. Cringely
Search I,Cringely:

The Pulpit
The Pulpit

<< [ Meet Eater ]   |  Carnivore 2.0  |   [ Everybody's Wrong ] >>

Weekly Column

Carnivore 2.0: More on the Perils of FBI Internet Surveillance and Why It's Even Worse in Australia

Status: [CLOSED]
By Robert X. Cringely
bob@cringely.com

Last week's column on Carnivore, the FBI's plan to install e-mail snooping PCs at the Internet Service Providers of suspected bad guys, raised a lot of interest from an interesting cross-section of readers. Hackers and especially ISPs were quick to question me on technical grounds (as I predicted), and generally suggested I return to school. But they also expressed alarm at the idea of Carnivore, not only for its probable assault on privacy, but also for its technical shortcomings. The usual bunch of concerned citizens thanked me for the heads-up and said they'd start sleeping with the lights on. And a number of foreign readers said it is even worse in their countries. But my favorite response of all was from the guy who said Carnivore boxes, which are sealed tightly and can't be opened by the host ISP, aren't computers at all.

"They're bombs," he said.

"You said that anyone could install a sniffer on a CoLo box," responded a guy who is very much in a position to know what he is talking about. "While that's true, it probably wouldn't be very interesting. Nearly all CoLo vendors that I'm aware of use switches, not hubs, as their backbones. Switches offer higher performance by "routing" at layer 2, so an interface only sees traffic destined for it. The Cisco 55xx/65xx/85xx switches and Extreme Networks switches I've worked with require that you configure a port specifically to be able to listen to ALL traffic (in Cisco'ese, it's called a span port). Now here is where it gets interesting."

"In order for the Carnivore box to see ALL mail traffic, it would need to either sit in front of the ISPs mail servers, which are typically a bunch of boxes fronted by a layer 3 load balancer like a Cisco local director. This means that the box must act like a router, and keep up with what could be a huge data stream for a big ISP. Unlike most routers, from what I understand, the C [Carnivore - Bob] box must also log to disk, which is inherently slow compared to shuffling packets between interfaces. This is Big ISP fear uno. The other possible config has the C box sitting on a span port connected to a VLAN that the mail systems are on. Again, it has to be able to suck packets off the wire damn quick."

"The switches I've seen have two possible settings here to keep the switches from being loaded down by the span port. If the span port listener can't keep up, you just drop the packets, or if it can't keep up, you buffer the data, till you have to block the source. You see where the danger could be, if the latter config is used. I don't think I'm being paranoid when I say that this is how the feds could shutdown one of the primary apps of the Internet, and severely impact the rest of its use."

So Carnivore can do what the FBI wants, but with a probable performance hit that most users would find unacceptable. That's may be why Earthlink sued the government to stop having to install Carnivores and why they settled last week on a system that does just what I proposed — forget the Carnivore box and have the ISP do the work.

Some folks think that the FBI doesn't even need Carnivore, that the NSA can do it for them right now ...

Another reader asked, "Are you aware that the NSA has monitored all of the NAPs (they provide the ISPs with their Internet connectivity) for years? I generally believe the FBI intends to use Carnivore in the way they have disclosed. They already have the "monitor everyone and everything" ability via the NSA's NAP access. Also, the Carnivore boxes probably don't have the performance or capacity for general monitoring."

This I don't buy. With private peering agreements, most Internet traffic now bypasses the NAPs and MAEs, which are public interconnect points between commercial backbones. I am told that one of the big West Coast NAPs was out of service last week for eight hours and nobody wrote a news story about it because no users complained. So the NSA, if it wanted to capture all that traffic, would have to be grabbing it also at the private peering points, which it isn't.

And if the Carnivore box is a PC, can't it be hacked? The consensus among my techie friends is "of course it could be hacked." There's even a very interesting business possibility in scanning the Net for Carnivores, hacking them, then selling to the Carnivore's intended target the knowledge that they are being monitored.

"Another thing that could cause problems would be the widespread use of encryption," a reader pointed out. "It wouldn't take a whole lot of paranoia on the part of geeks before we'd end up transferring most of our e-mail via IPSec- or SSL-encrypted links. The FBI could still do traffic analysis, but that can be worked around fairly simply, too; I just have to co-locate a couple of servers (S1 and S2) at different ISPs outside of the US. I then send all of my outgoing mail to S1, which forwards it to S2, which then forwards it to the final destination. Unless the FBI is aware that S2 is my machine (and they won't be able easily to work this out from US network traffic) they will know that I'm sending and receiving mail, but won't know the destination and source, respectively."

But Carnivore has its defenders, specifically folks who are worried about evidence being tainted or corrupted by going through the hands of anyone but a cop. It's the old "chain of evidence."

"Once the Bureau gathers this data, they have to take it to court," explained a reader. "Courts have very specific rules concerning electronic evidence. For example, most ISP log files are not admissible as evidence. The FBI data must also preserve integrity. If there is any way this data *could have been* tampered with, none of it is admissible. Given the lax operations of most ISPs, there is little hope that current data gathering capabilities would produce admissible evidence. And there are obvious problems with having ISPs send packets to the Bureau. Who do you serve? Who do you trust?"

Then let's hope the FBI isn't outsourcing the Carnivore program to the LAPD.

Forget about the FBI shutting down the Internet, pretty much everyone said. It's a worldwide network and bigger than any country. That, in itself, is a sobering thought and one that should give pause to lawmakers who think they can pass laws and actually enforce them to control Internet use.

Which brings us to Britain:

"We in the UK are way ahead of you in the big brother stakes," according to one reader. "The government is proposing exactly what you fear — to install black boxes in all our ISPs to intercept communications. And unlike your relatively accountable FBI, our messages will go to the secret services."

"The government already admits that innocent traffic will be copied to the services alongside suspicious materials and then searched."

"The RIP Bill is causing a bit of a disturbance amongst us IT workers in the UK as it gives the government the right to demand encryption keys from users and businesses and jail people if they refuse to or are unable to hand over keys."

"Already ISPs and Internet companies are threatening to leave the UK and move to other countries ... Oh and of course, the government can intercept any communications or demand keys from any company 'in the economic interests of the United Kingdom' — I'm sure all those American e-commerce companies will love that."

And to Australia, where things are even worse:

A programmer friend Down Under wrote about "the strange land of Australia, which has banned pornographic material from Internet sites (and shut a number of them down), which has recently legally granted the government the right to hack into any computer (via ASIO — Australian Security Intelligence Organization) and which has banned the transmission of video over datacasting channels and is now deciding on whether or not to ban video transmission over the Internet(current outlook is that it will probably put in an almost complete ban orsevere restrictions)."

"Why is this happening? Because in Australia we are not protected by strong freedom of speech laws as the U.S is, because politicians trade off censorship as a political poker chip and because the politicians believe that if they ban video over the Internet, then Rupert Murdoch and Kerry Packer, who own all the media here, will help them to win the next election. "What's next? Makes me ashamed to be an Australian netizen."

But even with our freedom of speech and privacy laws, it is clear that what's ahead for America in this Internet age is an inevitable escalation in the "arms race" between software that invades our privacy and software that fends off the invasion. And the only big winner is Intel, which will keep us buying faster and faster processors to keep from getting bogged down by the every increasing armor and loyalty oaths about bits and bytes will have to carry.

Comments from the Tribe

Status: [CLOSED] read all comments (0)