Carnivore – FBI Sniffer


Lately everyone is talking about this sniffer that the FBI uses to spy on criminals. Since I don't have time to look into how it works, I'm pasting a write-up I found by a guy who says he has seen/used it.

Statement of Tom Perrine

Computer Security Office, San Diego Supercomputer Center

Subcommittee on the Constitution

Monday, July 24, 2000

Mr. Chairman, and Members of the Subcommittee. Thank you for inviting me to testify on this important subject.

From the beginning of my career in computer security, I have always been an advocate of personal privacy, unrestricted personal access to strong encryption, and less government oversight and intervention in the lives of law-abiding citizens. In the course of my career I have also designed and developed computer systems to protect classified government information, deployed nation-wide security systems to protect privacy and intellectual property and consulted on computer security to educational institutions, the Department of Defense and public and private organizations. Due to my work in detecting and analyzing computer intrusions, I also understand and support legitimate law enforcement access to Internet traffic.

Introduction

I believe that this current debate over the FBI’s new digital wiretap tool, commonly known as “Carnivore”, is really about the risks in naively attempting to simply translate the policies, law and practices of telephone wiretaps into the digital realm of the Internet. The Internet is fundamentally different from the telephone system. As we attempt to provide access to Internet traffic for the legitimate purposes of law enforcement, we must be exceptionally careful to avoid extending the scope and depth of current wiretap and surveillance access in new and unintended ways.

However, in order to get to the heart of the matter, it is necessary to describe the Carnivore system and describe its abilities to monitor the Internet. Additionally, I will describe how the Internet is different from the telephone system, and illuminate some problem areas that may open the door to extending the government’s ability to monitor citizens in unintended and intrusive directions.

Privacy and Security at the San Diego Supercomputer Center

In my current duties, I wear two hats, one as a protector of privacy and the other as a security researcher.

As the security officer for the San Diego Supercomputer Center (SDSC) my primary and overriding mission is to protect the privacy and intellectual property of the users of the Center. SDSC is a national laboratory for computational science and engineering. With about 6000 users, several hundred computers and five supercomputers, including the world’s 9th fastest supercomputer (Blue Horizon), with Terabytes of data and numerous high-speed network connections, we are under constant attack by would-be computer intruders. SDSC’s users are performing basic research in fields as wide-ranging as astro-physics, engineering, life sciences, ecology and medicine. Premature publication, destruction, modification or theft of their data could have implications ranging from academic embarrassment through the theft of intellectual property worth millions (or possibly even billions) of dollars.

As a security researcher and the Principal Investigator of the Pacific Institute for Computer Security (PICS), I am constantly working to determine future threats to the computers attached to the public Internet, as well as threats to the actual Internet infrastructure itself. Researchers at PICS have in the past discovered software flaws in popular operating systems as well as vulnerabilities in the basic protocols of the Internet. I provided testimony on this topic to the President’s Commission on Critical Infrastructure Protection.

The San Diego Supercomputer Center, the Pacific Institute for Computer Security and other security activities are sponsored in large part by U. S. Government activities. These include the National Science Foundation, the National Institutes of Health, the Department of Defense, the Institute for Defense Analyses, the National Security Agency and the FBI. PICS’ involvement with the FBI has been limited to a small amount of technical assistance for the San Diego office. PICS and other SDSC staff have provided expert testimony in cases involving child pornography and computer intrusions.

It was as a PICS researcher, discussing critical infrastructure vulnerabilities with the FBI, that I became aware of and was afforded a chance to see the hardware and software product known as “Carnivore”. The date was June 20th of this year, and the location was the FBI’s Engineering Research Facility (ERF) in Quantico.

There are several important issues at play here, and the capabilities and purpose of Carnivore may be the least important. All of my observations concerning Carnivore itself must be considered in the context of my very limited access to Carnivore. I can only testify about what I was told and what I observed concerning Carnivore over a very short period of time.

What is Carnivore?

First of all, what is Carnivore? In technical terms, Carnivore is a high-speed packet “sniffer” with aggressive filtering capabilities. It examines all the data packets passing through a network, and filters out data that does not meet its filtering criteria. In layman’s terms, Carnivore is a digital wiretap capable of discarding all information that is not to or from or concerning the subject of the wiretap order.

In fact, other than its fancy, easy to use graphical user interface, and its ability to monitor high-capacity networks, Carnivore is not very different from the various packet sniffer programs available to network managers, system administrators, home computer users and so-called “hackers”.

By analogy, if the network is the cellular phone system, packet sniffers are radio scanners, capturing or listening to all data that goes by in the air or on the wire. Also by analogy, Carnivore is a “smarter” scanner, capable of detecting and recording only those phone calls to or from a specific person, or containing certain key words, and not listening to all the other users of the cellular system.

Carnivore’s major technical novelty is its apparent aggressive intent to avoid capturing data concerning those that are not the subjects of a wiretap order. It is functionally very similar to software written by Dr. Andrew Gross (of the Kevin Mitnick case) while he was the Principal Investigator of PICS in 1997.

Physically, Carnivore is a personal computer with a network interface, and ZIP or Jaz removable disk drive, running a version of the Microsoft Windows operating system, with the Carnivore software loaded. In order to use Carnivore, it must be physically attached to the network to be monitored. The Carnivore software has a Graphical User Interface (GUI) which presents the user with an easy-to-use way to describe the filters that are to be used in accepting (and recording) or rejecting network data seen by the system. The user interface was designed to be used by a less-technical user, such as an FBI Special Agent in the field. The version of Carnivore I saw, as it was described to me, had few provisions for remote access to the gathered data, but did have the capability to be monitored itself from a remote site via telephone. As described to me, this was so that the technical support staff at the ERF could assist with technical problems, and so the assigned Special Agent could determine when the removable media needed to be changed. This remote access method would also allow a remote user to change the filtering criteria from a remote site via a telephone call.

As described to me, all gathered data was written to a ZIP or JAZ removable disk drive, and the data would be physically collected by a Special Agent visiting the site. There are issues involving the collection, storage, custody, and admissibility of digital evidence. I believe that this physical collection of the evidence is a conscious effort to move this “digital” evidence into the realm of physical evidence, which is well understood by and more comfortable to the legal system. Although the system is capable of transmitting some gathered data via the telephone connection, this is impractical given the relative bandwidth of the telephone and the high-speed networks being monitored.

What is Carnivore Not?

Carnivore does not appear (on its face) to be an ECHELON-like “monitoring infrastructure”, capable of real-time monitoring of millions of phone calls and network connections. Based on my limited examination of Carnivore, and technical discussions with its developers, it appears to be a tool specifically designed to meet the rigid requirements of a Title III wiretap order. Such an order is supposed to be a narrowly drawn and rigidly interpreted permission from a judge to monitor the electronic activities of a specific person or persons.

Quite frankly, Carnivore appears to be the best available technology to try to implement the limited permissions to monitor granted by a judge. The device is capable of filtering out information concerning those not subject to the wiretap order.

However, Carnivore is just a tool, and its capabilities must be considered in the context of how it could be used, the potential for intentional and unintentional abuse, and the critical need to consider the privacy and constitutional rights of citizens.

Privacy is “Extrinsic” to technology

Carnivore is just a tool. It is a tool that appears to be designed to be able to allow the FBI to balance the rights of citizens against the permission to monitor granted by a judge in a wiretap order. However, it is how the tool is used that will actually determine whether or not the privacy of innocent and uninvolved people will be violated.

Carnivore has the ability to filter out all “un-allowed” information, but like any network sniffer, the actual data collected or rejected is a matter of the configuration of the device. It is obvious that there is nothing to stop a person from using Carnivore (or any other packet sniffing tool) to gather all the network information they can store.

The fundamental issue really boils down to:

How do we balance the government’s legitimate need to monitor suspects in ongoing criminal investigations without trampling the rights of other citizens who happen to share the Internet with them?

Carnivore appears to be an attempt to strike such a balance. However, it still may open too many possibilities for abuse, error and other unintended consequences.

Any technology, once created, can be abused. Automobiles enabled bank robbers in fleeing across state lines; and pagers, cellular and portable telephones enable the illegal drug dealer. Packet sniffers are one tool of the “hacker”, but are also needed by the network manager. These are all “dual-use” technologies, having both legitimate and non-legitimate uses. It is the use that determines intent and effect; the technology just enables the capabilities.

Of course, the ultimate concern of citizens should be the possibility of “mass monitoring” of all the users at an Internet Service Provider (ISP), a company, a University, or a state or a country. The technology already exists, it is simply a matter of time and money to deploy this technology on the scale required to achieve the goal.

The Internet is Different

The Internet is fundamentally different from the original analog telephone system. This is important to understand, because almost all of our legislation, legal precedent and practice in monitoring the Internet are derived from the old analog telephone system.

The telephone system is a collection of tightly integrated systems, operated by various companies, sharing a common switching technology. Without this underlying common technology, the various parts of the system would be unable to communicate with each other in order to provide a telephone connection between the callers. In the telephone world, a wiretap order is often implemented by the telephone service provider. In this case, the law enforcement agency delivers a directive to the operators of the subject’s telephone service provider, and the service provider performs whatever action is needed to provide access to the subject’s telephone calls. The calls are typically voice, not too frequent, and listened to in “real time” by people, in addition to any recordings that may be made. All of these factors provide a “gating” function that limits the scale and scope of any surveillance activities. It is simply infeasible for the government to implement wide-scale monitoring of large numbers of people, due to the need for cooperation from the telephone service providers and the labor-intensive nature of the surveillance. This is likely a major reason that the National Security Agency and other government agencies have long sponsored basic research in speech recognition.

However, the Internet is fundamentally different, and with Carnivore and other systems, the monitoring activity is different as well. It is apparent that the digital nature of the Internet allows a wider net to be cast, at a lower cost than in the telephone world. The Internet is a digital medium, and most of its data remains text-based. These two attributes combine to make it very easy to use computers to process large amounts of collected data. Textual data is much easier and cheaper to process than voice telephone, for example. Also, the government installs Carnivore with little or no participation from the Internet Service Provider (ISP). The ISP has no way of knowing what data is being gathered or who the target of the wiretap may be. As previously mentioned, the filtering done by Carnivore can be changed remotely, without the knowledge of the ISP, as well.

All of these factors combine to provide a capability that is broader and more scalable than in the analog telephone world, for which most of the wiretap statutes were written.

It is important to ensure that any digital wiretap capability and law does not allow what Dr. Steve Bellovin of AT&T calls “scaling up to oppression”. It should remain relatively expensive for the government to monitor its citizens, so that this capability will be reserved for those exceptional cases that warrant electronic surveillance and discourage casting a wide net that will gather in information about unintended bystanders.

Any digital wiretap systems and law must provide the same protections, checks and balances that exist in the telephone world. It is not obvious that this is currently the case. It seems likely that the “law of unintended consequences” applies and that current digital wiretap capabilities and legal constraints do not provide the same protections as in the telephonic environment.

Control, Oversight and Accountability

If a “dual-use” technology, such as Carnivore and other network monitoring tools exists, the only way to protect against mis-use is to find ways to discourage, or punish abuse.

This is explicitly embodied in current wiretap law, where there are consequences ranging from inadmissibility of evidence up to criminal prosecution for an improperly performed wiretap. But in order to impose these consequences, the improper activities must be discovered. Also, by the nature of a telephonic wiretap, the scope of the wiretap is limited to a small number of telephones and the people who use them. With a digital wiretap, such as Carnivore, only the FBI knows who is the subject of the wiretap, and whether or not data concerning other people is actually being gathered.

It would be trivial for the FBI to monitor ten or a hundred or a thousand (or more) people with a single Carnivore system, using a wiretap order which only authorized monitoring of a single subject. Essentially there is no way for any outside entity to know the configuration of the filters in a Carnivore system, or the true capabilities of the Carnivore system without examining the source code of the system during installation and during the monitoring itself.
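The two points made in "What is Carnivore?" and in this section (that a sniffer's output is entirely a matter of its active filter, and that an outside party cannot see that filter) can be made concrete with a small simulation. This is an added example, not Carnivore's code or anything described by the witness; the packet records, the two filter configurations and the fingerprint check are constructed here to show how an ISP-side audit could detect a filter that was widened after review.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    payload: bytes


# Constructed sample traffic: one subject (10.0.0.5) sharing the link
# with uninvolved users (10.0.0.7, 10.0.0.9). Addresses are illustrative.
TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", "smtp", b"From: subject@example.net"),
    Packet("10.0.0.7", "192.0.2.20", "http", b"GET /news HTTP/1.0"),
    Packet("192.0.2.10", "10.0.0.5", "smtp", b"250 OK"),
    Packet("10.0.0.9", "10.0.0.7", "http", b"GET /mail HTTP/1.0"),
]

# Hypothetical filter configs: a narrow one matching a single-subject order,
# and a broadened one that quietly sweeps in the other users on the link.
NARROW = {"subject_addrs": ["10.0.0.5"], "protocols": ["smtp"]}
BROAD = {"subject_addrs": ["10.0.0.5", "10.0.0.7", "10.0.0.9"],
         "protocols": ["smtp", "http"]}


def apply_filter(packets, config):
    """Keep packets to/from a listed subject on a listed protocol; drop the rest."""
    subjects = set(config["subject_addrs"])
    protos = set(config["protocols"])
    kept, dropped = [], []
    for p in packets:
        if (p.src in subjects or p.dst in subjects) and p.proto in protos:
            kept.append(p)
        else:
            dropped.append(p)
    return kept, dropped


def config_fingerprint(config):
    """SHA-256 over a canonical JSON form, so key order cannot hide a change."""
    canon = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def audited_collection(packets, config, reviewed_fp):
    """Collect only if the live filter still matches the fingerprint an
    outside reviewer recorded at installation; otherwise flag and collect nothing."""
    live_fp = config_fingerprint(config)
    if live_fp != reviewed_fp:
        return {"status": "config_changed", "fingerprint": live_fp, "kept": 0}
    kept, _ = apply_filter(packets, config)
    return {"status": "ok", "fingerprint": live_fp, "kept": len(kept)}


if __name__ == "__main__":
    reviewed = config_fingerprint(NARROW)
    print(audited_collection(TRAFFIC, NARROW, reviewed))
    print(audited_collection(TRAFFIC, BROAD, reviewed))
```

With the narrow filter only the subject's two SMTP packets are kept; swapping in the broad filter captures all four packets, and the fingerprint mismatch is the only externally visible sign of that change.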

Carnivore and Open Source

The ACLU and others have called for publication of or access to the source code of the Carnivore system. While interesting, this is unfortunately insufficient to determine the true capabilities of a particular Carnivore system as installed for any given wiretap order. A function of a Carnivore system is determined both by the program and the filter configuration active at any moment in time.

A one-time publication or review of the source code would provide only a “snapshot” of Carnivore’s capabilities, and it might be difficult to prove that the Carnivore program installed at an ISP was actually built from the sources reviewed. Since Carnivore is under constant development, the snapshot reviewed would be out-of-date within a few weeks. A review of the source code would not indicate the filters installed in a Carnivore system at any given time.

In the computer security and cryptography communities, no claims are accepted until programs or algorithms have undergone public scrutiny and peer review. Typically, security-relevant software then remains in the public purview, with many contributors making incremental improvements and continuing the review process. For our computers, and those at any site truly concerned with security, Open Source security tools are compiled from publicly available, peer-reviewed source code. These programs are widely trusted because it is believed that this public scrutiny would find and publicize most flaws and any “secret” functions. This affords a high level of confidence that these programs perform their stated functions properly, and do not perform any inappropriate functions.

It may be that to provide this level of confidence, the source code for Carnivore might need to become publicly available, and that ISPs be permitted to acquire, examine, compile and configure the Open Source Carnivore software. Interestingly, this is more analogous to the current telephonic wiretap (installed by the telephone service provider), than the current use of Carnivore.

Conclusion

The issue of Carnivore is not really about technology. It is really about the attempts of the government to extend its lawful and appropriate access to electronic communications into the digital Internet realm. It seems that in the process of applying laws, policies and procedures into the digital realm, the privacy of citizens has been eroded in ways not intended or permitted under the original wiretap legislation, current practice or Supreme Court decisions.

The FBI will always have to live with the legacy of the Hoover era, just as the Congress will have to constantly compare itself with the McCarthy hearings, and the Executive Branch must always remember Watergate. These and other incidents from our country’s history have contributed to an unfortunate general distrust of our public institutions when they concern themselves with the rights of our citizens.

I continue to have the utmost regard for the Special Agents it has been my good fortune to meet and work with. I understand and support their need for legal and proper access to the electronic communications of those subject to investigation for serious crimes. The challenge will be to provide the intended monitoring abilities that are reasonable and proper in the digital area.

Ladies and Gentlemen of the Subcommittee, thank you for your attention in the matter, and for the opportunity to provide this testimony.