Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Advisory Watch: March 27th, 2015
Linux Security Week: March 23rd, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Carnivore and Privacy: An Oxymoron? Print E-mail
User Rating:      How can I rate this item?
Features The US and UK governments want to install a device on public networks to monitor traffic for suspected criminal activities. But is that all they want to do? Chris Parker explains.

When one really thinks about it, the main reason for computer security is data privacy. People protect their systems so that unwanted people can't see data they're not authorized to see. Well, what if there was no way to protect your privacy because all incoming and outgoing data was being viewed by a third party. This is the potential power that the FBI wields.

Carnivore is a sealed box that the FBI installs at an ISP. The box filters packets, looking for emails of suspected criminals. Once emails from suspects are found, they are saved for decryption and analysis. The FBI claims that Carnivore is meant for nothing more than tapping the email of suspected criminals. Also built into Carnivore is a remote-access capability that allows FBI agents to check on the progress of the Carnivore system.

While it does need a court order to be used, ISPs dislike the idea of Carnivore because they have no way to ensure protection from Carnivore for their law-abiding customers. Also, ISPs feel that if Carnivore's only true purpose is to look for email addressed to or from a suspect, then there is no need for Carnivore because the ISP can do that for the FBI easily enough.

Another thing that is worrying people is the FBI's protest of the American Civil Liberties Union's (ACLU) Freedom of Information Act (FOIA) request for the source code of Carnivore's packet filtering program. If all Carnivore does is look for suspect's emails, why is the FBI so worried about the source code being released? Not only this is troublesome, but Carnivore has been active since 1999, with over 25 email-taps to date. It seems the FBI was trying to sneak Carnivore past the American people.

If FBI agents can access Carnivore remotely, what is stopping someone from cracking the system and tainting the evidence or even worse, use the system to spy on law-abiding citizens? If Carnivore does go into wide spread use, it will only be a matter of time before it is cracked. The chance to spy on 1000s of people will be too much to resist for crackers; it is probably too much to resist for the FBI.

Carnivore is not the first attempt at surveying email. The FBI has been trying to figure out the best way to tap email for a while; Carnivore is just their most recent attempt. Also, the UK is trying to get Regulation of Investigatory Powers (RIP) Bill passed.

The RIP Bill will allow UK authorities to monitor suspected criminals' email and other data connections. Similar to what the FBI are currently doing, the UK MI5 agency can put a Carnivore-like black box onto an ISP's network and then listen to all incoming and outgoing packets, looking for packets going to, or intended for, the suspect. Along with this, the RIP Bill will allow the MI5 agency to demand the encryption keys for encrypted data, or face 2 years in prison.

Once an employee gives the encryption code away, she isn't allowed to tell anyone, even management, or face 5 years imprisonment. This means that a company, who thinks their private, proprietary information is safe, may actually have their information being viewed by dozens of MI5 agents.

Critics of the bill say that it is pointless because the computer-literate criminals that this bill is supposed to help catch will easily be able to go undetected and keep their data private. A report that recently came out about the bill said that the bill will "undermine the privacy, safety and security of honest citizens and businesses."

With more and more people listening on private conversations and actions online, SSL and other forms of encryption are necessary to be truly secure. With the incredible impracticality of this, the only other solution is IP6, which does do secure encrypted connections for most types of packets.

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.