[ISN] Carnivore substitute keeps Feds honest

From: InfoSec News (isnat_private)
Date: Wed Oct 03 2001 - 00:21:45 PDT

    By Thomas C Greene in Washington
    Posted: 02/10/2001 at 20:32 GMT

    The Forensics Explorers division of CTX is ready to go to market with
    a Carnivore-like suite called NetWitness which, the company says, can
    enable ISPs to surrender to the Feds only those specific bits of
    information about a suspect which a court has authorized for

    The NetWitness package can separate data to ensure strict, minimal
    compliance with a pen register or trap and trace order, and later
    associate the original content if a search warrant or a wiretap
    warrant is issued, Forensics Explorers General Manager Mark Longworth
    told The Register.

    Because Carnivore is capable of capturing far more data than a pen
    register or trap and trace order is meant to make available, an ISP
    may well prefer to install its own kit rather than trust Carnivore
    operators to stick to the letter of the law.

    There are two chief problems with Carnivore in terms of
    over-collection, as we reported in a previous article. First is the
    fact that packet traffic belonging to perfectly innocent subscribers
    passes through it along with the suspect's data. Basically, we have to
    trust the FBI not to abuse this incidental access. The motive for them
    not to do so is the looming possibility of screwing up a prosecution;
    but now, in the wake of the 11 September atrocities, it's a fair bet
    that the Feds are going to get a good deal more latitude from the
    courts in borderline cases.

    The second problem is that we have no assurance that, when used in
    'pen mode', Carnivore doesn't capture more of the packet than its
    origin, destination and time of transmission. It's quite possible that
    the subject line of an e-mail memo would be captured, for instance.
    This certainly goes beyond what's understood as a pen register or trap
    and trace, where only the origins and destinations of phone calls are
    to be recorded.

    The FBI is exuberantly installing Carnivore on public networks now in
    pursuit of the Bearded Chupacabra. But it's reasonable that an ISP,
    however eager to cooperate in this venture, might well object to
    having a mysterious 'black box' installed on its lines. But the fact
    is, it doesn't have to, so long as it can provide the FBI with the
    data it's authorized to collect.

    Doing in-house surveillance can become a feature with which an ISP
    might differentiate itself from its competitors. For example, you the
    innocent subscriber can be assured that if a pen register is executed
    against someone else on the network, your e-mail isn't going to end up
    in the hands of the FBI. And if you're ever unfortunate enough to come
    under federal scrutiny, you can be assured that the FBI won't be
    getting any data beyond what's been legally authorized.

    There is no logical reason for the FBI to insist that an ISP use its
    black box. Phone companies don't let them install mysterious devices
    on their lines, and neither should ISPs. These collections are covered
    under the CALEA (Communications Assistance to Law Enforcement Act),
    which obligates communications providers to comply, all right; but
    that isn't the same as saying that only equipment cobbled together by
    the Feds can be used.

    The FBI's irrational devotion to Carnivore is most likely the result
    of needing to justify the development costs, which we're told were in
    the neighborhood of $3 million. Pushing it aggressively is essentially
    a way of denying that it's a sub-standard tool.

    The NetWitness kit is well within the reach of most ISPs; the
    collector sells for approximately $2,500 and the analysis station for
    between $35,00 and $45,000, Longworth told us. Network Ice offers a
    free do-it-yourself Carnivore kit, but this requires development
    effort. It may or may not end up cheaper than NetWitness, according to
    the efficiency of one's in-house geeks.

    ISN is currently hosted by Attrition.org