RE: [iwar] [fc:Carnivore.substitute.keeps.Feds.honest]

From: Kohlenberg, Toby (toby.kohlenberg@intel.com)
Date: 2001-10-02 22:01:18



Didn't Robert Graham formerly of NetworkICE, now of ISS, write a free
tool that offered the same functionality as Carnivore? Named something
like Altivore? 

Toby

All opinions are my own and in no way reflect the views of my employer.

-----Original Message-----
From: Fred Cohen [mailto:fc@all.net]
Sent: Tuesday, October 02, 2001 8:23 PM
To: iwar@onelist.com
Subject: [iwar] [fc:Carnivore.substitute.keeps.Feds.honest]


Carnivore substitute keeps Feds honest

By Thomas C Greene in Washington

Posted: 02/10/2001 at 20:32 GMT

The Forensics Explorers division of CTX is ready to go to market with a
Carnivore-like suite called NetWitness which, the company says, can
enable ISPs to surrender to the Feds only those specific bits of
information about a suspect which a court has authorized for collection. 

The NetWitness package can separate data to ensure strict, minimal
compliance with a pen register or trap and trace order, and later
associate the original content if a search warrant or a wiretap warrant
is issued, Forensics Explorers General Manager Mark Longworth told The
Register. 

Because Carnivore is capable of capturing far more data than a pen
register or trap and trace order is meant to make available, an ISP may
well prefer to install its own kit rather than trust Carnivore operators
to stick to the letter of the law. 

There are two chief problems with Carnivore in terms of over-collection,
as we reported in a previous article.  First is the fact that packet
traffic belonging to perfectly innocent subscribers passes through it
along with the suspect's data.  Basically, we have to trust the FBI not
to abuse this incidental access.  The motive for them not to do so is
the looming possibility of screwing up a prosecution; but now, in the
wake of the 11 September atrocities, it's a fair bet that the Feds are
going to get a good deal more latitude from the courts in borderline
cases. 

The second problem is that we have no assurance that, when used in 'pen
mode', Carnivore doesn't capture more of the packet than its origin,
destination and time of transmission.  It's quite possible that the
subject line of an e-mail memo would be captured, for instance.  This
certainly goes beyond what's understood as a pen register or trap and
trace, where only the origins and destinations of phone calls are to be
recorded. 

The FBI is exuberantly installing Carnivore on public networks now in
pursuit of the Bearded Chupacabra.  But it's reasonable that an ISP,
however eager to cooperate in this venture, might well object to having
a mysterious 'black box' installed on its lines.  But the fact is, it
doesn't have to, so long as it can provide the FBI with the data it's
authorized to collect. 

Doing in-house surveillance can become a feature with which an ISP might
differentiate itself from its competitors.  For example, you the
innocent subscriber can be assured that if a pen register is executed
against someone else on the network, your e-mail isn't going to end up
in the hands of the FBI.  And if you're ever unfortunate enough to come
under federal scrutiny, you can be assured that the FBI won't be getting
any data beyond what's been legally authorized. 

There is no logical reason for the FBI to insist that an ISP use its
black box.  Phone companies don't let them install mysterious devices on
their lines, and neither should ISPs.  These collections are covered
under the CALEA (Communications Assistance to Law Enforcement Act),
which obligates communications providers to comply, all right; but that
isn't the same as saying that only equipment cobbled together by the
Feds can be used. 

The FBI's irrational devotion to Carnivore is most likely the result of
needing to justify the development costs, which we're told were in the
neighborhood of $3 million.  Pushing it aggressively is essentially a
way of denying that it's a sub-standard tool. 

The NetWitness kit is well within the reach of most ISPs; the collector
sells for approximately $2,500 and the analysis station for between
$35,00 and $45,000, Longworth told us.  Network Ice offers a free
do-it-yourself Carnivore kit, but this requires development effort.  It
may or may not end up cheaper than NetWitness, according to the
efficiency of one's in-house geeks.  ®


------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:53 PST