
Carnivore: Internet Wiretapping



Needs of law enforcement agencies
Individuals' privacy concerns
Emerging technology

To inform about the current technical, government, and public opinion state of U.S. Internet wiretapping policy through a case study of the FBI's Carnivore system
To discuss concerns about the current state of U.S. Internet wiretapping policy
To propose changes to improve the U.S. system of Internet wiretapping

Executive Background
When does the FBI use Carnivore?
The ISP cannot narrow sufficiently the information retrieved to comply with the court order
The ISP cannot receive sufficient information
The FBI does not want to disclose information to the ISP, as in a sensitive national security investigation

Executive Background
Full mode wiretap
Case agent consults with the Chief Division Counsel, and a Technically Trained Agent.

Pen mode wiretap

Case agent writes up a request with a justification for necessity

Executive Background
FBI shows a judge the relevance of the information
FBI shows a judge why traditional enforcement methods are insufficient
FBI submits a request with information such as target ISP, e-mail address, etc.
FBI waits 4-6 months

Hardware Architecture
A one-way tap into an Ethernet data stream
A general purpose computer to filter and collect data
One or more additional general purpose computers to control the collection and examine the data
A locked telephone link to connect the computers

Hardware Architecture
[Diagram labels: The Internet, Ethernet Switch, Tap, Other Network Segments, Target, Bystander]


Software Architecture
Functionality
Filtering
Filter Precedence
Output
Analysis

Software Architecture

Software Architecture
Fixed IP: Can choose a range of IP addresses.
Dynamic IP: If not in fixed IP mode, one can choose to include packets from in either RADIUS or DHCP mode.
Protocol Filtering: One can choose to include packets from TCP, UDP, and/or ICMP in either Full mode, Pen mode, or none.
Text Filtering: One can include packets that contain arbitrary text.
Port Filtering: One can select particular ports to include (e.g., 25 (SMTP), 80 (HTTP), 110 (POP3)).
E-mail address Filtering: One can select to include packets that contain a particular e-mail address in the to or from fields of an e-mail.
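The filter options listed above can be modelled as a small packet filter to see what each mode would leave on disk. This is an added example, not Carnivore code: the names are hypothetical, the packets are constructed, and two things the slides do not state are assumed, namely that the criteria combine conjunctively and that pen mode keeps addressing fields only while full mode also keeps the payload.

```python
import ipaddress

# Constructed sample traffic using documentation address ranges.
TARGET, BYSTANDER = "192.0.2.10", "192.0.2.77"

def pkt(proto, src, dst, sport, dport, payload):
    return {"proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "payload": payload}

SAMPLE_PACKETS = [
    pkt("TCP", TARGET, "198.51.100.5", 40001, 25, b"MAIL FROM:<user@example.org>"),
    pkt("TCP", BYSTANDER, "198.51.100.5", 40002, 25, b"MAIL FROM:<other@example.org>"),
    pkt("UDP", TARGET, "198.51.100.9", 40003, 53, b"dns query bytes"),
    pkt("TCP", TARGET, "198.51.100.7", 40004, 80, b"GET / HTTP/1.0"),
    pkt("ICMP", TARGET, "198.51.100.7", 0, 0, b"echo"),
]

# Hypothetical configuration mirroring the slide's options.
CONFIG = {
    "ip_range": "192.0.2.10/32",                     # Fixed IP: a range of addresses
    "protocol_modes": {"TCP": "full", "UDP": "pen"}, # unlisted protocol = none
    "ports": {25, 53},                               # empty set = any port
    "text": b"",                                     # empty = no text filter
}

def collect(cfg, packets):
    """Return the records a collector with this configuration would store."""
    net = ipaddress.ip_network(cfg["ip_range"])
    records = []
    for p in packets:
        mode = cfg["protocol_modes"].get(p["proto"], "none")
        if mode == "none":
            continue
        if not any(ipaddress.ip_address(p[k]) in net for k in ("src", "dst")):
            continue  # neither endpoint is in the configured range
        if cfg["ports"] and not {p["sport"], p["dport"]} & cfg["ports"]:
            continue
        if cfg["text"] and cfg["text"] not in p["payload"]:
            continue
        rec = {k: p[k] for k in ("proto", "src", "dst", "sport", "dport")}
        if mode == "full":
            rec["payload"] = p["payload"]  # content is stored only in full mode
        records.append(rec)
    return records

if __name__ == "__main__":
    for r in collect(CONFIG, SAMPLE_PACKETS):
        print(r)
```

Widening `ip_range` to `192.0.2.0/24` pulls the bystander's mail into the full-mode output, which is why the scope of the configured filter matters for minimization.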

Software Architecture
Filter Precedence
Output: .vor, .output, .error
Analysis: Packeteer, CoolMiner

Software Architecture
TapNDIS (written in C) is a kernel-mode driver which captures Ethernet packets as they are received, and applies some filtering.
TapAPI.dll (written in C++) provides the API for accessing the TapNDIS driver functionality from other applications.
Carnivore.dll (written in C++) provides functionality for controlling the intercept of raw data.
Carnivore.exe (written in Visual Basic) is the GUI for Carnivore.

Pen mode collection
Not strictly defined. Low standard for obtaining a court order for the interception of this information. Reporting of pen mode interceptions is minimal.

Minimization of interception:
No formal definition of minimization of search requirements. The minimization process only has optional judicial review. No requirements on who conducts the minimization.

FISA interceptions:
No notification requirement, unless information from the intercept will be used in a criminal trial. Completely confidential; the only information reported annually is the number of applications and the number of orders granted.

Trust
Ease of access
Loss of ISP control
Procedural


Antidote to Carnivore. Developed by Chain Mail firm, Virginia, US. To secure corporate data. Used to encrypt users' e-mail messages.

Technical Concerns
Wrong goals
Bad implementation
Hidden functionality

Technical Problems: Wrong Goals

No structured development process
No audit trails
Limited security of data

Technical Problems: Bad Implementation

Problems with high throughput
Standard Ethernet v. Full Duplex
Security of remote computer
Thwarted by crypto
RADIUS (analysis omitted from Illinois Report)

Hidden Functionality
TapAPI provides 45 entry points callable from Carnivore.dll; only 22 are used.
Commented-out code: more sophisticated filters, real-time viewer, case tracking

Public Policy Proposals

Trust
Ease of access
ISP control
Public awareness

Technical Proposals
Get goals right
Open source code
Tamper-proof the local data
Provide secure remote configuration
Auto-post logs to website

"If you're talking to someone in the next bathroom stall, the government shouldn't have to be able to listen in."
Robert Ellis Smith, Publisher, Privacy Journal