

Carnivore: A System Admin's Concerns

by Mike DeGraw-Bertsch

You've probably read a good deal about Carnivore, and know that the FBI's scheme to grab and save the Internet traffic (email, web page requests, newsgroup posts) of suspected criminals has drawn the wrath of civil libertarians.

System administrators are already familiar with the technology Carnivore emulates, and it's worth noting that the power it grants federal authorities -- the ability to grab and read a user's Internet traffic -- is already in the hands of system administrators. Apparently, we trust ourselves and our fellow system administrators more than we trust the Feds, even though the FBI needs a court order to access this information while the average administrator only needs a few spare minutes.

The technology behind Carnivore is not especially sophisticated. Carnivore is essentially a packet-sniffer with a bunch of built-in filters. A packet-sniffer is a tool that captures, or "sniffs," the traffic on a network.

Carnivore's filters ensure the system is complying with the court order under which it operates and only the allowed communications are intercepted. The FBI sets one filter, so only the suspect's data is captured. Other filters then limit the types of data that can be captured -- email, web pages, whatever. Finally, even more specific filters are set to look for certain keywords, or communications from specified parties.

If this works correctly, it means the FBI would nab email about a suspect's drug flight into Texas, while it would not see email about that suspect's virtual love affair with his neighbor on Usenet.
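To make the layered filtering concrete, here is an added model of that filter chain (it is not Carnivore's code, and the addresses, parties and messages are constructed for the example). A suspect filter runs first, then a traffic-type filter, then the named-party and keyword filters, and every excluded packet is logged with the stage that dropped it, which is the audit trail an ISP or court would want to see.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    service: str      # "smtp", "http", "nntp" (constructed labels)
    parties: tuple    # (sender, recipient) as seen in the protocol
    payload: str

@dataclass
class Order:
    suspect_ip: str
    services: frozenset                      # traffic types the order permits
    named_parties: frozenset = frozenset()   # empty means any party
    keywords: frozenset = frozenset()        # empty means any content

def check(pkt, order):
    """Return None if the packet is within the order's scope, otherwise the
    name of the filter stage that excluded it."""
    if order.suspect_ip not in (pkt.src, pkt.dst):
        return "suspect"           # not the suspect's traffic at all
    if pkt.service not in order.services:
        return "service"           # a traffic type the order does not cover
    if order.named_parties and not (set(pkt.parties) & order.named_parties):
        return "party"             # none of the named individuals involved
    if order.keywords and not any(k in pkt.payload.lower() for k in order.keywords):
        return "keyword"           # content outside the order's subject
    return None

def run_order(packets, order):
    """Split traffic into (captured, audit); audit records why each
    excluded packet was dropped."""
    captured, audit = [], []
    for p in packets:
        reason = check(p, order)
        if reason is None:
            captured.append(p)
        else:
            audit.append((p, reason))
    return captured, audit

# Constructed sample traffic; 10.0.0.5 stands in for the suspect's address.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.25", "smtp", ("suspect@example.net", "john.doe@example.org"),
           "Flight lands in Texas Tuesday, bring the cash"),
    Packet("10.0.0.5", "192.0.2.119", "nntp", ("suspect@example.net", "alt.romance"),
           "Meet me at the usual place tonight"),
    Packet("10.0.0.7", "192.0.2.25", "smtp", ("other@example.net", "john.doe@example.org"),
           "flight schedule attached"),
]
ORDER = Order("10.0.0.5", frozenset({"smtp"}), frozenset({"john.doe@example.org"}),
              frozenset({"flight", "texas"}))
```

Running `run_order(SAMPLE, ORDER)` captures only the first message: the Usenet post is dropped at the service stage and the third party's mail at the suspect stage.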

What Gives Them The Right?

Just as with a phone wiretap, the FBI must get the authorization of a federal judge to use Carnivore. To get this court order, they must convince the judge that they have probable cause for certain federal felonies. Further, other surveillance techniques must prove either too dangerous or ineffective. If those criteria are met, the FBI is limited to intercepting only communications between the suspect and other named individuals, via specific means. For example, the order may specify that only newsgroup messages between the suspect and John Doe may be intercepted.

Beyond the above requirements, the court order lasts a maximum of 30 days (plus a potential 30-day extension), and the FBI is often required to provide progress reports every 7 to 10 days to the judge that issued the order. If the judge feels the desired information has been obtained, he may terminate the order prematurely.

Once it has federal authorization, the FBI then needs permission from the suspect's ISP. This step is often avoided in the case of wiretaps because of long-standing agreements between the Bells and the FBI. Certain ISPs, such as EarthLink, have public policies refusing to allow Carnivore. However, the only way they can legally do this is if they can provide the FBI with the same data Carnivore would otherwise gather. So while Carnivore is only put into place for a specific reason for specific times, EarthLink can monitor all of its customers, all of the time. Who's worse: the Fed or the private industry, selling all of your data to marketers?

If an ISP should refuse to allow Carnivore, and cannot provide the necessary data, the FBI can obtain a court order forcing the ISP to allow them to install Carnivore.


But can we trust the FBI to respect those limits? Some of its comments about Carnivore suggest that the FBI is not even sure about the technology they're using, and unaware how many others have the same power. The good news is, the system is easy enough to defeat for anyone willing to take a few precautionary measures.

Carnivore's care and feeding

Last year, I got a peek at Carnivore when FBI agents gave a talk in the Cyber Law and Society class I was taking at Harvard. Supervisory Special Agent Barry Smith and an associate told us the rise in Internet communications threatens the FBI's ability to fight crime, and Carnivore is one of the ways they hope to keep up. As more communication goes online, criminals are taking their activities there -- for planning, communication, and execution. Groove is useful for collaborative programming, but it could just as easily be used to plan a terrorist attack across international borders.

To install Carnivore at an Internet service provider, the FBI has to obtain a warrant, similar to a wiretap. (See the sidebar, "What Gives Them the Right?" for more details on the legalities.) The FBI asks the ISP to isolate the suspect's connection to a "quiet" part of its LAN. This allows the FBI to connect without being overly obtrusive, and prevents its machine from being pelted with a lot of uninteresting data.

From there, the agency configures the necessary filters, then pushes the Monitor button. A stats screen pops up, and every day the captured data is written to a Zip disk. A field agent retrieves the disk and inserts a fresh one each day or week, taking the full disk back to the office for analysis.

My security concerns

Sounds simple enough. But as a system administrator, I have a few concerns.

The first is that Carnivore runs on NT. As a Unix administrator, I see this as a very bad thing. Windows NT has many well-known security flaws, and the Carnivore machine itself could be compromised unless all security patches are applied when they're made available. Even then, unpublished flaws (without patches) leave the machine vulnerable. The FBI says it puts a firewall between the Carnivore box and the rest of the ISP, and a team of security experts tends to NT patches. Even so, if you're not concerned about the FBI reading your email, you should be concerned that the Carnivore box could be hacked.

My second concern is that, depending on how the filters are set, Carnivore can capture any amount of data the FBI would like. The agents said Carnivore "only connects at Ethernet speeds," as if to suggest this limits the amount of data the agency can grab. This struck a chord, so I asked about it after their talk. After saying that OC-128 and Gigabit Ethernet are faster (to which I replied with a glare), he said that Carnivore sees too much data to store it all, and the FBI couldn't archive it. I pointed out that a 40-gigabyte hard drive costs only $150 these days, but he responded "we don't have time to look at all that data." I didn't want to argue more, or tell them about Perl.

