[RRE]Public Demo of Carnivore and Friends

  • Phil Agre
    Message 1 of 1, Oct 25, 2000
      [Because this message was sent through an anonymous remailer, and because
      of its substance, I am taking the liberty of assuming that it was meant
      for wide circulation. When evaluating its accuracy and authenticity, I
      guess you should take its anonymity into account. I have reformatted it.

      On a related topic, there's an article about the draft anti-hacking treaty
      at <http://www.msnbc.com/news/480734.asp>.]

      This message was forwarded through the Red Rock Eater News Service (RRE).
      You are welcome to send the message along to others but please do not use
      the "redirect" option. For information about RRE, including instructions
      for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html

      Date: Tue, 24 Oct 2000 19:31:43 -0400
      From: An Metet <anmetet@...>
      Comments: This message did not originate from the Sender address above.
      It was remailed automatically by anonymizing remailer software.
      Please report problems or inappropriate use to the
      remailer administrator at <abuse@...>.
      To: cypherpunks@...
      Subject: CDR: Public Demo of Carnivore and Friends

      FBI agent Marcus C. Thomas (who is mentioned in the EPIC FOIA
      documents) made a very interesting presentation at NANOG 20 yesterday
      morning, discussing Carnivore.

      Agent Thomas gave a demonstration of both Carnivore 1.34 (the
      currently deployed version) and Carnivore 2.0 (the development
      version) as well as some of the other DragonWare tools.

      Most of this information isn't new, but it demonstrates that the
      DragonWare tools can be used to massively analyze all network traffic
      accessible to a Carnivore box.

      The configuration screen of Carnivore shows that protocol information
      can be captured in 3 different modes: Full, Pen, and None. There are
      check boxes for TCP, UDP, and ICMP.

      Carnivore can be used to capture all data sent to or from a given IP
      address, or range of IP addresses.

      It can be used to search on information in the traffic, doing matching
      against text entered in the "Data Text Strings" box. This, the agent
      assured us, was so that web mail could be identified and captured, but
      other browsing could be excluded.

      It can be used to automatically capture telnet, POP3, and FTP logins
      with the click of a check box.

      It can monitor mail to and/or from specific email addresses.

      It can be configured to monitor based on IP address, RADIUS username,
      MAC address, or network adaptor.

      IPs can be manually added to a running Carnivore session for

      Carnivore allows for monitoring of specific TCP or UDP ports and port
      ranges (with drop-down boxes for the most common protocols).

      Carnivore 2.0 is much the same, but the configuration menu is cleaner,
      and it allows Boolean statements for exclusion filter creation.

      --

      The Packeteer program takes raw network traffic dumps, reconstructs
      the packets, and writes them to browsable files.

      CoolMiner is the post-processor session browser. The demo was version
      1.2SP4. CoolMiner has the ability to replay a victim's steps while
      web browsing or chatting on ICQ, Yahoo Messenger, AIM, or IRC. It can step
      through telnet sessions, AOL account usage, and NetMeeting. It can
      display information sent to a network printer. It can process NetBIOS

      CoolMiner displays summary usage, broken down by origination and
      destination IP addresses, which can be selectively viewed.

      Carnivore usually runs on Windows NT Workstation, but could run on
      Windows 2000.

      Some choice quotes from Agent Thomas:

      "Non-relevant data is sealed from disclosure."

      "Carnivore has no active interaction with any devices on the network."

      "In most cases Carnivore is only used with a Title III. The FBI
      will deploy Carnivore without a warrant in cases where the victim
      is willing to allow a Carnivore box to monitor his communication."

      "We rely on the ISP's security [for the security of the Carnivore

      "We aren't concerned about the ISP's security."

      When asked how Carnivore boxes were protected from attack, he said
      that the only way they were accessible was through dialup or ISDN.
      "We could take measures all the way up to encryption if we thought it
      was necessary."

      While it doesn't appear that Carnivore uses a dial-back system to
      prevent unauthorized access, Thomas mentioned that the FBI sometimes
      "uses a firmware device to prevent unauthorized calls."

      When asked to address the concerns that FBI agents could modify
      Carnivore data to plant evidence, Thomas reported that Carnivore
      logs FBI agents' access attempts. The FBI agent access logs for
      the Carnivore box become part of the court records. When asked
      the question "It's often common practice to write back doors into
      [software programs]. How do we know you aren't doing that?", Thomas
      replied "I agree 100%. You're absolutely right."

      When asked why the FBI would not release source, he said: "We don't
      sell guns, even though we have them."

      When asked: "What do you do in cases where the subject is using
      encryption?" Thomas replied, "This suite of devices can't handle
      that". I guess they hand it off to the NSA.

      He further stated that about 10% of the FBI's Carnivore cases are
      thwarted by the use of encryption, and that it is "more common to
      find encryption when we seize static data, such as on hard drives."

      80% of Carnivore cases have involved national security.

      --

      Also of interest was a network diagram that looked very similar to the
      one in the EPIC FOIA document at
      http://www.epic.org/privacy/carnivore/omnivorecapabilities1.html,
      except that there was no redaction of captions.

      --

      Marcus Thomas can be contacted for questions at mthomas@... or at
      (730) 632-6091. He is "usually at his desk."
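The filter semantics the message reports (per-protocol Full/Pen/None capture modes, IP-range and port selectors, the "Data Text Strings" match, and the 2.0 Boolean exclusion filter) modelled as a minimising collector run over constructed packets. This is an added illustration, not code from the message or from the FBI's tools; the exact mode semantics, the FilterConfig/capture names and the sample traffic are assumptions made here.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
# Constructed packet shape: proto is "TCP", "UDP" or "ICMP"; payload is bytes.
Packet = namedtuple("Packet", "proto src dst dport payload")
@dataclass
class FilterConfig:
    modes: dict            # proto -> "Full" | "Pen" | "None" (semantics assumed)
    ip_ranges: list        # ipaddress networks to watch; empty = any address
    ports: set             # destination ports to watch; empty = any port
    text_strings: list     # "Data Text Strings": payload substrings, Full mode only
    exclude: object = None # Boolean exclusion predicate, as in the 2.0 filter menu

def in_scope(cfg, pkt):
    """Address, port and exclusion selectors; they apply in every mode."""
    ips = (ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst))
    if cfg.ip_ranges and not any(ip in net for ip in ips for net in cfg.ip_ranges):
        return False
    if cfg.ports and pkt.dport not in cfg.ports:
        return False
    return not (cfg.exclude and cfg.exclude(pkt))

def capture(cfg, packets):
    """Pen mode keeps addressing only; Full keeps payload matching a text
    string (or all payload if no strings are set); None drops the packet."""
    kept = []
    for pkt in packets:
        mode = cfg.modes.get(pkt.proto, "None")
        if mode == "None" or not in_scope(cfg, pkt):
            continue
        if mode == "Pen":
            kept.append((pkt.proto, pkt.src, pkt.dst, pkt.dport, None))
        elif not cfg.text_strings or any(s in pkt.payload for s in cfg.text_strings):
            kept.append((pkt.proto, pkt.src, pkt.dst, pkt.dport, pkt.payload))
    return kept
SAMPLE = [  # constructed traffic from two hosts on an ISP segment
    Packet("TCP", "10.0.0.5", "192.0.2.10", 80, b"GET /mail/inbox HTTP/1.0"),
    Packet("TCP", "10.0.0.5", "192.0.2.11", 80, b"GET /mail/inbox HTTP/1.0"),
    Packet("UDP", "10.0.0.5", "192.0.2.53", 53, b"query example.net"),
    Packet("TCP", "10.0.0.5", "192.0.2.10", 80, b"GET /news HTTP/1.0"),
    Packet("TCP", "10.0.0.9", "192.0.2.10", 80, b"GET /mail/inbox HTTP/1.0"),
]
CFG = FilterConfig(
    modes={"TCP": "Full", "UDP": "Pen"},               # ICMP unchecked -> None
    ip_ranges=[ipaddress.ip_network("10.0.0.0/29")],   # covers 10.0.0.0-10.0.0.7
    ports={80, 53},
    text_strings=[b"/mail/"],
    exclude=lambda p: p.dst == "192.0.2.11",           # 2.0-style exclusion rule
)
```

With CFG, only the web-mail request from the watched host survives with its payload, the DNS query survives as a pen-register record without content, and the excluded destination, the non-mail browsing and the out-of-range host are all dropped.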