Network Security
Defanging Carnivore
- From: Paul Howell
- Date: Tue Sep 26 07:05:15 2000
At http://www.salon.com/tech/view/2000/09/25/robert_graham/index.html
Defanging Carnivore
A security specialist explains why his open-source version
of the FBI's snooping technology is a victory for privacy
fans.
- - - - - - - - - - - -
By Sean Dugan
Sep. 25, 2000 | Robert Graham has hacking in his blood. In
1988, as a student at Oregon State University, he helped
fight the infamous Morris Worm -- an out-of-control
software program that nearly broke the Internet. But
Graham's security roots go back even further than
that: His grandfather was a code breaker who worked on
cracking Nazi communications during World War II.
Graham is the CTO of NetworkICE, a security company
he co-founded with Greg Gilliom and Clinton Lum to
provide "anti-hacking" services such as intrusion detection
software. Given his family background and his own
interests, one could understand that Graham might be
interested in anything related to cyber-snooping. But on
Tuesday Graham took his involvement to a whole new
level, inserting himself directly into the middle of the
charged debate over Carnivore -- the FBI's
much-maligned system for spying on the e-mails of
suspected criminals.
Graham released to the general public the source code to
"Altivore," a program that mimics all the capabilities of
Carnivore. Part protest against Carnivore's potential for
invasions of privacy and part defensive measure aimed at
subverting Carnivore, Altivore is the latest escalation of the
ongoing battle over just how much privacy we can expect
in cyberspace.
Graham, 33, is a veteran of the venerable minicomputer
maker Data General. He says that these days he doesn't
get out too much; he's too busy taking care of business at
NetworkICE. And yet somehow he found the time to write
and release Altivore.
Salon caught up with Graham the day after news about
Altivore's release broke. He was happy to explain why he
created the software, what he feels the real issues raised by
Carnivore are and why there should be a fundamental
human right to encryption.
What prompted you to write Altivore?
From one perspective, just to poke fun at the FBI. As we
describe it, it's like "outing" the FBI. The FBI has kept
everything secretive and behind their back rooms and black
boxes. We have said: The technology is not as complex as
people think. It's actually pretty simple. So we took little
bits and pieces from our existing source base of our
products -- it's all still "sniffing" -- and dropped it in a new
little program called Altivore and shipped the source code
for it, so everyone could see how it's done.
Also, to give ISPs [Internet service providers] an
alternative to the FBI. The FBI comes up with a search
warrant and really, what the FBI wants, is just the data.
They don't care how you get it. If the ISP can use Altivore
instead, they don't need to have this secretive black box on
the network.
Was it much of a technical challenge? You said on
your Web site that you wrote it in a weekend.
If I were to write it from scratch, it would take a little bit
longer. But since we're copying and pasting stuff that we
have already done -- little bits and pieces here and there --
it takes a lot less time.
How long have you been using this sniffer
technology?
The three founders of the company have been doing this
sort of thing for 10 years. I've done this 10 times before --
for me, even if it was from scratch, it would take me maybe
a couple [of] weekends, rather than one weekend. If you're
a gymnast, you can do a trick on the parallel bars -- you
just go ahead and do it, whereas it would take somebody
like me, for example, years to do the same trick.
Is it accurate to characterize Altivore as open-source
software?
That depends on someone's open-source definition. Right
now, we're holding the copyright close to our chest
because there are so many open-source licenses out there
to choose from. Right now, we're basically just "copyright:
us." I think we're looking at the BSD license, rather than
the GPL license.
Do you think the FBI is being completely honest
about what Carnivore does?
That's always the big question. In terms of technical
sophistication, it doesn't need to be technically
sophisticated to do what the FBI says it does. Now, you
can presume that it might do lots of other stuff that would
require more technical sophistication, but that debate goes
on more along the lines of Echelon. We believe that
Carnivore has no relationship to Echelon. Echelon is really
a content scanner looking for key words like "plutonium."
With Carnivore, you only get into a network once you have
a court order and the court order says something like
somebody's e-mail address. You'll never get a court order
for something like content scanning. If there's anything that
the FBI has that's like Echelon, it's not Carnivore -- it's
something else.
Do you think the concerns raised about Carnivore by
groups like the EFF and the ACLU are legitimate?
The main concern that the EFF and ACLU have is not
Carnivore -- it's the fact that the FBI can come in with a
court order in the first place and demand all your e-mail
traffic. That's their main concern; they don't care about the
technology. They make a lot of funny statements about the
technology which I'm amused about -- like the EFF said
that you can't scan for a single person's e-mail address and
sift it out of everyone else's e-mail -- but you actually can,
which Altivore shows.
Their main issue is the privacy debate -- should the
government have the right to sniff all of our traffic? More
importantly, encryption technology is becoming more and
more built into what we do. The real debate that we're
going to have to answer and address as a society at some
point is whether encryption is a fundamental human right.
Does the government have the right to peer into all of our
data or do we have the right to do our best to hide our data
-- hide our information, our e-mail and correspondences
from the government? NetworkICE is along the lines that
we should be considering this and we should think of this as
a human right.
What kinds of things should we be concerned about --
should we all really be encrypting our data? What are
the privacy concerns?
Your ISP is already looking at your e-mail. Back at my old
company, I would send e-mails to my girlfriend. And a
couple of the e-mails were a little bit mushy. One of the
e-mails got misdirected because there was a problem with
the server. The people maintaining our e-mail service
probably had to look at that e-mail in order to figure out why it
was misdirected. So, they probably read the e-mail
message. So, the moral of the story is whether it's the FBI,
or just the people trying to get your e-mail to you, people
are going to be reading your e-mail occasionally.
Therefore, if there's something in the e-mail message that
you don't want other people to read, you should encrypt it.
Returning to Echelon and Carnivore -- do you think it
will ever be possible to completely monitor the entire
Net? From a technical standpoint, are we moving in
that direction?
There's a lot of capabilities that can do some effective
monitoring, but ultimately, the Net is too big to monitor.
For example, if I send e-mail from my company to your
company, how does it go across the Internet? There's no
centralized point on the Internet where it's going to go
through; it follows a convoluted path. The FBI cannot put
enough little monitoring devices throughout the Internet to
monitor all the traffic. And if they did, the amount of traffic
is really, really huge. They can do some monitoring, but
ultimately they cannot log it all. They can't save all the
network traffic to a disk for later analysis.
That would be an awfully big hard drive.
That's one of the points about Echelon -- people don't
know what it is targeting. But, spying on diplomatic
channels is a very common thing. Spying on satellite
transmission has been very common. But if I've got fiber
optic cable between you and me, Echelon can't monitor
that fiber optic cable. Echelon itself is very limited in what it
can monitor. So, we'll never have pervasive monitoring, but
the government will try and do the best job they can --
that's what governments do.
Does creating Altivore put you in an awkward
position? On one side, you have the FBI. On the
other side, you have groups like the EFF. You seem
to be presenting this tool that allows snooping, but at
the same time, it's an alternative to the FBI's black
box.
That was one of our main fears in releasing Altivore.
Fundamentally, we're releasing a product whose sole
purpose is to spy on people. Which is interesting -- since
we're promoting it as a tool to defend against being spied
upon. You could easily misinterpret our intentions here and
say, "Hey, you're trying to help the FBI with spying." It's an
interesting position to be in. Ultimately, the FBI comes in
with a search warrant and the real, main issue is the search
warrant. They're going to get the data, no matter what.
They're going to use Carnivore, or get the ISP to do it for
them. Either way, they're going to get the data. We're not
actually helping the FBI do anything more than they can
already do.
So this is more about providing a choice to an ISP?
Right. As we say, our current products kick hackers off
your networks. Altivore kicks the FBI off your network.
- - - - - - - - - - - -
About the writer
Sean M. Dugan is senior research editor
at InfoWorld magazine and a freelance
writer. Send e-mail you don't mind the
FBI reading.