>X-Mailer: exmh version 2.0.2 2/24/98
>Subject: fyi: FC: FBI agent reportedly gives public demo of Carnivore
>To: saag@lists.tislabs.com
>Reply-to: saag@lists.tislabs.com
>From: Jeff.Hodges@KingsMountain.com
>Date: Wed, 25 Oct 2000 11:42:01 -0700
>Sender: owner-saag@lists.tislabs.com
>
>------- Forwarded Message
>
>Date: Tue, 24 Oct 2000 23:56:30 -0400
>To: politech@politechbot.com
>From: Declan McCullagh <declan@well.com>
>Subject: FC: FBI agent reportedly gives public demo of Carnivore
>Cc: mthomas@fbi.gov
>Reply-To: declan@well.com
>X-URL: Politech is at http://www.politechbot.com/
>
>[NANOG is the North American Network Operators Group; their most recent
>meeting was October 22 through October 24. --Declan]
>
>********
>
>Date: Tue, 24 Oct 2000 19:31:43 -0400
>From: An Metet <anmetet@mixmaster.shinn.net>
>Comments: This message did not originate from the Sender address above.
>It was remailed automatically by anonymizing remailer software.
>Please report problems or inappropriate use to the
>remailer administrator at <abuse@mixmaster.shinn.net>.
>To: cypherpunks@einstein.ssz.com
>Subject: CDR: Public Demo of Carnivore and Friends
>
>FBI agent Marcus C. Thomas (who is mentioned in the EPIC FOIA documents)
>made a very interesting presentation at NANOG 20 yesterday morning,
>discussing Carnivore.
>
>Agent Thomas gave a demonstration of both Carnivore 1.34 (the currently
>deployed version) and Carnivore 2.0 (the development version) as well as
>some of the other DragonWare tools.
>
>Most of this information isn't new, but it demonstrates that the
>DragonWare tools can be used to massively analyze all network traffic
>accessible to a Carnivore box.
>
>The configuration screen of Carnivore shows that protocol information can
>be captured in 3 different modes: Full, Pen, and None. There are check
>boxes for TCP, UDP, and ICMP.
>
>Carnivore can be used to capture all data sent to or from a given IP
>address, or range of IP addresses.
>
>It can be used to search on information in the traffic, doing matching
>against text entered in the "Data Text Strings" box. This, the agent
>assured us, was so that web mail could be identified and captured, but
>other browsing could be excluded.
>
>It can be used to automatically capture telnet, pop3, and FTP logins with
>the click of a check box.
>
>It can monitor mail to and/or from specific email addresses.
>
>It can be configured to monitor based on IP address, RADIUS username, MAC
>address, or network adaptor.
>
>IPs can be manually added to a running Carnivore session for monitoring.
>
>Carnivore allows for monitoring of specific TCP or UDP ports and port
>ranges (with drop down boxes for the most common protocols).
>
>Carnivore 2.0 is much the same, but the configuration menu is cleaner, and
>it allows Boolean statements for exclusion filter creation.
>
>- --
>
>The Packeteer program takes raw network traffic dumps, reconstructs the
>packets, and writes them to browsable files.
>
>CoolMiner is the post-processor session browser. The demo was version
>1.2SP4. CoolMiner has the ability to replay a victim's steps while web
>browsing, chatting on ICQ, Yahoo Messenger, AIM, IRC. It can step through
>telnet sessions, AOL account usage, and Netmeeting. It can display
>information sent to a network printer. It can process netbios data.
>
>CoolMiner displays summary usage, broken down by origination and
>destination IP addresses, which can be selectively viewed.
>
>Carnivore usually runs on Windows NT Workstation, but could run on Windows
>2000.
>
>Some choice quotes from Agent Thomas:
>
>"Non-relevant data is sealed from disclosure."
>
>"Carnivore has no active interaction with any devices on the network."
>
>"In most cases Carnivore is only used with a Title III. The FBI will
>deploy Carnivore without a warrant in cases where the victim is willing to
>allow a Carnivore box to monitor his communication."
>
>"We rely on the ISP's security [for the security of the Carnivore box]."
>
>"We aren't concerned about the ISP's security."
>
>When asked how Carnivore boxes were protected from attack, he said that
>the only way they were accessible was through dialup or ISDN. "We could
>take measures all the way up to encryption if we thought it was
>necessary."
>
>While it doesn't appear that Carnivore uses a dial-back system to prevent
>unauthorized access, Thomas mentioned that the FBI sometimes "uses a
>firmware device to prevent unauthorized calls."
>
>When asked to address the concerns that FBI agents could modify Carnivore
>data to plant evidence, Thomas reported that Carnivore logs FBI agents'
>access attempts. The FBI agent access logs for the Carnivore box become
>part of the court records. When asked the question "It's often common
>practice to write back doors into [software programs]. How do we know you
>aren't doing that?", Thomas replied "I agree 100%. You're absolutely
>right."
>
>When asked why the FBI would not release source, he said: "We don't sell
>guns, even though we have them."
>
>When asked: "What do you do in cases where the subject is using
>encryption?" Thomas replied, "This suite of devices can't handle that." I
>guess they hand it off to the NSA.
>
>He further stated that about 10% of the FBI's Carnivore cases are thwarted
>by the use of encryption, and that it is "more common to find encryption
>when we seize static data, such as on hard drives."
>
>80% of Carnivore cases have involved national security.
>
>- --
>
>Also of interest was a network diagram that looked very similar to the one
>in the EPIC FOIA document at
>http://www.epic.org/privacy/carnivore/omnivorecapabilities1.html , except
>that there was no redaction of captions.
>
>- --
>
>Marcus Thomas can be contacted for questions at mthomas@fbi.gov or at
>(730) 632-6091. He is "usually at his desk."
>
=============================================================================
"inet-admins" Internet access mailing list. Maintained by East Connection ISP.
Mail "unsubscribe inet-admins" to Majordomo@info.east.ru if you want to quit.
Archive is accessible on http://info.east.ru/rus/inetadm.html