FC: FBI agent reportedly gives public demo of Carnivore


From: karee (karee@tstonramp.com)
Date: Wed Oct 25 2000 - 10:55:30 PDT

[Methinks the FBI is trying to dispel the 'evilness' of Carnivore by
being friendly. Reading it, you realize however, just how sinister this
little device is. Capturing login/password for different services,
doing an NMAP scan and then some, and what was an interesting legal
quandary to me..

' IPs can be manually added to a running Carnivore session for
monitoring. ' -- Doesn't bug you? Just think about it this way.

Given my class on Con law, I understood that an officer had to get a
warrant for each house searched. If he screwed up, he needed to get
another warrant. If more houses come into purview, more warrants.
Unless this is changed, I fail to see how IP addresses can be treated so
indifferently. Where is the control of abuse? Hell, you have an Agent
searching out a local ip range for all that 'illegal terrorist action'
that is going on over the net (it's just so prevalent, you know) and they
decide they need to include another range of addresses. It's like
searching other homes, but this time, no process of law, just arbitrary
decision making. Anyone else see this as an issue?

Here's another beauty:
"In most cases Carnivore is only used with a Title III. The FBI will
deploy Carnivore without a warrant in cases where the victim is willing
to allow a Carnivore box to monitor his communication."

-- Um. No. Let's try again. I'll admit that there is a percentage of
the population willing to be this stupid, but this is just rife with
abuse. If I was a victim of a crime, the last thing I'd want is someone
monitoring me.

"We rely on the ISP's security [for the security of the Carnivore box]."

*scream* Ok. Someone needs to clue Mr. Thomas in on a few central
facts. All ISPs are not equally secure. What does that mean? Well,
judging by the permissive statement said here, it means that Joe
hacker, should he find out about a Carnivore box at his local ISP, can
have a grand ol' time trying to find the information. Hell, if I was
that much into the scene, I can't say I'd not be tempted. It's bits.
More so, it's bits that, if found, could destroy the government in one fell
swoop. Leave open the possibility that hackers can get personal
information of potentially -innocent- individuals b/c the Federal Bureau
of Incompetence is leaving the security requirements to the ISP, and
well, no more Carnivore. I can't wait till we get some court cases on

Alright, end rant. This one grinds me. -BB]

[NANOG is the North American Network Operators Group; their most recent
meeting was October 22 through October 24. --Declan]


Date: Tue, 24 Oct 2000 19:31:43 -0400
From: An Metet <anmetet@mixmaster.shinn.net>
Comments: This message did not originate from the Sender address above.
It was remailed automatically by anonymizing remailer software.
Please report problems or inappropriate use to the
remailer administrator at <abuse@mixmaster.shinn.net>.
To: cypherpunks@einstein.ssz.com
Subject: CDR: Public Demo of Carnivore and Friends

FBI agent Marcus C. Thomas (who is mentioned in the EPIC FOIA documents)
made a very interesting presentation at NANOG 20 yesterday morning,
discussing Carnivore.

Agent Thomas gave a demonstration of both Carnivore 1.34 (the currently
deployed version) and Carnivore 2.0 (the development version) as well as
some of the other DragonWare tools.

Most of this information isn't new, but it demonstrates that the
DragonWare tools can be used to massively analyze all network traffic
accessible to a Carnivore box.

The configuration screen of Carnivore shows that protocol information can
be captured in 3 different modes: Full, Pen, and None. There are check
boxes for TCP, UDP, and ICMP.

Carnivore can be used to capture all data sent to or from a given IP
address, or range of IP addresses.

It can be used to search on information in the traffic, doing matching
against text entered in the "Data Text Strings" box. This, the agent
assured us, was so that web mail could be identified and captured, but
other browsing could be excluded.

It can be used to automatically capture telnet, pop3, and FTP logins at
the click of a check box.

It can monitor mail to and/or from specific email addresses.

It can be configured to monitor based on IP address, RADIUS username,
address, or network adaptor.

IPs can be manually added to a running Carnivore session for monitoring.

Carnivore allows for monitoring of specific TCP or UDP ports and port
ranges (with drop down boxes for the most common protocols).

Carnivore 2.0 is much the same, but the configuration menu is cleaner, and
it allows Boolean statements for exclusion filter creation.


The Packeteer program takes raw network traffic dumps, reconstructs the packets, and writes them to browsable files.

CoolMiner is the post-processor session browser. The demo was version 1.2SP4. CoolMiner has the ability to replay a victim's steps while web browsing, chatting on ICQ, Yahoo Messenger, AIM, IRC. It can step through telnet sessions, AOL account usage, and Netmeeting. It can display information sent to a network printer. It can process netbios data.

CoolMiner displays summary usage, broken down by origination and destination IP addresses, which can be selectively viewed.

Carnivore usually runs on Windows NT Workstation, but could run on Windows 2000.

Some choice quotes from Agent Thomas:

"Non-relevant data is sealed from disclosure."

"Carnivore has no active interaction with any devices on the network."

"In most cases Carnivore is only used with a Title III. The FBI will deploy Carnivore without a warrant in cases where the victim is willing to allow a Carnivore box to monitor his communication."

"We rely on the ISP's security [for the security of the Carnivore box]."

"We aren't concerned about the ISP's security."

When asked how Carnivore boxes were protected from attack, he said that the only way they were accessible was through dialup or ISDN. "We could take measures all the way up to encryption if we thought it was necessary."

While it doesn't appear that Carnivore uses a dial-back system to prevent unauthorized access, Thomas mentioned that the FBI sometimes "uses a firmware device to prevent unauthorized calls."

When asked to address the concerns that FBI agents could modify Carnivore data to plant evidence, Thomas reported that Carnivore logs FBI agents' access attempts. The FBI agent access logs for the Carnivore box become part of the court records. When asked the question "It's often common practice to write back doors into [software programs]. How do we know you aren't doing that?", Thomas replied "I agree 100%. You're absolutely right."

When asked why the FBI would not release source, he said: "We don't sell
guns, even though we have them."

When asked: "What do you do in cases where the subject is using encryption?" Thomas replied, "This suite of devices can't handle that." I guess they hand it off to the NSA.

He further stated that about 10% of the FBI's Carnivore cases are thwarted by the use of encryption, and that it is "more common to find encryption
when we seize static data, such as on hard drives."

80% of Carnivore cases have involved national security.


Also of interest was a network diagram that looked very similar to the one in the EPIC FOIA document at http://www.epic.org/privacy/carnivore/omnivorecapabilities1.html , except that there was no redaction of captions.


Marcus Thomas can be contacted for questions at mthomas@fbi.gov or at (730) 632-6091. He is "usually at his desk."
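[Added illustration, not part of the forwarded post and not Carnivore's code: a toy Python filter modelled on the configuration options the post describes (Full/Pen/None capture modes, IP address ranges, port lists, "Data Text Strings" matching, and automatic POP3/FTP login capture). The packets, addresses and credentials below are constructed for the example, and the filter field names are assumptions. Telnet login capture is left out because telnet sends keystrokes one character at a time and would need session reassembly, which this example does not attempt.]

```python
"""Toy Carnivore-style capture filter (added example, not Carnivore's code).

Packets are minimal IPv4/TCP frames built inline; field names are assumed.
"""
import ipaddress
import re
import struct
from dataclasses import dataclass, field


def build_tcp_packet(src, dst, sport, dport, payload=b""):
    """Construct a minimal IPv4+TCP packet (checksums left zero) for the demo."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18,
                          8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Pull addresses, ports and payload out of an IPv4 packet (TCP only)."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    if proto != 6:
        return {"src": src, "dst": dst, "proto": proto,
                "sport": None, "dport": None, "payload": b""}
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    doff = (raw[ihl + 12] >> 4) * 4
    return {"src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "payload": raw[ihl + doff:]}


@dataclass
class Filter:
    """Assumed filter shape mirroring the options listed in the post."""
    mode: str = "Pen"                      # "Full", "Pen", or "None"
    networks: list = field(default_factory=list)  # ip_network objects; empty = any
    ports: set = field(default_factory=set)       # empty = any port
    text_strings: list = field(default_factory=list)  # payload must contain one
    capture_logins: bool = False           # POP3/FTP USER/PASS extraction


LOGIN_RE = re.compile(rb"^(USER|PASS)\s+(\S+)", re.MULTILINE)


def apply_filter(flt, packets):
    """Return (records, credentials) for packets that match flt.

    Pen mode keeps only addressing data; Full mode also keeps the payload.
    """
    records, creds = [], []
    if flt.mode == "None":
        return records, creds
    for raw in packets:
        p = parse_packet(raw)
        addrs = (ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"]))
        if flt.networks and not any(a in n for a in addrs for n in flt.networks):
            continue
        if flt.ports and not ({p["sport"], p["dport"]} & flt.ports):
            continue
        if flt.text_strings and not any(s in p["payload"] for s in flt.text_strings):
            continue
        rec = {k: p[k] for k in ("src", "dst", "proto", "sport", "dport")}
        if flt.mode == "Full":
            rec["payload"] = p["payload"]
        records.append(rec)
        # Login capture: plain-text USER/PASS commands on FTP (21) and POP3 (110).
        if flt.capture_logins and p["dport"] in (21, 110):
            for kw, val in LOGIN_RE.findall(p["payload"]):
                creds.append((p["src"], p["dport"], kw.decode(), val.decode()))
    return records, creds


# Constructed sample traffic (addresses and credentials are made up).
SAMPLE_PACKETS = [
    build_tcp_packet("10.0.0.5", "192.0.2.10", 40001, 110, b"USER alice\r\n"),
    build_tcp_packet("10.0.0.5", "192.0.2.10", 40001, 110, b"PASS hunter2\r\n"),
    build_tcp_packet("10.0.0.7", "192.0.2.20", 40002, 80,
                     b"GET /mail/inbox HTTP/1.0\r\nHost: webmail.example\r\n\r\n"),
    build_tcp_packet("10.0.0.7", "192.0.2.20", 40003, 80, b"GET /news HTTP/1.0\r\n\r\n"),
    build_tcp_packet("10.0.1.9", "192.0.2.30", 40004, 21, b"USER bob\r\n"),
]


def demo():
    """Run three filters over the sample traffic and return their results."""
    pen = Filter(mode="Pen", networks=[ipaddress.ip_network("10.0.0.0/24")])
    pen_records, _ = apply_filter(pen, SAMPLE_PACKETS)
    # Full content, but only port 80 and only packets mentioning "webmail".
    full = Filter(mode="Full", networks=[ipaddress.ip_network("10.0.0.0/24")],
                  ports={80}, text_strings=[b"webmail"])
    full_records, _ = apply_filter(full, SAMPLE_PACKETS)
    logins = Filter(mode="Pen", capture_logins=True)
    _, creds = apply_filter(logins, SAMPLE_PACKETS)
    return pen_records, full_records, creds


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point the example makes concrete is the one the post's quotes hint at: the difference between Pen and Full mode is a single configuration field, the text-string match only narrows Full-mode capture after the payload has already been inspected, and the login-capture checkbox yields cleartext credentials for every host the filter touches, whether or not that host is the subject.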



This archive was generated by hypermail 2b29 : Wed Oct 25 2000 - 09:59:40 PDT