Supposedly Carnivore only targets specific kinds of traffic and doesn't really monitor everything at once. It's not like (again, supposedly) Echelon that examines everything and then red flags certain items. Carnivore is only looking for certain things. Also, there is no outside access to it. Someone has to physically come in and remove the mass media (whatever that may be: more than likely a hard drive).

My guess is, Carnivore actually sounds a lot more threatening than it is. Still a violation of civil liberties as far as I'm concerned but its bark is worse than its bite. Especially since everyone has heard of it and there are ways around it.

Let's see, I want to send email to someone but I want it to be completely anonymous. I go to safeweb.com or any other anonymizer and get myself a hotmail address. I then send it to the recipient with PGP encoded text. He logs on to hotmail through anonymizer and retrieves it, decodes it and reads it. If I was really smart I'd bounce around a couple of other proxies while I was at it. Carnivore? Toothless!

Larry Diffey
Technology Forward
I speak for my employer because I speak for myself.

----- Original Message -----
From: "Bill McGonigle" <mcgonigle@medicalmedia.com>
To: "Benny Fischer" <benny@infinet-is.com>
Cc: <nanog@merit.edu>
Sent: Monday, September 17, 2001 3:55 PM
Subject: Re: Yahoogroups and Carnivore

On Monday, September 17, 2001, at 05:46 PM, Benny Fischer wrote:
-In the FAQ they claim there is no IP stack .. so how can it have ip based filters to let in traffic .. or is this all done with custom software?
If they're just capturing raw ethernet, they can disassemble the packets themselves without exposing the machine to "everything-over-IP" vulnerabilities. Surprisingly good design.
Still, I can't see how they can do all the analysis with "post-processing". There's just too much data on a big ISP's net. Does it write to a monstrous tape library? I'd think they'd at least want to do packet reassembly and sequencing in memory, then some filtering, for ease of analysis. That would mean in-line software, which could, of course, be brought down with just the right malformed TCP packet sequence. Unless they have much better-than-average programmers at the FBI. Of course if they're doing any filtering at that level, they'll miss steganographic TCP sequence numbers, etc. (if someone's invented that...)
-Bill
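
The point discussed above, that a passive box can apply IP-based filters to raw Ethernet frames without running an IP stack, sketched as an added example that is not part of the original thread and not Carnivore's code. The watch list, addresses and `build_frame` helper are constructed for illustration; every length field is checked so a malformed frame is dropped rather than crashing the parser.

```python
import ipaddress
import struct

ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100
# Constructed watch list (RFC 5737 documentation address); an assumption of this example.
WATCHED = {ipaddress.IPv4Address("192.0.2.10")}


def parse_ipv4_frame(frame: bytes):
    """Return (src, dst, proto, payload) for a well-formed IPv4 frame, else None."""
    if len(frame) < 14:                       # shorter than an Ethernet header
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == ETHERTYPE_VLAN:           # skip a single 802.1Q tag
        if len(frame) < offset + 4:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None
    ver_ihl, _tos, total_len = struct.unpack_from("!BBH", frame, offset)
    ihl = (ver_ihl & 0x0F) * 4
    # Reject wrong version, undersized header, and lengths that lie about the data.
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        return None
    if len(frame) < offset + total_len:
        return None
    proto = frame[offset + 9]
    src = ipaddress.IPv4Address(frame[offset + 12:offset + 16])
    dst = ipaddress.IPv4Address(frame[offset + 16:offset + 20])
    # Slice by total_len so Ethernet padding never leaks into the payload.
    return src, dst, proto, frame[offset + ihl:offset + total_len]


def matches(frame: bytes, watched=WATCHED) -> bool:
    """True only if the frame parses cleanly and either endpoint is watched."""
    parsed = parse_ipv4_frame(frame)
    return parsed is not None and (parsed[0] in watched or parsed[1] in watched)


def build_frame(src: str, dst: str, payload: bytes = b"hi", claimed_len=None) -> bytes:
    """Constructed test input: Ethernet + minimal IPv4/TCP-proto header, checksum 0."""
    total = 20 + len(payload) if claimed_len is None else claimed_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return b"\x02" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload
```

This covers only the stateless header match; the in-memory reassembly and sequencing raised in the message would need per-flow state on top of it.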