As of yesterday, the performance of Yahoogroup's has degraded from a couple minutes, to a couple of hours between posting and distribution. It is rumored that this is due to Carnivore being installed at major ISPs throughout the country.

Any insights?

Jay.

+++
Jay Fenello, Internet Coaching
http://www.Fenello.com ... 678-585-9765
http://www.YourWebPartner.com ... Web Support
http://www.AligningWithPurpose.com ... for a Better World
-----------------------------------------------------------
"A new civilization is emerging in our lives, and blind men everywhere are trying to suppress it." -- Alvin Toffler
A properly installed carnivore should have zero effect on the traffic passed through it...

joelja

On Mon, 17 Sep 2001, Jay Fenello wrote:

> As of yesterday, the performance of Yahoogroup's has degraded from a couple minutes, to a couple of hours between posting and distribution. It is rumored that this is due to Carnivore being installed at major ISPs throughout the country.
>
> Any insights?
>
> Jay.
--
--------------------------------------------------------------------------
Joel Jaeggli joelja@darkwing.uoregon.edu
Academic User Services consult@gladstone.uoregon.edu
PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E
--------------------------------------------------------------------------
It is clear that the arm of criticism cannot replace the criticism of arms. Karl Marx -- Introduction to the critique of Hegel's Philosophy of the right, 1843.
That's just a silly statement, it's a text processor/parser. It's another layer. Of course it's going to have an effect. On the average person, I would venture to guess it's overwhelmingly negligible, but it could very well bottleneck someone like Yahoo.

Regards,

Cristopher Daniluk
President & CEO
email: cris@dsnet.net
direct: 330/530-2373

Digital Services Network, Inc
Unleashing Your Potential
voice: 800/845-4822
web: http://www.dsnet.net/
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Joel Jaeggli
Sent: Monday, September 17, 2001 3:40 PM
To: Jay Fenello
Cc: nanog@merit.edu
Subject: Re: Yahoogroups and Carnivore
A properly installed carnivore should have zero effect on the traffic passed through it...
joelja
At 03:42 PM 9/17/2001 -0400, Cristopher Daniluk wrote:
> That's just a silly statement, it's a text processor/parser. It's another layer. Of course it's going to have an effect. On the average person, I would venture to guess it's overwhelmingly negligible, but it could very well bottleneck someone like Yahoo.

My understanding is that it is not inline, it uses a "monitor port" on a switch which duplicates all traffic.

If that is the case, then it is not a silly statement, it is factually correct.

Can anyone confirm or deny the above?

> Cristopher Daniluk

--
TTFN,
patrick
On Mon, 17 Sep 2001, Patrick W. Gilmore wrote:
> My understanding is that it is not inline, it uses a "monitor port" on a switch which duplicates all traffic.
>
> If that is the case, then it is not a silly statement, it is factually correct.
>
> Can anyone confirm or deny the above?

You are correct, Patrick. Carnivore is a passive network monitor, and passive attacks are undetectable. The only way a DCS1000 system would interrupt your network would be if it were improperly installed. (The FBI agent unplugs something he shouldn't, or decides to change your network layout to get everything flowing past his Carnivore box.)

At NANOG 20, the FBI demonstrated Carnivore to the attendees. One of those attendees was kind enough to write a report and anonymously publish it.

http://cryptome.org/carnivore-demo.htm

It's basically a sniffer with some really nice filtering and post-processing. By filtering, I mean filtering of the data logged, not of the data flowing through the network.

--Len.
On Mon, 17 Sep 2001, Cristopher Daniluk wrote:
> That's just a silly statement, it's a text processor/parser. It's another layer. Of course it's going to have an effect. On the average person, I would venture to guess it's overwhelmingly negligible, but it could very well bottleneck someone like Yahoo.

you don't really understand how it works... see the marcus Thomas fbi - presentation on carnivore at nanog-20

http://videolab.uoregon.edu/events/nanog/nanog_20.html

carnivore is a passive not an active data-collector. traffic is replicated to it rather than passed through it...

joelja
From what I understand of Carnivore (now known as DCS1000) it's a logging tool more than anything. It doesn't stop anything from going through based on content, it just logs the content and the Feds come in later and retrieve their box.

Yahoo could be screening stuff themselves just to cover their backsides.

Or, they could just have a lot of increased traffic due to last week's terrorism.

Regards,

Larry Diffey

----- Original Message -----
From: "Jay Fenello" <Jay@Fenello.com>
To: <nanog@merit.edu>
Sent: Monday, September 17, 2001 12:25 PM
Subject: Yahoogroups and Carnivore
As of yesterday, the performance of Yahoogroup's has degraded from a couple minutes, to a couple of hours between posting and distribution. It is rumored that this is due to Carnivore being installed at major ISPs throughout the country.
Any insights?
Jay.
On Mon, 17 Sep 2001, Larry Diffey wrote:

> Yahoo could be screening stuff themselves just to cover their backsides.
>
> Or, they could just have a lot of increased traffic due to last week's terrorism.

I think it is traffic levels. Yahoo group servers are most likely choking on their own.

I am subscribed to 10+ Yahoo groups. Some of these groups have averaged about 2 posts a week. They are now doing 20 a day. Groups that were doing 20 posts a day are doing 20 posts an hour.

Given the thousands of groups they have, and the likelihood that most groups have seen an increase, they may not be able to handle this type of load.

======================================================================
Michael P. Lucking Michael@Lucking.COM
Here is a very good and thorough FAQ about Carnivore

http://www.robertgraham.com/pubs/carnivore-faq.html

--
John Hasty
Network Operations Supervisor
HiWAAY Information Services
jhasty@hiwaay.net
After reading this FAQ I have a couple questions.

- If the box is running in eth promiscuous mode and using monitor mode splitters how could it slow down any traffic.. it simply passes by the port and is recreated?

- In the FAQ they claim there is no IP stack .. so how can it have ip based filters to let in traffic .. or is this all done with custom software?

- I have not been asked ( yet ) to put one in place, can someone give a very brief time line of events and where they were asked to put it on their network?

- I know this is redundant, but why even do it when PGP and SSH are so readily available?

thanks for any input

Benny Fischer
Chief Technical Officer
Infinet Internet Services
benny@infinet-is.com
480-394-0647
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of John Hasty
Sent: Monday, September 17, 2001 1:48 PM
To: nanog@merit.edu
Subject: Re: Yahoogroups and Carnivore

Here is a very good and thorough FAQ about Carnivore
http://www.robertgraham.com/pubs/carnivore-faq.html
-- John Hasty Network Operations Supervisor HiWAAY Information Services jhasty@hiwaay.net
On Monday, September 17, 2001, at 05:46 PM, Benny Fischer wrote:
> -In the FAQ they claim there is no IP stack .. so how can it have ip based filters to let in traffic .. or is this all done with custom software?

If they're just capturing raw ethernet, they can disassemble the packets themselves without exposing the machine to "everything-over-IP" vulnerabilities. Surprisingly good design.

Still, I can't see how they can do all the analysis with "post-processing". There's just too much data on a big ISP's net. Does it write to a monstrous tape library? I'd think they'd at least want to do packet reassembly and sequencing in memory, then some filtering, for ease of analysis. That would mean in-line software, which could, of course, be brought down with just the right malformed TCP packet sequence. Unless they have much better-than-average programmers at the FBI. Of course if they're doing any filtering at that level, they'll miss steganographic TCP sequence numbers, etc. (if someone's invented that...)

-Bill
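An added illustration (not part of the thread, and not Carnivore's code) of the point in the message above: IP-based filtering needs no IP stack, only a userspace decoder over raw Ethernet bytes that rejects malformed input instead of crashing. The function names and the sample frames are constructed for this example.

```python
import ipaddress
import struct

ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6

def parse_frame(frame: bytes):
    """Decode Ethernet -> IPv4 -> TCP by hand. Returns None (never raises) for
    anything truncated, malformed, fragmented or not IPv4/TCP."""
    if len(frame) < 14 + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ver_ihl, _, total_len, _, frag, _, proto, _, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", ip, 0)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(ip):
        return None                      # header lengths disagree with the bytes
    if proto != PROTO_TCP or frag & 0x1FFF:
        return None                      # not TCP, or a non-first fragment
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, _, _, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    data_off = (off_flags >> 12) * 4
    if not 20 <= data_off <= len(tcp):
        return None                      # TCP data offset points outside segment
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}

def capture(frames, watched_ip):
    """Log only segments to or from watched_ip; everything else is discarded."""
    decoded = (parse_frame(f) for f in frames)
    return [p for p in decoded if p and watched_ip in (p["src"], p["dst"])]

def build_frame(src, dst, sport, dport, payload):
    """Constructed test frame (checksums left at zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, 5 << 12, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp

# Constructed sample traffic (documentation address ranges), not real captures.
SAMPLE = [
    build_frame("192.0.2.10", "198.51.100.25", 40000, 25, b"MAIL FROM:<a@example.org>"),
    build_frame("192.0.2.77", "198.51.100.25", 40001, 25, b"unrelated"),
    build_frame("192.0.2.10", "198.51.100.25", 40000, 25, b"x")[:30],   # truncated
    b"\xff" * 60,                                                        # not IPv4
]

if __name__ == "__main__":
    for pkt in capture(SAMPLE, "192.0.2.10"):
        print(pkt)
```

Every length field is checked against the bytes actually received before it is used as an offset, which is what keeps a crafted header from crashing the decoder.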
Supposedly Carnivore only targets specific kinds of traffic and doesn't really monitor everything at once. It's not like (again, supposedly) Echelon that examines everything and then red flags certain items.

Carnivore is only looking for certain things. Also, there is no outside access to it. Someone has to physically come in and remove the mass media (whatever that may be: more than likely a hard drive).

My guess is, Carnivore actually sounds a lot more threatening than it is. Still a violation of civil liberties as far as I'm concerned but its bark is worse than its bite. Especially since everyone has heard of it and there are ways around it.

Let's see, I want to send email to someone but I want it to be completely anonymous. I go to safeweb.com or any other anonymizer and get myself a hotmail address. I then send it to the recipient with PGP encoded text. He logs on to hotmail through anonymizer and retrieves it, decodes it and reads it. If I was really smart I'd bounce around a couple of other proxies while I was at it.

Carnivore? Toothless!

Larry Diffey
Technology Forward
I speak for my employer because I speak for myself.

----- Original Message -----
From: "Bill McGonigle" <mcgonigle@medicalmedia.com>
To: "Benny Fischer" <benny@infinet-is.com>
Cc: <nanog@merit.edu>
Sent: Monday, September 17, 2001 3:55 PM
Subject: Re: Yahoogroups and Carnivore
On Monday, September 17, 2001, at 05:46 PM, Benny Fischer wrote:
-In the FAQ they claim there is no IP stack .. so how can it have ip based filters to let in traffic .. or is this all done with custom software?
If they're just capturing raw ethernet, they can disassemble the packets themselves without exposing the machine to "everything-over-IP" vulnerabilities. Surprisingly good design.
Still, I can't see how they can do all the analysis with "post-processing". There's just too much data on a big ISP's net. Does it write to a monstrous tape library? I'd think they'd at least want to do packet reassembly and sequencing in memory, then some filtering, for ease of analysis. That would mean in-line software, which could, of course, be brought down with just the right malformed TCP packet sequence. Unless they have much better-than-average programmers at the FBI. Of course if they're doing any filtering at that level, they'll miss steganographic TCP sequence numbers, etc. (if someone's invented that...)
-Bill
On Mon, 17 Sep 2001, Larry Diffey wrote:
> Supposedly Carnivore only targets specific kinds of traffic and doesn't really monitor everything at once. It's not like (again, supposedly) Echelon that examines everything and then red flags certain items.

Wrong.

> Carnivore is only looking for certain things. Also, there is no outside access to it. Someone has to physically come in and remove the mass media (what ever that may be: more than likely a hard drive).

Wrong. See the report I posted and the section in it about dialin and ISDN access.
Jay,

While I am not a supporter of Carnivore, I did have the...privilege, let's say, of being served with a court order to install one, several years back. This was before it was quite public, except amongst the extremely paranoid.

Although it creeps me out in principle (which, BTW, did not seem to bother the assigned FBI agents at all :), it was designed in a way so that it would not affect the traffic of the network it was being connected to. And believe me - I tried very hard to find a good reason not to connect it, as the court order gave an out, if it would damage or degrade our network. I was unable to find any way that it would degrade that network, despite my best efforts.

Remember - those utilizing this device feel quite strongly that it should not be detectable. This follows from the principle that, when bugging a restaurant filled with Mafioso, a boom mike dropped from the ceiling may be a dead give-away.

- Daniel Golding

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jay Fenello
Sent: Monday, September 17, 2001 3:26 PM
To: nanog@merit.edu
Subject: Yahoogroups and Carnivore

As of yesterday, the performance of Yahoogroup's has degraded from a couple minutes, to a couple of hours between posting and distribution. It is rumored that this is due to Carnivore being installed at major ISPs throughout the country.

Any insights?

Jay.
On Mon, 17 Sep 2001, Jay Fenello wrote:
> As of yesterday, the performance of Yahoogroup's has degraded from a couple minutes, to a couple of hours between posting and distribution. It is rumored that this is due to Carnivore being installed at major ISPs throughout the country.
>
> Any insights?

No hard information, just logic.

This can't be carnivore, because carnivore, as I understand it, is passive. And you do realize how many people aren't behind the 'major' ISPs, right? Those people are going to see the same lag.

Plus, when the rest of the net isn't suffering, and some part of yahoo is? Chances are it's yahoo's deal.

I'm guessing they installed moderators. It wouldn't be bad policy to not allow encrypted postings, and how the hell are you going to autofilter that?

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access
participants (12)

- Andy Dills
- Benny Fischer
- Bill McGonigle
- Cristopher Daniluk
- Daniel Golding
- Jay Fenello
- Joel Jaeggli
- John Hasty
- Larry Diffey
- Len Sassaman
- Michael Lucking
- Patrick W. Gilmore