What is Carnivore? Carnivore is a digital wiretap tool used by the FBI to monitor the Internet. It is capable of monitoring, or examining, all data packets passing through a network. The software allows filtering criteria to be set and consequently data that does not meet the pre-set criteria is filtered out. Therefore, it is primarily a collection of filtering tools which is not, nor should it be, illegal.

The system is comprised of hardware and software. The Carnivore computer is a standard personal computer with a network interface currently running on Microsoft Windows 2000 or NT operating system. The additional software, the Carnivore program, offers the operator via the Graphical User Interface, an easy to use method for setting the filters. These filters accept and record or reject the network data after screening by the system. Any data accepted by the filter is recorded onto a removable disk drive of the ZIP or Jaz type. In order to filter the data on the network, the system must be physically connected to the network. Carnivore allows for some remote access via a telephone dial up link. However, access to the recorded data is minimal via the dial up link. The limiting factor to gathering data via the telephone is the relatively narrow bandwidth and the potentially massive amounts of data culled from the high-speed networks monitored. The amount of data recorded is, of course, dependent upon the filtering criteria set by the operator. The main purpose for the remote connection is to change the filtering criteria. Therefore, a special agent must physically remove the Jaz or ZIP drive from the unit and bring the drive to an FBI lab for analysis of the data.

Carnivore resembles various packet sniffer programs available to network managers, system administrators, and hackers. The major differences are in the Graphical User Interface and the ability to monitor high capacity networks. The software is designed to filter all network data and accept or reject data based on the pre-set filtering criteria. It is therefore, the configuration of the device that determines what is recorded and what is rejected. Like any network sniffer, there is nothing to stop the operator from "abusing" the collection capability. When the collection criteria is expanded the only limiting system factor is the quantity of information that can be stored on the installed drive. In essence, there is no way for an outside entity to know the configuration of the system installed. In fact, Carnivore is locked in a secure "cage" when it is connected to the Internet Service Providers system. The ISP data center personnel do not have access to the system and are not present when the removable drives are collected. The unmonitored monitoring capability frightens some people and groups that their civil liberties may or can be breached.

As earlier stated, Carnivore monitors high-speed networks. Reportedly, it is well within Carnivore’s capabilities to monitor more than a thousand people with one system; the FBI has at least twenty systems. The purpose of the system is to intercept large volumes of electronic mail and other forms of electronic communication as it passes through a targeted network. Theoretically, Carnivore can scan millions of emails per second. This amounts to processing as much as six gigabytes of data every hour the system is on-line. This scanning process is completely passive; it alters no data nor does it prevent the designated recipient from receiving the packets. Carnivore scans the subject lines and headers of incoming and outgoing messages. As previously described, the useful, or legally culled data, is recorded onto the removable drive.

A weakness of the system, and every monitoring system, is the inability to eavesdrop on encrypted data. The use of strong encryption will negate the ability of Carnivore to collect data that would otherwise be filtered, accepted and subsequently recorded. Encrypting tools like PGP simply cannot be "cracked" by the system.

• Packets are pieces of a message. They must contain the destination address in addition to the data. A packet size will vary but generally does not exceed 1500 bits.
• Packetizing is merely breaking the message into multiple packets.
• A packet sniffer is a wire-tap device that plugs into computer networks and eavesdrops on the network traffic.
• A filter is a pre-determined pattern through which the data is passed. If the data matches it is recorded prior to being passed to its destination.
• Jaz Drive is a removable disk drive developed by the Iomega Corporation. Technically, it has a 12 ms seek time and a transfer rate of 5.5Mbps and a capacity of 2 GB.
• A sniffer is a program or device that monitors data travelling over a network. It is used as a legitimate network management tool. In the hands of a hacker, it can be a dangerous tool, virtually impossible to detect and insertable into a network at any connection. Sniffers can be viewed as a detriment to network security. Sniffers in the promiscuous mode accept all incoming traffic; the filter is turned off. A sniffing program can capture keystrokes as they are typed.
• Protocol analysis is the process of capturing network traffic with a sniffing program and reassembling the packets. This is performed through interpreting individual fields of each packet.
• Abstraction exists when the components of a system know nothing about the other components within the system. Each component operates separately and obliviously to the other system components.
• RMON or Remote MONitoring aids in the management of network traffic and devices. RMON keeps tabs on the systems components operating parameters and warns of impending or possible failures. In addition, the collected data is analyzed for determination of peak traffic times.

A general description of how packet sniffers work must include a little technical talk and some hypothetical scenarios. From the previous discussion about Carnivore in general to the technical definitions, we are led to a discussion about how does it all work, some noted shortfalls and some (and I am keeping to a minimum) legal issues. I will also make a comparison between network wiretaps and the conventional telephone wiretaps. This part of the paper is to highlight the current issues and make you aware of the legal statutes that are being used as inferences in order to establish network monitoring in support of a law enforcement agency. I addition, I believe that the comparison highlights valid concerns.

We have established that commercial packet sniffers have been around for some time and that they are in use daily by network managers to aid in network maintenance and by hackers to break into computers. A quick search on the Internet for packet sniffers and multiple vendors offering various products with varying capabilities can be readily obtained. The prices range from $1500.00 to $4500.00. The products all work from standard network adapters and have optional adapters for additional network analysis. The term capture drive is mentioned in some products. The capture drive is the filtering element of the system. As stated earlier the filter is in place to weed out the wanted form the unwanted; which is determined by the operator. The capture drive will send all desired data to the buffer for storage. Though it was not mentioned as a feature of the Carnivore system, some systems claim to save on disk at 100 mbps. This feature allows for saving huge quantities of data in comparison to the reported Jar or ZIP drive storage capabilities associated with Carnivore. For network managers there is the feature of minimal real-time system analysis. There are no reported features in any system of real-time data analysis other than the "filtering analysis".

The Internet was designed to survive single point failures. This means that if one server or a hundred servers crash the data is still accessible. View the connectivity of the Internet as a fisherman’s net. If there is a node removed the data can still be retrieved via an alternate connection. In addition, communication on this net follows a "least-cost path". In other words, the connection between any two nodes follows the most direct route unless there is an outage. As a packet traverses the Internet, it is passed from one router to the next router. Each router examines the destination IP address and determines the path the packet should take in order to meet it’s ultimate destination. The packet sniffer will also look at the destination IP and if the IP matches the filter setting, the data is copied to the drive and the message is passed. If the Internet is viewed as a fisherman’s net with redundant connectivity, then the best place to wiretap is a spot where the most traffic passes through. Hence, the desire to wiretap at the ISP data center. The point is the wiretap must be in an advantageous location and there is a need for physical connectivity to the wire in order to eavesdrop.

For eavesdropping, there are methods to gain remote access to the lines. Hackers will install sniffing software that they can remotely control onto individual machines or possibly at the ISP. In some instances, like cable-modems, the traffic can be rerouted through another machine. On Windows, sniffing is a part of the Remote Admin Trojan, like BackOrifice, which are used to sniff traffic in general. However, they can be configured to sniff for passwords and electronic mail them back to the hacker. The point is that eavesdropping on a line is not difficult and is a practice of many hackers. Still, the best way to defeat eavesdropping is strong encryption.

So where does Carnivore fit into this web of treachery? Again, Carnivore is proprietary closed-source software owned and operated by the FBI. In order for the FBI to wiretap a line they must meet the rigid requirements of Title III wiretap order. This order is meant to place specifically defined requirements upon the requestor in order for the judge to grant permission. The permission granted is supposed to narrowly define who can be electronically monitored, to what extent and for what purpose. It is in this area of legalities that the furor over Carnivore exists.

There is little doubt that Carnivore is capable of meeting all the legal requirements. The concerns are whether or not they limit the wiretap in the manner as prescribed by the judge. Remember that no one form the ISP data center configures the Carnivore system nor do they have access to the culled data nor does the court system. In other words it is how the tool is used that determines whether innocent or uninvolved peoples rights are being violated. This type of technology is often called "dual-use" technology due to the legitimate and non-legitimate applications.

The aforementioned Title III wiretap legislation pre-dates the current technology of the Internet. In fact, the legal precedent is specific to analog telephones and the systems that support their public and private use. In the application of a telephonic wiretap, the order is delivered to the carrier who in turn implements the judge’s order. The telephone service provider’s employees listen to, the recordings of the conversations in real time. The provider maintains what meets the restrictions of the wiretap, which are then passed off to the agency requesting the tap. The ease of telephonic wiretapping under the guise of a court order is facilitated by the fact that the U.S. government requires telephone companies to configure networks for ease of wiretap installations. This is simply not the case in the implementation of Internet wiretapping with Carnivore. The "middle man", service provider, is merely required to allow access to their equipment and the law enforcement agency does the rest. There is no check and balance as was evident in the wiretaps of the telephone system.

The digital nature of the Internet and the capabilities of the Carnivore system allow for a wider net to be cast by the FBI; and with no checks and balances in the implementation of Internet wiretapping by the FBI.

Wiretap warrants for telephonic traffic are specific to individuals. Yet, in the case of Internet wiretapping, there is no way of knowing who actually typed the intercepted messages. It is simple to "spoof" someone else’s email address. I addition, it is simple to alter digital messages along their route. Of greater concern, the digital packets of one message are intermixed along the wire with the digital packets of many other messages. Many opponents of Carnivore raise Fourth Amendment issues that cannot be easily ignored.

Amendment IV Searches and Seizures: The right of the people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched and the person or things to be seized.

Without examination of the source code and without an in place check and balance of the installed system, the current technology of packet sniffers cannot meet the stated criteria.

Carnivore offers little new technology in network monitoring. Sniffers programs, protocol analysis and all the hardware associated with Carnivore has been around for years. Altivore, developed by Network ICE, mimics the known features of Carnivore. With Altivore, the operator can

• Monitor an individual’s electronic mail; including the full content or just headers
• Monitor a specific individual’s access to certain types of servers; web, FTP
• Discover an individual’s current IP address and sniffing of the all the packet to or from that address

Network ICE’s stated goal is to educate the technically savvy person on the capabilities and possible pitfalls of a system the likes of Carnivore. Network ICE has made the software open source. Open source is the term used for software source code made public.

Many of the opponents to Carnivore have argued, in and out of the court system, for the source code to be released for public scrutiny. Yet, the source code is hardly the issue. The technical experts assigned by the federal court system to review that software note that they gain little from reviewing the source code. They contend that the issue is in the way in which the system is configured prior to and reconfigured during use.

Recently, several well known ISPs have gone back to the courts to gain access to the source code. The ISPs would like to ensure, to the extent that is possible, the software is stable and will be benign to their system. This request seems reasonable in light of the fact that the court can mandate the ISP to allow the FBI to install Carnivore in the ISPs data center. When Carnivore was installed in an ISP data center serving Southern California, outages to customers not targeted were reported.

So how would making the software open source protect the ISPs investment and squelch some of the critics? Opening the source code to public review could identify coding problems that could crash a particular ISPs services, or cause outages to customers as it has in the past. In addition, useful modifications may be recommended by outside technical sources. Probably the best outcome of releasing the software would be the small groups who would independently confirm what some experts already know. That confirmation would be that the core source code is not the issue; it’s in the parameters the software is configured and installed that is frightening.

In addition to Altivore comparisons, there have been references to another governmental secret wiretap and spy system used to collect data on individuals, groups and governments. These references are to Echelon. The United States of America and the United Kingdom developed echelon, in secrecy, during the Cold War. Rumors abound that the earliest inception of the system dates to the early 1940’s. The additions of Canada, Australia, and New Zealand bolstered the Echelon network. It is believed that the Echelon network is capable of monitoring worldwide communications. Telephone calls, faxes, and electronic mail all fall into the dragnet. The claim is that Echelon monitors billions of messages every hour with the aid of an elaborate network of satellites. Echelon satellites were placed in geo-stationary orbits and can be guided to different orbital paths as required for increased surveillance capabilities.

With little official comment from any government about the existence of the Echelon system, the following is generally believed to be the systems capabilities

• High speed dictionary computers that perform keyword searches on mountains of data
• A worldwide Wide Area Network that using IP addresses and strong encryption
• 120 American satellites providing dedicated satellite channels and a dedicated fiber network
• Advanced voice recognition software
• The National Security Agency houses the United States headquarters

It is safe to say that Carnivore provides an on-hand asset to the FBI and supported agencies. Carnivore is the logical next generation up from Echelon and the ability and desire to eavesdrop private communications is nothing new.

In summation, network sniffers are nothing new and are in use by network managers, hackers and law enforcement agencies worldwide. The common defense that is available to all Internet users is the implementation of a strong encryption tool.

1. Define a packet sniffer.
2. Who has access to commercial sniffing programs?
3. What is the best defense against sniffing?