SCN: Privacy
Steve
steve at advocate.net
Wed Oct 11 16:46:47 PDT 2000
========================
A security specialist explains why his open-source version of the
FBI's snooping technology is a victory for privacy fans.
(Sean Dugan, Salon.com)---Robert Graham has hacking in his blood.
In 1988, as a student at Oregon State University, he helped fight the
infamous Morris Worm -- an out-of-control software program that
nearly broke the Internet. But Graham's security roots go back even
further than that: His grandfather was a code breaker who
worked on cracking Nazi communications during World War II.
Graham is the CTO of NetworkICE, a security company he co-founded
with Greg Gilliom and Clinton Lum to provide "anti-hacking"
services such as intrusion detection software. Given his family
background and his own interests, one could understand that
Graham might be interested in anything related to cyber-snooping.
But on Tuesday Graham took his involvement to a whole new level,
inserting himself directly into the middle of the charged debate over
Carnivore -- the FBI's much-maligned system for spying on the
e-mails of suspected criminals.
Graham released to the general public the source code to "Altivore,"
a program that mimics all the capabilities of Carnivore. Part protest
against Carnivore's potential for invasions of privacy and part
defensive measure aimed at subverting Carnivore, Altivore is the
latest escalation of the ongoing battle over just how much privacy
we can expect in cyberspace.
Graham, 33, is a veteran of the venerable minicomputer maker Data
General. He says that these days he doesn't get out too much, he's
too busy taking care of business at NetworkICE. And yet somehow
he found the time to write and release Altivore.
Salon caught up with Graham the day after news about Altivore's
release broke. He was happy to explain why he created the
software, what he feels the real issues raised by Carnivore are and
why there should be a fundamental human right to encryption.
What prompted you to write Altivore?
From one perspective, just to poke fun at the FBI. As we describe it,
it's like "outing" the FBI. The FBI has kept everything secretive and
behind their back rooms and black boxes. We have said: The
technology is not as complex as people think. It's actually pretty
simple. So we took little bits and pieces from our existing source
base of our products -- it's all still "sniffing" -- and dropped it in a
new little program called Altivore and shipped the source code for it,
so everyone could see how it's done.
Also, to give ISPs [Internet service providers] an alternative to the
FBI. The FBI comes up with a search warrant and really, what the
FBI wants, is just the data. They don't care how you get it. If the ISP
can use Altivore instead, they don't need to have this secretive
black box on the network.
Was it much of a technical challenge? You said on your Web site
that you wrote it in a weekend.
If I were to write it from scratch, it would take a little bit longer. But
since we're copying and pasting stuff that we have already done --
little bits and pieces here and there -- it takes a lot less time.
How long have you been using this sniffer technology?
The three founders of the company have been doing this sort of
thing for 10 years. I've done this 10 times before -- for me, even if it
was from scratch, it would take me maybe a couple [of] weekends,
rather than one weekend. If you're a gymnast, you can do a trick on
the parallel bars -- you just go ahead and do it, whereas it would
take somebody like me, for example, years to do the same trick.
Is it accurate to characterize Altivore as open-source software?
That depends on someone's open-source definition. Right now,
we're holding the copyright close to our chest because there are so
many open-source licenses out there to choose from. Right now,
we're basically just "copyright: us." I think we're looking at the BSD
license, rather than the GPL license.
Do you think the FBI is being completely honest about what
Carnivore does?
That's always the big question. In terms of technical sophistication,
it doesn't need to be technically sophisticated to do what the FBI
says it does. Now, you can presume that it might do lots of other
stuff that would require more technical sophistication, but that
debate goes on more along the lines of Echelon. We believe that
Carnivore has no relationship to Echelon. Echelon is really a content
scanner looking for key words like "plutonium." With Carnivore, you
only get into a network once you have a court order and the court
order says something like somebody's e-mail address. You'll never
get a court order for something like content scanning. If there's
anything that the FBI has that's like Echelon, it's not Carnivore -- it's
something else.
Do you think the concerns raised about Carnivore by groups like the
EFF and the ACLU are legitimate?
The main concern that the EFF and ACLU have is not Carnivore -- it's
the fact that the FBI can come in with a court order in the first place
and demand all your e-mail traffic. That's their main concern; they
don't care about the technology. They make a lot of funny
statements about the technology which I'm amused about -- like the
EFF said that you can't scan for a single person's e-mail address
and sift it out of everyone else's e-mail -- but you actually can, which
Altivore shows.
Their main issue is the privacy debate -- should the government
have the right to sniff all of our traffic? More importantly, encryption
technology is becoming more and more built into what we do. The
real debate that we're going to have to answer and address as a
society at some point is whether encryption is a fundamental human
right. Does the government have the right to peer into all of our data
or do we have the right to do our best to hide our data -- hide our
information, our e-mail and correspondences from the government?
NetworkICE is along the lines that we should be considering this and
we should think of this as a human right.
What kinds of things should we be concerned about -- should we all
really be encrypting our data? What are the privacy concerns?
Your ISP is already looking at your e-mail. Back at my old company,
I would send e-mails to my girlfriend. And a couple of the e-mails
were a little bit mushy. One of the e-mails got misdirected because
there was a problem with the server. The people maintaining our
e-mail service probably had to look at that e-mail in order to figure
out why it was misdirected. So, they probably read the e-mail message.
So, the moral of the story is whether it's the FBI, or just the people
trying to get your e-mail to you, people are going to be reading your
e-mail occasionally. Therefore, if there's something in the e-mail
message that you don't want other people to read, you should
encrypt it.
Returning to Echelon and Carnivore -- do you think it will ever be
possible to completely monitor the entire Net? From a technical
standpoint, are we moving in that direction?
There's a lot of capabilities that can do some effective monitoring, but
ultimately, the Net is too big to monitor. For example, if I send e-mail
from my company to your company, how does it go across the
Internet? There's no centralized point on the Internet where it's
going to go through; it follows a convoluted path. The FBI cannot put
enough little monitoring devices throughout the Internet to monitor
all the traffic. And if they did, the amount of traffic is really, really
huge. They can do some monitoring, but ultimately they cannot log it
all. They can't save all the network traffic to a disk for later analysis.
That would be an awfully big hard drive.
That's one of the points about Echelon -- people don't know what it is
targeting. But, spying on diplomatic channels is a very common
thing. Spying on satellite transmission has been very common. But
if I've got fiber optic cable between you and me, Echelon can't
monitor that fiber optic cable. Echelon itself is very limited in what it
can monitor. So, we'll never have pervasive monitoring, but the
government will try and do the best job they can -- that's what
governments do.
Does creating Altivore put you in an awkward position? On one side,
you have the FBI. On the other side, you have groups like the EFF.
You seem to be presenting this tool that allows snooping, but at the
same time, it's an alternative to the FBI's black box.
That was one of our main fears in releasing Altivore. Fundamentally,
we're releasing a product whose sole purpose is to spy on people.
Which is interesting -- since we're promoting it as a tool to defend
against being spied upon. You could easily misinterpret our
intentions here and say, "Hey, you're trying to help the FBI with
spying." It's an interesting position to be in. Ultimately, the FBI
comes in with a search warrant and the real, main issue is the
search warrant. They're going to get the data, no matter what.
They're going to use Carnivore, or get the ISP to do it for them.
Either way, they're going to get the data. We're not actually helping
the FBI do anything more than they can already do.
So this is more about providing a choice to an ISP?
Right. As we say, our current products kick hackers off your
networks. Altivore kicks the FBI off your network.
Copyright 2000 Salon.com