SCN: Privacy

Steve steve at advocate.net
Wed Oct 11 16:46:47 PDT 2000



========================

A security specialist explains why his open-source version of the 
FBI's snooping technology is a victory for privacy fans.  

(Sean Dugan, Salon.com)---Robert Graham has hacking in his blood. 
In 1988, as a student at Oregon State University, he helped fight the 
infamous Morris Worm -- an out-of-control software program that 
nearly broke the Internet. But Graham's security roots go back even 
further than that: His grandfather was a code breaker who 
worked on cracking Nazi communications during World War II.  

Graham is the CTO of NetworkICE, a security company he co-founded 
with Greg Gilliom and Clinton Lum to provide "anti-hacking" 
services such as intrusion detection software. Given his family 
background and his own interests, one could understand that 
Graham might be interested in anything related to cyber-snooping. 
But on Tuesday Graham took his involvement to a whole new level, 
inserting himself directly into the middle of the charged debate over 
Carnivore -- the FBI's much-maligned system for spying on the 
e-mails of suspected criminals.  

Graham released to the general public the source code to "Altivore," 
a program that mimics all the capabilities of Carnivore. Part protest 
against Carnivore's potential for invasions of privacy and part 
defensive measure aimed at subverting Carnivore, Altivore is the 
latest escalation of the ongoing battle over just how much privacy 
we can expect in cyberspace.  

Graham, 33, is a veteran of the venerable minicomputer maker Data 
General. He says that these days he doesn't get out too much, he's 
too busy taking care of business at NetworkICE. And yet somehow 
he found the time to write and release Altivore.  

Salon caught up with Graham the day after news about Altivore's 
release broke. He was happy to explain why he created the 
software, what he feels the real issues raised by Carnivore are and 
why there should be a fundamental human right to encryption.  

What prompted you to write Altivore?  

From one perspective, just to poke fun at the FBI. As we describe it, 
it's like "outing" the FBI. The FBI has kept everything secretive and 
behind their back rooms and black boxes. We have said: The 
technology is not as complex as people think. It's actually pretty 
simple. So we took little bits and pieces from our existing source 
base of our products -- it's all still "sniffing" -- and dropped it in a 
new little program called Altivore and shipped the source code for it, 
so everyone could see how it's done.  

Also, to give ISPs [Internet service providers] an alternative to the 
FBI. The FBI comes up with a search warrant and really, what the 
FBI wants, is just the data. They don't care how you get it. If the ISP 
can use Altivore instead, they don't need to have this secretive 
black box on the network.  

Was it much of a technical challenge? You said on your Web site 
that you wrote it in a weekend.  

If I were to write it from scratch, it would take a little bit longer. But 
since we're copying and pasting stuff that we have already done -- 
little bits and pieces here and there -- it takes a lot less time.  

How long have you been using this sniffer technology?  

The three founders of the company have been doing this sort of 
thing for 10 years. I've done this 10 times before -- for me, even if it 
was from scratch, it would take me maybe a couple [of] weekends, 
rather than one weekend. If you're a gymnast, you can do a trick on 
the parallel bars -- you just go ahead and do it, whereas it would 
take somebody like me, for example, years to do the same trick.  

Is it accurate to characterize Altivore as open-source software?  

That depends on someone's open-source definition. Right now, 
we're holding the copyright close to our chest because there are so 
many open-source licenses out there to choose from. Right now, 
we're basically just "copyright: us." I think we're looking at the BSD 
license, rather than the GPL license.  

Do you think the FBI is being completely honest about what 
Carnivore does?  

That's always the big question. In terms of technical sophistication, 
it doesn't need to be technically sophisticated to do what the FBI 
says it does. Now, you can presume that it might do lots of other 
stuff that would require more technical sophistication, but that 
debate goes on more along the lines of Echelon. We believe that 
Carnivore has no relationship to Echelon. Echelon is really a content 
scanner looking for key words like "plutonium." With Carnivore, you 
only get into a network once you have a court order and the court 
order says something like somebody's e-mail address. You'll never 
get a court order for something like content scanning. If there's 
anything that the FBI has that's like Echelon, it's not Carnivore -- it's 
something else.  

Do you think the concerns raised about Carnivore by groups like the 
EFF and the ACLU are legitimate?  

The main concern that the EFF and ACLU have is not Carnivore -- it's 
the fact that the FBI can come in with a court order in the first place 
and demand all your e-mail traffic. That's their main concern; they 
don't care about the technology. They make a lot of funny 
statements about the technology which I'm amused about -- like the 
EFF said that you can't scan for a single person's e-mail address 
and sift it out of everyone else's e-mail -- but you actually can, which 
Altivore shows.  

Their main issue is the privacy debate -- should the government 
have the right to sniff all of our traffic? More importantly, encryption 
technology is becoming more and more built into what we do. The 
real debate that we're going to have to answer and address as a 
society at some point is whether encryption is a fundamental human 
right. Does the government have the right to peer into all of our data 
or do we have the right to do our best to hide our data -- hide our 
information, our e-mail and correspondences from the government? 
NetworkICE is along the lines that we should be considering this and 
we should think of this as a human right.  

What kinds of things should we be concerned about -- should we all 
really be encrypting our data? What are the privacy concerns?  

Your ISP is already looking at your e-mail. Back at my old company, 
I would send e-mails to my girlfriend. And a couple of the e-mails 
were a little bit mushy. One of the e-mails got misdirected because 
there was a problem with the server. The people maintaining our 
e-mail service probably had to look at that e-mail in order to figure 
out why it was misdirected. So, they probably read the e-mail message. 
So, the moral of the story is whether it's the FBI, or just the people 
trying to get your e-mail to you, people are going to be reading your 
e-mail occasionally. Therefore, if there's something in the e-mail 
message that you don't want other people to read, you should 
encrypt it.  

Returning to Echelon and Carnivore -- do you think it will ever be 
possible to completely monitor the entire Net? From a technical 
standpoint, are we moving in that direction?  

There's a lot of capabilities that can do some effective monitoring, but 
ultimately, the Net is too big to monitor. For example, if I send e-mail 
from my company to your company, how does it go across the 
Internet? There's no centralized point on the Internet where it's 
going to go through; it follows a convoluted path. The FBI cannot put 
enough little monitoring devices throughout the Internet to monitor 
all the traffic. And if they did, the amount of traffic is really, really 
huge. They can do some monitoring, but ultimately they cannot log it 
all. They can't save all the network traffic to a disk for later analysis. 

That would be an awfully big hard drive.  

That's one of the points about Echelon -- people don't know what it is 
targeting. But, spying on diplomatic channels is a very common 
thing. Spying on satellite transmission has been very common. But 
if I've got fiber optic cable between you and me, Echelon can't 
monitor that fiber optic cable. Echelon itself is very limited in what it 
can monitor. So, we'll never have pervasive monitoring, but the 
government will try and do the best job they can -- that's what 
governments do.  

Does creating Altivore put you in an awkward position? On one side, 
you have the FBI. On the other side, you have groups like the EFF. 
You seem to be presenting this tool that allows snooping, but at the 
same time, it's an alternative to the FBI's black box.  

That was one of our main fears in releasing Altivore. Fundamentally, 
we're releasing a product whose sole purpose is to spy on people. 
Which is interesting -- since we're promoting it as a tool to defend 
against being spied upon. You could easily misinterpret our 
intentions here and say, "Hey, you're trying to help the FBI with 
spying." It's an interesting position to be in. Ultimately, the FBI 
comes in with a search warrant and the real, main issue is the 
search warrant. They're going to get the data, no matter what. 
They're going to use Carnivore, or get the ISP to do it for them. 
Either way, they're going to get the data. We're not actually helping 
the FBI do anything more than they can already do.  

So this is more about providing a choice to an ISP?  

Right. As we say, our current products kick hackers off your 
networks. Altivore kicks the FBI off your network.  

Copyright 2000 Salon.com



