Experts: Carnivore review had no teeth

Five security industy leaders say that an independent review of the FBI surveillance system failed to examine critical issues

A who's who among corporate and academic security researchers on Monday criticised a government-funded review of the FBI's Carnivore Internet surveillance system as "limited" and "inadequate". The researchers said that while a previous review completed by a team at the Illinois Institute of Technology Research Institute (Iitri) appeared to have been conducted in good faith, the results were incomplete.

"We continue to have serious concerns relating to the Carnivore system," stated the researchers in the report, authored by Steve Bellovin and Matt Blaze from AT&T Laboratories, David Farber from the University of Pennsylvania, Peter Neumann from SRI International, and Gene Spafford from Purdue University.

Carnivore is the less-than-auspicious code name for software developed by the FBI and private industry to eavesdrop on the Internet communications of suspected criminals. Analogous in some ways to a telephone wiretap, Carnivore has privacyrights watchdogs barking over the system's potential for widespread abuse by law enforcement.

Calling the Iitri analysis "a good starting point", the report said: "It is simply not possible to draw meaningful conclusions about isolated pieces of software without also considering the computing, networking, and user environment under which they are running."

Among other things, the security experts criticised the use of a single, all-powerful user -- the "administrator" -- on the system. Such a configuration turns any security hole into a critical flaw, since an unauthorised user on the machine has complete power.

Another problem -- which was pointed out in the Iitri analysis but not investigated -- is the possibility that one or more buffer overflow exists in the code, the security experts reported. A buffer overflow refers to a situation where data put into the system exceeds -- or overflows -- the available space. Frequently, such incidents allow attackers to run malicious code or to take over a system.

The report pointed to other flaws in the system and the FBI's procedure for operating the system, including the following.

  • In many cases, an agent determines what information is collected or deleted. Called minimisation, this should be done automatically or in real time.

  • The FBI uses PCAnywhere, an application for remotely accessing a computer, to connect to Carnivore. However, that software is far too powerful to be used safely in this context.

  • While the FBI has repeatedly claimed that Carnivore is not intended to collect all data, the researchers have taken issue with that statement.

  • The Iitri report did not adequately explore the security of the Windows NT computer on which the Carnivore system will be executed.

Finally, the researchers questioned the FBI's reliance on the so-called "pen register" statute -- the law that allows agents to obtain the phone numbers a suspect has called -- as the basis of using Carnivore to capture email headers.

The statute falls short of such use because headers could reveal the correspondence of two parties not included in a search warrant, if they carbon copy a third, suspected, person.

They can see you... Read about how and why in Surveillance, a ZDNet News Special

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read what others have said.

Show Comments