Buro Jansen & Janssen is a research bureau that critically follows the police, the judiciary, intelligence services and government in the Netherlands and Europe. A civil-rights collective that has been publishing for 30 years on the expansion of repressive legislation, public-private cooperation, powers, government action and other affairs of state.


FBI agent Marcus C. Thomas (who is mentioned in the EPIC FOIA documents) made a very interesting presentation at NANOG 20 yesterday morning, discussing Carnivore. (2000)

    Agent Thomas gave a demonstration of both Carnivore 1.34 (the currently
    deployed version) and Carnivore 2.0 (the development version) as well as
    some of the other DragonWare tools.

    Most of this information isn’t new, but it demonstrates that the
    DragonWare tools can be used to massively analyze all network traffic
    accessible to a Carnivore box.

    The configuration screen of Carnivore shows that protocol information can
    be captured in 3 different modes: Full, Pen, and None. There are check
    boxes for TCP, UDP, and ICMP.

    Carnivore can be used to capture all data sent to or from a given IP
    address, or range of IP addresses.

    It can be used to search on information in the traffic, doing matching
    against text entered in the “Data Text Strings” box. This, the agent
    assured us, was so that web mail could be identified and captured, but
    other browsing could be excluded.

    It can be used to automatically capture telnet, pop3, and FTP logins with
    the click of a check box.

    It can monitor mail to and/or from specific email addresses.

    It can be configured to monitor based on IP address, RADIUS username, MAC
    address, or network adaptor.

    IPs can be manually added to a running Carnivore session for monitoring.

    Carnivore allows for monitoring of specific TCP or UDP ports and port
    ranges (with drop down boxes for the most common protocols).

    Carnivore 2.0 is much the same, but the configuration menu is cleaner, and
    it allows Boolean statements for exclusion filter creation.
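    The filter semantics described above (Full/Pen/None modes, protocol check boxes, an IP range, port ranges, the "Data Text Strings" box, and a Boolean exclusion filter) are modelled in the toy Python below. This is an added illustration, not Carnivore's code or file format; the addresses, ports, and sample packets are constructed, and the opaque TLS payload shows that a headers-only ("Pen") record is still produced even when the content cannot be string-matched.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "TCP", "UDP" or "ICMP"
    sport: int
    dport: int
    payload: bytes

@dataclass
class Filter:
    mode: str = "Pen"  # "Full" = headers and content, "Pen" = headers only, "None" = nothing
    protos: set = field(default_factory=lambda: {"TCP", "UDP", "ICMP"})  # protocol check boxes
    ip_range: ipaddress.IPv4Network = ipaddress.ip_network("192.0.2.0/24")  # constructed range
    ports: range = range(1, 65536)  # port range; default is every port
    text_strings: list = field(default_factory=list)  # the "Data Text Strings" box
    exclude: object = None  # optional Boolean exclusion predicate (the 2.0-style feature)

def matches(pkt, flt):
    """Apply the protocol, address, port, text and exclusion criteria to one packet."""
    in_range = any(ipaddress.ip_address(a) in flt.ip_range for a in (pkt.src, pkt.dst))
    port_ok = pkt.proto == "ICMP" or pkt.sport in flt.ports or pkt.dport in flt.ports
    text_ok = not flt.text_strings or any(s.encode() in pkt.payload for s in flt.text_strings)
    excluded = flt.exclude is not None and flt.exclude(pkt)
    return pkt.proto in flt.protos and in_range and port_ok and text_ok and not excluded

def capture(packets, flt):
    """Return the records a box with this configuration would retain."""
    if flt.mode == "None":
        return []
    out = []
    for p in packets:
        if matches(p, flt):
            rec = {"src": p.src, "dst": p.dst, "proto": p.proto, "sport": p.sport, "dport": p.dport}
            if flt.mode == "Full":
                rec["payload"] = p.payload  # only Full mode keeps content
            out.append(rec)
    return out

# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.5", "TCP", 40000, 80, b"GET /webmail/inbox HTTP/1.0"),
    Packet("192.0.2.10", "198.51.100.6", "TCP", 40001, 80, b"GET /news/today HTTP/1.0"),
    Packet("192.0.2.10", "198.51.100.7", "TCP", 40002, 443, b"\x16\x03\x01\x00\xa5"),  # TLS, opaque
    Packet("203.0.113.9", "198.51.100.5", "TCP", 40003, 80, b"GET /webmail/inbox HTTP/1.0"),
]
```

Running `capture(SAMPLE, Filter(mode="Pen", text_strings=["webmail"]))` keeps only the in-range webmail request and records its headers without the payload; the same filter in Full mode also stores the request line.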

    The Packeteer program takes raw network traffic dumps, reconstructs the
    packets, and writes them to browsable files.

    CoolMiner is the post-processor session browser. The demo was version
    1.2SP4. CoolMiner has the ability to replay a victim’s steps while web
    browsing, chatting on ICQ, Yahoo Messenger, AIM, IRC. It can step through
    telnet sessions, AOL account usage, and Netmeeting. It can display
    information sent to a network printer. It can process netbios data.

    CoolMiner displays summary usage, broken down by origination and
    destination IP addresses, which can be selectively viewed.

    Carnivore usually runs on Windows NT Workstation, but could run on Windows
    2000.

    Some choice quotes from Agent Thomas:

    “Non-relevant data is sealed from disclosure.”

    “Carnivore has no active interaction with any devices on the network.”

    “In most cases Carnivore is only used with a Title III. The FBI will
    deploy Carnivore without a warrant in cases where the victim is willing to
    allow a Carnivore box to monitor his communication.”

    “We rely on the ISP’s security [for the security of the Carnivore box].”

    “We aren’t concerned about the ISP’s security.”

    When asked how Carnivore boxes were protected from attack, he said that
    the only way they were accessible was through dialup or ISDN. “We could
    take measures all the way up to encryption if we thought it was
    necessary.”

    While it doesn’t appear that Carnivore uses a dial-back system to prevent
    unauthorized access, Thomas mentioned that the FBI sometimes “uses a
    firmware device to prevent unauthorized calls.”

    When asked to address the concerns that FBI agents could modify Carnivore
    data to plant evidence, Thomas reported that Carnivore logs FBI agents’
    access attempts. The FBI agent access logs for the Carnivore box become
    part of the court records. When asked the question “It’s often common
    practice to write back doors into [software programs]. How do we know you
    aren’t doing that?”, Thomas replied “I agree 100%. You’re absolutely
    right.”

    When asked why the FBI would not release source, he said: “We don’t sell
    guns, even though we have them.”

    When asked: “What do you do in cases where the subject is using
    encryption?” Thomas replied, “This suite of devices can’t handle that.” I
    guess they hand it off to the NSA.

    He further stated that about 10% of the FBI’s Carnivore cases are thwarted
    by the use of encryption, and that it is “more common to find encryption
    when we seize static data, such as on hard drives.”

    80% of Carnivore cases have involved national security.

    Marcus Thomas can be contacted for questions at mthomas@fbi.gov or at
    (730) 632-6091. He is “usually at his desk.”

    24 October 2000
