Defanging Carnivore

A security specialist explains why his open-source version of the FBI's snooping technology is a victory for privacy fans.

Topics: FBI, Privacy,

Robert Graham has hacking in his blood. In 1988, as a student at Oregon State University, he helped fight the infamous Morris Worm — an out-of-control software program that nearly broke the Internet. But Graham’s security roots go back even further back than that: His grandfather was a code breaker who worked on cracking Nazi communications during World War II.

Graham is the CTO of NetworkICE, a security company he co-founded with Greg Gilliom and Clinton Lum to provide “anti-hacking” services such as intrusion detection software. Given his family background and his own interests, one could understand that Graham might be interested in anything related to cyber-snooping. But on Tuesday Graham took his involvement to a whole new level, inserting himself directly into the middle of the charged debate over Carnivore — the FBI’s much-maligned system for spying on the e-mails of suspected criminals.

Graham released to the general public the source code to “Altivore,” a program that mimics all the capabilities of Carnivore. Part protest against Carnivore’s potential for invasions of privacy and part defensive measure aimed at subverting Carnivore, Altivore is the latest escalation of the ongoing battle over just how much privacy we can expect in cyberspace.

Graham, 33, is a veteran of the venerable minicomputer maker Data General. He says that these days he doesn’t get out too much, he’s too busy taking care of business at NetworkICE. And yet somehow he found the time to write and release Altivore.

Salon caught up with Graham the day after news about Altivore’s release broke. He was happy to explain why he created the software, what he feels the real issues raised by Carnivore are and why there should be a fundamental human right to encryption.

What prompted you to write Altivore?

From one perspective, just to poke fun at the FBI. As we describe it, it’s like “outing” the FBI. The FBI has kept everything secretive and behind their back rooms and black boxes. We have said: The technology is not as complex as people think. It’s actually pretty simple. So we took little bits and pieces from our existing source base of our products — it’s all still “sniffing” — and dropped it in a new little program called Altivore and shipped the source code for it, so everyone could see how it’s done.



Also, to give ISPs [Internet service providers] an alternative to the FBI. The FBI comes up with a search warrant and really, what the FBI wants, is just the data. They don’t care how you get it. If the ISP can use Altivore instead, they don’t need to have this secretive black box on the network.

Was it much of a technical challenge? You said on your Web site that you wrote it in a weekend.

If I were to write it from scratch, it would take a little bit longer. But since we’re copying and pasting stuff that we have already done — little bits and pieces here and there — it takes a lot less time.

How long have you been using this sniffer technology?

The three founders of the company have been doing this sort of thing for 10 years. I’ve done this 10 times before — for me, even if it was from scratch, it would take me maybe a couple [of] weekends, rather than one weekend. If you’re a gymnast, you can do a trick on the parallel bars — you just go ahead and do it, whereas it would take somebody like me, for example, years to do the same trick.

Is it accurate to characterize Altivore as open-source software?

That depends on someone’s open-source definition. Right now, we’re holding the copyright close to our chest because there are so many open-source licenses out there to choose from. Right now, we’re basically just “copyright: us.” I think we’re looking at the BSD license, rather than the GPL license.

Do you think the FBI is being completely honest about what Carnivore does?

That’s always the big question. In terms of technical sophistication, it doesn’t need to be technically sophisticated to do what the FBI says it does. Now, you can presume that it might do lots of other stuff that would require more technical sophistication, but that debate goes on more along the lines of Echelon. We believe that Carnivore has no relationship to Echelon. Echelon is really a content scanner looking for key words like “plutonium.” With Carnivore, you only get into a network once you have a court order and the court order says something like somebody’s e-mail address. You’ll never get a court order for something like content scanning. If there’s anything that the FBI has that’s like Echelon, it’s not Carnivore — it’s something else.

Do you think the concerns raised about Carnivore by groups like the EFF and the ACLU are legitimate?

The main concern that the EFF and ACLU have is not Carnivore — it’s the fact that the FBI can come in with a court order in the first place and demand all your e-mail traffic. That’s their main concern; they don’t care about the technology. They make a lot of funny statements about the technology which I’m amused about — like the EFF said that you can’t scan for a single person’s e-mail address and sift it out of everyone else’s e-mail — but you actually can, which Altivore shows.

Their main issue is the privacy debate — should the government have the right to sniff all of our traffic? More importantly, encryption technology is becoming more and more built into what we do. The real debate that we’re going to have to answer and address as a society at some point is whether encryption is a fundamental human right. Does the government have the right to peer into all of our data or do we have the right to do our best to hide our data — hide our information, our e-mail and correspondences from the government? NetworkICE is along the lines that we should be considering this and we should think of this as a human right.

What kinds of things should we be concerned about — should we all really be encrypting our data? What are the privacy concerns?

Your ISP is already looking at your e-mail. Back at my old company, I would send e-mails to my girlfriend. And a couple of the e-mails were a little bit mushy. One of the e-mails got misdirected because there was a problem with the server. The people maintaining our e-mail service probably had to look at that e-mail in order to figure why it was misdirected. So, they probably read the e-mail message. So, the moral of the story is whether it’s the FBI, or just the people trying to get your e-mail to you, people are going to be reading your e-mail occasionally. Therefore, if there’s something in the e-mail message that you don’t want other people to read, you should encrypt it.

Returning to Echelon and Carnivore — do you think it will ever be possible to completely monitor the entire Net? From a technical standpoint, are we moving in that direction?

There’s lot of capabilities that can do some effective monitoring, but ultimately, the Net is too big to monitor. For example, if I send e-mail from my company to your company, how does it go across the Internet? There’s no centralized point on the Internet where it’s going to go through; it follows a convoluted path. The FBI cannot put enough little monitoring devices throughout the Internet to monitor all the traffic. And if they did, the amount of traffic is really, really huge. They can do some monitoring, but ultimately they cannot log it all. They can’t save all the network traffic to a disk for later analysis.

That would be an awfully big hard drive.

That’s one of the points about Echelon — people don’t know what it is targeting. But, spying on diplomatic channels is a very common thing. Spying on satellite transmission has been very common. But if I’ve got fiber optic cable between you and me, Echelon can’t monitor that fiber optic cable. Echelon itself is very limited in what it can monitor. So, we’ll never have pervasive monitoring, but the government will try and do the best job they can — that’s what governments do.

Does creating Altivore put you in an awkward position? On one side, you have the FBI. On the other side, you have groups like the EFF. You seem to be presenting this tool that allows snooping, but at the same time, it’s an alternative to the FBI’s black box.

That was one of our main fears in releasing Altivore. Fundamentally, we’re releasing a product whose sole purpose is to spy on people. Which is interesting — since we’re promoting it as a tool to defend against being spied upon. You could easily misinterpret our intentions here and say, “Hey, you’re trying to help the FBI with spying.” It’s an interesting position to be in. Ultimately, the FBI comes in with a search warrant and the real, main issue is the search warrant. They’re going to get the data, no matter what. They’re going to use Carnivore, or get the ISP to do it for them. Either way, they’re going to get the data. We’re not actually helping the FBI do anything more than they can already do.

So this is more about providing a choice to an ISP?

Right. As we say, our current products kick hackers off your networks. Altivore kicks the FBI off your network.

Sean M. Dugan is senior research editor at InfoWorld magazine and a freelance writer. Send e-mail you don't mind the FBI reading.

More Related Stories

Featured Slide Shows

  • Share on Twitter
  • Share on Facebook
  • 1 of 22
  • Close
  • Fullscreen
  • Thumbnails

    Once upon a time on the Bowery

    Talking Heads, 1977
    This was their first weekend as a foursome at CBGB’s, after adding Jerry Harrison, before they started recording the LP “Talking Heads: 77.”

    Once upon a time on the Bowery

    Patti Smith, Bowery 1976
    Patti lit up by the Bowery streetlights. I tapped her on the shoulder, asked if I could do a picture, took two shots and everyone went back to what they were doing. 1/4 second at f/5.6 no tripod.

    Once upon a time on the Bowery

    Blondie, 1977
    This was taken at the Punk Magazine Benefit show. According to Chris Stein (seated, on slide guitar), they were playing “Little Red Rooster.”

    Once upon a time on the Bowery

    No Wave Punks, Bowery Summer 1978
    They were sitting just like this when I walked out of CBGB's. Me: “Don’t move” They didn’t. L to R: Harold Paris, Kristian Hoffman, Diego Cortez, Anya Phillips, Lydia Lunch, James Chance, Jim Sclavunos, Bradley Field, Liz Seidman.

    Once upon a time on the Bowery

    Richard Hell + Bob Quine, 1978
    Richard Hell and the Voidoids, playing CBGB's in 1978, with Richard’s peerless guitar player Robert Quine. Sorely missed, Quine died in 2004.

    Once upon a time on the Bowery

    Bathroom, 1977
    This photograph of mine was used to create the “replica” CBGB's bathroom in the Punk Couture show last summer at the Metropolitan Museum of Art. So I got into the Met with a bathroom photo.

    Once upon a time on the Bowery

    Stiv Bators + Divine, 1978
    Stiv Bators, Divine and the Dead Boys at the Blitz Benefit show for injured Dead Boys drummer Johnny Blitz.

    Once upon a time on the Bowery

    Ramones, 1977
    “The kids are all hopped up and ready to go…” View from the unique "side stage" at CBGB's that you had to walk past to get to the basement bathrooms.

    Once upon a time on the Bowery

    Klaus Nomi, Christopher Parker, Jim Jarmusch – Bowery 1978
    Jarmusch was still in film school, Parker was starring in Jim’s first film "Permanent Vacation" and Klaus just appeared out of nowhere.

    Once upon a time on the Bowery

    Hilly Kristal, Bowery 1977
    When I used to show people this picture of owner Hilly Kristal, they would ask me “Why did you photograph that guy? He’s not a punk!” Now they know why. None of these pictures would have existed without Hilly Kristal.

    Once upon a time on the Bowery

    Dictators, Bowery 1976
    Handsome Dick Manitoba of the Dictators with his girlfriend Jody. I took this shot as a thank you for him returning the wallet I’d lost the night before at CBGB's. He doesn’t like that I tell people he returned it with everything in it.

    Once upon a time on the Bowery

    Alex Chilton, Bowery 1977
    We were on the median strip on the Bowery shooting what became a 45 single sleeve for Alex’s “Bangkok.” A drop of rain landed on the camera lens by accident. Definitely a lucky night!

    Once upon a time on the Bowery

    Bowery view, 1977
    The view from across the Bowery in the summer of 1977.

    Once upon a time on the Bowery

    Ramones, 1977 – never before printed
    I loved shooting The Ramones. They would play two sets a night, four nights a week at CBGB's, and I’d be there for all of them. This shot is notable for Johnny playing a Strat, rather than his usual Mosrite. Maybe he’d just broken a string. Love that hair.

    Once upon a time on the Bowery

    Richard Hell, Bowery 1977 – never before printed
    Richard exiting CBGB's with his guitar at 4am, about to step into a Bowery rainstorm. I’ve always printed the shots of him in the rain, but this one is a real standout to me now.

    Once upon a time on the Bowery

    Patti Smith + Ronnie Spector, 1979
    May 24th – Bob Dylan Birthday show – Patti “invited” everyone at that night’s Palladium show on 14th Street down to CBGB's to celebrate Bob Dylan’s birthday. Here, Patti and Ronnie are doing “Be My Baby.”

    Once upon a time on the Bowery

    Legs McNeil, 1977
    Legs, ready for his close-up, near the front door of CBGB's.

    Once upon a time on the Bowery

    Suicide, 1977
    Rev and Alan Vega – I thought Alan was going to hit me with that chain. This was the Punk Magazine Benefit show.

    Once upon a time on the Bowery

    Ian Hunter and Fans, outside bathroom
    I always think of “All the Young Dudes” when I look at this shot. These fans had caught Ian Hunter in the CBGB's basement outside the bathrooms, and I just stepped in to record the moment.

    Once upon a time on the Bowery

    Tommy Ramone, 1977
    Only at CBGB's could I have gotten this shot of Tommy Ramone seen through Johnny Ramones legs.

    Once upon a time on the Bowery

    Bowery 4am, 1977
    End of the night garbage run. Time to go home.

  • Recent Slide Shows

Comments

0 Comments

Comment Preview

Your name will appear as username ( settings | log out )

You may use these HTML tags and attributes: <a href=""> <b> <em> <strong> <i> <blockquote>