Defanging Carnivore

A security specialist explains why his open-source version of the FBI's snooping technology is a victory for privacy fans.

Published September 25, 2000 7:30PM (EDT)

Robert Graham has hacking in his blood. In 1988, as a student at Oregon State University, he helped fight the infamous Morris Worm -- an out-of-control software program that nearly broke the Internet. But Graham's security roots go back even further than that: His grandfather was a code breaker who worked on cracking Nazi communications during World War II.

Graham is the CTO of NetworkICE, a security company he co-founded with Greg Gilliom and Clinton Lum to provide "anti-hacking" services such as intrusion detection software. Given his family background and his own interests, one could understand that Graham might be interested in anything related to cyber-snooping. But on Tuesday Graham took his involvement to a whole new level, inserting himself directly into the middle of the charged debate over Carnivore -- the FBI's much-maligned system for spying on the e-mails of suspected criminals.

Graham released to the general public the source code to "Altivore," a program that mimics all the capabilities of Carnivore. Part protest against Carnivore's potential for invasions of privacy and part defensive measure aimed at subverting Carnivore, Altivore is the latest escalation of the ongoing battle over just how much privacy we can expect in cyberspace.

Graham, 33, is a veteran of the venerable minicomputer maker Data General. He says that these days he doesn't get out much; he's too busy taking care of business at NetworkICE. And yet somehow he found the time to write and release Altivore.

Salon caught up with Graham the day after news about Altivore's release broke. He was happy to explain why he created the software, what he feels the real issues raised by Carnivore are and why there should be a fundamental human right to encryption.

What prompted you to write Altivore?

From one perspective, just to poke fun at the FBI. As we describe it, it's like "outing" the FBI. The FBI has kept everything secretive and behind their back rooms and black boxes. We have said: The technology is not as complex as people think. It's actually pretty simple. So we took little bits and pieces from our existing source base of our products -- it's all still "sniffing" -- and dropped it in a new little program called Altivore and shipped the source code for it, so everyone could see how it's done.

Also, to give ISPs [Internet service providers] an alternative to the FBI. The FBI comes up with a search warrant and really, what the FBI wants, is just the data. They don't care how you get it. If the ISP can use Altivore instead, they don't need to have this secretive black box on the network.

Was it much of a technical challenge? You said on your Web site that you wrote it in a weekend.

If I were to write it from scratch, it would take a little bit longer. But since we're copying and pasting stuff that we have already done -- little bits and pieces here and there -- it takes a lot less time.

How long have you been using this sniffer technology?

The three founders of the company have been doing this sort of thing for 10 years. I've done this 10 times before -- for me, even if it was from scratch, it would take me maybe a couple [of] weekends, rather than one weekend. If you're a gymnast, you can do a trick on the parallel bars -- you just go ahead and do it, whereas it would take somebody like me, for example, years to do the same trick.

Is it accurate to characterize Altivore as open-source software?

That depends on someone's open-source definition. Right now, we're holding the copyright close to our chest because there are so many open-source licenses out there to choose from. Right now, we're basically just "copyright: us." I think we're looking at the BSD license, rather than the GPL license.

Do you think the FBI is being completely honest about what Carnivore does?

That's always the big question. In terms of technical sophistication, it doesn't need to be technically sophisticated to do what the FBI says it does. Now, you can presume that it might do lots of other stuff that would require more technical sophistication, but that debate goes on more along the lines of Echelon. We believe that Carnivore has no relationship to Echelon. Echelon is really a content scanner looking for key words like "plutonium." With Carnivore, you only get into a network once you have a court order and the court order says something like somebody's e-mail address. You'll never get a court order for something like content scanning. If there's anything that the FBI has that's like Echelon, it's not Carnivore -- it's something else.

Do you think the concerns raised about Carnivore by groups like the EFF and the ACLU are legitimate?

The main concern that the EFF and ACLU have is not Carnivore -- it's the fact that the FBI can come in with a court order in the first place and demand all your e-mail traffic. That's their main concern; they don't care about the technology. They make a lot of funny statements about the technology which I'm amused about -- like the EFF said that you can't scan for a single person's e-mail address and sift it out of everyone else's e-mail -- but you actually can, which Altivore shows.

Their main issue is the privacy debate -- should the government have the right to sniff all of our traffic? More importantly, encryption technology is becoming more and more built into what we do. The real debate that we're going to have to answer and address as a society at some point is whether encryption is a fundamental human right. Does the government have the right to peer into all of our data or do we have the right to do our best to hide our data -- hide our information, our e-mail and correspondences from the government? NetworkICE is along the lines that we should be considering this and we should think of this as a human right.

What kinds of things should we be concerned about -- should we all really be encrypting our data? What are the privacy concerns?

Your ISP is already looking at your e-mail. Back at my old company, I would send e-mails to my girlfriend. And a couple of the e-mails were a little bit mushy. One of the e-mails got misdirected because there was a problem with the server. The people maintaining our e-mail service probably had to look at that e-mail in order to figure out why it was misdirected. So, they probably read the e-mail message. So, the moral of the story is whether it's the FBI, or just the people trying to get your e-mail to you, people are going to be reading your e-mail occasionally. Therefore, if there's something in the e-mail message that you don't want other people to read, you should encrypt it.

Returning to Echelon and Carnivore -- do you think it will ever be possible to completely monitor the entire Net? From a technical standpoint, are we moving in that direction?

There's a lot of capabilities that can do some effective monitoring, but ultimately, the Net is too big to monitor. For example, if I send e-mail from my company to your company, how does it go across the Internet? There's no centralized point on the Internet where it's going to go through; it follows a convoluted path. The FBI cannot put enough little monitoring devices throughout the Internet to monitor all the traffic. And if they did, the amount of traffic is really, really huge. They can do some monitoring, but ultimately they cannot log it all. They can't save all the network traffic to a disk for later analysis.

That would be an awfully big hard drive.

That's one of the points about Echelon -- people don't know what it is targeting. But, spying on diplomatic channels is a very common thing. Spying on satellite transmission has been very common. But if I've got fiber optic cable between you and me, Echelon can't monitor that fiber optic cable. Echelon itself is very limited in what it can monitor. So, we'll never have pervasive monitoring, but the government will try and do the best job they can -- that's what governments do.

Does creating Altivore put you in an awkward position? On one side, you have the FBI. On the other side, you have groups like the EFF. You seem to be presenting this tool that allows snooping, but at the same time, it's an alternative to the FBI's black box.

That was one of our main fears in releasing Altivore. Fundamentally, we're releasing a product whose sole purpose is to spy on people. Which is interesting -- since we're promoting it as a tool to defend against being spied upon. You could easily misinterpret our intentions here and say, "Hey, you're trying to help the FBI with spying." It's an interesting position to be in. Ultimately, the FBI comes in with a search warrant and the real, main issue is the search warrant. They're going to get the data, no matter what. They're going to use Carnivore, or get the ISP to do it for them. Either way, they're going to get the data. We're not actually helping the FBI do anything more than they can already do.

So this is more about providing a choice to an ISP?

Right. As we say, our current products kick hackers off your networks. Altivore kicks the FBI off your network.

By Sean Dugan

Sean M. Dugan is senior research editor at InfoWorld magazine and a freelance writer. Send e-mail you don't mind the FBI reading.
