Carnivore FAQ (Frequently Asked Questions)

This document provides some answers (or sometimes just guesses) to common questions posted about Carnivore.

Version 0.1, September 7, 2000

Author: Robert Graham

"They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759

1. What is Carnivore?

According to the FBI:

The FBI explains the origin of the codename: Carnivore chews all the data on the network, but it only actually eats the information authorized by a court order.

1.1. What does Carnivore intercept?

Carnivore is used in two ways: as a content-wiretap and a trap-and-trace/pen-register.

A telephone content wiretap is where law enforcement eavesdrops on the suspect's telephone calls, recording the oral communications on tape. Carnivore can do similar things for Internet communication:

capture all e-mail messages to and from a specific account

capture all the network traffic to and from a specific user or IP address

A less invasive style of wiretapping is the telephone trap-and-trace, where police track the caller IDs of all inbound telephone calls. For example, if your child has been kidnapped, the FBI will put a trap-and-trace on your phone in hopes of discovering the telephone number of the kidnappers. There is a similar feature known as a pen-register that tracks all outbound telephone numbers dialed. If you are a suspected drug dealer, the FBI might perform a virtual stake-out where they put a trap-and-trace plus pen-register on your phone in order to discover everyone you call, and everyone who calls you. Similar functionality for the Internet consists of:

capture all the e-mail headers (including e-mail addresses) going to and from an e-mail account, but not the actual contents (or Subject: line)

list all the servers (web servers, FTP servers) that the suspect accesses, but don't capture the content of this communication

track everyone who accesses a specific web page or FTP file

track all web pages or FTP files that a suspect accesses

You'll notice that the trap-and-trace/pen-register functionality is mostly a subset of the content-wiretap interception. This is because the legal standards for it are more relaxed. A full content-wiretap can only be authorized by a federal district court judge, and only in cases of clear probable cause that certain crimes have been committed. The purpose of a full content-wiretap is to gather evidence to use during prosecution. In contrast, a trap-and-trace/pen-register can be authorized by lower judges. It is often used during the course of a criminal investigation in order to find out background information. This information is not considered hard evidence and may not stand up in court. Instead, it is often simply part of the background investigation.

Therefore, if the FBI suspects you of a crime for which you are using e-mail, they will do their best to get a court order to grab the full contents. If they cannot do that, they will back off and try to get a court order for all the e-mail addresses of people you correspond with (for example).

1.2. How does Carnivore intercept Internet communication?

Carnivore acts like a packet sniffer. All Internet traffic is broken down into bundles called packets. Carnivore eavesdrops on these packets watching them go by, then saves a copy of the packets it is interested in.

It is important to note that Carnivore is a passive wiretap. It does not interfere with communication. Some news reports falsely claim that Carnivore interposes itself into the stream, first grabbing data, then passing it along.

1.3. How often is Carnivore used?

The FBI claims that Carnivore has been used roughly 25 times leading up to August, 2000.

The FBI claims that they used Carnivore only 10% of the time for such court orders: most of the time the ISP complies with the court order using their own facilities.

The FBI claims that the majority of cases have been for counter terrorism, though they also mention hacking and drug trafficking.

1.4. What does the Carnivore box consist of?

Each Carnivore box is likely to be slightly different. The FBI claims that the standard configuration looks something like:

A COTS (Commercial Off The Shelf) Windows NT (or Windows 2000) box with 128 megabytes of RAM, a Pentium III, 4-18 gigabytes of disk space, and a 2 GB Jaz drive to which evidence is written.

The software is written in C++

The box has no TCP/IP stack (so it cannot get hacked into from the net)

A hardware authentication device is used to control access to the box (preventing ISP personnel from accessing the device without leaving visible signs of damage).

What they call a network isolation device, which is probably a Shomiti or NetOptics tap. This prevents the box from transmitting even if a hacker were able to break in somehow.

COTS communications software, whatever that means. My guess is that this means that Carnivore is written as C++ plugins to the EtherPeek program.

Some units are rumored to have dial-in modem ports, but it seems that the standard procedure is to have an FBI agent come in daily to exchange the Jaz disk for a fresh one.

2. What is the controversy surrounding Carnivore?

People are worried about the privacy implications of Carnivore. There are three main concerns:

How (exactly) Carnivore works, and whether there are bugs that lead to privacy violations.

How Carnivore can be misused.

The privacy debate over wiretaps in general, and the changing rules of the Internet in particular.

2.1. Does Carnivore contravene the Fourth Amendment?

No. The Fourth Amendment states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Carnivore requires a warrant to be issued given “probable cause” clearly specifying who the suspect is (e.g. email address), what lines will be tapped, and what kind of information is being seized (e.g. emails). Furthermore, wiretaps like Carnivore are usually held to a higher standard. A warrant for the contents of your e-mail can only be issued by a Federal District judge or higher, whereas normal search warrants can be authorized by any judge.

For paranoids: At least for now, the government considers tapping your e-mail a serious thing and curtails most of the FBI's ability to read it. The NSA may be coordinating with the Brits to monitor your e-mail (such as in the rumored Echelon project), but the FBI probably isn't.

2.2. Does Carnivore suck up mail from unintended targets?

There is a huge controversy over this issue because the FBI refuses to disclose how Carnivore works (see below). It is technically possible to write a system in a robust manner that won't capture data from innocent people. However, industry practice has been to take short-cuts in sniffing devices. If the FBI follows industry practice, then there are several cases whereby they may capture unintended data a small percentage of the time.

A spokesman from the EFF has made the claim that Carnivore cannot sniff e-mail for only one person out of a network stream containing thousands of e-mails. Their claim is that even experts in AI (Artificial Intelligence) would not be able to build such a system. This spokesman was thinking of the program from the wrong perspective. Carnivore isn't a dumb pattern matcher, but a protocol decoder. This means that instead of blindly searching the entire e-mail content for a specific e-mail address, Carnivore carefully follows the e-mail transfer protocols and only examines specific fields. The blind content searching would indeed be impossible. See the explanation below on SMTP for more info.

2.3. Does Carnivore do content-searching, such as sniffing e-mails that contain the word plutonium?

No. Carnivore only looks at e-mail addresses within the FROM or TO fields. See the next question for a more complete answer.

2.4. Is Carnivore a network of black-boxes deployed throughout the Internet? Is Carnivore an unrestrained wiretap of the entire Internet?

No. This type of widespread monitoring is not allowed by law.

To install a Carnivore box, the FBI must have a court order specifying exactly what is to be monitored (e.g. email contents), for exactly whom monitoring will take place (e.g. email address), and is limited for how long the box may be in place. Furthermore, the ISP does not have to accept a Carnivore box if they can satisfy the search warrant using their own means. Carnivore is only used when the ISP cannot satisfy the search warrant.

The FBI currently (August, 2000) has roughly only 20 Carnivore boxes. These boxes are stored in Quantico, Virginia. They are only used in specific cases under court order. The courts don't allow any one box to be in place for more than a month or two. Furthermore, these boxes are rarely placed on ISP backbones, but usually close to the servers they are designed to monitor.

For paranoids: This is not a satisfactory answer for paranoids who believe that government does not follow its own laws, so let me phrase it another way: if the government is doing widespread monitoring (such as the rumored Echelon program), it isn't doing it with Carnivore. Carnivore is not made for widespread monitoring, and is instead designed for only surgical wiretaps. Carnivore is widely publicized and many ISP engineers have direct experience with Carnivore (and know where the boxes are placed); Echelon is much more secretive. In other words, the government may have black-boxes deployed throughout the network, but they aren't Carnivore black-boxes.

2.5. Will Carnivore corrupt e-mails or otherwise misrepresent them?

A problem with Carnivore is that it doesn't see the original e-mail, but a copy as it flows by on the wire. E-mail is fragmented into packets. It is possible that Carnivore will miss packets, or accidentally collect unrelated packets as being part of an e-mail message.

However, Carnivore can detect these problems and clearly mark them. Rather than capturing the e-mail messages themselves, it instead captures the raw packets that transported the e-mail. These packets carry checksums and TCP sequence numbers that guard against corruption. Therefore, if Carnivore misses a packet from the middle of an e-mail message, the gap shows up as a jump in the sequence numbers of the surrounding packets, and the hole can be clearly marked rather than silently closed up.

Therefore, while Carnivore can certainly miss packets or capture too many packets, it will clearly indicate these problems and not misrepresent the e-mail.
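As an added illustration of this point (example code written for this page, not part of the original FAQ and not Carnivore's own code), the following Python reassembles one direction of a captured TCP stream from constructed segments and reports every sequence-number hole instead of papering over it. The segment data, the padding character and the function names are this example's own assumptions:

```python
"""Reassemble one direction of a TCP stream and report sequence-number holes.

Added example, not code from the FAQ or from Carnivore: raw packets carry
enough (sequence numbers) to make a missing or duplicated fragment visible
rather than silently misrepresenting the e-mail.  Segments are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int          # sequence number of the first payload byte
    payload: bytes


def reassemble(segments: List[Segment], isn: int) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Return (stream_bytes, holes).

    isn is the stream's initial sequence number, so data starts at isn + 1.
    Segments may be out of order, duplicated or partially overlapping;
    duplicates are discarded.  Any byte range never captured is recorded
    as a hole (first_missing_seq, next_present_seq) and padded with '?'
    so later offsets stay correct.  Nothing is ever guessed into a hole.
    """
    expected = isn + 1
    holes: List[Tuple[int, int]] = []
    out = bytearray()
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                          # retransmission of data we have
        if seg.seq > expected:                # gap: packet(s) were missed
            holes.append((expected, seg.seq))
            out += b"?" * (seg.seq - expected)
            expected = seg.seq
        out += seg.payload[expected - seg.seq:]   # drop any overlapping prefix
        expected = end
    return bytes(out), holes


# Constructed capture of part of a DATA phase with one packet dropped
# (the bytes "plutonium " at seq 1033..1042) and two retransmissions.
SAMPLE_ISN = 1000
SAMPLE_SEGMENTS = [
    Segment(1043, b"shipment coming?\r\n"),        # arrives early
    Segment(1001, b"Subject: Shipment\r\n"),
    Segment(1022, b"How is the "),
    Segment(1020, b"\r\n"),
    Segment(1001, b"Subject: Shipment\r\n"),       # exact retransmission
    Segment(1025, b" is the "),                    # partial retransmission
]

if __name__ == "__main__":
    data, holes = reassemble(SAMPLE_SEGMENTS, SAMPLE_ISN)
    print(data)
    for start, stop in holes:
        print(f"hole: {stop - start} bytes missing at seq {start}")
```

The hole list, not the padded bytes, is what an examiner would hand to the defense: it states exactly which byte range was never on the disk. A decoder that instead joined the fragments silently would produce a message that reads "How is the shipment coming?" with no indication that a word was lost.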

2.6. Is Carnivore permanently located at the ISP?

No. It is unlikely to be in place for more than a month. There are strict government regulations on the use of wiretaps; they must be renewed every month. If the agents are making forward progress, then they stop because the evidence is sufficient to convict. If they aren't discovering anything, the taps are removed as being useless. Either way, they don't last long.

The FBI claims that the longest a Carnivore unit has been in place was 45 days.

2.7. Why doesn't the FBI release source code?

The FBI makes the following justifications as to why they don't release source code:

They say that hackers will find ways around it.

They claim that part of the code is commercially licensed (i.e. they are contractually forbidden from releasing it).

Title 18 section 2512 of the United States Code prohibits possession/distribution of devices designed to surreptitiously eavesdrop on other peoples communications.

Industry experts don't buy these arguments:

Hackers already know how to find ways around Carnivore (e.g. PGP, anonymous remailers, anonymizing services, etc.). Experts think the real reason is that the code has not gone through a security audit and that hackers can easily attack Carnivore and bring it down. Experts believe that the only way to harden code against hacker attacks is to open it up to peer review.

The fact that key portions are licensed from commercial vendors rather than created by the FBI demonstrates that the FBI does not know how to create such code in the first place. This hints at severe weaknesses within the program that can lead to privacy violations (such as using the same short-cuts prevalent in network sniffers).

Sniffers and network monitoring products are pervasive throughout the industry. Carnivore is less capable than many programs people already have installed on their desktops. Carnivore would indeed be a useful e-mail backup tool. The FBI makes the statement in their RFP: "The Department recognizes that the Carnivore system is subject to certain inherent design limitations that preclude its use in certain situations. Those limitations will be identified to the Contractor [reviewing the system], but for obvious reasons will not be made public." Experts don't understand what obvious reasons the FBI could be talking about.

2.8. Is the FBI forthcoming on basic details?

The FBI claims that it has been forthcoming on basic details of the program. Many experts disagree, blaming the FBI for creating an environment of fear and mistrust.

Even though it cannot disclose the source code to Carnivore, it could disclose a lot more about it. For example, the FBI could run Carnivore in a test lab through all permutations (e-mail content, e-mail headers, IP packets, RADIUS logon, etc.) and disclose the evidence gathered along with original tracefiles. This would clearly demonstrate the capabilities of Carnivore without exposing the advanced details that they want to keep secret.

2.9. Can email be forged, introducing false evidence?

Yes, easily (you can do this yourself). You can simply reconfigure your own e-mail system to use somebody else's e-mail address. This won't allow you to read their e-mail, but will certainly allow you to impersonate them when sending e-mail out.

Another common problem is through the use of Trojan Horses. This would allow a hacker to not only forge an email, but to make it come from that person's IP address as well. Currently, this fools the FBI as well as courts (in a pending legal case, a defendant is accused of posting fraudulent information about a public company to Yahoo message boards; he claims that somebody else controlled his machine to post that information).

Finally, you can never prove that somebody was actually at the console. A neighbor could be walking over every day while the suspect is at work in order to send/receive emails from the computer.

None of this is really important for Carnivore, however. Probable cause must be shown before Carnivore is used to monitor the suspect. Remember that the FBI normally just has the ISP copy the email for them rather than having Carnivore do it. Whatever the source of the emails, the defense can still call into question that the emails are in fact legitimate for the above reasons.

3. What laws allow Carnivore

1968 Title III of the Omnibus Crime Control and Safe Streets Act

Commonly known simply as Title III; this law sets the conditions under which law-enforcement wiretapping is legal.

1986 ECPA (Electronic Communications Privacy Act)

Commonly pronounced Ecpa (ek-pah). This law was designed to clarify how existing wiretap laws apply to cyberspace, but at the same time sets boundaries on how much the government can invade our on-line privacy.

1986 Computer Fraud and Abuse Act

Makes breaking into federal computers and trafficking in stolen passwords felonies.

1994 CALEA

Requires telephone carriers (including ISPs) to help with investigations. A court order usually comes in two parts: one authorizing the FBI to sniff, the other obligating the ISP to help out.

1998 roving wiretap

Allows the FBI to tap lots of peoples communication as long as it only keeps records of the suspects communications. In other words, Carnivore can be placed on a backbone that listens to thousands of peoples e-mails as long as it only remembers e-mails for the specific suspect.

3.1. What are pen-registers and trap-and-traces?

A pen-register is a device the FBI might put on your phone line in order to record every telephone number you dial. A trap-and-trace is a different kind of device that records the caller-ID of everyone who dials you. Remember the movies when the suspect calls in, and the FBI says "keep him on the line" so they can trace him? That is a trap-and-trace.

These two items are frequently used as a sort of electronic stake-out. Because they only reveal the numbers called, the date/time, and potentially the length of the call, they aren't as intrusive into privacy as a full wiretap. Therefore, the legal standards necessary to obtain a court order for them are significantly reduced.

According to the FBI, Carnivore is usually used more often as a pen register/trap-and-trace style device rather than a full wiretap.

3.2. What is a court order?

FBI agents must go to a judge and get them to authorize use of Carnivore. The court order specifies:

who the suspect is

account information (i.e. the exact e-mail address)

what crime they are suspected of

what is going to be tapped (i.e. which wire, etc.)

The judge then authorizes the search warrant. At the same time, the judge will create a court order demanding that the ISP comply with the FBI.

Full content-wiretaps may only be used for certain felonies (e.g. terrorism, drug trafficking, kidnapping). They may only be issued by a Federal District Judge, not any old judge. They may only be granted to FBI agents. They may only be used to gather hard evidence, not for background reconnaissance.

3.3. I thought all computer records were hearsay?

According to the Federal Rules of Evidence, business records (including computer records) are considered hearsay (and not admissible in court) because there is no firsthand proof that they are accurate, reliable, or trustworthy. There are exceptions to this rule when you can demonstrate accuracy, reliability, and trustworthiness.

First, the FBI cannot simply capture a single e-mail and claim it as evidence. Instead, Carnivore must be running all the time (for a week, month, etc.). All of the e-mails captured during that time must be maintained. The FBI cannot simply take one e-mail from this set and use it as evidence; they must instead present to the court all e-mails captured during this time. If one e-mail says "let's bomb the World Trade Center", but the next e-mail says "I was only joking", then the FBI must present both to the defense team.

Second, the captured data must be authenticated according to rule 901 of the Federal Rules of Evidence. The FBI agents that put Carnivore into the ISP and lock it down will need to document everything they did. The FBI cannot simply give Carnivore to an ISP engineer and have them install it, because the ISP engineer is not considered a qualified witness.

Third, Carnivore must meet the best evidence rule. ISPs are usually able to create copies of e-mail directly from their servers. These copies have a higher integrity than e-mails sniffed from the wire (Carnivore might miss a packet, and therefore leave a gaping hole in the e-mail). Therefore, the FBI can only use Carnivore when the ISP is not willing or is unable to copy the e-mail from their servers.

3.4. What is chain of possession?

As part of the Rules of Evidence, all evidence must be sealed in a tamper-evident manner. Carnivore uses a Jaz drive for this. As soon as the Jaz disk is removed from the machine, it is immediately sealed in a bag, and the name of the FBI agent who sealed it and the date/time are written on the outside. From then on, anybody who opens that seal must likewise sign the form and clearly document what they did with the evidence. The evidence must not be altered (except in certain cases).

This is one of the reasons that the FBI cannot put a TCP/IP stack on the box. They cannot risk the defense team using this as an excuse as to why the evidence might be tainted.

3.5. What is minimization?

The laws state that the FBI must be very careful to minimize how much it inadvertently eavesdrops on. Agents must be very careful to monitor only the information authorized by the court order, and nothing more. For example, if they are wiretapping the telephone of the father of a family, then if a kid dials-out, they must immediately turn off the recording machines. For telephones, this requires an FBI agent who constantly listens on the line monitoring for such things.

This means that the FBI is not allowed to listen for any emails containing the word plutonium, because it would inadvertently capture messages from innocent people. Instead, they must prove to a judge that they can tap into only the traffic for the specific suspect; i.e. they must give the judge the exact e-mail address they are going to monitor.

FBI agents are very paranoid about this. If extra stuff leaks into their recordings, they must carefully discard it. Also, if a lot of stuff has leaked in, then the defense attorneys will move to suppress the evidence claiming proper procedure was not followed. Remember, the FBI has to prove a legitimate reason to the judge in order to get a court order, but also must be careful when they get the evidence that it won't be thrown out of court. This is especially important because full content-wiretaps are only obtained in order to get hard evidence that will indeed be used in court.

Note that full content-wiretaps have been used in this discussion; trap-and-trace style wiretaps are a little more lenient because they do not record the full contents of a conversation, only the parties doing the conversing.

4. What are the in-depth technical details of Carnivore?

4.1. Is Carnivore a sophisticated new technology?

Carnivore is often portrayed in the press as something extremely technologically sophisticated and clever. It isn't. For example, one news article claims that when the FBI unveiled Carnivore, it astonished industry specialists. It didn't. There are numerous products on the market significantly more advanced than Carnivore.

The author of this FAQ wrote an e-mail sniffing program identical to Carnivore 9 years ago. Carnivore has a couple of things that are unique to it (capturing e-mail packets rather than messages, RADIUS monitoring), but these aren't necessarily sophisticated.

4.2. IP sniffing

Reportedly, the FBI has used Carnivore in a mode they call Omnivore: capturing all the traffic to/from the specified IP address. (Remember, a court order has to specify exactly who is being monitored, the FBI is outlawed from monitoring everybody). Reportedly, they used the AG Group's EtherPeek for this purpose. This is one of only a few packet sniffers that can accept an IP address as a capture filter, then write in real time (with no lost packets) directly to the disk.

There are numerous products that can fulfill these types of requirements. The easiest is the freeware program known as TCPDUMP, which is available for both Windows and UNIX. If the court order specifies a full capture for the IP address of 192.0.2.189, the command would simply be:

tcpdump -w tracefile.tcp host 192.0.2.189

You can even do your own Carnivore. The popular personal firewall from Network ICE (BlackICE Defender) has a feature called Packet Logging. It will monitor all traffic to and from your own machine and save it directly to disk just like Carnivore. You can use this feature if you think you are under attack (though there are limits to its admissibility in court). The popular freeware utility known as Ethereal can then be used to display the contents of this data.

IP sniffing may also be done in a pen-register/trap-and-trace mode. Many packet sniffers could be used for this. The desired IP address would be specified in a capture filter, then the slice/snap length would be set to 54 bytes (14 bytes of Ethernet header plus 20 bytes of IP header and 20 bytes of TCP header). This would capture all the TCP/IP headers, but not the content. The raw data would be saved live to a file. Again, using TCPDUMP as an example (the snap length option must come before the filter expression):

tcpdump -s 54 -w tracefile.tcp host 192.0.2.189

However, I suspect that this is overstepping the bounds of the law, collecting more information than the warrant allows. In order to align it more closely with a traditional pen-register/trap-and-trace, it would need to capture a lot less information. It would monitor the wire and create a record that looks like the following:

IP address of initiator
IP address of the receiver
Time when conversation started
Duration of conversation
This would require more complex programming within the system.
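The following Python is an added example of that more complex programming (written for this page, not part of the original FAQ and not Carnivore's own code). It turns a list of captured TCP/IP headers, the kind a 54-byte snap length yields, into the four-field record above, fixing the direction by who sent the bare SYN and dropping every packet that does not involve the suspect's address. The packet list, the record layout and all names are this example's own assumptions:

```python
"""Pen-register style flow records from captured TCP/IP headers.

Added example, not part of the original FAQ or of Carnivore itself: it
produces the four-field record (initiator, receiver, start time, duration)
from packet headers only; no payload is ever consulted.  Packets below are
constructed and the names are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10     # TCP flag bits


@dataclass(frozen=True)
class Header:
    ts: float      # capture time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class FlowRecord:
    initiator: str
    receiver: str
    start: float
    duration: Optional[float] = None   # None: still open when the capture ended


def pen_register(headers: List[Header], suspect: str) -> List[FlowRecord]:
    """One record per TCP connection involving `suspect`.

    Direction is fixed by who sent the bare SYN, so inbound and outbound
    connections are told apart just as a trap-and-trace and a pen-register
    would.  Packets not involving the suspect are dropped unrecorded
    (minimization); a FIN or RST from either side closes the record.
    """
    open_flows: Dict[Tuple[str, int, str, int], FlowRecord] = {}
    records: List[FlowRecord] = []
    for h in sorted(headers, key=lambda x: x.ts):
        if suspect not in (h.src, h.dst):
            continue
        fwd = (h.src, h.sport, h.dst, h.dport)
        rev = (h.dst, h.dport, h.src, h.sport)
        if h.flags & SYN and not h.flags & ACK:
            if fwd not in open_flows and rev not in open_flows:
                rec = FlowRecord(h.src, h.dst, h.ts)
                open_flows[fwd] = rec
                records.append(rec)
        elif h.flags & (FIN | RST):
            key = fwd if fwd in open_flows else rev
            rec = open_flows.pop(key, None)
            if rec is not None:
                rec.duration = h.ts - rec.start
    return records


def to_log_line(rec: FlowRecord) -> str:
    dur = "open" if rec.duration is None else f"{rec.duration:.1f}s"
    return f"{rec.start:.1f} {rec.initiator} -> {rec.receiver} {dur}"


# Constructed sample capture: the suspect sends mail, receives one inbound
# web connection, opens a second outbound one that never closes, and an
# unrelated pair of hosts talk in the background.
SUSPECT = "192.0.2.189"
SAMPLE = [
    Header(100.0, SUSPECT, 1025, "198.51.100.10", 25, SYN),
    Header(100.1, "198.51.100.10", 25, SUSPECT, 1025, SYN | ACK),
    Header(100.2, SUSPECT, 1025, "198.51.100.10", 25, ACK),
    Header(105.5, SUSPECT, 1025, "198.51.100.10", 25, FIN | ACK),
    Header(200.0, "203.0.113.7", 3333, SUSPECT, 80, SYN),
    Header(201.0, "10.0.0.1", 4000, "10.0.0.2", 80, SYN),       # not the suspect
    Header(230.0, SUSPECT, 80, "203.0.113.7", 3333, RST | ACK),
    Header(300.0, SUSPECT, 1026, "198.51.100.20", 80, SYN),
]

if __name__ == "__main__":
    for r in pen_register(SAMPLE, SUSPECT):
        print(to_log_line(r))
```

Note what the record does not contain: no port numbers beyond what is needed to pair the SYN with its FIN, no byte counts, no payload, which is the whole difference between this and simply keeping the 54-byte headers on disk.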

4.3. RADIUS triggering

In the case of dial-up connections, the suspect has no fixed IP address. Therefore, Carnivore has to sniff the RADIUS logon/authentication packets in order to discover the IP address in use. This is probably the only feature unique to Carnivore: the ability to track dial-up users.
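As an added example of that triggering (written for this page; not the FBI's code, and the FAQ does not say which RADIUS messages Carnivore actually watches), the Python below parses the RFC 2865/2866 packet layout and keeps the suspect's currently assigned address from Accounting-Request Start/Stop records, which carry both the User-Name and the Framed-IP-Address. The packets are constructed with a zeroed authenticator, and the tracker class and builder function are this example's own assumptions:

```python
"""Learn a dial-up suspect's current IP address from sniffed RADIUS accounting.

Added example, not Carnivore's code.  Parses the RADIUS layout (code, id,
length, 16-byte authenticator, then type/length/value attributes) and keeps
a username -> IPv4 mapping that a capture filter can consult.  Packets are
constructed; the class and function names are this example's own.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_ACCT_STATUS = 1, 8, 40
ACCT_START, ACCT_STOP = 1, 2


def parse_radius(pkt: bytes) -> Dict:
    """Return {'code', 'id', 'attrs'}; attrs maps attribute type -> raw bytes."""
    if len(pkt) < 20:
        raise ValueError("truncated RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs: Dict[int, bytes] = {}
    off = 20                                  # skip the authenticator
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:   # never read past the packet
            raise ValueError("bad attribute length")
        attrs[atype] = pkt[off + 2:off + alen]
        off += alen
    return {"code": code, "id": ident, "attrs": attrs}


class DialupTracker:
    """Tracks the IPv4 address currently assigned to one username."""

    def __init__(self, suspect_username: str) -> None:
        self.suspect = suspect_username.encode()
        self.current_ip: Optional[str] = None

    def feed(self, pkt: bytes) -> Optional[str]:
        """Update from one sniffed packet; return the suspect's current IP."""
        msg = parse_radius(pkt)
        attrs = msg["attrs"]
        if msg["code"] != ACCOUNTING_REQUEST or attrs.get(ATTR_USER_NAME) != self.suspect:
            return self.current_ip            # someone else's session: ignore
        raw = attrs.get(ATTR_ACCT_STATUS)
        status = struct.unpack("!I", raw)[0] if raw and len(raw) == 4 else None
        if status == ACCT_START and len(attrs.get(ATTR_FRAMED_IP, b"")) == 4:
            self.current_ip = str(IPv4Address(attrs[ATTR_FRAMED_IP]))
        elif status == ACCT_STOP:
            self.current_ip = None            # address goes back to the pool
        return self.current_ip

    def matches(self, ip: str) -> bool:
        """Capture-filter test: does this address belong to the suspect right now?"""
        return self.current_ip is not None and ip == self.current_ip


def build_acct(ident: int, user: str, status: int, ip: Optional[str] = None) -> bytes:
    """Constructed Accounting-Request for the sample run (not real NAS output)."""
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user.encode()
    attrs += bytes([ATTR_ACCT_STATUS, 6]) + struct.pack("!I", status)
    if ip is not None:
        attrs += bytes([ATTR_FRAMED_IP, 6]) + IPv4Address(ip).packed
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + bytes(16) + attrs         # zero authenticator: not verified here


if __name__ == "__main__":
    tracker = DialupTracker("suspect")
    for pkt in (build_acct(1, "neighbor", ACCT_START, "192.0.2.50"),
                build_acct(2, "suspect", ACCT_START, "192.0.2.189"),
                build_acct(3, "suspect", ACCT_STOP),
                build_acct(4, "suspect", ACCT_START, "192.0.2.77")):
        print(tracker.feed(pkt))
```

The tracker trusts whatever it sees on the wire: a passive sniffer does not hold the shared secret, so it cannot check the Request Authenticator, and a forged Accounting Stop for the suspect's username would clear the address and switch capture off. That is exactly the weakness section 5 of this FAQ points at.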

4.4. How does Carnivore sniff e-mail messages?

The SMTP protocol (the system for exchanging e-mail) looks something like the following.

<--220 mx.altivore.com SMTP server.
>>>HELO mx.example.com
<--250 mx.altivore.com Hello [192.0.2.183], pleased to meet you
>>>MAIL FROM:
<--250 … Sender ok
>>>RCPT TO:
<--250
>>>DATA
<--354 Start mail input; end with <CRLF>.<CRLF>
>>>(e-mail message)
>>>\r\n.\r\n
<--250 Queued mail for delivery
>>>QUIT
<--221 mx.altivore.com closing connection

What you are seeing here is an exchange of data between two mail exchangers. One exchanger contacts the other in order to forward e-mail to it. Carnivore listens in on them surreptitiously. They start with a few greetings, and then get down to business. The exchanger that initiated the connection first transmits the envelope containing the MAIL FROM and RCPT TO fields, then sends the message. The message is terminated by a line containing nothing but a single dot.

The message itself contains headers and a body. These aren't shown in the exchange above. One of the big questions about Carnivore is whether it tracks just the SMTP envelope or whether it looks within the RFC 822 message. The following is a sample e-mail message that would be transferred over this connection:

From: "Alice Cooper"
To: "Bob D Graham"
Subject: Shipment
Date: Thu, 7 Sep 2000 15:51:24 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600

How is the plutonium shipment coming? I need it by Friday. --Alice

The logic is quite simple. If the court order specifies the suspect's e-mail account as [email protected], Carnivore triggers when it sees that address in the SMTP envelope, and starts capturing the e-mail message until it sees the terminating dot. Some court orders might limit this to only the headers rather than the content. In this case, Carnivore has to stop capturing at the first blank line. Furthermore, Carnivore has to remove the Subject: header because that is also considered content by the courts.

There are several products on the market that can capture e-mails in a similar fashion. One of the important differences with Carnivore is that it doesn't record the e-mail messages themselves, but instead captures the raw packets that carry the e-mails. In this fashion, it has a solid record of checksums and TCP sequence numbers that clearly shows both missing fragments and inadvertently captured fragments. This is extremely important in order to validate the authenticity of the data.

A pen-register/trap-and-trace mode can also be used. The MAIL FROM and RCPT TO addresses can be logged to a file whenever either of them matches the suspect's address. The log entry would look like:

time
MAIL FROM address
RCPT TO address
Email message length
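The three modes just described, full content, headers only with Subject: removed, and the pen-register log entry, are shown together below as an added example in Python (written for this page; not the FBI's code, and the FAQ does not describe Carnivore's internals beyond what is stated above). It decodes the client side of an SMTP session, triggers only on the MAIL FROM / RCPT TO envelope, and never looks at message text to decide what to keep. The session, the addresses and all names are this example's own assumptions:

```python
"""Envelope-triggered SMTP capture: full, headers-only and pen-register modes.

Added example (not FBI code): decodes the client side of an SMTP session,
triggers on the MAIL FROM / RCPT TO envelope only, never on message text,
then keeps what the court-order mode allows.  Session data is constructed.
"""
import re
from typing import Dict, List, Optional

_ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^>\s]*)>?", re.IGNORECASE)


def _normalize(addr: str) -> str:
    """Case-insensitive comparison, ignoring angle brackets and blanks."""
    return addr.strip().strip("<>").lower()


def decode_session(lines: List[str], suspect: str, mode: str, ts: float = 0.0) -> List[Dict]:
    """Walk the client's lines (CRLF stripped, DATA body included).

    Returns one record per message whose envelope names `suspect`, reduced
    to the mode: 'full', 'headers' (stop at first blank line, drop Subject:)
    or 'pen' (addresses and length only).
    """
    suspect = _normalize(suspect)
    captures: List[Dict] = []
    mail_from: Optional[str] = None
    rcpts: List[str] = []
    body: List[str] = []
    in_data = False
    for line in lines:
        if not in_data:
            m = _ENVELOPE.match(line)
            if m and m.group(1).upper() == "MAIL FROM":
                mail_from, rcpts = _normalize(m.group(2)), []
            elif m:
                rcpts.append(_normalize(m.group(2)))
            elif line.upper() == "DATA":
                in_data, body = True, []
            elif line.upper() in ("RSET", "QUIT"):
                mail_from, rcpts = None, []
        elif line == ".":                                  # end of message
            in_data = False
            if mail_from == suspect or suspect in rcpts:   # envelope trigger only
                captures.append(_minimize(mail_from, rcpts, body, mode, ts))
            mail_from, rcpts = None, []
        else:                                              # undo SMTP dot-stuffing
            body.append(line[1:] if line.startswith("..") else line)
    return captures


def _minimize(mail_from, rcpts, body, mode, ts) -> Dict:
    rec = {"time": ts, "from": mail_from, "to": list(rcpts)}
    if mode == "pen":
        rec["length"] = sum(len(l) + 2 for l in body)      # wire bytes, CRLF included
    elif mode == "headers":
        hdrs, skipping = [], False
        for l in body:
            if l == "":
                break                                      # first blank line ends headers
            if l[:1] in " \t":                             # folded continuation line
                if not skipping:
                    hdrs.append(l)
                continue
            skipping = l.lower().startswith("subject:")    # Subject: counts as content
            if not skipping:
                hdrs.append(l)
        rec["headers"] = hdrs
    elif mode == "full":
        rec["message"] = list(body)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return rec


# Constructed session: one message to the suspect, then an unrelated one
# that merely mentions "plutonium" and must not be captured.
SESSION = [
    "HELO mx.example.com",
    "MAIL FROM:<alice@example.com>", "RCPT TO:<bob@example.net>", "DATA",
    'From: "Alice Cooper" <alice@example.com>',
    'To: "Bob D Graham" <bob@example.net>',
    "Subject: Shipment", " (folded subject continuation)",
    "Date: Thu, 7 Sep 2000 15:51:24 -0700",
    "",
    "How is the plutonium shipment coming? I need it by Friday.",
    "..leading dot line", "--Alice", ".",
    "MAIL FROM:<carol@example.org>", "RCPT TO:<dave@example.org>", "DATA",
    "Subject: plutonium", "", "Innocent mail that only mentions plutonium.", ".",
    "QUIT",
]
```

Run against SESSION with the suspect set to bob@example.net, only the first message is captured, in every mode; the second, which contains the word "plutonium" in both its Subject: and its body, is never touched, because the decision is made on the envelope before any message text is examined. Note also that the folded Subject: continuation line is dropped along with the Subject: line itself in headers mode.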

4.5. HTTP and FTP

In the sample scenarios described by the FBI, they describe cases where they want to track all the websites accessed by the suspect. The way they do that is to filter for any packet from the suspect to port 80 (meaning HTTP), and record the destination IP address. This may be complicated by having to parse RADIUS as described above.

4.6. HTTP, FTP, and NNTP

One of the claims I've read in the news is that Carnivore does something with HTTP more than monitoring IP addresses of the sites. I think the news reporters were confused, but there are some things the FBI could do with sniffing technology.

One technique would be to do a trap-and-trace on a webpage. For example, the FBI could put a sniffing device next to the server hosting this webpage, then monitor everyone who accesses just this one page on the site. Similar techniques could be used for monitoring users of certain FTP files.

NNTP (Usenet news) can be a little more interesting. The FBI can do trap-and-trace on specific newsgroups. Web-pages are actually fairly well controlled (little bad stuff) and innocent people often find themselves unintentionally at web-pages due to search engines. However, Usenet is less regulated and there are areas frequented by persistent cybercriminals. The various hacking newsgroups come to mind.

4.7. IRC

There are rumors that Carnivore was used to capture IRC traffic. I'm not quite sure what that means; if the FBI wanted to tune into IRC chatrooms, they could simply use any number of programs that simply log onto the chatrooms and record all the contents. Indeed, the FBI probably records the full contents of the most popular hacker IRC chatrooms. The reason is that this isn't wiretapping, it is simply recording data that is publicly visible. You don't need to be at the ISP to do this, but can monitor chatrooms from anywhere on the net.

Note that IRC supports generic handles rather than fixed account names. People can (and often do) masquerade as others. When the FBI monitors IRC, they want to track it back to the IP address that originated the content.

4.8. Does Carnivore drop packets?

This is a frequent question for sniffers: how much traffic can they suck up before they get overloaded?

This is an important question if Carnivore is placed upon a backbone, which often runs at 100 Mbps. While the Windows platform Carnivore is based upon can certainly keep up with this traffic in theory (Network ICE sells Windows-based gigabit solutions), most Windows-based sniffers are quite slow. Therefore, many people believe that Carnivore is too slow to be placed on backbones.

However, Carnivore is frequently used in a surgical manner. This means that if possible, it will only tap into the wire used by the e-mail server (for example). This means that the traffic loads in real-world deployments are extremely small.

4.9. Is Carnivore based upon Etherpeek?

EtherPeek was certainly used originally for investigative work by the FBI. It probably is what the FBI called Omnivore. They would obtain court orders for all traffic to/from an IP address and save it directly to evidence files. EtherPeek supports this feature well whereas other commercial sniffers don't do this as well.

My guess is that what the FBI is calling Carnivore is really just plugins/modifications for EtherPeek. They persistently claim that Carnivore is based upon a commercial sniffer, so this is my best guess. Also, if you look at EtherPeek's plugins, you will see that they are remarkably similar to Carnivore's described capabilities (though not exact). Therefore, I believe that FBI agents picked EtherPeek to grab IP information, then after seeing the new plugins appear in the latest version, licensed the plugin code from AG Group and made minor modifications.

5. How can I defend myself against Carnivore? (This section is quite sparse at this time; it will be updated in later versions of this document).

There are several ways. The first is simply to encrypt your data and use anonymizing services. If you are sending e-mail that you don't want other people to read, you should certainly encrypt it.

Secondly, you could attack Carnivore directly. Carnivore is probably susceptible to typical buffer overflow attacks (such as sending very large e-mails). You can also change the format of your e-mail address without changing its meaning: RFC 822 allows the same mailbox to be written with a display name, with comments in parentheses, with a quoted local part, with whitespace between tokens, or with different letter case in the domain, and a filter that looks for the literal string named in the court order will fail to match these variants. If you think your dial-up connection is being sniffed by Carnivore, you can probably forge RADIUS packets in order to convince Carnivore that somebody else is using your IP address, which will cause it to stop monitoring.
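The address-format point deserves a worked illustration. The following is an added example, not code from this FAQ and not Carnivore's or EtherPeek's actual matching logic; the target address, the header values and all function names are constructed for the example. It contrasts a filter that searches for the literal string named in a court order with one that first reduces each mailbox to a canonical local@domain (stripping display names, nested comments, decorative quotes and whitespace, and folding the domain's case). It also shows the flip side of the same weakness: the literal filter over-collects, since it matches notsuspect@example.com.

```python
"""Added example: a court-order e-mail filter that matches the literal address
string versus one that canonicalises RFC 822 mailboxes first. Illustrative
code only; not Carnivore's or EtherPeek's logic. Every address and header
value below is constructed for the example."""
import re
from typing import Dict, List, Optional

# Hypothetical address named in a court order (constructed).
TARGET = "suspect@example.com"


def naive_match(header_value: str, target: str) -> bool:
    """The simplest filter: look for the literal string from the order."""
    return target in header_value


def strip_comments(s: str) -> str:
    """Remove RFC 822 comments "( ... )", which may nest, outside quoted strings."""
    out, depth, in_quote, i = [], 0, False, 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):      # quoted-pair such as \" or \(
            if depth == 0:
                out.append(s[i:i + 2])
            i += 2
            continue
        if in_quote:
            in_quote = ch != '"'
            out.append(ch)
        elif depth or ch == "(":
            depth += (ch == "(") - (ch == ")")
        else:
            in_quote = ch == '"'
            out.append(ch)
        i += 1
    return "".join(out)


def split_mailboxes(field: str) -> List[str]:
    """Split a To:/Cc: value on the commas that sit outside quoted strings."""
    boxes, buf, in_quote, esc = [], [], False, False
    for ch in field:
        if esc:
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            boxes.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    boxes.append("".join(buf))
    return [b for b in boxes if b.strip()]


# RFC 2822 dot-atom: a local part that needs no quoting.
DOT_ATOM = re.compile(r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*")


def canonical(mailbox: str, fold_local: bool = True) -> Optional[str]:
    """Reduce one mailbox to a bare local@domain, or None if it has no '@'."""
    s = strip_comments(mailbox)
    m = re.search(r"<([^<>]*)>", s)            # 'Display Name <addr-spec>' form
    if m:
        s = m.group(1)
    if "@" not in s:
        return None
    local, _, domain = s.rpartition("@")      # a quoted local part may itself contain '@'
    local = local.strip()
    if len(local) >= 2 and local[0] == local[-1] == '"':
        inner = re.sub(r"\\(.)", r"\1", local[1:-1])
        if DOT_ATOM.fullmatch(inner):          # the quotes were decorative: "suspect" is suspect
            local = inner
    if fold_local:
        # RFC 822 makes the local part case-sensitive; almost every real server
        # folds it anyway, so a filter has to pick a policy. This is the permissive one.
        local = local.lower()
    domain = re.sub(r"\s+", "", domain).lower().rstrip(".")
    return f"{local}@{domain}"


def canonical_match(header_value: str, target: str) -> bool:
    """Match if any mailbox in the header canonicalises to the target."""
    want = canonical(target)
    return any(canonical(box) == want for box in split_mailboxes(header_value))


# Constructed header values. VARIANTS are six spellings of the same mailbox;
# OTHERS are two different people.
VARIANTS = [
    "suspect@example.com",
    '"A. Suspect" <suspect@example.com>',
    "Suspect@EXAMPLE.COM",
    "suspect (home) @ example . com",
    '"suspect"@example.com',
    "alice@example.net, suspect@example.com.",
]
OTHERS = ["alice@example.net", "notsuspect@example.com"]


def evaluate() -> Dict[str, int]:
    """Count misses on VARIANTS and false hits on OTHERS for both filters."""
    return {
        "naive_missed": sum(not naive_match(v, TARGET) for v in VARIANTS),
        "naive_false_hits": sum(naive_match(o, TARGET) for o in OTHERS),
        "canonical_missed": sum(not canonical_match(v, TARGET) for v in VARIANTS),
        "canonical_false_hits": sum(canonical_match(o, TARGET) for o in OTHERS),
    }


if __name__ == "__main__":
    for v in VARIANTS + OTHERS:
        print(f"{v!r:45} literal={naive_match(v, TARGET)!s:5} canonical={canonical_match(v, TARGET)}")
    print(evaluate())
```

With these inputs the literal filter misses three spellings of the same mailbox (uppercase domain, comment plus whitespace, quoted local part) and falsely matches one unrelated person, while the canonicalising filter gets all eight right. Two caveats a practitioner would want: the canonicaliser does not handle RFC 822 group syntax, and folding the local part's case is a policy choice (flagged in the code), since a filter that does not fold it can be evaded with Suspect@example.com while one that does may collect more than the order names.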

6. What was the RFP of August 24, 2000?

On August 24, 2000, the FBI issued a Request For Proposal for experts to come in to evaluate Carnivore. Many experts have shied away from this because of the handcuffs placed on them, feeling that the FBI is just looking for a rubber stamp to alleviate the public's fears rather than submitting its system to a full review.

Questions that have been raised include concern that the FBI's temporary use of the Carnivore system could interfere with the proper functioning of an ISP's network; concern that the system might, when used properly, provide investigators with more information than is authorized by a given court order; and concern that even if the system functions appropriately when properly used, its capabilities give rise to a risk of misuse, leading to improper invasions of privacy.

What this means is that:

Bungling on the FBI's part caused problems for a major ISP (Earthlink), which is now suing to keep Carnivore off its networks. The government wants to prove that, under proper usage, Carnivore won't cause such problems in the future.

People are worried that Carnivore will capture more information than the court order allows. For example, a spokesman for the EFF says that even experts in AI would not be able to figure out how to make Carnivore work properly. The FBI wants to prove its case in the face of this criticism.

People are worried that the powerful capabilities can be misused in order to invade privacy.

Some academics refuse to participate. They believe that the FBI is simply trying to allay the public's fears without addressing the real concerns. The RFP places strict limitations on how the product is to be evaluated, and the FBI has full control over what the evaluator is allowed to publish as results. Therefore, the FBI can certainly produce a technical evaluation that gives Carnivore a clean bill of health while still failing to address any of the major concerns.

7. How does Carnivore relate to x?

People often compare Carnivore to other things. This section lists some of the more common questions.

7.1. How does Carnivore compare to Britain's Regulation of Investigatory Powers (RIP) Act?

RIP will mandate black-boxes at all ISPs (unlike Carnivore, where boxes have to be brought on site for each investigation).

Like Carnivore, a court order is needed.

The British government is also pushing hard for encryption key recovery.

7.2. How does Carnivore compare to Russia's SORM (System of Ensuring Investigative Activity)?

SORM requires ISPs to forward all traffic to the FSB (the successor to the KGB).

The FSB does not need a warrant and can use the information for whatever purpose it wants. Russia is also outlawing encryption (unless key recovery is used).

7.3. How does Carnivore compare to Japan's laws?

There is a Japanese law that requires all ISPs to keep a trap-and-trace/pen-register style log of all Internet communications that their law enforcement can subpoena at any time.

7.4. How does Carnivore compare to Echelon?

Echelon is the rumored global surveillance network run by the NSA and Britain's GCHQ. If Echelon exists, it isn't related to Carnivore. First of all, the FBI and NSA are constantly engaged in turf battles with each other and don't like each other much, so they are unlikely to share technology. Secondly, while the underlying technology is similar, the requirements are different enough that it is easier to write such systems separately than to try to share code. Therefore, Carnivore probably has nothing to do with Echelon.

8. Where can I learn more?

Carnivore page

http://www.fbi.gov/programs/carnivore/carnivore.htm

The horse's mouth, though this page is light on details and heavy on misdirection (such as the insistence on calling it a diagnostic tool rather than a wiretap).

 