CYBER EYE

Can an open-source alternative bail out the FBI's Carnivore?

William Jackson

For the past year, the Justice Department has been lobbying the private sector to support the investigation and prosecution of cybercrime.

You can trust us, department spokesmen have been assuring groups of leery industry representatives'we're not your father's FBI.

So far, security professionals have not beaten a path to the FBI's door. According to a study by analysts at TechnologyEvaluation.com Corp. of Boston, security pros distrust the bureau and see it as ungrateful, unreliable and domineering.

Now the G-men are facing one of their biggest public relations challenges since the Kansas City massacre: the unfortunately named Carnivore sniffer.

Carnivore is a network tool based on commercial code used by the FBI to eavesdrop on suspect traffic in court-ordered Internet wiretaps.

Despite the program's ominous name, Carnivore really is a benign tool with limited application, the FBI has said. Trust us.

But trust comes hard these days.

Carnivore entered the limelight when Internet service provider EarthLink Inc. of Atlanta sued the FBI in July, claiming Carnivore had crashed servers.

Show us the code

Privacy advocates, libertarians and industry watchdogs began demanding answers about Carnivore that the FBI couldn't give. Show us the code, they demanded.

But the bureau can't hand around the source code to the commercial products it licenses, either.

Justice has agreed to submit Carnivore to a limited evaluation. But even the evaluation process has been criticized by some academics who claim that restrictions make the department appear to be seeking a whitewash.

Meanwhile, a possible open-source alternative to carnivore might let service providers do court-ordered sniffing with full access to source code.

Robert Graham, chief technical officer and cofounder of Network Ice Corp. of San Mateo, Calif., put together a first draft of the code for Altivore after reading the Carnivore specifications in Justice's request for evaluation proposals.

'I wrote up a utility that matched the scenarios outlined by the FBI and posted it on the network,' Graham said. 'What we're doing with Altivore is giving an ISP a way of getting the data without having the FBI put a box on it.'

The idea is that if Internet providers use an open-source tool, there should be no questions raised as to its privacy-breaching ability. The FBI gets the evidence, the bad guys go to jail and no one else is compromised.

Unfinished business

Altivore is not yet a finished product, however.

'There are bugs,' Graham said. 'I know what some of them are, and there are probably others I don't know about.'

He is not working actively on the tool right now, but he has made it available at www.networkice.com/altivore for others to take a crack at.

Graham said he has gotten little feedback on the code since posting it on Sept. 9, although one large provider has contacted him about testing Altivore on its network.

None of this activity ensures that we will live happily ever after, of course.

The FBI will have to be convinced that an open-source tool cannot be circumvented by hackers, terrorists and other assorted perps.

But if the bureau is serious about earning the trust of the private sector, it should be glad of any opportunity to dump its Carnivore baggage.

inside gcn

  • security compliance

    Security fundamentals: Policy compliance

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group