What is Carnivore, Really

by Achilles Outlaw, Ph.D.

Right off the bat: Carnivore isn't anything to write home about.  "Adventure" is a much scarier program.

We're scared of it because of all the mystery.  But when one peels back the black shroud, one will see something very different from what was expected.

Most of what we know about Carnivore and the other FBI snoop programs comes from declassified documents released during a lawsuit filed by the Electronic Privacy Information Center (EPIC).  750 pages were released, most of them significantly blacked out.  Included in these pages was the source code for OMNIVORE, the predecessor of Carnivore.  That's blacked out, too.

Based on these documents, we know only a few things.

Carnivore was supposedly conceived in February of 1997 as OMNIVORE, an early version that ran on Sun's Solaris platform.  A Windows NT version was released in 1999, which is the model used today.

Carnivore is an intercept program, using two methodologies: content wiretap and trap and trace/pen register.  Content wiretap is what it sounds like: capture all email messages (in both directions) from a given account, or capture all network traffic (both directions) to/from a specific account/IP address.  Pen register (outbound traffic) and trap and trace (inbound traffic) record only the addressing information of traffic to and from the target, whether that is a web site, an FTP server, or an email account: the addresses at either end of the connection, not what was said.

Basically, a full content wiretap has to be authorized by a federal judge under the wiretap statute, on a showing of probable cause, while a trap and trace/pen register order requires only a certification that the information is relevant to an ongoing investigation and is routinely granted.  Therefore it is "harder" to do a content wiretap.  The result is that Carnivore, if ever used, probably isn't copying the entire emails, only the "To:" and "From:" lines.  Technically, it can't even copy the "Subject:" line of an email because that would be considered content and as such requires a federal judge's order.

If all of this sounds no different than what any savvy webmaster or ordinary ISP can do, then you've gotten the point.

It is important to understand that Carnivore isn't some supercomputer in Quantico that gets directed at a suspect.  It really is quite benign.  Carnivore is literally a Commercial Off-the-Shelf (COTS) Windows NT box, Pentium III (or IV) with a huge drive (2 GB Jaz drive) to store information.  This box is taken to an ISP along with a court order/search warrant and information on who exactly they need to eavesdrop on.  "An undetermined employee at ABC Corporation" is not sufficient to permit the use of Carnivore.

Why bother with all this?

The ISP does not need to accept the box if it can provide the same information through other means, which is a lot easier than getting a Carnivore box set up.  In other words, the ISP can simply copy your emails for the FBI, and Carnivore never gets used.

Where it all gets sticky is when you try to understand exactly how Carnivore gets all this information.  Ostensibly, it is a packet sniffer that copies information as it passes by.  Everything, including email, goes out over the Internet in packets; Carnivore copies the packets that match its filter and reassembles them into the original stream, i.e. the complete email.  A packet may occasionally get missed, so only an incomplete email is reconstructed, but because the sequence numbers leave a visible hole it is always clear that a packet was missed, and which one.

The analogous situation is this: Carnivore is a computer that sits in the post office and looks at the return and destination address of every letter that goes by.  If either address matches the suspect's, the letter is copied and then sent back on its way.  No match: no copy.  Carnivore may copy only pages one, three, and four of the letter, but it will have clearly indicated that it missed page two.  To which I say: big deal.
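To make the post office analogy concrete, here is an added example (not code from the article, the FBI, or any Carnivore document) of what a pen-register-scoped sniffer has to do: reassemble one direction of a TCP conversation from the captured segments, note any hole that a missed packet left, pull the addressing lines out of the SMTP session, and store them only if the target's address is among them.  The session, the addresses, the sequence numbers and the helper names (Segment, reassemble, intercept, build_segments) are all constructed for the illustration; the content=True path shows what the same box would store under a full content order.

```python
# Added example (not the article's or the FBI's code): a toy pen-register
# filter over a reassembled TCP stream.  Everything below, including the
# SMTP session and the address names, is constructed for illustration.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments):
    """Stitch one direction of a TCP conversation back into a byte stream.

    Returns (stream, gaps).  A hole left by a missed packet is padded with
    b"?" and reported in gaps as (start_seq, end_seq), so the reconstruction
    says exactly which bytes were never seen.  Retransmitted overlap is dropped.
    """
    ordered = sorted(segments, key=lambda s: s.seq)
    stream, gaps = bytearray(), []
    expected = ordered[0].seq
    for seg in ordered:
        data = seg.payload
        if seg.seq > expected:                 # sequence jumped: a packet was missed
            gaps.append((expected, seg.seq))
            stream.extend(b"?" * (seg.seq - expected))
        elif seg.seq < expected:               # retransmission: keep only new bytes
            data = data[expected - seg.seq:]
        stream.extend(data)
        expected = max(expected, seg.seq + len(seg.payload))
    return bytes(stream), gaps


ENVELOPE_RE = re.compile(rb"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.I)
ADDRESSING_HEADERS = ("from", "to", "cc")


def parse_smtp_client(stream):
    """Split the client->server half of an SMTP session into envelope
    addresses, message headers and body (toy parser, one message per session)."""
    envelope, headers, body = [], {}, []
    in_data = in_body = False
    for line in stream.split(b"\r\n"):
        if not in_data:
            m = ENVELOPE_RE.match(line)
            if m:
                envelope.append((m.group(1).upper().decode(), m.group(2).decode("latin-1")))
            elif line.upper() == b"DATA":
                in_data = True
        elif line == b".":                     # end of message text
            in_data = in_body = False
        elif in_body:
            body.append(line)
        elif line == b"":                      # blank line ends the headers
            in_body = True
        else:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return envelope, headers, b"\r\n".join(body)


def intercept(segments, target, content=False):
    """Apply the scope of the order to one captured session.

    Pen-register / trap-and-trace scope (content=False): store only the
    addressing information (envelope MAIL FROM / RCPT TO plus From:/To:/Cc:),
    and only if `target` is one of those addresses.  Subject and body are
    parsed for framing but never stored.  Full-content scope (content=True)
    stores the message as well.  Anything not involving the target is dropped.
    """
    stream, gaps = reassemble(segments)
    envelope, headers, body = parse_smtp_client(stream)
    addresses = {addr.lower() for _, addr in envelope}
    addresses |= {headers[h].lower() for h in ADDRESSING_HEADERS if h in headers}
    if target.lower() not in addresses:
        return None                            # no match: no copy
    record = {
        "target": target,
        "envelope": envelope,
        "addressing": {h: headers[h] for h in ADDRESSING_HEADERS if h in headers},
        "missing_bytes": gaps,                 # the "page two is missing" note
    }
    if content:
        record["subject"] = headers.get("subject")
        record["body"] = body
    return record


# Constructed client->server half of an SMTP session, cut into segments.
SESSION = [
    b"HELO client.example.org\r\nMAIL FROM:<suspect@example.org>\r\n",
    b"RCPT TO:<friend@example.net>\r\nDATA\r\n",
    b"From: suspect@example.org\r\nTo: friend@example.net\r\n",
    b"Subject: lunch plans\r\n\r\n",
    b"Page one: meet at noon.\r\n",
    b"Page two: bring the bomb recipe book.\r\n",
    b"Page three: see you there.\r\n.\r\nQUIT\r\n",
]


def build_segments(chunks, drop=(), first_seq=1000):
    """Turn the chunks into Segments with consecutive sequence numbers,
    leaving out the indexes in `drop` to simulate packets the sniffer missed."""
    segs, seq = [], first_seq
    for i, chunk in enumerate(chunks):
        if i not in drop:
            segs.append(Segment(seq, chunk))
        seq += len(chunk)
    return segs


CAPTURED = build_segments(SESSION, drop={5})   # "page two" of the body was missed

if __name__ == "__main__":
    print(intercept(CAPTURED, "suspect@example.org"))                 # addressing only
    print(intercept(CAPTURED, "suspect@example.org", content=True))   # whole message, hole marked
    print(intercept(CAPTURED, "other@example.com"))                   # None: the word "bomb" changes nothing
```

Two things are worth noticing.  The filter never keys on the body, so the word "bomb" in the constructed message changes nothing unless the target's address is on the envelope or in the addressing headers.  And the pen-register restriction is enforced only by what the box chooses to store: the sniffer necessarily sees every byte on the wire, which is exactly why the argument over Carnivore comes down to trusting the box's configuration rather than its capability.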

Furthermore, interception orders are short-lived: a full content order runs for at most thirty days unless the judge extends it, and a pen register order for sixty.  So if Carnivore was installed, it likely would not be there for longer than that.

The point is that, once again, law enforcement is behind the curve.  Email sniffers have been around for a while.  Network ICE has an open-source version of Carnivore called Altivore (downloadable at www.networkice.com/altivore).  Packet logging will do essentially the same thing, as will tcpdump.  In fact, Carnivore itself is built with commercial products.  Robert Graham, author of a great FAQ (see below), guesses that EtherPeek, available to anyone, is used by Carnivore to capture IP address traffic.  (EtherPeek, along with other programs, is explicitly mentioned in the declassified documents.)  And, remember, the ISP can do all this for the FBI anyway; Carnivore doesn't need to be used.

Since Carnivore works off of an email address, it doesn't take a genius to circumvent it.  You can get a practically anonymous email account from Yahoo! (just make up the personal information; the IP address you log in from is still visible to the ISP, though), or use Mixmaster or another anonymous remailer.  And as Graham points out, it is a very easy defense to say "I didn't send that email - it was another guy using a Trojan horse."  You could even say someone sat at your terminal, hit Back on the browser enough times to get back into the email account, and wrote the offending emails.

So Carnivore isn't all it's cracked up to be.  But Carnivore is really only one part of a three part package called DragonWare Suite, the full capabilities of which are still unknown.

What is known comes from an analysis by a private firm called SecurityFocus: "[DragonWare Suite can] reconstruct web pages exactly as a surveillance target saw them while surfing the web."  What is also known are some of the programs involved in it: PACKETEER, COOLMINER, EtherPeek.  On some of the declassified pages are references to "voice over IP" interception (phone calls, or also voice chat?) but not how this is done (or if it is done at all).

An interesting side note is that an early version of Carnivore (version 1.2) had to be scrapped because it picked up too much information; version 2.0 was more surgical.  It seems at least a little odd that the FBI would want a snoop program that picked up less information.  Going back to the post office analogy, the early Carnivore started copying letters with addresses that resembled the suspect's - instead of only "John Browstein" it also copied "Joe Brown" and "J. Abrowny," etc.  I recognize that the reduction in capability was done because of public concerns over privacy, but it raises the question: if you can get more information, are there times when you actually do?  If you know the suspect's last name and home state but nothing else, could Carnivore be used to copy anything that matched?

What Carnivore can't do is sniff out "flagged" words.  For example, writing "Osama Bin Laden" and "bomb" will not get you picked up by Carnivore, because Carnivore works off of a known suspect's account or address, not content.

ECHELON, the NSA program that was (or was not) begun as far back as 1975, reportedly can do this very thing.  The claim goes so far as to say that even in 1975 the NSA could convert intercepted voice messages (i.e. phone calls) into text and search the transcription for flagged words, a claim that has never been publicly substantiated.  The important distinction is that Carnivore is used for prosecution, and as such needs to be specific and within the confines of the law.  ECHELON, if it is used, is for surveillance and identification, so it needs to be as broad as possible.  The NSA doesn't want to prosecute you (that's the Justice Department's job).  It wants to find you.  But what ECHELON is (and isn't) has to be discussed in a later article.  The particulars surrounding the question "What is ECHELON?" may be mysterious now.

But any policy hinging on mystery eventually tires.

One last curiosity: the FBI didn't make Carnivore or DragonWare Suite.  The FBI has budgeted $650,000 for a "Project ENHANCED CARNIVORE" and contracted a commercial firm to do the work.  The firm's identity was blacked out in the declassified documents.  Anyone want to take a guess?

For an excellent and much in-depth analysis of Carnivore, you can read Robert Graham's FAQ at www.robertgraham.com/pubs/carnivore-faq.html.  He is also the author of a great dictionary of hacking terms.  The declassified documents themselves can be seen at: www.epic.org/privacy/carnivore/foia_documents.html