LINUX SECURITY --- July 18, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters

*********************************************************************
HIGHLIGHTS

* The FBI's Carnivore could mean the end of online privacy
*********************************************************************

Is Privacy a Thing of the Past?
by Rick Johnson

If you have seen the news this week, then the FBI's latest tool should have you afraid to use the Internet. If you have not yet heard, here you go. The FBI system, dubbed Carnivore (http://www.fbi.gov/programs/carnivore/carnivore.htm), connects directly to an Internet Service Provider's network and has the potential to monitor all of the communications traveling through the network. It snoops e-mails, officials announced Friday.

The FBI claims it will use the system only with valid court orders and that Carnivore will allow it to narrowly target its investigations. Of course, the system has to review all traffic to decide what is logged. Anyone see a problem with this?

Through the Freedom of Information Act, the American Civil Liberties Union is trying to force the FBI to disclose details of the inner workings of its Carnivore system (http://www.idg.net/go.cgi?id=42853).

"The FBI takes the position of, 'Trust us, we're the government. Open your entire network to us,'" says Barry Steinhardt, associate director for the American Civil Liberties Union, which sent a letter about Carnivore to members of Congress. "There's no way for an ISP to know what they're doing."

The FBI refuses to reveal the inner workings of the Carnivore system to anyone. Due to the security concerns this presents, most ISPs are vowing to fight against any court order forcing the implementation of a Carnivore system. Having cut my teeth in this environment, I can tell you that an ISP is more than capable of complying with a court order and gathering any needed information.

In the past, the FBI has been a tremendous help in bringing to justice those who make the Internet unsafe. However, violating the privacy of many to convict one is not acceptable. I am by no means a paranoid conspiracy freak or anti-government activist. I am simply a concerned security administrator. I don't care whether it is a 14-year-old script kiddie or a 92-year-old government agency; if I'm not breaking the law, no one should have the capabilities to listen in on all traffic passing to and from my network.

So, what does this have to do with Linux security, you ask? It's the most basic form of security -- privacy. You can lock down your servers, but what good is it if the data leaving them is used against you? Sure, there are ways to encrypt standard services such as Web, mail, and FTP; however, they still maintain the ability to track where you visit and with whom you communicate.

Of course, the general mentality is, "If you aren't committing a crime then you have nothing to worry about." How do you argue with that kind of logic? Remember, Big Brother is not just a TV show.

OK, so occasionally I like to play the role of the paranoid security freak. Can you blame me?

Resources

Vendors test Web privacy standard
XML-tagged privacy statements will trigger users' privacy settings.
http://www2.itworld.com/cma/ett_article_frame/0,2848,1_1195,00.html

Workers not worried about e-mail privacy
People are using corporate e-mail less for personal business.
http://www2.itworld.com/cma/ett_article_frame/0,2848,1_1071,00.html

Linux FreeS/WAN offers secure Internet communications
EFF co-founder wants to ensure users' right to privacy.
http://www.linuxworld.com/linuxworld/lw-1999-04/lw-04-privacy.html

************************************************************************
About the author
----------------
Rick Johnson is currently the Manager of Security Services for an emerging Managed Service Provider.
When not writing, he heads the development team for PMFirewall, an Ipchains Firewall and Masquerading Configuration Utility for Linux.
Rick can be contacted via email at rick@pointman.org or on the web at http://www.pointman.org.
*********************************************************************