The League of The South

Is the government spying on you - Part 2 Carnivore Capability
by Mike Crane, Morganton Georgia

In the previous--and initial--article I demonstrated the ease with which a private citizen can access public record information about the existence of a tax payer funded U.S. government spy system. This article presents some of the documented and known capabilities of this now-obsolete Carnivore system which was developed during the Clinton Administration (1993-2001).

As brief background, one needs to remember (or, for the younger readers, to understand) what the internet communications and computer market looked like around the turn of the last century.

[Chart showing the increase in computer CPU speed]

  • Connectivity: The majority of internet connections were 9600 baud dial-up modems. Broadband-speed DSL was growing very fast in market share. The author of this article was one of the first round of customers to have DSL installed in this rural mountainous area of north Georgia in the year 2000.
  • Processing Power: The growth in processing power has been nothing less than amazing. The chart above shows the growth in just one factor of processing power, CPU speed. Other factors such as memory cost, memory speed, support chips, etc. have all shown this same amazing growth in capability.
  • Storage Capacity: The amount of data that can be stored on a hard drive, and the speed at which it can be stored and retrieved, has increased more than tenfold since the late 1990s. Terabyte drives (1,000 gigabytes) are even available now for the home PC market at very reasonable prices.

So with this background, let's look at what information about this taxpayer-funded system was squeezed out of the FBI by lawsuits and Freedom of Information requests. Obtaining this information was opposed and resisted by the government at every step.

Carnivore Details Emerge
Kevin Poulsen, SecurityFocus 2000-10-04

A web spying capability, multi-million dollar price tag, and a secret Carnivore ancestor are some of the details to poke through heavy FBI editing.

"Carnivore is remarkably tolerant of network aberration, such a speed change, data corruption and targeted smurf type attacks." -- FBI report

WASHINGTON--The FBI's Carnivore surveillance tool monitors more than just email. Newly declassified documents obtained by Electronic Privacy Information Center (EPIC) under the Freedom of Information Act reveal that Carnivore can monitor all of a target user's Internet traffic, and, in conjunction with other FBI tools, can reconstruct web pages exactly as a surveillance target saw them while surfing the web.

The capability is one of the new details to emerge from some six-hundred pages of heavily redacted documents given to the Washington-based nonprofit group this week, and reviewed by SecurityFocus Wednesday. The documents confirm that Carnivore grew from an earlier FBI project called Omnivore, but reveal for the first time that Omnivore itself replaced a still older tool. The name of that project was carefully blacked out of the documents, and remains classified "secret."

The older surveillance system had "deficiencies that rendered the design solution unacceptable." The project was eventually shut down.

Development of Omnivore began in February 1997, and the first prototypes were delivered on October 31st of that year. The FBI's eagerness to use the system may have slowed its development: one report notes that it became "difficult to maintain the schedule," because the Bureau deployed the nascent surveillance tool for "several emergency situations" while it was still in beta release. "The field deployments used development team personnel to support the technical challenges surrounding the insertion of the OMNIVORE device," reads the report.

The 'Phiple Troenix' Project

In September 1998, the FBI network surveillance lab in Quantico launched a project to move Omnivore from Sun's Solaris operating system to a Windows NT platform. "This will facilitate the miniaturization of the system and support a wide range of personal computer (PC) equipment," notes the project's Statement of Need. (Other reasons for the switch were redacted from the documents.)

The project was called "Phiple Troenix"--apparently a spoonerism of "Triple Phoenix," a type of palm tree--and its result was dubbed "Carnivore." Phiple Troenix's estimated price tag of $800,000 included training for personnel at the Bureau's Washington-based National Infrastructure Protection Center (NIPC). Meanwhile, the Omnivore project was formally closed down in June 1999, with a final cost of $900,000.

Carnivore came out of beta with version 1.2, released in September 1999. As of May 2000, it was in version 1.3.4. At that time it underwent an exhaustive series of carefully prescribed tests under a variety of conditions. The results, according to a memo from the FBI lab, were positive. "Carnivore is remarkably tolerant of network aberration, such a speed change, data corruption and targeted smurf type attacks."

The FBI can configure the tool to store all traffic to or from a particular Internet IP address, while monitoring DHCP and RADIUS protocols to track a particular user. In "pen mode," in which it implements a limited type of surveillance not requiring a wiretap warrant, Carnivore can capture all packet header information for a targeted user, or zero in on email addresses or FTP login data.

Web Surveillance

Version 2.0 will include the ability to display captured Internet traffic directly from Carnivore.

For now, the tool only stores data as raw packets, and another application called "Packeteer" is later used to process those packets. A third program called "CoolMiner" uses Packeteer's output to display and organize the intercepted data. Collectively, the three applications, Carnivore, Packeteer and CoolMiner, are referred to by the FBI lab as the "DragonWare suite."

The documents show that in tests, CoolMiner was able to reconstruct HTTP traffic captured by Carnivore into coherent web pages, a capability that would allow FBI agents to see the pages exactly as the user saw them while surfing the web.

Justice Department and FBI officials have testified that Carnivore is used almost exclusively to monitor email, but noted that it was capable of monitoring messages sent over web-based email services like Hotmail.

An "Enhanced Carnivore" contract began in November 1999, the papers show, and will run out in January of next year at a total cost of $650,000. Some of the documents show that the FBI plans to add yet more features to version 2.0 and 3.0 of the surveillance tool, but the details are almost entirely redacted.

A document subject to particularly heavy editing shows that the FBI was interested in voice over IP technology, and was in particular looking at protocols used by Net2Phone and FreeTel. EPIC attorney David Sobel said the organization intends to challenge the FBI's editing of the released documents.

In the meantime, EPIC is hurriedly scanning in the pages and putting them on the web, "so that the official technical review is not the only one," explained Sobel. "We want an unofficial review with as wide a range of participants as possible." The FBI's next release of documents is scheduled for mid-November.

Source: http://www.securityfocus.com/news/97

Some other publicly available documents:

Court Order to force Earthlink to install Carnivore

Letter to Senators requesting information

So we have a few details that can help demonstrate the capabilities of the U.S. government at this point in time, around 1999-2000.

Carnivore Capabilities around 2000.

The documents, at least those I have found available, provide very little technical information. But even with this minimal information available it is easy to detect some "smokescreens" at best or outright skullduggery, especially in the government statements on filtering. Note the following in the information cited above:

" ... can configure the tool to store all traffic to or from a particular Internet IP address ..."

[Chart showing the general contents of a TCP/IP packet]

This would imply a government tap at the packet level, at the IP or transport layer of the TCP/IP stack. Internet traffic is composed of small batches of data known as packets. Each packet has a header part and a data part. A server at an ISP can have hundreds or thousands of users concurrently connected, each sending and receiving a large number of packets, and the data stream contains the packets going to and from all of them. At this level it is not known, at the time a packet is received, what type of packet it is (email, login, browser, download, image, etc.).

The IP addresses of the sender and destination are in each packet. But here is where we see the possibility of some chicanery in the government statements. In the 1990s (and predominantly still today) the vast majority of connections to an ISP utilized "dynamic IPs." What this means is that when users activated their dial-up modem and established a connection with their ISP, they were temporarily assigned an IP address. It could be a different one every time they connected.

So to know what the IP address of a "suspect" was at the packet layer, the government would at some point have to process the packets associated with a particular user's login to determine the temporary IP address assigned. And guess what? To be able to log all internet traffic and to be able to filter on a specific court-approved suspect, the government would have to be able to capture login information. Now isn't that special!
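To make the point above concrete, here is an added example (mine, not from the article or the FBI documents) with constructed packets and ISP login/logout events. It shows that a header-only filter on a "suspect" has to read every user's login event to learn the dynamic IP, and that filtering on the bare address alone over-collects once the ISP reassigns that address to someone else:

```python
import socket
import struct

def build_ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header plus payload (checksum left as 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4_header(pkt):
    """Return only the header fields of an IPv4 packet; the data part is not read."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "total_len": f[2]}

# Constructed chronological stream as seen at the ISP: RADIUS/DHCP-style
# login/logout events ("login", user, ip) interleaved with packets ("pkt", bytes, None).
STREAM = [
    ("login", "alice", "10.0.0.5"),
    ("pkt", build_ipv4("10.0.0.5", "192.0.2.10", 6, b"GET / HTTP/1.0"), None),
    ("login", "bob", "10.0.0.9"),
    ("pkt", build_ipv4("192.0.2.20", "10.0.0.9", 6, b"mail for bob"), None),
    ("logout", "alice", "10.0.0.5"),
    ("login", "carol", "10.0.0.5"),          # alice's old address is reused
    ("pkt", build_ipv4("10.0.0.5", "192.0.2.30", 6, b"carol's traffic"), None),
]

def naive_ip_filter(stream, target_ip):
    """Store headers of everything to or from a fixed IP, as the quoted statement
    reads. After reassignment this captures the next user of that address."""
    return [parse_ipv4_header(p) for kind, p, _ in stream
            if kind == "pkt" and target_ip in parse_ipv4_header(p).values()]

def session_aware_filter(stream, target_user):
    """Learn the target's current dynamic IP from login/logout events and keep
    headers only while the address is theirs. Every event in the stream must be
    read to do this, whichever user it belongs to; events_read counts them."""
    current_ip, kept, events_read = None, [], 0
    for kind, a, b in stream:
        if kind == "pkt":
            h = parse_ipv4_header(a)
            if current_ip is not None and current_ip in (h["src"], h["dst"]):
                kept.append(h)
        else:
            events_read += 1
            if a == target_user:
                current_ip = b if kind == "login" else None
    return kept, events_read
```

With the constructed stream, the naive filter on 10.0.0.5 stores two packets (alice's and carol's), while the session-aware filter on "alice" keeps one but has to read all four login/logout events to know which address was hers and when.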

If you read the court order requiring Earthlink to install a Carnivore system, one of the issues they raised was concern for user privacy. Earthlink offered to provide the government all the data to which they were legally entitled and the government went to court to force Earthlink to give them access to much more.

The following statement in the information above confirms that the entire data stream was stored:

For now, the tool only stores data as raw packets, and another application called "Packeteer" is later used to process those packets. A third program called "CoolMiner" uses Packeteer's output to display and organize the intercepted data. Collectively, the three applications, Carnivore, Packeteer and CoolMiner, are referred to by the FBI lab as the "DragonWare suite."

Packeteer and CoolMiner used the stored raw data packets! Just as Earthlink cited in their effort to resist this government capability to spy on all users, the operation of Carnivore, Packeteer and CoolMiner required the storage of the raw data stream as would be expected. This would have to include analyzing login information to determine the dynamic IP assigned to the "suspect" authorized by the court.

This explains the future intent of the government in the year 2000 timeframe:

Some of the documents show that the FBI plans to add yet more features to version 2.0 and 3.0 of the surveillance tool, but the details are almost entirely redacted.

Of course we know that they would never exceed their legal limits!

So this is what we can establish circa 2000. The U.S. government

  • Had the capability to install a spy system that could record the entire data stream at an ISP (Internet Service Provider).
  • Would go to court to force an ISP to install a Carnivore system if needed.
  • Had additional applications that could analyze the stored raw data.
  • Had development plans for even more applications to extract more information from the stored raw data stream, even though the capability that already existed in the year 2000 exceeded what the government publicly admits today!

This system did have limitations.

The amount of traffic it could process was limited by the slower computers of that day. As we will see, this limitation has been solved by advancing technology.

It could not fully read and analyze some encrypted data, such as HTTPS websites, as this required either the collaboration of the ISP or more computing power than was available in the unit. As we saw in the Earthlink lawsuit and in recent media revelations, it appears that virtually all ISPs now collaborate with the government spy program(s).

What does this mean to you?

By around 2000 the government had the capability to record, store and analyze the vast majority of internet connections. And they actually used that system by applying pressure to "encourage" ISPs to collaborate. There were also plans to develop more capability. There is no doubt that the government was less than honest, and note that this was before 9/11 and the enactment of the Patriot Acts.

What you will see in the next few articles is government spy technology on steroids!

If this is disturbing, if this seems to be completely alien to your concept of government, consider coming to the 20th Annual League of the South Conference.

To be continued.

Copyright 1995-2014 AD League of the South, All Rights Reserved