Carnivore: Where Privacy Meets Security - Page 2

 By Martin Goslar | Posted Oct 17, 2000
Page 2 of 2   |  Back to Page 1
Print Article

The U.S. Justice Department reportedly expects universities and associated contractors to agree not to publish anything "sensitive," such as innovative high-speed data search and retrieval approaches. Researchers are to be limited to examining only those matters the government allows them to examine. And research teams must agree to clear all personnel working on the evaluation with the government. So, it's background checks for one and all--and bright red flags for academic types.

To their credit, the agency has done an outstanding job of making the electronic frontier safer from marauding bands of cyber-banditos. The FBI has also been a major player in developing The Internet Fraud Center, training law enforcement agencies in state-of-the-art cyber-investigation techniques such as identifying perpetrator electronic signatures, and working with a variety of organizations worldwide to establish systematic cyber-crime communication and cooperation.

Government Intervention
The National Infrastructure Protection Center (NIPC) is located at the FBI and responds to cyber-attacks in telecommunications and information, energy, banking and finance, transportation, government operations, and emergency services infrastructures. Among other things, it offers:

  • Expert law enforcement cyber-investigation skills
  • Cyber-threat assessment, warnings, and vulnerability insights
  • Support on state and local law enforcement cyber-investigations
  • Coordination of cyber-investigation training in public and private sectors
  • Assistance in cyber-attack reporting for internationally related incidents
  • CyberNotes newsletter, which offers security-related summaries

    Check out the Cyber Threat and Computer Intrusion Incident Reporting Guidelines Form at: http://www.nipc.gov/i ncident/incident.htm.

  • What's at Stake, and What We Can Do

    As you've undoubtedly noticed, two security worlds are evolving: electronic and physical. Like it or not, the electronic version is often more interesting--and more threatening--than the real world. Beyond the e-glitter is a world far more complex than most real world citizens can fully understand.

    On Sept. 6, 2000, before the U.S. Senate's Committee on the Judiciary, assistant FBI director Donald Kerr said, in part, "during all the filtering/processing no FBI personnel are seeing any information--all of the information filtering/processing, [which is] purely in a machine-readable format, is occurring exclusively 'within the box.' ''

    But the question remains; should U.S. citizens accept Kerr's statements? Well, yes and no. Yes, because we've got to believe in our law enforcement agencies. But no, because we should, in the words of Mikhail Gorbachev, "trust, but verify."

    On a national level, our efforts should be focused on establishing independent auditing and verification organizations to certify the compliance and cooperation of agencies and industries alike. While most of the U.S. attorney general's efforts to obtain an independent Carnivore evaluation appear to be for one-time certification, ongoing auditing of Carnivore and other investigative systems is needed. Open and cooperative communication must be the backbone of this effort.

    On a corporate level, security vendors are preparing the way to counter the likes of Carnivore. Welcome to security white hats offering protection from government white hats! Vendors are taking advantage of this privacy threat obstacle to market new e-mail security services. While some companies, including ChainMail Inc., in Charlottesville, Va., tout encryption products such as Antivore, other firms, including start-up Sigaba Corp., in San Mateo, Calif., stand to benefit from surveillance fears. What we need is more security market sophistication to establish a "meeting of the good guys to defeat the bad guys."

    The old agency attitude that all those individuals outside of law enforcement are "civilians" is irrational. Industry safeguards, including background checks and effective internal and external audits, remain mandatory. According to Craig McLaughlin, cofounder and CTO of Privada Inc., in Sunnyvale, Calif., protecting his company's identity privacy services is needed to counter privacy breaches--regardless of which organization is the illicit perpetrator.

    Bottom line: If your firm wants to ensure the confidentiality of its online business activity, a privacy infrastructure is needed pronto. Don't depend on either a government agency or any other security "white hat" that might turn color to protect you. If your firm is a multinational one, electronic highways often supercede geopolitical borders. Privacy protection in this global arena is magnified by the potential of multiple rogue agencies and organizations, each with different laws and technology approaches.

    Welcome to the world of private and enterprise counterintelligence operations. //

    Dr. Goslar is principal e-security analyst of E-PHD LLC, an e-security research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.

    Comment and Contribute
    (Maximum characters: 1200). You have
    characters left.
    Get the Latest Scoop with Networking Update Newsletter