Trust us, we’re from the government

August 30, 2007 by Dave Ross

The Electronic Frontier Foundation got access to documentation on the FBI’s DCS-3000 system, and a Columbia University computer science professor weighed in on the contents.

This is the successor to the infamous “Carnivore” (DCS-1000), and it’s the system responsible for listening in on your cellular calls.

I’m concerned about a longer-term issue: I don’t think the FBI really understands computer security. More precisely, while parts of the organization seem to, the overall design of the DCS-3000 system shows that when it comes to building and operating secure systems, they just don’t get it.

I’m not surprised. This is the same agency that gave us the Virtual Case File boondoggle, a project that still wasn’t close to completion after five years and $100 million. The problems with Virtual Case File are attributed to poor, inexperienced management and a poor software architecture.

The most obvious example is the account management scheme described in the DCS-3000 documents: there are no unprivileged userids. In fact, there are no individual userids; rather, there are two privileged accounts. [. . .]

Instead of personal userids, the FBI relies on log sheets. This may provide sufficient accountability if everyone follows the rules. It provides no protection against rule-breakers.

Did they learn anything from their experiences with Virtual Case File?

My biggest concern, though, lies in the words of one of the FBI’s own security evaluations: the biggest threat is from insiders. The network is properly encrypted for protection against outside attackers. The defenses against insiders — yes, rogue FBI agents or employees — are far too weak.

That sure sounds familiar.

 

Pregnancy Test

August 29, 2007 by Dave Ross

This gave me a chuckle this morning.

 

The Lemmings Story

August 26, 2007 by Dave Ross

A detailed account of the history of one of the most famous Amiga games ever: The Complete History of Lemmings.