Slashdot Mirror
Linux and Forensic Discovery
Max Pyziur writes "Found this on cryptome.org where Linux is cited in a DOJ document against Moussaoui (sometimes referred to as the "20th man"). FBI: Moussaoui E-mail Not Recoverable - January 1, 2003." An interesting read which gives some insight into how computer evidence is handled in court.
Of the fact that lawyers will argue over anything.
Heh, this seems to be a discussion about whether they used "approved methods" of retrieving a deleted email. According to one person, the LinuxGNU was the only one approved by NIST (national institute of standards and technologies). This of course, is wrong...NIST doesn't "approve" software, they just test it and declare whether or not it works.
...someone in the government seems to realize that Microsoft can't be trusted ;-)
Don't you wish your girlfriend was a geek like me?
To anyone who is concerned about having their deleted files recovered, take a look at Wipe - in its strongest mode it will make 37 passes over the data in order to be sure that electron microscopes cannot reconstruct the bit patterns.
Linux is used by humans outside of the Slashdot community! Stay Tuned!
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
How is this news? They are using "dd" a Linux utility. Seeing "Linux" in an article does not warrant a story about it. This demeans Linux by using every little scrap of news to attempt to show that it is in use. Instead we should be demostrating it's uses, rather that reporting that it is in use.
I am Lord Snowbeam. Heed my call!
The test reults are abailable here:
http://www.ojp.usdoj.gov/nij/sciencetech/cftt.htm
The document states that image files were generated fo the contents of the hard drives. I do not have confidence that an image would also display latent data.
I know myself that when I do a data recovery on a system, I can get many more megs of recovered data from file fragments, deleted folders, etc than can fit on the drive. Most of this extra stuff ias junk data, but you get the idea.
There is no substitue for the original.
Recovery can require a minimum of specialized software or be as complicated as looking at the platters under an electron microscope. I see nothing here that indicates use of such specialized technology, and yet this is supposed to be a national security matter.
"It is a greater offense to steal men's labor, than their clothes"
A troll, of course, but due to lack of moderator points:
/dev/hdb
dd
Yep. That would be much simpler under Windows.
I thought Solitaire only duplicated wasted work hours!
If thou see a fair woman pay court to her, for thus thou wilt obtain love
Argh...Once more with preview:
/dev/hda > /dev/hdb
dd <
Oohhhhhh... Someone said the word ``Linux"... Better put it on the front page...
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Actually, if you read on in the article, they state that Linux dd COULD have been used, that NIST had tested it and found it acceptable, but if you read the procedures used to the four HDDs, they actually used the other methods listed exclusively.
Sept. 10, 2001
Zach,
We're going off flying tommorrow, hope to see you on the other side. Last one there gets the 70 ugliest virgins!
M. Atta
Trolling is a art,
dd is a common Unix program. The SGIs at work have it, my various BSDs at home and work have it and Linux has it.
Trolling is a art,
You do realize that in the event of a search warrant or subpoena that privacy policy no longer applies, right? Of course, they can't turn over anything they no longer have, but if they have it the government will too. On a side note, the libraries in my city (seattle) have a very explicit privacy policy that states that they do not ever save information about books a patron has read and returned. The only things on the books are currently checked-out items, for exactly this reason.
It's not hard at all to modify data to create any hash value that you want, especially when you're including "deleted space" in the CRC calculations...
That kind of depends on the strength of the hash algorithm, wouldn't you say?
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
(Recall that Massaoui was already in jail before Sep. 11. These pre-Sep. 11 e-mail search requests were rebuffed, according to FBI whistleblower Colleen Rowley.)
Sure you can. But to be able to do it with something like MD5, you need to factor some very large prime numbers. Hence the security.
but according to NIST, and my own experince, such is not the case. Not only is dd cheaper by thousands of dollars than the "professional" apps made to do such things, but it's often *more* effective, and almost always easier to use.
At its heart it's just a simple copy command.
In fact, the dd tool is so simple, and simple minded, that it would be easier to write a simple graphical front end for it than to learn the GUI of exiting Windows apps designed to do the same thing.
I don't know quite how to break this to you, but *sometimes* language is the simpler, more powerful and more *intuitive* means of getting something across than pointing at a picture and grunting.
Unless, of course, your intellect hasn't yet advanced to that level of sophistication.
KFG
Great idea. dd comes as standard with Linux, do you happen to know the name of the util that comes with Windows that can do what dd can do?
:)
P.S. good troll
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
Oops...If they were prime, they would be easy to factor. You need to factor the products of some very large primes.
(The last post wasn't a mistake--it was my intentional FUD to keep the terrorist from figuring out RSA. Shhhh!)
The contents any LBA that is in the drive's remap table (i.e. blocks that the drive electronics have previously determined either to be bad or going bad) aren't captured by dd - the drive instead sends the data payload corresponding to the LBA's remapped physical address. The bad/bad-ish block remains, and its data is quite possibly still valid (or perhaps valid but for a couple of localised errors). These blocks thus hold tiny slivers of data stored on the drive sometime in the past (the last thing written before the block went bad).
Although this missed data represents a microscopic fraction of the total data on the disk it could, at least in theory, contain recoverable data of an evidenciary nature. The only way to see this is a drive-vendor specific low-level read - I don't know much about the other two tools the article describes, but it doesn't sound like those do that either.
Given that there's only a handful of drive manufacturers left, and the (non-servo) parts of the firmware on their drives doesn't vary hugely between models, it really wouldn't be too hard for law-enforcement types to have proper physical-level imaging tools for any drive they're likely to encounter.
## W.Finlay McWalter ## http://www.mcwalter.org ##
It doesn't mean anything if you don't read the affidavit. Linux dd was used (is used) as one of 3 methods by the FBI CART to image disks during discovery. That's all it means.
Linux is made in America and other places, too.
www.dedserius.com
VB != VisualBasic
-
The Eagan, Minnesota Kinkos Computers
This would be rather thorough, it seems.19. The Initial September 2001 Inquiry at the Eagan, MN Kinkos: On October 17, 2002, I spoke with Minneapolis FBI Special Agent David Rapp. At that time, SA Rapp told me that, to the best of SA Rapps unrefreshed recollection, on or about September 19, 2001, SA Rapp went to the Kinkos store in Eagan, Minnesota, to inquire about a receipt found on the person of Zacarias Moussaoui at the time of his arrest. At that time, SA Rapp met with a person who represented himself as a Kinkos employee responsible for managing and maintaining customer computer workstations. At that time, the Kinkos employee informed SA Rapp, in substance, as follows:
(A) The Kinkos receipt did indicate that a computer workstation had been utilized;
(B) It could not be determined from the copy of the Moussaoui receipt alone which computer workstation was used;
(C) In response to SA Rapps inquiry about the possibility of acquiring any information from the computer workstations regarding the use of the computers by Moussaoui, the Kinkos employee stated that, since the date of the receipt, all computers had been wiped clean/formatted and started with a fresh install; and,
(D) The computer workstations were generally wiped weekly or bi-weekly approximately, even though Kinkos policy called for weekly wipings. At a minimum, the Eagan Kinkos store wiped the computers at least once per month.
[....]
21. Eagan Follow-up: On October 11, 2002, I requested that the Minneapolis FBI Field Office contact Kinkos personnel at the Eagan store and determine if, as alleged by the defense, the Kinkos computer could still maintain evidence of defendant Zacarias Moussaouis use from August 2001. On or about October 15, 2002, Special Agents Brendan Hansen and Christopher Lester visited the Eagan Kinkos and interviewed Brian Fay, who, as of August 11, 2001, was one of two Kinkos employees who knew how to restore an image onto the six computers with internet access designated for customer use. Mr. Fay stated that the six computers presently at the store are the same computers (with the same hard drives) that were present in August of 2001. These six computers are leased and scheduled to be replaced at the end of this year.
The computers are maintained by formatting the computers hard drives and reloading an image using Norton Ghost whenever business is slow and time allows. There are no logs recording the dates or frequency of loading images on to the computers and Fay could not estimate how frequently they were imaged. Although Fay was not personally familiar with the exact details of the formatting and imaging process he administers to the computers, Fay had been advised by Kinkos that the formatting and restoration process destroyed all files associated with previous users.
ouch
"It is a greater offense to steal men's labor, than their clothes"
From http://www.itl.nist.gov/fipspubs/fip180-1.htm:
So yes, two different files can have the same hash, but it's infeasible to do this. That's why hashing methods like SHA are used in cryptography; SHA-1 is used in DSA signatures.the shred utility will only work on non-log structured and non-journaling filesystems, i.e. ext2, but not ext3, jfs, reiserfs, etc. see: "man 1 shred" for more info.
That's a load of crap! It's not hard at all to modify data to create any hash value that you want, especially when you're including "deleted space" in the CRC calculations...
CRC-32, sure. CRC is meant to check for small random transmission errors, not to function as a secure hash algorithm. But if you've figured out a way to force data to match a given SHA-1, you better get a press agent and a secretary because every crypto nut in the world is gonna call bullshit. And no, "trying lots of combinations" doesn't count.
Not only was the word "Linux" mentioned, but so were the words "computer evidence," and "court."
Hey, this is Slashdot. News for Nerds. Stuff that matters.
A lot of us are interested in things such as Linux and computer security. I found this document to be an interesting read, and I am glad it was posted on Slashdot.
No, what they are saying is that they copied a disc and the two discs had the same hash value.
If you *don't care* what the contents of the original disc are, as is the case with forensic investigation, only that the dupe acurately reflects it, than checking the hash value of both against each is a perfectly valid test.
What they're testing for here *is* random errors in the copy process, not intentional tampering.
KFG
He probably just had one or two drives, but they were really big, so they were the equivalent of 140 drives.
"Sic Semper Tyrannosaurus Rex."
Well, that is primarily indicative of your ignorance of Linux and your willingness to buy into Microsoft propaganda.
i mean it must be easier to find the tool under windows thebn setup a linux machine
There is nothing to set up. Linux can boot and run from CD, with all software installed (check for DemonLinux and Knoppix, for example). That's one of the many reasons Linux is so good at this sort of thing.
How easy is it?
- Connect drive you want to copy to to the disk controller or USB port, or plug in Ethernet card.
- Insert bootable Linux CD and boot from CD.
- If you just want to mirror the drive, type something like "dd if=/dev/hda of=/dev/hdb".
- To mirror it over the network, type something like "pump; cat
/dev/hda | ssh me@host cat \> image".
I mean, how much easier can it get?For forensic applications, you might want to make sure that you hardware write-protect the source drive first, just to avoid accidents.
These people know what they are doing and how to reduce their workload. That is why they are using Linux.
You can't win -- bungling cuts both ways.
Anyone wonder why the heck the Minnesota FBI office went to Washington for a piddly search warrant, instead of their friendly local court? Because this was not an ordinary warrant, but a national security warrant designed to investigate suspected terrorists who might not have committed any crime to provide probable cause for a regular warrant. (You know, like Minority Report. OK, it's not that bad.
It will be interesting to see who gets blamed once all of the finger-pointing is over.
From NYT by James Risen*:
* Another little note -- James Risen with Jeff Gerth were the NYT reporters blamed with stoking the fire over Wen Ho Lee debacle. Of course, lots of people were blamed -- sound familiar?
Well duh. That's their *job.*
KFG
While I know you are trolling I will bit anyway.
Not only is dd on various *nixes, bsd's, etc, it is also available on windows. It is called cygwin, and it has dd also.
I mod down any one who says "I'm sure I will get modded down for this"
You say that the FBI was "too cautious" -- do you have any evidence that that was the motive?
I see no irony in being a privacy advocate while decrying FBI supervisors for denying the request to search Moussaoui's e-mail.
P.S. In another related story, the FBI supervisor who thwarted Rowley's investigation recently got a big cash bonus.
Are they saying that two different files can't have the same hash value? That's a load of crap! It's not hard at all to modify data to create any hash value that you want, especially when you're including "deleted space" in the CRC calculations... It's good at telling you if there were any random modifications caused by errors during copying, but not that the files are identical.
There are no known examples of two files that have the same MD5 (or SHA-1) hash values, so I think you should reevaluate your statement. While it certainly is true that such files do exist (2^128 MD5 values, > 2^128 possible files, pigeon-hole principle, etc...), that does not mean that finding them is computationally easy or even possible.
A brute force search of files would require ~2^128 files to be search to find a match. If 2^32 computers each processed 2^16 files a second on average per year (60*60*24*365 20^30 seconds), then it would take greater than 2^50 years to find a match. Equivalently, the odds that any of the files that have ever been produced by humans have the same MD5 are pretty bad.
It might be possbile that a cryptographic flaw in MD5 exists that could be exploited to reduce the number of files that needed to be searched. I believe no such flaw is known. If one does exist, I'm quite sure it doesn't provide dramatic benefits.
Given the weight of the issue and the evidence that could be contained on the disks therein, and given that the US government has an unlimited budget whenever anyone says "terrorism", why they went with dd (or the equivalent ) to copy a disk is beyond me.
I've seen doughnut shops have their hard disks worked on with more advanced technology.
Shouldn't they have taken the hard disk to a clean room, removed the platters from the disk and painstaking recorded every nanometer of them? I wouldn't trust a suspect's hard disk to make a copy of itself.
At the current state of the art, your best bet is to buy a new disk, and make sure that you never put any unencrypted bits on it: use a cryptographic filesystem such as CFS, and make sure your swap is encrypted also. As Gutmann notes, you may also want to take measures to make sure that sensitive data doesn't sit in RAM too long (!).
Once data is in clear on disk, there's really no way to be sure it's gone except to physically destroy the platter.
I don't of course know whether they would have gotten the warrant had they been allowed to present the case to the intelligence court. Hindsight is always distorting. But the reason cited by the central office was concern they might not get it, and I think up to now they've gotten just about everything they asked for and are worried about wearing out their welcome.
This will all be easier to judge once the 9/11 commission issues its report. What? There's no 9/11 commission? But it's been more thann a year! How could that be? (shock, outrage) My point is that the facts are there for the taking but a certain administration is actively resisting unearthing them. Not a conspiracy, just politics as usual.
Irony -- I meant it is ironic they didn't search when they should have, whereas elsewhere they have searched where they should not.
someone already made that for you.
e raser. html
The dude is in our local lug, http://www.sslug.dk/ and his name is Ole "perl" Tange.
You can get the program here
http://www.linux-kurser.dk/secure_harddisk_
...encrypting stuff in the first place using Bestcrypt / PGPdisk / whatever would make the entire wiping/recovery discussion (-1, Redundant) when it comes to collecting evidence.
Kjella
Live today, because you never know what tomorrow brings
Call this off-topic if you must, but I've seen gazillions of posts in this and many other threads about forensics and data recovery that are terribly misinformed about the realities of the field. Here's the two cents of a real, live forensic examiner:
/dev/hdX in vi, and starts paging through 5 GB or hex? Oh, god, no--that would take years. Making the bitstream image is the easy part, and your choices are virtually unlimited. For the actual analysis (what does it MEAN), you need something that can examine an allocation table, interpret the results, and display the contents in an easy-to-understand format. You need software that can quickly search across a drive for a particular keyword, regular expression, or file signature. You need something that can analyze data for randomness in order to re-assemble images that have been chunked out across virtual memory. Linux does NOT have basic utilities for all of this, and neither does Windows.
First, it is NOT realistically possible to recover data that has been overwritten ONE time. Yes, yes--I've read all the white papers on magnetic force microscopy (MFM) and I understand that a theory exists about recovery of overwritten data. In practice, nobody actually does it. Maybe one time, six years ago, some dude at NASA or MIT actually made this work conditions on an older disk with a lower bit density, but anyone telling you that old patterns can be read in the real world is full of shit. And yes, it's been tried. Millions have been spent on this, and nobody can do it. Anybody selling you software that claims under laboratory to be "more secure" because it overwrites more than once is being silly. It's not even paranoia, just lacking a clue.
That's why forensic examiners don't need to have the original media. In fact, one of the big tenets of the job is to never, ever, ever perform analysis on the originals. You make a bitstream copy of the perp's (excuse me, "client's") disk, and you work with that.
Oh, and electron microscopes have nothing to do with this theorized recovery process. MFM is a related but very different technology.
Second, Linux versus Windows versus LogicCube versus ImageMasster (another brand) is utterly beside the point. Forensic shops use what they find to be cost effective, fast, and convenient. The dd command is great, and all, and many examiners use it on Linux platforms for their disk imaging needs, but it's not an analytical tool.
Let me put it this way: do you actually think that a forensic examiner sits down, opens
Last, a good forensic examiner is less constrained by his/her knowledge of computers than by his/her investigative skills. I know more about operating systems, file allocation, and troubleshooting than any of the 30-50 year old former cops/feds/spooks that I work with, but they're capable of far more effective work than I am. Why? Because once you have a few basic computer operations taken care of, the work has as much to do with computers as Computer Science does.
The folks that put the child pornographers, embezzlers, script kiddies, and the rest of the computer criminals in jail generally know much, much less than you about computers, Slashdotters. They also don't give a rat's ass about Linux, Windows, Bill Gates, RMS, or any of it.
Well, it's not like privacy policies are legally binding or anything, either. You can promise all the privacy you want but be lying through your teeth.
Sorry, not even close.
MD5 has been compromised in a paper by Hans Dobbertin of the German Ministry of Information. The compromise is less than a total break but it is also now 8 years old.
MD5 uses only operations on 32 bit integers, addition, rotation and booleans. It does not use large integers of prime numbers.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
My own personal security is not enhanced in the least by an organization representing millions of heavily armed enforcers watching my every move. Quite the opposite, really: if I do something that gets on the nerves of some frustrated jerk in the Department of Ugly Euphemisms, he can most likely direct some men with guns to emphatically worsen the state of my world.
Government needs reasonable resource allocation first (I know, let's let murderers out early so we have more room to imprison pot smokers!), greater competence second, and maybe, just maybe, more investigative power last.
There are no known examples of two files that have the same MD5 (or SHA-1) hash values
:)
Sorry, my original message was kind of weak
The programs that the government uses to do the copy use CRC32, which is very easy to get around. The CRC32 values are listed in section 13 of the expert's affadavit. The government says that this is enough to authenticate the data.
SafeBack and the Logicube SFK-000A incorporate reliable internal CRC verification techniques, CART procedures do not require examiners to generate separate MD5 or SH-1 hashes for computers imaged using SafeBack or Logicube SFK-000A disk duplicator....All hard drives in this case were imaged by one of the three programs used by the FBI, all of which are recognized by the scientific community as reliable imaging programs. Thus, there should be no question about the authenticity of any of the hard drives.
In terms of autenticating evidence for use in court, shouldn't the government be using something stronger than CRC? If I were on the defense's side, I would tear this apart - the MD5 hash that they eventually received was taken well after the original image was created, leaving plenty of time to alter any data. There was ample opportunity for somebody (whether as part of a "government conspiracy" or as an overzealous investigator/prosecutor) to alter both the image and the original hard drive before taking the MD5 hash, and before the image was delivered to the defense as part of discovery. There's no use in having an MD5 hash if all it is doing is verifying that you have an exact copy of data that has been tampered with. The government should, as standard practice, take the MD5 hash before they even make the first image, and preserve that record along with other evidence. This would make it much more difficult for the defense to claim that the data presented in discovery or at trial is not authentic.
Ask your self: How the hell did they know to image his laptop on September 11th? This means they already knew he was part of the attack, and they were already on to him. Funny how we, the people, were never warned.
that does not mean that finding them is computationally easy or even possible.
:) )
/matter/ that MD5 is on shaky ground wrt to strength against collission attacks. The use of MD5 here is to verify that the copies are the same as the original images and that there werent any errors introduced during copying. For this purpose MD5 is fine.
Actually, there are well known issues with MD5 that make it susceptible to collission searches, see:
H. Dobbertin, "The Status of MD5 After a Recent Attack", RSA Labs' CryptoBytes, Vol. 2 No. 2, Summer 1996.
http://www.rsa.com/rsalabs/pubs/cryptobytes.html
dont think that URL works anymore. This one does, in which Robshaw gives an overview of the problems:
ftp://ftp.rsa.com/pub/pdfs/bulletn4.pdf
Basically, it has been demonstrated by Dobertin in 1996 that data with a colliding hash can be found with 10 odd hours of processing from a (by now very low powered) PC. Admittedly only for the compression round of MD5, not for the full set of rounds specified by MD5, however it is feared that existing techniques (ie those used to break MD4) can be applied to MD5. (indeed this is what Dobertin demonstrated). TTBOMK there is no known collision attack against the full MD5 algorithm. (least not public knowledge anyway
So your assertion is incorrect with respect to MD5.
SHA-1 is currently considered to be safe from hash collission attacks. However, that is not really relevant as the FBI specifically are using CRC-32 and MD5.
However, presuming that the question is not one of the FBI having deliberately modified the images, it does not
I use Friend/Foe + mod-point modifiers as a karma/reputation system.
I read the NIST document and noticed they mentioned a limitation of dd.
When copying, dd only copies entire blocks. If there is an incomplete block of information remaining at the end of the disk, for example, dd will not copy that last block at all.
Since dd defaults to a block size of 1024 bytes, and PC hard drives use a sector size of 512 bytes, this could happen. In this case, dd will not copy the final sector of the hard disk, as it is an incomplete block.
Because of a stupid decision made decades ago, traditional PC hard disk addressing uses 63 sectors per track, not 64. Therefore, odd total numbers of sectors are common. Modern addressing does away with CHS and just numbers all sectors from 0 to the end of the disk (many millions, in most cases). Still, because of the legacy of having 63 sectors per track, many disks have an odd total number of sectors.
It would be nice if dd had an option to correctly copy a partial block at the end of the source. If there is an incomplete block, it should simply copy one byte at a time until there are no more bytes to copy.
This would be easy to add to dd. Has it been done already? If so, it should be documented. Making it the default behaviour might break existing applications, so have it as an option that is highly recommended.
Dr. Demento On The 'Net!
/cydrive/c /cygdrive/d
I mod down any one who says "I'm sure I will get modded down for this"
A message...I don't know that it's even a complete sentence. I thought the bold just made it stand out from the rest of my post. You know, make it easy for people to see that it's a sig.
Sorry if the over-the-top emphasis on the letters made your eyes hurt. I'm sure that a couple asprin will make the headache go away by morning.
Assuming of course, that your key is secure. You willing to bet on that?
Are you sure about that? I thought that published privacy policies were considered legal contracts..?
Unless your recovery efforts involve custom hardware, the disk image obtained with "dd", together with bad block information and drive geometry, contains every bit of information you are ever going to get out of that drive. Any software-based recovery working on that image is going to be equivalent to recovery working on the original drive.
Not so! Remember, when you're using dd, you're still using a relatively high level protocol to talk to the drive. If you can get the drive into a "test" mode, where you can talk to the actual registers on the drive, there's a heck of a lot more you can do. For example, on some drives, you could tweak the positional calibration registers and move the head fractional tracks, reading the data at each step, and maybe pick up some data at the edges of the track that wouldn't be picked up in the center. (You're hoping that there was a slight positional drift from when the data was written to when the data was erased).
Now actually getting the drive into "test" mode, talking to the registers, and knowing what the hell the registers actually do is very difficult; you're basicallly talking about documentation that only an engineer working at a drive manufacturer would have. (And of course, this stuff is all non-standard, since it's never supposed to be directly accessed...so each model or family of drives would have different capablilties) This is pretty much the definition of "deep magic." But for the select few who have access to that documentation, some amazing tricks are possible.
Well, you could go both ways on it. But I can't imagine how they could be. There's no specific law for them, as far as I know, and they don't fall under any other area of contract law (for many of the same reasons EULA's don't). Best you could do would be to sue for nebulous damages that arose from a website giving out your personal info, which you could do privacy policy or no, but you'd have an easier time in court if they had one they violated.
Actually, it's not even GNU/Linux dd. dd is part of the coreutils package and is written by the GNU folks; it has nothing to do with Linux, other than GNU/Linux happens to include coreutils, which includes dd.
So, it's GNU dd.
did I read in all the legal bullshit that all the FBI uses for verification is a CRC sum?
It's easy to defeat CRC - just add empty space to the end of each file until you get the result you want. SHA-1 or MD-5 is safe(ish), but a straight CRC is too easy to forge.
I wouddn't trust these disk copies with a bargegepole.
oh brave new world, that has such people in it!
wrong again.
Wrong in what way?
Are you suggesting that < and > won't substitute for if= and of=? Or perhaps you are suggesting that one must specify specific partitions to dd?
In either case, I'm not wrong. GNU dd, as provided by Linux distributions accepts < and >. And specifying a device rather than a partition is accepted, and works as expected. Everyone has used this same command form to make boot floppies, right?
And where are you getting the bit about a boot CD? I didn't say anything about a boot CD, nor did the parent to my post. The two issues are entirely orthogonal. Strange post all-around...or maybe just more subtle trolling.
Anyone whose even stepped foot into a "Computer Crimes" department (or whatever your local police call their Info Warriors) knows they have been using *nix since day 1 in forensics.
/. wants to convey?
This is not news, and the idea we should be getting all excited over this suggests that *nix is such a desperatly useless pos as to warrant mass praise whenever anyone actually finds a use. Is that really the message
So your assertion is incorrect with respect to MD5.
I disagree.
Part of the MD5 algorithm is analytically weak, but that falls far short of an actual working attack for the whole thing. Researchers suspect that this weakness MIGHT eventually lead to an analytic attack against the whole of MD5, but as yet, no such attack exists. As Robshaw said: "While the existence of pseudo-collisions is significant on an analytical level, it is of less practical importance."
Moreover...
"Note that existing signatures that were generated using MD5 are likely to remain safe from compromise since it seems that current techniques used to cryptanalyze MD5 do not offer any advantage in finding a second preimage. Existing signatures should not be considered as being at risk of compromise at this point."
You only need to do 2^64 calculations if you share the results among the participating computers, including storing the original files. I did not posit any such abiilty.
Since there are ~2^80 atoms in the known universe, I think it unlikely that any such storage mechanism will ever be built.
I did state there was no publically known attack against the full rounds of MD5. However, that was 7 years ago, it is not safe to assume that no one else continued on with this work.
I use Friend/Foe + mod-point modifiers as a karma/reputation system.