Slashdot Mirror


Hackers Counter Microsoft COFEE With Some DECAF

An anonymous reader writes "Two developers have created 'Detect and Eliminate Computer Assisted Forensics' (DECAF). The tool tries to stop Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources. After COFEE was leaked to the Web, Microsoft issued takedown notices to sites hosting the software." The article notes that DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.

154 comments

  1. DECAF: A welcoming news by ub3r+n3u7r4l1st · · Score: 2, Insightful

    Less innocent people will be going to jail. Less family will be broke up.

    The time has come to rise against the machine.

    1. Re:DECAF: A welcoming news by skine · · Score: 5, Funny

      I prefer to RAGE against the machine.

      BAH-duh BAH BAH-duh BAH DAH-duh.

    2. Re:DECAF: A welcoming news by Anonymous Coward · · Score: 5, Funny

      Coding in the name of!

    3. Re:DECAF: A welcoming news by Anonymous Coward · · Score: 5, Funny

      Fuck you, I won't code what you tell me!

    4. Re:DECAF: A welcoming news by Wrath0fb0b · · Score: 2, Insightful

      Less innocent people will be going to jail. Less family will be broke up. [sic]

      Any particular reason to think innocent people are more likely to use DECAF than the guilty? I fail to see why technical savvy should be correlated with innocence or guilt.

    5. Re:DECAF: A welcoming news by Per+Wigren · · Score: 5, Funny

      Some of those who share sources
      are the same that hate bosses

      --
      My other account has a 3-digit UID.
    6. Re:DECAF: A welcoming news by L4t3r4lu5 · · Score: 2

      Rage Against The Machine - "Killing In The Name" for UK Christmas No.1!

      From the Facebook group: "Fed up of Simon Cowell's latest karaoke act being Christmas No. 1? Me too ... So who's up for a mass-purchase of the track 'KILLING IN THE NAME' from December 13th ... as a protest to the X Factor monotony?"

      I've bought it from iTunes, Amazon, and re-bought the album in my local HMV. Get it done, people.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    7. Re:DECAF: A welcoming news by dunkelfalke · · Score: 1

      Welcome, my son, welcome to the machine.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    8. Re:DECAF: A welcoming news by Anonymous Coward · · Score: 0

      So to protest the music industry, you want to give loads of cash to record labels? Fuck, man, you're a regular Che.

    9. Re:DECAF: A welcoming news by Anonymous Coward · · Score: 0

      Buying the album won't affect the Xmas number one singles charts...
       
      And if you're doing it to 'make a statement against the record labels' just realise that Rage are signed to Epic, who are a subsidiary of Sony, one of the 'Big Four'.

    10. Re:DECAF: A welcoming news by cyber-vandal · · Score: 1

      I've bought 3 copies and am looking forward to not having a karaoke number 1.

    11. Re:DECAF: A welcoming news by Anonymous Coward · · Score: 0

      And guess what?? Simon Cowell is one of the main men in Sony Records...

    12. Re:DECAF: A welcoming news by L4t3r4lu5 · · Score: 1

      I don't care whether Simon Cowell gets richer or not. I care that there is enough power held with the people to change history.

      You might think it's small fry changing the outcome of the Christmas charts, but what if the next Facebook group is "Labour are shafting our rights. Let's get them out!"

      Township called Rebellion indeed.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    13. Re:DECAF: A welcoming news by Anonymous Coward · · Score: 0

      Less innocent people will be going to jail. Less family will be broke up. [sic]

      Any particular reason to think innocent people are more likely to use DECAF than the guilty? I fail to see why technical savvy should be correlated with innocence or guilt.

      Insightful?! Mods are a little sleepy today?

      Note that the GP didn't say it will put disproportionally less innocent people - only that there will be less innocent people.

      In any case, you are wrong - there is a small disproportionality - guilty people leave other traces as well - innocent people's sole incrimination might be what's on their hard disk ;)

    14. Re:DECAF: A welcoming news by Rysc · · Score: 2, Informative

      Note that the GP didn't say it will put disproportionally fewer innocent people - only that there will be fewer innocent people.

      Fixed it for you. You and the OP made the same mistake. It's like nails on a chalk board, honestly!

      You can have fewer innocent people or you can have less innocent people, but it means different things. Less innocent people are not as innocent, fewer innocent people are of a smaller number.

      --
      I want my Cowboyneal
    15. Re:DECAF: A welcoming news by camg188 · · Score: 2, Insightful

      Why do you care about popularity ratings? Just listen to what you like. End of problem.

    16. Re:DECAF: A welcoming news by L4t3r4lu5 · · Score: 1

      It's not about popularity, it's about proving that the public en masse can change anything they want.

      I'm waiting for the "National ID card is a bad idea. Let's get it abandoned" group. Also called the "Vote for anyone but Labour" group.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    17. Re:DECAF: A welcoming news by StingyJack · · Score: 1

      That was actually bulls on parade

    18. Re:DECAF: A welcoming news by FatdogHaiku · · Score: 1

      It's not about popularity, it's about proving that the public en masse can change anything they want.

      True, as long as it is of no consequence. Anything business or government really want will come about one way or another... keeping people occupied with mindless drivel like entertainment just makes it all easier.
      Oh, someone is at the doo

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    19. Re:DECAF: A welcoming news by ViViDboarder · · Score: 1

      You do realize that people are writing the history of those people on singles chart as it is... This is a poor example of "changing" history. It would feel good if you did though, haha.

    20. Re:DECAF: A welcoming news by L4t3r4lu5 · · Score: 1

      But that's the point, isn't it. Start small, work upward...

      Rome wasn't built in a day, nor was it destroyed as such. I'm not promoting anarchy or disestablishmentarianism, but just that democracy is still possible. All it needs is for people to learn to get their news from multiple sources, check facts, read a little more, and investigate even a tiny amount into the back-hand / poison pill policies which are charged through Parliament on the back of "Think of the Children" / "Terrorism is bad!" legislation.

      God knows the idiot-box won't tell them that (Despite Cowell's idea to do Political X-Factor... God knows what effect that will have).

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    21. Re:DECAF: A welcoming news by dontmakemethink · · Score: 1

      I fail to see why technical savvy should be correlated with innocence or guilt.

      What exactly do you correlate Microsoft with? They routinely code more backdoors than a brothel, you really think their involvement with law enforcement won't backfire? Like you suggest, criminals are tech savvy too.

      --

      War as we knew it was obsolete
      Nothing could beat complete denial
      - Emily Haines
    22. Re:DECAF: A welcoming news by Anonymous Coward · · Score: 1, Insightful

      Less innocent people will be going to jail. Less family will be broke up. [sic]

      Any particular reason to think innocent people are more likely to use DECAF than the guilty? I fail to see why technical savvy should be correlated with innocence or guilt.

      No correlation is implied. Fewer people go to jail, both innocent and guilty.

    23. Re:DECAF: A welcoming news by ub3r+n3u7r4l1st · · Score: 1

      no wonder I screw up big time on Verbal section of the GRE test.

    24. Re:DECAF: A welcoming news by Anonymous Coward · · Score: 0

      Modded you up because, even though this bothers the ever-loving shit out of me every time I see it, I've decided to be less of a grammar nazi and have no other outlet for my urge to yell "get off my lawn!"

    25. Re:DECAF: A welcoming news by log0n · · Score: 1

      You win! By far the best!

  2. Perfect trojan horse by Anonymous Coward · · Score: 5, Insightful

    DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.

    Haha, that'd be the perfect trojan horse. Have people with (illicit) things to hide run a program that claims to prevent them from being caught, all the while this program is just reporting them. And even if they post code, they could just post any old source code and claim it was used to generate the executable.

    1. Re:Perfect trojan horse by Cryacin · · Score: 1

      Who says Microsoft didn't get a "contractor" to write this and release it in the wild? NT phone home!

      --
      Science advances one funeral at a time- Max Planck
    2. Re:Perfect trojan horse by Ihmhi · · Score: 4, Insightful

      And even if they post code, they could just post any old source code and claim it was used to generate the executable.

      Well yeah, until someone who has an I.Q. greater than a water buffalo compiles the source code and finds out that it doesn't match up with the finished DECAF product...

      That's the point of having source code out there in the first place. It can be inspected for everything from your everyday uh-ohs to your big time no-nos.

    3. Re:Perfect trojan horse by angelwolf71885 · · Score: 0

      *glowing finger points at DECAF* friend friend

    4. Re:Perfect trojan horse by calmofthestorm · · Score: 1

      If this is true then the NSA got a lot lazier, a lot more efficient, and a lot more effective. The Soviets pioneered denouncing your neighbors but this is one better.

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
    5. Re:Perfect trojan horse by Anonymous Coward · · Score: 2, Insightful

      And then someone with a little higher I.Q. takes the time to do something fun like disassemble the executable or hell, use wireshark to capture any network traffic the program might generate to see what it is actually doing.

    6. Re:Perfect trojan horse by Anonymous Coward · · Score: 1, Interesting

      "they could just post any old source code and claim it was used to generate the executable." ... which is why you read the code, and if you approve of the code, compile it yourself. If your C.S. skills aren't up to that level, then check with someone you trust as competent to do that code analysis/compilation.

      It's essentially the same with every program.

      But yeah, this looks like an exploit opportunity, and I won't run DECAF on any of my boxes (uh, wait... do I *have* any Windows boxes? Oh, yeah, my gaming box!) without first carefully isolating the code and analyzing what it does.

    7. Re:Perfect trojan horse by Stoian+Ivanov · · Score: 1

      This is the beauty of Open Source - you can build your own binaries when paranoid :)

    8. Re:Perfect trojan horse by Anonymous Coward · · Score: 0

      "until someone who has an I.Q. greater than a water buffalo"
      I won't have you besmirch the intelligence of bovine creatures with an affinity for bathing by likening to people who need to use software to defeat MS malware. Even such creatures know that if you want to do anything that the authorities or corporate oligarchy would disapprove of then you should be using Linux or better yet, OpenBSD. Please refrain from smearing the good name of our semi-aquatic hoofed friends.

    9. Re:Perfect trojan horse by Anonymous Coward · · Score: 0

      If this is true then the NSA got a lot lazier, a lot more efficient, and a lot more effective. In the XX century, the nazis pioneered denouncing your neighbors but this is one better.
      Fixed that for you.

    10. Re:Perfect trojan horse by b4dc0d3r · · Score: 3, Informative

      It's .NET and they ran Dotfuscator over it, so you're going to have to graduate past bovine intelligence on this one.

    11. Re:Perfect trojan horse by b4dc0d3r · · Score: 1

      decaf.exe.config - no disassembly needed.

                              <setting name="NotifyUser" serializeAs="String">
                                      <value>False</value>
                              </setting>
                              <setting name="CustomMessage" serializeAs="String">
                                      <value>Yay!</value>
                              </setting>
                              <setting name="DropperPath" serializeAs="String">
                                      <value>c:\calc.exe</value>
                              </setting>
                              <setting name="LDSPhoneHome" serializeAs="String">
                                      <value>True</value>
                              </setting>
                              <setting name="LDSKillProcs" serializeAs="String">
                                      <value>False</value>
                              </setting>
                              <setting name="LDSDisableNetwork" serializeAs="String">
                                      <value>False</value>
                              </setting>
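The settings fragment quoted in the comment above can be read without running the binary. The following is an added example, not part of the original thread or of DECAF, that parses such a fragment and lists the settings whose names or values merit a closer look. The hint table, the function names and the flattened copy of the fragment are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the six <setting> elements quoted in the comment above,
# as a bare fragment with no enclosing <configuration> element.
SAMPLE_FRAGMENT = r"""
<setting name="NotifyUser" serializeAs="String"><value>False</value></setting>
<setting name="CustomMessage" serializeAs="String"><value>Yay!</value></setting>
<setting name="DropperPath" serializeAs="String"><value>c:\calc.exe</value></setting>
<setting name="LDSPhoneHome" serializeAs="String"><value>True</value></setting>
<setting name="LDSKillProcs" serializeAs="String"><value>False</value></setting>
<setting name="LDSDisableNetwork" serializeAs="String"><value>False</value></setting>
"""

# Assumption: substring -> behaviour hints picked for this example from the
# setting names alone. A name is a lead for the analyst, not proof of behaviour.
NAME_HINTS = {
    "phonehome": "outbound network contact",
    "dropper": "drops or launches another executable",
    "killproc": "terminates processes",
    "disablenetwork": "changes network state",
}
EXECUTABLE_PATH = re.compile(r"\.(exe|dll|bat|cmd|ps1|vbs)$", re.IGNORECASE)


def parse_settings(text):
    """Return {name: value} from a full .config file or a bare fragment."""
    # The file ships with an untrusted binary: refuse DTDs so the parser is
    # never asked to expand entities.
    if re.search(r"<!\s*(DOCTYPE|ENTITY)", text, re.IGNORECASE):
        raise ValueError("DTD/entity declarations are not expected in a .config file")
    # Drop an XML declaration, then wrap, so one code path handles both a
    # complete document and a multi-root fragment.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    root = ET.fromstring("<wrapper>" + body + "</wrapper>")
    settings = {}
    for node in root.iter("setting"):
        name = node.get("name")
        if not name:
            continue
        raw = (node.findtext("value") or "").strip()
        # .NET serializes booleans as the strings "True" / "False".
        if raw.lower() in ("true", "false"):
            settings[name] = raw.lower() == "true"
        else:
            settings[name] = raw
    return settings


def triage(settings):
    """Return (name, value, reason, active) for settings worth reviewing."""
    findings = []
    for name in sorted(settings):
        value = settings[name]
        hints = [hint for key, hint in NAME_HINTS.items() if key in name.lower()]
        is_path = isinstance(value, str) and bool(EXECUTABLE_PATH.search(value))
        if not hints and not is_path:
            continue
        # "active" means switched on, or pointing at something executable.
        active = value is True or is_path
        reason = "; ".join(hints) or "executable path value"
        findings.append((name, value, reason, active))
    return findings


if __name__ == "__main__":
    for name, value, reason, active in triage(parse_settings(SAMPLE_FRAGMENT)):
        state = "ACTIVE  " if active else "inactive"
        print(f"{state} {name} = {value!r}  ({reason})")
```

A setting that shows up as active here is a reason to watch for the matching behaviour in an isolated run, not evidence that the behaviour exists.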

    12. Re:Perfect trojan horse by rdnetto · · Score: 1

      I once tried to decompile an obfuscated .NET app. It's definitely possible to figure it out, since all the calls to the CLI, etc. are the same, but it can be pretty tricky when every function and class name looks like a GUID.
      But if you have the time, it's definitely possible to deconstruct it.

      EDIT: I just downloaded it and took a look at the code in Reflector. It seems pretty simple (only 5 classes and the settings namespace isn't obfuscated). Anyone familiar with .NET with about an hour of free time and the motivation to do so could easily decompile it, in spite of the obfuscation (or perhaps because of the challenge it poses :).

      --
      Most human behaviour can be explained in terms of identity.
    13. Re:Perfect trojan horse by RobertM1968 · · Score: 1

      DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.

      Haha, that'd be the perfect trojan horse. Have people with (illicit) things to hide run a program that claims to prevent them from being caught, all the while this program is just reporting them. And even if they post code, they could just post any old source code and claim it was used to generate the executable.

      Your distrust in Microsoft is totally unwarran....

      Oh, never mind... I can't even type that with a straight face... ;-)

  3. no source? it's a trap! by FunkyRider · · Score: 1, Interesting

    Maybe DECAF is a double agent blocking COFEE and collecting its own things in the inventor's interest. It's a trap!

    --
    just wonder why there are so many anonymous cowards in this world....
    1. Re:no source? it's a trap! by Yvan256 · · Score: 1

      No, that's XPRESO.

    2. Re:no source? it's a trap! by ozmanjusri · · Score: 2, Funny

      Slow down, stop blowin' the froth and chill a little.

      That's right, it's a frappe!

      --
      "I've got more toys than Teruhisa Kitahara."
  4. Microsue by GuNgA-DiN · · Score: 3, Funny

    Oh Microsoft.... is there *anything* that can't be handled by a lawsuit?

    1. Re:Microsue by Anonymous Coward · · Score: 0

      BSOD

  5. The Site... by JBG667 · · Score: 5, Informative
    --
    There are 10 kinds of people in the world > > Those who understand binary and those who don't
    1. Re:The Site... by Anonymous Coward · · Score: 1, Funny

      What's next?

      Decaf2000?
      DecafXP?
      DecafVista?
      Decaf7?

    2. Re:The Site... by Yetihehe · · Score: 1

      KDE Mokka.

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
    3. Re:The Site... by Anonymous Coward · · Score: 0

      Shouldn't that be Koffee. To Komplement Koffice?

    4. Re:The Site... by MathiasRav · · Score: 1

      Name of the debugging add-on? "dkaf".

    5. Re:The Site... by solosaint · · Score: 1

      i'm stealing this signature...

  6. So let me get this straight... by publiclurker · · Score: 5, Insightful

    I have incriminating information on my computer so I'm supposed to download and run some closed-source software from people who now know I have this information, and it will make my problems go away. Right.....

    1. Re:So let me get this straight... by Bios_Hakr · · Score: 3, Informative

      So, set up a VM and then port it through WireShark. It shouldn't be too hard to figure out if it's communicating with some central server.

      --
      I'd rather you do it wrong, than for me to have to do it at all.
    2. Re:So let me get this straight... by Anonymous Coward · · Score: 0

      You shouldn't be running closed source software on computers you keep private information.

    3. Re:So let me get this straight... by Anonymous Coward · · Score: 5, Funny

      Linux: optimized for child porn!

    4. Re:So let me get this straight... by sheph · · Score: 2

      Sorry I'm lost. How did you come to that astute conclusion?

      --
      I don't believe in karma, I just call it like I see it.
    5. Re:So let me get this straight... by shird · · Score: 1

      Communicating to some central server when you run it at least. If it stores the data and sends it on a different date you wouldn't know too easily.

      Besides, it may be doing something other than sending off your data, e.g. encrypting it and ransoming you for the key to decrypt it.

      --
      I.O.U One Sig.
    6. Re:So let me get this straight... by pitchpipe · · Score: 1

      pitchpipe's inverse to Anonymous Coward's conditional: You shouldn't be running open source software on computers you keep public information. Oh, wait a minute!...

      --
      Look where all this talking got us, baby.
    7. Re:So let me get this straight... by Syberghost · · Score: 1

      Yeah, because it's not possible for programs to detect they're running in a VM...

    8. Re:So let me get this straight... by Slashdot+Suxxors · · Score: 1

      The parent made a joke in reference to the GP's post. It's a joke! God damn, just laugh! It was funny!

    9. Re:So let me get this straight... by Anonymous Coward · · Score: 0

      Okay then - run it on a normal machine and run Wireshark on its router.

    10. Re:So let me get this straight... by Gerzel · · Score: 1

      For your private information it is too late. Your info is already on closed source and quite probably badly maintained/secured computers.

    11. Re:So let me get this straight... by MrNaz · · Score: 1

      How did you come to that astute conclusion?

      Well you see it's like this. The OP made a statement that was a tad too broad and could be misconstrued if more than was intended was read into it. When you take a situation like that, then you add in the conversational construct known as "humor" then you arrive at one of those so-called "jokes". This "joke" is intended to result in a reflex reaction in the reader, consisting of successive, rapid contractions of the diaphragm, often accompanied by a facial expression resembling a smile, but more exaggerated and with a more open esophageal passage. Usually, a sound is produced as well, which is referred to colloquially as "laughter".

      I hope that clears it up.

      --
      I hate printers.
    12. Re:So let me get this straight... by GameboyRMH · · Score: 2, Interesting

      What if someone actually wanted to secure a VM with this app?

      I assume a program could detect if it's running in a VM by checking hardware and matching it with known VM configurations?

      But anyone who's really serious about security shouldn't be running Windows anyways, even with full-disk encryption. What I'm interested in is seeing how COFEE presumably executes with admin privileges on a locked Windows PC with no user input - the technique could be used to make a "super switchblade," especially if it can run on Vista/7 which aren't as vulnerable to these attacks. I'd imagine COFEE uses some secret backdoor.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    13. Re:So let me get this straight... by Anonymous Coward · · Score: 0

      Run it on a real windows box connected to a hub and another PC with wireshark but not connected to the internet. If it tries to connect to something, put a third box (or a VM on the 2nd pc) and assign it whatever name/IP it is trying to connect to. VIOLA

    14. Re:So let me get this straight... by rdnetto · · Score: 1

      That seems like overkill, plus you won't know if it's installing a trojan that activates later. If you're familiar with .NET just open it up in Reflector - even though it's obfuscated, any use of the .NET libraries like System.Net.Sockets will be in plain text.

      --
      Most human behaviour can be explained in terms of identity.
  7. Disable autorun, lock your computer by OverlordQ · · Score: 4, Informative

    AFAIK, if your computer is locked COFEE relies on autorun to work, so disabling autorun and locking your computer will pretty much thwart COFEE, since it would somehow require bypassing MS's supplied GINA dll, which, given it's Microsoft, they might know how to do, but I would find it highly unlikely.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Disable autorun, lock your computer by shacky003 · · Score: 1

      I seriously doubt a forensics tool created by the same developers that created what it tries to break into, is going to rely on autorun to get things started.. Even if that is the case, it's not exactly hard to obtain a password removal tool out in the wild to get rid of the "lock your computer"..(ie: linux live cd's that run scripts to kill saved winxp/vista/win7 account passwords) I've had one in particular for years that I use when someone calls me to say "how do I get into my box when I can't remember the password"

    2. Re:Disable autorun, lock your computer by Anonymous Coward · · Score: 0

      Either that, or install Linux ;)

    3. Re:Disable autorun, lock your computer by phantomcircuit · · Score: 1

      COFEE is designed to circumvent on disk encryption. To do this it gets the keys from the running system. So it is actually perfectly reasonable that they used autorun given that it runs stuff even when the screen is locked.

    4. Re:Disable autorun, lock your computer by MaximKat · · Score: 2, Interesting

      So it is actually perfectly reasonable that they used autorun given that it runs stuff even when the screen is locked.

      Yeah, it does... in Windows 95.

    5. Re:Disable autorun, lock your computer by JWSmythe · · Score: 1

      Read the instructions. It works with autorun, but if autorun is disabled you're supposed to use the file manager to browse to the USB device and execute it.

      If you really read into the COFEE instructions, you'd see it doesn't give too much up. Well, it says a lot, but not about 3rd party software. It mostly gives standard MS stuff from the registry. Decrypted login passwords, what's set to run at boot time, etc. It would be a good forensic tool for cleaning up after a break in though, which may be more of what it is intended for.

      Now, if someone were using a P2P client to download kiddie porn, or a 3rd party mail client to talk to their underage smut peddling friends, it would be worthless. COFEE is very primitive to say the least. It's a start, and I'm sure by version 7 it could be something to worry about. Well, not for me. I don't have any smut peddling friends, and I don't have anything remotely smutty.

      I suppose for the lesser educated people who would use the same password for their Windows login as their webmail account, it could be hazardous to their freedoms. I still don't like the idea of people snooping around my computer. Even though I have nothing to hide, I don't like the idea of giving up my privacy.

      --
      Serious? Seriousness is well above my pay grade.
    6. Re:Disable autorun, lock your computer by jonaskoelker · · Score: 1

      $ apt-cache search GINA dll
      $

      Dammit, now I can't check out COFEE :(

    7. Re:Disable autorun, lock your computer by OverlordQ · · Score: 1

      but if autorun is disabled you're supposed to use the file manager to browse to the USB device and execute it.

      That is why I said lock the computer, then they can't get to the file manager.

      --
      Your hair look like poop, Bob! - Wanker.
    8. Re:Disable autorun, lock your computer by GameboyRMH · · Score: 1

      +1 I posted on this further up. The "Autorun with screen locked" vulnerability is ancient history, and in Vista/7, Autorun requires user input. (and then the app would need admin privileges to do anything meaningful, spawning a UAC prompt, which again requires user input, and is designed to prevent inputs from being spoofed). There must be some secret backdoor in use.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    9. Re:Disable autorun, lock your computer by MaximKat · · Score: 1

      Who said that it works on locked computers anyway? I couldn't find any supporting info

  8. Not open source by markdavis · · Score: 1

    >The article notes that DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.

    And most people running MS-Windows know for sure what THAT will do to their computers?

    Does seem odd, though, that DECAF would not be open so people (in the know) would trust it and could learn from it. Oh well.

  9. This is the best idea they've come up with yet... by robot256 · · Score: 4, Insightful

    ...to distribute rootkits and create botnets. Even better than those "Free Antivirus Software" downloads.

    Seriously, is anybody going to trust something like this without the source? Somebody intelligent enough not to open unsolicited email attachments, at any rate.

    (And yes, I realize there might be "legitimate" reasons for keeping the source out of law enforcement's hands, but frankly [at risk of trolling] I would rather be spied on by the government than identity thieves.)

  10. Q: does COFEE run on Linux? by alexmin · · Score: 0, Redundant

    No? GOOD

  11. Meh... by Nabeel_co · · Score: 1

    I think I'll just stick to Pepsi

  12. Arguments by Demonantis · · Score: 5, Insightful

    I realize a large number of people won't trust it because it's not open source. I can see the author's viewpoint though of not wanting Microsoft to turn around and make a patch against it. If you don't want it don't run it, but if it is a trojan a firewall can easily defeat that. If it is a virus word will spread and people will avoid it. It is like the Antivirus 2009 programs, other than being blatantly obvious viruses, don't work anymore because people know they are bad.

    1. Re:Arguments by JonJ · · Score: 2, Insightful

      I can see the author's viewpoint though of not wanting Microsoft to turn around and make a patch against it.

      One would think that Microsoft has little to no problems doing this without the source.

      --
      -- Linux user #369862
    2. Re:Arguments by henrik.falk · · Score: 1

      Microsoft already knows what they need to patch, seeing as they know what source code they leaked.

    3. Re:Arguments by GameboyRMH · · Score: 1

      Not having the source will act as a speedbump, at the least...although if DECAF can totally block whatever hidden backdoor COFEE is exploiting and prevent it from executing in the first place, there would be no advantage to hiding the source. From what I've read DECAF is security by obscurity at this stage - weak security but better than nothing.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    4. Re:Arguments by Java+Pimp · · Score: 1

      I just did a Google search to see if anyone has reported it to be a virus and found nothing. It's probably safe.

      I'm installing it now. I'll let you know what hap

      --
      Ascalante: Your bride is over 3,000 years old.
      Kull: She told me she was 19!
    5. Re:Arguments by rdnetto · · Score: 1

      I can see the author's viewpoint though of not wanting Microsoft to turn around and make a patch against it.

      One would think that Microsoft has little to no problems doing this without the source.

      It's written in .NET, so even though it's obfuscated it's not that hard to reverse engineer it using Reflector. If I (a teenager who only dabbles in coding) could reverse engineer it in a few hours*, I have little doubt that some MS employee who is being paid to do so could figure it out in under a week.

      *I have not reverse engineered it, but I have looked at the source, so I can say that it really isn't that complex.

      --
      Most human behaviour can be explained in terms of identity.
  13. Perhaps there is more here than meets the eye. by Old+Flatulent+1 · · Score: 1

    Could be that Microsoft is also really concerned about Cofee accessing protected encrypted files that would allow hackers to pirate legitimate copies of Windows if the device identity encoding within WGA is cracked! I am afraid someone might have just let the horse out of the barn through a Windows backdoor. The heads are about to roll in Redmond again!

  14. Confused? by BountyX · · Score: 1, Redundant

    I'm a little confused, what exactly is the point of DECAF? Wouldn't encrypting your hard drive be more effective?

    --
    Trying to install linux on my microwave, but keep getting a kernel panic...
    1. Re:Confused? by Monkeedude1212 · · Score: 2, Funny

      Cofee attempts to decrypt your drive.

  15. Or... by Anonymous Coward · · Score: 0

    It could be that they are intending to sell it as a product in a future release.

  16. You're missing the point of COFEE by Anonymous Coward · · Score: 1, Interesting

    The point of COFEE is to grab things that would be lost when the computer is shut down (passwords stored in ram, temporary files, etc) before they pull the plug and take it back to headquarters.

    (Pull the plug, not just tell it to shut down, because it may have a shutdown process in place to wipe evidence.)

    And yes, you could use linux live CDs to remove passwords, but that involves changing what is on the disk, thereby ruining it as evidence. There are strict procedures in place to prevent the evidence from being corrupted. (ie: drive is duplicated, and then only the copy of the original drive is worked on...)

    1. Re:You're missing the point of COFEE by Anonymous Coward · · Score: 1, Informative

      I'm sure more competent forensics people don't pull the plug. Instead they would keep the machine up and running and capture it in that state, using clips to keep it fed the voltage as it gets loaded onto a vehicle and until it gets to the forensics area. There, you use a PCI or IEEE 1394 card to dump the box's RAM.

      Then, the hard disk gets imaged via a hardware write blocker (very important), the decryption keys in RAM used to decrypt the image of the HDD, and the search for whatever stuff (after ACTA, any music files that don't have DRM most likely because of the guilty until proven innocent provisions) begins.

    2. Re:You're missing the point of COFEE by Anonymous Coward · · Score: 1, Informative

      You are basically right.

      COFEE was not created for forensics people at all but instead for LEA guys. It was created to be used by ordinary police officers who might encounter a suspicious PC in a live situation. It would be dramatically better if that officer used that COFEE stick on a live PC, before he pulled the plug instead of just pulling the plug and carrying the PC away without saving any volatile information.

      Imaging RAM through firewire is pretty uncommon, although possible. Usually, an ordinary Linux CD/DVD is used by forensics people, together with "dd" and "nc" to acquire the RAM image and stream it over the network. That way you have the least impact on the live system. Firewire is really cool when you encounter a locked Windows PC, forensically speaking, because that way you can copy the RAM without having to unlock the PC, but I doubt that this is actually done often, if ever.

      Disclaimer: posting as AC as to not undo my moderation.

  17. Just wait!!! by Monkeedude1212 · · Score: 4, Funny

    Soon I'll Release my Beta version of FRENCH VANILA

    (Forensic Reducing Emulator Named Coherantly and Handsomely for Very Awesome Naughty and Illicit Activities)

    1. Re:Just wait!!! by Anonymous Coward · · Score: 0

      did no one else notice that Illicit != i & L, just the i.

      maybe
      (Forensic Reducing Emulator Named Coherantly and Handsomely for Very Awesome Naughty, Illicit, and Lawless Activities)

    2. Re:Just wait!!! by MoeDumb · · Score: 0

      Did no one notice that vanilla has two L's? And coherently was misspelled?

      Which finally brings us to: Forensic Reducing Emulator Named Coherently and Handsomely for Very Awesome Naughty, Illicit, Lawless and Lascivious Activities.

      My work is done.

      --
      Mod Me Up. You'll make a grown man cry.
  18. Best DECAF is.... by cigawoot · · Score: 1

    Linux! ammite?

    1. Re:Best DECAF is.... by Anonymous Coward · · Score: 0

      but my linux box has Kaffeine!

  19. Wait, what--? by girlintraining · · Score: 3, Insightful

    ...so you aren't really going to know for sure what it will do to your computer.

    You're saying you don't know how to run a debugger in a VM session? or registry and file monitoring utilities? I get that analyzing machine code may be a bit of a lost art, but if you have the binary file you have everything you need to figure out what it does -- eventually. Someone will reverse-engineer it. In fact, I rather expect the authors knew this when they released it.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Wait, what--? by rdnetto · · Score: 1

      if you have the binary file you have everything you need to figure out what it does

      It's even better than that. .NET EXEs actually contain MSIL (a type of intermediate language) and are easily decompiled into the original source code (or something resembling it). DECAF has been obfuscated (all the variable/function/class names changed to meaningless letters), but it's simple enough that you could figure it out in under an hour, if you're familiar with .NET, especially since system libraries (e.g. System.Net.Sockets) will be referenced in plain text.

      --
      Most human behaviour can be explained in terms of identity.
  20. simple tools by KevMar · · Score: 1

    There is so much more COFEE should have done. It looks like it takes a look at your current running state. It grabs network connections you have open, running processes, and user account names that are logged in. Things that get lost when you power a computer off. The autorun is just to make it simple for the user. I don't expect this is the only tool run. I expect it is a quick snapshot before you pull the plug.

    Microsoft did take care to get the correct versions of the tools for each OS. You know how you can take some utils from XP and run on 2000 or Windows 7. This collection of tools looked like they should be able to run on any version. But for whatever reason they had a version of netstat for every Microsoft OS. My only reasoning for them to do it is for how it would stand up in the court room. It could be argued that using the XP version on the Vista machine could have given invalid results because it was not meant to be run on Vista.

    I have not looked at DECAF yet. But a simple root kit is all you need to defend this off. Hide running processes and network connections. Or better yet, stop breaking the law.

    --
    Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
    1. Re:simple tools by Anonymous Coward · · Score: 0

      What if you don't realize you're breaking the law? I'm not talking about in obvious cases where there is something highly illegal going on and you are aware of it. I cannot find the story (anyone wanna help?) but I remember a story posted here a few months ago that talked about a man who clicked on this very blurry, tiny thumbnail which happened to be posted by the FBI in an attempt to flesh out pedophiles. Apparently it was a very tiny blurry thumbnail of child porn and the man arrested had no idea he was breaking the law. When do you separate innocent victims from people who are intentionally breaking the law? In the case of COFEE there is nothing to distinguish such a thing. Hell, the American legal system refuses to distinguish innocent victims from intentional predators when it comes to things like possession of child pornography. I agree with what the others have said here: I may not be doing anything illegal (at least as far as I know) but I still don't want someone going through my files. I value my privacy, and you should value yours as well.

    2. Re:simple tools by Anonymous Coward · · Score: 0

      And what about unjust laws?

  21. How about.... by Anonymous Coward · · Score: 0

    Get a mac?

  22. I am confused. by TexasTroy · · Score: 2, Insightful

    Someone please explain. How is Windows secure (no pun intended) if Microsoft can release a tool, or script, which can get information from a password or encrypted system? Surely this cannot be an exploit to a backdoor. Does the use of COFEE require a user to already be logged in for it to work? Seriously. If this is the case, what keeps an evil-doer from using the tool to get into any window system they want and do whatever they want? If the tool has been leaked, then there is plausible deniability regarding any type of evidence on any windows box. Even if it were not leaked, this is proof that the windows platform is inherently insecure because there is a built-in method for bypassing its security features. Someone knowledgeable care to enlighten the uninformed?

    1. Re:I am confused. by Archangel+Michael · · Score: 1

      No, you're not confused.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:I am confused. by daveime · · Score: 1

      Umm, because the password used to encrypt the data is on the SAME PC ?

      Or to use a car analogy, the things inside a locked car are safe, unless you leave the keys in the lock.

  23. Where are the by Anonymous Coward · · Score: 0

    .. about DECAF and COFEE?

  24. hmmm by Anonymous Coward · · Score: 0

    this thing tries to access dns on startup and crashes if not allowed

    seems suspicious to me

    1. Re:hmmm by daveime · · Score: 1

      Half of the services on Windows try to access DNS. Even mundane stuff you wouldn't think of like Print Spoolers etc ... it's for network exploration, to see what's connected to your network, mostly (in little-girl-from-Aliens-voice).

  25. Multiple Mod Categories by TangoMargarine · · Score: 0, Redundant

    +1 Funny, -1 Troll, +1 WTF

    IMO there are three kinds of funny: Funny as in joke funny, dry funny (e.g., sarcasm, dramatic irony), and "what the heck, where did that come from?" funny.

    --
    Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    1. Re:Multiple Mod Categories by mqduck · · Score: 1

      "what the heck, where did that come from?" funny.

      Now known on the Internet as "LOL SO RANDOM".

      --
      Property is theft.
  26. Re:LiveCD by ZeroExistenZ · · Score: 3, Funny

    were I living in a communist country like China, i'd use a linux livecd with no attached hard drive.

    I first encrypted all my temporary data, encrypted everything in cache, it was a sweet algorithm. But I figured that wasn't enough, an onion-rings didn't help either. (I tried, I failed.)

    So then I decided to use my PC without keyboard, so they couldn't log my keystrokes or via processing the audio for my keystrokes discover what I was typing. From there up, everything was a success, I could later remove my monitor so no one could see what I was doing and I could just imagine keyboard input on my PC.

    I wasn't ever so productive and most of all SECURE.

    Soon enough, I felt my mouse movements could also be secured by removing my mouse. Once I mastered this way of working, they suggested I also could work without turning on my PC, as they could measure my work by reading radiation from my CPU "if they really would be wanting to read my work", just tossing out my HD wasn't sufficient. So, right now, I'm 100% secure, sitting at my desk, imagining my work.

    I did read something about mindreading, but I think that's just FUD.

    --
    I think we can keep recursing like this until someone returns 1
  27. And what does the COFEE generated data prove? by fluch · · Score: 1

    Seriously, what does COFEE generated data prove? If my computer would run XP and for some reason some official would want to plug a USB stick with the label "COFEE" into it, then whatever data they claim to find I could deny easily that it was mine. After all, on the USB stick there could have been ANY program which plants ANY data on the computer it was plugged into!

    As far as I know, part of proper computer forensics work is to first (!) duplicate the hard drive in question, then generate a checksum for both drives (which of course should be the same), and lock away one of the drives to a separate place such that one can prove later on that nobody has changed the original hard drive and that the gathered data is authentic!

    But this COFEE is just pathetic!

    1. Re:And what does the COFEE generated data prove? by Matey-O · · Score: 1

      It proves you don't know much about computer forensics, that's for sure.

      --
      "Draco dormiens nunquam titillandus."
    2. Re:And what does the COFEE generated data prove? by GameboyRMH · · Score: 1

      I think the GP has a point regarding the planting of evidence. Unless the COFEE app(s) that ran on the suspect machine can be verified to have been built from known good source, there is a potential for planted evidence. Faking timestamps and even self-wiping the part of the app that does the planting after the fact is quite possible. Am I missing something?

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
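
The duplicate-then-checksum step described in comment 27 above, as an added example that is not part of any poster's comment: it images a constructed stand-in "drive", records the digest, and shows that a one-byte change to the working copy is detected while the sealed original still verifies. SHA-256, the file names and the record layout are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so large images never sit in RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source_path, image_path):
    """Copy source to image, hashing the bytes as they are read from the
    source, then re-read the written image from disk and hash it again."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    source_digest = h.hexdigest()
    image_digest = sha256_file(image_path)
    return {
        "source_sha256": source_digest,
        "image_sha256": image_digest,
        "bytes": os.path.getsize(image_path),
        "match": hmac.compare_digest(source_digest, image_digest),
    }


def verify(path, record):
    """True only if the file still hashes to the digest recorded at acquisition."""
    return hmac.compare_digest(sha256_file(path), record["source_sha256"])


def flip_byte(path, offset):
    """Simulate a single-byte alteration of a working copy."""
    with open(path, "r+b") as f:
        f.seek(offset)
        original = f.read(1)
        f.seek(offset)
        f.write(bytes([original[0] ^ 0xFF]))


def demo():
    # Constructed sample data standing in for a seized drive (about 2.6 MB,
    # so it spans several chunks). Paths are hypothetical temp files.
    drive_bytes = b"constructed sample sector " * 100_000
    with tempfile.TemporaryDirectory() as d:
        sealed = os.path.join(d, "sealed_original.img")
        working = os.path.join(d, "working_copy.img")
        with open(sealed, "wb") as f:
            f.write(drive_bytes)

        record = acquire(sealed, working)
        ok_before = verify(working, record)

        flip_byte(working, 1_500_000)      # change one byte in the copy
        ok_after = verify(working, record)

        return {
            "record": record,
            "acquired_match": record["match"],
            "working_copy_ok_before": ok_before,
            "working_copy_ok_after_change": ok_after,
            "sealed_original_ok": verify(sealed, record),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
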
  28. Arrested Development Makes My Banana Stand by Anonymous Coward · · Score: 0

    Arrested Development Makes My Banana Stand

  29. It was forseen! by Thoggins · · Score: 1

    Slashdot users proved prophets for the nth time over: http://tech.slashdot.org/comments.pl?sid=1435688&cid=30021576

    1. Re:It was forseen! by robot256 · · Score: 1

      Who's to say that AC wasn't actually involved writing it at the time? :D

    2. Re:It was forseen! by Anonymous Coward · · Score: 0

      Who's to say that AC wasn't actually involved writing it at the time? :D

      Are you insinuating, however subtly, that I am calling myself a prophet after posting anonymously while working on a secret anti-MS project?

      If only I were *that* cool.

    3. Re:It was forseen! by Thoggins · · Score: 1

      Stop that man! He has stolen my identity!

  30. DECAF is not open source by Anonymous Coward · · Score: 0

    DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.

    Oh yay! I cannot wait to install some unknown software on my computer that promises it will detect and block other unknown software.

  31. No thanks... by NastyGnat · · Score: 1

    I'll stick with my SODAS (Some Other Data Archival System). It runs on Linux and doesn't like COFFEE or DECAF.

    --
    -- this space for rent --
  32. COFEE? DECAF? Pointless. by Anonymous Coward · · Score: 0

    My 2 cents:

    If someone has physical access to your machine, you're likely going to be boned. I tried COFEE, it's nothing special. It's not a secret elite tool. If you are knowledgeable enough to secure things so that physical access to your machine doesn't matter, there is nothing that COFEE can do to you.

    All the hype around this is not generated by anyone in info. sec. It's typical "scary" media coverage.

  33. Easy fix for live-moving by GameboyRMH · · Score: 1

    You could use an accelerometer or a ball-and-cup arrangement similar to a seat belt locking mechanism (very sensitive, especially on newer cars. It locks the seat belt reel if the ball isn't exactly centered) to trigger a computer to shut down or reset if moved. If it's inside the PC and looks pretty normal I doubt the cops would notice, even if they opened the PC (which they probably wouldn't since they could trip a case intrusion switch...sawing through the case in a known safe area would be their only option).

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:Easy fix for live-moving by Just+Some+Guy · · Score: 1

      You could use an accelerometer or a ball-and-cup arrangement similar to a seat belt locking mechanism (very sensitive, especially on newer cars.

      Or the status of the USB cable plugged into the huge laser printer next to your desk, or whether eth0 is up, or by using the built-in GPS (if there is one) or the external GPS (labeled "TIME") to establish plausible deniability.

      Honestly, there are about a million things you could check to have a good idea that your computer isn't being moved.

      --
      Dewey, what part of this looks like authorities should be involved?
  34. Please... by GameboyRMH · · Score: 1

    WGA's been cracked six ways from Sunday. The issue is Microsoft's server-side validation - illegitimate copies can't get updates. This is why MS goes apeshit on unauthorized patch distribution.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:Please... by Old+Flatulent+1 · · Score: 1

      WGA's been cracked six ways from Sunday. The issue is Microsoft's server-side validation - illegitimate copies can't get updates. This is why MS goes apeshit on unauthorized patch distribution.

      I agree and this is the reason why there are still umpteen gazillion users with IE6 and windozeXP. The point is that perhaps the server side validation has also been cracked! I seem to remember a bunch of copies of XP that showed up in Taiwan that could do IE7 updates recently. If I remember correctly the site that issued the certified update proved to be a malware site that managed to hose a great many illegitimate copies of windows that were being sold in Asia.

  35. Re:This is the best idea they've come up with yet. by NevarMore · · Score: 1

    When was the last time you read the source of an application to audit it?

  36. WINNAR! by GameboyRMH · · Score: 1

    there is a built-in method for bypassing its security features

    Ding ding ding ding ding!

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  37. Re:Perfect trojan GNU? by Errol+backfiring · · Score: 1

    Well, yes, it isn't called GNU/Linux for nothing...

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  38. But... by flyneye · · Score: 1

    I'm also fed up with Rage's "Let's venerate burglars who murder old people" misguided lyrics and their "let's make socialism acceptable so we can sell lots of Che T-Shirts at Hot Topic" attitude along with the guitarist's "lack of technical expertise on a Whammy pedal, rendering it a misused, overused cliche for those of us who use it seriously."
    So maybe we should buy someone who isn't prepackaged industry approved rock and roll rebellion.
    Or better yet quit worrying about who's on top of the industry charts, because it doesn't matter anyway.
    Some other industry baby just as bad as Welcome to the Machine or Anonymous Cowell.

    --
    *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
  39. OT: Aaaaaagh! by thePowerOfGrayskull · · Score: 1

    Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.

    Head... exploding... you evil.. bastard...

  40. COFEE by Anonymous Coward · · Score: 0

    What's the COFEE without the donuts?

  41. Re:LiveCD by Anonymous Coward · · Score: 0

    > I did read something about mindreading, but I think that's just FUD.

    That's what the tinfoil hat is for.

  42. Re:This is the best idea they've come up with yet. by Hurricane78 · · Score: 1

    And yes, I realize there might be “legitimate” reasons for keeping the source out of law enforcement’s hands [...]

    WTH? Machine code IS source code! Just in another language that is a tiny bit harder to read (assisted by tools). So there really is no real point in hiding the source code. Everybody who wants to look at what it does, can still do that.
    How else would the CPU know what to do with it?

    It’s sad, when even on Slashdot, people think that “closed” source would be any more than security through obscurity theater.

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  43. You don't understand! The cat *is* out of the bag! by AftanGustur · · Score: 1

    People, you don't understand what this means!!

    This marks an end of an era! Up until now investigators could be pretty comfortable assuming that their forensics analysis were giving off accurate data about the use and activity of the computer. Tools to analyse file, network and disk access are based on the assumption that the metadata has not been tampered with.

    It is enough that you download and run this program every now and then to render every analysis of your computer pretty meaningless as evidence. Soon someone will write an open source program that runs as a service to tinker with your metadata just a little bit every other day or so, and that will set back forensics analysis quite a few years, and make everything so much harder.

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  44. DECAF? by piemcfly · · Score: 1

    I can't wait for the 'LATTE MOCHA' fork.

  45. And nothing of value was lost by barnyjr · · Score: 1

    *Yawn*

    Those of us in the computer forensics business don't use COFEE for real cases anyway. It's barely useful as a quick analysis tool for something you don't need to worry about presenting in court (thus completely nullifying the term forensics when talking about it).

    Not surprised at all the typical slashdot anti-law enforcement rhetoric in here... especially all of the "innocent people will be saved!" statements. But I *am* a bit surprised that some of the commenters have said what they have. Do this many people really not want truly guilty people caught and prosecuted?

    1. Re:And nothing of value was lost by PhxBlue · · Score: 1

      Not surprised at all the typical slashdot anti-law enforcement rhetoric in here... especially all of the "innocent people will be saved!" statements. But I *am* a bit surprised that some of the commenters have said what they have. Do this many people really not want truly guilty people caught and prosecuted?

      I suspect your average Slashdotter is more concerned with the Fourth Amendment rights that prosecutors as a whole like to ignore when they're trying to build a case against someone who's alleged to have committed a crime.

      --
      !#@%*)anks for hanging up the phone, dear.
    2. Re:And nothing of value was lost by barnyjr · · Score: 1

      And what is your basis for the statement that "prosecutors as a whole like to ignore" the 4th Amendment? I have worked with prosecutors on a daily basis for the last 11 years and have never ONCE seen them violate the 4th Amendment or encourage it to be done. I *have* seen it happen on the street, however. Either way, that has nothing to do with this. This is talking about a device that is used to gather incriminating information on a Windows-based computer. If that information is obtained in violation of the 4th Amendment, it's going to be thrown out in court regardless of the method used to obtain it.

      I guess I shouldn't be surprised about what people claim that they know when they have no first-hand knowledge of how things really work. Instead they rely on vague generalities that "this stuff happens all the time" without being able to point to a specific example.

    3. Re:And nothing of value was lost by vivaelamor · · Score: 1

      Do this many people really not want truly guilty people caught and prosecuted?

      Guilty of what and at the expense of what? Could you cite specific examples, as you seem so eager to chastise others for failing to provide?

      I don't want people truly guilty of possessing marijuana to be caught and prosecuted. I don't want people truly guilty of indulging in whimsical fantasies involving fictional characters to be caught and prosecuted. I don't want people truly guilty of copyright infringement to be caught and prosecuted. Had this been some years ago I would not have wanted people truly guilty of being gay to be caught and prosecuted. I do not want people truly guilty of sexting to be caught and prosecuted. I do not want people truly guilty of being mistaken for a terrorist to be shot on the London Underground. I do not want people truly guilty of possessing a knife to be caught and prosecuted. I do not want people truly guilty of breast feeding to be caught and prosecuted. I do not want people truly guilty of disobeying school authorities to be caught and prosecuted.

      Aside from that, I'd rather rot in prison than have some moron telling me that my privacy is less important than their fishing expedition for child pornography or bomb making recipes. Note from that article a detective is quoted as saying "Unless you tell us we're never gonna know... What is anybody gonna think?". I'd rather be water-boarded than cooperate with that sort of pond life. If a detective wants me to cooperate then they will need a better reason than 'we hope you're guilty of something, let us pry into your private life or we will presume the worse'.

      If you haven't guessed, I'm not by definition a 'law-abiding' citizen. Were laws in perfect alignment with my principles then I would still only be law abiding by circumstance, not choice. I'd feel much safer around a person who doesn't try to kill me because they choose not to than someone who is just abiding by the law. So, here's me. Sticking it to the man. And proud of it. With long hair. But not a hippy.

    4. Re:And nothing of value was lost by jafiwam · · Score: 1

      For 8 years running, the entire fucking federal government ignored the 4th amendment, which may very well be continuing. This is not some sort of extra paragraph that has to be stricken from court records. It's rampant, it's all over. FISA means nothing to you? The fact that it is a sufficient way to get wiretaps on the bad guys, but NO! It's not ENOUGH, we need REAL TIME monitoring of EVERYBODY (with AT&T's help).

      You don't see it because you are one of them. Strange, how every cop or wannabe cop is always willing to say "i never seen nobody do nuthin' wrong" and yet there are still lots of abuse by authorities going on. You see things going right because you want to. And like every other shitbag cop, everybody else is automatically wrong, their complaints are invalid, and you are pure.

      So eat a bowl of dick, some of us see through your apologist cop shit.

  46. DECAF youtube video by Anonymous Coward · · Score: 0

    DECAF Developers release youtube vid explaining reasons behind release

    http://www.youtube.com/watch?v=lF-g1Pb1tGM

  47. This is not a conspiracy theory any more.. by Anonymous Coward · · Score: 0

    Ok this is scary... I am visiting Turkey and when I tried to visit the "who we are" link in http://www.decafme.org/ I got a ministry of whatever of the Turkish government telling me that they are breaking some law... This is fucked...

  48. Re:This is the best idea they've come up with yet. by sabt-pestnu · · Score: 1

    Sure, it's security through obscurity.

    And sometimes, security through obscurity works. ... for long enough. Sure, you can disassemble megabytes of machine code. But if it takes man-years to read enough to know what it is doing, you still win if the people reading it take real-years to get practical results.

    It's that you can't really know how much effort people are putting into defeating the obscurity, and how much success they are having until "too late", that makes security through obscurity so unreliable (and thus despised).

  49. Re:This is the best idea they've come up with yet. by robot256 · · Score: 1

    When was the last time you blindly installed a program that performs a loosely-defined set of high-level administrative tasks like deleting files and disabling hardware, and which was developed for the express purpose of deterring law-enforcement? It's one thing to question the motives of a freeware zip program or video editor, but I would never give full control of my OS to a program that could very plausibly be written by the bad guys themselves.

    The counter-argument is of course that they wrote it to protect themselves, not to screw honest people, but there is no guarantee one black-hat won't try to screw another. Granted, the risk of *clones* that are *actual malware* is arguably higher than the original being malware.

    However, it just occurred to me that this could become relevant for a lot more people if the international DMCA takes effect and enforcement against individual downloaders ramps up...

  50. Re:This is the best idea they've come up with yet. by b4dc0d3r · · Score: 1

    It's .NET and they ran Dotfuscator over it, so it's not that simple. At this point it's pretty damned obscure.

  51. Re:This is the best idea they've come up with yet. by rdnetto · · Score: 1

    Even obfuscated, it's only 5 classes (which reference an unobfuscated settings namespace that gives you a little more info). Anyone familiar with .NET with some time on their hands could reverse engineer it.

    --
    Most human behaviour can be explained in terms of identity.
  52. Re:This is the best idea they've come up with yet. by robot256 · · Score: 1

    Which is exactly why Microsoft will be the first one to do so, thus eliminating any point in hiding the source in the first place--besides deceiving potential users.

  53. Game? by idigitallDotCom · · Score: 1

    My gut feel is that Microsoft (or somebody Big) fucked them (the authors of Decaf) in the arse and that's why they killed Decaf.
    If I were a malicious hacker I'd rip decaf's internals out and either continue or repackage it. What kind of whackjob writes something like Decaf AS A LESSON TO THE WORLD. Sounds like one of those villains from Bond movies..

    --
    blog.idigitall.com