Slashdot Mirror


Hackers Counter Microsoft COFEE With Some DECAF

An anonymous reader writes "Two developers have created 'Detect and Eliminate Computer Assisted Forensics' (DECAF). The tool tries to stop Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources. After COFEE was leaked to the Web, Microsoft issued takedown notices to sites hosting the software." The article notes that DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.

31 of 154 comments

  1. DECAF: A welcoming news by ub3r+n3u7r4l1st · · Score: 2, Insightful

    Less innocent people will be going to jail. Less family will be broke up.

    The time has come to rise against the machine.

    1. Re:DECAF: A welcoming news by skine · · Score: 5, Funny

      I prefer to RAGE against the machine.

      BAH-duh BAH BAH-duh BAH DAH-duh.

    2. Re:DECAF: A welcoming news by Anonymous Coward · · Score: 5, Funny

      Coding in the name of!

    3. Re:DECAF: A welcoming news by Anonymous Coward · · Score: 5, Funny

      Fuck you, I won't code what you tell me!

    4. Re:DECAF: A welcoming news by Wrath0fb0b · · Score: 2, Insightful

      Less innocent people will be going to jail. Less family will be broke up. [sic]

      Any particular reason to think innocent people are more likely to use DECAF than the guilty? I fail to see why technical savvy should be correlated with innocence or guilt.

    5. Re:DECAF: A welcoming news by Per+Wigren · · Score: 5, Funny

      Some of those who share sources
      are the same that hate bosses

      --
      My other account has a 3-digit UID.
    6. Re:DECAF: A welcoming news by L4t3r4lu5 · · Score: 2

      Rage Against The Machine - "Killing In The Name" for UK Christmas No.1!

      From the Facebook group: "Fed up of Simon Cowell's latest karaoke act being Christmas No. 1? Me too ... So who's up for a mass-purchase of the track 'KILLING IN THE NAME' from December 13th ... as a protest to the X Factor monotony?"

      I've bought it from iTunes, Amazon, and re-bought the album in my local HMV. Get it done, people.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    7. Re:DECAF: A welcoming news by Rysc · · Score: 2, Informative

      Note that the GP didn't say it will put disproportionally fewer innocent people - only that there will be fewer innocent people.

      Fixed it for you. You and the OP made the same mistake. It's like nails on a chalk board, honestly!

      You can have fewer innocent people or you can have less innocent people, but it means different things. Less innocent people are not as innocent, fewer innocent people are of a smaller number.

      --
      I want my Cowboyneal
    8. Re:DECAF: A welcoming news by camg188 · · Score: 2, Insightful

      Why do you care about popularity ratings? Just listen to what you like. End of problem.

  2. Perfect trojan horse by Anonymous Coward · · Score: 5, Insightful

    DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.

    Haha, that'd be the perfect trojan horse. Have people with (illicit) things to hide run a program that claims to prevent them from being caught, all the while this program is just reporting them. And even if they post code, they could just post any old source code and claim it was used to generate the executable.

    1. Re:Perfect trojan horse by Ihmhi · · Score: 4, Insightful

      And even if they post code, they could just post any old source code and claim it was used to generate the executable.

      Well yeah, until someone who has an I.Q. greater than a water buffalo compiles the source code and finds out that it doesn't match up with the finished DECAF product...

      That's the point of having source code out there in the first place. It can be inspected for everything from your everyday uh-ohs to your big time no-nos.

    2. Re:Perfect trojan horse by Anonymous Coward · · Score: 2, Insightful

      And then some one with a little higher I.Q. takes the time to do something fun like disassemble the executable or hell, use wireshark to capture any network traffic the program might generate to see what it is actually doing.

    3. Re:Perfect trojan horse by b4dc0d3r · · Score: 3, Informative

      It's .NET and they ran Dotfuscator over it, so you're going to have to graduate past bovine intelligence on this one.

  3. Microsue by GuNgA-DiN · · Score: 3, Funny

    Oh Microsoft.... is there *anything* that can't be handled by a lawsuit?

  4. The Site... by JBG667 · · Score: 5, Informative

    --
    There are 10 kinds of people in the world: those who understand binary and those who don't
  5. So let me get this straight... by publiclurker · · Score: 5, Insightful

    I have incriminating information on my computer so I'm supposed to download and run some closed-source software from people who now know I have this information, and it will make my problems go away. Right.....

    1. Re:So let me get this straight... by Bios_Hakr · · Score: 3, Informative

      So, set up a VM and then port it through WireShark. It shouldn't be too hard to figure out if it's communicating with some central server.

      --
      I'd rather you do it wrong, than for me to have to do it at all.
    2. Re:So let me get this straight... by Anonymous Coward · · Score: 5, Funny

      Linux: optimized for child porn!

    3. Re:So let me get this straight... by sheph · · Score: 2

      Sorry I'm lost. How did you come to that astute conclusion?

      --
      I don't believe in karma, I just call it like I see it.
    4. Re:So let me get this straight... by GameboyRMH · · Score: 2, Interesting

      What if someone actually wanted to secure a VM with this app?

      I assume a program could detect if it's running in a VM by checking hardware and matching it with known VM configurations?

      But anyone who's really serious about security shouldn't be running Windows anyways, even with full-disk encryption. What I'm interested in is seeing how COFEE presumably executes with admin privileges on a locked Windows PC with no user input - the technique could be used to make a "super switchblade," especially if it can run on Vista/7 which aren't as vulnerable to these attacks. I'd imagine COFEE uses some secret backdoor.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  6. Disable autorun, lock your computer by OverlordQ · · Score: 4, Informative

    AFAIK, if your computer is locked COFEE relies on autorun to work, so disabling autorun and locking your computer will pretty much thwart COFEE, since it would somehow require bypassing MS's supplied GINA dll, which, given it's Microsoft, they might know how to do, but I would find it highly unlikely.

    --
    Your hair look like poop, Bob! - Wanker.
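
    One way to audit and apply the autorun hardening this post recommends, as an added PowerShell example that is not code from the thread or from either tool; it assumes an elevated session on a Windows host, and the registry paths and value names are the standard Explorer policy keys, not anything taken from the page.

```powershell
# Added example (not from the thread): audit and apply the AutoRun policy
# values the advice above depends on. Assumes a Windows host and an
# elevated PowerShell session.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunPolicy {
    foreach ($path in $policyPaths) {
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive               = $path.Substring(0, 4)
            NoDriveTypeAutoRun = $props.NoDriveTypeAutoRun   # 255 = all drive types
            NoAutorun          = $props.NoAutorun            # 1   = ignore autorun.inf
        }
    }
}

function Set-AutoRunDisabled {
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # 0xFF sets every bit of the drive-type mask, so AutoRun is off for
        # removable, fixed, network, CD-ROM and RAM drives alike.
        Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        # NoAutorun=1 makes Explorer ignore autorun.inf entirely, closing the
        # route a plugged-in drive would use to launch a program on its own.
        Set-ItemProperty -Path $path -Name NoAutorun -Value 1 -Type DWord
    }
}

Get-AutoRunPolicy | Format-Table -AutoSize   # state before the change
Set-AutoRunDisabled
Get-AutoRunPolicy | Format-Table -AutoSize   # expect 255 / 1 in both hives
```

    A domain Group Policy can overwrite these values at the next refresh, so on a managed machine check the effective policy with gpresult rather than trusting the local registry alone.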
    1. Re:Disable autorun, lock your computer by MaximKat · · Score: 2, Interesting

      So it is actually perfectly reasonable that they used autorun given that it runs stuff even when the screen is locked.

      Yeah, it does... in Windows 95.

  7. This is the best idea they've come up with yet... by robot256 · · Score: 4, Insightful

    ...to distribute rootkits and create botnets. Even better than those "Free Antivirus Software" downloads.

    Seriously, is anybody going to trust something like this without the source? Somebody intelligent enough not to open unsolicited email attachments, at any rate.

    (And yes, I realize there might be "legitimate" reasons for keeping the source out of law enforcement's hands, but frankly [at risk of trolling] I would rather be spied on by the government than identity thieves.)

  8. Arguments by Demonantis · · Score: 5, Insightful

    I realize a large number of people won't trust it because it's not open source. I can see the author's viewpoint though of not wanting Microsoft to turn around and make a patch against it. If you don't want it don't run it, but if it is a trojan a firewall can easily defeat that. If it is a virus word will spread and people will avoid it. It is like the Antivirus 2009 programs, other than being blatantly obvious viruses, don't work anymore because people know they are bad.

    1. Re:Arguments by JonJ · · Score: 2, Insightful

      I can see the author's viewpoint though of not wanting Microsoft to turn around and make a patch against it.

      One would think that Microsoft has little to no problems doing this without the source.

      --
      -- Linux user #369862
  9. Re:Confused? by Monkeedude1212 · · Score: 2, Funny

    Cofee attempts to decrypt your drive.

  10. Just wait!!! by Monkeedude1212 · · Score: 4, Funny

    Soon I'll Release my Beta version of FRENCH VANILA

    (Forensic Reducing Emulator Named Coherently and Handsomely for Very Awesome Naughty and Illicit Activities)

  11. Wait, what--? by girlintraining · · Score: 3, Insightful

    ...so you aren't really going to know for sure what it will do to your computer.

    You're saying you don't know how to run a debugger in a VM session? or registry and file monitoring utilities? I get that analyzing machine code may be a bit of a lost art, but if you have the binary file you have everything you need to figure out what it does -- eventually. Someone will reverse-engineer it. In fact, I rather expect the authors knew this when they released it.

    --
    #fuckbeta #iamslashdot #dicemustdie
  12. I am confused. by TexasTroy · · Score: 2, Insightful

    Someone please explain. How is Windows secure (no pun intended) if Microsoft can release a tool, or script, which can get information from a password-protected or encrypted system? Surely this cannot be an exploit of a backdoor. Does the use of COFEE require a user to already be logged in for it to work? Seriously. If this is the case, what keeps an evil-doer from using the tool to get into any Windows system they want and do whatever they want? If the tool has been leaked, then there is plausible deniability regarding any type of evidence on any Windows box. Even if it were not leaked, this is proof that the Windows platform is inherently insecure because there is a built-in method for bypassing its security features. Someone knowledgeable care to enlighten the uninformed?

  13. Re:no source? it's a trap! by ozmanjusri · · Score: 2, Funny

    Slow down, stop blowin' the froth and chill a little.

    That's right, it's a frappe!

    --
    "I've got more toys than Teruhisa Kitahara."
  14. Re:LiveCD by ZeroExistenZ · · Score: 3, Funny

    Were I living in a communist country like China, I'd use a Linux LiveCD with no attached hard drive.

    I first encrypted all my temporary data, encrypted everything in cache, it was a sweet algorithm. But I figured that wasn't enough, an onion-rings didn't help either. (I tried, I failed.)

    So then I decided to use my PC without a keyboard, so they couldn't log my keystrokes or discover what I was typing by processing the audio of my keystrokes. From there on, everything was a success; I could later remove my monitor so no one could see what I was doing and I could just imagine keyboard input on my PC.

    I wasn't ever so productive and most of all SECURE.

    Soon enough, I felt my mouse movements could also be secured by removing my mouse. Once I mastered this way of working, they suggested I could also work without turning on my PC, as they could measure my work by reading radiation from my CPU "if they really would be wanting to read my work"; just tossing out my HD wasn't sufficient. So, right now, I'm 100% secure, sitting at my desk, imagining my work.

    I did read something about mindreading, but I think that's just FUD.

    --
    I think we can keep recursing like this until someone returns 1