Brings up a good point - I have been putting HISTIGNORE="[ ]*" in my bashrc files on my systems, that way anything I don't want saved in the history, I precede with a space. Works great.
Windows caches all types of stuff about filesystems it touches in the registry. Open regedit some time and search for "OpenSaveMRU" and you'll see that pretty much every file you click to open in Windows is in there.
Not that Linux is any better, at least Gnome systems - check out ".nautilus" in your home folder. Same thing going on there with the directory structure, you name it. The first thing I do on a new Ubuntu box is remove ".recently-used.xbel" and create a directory with the same name, and make ".nautilus" owned by root and not world-writable. /tmp is obviously a problem on Unix-type systems as well, along with the swap partition.
Of course if your whole system is encrypted these are not problems, but then you don't exactly have a deniably-encrypted filesystem.
When my kids were younger (5 or so) they liked to play games on Windows like Tonka Power Tools and such - which really were barely designed to run on Windows at all and didn't play all that nice.
But now that they're older and things are moving to the Web, they're past those. I've since decreed that I won't install any more games on our one remaining Windows system. If they want to run games, tell them to save their money and buy a console - you spend way too much money on graphics cards and extra CPU to run games on Windows these days anyway.
I was going to convert our family machine to Ubuntu Hardy when it came out, but unfortunately there's an issue with Flash running on the Firefox beta that causes random browser crashes. As soon as that's taken care of we'll be Windows-free. I can't wait!
If you must stick with Windows, consider looking at Windows SteadyState which can help.
Something tells me you worked at DEC at some point in your career.
I don't think we'll be seeing things like file generation identifiers showing up in the actual filename any time soon - that's pretty primitive. I would like to see snapshotting of the type that's been available on NTFS for quite a while, though, to allow for separate restoration of previous versions and proper backups of open files.
Gosh, without even trying I'm up into the 3+ terabyte range on my home server, and that's just for casual whole-house use for me and my family. An easy 6-7 gigabytes of that alone is a HUGE tree of JPG files for family photos accumulated since I started with digital photography in 1999. Another terabyte is raw video that I've been accumulating that needs to be edited down, just have to get around to it.
So, given those kinds of figures, I think the "common server" could easily start getting there, if not now, surely within the next 10 years. When I get into that kind of storage, I'll want a filesystem that's been around a while and has stood the test of heavy production use. No offense and no jokes here, but I never considered ReiserFS for that reason - I'm not going to trust my data to unproven filesystems.
But to suggest that Windows and Linux "are therefore (very roughly) back on the same playing field" because Windows doesn't (necessarily) have a deliberate backdoor is simply not true. I illustrated quite clearly the difference and the reason they aren't on the same playing field - because Windows security all but requires that users run as local administrators, and because Windows has autorun enabled by default that will run a designated application on any media inserted.
This isn't a "completely random set of circumstances", it's a common scenario, and the scenario that likely allows this tool to steal sensitive information from almost any random Windows machine to which one has physical access.
I'm no rabid Linux fan (though I do like it a lot and use it daily) but if you're not going to be upfront about the plain fact that Linux systems have better security by default that don't allow these scenarios to take place, expect to be called out on it.
I haven't seen anyone else actually thinking about the way this works, so I'll say it:
Think about your Windows machine: do you run as a local admin? Likely. Do you have your CD drive set to allow autorun? Also likely, as that's the default. Certainly most of the systems that will be targeted by this tool will be configured that way.
What exactly else is needed to pull copies of any file on your system? It's game over, even if you're running BitLocker or another full-disk encryption product.
On Linux, however, in the first place, this disk is unlikely to have the proper tools installed. Even if they are installed, Linux supports only limited autorun functionality, if any at all. The user in question also is very unlikely to be running with root privileges - it will almost certainly require a password to read anything like /etc/shadow or other sensitive files.
So if you see "no reason to think the same thing couldn't be done for Linux", then you're either a shill, naive, or not thinking.
Given that a tool like this, even one written for Linux, is unlikely to work without asking the investigated user to enter their root password (which could easily be construed as self-incrimination and lead to the gathered evidence being thrown out), the relevant authorities will likely confiscate the entire system.
Which leads back to drive encryption - unless the system is up and stays up, they'll have a tough time decrypting that data.
Another pet peeve I have on Windows: even if you encrypt the files, guess what? There's this great registry tree called "OpenSaveMRU" that keeps track of the name and location of every file you've opened or saved via standard file dialogs. In the registry, unencrypted. When I do forensics I make damned sure to save off that tree, it has very valuable information.
Ubuntu (Gnome actually) has sort of the same thing in the "Recent Documents" entry under the Places menu. But that's easy to kill - nuke the file ".recently-used.xbel" in your home directory and replace it with a directory of the same name. Not so on Windows, all you can do is use a script to regularly delete the contents of the OpenSaveMRU tree.
Shoot... Nothing but a Linux laptop (or even probably a Mac) would really be needed. I would imagine that 90% plus of the people executing these searches have zero clue about anything other than Windows, and not much of a clue about that either.
Witness the recent problems with getting a MacBook Air through an airport.
For me, it's no problem - everything I don't want stolen or don't want anyone looking at is encrypted and stealthed. They can take copies of it all they want, but they won't be brute-forcing a 60+ character passphrase with punctuation any time soon. The way my systems are set up, unless they get into fdisk they won't even know it's there. In any case, this is not the kind of situation where they'll be making me reveal passphrases at gunpoint - worst case, they'll deny me re-entry and I'll create a stink about it, I would frankly welcome the opportunity.
Back in 1995 I spent a year traveling the world with a carry-on gym bag full of computer tapes upgrading Sequent office servers - I shudder to think what a nightmare that would have been in the current climate.
A nice compromise is what I use: first thing I do when I set up a new Firefox install is "Accept cookies: until I close Firefox" and then put in exceptions for, say, slashdot.org and ubuntuforums.org to "allow". That way, as soon as I close Firefox, all the tracking cookies go away, but my "keep me logged in" cookies stay.
So yes, I'm still being tracked per-session, but not across sessions - except for my nearly-static-IP Comcast connection's IP address, I suppose.
They are getting there, though - I recently put in a new ASA 5540 pair set up for the AnyConnect SSL VPN client, which all of the documentation says "supports Linux". I had a problem getting the client working on Ubuntu, but when I opened up a TAC ticket they got me an early release version that did the trick. The AnyConnect client works well on Ubuntu other than the fact that the installer tries to set the vpnagentd to start up at system start and fails, so you have to start it manually from a command prompt.
Now, Secure Desktop is the next hurdle - when I enable that my client never connects. Have to work through that one as well.
VPNC works well for me too, except for the key rotation part which sucks.
For me, once I've found a job that I like and that is paying me a salary that I feel is fair for the work, all I care about are cost of living raises.
Problem is, over the past several years, companies don't seem to think they have to even keep up with that, while at the same time paying CEO types fat bonuses.
If my salary doesn't keep up with the cost of living, it's costing me money to work at that company, it's that simple - but try explaining that to most of the current crop of idiot HR people.
I don't normally believe much in donating to campaigns, and I'm rather doubtful that I want to see Dodd as our next president... But I did want to send a message to some people, so I sent $25 his way.
Billary and Osama, on the other hand, get bupkiss from me. I'm not impressed. Her Highness the Pre-Crowned is just Repugnican Lite as far as I'm concerned.
And a corollary is, if you're protecting something, make SURE you're doing it with a passphrase and not just a hardware token, like a keyfile on a USB stick, because that's a physical thing that can be discovered or you can be forced to give up, just as the key to a safe.
The bigger problem is with Windows itself - I used to use Windows XP for my personal machine, and kept my personal data encrypted in a Truecrypt volume.
But if you want a log, I'll show you a log - open the registry editor and search for the key "OpenSaveMRU" sometime. That key contains the names of all of the files you have opened or saved using the Windows common file dialog. When I found out about this, I looked and saw that it had filenames of files on my Truecrypt volume that I would probably not want your average investigator seeing.
This is the thing I just love about Microsoft - they have a list of recently opened files in the Start menu, and allow you to disable it. "Great!" you think, "that's taken care of!" And then you find that this registry key exists which is much worse, and not many people know about it.
Here is a link to what you have to do regularly to get rid of that history. Of course, to properly get rid of it, you'd also have to wipe the sectors, and I'm not sure how to do that with registry editing.
But better is to do what I did - switch to Ubuntu, and then create directories called ".recently-used" and ".recently-used-xbel" in your home directory so Gnome doesn't track files either.
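As an added example (not code from any of these comments), here is a parser for GNOME's ~/.recently-used.xbel in the freedesktop desktop-bookmark format that GTK writes, run over a constructed sample, together with the replace-the-file-with-a-directory mitigation the comments describe. The sample's paths, timestamps and application names are invented; the two namespace URIs are the real ones from that spec.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

# Namespaces GTK's recent-files store uses (freedesktop desktop-bookmark spec).
NS = {
    "bookmark": "http://www.freedesktop.org/standards/desktop-bookmarks",
    "mime": "http://www.freedesktop.org/standards/shared-mime-info",
}

# Constructed sample (invented paths and timestamps): the second entry points
# into a mounted encrypted volume, which is the leak the comments describe.
SAMPLE_XBEL = """<xbel version="1.0"
      xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks"
      xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info">
  <bookmark href="file:///home/alice/Documents/budget%202008.ods"
            added="2008-03-01T10:15:00Z" visited="2008-03-01T10:15:00Z">
    <info><metadata owner="http://freedesktop.org">
      <mime:mime-type type="application/vnd.oasis.opendocument.spreadsheet"/>
      <bookmark:applications>
        <bookmark:application name="OpenOffice.org" exec="'ooffice %u'" count="3"/>
      </bookmark:applications>
    </metadata></info>
  </bookmark>
  <bookmark href="file:///media/truecrypt1/private/notes.txt"
            added="2008-03-02T22:40:00Z" visited="2008-03-02T22:41:00Z">
    <info><metadata owner="http://freedesktop.org">
      <mime:mime-type type="text/plain"/>
      <bookmark:applications>
        <bookmark:application name="gedit" exec="'gedit %u'" count="1"/>
      </bookmark:applications>
    </metadata></info>
  </bookmark>
</xbel>
"""


def parse_recently_used(xml_text):
    """One dict per <bookmark>: decoded local path, timestamps, MIME type, apps."""
    entries = []
    for bm in ET.fromstring(xml_text).findall("bookmark"):
        url = urlparse(bm.get("href", ""))
        # file:// hrefs are percent-encoded; decode them to the on-disk path.
        path = unquote(url.path) if url.scheme == "file" else bm.get("href")
        mime = bm.find(".//mime:mime-type", NS)
        entries.append({
            "path": path,
            "added": bm.get("added"),
            "visited": bm.get("visited"),
            "mime": mime.get("type") if mime is not None else None,
            "apps": [(a.get("name"), int(a.get("count", "0")))
                     for a in bm.findall(".//bookmark:application", NS)],
        })
    return entries


def paths_under(entries, mount_point):
    """Recorded paths below a mount point (e.g. an encrypted volume).  The
    names stay in the history long after the volume has been unmounted."""
    return [e["path"] for e in entries if e["path"].startswith(mount_point)]


def tracking_state(home):
    """'file': history is being written; 'blocked': a directory occupies the
    name so GTK cannot create the file; 'absent': not created yet."""
    p = os.path.join(home, ".recently-used.xbel")
    if os.path.isdir(p):
        return "blocked"
    return "file" if os.path.isfile(p) else "absent"


def block_tracking(home):
    """The mitigation from the comments: replace the history file with an empty directory."""
    p = os.path.join(home, ".recently-used.xbel")
    if os.path.isfile(p):
        os.remove(p)
    if not os.path.isdir(p):
        os.mkdir(p)
    return tracking_state(home)


def demo_block_in_scratch_home():
    """Exercise block_tracking() in a throwaway home directory that already
    holds a history file; returns (state before, state after)."""
    with tempfile.TemporaryDirectory() as home:
        with open(os.path.join(home, ".recently-used.xbel"), "w") as fh:
            fh.write(SAMPLE_XBEL)
        return tracking_state(home), block_tracking(home)


if __name__ == "__main__":
    print(paths_under(parse_recently_used(SAMPLE_XBEL), "/media/truecrypt1"))
    print(demo_block_in_scratch_home())
```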
5 watts into an omni is definitely enough to get to the ISS, it's been done.
Back in 1993 when I got my ticket and very first radio (a Heath HW2P handheld that I believe only did 2 watts out on battery), I also got a Kantronics KPC-3 packet TNC and hand-built a cable to go from it to the handheld radio. I hooked up a twinlead J-pole antenna and hung it inside the patio door of my second-floor apartment, then waited for the Mir space station to come over. I did a quick "c r0mir" and was shocked to see a connection established to the packet BBS on the station! That definitely started it all.
As well, once in 1995 or so I had a 5-minute conversation with a cosmonaut on Mir from my car with 5 watts into a 1/2 wave 2 meter vertical on the way from Omaha to Sioux City.
I've also hit Mir via my Kenwood TH-D7A handheld radio with a built-in TNC. If you look in here and search for N0ZHY, you'll see packets I sent from Omaha through Mir which were picked up in Maryland! This was using only the standard rubber-duck antenna.
So it can definitely be done - and remember, good hams only use the power they need!
That doesn't sound right to me - I believe, unless I'm mistaken, that the controller on the drive levels writes across the entire drive, regardless of the partitioning scheme in place.
So even if your drive has, say, four partitions and one is written to a lot more than the others, that doesn't matter because the controller considers the entire flash space for write leveling.
I have a Latitude X300 that had a B-only MiniPCI wireless card in it, and I wanted G - so I bought an IPW2200 card for I think $30 shipped and it works out of the box perfectly, going all the way back to Dapper, I believe. Certainly on Feisty and Gutsy. Same goes for my Latitude X1 - it has an IPW2200 card, came up perfectly.
My boss was installing on a D430 - it has a Broadcom card, which required one extra step - plug it into the wired network, install "bcm43xx-fwcutter", which asks to download the Windows driver on install, you say yes, reboot and it works.
As people have said, entrapment only applies to law enforcement types.
In the civil arena, I believe unclean hands would be more applicable, especially if you can trace Media Defender back to the RIAA via contracts and such.
I did a project for Ameritrade back in 1999 to do a kind of single signon for Ameritrade customers to research providers like TheStreet.com and such.
Anyway, when I got onsite and started talking to them, I found out that the entire trading system was written in noncompiled Perl. They used huge modules for all their trading functions and had a habit of just "use"ing all of the modules in all of the scripts whether they needed them or not. I actually figured out that every time a trade was input by a user, the system had to load and tokenize well over 50,000 lines of Perl code in something like 75 files. Their idea of increasing performance was adding another huge SunFire server to the growing pool of over 30 in the group.
I asked them if they had ever thought of using something like FastCGI to speed things up by preloading the modules at least, or coding in C or C++ rather than Perl. They said no one really knew how to code in C and they couldn't figure out FastCGI.
Anyway, the upshot is that was kind of a scary bunch. It's hard enough to lure good programmers to Omaha in the first place, and then they required all of their staff to wear a shirt, coat and tie, so they didn't exactly get the cream of even that crop!
As long as it's not running Gentoo - but we know it's not because it's had the cycles free to send a picture back.
I keeeeed! I keeeeed!
Quite a lot of companies specify Word format (and possibly text) as being required.
I was going to say "and when they finish, the stars will start going out..." but they kinda beat me to it.
See "The Nine Billion Names of God" by Arthur C. Clarke if you don't get it...
I'm calm.
So the best you can do is an article about login credentials getting hacked?
FTA: "Jackson stressed that while the site hacks were done sans a true vulnerability"...
Yeah, that definitely points to the inherent insecurity of Linux. Not.
This is nothing new, it's just the first phase of putting the WSYP Project into actual use.
I kinda hope Edwards pulls a Kerry, frankly.
Uh...what? You're mistaken.
It works as well as O2K7 ever works, on XP. I use it every day, sadly.
73 de K0RUS
I think your research was kind of shoddy...
In short, do better research next time.