
Microsoft Helps Police Crack Your Computer

IGnatius T Foobar writes "Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that "may have been used in crimes." It basically bypasses all of the Windows security (decrypting passwords, etc.) in order to eliminate all that pesky privacy when the police have physical access to your computer. Just one more reason not to run Windows on your computer."
  • Flaw (Score:5, Insightful)

    by Narpak ( 961733 ) on Tuesday April 29, 2008 @11:12AM (#23238356)
    Seems to me that if all you need to do to get full access to anyone's computer (anyone running Windows that is) is a Microsoft made device; that is a serious security flaw.
  • by mrbah ( 844007 ) on Tuesday April 29, 2008 @11:12AM (#23238362)
    Reverse engineering and (more) malicious usage in 3... 2... 1.
  • by ConceptJunkie ( 24823 ) * on Tuesday April 29, 2008 @11:16AM (#23238444) Homepage Journal
    ...it's just one more nail in the coffin of being "allowed" to use OSS. After all, if you have nothing to hide then you have nothing to fear, and only criminals would use OSS that would allow them to evade government snooping.

    I'm sure some lobbyist is sitting with a Congressional staffer right now, explaining how requiring Windows on every computer is essential to the War on Terrorism.

  • by Mashiara ( 5631 ) on Tuesday April 29, 2008 @11:18AM (#23238480) Homepage
    unless the hardware itself is secured and tamper-resistant enough (i.e. cost of successful tampering is higher than value of data).

    This has always been true.
  • by Anonymous Coward on Tuesday April 29, 2008 @11:19AM (#23238508)
    News at 11!
  • Really? (Score:5, Insightful)

    by SatanicPuppy ( 611928 ) * <SatanicpuppyNO@SPAMgmail.com> on Tuesday April 29, 2008 @11:23AM (#23238604) Journal
    No unix using a non-encrypted file system is secure if you have physical access to the machine...Why would you assume it's any different with Windows?

    I'd just boot knoppix and mount the partition. There, I have access to all the files. That goes for windows AND unix/linux.

    If you really depend on the password for anything other than stopping casual or remote access, you're just fooling yourself.
  • by vux984 ( 928602 ) on Tuesday April 29, 2008 @11:25AM (#23238626)
    "So, the sheer fact that there is a device that can do this also means that anybody can do this because the methods are in place for bypassing security. It's only a matter of time before someone spends enough energy to develop a device that can do this (outside of Microsoft)."

    No. The ONLY question that is of any interest is whether or not this device actually has a back door to Windows encryption. Somehow I seriously doubt that it does. It's probably little more than a bootable drive with NTFS support, and some tools. If you've got a password on your login, it doesn't mean you are using encryption. And this tool probably just lets you get straight to searching the -unencrypted- disk without cracking the login, or without pulling the drive and installing it somewhere else to scan through.

    "The implications of a device like this are scary to say the least. Although I'm not a Microsoft hater, this alone is more than enough to make me take a second look at options other than Microsoft Windows."

    I suspect your average Linux LiveCD Recovery Disk has all the same tools on it. MS is just getting on board with their own version, to remove another area, where, right now, you have to use Linux. If that's the case the implications aren't scary at all.

    And this whole article is pure FUD.

    Unless they've provided a back door to the encryption. That is the -only- question. But I really doubt they have.
  • FUD (Score:2, Insightful)

    by idlemind ( 760102 ) on Tuesday April 29, 2008 @11:26AM (#23238660)
    Since when has physical access to a machine ever been safe for any operating system? Also, it's not like Microsoft programmed in back doors for law enforcement; they are just bundling their version of script kiddie hacks.

  • Re:Flaw (Score:5, Insightful)

    by gstoddart ( 321705 ) on Tuesday April 29, 2008 @11:28AM (#23238702) Homepage

    "Seems to me that if all you need to do to get full access to anyone's computer (anyone running Windows that is) is a Microsoft made device; that is a serious security flaw."

    And, a scary precedent.

    When the man kicks in your door, hooks up his thumb drive to your Linux box and doesn't get what he wants ... you will have committed a crime by not making your information available in a format accessible to law enforcement. Only terrorists would do that.

    The above is a deliberately absurd example. One which I fear is less far fetched than one would have previously hoped.

    Mostly, I agree with some of the other posters here ... if Microsoft can make this, that means there's a defined mechanism you can use to completely defeat any form of security in Windows. And, that's bad; someone will figure this out.

    Cheers
  • by Gitcho ( 761501 ) on Tuesday April 29, 2008 @11:32AM (#23238778)
    I'm all for protecting personal privacy, but if investigators are using these tools to comb through your PC, you don't need to stop using windows - you need to stop committing crimes.
  • by SatanicPuppy ( 611928 ) * <SatanicpuppyNO@SPAMgmail.com> on Tuesday April 29, 2008 @11:33AM (#23238796) Journal
    Yea, look at linux...No way would it be possible to reset the root password [linuxgazette.net] if you had physical access to the machine.

    I can't believe all the people who are freaking out about this. This isn't a remote exploit. This isn't a massive security hole. This is trivial stuff that anyone who is reasonably computer savvy should be able to do.
  • by JustASlashDotGuy ( 905444 ) on Tuesday April 29, 2008 @11:42AM (#23238974)
    FTA:

    "It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site."

    The second you plug one of these into the suspect's machine while it's running, you just set the criminal free. Reason being, you potentially just altered the original source of data and could have injected your own "evidence". Any lawyer would get you off in a heartbeat.

    You'd always have to shut it down, image the drive, and then run your test against the image. If you ever so much as boot the image and use the device at that point, you've still just changed a shit load of files during the boot up process and a lawyer may still be able to get you off.

    This device is only helpful if it contains a standalone script that can be pointed to a set of files on a write-blocked drive. Blindly letting it have full read/write access to any drive would be an instant not-guilty result.

    Unless this device gets some hefty certs, I'd be surprised if any law enforcement agency that reports to the public courts would ever use this device as reported.
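
The image-then-analyze workflow described in the comment above, as an added example that is not part of the original thread: hash the source while copying it, examine only the read-only copy, then re-hash to show that nothing changed and that a single altered byte would be detected. The file names and the sample "drive" contents are constructed, and the read-only file permission only stands in for a hardware write blocker.

```python
import hashlib, os, stat, tempfile

CHUNK = 1 << 20  # read in 1 MiB blocks so large images never sit in memory

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image):
    """Copy source to a new image file, hashing the bytes as they are read."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    os.chmod(image, stat.S_IRUSR)  # working copy is read-only from here on
    return h.hexdigest()

def search_image(image, needle):
    """Stand-in for an analysis tool: opens the image read-only, returns offsets."""
    with open(image, "rb") as f:
        data = f.read()  # fine for the small constructed sample
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits

def demo():
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "suspect.raw")  # constructed sample "drive"
        image = os.path.join(d, "evidence.img")
        with open(source, "wb") as f:
            f.write(b"\x00" * 512 + b"invoice-2008.xls" + b"\x00" * 496)
        acquired = acquire(source, image)
        hits = search_image(image, b"invoice")
        verified = sha256_file(image) == acquired == sha256_file(source)
        # Simulate a tool that writes to what it examines: one flipped byte.
        touched = os.path.join(d, "touched.img")
        with open(image, "rb") as f:
            altered = bytearray(f.read())
        altered[0] ^= 1
        with open(touched, "wb") as f:
            f.write(altered)
        tampered_detected = sha256_file(touched) != acquired
        return {"hits": hits, "verified": verified, "tampered_detected": tampered_detected}

if __name__ == "__main__":
    print(demo())
```
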

  • Re:Really? (Score:2, Insightful)

    by HeronBlademaster ( 1079477 ) <heron@xnapid.com> on Tuesday April 29, 2008 @12:13PM (#23239546) Homepage
    Obviously you didn't read the article. The whole benefit of the device is that it can plug in to a machine and gather evidence without having to unplug the machine from the network or a power source (to move it). The article also specifically describes the device as a USB thumb drive.

    "The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence [...] It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer."

    I assume these 150 commands are specific to Windows' internal undocumented APIs that only Microsoft would be aware of.
  • Re:Really? (Score:3, Insightful)

    by bill_kress ( 99356 ) on Tuesday April 29, 2008 @12:15PM (#23239596)
    I saw a really good post that applies to this entire thread (including File Vault)

    If the NSA isn't freaking out about some kind of encryption trying to get it banned, it's because they can get into it.

    Also, the more secure you think your files are, the more likely you'll put stuff there that might interest them.
  • Re:Flaw (Score:4, Insightful)

    by Feyr ( 449684 ) on Tuesday April 29, 2008 @12:44PM (#23240110) Journal
    look on google for ntpasswd

    linux-based livecd that will reset any password on your windows partition.

    if you have physical access and it's not encrypted, any data is fair game, it doesn't have anything to do with microsoft (in fact, I'm pretty pissed at ms for making it such a hassle to reset a password)
  • by blueg3 ( 192743 ) on Tuesday April 29, 2008 @12:45PM (#23240120)
    Yes. Most criminal investigations have experts well-versed in many operating systems. More regional departments may not have Macintosh or Unix experts, though almost all computer forensic investigators have familiarity with Unix, and would send the computer to another office. There are a lot of experts working in law enforcement, so if their case is important enough, your hardware will be shipped to an office that has an expert.

    They wouldn't boot your machine, though. They'd remove the drive, duplicate it, and then look at the duplicate through a hardware write blocker. Software would probably indicate that the majority of the disk was ext2/whatever Unix format you use partitions, and the layout of the root partition would make it fairly clear you were using a Unix variant. If they really wanted to "boot" your machine, they'd boot an image of your drive using a VM.
  • Re:Flaw (Score:3, Insightful)

    by SiChemist ( 575005 ) * on Tuesday April 29, 2008 @02:13PM (#23241558) Homepage
    What you are doing is NOT password recovery-- it is RESETTING the password. Resetting a password is trivial on Linux and Windows (if you have physical access), but the article says this device can decrypt passwords on the system. That is worth worrying a little.
  • by Chosen Reject ( 842143 ) on Tuesday April 29, 2008 @05:35PM (#23244614)
    I would hate an edit feature. That is what proofreading is for. Once you commit your post that should be it. I can't tell you how many times I've been in forums that allow editing of posts and suddenly I don't know what anyone is talking about simply because I showed up late. One person makes a comment, other people discuss, then that person edits his post to something else.

    Not only that, it would be horrible for avoiding the trolls. All they would need to do is get a +5 informative on a post then edit it to be a link to a virus filled site or something else.
