Hackers Counter Microsoft COFEE With Some DECAF 154
An anonymous reader writes "Two developers have created 'Detect and Eliminate Computer Assisted Forensics' (DECAF). The tool tries to stop Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources. After COFEE was leaked to the Web, Microsoft issued takedown notices to sites hosting the software." The article notes that DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.
DECAF: A welcoming news (Score:2, Insightful)
Less innocent people will be going to jail. Less family will be broke up.
The time has come to rise against the machine.
Re:DECAF: A welcoming news (Score:5, Funny)
I prefer to RAGE against the machine.
BAH-duh BAH BAH-duh BAH DAH-duh.
Re:DECAF: A welcoming news (Score:5, Funny)
Coding in the name of!
Re:DECAF: A welcoming news (Score:5, Funny)
Fuck you, I won't code what you tell me!
Re:DECAF: A welcoming news (Score:5, Funny)
are the same that hate bosses
Re: (Score:3)
From the Facebook group: "Fed up of Simon Cowell's latest karaoke act being Christmas No. 1? Me too
I've bought it from iTunes, Amazon, and re-bought the album in my local HMV. Get it done, people.
Re: (Score:2)
I've bought 3 copies and am looking forward to not having a karaoke number 1.
Re: (Score:3, Insightful)
Re: (Score:2)
I'm waiting for the "National ID card is a bad idea. Let's get it abandoned" group. Also called the "Vote for anyone but Labour" group.
Re: (Score:2)
It's not about populatiry, it's about proving that the public en masse can change anything they want.
True, as long as it is of no consequence. Anything business or government really want will come about one way or another... keeping people occupied with mindless drivel like entertainment just makes it all easier.
Oh, someone is at the doo
Re: (Score:2)
Rome wasn't built in a day, nor was it destroyed as such. I'm not promoting anarchy or disestablishmentarianism, but just that democracy is still possible. All it needs is for people to learn to get their news from multiple sources, check facts, read a little more, and investigate even a tiny amount into the back-hand / poison pill policies which are charged through Parliament on the back of "Think of the Children" / "Terrorism is bad!" legislation
But... (Score:2)
I'm also fed up with Rages " Lets venerate burglars who murder old people" misguided lyrics and their "lets make socialism acceptable so we can sell lots of Che T-Shirts at Hot Topic" attitude along with the guitarists " lack of technical expertise on a Whammy pedal, rendering it an misused, overused cliche for those of us who use it seriously."
So maybe we should buy someone who isn't prepackaged industry approved rock and roll rebellion.
Or better yet quit worrying about who's o
Re: (Score:2)
You might think it's small fry changing the outcome of the Christmas charts, but what if the next Facebook group is "Labour are shafting our rights. Let's get them out!"
Township called Rebellion indeed.
Re: (Score:2)
You win! By far the best!
Re: (Score:2)
Welcome, my son, welcome to the machine.
Re: (Score:3, Insightful)
Less innocent people will be going to jail. Less family will be broke up. [sic]
Any particular reason to think innocent people are more likely to use DECAF than the guilty? I fail to see why technical savvy should be correlated with innocence or guilt.
Re: (Score:2)
I fail to see why technical savvy should be correlated with innocence or guilt.
What exactly do you correlate Microsoft with? They routinely code more backdoors than a brothel, you really think their involvement with law enforcement won't backfire? Like you suggest, criminals are tech savvy too.
Re: (Score:3, Informative)
Note that the GP didn't say it will put disproportionally fewer innocent people - only that there will be fewer innocent people.
Fixed it for you. You and the OP made the same mistake. It's like nails on a chalk board, honestly!
You can have fewer innocent people or you can have less innocent people, but it means different things. Less innocent people are not as innocent, fewer innocent people are of a smaller number.
Re: (Score:2)
no wonder I screw up big time on Verbal section of the GRE test.
Perfect trojan horse (Score:5, Insightful)
Haha, that'd be the perfect trojan horse. Have people with (illicit) things to hide run a program that claims to prevent them from being caught, all the while this program is just reporting them. And even if they post code, they could just post any old source code and claim it was used to generate the executable.
Re: (Score:2)
Re:Perfect trojan horse (Score:5, Insightful)
And even if they post code, they could just post any old source code and claim it was used to generate the executable.
Well yeah, until someone who has an I.Q. greater than a water buffalo compiles the source code and finds out that it doesn't match up with the finished DECAF product...
That's the point of having source code out there in the first place. It can be inspected for everything from your everyday uh-ohs to your big time no-nos.
Re: (Score:2, Insightful)
And then some one with a little higher I.Q. takes the time to do something fun like disassemble the executable or hell, use wireshark to capture any network traffic the program might generate to see what it is actually doing.
Re:Perfect trojan horse (Score:4, Informative)
It's .NET and they ran Dotfuscator over it, so you're going to have to graduate past bovine intelligence on this one.
Re: (Score:2)
I once tried to decompile a obfuscated .NET app. It's definitely possible to figure it out, since all the calls to the CLI, etc. are the same, but it can be pretty tricky when every function and class name looks like a GUID.
But if you have the time, it's definitely possible to deconstruct it.
EDIT: I just downloaded it and took a look at the code in Reflector. It seems pretty simple (only 5 classes and the settings namespace isn't obfuscated). Anyone familiar with .NET with about an hour of free time and the
Re: (Score:2)
If this is true then the NSA got a lot lazier, a lot more efficient, and a lot more effective. The Soviets pioneered denouncing your neighbors but this is one better.
Re: (Score:1, Interesting)
"they could just post any old source code and claim it was used to generate the executable." ... which is why you read the code, and if you approve of the code, compile it yourself. If your C.S. skills aren't up to that level, then check with someone you trust as competent to do that code analysis/compilation.
It's essentially the same with every program.
But yeah, this looks like an exploit opportunity, and I won't run DECAF on any of my boxes (uh, wait... do I *have* any Windows boxes? Oh, yeah, my gaming
Re: (Score:1)
This is the beauty of Open Source - you can build your own binaries when paranoid :)
Re: (Score:2)
decaf.exe.config - no disassembly needed.
<setting name="NotifyUser" serializeAs="String">
<value>False</value>
</setting>
Re: (Score:2)
Haha, that'd be the perfect trojan horse. Have people with (illicit) things to hide run a program that claims to prevent them from being caught, all the while this program is just reporting them. And even if they post code, they could just post any old source code and claim it was used to generate the executable.
Your distrust in Microsoft is totally unwarran....
Oh, nevermind... I cant even type that with a straight face... ;-)
no source? it's a trap! (Score:1, Interesting)
Re: (Score:2)
No, that's XPRESO.
Re: (Score:3, Funny)
That's right, it's a frappe!
Microsue (Score:3, Funny)
Oh Microsoft.... is there *anything* that can't be handled by a lawsuit?
The Site... (Score:5, Informative)
http://www.decafme.org/ [decafme.org]
Re: (Score:1, Funny)
Decaf2000?
DecafXP?
DecafVista?
Decaf7?
Re: (Score:2)
So let me get this straight... (Score:5, Insightful)
Re:So let me get this straight... (Score:4, Informative)
So, set up a VM and then port it through WireShark. It shouldn't be too hard to figure out if it's communicating with some central server.
Re: (Score:2)
Communicating to some central server when you run it at least. If it stores the data and sends it on a different date you wouldn't know too easily.
Besides, it may be doing something other than sending off your data.. e.g encrypting it and ransoming you for the key to decrypt it.
Re: (Score:2)
Yeah, because it's not possible for programs to detect they're running in a VM...
Re: (Score:3, Interesting)
I assume a program could detect if it's running in a VM by checking hardware and matching it with known VM configurations?
But anyone who's really serious about security shouldn't be running Windows anyways, even with full-disk encryption. What I'm interested in is seeing how COFEE presumably executes with admin privileges on a locked Windows PC with no user input - the technique could be used to make a "super switchblade [hak5.org]," especially if it c
Re: (Score:2)
That seems like overkill, plus you won't know if it's installing a trojan that activates later. If you're familiar with .NET just open it up in Reflector - even though it's obfuscated, any use of the .NET libraries like System.Net.Sockets will be in plain text.
Re:So let me get this straight... (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Well you see it's like this. The OP made a statement that was a tad too broad and could be misconstrued if more than was intended was read into it. When you take a situation like that, then you add in the conversational construct known as "humor" then you arrive at one of those so-called "jokes". This "joke" is intended to result in a reflex reaction in the reader, consisting of successive, rapid contractions of the diaphragm, often accompanied by a facial expressi
Re: (Score:2)
"what the heck, where did that come from?" funny.
Now known on the Internet as "LOL SO RANDOM".
Re: (Score:2)
Re: (Score:2)
For your private information it is too late. Your info is already on closed source and quite probably badly maintained/secured computers.
Disable autorun, lock your computer (Score:5, Informative)
AFAIK, if your computer is locked COFEE relies on autorun to work, so disable autorun and lock your computer will pretty much thwart COFEE, since it would somehow require bypassing MS's supplied GINA dll, which given it's Microsoft, might know how to do, but would find it highly unlikely.
Re: (Score:1)
Re: (Score:2)
COFFEE is designed to circumvent on disk encryption. To do this it gets the keys from the running system. So it is actually perfectly reasonable that they used autorun given that it runs stuff even when the screen is locked.
Re: (Score:2, Interesting)
So it is actually perfectly reasonable that they used autorun given that it runs stuff even when the screen is locked.
Yeah, it does... in Windows 95.
Re: (Score:2)
You're missing the point of COFEE (Score:1, Interesting)
The point of COFEE is to grab things that would be lost when the computer is shut down (passwords stored in ram, temporary files, etc) before they pull the plug and take it back to headquarters.
(Pull the plug, not just tell it to shut down, because it may have a shutdown process in place to wipe evidence.
And yes, you could use linux live CDs to remove passwords, but that involves changing what is on the disk, thereby ruining it as evidence. There are strict procedures in place to prevent the evidence from b
Re: (Score:1, Informative)
I'm sure more competant forensics people don't pull the plug. Instead they would keep the machine up and running and capture it in that state, using clips to keep it fed the voltage as it gets loaded onto a vehicle and until it gets to the forensics area. There, you use a PCI or IEEE 1394 card to dump the box's RAM.
Then, the hard disk gets imaged via a hardware write blocker (very important), the decryption keys in RAM used to decrypt the image of the HDD, and the search for whatever stuff (after ACTA, an
Easy fix for live-moving (Score:2)
Re: (Score:2)
You could use an accelerometer or a ball-and-cup arrangement similar to a seat belt locking mechanism (very sensitive, especially on newer cars.
Or the status of the USB cable plugged into the huge laser printer next to your desk, or whether eth0 is up, or by using the built-in GPS (if there is one) or the external GPS (labeled "TIME") to establish plausible deniability.
Honestly, there are about a million things you could check to have a good idea that your computer isn't being moved.
Re: (Score:2)
Read the instructions. It works with autorun, but if autorun is disabled you're suppose to use the file manager to browse to the USB device and execute it.
If you really read into the COFEE instructions, you'd see it doesn't give too much up. Well, it says a lot, but not about 3rd party software. It mostly gives standard MS stuff from the registry. Decrypted login passwords, what's set to run at boot time, etc. It would be a good forensic tool for cleaning up after a break
Re: (Score:2)
but if autorun is disabled you're suppose to use the file manager to browse to the USB device and execute it.
That is why I said lock the computer, then they can't get to the file manager.
Re: (Score:2)
$ apt-cache search GINA dll
$
Dammit, now I can't check out COFEE :(
Not open source (Score:2)
>The article notes that DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.
And most people running MS-Windows know for sure what THAT will do to their computers?
Does seem odd, though, that DECAF would not be open so people (in the know) would trust it and could learn from it. Oh well.
This is the best idea they've come up with yet... (Score:4, Insightful)
...to distribute rootkits and create botnets. Even better than those "Free Antivirus Software" downloads.
Seriously, is anybody going to trust something like this without the source? Somebody intelligent enough not to open unsolicited email attachments, at any rate.
(And yes, I realize there might be "legitimate" reasons for keeping the source out of law enforcement's hands, but frankly [at risk of trolling] I would rather be spied on by the government than identity thieves.)
Re:This is the best idea they've come up with yet. (Score:2)
When was the last time you read the source of an application to audit it?
Re: (Score:2)
And yes, I realize there might be “legitimate” reasons for keeping the source out of law enforcement&s hands [...]
WTH? Machine code IS source code! Just in another language that is a tiny bit harder to read (assisted by tools). So there really is no real point in hiding the source code. Everybody who wants to look at what it does, can still do that.
How else would the CPU know what to do with it?
It’s sad, when even on Slashdot, people think that “closed” source would be anymore than security trough obscurity theater.
Re: (Score:2)
Sure, it's security through obscurity.
And sometimes, security through obscurity works. ... for long enough. Sure, you can disassemble megabytes of machine code. But if it takes man-years to read enough to know what it is doing, you still win if the people reading it take real-years to get practical results.
It's that you can't really know how much effort people are putting into defeating the obscurity, and how much success they are having until "too late", that makes security through obscurity so unreliabl
Re: (Score:2)
It's .NET and they ran Dotfuscator over it, so it's not that simple. At this point it's pretty damned obscure.
Re: (Score:2)
Even obfuscated, it's only 5 classes (which reference an unobfuscated settings namespace that gives you a little more info). Anyone familiar with .NET with some time on their hands could reverse engineer it.
Meh... (Score:1)
I think I'll just stick to Pepsi
Arguments (Score:5, Insightful)
Re: (Score:3, Insightful)
One would think that Microsoft has little to no problems doing this without the source.
Re: (Score:2)
Re: (Score:2)
One would think that Microsoft has little to no problems doing this without the source.
It's written in .NET, so even though it's obfuscated it's not that hard to reverse engineer it using Reflector. If I (a teenager who only dabbles in coding) could reverse engineer it in a few hours*, I have little doubt that some MS employee who is being paid to do so could figure it out in under a week.
*I have not reverse engineered it, but I have looked at the source, so I can say that it really isn't that complex.
Re: (Score:1)
Re: (Score:2)
I just did a Google search to see if anyone has reported it to be a virus and found nothing. It's probably safe.
I'm installing it now. I'll let you know what hap
Perhaps there is more here than meets the eye. (Score:1)
Please... (Score:2)
Confused? (Score:2, Redundant)
Re: (Score:3, Funny)
Cofee attempts to decrypt your drive.
Just wait!!! (Score:5, Funny)
Soon I'll Release my Beta version of FRENCH VANILA
(Forensic Reducing Emulator Named Coherantly and Handsomely for Very Awesome Naughty and Illicit Activities)
Best DECAF is.... (Score:1)
Wait, what--? (Score:4, Insightful)
...so you aren't really going to know for sure what it will do to your computer.
You're saying you don't know how to run a debugger in a VM session? or registry and file monitoring utilities? I get that analyzing machine code may be a bit of a lost art, but if you have the binary file you have everything you need to figure out what it does -- eventually. Someone will reverse-engineer it. In fact, I rather expect the authors knew this when they released it.
Re: (Score:2)
if you have the binary file you have everything you need to figure out what it does
It's even better than that. .NET EXEs actually contain MSIL (a type of intermediate language) and are easily decompiled into the original source code (or something resembling it). DECAF has been obfuscated (all the variable/function/class names changed to meaningless letters), but it's simple enough that you could figure it out in under an hour, if you're familiar with .NET, especially since system libraries (e.g. System.Net.Sockets) will be referenced in plain text.
simple tools (Score:2)
There is so much more COFEE should have done. It looks like it takes a look at your current running state. It grabs netwrok connections you have open, running processes, and user account names that are logged in. Things that get lost when you power a computer off. The autorun is just to make it simple for the user. I don't expect this is the only tool ran. I expect it is quick snapshot before you pull the plug.
Microsoft did take care to get the correct versions of the tools for each OS. You know how yo
OT: Aaaaaagh! (Score:2)
Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
Head... exploding... you evil.. bastard...
I am confused. (Score:2, Insightful)
Re: (Score:2)
No, you're not confused.
Re: (Score:2)
Umm, because the password used to encrypt the data is on the SAME PC ?
Or to use a car analogy, the things inside a locked car are safe, unless you leave the keys in the lock.
WINNAR! (Score:2)
there is a built-in method for bypassing its security features
Ding ding ding ding ding!
And what does the COFEE generated data prove? (Score:2)
Seriously, what does COFEE generated data prove? If my computer would run XP and for some reason some official would want to plug a USB stick with the label "COFEE" into it, then what ever data they claim to find I could deny easily that it was mine. After all, on the USB stick there could have been ANY program which plants ANY data on the computer it was plugged into!
As far as I know, part of proper computer forensics work is to first (!) dublicate the hard drive in question, then generate a checksum for b
Re: (Score:2)
It proves you don't know much about computer forensics, that's for sure.
Re: (Score:2)
It was forseen! (Score:1)
You don't understand! The cat *is* out of the bag! (Score:2)
People, you don't understand what this means !!
This marks an end of an era ! Up until now investigators could be pretty comfortable assuming that their forensics analysis were giving off accurate data about the use and activity of the computer. Tools to analyse file, network and disk access are based on the assumption that the metadata has not been tampered with.
It is enough that you download and run this program every now and then to render every analysis of your computer pretty meaningless as eviden
Re:LiveCD (Score:4, Funny)
I first encrypted all my temporary data, encrypted everything in cache, it was a sweet algorithm. But I figured that wasn't enough, an onion-rings didn't help either. (I tried, I failed.)
So then I decided to use my PC without keyboard, so they couldn't log my keystrokes or via processing the audio for my keystrokes discover what I was typing. From there up, everything was a success, I could later remove my monitor so noone could see what I was doing and I could just imagine keyboardinupt on my PC.
I wasn't ever so productive and most of all SECURE.
Soon enough, I felt my mousemovements could also be secured by removing my mouse. Once I mastered this way of working, they suggested I also could work without turning on my PC, as they could measure my work by reading radiation from my CPU "if they really would be wanting to read my work", just tossing out my HD wasn't sufficient. So, right now, I'm 100% secure, sitting at my desk, imagening my work.
I did read something about mindreading, but I think that's just FUD.
Re: (Score:2)
Half of the services on Windows try to access DNS. Even mundane stuff you wouldn't think of like Print Spoolers etc ... it's for network exploration, to see what's connected to your network, mostly (in little-girl-from-Aliens-voice).
Re: (Score:2)
Not surprised at all the typical slashdot anti-law enforcement rhetoric in here... especially all of the "innocent people will be saved!" statements. But I *am* a bit surprised that some of the commenters have said what they have. Do this many people really not want truly guilty people caught and prosecuted?
I suspect your average Slashdotter is more concerned with the Fourth Amendment rights that prosecutors as a whole like to ignore when they're trying to build a case against someone who's alleged to have committed a crime.
Re: (Score:2)
For 8 years running, the entire fucking federal government ignored the 4th amendment, which may very well be continuing. This is not some sort of extra paragraph that has to be stricken from court records. It's rampant, it's all over. FISA means nothing to you? The fact that it is a sufficient way to get wiretaps on the bad guys, but NO! It's not ENOUGH, we need REAL TIME monitoring of EVERYBODY (with AT&T's help).
You don't see it because you are one of them. Strange, how every cop or wannabe cop is
Re: (Score:2)
Do this many people really not want truly guilty people caught and prosecuted?
Guilty of what and at the expense of what? Could you cite specific examples, as you seem so eager to chastise others for failing to provide?
I don't want people truly guilty [alternet.org] of possessing marijuana to be caught and prosecuted. I don't want people truly guilty [stateofprotest.com] of indulging in whimsical fantasies involving fictional characters to be caught and prosecuted. I don't want people truly guilty [arstechnica.com] of copyright infringement to be caught and prosecuted. Had this been some years ago I would not have wanted people truly gui [belfasttelegraph.co.uk]